[原创]创建进程时注入DLL-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]创建进程时注入DLL

发表于: 2013-11-7 22:19 38705

[原创]创建进程时注入DLL

IamHuskar

2013-11-7 22:19

38705

注入DLL时有可能出现这样的情况，需要在程序运行之前注入，这样就需要一个启动器。
当然可以为添加导入表，或者DLL劫持。问题是这样万一程序更新又要重新弄一次。

我写了个简单的启动器，创建进程，并且注入一个DLL

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

#include "windows.h"
#include "stdio.h"
 
BOOL StartHook(HANDLE hProcess,HANDLE hThread);
 
BOOL EnableDebugPriv();
int main()
{
    EnableDebugPriv();
    STARTUPINFO sti;
    PROCESS_INFORMATION proci;
    memset(&sti,0,sizeof(STARTUPINFO));
    memset(&proci,0,sizeof(PROCESS_INFORMATION));
    sti.cb=sizeof(STARTUPINFO);
 
    wchar_t ExeName[]=L"notepad.exe";
    DWORD valc=CreateProcess(ExeName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL\
        ,&sti,&proci);
    if (valc==NULL)
    {
        printf("Creaet Process Failed ERROR=%d\n",GetLastError());
        getchar();
        return 0;
    }
    if (!StartHook(proci.hProcess,proci.hThread))
    {
        TerminateProcess(proci.hProcess,0);
        printf("失败\n");
        getchar();
        return 0;
    }
    ResumeThread(proci.hThread);
    CloseHandle(proci.hProcess);
    CloseHandle(proci.hThread);
    return 0;
}
BYTE ShellCode[64]=
                    {
                    0x60,
                    0x9c,
                    0x68,
                    0xaa,0xbb,0xcc,0xdd,//dll path
                    0xff,0x15,
                    0xdd,0xcc,0xbb,0xaa,//call [xxxx]
                    0x9d,
                    0x61,
                    0xff,0x25,
                    0xaa,0xbb,0xcc,0xdd,// jmp [xxxxx]
                    0xaa,0xaa,0xaa,0xaa,// loadaddr
                    0xaa,0xaa,0xaa,0xaa//  jmpaddr
                    };
/*
{
00973689 >    60                PUSHAD
0097368A      9C                PUSHFD
0097368B      68 50369700       PUSH notepad.00973650
00973690      FF15 70369700     CALL DWORD PTR DS:[973670]
00973696      9D                POPFD
00973697      61                POPAD
00973698    - FF25 30369700     JMP DWORD PTR DS:[973630]
 
 
}
*/
BYTE *DllPath;
BOOL StartHook(HANDLE hProcess,HANDLE hThread)
{
 
 
    CONTEXT ctx;
    ctx.ContextFlags=CONTEXT_ALL;
    if (!GetThreadContext(hThread,&ctx))
    {
        printf("GetThreadContext Error\n");
        return FALSE;
    }
    LPVOID LpAddr=VirtualAllocEx(hProcess,NULL,64,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if (LpAddr==NULL)
    {
        printf("VirtualAlloc Error\n");
        return FALSE;
    }
    DWORD LoadDllAAddr=(DWORD)GetProcAddress(GetModuleHandle(L"kernel32.dll"),"LoadLibraryA");
    if (LoadDllAAddr==NULL)
    {
        printf("LoadDllAddr error\n");
        return FALSE;
    }
    //printf("eip=0x%08x\n",ctx.Eip);
    //printf("lpAddr=0x%08x\n",LpAddr);
    //printf("LoadLibraryAAddr=0x%08x\n",LoadDllAAddr);
 
    /////////////
    _asm mov esp,esp
    DllPath=ShellCode+29;
    strcpy((char*)DllPath,"SomeHook.dll");//这里是要注入的DLL名字
    *(DWORD*)(ShellCode+3)=(DWORD)LpAddr+29;
    ////////////////
    *(DWORD*)(ShellCode+21)=LoadDllAAddr;
    *(DWORD*)(ShellCode+9)=(DWORD)LpAddr+21;
    //////////////////////////////////
    *(DWORD*)(ShellCode+25)=ctx.Eip;
    *(DWORD*)(ShellCode+17)=(DWORD)LpAddr+25;
    ////////////////////////////////////
    if (!WriteProcessMemory(hProcess,LpAddr,ShellCode,64,NULL))
    {
        printf("write Process Error\n");
        return FALSE;
    }
    ctx.Eip=(DWORD)LpAddr;
    if (!SetThreadContext(hThread,&ctx))
    {
        printf("set thread context error\n");
        return FALSE;
    }
    return TRUE;
};
 
 
BOOL EnableDebugPriv() 
{
    HANDLE   hToken; 
    LUID   sedebugnameValue; 
    TOKEN_PRIVILEGES   tkp;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)) 
    { 
        return   FALSE; 
    } 
 
    if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue)) 
    { 
        CloseHandle(hToken); 
        return   FALSE; 
    } 
    tkp.PrivilegeCount   =   1; 
    tkp.Privileges[0].Luid   =   sedebugnameValue; 
    tkp.Privileges[0].Attributes   =   SE_PRIVILEGE_ENABLED; 
 
    if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL)) 
    { 
        return   FALSE; 
    }   
    CloseHandle(hToken); 
    return TRUE;
 
} 

把这个exe还有要注入的DLL 和目标程序放在一个目录。
使用这个exe就可以在启动程序时注入DLL.只是目标EXE申请的内存没有释放掉
简单易行。不知道有没有更简单的办法

[注意]看雪招聘，专注安全领域的专业人才平台！

收藏・84

点赞・2

支持

赞赏记录

参与人

雪币

留言

时间

psycongroo

为你点赞~

2020-9-14 16:48

winways

为你点赞~

2020-2-12 20:24

最新回复 (39)

grusirna

雪币： 85

活跃值： (51)

能力值：

( LV5，RANK：60 )

在线值：

发帖

回帖

167

粉丝

关注

私信

grusirna 1: 2 楼

感谢楼主分享,简单的方法有很多,隐蔽才是王道

2013-11-7 22:29

tihty

雪币： 27

活跃值： (122)

能力值：

( LV8，RANK：120 )

在线值：

发帖

回帖

1095

粉丝

关注

私信

tihty 2: 3 楼

感谢楼主分享，应该不错吧。

2013-11-7 22:53

sidyh

雪币： 160

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

134

粉丝

关注

私信

sidyh: 4 楼

shellcode有冗余，鉴定完毕

2013-11-7 23:02

小调调

雪币： 3436

活跃值： (3736)

能力值：

( LV4，RANK：40 )

在线值：

发帖

回帖

380

粉丝

关注

私信

小调调: 5 楼

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

#include "stdafx.h"
#include <Windows.h>
 
// 函数声明
typedef BOOL (WINAPI* Proc_CreateProcessW)(LPCWSTR lpApplicationName,
                                           LPWSTR lpCommandLine,
                                           LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                           LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                           BOOL bInheritHandles,
                                           DWORD dwCreationFlags,
                                           LPVOID lpEnvironment,
                                           LPCWSTR lpCurrentDirectory,
                                           LPSTARTUPINFOW lpStartupInfo,
                                           LPPROCESS_INFORMATION lpProcessInformation);
 
typedef HMODULE (WINAPI* Func_LoadLibraryW)(LPCWSTR lpLibFileName);
 
 
BYTE* mov_eax_xx(BYTE* lpCurAddres, DWORD eax)
{
    *lpCurAddres = 0xB8;
    *(DWORD*)(lpCurAddres + 1) = eax;
    return lpCurAddres + 5;
}
 
BYTE* mov_ebx_xx(BYTE* lpCurAddres, DWORD ebx)
{
    *lpCurAddres = 0xBB;
    *(DWORD*)(lpCurAddres + 1) = ebx;
    return lpCurAddres + 5;
}
 
BYTE* mov_ecx_xx(BYTE* lpCurAddres, DWORD ecx)
{
    *lpCurAddres = 0xB9;
    *(DWORD*)(lpCurAddres + 1) = ecx;
    return lpCurAddres + 5;
}
 
BYTE* mov_edx_xx(BYTE* lpCurAddres, DWORD edx)
{
    *lpCurAddres = 0xBA;
    *(DWORD*)(lpCurAddres + 1) = edx;
    return lpCurAddres + 5;
}
 
BYTE* mov_esi_xx(BYTE* lpCurAddres, DWORD esi)
{
    *lpCurAddres = 0xBE;
    *(DWORD*)(lpCurAddres + 1) = esi;
    return lpCurAddres + 5;
}
 
BYTE* mov_edi_xx(BYTE* lpCurAddres, DWORD edi)
{
    *lpCurAddres = 0xBF;
    *(DWORD*)(lpCurAddres + 1) = edi;
    return lpCurAddres + 5;
}
 
BYTE* mov_ebp_xx(BYTE* lpCurAddres, DWORD ebp)
{
    *lpCurAddres = 0xBD;
    *(DWORD*)(lpCurAddres + 1) = ebp;
    return lpCurAddres + 5;
}
 
BYTE* mov_esp_xx(BYTE* lpCurAddres, DWORD esp)
{
    *lpCurAddres = 0xBC;
    *(DWORD*)(lpCurAddres + 1) = esp;
    return lpCurAddres + 5;
}
 
BYTE* mov_eip_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    if ( !newEip )
    {
        newEip = (DWORD)lpCurAddres;
    }
 
    *lpCurAddres = 0xE9;
    *(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
    return lpCurAddres + 5;
}
 
BYTE* push_xx(BYTE* lpCurAddres, DWORD dwAdress)
{
 
    *lpCurAddres = 0x68;
    *(DWORD*)(lpCurAddres + 1) = dwAdress;
 
    return lpCurAddres + 5;
}
 
BYTE* Call_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    if ( !newEip )
    {
        newEip = (DWORD)lpCurAddres;
    }
 
    *lpCurAddres = 0xE8;
    *(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
    return lpCurAddres + 5;
}
 
BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAdress, const BYTE * lpShellCode, size_t uCodeSize)
{
    SIZE_T NumberOfBytesWritten = 0;
    BYTE ShellCodeBuf[0x480];
    CONTEXT Context;
    DWORD flOldProtect = 0;
    LPBYTE lpCurESPAddress = NULL;
    LPBYTE lpCurBufAdress = NULL;
    BOOL bResult = FALSE;
     
 
    // 挂载起线程
    SuspendThread(hThread);
 
    memset(&Context,0,sizeof(Context));
    Context.ContextFlags = CONTEXT_FULL;
 
    if ( GetThreadContext(hThread, &Context))
    {
        // 在对方线程中开辟一个 0x480 大小的局部空
        lpCurESPAddress = (LPBYTE)((Context.Esp - 0x480) & 0xFFFFFFE0);
         
        // 获取指针 用指针来操作
        lpCurBufAdress = &ShellCodeBuf[0];
 
        if (lpShellCode)
        {
            memcpy(ShellCodeBuf + 128, lpShellCode, uCodeSize);
            lpCurBufAdress = push_xx(lpCurBufAdress, (DWORD)lpCurESPAddress + 128); // push
            lpCurBufAdress = Call_xx(lpCurBufAdress, dwFuncAdress, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf); //Call
        }
 
        lpCurBufAdress = mov_eax_xx(lpCurBufAdress, Context.Eax);
        lpCurBufAdress = mov_ebx_xx(lpCurBufAdress, Context.Ebx);
        lpCurBufAdress = mov_ecx_xx(lpCurBufAdress, Context.Ecx);
        lpCurBufAdress = mov_edx_xx(lpCurBufAdress, Context.Edx);
        lpCurBufAdress = mov_esi_xx(lpCurBufAdress, Context.Esi);
        lpCurBufAdress = mov_edi_xx(lpCurBufAdress, Context.Edi);
        lpCurBufAdress = mov_ebp_xx(lpCurBufAdress, Context.Ebp);
        lpCurBufAdress = mov_esp_xx(lpCurBufAdress, Context.Esp);
        lpCurBufAdress = mov_eip_xx(lpCurBufAdress, Context.Eip, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf);
        Context.Esp = (DWORD)(lpCurESPAddress - 4);
        Context.Eip = (DWORD)lpCurESPAddress;
         
        if ( VirtualProtectEx(hProcess, lpCurESPAddress, 0x480, PAGE_EXECUTE_READWRITE, &flOldProtect)
            && WriteProcessMemory(hProcess, lpCurESPAddress, &ShellCodeBuf, 0x480, &NumberOfBytesWritten)
            && FlushInstructionCache(hProcess, lpCurESPAddress, 0x480)
            && SetThreadContext(hThread, &Context) )
        {
            bResult = TRUE;
        }
 
    }
     
    // 回复线程
    ResumeThread(hThread);
 
    return TRUE;
}
 
DWORD GetFuncAdress()
{
    return (DWORD)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryW");
}
 
BOOL WINAPI CreateProcessWithDllW(  LPCWSTR lpApplicationName,
                                    LPWSTR lpCommandLine,
                                    LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                    LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                    BOOL bInheritHandles,
                                    DWORD dwCreationFlags,
                                    LPVOID lpEnvironment,
                                    LPCWSTR lpCurrentDirectory,
                                    LPSTARTUPINFOW lpStartupInfo,
                                    LPPROCESS_INFORMATION lpProcessInformation,
                                    LPWSTR lpDllFullPath,
                                    Proc_CreateProcessW FuncAdress
                                    )
{
    BOOL bResult = FALSE;
    size_t uCodeSize = 0;
    DWORD dwCreaFlags;
    PROCESS_INFORMATION pi;
    ZeroMemory( &pi, sizeof(pi) );
 
    if (FuncAdress == NULL)
    {
        FuncAdress = CreateProcessW;
    }
     
 
    // 设置创建就挂起进程
    dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;
    if (CreateProcessW(lpApplicationName, 
                        lpCommandLine, 
                        lpProcessAttributes, 
                        lpThreadAttributes, 
                        bInheritHandles, 
                        dwCreaFlags, 
                        lpEnvironment,
                        lpCurrentDirectory,
                        lpStartupInfo,
                        &pi
                     ))
    {
        if ( lpDllFullPath )
            uCodeSize = 2 * wcslen(lpDllFullPath) + 2;
        else
            uCodeSize = 0;
 
        // 得到LoadLibraryW 的地址
        DWORD dwLoadDllProc = GetFuncAdress();
 
        // 挂起线程 写入Shellcode
        if (SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc, (BYTE*)lpDllFullPath, uCodeSize))
        {
            if ( lpProcessInformation )
                memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));
 
            if ( !(dwCreationFlags & CREATE_SUSPENDED) )
                ResumeThread(pi.hThread);
 
            bResult = TRUE;
        }
    }
 
    return bResult;
}
 
 
int _tmain(int argc, _TCHAR* argv[])
{   
    WCHAR wszPath[] = L"D:\\TestCreateProcessWithDll.exe";
    WCHAR wszDll[] = L"D:\\SampleDLL.dll";
 
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
     
    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( &pi, sizeof(pi) );
    CreateProcessWithDllW(NULL, wszPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi, wszDll, NULL);
 
    return 0;
}