/*=====================================32位win*/
#include
#include
#include
#define PROC_NAME "target.exe"
#define DLL_NAME "injected.dll"
unsigned long GetTargetProcessIdFromProcname(char *procName);
unsigned long GetTargetThreadIdFromProcname(char *procName);
__declspec(naked) loadDll(void)
{
_asm{
// Placeholder for the return address
push 0xDEADBEEF
// Save the flags and registers
pushfd
pushad
// Placeholder for the string address and LoadLibrary
push 0xDEADBEEF
mov eax, 0xDEADBEEF
// Call LoadLibrary with the string parameter
call eax
// Restore the registers and flags
popad
popfd
// Return control to the hijacked thread
ret
}
}
__declspec(naked) loadDll_end(void)
{
}
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
void *dllString;
void *stub;
unsigned long wowID, threadID, stubLen, oldIP, oldprot, loadLibAddy;
HANDLE hProcess, hThread;
CONTEXT ctx;
stubLen = (unsigned long)loadDll_end - (unsigned long)loadDll;
loadLibAddy = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
wowID = GetTargetProcessIdFromProcname(PROC_NAME);
hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, wowID);
dllString = VirtualAllocEx(hProcess,
NULL,
(strlen(DLL_NAME) + 1),
MEM_COMMIT,
PAGE_READWRITE
);
stub = VirtualAllocEx(hProcess,
NULL,
stubLen,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
WriteProcessMemory(hProcess, dllString, DLL_NAME, strlen(DLL_NAME), NULL);
threadID = GetTargetThreadIdFromProcname(PROC_NAME);
hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME),
false,
threadID
);
SuspendThread(hThread);
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &ctx);
oldIP = ctx.Eip;
ctx.Eip = (DWORD)stub;
ctx.ContextFlags = CONTEXT_CONTROL;
VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4);
memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL);
SetThreadContext(hThread, &ctx);
ResumeThread(hThread);
Sleep(8000);
VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT);
VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT);
CloseHandle(hProcess);
CloseHandle(hThread);
return 0;
}
unsigned long GetTargetProcessIdFromProcname(char *procName)
{
PROCESSENTRY32 pe;
HANDLE thSnapshot;
BOOL retval, ProcFound = false;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(thSnapshot == INVALID_HANDLE_VALUE)
{
MessageBox(NULL,
"Error: unable to create toolhelp snapshot",
"Loader",
NULL
);
return false;
}
pe.dwSize = sizeof(PROCESSENTRY32);
retval = Process32First(thSnapshot, &pe);
while(retval)
{
if(StrStrI(pe.szExeFile, procName) )
{
ProcFound = true;
break;
}
retval = Process32Next(thSnapshot,&pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
CloseHandle(thSnapshot);
return pe.th32ProcessID;
}
unsigned long GetTargetThreadIdFromProcname(char *procName)
{
PROCESSENTRY32 pe;
HANDLE thSnapshot, hProcess;
BOOL retval, ProcFound = false;
unsigned long pTID, threadID;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(thSnapshot == INVALID_HANDLE_VALUE)
{
MessageBox(NULL,
"Error: unable to create toolhelp snapshot",
"Loader",
NULL
);
return false;
}
pe.dwSize = sizeof(PROCESSENTRY32);
retval = Process32First(thSnapshot, &pe);
while(retval)
{
if(StrStrI(pe.szExeFile, procName) )
{
ProcFound = true;
break;
}
retval = Process32Next(thSnapshot,&pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
CloseHandle(thSnapshot);
_asm {
mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax
}
hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);
ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
CloseHandle(hProcess);
return threadID;
}
/*=====================================64位win*/
unsigned char codeToInject[] =
{
// Placeholder for the return address
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // push 0AAAAAAAAh
// Save the flags
0x9c, // pushfq
// Save the registers
0x50, // push rax
0x51, // push rcx
0x52, // push rdx
0x53, // push rbx
0x55, // push rbp
0x56, // push rsi
0x57, // push rdi
0x41, 0x50, // push r8
0x41, 0x51, // push r9
0x41, 0x52, // push r10
0x41, 0x53, // push r11
0x41, 0x54, // push r12
0x41, 0x55, // push r13
0x41, 0x56, // push r14
0x41, 0x57, // push r15
// Placeholder for the string address and LoadLibrary
0x48, 0xB9, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, // mov rcx, 0BBBBBBBBBBBBBBBBh
0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, 0CCCCCCCCCCCCCCCCh
// Call LoadLibrary with the string parameter
0xFF, 0xD0, // call rax
// Restore the registers
0x41, 0x5F, // pop r15
0x41, 0x5E, // pop r14
0x41, 0x5D, // pop r13
0x41, 0x5C, // pop r12
0x41, 0x5B, // pop r11
0x41, 0x5A, // pop r10
0x41, 0x59, // pop r9
0x41, 0x58, // pop r8
0x5F, // pop rdi
0x5E, // pop rsi
0x5D, // pop rbp
0x5B, // pop rbx
0x5A, // pop rdx
0x59, // pop rcx
0x58, // pop rax
// Restore the flags
0x9D, // popfq
0xC3 // ret
};
int WINAPI inject_lib_cave( HANDLE hProcess, HANDLE hThread, const char* lib_name )
{
void* dllString;
void* stub;
DWORD64 stubLen, loadLibAddr;
DWORD oldIP;
CONTEXT ctx;
BOOL result = FALSE;
DWORD suspend_result = -1;
stubLen = sizeof( codeToInject );
loadLibAddr = (DWORD64)GetProcAddress( GetModuleHandleA("Kernel32"),
"LoadLibraryA" );
dllString = VirtualAllocEx(hProcess, NULL, (strlen(lib_name) + 1),
MEM_COMMIT, PAGE_READWRITE);
stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if( dllString == NULL || stub == NULL )
{
if(dllString != NULL) free( dllString );
if(stub != NULL) free( stub );
MessageBoxA( NULL, "Virtual Alloc failed.", "My Msg", MB_OK );
goto clean_exit;
}
result = WriteProcessMemory(hProcess, dllString, lib_name, strlen(lib_name), NULL);
if ( !result )
{
MessageBoxA( NULL, "Could not write process memory for dllString.",
"My Msg", MB_OK );
goto clean_exit;
}
suspend_result = SuspendThread( hThread );
if ( suspend_result == -1 )
{
MessageBoxA( NULL, "Could not suspend thread.",
"My Msg", MB_OK );
goto clean_exit;
}
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &ctx);
oldIP = (DWORD)ctx.Rip;
ctx.Rip = (DWORD)stub;
ctx.ContextFlags = CONTEXT_CONTROL;
/*
* Insert the addresses into the local copy of the codeToInject before copying it to
* the remote process
*/
memcpy( codeToInject + 1, &oldIP, sizeof( oldIP ) );
memcpy( codeToInject + 31, &dllString, sizeof( dllString ) );
memcpy( codeToInject + 41, &loadLibAddr, sizeof( loadLibAddr ) );
result = WriteProcessMemory(hProcess, stub, codeToInject, stubLen, NULL);
if ( !result )
{
MessageBoxA( NULL, "Could not write process memory.",
"My Msg", MB_OK );
goto clean_exit;
}
result = SetThreadContext(hThread, &ctx);
if ( !result )
{
MessageBoxA( NULL, "Could not set thread context.",
"My Msg", MB_OK );
goto clean_exit;
}
clean_exit:
if ( suspend_result > -1 )
{
suspend_result = ResumeThread( hThread );
if ( suspend_result == -1 )
{
MessageBoxA( NULL, "Could not resume thread.",
"My Msg", MB_OK );
}
}
return result;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
