按照样本优化了一下
This commit is contained in:
Huoji's
@@ -2,7 +2,7 @@
|
||||
|
||||
|
||||
auto Sandbox::InitializeLdrData() -> void {
|
||||
if (m_peInfo->isX64 && m_peb64.Ldr == 0) {
|
||||
if (m_peInfo->isX64) {
|
||||
// ΪLDR_DATA<54><41><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
|
||||
uint64_t ldrDataAddress = m_pebBase + sizeof(X64PEB);
|
||||
m_pebEnd = ldrDataAddress + sizeof(X64_PEB_LDR_DATA);
|
||||
@@ -17,148 +17,393 @@ auto Sandbox::InitializeLdrData() -> void {
|
||||
ldrData.Length = sizeof(X64_PEB_LDR_DATA);
|
||||
ldrData.Initialized = 1;
|
||||
|
||||
// <20><>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ - ʹ<EFBFBD><EFBFBD><EFBFBD>ʵ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ת<EFBFBD><EFBFBD>
|
||||
LIST_ENTRY inLoadOrderList = {
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList)),
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList)) };
|
||||
ldrData.InLoadOrderModuleList = inLoadOrderList;
|
||||
// <20><>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ - ÿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ<EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD><EFBFBD>Լ<EFBFBD>(<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)
|
||||
uint64_t inLoadOrderListHead = ldrDataAddress + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList);
|
||||
uint64_t inMemoryOrderListHead = ldrDataAddress + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList);
|
||||
uint64_t inInitOrderListHead = ldrDataAddress + offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList);
|
||||
|
||||
LIST_ENTRY inMemoryOrderList = {
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList)),
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList)) };
|
||||
ldrData.InMemoryOrderModuleList = inMemoryOrderList;
|
||||
// <20><><EFBFBD><EFBFBD>ÿ<EFBFBD><C3BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>Flink<6E><6B>Blink<6E><6B>ָ<EFBFBD><D6B8><EFBFBD>Լ<EFBFBD>
|
||||
ldrData.InLoadOrderModuleList.Flink = (LIST_ENTRY*)inLoadOrderListHead;
|
||||
ldrData.InLoadOrderModuleList.Blink = (LIST_ENTRY*)inLoadOrderListHead;
|
||||
|
||||
LIST_ENTRY inInitOrderList = {
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList)),
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
ldrDataAddress +
|
||||
offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList)) };
|
||||
ldrData.InInitializationOrderModuleList = inInitOrderList;
|
||||
ldrData.InMemoryOrderModuleList.Flink = (LIST_ENTRY*)inMemoryOrderListHead;
|
||||
ldrData.InMemoryOrderModuleList.Blink = (LIST_ENTRY*)inMemoryOrderListHead;
|
||||
|
||||
uc_mem_write(m_ucEngine, ldrDataAddress, &ldrData,
|
||||
sizeof(X64_PEB_LDR_DATA));
|
||||
ldrData.InInitializationOrderModuleList.Flink = (LIST_ENTRY*)inInitOrderListHead;
|
||||
ldrData.InInitializationOrderModuleList.Blink = (LIST_ENTRY*)inInitOrderListHead;
|
||||
|
||||
// д<><D0B4>LDR_DATA<54>ṹ<EFBFBD><E1B9B9><EFBFBD>ڴ<EFBFBD>
|
||||
uc_mem_write(m_ucEngine, ldrDataAddress, &ldrData, sizeof(X64_PEB_LDR_DATA));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>PEB<45>е<EFBFBD>Ldrָ<72><D6B8>
|
||||
uc_mem_write(m_ucEngine, m_pebBase, &m_peb64, sizeof(X64PEB));
|
||||
}
|
||||
}
|
||||
|
||||
auto Sandbox::CreateLdrEntry(const std::shared_ptr<struct_moudle>& module,
|
||||
uint64_t entryAddress, uint64_t fullNameAddress,
|
||||
uint64_t baseNameAddress) -> LDR_DATA_TABLE_ENTRY {
|
||||
LDR_DATA_TABLE_ENTRY entry = { 0 };
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ṹ<EFBFBD><E1B9B9><EFBFBD><EFBFBD>ȷ<EFBFBD><C8B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֶ<EFBFBD><D6B6><EFBFBD>ȷ<EFBFBD><C8B7>ʼ<EFBFBD><CABC>
|
||||
LDR_DATA_TABLE_ENTRY entry = {};
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>ģ<EFBFBD><C4A3><EFBFBD><EFBFBD>ַ - <20><><EFBFBD><EFBFBD>nullָ<6C><D6B8>
|
||||
if (module->base == 0) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD>棺ģ<EFBFBD><EFBFBD>'%s'<27>Ļ<EFBFBD>ַΪ0<CEAA><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ܵ<EFBFBD><DCB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\n", module->name);
|
||||
}
|
||||
}
|
||||
|
||||
entry.DllBase = reinterpret_cast<PVOID>(module->base);
|
||||
entry.EntryPoint = reinterpret_cast<PVOID>(module->base + module->entry);
|
||||
entry.SizeOfImages = static_cast<ULONG>(module->size);
|
||||
|
||||
// <><D7BC>ģ<EFBFBD><C4A3><EFBFBD><EFBFBD><EFBFBD>Ƶ<EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD>
|
||||
wchar_t nameBuffer[MAX_PATH] = { 0 };
|
||||
std::mbstowcs(nameBuffer, module->name, strlen(module->name));
|
||||
size_t convertedChars = 0;
|
||||
std::string fakeFullName = "c:\\windows\\system32\\" + std::string(module->name);
|
||||
|
||||
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ·<EFBFBD><EFBFBD>
|
||||
entry.FullDllName.Length =
|
||||
static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
|
||||
// ʹ<EFBFBD>ø<EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD><EFBFBD>mbstowcs_s<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
mbstowcs_s(&convertedChars, nameBuffer, MAX_PATH, fakeFullName.c_str(), fakeFullName.size());
|
||||
|
||||
// <20><>֤ת<D6A4><D7AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
size_t nameLen = wcslen(nameBuffer);
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
if (nameLen == 0 || nameLen >= MAX_PATH) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD>棺ģ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>'%s'ת<><D7AA><EFBFBD><EFBFBD><EFBFBD>⣬<EFBFBD><E2A3AC><EFBFBD><EFBFBD>=%zu\n", module->name, nameLen);
|
||||
}
|
||||
}
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD>
|
||||
entry.FullDllName.Length = static_cast<USHORT>(nameLen * sizeof(wchar_t));
|
||||
entry.FullDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
|
||||
entry.FullDllName.Buffer = reinterpret_cast<PWSTR>(fullNameAddress);
|
||||
|
||||
// <20><><EFBFBD>û<EFBFBD><C3BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
entry.BaseDllName.Length =
|
||||
static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
|
||||
entry.BaseDllName.Length = static_cast<USHORT>(nameLen * sizeof(wchar_t));
|
||||
entry.BaseDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
|
||||
entry.BaseDllName.Buffer = reinterpret_cast<PWSTR>(baseNameAddress);
|
||||
if (LOG_LEVEL > 4) {
|
||||
// д<><D0B4><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> - <20><><EFBFBD>ӵ<EFBFBD><D3B5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
printf("DEBUG: д<><D0B4>ģ<EFBFBD><C4A3><EFBFBD><EFBFBD> '%s' <20><><EFBFBD><EFBFBD>ַ 0x%llx <20><> 0x%llx\n",
|
||||
module->name, fullNameAddress, baseNameAddress);
|
||||
}
|
||||
uc_mem_write(m_ucEngine, fullNameAddress, nameBuffer, (nameLen + 1) * sizeof(wchar_t));
|
||||
uc_mem_write(m_ucEngine, baseNameAddress, nameBuffer, (nameLen + 1) * sizeof(wchar_t));
|
||||
|
||||
// д<EFBFBD><EFBFBD>Unicode<EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD>
|
||||
uc_mem_write(m_ucEngine, fullNameAddress, nameBuffer,
|
||||
(wcslen(nameBuffer) + 1) * sizeof(wchar_t));
|
||||
uc_mem_write(m_ucEngine, baseNameAddress, nameBuffer,
|
||||
(wcslen(nameBuffer) + 1) * sizeof(wchar_t));
|
||||
// <EFBFBD><EFBFBD>ʼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD>ΪNULL<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>UpdateLdrLinks<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ã<EFBFBD>
|
||||
entry.InLoadOrderLinks.Flink = nullptr;
|
||||
entry.InLoadOrderLinks.Blink = nullptr;
|
||||
entry.InMemoryOrderLinks.Flink = nullptr;
|
||||
entry.InMemoryOrderLinks.Blink = nullptr;
|
||||
entry.InInitializationOrderLinks.Flink = nullptr;
|
||||
entry.InInitializationOrderLinks.Blink = nullptr;
|
||||
|
||||
return entry;
|
||||
}
|
||||
|
||||
auto Sandbox::UpdateLdrLinks(const LDR_DATA_TABLE_ENTRY& entry,
|
||||
uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData)
|
||||
-> void {
|
||||
// <20><><EFBFBD><EFBFBD>LDR_DATA<54>е<EFBFBD><D0B5><EFBFBD><EFBFBD><EFBFBD>ͷ
|
||||
ldrData.InLoadOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
|
||||
entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks));
|
||||
ldrData.InMemoryOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
|
||||
entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
|
||||
ldrData.InInitializationOrderModuleList.Flink =
|
||||
reinterpret_cast<LIST_ENTRY*>(
|
||||
entryAddress +
|
||||
offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks));
|
||||
uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData) -> void {
|
||||
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>ַ
|
||||
uint64_t inLoadOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList);
|
||||
uint64_t inMemoryOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList);
|
||||
uint64_t inInitOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList);
|
||||
|
||||
// д<EFBFBD>ظ<EFBFBD><EFBFBD>º<EFBFBD><EFBFBD><EFBFBD>LDR_DATA
|
||||
uc_mem_write(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
|
||||
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><EFBFBD>ÿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>еĵ<EFBFBD>ַ
|
||||
uint64_t entryInLoadOrder = entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
|
||||
uint64_t entryInMemoryOrder = entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
|
||||
uint64_t entryInInitOrder = entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
|
||||
|
||||
LIST_ENTRY listHead;
|
||||
LIST_ENTRY entryLinks;
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>InLoadOrderModuleList
|
||||
uc_mem_read(m_ucEngine, inLoadOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD>뵽<EFBFBD><EBB5BD><EFBFBD><EFBFBD>ͷ֮<CDB7><D6AE>)
|
||||
entryLinks.Flink = listHead.Flink; // <20><><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF>Flink = ԭ<><D4AD>ͷ<EFBFBD><CDB7>Flink
|
||||
entryLinks.Blink = (LIST_ENTRY*)inLoadOrderListHead; // <20><><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF>Blink = ͷ
|
||||
uc_mem_write(m_ucEngine, entryInLoadOrder, &entryLinks, sizeof(LIST_ENTRY));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>Flinkָ<6B><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
|
||||
listHead.Flink = (LIST_ENTRY*)entryInLoadOrder;
|
||||
uc_mem_write(m_ucEngine, inLoadOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ǿ<EFBFBD><C7BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ԭ<EFBFBD><D4AD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD>ڵ<EFBFBD><DAB5><EFBFBD>Blink
|
||||
if (entryLinks.Flink != (LIST_ENTRY*)inLoadOrderListHead) {
|
||||
LIST_ENTRY nextEntry;
|
||||
uc_mem_read(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
nextEntry.Blink = (LIST_ENTRY*)entryInLoadOrder;
|
||||
uc_mem_write(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
}
|
||||
|
||||
// ͬ<><CDAC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>InMemoryOrderModuleList
|
||||
uc_mem_read(m_ucEngine, inMemoryOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
entryLinks.Flink = listHead.Flink;
|
||||
entryLinks.Blink = (LIST_ENTRY*)inMemoryOrderListHead;
|
||||
uc_mem_write(m_ucEngine, entryInMemoryOrder, &entryLinks, sizeof(LIST_ENTRY));
|
||||
listHead.Flink = (LIST_ENTRY*)entryInMemoryOrder;
|
||||
uc_mem_write(m_ucEngine, inMemoryOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
if (entryLinks.Flink != (LIST_ENTRY*)inMemoryOrderListHead) {
|
||||
LIST_ENTRY nextEntry;
|
||||
uc_mem_read(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
nextEntry.Blink = (LIST_ENTRY*)entryInMemoryOrder;
|
||||
uc_mem_write(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>InInitializationOrderModuleList
|
||||
uc_mem_read(m_ucEngine, inInitOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
entryLinks.Flink = listHead.Flink;
|
||||
entryLinks.Blink = (LIST_ENTRY*)inInitOrderListHead;
|
||||
uc_mem_write(m_ucEngine, entryInInitOrder, &entryLinks, sizeof(LIST_ENTRY));
|
||||
listHead.Flink = (LIST_ENTRY*)entryInInitOrder;
|
||||
uc_mem_write(m_ucEngine, inInitOrderListHead, &listHead, sizeof(LIST_ENTRY));
|
||||
if (entryLinks.Flink != (LIST_ENTRY*)inInitOrderListHead) {
|
||||
LIST_ENTRY nextEntry;
|
||||
uc_mem_read(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
nextEntry.Blink = (LIST_ENTRY*)entryInInitOrder;
|
||||
uc_mem_write(m_ucEngine, (uint64_t)entryLinks.Flink, &nextEntry, sizeof(LIST_ENTRY));
|
||||
}
|
||||
}
|
||||
|
||||
auto Sandbox::AddModuleToLdr(const std::shared_ptr<struct_moudle>& module)
|
||||
-> void {
|
||||
auto Sandbox::AddModuleToLdr(const std::shared_ptr<struct_moudle>& module) -> void {
|
||||
if (!m_peInfo->isX64) {
|
||||
return; // <20><>ʱֻ<CAB1><D6BB><EFBFBD><EFBFBD>64λ
|
||||
return;
|
||||
}
|
||||
|
||||
if (m_peb64.Ldr == 0) {
|
||||
InitializeLdrData();
|
||||
if (LOG_LEVEL > 4) {
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ģ<EFBFBD><EFBFBD>: '%s', <20><>ַ: 0x%llx, <20><><EFBFBD>ڵ<EFBFBD>: 0x%llx, <20><>С: 0x%llx\n",
|
||||
module->name, module->base, module->entry, module->size);
|
||||
}
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
|
||||
const size_t stringSectionSize = MAX_PATH * sizeof(wchar_t) * 2;
|
||||
uint64_t entrySize = sizeof(LDR_DATA_TABLE_ENTRY) + stringSectionSize;
|
||||
|
||||
// Ϊģ<EFBFBD>鴴<EFBFBD><EFBFBD>LDR_DATA_TABLE_ENTRY
|
||||
uint64_t entrySize = sizeof(LDR_DATA_TABLE_ENTRY) +
|
||||
MAX_PATH * 2; // <20><><EFBFBD><EFBFBD><EFBFBD>ռ<EFBFBD><D5BC><EFBFBD><EFBFBD><EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD>
|
||||
uint64_t entryAddress = m_pebEnd;
|
||||
m_pebEnd += entrySize;
|
||||
|
||||
// ȷ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD>뵽8<EFBFBD>ֽڱ߽磨<EFBFBD><EFBFBD><EFBFBD><EFBFBD>64λ<EFBFBD>ṹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD>
|
||||
uint64_t entryAddress = (m_pebEnd + 7) & ~7ULL;
|
||||
if (LOG_LEVEL > 4) {
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>LDR<EFBFBD><EFBFBD>Ŀ: <20><>ַ=0x%llx, <20><>С=0x%llx\n", entryAddress, entrySize);
|
||||
}
|
||||
// ӳ<><D3B3><EFBFBD>ڴ<EFBFBD>
|
||||
uc_mem_map(m_ucEngine, entryAddress, entrySize, UC_PROT_ALL);
|
||||
const size_t pageSize = 4096;
|
||||
size_t alignedSize = (entrySize + pageSize - 1) & ~(pageSize - 1);
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD>ַ
|
||||
uint64_t fullNameAddress = entryAddress + sizeof(LDR_DATA_TABLE_ENTRY);
|
||||
uint64_t baseNameAddress = fullNameAddress + MAX_PATH;
|
||||
uc_err err = uc_mem_map(m_ucEngine, entryAddress, alignedSize, UC_PROT_ALL);
|
||||
if (err != UC_ERR_OK) {
|
||||
if (LOG_LEVEL > 4) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>: <20><EFBFBD>ӳ<EFBFBD><D3B3>LDR<44><52>Ŀ<EFBFBD>ڴ<EFBFBD> @ 0x%llx (<28><><EFBFBD><EFBFBD>=%d)\n", entryAddress, err);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼ<EFBFBD><EFBFBD>LDR_DATA_TABLE_ENTRY
|
||||
auto entry =
|
||||
CreateLdrEntry(module, entryAddress, fullNameAddress, baseNameAddress);
|
||||
// <20><><EFBFBD><EFBFBD>Unicode<EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><EFBFBD>ȷ<EFBFBD><EFBFBD>8<EFBFBD>ֽڶ<EFBFBD><EFBFBD><EFBFBD>
|
||||
uint64_t fullNameAddress = (entryAddress + sizeof(LDR_DATA_TABLE_ENTRY) + 7) & ~7ULL;
|
||||
uint64_t baseNameAddress = (fullNameAddress + (MAX_PATH * sizeof(wchar_t)) + 7) & ~7ULL;
|
||||
if (LOG_LEVEL > 4) {
|
||||
// <20><>֤<EFBFBD><D6A4>ַ<EFBFBD><D6B7>Χ
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>: <20>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD>ַ - FullName=0x%llx, BaseName=0x%llx\n",
|
||||
fullNameAddress, baseNameAddress);
|
||||
}
|
||||
// ȷ<><C8B7><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ淶Χ
|
||||
if (baseNameAddress + (MAX_PATH * sizeof(wchar_t)) > entryAddress + alignedSize) {
|
||||
if (LOG_LEVEL > 4) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>: <20>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ淶Χ!\n");
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD>LDR<44><52>Ŀ
|
||||
auto entry = CreateLdrEntry(module, entryAddress, fullNameAddress, baseNameAddress);
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
// <20><>֤DllBase<73><65><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȷ
|
||||
if ((uint64_t)entry.DllBase != module->base) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>: DllBase<73><65>ƥ<EFBFBD><C6A5> (<28><><EFBFBD><EFBFBD>=%llx, <20><><EFBFBD><EFBFBD>=%llx)\n",
|
||||
(uint64_t)entry.DllBase, module->base);
|
||||
}
|
||||
}
|
||||
// <20><>PEB<45><42>ȡ<EFBFBD><C8A1>ǰLDR_DATA<54>ṹ
|
||||
X64_PEB_LDR_DATA ldrData;
|
||||
uc_mem_read(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8>
|
||||
entry.InLoadOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
|
||||
reinterpret_cast<uintptr_t>(ldrData.InLoadOrderModuleList.Flink));
|
||||
entry.InLoadOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
|
||||
m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList));
|
||||
|
||||
entry.InMemoryOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
|
||||
reinterpret_cast<uintptr_t>(ldrData.InMemoryOrderModuleList.Flink));
|
||||
entry.InMemoryOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
|
||||
m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList));
|
||||
|
||||
entry.InInitializationOrderLinks.Flink =
|
||||
reinterpret_cast<LIST_ENTRY*>(reinterpret_cast<uintptr_t>(
|
||||
ldrData.InInitializationOrderModuleList.Flink));
|
||||
entry.InInitializationOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
|
||||
m_peb64.Ldr +
|
||||
offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList));
|
||||
|
||||
// д<><D0B4>LDR_DATA_TABLE_ENTRY<52>ṹ
|
||||
uc_mem_write(m_ucEngine, entryAddress, &entry,
|
||||
sizeof(LDR_DATA_TABLE_ENTRY));
|
||||
uc_mem_write(m_ucEngine, entryAddress, &entry, sizeof(LDR_DATA_TABLE_ENTRY));
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
UpdateLdrLinks(entry, entryAddress, ldrData);
|
||||
|
||||
printf("Added module '%s' to LDR data tables at 0x%llx\n", module->name,
|
||||
entryAddress);
|
||||
// <20><><EFBFBD><EFBFBD>PEBβ<42><CEB2>λ<EFBFBD><CEBB>
|
||||
m_pebEnd = entryAddress + alignedSize;
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
printf("<EFBFBD>ɹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ģ<EFBFBD><EFBFBD> '%s' <20><>LDR<44><52><EFBFBD>ݱ<EFBFBD> @ 0x%llx\n", module->name, entryAddress);
|
||||
}
|
||||
}
|
||||
auto Sandbox::TestLdrListTraversal() -> bool {
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
printf("\n============ LDR<44><52><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ============\n");
|
||||
|
||||
// 1. <20><>ȡPEB<45><42>ַ
|
||||
uint64_t pebAddress = m_pebBase; // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>PEB<45><42>ַ
|
||||
X64PEB peb;
|
||||
if (uc_mem_read(m_ucEngine, pebAddress, &peb, sizeof(X64PEB)) != UC_ERR_OK) {
|
||||
printf("ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡPEB<45>ṹ<EFBFBD><E1B9B9>\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
printf("PEBλ<EFBFBD><EFBFBD>: 0x%llx\n", pebAddress);
|
||||
printf("PEB.Ldrָ<72><D6B8>: 0x%llx\n", peb.Ldr);
|
||||
|
||||
// 2. <20><>ȡLDR_DATA<54>ṹ
|
||||
if (peb.Ldr == 0) {
|
||||
printf("ERROR: PEB.LdrΪNULL<4C><4C>LDRδ<52><CEB4>ʼ<EFBFBD><CABC>\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
X64_PEB_LDR_DATA ldrData;
|
||||
if (uc_mem_read(m_ucEngine, peb.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA)) != UC_ERR_OK) {
|
||||
printf("ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡLDR_DATA<54>ṹ<EFBFBD><E1B9B9>\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
printf("LDR_DATA.Length: %u\n", ldrData.Length);
|
||||
printf("LDR_DATA.Initialized: %u\n", ldrData.Initialized);
|
||||
|
||||
// 3. <20><><EFBFBD>鲢<EFBFBD><E9B2A2>ӡ<EFBFBD><D3A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
DumpLdrList("InLoadOrderModuleList", peb.Ldr,
|
||||
offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList),
|
||||
offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks));
|
||||
|
||||
DumpLdrList("InMemoryOrderModuleList", peb.Ldr,
|
||||
offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList),
|
||||
offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
|
||||
|
||||
DumpLdrList("InInitializationOrderModuleList", peb.Ldr,
|
||||
offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList),
|
||||
offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks));
|
||||
|
||||
printf("========================================\n");
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ӡָ<D3A1><D6B8><EFBFBD><EFBFBD>LDR<44><52><EFBFBD><EFBFBD>
|
||||
auto Sandbox::DumpLdrList(const char* listName, uint64_t ldrDataBase, size_t listOffset, size_t entryLinkOffset) -> void {
|
||||
if (LOG_LEVEL > 4) {
|
||||
|
||||
printf("\n--- %s <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ---\n", listName);
|
||||
|
||||
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>ַ
|
||||
uint64_t listHeadAddr = ldrDataBase + listOffset;
|
||||
LIST_ENTRY listHead;
|
||||
if (uc_mem_read(m_ucEngine, listHeadAddr, &listHead, sizeof(LIST_ENTRY)) != UC_ERR_OK) {
|
||||
printf("ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD>ͷ @ 0x%llx\n", listHeadAddr);
|
||||
return;
|
||||
}
|
||||
|
||||
printf("<EFBFBD>б<EFBFBD>ͷ @ 0x%llx: Flink=0x%llx, Blink=0x%llx\n",
|
||||
listHeadAddr, (uint64_t)listHead.Flink, (uint64_t)listHead.Blink);
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD>Ϊ<EFBFBD><CEAA>
|
||||
if (listHead.Flink == (LIST_ENTRY*)listHeadAddr) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><EFBFBD> (Flinkָ<6B><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)\n");
|
||||
return;
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
uint64_t currentLink = (uint64_t)listHead.Flink;
|
||||
int entryCount = 0;
|
||||
|
||||
while (currentLink != listHeadAddr && entryCount < 100) { // <20><>ֹ<EFBFBD><D6B9><EFBFBD><EFBFBD>ѭ<EFBFBD><D1AD>
|
||||
entryCount++;
|
||||
|
||||
// <20><><EFBFBD>㵱ǰLDR_DATA_TABLE_ENTRY<52>ĵ<EFBFBD>ַ
|
||||
uint64_t entryAddr = currentLink - entryLinkOffset;
|
||||
|
||||
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
|
||||
LDR_DATA_TABLE_ENTRY entry;
|
||||
if (uc_mem_read(m_ucEngine, entryAddr, &entry, sizeof(LDR_DATA_TABLE_ENTRY)) != UC_ERR_OK) {
|
||||
printf("ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡ<EFBFBD><C8A1>Ŀ @ 0x%llx\n", entryAddr);
|
||||
break;
|
||||
}
|
||||
|
||||
printf("\n<EFBFBD><EFBFBD>Ŀ #%d @ 0x%llx:\n", entryCount, entryAddr);
|
||||
printf(" DllBase: 0x%llx\n", (uint64_t)entry.DllBase);
|
||||
printf(" EntryPoint: 0x%llx\n", (uint64_t)entry.EntryPoint);
|
||||
printf(" SizeOfImage: 0x%x\n", entry.SizeOfImages);
|
||||
|
||||
// <20><>ȡ<EFBFBD>ʹ<EFBFBD>ӡģ<D3A1><C4A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
if ((uint64_t)entry.FullDllName.Buffer != 0 && entry.FullDllName.Length > 0) {
|
||||
size_t nameLen = entry.FullDllName.Length / sizeof(wchar_t);
|
||||
wchar_t* nameBuffer = new wchar_t[nameLen + 1];
|
||||
|
||||
if (uc_mem_read(m_ucEngine, (uint64_t)entry.FullDllName.Buffer, nameBuffer, entry.FullDllName.Length) == UC_ERR_OK) {
|
||||
nameBuffer[nameLen] = L'\0';
|
||||
|
||||
// ת<><D7AA>Ϊ<EFBFBD><CEAA><EFBFBD>ֽ<EFBFBD><D6BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||||
char mbName[MAX_PATH * 2] = { 0 };
|
||||
wcstombs(mbName, nameBuffer, sizeof(mbName) - 1);
|
||||
printf(" FullDllName: %s\n", mbName);
|
||||
}
|
||||
else {
|
||||
printf(" ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡFullDllName @ 0x%llx (<28><><EFBFBD><EFBFBD>: %d)\n",
|
||||
(uint64_t)entry.FullDllName.Buffer, entry.FullDllName.Length);
|
||||
}
|
||||
|
||||
delete[] nameBuffer;
|
||||
}
|
||||
else {
|
||||
printf(" FullDllName: <<3C>ջ<EFBFBD><D5BB><EFBFBD>Ч>\n");
|
||||
}
|
||||
|
||||
// ͬ<><CDAC><EFBFBD><EFBFBD>ӡBaseDllName
|
||||
if ((uint64_t)entry.BaseDllName.Buffer != 0 && entry.BaseDllName.Length > 0) {
|
||||
size_t nameLen = entry.BaseDllName.Length / sizeof(wchar_t);
|
||||
wchar_t* nameBuffer = new wchar_t[nameLen + 1];
|
||||
|
||||
if (uc_mem_read(m_ucEngine, (uint64_t)entry.BaseDllName.Buffer, nameBuffer, entry.BaseDllName.Length) == UC_ERR_OK) {
|
||||
nameBuffer[nameLen] = L'\0';
|
||||
|
||||
char mbName[MAX_PATH * 2] = { 0 };
|
||||
wcstombs(mbName, nameBuffer, sizeof(mbName) - 1);
|
||||
printf(" BaseDllName: %s\n", mbName);
|
||||
}
|
||||
else {
|
||||
printf(" ERROR: <20><EFBFBD><DEB7><EFBFBD>ȡBaseDllName @ 0x%llx (<28><><EFBFBD><EFBFBD>: %d)\n",
|
||||
(uint64_t)entry.BaseDllName.Buffer, entry.BaseDllName.Length);
|
||||
}
|
||||
|
||||
delete[] nameBuffer;
|
||||
}
|
||||
else {
|
||||
printf(" BaseDllName: <<3C>ջ<EFBFBD><D5BB><EFBFBD>Ч>\n");
|
||||
}
|
||||
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч<EFBFBD><D0A7>
|
||||
printf(" <20><><EFBFBD><EFBFBD>: Flink=0x%llx, Blink=0x%llx\n",
|
||||
(uint64_t)entry.InLoadOrderLinks.Flink, (uint64_t)entry.InLoadOrderLinks.Blink);
|
||||
|
||||
// <20>ƶ<EFBFBD><C6B6><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD>Ŀ
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ѡ<EFBFBD><D1A1><EFBFBD><EFBFBD>ȷ<EFBFBD><C8B7>Flink<6E>ֶ<EFBFBD>
|
||||
if (listOffset == offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList))
|
||||
currentLink = (uint64_t)entry.InLoadOrderLinks.Flink;
|
||||
else if (listOffset == offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList))
|
||||
currentLink = (uint64_t)entry.InMemoryOrderLinks.Flink;
|
||||
else if (listOffset == offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList))
|
||||
currentLink = (uint64_t)entry.InInitializationOrderLinks.Flink;
|
||||
|
||||
// <20>ڴ<EFBFBD><DAB4><EFBFBD>֤ - <20><>ֹ<EFBFBD><D6B9>Чָ<D0A7><D6B8>
|
||||
if (currentLink == 0 || currentLink == entryAddr) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч<EFBFBD><EFBFBD>Flinkָ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (entryCount == 0) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD>棺û<EFBFBD><EFBFBD><EFBFBD>ҵ<EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷָʾ<EFBFBD>ǿ<EFBFBD>\n");
|
||||
}
|
||||
else if (entryCount >= 100) {
|
||||
printf("<EFBFBD><EFBFBD><EFBFBD>棺<EFBFBD><EFBFBD><EFBFBD>ܵ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ѭ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ṹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\n");
|
||||
}
|
||||
else {
|
||||
printf("\n<EFBFBD>ܹ<EFBFBD><EFBFBD>ҵ<EFBFBD> %d <20><><EFBFBD><EFBFBD>Ŀ\n", entryCount);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user