构造假堆栈

wow · 发表于 2013-6-17 10:28:28

本帖最后由 wow 于 2013-6-17 10:29 编辑

#include <windows.h>
/////////////////////////////////////////////////////////////////////////////////
// __stdcall 与 _cdecl 两个函数最后只会影响edi跟esi的值，函数都不会出什么问题
/////////////////////////////////////////////////////////////////////////////////
// __stdcall 方式的函数
void WINAPI Use_Stdcall_Bypass_Call_Func(DWORD dwFakeStackFrameArray[260] ,
DWORD FunctionName,
DWORD *dwArgv,
DWORD dwcount,
DWORD dwXAddr);
// _cdecl 方式的函数
void WINAPI Use_cdecl_Bypass_Call_Func(DWORD dwFakeStackFrameArray[260] ,
DWORD FunctionName,
DWORD *dwArgv,
DWORD dwcount,
DWORD dwXAddr);
void BypassCallStackCheck(LPTSTR szDllName);
void FuncG(void);
void FuncG(void)
{
BypassCallStackCheck(TEXT("kernel32.dll"));
MessageBox(NULL, "Test Bypass Call Stack Check", "winsun: Bypass", 0);
}
void BypassCallStackCheck(LPTSTR szDllName)
{
DWORD dwFakeStackFrame[260] = {0};
DWORD dwFakeRetAddr = 0xFEFEFEFE;
PDWORD pdwEbp = NULL;
PCHAR pszTitle = "ByPass Call Stack Check \0";
PCHAR pszCaption = "winsun \0";
DWORD dwMsgBoxAddr = 0;
DWORD dwRealAddr = 0;
PBYTE pbSearchRet = NULL;
dwMsgBoxAddr = (DWORD)GetProcAddress(GetModuleHandle("user32.dll"), "MessageBoxA");
for ( int iLoop = 0; iLoop < 100; )
{
dwFakeStackFrame[iLoop] = (DWORD)&dwFakeStackFrame[iLoop+2];
dwFakeStackFrame[iLoop+1] = dwFakeRetAddr;
iLoop += 2;
}
HMODULE hmodle = GetModuleHandle(szDllName);
if (hmodle == NULL)
{
// can't find the module
return ;
}
DWORD RetAddress = NULL;
try
{
// 找代码段里面的ret指令
PIMAGE_DOS_HEADER mzhead = (PIMAGE_DOS_HEADER) hmodle;
PIMAGE_NT_HEADERS peheader =
(PIMAGE_NT_HEADERS)((DWORD)mzhead + mzhead->e_lfanew);
LPBYTE pbuf = (LPBYTE)( (DWORD)mzhead + peheader->OptionalHeader.BaseOfCode );
DWORD dwsize = peheader->OptionalHeader.SizeOfCode;
for (DWORD i=0; i<dwsize; i++, pbuf++)
{
if (*pbuf == 0x0C3)
{
RetAddress = (DWORD)pbuf;
break;
}
}
}
catch (...)
{
// 不可读异常
return ;
}
if (RetAddress == NULL)
{
// no ret code in module
return ;
}
// 函数参数，[0]最后一个参数，[1]倒数第二个参数...
DWORD argv[4] = {0};
argv[0] = MB_OK;
argv[1] = (DWORD)pszCaption ;
argv[2] = (DWORD)pszTitle;
argv[3] = NULL;
Use_Stdcall_Bypass_Call_Func(dwFakeStackFrame, dwMsgBoxAddr, argv, 4, RetAddress); // 0x7c921224);
}
_declspec (naked) void WINAPI Use_Stdcall_Bypass_Call_Func(DWORD dwFakeStackFrameArray[260] ,
DWORD FunctionName,
DWORD *dwArgv,
DWORD dwcount,
DWORD dwXAddr)
{
_asm
{
//function prologue(函数前导指令)
mov edi, edi
push ebp
mov ebp, esp
//function body
push esi
mov esi,ebp
push REAL_RET_ADDR
mov eax,dwArgv
mov ecx,dwcount
// 函数使用的参数入当前栈
push_argv:
mov ebx,[eax]
push ebx
add eax,4
dec ecx
jnz push_argv
push dwXAddr
mov eax, FunctionName
mov ebp, dwFakeStackFrameArray //把假栈帧基地址赋值给EBP
jmp eax //跳入MessageBox()函数执行
REAL_RET_ADDR:
mov ebp,esi
pop esi
//function epilogue(函数后继指令)，for stack balance
mov esp, ebp
pop ebp
ret 20
}
}
_declspec (naked) void WINAPI Use_cdecl_Bypass_Call_Func( DWORD dwFakeStackFrameArray[260] ,
DWORD FunctionName,
DWORD *dwArgv,
DWORD dwcount,
DWORD dwXAddr)
{
_asm
{
//function prologue(函数前导指令)
mov edi, edi
push ebp
mov ebp, esp
//function body
push esi
mov esi,ebp
push edi
mov edi,dwcount
push REAL_RET_ADDR
mov eax,dwArgv
mov ecx,dwcount
push_argv:
mov ebx,[eax]
push ebx
add eax,4
dec ecx
jnz push_argv
push dwXAddr
mov eax, FunctionName
mov ebp, dwFakeStackFrameArray //把假栈帧基地址赋值给EBP
jmp eax //跳入MessageBox()函数执行
REAL_RET_ADDR:
rol edi,2
add esp,edi
pop edi
mov ebp,esi
pop esi
//function epilogue(函数后继指令)，for stack balance
mov esp, ebp
pop ebp
ret 20
}
}
int main()
{
FuncG();
return 0;
}