[原创]重读老文章系列:另类远程线程模式
发表于:
2012-7-19 23:24
一提到远程线程,一般都想到DLL注入啊,shellcode运行啊~
其实这两种根本不给力啊~
现在让我们来说一种新模型哦~
不借助shellcode,不借助不给力的DLL注入,我们直接在远程运行EXE里的代码~
当然API还是那个API,这里涉及到PE文件的一些知识,就不多说了,直接上代码~
先说明两个前提:被复制到远程的是当前进程里已经加载好的整个映像(包括已填好的IAT和全部静态数据),所以远程跑的那个函数只能依赖两边基址一致的系统DLL,不能碰CRT、堆句柄这类进程私有状态;另外EXE必须带重定位表(例如用/DYNAMICBASE编译),否则拷贝到别的地址后无法重定位,目标进程的位数也要和注入者一致。
PS:
一如既往,有意资助者请联系QQ:86879759
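/*
 * Apply the image's base relocations inside the staging copy `buf` so that
 * absolute addresses currently pointing into the mapping at `oldbase` point
 * into a mapping at `newbase` instead.
 *
 * Only IMAGE_REL_BASED_HIGHLOW (and IMAGE_REL_BASED_DIR64 on x64) are
 * applied; IMAGE_REL_BASED_ABSOLUTE entries are table padding and are
 * skipped. Every block and every patched slot is bounds-checked against
 * `size` (the image's SizeOfImage). Returns FALSE on a block that runs past
 * the relocation directory, a slot outside the image, or a relocation type
 * this code does not know how to apply.
 */
static BOOL RelocateImage(LPBYTE buf, DWORD size, const IMAGE_DATA_DIRECTORY *dir,
                          LPBYTE oldbase, LPBYTE newbase)
{
    /* The loaded image is already relocated to oldbase, so each slot moves by
     * (newbase - oldbase); this equals (newbase - ImageBase) minus
     * (oldbase - ImageBase), which is what the two-delta form computed.
     * Unsigned arithmetic so a downward move simply wraps. */
    DWORD_PTR shift = (DWORD_PTR)newbase - (DWORD_PTR)oldbase;
    DWORD pos = dir->VirtualAddress;
    DWORD end = dir->VirtualAddress + dir->Size;

    while (end - pos >= sizeof(IMAGE_BASE_RELOCATION)) {
        PIMAGE_BASE_RELOCATION block = (PIMAGE_BASE_RELOCATION)(buf + pos);
        const WORD *list;
        DWORD count, i;

        if (block->VirtualAddress == 0)
            break; /* an all-zero block terminates the table */
        if (block->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
            block->SizeOfBlock > end - pos)
            return FALSE; /* block runs past the relocation directory */
        if (block->VirtualAddress >= size)
            return FALSE; /* page base outside the image */

        count = (block->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        list = (const WORD *)((LPBYTE)block + sizeof(IMAGE_BASE_RELOCATION));
        for (i = 0; i < count; i++) {
            WORD type = (WORD)(list[i] >> 12);
            DWORD off = (DWORD)(list[i] & 0x0FFF);
            DWORD rva;

            if (type == IMAGE_REL_BASED_ABSOLUTE)
                continue;
            if (size - block->VirtualAddress <= off)
                return FALSE; /* slot starts outside the image */
            rva = block->VirtualAddress + off;

            if (type == IMAGE_REL_BASED_HIGHLOW) {
                DWORD v;
                if (size - rva < sizeof(v))
                    return FALSE;
                /* Slots need not be aligned; copy in and out instead of
                 * dereferencing a cast pointer. */
                RtlCopyMemory(&v, buf + rva, sizeof(v));
                v += (DWORD)shift;
                RtlCopyMemory(buf + rva, &v, sizeof(v));
            }
#ifdef _WIN64
            else if (type == IMAGE_REL_BASED_DIR64) {
                ULONGLONG v;
                if (size - rva < sizeof(v))
                    return FALSE;
                RtlCopyMemory(&v, buf + rva, sizeof(v));
                v += (ULONGLONG)shift;
                RtlCopyMemory(buf + rva, &v, sizeof(v));
            }
#endif
            else {
                return FALSE; /* HIGH, LOW, HIGHADJ, MIPS/ARM types: not handled */
            }
        }
        pos += block->SizeOfBlock;
    }
    return TRUE;
}

/*
 * Copy the PE image mapped at `image` in the current process into `proc`,
 * re-basing it for the remote address the copy lands at.
 *
 * The copy is a snapshot of the *loaded* image: headers, code, the already
 * resolved import table and every static data page exactly as they are in
 * this process. Only code that does not depend on per-process state (CRT
 * globals, heap handles, TLS) and that imports only from DLLs mapped at the
 * same address in both processes can run from it. Nothing here checks that
 * the target has the same bitness as this process. The remote region is a
 * single PAGE_EXECUTE_READWRITE allocation for the whole image.
 *
 * proc  : handle with at least PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
 * image : base of a module loaded in this process, e.g. GetModuleHandle(NULL).
 * Returns the remote base address, or NULL on failure: bad headers, an image
 * without a relocation table that cannot land at the same address, a
 * malformed or unsupported relocation, or an allocation/write failure.
 * The caller owns the remote region and releases it with VirtualFreeEx.
 */
LPVOID CopyModule(HANDLE proc, LPVOID image)
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)image;
    PIMAGE_NT_HEADERS headers;
    PIMAGE_DATA_DIRECTORY datadir;
    DWORD size;
    LPVOID mem = NULL;
    LPBYTE buf = NULL;
    BOOL ok = FALSE;

    if (image == NULL || dos->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;
    headers = (PIMAGE_NT_HEADERS)((LPBYTE)image + dos->e_lfanew);
    if (headers->Signature != IMAGE_NT_SIGNATURE)
        return NULL;
    size = headers->OptionalHeader.SizeOfImage;
    /* IsBadReadPtr is only a coarse probe (it is not race-free), but the
     * source here is a module mapped in this process, which stays readable
     * for as long as it is loaded. */
    if (size == 0 || IsBadReadPtr(image, size))
        return NULL;

    /* One RWX region for the entire image: code and data share it and no
     * per-section re-protection happens afterwards. */
    mem = VirtualAllocEx(proc, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (mem == NULL)
        return NULL;

    /* The staging buffer is only read and written locally and never executed,
     * so it does not need execute permission. */
    buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (buf == NULL)
        goto out;
    RtlCopyMemory(buf, image, size);

    datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if (datadir->Size == 0 || datadir->VirtualAddress == 0) {
        /* No relocation table: the absolute addresses baked into the image are
         * only valid at `image`, so the copy can run only if it lands at the
         * very same address in the target. */
        ok = ((LPBYTE)mem == (LPBYTE)image);
    } else if (datadir->VirtualAddress < size &&
               datadir->Size <= size - datadir->VirtualAddress) {
        ok = RelocateImage(buf, size, datadir, (LPBYTE)image, (LPBYTE)mem);
    }
    if (ok)
        ok = WriteProcessMemory(proc, mem, buf, size, NULL);

out:
    if (buf != NULL)
        VirtualFree(buf, 0, MEM_RELEASE);
    if (!ok) {
        VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
        mem = NULL;
    }
    return mem;
}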
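/*
 * Run the function `start` of *this* executable inside process `pid`: the
 * whole current module is copied into the target (CopyModule) and a remote
 * thread is started at the same offset within the copy.
 *
 * `start` must be a function inside this module; it is mapped into the copy
 * by its offset from the module base, and that offset is validated against
 * SizeOfImage. The function runs in the target with a NULL parameter and may
 * rely only on what survives the copy (see CopyModule): no CRT or other
 * per-process state, imports only from DLLs mapped at the same address in
 * both processes, and a target of the same bitness as this process.
 *
 * Returns TRUE once the remote thread has been created. The remote copy is
 * deliberately left mapped because the thread executes from it; it is
 * released only when thread creation fails.
 */
BOOL NewInject(DWORD pid, LPTHREAD_START_ROUTINE start)
{
    HANDLE proc, thread;
    HMODULE module, newmodule;
    PIMAGE_NT_HEADERS nt;
    DWORD_PTR offset;
    BOOL ok = FALSE;

    module = GetModuleHandle(NULL);
    if (module == NULL || start == NULL)
        return FALSE;

    /* `start` has to lie within the module being copied; otherwise the offset
     * arithmetic below would aim the remote thread at arbitrary memory. */
    nt = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew);
    offset = (DWORD_PTR)((LPBYTE)start - (LPBYTE)module);
    if ((LPBYTE)start < (LPBYTE)module || offset >= nt->OptionalHeader.SizeOfImage)
        return FALSE;

    /* Only the rights VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
     * need; PROCESS_DUP_HANDLE was requested before but nothing uses it. */
    proc = OpenProcess(PROCESS_QUERY_INFORMATION |
                       PROCESS_VM_OPERATION |
                       PROCESS_VM_WRITE |
                       PROCESS_VM_READ |
                       PROCESS_CREATE_THREAD,
                       FALSE, pid);
    if (proc == NULL)
        return FALSE;

    newmodule = (HMODULE)CopyModule(proc, module);
    if (newmodule != NULL) {
        LPTHREAD_START_ROUTINE entry =
            (LPTHREAD_START_ROUTINE)((LPBYTE)newmodule + offset);
        thread = CreateRemoteThread(proc, NULL, 0, entry, NULL, 0, NULL);
        if (thread != NULL) {
            CloseHandle(thread);
            ok = TRUE;
        } else {
            /* Release the copy, not `module`: the earlier version freed this
             * process's own base address in the target, which leaked the copy
             * (and would have failed or hit an unrelated mapping). */
            VirtualFreeEx(proc, newmodule, 0, MEM_RELEASE);
        }
    }
    CloseHandle(proc);
    return ok;
}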