S.l.e!ep.￠%

起因:哇卡卡同學(xué)昨天叫我?guī)退匆粋€進程代碼注入的程序問題,運行到CreateRemoteThread就出錯,由于之前沒做過這種事情看了一下他寫的代碼大體上就明白怎么做了,于是自己重新又做了一個,遇到多少艱辛就不說了,不過讓我有種寫shellcode的感覺:-D,自己run一次才是自己的東西嘛.

方法很多種,下面只是介紹其中的一種而已.

大體思路:首先明確目標(biāo)在NOTEPAD.EXE中彈出MessageBox.現(xiàn)在系統(tǒng)中找出NOTEPAD.EXE進程,兩次用VirtualAllocEx在NOTEPAD.EXE進程聲明一塊可讀寫運行的內(nèi)存塊,用WriteProcessMemory寫入我們代碼注入的線程函數(shù)和傳給線程函數(shù)的參數(shù),最后運用CreateRemoteThread,變可讓我們之前寫入的線程函數(shù)運行.

技巧一:我們這里使用形如下面的形式來計算需要寫入函數(shù)的大小:

#pragma check_stack (off)

static DWORD WINAPI ThreadProc (LPVOID lpParameter){}

static void AfterThreadProc (void) { }

#pragma check_stack

DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;

技巧二:我們這里聲明一個HYPINJECT結(jié)構(gòu),里面存放一些函數(shù)的地址,然后傳遞給線程函數(shù),不然直接在線程函數(shù)里面寫Win 32 API函數(shù),可能導(dǎo)致崩潰.結(jié)構(gòu)如下:

typedef struct tagHYPINJECT {

?????? ProcLoadLibrary??? fnLoad;

?????? ProcGetProcAddress fnGetProc;

?????? char MsgStr [MAX_PATH];

?????? char DLLName [MAX_PATH];

?????? char ProcName [MAX_PATH];

} HYPINJECT;

關(guān)于編寫線程函數(shù)的注意事項: (自己總結(jié)加網(wǎng)上資料)

線程函數(shù)里面最好不要調(diào)用除Kernel32和User32以外的所有函數(shù),貌似User32里面的部分函數(shù)在調(diào)用的時候也會出現(xiàn)崩潰的局面,如果要調(diào)用其他庫的函數(shù)可以把LoadLibrary和GetProcAddress的地址當(dāng)作線程函數(shù)的參數(shù)傳過去(下面的代碼就是這么實現(xiàn)的),不過如果已知某動態(tài)鏈接庫已經(jīng)加載了,最好還是使用GetModuleHandle取代LoadLibrary.當(dāng)然如果你想調(diào)用自己寫的函數(shù)的話也要把函數(shù)代碼復(fù)制到目標(biāo)進程里面去,然后把地址通過線程函數(shù)的參數(shù)傳過去.

而且不要使用任何的靜態(tài)字符串,線程函數(shù)最好寫成靜態(tài)(貌似也可以直接禁止 增量鏈接 ), 函數(shù)和變量之類大小也不要太大不然可能在VirtualAllocEx的時候就不能成功

……

全部代碼如下:

#include <windows.h>

#include <Tlhelp32.h.>

typedef HINSTANCE (WINAPI *ProcLoadLibrary)(char*);

typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE, LPCSTR);

typedef int (WINAPI *ProcMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);

typedef struct tagHYPINJECT {

?????? ProcLoadLibrary??? fnLoad;

?????? ProcGetProcAddress fnGetProc;

?????? char MsgStr [MAX_PATH];

?????? char DLLName [MAX_PATH];

?????? char ProcName [MAX_PATH];

} HYPINJECT;

#pragma check_stack (off)

static DWORD WINAPI ThreadProc (LPVOID lpParameter)

{

?????? HYPINJECT* p = (HYPINJECT*)lpParameter;

?????? HMODULE hDLL = p->fnLoad (p->DLLName);

??? ProcGetProcAddress GetProc = p->fnGetProc;

?????? ProcMessageBox MsgBox = (ProcMessageBox)GetProc(hDLL,p->ProcName);

??? MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK);

?????? return 0;

}

static void AfterThreadProc (void) { }

#pragma check_stack

HYPINJECT hypInject;

BOOL InjectFunc(DWORD PID)

{

?????? HMODULE hk = LoadLibrary ("kernel32.dll");

?????? hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");

?????? hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");

?????? strcpy(hypInject.MsgStr," hyp's Knowledge Base");

?????? strcpy (hypInject.DLLName, "user32.dll");

?????? strcpy (hypInject.ProcName, "MessageBoxA");

?????? PVOID pCode = NULL;

?????? PVOID pData = NULL;

?????? BOOL bc = FALSE;

?????? DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;

?????? HANDLE hProc = OpenProcess(

????????????? PROCESS_QUERY_INFORMATION |??

????????????? PROCESS_CREATE_THREAD???? |

????????????? PROCESS_VM_OPERATION????? |

????????????? PROCESS_VM_WRITE,???????????

????????????? FALSE, PID);

?????? if (hProc == NULL)

?????? {

????????????? return FALSE;

?????? }

??????

?????? pCode=VirtualAllocEx(hProc,NULL,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);

?????? if(pCode == NULL)

?????? {

????????????? return FALSE;

?????? }

?????? bc = WriteProcessMemory(hProc,pCode,(LPVOID)(DWORD) ThreadProc,cbCodeSize,NULL);

?????? if (!bc)

?????? {

????????????? return FALSE;

?????? }

?????? pData = VirtualAllocEx (hProc,NULL, sizeof (hypInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);

?????? if(pData == NULL)

?????? {

????????????? return FALSE;

?????? }

?????? bc = WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL);

?????? if (!bc)

?????? {

????????????? return FALSE;

?????? }

?????? HANDLE ht=CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)pCode,pData,0,NULL);

?????? if(ht == NULL)

?????? {

????????????? return FALSE;

?????? }

?????? CloseHandle(hProc);

?????? return TRUE;

}

int main()

{

?????? HANDLE hSnapshot = NULL;

?????? hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);

?????? PROCESSENTRY32 pe;

?????? pe.dwSize = sizeof(PROCESSENTRY32);

?????? Process32First(hSnapshot,&pe);

?????? do

?????? {

????????????? if(stricmp(pe.szExeFile,"NOTEPAD.EXE")==0)

????????????? {

???????????????????? InjectFunc(pe.th32ProcessID);

???????????????????? break;

????????????? }

?????? }

?????? while(Process32Next(hSnapshot,&pe)==TRUE);

?????? CloseHandle (hSnapshot);????

?????? return 0;

}