代码注入

0x00 原理简述

代码注入,也是一种注入技术,通过CreateRemoteThread,创建远程线程,线程函数可自写,传入参数要注意,如果有多个参数,需要定义一个结构用来存放参数。详细代码如下:

0x01 代码实现

本次注入CreateFile

1,定义一个结构体存放CreateFile参数,及函数地址。

typedef struct {
DWORD addr;
LPCTSTR lpFileName;
DWORD dwDesiredAccess;
DWORD dwShareMode;
LPSECURITY_ATTRIBUTES lpSecurityAttributes;
DWORD dwCreationDisposition;
DWORD dwFlagsAndAttributes;
HANDLE hTemplateFile;
}Point;

2,远程注入的函数如下:

DWORD _stdcall hCreateFile(LPVOID lParam)
{
typedef HANDLE (WINAPI * PFN_CreateFile)(
LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
Point *p=(Point *)lParam;
PFN_CreateFile pfnCreateFile;
pfnCreateFile =(PFN_CreateFile)p->addr;
pfnCreateFile(p->lpFileName,p->dwDesiredAccess,p->dwShareMode,p->lpSecurityAttributes,
p->dwCreationDisposition,p->dwFlagsAndAttributes,p->hTemplateFile);
return 0;
}

3,获得CreateFile函数地址,定义注入函数hCreateFile的参数,其中LPCTSTR lpFileName这个参数是一个指向字符串的指针,所以我们要在目标进程里面分配一个空间,并写入路径字符串。

DWORD dwThreadFunSize=0x400;
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetPid("crackme.exe"));
Point p;
char str[]="D:\\787.txt";
HMODULE mod=GetModuleHandle("kernel32.dll");
DWORD addr=(DWORD)GetProcAddress(mod,"CreateFileA");
FreeLibrary(mod);
p.addr=addr;
p.dwDesiredAccess=GENERIC_READ|GENERIC_WRITE;
p.dwShareMode=0;
p.lpSecurityAttributes=NULL;
p.dwCreationDisposition=OPEN_ALWAYS ;
p.dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL;
p.hTemplateFile=NULL;
LPVOID lpAllocAddr=VirtualAllocEx(hProcess,NULL,strlen(str)+1,MEM_COMMIT,PAGE_READWRITE);
BOOL bRet = WriteProcessMemory(hProcess,lpAllocAddr,str,strlen(str)+1,0);
p.lpFileName=(LPSTR)(lpAllocAddr);

4,将hCreateFile函数地址和参数结构体对象地址写入目标进程,最后调用CreateRemoteThread().

LPVOID lpAllocAddr1=VirtualAllocEx(hProcess,NULL,sizeof(Point),MEM_COMMIT,PAGE_READWRITE);
BOOL bRet1 = WriteProcessMemory(hProcess,lpAllocAddr1,&p,sizeof(Point),0);
LPVOID lpAllocAddr2=VirtualAllocEx(hProcess,NULL,dwThreadFunSize,MEM_COMMIT,PAGE_READWRITE);
BOOL bRet2 = WriteProcessMemory(hProcess,lpAllocAddr2,(LPVOID)hCreateFile,dwThreadFunSize,0);
HANDLE hThread =CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpAllocAddr2,lpAllocAddr1,0,NULL);
CloseHandle(hProcess);

0x02 完整代码

目标进程为crackme.exe,在D盘的根目录,创建一个test.txt.

#include<stdio.h>
#include<windows.h>
#include<stdlib.h>
#include<Tlhelp32.h.>
#include<string.h>
typedef struct {
DWORD addr;
LPCTSTR lpFileName;
DWORD dwDesiredAccess;
DWORD dwShareMode;
LPSECURITY_ATTRIBUTES lpSecurityAttributes;
DWORD dwCreationDisposition;
DWORD dwFlagsAndAttributes;
HANDLE hTemplateFile;
}Point;
DWORD GetPid(char *szName)
{
HANDLE hprocessSnap=NULL;
PROCESSENTRY32 pe32 ={0};
hprocessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hprocessSnap == (HANDLE)-1){return 0;}
pe32.dwSize=sizeof(PROCESSENTRY32);
if(Process32First(hprocessSnap,&pe32))
{
do{
if(!strcmp(szName,pe32.szExeFile))
return (int)pe32.th32ProcessID;
}while(Process32Next(hprocessSnap,&pe32));
}
else
CloseHandle(hprocessSnap);
return 0;
}
DWORD _stdcall hCreateFile(LPVOID lParam)
{
typedef HANDLE (WINAPI * PFN_CreateFile)(
LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
Point *p=(Point *)lParam;
PFN_CreateFile pfnCreateFile;
pfnCreateFile =(PFN_CreateFile)p->addr;
pfnCreateFile(p->lpFileName,p->dwDesiredAccess,p->dwShareMode,p->lpSecurityAttributes,
p->dwCreationDisposition,p->dwFlagsAndAttributes,p->hTemplateFile);
return 0;
}
void main()
{
DWORD dwThreadFunSize=0x400;
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetPid("crackme.exe"));
Point p;
char str[]="D:\\test.txt";
HMODULE mod=GetModuleHandle("kernel32.dll");
DWORD addr=(DWORD)GetProcAddress(mod,"CreateFileA");
FreeLibrary(mod);
p.addr=addr;
p.dwDesiredAccess=GENERIC_READ|GENERIC_WRITE;
p.dwShareMode=0;
p.lpSecurityAttributes=NULL;
p.dwCreationDisposition=OPEN_ALWAYS ;
p.dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL;
p.hTemplateFile=NULL;
LPVOID lpAllocAddr=VirtualAllocEx(hProcess,NULL,strlen(str)+1,MEM_COMMIT,PAGE_READWRITE);
BOOL bRet = WriteProcessMemory(hProcess,lpAllocAddr,str,strlen(str)+1,0);
p.lpFileName=(LPSTR)(lpAllocAddr);
LPVOID lpAllocAddr1=VirtualAllocEx(hProcess,NULL,sizeof(Point),MEM_COMMIT,PAGE_READWRITE);
BOOL bRet1 = WriteProcessMemory(hProcess,lpAllocAddr1,&p,sizeof(Point),0);
LPVOID lpAllocAddr2=VirtualAllocEx(hProcess,NULL,dwThreadFunSize,MEM_COMMIT,PAGE_READWRITE);
BOOL bRet2 = WriteProcessMemory(hProcess,lpAllocAddr2,(LPVOID)hCreateFile,dwThreadFunSize,0);
HANDLE hThread =CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpAllocAddr2,lpAllocAddr1,0,NULL);
CloseHandle(hProcess);
}

0x03 运行结果

测试环境为win10 x64

在D盘根目录创建一个test.txt文档,不能删除,除非关闭掉目标进程。