我是靠谱客的博主 秀丽猎豹,这篇文章主要介绍注入(3)--远程线程注入(CreateRemoteThread),现在分享给大家,希望可以做个参考。

远程线程注入的核心思想是利用windows提供的远程机制,在目标进程中开启一个加载模块的远程线程,使钩子被该远程线程加载到目标地址空间中。 远程线程使用的关键API有WriteProcessMemory、CreateRemoteThread、和LoadLibrary. 原型如下: BOOL WINAPI WriteProcessMemory(     _In_ HANDLE hProcess,     _In_ LPVOID lpBaseAddress,     _In_reads_bytes_(nSize) LPCVOID lpBuffer,     _In_ SIZE_T nSize,     _Out_opt_ SIZE_T * lpNumberOfBytesWritten     ); hProcess:远程进程句柄 lpBaseAddress:远程进程待写地址 lpBuffer:本进程空间buffer地址 nSize:lpBuffer所指空间的大小 lpNumberOfBytesWritten:返回实际写入远程进程的字节数 HANDLE WINAPI CreateRemoteThread(     _In_ HANDLE hProcess,     _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,     _In_ SIZE_T dwStackSize,     _In_ LPTHREAD_START_ROUTINE lpStartAddress,     _In_opt_ LPVOID lpParameter,     _In_ DWORD dwCreationFlags,     _Out_opt_ LPDWORD lpThreadId     ); hProcess:远程进程句柄 lpThreadAttributes:线程安全描述字,指向SECURITY_ATTRIBUTES结构的指针 dwStackSize:线程栈大小,以字节为单位表示 lpStartAddress:一个LPTHREAD_START_ROUTINE类型的指针,指向在远程进程中执行的函数地址 lpParameter:传入参数 dwCreationFlags:创建线程的其他标志 lpThreadId:线程ID,如果为NULL则不返回 HMODULE WINAPI LoadLibraryW(     _In_ LPCWSTR lpLibFileName     ); lpLibFileName:待加载模块的文件路径
// CreatRemoteThread.cpp : defines the entry point for the console application.
//
// Demo of the textbook "CreateRemoteThread + LoadLibraryW" DLL-loading pattern
// (MITRE ATT&CK T1055.001). From a defender's point of view the sequence below
// is exactly the telemetry chain that endpoint sensors key on: a process
// enabling SeDebugPrivilege, opening another process with PROCESS_ALL_ACCESS,
// VirtualAllocEx + WriteProcessMemory into it, then CreateRemoteThread whose
// start address is kernel32!LoadLibraryW, followed by an image load in the
// target. Each of those steps is individually observable (ETW, kernel
// callbacks such as ObRegisterCallbacks / PsSetCreateThreadNotifyRoutine).
#include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <iostream>
using namespace std;

// Bitness of the target process as read from its PE optional-header Magic.
enum TargetType
{
    WOW_86,    // Magic == 0x10b (PE32)
    WOW_64,    // Magic == 0x20b (PE32+)
    WOW_ERROR  // target could not be opened/read, or Magic is neither value
};

BOOL EnableDebugPrivilege();
TargetType GetWowByReadFile(ULONG32 ulProcessID);
HMODULE GetModuleBaseAddressByProcessHandle(HANDLE ProcessHandle);
BOOL InjectDllByRemoteThread(ULONG32 ulProcessID, WCHAR* wzDllFullPath);

// Entry point: enables SeDebugPrivilege, reads a PID from stdin, picks a DLL
// name by the target's bitness and loads it there via a remote thread.
// Always returns 0, including on every failure path.
int main()
{
    if (EnableDebugPrivilege() == FALSE)
    {
        return 0;
    }
    ULONG32 ulProcessID = 0;
    // NOTE(review): the "rn" at the end of the string literals in this file is
    // almost certainly a "\r\n" whose backslashes were lost when the listing
    // was published; as written it prints the letters r and n.
    printf("Input A ProcessID to Inject:rn");
    // scanf_s with "%d" reads a signed int into a ULONG32 — the width matches,
    // but negative input silently becomes a large PID that OpenProcess rejects.
    scanf_s("%d", &ulProcessID, sizeof(ULONG32));
    // TargetType is narrowed into a DWORD here; the switch still compares
    // against the enumerators by value.
    DWORD iOk = GetWowByReadFile(ulProcessID);
    switch (iOk)
    {
    case WOW_64:
        // NOTE(review): no `break` — after the WOW_64 attempt control falls
        // through into the WOW_86 case and a second injection with the 32-bit
        // DLL name is attempted against the same process. The DLL names are
        // relative, so LoadLibraryW in the target resolves them against the
        // target's own search order, not this program's directory.
        if (InjectDllByRemoteThread(ulProcessID, L"InjectTest64.dll"))
        {
            printf("Inject Success!rn");
        }
    case WOW_86:
        // NOTE(review): same missing `break` — falls into `default`, which is
        // harmless here only because `default` does nothing.
        if (InjectDllByRemoteThread(ulProcessID, L"InjectTest32.dll"))
        {
            printf("Inject Success!rn");
        }
    default:
        break;
    }
    return 0;
}

// Enables SeDebugPrivilege on the current process token in four steps:
// 1. OpenProcessToken  2. LookupPrivilegeValue  3. AdjustTokenPrivileges  4. CloseHandle.
// Returns TRUE when all three API calls succeed, FALSE otherwise. The token
// handle is closed on every path.
//
// NOTE(review): a TRUE return from AdjustTokenPrivileges does not mean the
// privilege was actually enabled — when the token does not hold the privilege
// the call still returns TRUE and sets the last error to ERROR_NOT_ALL_ASSIGNED.
// This function does not check GetLastError(), so TRUE here only means "the
// request was made". Enabling SeDebugPrivilege is itself a common detection
// signal (token privilege adjustment audit events).
BOOL EnableDebugPrivilege()
{
    HANDLE TokenHandle = NULL;
    TOKEN_PRIVILEGES TokenPrivilege;
    LUID uID;
    // Open the access token of this process with the rights needed to adjust it.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }
    // Resolve the LUID for SeDebugPrivilege on the local system.
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        CloseHandle(TokenHandle);
        // Assigning INVALID_HANDLE_VALUE to a local that is about to go out of
        // scope has no effect; it is kept as the author wrote it.
        TokenHandle = INVALID_HANDLE_VALUE;
        return FALSE;
    }
    TokenPrivilege.PrivilegeCount = 1;
    TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivilege.Privileges[0].Luid = uID;
    // Apply the single-privilege change; previous state is not requested (NULL, NULL).
    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        CloseHandle(TokenHandle);
        TokenHandle = INVALID_HANDLE_VALUE;
        return FALSE;
    }
    CloseHandle(TokenHandle);
    TokenHandle = INVALID_HANDLE_VALUE;
    return TRUE;
}

// Determines whether the process identified by ulProcessID is a 64-bit or a
// 32-bit image by reading the PE optional-header Magic from the process's
// main module in memory.
// Returns WOW_64 / WOW_86, or WOW_ERROR if the process cannot be opened, its
// base address cannot be enumerated, either read fails, or Magic is unknown.
// The process handle is closed on every path.
TargetType GetWowByReadFile(ULONG32 ulProcessID)
{
    HANDLE ProcessHandle = INVALID_HANDLE_VALUE;
    // Only query + VM-read rights are needed for the header inspection.
    ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ulProcessID);
    // OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure, so this
    // comparison is the right one despite the initializer above.
    if (ProcessHandle == NULL)
    {
        return WOW_ERROR;
    }
    // Base address of the first enumerated module, which is the main executable.
    ULONG64 ulModuleBaseAddress = (ULONG64)GetModuleBaseAddressByProcessHandle(ProcessHandle);
    if (ulModuleBaseAddress == NULL)
    {
        CloseHandle(ProcessHandle);
        return WOW_ERROR;
    }
    IMAGE_DOS_HEADER DosHeader = { 0 };
    // Read the DOS header to obtain e_lfanew (offset of the PE signature).
    if (ReadProcessMemory(ProcessHandle, (PVOID)ulModuleBaseAddress, &DosHeader, sizeof(IMAGE_DOS_HEADER), NULL) == FALSE)
    {
        CloseHandle(ProcessHandle);
        return WOW_ERROR;
    }
    WORD wMagic = 0;
    // Magic is the first WORD of IMAGE_OPTIONAL_HEADER, which sits at
    // base + e_lfanew + 4 (PE signature) + sizeof(IMAGE_FILE_HEADER).
    if (ReadProcessMemory(ProcessHandle, (PVOID)(ulModuleBaseAddress + DosHeader.e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)), &wMagic, sizeof(WORD), NULL) == FALSE)
    {
        CloseHandle(ProcessHandle);
        return WOW_ERROR;
    }
    CloseHandle(ProcessHandle);
    if (wMagic == 0x20b)//x64 — IMAGE_NT_OPTIONAL_HDR64_MAGIC
    {
        return WOW_64;
    }
    else if (wMagic == 0x10b)//x86 — IMAGE_NT_OPTIONAL_HDR32_MAGIC
    {
        return WOW_86;
    }
    else
    {
        return WOW_ERROR;
    }
}

// Returns the handle (== load base) of the first module enumerated in
// ProcessHandle, i.e. the process's main executable, or NULL if
// EnumProcessModules fails.
// Fixed 1024-entry buffer: if the process has more modules, dwReturn reports
// the needed size but the first entry is still valid, which is all that is used.
// NOTE(review): per the documented behaviour of EnumProcessModules, a 32-bit
// caller cannot enumerate a 64-bit process (the call fails), so on that path
// GetWowByReadFile reports WOW_ERROR rather than WOW_64 — assumption, confirm
// against the build configuration.
HMODULE GetModuleBaseAddressByProcessHandle(HANDLE ProcessHandle)
{
    HMODULE ModulesHandle[1024] = { 0 };
    DWORD dwReturn = 0;
    if (EnumProcessModules(ProcessHandle, ModulesHandle, sizeof(ModulesHandle), &dwReturn))
    {
        return ModulesHandle[0];
    }
    return NULL;
}

// Loads wzDllFullPath into process ulProcessID by writing the path into the
// target and starting a remote thread at kernel32!LoadLibraryW with that
// buffer as its argument. Blocks until the remote thread finishes.
// Returns TRUE when every step succeeded, FALSE otherwise; handles and the
// remote buffer are released on each failure path.
//
// Defender notes: every call in this function is a cross-process operation on
// a handle opened with PROCESS_ALL_ACCESS, and the remote thread's start
// address is an exported kernel32 function — both are classic detection
// features for this technique. The LoadLibraryW address resolved in *this*
// process is assumed to be valid in the target, which only holds when both
// processes map the same kernel32 image at the same base.
BOOL InjectDllByRemoteThread(ULONG32 ulProcessID, WCHAR* wzDllFullPath)
{
    HANDLE ProcessHandle = NULL;
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ulProcessID);
    if (ProcessHandle==NULL)
    {
        return FALSE;
    }
    WCHAR* VirtualAddress = NULL;
    // Character count including the terminating NUL. _tcslen / _T come from
    // <tchar.h>, presumably via stdafx.h; this only matches WCHAR* in a UNICODE
    // build — confirm the project setting.
    ULONG32 ulDllLength = (ULONG32)_tcslen(wzDllFullPath) + 1;
    // Allocation size is in bytes, hence the sizeof(WCHAR) scaling.
    VirtualAddress = (WCHAR*)VirtualAllocEx(ProcessHandle, NULL, ulDllLength * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
    if (VirtualAddress==NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    // Copy the DLL path into the target process (this becomes LoadLibraryW's argument).
    if (!WriteProcessMemory(ProcessHandle, VirtualAddress, (LPVOID)wzDllFullPath, ulDllLength * sizeof(WCHAR), NULL))
    {
        // NOTE(review): the size passed here (and in the two VirtualFreeEx
        // calls below) is a character count, not the byte count that was
        // committed; with MEM_DECOMMIT the region is also only decommitted,
        // never released, so the reservation stays in the target.
        VirtualFreeEx(ProcessHandle, VirtualAddress, ulDllLength, MEM_DECOMMIT);
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    LPTHREAD_START_ROUTINE FunctionAddress = NULL;
    // NOTE(review): neither GetModuleHandle nor GetProcAddress is checked for
    // NULL; a NULL start address is passed straight to CreateRemoteThread.
    FunctionAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
    HANDLE ThreadHandle = INVALID_HANDLE_VALUE;
    // Start the remote thread; the target runs LoadLibraryW(VirtualAddress).
    ThreadHandle = ::CreateRemoteThread(ProcessHandle, NULL, 0, FunctionAddress, VirtualAddress, 0, NULL);
    // NOTE(review): CreateRemoteThread returns NULL on failure; comparing a
    // HANDLE with FALSE only works because FALSE is 0, and the remote buffer
    // is freed while ThreadHandle is still INVALID_HANDLE_VALUE-initialised.
    if (ThreadHandle==FALSE)
    {
        VirtualFreeEx(ProcessHandle, VirtualAddress, ulDllLength, MEM_DECOMMIT);
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    // Wait for the remote LoadLibraryW call to return before freeing its argument.
    WaitForSingleObject(ThreadHandle, INFINITE);
    // Cleanup. The remote thread's exit code (LoadLibraryW's HMODULE, truncated
    // to DWORD) is never read, so TRUE here does not confirm the DLL loaded.
    VirtualFreeEx(ProcessHandle, VirtualAddress, ulDllLength, MEM_DECOMMIT);
    CloseHandle(ThreadHandle);
    CloseHandle(ProcessHandle);
    return TRUE;
}


转载于:https://www.cnblogs.com/Toring/p/6628286.html
