zjy2999
Posted on 2019-5-9 11:06:01
Thanks, learning!!!!!
highflybird
Posted on 2019-5-9 15:09:36
mikewolf2k posted on 2019-5-9 09:35
Learned something. So the principle is like a trojan: while copying the normal entity data, it quietly copies a flag somewhere else as well.
Could you tell us the details in a ...
Brute-force search: go through a range of addresses one by one, find this flag, and modify it; then the educational stamp is gone. For the computer this amounts to a few hundred additions and subtractions, which is an easy thing.
I haven't used the DXF method, but it probably loses some DWG information, so that method isn't perfect.
烟盒迷唇
Posted on 2019-5-9 15:12:28
Thanks for sharing a good program
mikewolf2k
Posted on 2019-5-9 15:28:19
highflybird posted on 2019-5-9 15:09
Brute-force search: go through a range of addresses one by one, find this flag, and modify it; then the educational stamp is gone. For the computer this amounts to ...
How do you know that this is the flag?
Given the address you find, do you modify the binary file directly? Changing a 00 to 01 at some address, not using ACAD functionality at all?
I haven't actually used the DXF method; does DWG to DXF lose anything? I don't know.
Thanks.
sdbaijiao
Posted on 2019-5-9 15:42:35
Thanks to the master for sharing...
1005100717
Posted on 2019-5-9 16:10:15
This post was last edited by 1005100717 on 2019-5-9 16:12
Since I started using .NET I find it more convenient to write in than C++, without all the complicated configuration. I'll contribute a .NET version too; it works on 2008-2019, 32- and 64-bit.
```vb
' Imports trimmed to what the class actually uses.
Imports System
Imports System.Globalization
Imports System.Runtime.InteropServices
Imports Autodesk.AutoCAD.ApplicationServices

Public Class cadFunc
    ' Win32 imports used to locate the isEMR routine in the loaded acdbNN.dll and patch it in-process.
    <DllImport("kernel32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function GetModuleHandle(ByVal lpModuleName As String) As IntPtr
    End Function

    <DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Ansi, ExactSpelling:=True)> _
    Private Shared Function GetProcAddress(ByVal hModule As IntPtr, ByVal procName As String) As IntPtr
    End Function

    ' dwSize is SIZE_T in Win32, so it is marshalled as a pointer-sized unsigned integer.
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function VirtualProtect(ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
    End Function

    Private Const PAGE_EXECUTE_READWRITE As UInteger = &H40UI
    Private Const PATCH_REGION As UInteger = 100UI

    ' ACADVER looks like "23.0s (LMS Tech)"; the first four characters carry the numeric version.
    ' Parsed with the invariant culture so a "," decimal separator locale does not break it.
    Public Shared Function getAcadVersion() As Double
        Dim ver As String = Application.GetSystemVariable("acadver").ToString().Substring(0, 4)
        Return Double.Parse(ver, CultureInfo.InvariantCulture)
    End Function

    ' Returns "" on success, otherwise a message naming the step that failed.
    Public Shared Function noEMR() As String
        ' The major version selects the database DLL: acdb17.dll (2008) .. acdb23.dll (2019).
        Dim major As Integer = CInt(Math.Floor(getAcadVersion()))
        Dim dllName As String = "acdb" & major.ToString(CultureInfo.InvariantCulture) & ".dll"
        Dim handle As IntPtr = GetModuleHandle(dllName)
        If handle = IntPtr.Zero Then Return "Module not found: " & dllName

        ' MSVC-decorated name of AcDbDatabase::isEMR() const: __thiscall on x86, the x64 ABI on 64-bit.
        Dim funcname As String
        If IntPtr.Size = 4 Then
            funcname = "?isEMR@AcDbDatabase@@QBE_NXZ"
        Else
            funcname = "?isEMR@AcDbDatabase@@QEBA_NXZ"
        End If
        Dim funcAddress As IntPtr = GetProcAddress(handle, funcname)
        If funcAddress = IntPtr.Zero Then Return "Function not found: " & funcname

        ' Verify the expected byte pattern 0x33 .. 0x39 .. 0x0F a few bytes into the function.
        Dim ptr As IntPtr = Advance(funcAddress, If(IntPtr.Size = 4, 3, 4))
        If Not EMRcheckFunc(ptr, &H33, 2) Then Return "Function body check failed: 0x33"
        ' destPtr now points at the 0x39 opcode byte that follows the 0x33 instruction.
        Dim destPtr As IntPtr = ptr
        If Not EMRcheckFunc(ptr, &H39, 6) Then Return "Function body check failed: 0x39"
        If Not EMRcheckFunc(ptr, &HF, 2) Then Return "Function body check failed: 0x0F"

        ' Patch memory: make the page writable, overwrite the 0x39 byte with 0x89, restore protection.
        Dim oldProtect As UInteger, dummy As UInteger
        If Not VirtualProtect(destPtr, New UIntPtr(PATCH_REGION), PAGE_EXECUTE_READWRITE, oldProtect) Then Return "Memory protection change failed"
        Marshal.WriteByte(destPtr, &H89)
        VirtualProtect(destPtr, New UIntPtr(PATCH_REGION), oldProtect, dummy)
        Return ""
    End Function

    ' Checks that the byte at `address` equals `val`. If the byte there is an E9 (jmp rel32),
    ' the jump is followed first, since the export may be a thunk. On success `address`
    ' is advanced by `len` bytes so the next check continues from the following instruction.
    Private Shared Function EMRcheckFunc(ByRef address As IntPtr, ByVal val As Byte, ByVal len As Integer) As Boolean
        If Marshal.ReadByte(address) = &HE9 Then
            Dim rel As Integer = Marshal.ReadInt32(Advance(address, 1))
            address = Advance(address, CLng(rel) + 5)
        End If
        If Marshal.ReadByte(address) <> val Then Return False
        address = Advance(address, len)
        Return True
    End Function

    ' Pointer arithmetic that works for both 32- and 64-bit processes.
    Private Shared Function Advance(ByVal p As IntPtr, ByVal delta As Long) As IntPtr
        Return New IntPtr(p.ToInt64() + delta)
    End Function
End Class
```
highflybird
Posted on 2019-5-9 16:34:39
mikewolf2k posted on 2019-5-9 15:28
How do you know that this is the flag?
Given the address you find, do you modify the binary file directly? Changing a 00 to 01 at some address, not using ...
ARX has a function that can tell; look at the code: isEMR
mikewolf2k
Posted on 2019-5-9 16:50:49
highflybird posted on 2019-5-9 16:34
ARX has a function that can tell; look at the code: isEMR
Embarrassingly, I don't know ARX, only VBA.
Is the ARX function the only way to check, with no other method? Then I'll have to give up. Thanks.
highflybird
Posted on 2019-5-9 16:56:44
mikewolf2k posted on 2019-5-9 16:50
Embarrassingly, I don't know ARX, only VBA.
Is the ARX function the only way to check, with no other method? Then I'll have to give up. Thanks.
You can refer to the code in post #16; it can be done the VBA way.
mikewolf2k
Posted on 2019-5-9 17:11:22
highflybird posted on 2019-5-9 16:56
You can refer to the code in post #16; it can be done the VBA way.
I can't be bothered to dig into it; I don't need this feature anyway, so I won't spend too much effort on it. Thanks!