CHANGMEN的个人博客,专注于网络安全领域。
从零编写一个水晶宫应用程序
最近更新:2026-04-14   |   字数总计:1.4k   |   阅读估时:7分钟   |   阅读量:
  1. 创建新项目
  2. 设计需求
  3. 主程序文件
  4. 编译
  5. windows运行
  6. hook编写
  7. 演示
  8. sleep mask

创建新项目

首先创建一个新项目,架构直接模仿的给的案例项目,新建核心文件等。

设计需求

我们这里简单的写一个

1.主要运行程序.c文件写一个dll,是用来一个sleep睡眠,睡三秒起来输出一句话,循环如此。

2.pic加载器,就是要link这个dll文件,然后拼接执行的,所以我们选择案例simple_rdl,根据这个基线进行更改。

3.功能方面,我们需要hook这个sleep函数,然后进行sleep masking。

主程序文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
/**
 * Sleep DLL - 简单的睡眠和打印演示
 * 
 * 功能:
 * 1. 睡眠3秒
 * 2. 打印字符串
 * 3. 再次睡眠
 */

#include <windows.h>
#include <stdio.h>

// DLL 入口点
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH: {
            // 禁用线程通知以提高性能
            DisableThreadLibraryCalls(hModule);
            
            // 在DLL加载时自动执行循环睡眠和打印
            printf("[SleepDLL] DLL loaded! Starting infinite loop demo...\n");
            
            // 无限循环:睡眠3秒 -> 打印 -> 睡眠3秒
            while (1) {
                printf("[SleepDLL] Sleeping for 3 seconds...\n");
                Sleep(3000);
                
                printf("[SleepDLL] Hello from SleepDLL! This is an infinite loop demo.\n");
                
                printf("[SleepDLL] Sleeping again for 3 seconds...\n");
                Sleep(3000);
            }
            break;
        }
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

编译

1
x86_64-w64-mingw32-gcc -Wall -O2 -shared -o bin/sleepdll.dll src/sleepdll.c

windows运行

219868b024bd4b3cb2e600342c727a38

hook编写

只需配置进行加入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
x64:
	load "bin/loader.x64.o"
		make pic +gofirst

		dfr "resolve" "ror13"
		mergelib "../libtcg/libtcg.x64.zip"

		push $DLL
			link "my_data"

		load "bin/hook.x64.o"
			make object +optimize
			mergelib "../libtcg/libtcg.x64.zip"
			
			addhook "KERNEL32$Sleep" "_Sleep"
			addhook "KERNEL32$GetProcAddress" "_GetProcAddress"
			
			filterhooks $DLL
			
			export
			link "my_hooks"
	
		export

然后新建一个hook.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include <windows.h>
#include "tcg.h"

WINUSERAPI int WINAPI USER32$MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
WINBASEAPI VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds);

FARPROC __resolve_hook(DWORD funcHash);

FARPROC WINAPI _GetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
	if (((ULONG_PTR)lpProcName >> 16) != 0) {
		FARPROC hook = __resolve_hook(ror13hash(lpProcName));
		if (hook != NULL)
			return hook;
	}
	return GetProcAddress(hModule, lpProcName);
}

void WINAPI _Sleep(DWORD dwMilliseconds) {
	USER32$MessageBoxA(NULL, "Sleep Hooked Successfully! Sleeping now...", "Crystal Palace Hook", MB_OK);
	KERNEL32$Sleep(dwMilliseconds);
}

void go(IMPORTFUNCS * funcs) {
	funcs->GetProcAddress = (__typeof__(GetProcAddress) *)_GetProcAddress;
}

演示

627a0716d21777514b33112aa9307db4

sleep mask

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#include <windows.h>
#include "tcg.h"

WINUSERAPI int WINAPI USER32$MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
WINBASEAPI VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds);
WINBASEAPI WINBOOL WINAPI KERNEL32$VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

FARPROC __resolve_hook(DWORD funcHash);

// 全局变量保存 DLL 的基址和大小,用于加密/解密
char * g_dllBase = NULL;
SIZE_T g_dllSize = 0;

// 简单的 XOR 加密/解密函数
void XorMask(char * buffer, SIZE_T size, char key) {
	for (SIZE_T i = 0; i < size; i++) {
		buffer[i] ^= key;
	}
}

FARPROC WINAPI _GetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
	if (((ULONG_PTR)lpProcName >> 16) != 0) {
		FARPROC hook = __resolve_hook(ror13hash(lpProcName));
		if (hook != NULL)
			return hook;
	}
	return GetProcAddress(hModule, lpProcName);
}

void WINAPI _Sleep(DWORD dwMilliseconds) {
	DWORD oldProtect;
	
	USER32$MessageBoxA(NULL, "Sleep Hooked! Encrypting DLL and sleeping...", "Crystal Palace Hook", MB_OK);
	
	// 1. 加密 DLL 内存 (Sleep Masking)
	if (g_dllBase != NULL && g_dllSize > 0) {
		// 修改内存权限为可读写
		if (KERNEL32$VirtualProtect(g_dllBase, g_dllSize, PAGE_READWRITE, &oldProtect)) {
			// 执行 XOR 加密
			XorMask(g_dllBase, g_dllSize, 0x5A);
		}
	}

	// 2. 调用真正的 Sleep
	KERNEL32$Sleep(dwMilliseconds);

	// 3. 解密 DLL 内存
	if (g_dllBase != NULL && g_dllSize > 0) {
		// 执行 XOR 解密 (再次异或相同的 key)
		XorMask(g_dllBase, g_dllSize, 0x5A);
		// 恢复原来的内存权限 (通常是 PAGE_EXECUTE_READWRITE)
		DWORD temp;
		KERNEL32$VirtualProtect(g_dllBase, g_dllSize, oldProtect, &temp);
	}
	
	USER32$MessageBoxA(NULL, "Woke up! DLL Decrypted.", "Crystal Palace Hook", MB_OK);
}

// 扩展 go 函数,接收 DLL 的基址和大小
void go(IMPORTFUNCS * funcs, char * dllBase, SIZE_T dllSize) {
	funcs->GetProcAddress = (__typeof__(GetProcAddress) *)_GetProcAddress;
	
	// 保存 DLL 信息供 Sleep Hook 使用
	g_dllBase = dllBase;
	g_dllSize = dllSize;
}

c7af147e899ff124272d654d89caba64

311c842f864c3eeaa0ac6c16e1d11a3a

但是现在这个弹窗,会卡住线程,我们换一种方式,使用dprinf进行打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#include <windows.h>
#include "tcg.h"

WINBASEAPI VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds);
WINBASEAPI WINBOOL WINAPI KERNEL32$VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

FARPROC __resolve_hook(DWORD funcHash);

// 全局变量保存 DLL 的基址和大小,用于加密/解密
char * g_dllBase = NULL;
SIZE_T g_dllSize = 0;

// 简单的 XOR 加密/解密函数
void XorMask(char * buffer, SIZE_T size, char key) {
	for (SIZE_T i = 0; i < size; i++) {
		buffer[i] ^= key;
	}
}

FARPROC WINAPI _GetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
	if (((ULONG_PTR)lpProcName >> 16) != 0) {
		FARPROC hook = __resolve_hook(ror13hash(lpProcName));
		if (hook != NULL)
			return hook;
	}
	return GetProcAddress(hModule, lpProcName);
}

void WINAPI _Sleep(DWORD dwMilliseconds) {
	DWORD oldProtect;
	
	// dprintf 提供格式化的调试输出 (通过 OutputDebugStringA)
	dprintf("[Sleep Hook] Preparing to sleep for %d ms. DLL Base: 0x%p, Size: %lu bytes\n", dwMilliseconds, g_dllBase, g_dllSize);
	
	// 1. 加密 DLL 内存 (Sleep Masking)
	if (g_dllBase != NULL && g_dllSize > 0) {
		// 修改内存权限为可读写
		if (KERNEL32$VirtualProtect(g_dllBase, g_dllSize, PAGE_READWRITE, &oldProtect)) {
			dprintf("[Sleep Hook] Memory protection changed to PAGE_READWRITE. Encrypting...\n");
			// 执行 XOR 加密
			XorMask(g_dllBase, g_dllSize, 0x5A);
			dprintf("[Sleep Hook] Encryption complete.\n");
		} else {
			dprintf("[Sleep Hook] Failed to change memory protection for encryption!\n");
		}
	}

	dprintf("[Sleep Hook] Calling original Sleep()...\n");
	// 2. 调用真正的 Sleep
	KERNEL32$Sleep(dwMilliseconds);
	dprintf("[Sleep Hook] Woke up from Sleep().\n");

	// 3. 解密 DLL 内存
	if (g_dllBase != NULL && g_dllSize > 0) {
		dprintf("[Sleep Hook] Decrypting memory...\n");
		// 执行 XOR 解密 (再次异或相同的 key)
		XorMask(g_dllBase, g_dllSize, 0x5A);
		// 恢复原来的内存权限 (通常是 PAGE_EXECUTE_READWRITE)
		DWORD temp;
		if (KERNEL32$VirtualProtect(g_dllBase, g_dllSize, oldProtect, &temp)) {
			dprintf("[Sleep Hook] Decryption complete. Memory protection restored.\n");
		} else {
			dprintf("[Sleep Hook] Failed to restore memory protection after decryption!\n");
		}
	}
}

// 扩展 go 函数,接收 DLL 的基址和大小
void go(IMPORTFUNCS * funcs, char * dllBase, SIZE_T dllSize) {
	funcs->GetProcAddress = (__typeof__(GetProcAddress) *)_GetProcAddress;
	
	// 保存 DLL 信息供 Sleep Hook 使用
	g_dllBase = dllBase;
	g_dllSize = dllSize;
	
	dprintf("[Hook Setup] DLL Base: 0x%p, Size: %lu bytes recorded for Sleep Masking.\n", g_dllBase, g_dllSize);
}

7e572c5af398cf3647609cb72a7f5d61

这就完成了一个简单的使用水晶宫的小技术。

加密前

907a68fdac17ffacd744598813c89d1d

加密后

d85a89679b989d6e4f214bb2cafb0b95

在dbg里面看我们的dll内存地址在哪里

daf5fe7adffa0d1955a41f54baa1d9dc

项目地址:https://github.com/250wuyifan/crystal-sleep-masking-demo

2026-04-14 该篇文章被 CHANGMEN 打上标签: 免杀

上一篇:parallels虚拟机WIN11配置驱动开发环境 下一篇:解决sleep masking导致栈回溯失败的问题
© 2024 CHANGMEN | Network Security Enthusiast
🌊看过大海的人不会忘记海的广阔🌊 本站由Hexo驱动|使用Hexo-theme-A4主题