APC注入
来源:互联网 发布:手机摄影后期制作软件 编辑:程序博客网 时间:2024/05/16 08:42
目的:
向本机指定进程中 注入特定Dll
核心:
QueueUserAPC((PAPCFUNC)LoadLibraryWAddress, ThreadHandle,(UINT_PTR)DllFullPathBufferData);
加载函数的得到 LoadLibraryWAddress =(UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"),"LoadLibrary");
该函数 用于当进程发生软中断时,向当前进程APC队列中注入LoadLibrary指针,由于该函数需要ThreadID故需要通过当前进程ID来找到进程
关于当前得到当前进程ID,是通过CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0),得到本机系统的进程快照,枚举进程,与目标进程名称相比较,
然后得到ProcessID。
得到ProessID,再通过如上方法得到ThreadID,不过由于一个进程往往有较多的线程,故需要一个类似数组的数据结构来存储得到线程,
故采用模板vector ThreadIDVector,QueueUserAPC函数 向线程中注入Dll
此方法 存在局限性 就本机测试而言 Taskmgr 无法打开
自己编写的程序能够实现注入
#include "stdafx.h"
#include
#include
#include
#include
using namespace std;
BOOL GrantPriviledge(IN PWCHAR PriviledgeName);
BOOL GetThreadIDByProcessID(IN UINT32 ProcessID, OUT vector&ThreadIDVector);
BOOL GetProcessIDByProcessImageName(IN PWCHAR ProcessImageName,OUTPUINT32 ProcessID);
BOOL InjectDllByAPC(UINT32 ProcessID, UINT32 ThreadID);
WCHAR DllFullPath[MAX_PATH] = { 0 }; //补丁路径
PVOID DllFullPathBufferData = NULL;
int main()
{
if(GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
}
GetCurrentDirectory(MAX_PATH, DllFullPath);
wcscat(DllFullPath, L"\\Dll.dll");
UINT32ProcessID = 0;
if(GetProcessIDByProcessImageName(L"TeamViewer_Service.exe",&ProcessID) == FALSE)
{
return0;
}
vectorThreadIDVector;
if(GetThreadIDByProcessID(ProcessID, ThreadIDVector) == FALSE)
{
return0;
}
size_tThreadCount = ThreadIDVector.size();
cout<< ThreadCount;
for (INT_PTRi = ThreadCount - 1; i >= 0; i--)
{
UINT32ThreadID = ThreadIDVector[i];
InjectDllByAPC(ProcessID, ThreadID);
}
}
提权函数()
BOOL GrantPriviledge(IN PWCHAR PriviledgeName)
{
HANDLETokenHandle = NULL;
TOKEN_PRIVILEGES TokenPrivileges;
TOKEN_PRIVILEGES OldTokenPrivileges;
DWORDReturnLength;
LUIDuID;
if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES |TOKEN_QUERY,FALSE, &TokenHandle)) //使用windows函数API
{
if(GetLastError() != ERROR_NO_TOKEN)
{
returnFALSE;
}
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |TOKEN_QUERY, &TokenHandle))
{
returnFALSE;
}
} //WHY 先打开线程后打开进程
if(!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
{
CloseHandle(TokenHandle);
TokenHandle= NULL;
returnFALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[0].Luid = uID;
if(!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,sizeof(TOKEN_PRIVILEGES), &OldTokenPrivileges,&ReturnLength))
{
CloseHandle(TokenHandle);
TokenHandle= NULL;
returnFALSE;