32位進程注入64位進程

在以前寫注入都是32位exe文件注入32位dll到32位exe文件中，或者都是64位。可是以前看到關於32位進程注入64位進程的方法，將學習筆記記錄下來。

以前的文章：注入小結

咱們須要藉助GitHub上的開源庫rewolf-wow64ext 這個庫的目的就是讓運行在Wow64環境中的x86應用程序能夠直接調用x64下ntdll.dll中的Native API。經過這個開源項目咱們大體能夠知道：

    ①在x64下的進程，無論是32位或者是64位，實際上都映射了兩個地址空間，一個是32位，一個是64位。至關於一個進程的兩種工做模式，並且這兩種工做模式是能夠進行切換的;

    ②Wow64進程中的r12寄存器指向64位的TEB結構(TEB64);

    ③每一個32位進程都會加劇ntdll32.dll和ntdll.dll模塊。其中ntdll.dll是64位模塊，咱們能夠將進程的32位模式改成64位模式，而後再去操做64位進程。

具體的操做：

    ① 進程的32位模式改爲64位模式

#define X64_Start() X64_Start_with_CS(0x33)
#define X64_End() X64_End_with_CS(0x23)

 在wow64ext中對x64 api進程調用時，使用X64_Start_with_CS(0x33)設置進程的'運行模式"爲64位。

#define EMIT(a) __asm __emit (a)

#define X64_Start_with_CS(_cs) \
    { \
    EMIT(0x6A) EMIT(_cs)                         /*  push   _cs             */ \
    EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0)   /*  call   $+5             */ \
    EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(5)        /*  add    dword [esp], 5  */ \
    EMIT(0xCB)                                   /*  retf                   */ \
    }

#define X64_End_with_CS(_cs) \
    { \
    EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0)                                 /*  call   $+5                   */ \
    EMIT(0xC7) EMIT(0x44) EMIT(0x24) EMIT(4) EMIT(_cs) EMIT(0) EMIT(0) EMIT(0) /*  mov    dword [rsp + 4], _cs  */ \
    EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(0xD)                                    /*  add    dword [rsp], 0xD      */ \
    EMIT(0xCB)                                                                 /*  retf                         */ \
    }

能夠看到主要是藉助retf將CS寄存器的值設置爲0x33。這裏提一下題外話，能夠百度一下ret，iret和retf三者之間的區別。

②得到目標函數所在模塊(ntdll.dll)在x64模式下的加載基地址：

#define X64_Push(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x50 | ((r) & 7))

DWORD64 getTEB64()
{
    reg64 reg;
    reg.v = 0;   
    X64_Start();
    // R12 register should always contain pointer to TEB64 in WoW64 processes
    X64_Push(_R12);
    // below pop will pop QWORD from stack, as we're in x64 mode now
    __asm pop reg.dw[0]
    X64_End();
    return reg.v;
}

關於TEB的得到是經過r12-->TEB64--->PEB--->LDR匹配到ntdll.dll來找到ntdll.dll的加載基地址。

③解析PE結構找到目標函數在"x64模式"下的真實地址(GetProcAddr())。

④經過函數地址調用"x64模式"下的目標函數。這裏要注意x64函數調用約定的改變，前4個參數經過rcx,rdx,r8,r9來傳遞，以後經過堆棧傳遞。X64Call()已經封裝好了。

接下來咱們能夠開始實際的工做了。

NTSTATUS
NTAPI
RtlCreateUserThread(
    _In_ HANDLE processHandle,
    _In_ SECURITY_DESCRIPTOR* securityDescriptor,
    _In_ BOOLEAN createSuspended,
    _In_ ULONG stackZeroBits,
    _Inout_opt_ size_t* stackReserved,
    _Inout_opt_ size_t* stackCommit,
    _In_ const void* startAddress,
    _In_ void* startParameter,
    _Inout_ HANDLE* threadHandle,
    _Inout_opt_ CLIENT_ID* clientID
    );

NTSTATUS
NTAPI
LdrLoadDll(
    _In_opt_ PWSTR SearchPath,
    _In_opt_ PULONG LoadFlags,
    _In_ PUNICODE_STRING Name,
    _Out_opt_ PVOID *BaseAddress
    );

VOID
NTAPI
RtlExitUserThread(
    _In_ NTSTATUS Status
    );

不一樣於以前利用CreateRemoteThread()來建立線程。由於CreateRemoteThread()是由Kernel32.dll導出的，wow64ext這個庫只針對ntdll.dll(同理LoadLibrary也不能調用)。因此採用ntdll中未文檔化的RtlCreateUserThread()來建立遠程線程，LdrLoadDll()加載dll，在遠程線程中調用RtlExitUserThread()終止遠程線程。

// Wow64Injectx64.cpp : 定義控制檯應用程序的入口點。
//

#include "stdafx.h"
#include "Wow64Injectx64.h"
#include <memory>
#include <string>
#include <Windows.h>
#include "wow64ext.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif

#pragma comment(lib,"wow64ext.lib")

// 惟一的應用程序對象
CWinApp theApp;

using namespace std;

typedef struct _UNICODE_STRING {
    USHORT    Length;     //UNICODE佔用的內存字節數，個數*2；
    USHORT      MaximumLength; 
    DWORD64   Buffer;     //注意這裏指針的問題
} UNICODE_STRING ,*PUNICODE_STRING;



unsigned char shell_code[] = {
    0x48, 0x89, 0x4c, 0x24, 0x08,                               // mov       qword ptr [rsp+8],rcx 
    0x57,                                                       // push      rdi
    0x48, 0x83, 0xec, 0x20,                                     // sub       rsp,20h
    0x48, 0x8b, 0xfc,                                           // mov       rdi,rsp
    0xb9, 0x08, 0x00, 0x00, 0x00,                               // mov       ecx,8
    0xb8, 0xcc, 0xcc, 0xcc, 0xcc,                               // mov       eac,0CCCCCCCCh
    0xf3, 0xab,                                                 // rep stos  dword ptr [rdi]
    0x48, 0x8b, 0x4c, 0x24, 0x30,                               // mov       rcx,qword ptr [__formal]
    0x49, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       r9,0  //PVOID*  BaseAddr opt
    0x49, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       r8,0  //PUNICODE_STRING Name
    0x48, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       rdx,0
    0x48, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       rcx,0
    0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       rax,0 
    0xff, 0xd0,                                                 // call      rax   LdrLoadDll
    0x48, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       rcx,0
    0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov       rax,0
    0xff, 0xd0                                                  // call      rax
};


enum  InjectResult{
    OK,
    Error_NoSuchFile,
    Error_OpenProcess,
    Error_VirtualAllocEx,
    Error_GetProcAddress,
    Error_WriteProcessMemory,
    Error_CreateRemoteThread
};


InjectResult Wow64Injectx64(DWORD processid,const TCHAR* file_path);

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    cout<<"查看要注入進程的ID"<<endl;   
    ULONG_PTR ProcessID = 0;
    
    printf("Input ProcessID\r\n");
    cin>>ProcessID;
    WCHAR file_path[] = L"E:\\Messagebox.dll";

    
    if (OK==Wow64Injectx64(ProcessID,file_path))
    {
        printf("Inject Success!\n");
    }
    return 0;
}


InjectResult Wow64Injectx64(DWORD processid,const TCHAR* file_path)
{
    
    if (!PathFileExists(file_path))
    {
        return Error_NoSuchFile;
    }

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processid);
    if (INVALID_HANDLE_VALUE == handle)
    {
        return Error_OpenProcess;
    }

    size_t file_path_mem_length = (size_t)::_tcslen(file_path);
    size_t paramemter_size = (file_path_mem_length+1)*sizeof(TCHAR) + sizeof(UNICODE_STRING) + sizeof(DWORD64);
    DWORD64 paramemter_mem_addr = (DWORD64)VirtualAllocEx64(handle,NULL,paramemter_size,MEM_COMMIT,PAGE_READWRITE);
    DWORD64  shell_code_addr = (DWORD64)VirtualAllocEx64(handle,NULL,sizeof(shell_code),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if ((!paramemter_mem_addr) || (!shell_code_addr))
    {
        return Error_VirtualAllocEx;
    }
    
    char * paramemter_mem_local = new char[paramemter_size];
    memset(paramemter_mem_local,0,paramemter_size);

    PUNICODE_STRING ptr_unicode_string = (PUNICODE_STRING)(paramemter_mem_local + sizeof(DWORD64));
    ptr_unicode_string->Length = file_path_mem_length;
    ptr_unicode_string->MaximumLength = file_path_mem_length*2;
    wcscpy((WCHAR*)(ptr_unicode_string+1),file_path);
    ptr_unicode_string->Buffer = (DWORD64)((char*)paramemter_mem_addr+sizeof(DWORD64)+sizeof(UNICODE_STRING));

    DWORD64 ntdll64 = GetModuleHandle64(L"ntdll.dll");
    DWORD64 ntdll_LdrLoadDll = GetProcAddress64(ntdll64,"LdrLoadDll");
    DWORD64 ntdll_RtlCreateUserThread = GetProcAddress64(ntdll64,"RtlCreateUserThread");
    DWORD64 ntdll_RtlExitThread = GetProcAddress64(ntdll64,"RtlExitUserThread");
    if (NULL == ntdll_LdrLoadDll || NULL==ntdll_RtlCreateUserThread || NULL==ntdll_RtlExitThread)
    {
        return Error_GetProcAddress;
    }

    //r9
    memcpy(shell_code+32,&paramemter_mem_addr,sizeof(DWORD64));

    //r8
    DWORD64 ptr = paramemter_mem_addr+sizeof(DWORD64);
    memcpy(shell_code+42,&ptr,sizeof(PUNICODE_STRING));

    //LdrLoaddll
    memcpy(shell_code+72,&ntdll_LdrLoadDll,sizeof(DWORD64));

    //RtlExitUserThread
    memcpy(shell_code+94,&ntdll_RtlExitThread,sizeof(DWORD64));
    size_t write_size = 0;
    if (!WriteProcessMemory64(handle,paramemter_mem_addr,paramemter_mem_local,paramemter_size,NULL) ||
        !WriteProcessMemory64(handle,shell_code_addr,shell_code,sizeof(shell_code),NULL))
    {
        return Error_WriteProcessMemory;
    }
    DWORD64 hRemoteThread = 0;
    struct {
        DWORD64 UniqueProcess;
        DWORD64 UniqueThread;
    } client_id;
    int a = X64Call(ntdll_RtlCreateUserThread,10,
        (DWORD64)handle,                    // ProcessHandle
        (DWORD64)NULL,                      // SecurityDescriptor
        (DWORD64)FALSE,                     // CreateSuspended
        (DWORD64)0,                         // StackZeroBits
        (DWORD64)NULL,                      // StackReserved
        (DWORD64)NULL,                      // StackCommit
        shell_code_addr,                    // StartAddress
        (DWORD64)NULL,                      // StartParameter
        (DWORD64)&hRemoteThread,            // ThreadHandle
        (DWORD64)&client_id);               // ClientID)
    if (INVALID_HANDLE_VALUE == (HANDLE)hRemoteThread)
    {
        return Error_CreateRemoteThread;
    }
    return OK;
}

 

完整Demo地址：https://github.com/ChengChengCC/Ark-tools/tree/master/Wow64Injectx64

 

關於Windows x64的學習，《Windows Internals》（中文譯版《深刻解析Windows操做系統》，潘老師譯的）不錯。順便吐槽下學校把那麼多的好書都放在閱覽室，只能看，不能借，好多全新的書上都是灰！