C#绝地求生驱动注入源码包括易语言调用例子
<div>'调用</div><div>安装注入驱动 (“r5apex.exe”, #DLL)</div>.版本 2.子程序 Icx_内存注入, 整数型, 公开
.参数 进程名, 文本型
.参数 注入文件, 字节集
.局部变量 port, _INJECTMEMBIN
.局部变量 名字字节, 字节集
.局部变量 文件字节, 字节集
.局部变量 文件长度, 整数型
.局部变量 返回数据, 整数型
.局部变量 实际输出, 整数型
' User-mode side of the injector: packs the target process name and the raw DLL
' bytes into a _INJECTMEMBIN request and sends it to the driver via DeviceIoControl.
'   进程名   - process image name the driver is asked to match
'   注入文件 - DLL image as a byte set
'   returns  - the 4-byte value the driver writes back (its meaning is defined on
'              the driver side, not here)
' 设备句柄, #INITSTART, _INJECTMEMBIN and DeviceIoControl_INJECTMEMBIN are defined
' elsewhere in the project; the device handle is presumably opened by 安装注入驱动.
' Note: the request carries raw user-mode addresses of two locals, so the driver is
' trusted to read them only for the duration of this call; nothing here validates
' the driver's reply or the 实际输出 byte count.
' (earlier variant that used a fixed 16-byte name buffer, kept commented out:)
' 名字字节 = 取空白字节集 (16)
' ANSI bytes of the process name followed by a 0 terminator
名字字节 = 到字节集 (进程名) + { 0 }
文件长度 = 取字节集长度 (注入文件)
' the blank buffer allocated here is replaced by the copy on the next line, so this
' allocation is redundant
文件字节 = 取空白字节集 (文件长度)
文件字节 = 注入文件
' request fields: address of the name bytes, address of the DLL bytes, DLL length —
' each stored as a 64-bit integer, which is consistent with the 24-byte size passed below
port.进程名 = 到长整数 (取变量地址_字节集型_ (名字字节))
port.注入文件 = 到长整数 (取变量地址_字节集型_ (文件字节))
port.文件大小 = 到长整数 (文件长度)
' control code #INITSTART: 24-byte input block, 4-byte output into 返回数据;
' the call's own return value is not checked
DeviceIoControl_INJECTMEMBIN (设备句柄, #INITSTART, port, 24, 返回数据, 4, 实际输出, 0)
返回 (返回数据)
/*
 * Image-load notify callback (PLOAD_IMAGE_NOTIFY_ROUTINE signature; where it is
 * registered is not shown in this excerpt, and the "驱动部分" / "driver part"
 * heading fused onto the signature line is page-extraction residue).
 *
 * When the image name of the loading process matches the global InjectName and
 * the image being mapped is System32\ntdll.dll, the routine opens the process,
 * allocates two regions in it, writes InjectDllBuff plus two shellcode stubs and
 * a PARAMX block, and overwrites the first 5 bytes of the function resolved as
 * "ZwContinue" in the freshly mapped ntdll with an E9 rel32 jump to the stub.
 *
 * Review notes on the code as posted:
 *  - PsLookupProcessByProcessId takes a reference on pEprocess; no
 *    ObDereferenceObject appears here, and the PROCESS_ALL_ACCESS kernel handle
 *    stored in the global ProcessHandle is never closed in this routine, so both
 *    leak on every path, including the early goto exits.
 *  - FullImageName is annotated __in_opt but is dereferenced unconditionally, and
 *    a UNICODE_STRING Buffer is not guaranteed to be NUL-terminated as wcsstr assumes.
 *  - Every ZwWriteVirtualMemory return value is ignored; DllMemory is not
 *    NULL-checked although ShellCodeMemory is.
 *  - Status is assigned and never read.
 *
 * Detection notes: the end state visible from these lines is an exported ntdll
 * function whose first bytes no longer match the on-disk image and jump into a
 * private (non-image) allocation, a second private allocation holding a DLL
 * image, a transient PAGE_EXECUTE_READWRITE change on ntdll, and the DbgPrint
 * strings below emitted from kernel mode. Hook-integrity and memory-scanning
 * tooling keys on exactly these artifacts.
 */
驱动部分VOID LoadImageNotifyRoutine(__in_opt PUNICODE_STRINGFullImageName, __in HANDLEProcessId, __in PIMAGE_INFOImageInfo) {
// VMProtect marker: everything up to VMProtectEnd() is tagged for the protector tool
VMProtectBegin("VMProtect8");
// unused: nothing below reads or writes Status
NTSTATUS Status = STATUS_SUCCESS;
PEPROCESS pEprocess;
// on success this adds a reference to pEprocess that is never released in this routine
if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &pEprocess))){
goto _RETCONTEXT;
}
// undocumented export: returns the short (15-character) image name stored in the EPROCESS
UCHAR *ProcessName = PsGetProcessImageFileName(pEprocess);
// case-insensitive match against the global InjectName (defined elsewhere)
if (_stricmp(ProcessName, InjectName) == 0) {//_stricmp(ProcessName, InjectName) == 0
// FullImageName may be NULL (__in_opt) and Buffer may lack a terminator; neither is checked
if (wcsstr(FullImageName->Buffer, L"System32\\ntdll.dll") != 0) {
// full-access kernel handle stored in the global ProcessHandle; not closed here
if (!NT_SUCCESS(ObOpenObjectByPointer(pEprocess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &ProcessHandle))) {
DbgPrint("打开句柄失败!\n");
goto _RETCONTEXT;
}
// build the parameter block handed to the shellcode
PARAMX param;
// hook target resolved from the ntdll image just mapped (GetDllFunctionAddress is not shown);
// the trailing comment and the variable name suggest the target was switched from ZwTestAlert to ZwContinue
PVOIDfnHookZwTestAlert = (PVOID)GetDllFunctionAddress("ZwContinue", ImageInfo->ImageBase);//ZwContinueZwTestAlert
param.lpFileData = NULL;
param.DataLength = InjectDllSize;
// export addresses from the same ntdll image, passed through PARAMX
param.LdrGetProcedureAddress = (LPVOID)GetDllFunctionAddress("LdrGetProcedureAddress", ImageInfo->ImageBase);
param.dwNtAllocateVirtualMemory = (LPVOID)GetDllFunctionAddress("NtAllocateVirtualMemory", ImageInfo->ImageBase);
param.pLdrLoadDll = (LPVOID)GetDllFunctionAddress("LdrLoadDll", ImageInfo->ImageBase);
param.RtlInitAnsiString = (LPVOID)GetDllFunctionAddress("RtlInitAnsiString", ImageInfo->ImageBase);
param.RtlAnsiStringToUnicodeString = (LPVOID)GetDllFunctionAddress("RtlAnsiStringToUnicodeString", ImageInfo->ImageBase);
param.RtlFreeUnicodeString = (LPVOID)GetDllFunctionAddress("RtlFreeUnicodeString", ImageInfo->ImageBase);
param.ProtectVirtualMemory = (LPVOID)GetDllFunctionAddress("NtProtectVirtualMemory", ImageInfo->ImageBase);
param.fnHookZwTestAlert = (ULONG64)fnHookZwTestAlert;
// only the hook target is checked; the other resolved addresses are not
if (fnHookZwTestAlert == NULL){
DbgPrint("获取函数失败!\n");
goto _RETCONTEXT;
}
DbgPrint("ZwTestAlert! = %p\n", fnHookZwTestAlert);
// save the first 5 bytes of the target function into param.OrlCode
// (presumably restored later by the stub; that is not visible here)
SIZE_T Olgsize = 0;
if (!NT_SUCCESS(ZwReadVirtualMemory(ProcessHandle, fnHookZwTestAlert, param.OrlCode, 5, &Olgsize))) {
DbgPrint("拷贝字节失败!\n");
goto _RETCONTEXT;
}
PVOID ProtectAddress = fnHookZwTestAlert;
SIZE_T ShellCodeSize = sizeof(MemLoadLibraryShellCodex64);
// size of the region to allocate: hook stub + loader stub + parameter block
SIZE_T ProtectSize = sizeof(ShellCode) + ShellCodeSize + sizeof(PARAMX);
// AllocateInjectMemory is not shown; ShellCodeMemory and DllMemory are globals assigned here
ShellCodeMemory = (PBYTE)AllocateInjectMemory(ProcessHandle, ProtectAddress, ProtectSize);
if (ShellCodeMemory == NULL){// allocation failed
DbgPrint("申请内存失败!\n");
goto _RETCONTEXT;
}
// not NULL-checked, unlike ShellCodeMemory above
DllMemory = (PBYTE)AllocateInjectMemory(ProcessHandle, ProtectAddress, InjectDllSize);
SIZE_T size = 5;
ULONG OldProtect = 0;
// change protection of the 5 patched bytes to RWX (ProtectAddress/size are in/out and get page-rounded)
if (NT_SUCCESS(ZwProtectVirtualMemory(ProcessHandle, &ProtectAddress, &size, PAGE_EXECUTE_READWRITE, &OldProtect))) {
// fill in the remaining parameters
param.lpFileData = DllMemory;// point at the DLL copy in the target
// patch the hook stub: absolute address of the PARAMX copy at offset 15,
// and a rel32 at offset 42 back to the hook target, relative to the 5-byte instruction at offset 41
*(ULONG64*)(ShellCode + 15) = (ULONG64)ShellCodeMemory + sizeof(ShellCode) + ShellCodeSize;
*(ULONG*)(ShellCode + 42) = (ULONG)((ULONG64)fnHookZwTestAlert - ((ULONG64)ShellCodeMemory + 41) - 5);
//DbgPrint("x64_ JmpAddress!= %p\n", (ULONG64)fnHookZwTestAlert - ((ULONG64)AollMemory + 41) - 5);
// write the DLL image (return value ignored, as for every write below)
ZwWriteVirtualMemory(ProcessHandle, DllMemory, InjectDllBuff, InjectDllSize, &Olgsize);
// write the hook stub; target layout is [ShellCode][MemLoadLibraryShellCodex64][PARAMX]
ZwWriteVirtualMemory(ProcessHandle, ShellCodeMemory, ShellCode, sizeof(ShellCode), &Olgsize);
// write the loader stub
ZwWriteVirtualMemory(ProcessHandle, ShellCodeMemory + sizeof(ShellCode), MemLoadLibraryShellCodex64, ShellCodeSize, &Olgsize);
// write the parameter block ("¶m" appears to be "&param" mangled by the page's HTML-entity conversion)
ZwWriteVirtualMemory(ProcessHandle, ShellCodeMemory + sizeof(ShellCode) + ShellCodeSize, ¶m, sizeof(PARAMX), &Olgsize);
// install the hook: 5-byte E9 rel32 jump (JmpCode is used as a 5-byte array below;
// the missing array size on this line looks like extraction loss)
BYTE JmpCode = { 0xE9 ,0x00,0x00,0x00,0x00 };
// rel32 = stub address - (hook address + 5)
*(ULONG*)(JmpCode + 1) = (ULONG)(((ULONG64)ShellCodeMemory) - (ULONG64)fnHookZwTestAlert - 5);
ZwWriteVirtualMemory(ProcessHandle, fnHookZwTestAlert, JmpCode, 5, &Olgsize);
// restore the previous protection on the patched range
ZwProtectVirtualMemory(ProcessHandle, &ProtectAddress, &size, OldProtect, &OldProtect);
DbgPrint("ShellCodeMemory! = %p\n", ShellCodeMemory);
}
}
}
// every early exit lands here; no dereference or handle close is performed on any path
_RETCONTEXT:
VMProtectEnd();
return;
}
整套源码分享
绝地求生驱动注入源码包括易语言调用例子