INTRUDER语言 [复制链接]

发表于 2011-03-26 11:53 |只看该作者 |倒序浏览
我改造了一下C语言。下面是一个Win32代码注入的例子,大家看看如何。

/* Win32 constants spelled out as literals because no Windows header is included.
 * The values are the ones winnt.h / winbase.h give the same names. */
#define NULL                   0
#define FALSE                  0
#define TRUE                   1
/* CreateProcess flag: the new process's primary thread starts suspended and
 * only runs once ResumeThread is called on it. */
#define CREATE_SUSPENDED       0x00000004
/* VirtualAlloc/VirtualAllocEx allocation type and page protection.
 * PAGE_EXECUTE_READWRITE maps a region that is writable AND executable; a
 * remote RWX allocation is one of the strongest indicators of code injection
 * that host-based detection looks for. */
#define MEM_COMMIT             0x1000
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_RELEASE            0x8000
#define MAX_PATH               260

/* Aliases for the Win32 type names used by the bindings below. Read against the
 * Win32 headers, `!NAME` appears to be INTRUDER's typedef marker and `@` its
 * pointer marker, so `void @ !HANDLE;` corresponds to `typedef void *HANDLE;`.
 * That reading is inferred from usage on this page, not stated anywhere in it. */
void @ !HANDLE;
void @ !LPVOID;
void @ !LPCVOID;
/* SIZE_T and size_t are pinned to 32 bits, so these declarations match a 32-bit
 * (x86) Windows build only; the Win64 definitions are 64 bits wide. */
uint32 !SIZE_T;
uint32 !DWORD;
uint16 !WORD;
int32 !BOOL;
/* LPCTSTR/LPTSTR are narrow (8-bit) here, consistent with the "A" exports bound below. */
int8 @ !LPCTSTR;
int8 @ !LPTSTR;
void @ !LPSECURITY_ATTRIBUTES;
uint8 @ !LPBYTE;
void @ !HMODULE;
void @ !FARPROC;
/* Declared signed; the Windows wchar_t is an unsigned 16-bit type. Harmless for
 * the copies/compares on this page, but the sign differs from the platform's. */
int16 !wchar_t;
HANDLE !HWND;
int8 @ !LPCSTR;
uint32 !size_t;

/* Field-for-field copy of the Win32 STARTUPINFO (ANSI) layout, in header order, so
 * the struct can be passed straight to CreateProcessA. The trailing
 * `!STARTUPINFO, @ !LPSTARTUPINFO` appears to declare the value typedef and a
 * pointer typedef in one go (same `!`/`@` reading as the aliases above). */
struct _STARTUPINFO {
        DWORD  cb; /* must hold sizeof(STARTUPINFO) before the call; main() sets it */
        LPTSTR lpReserved;
        LPTSTR lpDesktop;
        LPTSTR lpTitle;
        DWORD  dwX;
        DWORD  dwY;
        DWORD  dwXSize;
        DWORD  dwYSize;
        DWORD  dwXCountChars;
        DWORD  dwYCountChars;
        DWORD  dwFillAttribute;
        DWORD  dwFlags;
        WORD   wShowWindow;
        WORD   cbReserved2;
        LPBYTE lpReserved2;
        HANDLE hStdInput;
        HANDLE hStdOutput;
        HANDLE hStdError;
} !STARTUPINFO, @ !LPSTARTUPINFO;

/* Copy of the Win32 PROCESS_INFORMATION layout filled in by CreateProcess. Both
 * handles are owned by the caller and must be closed with CloseHandle (main()
 * does so on the success path). */
struct _PROCESS_INFORMATION {
        HANDLE hProcess;
        HANDLE hThread;
        DWORD  dwProcessId;
        DWORD  dwThreadId;
} !PROCESS_INFORMATION, @ !LPPROCESS_INFORMATION;

/* Dynamic imports. Each prototype is bound to a DLL export by a string spec of the
 * form "LIB:<dll>;API:<export>;CONV:<calling convention>". The CRT bindings name
 * CONV:cdecl explicitly; the KERNEL32 ones give no CONV, so the language's default
 * convention is presumably stdcall, which is what those exports use -- TODO confirm
 * in the INTRUDER documentation. Only the narrow ("A") variants of the Win32 APIs
 * are bound, matching the 8-bit LPCTSTR alias above. */
void @ memset(void @ dest, int c, size_t count) = *"LIB:MSVCRT.DLL;API:memset;CONV:cdecl";
wchar_t @ wcscat(wchar_t @ strDestination, wchar_t @ strSource) = *"LIB:MSVCRT.DLL;API:wcscat;CONV:cdecl";
wchar_t @ wcscpy(wchar_t @ strDestination, wchar_t@ strSource) = *"LIB:MSVCRT.DLL;API:wcscpy;CONV:cdecl";
wchar_t @ wcsstr(wchar_t @ str, wchar_t @ strSearch) = *"LIB:MSVCRT.DLL;API:wcsstr;CONV:cdecl";
int wcscmp(wchar_t @ string1, wchar_t @ string2) = *"LIB:MSVCRT.DLL;API:wcscmp;CONV:cdecl";
/* Declared with the format argument only, yet called with two arguments further
 * down (init() and main()), so calls past the declared parameter list must be
 * allowed by the language -- not verifiable from this page. */
int printf(char @ format) = *"LIB:MSVCRT.DLL;API:printf;CONV:cdecl";
BOOL CreateProcess(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = *"LIB:KERNEL32.DLL;API:CreateProcessA";
BOOL CloseHandle(HANDLE hObject) = *"LIB:KERNEL32.DLL;API:CloseHandle";
DWORD ResumeThread(HANDLE hThread) = *"LIB:KERNEL32.DLL;API:ResumeThread";
/* The remote-memory trio (allocate in another process, write into it) is the part of
 * this program that endpoint monitoring keys on; see init(). */
LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAllocEx";
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T @ lpNumberOfBytesWritten) = *"LIB:KERNEL32.DLL;API:WriteProcessMemory";
HMODULE GetModuleHandle(LPCTSTR lpModuleName) = *"LIB:KERNEL32.DLL;API:GetModuleHandleA";
HMODULE LoadLibrary(LPCTSTR lpFileName) = *"LIB:KERNEL32.DLL;API:LoadLibraryA";
FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName) = *"LIB:KERNEL32.DLL;API:GetProcAddress";
void @ VirtualAlloc(void @ lpAddress, uint32 dwSize, uint32 flAllocationType, uint32 flProtect) = *"LIB:KERNEL32.DLL;API:VirtualAlloc";
int32 VirtualFree(void @ lpAddress, uint32 dwSize, uint32 dwFreeType) = *"LIB:KERNEL32.DLL;API:VirtualFree";
void Sleep(DWORD dwMilliseconds) = *"LIB:KERNEL32.DLL;API:Sleep";

/* Function type of the hook body: the same parameter shape as SetWindowTextW
 * (window handle, wide-string title), which is the export init() patches. */
void !FUNC(HWND hWnd, wchar_t @ text);
wchar_t @ !LPWSTR;
LPWSTR @ !LPPWSTR;

/* Replacement title buffer written by work(). It is a global of THIS module; the hook
 * that uses it is copied into another process by init(), and whether link() carries
 * globals across along with the code is not shown on this page -- TODO confirm. */
wchar_t title[MAX_PATH];

/* Title rewriter called by hook(). If the title ends with " - 记事本" (Notepad's
 * localized window-title suffix), the suffix is cut off, the remainder plus
 * " - $$$$$$$$" is assembled in the global `title`, and the title pointer is
 * redirected at that buffer. Returns the address of the real SetWindowTextW so
 * the caller can continue into it.
 * `name(...) = & { ... }` appears to be INTRUDER's function-definition syntax and
 * `<T>expr` a cast; both inferred from this page.
 * NOTE(review): the pointer levels do not line up with a C reading -- `ptext` is a
 * pointer-to-pointer yet is assigned to/from LPWSTR values; either the language
 * dereferences implicitly or the page extraction dropped an operator. Cannot tell here. */
FARPROC work(LPPWSTR ptext) = &
{
        LPWSTR text = ptext;
        if (<int32>text) {
                LPWSTR notepad = L" - 记事本";
                /* wcsstr returns the first occurrence; the wcscmp check then requires that
                 * occurrence to run to the end of the string, i.e. only a trailing suffix matches. */
                LPWSTR str = wcsstr(text, notepad);
                if (<int32>str&&!wcscmp(str, notepad)) {
                        /* NOTE(review): this call and the wcscat below are missing closing
                         * parentheses in the extracted listing. Truncates the caller's own
                         * string in place by writing a terminator at the match. */
                        wcscpy(str, L"";
                        /* Neither copy is bounded by MAX_PATH: a title longer than 260 wide
                         * characters (including the appended suffix) overruns `title`. */
                        wcscpy(@title[0], text);
                        wcscat(@title[0], L" - $$$$$$$$";
                        ptext = @title[0];
                }
        }
        /* NOTE(review): parenthesisation garbled by extraction; the intent reads as
         * GetProcAddress(GetModuleHandle("USER32.DLL"), "SetWindowTextW"). */
        return GetProcAddress(GetModuleHandle("USER32.DLL", "SetWindowTextW";
};

/* Code that init() plants at the entry of SetWindowTextW inside the target process.
 * It passes the address of its `text` argument to work(), then the three
 * pseudo-instructions look like inline x86 assembly emitted by INTRUDER's code
 * generator: presumably using work()'s return value (the real SetWindowTextW) in
 * EAX, stepping over the 5 bytes init() overwrote, and jumping there. The exact
 * register/stack semantics of ADD/MOV/JMP are not derivable from this page. */
FUNC hook = &
{
        work(@text);
        ADD(EAX, 5);
        MOV(ESP, EBP);
        JMP(EAX);
};

/* Installs hook() in the target process: allocates an RWX region there, generates and
 * relocates the hook's machine code into it, then overwrites the first 5 bytes of
 * USER32!SetWindowTextW in the target with a jump to that region (0xE9 is the x86
 * JMP rel32 opcode; the 4-byte displacement follows it).
 * Parameter: hProcess -- handle to the target, obtained from CreateProcess in main().
 * For defenders: remote RWX allocation, WriteProcessMemory into a fresh region, then a
 * write to an exported API's entry point is the textbook inline-hook injection
 * sequence and a high-fidelity detection signal; process-creation and cross-process
 * memory-write telemetry both surface it.
 * NOTE(review): several lines read as damaged by page extraction (`age`/`roc` where
 * `Page`/`Proc` are the names in scope, `sizeof(i, NULL)`, unbalanced parentheses);
 * treat the listing as illustrative rather than compilable. */
void init(HANDLE hProcess) = &
{
        LPVOID Page = VirtualAllocEx(hProcess, NULL, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (<int32>age) {
                /* cgen(), ilof and link() are INTRUDER built-ins not declared on this page;
                 * by their use they look like "size of the generated code for hook" and
                 * "emit it into buf, relocated for address Page". Failure modes unknown. */
                uint32 size = cgen(ilof hook);
                void @ buf = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                FUNC func = <FUNC>link(buf, <uint32>age);
                /* The results of VirtualAlloc, link and both WriteProcessMemory calls in this
                 * block are not checked; `func` is assigned and never used. */
                WriteProcessMemory(hProcess, Page, buf, size, NULL);
                VirtualFree(buf, 0, MEM_RELEASE);
                /* Address of SetWindowTextW in THIS process, later used as an address in the
                 * target -- assumes USER32.DLL is mapped at the same base in both, which the
                 * OS does not guarantee. */
                FARPROC Proc = GetProcAddress(LoadLibrary("USER32.DLL", "SetWindowTextW";
                /* Retry loop: sleep 1 s (presumably to let the just-resumed target finish
                 * loading), write the JMP opcode, and on a failed write go round again --
                 * with no upper bound, so a persistently failing write spins forever. After
                 * the opcode lands, write the relative displacement Page - (Proc + 5) into
                 * the following 4 bytes and stop. The two writes are not atomic with respect
                 * to the target, which keeps running between them. */
                do {
                        Sleep(1000);
                        int8 i8 = 0xE9; /* 0xE9 does not fit a signed 8-bit type; relies on wrap-around */
                        if (!WriteProcessMemory(hProcess, Proc, @i8, sizeof(i, NULL))
                                continue;
                        int32 i32 = <int32>age-(<int32>roc+5);
                        WriteProcessMemory(hProcess, <LPVOID>@(<LPBYTE>roc)[1], @i32, sizeof(i32), NULL);
                        break;
                } while (1);
        }
        /* Reports only whether the remote allocation succeeded, not whether the patch did. */
        printf("\"VirtualAllocEx\" %s!\n", <int32>age?"success":"failure";
};

/* Entry point: launches Notepad from a fixed path with its main thread suspended,
 * resumes it, runs init() against it, and closes both returned handles. Prints
 * whether CreateProcess succeeded. Declared void, so no exit status is returned.
 * ResumeThread is called BEFORE init(), so the injection races the target's
 * startup; the 1 s sleeps inside init() are the only synchronisation. The
 * hard-coded c:\windows\system32 paths tie the program to a default install. */
void main() = &
{
        STARTUPINFO StartupInfo;
        memset(@StartupInfo, 0, sizeof(STARTUPINFO));
        StartupInfo.cb = sizeof(STARTUPINFO); /* required by CreateProcess */
        PROCESS_INFORMATION ProcessInformation;
        /* CreateProcessA: narrow application path and working directory, no
         * inherited handles, primary thread created suspended. */
        BOOL Success = CreateProcess("c:\\windows\\system32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, "c:\\windows\\system32", @StartupInfo, @ProcessInformation);
        if (Success) {
                ResumeThread(ProcessInformation.hThread);
                init(ProcessInformation.hProcess);
                CloseHandle(ProcessInformation.hProcess);
                CloseHandle(ProcessInformation.hThread);
        }
        printf("\"CreateProcess\" %s!\n", Success?"success":"failure";
};

发表于 2011-03-31 00:45 |只看该作者
你改的目的是让代码更简单?另外,这个论坛里似乎搞LINUX的比较多,搞WIN32的感觉比较少。。。

发表于 2011-03-31 11:54 |只看该作者
主要目的是加入一些我喜欢的功能。其次是简化,实际上也没简单多少。确实是用于win32,但这里主要体现语言特性。