-
-
这个简单的注入在win7 x64下为什么不支持呢?
-
发表于:
2017-3-1 11:00
3387
-
这个简单的注入在win7 x64下为什么不支持呢?
STARTUPINFOW si = { 0 };
PROCESS_INFORMATION pi = { 0 };
si.cb = sizeof(STARTUPINFOW);
::CreateProcessW(pProcessPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
CONTEXT ct = { 0 };
ct.ContextFlags = CONTEXT_ALL;
GetThreadContext(pi.hThread, &ct);
DWORD dwSize = sizeof(WCHAR) * 1024;
BYTE *pProcessMem = (BYTE *)::VirtualAllocEx(pi.hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD dwWrited = 0;
::WriteProcessMemory(pi.hProcess, (pProcessMem + 0x100), pDllPath, (wcslen(pDllPath) + 1) * sizeof(WCHAR), &dwWrited);
FARPROC pLoadLibraryW = (FARPROC)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "LoadLibraryW");
BYTE ShellCode[32] = { 0 };
DWORD *pdwAddr = NULL;
ShellCode[0] = 0x60; // pushad
ShellCode[1] = 0x9c; // pushfd
ShellCode[2] = 0x68; // push
pdwAddr = (DWORD *)&ShellCode[3]; // ShellCode[3/4/5/6]
*pdwAddr = (DWORD)(pProcessMem + 0x100);
ShellCode[7] = 0xe8;
pdwAddr = (DWORD *)&ShellCode[8]; // ShellCode[8/9/10/11]
*pdwAddr = (DWORD)pLoadLibraryW - (DWORD)(pProcessMem + 7) - 5;
ShellCode[12] = 0x9d; // popfd
ShellCode[13] = 0x61; // popad
ShellCode[14] = 0xe9; // jmp
pdwAddr = (DWORD *)&ShellCode[15]; // ShellCode[15/16/17/18]
*pdwAddr = ct.Eip - (DWORD)(pProcessMem + 14) - 5;
::WriteProcessMemory(pi.hProcess, pProcessMem, ShellCode, sizeof(ShellCode), &dwWrited);
ct.Eip = (DWORD)pProcessMem;
::SetThreadContext(pi.hThread, &ct);
::ResumeThread(pi.hThread);
::CloseHandle(pi.hProcess);
::CloseHandle(pi.hThread);
用OD调试 shellcode已经写进去了 但是好像没有执行 (就在shellcode下断 没有断下来 被注入的程序就直接跑起来了)
前段时间还好用 奇怪 哪位大侠指点下 谢谢
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课