搜索一下,马上出来
/*
 * InjectCreateThread64 - kernel-side remote-thread DLL injection into a native
 * 64-bit process (Blackbone-style helper).
 *
 * Steps, in order: resolve the EPROCESS from the PID, refuse WOW64 targets,
 * open a kernel handle to the process, locate ntdll!LdrLoadDll inside the
 * target (cached globals first, otherwise by attaching and walking the
 * target's modules), build an injection stub with GetThreadInjectCode64 and
 * start a thread at that stub with ZwCreateThreadEx.
 *
 * ProcessId: PID of the target process.
 * pDllPath:  path of the DLL to load; handed unchanged to GetThreadInjectCode64,
 *            no validation is done here.
 * Returns:   NTSTATUS. STATUS_UNSUCCESSFUL for a WOW64 target; otherwise the
 *            status of the last kernel call made. NOTE(review): if LdrLoadDll
 *            cannot be resolved or GetThreadInjectCode64 returns NULL, status
 *            still holds the success code from ObOpenObjectByPointer, so the
 *            caller sees success although no thread was created.
 *
 * Defender notes: the observable artifacts are a thread created in the target
 * from kernel context whose start address is the stub returned by
 * GetThreadInjectCode64 (not visible here; presumably non-image-backed
 * memory), created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, that then
 * calls ntdll!LdrLoadDll. Thread-creation callbacks and start-address checks
 * on new threads are the natural places to catch this.
 */
NTSTATUS InjectCreateThread64(HANDLE ProcessId, PUNICODE_STRING pDllPath)
{
    ULONG ReturnLength;                 /* unused in this function */
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS Process = NULL;
    HANDLE ProcessHandle = NULL;
    PVOID pNtDllBase64;
    PVOID pfnLdrLoadDll64;

    /* Takes a reference on the EPROCESS; released by ObDereferenceObject below. */
    status = PsLookupProcessByProcessId((HANDLE)ProcessId, &Process);
    if (NT_SUCCESS(status))
    {
        //Do not inject WOW64 process
        /* Reset so a WOW64 target reports failure rather than the lookup's success. */
        status = STATUS_UNSUCCESSFUL;
        if (PsGetProcessWow64Process(Process) == NULL)
        {
            status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &ProcessHandle);
            if (NT_SUCCESS(status))
            {
                /* File-level globals (defined elsewhere) act as a cache of the
                 * 64-bit ntdll base and LdrLoadDll address; they are read here
                 * but never written back, so the lookup below is repeated on
                 * every call while they stay NULL. */
                pNtDllBase64 = PsNtDllBase64;
                pfnLdrLoadDll64 = fnLdrLoadDll64;
                if (!pfnLdrLoadDll64)
                {
                    UNICODE_STRING NtdllName;
                    KAPC_STATE kApc;
                    /* Attach to the target address space so its user-mode modules
                     * can be read; must stay paired with KeUnstackDetachProcess. */
                    KeStackAttachProcess(Process, &kApc);
                    RtlInitUnicodeString(&NtdllName, L"ntdll.dll");
                    pNtDllBase64 = BBGetUserModule(Process, &NtdllName, FALSE);
                    if (pNtDllBase64)
                    {
                        pfnLdrLoadDll64 = BBGetModuleExport(pNtDllBase64, "LdrLoadDll");
                    }
                    KeUnstackDetachProcess(&kApc);
                }
                if (pfnLdrLoadDll64)
                {
                    /* Stub in the target that calls LdrLoadDll on pDllPath.
                     * NOTE(review): nothing here releases pBuffer; presumably it
                     * lives in the target's address space and is left behind -
                     * confirm against GetThreadInjectCode64. */
                    PINJECT_BUFFER pBuffer = GetThreadInjectCode64(ProcessHandle, pNtDllBase64, pfnLdrLoadDll64, pDllPath);
                    if (pBuffer)
                    {
                        HANDLE hThread = NULL;
                        OBJECT_ATTRIBUTES ob = { 0 };
                        InitializeObjectAttributes(&ob, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
                        /* New thread starts at pBuffer with no argument.
                         * SKIP_THREAD_ATTACH suppresses DLL_THREAD_ATTACH
                         * notifications; HIDE_FROM_DEBUGGER keeps the thread
                         * out of an attached debugger's view. The trailing
                         * 0, 0x1000, 0x100000 are, per the usual undocumented
                         * prototype, ZeroBits, stack commit and stack reserve -
                         * verify against the ZwCreateThreadEx declaration used. */
                        status = ZwCreateThreadEx(
                            &hThread, THREAD_ALL_ACCESS, &ob,
                            ProcessHandle, pBuffer, NULL,
                            THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH | THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER,
                            0, 0x1000, 0x100000, NULL);
                        /* Only the handle is dropped; the thread itself keeps running. */
                        if (hThread)
                            ZwClose(hThread);
                    }
                }
                ZwClose(ProcessHandle);
            }
        }
        ObDereferenceObject(Process);
    }
    return status;
}
[原创]从内核在WOW64进程中执行用户态shellcode https://bbs.pediy.com/thread-190596.htm
帮顶