Changeset 4109 for zzuf/trunk/src
- Timestamp:
- Dec 8, 2009, 2:41:35 AM (11 years ago)
- File:
-
- 1 edited
zzuf/trunk/src/zzuf.c
r4106 r4109 1130 1130 static int dll_inject(void *process, void *epaddr) 1131 1131 { 1132 uint8_t old_ep[7]; 1133 uint8_t new_ep[] = "\xb8<01>\xff\xe0"; 1134 uint8_t loader[] = "libzzuf.dll\0<0000c>\xb8<14>\x50\xb8<1a>\xff\xd0" 1135 "\xb8\0\0\0\0\x50\xb8\x07\x00\x00\x00\x50\xb8<2d>" 1136 "\x50\xb8<33>\x50\xb8<39>\xff\xd0\x50\xb8<41>\xff" 1137 "\xd0\xb8<48>\xff\xe0"; 1132 uint8_t code1[] = /* LIBZZUF: */ 1133 "libzzuf.dll\0" 1134 /* OLDEP: */ 1135 "_______" 1136 /* START: */ 1137 "\xb8____" /* mov eax,<libzzuf.dll> */ 1138 "\x50" /* push eax */ 1139 "\xb8____" /* mov eax,<LoadLibraryA> */ 1140 "\xff\xd0" /* call eax */ 1141 "\xb8\0\0\0\0" /* mov eax,0 */ 1142 "\x50" /* push eax */ 1143 "\xb8\x07\0\0\0" /* mov eax,7 */ 1144 "\x50" /* push eax */ 1145 "\xb8____" /* mov eax,<OLDEP> */ 1146 "\x50" /* push eax */ 1147 "\xb8____" /* mov eax,<NEWEP> */ 1148 "\x50" /* push eax */ 1149 "\xb8____" /* mov eax,<GetCurrentProcess> */ 1150 "\xff\xd0" /* call eax */ 1151 "\x50" /* push eax */ 1152 "\xb8____" /* mov eax,<WriteProcessMemory> */ 1153 "\xff\xd0" /* call eax */ 1154 "\xb8____" /* mov eax,<NEWEP> */ 1155 "\xff\xe0"; /* jmp eax */ 1156 uint8_t code2[] = /* NEWEP: */ 1157 "\xb8____" /* mov eax,<START> */ 1158 "\xff\xe0"; /* jmp eax */ 1138 1159 void *lib; 1139 1160 uint8_t *loaderaddr; 1140 1161 DWORD tmp; 1141 1162 1142 /* Savethe old entry-point code */1143 ReadProcessMemory(process, epaddr, old_ep, 7, &tmp);1163 /* Backup the old entry-point code */ 1164 ReadProcessMemory(process, epaddr, code1 + 0x0c, 7, &tmp); 1144 1165 if(tmp != 7) 1145 1166 return -1; 1146 1167 1147 loaderaddr = VirtualAllocEx(process, NULL, 78, MEM_COMMIT, 1168 /* Copy the first shell code to a freshly allocated memory area. 
*/ 1169 loaderaddr = VirtualAllocEx(process, NULL, sizeof(code1), MEM_COMMIT, 1148 1170 PAGE_EXECUTE_READWRITE); 1149 1171 if(!loaderaddr) 1150 1172 return -1; 1151 1173 1152 addcpy(new_ep + 0x01, loaderaddr + 0x0c + 7);1153 WriteProcessMemory(process, epaddr, new_ep, 7, &tmp);1154 if(tmp != 7)1155 return -1;1156 1157 1174 lib = LoadLibrary("kernel32.dll"); 1158 1175 if(!lib) 1159 1176 return -1; 1160 1177 1161 memcpy(loader + 0x0c, old_ep, 7); 1162 addcpy(loader + 0x14, loaderaddr + 0x00); /* offset for dll string */ 1163 addcpy(loader + 0x1a, GetProcAddress(lib, "LoadLibraryA")); 1164 addcpy(loader + 0x2d, loaderaddr + 0x0c); 1165 addcpy(loader + 0x33, epaddr); 1166 addcpy(loader + 0x39, GetProcAddress(lib, "GetCurrentProcess")); 1167 addcpy(loader + 0x41, GetProcAddress(lib, "WriteProcessMemory")); 1168 addcpy(loader + 0x48, epaddr); 1178 addcpy(code1 + 0x14, loaderaddr + 0x00); /* offset for dll string */ 1179 addcpy(code1 + 0x1a, GetProcAddress(lib, "LoadLibraryA")); 1180 addcpy(code1 + 0x2d, loaderaddr + 0x0c); 1181 addcpy(code1 + 0x33, epaddr); 1182 addcpy(code1 + 0x39, GetProcAddress(lib, "GetCurrentProcess")); 1183 addcpy(code1 + 0x41, GetProcAddress(lib, "WriteProcessMemory")); 1184 addcpy(code1 + 0x48, epaddr); 1169 1185 FreeLibrary(lib); 1170 1186 1171 WriteProcessMemory(process, loaderaddr, loader, 78, &tmp); 1172 if(tmp != 78) 1187 WriteProcessMemory(process, loaderaddr, code1, sizeof(code1), &tmp); 1188 if(tmp != sizeof(code1)) 1189 return -1; 1190 1191 /* Copy the second shell code where the old entry point was. */ 1192 addcpy(code2 + 0x01, loaderaddr + 12 + 7); 1193 WriteProcessMemory(process, epaddr, code2, 7, &tmp); 1194 if(tmp != 7) 1173 1195 return -1; 1174 1196
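Review bot: The error checks after ReadProcessMemory (1164-1166) and after both WriteProcessMemory calls (1187-1189, 1193-1195) look only at `tmp`, which is never initialised and is not guaranteed to be written when the call fails, so a failed read can slip past `tmp != 7` and the loader is assembled with an undefined OLDEP slot. Test the BOOL result too, e.g. `if(!ReadProcessMemory(process, epaddr, code1 + 0x0c, 7, &tmp) || tmp != 7)`, and likewise for the two writes. The `return -1` paths after VirtualAllocEx succeeds (1176, 1189, 1195) also leave the remote page allocated; a `VirtualFreeEx(process, loaderaddr, 0, MEM_RELEASE)` before returning would release it. The offsets `0x0c`, `0x14` … `0x48` and `loaderaddr + 12 + 7` (1192) spell the same layout two ways; a small enum such as `OLDEP = 0x0c, START = OLDEP + 7` placed beside the labelled string would keep them in step with the LIBZZUF/OLDEP/START comments. dll_inject's body continues past the end of the hunk.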