Unresolved [Help][Help] Creating a remote thread from a driver to implement a remote CALL
Posted: 2020-2-8 19:43 4097
How do I implement this in the kernel? The program has protection, so it can't be done from user mode. Looking for code.

Latest replies (3)
#2

Search for it, it comes up right away

NTSTATUS InjectCreateThread64(HANDLE ProcessId, PUNICODE_STRING pDllPath)
{
    ULONG ReturnLength;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS Process = NULL;
    HANDLE ProcessHandle = NULL;
    PVOID pNtDllBase64;
    PVOID pfnLdrLoadDll64;

    status = PsLookupProcessByProcessId((HANDLE)ProcessId, &Process);
    if (NT_SUCCESS(status))
    {
        //Do not inject WOW64 process
        status = STATUS_UNSUCCESSFUL;
        if (PsGetProcessWow64Process(Process) == NULL)
        {
            // Kernel handle to the target; the user-mode handle checks the
            // question mentions do not apply to a handle opened from here.
            status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &ProcessHandle);
            if (NT_SUCCESS(status))
            {
                // Cached ntdll base / LdrLoadDll address (globals defined elsewhere)
                pNtDllBase64 = PsNtDllBase64;
                pfnLdrLoadDll64 = fnLdrLoadDll64;

                if (!pfnLdrLoadDll64)
                {
                    UNICODE_STRING NtdllName;
                    KAPC_STATE kApc;

                    // Attach to the target so its user-mode modules can be walked
                    KeStackAttachProcess(Process, &kApc);
                    RtlInitUnicodeString(&NtdllName, L"ntdll.dll");
                    pNtDllBase64 = BBGetUserModule(Process, &NtdllName, FALSE);
                    if (pNtDllBase64)
                    {
                        pfnLdrLoadDll64 = BBGetModuleExport(pNtDllBase64, "LdrLoadDll");
                    }
                    KeUnstackDetachProcess(&kApc);
                }

                if (pfnLdrLoadDll64)
                {
                    // Builds the thread start buffer in the target (helper defined elsewhere)
                    PINJECT_BUFFER pBuffer = GetThreadInjectCode64(ProcessHandle, pNtDllBase64, pfnLdrLoadDll64, pDllPath);
                    if (pBuffer)
                    {
                        HANDLE hThread = NULL;
                        OBJECT_ATTRIBUTES ob = { 0 };

                        InitializeObjectAttributes(&ob, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

                        // ZwCreateThreadEx is undocumented; the driver must declare its prototype
                        status = ZwCreateThreadEx(
                            &hThread, THREAD_ALL_ACCESS, &ob,
                            ProcessHandle, pBuffer, NULL,
                            THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH | THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER,
                            0, 0x1000, 0x100000, NULL);

                        if (hThread)
                            ZwClose(hThread);
                    }
                }
                ZwClose(ProcessHandle);
            }
        }
        ObDereferenceObject(Process);
    }

    return status;
}
2020-2-8 21:32
0
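From the defending side, the routine above leaves a characteristic trace: a thread appears in one process but is created by another, and it starts in a buffer the injector allocated rather than in any mapped image. A driver's PsSetCreateThreadNotifyRoutine callback sees exactly those facts (the callback's ProcessId argument versus PsGetCurrentProcessId(), since the default callback runs in the creator's context). The following is an added example, not code from this thread: a portable C classifier over such events, with the event fields, module ranges and PIDs being constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed record of one thread-creation event, as a kernel callback could fill it:
 * target_pid    = the callback's ProcessId argument,
 * creator_pid   = PsGetCurrentProcessId() inside the callback (creator's context),
 * start_address = the new thread's Win32 start address, collected separately,
 * first_thread  = true for the initial thread of a freshly created process. */
typedef struct {
    uint32_t target_pid;
    uint32_t creator_pid;
    uint64_t start_address;
    bool     first_thread;
} thread_event_t;

/* Address range of one image mapped in the target process (constructed input). */
typedef struct {
    uint64_t base;
    uint64_t size;
} module_range_t;

enum verdict { BENIGN = 0, REMOTE_THREAD = 1, REMOTE_THREAD_UNBACKED = 2 };

/* True when addr falls inside any of the listed image ranges. */
static bool in_mapped_image(uint64_t addr, const module_range_t *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return true;
    return false;
}

/* Threads a process creates for itself, and the first thread of a new process
 * (created by its parent), are normal. Any other cross-process creation is a
 * remote thread; when its entry point lies outside every mapped image it matches
 * the pattern of the injector above, whose thread starts in an allocated buffer. */
int classify_thread_event(const thread_event_t *ev, const module_range_t *mods, size_t n)
{
    if (ev->creator_pid == ev->target_pid || ev->first_thread)
        return BENIGN;
    if (!in_mapped_image(ev->start_address, mods, n))
        return REMOTE_THREAD_UNBACKED;
    return REMOTE_THREAD;
}
```

A real collector would additionally whitelist known legitimate cross-process creators (debuggers, the parent at process start is already handled) before alerting.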
#3
[Original] Executing user-mode shellcode in a WOW64 process from the kernel
https://bbs.pediy.com/thread-190596.htm
2020-2-8 21:44
0
#4
Bump.
2020-2-9 14:11
2