|
@@ -11,6 +11,9 @@ CALLDATA _cd_Disconnect;
|
|
|
CALLDATA _cd_CheckFW;
|
|
|
CALLDATA _cd_SaveAsOutputData;
|
|
|
|
|
|
+// 调试耗时值ms;
|
|
|
+DWORD dwElapsed = 0;
|
|
|
+
|
|
|
// 8组寄存器存储;
|
|
|
DWORD dwEAX = 0;
|
|
|
DWORD dwEBX = 0;
|
|
@@ -34,10 +37,18 @@ void ChangeSDK(int nSDK); // 0=410SDK, 1=310SDK;
|
|
|
|
|
|
void InitCallData()
|
|
|
{
|
|
|
- // Go
|
|
|
+ // Go
|
|
|
_cd_Go.myCall = Call_MyGo;
|
|
|
- _cd_Go.dwBack2Addr = 0x00417B2A;
|
|
|
- _cd_Go.dwOriginalAddr = 0x00417B25;
|
|
|
+ _cd_Go.dwBack2Addr = 0x004376B0;
|
|
|
+ // 004376AB | E8 50A30C00 | call demo.501A00
|
|
|
+ _cd_Go.dwOriginalAddr = 0x004376AB;
|
|
|
+ _cd_Go.dwOriginalCallAddr = 0x00501A00;
|
|
|
+
|
|
|
+ _cd_Go.nMyCallDataLen = JMP_DLEN;
|
|
|
+ memset(_cd_Go.szMyCallData, 0x90, CALL_LEN);
|
|
|
+ _cd_Go.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
+ *(LPDWORD)(&_cd_Go.szMyCallData[1]) = (DWORD)_cd_Go.myCall - _cd_Go.dwOriginalAddr - JMP_DLEN;
|
|
|
+
|
|
|
|
|
|
// Connect
|
|
|
_cd_Connect.myCall = Call_MyConnect;
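Review bot: The jmp stub assembled at the end of the Go block (memset to 0x90, the 0xE9 opcode, the displacement) is rebuilt byte-for-byte by HijackedCall2 every time a hook is installed, so one of the two copies is redundant, and they already disagree on the displacement constant (`JMP_DLEN` here, a literal `5` in HijackedCall2). Keep the construction in one place — HijackedCall2 is the natural home since it runs for every CALLDATA — and let InitCallData only fill in addresses and lengths. Only _cd_Go receives `nMyCallDataLen` in this hunk; the other entries appear to be zero-initialised file-scope globals, so passing them to HijackedCall2 would write zero bytes rather than a stub. InitCallData's body continues past this hunk.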
|
|
@@ -55,12 +66,42 @@ void InitCallData()
|
|
|
_cd_CheckFW.dwOriginalAddr = 0x00417B25;
|
|
|
|
|
|
// SaveAsOutputData
|
|
|
+ // 004376AB
|
|
|
_cd_SaveAsOutputData.myCall = Call_MySaveAsOutputData;
|
|
|
_cd_SaveAsOutputData.dwBack2Addr = 0x00417B2A;
|
|
|
_cd_SaveAsOutputData.dwOriginalAddr = 0x00417B25;
|
|
|
}
|
|
|
|
|
|
// 劫持原始地址;
|
|
|
+BOOL HijackedCall2(CALLDATA *pCallData)
|
|
|
+{
|
|
|
+ if ( !pCallData )
|
|
|
+ return FALSE;
|
|
|
+
|
|
|
+ memset(pCallData->szMyCallData, 0x90, CALL_LEN);
|
|
|
+ pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
+ *(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - 5;
|
|
|
+
|
|
|
+
|
|
|
+ HANDLE hProc = GetCurrentProcess();
|
|
|
+ // 将要劫持的地址指令备份下来;
|
|
|
+ memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
|
|
|
+ if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, pCallData->nOriginalAddrDataLen, NULL) )
|
|
|
+ {
|
|
|
+ MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
|
|
|
+ return FALSE;
|
|
|
+ }
|
|
|
+
|
|
|
+ // 将我们的Call地址指令写入目标地址;
|
|
|
+ if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, pCallData->nMyCallDataLen, NULL) )
|
|
|
+ {
|
|
|
+ MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
|
|
|
+ return FALSE;
|
|
|
+ }
|
|
|
+
|
|
|
+ return TRUE;
|
|
|
+}
|
|
|
+
|
|
|
BOOL HijackedCall(CALLDATA *pCallData)
|
|
|
{
|
|
|
if ( !pCallData )
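Review bot: The backup taken by HijackedCall2 reads `pCallData->nOriginalAddrDataLen` bytes, but nothing in this commit assigns that field for _cd_Go (InitCallData sets only nMyCallDataLen), while RecoveryCall later writes CALL_LEN bytes back; if the length is left at zero the buffer stays all zeros after the memset and a later recovery would overwrite the call site with zeros. Either set nOriginalAddrDataLen next to nMyCallDataLen in InitCallData or back up the same length that is restored, e.g. `ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL)`. The displacement line uses a literal `5` where InitCallData uses `JMP_DLEN`; use the named constant in both places. The comment `// 004376AB` inserted above the SaveAsOutputData block names the Go hook's address while that block still uses 0x00417B25, so it should be removed or moved. HijackedCall, whose signature ends this hunk, continues outside it.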
|
|
@@ -114,6 +155,21 @@ BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)
|
|
|
return TRUE;
|
|
|
}
|
|
|
|
|
|
+BOOL RecoveryCall(CALLDATA *pCallData)
|
|
|
+{
|
|
|
+ if ( !pCallData )
|
|
|
+ return FALSE;
|
|
|
+
|
|
|
+ // 将我们的Call地址指令写入目标地址;
|
|
|
+ if ( !WriteProcessMemory(GetCurrentProcess(), (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
|
|
|
+ {
|
|
|
+ MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
|
|
|
+ return FALSE;
|
|
|
+ }
|
|
|
+
|
|
|
+ return TRUE;
|
|
|
+}
|
|
|
+
|
|
|
void __declspec(naked) Call_MySaveAsOutputData()
|
|
|
{
|
|
|
//004AB3FC
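Review bot: RecoveryCall restores a fixed CALL_LEN bytes regardless of how many HijackedCall2 actually backed up (it reads nOriginalAddrDataLen), and it never checks that a backup exists, so calling it on a CALLDATA that was never hooked writes CALL_LEN zero bytes over live code. Restore `pCallData->nOriginalAddrDataLen` bytes and return FALSE when that length is zero, so backup and restore always agree. The comment above the write is copied from HijackedCall2 and describes installing the hook; it should say what this function does, e.g. `// write the backed-up original instruction bytes back to the hooked address`. Call_MySaveAsOutputData, whose opening lines end this hunk, continues outside it.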
|
|
@@ -145,6 +201,13 @@ void __declspec(naked) Call_MySaveAsOutputData()
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+void MyGo()
|
|
|
+{
|
|
|
+ TCHAR szMsg[MAX_PATH];
|
|
|
+ DWORD dwElapsedAddr = 0x0052DF54;
|
|
|
+ _stprintf_s(szMsg, _T("MyGo耗时:%ldms"), *(LPDWORD)dwElapsedAddr);
|
|
|
+ MessageBox(NULL, szMsg, _T("MyGo"), MB_OK);
|
|
|
+}
|
|
|
|
|
|
void __declspec(naked) Call_MyGo()
|
|
|
{
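Review bot: MyGo formats a DWORD with `%ld`; DWORD is an unsigned 32-bit type, so the conversion should be `%lu`: `_stprintf_s(szMsg, _T("MyGo耗时:%lums"), *(LPDWORD)dwElapsedAddr);`. The value is read through the hard-coded address 0x0052DF54 held in a local, which does not touch the `dwElapsed` global this commit adds at the top of the file; if both are meant to be the same quantity one of them is dead, and if not, the constant belongs with the other fixed addresses in InitCallData or as a named definition rather than a magic number inside the function. Call_MyGo, whose brace ends this hunk, continues outside it.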
|
|
@@ -160,10 +223,11 @@ void __declspec(naked) Call_MyGo()
|
|
|
mov dwESI, ESI;
|
|
|
mov dwEDI, EDI;
|
|
|
}
|
|
|
+
|
|
|
+ MyGo();
|
|
|
|
|
|
-
|
|
|
- MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
|
|
|
-
|
|
|
+ //MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
|
|
|
+ //RecoveryCall(&_cd_Go);
|
|
|
|
|
|
__asm{
|
|
|
// 恢复寄存器;
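Review bot: The old MessageBox call and the RecoveryCall line are left behind as commented-out code rather than deleted; version control keeps that history, so remove the two `//` lines. If leaving the hook installed (no RecoveryCall) is now intentional because the original call is re-executed at the end of the function, a one-line comment stating that would be more useful than the disabled call, e.g. `// hook stays installed: the original call is re-issued below`. Call_MyGo starts and ends outside this hunk.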
|
|
@@ -175,8 +239,10 @@ void __declspec(naked) Call_MyGo()
|
|
|
mov ESP, dwESP;
|
|
|
mov ESI, dwESI;
|
|
|
mov EDI, dwEDI;
|
|
|
- // 最后返回原Call地址下一行;
|
|
|
- jmp _cd_Go.dwBack2Addr;
|
|
|
+ // 执行原Call;
|
|
|
+ call _cd_Go.dwOriginalCallAddr
|
|
|
+ // 返回劫持地址下一行;
|
|
|
+ jmp _cd_Go.dwBack2Addr
|
|
|
}
|
|
|
}
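Review bot: MyGo() is invoked earlier in this function, before the new `call _cd_Go.dwOriginalCallAddr`, so the elapsed-time value it displays presumably reflects memory as it was before the original routine runs; if the intent is to report the time taken by this invocation, the read has to happen after the call returns, with the registers saved and restored around it. The two new `call`/`jmp` lines also drop the trailing semicolons every other line of this __asm block uses; keep them consistent, `call _cd_Go.dwOriginalCallAddr;` and `jmp _cd_Go.dwBack2Addr;`. It would help a reader to note in the `// 返回劫持地址下一行;` comment that dwBack2Addr is the instruction following the 5-byte call patched at dwOriginalAddr, which is what makes the jump correct. Call_MyGo's body starts outside this hunk.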
|
|
|
|