/* * ----------------------------------------------------------------------- * Author : * Rewrite : NSFocus Security Team * Create : 2005 * Modify : 2006-07-21 16:12 * ----------------------------------------------------------------------- * The only thing they can't take from us are our minds. !H * * 1.1.0.79 - 2.5.0.151 * * 将loader放在Skype.exe所在目录,双击执行。可以绕过对SoftICE的检测,即时 * 聊天、语音通信均可,满足自校验。 */ #include #include #include #include static unsigned char * GetCharacterAddr ( unsigned char *in, unsigned int insize, unsigned char *pattern, unsigned int patternsize, unsigned char *wildcard ) { unsigned char *addr = NULL, *p; unsigned int i; if ( NULL == in || 0 == insize || NULL == pattern || 0 == patternsize || insize < patternsize ) { goto GetCharacterAddr_exit; } p = in; while ( p + patternsize <= in + insize ) { for ( i = 0; i < patternsize; i++ ) { if ( NULL != wildcard ) { if ( *wildcard != pattern[i] && p[i] != pattern[i] ) { p++; break; } } else { if ( p[i] != pattern[i] ) { p++; break; } } } /* end of for */ if ( i == patternsize ) { addr = p; break; } } /* end of while */ GetCharacterAddr_exit: return( addr ); } /* end of GetCharacterAddr */ int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hprevInstance, LPSTR lpCmdLine, int nShowCmd ) { int ret = EXIT_FAILURE; char path[MAX_PATH] = ""; unsigned char *p; unsigned int i, j; HANDLE h; STARTUPINFO si; PROCESS_INFORMATION pi; unsigned char *begin = ( unsigned char * )0x00A00000, *end = ( unsigned char * )0x00F00000; unsigned char *buf = NULL; unsigned int buflen = 0x10000; unsigned char pattern[] = { 0x84, 0xC0, 0x74, 0x1A, 0x6A, 0x00, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x6A, 0x00, 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x6A, 0x00, 0xE8 }; unsigned char wildcard = 0xCC; unsigned char patch[] = { 0x30 }; ZeroMemory( ( unsigned char * )&pi, sizeof( pi ) ); if ( 0 == GetModuleFileName( NULL, path, sizeof( path ) ) ) { goto WinMain_exit; } p = strrchr( path, '\\' ) + 1; strcpy( p, "Skype.exe" ); h = CreateFile ( path, GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if ( INVALID_HANDLE_VALUE == h ) { goto WinMain_exit; } CloseHandle( h ); buf = ( unsigned char * )HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, buflen ); if ( NULL == buf ) { goto WinMain_exit; } GetStartupInfo( &si ); if ( FALSE == CreateProcess ( NULL, path, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) ) { goto WinMain_exit; } p = NULL; while ( begin + sizeof( pattern ) <= end ) { if ( begin + buflen <= end ) { i = buflen; } else { i = end - begin; } if ( FALSE == ReadProcessMemory ( pi.hProcess, begin, buf, i, &j ) ) { goto WinMain_0; } if ( j < sizeof( pattern ) ) { break; } p = GetCharacterAddr ( buf, j, pattern, sizeof( pattern ), &wildcard ); if ( NULL != p ) { p = p - buf + begin; if ( FALSE == WriteProcessMemory ( pi.hProcess, p, patch, sizeof( patch ), NULL ) ) { p = NULL; goto WinMain_0; } CopyMemory( patch, p - begin + buf, sizeof( patch ) ); break; } begin += j - sizeof( pattern ) + 1; } /* end of while */ WinMain_0: if ( -1 == ResumeThread( pi.hThread ) ) { goto WinMain_exit; } if ( NULL != p ) { if ( 0 != WaitForInputIdle( pi.hProcess, INFINITE ) ) { goto WinMain_exit; } if ( FALSE == WriteProcessMemory ( pi.hProcess, p, patch, sizeof( patch ), NULL ) ) { goto WinMain_exit; } ret = EXIT_SUCCESS; } WinMain_exit: if ( NULL != buf ) { HeapFree( GetProcessHeap(), 0, buf ); buf = NULL; } if ( NULL != pi.hThread ) { CloseHandle( pi.hThread ); pi.hThread = NULL; } if ( NULL != pi.hProcess ) { CloseHandle( pi.hProcess ); pi.hProcess = NULL; } return( ret ); } /* end of WinMain */