-
-
[分享]Wow64环境下32位程序注入64位DLL到64位进程
-
发表于: 1天前 506
-
#include "wow64ext.h"
#pragma comment(lib, "wow64ext.lib")
//unsigned char injectCode[] = {
// 0x48, 0x83, 0xEC, 0x28, // sub rsp, 0x28
// 0x48, 0x31, 0xC9, // xor rcx, rcx // SearchPath = NULL
// 0x48, 0x31, 0xD2, // xor rdx, rdx // LoadFlags = 0
// 0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, ... // mov r8, ModuleFileName
// 0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, ... // mov r9, ModuleHandle
// 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, ... // mov rax, LdrLoadDll
// 0xFF, 0xD0, // call rax
// 0x48, 0x31, 0xC9, // xor rcx, rcx // Status = STATUS_SUCCESS
// 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, ... // mov rax, RtlExitUserThread
// 0xFF, 0xD0, // call rax
//};
#pragma pack(push, 1)
struct InjectCode {
unsigned char code0[12] = { 0x48, 0x83, 0xEC, 0x28, 0x48, 0x31, 0xC9, 0x48, 0x31, 0xD2, 0x49, 0xB8 };
DWORD64 moduleFileName = 0;
unsigned char code1[2] = { 0x49, 0xB9 };
DWORD64 moduleHandle = 0;
unsigned char code2[2] = { 0x48, 0xB8 };
DWORD64 ldrLoadDll = 0;
unsigned char code3[7] = { 0xFF, 0xD0, 0x48, 0x31, 0xC9, 0x48, 0xB8 };
DWORD64 rtlExitUserThread = 0;
unsigned char code4[2] = { 0xFF, 0xD0 };
};
struct InjectMemory {
InjectCode injectCode;
DWORD64 moduleHandle = 0;
_UNICODE_STRING_T<DWORD64> moduleFileNameUnicode = {};
WCHAR moduleFileName[MAX_PATH] = {};
};
#pragma pack(pop)
BOOL Inject32To64(DWORD dwProcessId, PCWSTR moduleFileName) {
BOOL result = FALSE;
HANDLE hProcess;
InjectMemory injectMemory;
DWORD64 injectMemoryAddr;
SIZE_T dwNumberOfBytesWritten;
DWORD64 hRemoteThread = 0;
UCHAR client_id[16] = { 0 };
wcscpy_s(injectMemory.moduleFileName, MAX_PATH, moduleFileName);
DWORD64 ntdll64 = GetModuleHandle64(L"ntdll.dll");
DWORD64 ntdll_LdrLoadDll = GetProcAddress64(ntdll64, "LdrLoadDll");
DWORD64 ntdll_RtlExitUserThread = GetProcAddress64(ntdll64, "RtlExitUserThread");
DWORD64 ntdll_RtlCreateUserThread = GetProcAddress64(ntdll64, "RtlCreateUserThread");
if (ntdll_LdrLoadDll == 0 || ntdll_RtlExitUserThread == 0 || ntdll_RtlCreateUserThread == 0)
goto END_0;
injectMemory.injectCode.ldrLoadDll = ntdll_LdrLoadDll;
injectMemory.injectCode.rtlExitUserThread = ntdll_RtlExitUserThread;
hProcess = OpenProcess(
PROCESS_CREATE_THREAD |
PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION |
PROCESS_VM_WRITE |
PROCESS_VM_READ, FALSE, dwProcessId);
if (!hProcess) goto END_0;
injectMemoryAddr = VirtualAllocEx64(hProcess, NULL, sizeof(injectMemory), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (injectMemoryAddr == 0) goto END_1;
injectMemory.injectCode.moduleHandle = injectMemoryAddr + offsetof(InjectMemory, moduleHandle);
injectMemory.injectCode.moduleFileName = injectMemoryAddr + offsetof(InjectMemory, moduleFileNameUnicode);
injectMemory.moduleFileNameUnicode.Length = (USHORT)(wcslen(moduleFileName) * sizeof(WCHAR));
injectMemory.moduleFileNameUnicode.MaximumLength = (USHORT)(MAX_PATH * sizeof(WCHAR));
injectMemory.moduleFileNameUnicode.Buffer = injectMemoryAddr + offsetof(InjectMemory, moduleFileName);
if (!WriteProcessMemory64(hProcess, injectMemoryAddr, &injectMemory, sizeof(injectMemory), &dwNumberOfBytesWritten)) goto END_2;
X64Call(ntdll_RtlCreateUserThread, 10,
(DWORD64)hProcess, // ProcessHandle
(DWORD64)NULL, // SecurityDescriptor
(DWORD64)FALSE, // CreateSuspended
(DWORD64)0, // StackZeroBits
(DWORD64)NULL, // StackReserved
(DWORD64)NULL, // StackCommit
injectMemoryAddr, // StartAddress
(DWORD64)NULL, // StartParameter
(DWORD64)&hRemoteThread, // ThreadHandle
(DWORD64)&client_id); // ClientID
if (hRemoteThread == 0) goto END_2;
CloseHandle((HANDLE)hRemoteThread);
result = TRUE;
goto END_1;
END_2:
VirtualFreeEx64(hProcess, injectMemoryAddr, sizeof(injectMemory), MEM_RELEASE);
END_1:
CloseHandle(hProcess);
END_0:
return result;
}
[内核课程]《Windows内核攻防实战》!从零到实战,融合AI与Windows内核攻防全技术栈,打造具备自动化能力的内核开发高手。
赞赏
- [分享]Wow64环境下32位程序注入64位DLL到64位进程 506
- [分享] 010 注册机的实现 1311
- [分享]od为何进程列表显示不全 1245
- [原创]王之凝视修改资源数量 1277