其他分享
首页 > 其他分享> > 远程线程注入

远程线程注入

作者:互联网

在这里,我们使用两个方法,第一个是CreateRemoteThread方法,第二个是NtCreateThreadEx方法。通过查看源码可以发现CreaeteRemoteThread函数实现中调用了NtCreateThread函数的。

代码的最后,还给出用远程线程函数去启动一个ShellCode硬编码的线程函数 ,实现注入并弹出对话框。

 

一.使用CreateRemoteThread方法

一、启动远程线程去执行LoadLibrary(在目标进程家得到的函数的绝对地址/或者直接用当前进程的LoadLibrary的地址也可以)去执行在目标进程中已经写入的文件粒度对齐的DLL

#include "Ring3导入表Hook.h"

void _tmain(int argc, TCHAR *argv[], TCHAR *envp[])
{
    //获得目标进程句柄
    _tsetlocale(LC_ALL,_T("Chinese-simplified"));
    TCHAR v1[MAX_PATH] = { 0 };
    HANDLE ProcessHandle = NULL;
    _stscanf(argv[0], _T("%p"), &ProcessHandle);    //通过命令行接收父进程传递的目标进程的ProcessHandle

    //提权
    if (SunEnableSeDebugPrivilege(_T("SeDebugPrivilege"), TRUE) == FALSE)
    {
        return;
    }
    //获得动态库的完整路径
        //获得当前.exe文件的位置
    GetCurrentDirectory(MAX_PATH, v1);
    //通过目标进程的完整路径进行数据的读取

#ifdef _WIN64
    _tcscat_s(v1, _T("\\x64\\Dll.dll"));
#else
    _tcscat_s(v1, _T("\\x86\\Dll.dll"));
#endif

    //将该Dll注入到目标进程中(远程线程注入)
    SunInjectionByRemoteThread(v1, ProcessHandle);

    
    if (SunEnableSeDebugPrivilege(_T("SeDebugPrivilege"), FALSE) == FALSE)
    {
        return;
    }
    _tprintf(_T("Input AnyKey To Exit\r\n"));
    _gettchar();
}
//提权
BOOL SunEnableSeDebugPrivilege(IN const TCHAR*  PriviledgeName, BOOL IsEnable)
{
    // 打开权限令牌
    HANDLE  ProcessHandle = GetCurrentProcess();
    HANDLE  TokenHandle = NULL;
    TOKEN_PRIVILEGES TokenPrivileges = { 0 };
    if (!OpenProcessToken(ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }
    LUID             v1;
    if (!LookupPrivilegeValue(NULL, PriviledgeName, &v1))
    {
        CloseHandle(TokenHandle);
        TokenHandle = NULL;
        return FALSE;
    }

    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = IsEnable == TRUE ? SE_PRIVILEGE_ENABLED : 0;
    TokenPrivileges.Privileges[0].Luid = v1;


    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
        sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        _tprintf(_T("LastError:%d\r\n"), GetLastError());
        CloseHandle(TokenHandle);
        TokenHandle = NULL;
        return FALSE;
    }
    CloseHandle(TokenHandle);
    TokenHandle = NULL;
    return TRUE;
}
// 向目标进程写入DLL,并获得目标进程的Loadlibrary的函数地址,启动CreateRemoteThread去执行Loadlibrary加载DLL
BOOL SunInjectionByRemoteThread(TCHAR* DllFullPath, HANDLE ProcessHandle)
{

    ULONG32 DllFullPathLength = 0;
    PVOID   VirtualAddress = NULL;

    //在目标进程空间中申请内存
    DllFullPathLength = (_tcslen(DllFullPath) + 1) * sizeof(TCHAR);

    //目标进程空间中申请内存
    VirtualAddress = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (VirtualAddress == NULL)
    {

        int LastError = GetLastError();
        _tprintf(_T("LastError:%d\r\n", LastError));
        _tprintf(_T("VirtualAllocEx() Error\r\n"));

        return FALSE;
    }

    //写入数据到目标进程空间
    if (WriteProcessMemory(ProcessHandle, VirtualAddress, DllFullPath,
        DllFullPathLength, NULL) == FALSE)
    {
        int LastError = GetLastError();
        VirtualFreeEx(ProcessHandle, VirtualAddress, DllFullPathLength, MEM_RELEASE);
        _tprintf(_T("WriteProcessMemory() Error\r\n"));

        return FALSE;
    }

    PVOID LoadLibrary = NULL;
//得到导出函数Function(LoadLibrary)在目标进程下的绝对地址
#ifdef _UNICODE
    LoadLibrary = (PVOID)SeGetProcAddressExW(ProcessHandle, L"Kernel32.dll", "LoadLibraryW");    //得到当前进程LoadLibraryW函数地址
#else 
    LoadLibrary = (PVOID)SeGetProcAddressExA(ProcessHandle, "Kernel32.dll", "LoadLibraryA");

#endif

    // CreateRemoteThread --->让目标进程创建线程,去执行LoadLibrary(目标进程家的函数地址)加载目标进程中已经写入了文件粒度的DLL 
    // VirtualAddress是注入的DLL的地址
    HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle,
        NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary,
        VirtualAddress, 0, NULL);
    if (ThreadHandle == NULL)
    {
        _tprintf(_T("CreateRemoteThread() Error\r\n"));
        VirtualFreeEx(ProcessHandle, VirtualAddress, DllFullPathLength, MEM_RELEASE);

        return FALSE;
    }

    // 等待远程线程结束
    WaitForSingleObject(ThreadHandle, INFINITE);


    if (VirtualAddress!=NULL)
    {
        VirtualFreeEx(ProcessHandle, VirtualAddress, DllFullPathLength, MEM_RELEASE);
    }
    // 清理

    if (ProcessHandle!=NULL)
    {
        CloseHandle(ProcessHandle);
    }

    return T RUE;
}
//得到导出函数Function(LoadLibrary)在目标进程下的绝对地址
ULONG_PTR SunGetProcAddressExA(HANDLE ProcessHandle, const char* ModuleName, const char* FunctionName)
{
    WCHAR v1[MAX_PATH] = { 0 };
    if (MultiByteToWideChar(CP_ACP, NULL, ModuleName, -1, v1, _countof(v1)))
    {
        return SeGetProcAddressExW(ProcessHandle, v1, FunctionName);
    }
    else
    {
        return 0;
    }
}
//得到导出函数Function(LoadLibrary)在目标进程下的绝对地址
ULONG_PTR SunGetProcAddressExW(HANDLE ProcessHandle, const wchar_t* ModuleName, const char* FunctionName)
{
    if (!ProcessHandle) //no process specified
    {

        ProcessHandle = GetCurrentProcess();

    }
    //枚举目标进程的模块信息(ProcessHandle传的是目标进程的句柄)
    DWORD ReturnLength = 0;
    if (EnumProcessModules(ProcessHandle, 0, 0, &ReturnLength))    //预读,返回长度
    {
        HMODULE* ModulesHandle = (HMODULE*)malloc(ReturnLength * sizeof(HMODULE));    //申请内存
        if (EnumProcessModules(ProcessHandle, ModulesHandle, ReturnLength, &ReturnLength))    //枚举模块信息,基地址返回到ModulesHandle
        {
            for (unsigned int i = 0; i < ReturnLength / sizeof(HMODULE); i++)
            {
                wchar_t ModuleFullPath[MAX_PATH] = L"";
                //获得模块完整路径
                if (GetModuleFileNameExW(ProcessHandle, ModulesHandle[i], ModuleFullPath, _countof(ModuleFullPath)))
                {
                    wchar_t* v1 = wcsrchr(ModuleFullPath, L'\\');    //阶段完整路径,得到模块名字
                    if (v1)
                    {
                        v1++;
                        //此时我们ModuleName传参是Kernel32.dll
                        if (!_wcsicmp(v1, ModuleName))        //找到了我们要的模块
                        {
                            //获得当前进程下模块基地址
                            HMODULE ModuleBase =
                                LoadLibraryExW(ModuleFullPath, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
                            if (ModuleBase)
                            {
                                //获得目标函数(LoadLibrary)在当前进程下的地址
                                ULONG_PTR FunctionAddress = (ULONG_PTR)GetProcAddress(ModuleBase, FunctionName);    

                                if (FunctionAddress)
                                {
                                    FunctionAddress -= (ULONG_PTR)ModuleBase; //rva 计算Function的相对地址
                                    FreeLibrary(ModuleBase);
                                    return FunctionAddress + (ULONG_PTR)ModulesHandle[i]; 
                                    //va    返回Function(LoadLibrary)在目标进程下的绝对地址
                                }
                            }
                            break;
                        }
                    }
                }
            }
        }
        free(ModulesHandle);
    }
    return 0;
}

 

二、使用NtCreateThreadEx方法

区别在于NtCreateThreadEx是未导出的Nt系列的函数,其实并没有技术的升级,而是进行了创建远程线程函数的升级,通过查看源码可以发现CreaeteRemoteThread函数实现中调用了NtCreateThread函数的。

void Nt创建线程扩展()
{
    TCHAR ImageName[MAX_PATH] = { 0 };
    HANDLE ProcessHandle = NULL;
    HANDLE ThreadHandle = NULL;
    LPVOID VirtualAddress = NULL;
    HANDLE ProcessIdentify = INVALID_HANDLE_VALUE;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    LPFN_NTCREATETHREADEX NtCreateThreadEx = NULL;

    // 输入目标进程名称
    SunInputImageName(ImageName);

    {
        GetCurrentDirectory(MAX_PATH, __DllFullPath);
        _tcscat_s(__DllFullPath, _T("\\Dll.dll"));
    }
    //__DllFullPath = 0x00007ff641b8a560 L"Z:\\X-Project\\X-Project\\Dll.dll"

    // 枚举进程,找到目标进程的ID
    if (SunGetProcessIdentifyByImageName(ImageName, &ProcessIdentify) == FALSE)
    {
        goto Exit;
    }

    // 当前exe模块中没有该函数导入
    NtCreateThreadEx = (LPFN_NTCREATETHREADEX)GetProcAddress(GetModuleHandle(_T("NTDLL.DLL")),
        "NtCreateThreadEx");

    if (NtCreateThreadEx == NULL)
    {
        goto Exit;
    }

    // 通过进程ID获取进程句柄
    ProcessHandle = SunOpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessIdentify);

    if (ProcessHandle == NULL)
    {
        goto Exit;
    }


    SIZE_T DllFullPathLength = 0;
    // 在目标进程空间中申请内存
    DllFullPathLength = (_tcslen(__DllFullPath) + 1) * sizeof(TCHAR);

    // 目标进程空间中申请内存
    VirtualAddress = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT, PAGE_READWRITE);
    if (VirtualAddress != NULL)
    {
        // 将DLL写入到目标进程中
        if (!SunProcessMemoryWriteSafe(ProcessHandle, VirtualAddress, __DllFullPath, DllFullPathLength, NULL))
        {
            goto Exit;
        }

        // 在目标进程中启动线程
        Status = NtCreateThreadEx(&ThreadHandle,
            THREAD_ALL_ACCESS, NULL, ProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibrary, VirtualAddress,
            FALSE, NULL, NULL, NULL, NULL);
        if (!NT_SUCCESS(Status))
        {
            goto Exit;
        }

    }
    WaitForSingleObject(ThreadHandle, INFINITE);
Exit:
    if (VirtualAddress != NULL)
    {
        VirtualFreeEx(ProcessHandle, VirtualAddress, sizeof(__ShellCode), MEM_RELEASE);
        VirtualAddress = NULL;
    }

    if (ThreadHandle != NULL)
    {
        SunCloseHandle(ThreadHandle);
        ThreadHandle = NULL;
    }

    if (ProcessHandle != NULL)
    {
        SunCloseHandle(ProcessHandle);
        ProcessHandle = NULL;
    }
}

 

三、

我们还可以用远程线程函数做一些其他的事情
如去启动一个ShellCode硬编码的线程函数 

这里我们使用ShellCode去注入,弹出一个对话框。

#include "stdafx.h"
#include <Windows.h>

#define TOUPPER(x) ((((x)>='a')&&((x)<='z'))?((x)-32):(x))
#define TOLOWER(x) ((((x)>='A')&&((x)<='Z'))?((x)+32):(x))

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA
{
    DWORD Length;
    bool Initialized;
    PVOID SsHandle;    
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA,*PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    UINT32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    UINT32 Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    UINT32 CheckSum;
    UINT32 TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

typedef HMODULE (WINAPI * PLOADLIBRARYA)(LPCSTR);
typedef DWORD (WINAPI * PGETPROCADDRESS)(HMODULE, LPCSTR);
typedef DWORD (WINAPI * PMESSAGEBOXA)(HWND, LPCSTR,LPCSTR,UINT);

DWORD WINAPI ShellCode(PVOID lpThreadParameter);

void PrintHexArray(PVOID startAddr, size_t nBytes);

unsigned char ShellCodebuff[] = {
    0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x0C, 0x01, 0x00, 0x00, 0x53, 0x56, 0x57, 0xC7, 0x45, 0xFC, 0x00,
    0x00, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00,
    0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00, 0xC7,
    0x45, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x45, 0xC0,
    0x6B, 0xC6, 0x45, 0xC1, 0x00, 0xC6, 0x45, 0xC2, 0x65, 0xC6, 0x45, 0xC3, 0x00, 0xC6, 0x45, 0xC4,
    0x72, 0xC6, 0x45, 0xC5, 0x00, 0xC6, 0x45, 0xC6, 0x6E, 0xC6, 0x45, 0xC7, 0x00, 0xC6, 0x45, 0xC8,
    0x65, 0xC6, 0x45, 0xC9, 0x00, 0xC6, 0x45, 0xCA, 0x6C, 0xC6, 0x45, 0xCB, 0x00, 0xC6, 0x45, 0xCC,
    0x33, 0xC6, 0x45, 0xCD, 0x00, 0xC6, 0x45, 0xCE, 0x32, 0xC6, 0x45, 0xCF, 0x00, 0xC6, 0x45, 0xD0,
    0x2E, 0xC6, 0x45, 0xD1, 0x00, 0xC6, 0x45, 0xD2, 0x64, 0xC6, 0x45, 0xD3, 0x00, 0xC6, 0x45, 0xD4,
    0x6C, 0xC6, 0x45, 0xD5, 0x00, 0xC6, 0x45, 0xD6, 0x6C, 0xC6, 0x45, 0xD7, 0x00, 0xC6, 0x45, 0xD8,
    0x00, 0xC6, 0x45, 0xD9, 0x00, 0xC6, 0x45, 0xB4, 0x75, 0xC6, 0x45, 0xB5, 0x73, 0xC6, 0x45, 0xB6,
    0x65, 0xC6, 0x45, 0xB7, 0x72, 0xC6, 0x45, 0xB8, 0x33, 0xC6, 0x45, 0xB9, 0x32, 0xC6, 0x45, 0xBA,
    0x2E, 0xC6, 0x45, 0xBB, 0x64, 0xC6, 0x45, 0xBC, 0x6C, 0xC6, 0x45, 0xBD, 0x6C, 0xC6, 0x45, 0xBE,
    0x00, 0xC6, 0x45, 0xA4, 0x47, 0xC6, 0x45, 0xA5, 0x65, 0xC6, 0x45, 0xA6, 0x74, 0xC6, 0x45, 0xA7,
    0x50, 0xC6, 0x45, 0xA8, 0x72, 0xC6, 0x45, 0xA9, 0x6F, 0xC6, 0x45, 0xAA, 0x63, 0xC6, 0x45, 0xAB,
    0x41, 0xC6, 0x45, 0xAC, 0x64, 0xC6, 0x45, 0xAD, 0x64, 0xC6, 0x45, 0xAE, 0x72, 0xC6, 0x45, 0xAF,
    0x65, 0xC6, 0x45, 0xB0, 0x73, 0xC6, 0x45, 0xB1, 0x73, 0xC6, 0x45, 0xB2, 0x00, 0xC6, 0x45, 0x94,
    0x4C, 0xC6, 0x45, 0x95, 0x6F, 0xC6, 0x45, 0x96, 0x61, 0xC6, 0x45, 0x97, 0x64, 0xC6, 0x45, 0x98,
    0x4C, 0xC6, 0x45, 0x99, 0x69, 0xC6, 0x45, 0x9A, 0x62, 0xC6, 0x45, 0x9B, 0x72, 0xC6, 0x45, 0x9C,
    0x61, 0xC6, 0x45, 0x9D, 0x72, 0xC6, 0x45, 0x9E, 0x79, 0xC6, 0x45, 0x9F, 0x41, 0xC6, 0x45, 0xA0,
    0x00, 0xC6, 0x45, 0x88, 0x4D, 0xC6, 0x45, 0x89, 0x65, 0xC6, 0x45, 0x8A, 0x73, 0xC6, 0x45, 0x8B,
    0x73, 0xC6, 0x45, 0x8C, 0x61, 0xC6, 0x45, 0x8D, 0x67, 0xC6, 0x45, 0x8E, 0x65, 0xC6, 0x45, 0x8F,
    0x42, 0xC6, 0x45, 0x90, 0x6F, 0xC6, 0x45, 0x91, 0x78, 0xC6, 0x45, 0x92, 0x41, 0xC6, 0x45, 0x93,
    0x00, 0xC6, 0x85, 0x78, 0xFF, 0xFF, 0xFF, 0x48, 0xC6, 0x85, 0x79, 0xFF, 0xFF, 0xFF, 0x65, 0xC6,
    0x85, 0x7A, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7B, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7C,
    0xFF, 0xFF, 0xFF, 0x6F, 0xC6, 0x85, 0x7D, 0xFF, 0xFF, 0xFF, 0x53, 0xC6, 0x85, 0x7E, 0xFF, 0xFF,
    0xFF, 0x68, 0xC6, 0x85, 0x7F, 0xFF, 0xFF, 0xFF, 0x65, 0xC6, 0x45, 0x80, 0x6C, 0xC6, 0x45, 0x81,
    0x6C, 0xC6, 0x45, 0x82, 0x43, 0xC6, 0x45, 0x83, 0x6F, 0xC6, 0x45, 0x84, 0x64, 0xC6, 0x45, 0x85,
    0x65, 0xC6, 0x45, 0x86, 0x00, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x89, 0x45,
    0xE8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 0x0C, 0x89, 0x45, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x08, 0x89,
    0x4D, 0xE0, 0x8B, 0x45, 0xE0, 0x89, 0x85, 0x74, 0xFF, 0xFF, 0xFF, 0x8D, 0x45, 0xC0, 0x89, 0x85,
    0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x30, 0x89, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF,
    0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84,
    0xD7, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75,
    0x19, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75, 0x0C, 0xC7, 0x45,
    0xDC, 0x01, 0x00, 0x00, 0x00, 0xE9, 0xB1, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,
    0x0F, 0xBE, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x22, 0x8B, 0x95, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE,
    0x02, 0x83, 0xF8, 0x7A, 0x7F, 0x14, 0x8B, 0x8D, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11, 0x83,
    0xEA, 0x20, 0x89, 0x95, 0xF8, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,
    0x0F, 0xBE, 0x08, 0x89, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,
    0xBE, 0x02, 0x83, 0xF8, 0x61, 0x7C, 0x22, 0x8B, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11,
    0x83, 0xFA, 0x7A, 0x7F, 0x14, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x83, 0xE9,
    0x20, 0x89, 0x8D, 0xF4, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,
    0xBE, 0x02, 0x89, 0x85, 0xF4, 0xFE, 0xFF, 0xFF, 0x8B, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x3B, 0x8D,
    0xF4, 0xFE, 0xFF, 0xFF, 0x74, 0x02, 0xEB, 0x23, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x83, 0xC0,
    0x02, 0x89, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x02,
    0x89, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0xE9, 0x1C, 0xFF, 0xFF, 0xFF, 0x83, 0x7D, 0xDC, 0x00, 0x74,
    0x0B, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x18, 0x89, 0x4D, 0xFC, 0xEB, 0x14, 0x8B, 0x45, 0xE0, 0x8B,
    0x08, 0x89, 0x4D, 0xE0, 0x8B, 0x45, 0xE4, 0x3B, 0x45, 0xE0, 0x0F, 0x85, 0xD2, 0xFE, 0xFF, 0xFF,
    0x83, 0x7D, 0xFC, 0x00, 0x0F, 0x84, 0x92, 0x01, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x89, 0x85, 0x68,
    0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x68, 0xFF, 0xFF, 0xFF, 0x03,
    0x48, 0x3C, 0x89, 0x8D, 0x64, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x48,
    0x3C, 0x8B, 0x95, 0x68, 0xFF, 0xFF, 0xFF, 0x8D, 0x44, 0x0A, 0x04, 0x89, 0x85, 0x60, 0xFF, 0xFF,
    0xFF, 0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x14, 0x89, 0x85, 0x5C, 0xFF, 0xFF, 0xFF,
    0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x48, 0x10, 0x03, 0x8D, 0x5C, 0xFF, 0xFF, 0xFF,
    0x89, 0x8D, 0x58, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x5C, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03,
    0x48, 0x60, 0x89, 0x8D, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D,
    0xFC, 0x03, 0x48, 0x1C, 0x89, 0x8D, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF,
    0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x20, 0x89, 0x8D, 0x4C, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF,
    0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x24, 0x89, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0xC7, 0x85,
    0x44, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0F, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF,
    0x83, 0xC0, 0x01, 0x89, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B,
    0x8D, 0x44, 0xFF, 0xFF, 0xFF, 0x3B, 0x48, 0x18, 0x0F, 0x8D, 0xBC, 0x00, 0x00, 0x00, 0x8D, 0x45,
    0xA4, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x4C,
    0xFF, 0xFF, 0xFF, 0x8B, 0x55, 0xFC, 0x03, 0x14, 0x81, 0x89, 0x95, 0x3C, 0xFF, 0xFF, 0xFF, 0xC7,
    0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x5B, 0x8B,
    0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x16, 0x8B, 0x85, 0x3C, 0xFF,
    0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x09, 0xC7, 0x45, 0xDC, 0x01, 0x00, 0x00, 0x00,
    0xEB, 0x38, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x8B, 0x95, 0x3C, 0xFF, 0xFF,
    0xFF, 0x0F, 0xBE, 0x02, 0x3B, 0xC8, 0x74, 0x02, 0xEB, 0x20, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF,
    0x83, 0xC0, 0x01, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0x83,
    0xC0, 0x01, 0x89, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0xEB, 0x9C, 0x83, 0x7D, 0xDC, 0x00, 0x74, 0x25,
    0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x14, 0x41,
    0x8B, 0x85, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x0C, 0x90, 0x8B, 0x95, 0x5C, 0xFF, 0xFF, 0xFF, 0x03,
    0x4A, 0x1C, 0x89, 0x4D, 0xF4, 0xE9, 0x20, 0xFF, 0xFF, 0xFF, 0xEB, 0x07, 0xB8, 0x01, 0x00, 0x00,
    0x00, 0xEB, 0x38, 0x8D, 0x45, 0x94, 0x50, 0x8B, 0x4D, 0xFC, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45,
    0xF0, 0x8D, 0x45, 0xB4, 0x50, 0xFF, 0x55, 0xF0, 0x89, 0x45, 0xF8, 0x8D, 0x45, 0x88, 0x50, 0x8B,
    0x4D, 0xF8, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45, 0xEC, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x85, 0x78,
    0xFF, 0xFF, 0xFF, 0x50, 0x6A, 0x00, 0xFF, 0x55, 0xEC, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5,
    0x5D, 0xC2, 0x04, 0x00}; // 0x4F4

// 提权函数:提升为DEBUG权限
BOOL EnableDebugPrivilege()
{
    HANDLE hToken;
    BOOL fOk=FALSE;
    if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount=1;
        LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);
        
        tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
        
        fOk=(GetLastError()==ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return fOk;
}


int main(int argc, char* argv[])
{
    //CreateThread(0,0,ShellCode,0,0,0);
    // 打印shellcode
    //printf("输入ShellCode的地址: ");
    //DWORD dwAddr;
    //scanf("%x",&dwAddr);
    //getchar();
    //PrintHexArray((PVOID)dwAddr, 0x4F4);

    //DWORD dwOldProtect;
    //VirtualProtect(ShellCodebuff,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProtect);
    //CreateThread(0,0,(LPTHREAD_START_ROUTINE)&ShellCodebuff,0,0,0);

    EnableDebugPrivilege();
    DWORD dwWritten;
    DWORD pid;
    printf("请输入要注入的进程PID: ");
    scanf("%d", &pid);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    PVOID pAddr = VirtualAllocEx(hProcess,0,0x1000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);    //在目标进程的内存空间中申请一块内存
    WriteProcessMemory(hProcess,pAddr,ShellCodebuff,0x4F4,&dwWritten);    //将ShellCode的硬编码写进去
    CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)pAddr,0,0,0);        //启动远程线程去执行ShellCode

    
    getchar();
    return 0;
}

//这个函数就是我们上面写的硬编码,在这里再次写出是为了对照,并没有调用
DWORD WINAPI ShellCode(PVOID lpThreadParameter)
{
    HMODULE hKernel32 = NULL;
    HMODULE hUser32 = NULL;
    PGETPROCADDRESS pGetProcAddress = NULL;
    PLOADLIBRARYA pLoadLibraryA = NULL;
    PMESSAGEBOXA pMessageBoxA = NULL;
    PPEB_LDR_DATA pLDR = NULL;
    PLDR_DATA_TABLE_ENTRY pLdteHead;
    PLDR_DATA_TABLE_ENTRY pLdteCur;
    BOOL bEqual = FALSE;

    char szKernel32[] = {'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0}; // Unicode
    char szUser32[] = {'u','s','e','r','3','2','.','d','l','l',0};
    char szGetProcAddress[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
    char szLoadLibrary[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
    char szMessageBoxA[] = {'M','e','s','s','a','g','e','B','o','x','A',0};
    char szHelloShellCode[] = {'H','e','l','l','o','S','h','e','l','l','C','o','d','e',0};
    __asm
    {
        mov eax,fs:[0x30] // PEB
        mov eax,[eax+0x0C] // PEB->LDR
        mov pLDR,eax
    }
    
    // PEB的Ldr查询模块,找到kernel32.dll基地址(在目标进程家的)
    // find kernel32.dll
    pLdteHead = (PLDR_DATA_TABLE_ENTRY)(&pLDR->InLoadOrderModuleList);
    pLdteCur = (PLDR_DATA_TABLE_ENTRY)(pLdteHead->InLoadOrderLinks.Flink);    
    do 
    {        
        PLDR_DATA_TABLE_ENTRY pLdte = CONTAINING_RECORD(pLdteCur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);        
        char *p1 = szKernel32;
        char *p2 = (char*)pLdteCur->BaseDllName.Buffer;        
        bEqual = FALSE;
        while (1)
        {            
            if (*(PWORD)p1 == 0 && *(PWORD)p2 == 0)
            {
                bEqual = TRUE;
                break;
            }        
            if (TOUPPER(*p1) != TOUPPER(*p2))
            {
                break;
            }
            p1+=2;
            p2+=2;
        }
        if (bEqual)
        {
            hKernel32 = (HMODULE)pLdteCur->DllBase;            
            break;
        }
        pLdteCur = (PLDR_DATA_TABLE_ENTRY)pLdteCur->InLoadOrderLinks.Flink;
    } while (pLdteHead != pLdteCur);

    // 对kernel32.dll进程PE分析,从导出表中获取GetProcAddress地址
    // 利用GetProcAddress得到LoadLibraryA函数地址,从而加载我们需要的User32.Dll到目标进程中
    // 然后我们就可以调取User32.Dll里的MasageBox函数去弹出我们想要的窗口了
    if (hKernel32 != NULL)
    {
        // find GetProcAddress
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hKernel32;
        PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
        PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)((DWORD)pDosHeader + pDosHeader->e_lfanew + 4);
        PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + sizeof(IMAGE_FILE_HEADER));
        PIMAGE_SECTION_HEADER pSectionHeader = \
            (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);
        PIMAGE_EXPORT_DIRECTORY pExportDirectory = \
            (PIMAGE_EXPORT_DIRECTORY)((DWORD)hKernel32 + pOptionHeader->DataDirectory[0].VirtualAddress);

        PDWORD AddressOfFunctions = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfFunctions);
        PDWORD AddressOfNames = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNames);
        PWORD AddressOfNameOridinals = (PWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNameOrdinals);
        int i;
        for (i = 0; i < (int)pExportDirectory->NumberOfNames; i++)
        {
            char *p1 = szGetProcAddress;
            char *p2 = (char *)((DWORD)hKernel32 + AddressOfNames[i]);
            bEqual = FALSE;
            while (1)
            {                
                if (*p1 == 0 && *p2 == 0)
                {
                    bEqual = TRUE;
                    break;
                }                
                if (*p1 != *p2)
                {
                    break;
                }
                p1++;
                p2++;
            }
            if (bEqual)
            {
                //从导出表中获得GetProcAddress地址
                pGetProcAddress = (PGETPROCADDRESS)(AddressOfFunctions[AddressOfNameOridinals[i]] + pOptionHeader->ImageBase);
            }
        }
    }
    else
    {
        return 1;
    }
    // Loadlibrary
    pLoadLibraryA = (PLOADLIBRARYA)pGetProcAddress(hKernel32,szLoadLibrary);    
    // test
    hUser32 = pLoadLibraryA(szUser32);
    pMessageBoxA = (PMESSAGEBOXA)pGetProcAddress(hUser32,szMessageBoxA);
    pMessageBoxA(0,szHelloShellCode,0,MB_OK);

    return 0;
}

void PrintHexArray(PVOID startAddr, size_t nBytes)
{
    for (size_t i = 0; i < nBytes; i++)
    {
        printf("0x%02X, ", ((PBYTE)startAddr)[i]);
        if ((i + 1) % 16 == 0) putchar('\n');
    }
    putchar('\n');
}

 

注入前:

 

 

 注入后:

 

标签:return,FALSE,VirtualAddress,ProcessHandle,进程,线程,NULL,远程,注入
来源: https://www.cnblogs.com/renleiguanchashi/p/16063830.html