作 者: 鄧韜
時 間: 2011-09-19,14:46:07
鏈接: http://bbs.pediy.com/showthread.php?t=140298
原理:讀取系統DLL到分配的內存裡面去,然後定位到相關的API的代碼。
FARPROC GetApiAddr(BYTE *Base,DWORD Api)
參數一:我們分配的內存基址
參數二:函數地址減去模塊基址的差值
返回值:返回內存中的API函數的地址
作用:對原來的系統API函數下斷點無效,因為我們已經把全部系統DLL讀取到內存中並定位到相關的代碼了,調用的是內存中的API函數
代碼:
#include <windows.h>
/* Strings handed to the call made from WinMain's inline asm.
 * They are deliberately plain char arrays with external linkage: the asm
 * does `lea eax, Caption` / `lea eax, Text`, i.e. it takes the address of
 * the symbol itself, so changing these to pointers or to `static` would
 * change what `lea` yields. By their names and push order, Caption is the
 * caption argument and Text the message text. */
char Caption[]="Test";
char Text[]="MessageBoxA";
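/*
 * Translate an RVA into a pointer inside a raw (unmapped) PE file image.
 *
 * Base: start of a buffer holding the DLL exactly as read from disk
 *       (file layout, not the loader's in-memory layout).
 * Api:  RVA of the wanted code, i.e. the function's loaded address minus
 *       the base of the loaded module.
 *
 * Returns a pointer to the byte at that RVA inside the buffer, or NULL when
 * the buffer does not carry the DOS/NT signatures, when no section covers
 * the RVA, or when the RVA lies in a section tail that is not present in
 * the file (beyond SizeOfRawData). The pointer is only valid while the
 * buffer is alive; the caller owns and frees the buffer.
 *
 * The original scanned every section, used an inclusive upper bound
 * (`Api <= end`), truncated NumberOfSections to a BYTE, and on no match
 * returned Base itself (the DOS header) instead of NULL. All four are fixed
 * here. Nothing in this routine relocates the image or resolves imports; it
 * only maps an RVA to a file offset, so the bytes it points at are not, in
 * general, safely callable (see WinMain).
 */
FARPROC GetApiAddr(BYTE *Base, DWORD Api)
{
    if (Base == NULL) {
        return NULL;
    }

    PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Base;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }

    /* e_lfanew comes from the file and is signed; a negative offset would
     * point before the buffer. (Without a buffer length in the interface an
     * upper bound cannot be checked here.) */
    if (DosHeader->e_lfanew < 0) {
        return NULL;
    }

    PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)(Base + DosHeader->e_lfanew);
    if (NtHeader->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    /* IMAGE_FIRST_SECTION is the SDK form of the hand-computed
     * "NT header + sizeof(IMAGE_FILE_HEADER) + SizeOfOptionalHeader + 4". */
    PIMAGE_SECTION_HEADER SecHeader = IMAGE_FIRST_SECTION(NtHeader);
    WORD SecCount = NtHeader->FileHeader.NumberOfSections;

    for (WORD i = 0; i < SecCount; i++, SecHeader++) {
        DWORD SecStart = SecHeader->VirtualAddress;

        /* Half-open range [SecStart, SecStart + VirtualSize); written as a
         * difference so a large VirtualSize cannot wrap the end address. */
        if (Api < SecStart || Api - SecStart >= SecHeader->Misc.VirtualSize) {
            continue;
        }

        DWORD Offset = Api - SecStart;
        /* The part of a section past SizeOfRawData exists only once the
         * loader maps it; it has no bytes in the file image. */
        if (Offset >= SecHeader->SizeOfRawData) {
            return NULL;
        }

        /* First matching section wins; sections do not overlap. */
        return (FARPROC)(Base + SecHeader->PointerToRawData + Offset);
    }

    return NULL;
}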
/*
 * Demonstration entry point: copies user32.dll from disk into a private
 * buffer, resolves the RVA of MessageBoxA from the loaded module, and then
 * calls the copy's bytes through inline asm instead of the loaded export.
 *
 * Review notes (code left as in the post):
 *  - Every Win32 call here is unchecked: GetModuleHandleA/LoadLibraryA,
 *    CreateFileA (INVALID_HANDLE_VALUE), GetFileSize, VirtualAlloc (NULL),
 *    ReadFile (and dwRead is never compared with Size).
 *  - The file handle is never closed and the buffer is never unlocked or
 *    freed; fine for a throwaway PoC, a leak anywhere else.
 *  - 32-bit only: pointers are truncated to DWORD and the asm uses eax/push.
 *  - The buffer is committed PAGE_READWRITE and then executed, and the raw
 *    file image is neither relocated nor has its imports resolved, so any
 *    outbound call MessageBoxA makes through its own import table would hit
 *    unresolved entries in the copy. The post does not say on which OS this
 *    was observed to work; treat it as fragile.
 *  - Defender's view: a process that opens its own copy of user32.dll for
 *    read, copies it into a private locked RW allocation and transfers
 *    control into it is a recognisable user-mode hook/breakpoint evasion
 *    pattern; breakpoints on the real export are bypassed, as the post says,
 *    but the file read, the private allocation and the execution from it are
 *    all observable.
 */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    DWORD dwRead;
    char SystemPath[MAX_PATH]={0};
    /* Loaded copy of user32: only used to compute MessageBoxA's RVA below. */
    HMODULE hMod=GetModuleHandleA("USER32.DLL");
    if(!hMod)
    hMod=LoadLibraryA("USER32.DLL");
    /* Builds "<system dir>\user32.dll". GetSystemDirectoryA's return length
     * is not checked and lstrcat is unbounded; MAX_PATH is assumed to fit. */
    GetSystemDirectoryA(SystemPath,MAX_PATH);
    lstrcat(SystemPath,"\\user32.dll");
    HANDLE Handle=CreateFileA(SystemPath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    DWORD Size=GetFileSize(Handle,NULL);
    /* Private buffer for the on-disk image; note PAGE_READWRITE, no execute. */
    BYTE *Virtual=VirtualAlloc(NULL,Size,MEM_COMMIT,PAGE_READWRITE);
    /* VirtualLock pins the pages in RAM; the post does not say why. */
    VirtualLock(Virtual,Size);
    ReadFile(Handle,Virtual,Size,&dwRead,NULL);
    /* RVA of MessageBoxA = its address in the loaded module minus the
     * module base; this is the value GetApiAddr expects. */
    DWORD MeAddr=(DWORD)GetProcAddress(hMod,"MessageBoxA");
    MeAddr=MeAddr-(DWORD)hMod;
    /* Pointer into the raw copy, truncated to DWORD for the asm below. */
    DWORD Api=(DWORD)GetApiAddr(Virtual,MeAddr);
    /* Arguments are pushed right-to-left in MessageBoxA's stdcall order:
     * uType=0, lpCaption=Caption, lpText=Text, hWnd=0. No stack cleanup
     * follows the call, which relies on the callee cleaning it (stdcall). */
    _asm{
    push 0
    lea eax,Caption
    push eax
    lea eax,Text
    push eax
    push 0
    call Api
    }
    return FALSE;
}