[Repost] Brute-forcing SWF files out of process memory

[Repost] Brute-forcing SWF files out of process memory – zcsor ~~~ A VB hobbyist's den – cnblogs (博客园).

I recently needed to pull the SWF files out of the web pages I had open. I had actually done this before: take a game memory editor, search for "FWS", check each hit by hand, and copy the memory bytes out manually. This time there were quite a few of them, and doing it one by one was tedious and error-prone, so I wrote a small program. One thing to watch out for: in many browsers, the process that owns the main window is not the one we want... Oh well, let's not get into that; I'll just describe the implementation. Actually, hehe, the earlier tool that extracts from OFFICE could be replaced with this too? ~Gah~~(╯﹏╰)b~ Speed, speed... it's only a little slower.

1. Enumerate the processes and list them for selection.

2. Enumerate the memory blocks of the selected process and search for the "FWS" marker... apparently this is called brute force... (a small change to the source lets it search for CWS at the same time).

3. Filter the hits. The criteria are:

A. The version (the 4th byte) is 7, 8, 9 or 10.

B. The file size (bytes 5-8) is greater than 0.

C. The file ends with 0x40, 0x00, 0x00, 0x00.

Part one, enumerating processes, needs no explanation; the Process class does it.

Part two is the core: scanning memory. Properly, you should first enumerate the memory blocks the process uses, along with their attributes, so you can filter on those attributes. In my implementation, though, I simply let the success or failure of ReadProcessMemory decide whether to keep searching the current block... what a lazy person I am~~~~

Code

' Note: this code is 32-bit only; every address is held in an Integer.
Public Structure MEMORY_BASIC_INFORMATION
    Dim BaseAddress As Integer
    Dim AllocationBase As Integer
    Dim AllocationProtect As Integer
    Dim RegionSize As Integer
    Dim State As Integer
    Dim Protect As Integer
    Dim lType As Integer
End Structure
' Source: http://www.cnblogs.com/zcsor/
Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Integer) As Integer
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByRef lpNumberOfBytesRead As Integer) As Integer
Private Shared m_phandle As Integer

That declares the API functions we need; next comes the enumeration:

Code

Private Shared Function GetMemoryInfo(ByVal pHandle As Integer) As ArrayList
    Dim Infs As New ArrayList
    Dim pAddr As Integer, dwTotalCommit As Integer, ret As Integer, miLen As Integer
    Dim mi As New MEMORY_BASIC_INFORMATION
    miLen = Len(mi)
    dwTotalCommit = 0 ' running total of committed bytes
    pAddr = 0 ' query start address: 0, i.e. the beginning of the process's virtual address space
    ret = VirtualQueryEx(pHandle, pAddr, mi, miLen) ' query from the start address
    If ret = miLen AndAlso mi.State = &H1000 Then Infs.Add(mi) ' keep only committed regions (MEM_COMMIT)
    Do While (ret = miLen)
        dwTotalCommit = dwTotalCommit + mi.RegionSize
        pAddr = mi.BaseAddress + mi.RegionSize ' skip the block just queried and move to the start of the next unqueried address
        ret = VirtualQueryEx(pHandle, pAddr, mi, miLen) ' query again, until it fails (every queryable address has been covered)
        If ret = miLen AndAlso mi.State = &H1000 Then Infs.Add(mi)
    Loop
    Return Infs
End Function

Very simple; I'm sure everyone gets it at a glance~~~~~~~~~~ Next comes reading the memory data, and here there is a problem to consider: some memory blocks are large... and what does poor VB do when it overflows... A few days ago I was drawing an image several hundred thousand pixels wide and... gah~~(╯﹏╰)b. The fix is actually simple: read in chunks. Here we'll read memory in 1024-byte chunks~~ there is a reason for that, of course~~ maybe you'd prefer 4096? O(∩_∩)O~ The code is about the same either way, as long as you know~~~ the reason.


Code

Public Shared Function Scan(ByVal pHandle As Integer) As ArrayList
    m_phandle = pHandle
    ' ToKen.ToKenPrivileges() is the author's helper for raising the process's privileges; it is not shown in this post
    If Not ToKen.ToKenPrivileges() Then MsgBox("Failed to raise privileges; the scan results may be incomplete")
    Dim Ret As New ArrayList
    Dim regions As ArrayList = GetMemoryInfo(pHandle)
    For Each mi As MEMORY_BASIC_INFORMATION In regions
        Dim bLen As Integer = mi.RegionSize
        Dim rLen As Integer
        Dim mBaseAddr As Integer = mi.BaseAddress
        Dim mStep As Integer = 1024 ' read the region in 1024-byte chunks
        Dim test(3) As Byte
        Do While bLen > 0
            If bLen > mStep Then rLen = mStep Else rLen = bLen
            bLen -= mStep
            Dim Bytes(rLen - 1) As Byte
            Dim read As Integer = ReadProcessMemory(pHandle, mBaseAddr, Bytes, rLen, 0)
            If read = 0 Then Exit Do ' unreadable chunk: give up on this region
            ' scan the chunk at 4-byte aligned offsets; stop 8 bytes early so the whole header fits inside the chunk
            For mIndex As Integer = 0 To rLen - 8 Step 4
                If Bytes(mIndex) = &H46 AndAlso Bytes(mIndex + 1) = &H57 AndAlso Bytes(mIndex + 2) = &H53 Then ' just "FWS"
                    Dim f As New Flash
                    f.addr = mIndex + mBaseAddr
                    f.ver = Bytes(mIndex + 3)
                    f.size = System.BitConverter.ToInt32(Bytes, mIndex + 4)
                    If f.size > 0 AndAlso f.ver > 6 AndAlso f.ver < 11 Then
                        ' read the last four bytes of the supposed file and check for the 40 00 00 00 trailer
                        read = ReadProcessMemory(pHandle, mBaseAddr + mIndex + f.size - 4, test, 4, 0)
                        If read = 0 Then
                            Exit Do
                        Else
                            If test(0) = &H40 AndAlso test(1) = 0 AndAlso test(2) = 0 AndAlso test(3) = 0 Then Ret.Add(f)
                        End If
                    End If
                End If
            Next
            mBaseAddr += mStep
        Loop
    Next
    Return Ret
End Function

Structure Flash
    Public addr As Integer
    Public ver As Integer
    Public size As Integer
    Public Overrides Function ToString() As String
        Return "addr: " & Hex(addr) & vbCrLf & _
               "ver: " & ver & vbCrLf & _
               "size: " & Format(size, "#,0") & vbCrLf
    End Function
End Structure

With that, we're done~ We now have the details of everything in readable memory that looks like an SWF file; next... let's save them!

Code

Shared Function Save2File(ByVal Pid As Integer, ByVal addr As Integer, ByVal size As Integer) As Boolean
    Dim bs(size - 1) As Byte
    Dim read As Integer = ReadProcessMemory(m_phandle, addr, bs, size, 0)
    If read = 0 Then
        Return False ' the read failed, so there is nothing to save
    Else
        My.Computer.FileSystem.WriteAllBytes("c:\" & Hex(Pid) & "_" & Hex(addr) & ".swf", bs, False)
        Return True
    End If
End Function

Uh, you've noticed how lazy I am... There is actually one check: when the memory read fails, nothing is saved (there's nothing to save anyway~). This guards against the case where fewer than SIZE bytes follow the "FWS" marker (the file would run past the memory segment); in other words, if the code is correct, that "FWS" is definitely not a Flash file~


Finally, the finished product~ Uh, well, the real finished product is what you get after you modify my code yourself; this one doesn't recognize compressed files~~ Compressed ones are handled the same way~~~~ If you want to decompress them, go ahead~ it's a few lines of code... but I'm lazy.
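As an added example (not the post's own code), here is the same carving logic in Python, run over a constructed memory buffer instead of a live process: it applies the post's three checks (version 7 to 10, size greater than 0, trailing 40 00 00 00) at every offset, rejects a candidate whose declared size runs past the end of the region, and also handles the CWS variant the post mentions by inflating the zlib body before applying the trailer test. The function and sample names are my own, and the sample bytes are constructed.

```python
import struct
import zlib

# Acceptance rules from the post: version byte 7..10, declared length > 0, and
# the file must end with the ShowFrame + End tag bytes 40 00 00 00.
SWF_VERSIONS = range(7, 11)
SWF_TRAILER = b"\x40\x00\x00\x00"

def carve_swf(mem, base=0):
    """Return (address, signature, version, size) for each header in `mem` that
    passes the checks. Every offset is examined, so nothing is lost to the
    4-byte stride or the 1024-byte chunk boundaries of the VB scanner."""
    hits, pos = [], 0
    while True:
        cands = [i for i in (mem.find(b"FWS", pos), mem.find(b"CWS", pos)) if i != -1]
        if not cands or min(cands) + 8 > len(mem):
            break
        i = min(cands)
        pos = i + 1
        ver, size = mem[i + 3], struct.unpack_from("<I", mem, i + 4)[0]
        if ver not in SWF_VERSIONS or size < 8:  # rule B tightened to the 8-byte header minimum
            continue  # a stray "FWS"/"CWS" string, not a header
        if mem[i:i + 3] == b"FWS":
            if i + size > len(mem) or mem[i + size - 4:i + size] != SWF_TRAILER:
                continue  # runs past the region, or rule C failed
            hits.append((base + i, "FWS", ver, size))
        else:
            # CWS: bytes after the 8-byte header are zlib-compressed; inflate at most
            # the declared uncompressed length and apply the same trailer test
            try:
                body = zlib.decompressobj().decompress(mem[i + 8:], size - 8)
            except zlib.error:
                continue
            if len(body) == size - 8 and body[-4:] == SWF_TRAILER:
                hits.append((base + i, "CWS", ver, size))
    return hits

def build_swf(version, body):
    """Constructed sample: a minimal uncompressed SWF around the given tag bytes."""
    payload = body + SWF_TRAILER
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + payload

def sample_memory():
    """Constructed region: a valid FWS, a decoy "FWS" with version 3, a CWS copy
    of the same movie, and filler around them."""
    swf = build_swf(8, b"\x00" * 21)
    cws = b"CWS" + bytes([10]) + struct.pack("<I", len(swf)) + zlib.compress(swf[8:])
    return b"\x00" * 5 + swf + b"junkFWS\x03\x10\x00\x00\x00junk" + cws + b"\xff" * 7
```

Calling carve_swf(sample_memory(), base=0x400000) reports the FWS at 0x400005 and the CWS at 0x400036, both 33 bytes long, and skips the version-3 decoy.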

/Files/zcsor/FLASH提取工具.7z
