分享一个简短的内存加载DLL EXE C++源码

brahmana

实现类似功能的代码很多，但是我这份没有参考到别人的代码，纯粹是看微软文档撸出来的。这个需求是源于我的一个比较复杂的x86_64 shellcode，需要实现的功能很多，依赖也很多。因此用传统的方法弄的shellcode很不方便。于是我想着直接用dll/exe当作shellcode，写一个简短的linker控制在0x1000字节以内，将linker直接填在PE头处，调用时直接call头部的linker实现dll/exe的self link并执行。需求已经测试通过，完整项目不能发出来，但是可以跟大家分享验证阶段的测试代码。

主要原理：
SDK_GetProcAddress 解析kernel32拿到LoadLibraryA和GetProcAddress供linker使用。如果不是裸的代码，这里不需要。
SDK_LoadLibrary 解析dos头和nt头，并将section展开到内存。
RelocImage  进行image base重定向
LinkDLL  加载和连接依赖的dll

这里并没有处理TLS和32位的支持。这个有机会再说吧。

以下代码用mingw-w64编译，可加载运行vs和mingw-w64编译出来的pe。

1. 
   
2. 
   
3. #include <windows.h>
   
4. #include <stdio.h>
   
5. #include <string.h>
   
6. 
   
7. #include "winapi.h"
   
8. 
   
9. #ifndef MIN
   
10. #define MIN(a, b) ((a) > (b) ? (b) : (a))
    
11. #endif
    
12. 
    
13. #define RVA(a) ((PVOID)((ULONG_PTR)hExecutable + (a)))
    
14. #define K32RVA(a) ((PVOID)((ULONG_PTR)hKernel32 + (a)))
    
15. 
    
16. #define API pContext->
    
17. 
    
18. typedef struct {
    
19.     union {
    
20. #ifdef _WIN64
    
21.         struct {
    
22.             DWORD64  Unused1:63;
    
23.             DWORD64  OrdinalIfSet:1;
    
24.         } Flag;
    
25.         DWORD64 Long;
    
26. #else
    
27.         struct {
    
28.             DWORD  Unused1:31;
    
29.             DWORD  OrdinalIfSet:1;
    
30.         } Flag;
    
31.         DWORD Long;
    
32. #endif
    
33.         WORD OrdinalNumber;
    
34.         DWORD NameAddress;
    
35.     } u;
    
36. } IMPORT_LOOKUP_DESC, *PIMPORT_LOOKUP_DESC;
    
37. 
    
38. typedef struct {
    
39.     LoadLibraryA_t LoadLibraryA;
    
40.     GetProcAddress_t GetProcAddress;
    
41.     GetModuleHandleA_t GetModuleHandleA;
    
42. } LINK_CONTEXT, *PLINK_CONTEXT;
    
43. 
    
44. typedef struct {
    
45.     DWORD Page;
    
46.     DWORD BlockSize;
    
47.     struct {
    
48.         WORD Offset:12;
    
49.         WORD Type:4;
    
50.     } TypeOffset[0];
    
51. } BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;
    
52. 
    
53. HMODULE hExecutable = NULL;
    
54. 
    
55. int SDK_strcmp(const char *s1, const char *s2)
    
56. {
    
57.     while(*s1 && *s2) {
    
58.         if (*s1 != *s2)
    
59.             return -1;
    
60.         s1 ++;
    
61.         s2 ++;
    
62.     }
    
63.     return *s2 - *s1;
    
64. }
    
65. 
    
66. PVOID SDK_GetProcAddress(HMODULE hKernel32, const char *FuncName)
    
67. {
    
68.     PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)hKernel32;
    
69.     PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((char *)pDos + pDos->e_lfanew);
    
70. 
    
71.     PIMAGE_EXPORT_DIRECTORY EDT = (PIMAGE_EXPORT_DIRECTORY)K32RVA(pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    
72. 
    
73.     // printf("DLL Name: %s\n", K32RVA(EDT->Name));
    
74.     // printf("Number Of Functions: %d\n", EDT->NumberOfFunctions);
    
75.     // printf("Number Of Names: %d\n", EDT->NumberOfNames);
    
76. 
    
77.     PDWORD ExportAddressTable = (PDWORD)MOD_RVA(EDT->AddressOfFunctions);
    
78.     PDWORD ExportNamePointerTable = (PDWORD)MOD_RVA(EDT->AddressOfNames);
    
79.     PWORD ExportOrdinalTable  = (PWORD)MOD_RVA(EDT->AddressOfNameOrdinals);
    
80. 
    
81.     for(size_t i = 0; i < EDT->NumberOfNames; i++)
    
82.     {
    
83.         PCHAR name = (PCHAR)MOD_RVA(ExportNamePointerTable[i]);
    
84. 
    
85.         if (SDK_strcmp(name, FuncName) == 0) {
    
86.             WORD Ordinal = ExportOrdinalTable[i];
    
87.             return (PVOID)MOD_RVA(ExportAddressTable[Ordinal]);
    
88.         }
    
89.     }
    
90. 
    
91.     return NULL;
    
92. }
    
93. 
    
94. void LinkDLL(PLINK_CONTEXT pContext, PIMAGE_IMPORT_DESCRIPTOR IDT)
    
95. {
    
96.     const char* DLLName = (const char*)RVA(IDT->Name);
    
97.     HMODULE hDLL = API GetModuleHandleA(DLLName);
    
98. 
    
99.     if (!hDLL) {
    
100.         hDLL = API LoadLibraryA(DLLName);
     
101.     }
     
102. 
     
103.     if (!hDLL) {
     
104.         return -1;
     
105.     }
     
106. 
     
107.     printf("** %s **\n", DLLName);
     
108. 
     
109.     PIMPORT_LOOKUP_DESC ILD = (PIMPORT_LOOKUP_DESC)RVA(IDT->OriginalFirstThunk);
     
110.     PULONG_PTR IAT = (PULONG_PTR)RVA(IDT->FirstThunk);
     
111. 
     
112.     while (ILD->u.Long) {
     
113.         if (!ILD->u.Flag.OrdinalIfSet) {
     
114.             *IAT = (ULONG_PTR) API GetProcAddress(hDLL, (PCSTR)RVA(ILD->u.NameAddress+2));
     
115.             printf("%s %p\n", RVA(ILD->u.NameAddress+2), *IAT);
     
116.         } else {
     
117.             *IAT = (ULONG_PTR) API GetProcAddress(hDLL, (PCSTR)MAKEINTRESOURCE(ILD->u.OrdinalNumber));
     
118.             printf("%d %p\n", RVA(ILD->u.OrdinalNumber), *IAT);
     
119.         }
     
120.         IAT ++;
     
121.         ILD ++;
     
122.     }
     
123. }
     
124. 
     
125. void RelocImage(PBASE_RELOCATION_BLOCK BRB, ptrdiff_t Difference)
     
126. {
     
127.     printf("Difference: %ld\n", Difference);
     
128.     for(size_t i = 0; i < (BRB->BlockSize - 8)/2; i++)
     
129.     {
     
130.         WORD Offset = BRB->TypeOffset[i].Offset;
     
131.         printf("0x%.4x\t%d ", Offset, BRB->TypeOffset[i].Type);
     
132. 
     
133.         switch(BRB->TypeOffset[i].Type) {
     
134.             case IMAGE_REL_BASED_ABSOLUTE:break; // The base relocation is skipped
     
135.             case IMAGE_REL_BASED_HIGHLOW: // TODO Not test yet
     
136.                 *(DWORD*)RVA(BRB->Page + Offset) += Difference;
     
137.                 break;
     
138.             case IMAGE_REL_BASED_DIR64:
     
139.                 printf("DIR64 %lx => ", *(ptrdiff_t*)RVA(BRB->Page + Offset));
     
140.                 *(ptrdiff_t*)RVA(BRB->Page + Offset) += Difference;
     
141.                 printf("%lx", *(ptrdiff_t*)RVA(BRB->Page + Offset));
     
142.                 break;
     
143.             default:
     
144.                 fprintf(stderr, "Not support this relocation type yet.");
     
145.                 abort();
     
146.                 break;
     
147.         }
     
148.         putchar('\n');
     
149.     }
     
150. }
     
151. 
     
152. #define LLRVA(a) ((PVOID)((char*)Image + (a)))
     
153. 
     
154. HMODULE SDK_LoadLibrary(PCSTR LibraryName)
     
155. {
     
156.     IMAGE_DOS_HEADER DosHdr;
     
157.     IMAGE_NT_HEADERS NtHdr;
     
158.     HMODULE hModule = NULL;
     
159. 
     
160.     FILE *libfp = fopen(LibraryName, "rb");
     
161. 
     
162.     if (!libfp)
     
163.         goto CLEAN;
     
164. 
     
165.     fread(&DosHdr, sizeof(IMAGE_DOS_HEADER), 1, libfp);
     
166. 
     
167.     fseek(libfp, DosHdr.e_lfanew, SEEK_SET);
     
168.     fread(&NtHdr, sizeof(IMAGE_NT_HEADERS), 1, libfp);
     
169. 
     
170.     PVOID Image = VirtualAlloc(NULL, NtHdr.OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     
171.     if (!Image)
     
172.         goto CLEAN;
     
173. 
     
174.     fseek(libfp, 0, SEEK_SET);
     
175.     fread(Image, NtHdr.OptionalHeader.SizeOfHeaders, 1, libfp);
     
176. 
     
177.     PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((char *)Image + DosHdr.e_lfanew);
     
178. 
     
179.     PIMAGE_SECTION_HEADER Sections = IMAGE_FIRST_SECTION(pNt);
     
180. 
     
181.     for(size_t i = 0; i < pNt->FileHeader.NumberOfSections; i++)
     
182.     {
     
183.         fseek(libfp, Sections[i].PointerToRawData, SEEK_SET);
     
184.         fread(LLRVA(Sections[i].VirtualAddress), Sections[i].SizeOfRawData, 1, libfp);
     
185.         printf("%s\n", Sections[i].Name);
     
186.     }
     
187. 
     
188.     hModule = (HMODULE)Image;
     
189. CLEAN:
     
190.     if (libfp)
     
191.         fclose(libfp);
     
192.     return hModule;
     
193. }
     
194. 
     
195. void SDK_FreeLibrary(HMODULE hModule)
     
196. {
     
197.     VirtualFree(hModule, 0, MEM_RELEASE);
     
198. }
     
199. 
     
200. int main(int argc, const char *argv[])
     
201. {
     
202.     LINK_CONTEXT Context;
     
203. 
     
204.     if (argc != 2) {
     
205.         fprintf(stderr, "Missing dll\n");
     
206.         return -1;
     
207.     }
     
208. 
     
209.     HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
     
210.      
     
211.     Context.LoadLibraryA = (LoadLibraryA_t)SDK_GetProcAddress(hKernel32, "LoadLibraryA");
     
212.     Context.GetProcAddress = (GetProcAddress_t)SDK_GetProcAddress(hKernel32, "GetProcAddress");
     
213.     Context.GetModuleHandleA = (GetModuleHandleA_t)SDK_GetProcAddress(hKernel32, "GetModuleHandleA");
     
214. 
     
215.     printf("LoadLibraryA\t\t%p\n", Context.LoadLibraryA);
     
216.     printf("GetProcAddress\t\t%p\n", Context.GetProcAddress);
     
217.     printf("GetModuleHandleA\t%p\n", Context.GetModuleHandleA);
     
218. 
     
219.     hExecutable = SDK_LoadLibrary(argv[1]);
     
220. 
     
221.     if (hExecutable == NULL) {
     
222.         fprintf(stderr, "Can not load dll\n");
     
223.         exit(-1);
     
224.     }
     
225. 
     
226.     PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)hExecutable;
     
227.     PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((char *)pDos + pDos->e_lfanew);
     
228. 
     
229.     if ((PVOID)hExecutable != (PVOID)pNt->OptionalHeader.ImageBase)
     
230.     {
     
231. 
     
232.         printf("Image Base: %p\n", pNt->OptionalHeader.ImageBase);
     
233.         printf("Loaded Base: %p\n", hExecutable);
     
234. 
     
235.         ptrdiff_t Difference = (ptrdiff_t)hExecutable - (ptrdiff_t)pNt->OptionalHeader.ImageBase;
     
236. 
     
237.         PBASE_RELOCATION_BLOCK BRB = (PBASE_RELOCATION_BLOCK)RVA(pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
     
238. 
     
239.         while (BRB->BlockSize) {
     
240.             RelocImage(BRB, Difference);
     
241.             BRB = (PBASE_RELOCATION_BLOCK)((char*)BRB + BRB->BlockSize);
     
242.         }
     
243.     }
     
244. 
     
245.     PIMAGE_IMPORT_DESCRIPTOR IDT = (PIMAGE_IMPORT_DESCRIPTOR)RVA(pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
     
246.     while (IDT->Name != 0) {
     
247.         LinkDLL(&Context, IDT);
     
248.         IDT ++;
     
249.     }
     
250. 
     
251.     ((void(*)(HMODULE,DWORD,PVOID))RVA(pNt->OptionalHeader.AddressOfEntryPoint))(hExecutable, DLL_PROCESS_ATTACH, NULL);
     
252. 
     
253.     SDK_FreeLibrary(hExecutable);
     
254. 
     
255.     return 0;
     
256. }
     

复制代码