new

HackerCalico · Nov 14, 2024 · a5b9f37 · a5b9f37
1 parent d9b227a
commit a5b9f37
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/Example/BOF_Loader/Loader.cpp b/Example/BOF_Loader/Loader.cpp
@@ -11,6 +11,7 @@ PDWORD_PTR impFuncAddrList = NULL;
 __declspec(noinline) int GetHash(char* string, int length);
 __declspec(noinline) void XorData(PBYTE data, int dataLength, BYTE xor1, BYTE xor2);
 
+// 保证 RunPayload 在 .func 置顶
 #pragma code_seg(".func")
 
 int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPara, int commandParaLen, char*& outputData, int& outputDataLen, PVOID specialParaList[]) {
@@ -35,7 +36,7 @@ int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPa
     PBYTE pRdata = pBofFuncOffsetMap + bofFuncOffsetMapLen;
     PBYTE pObfCode = pRdata + rdataLen;
 
-    // 查找 bofFunc 偏移
+    //      bofFunc ƫ  
     int ifFind = 0;
     WORD bofFuncOffset;
     XorData(pBofFuncOffsetMap, bofFuncOffsetMapLen, xor1, xor2);
@@ -51,7 +52,7 @@ int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPa
         return 0;
     }
 
-    // 重定位
+    //  ض λ
     if (needReloc == 0x01) {
         if (dllHashList == NULL) {
             dllHashList = (int*)malloc(1000 * sizeof(int));
@@ -101,7 +102,7 @@ int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPa
             }
             // DLL
             else {
-                // 获取 DLL 基址
+                //   ȡ DLL   ַ
                 DWORD_PTR dllBase = 0;
                 for (int i = 0; i < dllNum; i++) {
                     if (dllHashList[i] == dllHash) {
@@ -112,7 +113,7 @@ int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPa
                 if (!dllBase) {
                     if (dllHash == -1499897628) { // Kernel32
                         PBYTE pVirtualAlloc = (PBYTE)VirtualAlloc;
-                        for (; *(PDWORD)pVirtualAlloc != 0x00905A4D; pVirtualAlloc--); // 查找 MZ
+                        for (; *(PDWORD)pVirtualAlloc != 0x00905A4D; pVirtualAlloc--); //      MZ
                         dllBase = (DWORD_PTR)pVirtualAlloc;
                     }
                     else {
@@ -126,7 +127,7 @@ int RunPayload(PBYTE pPayload, int payloadSize, int bofFuncHash, char* commandPa
                     dllBaseList[dllNum] = dllBase;
                     dllNum++;
                 }
-                // 获取导入函数指针
+                //   ȡ   뺯  ָ  
                 PDWORD_PTR pImpFunc = NULL;
                 for (int i = 0; i < impFuncNum; i++) {
                     if (impFuncHashList[i] == impFuncHash) {