編寫一個帶有socket通信功能的插件,x64dbg運行後,用戶點擊鏈接按鈕可直接連接到外部的python中,python作為服務端,當x64dbg內部出現某個事件後,自動將消息推送到外部python腳本上,實現反向傳參的目的。 ...
編寫一個帶有socket通信功能的插件,x64dbg運行後,用戶點擊鏈接按鈕可直接連接到外部的python中,python作為服務端,當x64dbg內部出現某個事件後,自動將消息推送到外部python腳本上,實現反向傳參的目的。
首先編寫插件端代碼,代碼中直接初始化套接字,用戶服務端啟動後點擊connect按鈕鏈接到服務端,鏈接成功後,一但調試器載入了程式則自動觸發CBINITDEBUG(CBTYPE cbType, PLUG_CB_INITDEBUG* info)回調函數,並通過socket將參數送出到外部。
#include "pluginmain.h"
#include <Windows.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")
#define IP "127.0.0.1"
#define PORT 9999
int pluginHandle;
HWND hwndDlg;
int hMenu;
int hMenuDisasm;
int hMenuDump;
int hMenuStack;
WSADATA WSAData;
SOCKET sock;
struct sockaddr_in ClientAddr;
// 在這裡初始化插件數據。
bool pluginInit(PLUG_INITSTRUCT* initStruct)
{
// 返回false以取消載入插件。
return true;
}
// 在此處取消初始化插件數據。
void pluginStop()
{
}
// 在這裡做GUI/菜單相關的事情。
void pluginSetup()
{
}
// 導出函數
extern "C" __declspec(dllexport) void plugsetup(PLUG_SETUPSTRUCT* setupStruct);
extern "C" __declspec(dllexport) bool pluginit(PLUG_INITSTRUCT* initStruct);
// 導出自定義的兩個功能
extern "C" __declspec(dllexport) void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info);
extern "C" __declspec(dllexport) void CBINITDEBUG(CBTYPE cbType, PLUG_CB_INITDEBUG* info);
// 菜單回調函數(初始化時自動發送套接字)附加進程觸發
void CBINITDEBUG(CBTYPE cbType, PLUG_CB_INITDEBUG* info)
{
send(sock, (char *)&info, 1024, 0);
_plugin_logprintf("size = %d \n", sizeof(PLUG_CB_INITDEBUG));
_plugin_logprintf("func = %s \n", info->szFileName);
}
// --------------------------------------------------------------------
// 基礎功能
// --------------------------------------------------------------------
// 命令觸發: 開啟Socket的命令
bool ConnectSocket(int argc, char **argv)
{
_plugin_logprintf("start socket \n");
if (WSAStartup(MAKEWORD(2, 0), &WSAData) != SOCKET_ERROR)
{
ClientAddr.sin_family = AF_INET;
ClientAddr.sin_port = htons(PORT);
ClientAddr.sin_addr.s_addr = inet_addr(IP);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
int Ret = connect(sock, (LPSOCKADDR)&ClientAddr, sizeof(ClientAddr));
return Ret;
}
// 命令觸發: 關閉Socket的命令
bool CloseSocket(int argc, char **argv)
{
_plugin_logprintf("stop socket \n");
send(sock, "SocketClose", 11, 0);
closesocket(sock);
WSACleanup();
return true;
}
// 菜單被點擊觸發此回調
void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info)
{
switch (info->hEntry)
{
case 1:
ConnectSocket(0, 0);
break;
case 2:
CloseSocket(0, 0);
break;
}
}
PLUG_EXPORT bool pluginit(PLUG_INITSTRUCT* initStruct)
{
initStruct->pluginVersion = PLUGIN_VERSION;
initStruct->sdkVersion = PLUG_SDKVERSION;
strncpy_s(initStruct->pluginName, PLUGIN_NAME, _TRUNCATE);
pluginHandle = initStruct->pluginHandle;
// 插件初始化
const char *name = "LyScriptCallBack";
memset(initStruct->pluginName, 0, 128);
memcpy(initStruct->pluginName, name, strlen(name));
return pluginInit(initStruct);
}
PLUG_EXPORT bool plugstop()
{
pluginStop();
return true;
}
PLUG_EXPORT void plugsetup(PLUG_SETUPSTRUCT* setupStruct)
{
hwndDlg = setupStruct->hwndDlg;
hMenu = setupStruct->hMenu;
hMenuDisasm = setupStruct->hMenuDisasm;
hMenuDump = setupStruct->hMenuDump;
hMenuStack = setupStruct->hMenuStack;
// 增加連接選項
char sub_connect[] = "Connect";
_plugin_menuaddentry(setupStruct->hMenu, 1, sub_connect);
// 添加關閉連接選項
char sub_close[] = "CloseConnect";
_plugin_menuaddentry(setupStruct->hMenu, 2, sub_close);
// 註冊ConnectSocket開啟Socket命令
_plugin_registercommand(pluginHandle, "ConnectSocket", ConnectSocket, true);
// 註冊CloseSocket關閉Socket命令
_plugin_registercommand(pluginHandle, "CloseSocket", CloseSocket, true);
pluginSetup();
}
客戶端則負責接收參數,收到後直接使用MyStruct(Structure)類,格式化為特定結構體,並輸出內部成員參數。
import socket
import struct
from ctypes import *
ip_addr=("localhost",9999)
server = socket.socket()
server.bind(ip_addr)
server.listen(5)
class MyStruct(Structure):
_pack_ = 1
_fields_ = [
("szFileName", c_char * 256)
]
def unpack(self,buffer):
(self.szFileName) = struct.unpack("< 256s",buffer)
while True:
conn,addr=server.accept()
print(addr)
while True:
try:
recv_data = str(conn.recv(8192), encoding="utf-8")
if len(recv_data) == 11 and recv_data == "SocketClose":
conn.close()
print("close")
else:
recv_struct = MyStruct()
recv_struct.unpack(recv)
print(recv_struct.szFileName)
except Exception:
break
server.close()
首先運行python腳本讓其偵聽特定埠,然後再x64dbg中點擊connect鏈接按鈕,鏈接成功後即可看到輸出信息。
版權聲明:本博客文章與代碼均為學習時整理的筆記,文章 [均為原創] 作品,轉載請 [添加出處] ,您添加出處是我創作的動力!
轉載文章,請遵守《中華人民共和國著作權法》相關規定或遵守《署名CC BY-ND 4.0國際》禁止演繹規範,合理合規,攜帶原創出處轉載。
