标 题: 庆祝编程版块开张,发个简单的loader
作 者: marxixing
时 间: 2005-06-06,21:48
链 接: http://bbs.pediy.com/showthread.php?threadid=14300
这是前两天写的一个小工具,用来替换SoftICE的Loader的功能,因为它在我的系统上总是不好用,郁闷,类似PELord的Break Enter的功能,原理是在入口点插入int3断点,从而实现入口处在SoftICE中断下。当然前提是你要先在SoftIC
E中设置断点bpint 3. 有bug的话给我写信,目前不支持dll的导入,以后可能会考虑加上。
#include<stdio.h>
#include<windows.h>
#include<winuser.h>
#pragma comment(lib,"user32.lib")
DWORD EntryPoint(LPVOID ImageBase) //获得文件入口点的虚拟地址
{
PIMAGE_DOS_HEADER pDH=NULL;
PIMAGE_NT_HEADERS pNtH=NULL;
PIMAGE_OPTIONAL_HEADER pOH=NULL;
if(!ImageBase)
return NULL;
pDH=(PIMAGE_DOS_HEADER)ImageBase;
if(pDH->e_magic!=IMAGE_DOS_SIGNATURE)
return NULL;
pNtH=(PIMAGE_NT_HEADERS)((DWORD)pDH+pDH->e_lfanew);
if(pNtH->Signature!=IMAGE_NT_SIGNATURE)
return NULL;
pOH=&pNtH->OptionalHeader;
return pOH->AddressOfEntryPoint+pOH->ImageBase;
}
int main(int argc, char *argv[])
{
BYTE dbInt3=0xCC;
DWORD OldProtect;
BYTE Ori;
DWORD ReadByte;
DWORD Entry;
HANDLE hfile, hMap, p_MapFile;
char szBuffer[100]={0};
if(argc<=1)
{
printf("Useage: SIloader <FileName> \nINT 3 Breakpoint Tool for SoftICE, Code by Marxixing@tom.com at 06/04/2005\n");
return -1;
}
if((hfile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,\
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL))==INVALID_HANDLE_VALUE)
{
printf("Can not open file, error code %d\n",GetLastError());
ExitProcess(NULL);
}
if ((hMap = CreateFileMapping(hfile, NULL, PAGE_READWRITE, 0, 0, NULL))==NULL)
{
printf("Can not create file mapping!\n");
CloseHandle(hfile);
}
if ((p_MapFile = MapViewOfFile(hMap, FILE_MAP_WRITE, 0, 0, 0))==NULL)
{
printf("Can not map file!\n");
CloseHandle(hMap);
}
Entry=EntryPoint(p_MapFile);
UnmapViewOfFile(p_MapFile);
CloseHandle(hMap);
CloseHandle(hfile);
STARTUPINFO stStartUp;
PROCESS_INFORMATION stProcInfo;
GetStartupInfo(&stStartUp);
if(!CreateProcess(argv[1],NULL,NULL,NULL,NULL,CREATE_SUSPENDED,\
NULL,NULL,&stStartUp,&stProcInfo)) //进程创建时处于挂起状态
{
printf("CreateProcess fail! error code %d\n",GetLastError());
ExitProcess(NULL);
}
if(ReadProcessMemory(stProcInfo.hProcess,(LPVOID)Entry,&Ori,1,&ReadByte)==NULL) //读取入口点原来的内容
{
printf("ReadProcessMemory Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
if(WriteProcessMemory(stProcInfo.hProcess,(LPVOID)Entry,&dbInt3,1,NULL)==NULL) //写入int3断点
{
printf("WriteProcessMemory Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
wsprintf(szBuffer,"%c**[SIloader]*********%c\n%c Type \"EB EIP %X\" %c\n%c*********************%c\n",201,187,186,Ori,186,200,188);
OutputDebugString(szBuffer); //向调试器发出修改当前指令的信息
if(ResumeThread(stProcInfo.hThread)==-1) //恢复进程的运行,会中断在SoftICE中
{
printf("ResumeThread Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
CloseHandle(&stProcInfo.dwThreadId);
CloseHandle(&stProcInfo.dwProcessId);
return 1;
}
作 者: marxixing
时 间: 2005-06-06,21:48
链 接: http://bbs.pediy.com/showthread.php?threadid=14300
这是前两天写的一个小工具,用来替换SoftICE的Loader的功能,因为它在我的系统上总是不好用,郁闷,类似PELord的Break Enter的功能,原理是在入口点插入int3断点,从而实现入口处在SoftICE中断下。当然前提是你要先在SoftIC
E中设置断点bpint 3. 有bug的话给我写信,目前不支持dll的导入,以后可能会考虑加上。
#include<stdio.h>
#include<windows.h>
#include<winuser.h>
#pragma comment(lib,"user32.lib")
DWORD EntryPoint(LPVOID ImageBase) //获得文件入口点的虚拟地址
{
PIMAGE_DOS_HEADER pDH=NULL;
PIMAGE_NT_HEADERS pNtH=NULL;
PIMAGE_OPTIONAL_HEADER pOH=NULL;
if(!ImageBase)
return NULL;
pDH=(PIMAGE_DOS_HEADER)ImageBase;
if(pDH->e_magic!=IMAGE_DOS_SIGNATURE)
return NULL;
pNtH=(PIMAGE_NT_HEADERS)((DWORD)pDH+pDH->e_lfanew);
if(pNtH->Signature!=IMAGE_NT_SIGNATURE)
return NULL;
pOH=&pNtH->OptionalHeader;
return pOH->AddressOfEntryPoint+pOH->ImageBase;
}
int main(int argc, char *argv[])
{
BYTE dbInt3=0xCC;
DWORD OldProtect;
BYTE Ori;
DWORD ReadByte;
DWORD Entry;
HANDLE hfile, hMap, p_MapFile;
char szBuffer[100]={0};
if(argc<=1)
{
printf("Useage: SIloader <FileName> \nINT 3 Breakpoint Tool for SoftICE, Code by Marxixing@tom.com at 06/04/2005\n");
return -1;
}
if((hfile = CreateFile(argv[1], GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,\
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL))==INVALID_HANDLE_VALUE)
{
printf("Can not open file, error code %d\n",GetLastError());
ExitProcess(NULL);
}
if ((hMap = CreateFileMapping(hfile, NULL, PAGE_READWRITE, 0, 0, NULL))==NULL)
{
printf("Can not create file mapping!\n");
CloseHandle(hfile);
}
if ((p_MapFile = MapViewOfFile(hMap, FILE_MAP_WRITE, 0, 0, 0))==NULL)
{
printf("Can not map file!\n");
CloseHandle(hMap);
}
Entry=EntryPoint(p_MapFile);
UnmapViewOfFile(p_MapFile);
CloseHandle(hMap);
CloseHandle(hfile);
STARTUPINFO stStartUp;
PROCESS_INFORMATION stProcInfo;
GetStartupInfo(&stStartUp);
if(!CreateProcess(argv[1],NULL,NULL,NULL,NULL,CREATE_SUSPENDED,\
NULL,NULL,&stStartUp,&stProcInfo)) //进程创建时处于挂起状态
{
printf("CreateProcess fail! error code %d\n",GetLastError());
ExitProcess(NULL);
}
if(ReadProcessMemory(stProcInfo.hProcess,(LPVOID)Entry,&Ori,1,&ReadByte)==NULL) //读取入口点原来的内容
{
printf("ReadProcessMemory Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
if(WriteProcessMemory(stProcInfo.hProcess,(LPVOID)Entry,&dbInt3,1,NULL)==NULL) //写入int3断点
{
printf("WriteProcessMemory Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
wsprintf(szBuffer,"%c**[SIloader]*********%c\n%c Type \"EB EIP %X\" %c\n%c*********************%c\n",201,187,186,Ori,186,200,188);
OutputDebugString(szBuffer); //向调试器发出修改当前指令的信息
if(ResumeThread(stProcInfo.hThread)==-1) //恢复进程的运行,会中断在SoftICE中
{
printf("ResumeThread Function fail, error code %d\n",GetLastError());
TerminateProcess(stProcInfo.hProcess,-1);
}
CloseHandle(&stProcInfo.dwThreadId);
CloseHandle(&stProcInfo.dwProcessId);
return 1;
}
浙公网安备 33010602011771号