首页
社区
课程
招聘
ShellCode注入程序
发表于: 2023-11-30 15:59 9502

ShellCode注入程序

2023-11-30 15:59
9502

程序功能是利用NtQueueApcThreadEx注入ShellCode到一个进程中,程序运行后会让你选择模式,按1为普通模式,所需的常规API接口都是使用Windows原本正常的API;在有游戏保护的进程中Windows原本正常的API无法使用,这时候需要选择内核模式,按2选择内核模式。

内核模式下使用的一些关键API都是我自己在ring0从0实现的,本帖仅开源普通模式下的代码。内核模式下使用的关键API以及调用框架不开源。

选择模式之后需要输入被注入进程的PID

项目包含三个源代码文件:1.源.cpp
2.fun.asm
3.fun.h

首先是源.cpp文件代码:

fun.asm文件

fun.h文件

shellCode的功能是给被注入进程设置一个键盘钩子,TAB键。

插入代码
```/*
* 函数原型:
NTSTATUS NtQueueTHreadApcEx(
_in HANDLE thread,
_in UCHAR flags,0:常规用户APC,1:特殊用户APC
_in PAPCFUNC apcRoutine,
_in PVOID context1,
_in PVOID arg1,
_in PVOID arg2
);
需要从Ntdll.dll模块显式导出(GetProcAddress)
 
*/
#define _CRT_SECURE_NO_WARNINGS
#include<stdio.h>
#include<Windows.h>
#include<Tlhelp32.h>
#include"fun.h"
HWND hwndG = 0;
BOOL CALLBACK EnumWindowsProc(
    HWND hwnd,
    LPARAM lParam)
{
    WCHAR path[MAX_PATH] = { 0 };
    WCHAR* text = (WCHAR*)lParam;
    GetWindowText(hwnd, path, MAX_PATH);
    if (lstrcmpW(text, path) == 0)
    {
        hwndG = hwnd;
        return FALSE;
    }
    else
    {
        hwndG = 0;
        return TRUE;
    }
}
 
DWORD WINAPI GetThreadIdByProcessId(DWORD dwProcessId)
{
 
 
    THREADENTRY32 th32;
    th32.dwSize = sizeof(THREADENTRY32);
    DWORD dwThreadId = 0;
    HANDLE hdTool = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessId);
    if (Thread32First(hdTool, &th32))
    {
        do
        {
            if (th32.th32OwnerProcessID == dwProcessId)
            {
                dwThreadId = th32.th32ThreadID;
                //printf("%d\n", dwThreadId);
                break;
            }
        } while (Thread32Next(hdTool, &th32));
    }
    else
    {
        DWORD dwErro = GetLastError();
        //printf("遍历进程失败!——%d", dwErro);
        return dwErro;
    }
     
    return dwThreadId;
}
 
BOOL WINAPI PrivilegeAdjust()
{
    BOOL flag;
    HANDLE token;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
    {
        //printf("打开令牌失败!\n");
        flag = FALSE;
    }
    LUID pid;
    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pid))
    {
        //printf("查看特权ID失败\n");
        flag = FALSE;
    }
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = pid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        //printf("提升特权失败!\n");
        flag = FALSE;
    }
    return TRUE;
}
typedef BOOL(*MYTYPE)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);
typedef HANDLE(*OPPS)(DWORD, BOOL, DWORD);
typedef BOOL(*WRMEMEX)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);
typedef HANDLE(*OPTS)();
typedef ULONG64(*GETPEB)(DWORD);
typedef NTSTATUS(*NTQUEAPC)(HANDLE, UCHAR, PVOID, PVOID, PVOID, PVOID);
WRMEMEX Read;
WRMEMEX Write;
OPPS OpenPro;
OPTS OpenThr;
NTQUEAPC NtQueueUserApcEx;
VOID InitFrmak()
{
    printf("内核\n");
    NtQueueUserApcEx = NULL;
    HMODULE mod = LoadLibraryA("ApiSystemCall.dll");
 
    Read = (WRMEMEX)GetProcAddress(mod, "YhReadProcessMemory");
    Write = (WRMEMEX)GetProcAddress(mod, "YhWriteProcessMemory");
    OpenPro = (OPPS)GetProcAddress(mod, "YhOpenProcess");
    OpenThr = (OPTS)GetProcAddress(mod, "YhOpenThread");
    NtQueueUserApcEx = (NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");
    if (NtQueueUserApcEx == NULL)
    {
        MessageBoxA(NULL, "获取函数失败", 0, 0);
    }
}
 
VOID InitFrmakEx()
{
    NtQueueUserApcEx = NULL;
     
    printf("普通\n");
    Read = ReadProcessMemory;
    Write = WriteProcessMemory;
    OpenPro = OpenProcess;
    OpenThr = OpenThread;
    NtQueueUserApcEx = (NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");
    if (NtQueueUserApcEx == NULL)
    {
        MessageBoxA(NULL, "获取函数失败", 0, 0);
    }
}
 
typedef VOID(*FUN)();
int main()
{
    DWORD pid;
    SIZE_T size=0;
    CONTEXT text;
    VirtualProtect(fun, 0x60, PAGE_EXECUTE_READWRITE, &pid);
    *(ULONG64*)(&(((UCHAR*)fun2)[0x34])) = MessageBoxA;
    *(ULONG64*)(&(((UCHAR*)fun2)[0x9f])) = SetWindowsHookExA;
    //fun(NULL,NULL,NULL);
    printf("请输入模式:\n1.普通模式\n2.内核模式\n");
    scanf("%d", &size);
    (size==1)? InitFrmakEx(): InitFrmak();
    printf("请输入进程PID:\n");
    scanf("%d", &pid);
    PrivilegeAdjust();
     
    HANDLE hd = OpenPro(PROCESS_ALL_ACCESS, FALSE, pid);
    PVOID mem = VirtualAllocEx(hd, NULL, 0X1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    DWORD tid = GetThreadIdByProcessId(pid);
    HANDLE td;
    if (size == 1)
    {
        td = OpenThr(THREAD_ALL_ACCESS,FALSE,tid);
    }
    else
    {
        td = OpenThr(tid, hd, THREAD_ALL_ACCESS, FALSE);
    }
 
    if (!Write(hd, mem, fun2, 0x100, &size))
    {
        MessageBoxA(0, "写入失败", 0, 0);
    }
    SuspendThread(td);
    NTSTATUS code = NtQueueUserApcEx(td, 1, (PVOID)(((ULONG64)mem)+0x53), tid, 0, 0);
    if(code!=0)
    {
         
        printf("%x\n", code);
        MessageBox(0, 0, 0, 0);
    }
    ResumeThread(td);
    system("pause");
    return 0;
}
插入代码
```/*
* 函数原型:
NTSTATUS NtQueueTHreadApcEx(
_in HANDLE thread,
_in UCHAR flags,0:常规用户APC,1:特殊用户APC
_in PAPCFUNC apcRoutine,
_in PVOID context1,
_in PVOID arg1,
_in PVOID arg2
);
需要从Ntdll.dll模块显式导出(GetProcAddress)
 
*/
#define _CRT_SECURE_NO_WARNINGS
#include<stdio.h>
#include<Windows.h>
#include<Tlhelp32.h>
#include"fun.h"
HWND hwndG = 0;
BOOL CALLBACK EnumWindowsProc(
    HWND hwnd,
    LPARAM lParam)
{
    WCHAR path[MAX_PATH] = { 0 };
    WCHAR* text = (WCHAR*)lParam;
    GetWindowText(hwnd, path, MAX_PATH);
    if (lstrcmpW(text, path) == 0)
    {
        hwndG = hwnd;
        return FALSE;
    }
    else
    {
        hwndG = 0;
        return TRUE;
    }
}
 
DWORD WINAPI GetThreadIdByProcessId(DWORD dwProcessId)
{
 
 
    THREADENTRY32 th32;
    th32.dwSize = sizeof(THREADENTRY32);
    DWORD dwThreadId = 0;
    HANDLE hdTool = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessId);
    if (Thread32First(hdTool, &th32))
    {
        do
        {
            if (th32.th32OwnerProcessID == dwProcessId)
            {
                dwThreadId = th32.th32ThreadID;
                //printf("%d\n", dwThreadId);
                break;
            }
        } while (Thread32Next(hdTool, &th32));
    }
    else
    {
        DWORD dwErro = GetLastError();
        //printf("遍历进程失败!——%d", dwErro);
        return dwErro;
    }
     
    return dwThreadId;
}
 
BOOL WINAPI PrivilegeAdjust()
{
    BOOL flag;
    HANDLE token;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
    {
        //printf("打开令牌失败!\n");
        flag = FALSE;
    }
    LUID pid;
    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pid))
    {
        //printf("查看特权ID失败\n");
        flag = FALSE;
    }
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = pid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        //printf("提升特权失败!\n");
        flag = FALSE;
    }
    return TRUE;
}
typedef BOOL(*MYTYPE)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);
typedef HANDLE(*OPPS)(DWORD, BOOL, DWORD);
typedef BOOL(*WRMEMEX)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);
typedef HANDLE(*OPTS)();
typedef ULONG64(*GETPEB)(DWORD);
typedef NTSTATUS(*NTQUEAPC)(HANDLE, UCHAR, PVOID, PVOID, PVOID, PVOID);
WRMEMEX Read;
WRMEMEX Write;
OPPS OpenPro;
OPTS OpenThr;
NTQUEAPC NtQueueUserApcEx;
VOID InitFrmak()
{
    printf("内核\n");
    NtQueueUserApcEx = NULL;
    HMODULE mod = LoadLibraryA("ApiSystemCall.dll");
 
    Read = (WRMEMEX)GetProcAddress(mod, "YhReadProcessMemory");
    Write = (WRMEMEX)GetProcAddress(mod, "YhWriteProcessMemory");
    OpenPro = (OPPS)GetProcAddress(mod, "YhOpenProcess");
    OpenThr = (OPTS)GetProcAddress(mod, "YhOpenThread");
    NtQueueUserApcEx = (NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");
    if (NtQueueUserApcEx == NULL)
    {
        MessageBoxA(NULL, "获取函数失败", 0, 0);
    }
}
 
VOID InitFrmakEx()
{
    NtQueueUserApcEx = NULL;
     
    printf("普通\n");
    Read = ReadProcessMemory;
    Write = WriteProcessMemory;
    OpenPro = OpenProcess;
    OpenThr = OpenThread;
    NtQueueUserApcEx = (NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");
    if (NtQueueUserApcEx == NULL)
    {
        MessageBoxA(NULL, "获取函数失败", 0, 0);
    }

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 3
支持
分享
最新回复 (1)
雪    币: 3573
活跃值: (31026)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2023-12-4 09:19
1
游客
登录 | 注册 方可回帖
返回
//