代碼注入之——c++代碼注入
0x00 代碼注入和DLL注入的區別
- DLL注入后DLL會通過線程常駐在某個process中,而代碼注入完成之后立即消失。
- 代碼注入體積小,不占內存
0x01 通過c++編寫注入代碼
1)編寫注入程序
代碼如下:
// CodeInjection.cpp : 此文件包含 "main" 函數。程序執行將在此處開始並結束。
//
#include "pch.h"
#include <iostream>
#include<stdio.h>
#include<Windows.h>
using namespace std;
//Thrad Parameter
typedef struct _THREAD_PARAM
{
FARPROC pFunc[2]; // LoadLibraryA(), GetProcAddress()
char szBuf[4][128]; // "user32.dll", "MessageBoxA", "www.reversecore.com", "ReverseCore"
} THREAD_PARAM, *PTHREAD_PARAM;
//LoadLibrary
typedef HMODULE(WINAPI *PFLOADLIBRARYA)
(
LPCSTR lpLibFileName
);
//GetProcessAddress
typedef HMODULE(WINAPI *PFGETPROCADDRESS)
(HMODULE hModule,LPCSTR lpProNmae );
//MessageBoxA()
typedef int (WINAPI *PFMESSAGEBOXA)
(
HWND hWnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType
);
//Thread Procedure
DWORD WINAPI ThreadProc(LPVOID lParam)
{
PTHREAD_PARAM pParam = (PTHREAD_PARAM)lParam;
HMODULE hMod = NULL;
FARPROC pFunc = NULL;
// LoadLibrary()
hMod = ((PFLOADLIBRARYA)pParam->pFunc[0])(pParam->szBuf[0]); // "user32.dll"
if (!hMod)
return 1;
// GetProcAddress()
pFunc = (FARPROC)((PFGETPROCADDRESS)pParam->pFunc[1])(hMod, pParam->szBuf[1]); // "MessageBoxA"
if (!pFunc)
return 1;
// MessageBoxA()
((PFMESSAGEBOXA)pFunc)(NULL, pParam->szBuf[2], pParam->szBuf[3], MB_OK);
return 0;
}
//注入函數
BOOL InjectCode(DWORD dwPID)
{
HMODULE hMod = NULL;
THREAD_PARAM param = { 0, };
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPVOID pRemoteBuf[2] = { 0, };
DWORD dwSize = 0;
hMod = GetModuleHandleA("kernel32.dll");
//set THREAD_PARAM
param.pFunc[0] = GetProcAddress(hMod, "LoadLibraryA");
param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");
strcpy_s(param.szBuf[0], "user32.dll");
strcpy_s(param.szBuf[1], "MessageBoxA");
strcpy_s(param.szBuf[2], "www.reversecore.com");
strcpy_s(param.szBuf[3], "ReverseCore");
//open process
if (!(hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPID)))
{
printf("OpenProcess() fail : err_code = %d\n", GetLastError());
return FALSE;
}
//Allocation for THREAD_PARAM
dwSize = sizeof(THREAD_PARAM);
if (!(pRemoteBuf[0]=VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT, PAGE_READWRITE)))
{
printf("VirtualAllocEx() failed :err_code=%d/n", GetLastError());
return FALSE;
}
//WriteProcessMemory
if (!WriteProcessMemory(hProcess, // hProcess
pRemoteBuf[0], // lpBaseAddress
(LPVOID)¶m, // lpBuffer
dwSize, // nSize
NULL))
{
printf("Write THREAD_PARAM to Memory failed :err_code=%d/n",GetLastError());
return FALSE;
}
//Allocation for ThreadProc()
dwSize = (DWORD)InjectCode - (DWORD)ThreadProc;
if (!(pRemoteBuf[1]=VirtualAllocEx(hProcess,NULL,dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
{
printf("Allocation for ThreadProc() failed :err_code=%d/n", GetLastError());
return FALSE;
}
//Write ThreadProc() to Memorary
if (!(WriteProcessMemory(hProcess, pRemoteBuf[1], (LPVOID)ThreadProc, dwSize, NULL)))
{
printf("Write ThreadProc to Memory failed :err_code=%d/n", GetLastError());
return FALSE;
}
//創建進程運行
if (!(hThread=CreateRemoteThread(hProcess,NULL,0, (LPTHREAD_START_ROUTINE)pRemoteBuf[1], pRemoteBuf[0], 0,NULL)))
{
printf("CreateRemoteThread() fail : err_code = %d\n", GetLastError());
return FALSE;
}
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
//提權函數
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error: %u\n", GetLastError());
return FALSE;
}
if (!LookupPrivilegeValue(NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
int main( int argc,char * argv[])
{
DWORD dwPID;
//查看是不是少了參數
if (argc!=2)
{
printf("\n USAGE : %s <pid>\n", argv[0]);
return 1;
}
//提權
if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
return 1;
//代碼注入
dwPID = (DWORD)atol(argv[1]);
InjectCode(dwPID);
return 0;
}
編譯生成名稱為CodeInjection.exe的Released文件。
2)將被注入DLL文件和CodeInjection文件放在同一部目錄。打開指定要注入的目標程序,使用processExploer查看其PID。
如下圖:
可知notePad.exe的PID為16864
3)使用管理權限打開cmd,輸入d:轉至CodeInjection.exe所在目錄,輸入CodeInjection.exe 16864
如下圖:
很明顯,已經成功注入。我們在看看processExlpoer中的結果。如下圖:
我們發現注入的Msg.dll並沒有駐留在notepade進程中,而是注入完畢就消失了。
0x02 使用OD進行代碼注入調試
1)使用OD載入notepad.exe。點擊F9正常運行,如下圖:
2)點擊選項,點擊調試設置,點開事件,選擇在中斷與新線程(代碼注入原理就是使用createRemoteThread創建新線程運行)。如下圖:
3)依上一節所講的再次進行代碼注入:
4)此時OD停在了CodeInjection.exe程序的開始地址,如下圖:
下面就可以對CodeInjection的代碼進行逆向分析了。
再次按F9的話,程序就會注入成功。如下圖:
