
导入表内注入代码(二)

 2007-03-17 21:59:50 来源:WEB开发网   
141. DWORD dwRedirectMem = (DWORD)VirtualAllocEx(  // remote allocation in hProcess; the returned pointer is truncated to a 32-bit DWORD (x86-only) and is never checked for NULL
142. hProcess,
143. NULL,
144. 0x01D000,  // fixed region size; nothing below verifies that Ldr_rsize fits inside it
145. MEM_COMMIT,
146. PAGE_EXECUTE_READWRITE);  // committing an RWX region in another process is a high-signal event for memory-protection telemetry (EDR/ETW), which is what defenders key on here
147.
148. ...
149.
150. PCHAR pLdr;
151. DWORD Ldr_rsize;
152. GetLdrCode(pLdr, Ldr_rsize);  // both out-params filled by reference; pLdr is a GlobalAlloc buffer that is not freed anywhere in the visible code
153.
154. WriteProcessMemory( hProcess,  // BOOL result is ignored and dwBytes is never compared with Ldr_rsize, so a short or failed write goes unnoticed
155. (LPVOID)(dwRedirectMem),
156. pLdr,
157. Ldr_rsize,
158. &dwBytes);
159. loader 被写入额外分配的内存空间。它包含用于显示一个简单消息框的代码。

// Copies the loader stub that sits between the DYN_LOADER_START_MAGIC and
// DYN_LOADER_END_MAGIC markers of DynLoader into a freshly GlobalAlloc'd
// buffer (returned through pLdr, its size through rsize) and writes the
// absolute address of user32!MessageBoxA into the stub's data slot located
// via DYN_LOADER_START_DATA1.
// Ownership: the caller owns pLdr (GMEM_FIXED allocation, freed with GlobalFree).
// Error handling: none — ReturnToBytePtr, GlobalAlloc, LoadLibrary and
// GetProcAddress results are all used unchecked; a NULL from any of them
// turns the memcpy calls below into an invalid write.
// Layout: DWORD pointer arithmetic and the 4-byte address copy assume a
// 32-bit (x86) build.
160. void GetLdrCode(PCHAR &pLdr, DWORD &rsize)
161. {
162. HMODULE hModule;
163. DWORD dwMessageBox;
164.
165. PCHAR ch_temp;
166. DWORD dwCodeSize;
167. ch_temp=(PCHAR)DWORD(ReturnToBytePtr(DynLoader, DYN_LOADER_START_MAGIC))+4;  // +4 presumably skips the 4-byte start marker itself — confirm against the marker definition
168. dwCodeSize=DWORD(ReturnToBytePtr(DynLoader, DYN_LOADER_END_MAGIC))-DWORD(ch_temp);  // stub length = distance from just past the start marker to the end marker; negative/garbage if either lookup fails
169. rsize= dwCodeSize;
170. pLdr = (PCHAR)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, dwCodeSize);  // unchecked allocation
171. memcpy(pLdr, ch_temp, dwCodeSize);
172.
173. ch_temp=(PCHAR)ReturnToBytePtr(pLdr, DYN_LOADER_START_DATA1);  // locate the data marker inside the *copy*, so the patch below lands in the caller's buffer, not in DynLoader
174.
175. hModule = LoadLibrary("User32.dll");
176. dwMessageBox= (DWORD)GetProcAddress(hModule, "MessageBoxA");  // resolved in the current process; the value is only valid in the target if user32.dll is mapped at the same base there
177. memcpy(ch_temp+4, &dwMessageBox, 4);  // 4-byte pointer patch at marker+4, i.e. the stub carries a hard-coded API address rather than an import
178. }
179. ...
180. _ShellAbout_NewCode:  // position-independent x86 stub; named as a replacement for ShellAbout. The labels _p_szCaption, _p_szText and _p_MessageBox it addresses are defined outside this excerpt
181. _local_0:
182. pushad // save the registers context in stack
183. call _local_1  // call/pop pair: pushes the runtime address of _local_1, which the next instruction pops into ebp
184. _local_1:
185. pop ebp
186. sub ebp,offset _local_1// get base ebp — ebp now holds the load delta, so every data reference below is [ebp + link-time offset]
187. push MB_OK | MB_ICONINFORMATION  // uType
188. lea eax,[ebp+_p_szCaption]
189. push eax  // lpCaption
190. lea eax,[ebp+_p_szText]
191. push eax  // lpText
192. push NULL  // hWnd
193. mov eax, [ebp+_p_MessageBox]  // absolute MessageBoxA address stored in the stub's data area (presumably the slot GetLdrCode patches — confirm)
194. call eax
195. // MessageBox(NULL, szText, szCaption, MB_OK | MB_ICONINFORMATION) ;
196. popad // restore the first registers context from stack
197. ret 10h  // stdcall epilogue: pops 16 bytes, the four DWORD arguments of the ShellAbout signature this stub stands in for
198. ...
199. 可执行 image 在修改后被写回内存。不要忘了在写入之前先将该内存区域设置为完全存取权限。


