dll注入與代碼注入

學習《逆向工程核心原理》，在x64下dll注入與代碼注入。

dll注入主要用到CreateRemoteThread，

HANDLE WINAPI CreateRemoteThread(

__in HANDLE hProcess,

__in LPSECURITY_ATTRIBUTES lpThreadAttributes,

__in SIZE_T dwStackSize,

__in LPTHREAD_START_ROUTINE lpStartAddress,

__in LPVOID lpParameter,

__in DWORD dwCreationFlags,

__out LPDWORD lpThreadId

);

利用獲取到的LoadLibraryW地址作為lpStartAddress，需注入進程中分配保存的dll名稱作為lpParameter，實現動態加載dll

代碼注入類似，主要用到VirtualAllocEx，WriteProcessMemory，在需注入的進程中開辟空間，寫入代碼，變量。

 

#include "pch.h"
#include <windows.h>
#include <tchar.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <shlobj.h>
extern void checkAdmin();

//遍歷輸出進程pid
int TraversalProcess() {
    HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProceessnap == INVALID_HANDLE_VALUE)
    {
        printf_s("創建進行快照失敗\n");
        return -1;
    }
    else
    {
        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof(pe32);
        BOOL hProcess = Process32First(hProceessnap, &pe32);
        while (hProcess)
        {
            /*WCHAR * ProcessName =(WCHAR *)L"ProcessID.exe";
            if (!wcscmp(pe32.szExeFile, ProcessName))
            {*/
                printf("進程名：%-10ls ----------------進程ID：%6d\n", pe32.szExeFile, pe32.th32ProcessID);
            /*    break;
            }*/
            hProcess = Process32Next(hProceessnap, &pe32);
        }
    }
    CloseHandle(hProceessnap);
}

//設置權限
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    HANDLE hToken;
    LUID luid;

    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
        &hToken))
    {
        _tprintf(L"OpenProcessToken error: %u\n", GetLastError());
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,           // lookup privilege on local system
        lpszPrivilege,  // privilege to lookup 
        &luid))        // receives LUID of privilege
    {
        _tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    // Enable the privilege or disable all privileges.
    if (!AdjustTokenPrivileges(hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES)NULL,
        (PDWORD)NULL))
    {
        _tprintf(L"AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }

    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        _tprintf(L"The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}

//dll注入
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;

    // #1. 使用dwPID請求對象進程(notepad.exe)的HANDLE。
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        _tprintf(L"OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
        return FALSE;
    }

    // #2. 在目標進程(notepad.exe)內存中分配與szDllName大小相同的內存。
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);

    // #3. 在分配的內存中使用dll路徑
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);

    // #4. 請求到LoadLibraryA() API地址。
    hMod = GetModuleHandle(L"kernel32.dll");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");

    // #5. 在notepad.exe進程中運行線程
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    //通過CreateRemoteThread，調用pThreadProc，即LoadLibraryW，參數為在需注入進程中開辟的內存（存儲了dll路徑）

    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);

    return TRUE;
}
//卸載dll
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName)
{
    BOOL bMore = FALSE, bFound = FALSE;
    HANDLE hSnapshot, hProcess, hThread;
    HMODULE hModule = NULL;
    MODULEENTRY32 me = { sizeof(me) };
    LPTHREAD_START_ROUTINE pThreadProc;
    // dwPID = notepad 進程 ID
    // 使用TH32CS_SNAPMODULE參數獲得載入notepad程序的DLL名稱
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);

    bMore = Module32First(hSnapshot, &me);
    for (; bMore; bMore = Module32Next(hSnapshot, &me))
    {
        if (!_tcsicmp((LPCTSTR)me.szModule, szDllName) ||
            !_tcsicmp((LPCTSTR)me.szExePath, szDllName))
        {
            bFound = TRUE;
            break;
        }
    }

    if (!bFound)
    {
        CloseHandle(hSnapshot);
        return FALSE;
    }

    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        _tprintf(L"OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
        return FALSE;
    }

    hModule = GetModuleHandle(L"kernel32.dll");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
    hThread = CreateRemoteThread(hProcess, NULL, 0,
        pThreadProc, me.modBaseAddr,
        0, NULL);
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);
    CloseHandle(hSnapshot);

    return TRUE;
}


//代碼注入所需結構體
typedef struct _THREAD_PARAM
{
    FARPROC pFunc[2];               // LoadLibraryA(), GetProcAddress()
    char    szBuf[4][128];          // "user32.dll", "MessageBoxA", "www.reversecore.com", "ReverseCore"
} THREAD_PARAM, *PTHREAD_PARAM;

typedef HMODULE(WINAPI *PFLOADLIBRARYA)
(
    LPCSTR lpLibFileName
    );

typedef FARPROC(WINAPI *PFGETPROCADDRESS)
(
    HMODULE hModule,
    LPCSTR lpProcName
    );

typedef int (WINAPI *PFMESSAGEBOXA)
(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType
    );

//需注入的代碼
DWORD WINAPI ThreadProc(LPVOID lParam)
{
    PTHREAD_PARAM   pParam = (PTHREAD_PARAM)lParam;
    HMODULE         hMod = NULL;
    FARPROC         pFunc = NULL;
    //調用 LoadLibrary()  加載 "user32.dll"
    hMod = ((PFLOADLIBRARYA)pParam->pFunc[0])(pParam->szBuf[0]);    // "user32.dll"
    if (!hMod)
        return 1;

    //調用 GetProcAddress() 獲取"MessageBoxA"
    pFunc = (FARPROC)((PFGETPROCADDRESS)pParam->pFunc[1])(hMod, pParam->szBuf[1]);  // "MessageBoxA"
    if (!pFunc)
        return 1;

    // 調用MessageBoxA()
    ((PFMESSAGEBOXA)pFunc)(NULL, pParam->szBuf[2], pParam->szBuf[3], MB_OK);
    return 0;
}

//實現代碼注入
BOOL InjectCode(DWORD dwPID)
{
    HMODULE         hMod = NULL;
    THREAD_PARAM    param = { 0, };
    HANDLE          hProcess = NULL;
    HANDLE          hThread = NULL;
    LPVOID          pRemoteBuf[2] = { 0, };
    DWORD           dwSize = 0;

    hMod = GetModuleHandleA("kernel32.dll");

    // set THREAD_PARAM   
    param.pFunc[0] = GetProcAddress(hMod, "LoadLibraryA");
    param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");
    strcpy_s(param.szBuf[0], "user32.dll");
    strcpy_s(param.szBuf[1], "MessageBoxA");
    strcpy_s(param.szBuf[2], "這是code inject");
    strcpy_s(param.szBuf[3], "好開心！");

    // Open Process
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS,   // dwDesiredAccess
        FALSE,                // bInheritHandle
        dwPID)))             // dwProcessId
    {
        printf("OpenProcess() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }

    // Allocation for THREAD_PARAM       寫入代碼注入所需的data
    dwSize = sizeof(THREAD_PARAM);
    if (!(pRemoteBuf[0] = VirtualAllocEx(hProcess,          // hProcess
        NULL,                 // lpAddress
        dwSize,               // dwSize
        MEM_COMMIT,           // flAllocationType
        PAGE_READWRITE)))    // flProtect
    {
        printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
    SIZE_T sz = 0;
    if (!WriteProcessMemory(hProcess,                       // hProcess
        pRemoteBuf[0],                  // lpBaseAddress
        (LPVOID)&param,                 // lpBuffer
        dwSize,                         // nSize
        &sz))                         // [out] lpNumberOfBytesWritten
    {
        printf("寫入大小:%d\n", sz);
        printf("THREAD_PARAM  WriteProcessMemory() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }

    // Allocation for ThreadProc()     寫入代碼
    dwSize = abs((int)((DWORD)InjectCode - (DWORD)ThreadProc));
    
    printf("dwSize:%d\n", dwSize);
    //dwSize = 1024;
    if (!(pRemoteBuf[1] = VirtualAllocEx(hProcess,          // hProcess
        NULL,                 // lpAddress
        dwSize,               // dwSize
        MEM_COMMIT,           // flAllocationType
        PAGE_EXECUTE_READWRITE)))    // flProtect
    {
        printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
    sz = 0;
    if (!WriteProcessMemory(hProcess,                       // hProcess
        pRemoteBuf[1],                  // lpBaseAddress
        (LPVOID)ThreadProc,             // lpBuffer
        dwSize,                         // nSize
        &sz))                         // [out] lpNumberOfBytesWritten
    {
        printf("寫入大小:%d\n", sz);
        printf("ThreadProc() WriteProcessMemory() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }
    printf("ThreadProc()寫入大小:%d\n", sz);
    if (!(hThread = CreateRemoteThread(hProcess,            // hProcess
        NULL,                // lpThreadAttributes
        0,                   // dwStackSize
        (LPTHREAD_START_ROUTINE)pRemoteBuf[1],     // dwStackSize
        pRemoteBuf[0],       // lpParameter
        0,                   // dwCreationFlags
        NULL)))             // lpThreadId
    {
        printf("CreateRemoteThread() fail : err_code = %d\n", GetLastError());
        return FALSE;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    printf("code inject end\n");
    return TRUE;
}


int _tmain(int argc, TCHAR *argv[])
{
    /*if (argc != 3)
    {
        _tprintf(L"USAGE : %s <pid> <dll_path>\n", argv[0]);
        return 1;
    }*/
    // change privilege
      // 判斷當前進程是否以管理員身份運行
    checkAdmin();
    /*if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
        return 1;*/
    //TraversalProcess();
    TCHAR pid[10];
    TCHAR path[MAX_PATH];
    system("tasklist");
    printf("ok\n");
    printf("輸入要注入的進程pid：\n");
    scanf_s("%ls", pid, 10);
    printf("請選擇功能：1.dll注入 2.代碼注入\n");
    int flag = 0;
    scanf_s("%d", &flag, 1);
    if (flag == 1) {
    printf("輸入要注入的dll路徑：");
    scanf_s("%ls", path,MAX_PATH);
    // inject dll
    if (InjectDll((DWORD)_tstol(pid), path))
        _tprintf(L"InjectDll(\"%s\") success!!!\n", path);
    else
        _tprintf(L"InjectDll(\"%s\") failed!!!\n", path);
    printf("輸入q 卸載dll\n");
    while (getchar() != 'q');
    TCHAR *p = _tcsrchr(path, '\\');
    if(EjectDll((DWORD)_tstol(pid), p+1))
        printf("卸載dll成功！\n");
    else 
    {
        printf("卸載失敗！\n");
    }

    system("pause");
    return 0;
    }
    else if (flag == 2)
    {
        InjectCode((DWORD)_tstol(pid));
        system("pause");
        return 0;
    }
    else
    {
        system("pause");
        return 0;
    }
}

判斷當前運行時的權限，以管理員身份運行。

BOOL    IsAdmin(HANDLE hProcess)
{
    HANDLE hToken = NULL;
    OpenProcessToken(hProcess, TOKEN_QUERY, &hToken);

    TOKEN_ELEVATION_TYPE tokenType = TokenElevationTypeDefault; // 用於接收令牌類型

    DWORD dwRetSize = 0; // 用於接收函數輸出信息的字節數

    // 2. 查詢進程令牌中的權限提升值.( 這個值會記錄當前的令牌是何種類型( 細節在17_權限管理_令牌的獲取.cpp ) )
    GetTokenInformation(hToken,
        TokenElevationType,// 獲取令牌的當前提升等級
        &tokenType,
        sizeof(tokenType),
        &dwRetSize // 所需緩沖區的字節數
    );


    // 根據令牌的類型來輸出相應的信息
    if (TokenElevationTypeFull == tokenType) {
        // 3. 如果令牌是TokenElevationTypeFull , 則擁有至高無上的能力,可以給令牌添加任何特權
        printf("管理員賬戶,並擁有全部的權限,可以給令牌添加任何特權\n");
        return TRUE;
    }
    // 4. 如果是其他的, 則需要以管理員身份重新運行本進程. 這樣就能以第三步的方法解決剩下的問題.
    else if (TokenElevationTypeDefault == tokenType) {
        printf("默認用戶, 可能是一個普通用戶, 可能是關閉UAC時登錄的管理員用戶\n");

        // 調用系統函數IsUserAnAdmin, 進一步確定是普通用戶還是管理員用戶
        return IsUserAnAdmin();
    }
    else if (TokenElevationTypeLimited == tokenType) {

        // 判斷受限制的用戶是管理員
        // 如果是管理員, 則這個令牌中會保存有管理員的SID

        // 1. 獲取系統內鍵管理員用戶的SID
        SID adminSid;
        DWORD dwSize = sizeof(adminSid);
        CreateWellKnownSid(WinBuiltinAdministratorsSid, // 獲取SID的類型,這里是系統內鍵管理員
            NULL, // 傳NULL,獲取本地計算機的管理員
            &adminSid,// 函數輸出的管理員SID
            &dwSize // 輸入結構的大小,也作為輸出
        );

        // 獲取本令牌的連接令牌(受限制的令牌都會有一個連接的令牌,受限制的令牌正式由主令牌所創建的. )
        TOKEN_LINKED_TOKEN linkToken;
        GetTokenInformation(hToken,
            TokenLinkedToken, // 獲取連接的令牌句柄
            &linkToken,
            sizeof(linkToken),
            &dwSize
        );

        // 在連接的令牌中查找是否具有管理員的SID
        BOOL    bIsContain = FALSE; // 用於保存是否包含.
        CheckTokenMembership(linkToken.LinkedToken, // 在這個令牌中檢查
            &adminSid,             // 檢查令牌中是否包含此SID
            &bIsContain);           // 輸出TRUE則包含,反之不包含



        if (bIsContain) {
            printf("權限被閹割的受限制管理員賬戶, 部分權限被移處理\n");
        }


        return bIsContain; // 不是以管理員權限運行
    }

    return FALSE;
}

void checkAdmin() {
    if (!IsAdmin(GetCurrentProcess())) {

        // 以管理員身份運行本進程
        //  1 獲取本進程的文件路徑.
        TCHAR path[MAX_PATH] = { 0 }; // 需要初始化
        DWORD dwPathSize = MAX_PATH;
        QueryFullProcessImageName(GetCurrentProcess(), 0,
            path,
            &dwPathSize);

        // 2 調用創建進程的API運行本進程.
        ShellExecute(NULL,            // 窗口句柄,沒有則填NULL
            _T("runas"),   // 以管理員身份運行的重要參數
            path,            // 所有運行的程序的路徑(這里是本進程)
            NULL,            // 命令行參數
            NULL,            // 新進程的工作目錄的路徑
            SW_SHOW           // 創建后的顯示標志(最小化,最大化, 顯示,隱藏等)
        );

        // 退出本進程
        ExitProcess(0);
    }
}