研究心得

Delete myself (exe file version)

Coder Jozu — Tue, 26 Oct 2004 21:36:00 GMT

// Delself.cpp: 删除正在运行的程序
//
// Coder Jozu

#include <windows.h>
#include <tchar.h>
#include <shlobj.h>

#pragma comment(lib, "Shell32.lib")

#define ERROR_RET 1
#define ERROR_SUC 0

#define COMSPEC TEXT("COMSPEC")
#define ARGS_PREX TEXT(" /c del ")
#define ARGS_ERR_REDIR TEXT(" >NUL")

int main(int argc, char** argv)
{
TCHAR szModuleName[MAX_PATH] = { 0 };
TCHAR szCommand[MAX_PATH] = { 0 };
TCHAR szParams[MAX_PATH] = { 0 };

STARTUPINFO si = { sizeof(STARTUPINFO) };
PROCESS_INFORMATION pi;

if(!GetModuleFileName(NULL, szModuleName, MAX_PATH))
return ERROR_RET;

if(!GetShortPathName(szModuleName, szModuleName, MAX_PATH))
return ERROR_RET;

if(!GetEnvironmentVariable(COMSPEC, szCommand, MAX_PATH))
return ERROR_RET;

_tcscat(szCommand, ARGS_PREX);
_tcscat(szCommand, szModuleName);
_tcscat(szCommand, ARGS_ERR_REDIR);

if(SetPriorityClass(GetCurrentProcess(),
  REALTIME_PRIORITY_CLASS))
{
  if(SetThreadPriority(GetCurrentThread(),
   THREAD_PRIORITY_TIME_CRITICAL))
  {
   //
   if(CreateProcess(NULL,
    szCommand,
    NULL,
    NULL,
    FALSE,
    0,
    NULL,
    NULL,
    &si,
    &pi))
   {
    SetPriorityClass(pi.hProcess,
     IDLE_PRIORITY_CLASS);

SetProcessPriorityBoost(pi.hProcess,
TRUE);

    SHChangeNotify(SHCNE_DELETE,
     SHCNF_PATH,
     szModuleName,
     NULL);
    return TRUE;
   }
  }
  else
  {
   SetPriorityClass(GetCurrentProcess(),
    NORMAL_PRIORITY_CLASS);
  }
}
return ERROR_RET;
}

Delete myself （memory version）

Coder Jozu — Mon, 25 Oct 2004 19:49:00 GMT

// MmSlfDel.cpp : Defines the entry point for the console application.
//
// Coder Jozu

#include "stdafx.h"
#include

int main(int argc, char* argv[])
{
unsigned char* p = NULL, *pHeap;
unsigned char pMem[] =
{
0xE8, 0x00, 0x00, 0x00, 0x00, // call $ + 5
0x5B, // pop ebx
0x83, 0xEB, 0x05, // sub ebx, offset next - offset start
0x8B, 0xC3, // mov eax, ebx
0x81, 0xEB, 0x00, 0x10, 0x40, 0x00, // sub ebx, offset start
0x89, 0x83, 0x35, 0x10, 0x40, 0x00, // mov dword ptr [ebx + membase], eax
0x58, // pop eax
0x68, 0x00, 0x80, 0x00, 0x00, // push 8000h
0xFF, 0xB3, 0x39, 0x10, 0x40, 0x00, // push dword ptr [ebx + memsize]
0xFF, 0xB3, 0x35, 0x10, 0x40, 0x00, // push dword ptr [ebx + membase]
0x50, // push eax
0xFF, 0xB3, 0x31, 0x10, 0x40, 0x00, // push dword ptr [ebx + fnVadFree]
0xC3 // ret
};

p = (unsigned char*)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(!p)
{
printf("memalloc error.\n");
return 1;
}

__try
{
*p = 0;
}
__except(puts("in filter1"), 1)
{
puts("in except1");
}

memcpy(p, pMem, sizeof(pMem));

pHeap = p + sizeof(pMem);
*(ULONG*)&pHeap[0] = (ULONG)VirtualFree;
*(ULONG*)&pHeap[8] = 0x00000000;

((FARPROC)p)();

__try
{
*p = 0;
}
__except(puts("in filter1"), 1)
{
puts("in except2");
}

return 0;
}

自己写一个GetProcAddr，来熟悉PE格式

Coder Jozu — Mon, 25 Oct 2004 19:47:00 GMT

// GetProcAddr.cpp : redo function GetProcAddress
//
// Coder Jozu

#include
#include
#include

// generic macro
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr) + (DWORD)(addValue))

PVOID
GetFuncAddr(
IN PVOID Base, ?
IN PULONG FuncTableBase,
IN USHORT Index)
{
return MakePtr(PVOID, Base, FuncTableBase[Index]);
}

USHORT
NameToOrdinal (
IN PCSTR Name,
IN ULONG NumberOfNames,
IN PVOID DllBase,
IN PULONG NameTableBase,
IN PUSHORT NameOrdinalTableBase
???)
{
LONG High;
LONG Low;
LONG Middle;
LONG Result;

Low = 0;
High = NumberOfNames - 1;
while (High >= Low)
{
Middle = (Low + High) >> 1;
Result = strcmp(Name, (PCHAR)((ULONG_PTR)DllBase + NameTableBase[Middle]));

if (Result < 0)
High = Middle - 1;
else if(Result > 0)
Low = Middle + 1;
else
break;
}

if (High < Low)
return (USHORT)-1;
else
return NameOrdinalTableBase[Middle];
}

//////////////////////////////////////////////////////////////////////////

PVOID
GetFuncAddrByIndex(
IN PVOID Base, ?
IN PIMAGE_EXPORT_DIRECTORY pied,
IN USHORT ulIndex)
{
PULONG FuncTableBase;

ulIndex -= (USHORT)pied->Base;

if(ulIndex >= pied->NumberOfFunctions)
return NULL;

FuncTableBase = MakePtr(PULONG, Base, pied->AddressOfFunctions);
return GetFuncAddr(Base, FuncTableBase, ulIndex);
}

//////////////////////////////////////////////////////////////////////////

PVOID
GetFuncAddrByName(
IN PVOID Base, ?
IN PIMAGE_EXPORT_DIRECTORY pied,
IN PCSTR Name)
{
USHORT OrdinalNumber;
PULONG NameTableBase;
PULONG FuncTableBase;
PUSHORT NameOrdinalTableBase;

NameTableBase = MakePtr(PULONG, Base, pied->AddressOfNames);
NameOrdinalTableBase = MakePtr(PUSHORT, Base, pied->AddressOfNameOrdinals);
FuncTableBase = MakePtr(PULONG, Base, pied->AddressOfFunctions);

OrdinalNumber = NameToOrdinal(Name,
pied->NumberOfNames,
Base,
NameTableBase,
NameOrdinalTableBase);

return GetFuncAddr(Base, FuncTableBase, OrdinalNumber);
}

//////////////////////////////////////////////////////////////////////////

PVOID
FindFunc(
IN PVOID Base,
IN PCSTR Name
)
{
#define MAX_FUNC_ID 0xFFFF
PIMAGE_DOS_HEADER pidh;
PIMAGE_NT_HEADERS pinh;
PIMAGE_EXPORT_DIRECTORY pied;
PVOID pFuncAddr = NULL;
BOOLEAN bUseIndex = FALSE;

if((ULONG)Name < MAX_FUNC_ID)
{
bUseIndex = TRUE;
}

pidh = MakePtr(PIMAGE_DOS_HEADER, Base, 0);
do
{
if(pidh->e_magic != IMAGE_DOS_SIGNATURE)
break;

pinh = MakePtr(PIMAGE_NT_HEADERS, Base, pidh->e_lfanew);
if(pinh->Signature != IMAGE_NT_SIGNATURE)
break;

pied = MakePtr(PIMAGE_EXPORT_DIRECTORY,
Base,
pinh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

if(bUseIndex)
pFuncAddr = GetFuncAddrByIndex(Base, pied, (USHORT)Name);
else
pFuncAddr = GetFuncAddrByName(Base, pied, Name);

} while(FALSE);

return pFuncAddr;
}

int main(int argc, char* argv[])
{
PVOID pFunc;
HMODULE hNtdll;

hNtdll = LoadLibrary("ntdll.dll");
pFunc = GetProcAddress(hNtdll, "KiUserExceptionDispatcher");

printf("KiUserExceptionDispatcher: pFunc = %08X\n", pFunc);

pFunc = FindFunc(hNtdll, "KiUserExceptionDispatcher");
printf("KiUserExceptionDispatcher: pFunc = %08X\n", pFunc);

pFunc = FindFunc(hNtdll, (LPCSTR)0x4f);
printf("KiUserExceptionDispatcher: pFunc = %08X\n", pFunc);

return 0;
}