首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 求助问答
    3. 发新帖
未解决 [已解决][求助]代码注入问题
发表于: 2024-5-9 16:45 1685

未解决 [已解决][求助]代码注入问题

内存管理 活跃值
2024-5-9 16:45
1685

在VirtualAllocEx 和 WriteProcessMemory都成功了
代码也注入进去了 但是执行远程线程CreateRemoteThread 后 注入的程序就崩溃了
源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
// CodeInjection.cpp 
// reversecore@gmail.com 
// http://www.reversecore.com 
 
#include "windows.h" 
#include "stdio.h" 
 
typedef struct _THREAD_PARAM
{
    FARPROC pFunc[2];               // LoadLibraryA(), GetProcAddress() 
    //char    szBuf[4][128];          // "user32.dll", "MessageBoxA", "www.reversecore.com", "ReverseCore" 
} THREAD_PARAM, * PTHREAD_PARAM;
 
typedef HMODULE(WINAPI* PFLOADLIBRARYA)
(
    LPCSTR lpLibFileName
    );
 
typedef FARPROC(WINAPI* PFGETPROCADDRESS)
(
    HMODULE hModule,
    LPCSTR lpProcName
    );
 
typedef int (WINAPI* PFMESSAGEBOXA)
(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType
    );
 
BYTE g_InjectionCode[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x75, 0x08, 0x68, 0x6C, 0x6C, 0x00,
    0x00, 0x68, 0x33, 0x32, 0x2E, 0x64, 0x68, 0x75, 0x73, 0x65 ,
    0x72, 0x54, 0xFF, 0x16, 0x68, 0x6F, 0x78, 0x41, 0x00, 0x68,
    0x61, 0x67, 0x65, 0x42, 0x68, 0x4D, 0x65, 0x73, 0x73, 0x54,
    0x50, 0xFF, 0x56, 0x04, 0x6A, 0x00, 0xE8, 0xD9, 0xB6, 0x34,
    0x89, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x43, 0x6F,
    0x72, 0x65, 0x00, 0x00, 0xE8, 0xE0, 0xB6, 0x34, 0x89, 0x77,
    0x77, 0x77, 0x2E, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65,
    0x63 ,0x6F ,0x72 ,0x65 ,0x2E ,0x63 ,0x6F ,0x6D ,0x00 ,0x00 ,
    0xFF ,0xD0 ,0x33 ,0xC0 ,0x8B, 0xE5, 0x5D, 0xC3
};
 
/*DWORD WINAPI ThreadProc(LPVOID lParam)
{
    PTHREAD_PARAM   pParam = (PTHREAD_PARAM)lParam;
    HMODULE         hMod = NULL;
    FARPROC         pFunc = NULL;
 
    // LoadLibrary() 
    hMod = ((PFLOADLIBRARYA)pParam->pFunc[0])(pParam->szBuf[0]);    // "user32.dll" 
    if (!hMod)
        return 1;
 
    // GetProcAddress() 
    pFunc = (FARPROC)((PFGETPROCADDRESS)pParam->pFunc[1])(hMod, pParam->szBuf[1]);  // "MessageBoxA" 
    if (!pFunc)
        return 1;
 
    // MessageBoxA() 
    ((PFMESSAGEBOXA)pFunc)(NULL, pParam->szBuf[2], pParam->szBuf[3], MB_OK);
 
    return 0;
}*/
 
BOOL InjectCode(DWORD dwPID)
{
    HMODULE         hMod = NULL;
    THREAD_PARAM    param = { 0, };
    HANDLE          hProcess = NULL;
    HANDLE          hThread = NULL;
    LPVOID          pRemoteBuf[2] = { 0, };
    DWORD           dwSize = 0;
 
    hMod = GetModuleHandleA("kernel32.dll");
 
    // set THREAD_PARAM 
    param.pFunc[0] = GetProcAddress(hMod, "LoadLibraryA");
    param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");
    /*strcpy_s(param.szBuf[0], "user32.dll");
    strcpy_s(param.szBuf[1], "MessageBoxA");
    strcpy_s(param.szBuf[2], "www.zhanglingshuang.com");
    strcpy_s(param.szBuf[3], "ReverseCore");*/
 
    // Open Process 
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS,   // dwDesiredAccess 
        FALSE,                // bInheritHandle 
        dwPID)))             // dwProcessId 
    {
        printf("OpenProcess() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
 
    // Allocation for THREAD_PARAM 
    dwSize = sizeof(THREAD_PARAM);
    if (!(pRemoteBuf[0] = VirtualAllocEx(hProcess,          // hProcess 
        NULL,                 // lpAddress 
        dwSize,               // dwSize 
        MEM_COMMIT | MEM_RESERVE,           // flAllocationType 
        PAGE_EXECUTE_READWRITE)))    // flProtect 
    {
        printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
 
    if (!WriteProcessMemory(hProcess,                       // hProcess 
        pRemoteBuf[0],                  // lpBaseAddress 
        (LPVOID)&param,              // lpBuffer 
        dwSize,                         // nSize 
        NULL))                         // [out] lpNumberOfBytesWritten 
    {
        printf("WriteProcessMemory() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
 
    // Allocation for ThreadProc() 
    //dwSize = (DWORD)InjectCode - (DWORD)ThreadProc;
    if (!(pRemoteBuf[1] = VirtualAllocEx(hProcess,          // hProcess 
        NULL,                 // lpAddress 
        sizeof(g_InjectionCode),               // dwSize 
        MEM_COMMIT | MEM_RESERVE,           // flAllocationType 
        PAGE_EXECUTE_READWRITE)))    // flProtect 
    {
        printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
 
    if (!WriteProcessMemory(hProcess,                       // hProcess 
        pRemoteBuf[1],                  // lpBaseAddress 
        (LPVOID)&g_InjectionCode,             // lpBuffer 
        sizeof(g_InjectionCode),                         // nSize 
        NULL))                         // [out] lpNumberOfBytesWritten 
    {
        printf("WriteProcessMemory() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
    if (!(hThread = CreateRemoteThread(hProcess,            // hProcess 
        NULL,                // lpThreadAttributes 
        0,                   // dwStackSize 
        (LPTHREAD_START_ROUTINE)pRemoteBuf[1],     // dwStackSize 
        pRemoteBuf[0],       // lpParameter 
        0,                   // dwCreationFlags 
        NULL)))             // lpThreadId 
    {
        printf("CreateRemoteThread() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
 
    WaitForSingleObject(hThread, INFINITE);
 
    CloseHandle(hThread);
    CloseHandle(hProcess);
 
    return TRUE;
}
 
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    HANDLE hToken;
    LUID luid;
 
    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
        &hToken))
    {
        printf("OpenProcessToken error: %u\n", GetLastError());
        return FALSE;
    }
 
    if (!LookupPrivilegeValue(NULL,           // lookup privilege on local system 
        lpszPrivilege,  // privilege to lookup  
        &luid))        // receives LUID of privilege 
    {
        printf("LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }
 
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;
 
    // Enable the privilege or disable all privileges. 
    if (!AdjustTokenPrivileges(hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES)NULL,
        (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }
 
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }
 
    return TRUE;
}
 
int main(int argc, char* argv[])
{
    /*DWORD dwPID = 0;
 
    if (argc != 2)
    {
        printf("\n USAGE  : %s <pid>\n", argv[0]);
        return 1;
    }
    */
    // change privilege 
    if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
        return 1;
 
    // code injection 
    //dwPID = (DWORD)atol(argv[1]);
    InjectCode(13512);
 
    return 0;
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

最后于 2024-5-10 01:49 被内存管理编辑 ,原因:
收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//