Reverse Process Injection and Hiding: Hand-Building the Simplest PELoader

I.

Recently, because of a project at work, I picked up a little about PELoader-related topics, just as the web was buzzing with talk of virtual-machine unpacking. I have neither the skill nor the energy to write a real virtual machine, so I tried a simple, lazy PE loader instead. You can think of this PE loader as the forerunner of a VM; I think it could serve as the basis of a simple unpacking tool or of a user-mode, in-process debugger.

II.

1. The project at work needs several plugins running concurrently inside one process, that is, one PID used by n "processes" at the same time. This drags in the more troublesome job of switching memory inside a process.
2. Implement reverse process injection and process hiding; an RK (rootkit) built this way is harder to detect.
3. Since leaving the heartbreak that is security work, I have been buried in writing IM server software and have not touched Windows for a long time; my brain needed some exercise.

III. What does the PELoader do?

This PELoader is messy and rough; all of the code plus debugging was piled up in about two days. For lack of time I implemented only the following:

1. Start and execute a PE file in user mode, under ordinary user privileges.
2. The started program has no process of its own: it is embedded in the body of the host (PELoader) and shares the host's process ID.
3. Loading of most resources.
4. In-process API debugging and tracing.
5. The most basic memory-dump unpacking (no OEP fix-up or similar).
6. The host keeps executing after the program has been loaded and started.
7. Both console and GUI programs can be run.

IV. Programs supported so far

1. cmd.exe. Tested; I found a few small problems with display resources, but it still runs fairly robustly.
2. Excel.exe (Office 10). This runs very well inside the PELoader, but there is still one small bug: the window's resource icon is not quite right. I have not found the cause yet.

V. Open problems

Again because of time, many things are not handled well. If anyone improves this into a decent version, please mail me a copy: msfocus

1. I am currently working on multi-process sharing. When switching between "processes", if every piece of memory in use is switched, the program crashes; if only the part that is needed is switched, that involves complicated virtual page-table switching, which is a real headache.
2. Because the process's own resources are displaced, a very large number of APIs have to be intercepted. I wrote until my hand ached and still have not covered them all; I do not know where to find a complete list of the APIs that need hooking.
3. Running under the debugger it crashes often, which is irritating.
4. Many programs fail to load or crash after starting; I have not had time to look into those errors.

VI. How it works

Normally, once the system has loaded a PE file, it resolves the IAT and the IID (IMAGE_IMPORT_DESCRIPTOR) table on its own, then finds the OEP and starts executing code; usually the first API called after the call to the OEP is GetVersion (in the MSVC CRT start-up code of the time). To hand-build a PELoader we must first inject the process's code into our own address space, resolve the IAT by hand and locate the OEP. If you think that is all there is to it, I guarantee your code will at most run a small shellcode you wrote yourself. To run a real process you also need resource management, handle management and a great deal more. No matter, we take them one at a time.

First, loading. There are many ways to load: alloc a block of memory and keep the file there, or use LoadLibraryEx to load it as a data file. Neither solves the IAT problem, though. Fixing the IAT ourselves takes a fair amount of computation; see the PE relocation function written by Linxer at kanxue for that. That is not the approach this article takes. Some will say there are articles describing how to search ntdll.dll for LdrLoadDllEx and call it to load the image and fix the IAT, but in practice that fails, at least on my WinXP system. So I used a different approach and load with LoadLibrary:

A. Modify the Characteristics field in the PE header and add the IMAGE_FILE_DLL flag; I also added a non-essential IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP flag. This makes LoadLibrary mistake the file for a DLL.
B. Set AddressOfEntryPoint in the optional header to zero. Do not be surprised; MSDN describes it this way: "AddressOfEntryPoint: Pointer to the entry point function, relative to the image base address. The entry point function is optional for DLLs. When no entry point is present, this member is zero." We do this only so that LoadLibrary believes the fake DLL has no DllMain entry point, because in reality our EXE only has a main entry point.
C. Hook APIs. We need to hook a great many APIs so that the PE file can correctly obtain its own module handle, its resources and so on, and so that no "resource not found" type of failure happens during start-up. Being lazy, I borrowed the hooking method from a program by eyas. I discussed this at length with our 何大俠 and found there were still many problems to deal with.
D. This step is optional: restore the entry point and the Characteristics field, so that the occasional awkward program also runs normally.
E. Call the original EntryPoint. This actually ends up in the target program's main function, and at that point the program is running normally.
F. VUE extension. This step is not necessary either, but if you want to try it, consider using the DumpFile function I provide to dump the target's memory when GetVersion (or whichever API comes first) executes. The repair work you still have to do yourself.
G. Keep executing code in the host, including setting breakpoints to debug the target program.
H. When compiling, remember to set the build options (the linker's /BASE option) so that the loader's code is placed at 0x0f400000, leaving the usual addresses such as 0x400000 free for the target program. I am far too lazy, so this lets me dodge the problem of the missing IID. Of course this is not a robust solution.
I. That is all. Whoever turns this into prettier code, mail me a copy: msfocus

Below is a bug-ridden version of the code:

/*
 * PELoader.exe v1.0
 * Luke  msn:msfocus
 * 2007.7.25
 */
/* The four #include lines lost their file names in extraction; these are the headers the code below needs. */
#include <stdio.h>
#include <windows.h>
#include <imagehlp.h>
#include <psapi.h>
#pragma pack(1)
#pragma comment(lib, "imagehlp.lib")
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "user32.lib")

HMODULE hmod = NULL;                 /* module handle of the target PE once LoadLibrary has mapped it */
char *lpNewBaseOfDll = NULL;         /* base of a second, unhooked copy of kernel32: every hook forwards to
                                        (original address - mi.lpBaseOfDll + lpNewBaseOfDll) */
char *lpNewBaseOfDll1 = NULL;        /* same for user32 */
MODULEINFO mi;                       /* the system kernel32 */
MODULEINFO mi1;                      /* the system user32 */
HMODULE OldKernel32Address = NULL;
HMODULE OldUser32Address = NULL;
char PEFile[MAX_PATH] = {0};         /* path of the target PE, handed back when it asks for its own module */
unsigned long OEP = 0;
char *addr_GetModuleHandleExA = NULL;
char *addr_GetModuleHandleExW = NULL;

/* Read a whole file into a new[] buffer (4 bytes at a time, so the buffer gets 4 bytes of slack). */
unsigned long LoadPEFile(char *FileName, char **Buffer)
{
    FILE *fp = fopen(FileName, "rb");
    fseek(fp, 0, SEEK_END);
    unsigned long len = ftell(fp);
    fseek(fp, 0, SEEK_SET);
    *Buffer = new char[len + 4];
    memset(*Buffer, 0x0, len + 4);
    unsigned long i = 0;
    while(i < len)
    {
        fread(*Buffer + i, 4, 1, fp);
        i += 4;
    }
    fclose(fp);
    return len;
}

void SaveAs(char *FileName, char *Buffer, unsigned long len)
{
    FILE *fp = fopen(FileName, "wb");
    unsigned long i = 0;
    while(i < len)
    {
        fwrite(Buffer + i, 4, 1, fp);
        fflush(fp);
        i += 4;
    }
    fclose(fp);
}

/* Raw dump of the mapped target image (SizeOfImage bytes from its base); no OEP/IAT fix-up, see step F. */
void WINAPI DumpFile(char *FileName)
{
    MODULEINFO dumpinfo;
    DWORD dw = 0;
    GetModuleInformation(GetCurrentProcess(), hmod, &dumpinfo, sizeof(MODULEINFO));
    printf("dump size:%d\n", dumpinfo.SizeOfImage);
    SaveAs(FileName, (char *)dumpinfo.lpBaseOfDll, dumpinfo.SizeOfImage);
}

/* GetModuleHandleEx*(NULL, ...) means "my own module": substitute the target's path. */
BOOL WINAPI MyGetModuleHandleExA(DWORD dwFlags, LPCSTR lpModuleName, HMODULE *phModule)
{
    printf("in MyGetModuleHandleExA\n");
    BOOL realbool = false;
    char *lpm = new char[MAX_PATH];
    memset(lpm, 0x0, MAX_PATH);
    if(lpModuleName == NULL)
        strcpy(lpm, PEFile);
    else
        strcpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)addr_GetModuleHandleExA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push phModule
    _asm push lpm
    _asm push dwFlags
    _asm call pNewFunc
    _asm mov realbool, eax
    printf("realbool:%d\n", realbool);
    delete[] lpm;
    //if(*phModule == OldKernel32Address)
    //    *phModule = (HMODULE)lpNewBaseOfDll;
    printf("out MyGetModuleHandleExA\n");
    return realbool;
}

BOOL WINAPI MyGetModuleHandleExW(DWORD dwFlags, LPCWSTR lpModuleName, HMODULE *phModule)
{
    printf("in MyGetModuleHandleExW\n");
    BOOL realbool = false;
    WCHAR *lpm = new WCHAR[MAX_PATH];
    memset(lpm, 0x0, sizeof(WCHAR) * MAX_PATH);
    if(lpModuleName == NULL)
        swprintf(lpm, L"%S", PEFile);   /* %S: PEFile is a narrow string */
        //wcscpy(lpm, L"c:\\a.exe");
    else
        wcscpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)addr_GetModuleHandleExW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push phModule
    _asm push lpm
    _asm push dwFlags
    _asm call pNewFunc
    _asm mov realbool, eax
    printf("realbool:%d\n", realbool);
    delete[] lpm;
    //if(*phModule == OldKernel32Address)
    //    *phModule = (HMODULE)lpNewBaseOfDll;
    printf("out MyGetModuleHandleExW\n");
    return realbool;
}

/* GetModuleFileName*(NULL, ...) asks for the executable's path: answer with the target, not the host. */
DWORD WINAPI MyGetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize)
{
    printf("in MyGetModuleFileNameA\n");
    printf("in MyGetModuleFileNameA:hModule:0x%.8x, lpFilename:%s\n", hModule, lpFilename);
    DWORD realdword = 0;
    if(!hModule)
        hModule = hmod;
    printf("new hmod:0x%.8x\n", hModule);
    //if(hModule == (HMODULE)lpNewBaseOfDll)
    //{
    //    strcpy(lpFilename, "Kernel32.dll");
    //    return strlen("Kernel32.dll");
    //}
    DWORD pNewFunc = (DWORD)GetModuleFileNameA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push nSize
    _asm push lpFilename
    _asm push hModule
    _asm call pNewFunc
    _asm mov realdword, eax
    printf("File:%s\n", lpFilename);
    printf("realdword:%d\n", realdword);
    printf("out MyGetModuleFileNameA\n");
    return realdword;
}

DWORD WINAPI MyGetModuleFileNameW(HMODULE hModule, LPWSTR lpFilename, DWORD nSize)
{
    printf("in MyGetModuleFileNameW\n");
    DWORD realdword = 0;
    if(!hModule)
        hModule = hmod;
    printf("hModule:0x%.8x\n", hModule);
    //if(hModule == (HMODULE)lpNewBaseOfDll)
    //{
    //    wcscpy(lpFilename, L"Kernel32.dll");
    //    return wcslen(L"Kernel32.dll");
    //}
    DWORD pNewFunc = (DWORD)GetModuleFileNameW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push nSize
    _asm push lpFilename
    _asm push hModule
    _asm call pNewFunc
    _asm mov realdword, eax
    printf("realdword:%d, lpFilename:%S\n", realdword, lpFilename);
    printf("out MyGetModuleFileNameW\n");
    return realdword;
}

HMODULE WINAPI MyGetModuleHandleA(LPCSTR lpModuleName)
{
    DumpFile("c:\\ps.exe");   /* debugging aid: dump the target whenever it asks for a module handle */
    printf("in MyGetModuleHandleA\n");
    char *lpm = new char[MAX_PATH];
    memset(lpm, 0x0, MAX_PATH);
    HMODULE realhmod = NULL;
    printf("in MyGetModuleHandleA:%s\n", lpModuleName);
    if(lpModuleName == NULL)
        strcpy(lpm, PEFile);
    else
        strcpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)GetModuleHandleA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push lpm
    _asm call pNewFunc
    _asm mov realhmod, eax
    delete[] lpm;
    //if(realhmod == OldKernel32Address)
    //    realhmod = (HMODULE)lpNewBaseOfDll;
    printf("realhmod:0x%.8x\n", realhmod);
    printf("out MyGetModuleHandleA\n");
    return realhmod;
}

HMODULE WINAPI MyGetModuleHandleW(LPCWSTR lpModuleName)
{
    printf("in MyGetModuleHandleW\n");
    WCHAR *lpm = new WCHAR[MAX_PATH];
    memset(lpm, 0x0, sizeof(WCHAR) * MAX_PATH);
    HMODULE realhmod = NULL;
    printf("in MyGetModuleHandleW:%S\n", lpModuleName);
    if(lpModuleName == NULL)
        swprintf(lpm, L"%S", PEFile);
        //wcscpy(lpm, L"c:\\a.exe");
    else
        wcscpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)GetModuleHandleW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push lpm
    _asm call pNewFunc
    _asm mov realhmod, eax
    delete[] lpm;
    //if(realhmod == OldKernel32Address)
    //    realhmod = (HMODULE)lpNewBaseOfDll;
    printf("realhmod:0x%.8x\n", realhmod);
    printf("out MyGetModuleHandleW\n");
    return realhmod;
}

/* Resource APIs with hModule == NULL look in the process's EXE, i.e. the host; redirect them to the target. */
HGLOBAL WINAPI MyLoadResource(HMODULE hModule, HRSRC hResInfo)
{
    printf("in MyLoadResource\n");
    HGLOBAL glb = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)LoadResource - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push hResInfo
    _asm push hModule
    _asm call pNewFunc
    _asm mov glb, eax
    printf("out MyLoadResource\n");
    return glb;   //LoadResource(hModule, hResInfo);
}

HRSRC WINAPI MyFindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)
{
    printf("in MyFindResourceA\n");
    HRSRC src = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push lpType
    _asm push lpName
    _asm push hModule
    _asm call pNewFunc
    _asm mov src, eax
    printf("out MyFindResourceA\n");
    return src;
}

HRSRC WINAPI MyFindResourceW(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType)
{
    printf("in MyFindResourceW\n");
    HRSRC src = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push lpType
    _asm push lpName
    _asm push hModule
    _asm call pNewFunc
    _asm mov src, eax
    printf("out MyFindResourceW\n");
    return src;
}

HRSRC WINAPI MyFindResourceExA(HMODULE hModule, LPCSTR lpType, LPCSTR lpName, WORD wLanguage)
{
    printf("in MyFindResourceExA\n");
    HRSRC src = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceExA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push wLanguage
    _asm push lpName
    _asm push lpType
    _asm push hModule
    _asm call pNewFunc
    _asm mov src, eax
    printf("out MyFindResourceExA\n");
    return src;
}

HRSRC WINAPI MyFindResourceExW(HMODULE hModule, LPCWSTR lpType, LPCWSTR lpName, WORD wLanguage)
{
    printf("in MyFindResourceExW\n");
    HRSRC src = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceExW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push wLanguage
    _asm push lpName
    _asm push lpType
    _asm push hModule
    _asm call pNewFunc
    _asm mov src, eax
    //printf("MyFindResourceExW\n");
    printf("out MyFindResourceExW\n");
    return src;
}

/* Process-exit hooks: a good place to dump, and later the place to keep the host alive (step G). */
VOID WINAPI MyExitProcess(UINT uExitCode)
{
    printf("ExitProcess\n");
    //DumpFile("c:\\ps.exe");
    DWORD pNewFunc = (DWORD)ExitProcess - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push uExitCode
    _asm call pNewFunc
    return;
}

BOOL WINAPI MyTerminateProcess(HANDLE hProcess, UINT uExitCode)
{
    printf("TerminateProcess\n");
    //DumpFile("c:\\ps.exe");
    DWORD pNewFunc = (DWORD)TerminateProcess - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push uExitCode
    _asm push hProcess
    _asm call pNewFunc
    return true;
}

/* FormatMessage with a NULL source means "this module's message table": point it at the target.
   Note that 0x1900 is FROM_SYSTEM|FROM_HMODULE|ALLOCATE_BUFFER; the rewrite drops ALLOCATE_BUFFER. */
DWORD WINAPI MyFormatMessageA(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPSTR lpBuffer, DWORD nSize, va_list *Arguments)
{
    printf("FormatMessageA:0x%.8x, %d\n", dwFlags, nSize);
    DWORD retdword = 0;
    if(!lpSource)
        lpSource = hmod;
    if(dwFlags == 0x1900)
        dwFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE;
    DWORD pNewFunc = (DWORD)FormatMessageA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push Arguments
    _asm push nSize
    _asm push lpBuffer
    _asm push dwLanguageId
    _asm push dwMessageId
    _asm push lpSource
    _asm push dwFlags
    _asm call pNewFunc
    _asm mov retdword, eax
    printf("msg:%s\n", lpBuffer);
    return retdword;
}

/* user32 icon/image loaders: NULL hInstance means the process's own EXE, so substitute the target. */
HICON WINAPI MyLoadIconA(HINSTANCE hInstance, LPCSTR lpIconName)
{
    HICON reticon = NULL;
    DWORD pNewFunc = (DWORD)LoadIconA - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hInstance == NULL)
        hInstance = hmod;
    _asm push lpIconName
    _asm push hInstance
    _asm call pNewFunc
    _asm mov reticon, eax
    return reticon;
}

HANDLE WINAPI MyLoadImageA(HINSTANCE hinst, LPCSTR lpszName, UINT uType, int cxDesired, int cyDesired, UINT fuLoad)
{
    HANDLE rethand = NULL;
    DWORD pNewFunc = (DWORD)LoadImageA - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hinst == NULL)
        hinst = hmod;
    _asm push fuLoad
    _asm push cyDesired
    _asm push cxDesired
    _asm push uType
    _asm push lpszName
    _asm push hinst
    _asm call pNewFunc
    _asm mov rethand, eax
    return rethand;
}

HANDLE WINAPI MyLoadImageW(HINSTANCE hinst, LPCWSTR lpszName, UINT uType, int cxDesired, int cyDesired, UINT fuLoad)
{
    HANDLE rethand = NULL;
    DWORD pNewFunc = (DWORD)LoadImageW - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hinst == NULL)
        hinst = hmod;
    _asm push fuLoad
    _asm push cyDesired
    _asm push cxDesired
    _asm push uType
    _asm push lpszName
    _asm push hinst
    _asm call pNewFunc
    _asm mov rethand, eax
    return rethand;
}

HICON WINAPI MyLoadIconW(HINSTANCE hInstance, LPCWSTR lpIconName)
{
    HICON reticon = NULL;
    DWORD pNewFunc = (DWORD)LoadIconW - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hInstance == NULL)
        hInstance = hmod;
    _asm push lpIconName
    _asm push hInstance
    _asm call pNewFunc
    _asm mov reticon, eax
    return reticon;
}

/* GetVersion is the first API the CRT start-up calls, so this is the earliest point to dump (step F). */
DWORD WINAPI MyGetVersion()
{
    printf("=GetVersion=\n");
    DWORD retdword = 0;
    //exit(1);
    DumpFile("c:\\ps.exe");
    DWORD pNewFunc = (DWORD)GetVersion - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm call pNewFunc
    _asm mov retdword, eax
    return retdword;
}

/* API trace: log every GetProcAddress the target performs (lpProcName may be an ordinal, not a string). */
DWORD WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    printf("=GetProcAddress=\n");
    DWORD retdword = 0;
    if(HIWORD(lpProcName))
        printf("GetProcAddress:%s\n", lpProcName);
    else
        printf("GetProcAddress:ordinal %u\n", LOWORD(lpProcName));
    //exit(1);
    DWORD pNewFunc = (DWORD)GetProcAddress - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push lpProcName
    _asm push hModule
    _asm call pNewFunc
    _asm mov retdword, eax
    if(HIWORD(lpProcName))
        printf("GetProcAddress:%s,0x%.8x\n", lpProcName, retdword);
    return retdword;
}

DWORD WINAPI MyFormatMessageW(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPWSTR lpBuffer, DWORD nSize, va_list *Arguments)
{
    printf("FormatMessageW:0x%.8x, %d\n", dwFlags, nSize);
    if(!lpSource)
        lpSource = hmod;
    DWORD retdword = 0;
    if(dwFlags == 0x1900)
        dwFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE;
    DWORD pNewFunc = (DWORD)FormatMessageW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    _asm push Arguments
    _asm push nSize
    _asm push lpBuffer
    _asm push dwLanguageId
    _asm push dwMessageId
    _asm push lpSource
    _asm push dwFlags
    _asm call pNewFunc
    _asm mov retdword, eax
    printf("msg:%S\n", lpBuffer);
    return retdword;
}

/* 7-byte inline patch written over the first bytes of each hooked export:
   B8 imm32 = mov eax, <hook>; FF E0 = jmp eax (stored little-endian as 0xE0FF). #pragma pack(1) keeps it at 7 bytes. */
typedef struct
{
    BYTE mov_eax;      // 0xB8
    LPVOID address;
    WORD jump_eax;     // 0xE0FF
} ASMJUMP, *PASMJUMP;

void WINAPI HookAPI(int s)
{
    OldKernel32Address = GetModuleHandle("Kernel32.dll");
    OldUser32Address = GetModuleHandle("User32.dll");
    char *pGetVersion = (char *)GetProcAddress(OldKernel32Address, "GetVersion");
    char *pLoadIconA = (char *)GetProcAddress(OldUser32Address, "LoadIconA");
    char *pLoadIconW = (char *)GetProcAddress(OldUser32Address, "LoadIconW");
    char *pLoadImageA = (char *)GetProcAddress(OldUser32Address, "LoadImageA");
    char *pLoadImageW = (char *)GetProcAddress(OldUser32Address, "LoadImageW");
    char *pFormatMessageA = (char *)GetProcAddress(OldKernel32Address, "FormatMessageA");
    char *pFormatMessageW = (char *)GetProcAddress(OldKernel32Address, "FormatMessageW");
    char *pLoadResource = (char *)GetProcAddress(OldKernel32Address, "LoadResource");
    char *pGetModuleHandleW = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleW");
    char *pGetModuleHandleA = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleA");
    char *pExitProcess = (char *)GetProcAddress(OldKernel32Address, "ExitProcess");
    char *pTerminateProcess = (char *)GetProcAddress(OldKernel32Address, "TerminateProcess");
    char *pGetModuleHandleExA = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleExA");
    char *pGetModuleHandleExW = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleExW");
    addr_GetModuleHandleExA = pGetModuleHandleExA;
    /* The listing breaks off here: this preview shows 5 of the document's 20 pages, and the rest of
       HookAPI and of the program are on the pages not included. */
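Steps A, B and D above patch two header fields and later put them back. The following is an added example, not code from Luke's PELoader: it does the same patch on an in-memory file image with the bounds checks a practitioner would want before trusting e_lfanew, and refuses PE32+ images because the whole technique is 32-bit. The field offsets come from the PE/COFF specification (Characteristics at PE+22, AddressOfEntryPoint at PE+40); the sample image is constructed inline and is not a real executable, and only the header fields the loader touches are filled in.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header layout per the PE/COFF spec, so this builds without windows.h. */
#define PE_E_LFANEW_OFF        0x3C
#define PE_SIG                 0x00004550u               /* "PE\0\0" */
#define PE_FILEHDR_OFF         4                         /* IMAGE_FILE_HEADER follows the signature */
#define PE_CHARACTERISTICS_OFF (PE_FILEHDR_OFF + 18)     /* IMAGE_FILE_HEADER.Characteristics */
#define PE_OPTHDR_OFF          (PE_FILEHDR_OFF + 20)     /* IMAGE_OPTIONAL_HEADER */
#define PE_AEP_OFF             (PE_OPTHDR_OFF + 16)      /* OptionalHeader.AddressOfEntryPoint */
#define PE_MAGIC_PE32          0x10B

#define IMAGE_FILE_DLL                      0x2000
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400

typedef struct {
    uint16_t characteristics;   /* saved FileHeader.Characteristics, for step D */
    uint32_t entry_point;       /* saved AddressOfEntryPoint: the OEP the loader calls in step E */
} pe_saved_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Offset of "PE\0\0", or -1 if the buffer is not a sane PE32 image (bad MZ/PE, e_lfanew outside the buffer). */
static long pe_header_offset(const uint8_t *buf, size_t len)
{
    if (len < PE_E_LFANEW_OFF + 4 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + PE_E_LFANEW_OFF);
    if (pe > len || len - pe < PE_AEP_OFF + 4) return -1;   /* every field we touch must be inside buf */
    if (rd32(buf + pe) != PE_SIG) return -1;
    if (rd16(buf + pe + PE_OPTHDR_OFF) != PE_MAGIC_PE32) return -1;  /* 32-bit loader: no PE32+ */
    return (long)pe;
}

/* Steps A+B: make LoadLibrary treat the EXE as a DLL without a DllMain. 0 on success. */
int pe_disguise_as_dll(uint8_t *buf, size_t len, pe_saved_t *saved)
{
    long pe = pe_header_offset(buf, len);
    if (pe < 0) return -1;
    uint8_t *chr = buf + pe + PE_CHARACTERISTICS_OFF;
    uint8_t *aep = buf + pe + PE_AEP_OFF;
    saved->characteristics = rd16(chr);
    saved->entry_point = rd32(aep);
    if (saved->entry_point == 0) return -2;   /* nothing to call in step E: refuse */
    wr16(chr, (uint16_t)(saved->characteristics | IMAGE_FILE_DLL | IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP));
    wr32(aep, 0);
    return 0;
}

/* Step D: restore both fields once the image is mapped, before calling the saved OEP. */
int pe_restore(uint8_t *buf, size_t len, const pe_saved_t *saved)
{
    long pe = pe_header_offset(buf, len);
    if (pe < 0) return -1;
    wr16(buf + pe + PE_CHARACTERISTICS_OFF, saved->characteristics);
    wr32(buf + pe + PE_AEP_OFF, saved->entry_point);
    return 0;
}

/* Constructed sample: MZ stub, e_lfanew = 0x40, i386 PE32 header, typical EXE flags, OEP at RVA 0x1000. */
#define IMG_LEN 0x100
void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + PE_E_LFANEW_OFF, 0x40);
    wr32(img + 0x40, PE_SIG);
    wr16(img + 0x40 + PE_FILEHDR_OFF, 0x014c);           /* IMAGE_FILE_MACHINE_I386 */
    wr16(img + 0x40 + PE_CHARACTERISTICS_OFF, 0x010f);   /* EXECUTABLE_IMAGE | 32BIT_MACHINE | ... */
    wr16(img + 0x40 + PE_OPTHDR_OFF, PE_MAGIC_PE32);
    wr32(img + 0x40 + PE_AEP_OFF, 0x1000);
}
uint16_t sample_characteristics(const uint8_t *img) { return rd16(img + 0x40 + PE_CHARACTERISTICS_OFF); }
uint32_t sample_entry_point(const uint8_t *img)     { return rd32(img + 0x40 + PE_AEP_OFF); }

int main(void)
{
    uint8_t img[IMG_LEN];
    pe_saved_t saved;
    build_sample_image(img);
    if (pe_disguise_as_dll(img, IMG_LEN, &saved) != 0) return 1;
    printf("patched:  Characteristics=0x%04x AddressOfEntryPoint=0x%08x (saved OEP 0x%08x)\n",
           sample_characteristics(img), sample_entry_point(img), saved.entry_point);
    pe_restore(img, IMG_LEN, &saved);
    printf("restored: Characteristics=0x%04x AddressOfEntryPoint=0x%08x\n",
           sample_characteristics(img), sample_entry_point(img));
    return 0;
}
```

In the loader the patch is applied to the file image before LoadLibrary sees it; restoring the fields afterwards (step D) hits the mapped headers, which Windows maps read-only, so that write needs a VirtualProtect to a writable protection first. Keeping the original Characteristics and the OEP in a record rather than recomputing them is what makes step E possible at all once AddressOfEntryPoint has been zeroed.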
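Step C and the ASMJUMP struct in the listing describe the hook itself: seven bytes written over the start of each export, and every hook forwarding to the same RVA inside a second copy of the module rather than to the patched original. The block below is an added example, not the author's or eyas's code, and works on a byte buffer that stands in for an export's first bytes; the prologue bytes, the loader address 0x0F401000 in the 0x0F400000 region the author suggests, and the kernel32 base and copy addresses are all constructed values for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The same 7-byte patch as the listing's ASMJUMP: B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax */
#define HOOK_STUB_LEN 7

typedef struct {
    uint8_t  original[HOOK_STUB_LEN];  /* prologue bytes the stub overwrote, kept for unhooking */
    uint32_t target;                   /* our replacement, as a 32-bit address */
} hook_record_t;

void encode_jump_eax(uint8_t out[HOOK_STUB_LEN], uint32_t target)
{
    out[0] = 0xB8;                       /* mov eax, imm32 (eax is caller-saved, so clobbering it at entry is safe) */
    out[1] = (uint8_t)(target);
    out[2] = (uint8_t)(target >> 8);
    out[3] = (uint8_t)(target >> 16);
    out[4] = (uint8_t)(target >> 24);
    out[5] = 0xFF;                       /* jmp eax */
    out[6] = 0xE0;
}

int is_jump_eax_stub(const uint8_t *p)
{
    return p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0;
}

uint32_t stub_target(const uint8_t *p)   /* read the imm32 back out of an installed stub */
{
    return (uint32_t)p[1] | ((uint32_t)p[2] << 8) | ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
}

/* Write the stub over the first 7 bytes of func. Refuses to double-hook: the saved "original"
   bytes would then be a stub, and unhooking would leave the export pointing at a stale hook. */
int install_hook(uint8_t *func, size_t func_len, uint32_t target, hook_record_t *rec)
{
    if (func_len < HOOK_STUB_LEN || is_jump_eax_stub(func)) return -1;
    memcpy(rec->original, func, HOOK_STUB_LEN);
    rec->target = target;
    encode_jump_eax(func, target);
    return 0;
}

int remove_hook(uint8_t *func, size_t func_len, const hook_record_t *rec)
{
    if (func_len < HOOK_STUB_LEN || !is_jump_eax_stub(func)) return -1;
    memcpy(func, rec->original, HOOK_STUB_LEN);
    return 0;
}

/* The hooks never call the patched export (its prologue is gone). They call the same RVA in a second,
   unpatched mapping of the module: pNewFunc = addr - mi.lpBaseOfDll + lpNewBaseOfDll in the listing. */
uint32_t rebase_to_copy(uint32_t addr, uint32_t old_base, uint32_t new_base)
{
    return addr - old_base + new_base;
}

/* Constructed sample: a hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,10h; ...). */
static const uint8_t sample_prologue[16] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57, 0x33, 0xC0, 0x5F, 0x5E, 0x5B
};

int main(void)
{
    uint8_t export_bytes[16];
    hook_record_t rec;
    memcpy(export_bytes, sample_prologue, sizeof export_bytes);

    /* hypothetical addresses: hook in the loader at 0x0F401000, system kernel32 at 0x7C800000, copy at 0x10000000 */
    uint32_t my_hook = 0x0F401000u, k32_base = 0x7C800000u, k32_copy = 0x10000000u, get_version = 0x7C8011AAu;
    install_hook(export_bytes, sizeof export_bytes, my_hook, &rec);
    printf("patched export:");
    for (int i = 0; i < HOOK_STUB_LEN; i++) printf(" %02X", export_bytes[i]);
    printf("\nhook forwards to the copy at 0x%08X\n", rebase_to_copy(get_version, k32_base, k32_copy));
    remove_hook(export_bytes, sizeof export_bytes, &rec);
    printf("restored: %s\n", memcmp(export_bytes, sample_prologue, sizeof export_bytes) == 0 ? "yes" : "no");
    return 0;
}
```

Inside a live process the seven bytes sit in a read-only, executable page, so the write has to be bracketed by VirtualProtect (PAGE_EXECUTE_READWRITE, then the old protection back) and followed by FlushInstructionCache. Because the stub destroys the export's prologue, the hooked function cannot simply be called at its real address afterwards; the listing avoids building a trampoline by calling into the second copy of kernel32/user32, which is why every My* function computes the rebased pNewFunc. Any thread already past the first seven bytes when the patch lands, or another hook that patched the same export first, is the usual failure mode, hence the double-hook refusal above.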
