linearscan 发表于 2011-03-26 11:53

INTRUDER语言

我改造了一下C语言。下面是一个Win32代码注入的例子,大家看看如何。

// Win32 constants redeclared locally (this dialect has no windows.h);
// the values match the Win32 SDK definitions.
// MAX_PATH is defined here but not referenced anywhere in this listing.
#define NULL                   0
#define FALSE                  0
#define TRUE                   1
#define CREATE_SUSPENDED       0x00000004  // CreateProcess: primary thread starts only on ResumeThread
#define MEM_COMMIT             0x1000
#define PAGE_EXECUTE_READWRITE 0x40        // RWX pages: a strong indicator when allocated in another process
#define MEM_RELEASE            0x8000
#define MAX_PATH               260

// Win32 type aliases. From the usage in this listing, `!NAME` declares a
// type alias and a trailing `@` marks a pointer type, so `void @ !HANDLE`
// reads like C's `typedef void *HANDLE` — inferred from the code here,
// not from a language reference.
void @ !HANDLE;
void @ !LPVOID;
void @ !LPCVOID;
uint32 !SIZE_T;
uint32 !DWORD;
uint16 !WORD;
int32 !BOOL;
int8 @ !LPCTSTR;   // 8-bit chars: the CreateProcess/GetModuleHandle imports below bind the ANSI ("A") exports
int8 @ !LPTSTR;
void @ !LPSECURITY_ATTRIBUTES;
uint8 @ !LPBYTE;
void @ !HMODULE;
void @ !FARPROC;
int16 !wchar_t;    // signed here; the Win32 SDK's wchar_t is an unsigned 16-bit type
HANDLE !HWND;
int8 @ !LPCSTR;
uint32 !size_t;

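// Win32 STARTUPINFO, redeclared because the dialect has no windows.h.
// main() zeroes it with memset and sets only cb (the struct size), which
// CreateProcess requires. Field spacing restored: the page as rendered had
// the type fused to the name ("DWORDcb"), which cannot tokenize.
struct _STARTUPINFO {
        DWORD  cb;
        LPTSTR lpReserved;
        LPTSTR lpDesktop;
        LPTSTR lpTitle;
        DWORD  dwX;
        DWORD  dwY;
        DWORD  dwXSize;
        DWORD  dwYSize;
        DWORD  dwXCountChars;
        DWORD  dwYCountChars;
        DWORD  dwFillAttribute;
        DWORD  dwFlags;
        WORD   wShowWindow;
        WORD   cbReserved2;
        LPBYTE lpReserved2;
        HANDLE hStdInput;
        HANDLE hStdOutput;
        HANDLE hStdError;
} !STARTUPINFO, @ !LPSTARTUPINFO;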

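// Win32 PROCESS_INFORMATION: the two handles and ids CreateProcess returns.
// main() resumes hThread, passes hProcess to init(), then closes both.
// Field spacing restored: the page as rendered had "DWORDdwProcessId".
struct _PROCESS_INFORMATION {
        HANDLE hProcess;
        HANDLE hThread;
        DWORD  dwProcessId;
        DWORD  dwThreadId;
} !PROCESS_INFORMATION, @ !LPPROCESS_INFORMATION;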

// Foreign-function imports. `= *"LIB:…;API:…"` binds the declaration to a
// DLL export; "CONV:cdecl" is given only for the CRT functions, so the
// KERNEL32 ones presumably default to stdcall — confirm against the dialect.
void @ memset(void @ dest, int c, size_t count) = *"LIB:MSVCRT.DLL;API:memset;CONV:cdecl";
// wcscat/wcscpy are unbounded: the caller must guarantee the destination
// is large enough (see the `title` global and work() below).
wchar_t @ wcscat(wchar_t @ strDestination, wchar_t @ strSource) = *"LIB:MSVCRT.DLL;API:wcscat;CONV:cdecl";
wchar_t @ wcscpy(wchar_t @ strDestination, wchar_t@ strSource) = *"LIB:MSVCRT.DLL;API:wcscpy;CONV:cdecl";
wchar_t @ wcsstr(wchar_t @ str, wchar_t @ strSearch) = *"LIB:MSVCRT.DLL;API:wcsstr;CONV:cdecl";
int wcscmp(wchar_t @ string1, wchar_t @ string2) = *"LIB:MSVCRT.DLL;API:wcscmp;CONV:cdecl";
// Declared with the format parameter only, yet called with a second
// argument in init() and main(); this relies on cdecl variadic passing.
// Both call sites use literal format strings, so no format-string hazard.
int printf(char @ format) = *"LIB:MSVCRT.DLL;API:printf;CONV:cdecl";
// ANSI variant, consistent with LPCTSTR being `int8 @` above.
BOOL CreateProcess(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = *"LIB:KERNEL32.DLL;API:CreateProcessA";
BOOL CloseHandle(HANDLE hObject) = *"LIB:KERNEL32.DLL;API:CloseHandle";
DWORD ResumeThread(HANDLE hThread) = *"LIB:KERNEL32.DLL;API:ResumeThread";
// Cross-process allocation + write: the pair endpoint monitoring flags as
// code injection, especially with PAGE_EXECUTE_READWRITE.
LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAllocEx";
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T @ lpNumberOfBytesWritten) = *"LIB:KERNEL32.DLL;API:WriteProcessMemory";
HMODULE GetModuleHandle(LPCTSTR lpModuleName) = *"LIB:KERNEL32.DLL;API:GetModuleHandleA";
HMODULE LoadLibrary(LPCTSTR lpFileName) = *"LIB:KERNEL32.DLL;API:LoadLibraryA";
FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName) = *"LIB:KERNEL32.DLL;API:GetProcAddress";
// Local (same-process) allocation used as a staging buffer in init().
void @ VirtualAlloc(void @ lpAddress, uint32 dwSize, uint32 flAllocationType, uint32 flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAlloc";
int32 VirtualFree(void @ lpAddress, uint32 dwSize, uint32 dwFreeType) = *"LIB:KERNEL32.DLL;API:VirtualFree";
void Sleep(DWORD dwMilliseconds) = *"LIB:KERNEL32.DLL;API:Sleep";

// Signature of SetWindowTextW(hWnd, text) as the hook sees it; hook below
// is declared with this type so it receives the original arguments.
void !FUNC(HWND hWnd, wchar_t @ text);
wchar_t @ !LPWSTR;
LPWSTR @ !LPPWSTR;

// Destination of the rewritten title in work(). Declared as a single
// wchar_t, yet work() wcscpy/wcscat's an entire string into it — an
// overflow as written. NOTE(review): MAX_PATH is defined above and
// otherwise unused; presumably this was `title[MAX_PATH]` and the
// subscript was lost when the post was rendered — confirm. Whatever its
// size, it is global state shared by every call of the hook.
wchar_t title;

// Rewrite a Notepad window title. ptext points at the hook's `text`
// argument; if the string ends with " - 记事本" the suffix is cut off in
// place (this writes into the caller's own buffer, which may be read-only),
// and the remainder plus " - $$$$$$$$" is copied into the global `title`.
// Returns the address of the real SetWindowTextW, which hook() jumps to.
// NOTE(review): `LPWSTR text = ptext;` assigns an LPPWSTR to an LPWSTR and
// `ptext = @title;` assigns to the local parameter; whether the dialect
// dereferences implicitly so that the hook's `text` is actually replaced
// cannot be told from this listing — confirm (in C both would be bugs).
FARPROC work(LPPWSTR ptext) = &
{
        LPWSTR text = ptext;
        if (<int32>text) {    // pointer-to-int32 cast is the dialect's NULL test
                LPWSTR notepad = L" - 记事本";
                LPWSTR str = wcsstr(text, notepad);
                // wcscmp == 0 means the match runs to the end: the suffix must be last.
                if (<int32>str&&!wcscmp(str, notepad)) {
                        wcscpy(str, L"");    // truncates the caller's string at the suffix
                        // Unbounded copies into `title`, which is declared as one wchar_t.
                        wcscpy(@title, text);
                        wcscat(@title, L" - $$$$$$$$");
                        ptext = @title;
                }
        }
        return GetProcAddress(GetModuleHandle("USER32.DLL"), "SetWindowTextW");
};

// Replacement entry for SetWindowTextW, executed inside the target process
// with SetWindowTextW's own (hWnd, text) arguments. work() may substitute
// the text pointer, then the register-level intrinsics below continue into
// the original function just past the 5 bytes init() overwrote.
// Presumably this only works if those 5 bytes were a frame-setup prologue
// that this function's own prologue has already performed — an unverified
// assumption here; when it does not hold the target process crashes.
FUNC hook = &
{
        work(@text);
        ADD(EAX, 5);     // EAX = work()'s return (original SetWindowTextW); skip the patched bytes
        MOV(ESP, EBP);   // drop this frame's locals before transferring control
        JMP(EAX);
};

// Install the hook in hProcess: allocate an RWX page there, write the
// generated code for hook() into it, then overwrite the entry of
// SetWindowTextW in the target with a 5-byte relative JMP to that page.
// From a defender's view, VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed
// by WriteProcessMemory, and the later write over a user32 export, are the
// canonical injection/hooking signals endpoint monitoring looks for.
// Parameter: hProcess — the target process handle from CreateProcess in main().
// Returns nothing; prints whether the remote allocation succeeded. The
// result of the remote code write and the second patch write are ignored.
void init(HANDLE hProcess) = &
{
        LPVOID Page = VirtualAllocEx(hProcess, NULL, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (<int32>Page) {
                // cgen / ilof / link are dialect built-ins not declared in this
                // listing; presumably cgen reports the code size of hook() and
                // link emits it into buf relocated for address Page — confirm.
                uint32 size = cgen(ilof hook);
                void @ buf = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                // buf is not NULL-checked; func is never used afterwards.
                FUNC func = <FUNC>link(buf, <uint32>Page);
                WriteProcessMemory(hProcess, Page, buf, size, NULL);
                VirtualFree(buf, 0, MEM_RELEASE);
                // Resolved in *this* process; it names the right address in the
                // target only if user32 is mapped at the same base there.
                // The LoadLibrary reference is never released.
                FARPROC Proc = GetProcAddress(LoadLibrary("USER32.DLL"), "SetWindowTextW");
                do {
                        // Retries every second for as long as the first write fails; no bound.
                        Sleep(1000);
                        int8 i8 = 0xE9;    // x86 opcode byte: JMP rel32
                        if (!WriteProcessMemory(hProcess, Proc, @i8, sizeof(i8), NULL))
                                continue;
                        // rel32 displacement, measured from the end of the 5-byte JMP to Page.
                        int32 i32 = <int32>Page-(<int32>Proc+5);
                        // The patch is two separate writes, so the target can execute a
                        // half-patched entry (E9 followed by the original bytes) in between.
                        // NOTE(review): the displacement belongs at Proc+1, but no offset or
                        // subscript survives after (<LPBYTE>Proc) in this rendering — confirm
                        // against the original post.
                        WriteProcessMemory(hProcess, <LPVOID>@(<LPBYTE>Proc), @i32, sizeof(i32), NULL);
                        break;
                } while (1);
        }
        printf("\"VirtualAllocEx\" %s!\n", <int32>Page?"success":"failure");
};

// Launch Notepad suspended, resume it, install the hook, and release the
// handles. Note the ordering: the primary thread is resumed *before* init()
// patches SetWindowTextW, so the target is already running while the patch
// is applied; the only synchronisation is init()'s Sleep/retry loop.
void main() = &
{
        STARTUPINFO StartupInfo;
        memset(@StartupInfo, 0, sizeof(STARTUPINFO));
        StartupInfo.cb = sizeof(STARTUPINFO);    // CreateProcess requires cb to be set
        PROCESS_INFORMATION ProcessInformation;
        // Hard-coded executable path and working directory; CREATE_SUSPENDED
        // keeps the thread parked until ResumeThread below.
        BOOL Success = CreateProcess("c:\\windows\\system32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, "c:\\windows\\system32", @StartupInfo, @ProcessInformation);
        if (Success) {
                ResumeThread(ProcessInformation.hThread);
                init(ProcessInformation.hProcess);
                CloseHandle(ProcessInformation.hProcess);
                CloseHandle(ProcessInformation.hThread);
        }
        printf("\"CreateProcess\" %s!\n", Success?"success":"failure");
};

accessory 发表于 2011-03-31 00:45

你改的目的是让代码更简单?另外,这个论坛里似乎搞LINUX的比较多,搞WIN32的感觉比较少。。。

linearscan 发表于 2011-03-31 11:54

主要目的是加入一些我喜欢的功能。其次是简化,实际上也没简单多少。确实是用于win32,但这里主要体现语言特性。