首页
社区
课程
招聘
[求助]x64系统劫持32位进程的线程,修改eip,有时候成功,有时候无效,是什么问题?
发表于: 2024-12-7 20:40 3262

[求助]x64系统劫持32位进程的线程,修改eip,有时候成功,有时候无效,是什么问题?

2024-12-7 20:40
3262

HANDLE hThread = NULL;

PETHREAD pThread = NULL;


KAPC_STATE kApcState = { 0 };

KeStackAttachProcess(pProcess, &kApcState);


NTSTATUS status = NtGetNextThread(NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 0, &hThread);

if (NT_SUCCESS(status))

{

    status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, &pThread, NULL);

    if (!NT_SUCCESS(status))

    {

        pThread = NULL;

    }


    NtClose(hThread);

}


status = PsSuspendThread(pThread, NULL); // 每次都成功


if (NT_SUCCESS(status))

{

    PUCHAR ShellCodeAddress = ulAllocatedAddress + 199;

    memcpy(ShellCodeAddress, pShellCode_Kernel, ulShellCodeSize);

    *(ShellCodeAddress + ulShellCodeSize) = 0xC3;


    PVOID pWow64Process = PsGetProcessWow64Process(pProcess);

    if (pWow64Process)

    {

        // x86进程

        PUCHAR pTeb64 = (PUCHAR)PsGetThreadTeb(pThread);


        ULONG_PTR ulNumberOfBytesCopied = NULL;

        MmCopyVirtualMemory(pProcess, (PULONG64)(pTeb64 + 0x1488), pProcess, (PULONG64)(pTeb64 + 0x1488), 8, UserMode, &ulNumberOfBytesCopied);

        PUCHAR pWow64Context = (PUCHAR)(*(PULONG64)(pTeb64 + 0x1488));


        CHAR pMachineCode[] =

        {

            0x60, // pushad

            0xB8, 0x78, 0x56, 0x34, 0x12, // mov eax,ShellCode地址

            0x83, 0xEC, 0x40, // sub esp,40

            0xFF, 0xD0, // call eax

            0x83, 0xC4, 0x40, // add esp,40

            0xB8, 0x78, 0x56, 0x34, 0x12, // mov eax,完成标志地址

            0xC7, 0x00, 0x01, 0x00, 0x00, 0x00, // mov dword ptr ds:[eax],1

            0x61, // popad

            0xE9, 0x00, 0x00, 0x00, 0x00 // jmp 原来的eip

         };


        *(PULONG)&pMachineCode[2] = ShellCodeAddress;

        *(PULONG)&pMachineCode[15] = ulAllocatedAddress + 150;

        *(PULONG)&pMachineCode[27] = *(PULONG)(pWow64Context + 0xBC) - ((ULONG)ulAllocatedAddress + sizeof(pMachineCode));


        memcpy(ulAllocatedAddress, pMachineCode, sizeof(pMachineCode));


        *(PULONG)(pWow64Context + 0xBC) = ulAllocatedAddress; // 每次都能执行

    }


    PsResumeThread(pThread, NULL);

}


KeUnstackDetachProcess(&kApcState);


下断点调试发现PsSuspendThread(pThread, NULL)每次都成功,*(PULONG)(pWow64Context + 0xBC) = ulAllocatedAddress这里修改EIP也每次都能执行,但是有时候就是不执行ShellCode,感觉是不是还有别的地方存放了EIP,或者是其他什么原因?有大佬能指点下吗,万分感谢!


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (4)
雪    币: 218
活跃值: (55)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
NTSTATUS
PsSuspendThread (
    IN PETHREAD Thread,
    OUT PULONG PreviousSuspendCount OPTIONAL
    )

有没有可能是有的线程当时的PreviousSuspendCount 不等于0
2024-12-9 13:42
0
雪    币: 0
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
狼小蜘 NTSTATUS PsSuspendThread ( IN PETHREAD Thread, OUT PULONG PreviousSuspendCount OPTIONAL ...
这个不影响
2024-12-10 01:12
0
雪    币: 4482
活跃值: (4463)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
ShellCodeAddress  内存块属性中没有可执行权限   PAGE_EXECUTE
2024-12-10 21:31
0
雪    币: 0
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
5
Mxixihaha ShellCodeAddress 内存块属性中没有可执行权限 PAGE_EXECUTE
申请内存的时候设置有执行权限的
2024-12-11 00:28
0
游客
登录 | 注册 方可回帖
返回
//