歡迎轉載,轉載請註明出處:http://www.cnblogs.com/uAreKongqi/p/6012353.html html
0x00.前言ios
提到Dll的注入,立馬可以想到的方法就有不少,好比利用遠程線程、Apc等等,這裏我對Ring3層的Dll注入學習作一個總結吧。git
我把注入的方法分紅六類,分別是:1.建立新線程、2.設置線程上下背景文,修改寄存器、3.插入Apc隊列、4.修改註冊表、5.掛鉤窗口消息、6.遠程手動實現LoadLibrary。github
那麼下面就開始學習之旅吧!shell
0x01.預備工做api
在涉及到注入的程序中,提高程序的權限天然是必不可少的,這裏我提供了兩個封裝的函數,均可以用於提權。第一個是經過權限令牌來調整權限;第二個是經過ntdll.dll的導出的未文檔化函數RtlAdjustPrivilege來調整權限。數組
// 傳入參數 SE_DEBUG_NAME,提高到調試權限 BOOL GrantPriviledge(WCHAR* PriviledgeName) { TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges; DWORD dwReturnLength = sizeof(OldPrivileges); HANDLE TokenHandle = NULL; LUID uID; // 打開權限令牌 if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle)) { if (GetLastError() != ERROR_NO_TOKEN) { return FALSE; } if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)) { return FALSE; } } if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 經過權限名稱查找uID { CloseHandle(TokenHandle); return FALSE; } TokenPrivileges.PrivilegeCount = 1; // 要提高的權限個數 TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態數組,數組大小根據Count的數目 TokenPrivileges.Privileges[0].Luid = uID; // 在這裏咱們進行調整權限 if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength)) { CloseHandle(TokenHandle); return FALSE; } // 成功了 CloseHandle(TokenHandle); return TRUE; }
// 傳入參數 SE_DEBUG_PRIVILEGE,提高到調試權限 #define SE_DEBUG_PRIVILEGE (20L) typedef NTSTATUS(NTAPI * pfnRtlAdjustPrivilege)( UINT32 Privilege, BOOLEAN Enable, BOOLEAN Client, PBOOLEAN WasEnabled); BOOL GrantPriviledge(IN UINT32 Priviledge) { pfnRtlAdjustPrivilege RtlAdjustPrivilege = NULL; BOOLEAN WasEnable = FALSE; RtlAdjustPrivilege = (pfnRtlAdjustPrivilege)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlAdjustPrivilege"); if (RtlAdjustPrivilege == NULL) { return FALSE; } RtlAdjustPrivilege(Priviledge, TRUE, FALSE, &WasEnable); return TRUE; }
緊接着,既然咱們要對目標進程注入Dll,那麼得到目標進程的Id是不可或缺的吧,由於OpenProcess是確定會使用的,這裏我也提供了兩種經過目標進程映像名稱得到進程Id的方法。第一種是最多見的使用TlHelp建立系統的進程快照;第二種是藉助Psapi枚舉系列函數,不過這個方法我實現的有缺憾,32位下不能獲得64位進程的Id。ide
// 使用ToolHelp系列函數 #include <TlHelp32.h> BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId) { HANDLE ProcessSnapshotHandle = INVALID_HANDLE_VALUE; PROCESSENTRY32 ProcessEntry32 = { 0 }; ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // 初始化PROCESSENTRY32結構 ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 給系統全部的進程快照 if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE) { return FALSE; } if (Process32First(ProcessSnapshotHandle, &ProcessEntry32)) // 找到第一個 { do { if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // 不區分大小寫 { *ProcessId = ProcessEntry32.th32ProcessID; break; } } while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32)); } CloseHandle(ProcessSnapshotHandle); ProcessSnapshotHandle = INVALID_HANDLE_VALUE; if (*ProcessId == 0) { return FALSE; } return TRUE; }
// 使用Psapi系列枚舉函數 #include <Psapi.h> BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId) { DWORD dwProcessesId[1024] = { 0 }; DWORD BytesReturned = 0; UINT32 ProcessCount = 0; // 得到當前操做系統中的全部進程Id,保存在dwProcessesId數組裏 if (!EnumProcesses(dwProcessesId, sizeof(dwProcessesId), &BytesReturned)) { return FALSE; } ProcessCount = BytesReturned / sizeof(DWORD); // 遍歷 for (INT i = 0; i < ProcessCount; i++) { HMODULE ModuleBase = NULL; WCHAR wzModuleBaseName[MAX_PATH] = { 0 }; HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessesId[i]); if (ProcessHandle == NULL) { continue; } if (EnumProcessModulesEx(ProcessHandle, &ModuleBase, sizeof(HMODULE), &BytesReturned, LIST_MODULES_ALL)) { // 得到進程第一模塊名稱 GetModuleBaseName(ProcessHandle, ModuleBase, wzModuleBaseName, MAX_PATH * sizeof(WCHAR)); } CloseHandle(ProcessHandle); ProcessHandle = NULL; if (lstrcmpi(wzModuleBaseName, wzProcessImageName) == 0) // 不區分大小寫 { *ProcessId = dwProcessesId[i]; break; } } if (*ProcessId == 0) { return FALSE; } return TRUE; }
而後在好比插入Apc隊列、掛起線程等等操做中,須要對目標進程的線程操做,因此得到線程Id也有必要,一樣的我也提供了兩種經過進程Id得到線程Id的方法。第一個仍然是使用TlHelp建立系統的線程快照,把全部的線程存入vector模板裏(供Apc注入使用);第二個是利用ZwQuerySystemInformation大法,枚舉系統進程信息,這個方法我只返回了一個線程Id,已經夠用了。函數
// 枚舉指定進程Id的全部線程,壓入模板中 #include <vector> #include <TlHelp32.h> using namespace std; BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT vector<UINT32>& ThreadIdVector) { HANDLE ThreadSnapshotHandle = NULL; THREADENTRY32 ThreadEntry32 = { 0 }; ThreadEntry32.dwSize = sizeof(THREADENTRY32); ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // 給系統全部的線程快照 if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE) { return FALSE; } if (Thread32First(ThreadSnapshotHandle, &ThreadEntry32)) { do { if (ThreadEntry32.th32OwnerProcessID == ProcessId) { ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID); // 把該進程的全部線程id壓入模板 } } while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32)); } CloseHandle(ThreadSnapshotHandle); ThreadSnapshotHandle = NULL; return TRUE; }
// ZwQuerySystemInformation+SystemProcessInformation typedef NTSTATUS(NTAPI * pfnZwQuerySystemInformation)( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN UINT32 SystemInformationLength, OUT PUINT32 ReturnLength OPTIONAL); BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT PUINT32 ThreadId) { BOOL bOk = FALSE; NTSTATUS Status = 0; PVOID BufferData = NULL; PSYSTEM_PROCESS_INFO spi = NULL; pfnZwQuerySystemInformation ZwQuerySystemInformation = NULL; ZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQuerySystemInformation"); if (ZwQuerySystemInformation == NULL) { return FALSE; } BufferData = malloc(1024 * 1024); if (!BufferData) { return FALSE; } // 在QuerySystemInformation系列函數中,查詢SystemProcessInformation時,必須提早申請好內存,不能先查詢獲得長度再從新調用 Status = ZwQuerySystemInformation(SystemProcessInformation, BufferData, 1024 * 1024, NULL); if (!NT_SUCCESS(Status)) { free(BufferData); return FALSE; } spi = (PSYSTEM_PROCESS_INFO)BufferData; // 遍歷進程,找到咱們的目標進程 while (TRUE) { bOk = FALSE; if (spi->UniqueProcessId == (HANDLE)ProcessId) { bOk = TRUE; break; } else if (spi->NextEntryOffset) { spi = (PSYSTEM_PROCESS_INFO)((PUINT8)spi + spi->NextEntryOffset); } else { break; } } if (bOk) { for (INT i = 0; i < spi->NumberOfThreads; i++) { // 返出找到的線程Id *ThreadId = (UINT32)spi->Threads[i].ClientId.UniqueThread; break; } } if (BufferData != NULL) { free(BufferData); } return bOk; }
嗯,目前爲止,預備工做差很少完工,那咱們就開始正題吧!學習
0x02.注入方法一 -- 建立新線程
建立新線程,也就是在目標進程裏,建立一個線程爲咱們服務,而建立線程的方法我找到的有三種:1.CreateRemoteThread;2.NtCreateThreadEx;3.RtlCreateUserThread。
基本思路是:1.在目標進程內存空間申請內存;2.在剛申請的內存中寫入Dll完整路徑;3.建立新線程,去執行LoadLibrary,從而完成注入Dll。
ps:這裏直接使用從本身加載的kernel32模塊導出表中得到LoadLibrary地址,是由於通常狀況下,全部進程加載這類系統庫在內存中的地址相同!
由於只是創線程所使用的函數不同,因此下面的代碼隨便放開一個創線程的步驟,屏蔽其餘兩個,都是能夠成功的,這裏我放開的是NtCreateThreadEx。
typedef NTSTATUS(NTAPI* pfnNtCreateThreadEx) ( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID lpStartAddress, IN PVOID lpParameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, OUT PVOID lpBytesBuffer); #define NT_SUCCESS(x) ((x) >= 0) typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef NTSTATUS(NTAPI * pfnRtlCreateUserThread)( IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits OPTIONAL, IN SIZE_T StackReserve OPTIONAL, IN SIZE_T StackCommit OPTIONAL, IN PTHREAD_START_ROUTINE StartAddress, IN PVOID Parameter OPTIONAL, OUT PHANDLE ThreadHandle OPTIONAL, OUT PCLIENT_ID ClientId OPTIONAL); BOOL InjectDll(UINT32 ProcessId) { HANDLE ProcessHandle = NULL; ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); // 在對方進程空間申請內存,存儲Dll完整路徑 UINT32 DllFullPathLength = (strlen(DllFullPath) + 1); PVOID DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (DllFullPathBufferData == NULL) { CloseHandle(ProcessHandle); return FALSE; } // 將DllFullPath寫進剛剛申請的內存中 SIZE_T ReturnLength; BOOL bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1, &ReturnLength); LPTHREAD_START_ROUTINE LoadLibraryAddress = NULL; HMODULE Kernel32Module = GetModuleHandle(L"Kernel32"); LoadLibraryAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(Kernel32Module, "LoadLibraryA"); pfnNtCreateThreadEx NtCreateThreadEx = (pfnNtCreateThreadEx)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx"); if (NtCreateThreadEx == NULL) { CloseHandle(ProcessHandle); return FALSE; } HANDLE ThreadHandle = NULL; // 0x1FFFFF #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF) NtCreateThreadEx(&ThreadHandle, 0x1FFFFF, NULL, ProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, DllFullPathBufferData, FALSE, NULL, NULL, NULL, NULL); /* pfnRtlCreateUserThread RtlCreateUserThread = (pfnRtlCreateUserThread)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlCreateUserThread"); HANDLE ThreadHandle = NULL; NTSTATUS Status = RtlCreateUserThread(ProcessHandle, NULL, FALSE, 0, 0, 0, LoadLibraryAddress, DllFullPathBufferData, &ThreadHandle, NULL); */ /* HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 0, LoadLibraryAddress, DllFullPathBufferData, 0, NULL); // CreateRemoteThread 函數 */ if (ThreadHandle == NULL) { CloseHandle(ProcessHandle); return FALSE; } if (WaitForSingleObject(ThreadHandle, INFINITE) == WAIT_FAILED) { return FALSE; } CloseHandle(ProcessHandle); CloseHandle(ThreadHandle); return TRUE; }
0x03.注入方法二 -- 設置線程上下背景文
設置線程上下背景文的主要目的是讓目標進程的某一線程轉去執行咱們的代碼,而後再回來作他該作的事,而咱們的代碼,就是一串由彙編硬編碼組成的ShellCode。
這串ShellCode作了三件事:1.傳入Dll完整路徑參數;2.呼叫LoadLibrary函數地址;3.返回原先的Eip或Rip。
這裏我選用的呼叫指令是ff 15 和 ff 25,在32位下爲跳轉到15(25)指令後面字節碼對應地址裏面存放的地址,在64位下15(25)指令後面四字節存放的是偏移,該跳轉爲跳轉到換算出來的地址裏面存放的地址,這裏我把偏移寫成0,以便於計算。
#ifdef _WIN64 // 測試 64 位 dll被注,Bug已修復 /* 0:019> u 0x000002b5d5f80000 000002b5`d5f80000 4883ec28 sub rsp,28h 000002b5`d5f80004 488d0d20000000 lea rcx,[000002b5`d5f8002b] 000002b5`d5f8000b ff1512000000 call qword ptr [000002b5`d5f80023] 000002b5`d5f80011 4883c428 add rsp,28h 000002b5`d5f80015 ff2500000000 jmp qword ptr [000002b5`d5f8001b] */ UINT8 ShellCode[0x100] = { 0x48,0x83,0xEC,0x28, // sub rsp ,28h 0x48,0x8D,0x0d, // [+4] lea rcx, 0x00,0x00,0x00,0x00, // [+7] DllNameOffset = [+43] - [+4] - 7 // call 跳偏移,到地址,解*號 0xff,0x15, // [+11] 0x00,0x00,0x00,0x00, // [+13] 0x48,0x83,0xc4,0x28, // [+17] add rsp,28h // jmp 跳偏移,到地址,解*號 0xff,0x25, // [+21] 0x00,0x00,0x00,0x00, // [+23] LoadLibraryAddressOffset // 存放原先的 rip 0x00,0x00,0x00,0x00, // [+27] 0x00,0x00,0x00,0x00, // [+31] // 跳板 loadlibrary地址 0x00,0x00,0x00,0x00, // [+35] 0x00,0x00,0x00,0x00, // [+39] // 存放dll完整路徑 // 0x00,0x00,0x00,0x00, // [+43] // 0x00,0x00,0x00,0x00 // [+47] // ...... }; #else // 測試 32 位 配合新寫的Dll可重複注入 /* 0:005> u 0x00ca0000 00000000`00ca0000 60 pusha 00000000`00ca0001 9c pushfq 00000000`00ca0002 681d00ca00 push 0CA001Dh 00000000`00ca0007 ff151900ca00 call qword ptr [00000000`01940026] 00000000`00ca000d 9d popfq 00000000`00ca000e 61 popa 00000000`00ca000f ff251500ca00 jmp qword ptr [00000000`0194002a] */ UINT8 ShellCode[0x100] = { 0x60, // [+0] pusha 0x9c, // [+1] pushf 0x68, // [+2] push 0x00,0x00,0x00,0x00, // [+3] ShellCode + 0xff,0x15, // [+7] call 0x00,0x00,0x00,0x00, // [+9] LoadLibrary Addr Addr 0x9d, // [+13] popf 0x61, // [+14] popa 0xff,0x25, // [+15] jmp 0x00,0x00,0x00,0x00, // [+17] jmp eip // eip 地址 0x00,0x00,0x00,0x00, // [+21] // LoadLibrary 地址 0x00,0x00,0x00,0x00, // [+25] // DllFullPath 0x00,0x00,0x00,0x00 // [+29] }; #endif
整個注入過程由這些步驟組成:在目標進程申請內存(可執行內存) ---> 填充ShellCode須要的地址碼 ---> 將ShellCode寫入申請的內存 ---> SuspendThread(掛起線程)--->GetThreadContext(得到線程上下背景文)---> 修改Context的Eip或Rip爲ShellCode首地址 ---> SetThreadContext(設置剛修改過的Context)---> ResumeThread(恢復線程執行)。
BOOL Inject(IN UINT32 ProcessId, IN UINT32 ThreadId) { BOOL bOk = FALSE; CONTEXT ThreadContext = { 0 }; PVOID BufferData = NULL; HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId); HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); // 首先掛起線程 SuspendThread(ThreadHandle); ThreadContext.ContextFlags = CONTEXT_ALL; if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE) { CloseHandle(ThreadHandle); CloseHandle(ProcessHandle); return FALSE; } BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (BufferData != NULL) { if (LoadLibraryWAddress != NULL) { #ifdef _WIN64 // ShellCode + 43處 存放完整路徑 PUINT8 v1 = ShellCode + 43; memcpy(v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR)); UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + 43) - ((PUINT8)BufferData + 4) - 7); *(PUINT32)(ShellCode + 7) = DllNameOffset; // ShellCode + 35處 放置 LoadLibrary 函數地址 *(PUINT64)(ShellCode + 35) = (UINT64)LoadLibraryWAddress; UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + 35) - ((PUINT8)BufferData + 11) - 6); *(PUINT32)(ShellCode + 13) = LoadLibraryAddressOffset; // 放置 rip 地址 *(PUINT64)(ShellCode + 27) = ThreadContext.Rip; if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL)) { return FALSE; } ThreadContext.Rip = (UINT64)BufferData; #else PUINT8 v1 = ShellCode + 29; memcpy((char*)v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR)); //這裏是要注入的DLL名字 *(PUINT32)(ShellCode + 3) = (UINT32)BufferData + 29; *(PUINT32)(ShellCode + 25) = LoadLibraryWAddress; //loadlibrary地址放入shellcode中 *(PUINT32)(ShellCode + 9) = (UINT32)BufferData + 25;//修改call 以後的地址 爲目標空間存放 loaddlladdr的地址 ////////////////////////////////// *(PUINT32)(ShellCode + 21) = ThreadContext.Eip; *(PUINT32)(ShellCode + 17) = (UINT32)BufferData + 21;//修改jmp 以後爲原來eip的地址 if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL)) { printf("write Process Error\n"); return FALSE; } ThreadContext.Eip = (UINT32)BufferData; #endif if (!SetThreadContext(ThreadHandle, &ThreadContext)) { printf("set thread context error\n"); return FALSE; } ResumeThread(ThreadHandle); printf("ShellCode 注入完成\r\n"); } } CloseHandle(ThreadHandle); CloseHandle(ProcessHandle); return TRUE; }
0x04.插入Apc隊列
Ring3層的Apc注入是不太穩定的,個人作法就是暴力的向目標進程的全部線程的UserMode Apc隊列(線程有兩個Apc隊列:Kernel和User)上插入Apc對象,等待他去執行該Apc裏註冊的函數。而只有當線程處於alterable狀態時,纔會查看Apc隊列是否有須要執行的註冊函數。
ps:正是由於不知道哪一個線程會去處理Apc,因此感受Ring3層Apc注入不如其餘方法好使,不過Ring0層Apc注入仍是比較穩定的。以前測試xp和win10都成功,win7下注explorer進程老是崩潰,後來捯飭半天,發現遍歷線程的時候從後往前遍歷着插入就不會崩潰Orz
int main() { ...... ThreadCount = ThreadIdVector.size(); for (INT i = ThreadCount - 1; i >= 0; i--) { UINT32 ThreadId = ThreadIdVector[i]; InjectDllByApc(ProcessId, ThreadId); } ...... } BOOL InjectDllByApc(IN UINT32 ProcessId, IN UINT32 ThreadId) { BOOL bOk = 0; HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId); HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); UINT_PTR LoadLibraryAddress = 0; SIZE_T ReturnLength = 0; UINT32 DllFullPathLength = (strlen(DllFullPath) + 1); // 全局,申請一次內存 if (DllFullPathBufferData == NULL) { //申請內存 DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (DllFullPathBufferData == NULL) { CloseHandle(ProcessHandle); CloseHandle(ThreadHandle); return FALSE; } } // 避免以前寫操做失敗,每次重複寫入 bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1, &ReturnLength); if (bOk == FALSE) { CloseHandle(ProcessHandle); CloseHandle(ThreadHandle); return FALSE; } LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA"); if (LoadLibraryAddress == NULL) { CloseHandle(ProcessHandle); CloseHandle(ThreadHandle); return FALSE; } __try { QueueUserAPC((PAPCFUNC)LoadLibraryAddress, ThreadHandle, (UINT_PTR)DllFullPathBufferData); } __except (EXCEPTION_CONTINUE_EXECUTION) { } CloseHandle(ProcessHandle); CloseHandle(ThreadHandle); return TRUE; }
0x05.修改註冊表
註冊表注入算得上是全局Hook了吧,畢竟新建立的進程在加載User32.dll時,都會自動調用LoadLibrary去加載註冊表中某個表項鍵值裏寫入的Dll路徑。
咱們關心的這個註冊表項鍵是:
x64下:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
x86下:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
咱們要設置的鍵值是AppInit_DLLs = 「Dll完整路徑」,LoadAppInit_Dlls = 1(讓系統使用這個註冊表項)
ps:因爲注入的Dll在進程建立的早期,因此在Dll中使用函數要格外當心,由於有的庫可能還沒加載上。
int main() { LSTATUS Status = 0;
#ifdef _WIN64
WCHAR* wzSubKey = L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
#else
WCHAR* wzSubKey = L"SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
#endif // _WIN64
HKEY hKey = NULL; // 打開註冊表 Status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, // 要打開的主鍵 wzSubKey, // 要打開的子鍵名字地址 0, // 保留,傳0 KEY_ALL_ACCESS, // 打開的方式 &hKey); // 返回的子鍵句柄 if (Status != ERROR_SUCCESS) { return 0; } WCHAR* wzValueName = L"AppInit_DLLs"; DWORD dwValueType = 0; UINT8 ValueData[MAX_PATH] = { 0 }; DWORD dwReturnLength = 0; // 查詢註冊表 Status = RegQueryValueExW(hKey, // 子鍵句柄 wzValueName, // 待查詢鍵值的名稱 NULL, // 保留 &dwValueType, // 數據類型 ValueData, // 鍵值 &dwReturnLength); WCHAR wzDllFullPath[MAX_PATH] = { 0 }; GetCurrentDirectoryW(MAX_PATH, wzDllFullPath); #ifdef _WIN64 wcscat_s(wzDllFullPath, L"\\x64NormalDll.dll"); #else wcscat_s(wzDllFullPath, L"\\x86NormalDll.dll"); #endif // 設置鍵值 Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)wzDllFullPath, (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR)); if (Status != ERROR_SUCCESS) { return 0; } wzValueName = L"LoadAppInit_DLLs"; DWORD dwLoadAppInit = 1; // 查詢註冊表 Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength); // 設置鍵值 Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD)); if (Status != ERROR_SUCCESS) { return 0; } printf("Input Any Key To Resume\r\n"); getchar(); getchar(); // 恢復鍵值 dwLoadAppInit = 0; Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength); Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD)); wzValueName = L"AppInit_DLLs"; ZeroMemory(wzDllFullPath, (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR)); Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength); Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)wzDllFullPath, 0); return 0; }
0x06.掛鉤窗口消息
掛鉤窗口消息使用了MS提供的一個API接口SetWindowsHookEx。
他的工做原理是給帶窗口的目標進程的某個線程的某個消息掛鉤上咱們Dll導出的函數,一旦消息觸發,則導出函數(處理該消息的鉤子程序,調用約定須要時__stdcall)就會被調用,這時還須要調用。前面學習到的幾種方法歸根結底是調用了LoadLibrary,而這個方法並無。
// 注入exe關鍵代碼 給目標線程的指定消息上下鉤,走進Dll導出函數 BOOL Inject(IN UINT32 ThreadId, OUT HHOOK& HookHandle) { HMODULE DllModule = LoadLibraryA(DllFullPath); FARPROC FunctionAddress = GetProcAddress(DllModule, "Sub_1"); HookHandle = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)FunctionAddress, DllModule, ThreadId); if (HookHandle == NULL) { return FALSE; } return TRUE; }
// 動態庫中導出函數
// 調試發現,這裏的調用約定要使用__stdcall,應該跟堆棧有關係
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
MessageBox(0, 0, 0, 0);
return CallNextHookEx(NULL, nCode, wParam, lParam);
}
0x07.遠程手動實現LoadLibrary
該方法學習自github上名叫ReflevtiveDllInjection,大致上分爲兩個部分,exe和dll,下面分別簡述。
exe:做爲注入啓動程序,在目標進程申請一起PAGE_EXECUTE_READWRITE內存,將Dll以文件格式直接寫入目標進程內存空間中,而後得到導出函數"LoadDllByOEP"在文件中的偏移,使用CreateRemoteThread直接讓目標進程去執行LoadDllByOEP函數。
Dll:最關鍵導出 LoadDllByOEP 函數,在該函數裏,首先經過目標進程加載模塊ntdll.dll的導出表中得到NtFlushInstructionCache函數地址,在Kernel32.dll的導出表中得到LoadLibraryA、GetProcAddress、VirtualAlloc函數地址;而後在進程內存空間裏從新申請內存,拷貝本身的PE結構到內存裏,接着修正IAT和重定向塊,最後調用模塊OEP,完成了手動實現LoadLibrary!
ps:寫代碼時參考《Windows PE權威指南》,對整個PE結構又有了新的認識。我有for循環強迫症。。這份代碼就全貼上了。
// InjectDllByOEP.cpp : 定義控制檯應用程序的入口點。 // #include "stdafx.h" #include <Windows.h> #include <iostream> #include <TlHelp32.h> using namespace std; BOOL GrantPriviledge(WCHAR* PriviledgeName); UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer); UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader); BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId); HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam); CHAR DllFullPath[MAX_PATH] = { 0 }; int main() { // 首先提權一波 if (GrantPriviledge(SE_DEBUG_NAME) == FALSE) { printf("GrantPriviledge Error\r\n"); } // 接着經過進程名獲得進程id UINT32 ProcessId = 0; GetCurrentDirectoryA(MAX_PATH, DllFullPath); #ifdef _WIN64 // GetProcessIdByProcessImageName(L"Taskmgr.exe", &ProcessId); GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId); strcat_s(DllFullPath, "\\x64LoadRemoteDll.dll"); #else GetProcessIdByProcessImageName(L"notepad++.exe", &ProcessId); strcat_s(DllFullPath, "\\x86LoadRemoteDll.dll"); #endif // 得到dll句柄 HANDLE FileHandle = CreateFileA(DllFullPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (FileHandle == INVALID_HANDLE_VALUE) { printf("Open File Error\r\n"); return 0; } // 得到dll文件長度 UINT32 FileSize = GetFileSize(FileHandle, NULL); if (FileSize == INVALID_FILE_SIZE || FileSize == 0) { printf("Get File Size Error\r\n"); CloseHandle(FileHandle); return 0; } // 申請內存,保存 PVOID FileData = HeapAlloc(GetProcessHeap(), 0, FileSize); if (FileData == NULL) { printf("HeapAlloc Error\r\n"); CloseHandle(FileHandle); return 0; } DWORD ReturnLength = 0; BOOL bOk = ReadFile(FileHandle, FileData, FileSize, &ReturnLength, NULL); CloseHandle(FileHandle); if (bOk == FALSE) { printf("ReadFile Error\r\n"); HeapFree(GetProcessHeap(), 0, FileData); return 0; } HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); if (ProcessHandle == NULL) { printf("OpenProcess Error\r\n"); HeapFree(GetProcessHeap(), 0, FileData); return 0; } // 執行Dll中的導出函數LoadDllByOEP,讓目標進程實現LoadLibrary功能 HANDLE ThreadHandle = LoadRemoteDll(ProcessHandle, FileData, FileSize, NULL); if (ThreadHandle == NULL) { goto _Clear; } WaitForSingleObject(ThreadHandle, INFINITE); _Clear: if (FileData) { HeapFree(GetProcessHeap(), 0, FileData); } if (ProcessHandle) { CloseHandle(ProcessHandle); } return 0; } /************************************************************************ * Name : LoadRemoteDll * Param: ProcessHandle 進程句柄 (IN) * Param: ModuleBaseAddress 模塊基地址 * Param: ModuleLength 模塊在文件中的大小 * Param: lParam 模塊句柄 * Ret : HANDLE * 將Dll以文件格式寫入目標進程內存,並執行Dll的導出函數LoadDllByOEP ************************************************************************/ HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam) { HANDLE ThreadHandle = NULL; __try { if (ProcessHandle == NULL || ModuleFileBaseAddress == NULL || ModuleFileSize == 0) { return NULL; } // 導出函數相對於 ModuelBaseAddress 的 Offset UINT32 FunctionOffset = GetLoadDllByOEPOffsetInFile(ModuleFileBaseAddress); if (FunctionOffset == 0) { return NULL; } // 在目標進程申請內存 PVOID RemoteBufferData = VirtualAllocEx(ProcessHandle, NULL, ModuleFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (RemoteBufferData == NULL) { return NULL; } // 把Dll文件寫入目標進程內存空間 BOOL bOk = WriteProcessMemory(ProcessHandle, RemoteBufferData, ModuleFileBaseAddress, ModuleFileSize, NULL); if (bOk == FALSE) { return NULL; } // 以文件格式去執行 Dll 中的 LoadDllByOEP LPTHREAD_START_ROUTINE RemoteThreadCallBack = (LPTHREAD_START_ROUTINE)((PUINT8)RemoteBufferData + FunctionOffset); ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 1024 * 1024, RemoteThreadCallBack, lParam, 0, NULL); } __except (EXCEPTION_EXECUTE_HANDLER) { ThreadHandle = NULL; } return ThreadHandle; } /************************************************************************ * Name : LoadRemoteDll * Param: ProcessHandle 進程句柄 * Ret : HANDLE * 得到LoadDllByOEP在Dll文件中的偏移量 ************************************************************************/ UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer) { UINT_PTR BaseAddress = (UINT_PTR)DllBuffer; PIMAGE_DOS_HEADER DosHeader = NULL; PIMAGE_NT_HEADERS NtHeader = NULL; DosHeader = (PIMAGE_DOS_HEADER)BaseAddress; NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)BaseAddress + DosHeader->e_lfanew); /* #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107 */ if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // pe32 { } else if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // pe64 { } else { return 0; } UINT32 ExportDirectoryRVA = NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)BaseAddress + RVAToOffset(ExportDirectoryRVA, NtHeader)); UINT32 AddressOfNamesRVA = ExportDirectory->AddressOfNames; PUINT32 AddressOfNames = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfNamesRVA, NtHeader)); UINT32 AddressOfFunctionsRVA = ExportDirectory->AddressOfFunctions; PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfFunctionsRVA, NtHeader)); UINT32 AddressOfNameOrdinalsRVA = ExportDirectory->AddressOfNameOrdinals; PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)BaseAddress + RVAToOffset(AddressOfNameOrdinalsRVA, NtHeader)); for (UINT32 i = 0; i < ExportDirectory->NumberOfFunctions; i++) { CHAR* ExportFunctionName = (CHAR*)((PUINT8)BaseAddress + RVAToOffset(*AddressOfNames, NtHeader)); if (strstr(ExportFunctionName, "LoadDllByOEP") != NULL) { UINT16 ExportFunctionOrdinals = AddressOfNameOrdinals[i]; return RVAToOffset(AddressOfFunctions[ExportFunctionOrdinals], NtHeader); } } return 0; } /************************************************************************ * Name : RVAToOffset * Param: RVA 內存中偏移 * Param: NtHeader Nt頭 * Ret : UINT32 * 內存中偏移轉換成文件中偏移 ************************************************************************/ UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader) { UINT32 i = 0; PIMAGE_SECTION_HEADER SectionHeader = NULL; SectionHeader = IMAGE_FIRST_SECTION(NtHeader); if (RVA < SectionHeader[0].PointerToRawData) { return RVA; } for (i = 0; i < NtHeader->FileHeader.NumberOfSections; i++) { if (RVA >= SectionHeader[i].VirtualAddress && RVA < (SectionHeader[i].VirtualAddress + SectionHeader[i].SizeOfRawData)) { return (RVA - SectionHeader[i].VirtualAddress + SectionHeader[i].PointerToRawData); } } return 0; } /************************************************************************ * Name : GetProcessIdByProcessImageName * Param: wzProcessImageName 進程映像名稱 (IN) * Param: TargetProcessId 進程Id (OUT) * Ret : BOOLEAN * 使用ToolHelp系列函數經過進程映像名稱得到進程Id ************************************************************************/ BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId) { HANDLE ProcessSnapshotHandle = NULL; PROCESSENTRY32 ProcessEntry32 = { 0 }; ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // 初始化PROCESSENTRY32結構 ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 給系統全部的進程快照 if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE) { return FALSE; } Process32First(ProcessSnapshotHandle, &ProcessEntry32); // 找到第一個 do { if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // 不區分大小寫 { *TargetProcessId = ProcessEntry32.th32ProcessID; break; } } while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32)); CloseHandle(ProcessSnapshotHandle); ProcessSnapshotHandle = NULL; return TRUE; } /************************************************************************ * Name : GrantPriviledge * Param: PriviledgeName 想要提高的權限 * Ret : BOOLEAN * 提高本身想要的權限 ************************************************************************/ BOOL GrantPriviledge(WCHAR* PriviledgeName) { TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges; DWORD dwReturnLength = sizeof(OldPrivileges); HANDLE TokenHandle = NULL; LUID uID; // 打開權限令牌 if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle)) { if (GetLastError() != ERROR_NO_TOKEN) { return FALSE; } if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)) { return FALSE; } } if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 經過權限名稱查找uID { CloseHandle(TokenHandle); return FALSE; } TokenPrivileges.PrivilegeCount = 1; // 要提高的權限個數 TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態數組,數組大小根據Count的數目 TokenPrivileges.Privileges[0].Luid = uID; // 在這裏咱們進行調整權限 if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength)) { CloseHandle(TokenHandle); return FALSE; } // 成功了 CloseHandle(TokenHandle); return TRUE; }
// LoadRemoteDll.h #include <Windows.h> #include <intrin.h> #ifdef LOADREMOTEDLL_EXPORTS #define LOADREMOTEDLL_API __declspec(dllexport) #else #define LOADREMOTEDLL_API __declspec(dllimport) #endif #define KERNEL32DLL_HASH 0x6A4ABC5B #define NTDLLDLL_HASH 0x3CFA685D #define LOADLIBRARYA_HASH 0xEC0E4E8E #define GETPROCADDRESS_HASH 0x7C0DFCAA #define VIRTUALALLOC_HASH 0x91AFCA54 #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 #define IMAGE_REL_BASED_ARM_MOV32A 5 #define IMAGE_REL_BASED_ARM_MOV32T 7 #define HASH_KEY 13 #pragma intrinsic( _rotr ) __forceinline UINT32 ror(UINT32 d) { return _rotr(d, HASH_KEY); } __forceinline UINT32 hash(char * c) { register UINT32 h = 0; do { h = ror(h); h += *c; } while (*++c); return h; } ////////////////////////////////////////////////////////////////////////// typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _PEB_LDR_DATA_WIN7_X64 { UINT32 Length; UINT8 Initialized; UINT8 _PADDING0_[0x3]; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID EntryInProgress; UINT8 ShutdownInProgress; UINT8 _PADDING1_[0x7]; PVOID ShutdownThreadId; }PEB_LDR_DATA_WIN7_X64, *PPEB_LDR_DATA_WIN7_X64; typedef struct _PEB_LDR_DATA_WINXP_X86 { UINT32 Length; UINT8 Initialized; UINT8 _PADDING0_[0x3]; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID EntryInProgress; }PEB_LDR_DATA_WINXP_X86, *PPEB_LDR_DATA_WINXP_X86; #ifdef _WIN64 #define PPEB_LDR_DATA PPEB_LDR_DATA_WIN7_X64 #define PEB_LDR_DATA PEB_LDR_DATA_WIN7_X64 #else #define PPEB_LDR_DATA PPEB_LDR_DATA_WINXP_X86 #define PEB_LDR_DATA PEB_LDR_DATA_WINXP_X86 #endif typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; } CURDIR, *PCURDIR; typedef struct _RTL_USER_PROCESS_PARAMETERS_WINXP_X86 { UINT32 MaximumLength; UINT32 Length; UINT32 Flags; UINT32 DebugFlags; HANDLE ConsoleHandle; UINT32 ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; // ProcessParameters UNICODE_STRING DllPath; // ProcessParameters UNICODE_STRING ImagePathName; // ProcessParameters UNICODE_STRING CommandLine; // ProcessParameters PVOID Environment; UINT32 StartingX; UINT32 StartingY; UINT32 CountX; UINT32 CountY; UINT32 CountCharsX; UINT32 CountCharsY; UINT32 FillAttribute; UINT32 WindowFlags; UINT32 ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; UINT32 CurrentDirectores[8]; }RTL_USER_PROCESS_PARAMETERS_WINXP_X86, *PRTL_USER_PROCESS_PARAMETERS_WINXP_X86; typedef struct _RTL_USER_PROCESS_PARAMETERS_WIN7_X64 { UINT32 MaximumLength; UINT32 Length; UINT32 Flags; UINT32 DebugFlags; HANDLE ConsoleHandle; UINT32 ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; // ProcessParameters UNICODE_STRING DllPath; // ProcessParameters UNICODE_STRING ImagePathName; // ProcessParameters UNICODE_STRING CommandLine; // ProcessParameters PVOID Environment; UINT32 StartingX; UINT32 StartingY; UINT32 CountX; UINT32 CountY; UINT32 CountCharsX; UINT32 CountCharsY; UINT32 FillAttribute; UINT32 WindowFlags; UINT32 ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; UINT32 CurrentDirectores[8]; UINT64 EnvironmentSize; UINT64 EnvironmentVersion; }RTL_USER_PROCESS_PARAMETERS_WIN7_X64, *PRTL_USER_PROCESS_PARAMETERS_WIN7_X64; #ifdef _WIN64 #define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WIN7_X64 #define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WIN7_X64 #else #define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WINXP_X86 #define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WINXP_X86 #endif #define GDI_HANDLE_BUFFER_SIZE32 34 #define GDI_HANDLE_BUFFER_SIZE64 60 #ifndef _WIN64 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 #else #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 #endif typedef UINT32 GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; // PEB結構 typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; union { BOOLEAN BitField; struct { BOOLEAN ImageUsesLargePages : 1; BOOLEAN IsProtectedProcess : 1; BOOLEAN IsLegacyProcess : 1; BOOLEAN IsImageDynamicallyRelocated : 1; BOOLEAN SkipPatchingUser32Forwarders : 1; BOOLEAN IsPackagedProcess : 1; BOOLEAN IsAppContainer : 1; BOOLEAN SpareBits : 1; }; }; HANDLE Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PVOID SubSystemData; PVOID ProcessHeap; PRTL_CRITICAL_SECTION FastPebLock; PVOID AtlThunkSListPtr; PVOID IFEOKey; union { UINT32 CrossProcessFlags; struct { UINT32 ProcessInJob : 1; UINT32 ProcessInitializing : 1; UINT32 ProcessUsingVEH : 1; UINT32 ProcessUsingVCH : 1; UINT32 ProcessUsingFTH : 1; UINT32 ReservedBits0 : 27; }; UINT32 EnvironmentUpdateCount; }; union { PVOID KernelCallbackTable; PVOID UserSharedInfoPtr; }; UINT32 SystemReserved[1]; UINT32 AtlThunkSListPtr32; PVOID ApiSetMap; UINT32 TlsExpansionCounter; PVOID TlsBitmap; UINT32 TlsBitmapBits[2]; PVOID ReadOnlySharedMemoryBase; PVOID HotpatchInformation; PVOID* ReadOnlyStaticServerData; PVOID AnsiCodePageData; PVOID OemCodePageData; PVOID UnicodeCaseTableData; UINT32 NumberOfProcessors; UINT32 NtGlobalFlag; LARGE_INTEGER CriticalSectionTimeout; SIZE_T HeapSegmentReserve; SIZE_T HeapSegmentCommit; SIZE_T HeapDeCommitTotalFreeThreshold; SIZE_T HeapDeCommitFreeBlockThreshold; UINT32 NumberOfHeaps; UINT32 MaximumNumberOfHeaps; PVOID* ProcessHeaps; PVOID GdiSharedHandleTable; PVOID ProcessStarterHelper; UINT32 GdiDCAttributeList; PRTL_CRITICAL_SECTION LoaderLock; UINT32 OSMajorVersion; UINT32 OSMinorVersion; UINT16 OSBuildNumber; UINT16 OSCSDVersion; UINT32 OSPlatformId; UINT32 ImageSubsystem; UINT32 ImageSubsystemMajorVersion; UINT32 ImageSubsystemMinorVersion; UINT_PTR ImageProcessAffinityMask; GDI_HANDLE_BUFFER GdiHandleBuffer; PVOID PostProcessInitRoutine; PVOID TlsExpansionBitmap; UINT32 TlsExpansionBitmapBits[32]; UINT32 SessionId; ULARGE_INTEGER AppCompatFlags; ULARGE_INTEGER AppCompatFlagsUser; PVOID pShimData; PVOID AppCompatInfo; UNICODE_STRING CSDVersion; PVOID ActivationContextData; PVOID ProcessAssemblyStorageMap; PVOID SystemDefaultActivationContextData; PVOID SystemAssemblyStorageMap; SIZE_T MinimumStackCommit; PVOID* FlsCallback; LIST_ENTRY FlsListHead; PVOID FlsBitmap; UINT32 FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(UINT32) * 8)]; UINT32 FlsHighIndex; PVOID WerRegistrationData; PVOID WerShipAssertPtr; PVOID pContextData; PVOID pImageHeaderHash; union { UINT32 TracingFlags; struct { UINT32 HeapTracingEnabled : 1; UINT32 CritSecTracingEnabled : 1; UINT32 LibLoaderTracingEnabled : 1; UINT32 SpareTracingBits : 29; }; }; UINT64 CsrServerReadOnlySharedMemoryBase; } PEB, *PPEB; // Ldr 三根鏈表結構 typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; UINT32 SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; UINT32 Flags; UINT16 LoadCount; UINT16 TlsIndex; union { LIST_ENTRY HashLinks; struct { PVOID SectionPointer; UINT32 CheckSum; }; }; union { struct { UINT32 TimeDateStamp; }; struct { PVOID LoadedImports; }; }; struct _ACTIVATION_CONTEXT * EntryPointActivationContext; PVOID PatchInformation; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; typedef const struct _LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam);
// LoadRemoteDll.cpp // LoadRemoteDll.cpp : 定義 DLL 應用程序的導出函數。 // #include "stdafx.h" #include "LoadRemoteDll.h" #pragma intrinsic(_ReturnAddress) __declspec(noinline) UINT_PTR caller() { return (UINT_PTR)_ReturnAddress(); // #include <intrin.h> } typedef HMODULE (WINAPI * pfnLoadLibraryA)(LPCSTR lpLibFileName); typedef FARPROC (WINAPI * pfnGetProcAddress)(HMODULE hModule, LPCSTR lpProcName); typedef LPVOID (WINAPI * pfnVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); typedef LONG // NTSTATUS (NTAPI * pfnNtFlushInstructionCache)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length); typedef BOOL (APIENTRY * pfnDllMain)(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved); LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam) { UINT_PTR LibraryAddress = 0; PIMAGE_DOS_HEADER DosHeader = NULL; PIMAGE_NT_HEADERS NtHeader = NULL; pfnLoadLibraryA LoadLibraryAAddress = NULL; pfnGetProcAddress GetProcAddressAddress = NULL; pfnVirtualAlloc VirtualAllocAddress = NULL; pfnNtFlushInstructionCache NtFlushInstructionCacheAddress = NULL; LibraryAddress = caller(); // 得到下一步指令的地址,其實就是爲了得到當前指令地址,爲後面尋找PE頭提供起點 DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress; while (TRUE) { if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE && DosHeader->e_lfanew >= sizeof(IMAGE_DOS_HEADER) && DosHeader->e_lfanew < 1024) { NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew); if (NtHeader->Signature == IMAGE_NT_SIGNATURE) { break; } } LibraryAddress--; DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress; } // 得到PEB #ifdef _WIN64 PPEB Peb = (PPEB)__readgsqword(0x60); #else PPEB Peb = (PPEB)__readfsdword(0x30); #endif PPEB_LDR_DATA Ldr = Peb->Ldr; // 1.從Dll導出表中獲取函數地址 for (PLIST_ENTRY TravelListEntry = (PLIST_ENTRY)Ldr->InLoadOrderModuleList.Flink; TravelListEntry != &Ldr->InLoadOrderModuleList; // 空頭節點 TravelListEntry = TravelListEntry->Flink) { PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)TravelListEntry; UINT32 FunctionCount = 0; // WCHAR* DllName = (WCHAR*)LdrDataTableEntry->BaseDllName.Buffer; UINT_PTR DllName = (UINT_PTR)LdrDataTableEntry->BaseDllName.Buffer; UINT32 DllLength = LdrDataTableEntry->BaseDllName.Length; UINT_PTR DllBaseAddress = (UINT_PTR)LdrDataTableEntry->DllBase; DosHeader = (PIMAGE_DOS_HEADER)DllBaseAddress; NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)DllBaseAddress + DosHeader->e_lfanew); IMAGE_DATA_DIRECTORY ExportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)DllBaseAddress + ExportDataDirectory.VirtualAddress); PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfFunctions); PUINT32 AddressOfNames = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNames); PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNameOrdinals); UINT16 Ordinal = 0; UINT_PTR ExportFunctionAddress = 0; UINT32 HashValue = 0; // 將Dll名稱轉換成Hash值 do { HashValue = ror((UINT32)HashValue); if (*((PUINT8)DllName) >= 'a') { HashValue += *((PUINT8)DllName) - 0x20; } else { HashValue += *((PUINT8)DllName); } DllName++; } while (--DllLength); if (HashValue == KERNEL32DLL_HASH) { FunctionCount = 3; for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++) { if (FunctionCount == 0) { break; } CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]); HashValue = hash(szExportFunctionName); if (HashValue == LOADLIBRARYA_HASH) { Ordinal = AddressOfNameOrdinals[i]; LoadLibraryAAddress = (pfnLoadLibraryA)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]); FunctionCount--; } else if (HashValue == GETPROCADDRESS_HASH) { Ordinal = AddressOfNameOrdinals[i]; GetProcAddressAddress = (pfnGetProcAddress)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]); FunctionCount--; } else if (HashValue == VIRTUALALLOC_HASH) { Ordinal = AddressOfNameOrdinals[i]; VirtualAllocAddress = (pfnVirtualAlloc)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]); FunctionCount--; } } } else if (HashValue == NTDLLDLL_HASH) { FunctionCount = 1; for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++) { if (FunctionCount == 0) { break; } CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]); HashValue = hash(szExportFunctionName); if (HashValue == NTFLUSHINSTRUCTIONCACHE_HASH) { Ordinal = AddressOfNameOrdinals[i]; NtFlushInstructionCacheAddress = (pfnNtFlushInstructionCache)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]); FunctionCount--; } } } if (LoadLibraryAAddress != NULL && GetProcAddressAddress != NULL && VirtualAllocAddress != NULL && NtFlushInstructionCacheAddress != NULL) { break; } } // 2.申請內存,從新加載咱們的Dll // 再次更新DosHeader和NtHeader DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress; NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew); // 從新申請內存(SizeOfImage就是PE在內存中的大小) /* _asm { int 3; } */ // 這個本身從新申請的頭指針不敢隨便移動,使用一個變量來替代 UINT_PTR NewBaseAddress = (UINT_PTR)VirtualAllocAddress(NULL, NtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); UINT_PTR OldPtr = LibraryAddress; UINT_PTR BasePtr = NewBaseAddress; // 2.1首先拷貝頭 + 節表 UINT32 SizeOfHeaders = NtHeader->OptionalHeader.SizeOfHeaders; while (SizeOfHeaders--) { *(PUINT8)BasePtr++ = *(PUINT8)OldPtr++; } // memcpy((PVOID)NewBaseAddress, (PVOID)LibraryAddress, NtHeader->OptionalHeader.SizeOfHeaders); /* PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader); UINT32 NumberOfSections = NtHeader->FileHeader.NumberOfSections; while (NumberOfSections--) { UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader->VirtualAddress); UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader->PointerToRawData); UINT32 SizeOfRawData = SectionHeader->SizeOfRawData; while (SizeOfRawData--) { *(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++; } SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)SectionHeader + sizeof(IMAGE_SECTION_HEADER)); } */ // 2.2拷貝節區 PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader); for (INT i = 0; i < NtHeader->FileHeader.NumberOfSections; i++) { if (SectionHeader[i].VirtualAddress == 0 || SectionHeader[i].SizeOfRawData == 0) // 節塊裏面沒有數據 { continue; } // 定位該節塊在內存中的位置 UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader[i].VirtualAddress); UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData); // 複製節塊數據到虛擬內存 UINT32 SizeOfRawData = SectionHeader[i].SizeOfRawData; while (SizeOfRawData--) { *(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++; } //memcpy(SectionAddress, (PVOID)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData), SectionHeader[i].SizeOfRawData); } // 2.3修正導入表(IAT) IMAGE_DATA_DIRECTORY ImportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]); PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)NewBaseAddress + ImportDataDirectory.VirtualAddress); /* _asm { int 3; } */ /* while (ImportDescriptor->Characteristics != 0) { PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->FirstThunk); PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->OriginalFirstThunk); // 獲取導入模塊名稱 // char szModuleName[MAX_PATH] = { 0 }; PCHAR ModuleName = (PCHAR)((PUINT8)NewBaseAddress + ImportDescriptor->Name); HMODULE Dll = LoadLibraryAAddress(ModuleName); UINT_PTR FunctionAddress = 0; for (INT i = 0; OriginalFirstThunk[i].u1.Function != 0; i++) { if (IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[i].u1.Ordinal)) { FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[i].u1.Ordinal)))); } else { PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[i].u1.AddressOfData); FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 經過函數名稱獲得函數地址 } FirstThunk[i].u1.Function = FunctionAddress; } ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)ImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR)); } */ for (INT i = 0; ImportDescriptor[i].Name != NULL; i++) { // 加載導入動態庫 HMODULE Dll = LoadLibraryAAddress((const CHAR*)((PUINT8)NewBaseAddress + ImportDescriptor[i].Name)); PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].OriginalFirstThunk); PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].FirstThunk); UINT_PTR FunctionAddress = 0; // 遍歷每一個導入模塊的函數 for (INT j = 0; OriginalFirstThunk[j].u1.Function; j++) { if (&OriginalFirstThunk[j] && IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[j].u1.Ordinal)) { // 序號導入---->這裏直接從Dll的導出表中找到函數地址 // FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal)))); // 除去最高位即爲序號 DosHeader = (PIMAGE_DOS_HEADER)Dll; NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)Dll + DosHeader->e_lfanew); PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)Dll + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); // 導出函數地址RVA數組 PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)Dll + ExportDirectory->AddressOfFunctions); UINT16 Ordinal = IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal - ExportDirectory->Base); // 導出函數編號 - Base(導出函數編號的起始值) = 導出函數在函數地址表中序號 FunctionAddress = (UINT_PTR)((PUINT8)Dll + AddressOfFunctions[Ordinal]); } else { // 名稱導入 PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[j].u1.AddressOfData); FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 經過函數名稱獲得函數地址 } // 更新IAT FirstThunk[j].u1.Function = FunctionAddress; } } // 2.4修正重定向表 DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress; NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew); // UINT_PTR Delta = NewBaseAddress - NtHeader->OptionalHeader.ImageBase; IMAGE_DATA_DIRECTORY BaseRelocDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]); // 有無重定向表 if (BaseRelocDataDirectory.Size != 0) { PIMAGE_BASE_RELOCATION BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)NewBaseAddress + BaseRelocDataDirectory.VirtualAddress); while (BaseRelocation->SizeOfBlock != 0) { typedef struct _IMAGE_RELOC { UINT16 Offset : 12; // 低12位---偏移 UINT16 Type : 4; // 高4位---類型 } IMAGE_RELOC, *PIMAGE_RELOC; // 定位到重定位塊 PIMAGE_RELOC RelocationBlock = (PIMAGE_RELOC)((PUINT8)BaseRelocation + sizeof(IMAGE_BASE_RELOCATION)); // 計算須要修正的重定向位項的數目 UINT32 NumberOfRelocations = (BaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16); for (INT i = 0; i < NumberOfRelocations; i++) { if (RelocationBlock[i].Type == IMAGE_REL_BASED_DIR64) { // 64 位 PUINT64 Address = (PUINT64)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + RelocationBlock[i].Offset); UINT64 Delta = (UINT64)NewBaseAddress - NtHeader->OptionalHeader.ImageBase; *Address += Delta; } else if (RelocationBlock[i].Type == IMAGE_REL_BASED_HIGHLOW) { // 32 位 PUINT32 Address = (PUINT32)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + (RelocationBlock[i].Offset)); UINT32 Delta = (UINT32)NewBaseAddress - NtHeader->OptionalHeader.ImageBase; *Address += Delta; } } // 轉到下一張重定向表 BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)BaseRelocation + BaseRelocation->SizeOfBlock); } } // 3.得到模塊OEP UINT_PTR AddressOfEntryPoint = (UINT_PTR)((PUINT8)NewBaseAddress + NtHeader->OptionalHeader.AddressOfEntryPoint); NtFlushInstructionCacheAddress(INVALID_HANDLE_VALUE, NULL, 0); // 調用經過OEP去調用DllMain ((pfnDllMain)AddressOfEntryPoint)((HMODULE)NewBaseAddress, DLL_PROCESS_ATTACH, lParam); /* _asm { int 3; } */ return AddressOfEntryPoint; }
// dllmain.cpp : 定義 DLL 應用程序的入口點。 #include "stdafx.h" BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { MessageBoxA(0, 0, 0, 0); break; } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }
0x08.總結
也許還有我沒有學習到的Ring3注入Dll的方法,正所謂,路漫漫其修遠兮,吾將上下而求索!
奉上代碼下載地址:https://github.com/YouArekongqi/InjectCollection.git