Injecting a DLL into a process started with CreateProcess — the DLL side (restores the patched entry point and trampolines back to it)


#include

#include

#include

#pragma comment (Lib, "ImageHLP.LIB")

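#pragma pack(push, 1) /* the stub is raw x86 machine code: no padding allowed between fields */

/*
 * Image of the stub the injector writes over the target process's entry
 * point. It is laid out as x86-32 instructions followed by the DLL path,
 * so offsetof() into this struct is an instruction address inside the
 * target. All addresses are DWORD: this code is 32-bit only.
 *
 * The only part this file writes is the tail (JMP_MOVEAX / JMP_VALUE /
 * JMP_EAX): InitApiSpy stores 0xB8 imm32 ("mov eax, imm32") and
 * 0xFF 0xE0 ("jmp eax") there. The leading fields are filled by the
 * injector, which is not in this file; from their names and the matching
 * popad in DoJmpEntryPoint they are presumably pushad / push &szDLL /
 * mov eax, LoadLibraryA / call eax -- TODO confirm against the injector.
 */
typedef struct {
    BYTE  int_PUSHAD;       /* expected: pushad, saves all registers before LoadLibrary */
    BYTE  int_PUSH;         /* expected: push imm32 */
    DWORD PUSH_VALUE;       /*   operand: address of szDLL inside the target */
    BYTE  int_MOVEAX;       /* expected: mov eax, imm32 */
    DWORD EAX_VALUE;        /*   operand: address of LoadLibraryA */
    WORD  CALL_EAX;         /* expected: call eax */
    BYTE  JMP_MOVEAX;       /* 0xB8: mov eax, imm32 (re-patched by InitApiSpy) */
    DWORD JMP_VALUE;        /*   operand: replaced with &DoJmpEntryPoint by InitApiSpy */
    WORD  JMP_EAX;          /* 0xFF 0xE0: jmp eax */
    CHAR  szDLL[MAX_PATH];  /* NUL-terminated path of the DLL to load */
} INJECT_LOADLIBRARY_CODE, *LPINJECT_CODE, INJECT_CODE;

/* NOTE: "pop, 1" pops the saved alignment and then sets packing to 1 again,
 * so every struct declared after this point in the file is still packed
 * with no padding. SPY_MEM_SHARE below crosses the process boundary through
 * a file mapping, so the injector must use the same packing. */
#pragma pack(pop, 1)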

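/*
 * Layout of the named section ("MyDllMapView") the injector shares with
 * this DLL. The injector (not in this file) creates and fills it; InitApiSpy
 * only reads it. Because the mapping is shared across processes, both sides
 * must declare it with identical packing (the pragma pack above leaves
 * packing at 1 for this file).
 */
typedef struct {
    LPBYTE lpEntryPoint;                  /* entry point of the target, i.e. where the stub was written */
    BYTE   OldCode[sizeof(INJECT_CODE)];  /* original bytes that the stub overwrote, restored by InitApiSpy */
} SPY_MEM_SHARE, *LPSPY_MEM_SHARE;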

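/*
 * State handed from InitApiSpy (runs inside LoadLibrary, during
 * DLL_PROCESS_ATTACH) to DoJmpEntryPoint (runs after LoadLibrary returns
 * to the stub). All addresses are DWORD: this code is x86-32 only.
 *
 * NOTE(review): field names reconstructed from their uses elsewhere in the
 * file; the first field's name was mangled in the original listing.
 */
typedef struct {
    DWORD lpEntryPoint;  /* original entry point of the target process */
    DWORD OldAddr;       /* address of the stub's "mov eax, imm32 / jmp eax" tail */
    DWORD OldCode[4];    /* original bytes at OldAddr; only [0] and [1] (8 bytes) are used */
} JMP_CODE, *LPJMP_CODE;

/* Single global because DoJmpEntryPoint is a naked trampoline with no
 * arguments; InitApiSpy fills it before the trampoline can ever run. */
static JMP_CODE _lpCode;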

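/*
 * Put back the 8 original bytes at the tail of the stub (the
 * "mov eax, imm32 / jmp eax" that InitApiSpy re-pointed at
 * DoJmpEntryPoint), so the target's entry-point region is fully original
 * before control is handed to it.
 *
 * Kept as an ordinary cdecl function rather than inline in the naked
 * trampoline: a naked function has no prolog, so locals there have no
 * frame and the original's local variables were relying on undefined
 * stack layout. If VirtualProtect fails the bytes are left as they are;
 * the trampoline still transfers control, so the target runs with a
 * patched tail but is not crashed by a write to a non-writable page.
 * FlushInstructionCache is required after modifying code that is about
 * to execute.
 */
static void RestoreEntryTail(void)
{
    DWORD *tail = (DWORD *)_lpCode.OldAddr;
    DWORD  oldProt;
    DWORD  dummy;

    if (!VirtualProtect(tail, 2 * sizeof(DWORD), PAGE_READWRITE, &oldProt))
        return;
    tail[0] = _lpCode.OldCode[0];
    tail[1] = _lpCode.OldCode[1];
    VirtualProtect(tail, 2 * sizeof(DWORD), oldProt, &dummy);
    FlushInstructionCache(GetCurrentProcess(), tail, 2 * sizeof(DWORD));
}

/*
 * Trampoline reached from the stub's "jmp eax" after LoadLibrary returns.
 * At this point ESP is exactly where the stub's pushad left it (the push
 * of the DLL path was consumed by LoadLibraryA's stdcall return), so:
 *   1. restore the stub tail (RestoreEntryTail clobbers eax/ecx/edx, which
 *      popad overwrites anyway),
 *   2. popad to recover the registers the stub saved,
 *   3. jump to the original entry point as if nothing had happened.
 * Naked: no prolog/epilog, no locals, never returns. MSVC x86 inline asm.
 */
void __declspec(naked) DoJmpEntryPoint(void)
{
    _asm call RestoreEntryTail
    _asm popad
    _asm jmp dword ptr [_lpCode.lpEntryPoint]
}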

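/*
 * Called from DllMain(DLL_PROCESS_ATTACH), i.e. from inside the stub's
 * LoadLibrary call and therefore under the loader lock (only kernel32
 * calls are made here). It:
 *   1. opens the section the injector filled ("MyDllMapView") to learn the
 *      target's entry point and the original bytes the stub replaced,
 *   2. records what DoJmpEntryPoint will need in _lpCode,
 *   3. writes the original bytes back over the whole stub,
 *   4. re-patches only the stub's tail with "mov eax, &DoJmpEntryPoint /
 *      jmp eax", so that when LoadLibrary returns into the stub, execution
 *      lands in the trampoline instead of the original JMP_VALUE.
 *
 * Returns TRUE on success, FALSE if the section cannot be opened or mapped
 * or a write fails. The original returned TRUE unconditionally and, when
 * the mapping was missing, wrote through an uninitialised pointer.
 *
 * Security notes: the section name is fixed and opened without any check
 * of who created it, and lpEntryPoint is trusted as-is; any local process
 * that creates a section of that name before this DLL loads controls the
 * address this code writes to. Also, the write lands on code that is
 * currently executing (the return address of the stub's "call eax" points
 * into it), so the restore and re-patch must both complete before this
 * function returns. x86-32 only (function address truncated to DWORD).
 */
BOOL WINAPI InitApiSpy(void)
{
    HANDLE          hMap;
    LPSPY_MEM_SHARE lpMem;
    SIZE_T          written = 0;
    BYTE           *lpTail;      /* address of the stub's "mov eax / jmp eax" tail in this process */
    DWORD           oldProt;
    DWORD           dummy;

    hMap = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, "MyDllMapView");
    if (hMap == NULL)
        return FALSE;

    lpMem = (LPSPY_MEM_SHARE)MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (lpMem == NULL || lpMem->lpEntryPoint == NULL) {
        if (lpMem != NULL)
            UnmapViewOfFile(lpMem);
        CloseHandle(hMap);
        return FALSE;
    }

    /* Save what the trampoline needs: where the tail is and its original bytes. */
    lpTail = lpMem->lpEntryPoint + offsetof(INJECT_CODE, JMP_MOVEAX);
    _lpCode.lpEntryPoint = (DWORD)lpMem->lpEntryPoint;
    _lpCode.OldAddr      = (DWORD)lpTail;
    memcpy(_lpCode.OldCode, lpMem->OldCode + offsetof(INJECT_CODE, JMP_MOVEAX), 2 * sizeof(DWORD));

    /* Restore the entire stub region to the original entry-point bytes.
     * WriteProcessMemory on the current process handles page protection itself. */
    if (!WriteProcessMemory(GetCurrentProcess(), lpMem->lpEntryPoint,
                            lpMem->OldCode, sizeof(INJECT_CODE), &written)
        || written != sizeof(INJECT_CODE)) {
        UnmapViewOfFile(lpMem);
        CloseHandle(hMap);
        return FALSE;
    }
    UnmapViewOfFile(lpMem);
    CloseHandle(hMap);

    /* Re-patch the tail: B8 imm32 = "mov eax, imm32", FF E0 = "jmp eax".
     * Temporarily PAGE_READWRITE, then the previous (executable) protection. */
    if (!VirtualProtect(lpTail, 2 * sizeof(DWORD), PAGE_READWRITE, &oldProt))
        return FALSE;
    lpTail[0]                 = 0xB8;
    *(DWORD *)(lpTail + 1)    = (DWORD)&DoJmpEntryPoint;
    *(WORD *)(lpTail + 5)     = 0xE0FF;
    VirtualProtect(lpTail, 2 * sizeof(DWORD), oldProt, &dummy);
    FlushInstructionCache(GetCurrentProcess(), lpTail, 2 * sizeof(DWORD));

    /* Hook point for whatever the DLL is meant to do in the target, e.g. MyFunc(); */
    return TRUE;
}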

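/*
 * DLL entry point. On DLL_PROCESS_ATTACH it runs InitApiSpy, which restores
 * the target's entry point and installs the trampoline; every other reason
 * code is ignored.
 *
 * Returning FALSE from DLL_PROCESS_ATTACH makes the stub's LoadLibrary call
 * fail and unloads this DLL; the stub then continues with whatever
 * JMP_VALUE the injector placed, which is not visible in this file.
 * The original listing's call here was mangled; it is InitApiSpy.
 */
BOOL APIENTRY DllMain(HANDLE hInstance, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hInstance;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        return InitApiSpy();
    return TRUE;
}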

