<pre style='color:#000000;background:#ffffff;'><html><body style='color:#000000; background:#ffffff; '><pre>
<span style='color:#696969; '>// Build settings: a CRT-free, single-section console executable. The linker entry</span>
<span style='color:#696969; '>// point is WMain itself, no default libraries are linked, and .rdata/.data are</span>
<span style='color:#696969; '>// folded into .text, which is then marked executable+readable+writable (EWR).</span>
<span style='color:#696969; '>// NOTE(review): the two /merge lines and /SECTION:.text,EWR are a size optimisation</span>
<span style='color:#696969; '>// only; they leave the whole image writable and executable (no W^X), a layout that</span>
<span style='color:#696969; '>// security tooling commonly flags. The LDE technique below does not need them.</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/ENTRY:WMain"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/NODEFAULTLIB"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/SUBSYSTEM:CONSOLE"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/merge:.rdata=.text"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/merge:.data=.text"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; font-weight:bold; '>pragma </span><span style='color:#bb7977; font-weight:bold; '>comment(linker, </span><span style='color:#0000e6; font-weight:bold; '>"/SECTION:.text,EWR"</span><span style='color:#bb7977; font-weight:bold; '>)</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>&lt;</span><span style='color:#40015a; '>windows.h</span><span style='color:#800000; '>></span>
<span style='color:#696969; '>// windows.h defines RtlMoveMemory as a macro over the CRT memmove; with /NODEFAULTLIB</span>
<span style='color:#696969; '>// the macro is removed and the kernel32 export is declared directly instead.</span>
<span style='color:#696969; '>// Nothing in the visible code calls it; presumably kept for a CRT-free memory copy.</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; '>undef</span><span style='color:#004a43; '> RtlMoveMemory</span>
<span style='color:#800000; font-weight:bold; '>extern</span> <span style='color:#603000; '>VOID</span> <span style='color:#800000; font-weight:bold; '>__stdcall</span> RtlMoveMemory<span style='color:#808030; '>(</span>IN <span style='color:#603000; '>VOID</span> UNALIGNED <span style='color:#808030; '>*</span>Destination<span style='color:#808030; '>,</span> IN <span style='color:#603000; '>CONST</span> <span style='color:#603000; '>VOID</span> UNALIGNED <span style='color:#808030; '>*</span>Source<span style='color:#808030; '>,</span> IN SIZE_T Length<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// export</span>
<span style='color:#696969; '>// LDE - instruction length measurement built on the Win32 debugger API.</span>
<span style='color:#696969; '>// x86 (32-bit) only: it reads and writes CONTEXT.Eip and passes a DWORD where</span>
<span style='color:#696969; '>// an LPVOID is expected, so it cannot be built or run as 64-bit code.</span>
<span style='color:#696969; '>// Address: pointer to the instruction to measure, in this process's memory.</span>
<span style='color:#696969; '>// Returns: the number of bytes that had to be copied before the instruction</span>
<span style='color:#696969; '>//          executed without faulting, i.e. its length.</span>
<span style='color:#696969; '>// Method: a child ("Empty.exe") is started under this process as its debugger.</span>
<span style='color:#696969; '>// On the child's initial breakpoint two pages are set aside in it: the first is</span>
<span style='color:#696969; '>// committed RWE, the second stays reserved with no access. CodeSize bytes from</span>
<span style='color:#696969; '>// Address are copied so that they end exactly at the page boundary, EIP is pointed</span>
<span style='color:#696969; '>// at them and the trap flag is set. While the copy is still shorter than the</span>
<span style='color:#696969; '>// instruction, the fetch runs into the second page and the child reports an</span>
<span style='color:#696969; '>// access violation with ExceptionInformation[0] == 8 (execute/DEP fault); one more</span>
<span style='color:#696969; '>// byte is copied and the step is retried. Any other exception (in practice the</span>
<span style='color:#696969; '>// single-step trap after the instruction completed) ends the run: the child is</span>
<span style='color:#696969; '>// terminated and CodeSize is returned.</span>
<span style='color:#696969; '>// NOTE(review): the return values of CreateProcessA, WaitForDebugEvent,</span>
<span style='color:#696969; '>// VirtualAllocEx, WriteProcessMemory and Get/SetThreadContext are never checked.</span>
<span style='color:#696969; '>// If "Empty.exe" cannot be started, DBEvent, hThread and hProcess are used</span>
<span style='color:#696969; '>// uninitialized and the loop may never terminate.</span>
<span style='color:#696969; '>// NOTE(review): the child is named by the relative path "Empty.exe", so whichever</span>
<span style='color:#696969; '>// binary of that name sits in the current directory is launched and debugged;</span>
<span style='color:#696969; '>// a fixed, fully qualified path would remove that dependency.</span>
<span style='color:#603000; '>BYTE</span> LDE<span style='color:#808030; '>(</span><span style='color:#603000; '>PVOID</span> Address<span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#603000; '>CONTEXT</span> context<span style='color:#800080; '>;</span> <span style='color:#696969; '>// thread context of the debuggee's initial thread</span>
<span style='color:#603000; '>DEBUG_EVENT</span> DBEvent<span style='color:#800080; '>;</span>
<span style='color:#603000; '>HANDLE</span> hThread<span style='color:#808030; '>,</span> hProcess<span style='color:#800080; '>;</span> <span style='color:#696969; '>// taken from the CREATE_PROCESS_DEBUG_EVENT, not from pi</span>
<span style='color:#603000; '>BYTE</span> CodeSize <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// bytes copied so far; grows by one per fault</span>
<span style='color:#603000; '>DWORD</span> Region<span style='color:#800080; '>;</span> <span style='color:#696969; '>// address in the child where the copied bytes start (moves down as CodeSize grows)</span>
<span style='color:#603000; '>BOOL</span> Started <span style='color:#808030; '>=</span> FALSE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// set once the pages are prepared on the first breakpoint</span>
<span style='color:#603000; '>DWORD</span> dwWritten<span style='color:#800080; '>;</span>
<span style='color:#603000; '>STARTUPINFO</span> startinfo<span style='color:#800080; '>;</span>
<span style='color:#603000; '>PROCESS_INFORMATION</span> pi<span style='color:#800080; '>;</span>
<span style='color:#400000; '>GetStartupInfo</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>startinfo<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// start the child with this process as its debugger; DEBUG_ONLY_THIS_PROCESS keeps</span>
<span style='color:#696969; '>// any grandchildren out of the event stream (the flags are combined with + rather</span>
<span style='color:#696969; '>// than |, which works only because the two bits are distinct)</span>
CreateProcessA<span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>Empty.exe</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>,</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>,</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>,</span> FALSE<span style='color:#808030; '>,</span> DEBUG_PROCESS <span style='color:#808030; '>+</span> DEBUG_ONLY_THIS_PROCESS<span style='color:#808030; '>,</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>,</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>startinfo<span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>pi<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// the handles returned by CreateProcess are not needed: the debug loop works with</span>
<span style='color:#696969; '>// the ones delivered in the CREATE_PROCESS_DEBUG_EVENT below</span>
<span style='color:#400000; '>CloseHandle</span><span style='color:#808030; '>(</span>pi<span style='color:#808030; '>.</span>hThread<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#400000; '>CloseHandle</span><span style='color:#808030; '>(</span>pi<span style='color:#808030; '>.</span>hProcess<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// debugger event loop; leaves only on EXIT_PROCESS_DEBUG_EVENT</span>
<span style='color:#800000; font-weight:bold; '>while</span> <span style='color:#808030; '>(</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#400000; '>WaitForDebugEvent</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>DBEvent<span style='color:#808030; '>,</span> INFINITE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwDebugEventCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> CREATE_PROCESS_DEBUG_EVENT<span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// remember the child's process/thread handles; the image file handle that comes</span>
<span style='color:#696969; '>// with this event is owned by the debugger and must be closed here</span>
hThread <span style='color:#808030; '>=</span> DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>CreateProcessInfo<span style='color:#808030; '>.</span>hThread<span style='color:#800080; '>;</span>
hProcess <span style='color:#808030; '>=</span> DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>CreateProcessInfo<span style='color:#808030; '>.</span>hProcess<span style='color:#800080; '>;</span>
<span style='color:#400000; '>CloseHandle</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>CreateProcessInfo<span style='color:#808030; '>.</span>hFile<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwDebugEventCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> LOAD_DLL_DEBUG_EVENT<span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// likewise, the DLL file handle is ours to close</span>
<span style='color:#400000; '>CloseHandle</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>LoadDll<span style='color:#808030; '>.</span>hFile<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwDebugEventCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> EXCEPTION_DEBUG_EVENT<span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// only the control registers (Eip, EFlags, ...) are fetched and stored</span>
context<span style='color:#808030; '>.</span>ContextFlags <span style='color:#808030; '>=</span> CONTEXT_CONTROL<span style='color:#800080; '>;</span>
<span style='color:#400000; '>GetThreadContext</span><span style='color:#808030; '>(</span>hThread<span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>context<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// ExceptionInformation[0] == 8 marks an instruction-fetch (DEP) violation: the</span>
<span style='color:#696969; '>// truncated instruction ran off the end of the RWE page into the no-access page</span>
<span style='color:#696969; '>// NOTE(review): if such a fault arrived before Started is set, Region would be</span>
<span style='color:#696969; '>// used uninitialized; nothing below guards against that ordering</span>
<span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>Exception<span style='color:#808030; '>.</span>ExceptionRecord<span style='color:#808030; '>.</span>ExceptionCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> EXCEPTION_ACCESS_VIOLATION<span style='color:#808030; '>)</span> <span style='color:#808030; '>&amp;</span><span style='color:#808030; '>&amp;</span>
<span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>Exception<span style='color:#808030; '>.</span>ExceptionRecord<span style='color:#808030; '>.</span>ExceptionInformation<span style='color:#808030; '>[</span><span style='color:#008c00; '>0</span><span style='color:#808030; '>]</span> <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>8</span><span style='color:#808030; '>)</span><span style='color:#808030; '>)</span> <span style='color:#696969; '>// #AV (DEP)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// copy one byte more, moving the start down so the bytes still end at the page boundary</span>
Region <span style='color:#808030; '>-</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span>
CodeSize <span style='color:#808030; '>+</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// Region (a DWORD) is passed where an LPVOID is expected - fine only for 32-bit pointers</span>
<span style='color:#400000; '>WriteProcessMemory</span><span style='color:#808030; '>(</span>hProcess<span style='color:#808030; '>,</span> Region<span style='color:#808030; '>,</span> Address<span style='color:#808030; '>,</span> CodeSize<span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>dwWritten<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
context<span style='color:#808030; '>.</span>EFlags <span style='color:#808030; '>|</span><span style='color:#808030; '>=</span> <span style='color:#008000; '>0x00000100</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable single-step tracing (set TF)</span>
context<span style='color:#808030; '>.</span>Eip <span style='color:#808030; '>=</span> Region<span style='color:#800080; '>;</span> <span style='color:#696969; '>// resume at the start of the copied bytes</span>
<span style='color:#400000; '>SetThreadContext</span><span style='color:#808030; '>(</span>hThread<span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>context<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#696969; '>// all other exceptions</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// this code must run only on the first EXCEPTION_BREAKPOINT (the initial breakpoint</span>
<span style='color:#696969; '>// the loader raises when a process is created under a debugger)</span>
<span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>u<span style='color:#808030; '>.</span>Exception<span style='color:#808030; '>.</span>ExceptionRecord<span style='color:#808030; '>.</span>ExceptionCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> EXCEPTION_BREAKPOINT<span style='color:#808030; '>)</span> <span style='color:#808030; '>&amp;</span><span style='color:#808030; '>&amp;</span> <span style='color:#808030; '>(</span><span style='color:#808030; '>!</span>Started<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// 2 memory pages: the first with RWE access, the second with no access</span>
Region <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// let the system choose where the region is placed</span>
<span style='color:#696969; '>// reserve 2 pages; 0x2000 = PAGE_SIZE*2</span>
Region <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span><span style='color:#808030; '>)</span><span style='color:#400000; '>VirtualAllocEx</span><span style='color:#808030; '>(</span>hProcess<span style='color:#808030; '>,</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>LPVOID</span><span style='color:#808030; '>)</span>Region<span style='color:#808030; '>,</span> <span style='color:#008000; '>0x2000</span><span style='color:#808030; '>,</span> MEM_RESERVE<span style='color:#808030; '>,</span> PAGE_NOACCESS<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// 0x1000 = PAGE_SIZE</span>
<span style='color:#696969; '>// commit the first page of the reserved range as RWE (the second page stays reserved)</span>
Region <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span><span style='color:#808030; '>)</span><span style='color:#400000; '>VirtualAllocEx</span><span style='color:#808030; '>(</span>hProcess<span style='color:#808030; '>,</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>LPVOID</span><span style='color:#808030; '>)</span>Region<span style='color:#808030; '>,</span> <span style='color:#008000; '>0x1000</span><span style='color:#808030; '>,</span> MEM_COMMIT<span style='color:#808030; '>,</span> PAGE_EXECUTE_READWRITE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// point at the boundary itself: with CodeSize == 0 the very first fetch faults</span>
Region <span style='color:#808030; '>+</span><span style='color:#808030; '>=</span> <span style='color:#008000; '>0x1000</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// to #AV</span>
context<span style='color:#808030; '>.</span>EFlags <span style='color:#808030; '>|</span><span style='color:#808030; '>=</span> <span style='color:#008000; '>0x00000100</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable single-step tracing (set TF)</span>
context<span style='color:#808030; '>.</span>Eip <span style='color:#808030; '>=</span> Region<span style='color:#800080; '>;</span> <span style='color:#696969; '>// and move eip to Region</span>
<span style='color:#400000; '>SetThreadContext</span><span style='color:#808030; '>(</span>hThread<span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>context<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
Started <span style='color:#808030; '>=</span> TRUE<span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#696969; '>// any later exception (in practice the single-step trap once the instruction</span>
<span style='color:#696969; '>// executed in full) ends the measurement; CodeSize now holds the length</span>
<span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#400000; '>TerminateProcess</span><span style='color:#808030; '>(</span>hProcess<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800080; '>}</span>
<span style='color:#696969; '>// leave without acknowledging here; the final ContinueDebugEvent is done after the loop</span>
<span style='color:#800000; font-weight:bold; '>if</span> <span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwDebugEventCode <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> EXIT_PROCESS_DEBUG_EVENT<span style='color:#808030; '>)</span> <span style='color:#800000; font-weight:bold; '>break</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// resume the child; DBG_CONTINUE marks every exception as handled so the faulting</span>
<span style='color:#696969; '>// instruction is retried from the context set above rather than propagated</span>
<span style='color:#400000; '>ContinueDebugEvent</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwProcessId<span style='color:#808030; '>,</span> DBEvent<span style='color:#808030; '>.</span>dwThreadId<span style='color:#808030; '>,</span> DBG_CONTINUE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#696969; '>// acknowledge the EXIT_PROCESS event so the debuggee is fully torn down</span>
<span style='color:#400000; '>ContinueDebugEvent</span><span style='color:#808030; '>(</span>DBEvent<span style='color:#808030; '>.</span>dwProcessId<span style='color:#808030; '>,</span> DBEvent<span style='color:#808030; '>.</span>dwThreadId<span style='color:#808030; '>,</span> DBG_CONTINUE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> CodeSize<span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#696969; '>// WMain - program entry point (named by /ENTRY:WMain above; there is no CRT, so no</span>
<span style='color:#696969; '>// main/argv). Measures the first instruction in StartCodeBuf with LDE, prints the</span>
<span style='color:#696969; '>// result on the console and then waits on stdin before returning.</span>
<span style='color:#800000; font-weight:bold; '>void</span> WMain<span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>void</span><span style='color:#808030; '>)</span>
<span style='color:#800080; '>{</span>
<span style='color:#696969; '>// sample bytes handed to LDE; only the leading instruction is measured. 6A 7B is a</span>
<span style='color:#696969; '>// 2-byte x86 push imm8, so the expected output is "0x02"; the trailing CC bytes</span>
<span style='color:#696969; '>// (int3) only pad the buffer</span>
<span style='color:#603000; '>BYTE</span> StartCodeBuf<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span> <span style='color:#808030; '>=</span> <span style='color:#800080; '>{</span> <span style='color:#008000; '>0x6A</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x7B</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x8E</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xD0</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xCC</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xBC</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x8E</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xD0</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xA3</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x10</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x23</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0x00</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xCC</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xCC</span><span style='color:#808030; '>,</span> <span style='color:#008000; '>0xCC</span> <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
<span style='color:#603000; '>HANDLE</span> stdInHandle<span style='color:#808030; '>,</span> stdOutHandle<span style='color:#800080; '>;</span>
<span style='color:#603000; '>DWORD</span> dwWritten<span style='color:#800080; '>;</span> <span style='color:#696969; '>// reused for both the write and the read count</span>
<span style='color:#800000; font-weight:bold; '>char</span> Buffer<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>char</span> HexBuffer<span style='color:#808030; '>[</span><span style='color:#008c00; '>100</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// ample for the fixed-width format string below</span>
SetConsoleTitleA<span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>Process LDE</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
stdOutHandle <span style='color:#808030; '>=</span> <span style='color:#400000; '>GetStdHandle</span><span style='color:#808030; '>(</span>STD_OUTPUT_HANDLE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
stdInHandle <span style='color:#808030; '>=</span> <span style='color:#400000; '>GetStdHandle</span><span style='color:#808030; '>(</span>STD_INPUT_HANDLE<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// LDE returns a BYTE, promoted to int for the %.2X conversion; wsprintfA is used</span>
<span style='color:#696969; '>// because there is no CRT printf in a /NODEFAULTLIB build</span>
wsprintfA<span style='color:#808030; '>(</span>HexBuffer<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>Instruction Length - 0x</span><span style='color:#0f69ff; '>%.2X</span><span style='color:#0f69ff; '>\r</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> LDE<span style='color:#808030; '>(</span>StartCodeBuf<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
WriteConsoleA<span style='color:#808030; '>(</span>stdOutHandle<span style='color:#808030; '>,</span> HexBuffer<span style='color:#808030; '>,</span> lstrlenA<span style='color:#808030; '>(</span>HexBuffer<span style='color:#808030; '>)</span><span style='color:#808030; '>,</span> <span style='color:#808030; '>&amp;</span>dwWritten<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// NOTE(review): presumably meant as a "press a key" pause, but nNumberOfCharsToRead</span>
<span style='color:#696969; '>// is 0, so it may return immediately; reading sizeof(Buffer) chars would block</span>
ReadConsoleA<span style='color:#808030; '>(</span>stdInHandle<span style='color:#808030; '>,</span>Buffer<span style='color:#808030; '>,</span><span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span><span style='color:#808030; '>&amp;</span>dwWritten<span style='color:#808030; '>,</span><span style='color:#008c00; '>0</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
</pre>