Perfect MemoryLoader 绕过ring3层 所有API HOOK

类似TMD壳的系统DLL重载功能  B4kIcHA  
非LoadLibrary型系统模块重加载  FEkx&9]  
当然了 我这个代码任何模块包括EXE等等都是可以拿来MemoryLoader的 @c.pOX[]m,  
导出函数随意安全调用 EXE不存在的重定位话注意加载基址莫冲突 DLL不存在这个问题  e.N#+  
^dro*a,  
加载后模块是隐藏的 过XUETR等任何ARK工具查看 过国内任何杀软并且不报毒  谁叫我们是源码呢 当然你的函数调用系统功能号触犯杀软的RING0过滤规则就另当别论了  mwt3EV5  
Af;$ }P  
//2012/2/15  BY 金在中 QQ88009720 RW'QU`N[Y  
//Perfect MemoryLoader },l3N K  
//If you use this code freely  ,You can pass all the ring3 API hook; % 74}H8q_z  
=dPrG=A  

复制代码 #include <stdio.h> #include <Windows.h> #include <winnt.h>  typedef void *HMEMORYLOADER; void MemoryFreeLibrary(HMEMORYLOADER); #define POINTER_TYPE DWORD typedef struct {  PIMAGE_NT_HEADERS headers;  unsigned char *codeBase;  HMODULE *modules;  int numModules;  int initialized; } MEMORYMODULE, *PMEMORYMODULE; typedef BOOL (WINAPI *DllEntryProc)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved); #define GET_HEADER_DICTIONARY(module, idx) &(module)->headers->OptionalHeader.DataDirectory[idx] static void CopySections(const unsigned char *data, PIMAGE_NT_HEADERS old_headers, PMEMORYMODULE module) {  int i, size;  unsigned char *codeBase = module->codeBase;  unsigned char *dest;  PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(module->headers);  for (i=0; i<module->headers->FileHeader.NumberOfSections; i++, section++) {   if (section->SizeOfRawData == 0) {    size = old_headers->OptionalHeader.SectionAlignment;    if (size > 0) {     dest = (unsigned char *)VirtualAlloc(codeBase + section->VirtualAddress,      size,      MEM_COMMIT,      PAGE_READWRITE);     section->Misc.PhysicalAddress = (POINTER_TYPE)dest;     memset(dest, 0, size);    }    continue;   }   dest = (unsigned char *)VirtualAlloc(codeBase + section->VirtualAddress,    section->SizeOfRawData,    MEM_COMMIT,    PAGE_READWRITE);   memcpy(dest, data + section->PointerToRawData, section->SizeOfRawData);   section->Misc.PhysicalAddress = (POINTER_TYPE)dest;  } } static int ProtectionFlags[2][2][2] = {  {   {PAGE_NOACCESS, PAGE_WRITECOPY},   {PAGE_READONLY, PAGE_READWRITE},  }, {   {PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY},   {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE},  }, }; static void FinalizeSections(PMEMORYMODULE module) {  int i;  PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(module->headers); #define imageOffset 0  for (i=0; i<module->headers->FileHeader.NumberOfSections; i++, section++) {   DWORD protect, oldProtect, size;   int executable = (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;   int readable =   (section->Characteristics & IMAGE_SCN_MEM_READ) != 0;   int writeable =  (section->Characteristics & IMAGE_SCN_MEM_WRITE) != 0;   if (section->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) {    VirtualFree((LPVOID)((POINTER_TYPE)section->Misc.PhysicalAddress | imageOffset), section->SizeOfRawData, MEM_DECOMMIT);    continue;   }   protect = ProtectionFlags[executable][readable][writeable];   if (section->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) {    protect |= PAGE_NOCACHE;   }   size = section->SizeOfRawData;   if (size == 0) {    if (section->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) {     size = module->headers->OptionalHeader.SizeOfInitializedData;    } else if (section->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) {     size = module->headers->OptionalHeader.SizeOfUninitializedData;    }   }   if (size > 0) {    if (VirtualProtect((LPVOID)((POINTER_TYPE)section->Misc.PhysicalAddress | imageOffset), size, protect, &oldProtect) == 0);      }  } } static void PerformBaseRelocation(PMEMORYMODULE module, SIZE_T delta) {  DWORD i;  unsigned char *codeBase = module->codeBase;  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_BASERELOC);  if (directory->Size > 0) {   PIMAGE_BASE_RELOCATION relocation = (PIMAGE_BASE_RELOCATION) (codeBase + directory->VirtualAddress);   for (; relocation->VirtualAddress > 0; ) {    unsigned char *dest = codeBase + relocation->VirtualAddress;    unsigned short *relInfo = (unsigned short *)((unsigned char *)relocation + IMAGE_SIZEOF_BASE_RELOCATION);    for (i=0; i<((relocation->SizeOfBlock-IMAGE_SIZEOF_BASE_RELOCATION) / 2); i++, relInfo++) {     DWORD *patchAddrHL;     int type, offset;     type = *relInfo >> 12;     offset = *relInfo & 0xfff;     switch (type)     {     case IMAGE_REL_BASED_ABSOLUTE:      break;     case IMAGE_REL_BASED_HIGHLOW:      patchAddrHL = (DWORD *) (dest + offset);      *patchAddrHL += (DWORD)delta;      break;     default:      break;     }    }    relocation = (PIMAGE_BASE_RELOCATION) (((char *) relocation) + relocation->SizeOfBlock);   }  } } static int BuildImportTable(PMEMORYMODULE module) {  int result=1;  unsigned char *codeBase = module->codeBase;  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_IMPORT);  if (directory->Size > 0) {   PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR) (codeBase + directory->VirtualAddress);   for (; !IsBadReadPtr(importDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR)) && importDesc->Name; importDesc++) {    POINTER_TYPE *thunkRef;    FARPROC *funcRef;    HMODULE handle = LoadLibraryA((LPCSTR) (codeBase + importDesc->Name));    if (handle == INVALID_HANDLE_VALUE)    {     result = 0;     break;    }    module->modules = (HMODULE *)realloc(module->modules, (module->numModules+1)*(sizeof(HMODULE)));    if (module->modules == NULL) {     result = 0;     break;    }    module->modules[module->numModules++] = handle;    if (importDesc->OriginalFirstThunk) {     thunkRef = (POINTER_TYPE *) (codeBase + importDesc->OriginalFirstThunk);     funcRef = (FARPROC *) (codeBase + importDesc->FirstThunk);    } else {     thunkRef = (POINTER_TYPE *) (codeBase + importDesc->FirstThunk);     funcRef = (FARPROC *) (codeBase + importDesc->FirstThunk);    }    for (; *thunkRef; thunkRef++, funcRef++) {     if (IMAGE_SNAP_BY_ORDINAL(*thunkRef)) {      *funcRef = (FARPROC)GetProcAddress(handle, (LPCSTR)IMAGE_ORDINAL(*thunkRef));     } else {      PIMAGE_IMPORT_BY_NAME thunkData = (PIMAGE_IMPORT_BY_NAME) (codeBase + (*thunkRef));      *funcRef = (FARPROC)GetProcAddress(handle, (LPCSTR)&thunkData->Name);     }     if (*funcRef == 0) {      result = 0;      break;     }    }    if (!result) {     break;    }   }  }  return result; } HMEMORYLOADER MemoryLoadLibrary(const void *data) {  PMEMORYMODULE result;  PIMAGE_DOS_HEADER dos_header;  PIMAGE_NT_HEADERS old_header;  unsigned char *code, *headers;  SIZE_T locationDelta;  DllEntryProc DllEntry;  BOOL successfull;  dos_header = (PIMAGE_DOS_HEADER)data;  if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)  {   return NULL;  }  old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(data))[dos_header->e_lfanew];  if (old_header->Signature != IMAGE_NT_SIGNATURE)  {   return NULL;  }  code = (unsigned char *)VirtualAlloc((LPVOID)(old_header->OptionalHeader.ImageBase),   old_header->OptionalHeader.SizeOfImage,   MEM_RESERVE,   PAGE_READWRITE);  if (code == NULL) {   code = (unsigned char *)VirtualAlloc(NULL,    old_header->OptionalHeader.SizeOfImage,    MEM_RESERVE,    PAGE_READWRITE);   if (code == NULL)   {    return NULL;   }  }  result = (PMEMORYMODULE)HeapAlloc(GetProcessHeap(), 0, sizeof(MEMORYMODULE));  result->codeBase = code;  result->numModules = 0;  result->modules = NULL;  result->initialized = 0;  VirtualAlloc(code,   old_header->OptionalHeader.SizeOfImage,   MEM_COMMIT,   PAGE_READWRITE);  headers = (unsigned char *)VirtualAlloc(code,   old_header->OptionalHeader.SizeOfHeaders,   MEM_COMMIT,   PAGE_READWRITE);  memcpy(headers, dos_header, dos_header->e_lfanew + old_header->OptionalHeader.SizeOfHeaders);  result->headers = (PIMAGE_NT_HEADERS)&((const unsigned char *)(headers))[dos_header->e_lfanew];  result->headers->OptionalHeader.ImageBase = (POINTER_TYPE)code;  CopySections((const unsigned char *)data, old_header, result);  locationDelta = (SIZE_T)(code - old_header->OptionalHeader.ImageBase);  if (locationDelta != 0) {   PerformBaseRelocation(result, locationDelta);  }  if (!BuildImportTable(result)) {   goto error;  }  FinalizeSections(result);  if (result->headers->OptionalHeader.AddressOfEntryPoint != 0) {   DllEntry = (DllEntryProc) (code + result->headers->OptionalHeader.AddressOfEntryPoint);   if (DllEntry == 0)   {    goto error;   }   successfull = (*DllEntry)((HINSTANCE)code, DLL_PROCESS_ATTACH, 0);   if (!successfull)   {    goto error;   }   result->initialized = 1;  }  return (HMEMORYLOADER)result; error:  MemoryFreeLibrary(result);  return NULL; } FARPROC MemoryGetProcAddress(HMEMORYLOADER module, const char *name) {  unsigned char *codeBase = ((PMEMORYMODULE)module)->codeBase;  int idx=-1;  DWORD i, *nameRef;  WORD *ordinal;  PIMAGE_EXPORT_DIRECTORY exports;  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY((PMEMORYMODULE)module, IMAGE_DIRECTORY_ENTRY_EXPORT);  if (directory->Size == 0) {   return NULL;  }  exports = (PIMAGE_EXPORT_DIRECTORY) (codeBase + directory->VirtualAddress);  if (exports->NumberOfNames == 0 || exports->NumberOfFunctions == 0) {   return NULL;  }  nameRef = (DWORD *) (codeBase + exports->AddressOfNames);  ordinal = (WORD *) (codeBase + exports->AddressOfNameOrdinals);  for (i=0; i<exports->NumberOfNames; i++, nameRef++, ordinal++) {   if (_stricmp(name, (const char *) (codeBase + (*nameRef))) == 0) {    idx = *ordinal;    break;   }  }  if (idx == -1) {   return NULL;  }  if ((DWORD)idx > exports->NumberOfFunctions) {   return NULL;  }  return (FARPROC) (codeBase + (*(DWORD *) (codeBase + exports->AddressOfFunctions + (idx*4)))); } void MemoryFreeLibrary(HMEMORYLOADER mod) {  int i;  PMEMORYMODULE module = (PMEMORYMODULE)mod;  if (module != NULL) {   if (module->initialized != 0) {    DllEntryProc DllEntry = (DllEntryProc) (module->codeBase + module->headers->OptionalHeader.AddressOfEntryPoint);    (*DllEntry)((HINSTANCE)module->codeBase, DLL_PROCESS_DETACH, 0);    module->initialized = 0;   }   if (module->modules != NULL) {    for (i=0; i<module->numModules; i++) {     if (module->modules != INVALID_HANDLE_VALUE) {      FreeLibrary(module->modules);     }    }    free(module->modules);   }   if (module->codeBase != NULL) {    VirtualFree(module->codeBase, 0, MEM_RELEASE);   }   HeapFree(GetProcessHeap(), 0, module);  } }

Au9Rr3n  
以上代码已经完整 如若要调用例程和注释的 自行购买附件 [5H#ay  
MemoryLoader.rar (34 K) 下载次数:73 售价:100金钱 5~v({R.  
v81<K*w`P  

强大的东西，速度拿下

看样子很强大的说 做个记号 说不定哪天要用到

例程中把loader函数封装了下 C[fefV9g2  
^W sgAyCB  
给出了一个简单的MessageboxA 调用 O)W+rmToI  
但是OD下断 MessageboxA Z;N3mD+\ye  
                  MessageboxW _#
Hd2h  
                  MessageboxExW +\["HS7+'0  
                  MessageboxExA 4"|3pMr  
? #a&eW  
都无法断下  p8XvfM  
&KBDrJEX  
代码只要灵活运用 胜过那些虚伪的高价壳   iOfO+3'Z_U  
#yIHr&'oX  
7C
p/{l;d  
其实说穿了 TMD这种壳以前也就是拉圾的 内存IAT转发类型加密IAT  所以只要谨慎的对比静态PE文件和进程内存就可以还原TMD的IAT X*MK(aV3  
|X*y-d77W  
但是如果你是用我这代码编译生成的文件话 就是无IAT的真正动态调用 基本很难还原 如果再加个壳的话那强度可想而知了 &0f/ F:M  
vn*K\,  

myfunc.h在哪里

引用

引用第4楼8970665于2012-02-05 17:52发表的 : ~^ '+.  
myfunc.h在哪里 !,7)ZW?*8  

}.=wQ_  
pnv)D} "  
&)!N 5Veb  
{ueDwnZ  
没调用到那头文件 你删掉即可 a(`"qS  

小金子。。。。。。。。。厉害啊。。。。。

做个记号 说不定哪天要用到

先留个名，谢谢分享

这个要顶啊，感谢分享！！！