该库与qt一起使用时 emit 函数会重名报错,可以将blackbone 中的3rd_party\AsmJit\base\assembler emit 函数重命名成emitInstruction
blackbone Process中的附加并不是附加调试器进行调试而是打开进程
#include <Process/Process.h>
1.根据进程名枚举所有进程id
std::vector<DWORD> vecPid = blackbone::Process::EnumByName(L"dfo.exe");
2.根据进程id或者进程名枚举进程信息
blackbone::call_result_t<std::vector<blackbone::ProcessInfo>> processResult = blackbone::Process::EnumByNameOrPID(11868, L"");
for (auto processInfo : processResult.result())
{
qDebug() << processInfo.imageName << processInfo.pid << processInfo.threads.size();
}
3.枚举所有进程
blackbone::call_result_t<std::vector<blackbone::ProcessInfo>> processResult = blackbone::Process::EnumByNameOrPID(0, L"");
for (auto processInfo : processResult.result())
{
qDebug() << processInfo.imageName << processInfo.pid << processInfo.threads.size();
}
4.附加一个进程
blackbone::Process process;
std::vector<DWORD> vecPid = blackbone::Process::EnumByName(L"32位.exe");
// 附加一个进程
if (!vecPid.empty() && NT_SUCCESS(process.Attach(vecPid.front())))
{
blackbone::ProcessCore& processCore = process.core();
// 进程wow64信息
blackbone::Wow64Barrier barrier = process.barrier();
// 获取进程id和进程句柄
DWORD dwPid = processCore.pid();
HANDLE handle = processCore.handle();
// 获取进程PEB
blackbone::PEB_T peb = { };
blackbone::ptr_t ptrPEB = processCore.peb(&peb);
// 获取进程的所有句柄
for (blackbone::HandleInfo handleInfo : process.EnumHandles().result())
{
qDebug() << handleInfo.name << handleInfo.handle << handleInfo.typeName;
}
}
5.启动并附加进程
blackbone::Process process;
//启动并附加进程
process.CreateAndAttach(L"G:\\辅助工具\\PEview.exe", true);
{
//恢复进程
process.Resume();
//延迟100毫秒
std::this_thread::sleep_for(std::chrono::milliseconds(100));
}
6.进程模块管理
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
//模块管理
blackbone::ProcessModules& processModules = process.modules();
//获取所有模块包括x86和x64模块
const blackbone::ProcessModules::mapModules& mapModules = processModules.GetAllModules();
//获取主模块
blackbone::ModuleDataPtr mainModule = processModules.GetMainModule();
//主模块基地址
blackbone::module_t baseAddress = mainModule->baseAddress;
//获取导出函数地址
blackbone::call_result_t<blackbone::exportData> exportFunAddr = processModules.GetExport(L"kernel32.dll", "LoadLibraryW");
if (exportFunAddr.success())
{
qDebug() << "LoadLibraryW" << exportFunAddr->procAddress;
}
//模块断链
if (processModules.Unlink(mainModule))
{
}
}
7.进程内存管理
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
//操作内存类
blackbone::ProcessMemory& memory = process.memory();
//主模块
blackbone::ModuleDataPtr mainModulePtr = process.modules().GetMainModule();
//PE头信息
IMAGE_DOS_HEADER dosHeader = { };
//读取内存,模块的开始信息是PE头信息
memory.Read(mainModulePtr->baseAddress, dosHeader);
memory.Read(mainModulePtr->baseAddress, sizeof(dosHeader), &dosHeader);
blackbone::call_result_t<IMAGE_DOS_HEADER> dosHeaderResult = memory.Read<IMAGE_DOS_HEADER>(mainModulePtr->baseAddress);
// 改变内存读写属性
if (NT_SUCCESS(memory.Protect(mainModulePtr->baseAddress, sizeof(dosHeader), PAGE_READWRITE)))
{
//写内存
memory.Write(mainModulePtr->baseAddress, dosHeader);
memory.Write(mainModulePtr->baseAddress, sizeof(dosHeader), &dosHeader);
}
// 分配内存
blackbone::call_result_t<blackbone::MemBlock> memBlockResult = memory.Allocate(0x1000, PAGE_EXECUTE_READWRITE);
if (memBlockResult.success())
{
//写内存
memBlockResult->Write(0x10, 12.0);
//读内存
memBlockResult->Read<double>(0x10, 0.0);
}
// 枚举有效的内存区域
std::vector<MEMORY_BASIC_INFORMATION64> regions = memory.EnumRegions();
}
8.进程线程管理
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
// 枚举所有线程
std::vector<blackbone::ThreadPtr> vecThreadPtr = process.threads().getAll();
//获取主线程
blackbone::ThreadPtr mainThreadPtr = process.threads().getMain();
//根据线程id获取线程信息
blackbone::ThreadPtr threadPtr = process.threads().get(mainThreadPtr->id());
// 获取线程上下文
blackbone::CONTEXT_T ctx = { };
if (threadPtr->GetContext(ctx, CONTEXT_FLOATING_POINT))
{
//设置线程上下文
threadPtr->SetContext(ctx);
}
// 等待线程退出
threadPtr->Join(100);
}
9.JIT汇编(即时汇编)
blackbone::AsmHelperPtr asmPtr = blackbone::AsmFactory::GetAssembler();
blackbone::IAsmHelper& a = *asmPtr;
//生成函数代码
a.GenPrologue();
a->add(a->zcx, a->zdx);
a->mov(a->zax, a->zcx);
a.GenEpilogue();
auto func = reinterpret_cast<uintptr_t(__fastcall*)(uintptr_t, uintptr_t)>(a->make());
uintptr_t r = func(10, 5);
10.远程代码执行
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
//远程执行
blackbone::RemoteExec& remoteExe = process.remote();
//创建远程执行环境
remoteExe.CreateRPCEnvironment(blackbone::Worker_None, true);
//获取导出函数地址
blackbone::call_result_t<blackbone::exportData> GetModuleHandleWPtr = process.modules().GetExport(L"kernel32.dll", "GetModuleHandleW");
if (GetModuleHandleWPtr.success())
{
//使用指定的入口点和参数创建新线程
DWORD mod = remoteExe.ExecDirect(GetModuleHandleWPtr->procAddress, 0);
blackbone::AsmHelperPtr asmPtr = blackbone::AsmFactory::GetAssembler();
if (asmPtr)
{
blackbone::IAsmHelper& asmHelper = *asmPtr;
asmHelper.GenPrologue();
asmHelper.GenCall(static_cast<uintptr_t>(GetModuleHandleWPtr->procAddress), { nullptr }, blackbone::cc_stdcall);
asmHelper.GenEpilogue();
uint64_t result = 0;
//创建新线程并在其中执行代码。 等待执行结束
remoteExe.ExecInNewThread(asmHelper->make(), asmHelper->getCodeSize(), result);
}
//在主线程执行
blackbone::ThreadPtr mainThreadPtr = process.threads().getMain();
blackbone::AsmHelperPtr asmHelperPtr = blackbone::AsmFactory::GetAssembler();
if (asmHelperPtr)
{
blackbone::IAsmHelper& asmHelper = *asmHelperPtr;
asmHelper.GenPrologue();
asmHelper.GenCall(static_cast<uintptr_t>(GetModuleHandleWPtr->procAddress), { nullptr }, blackbone::cc_stdcall);
asmHelper.GenEpilogue();
uint64_t result = 0;
remoteExe.ExecInAnyThread(asmHelper->make(), asmHelper->getCodeSize(), result, mainThreadPtr);
}
}
}
11.内存搜索匹配
#include <Patterns/PatternSearch.h>
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
//匹配模版
blackbone::PatternSearch ps{ 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 };
//搜索结果
std::vector<blackbone::ptr_t> results;
//内存搜索
ps.SearchRemoteWhole(process, false, 0, results);
}
12.远程函数调用
#include <Process/RPC/RemoteFunction.hpp>
blackbone::Process process;
if (NT_SUCCESS(process.Attach(L"PEview.exe")))
{
// 简单直接调用
//获取远程函数对象
blackbone::RemoteFunction<decltype(&MessageBoxW)> pMessageBoxW =
blackbone::MakeRemoteFunction<decltype(&MessageBoxW)>(process, L"user32.dll", "MessageBoxW");
if (pMessageBoxW.valid())
{
//远程调用
auto result = pMessageBoxW(HWND_DESKTOP, L"Hello world!", L"Title", MB_OKCANCEL);
if (*result == IDCANCEL)
{
}
}
// 使用特定线程调用
auto mainThread = process.threads().getMain();
if (auto pIsGUIThread = blackbone::MakeRemoteFunction<decltype(&IsGUIThread)>(process, L"user32.dll", "IsGUIThread"); pIsGUIThread && mainThread)
{
auto result = pIsGUIThread.Call({ FALSE }, mainThread);
if (*result)
{
}
}
// 给定参数调用
if (auto pMultiByteToWideChar = blackbone::MakeRemoteFunction<decltype(&MultiByteToWideChar)>(process, L"kernel32.dll", "MultiByteToWideChar"))
{
auto args = pMultiByteToWideChar.MakeArguments({ CP_ACP, 0, "Sample text", -1, nullptr, 0 });
std::wstring converted(32, L'\0');
// Set buffer pointer and size manually
args.set(4, blackbone::AsmVariant(converted.data(), converted.size() * sizeof(wchar_t)));
args.set(5, converted.size());
auto length = pMultiByteToWideChar.Call(args);
if (length)
converted.resize(*length - 1);
}
}
13.手动映射文件(参数)
MapCalcFromFile();
MapCmdFromMem();