一提到远程线程,一般都想到DLL注入啊,shellcode运行啊~
其实这两种根本不给力啊~
现在让我们来说一种新模型哦~
不借助shellcode,不借助不给力的DLL注入,我们直接在远程运行EXE里的代码~
当然API还是那个API,这里涉及到PE文件的一些知识,就不多说了,直接上代码~
/*
 * CopyModule: copies the PE image mapped at `image` in the current process
 * into `proc`, applying base relocations so the copy is valid at its new
 * address.
 *
 * proc  - handle to the target process (must allow VM operation/write).
 * image - base address of an already-mapped PE image (a module handle).
 * Returns the base of the remote allocation on success, NULL on any failure.
 * Ownership: on success the remote region stays allocated; the caller owns it
 * and releases it with VirtualFreeEx.
 *
 * From a monitoring standpoint this is the classic cross-process write
 * sequence: VirtualAllocEx with PAGE_EXECUTE_READWRITE on a foreign process
 * followed by WriteProcessMemory of an entire image - the pair of calls that
 * RWX-allocation and remote-write telemetry rules key on.
 */
LPVOID CopyModule(HANDLE proc, LPVOID image)
{
    /* e_lfanew is the offset from the DOS header to the NT headers. */
    PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
    PIMAGE_DATA_DIRECTORY datadir;
    /* Whole mapped image size, headers included; the same size is used for
       the local copy, the remote allocation and the final write. */
    DWORD size = headers->OptionalHeader.SizeOfImage;
    LPVOID mem = NULL;   /* remote allocation inside `proc` */
    LPBYTE buf = NULL;   /* local scratch copy that gets relocated */
    BOOL ok = FALSE;     /* only ever set by WriteProcessMemory below */
    /* The "PE\0\0" signature is checked only after e_lfanew has already been
       followed; a non-PE `image` is dereferenced before this test. */
    if (headers->Signature != IMAGE_NT_SIGNATURE)
        return NULL;
    /* NOTE(review): IsBadReadPtr is documented as obsolete/unreliable; this is
       not a real validation of `size`. */
    if (IsBadReadPtr(image, size))
        return NULL;
    /* Executable+writable region in the target, sized for the whole image. */
    mem = VirtualAllocEx(proc, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (mem != NULL) {
        /* Local working copy; relocations are applied here, not in the target. */
        buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (buf != NULL) {
            RtlCopyMemory(buf, image, size);
            datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
            if (datadir->Size > 0 && datadir->VirtualAddress > 0) {
                /* delta:    preferred ImageBase -> remote base
                   olddelta: preferred ImageBase -> current local base
                   Each fixup is first un-relocated (-olddelta), then
                   relocated (+delta). */
                DWORD_PTR delta = (DWORD_PTR)((LPBYTE)mem - headers->OptionalHeader.ImageBase);
                DWORD_PTR olddelta = (DWORD_PTR)((LPBYTE)image - headers->OptionalHeader.ImageBase);
                /* The relocation directory is read from the local copy; RVAs
                   are equally valid there. */
                PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(buf + datadir->VirtualAddress);
                /* Walk the block list, terminated by a block whose
                   VirtualAddress is 0. NOTE(review): neither `reloc` nor the
                   patched addresses are bounds-checked against buf + size,
                   and a zero SizeOfBlock does not advance the cursor. */
                while(reloc->VirtualAddress != 0) {
                    if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION)) {
                        /* Entries are WORDs that follow the block header. */
                        DWORD count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
                        LPWORD list = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
                        DWORD i;
                        for (i = 0; i < count; i++) {
                            /* Zero entries are padding. NOTE(review): the high
                               4 bits (relocation type) are never inspected;
                               every non-zero entry is patched as a DWORD_PTR
                               using only the low 12-bit page offset. */
                            if (list[i] > 0) {
                                DWORD_PTR *p = (DWORD_PTR *)(buf + (reloc->VirtualAddress + (0x0FFF & (list[i]))));
                                *p -= olddelta;
                                *p += delta;
                            }
                        }
                    }
                    reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
                }
                /* Note the placement: the remote write only happens inside
                   the relocation-directory branch, so an image without
                   relocations leaves `ok` FALSE and is released below. */
                ok = WriteProcessMemory(proc, mem, buf, size, NULL);
            }
            VirtualFree(buf, 0, MEM_RELEASE); // release buf
        }
        /* Local buffer or remote write failed: give the remote region back. */
        if (!ok) {
            VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
            mem = NULL;
        }
    }
    return mem;
}
/*
 * NewInject: copies the current executable's own image into process `pid`
 * (via CopyModule) and starts a remote thread at the copy's counterpart of
 * `start`.
 *
 * pid   - target process id.
 * start - a function inside the *current* module; its offset from the local
 *         module base is rebased onto the remote copy.
 * Returns TRUE once CreateRemoteThread succeeded, FALSE otherwise.
 *
 * Every step is visible to standard host telemetry: the OpenProcess access
 * mask requested below (Sysmon event 10, ProcessAccess), the cross-process
 * write inside CopyModule, and CreateRemoteThread itself (Sysmon event 8)
 * whose start address lies in a private, non-image-backed region of the
 * target rather than in a loaded module.
 */
BOOL NewInject(DWORD pid, LPTHREAD_START_ROUTINE start)
{
    HANDLE proc, thread;
    HMODULE module, newmodule;
    BOOL ok = FALSE;
    /* Access rights needed for allocate/write/read and thread creation in the
       target; PROCESS_DUP_HANDLE is requested but not used in this listing. */
    proc = OpenProcess(PROCESS_QUERY_INFORMATION |
                       PROCESS_VM_OPERATION |
                       PROCESS_VM_WRITE |
                       PROCESS_VM_READ |
                       PROCESS_CREATE_THREAD |
                       PROCESS_DUP_HANDLE,
                       FALSE, pid);
    if (proc != NULL) {
        /* NULL -> base address of the calling process's own executable. */
        module = GetModuleHandle(NULL);
        newmodule = (HMODULE)CopyModule(proc, module);
        if (newmodule != NULL) {
            /* Same RVA as `start` has in the local image, applied to the
               remote base. */
            LPTHREAD_START_ROUTINE entry = (LPTHREAD_START_ROUTINE)((LPBYTE)newmodule + (DWORD_PTR)((LPBYTE)start - (LPBYTE)module));
            thread = CreateRemoteThread(proc, NULL, 0, entry, NULL, 0, NULL);
            if (thread != NULL) {
                /* Thread handle is dropped at once; the remote copy is never
                   released on the success path. */
                CloseHandle(thread);
                ok = TRUE;
            }
            else {
                /* NOTE(review): this passes `module` (the local base), not
                   `newmodule`, so the region allocated by CopyModule is not
                   actually released on this path. */
                VirtualFreeEx(proc, module, 0, MEM_RELEASE);
            }
        }
        CloseHandle(proc);
    }
    return ok;
}
// After the debug privilege has been enabled.
// NOTE(review): GetProcessIdByName and ThreadProc are not defined in this
// listing; ThreadProc is presumably a function of the same executable, since
// NewInject rebases it relative to GetModuleHandle(NULL).
NewInject(GetProcessIdByName(L"Diablo III.exe"), ThreadProc);