代码注入-通过创建远程线程的汇编实现

selph
selph
发布于 2020-10-13 / 467 阅读
0
0

代码注入-通过创建远程线程的汇编实现

原理介绍

原理同上一篇一样,这里使用汇编语言进行实现代码注入的功能

使用汇编来编写ThreadProc函数,然后直接把汇编指令写入目标内容进行调用,比上一节少了计算函数大小的步骤

本节进行讲解汇编的写法,和注入代码的写法

汇编实现

使用x32dbg打开一个测试用的exe,用来编写汇编代码:

我这里用到还是之前的hello world程序

image-20201012090155033

拉到最上面,右键,设置新的运行点,把eip设置过来(这种方式不改变栈和寄存器的内容)

然后就可以开始编写汇编代码了:

image-20201012154719026

这里很妙的一个地方就是,对call的巧用:call指令其实是push+jmp的组合,将下一条命令push入栈,而这里call下一行是字符串,然后jmp到指定地方,就是下一个参数的位置,通过call巧妙的在代码段中将字符串入栈作为参数

然后其他的很简单,没什么好说的了,都在注释里

右键选中修改的区域,然后二进制,复制,得到我们写的汇编:

55 8B EC 8B 75 08 68 6C 6C 00 00 68 33 32 2E 64
68 75 73 65 72 54 FF 16 68 6F 78 41 00 68 61 67
65 42 68 4D 65 73 73 54 50 FF 56 04 6A 00 E8 06
00 00 00 68 65 6C 6C 6F 00 E8 06 00 00 00 45 52
52 4F 52 00 6A 00 FF D0 33 C0 8B E5 5D C3

稍作修改得到如下样子:加上0x和逗号

image-20201012154909240

准备工作就完成了,就可以开始写代码了

代码实现

#include<stdio.h>
#include<windows.h>

//Thread Parameter
typedef struct _THREAD_PARAM {
	FARPROC pFunc[2];
}THREAD_PARAM, * PTHREAD_PARAM;

BYTE g_InjectionCode[] = {
	0x55,0x8B,0xEC,0x8B,0x75,0x08,0x68,0x6C,0x6C,0x00,0x00,0x68,0x33,0x32,0x2E,0x64,
	0x68,0x75,0x73,0x65,0x72,0x54,0xFF,0x16,0x68,0x6F,0x78,0x41,0x00,0x68,0x61,0x67,
	0x65,0x42,0x68,0x4D,0x65,0x73,0x73,0x54,0x50,0xFF,0x56,0x04,0x6A,0x00,0xE8,0x06,
	0x00,0x00,0x00,0x68,0x65,0x6C,0x6C,0x6F,0x00,0xE8,0x06,0x00,0x00,0x00,0x45,0x52,
	0x52,0x4F,0x52,0x00,0x6A,0x00,0xFF,0xD0,0x33,0xC0,0x8B,0xE5,0x5D,0xC3
};


BOOL InjectCode(DWORD dwPid)
{
	HMODULE hMod = GetModuleHandleA("kernel32.dll");
	THREAD_PARAM param = { 0, };
	param.pFunc[0] = GetProcAddress(hMod, "LoadLibraryA");
	param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");

	//Open Process
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

	//Allocation for THREAD_PARAM
	DWORD dwWrittenSize = 0;
	DWORD dwSize = sizeof(THREAD_PARAM);
	LPVOID pRemoteBuf[2] = { 0, };
	pRemoteBuf[0] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(hProcess, pRemoteBuf[0], &param, dwSize, &dwWrittenSize);

	//Allocation for ThreadFunc
	dwSize = sizeof(g_InjectionCode);
	pRemoteBuf[1] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess, pRemoteBuf[1], (LPVOID)&g_InjectionCode, dwSize, &dwWrittenSize);

	//code injection
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuf[1], pRemoteBuf[0], 0, NULL);
	//WaitForSingleObject(hThread, INFINITE);

	CloseHandle(hThread);
	CloseHandle(hProcess);
	return TRUE;
}


int main(int argc, char* argv[]) {
	//DWORD dwPid = (DWORD)atol(argv[1]);
	DWORD dwPid = 1036;
	InjectCode(dwPid);
}

效果演示

image-20201012155044764

为啥老用这个CM来做演示呢?主要是懒,这个应用就在桌面上,点开即用哈哈哈哈

当然,对其他应用也有用,比如刚好已经打开了的TIM:

image-20201012155508524


评论