; Version.dll x64 劫持补丁
; FASM x64VersionFix.asm version.dll
format PE64 GUI DLL;
entry DllEntryPoint;
use64;
include 'win64a.inc';
section '.text' code readable executable;
; 修复导出表项
; 参数: 模块句柄, 函数名, 写出偏移(qword 大小)
macro apifix hMod,sz,fn
{
mov rdx, sz ; proc name
mov rcx, hMod ; hLib
call [GetProcAddress]
mov qword[fn], rax
};
; 利用 VirtualProtect 修改目标区域为可读写执行
; 修改完后再恢复其保护。
; 参数: 修改地址(地址偏移), 保护长度, 储存旧保护的地址,
; 数据宽度(byte/word/dword/qword), 写出数据
macro fixCode lpAddr,len,oldProtect,dataWidth,data
{
lea rax, oldProtect
invoke VirtualProtect, lpAddr, len, PAGE_EXECUTE_READWRITE, rax
mov rax, lpAddr
mov dataWidth [rax], data
lea rax, oldProtect
invoke VirtualProtect, lpAddr, len, dword[rax], rax
};
; 修复导出的 API 地址
proc FixImport
local hModule:QWORD
local lpBuffer:QWORD
frame
invoke LocalAlloc, LPTR, MAX_PATH + 1
mov [lpBuffer], rax
invoke GetSystemDirectory, rax, MAX_PATH
invoke strncat, [lpBuffer], szTargetLibrary, MAX_PATH
invoke LoadLibrary, [lpBuffer]
mov [hModule], rax
invoke LocalFree,[lpBuffer]
apifix [hModule], szGetFileVersionInfoA, _GetFileVersionInfoA
apifix [hModule], szGetFileVersionInfoByHandle, _GetFileVersionInfoByHandle
apifix [hModule], szGetFileVersionInfoExW, _GetFileVersionInfoExW
apifix [hModule], szGetFileVersionInfoSizeA, _GetFileVersionInfoSizeA
apifix [hModule], szGetFileVersionInfoSizeExW, _GetFileVersionInfoSizeExW
apifix [hModule], szGetFileVersionInfoSizeW, _GetFileVersionInfoSizeW
apifix [hModule], szGetFileVersionInfoW, _GetFileVersionInfoW
apifix [hModule], szVerFindFileA, _VerFindFileA
apifix [hModule], szVerFindFileW, _VerFindFileW
apifix [hModule], szVerInstallFileA, _VerInstallFileA
apifix [hModule], szVerInstallFileW, _VerInstallFileW
apifix [hModule], szVerLanguageNameA, _VerLanguageNameA
apifix [hModule], szVerLanguageNameW, _VerLanguageNameW
apifix [hModule], szVerQueryValueA, _VerQueryValueA
apifix [hModule], szVerQueryValueW, _VerQueryValueW
apifix [hModule], szVerQueryValueIndexA, _VerQueryValueIndexA
apifix [hModule], szVerQueryValueIndexW, _VerQueryValueIndexW
endf;
ret
endp;
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
local hModule:QWORD
local oldProtect:DWORD
local lpBuffer:QWORD
cmp edx, 1
jnz skipPatch
; 检测是否为目标进程
frame
invoke LocalAlloc, LPTR, MAX_PATH + 1
mov [lpBuffer], rax
invoke GetModuleFileName, NULL, rax, MAX_PATH
invoke strstr, [lpBuffer], szTargetExeName
mov dword[oldProtect], eax
invoke LocalFree,[lpBuffer]
endf;
cmp dword[oldProtect], 0
jz skipPatch
frame
; 取得当前主程序句柄
invoke GetModuleHandle,NULL
mov [hModule], rax
; hModule + 代码段的偏移
add rax, 0x100000 ; offset
mov [lpBuffer], rax
; 然后修改其值
fixCode [lpBuffer], 1, [oldProtect], dword, 0
endf;
skipPatch:
call FixImport
mov eax,TRUE
ret
endp;
; 导出函数, 全是跳转
_exp_GetFileVersionInfoA: jmp [ _GetFileVersionInfoA]
_exp_GetFileVersionInfoByHandle: jmp [ _GetFileVersionInfoByHandle]
_exp_GetFileVersionInfoExW: jmp [ _GetFileVersionInfoExW]
_exp_GetFileVersionInfoSizeA: jmp [ _GetFileVersionInfoSizeA]
_exp_GetFileVersionInfoSizeExW: jmp [ _GetFileVersionInfoSizeExW]
_exp_GetFileVersionInfoSizeW: jmp [ _GetFileVersionInfoSizeW]
_exp_GetFileVersionInfoW: jmp [ _GetFileVersionInfoW]
_exp_VerFindFileA: jmp [ _VerFindFileA]
_exp_VerFindFileW: jmp [ _VerFindFileW]
_exp_VerInstallFileA: jmp [ _VerInstallFileA]
_exp_VerInstallFileW: jmp [ _VerInstallFileW]
_exp_VerLanguageNameA: jmp [ _VerLanguageNameA]
_exp_VerLanguageNameW: jmp [ _VerLanguageNameW]
_exp_VerQueryValueA: jmp [ _VerQueryValueA]
_exp_VerQueryValueW: jmp [ _VerQueryValueW]
_exp_VerQueryValueIndexA: jmp [ _VerQueryValueIndexA]
_exp_VerQueryValueIndexW: jmp [ _VerQueryValueIndexW]
; 常数
section '.szdb' data readable;
szTargetExeName db "\HELLO.exe", 0
szTargetLibrary db "\version.dll", 0
szGetFileVersionInfoA db "GetFileVersionInfoA", 0
szGetFileVersionInfoByHandle db "GetFileVersionInfoByHandle", 0
szGetFileVersionInfoExW db "GetFileVersionInfoExW", 0
szGetFileVersionInfoSizeA db "GetFileVersionInfoSizeA", 0
szGetFileVersionInfoSizeExW db "GetFileVersionInfoSizeExW", 0
szGetFileVersionInfoSizeW db "GetFileVersionInfoSizeW", 0
szGetFileVersionInfoW db "GetFileVersionInfoW", 0
szVerFindFileA db "VerFindFileA", 0
szVerFindFileW db "VerFindFileW", 0
szVerInstallFileA db "VerInstallFileA", 0
szVerInstallFileW db "VerInstallFileW", 0
szVerLanguageNameA db "VerLanguageNameA", 0
szVerLanguageNameW db "VerLanguageNameW", 0
szVerQueryValueA db "VerQueryValueA", 0
szVerQueryValueW db "VerQueryValueW", 0
szVerQueryValueIndexA db "VerQueryValueIndexA", 0
szVerQueryValueIndexW db "VerQueryValueIndexW", 0
; 跳转地址储存
section '.expw' data readable writeable;
_GetFileVersionInfoA dq ?
_GetFileVersionInfoByHandle dq ?
_GetFileVersionInfoExW dq ?
_GetFileVersionInfoSizeA dq ?
_GetFileVersionInfoSizeExW dq ?
_GetFileVersionInfoSizeW dq ?
_GetFileVersionInfoW dq ?
_VerFindFileA dq ?
_VerFindFileW dq ?
_VerInstallFileA dq ?
_VerInstallFileW dq ?
_VerLanguageNameA dq ?
_VerLanguageNameW dq ?
_VerQueryValueA dq ?
_VerQueryValueW dq ?
_VerQueryValueIndexA dq ?
_VerQueryValueIndexW dq ?
section '.idata' import data readable writeable; \ [x64] Version.dll 劫持补丁
library kernel,'KERNEL32.DLL', \
msvc,'msvcrt.dll'; \ FASM 1.71.54 编译通过
; \ https://jixun.moe/
import kernel, \
VirtualProtect,'VirtualProtect', \
LocalAlloc,'LocalAlloc', \
LocalFree,'LocalFree', \
GetModuleHandle,'GetModuleHandleA', \
LoadLibrary,'LoadLibraryA', \
GetProcAddress,'GetProcAddress', \
GetModuleFileName,'GetModuleFileNameA', \
GetSystemDirectory,'GetSystemDirectoryA'; \ Jixun.Moe
import msvc, \
strstr,'strstr', \
strncpy,'strncpy', \
strncat,'strncat'
section '.edata' export data readable; \
export 'version.dll', \
_exp_GetFileVersionInfoA, 'GetFileVersionInfoA', \
_exp_GetFileVersionInfoByHandle,'GetFileVersionInfoByHandle',\
_exp_GetFileVersionInfoExW, 'GetFileVersionInfoExW', \
_exp_GetFileVersionInfoSizeA, 'GetFileVersionInfoSizeA', \
_exp_GetFileVersionInfoSizeExW, 'GetFileVersionInfoSizeExW', \
_exp_GetFileVersionInfoSizeW, 'GetFileVersionInfoSizeW', \
_exp_GetFileVersionInfoW, 'GetFileVersionInfoW', \
_exp_VerFindFileA, 'VerFindFileA', \
_exp_VerFindFileW, 'VerFindFileW', \
_exp_VerInstallFileA, 'VerInstallFileA', \
_exp_VerInstallFileW, 'VerInstallFileW', \
_exp_VerLanguageNameA, 'VerLanguageNameA', \
_exp_VerLanguageNameW, 'VerLanguageNameW', \
_exp_VerQueryValueA, 'VerQueryValueA', \
_exp_VerQueryValueW, 'VerQueryValueW', \
_exp_VerQueryValueIndexA, 'VerQueryValueIndexA', \
_exp_VerQueryValueIndexW, 'VerQueryValueIndexW'
section '.reloc' data fixups readable discardable;
感觉在博客放这类补丁有点不太好,还是扔个源码算了。
… 继续阅读 »
