您所在位置:主题:C语言改进---INTRUDER语言
intruder
[专家分:0] 发布于 2011-06-25 18:02:00
为了实现方便的WIN32跨进程代码注入,我修改了C语言,增加了ilof关键字和cgen函数,同时作出了一系列的其他改进.下面是一个例子.欢迎对此感兴趣的一起探讨.
#define NULL 0
#define FALSE 0
#define TRUE 1
#define CREATE_SUSPENDED 0x00000004
#define MEM_COMMIT 0x1000
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_RELEASE 0x8000
#define MAX_PATH 260
void @ !HANDLE;
void @ !LPVOID;
void @ !LPCVOID;
uint32 !SIZE_T;
uint32 !DWORD;
uint16 !WORD;
int32 !BOOL;
int8 @ !LPCTSTR;
int8 @ !LPTSTR;
void @ !LPSECURITY_ATTRIBUTES;
uint8 @ !LPBYTE;
void @ !HMODULE;
void @ !FARPROC;
int16 !wchar_t;
HANDLE !HWND;
int8 @ !LPCSTR;
uint32 !size_t;
struct _STARTUPINFO {
DWORD cb;
LPTSTR lpReserved;
LPTSTR lpDesktop;
LPTSTR lpTitle;
DWORD dwX;
DWORD dwY;
DWORD dwXSize;
DWORD dwYSize;
DWORD dwXCountChars;
DWORD dwYCountChars;
DWORD dwFillAttribute;
DWORD dwFlags;
WORD wShowWindow;
WORD cbReserved2;
LPBYTE lpReserved2;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
} !STARTUPINFO, @ !LPSTARTUPINFO;
struct _PROCESS_INFORMATION {
HANDLE hProcess;
HANDLE hThread;
DWORD dwProcessId;
DWORD dwThreadId;
} !PROCESS_INFORMATION, @ !LPPROCESS_INFORMATION;
void @ memset(void @ dest, int c, size_t count) = *"LIB:MSVCRT.DLL;API:memset;CONV:cdecl";
wchar_t @ wcscat(wchar_t @ strDestination, wchar_t @ strSource) = *"LIB:MSVCRT.DLL;API:wcscat;CONV:cdecl";
wchar_t @ wcscpy(wchar_t @ strDestination, wchar_t@ strSource) = *"LIB:MSVCRT.DLL;API:wcscpy;CONV:cdecl";
wchar_t @ wcsstr(wchar_t @ str, wchar_t @ strSearch) = *"LIB:MSVCRT.DLL;API:wcsstr;CONV:cdecl";
int wcscmp(wchar_t @ string1, wchar_t @ string2) = *"LIB:MSVCRT.DLL;API:wcscmp;CONV:cdecl";
int printf(char @ format) = *"LIB:MSVCRT.DLL;API:printf;CONV:cdecl";
BOOL CreateProcess(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = *"LIB:KERNEL32.DLL;API:CreateProcessA";
BOOL CloseHandle(HANDLE hObject) = *"LIB:KERNEL32.DLL;API:CloseHandle";
DWORD ResumeThread(HANDLE hThread) = *"LIB:KERNEL32.DLL;API:ResumeThread";
LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAllocEx";
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T @ lpNumberOfBytesWritten) = *"LIB:KERNEL32.DLL;API:WriteProcessMemory";
HMODULE GetModuleHandle(LPCTSTR lpModuleName) = *"LIB:KERNEL32.DLL;API:GetModuleHandleA";
HMODULE LoadLibrary(LPCTSTR lpFileName) = *"LIB:KERNEL32.DLL;API:LoadLibraryA";
FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName) = *"LIB:KERNEL32.DLL;API:GetProcAddress";
void @ VirtualAlloc(void @ lpAddress, uint32 dwSize, uint32 flAllocationType, uint32 flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAlloc";
int32 VirtualFree(void @ lpAddress, uint32 dwSize, uint32 dwFreeType) = *"LIB:KERNEL32.DLL;API:VirtualFree";
void Sleep(DWORD dwMilliseconds) = *"LIB:KERNEL32.DLL;API:Sleep";
void !FUNC(HWND hWnd, wchar_t @ text);
wchar_t @ !LPWSTR;
LPWSTR @ !LPPWSTR;
wchar_t title[MAX_PATH];
FARPROC work(LPPWSTR ptext) = &
{
LPWSTR text = ptext;
if (<int32>text) {
LPWSTR notepad = L" - 记事本";
LPWSTR str = wcsstr(text, notepad);
if (<int32>str&&!wcscmp(str, notepad)) {
wcscpy(str, L"");
wcscpy(@title[0], text);
wcscat(@title[0], L" - $$$$$$$$");
ptext = @title[0];
}
}
return GetProcAddress(GetModuleHandle("USER32.DLL"), "SetWindowTextW");
};
FUNC hook = &
{
work(@text);
ADD(EAX, 5);
MOV(ESP, EBP);
JMP(EAX);
};
void init(HANDLE hProcess) = &
{
LPVOID Page = VirtualAllocEx(hProcess, NULL, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (<int32>Page) {
uint32 size = cgen(ilof hook);
void @ buf = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
FUNC func = <FUNC>link(buf, <uint32>Page);
WriteProcessMemory(hProcess, Page, buf, size, NULL);
VirtualFree(buf, 0, MEM_RELEASE);
FARPROC Proc = GetProcAddress(LoadLibrary("USER32.DLL"), "SetWindowTextW");
do {
Sleep(1000);
int8 i8 = 0xE9;
if (!WriteProcessMemory(hProcess, Proc, @i8, sizeof(i8), NULL))
continue;
int32 i32 = <int32>Page-(<int32>Proc+5);
WriteProcessMemory(hProcess, <LPVOID>@(<LPBYTE>Proc)[1], @i32, sizeof(i32), NULL);
break;
} while (1);
}
printf("\"VirtualAllocEx\" %s!\n", <int32>Page?"success":"failure");
};
void main() = &
{
STARTUPINFO StartupInfo;
memset(@StartupInfo, 0, sizeof(STARTUPINFO));
StartupInfo.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION ProcessInformation;
BOOL Success = CreateProcess("c:\\windows\\system32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, "c:\\windows\\system32", @StartupInfo, @ProcessInformation);
if (Success) {
ResumeThread(ProcessInformation.hThread);
init(ProcessInformation.hProcess);
CloseHandle(ProcessInformation.hProcess);
CloseHandle(ProcessInformation.hThread);
}
printf("\"CreateProcess\" %s!\n", Success?"success":"failure");
};
#define NULL 0
#define FALSE 0
#define TRUE 1
#define CREATE_SUSPENDED 0x00000004
#define MEM_COMMIT 0x1000
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_RELEASE 0x8000
#define MAX_PATH 260
void @ !HANDLE;
void @ !LPVOID;
void @ !LPCVOID;
uint32 !SIZE_T;
uint32 !DWORD;
uint16 !WORD;
int32 !BOOL;
int8 @ !LPCTSTR;
int8 @ !LPTSTR;
void @ !LPSECURITY_ATTRIBUTES;
uint8 @ !LPBYTE;
void @ !HMODULE;
void @ !FARPROC;
int16 !wchar_t;
HANDLE !HWND;
int8 @ !LPCSTR;
uint32 !size_t;
struct _STARTUPINFO {
DWORD cb;
LPTSTR lpReserved;
LPTSTR lpDesktop;
LPTSTR lpTitle;
DWORD dwX;
DWORD dwY;
DWORD dwXSize;
DWORD dwYSize;
DWORD dwXCountChars;
DWORD dwYCountChars;
DWORD dwFillAttribute;
DWORD dwFlags;
WORD wShowWindow;
WORD cbReserved2;
LPBYTE lpReserved2;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
} !STARTUPINFO, @ !LPSTARTUPINFO;
struct _PROCESS_INFORMATION {
HANDLE hProcess;
HANDLE hThread;
DWORD dwProcessId;
DWORD dwThreadId;
} !PROCESS_INFORMATION, @ !LPPROCESS_INFORMATION;
void @ memset(void @ dest, int c, size_t count) = *"LIB:MSVCRT.DLL;API:memset;CONV:cdecl";
wchar_t @ wcscat(wchar_t @ strDestination, wchar_t @ strSource) = *"LIB:MSVCRT.DLL;API:wcscat;CONV:cdecl";
wchar_t @ wcscpy(wchar_t @ strDestination, wchar_t@ strSource) = *"LIB:MSVCRT.DLL;API:wcscpy;CONV:cdecl";
wchar_t @ wcsstr(wchar_t @ str, wchar_t @ strSearch) = *"LIB:MSVCRT.DLL;API:wcsstr;CONV:cdecl";
int wcscmp(wchar_t @ string1, wchar_t @ string2) = *"LIB:MSVCRT.DLL;API:wcscmp;CONV:cdecl";
int printf(char @ format) = *"LIB:MSVCRT.DLL;API:printf;CONV:cdecl";
BOOL CreateProcess(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = *"LIB:KERNEL32.DLL;API:CreateProcessA";
BOOL CloseHandle(HANDLE hObject) = *"LIB:KERNEL32.DLL;API:CloseHandle";
DWORD ResumeThread(HANDLE hThread) = *"LIB:KERNEL32.DLL;API:ResumeThread";
LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAllocEx";
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T @ lpNumberOfBytesWritten) = *"LIB:KERNEL32.DLL;API:WriteProcessMemory";
HMODULE GetModuleHandle(LPCTSTR lpModuleName) = *"LIB:KERNEL32.DLL;API:GetModuleHandleA";
HMODULE LoadLibrary(LPCTSTR lpFileName) = *"LIB:KERNEL32.DLL;API:LoadLibraryA";
FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName) = *"LIB:KERNEL32.DLL;API:GetProcAddress";
void @ VirtualAlloc(void @ lpAddress, uint32 dwSize, uint32 flAllocationType, uint32 flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAlloc";
int32 VirtualFree(void @ lpAddress, uint32 dwSize, uint32 dwFreeType) = *"LIB:KERNEL32.DLL;API:VirtualFree";
void Sleep(DWORD dwMilliseconds) = *"LIB:KERNEL32.DLL;API:Sleep";
void !FUNC(HWND hWnd, wchar_t @ text);
wchar_t @ !LPWSTR;
LPWSTR @ !LPPWSTR;
wchar_t title[MAX_PATH];
FARPROC work(LPPWSTR ptext) = &
{
LPWSTR text = ptext;
if (<int32>text) {
LPWSTR notepad = L" - 记事本";
LPWSTR str = wcsstr(text, notepad);
if (<int32>str&&!wcscmp(str, notepad)) {
wcscpy(str, L"");
wcscpy(@title[0], text);
wcscat(@title[0], L" - $$$$$$$$");
ptext = @title[0];
}
}
return GetProcAddress(GetModuleHandle("USER32.DLL"), "SetWindowTextW");
};
FUNC hook = &
{
work(@text);
ADD(EAX, 5);
MOV(ESP, EBP);
JMP(EAX);
};
void init(HANDLE hProcess) = &
{
LPVOID Page = VirtualAllocEx(hProcess, NULL, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (<int32>Page) {
uint32 size = cgen(ilof hook);
void @ buf = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
FUNC func = <FUNC>link(buf, <uint32>Page);
WriteProcessMemory(hProcess, Page, buf, size, NULL);
VirtualFree(buf, 0, MEM_RELEASE);
FARPROC Proc = GetProcAddress(LoadLibrary("USER32.DLL"), "SetWindowTextW");
do {
Sleep(1000);
int8 i8 = 0xE9;
if (!WriteProcessMemory(hProcess, Proc, @i8, sizeof(i8), NULL))
continue;
int32 i32 = <int32>Page-(<int32>Proc+5);
WriteProcessMemory(hProcess, <LPVOID>@(<LPBYTE>Proc)[1], @i32, sizeof(i32), NULL);
break;
} while (1);
}
printf("\"VirtualAllocEx\" %s!\n", <int32>Page?"success":"failure");
};
void main() = &
{
STARTUPINFO StartupInfo;
memset(@StartupInfo, 0, sizeof(STARTUPINFO));
StartupInfo.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION ProcessInformation;
BOOL Success = CreateProcess("c:\\windows\\system32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, "c:\\windows\\system32", @StartupInfo, @ProcessInformation);
if (Success) {
ResumeThread(ProcessInformation.hThread);
init(ProcessInformation.hProcess);
CloseHandle(ProcessInformation.hProcess);
CloseHandle(ProcessInformation.hThread);
}
printf("\"CreateProcess\" %s!\n", Success?"success":"failure");
};
