Dll注入:x86/X64 SetThreadContext 注入
在《Windows核心编程》第七章说到了线程优先级等知识,其中谈到了ThreadContext线程上下背景文。
其中介绍了GetThreadContext函数来查看线程内核对象的内部,并获取当前CPU寄存器状态的集合。
BOOL GetThreadContext (
HANDLE hThread,
PCONTEXT pContext);
若要调用该函数,只需指定一个CONTEXT结构,对某些标志(该结构的ContextFlags成员)进行初始化,指明想要收回哪些寄存器,并将该结构的地址传递给GetThreadContext 。然后该函数将数据填入你要求的成员。
在调用GetThreadContext函数之前,应该调用SuspendThread,否则,线程可能刚好被调度,这样一来,线程的上下文就和所获取的信息不一致了。
示例代码如下:
CONTEXT Context; //定义一个CONTEXT结构
Context.ContextFlags = CONTEXT_CONTROL; //告诉系统我们想获取线程控制寄存器的内容
GetThreadContext(hThread, &Context); //调用GetThreadContext获取相关信息
Ps:在调用GetThreadContext函数之前,必须首先初始化CONTEXT结构的ContextFlags成员。
要获得线程的所有重要的寄存器(也就是微软认为最常用的寄存器),应该像下面一样初始化ContextFlags:
Context.ContextFlags = CONTEXT_FULL;
通过vs2015的<winnt.h>中的定义可知CONTEXT的结构:
typedef struct _CONTEXT {
//
// The flags values within this flag control the contents of
// a CONTEXT record.
//
// If the context record is used as an input parameter, then
// for each portion of the context record controlled by a flag
// whose value is set, it is assumed that that portion of the
// context record contains valid context. If the context record
// is being used to modify a threads context, then only that
// portion of the threads context will be modified.
//
// If the context record is used as an IN OUT parameter to capture
// the context of a thread, then only those portions of the thread's
// context corresponding to set flags will be returned.
//
// The context record is never used as an OUT only parameter.
//
DWORD ContextFlags;
//
// This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
// set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
// included in CONTEXT_FULL.
//
DWORD Dr0;
DWORD Dr1;
DWORD Dr2;
DWORD Dr3;
DWORD Dr6;
DWORD Dr7;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_FLOATING_POINT.
//
FLOATING_SAVE_AREA FloatSave;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_SEGMENTS.
//
DWORD SegGs;
DWORD SegFs;
DWORD SegEs;
DWORD SegDs;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_INTEGER.
//
DWORD Edi;
DWORD Esi;
DWORD Ebx;
DWORD Edx;
DWORD Ecx;
DWORD Eax;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_CONTROL.
//
DWORD Ebp;
DWORD Eip;
DWORD SegCs; // MUST BE SANITIZED
DWORD EFlags; // MUST BE SANITIZED
DWORD Esp;
DWORD SegSs;
//
// This section is specified/returned if the ContextFlags word
// contains the flag CONTEXT_EXTENDED_REGISTERS.
// The format and contexts are processor specific
//
BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];
} CONTEXT;
在WinNT. h头文件中,定义了CONTEXT_FULL为CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS。
当然,我们还可以通过调用SetThreadContext函数来改变结构中的成员,并把新的寄存器值放回线程的内核对象中
BOOL SetThreadContext (
HANDLE hThread,
CONST CONTEXT *pContext);
由此考虑到可以修改EIP的值,来执行我们的代码,实现注入。首先我们先挂起目标线程,
CONTEXT Context; //定义一个CONTEXT结构
SuspendThread(hThread); //挂起线程
ThreadContext.ContextFlags = CONTEXT_ALL; //修改对Context操作的权限
GetThreadContext(hThread, &Context); //获得Context信息
BufferData = VirtualAllocEx() //在目标线程申请内存 来执行我们的shellcode
编写shellcode
WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL) // 写入shellcode
ThreadContext.Eip = (UINT32)BufferData //修改EIP指向
Context.ContextFlags = CONTEXT_CONTROL;
SetThreadContext(hThread, &Context); //重新设置线程上下文
ResumeThread(hThread); //恢复线程,现在线程开始从BufferData这个地方开始执行指令
// SetThreadContext.cpp : 定义控制台应用程序的入口点。
// #include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <vector>
#include <iostream> using namespace std; BOOL GrantPriviledge(WCHAR* PriviledgeName);
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId);
BOOL GetThreadIdByProcessId(UINT32 ProcessId, vector<UINT32>& ThreadIdVector);
BOOL Inject(UINT32 ProcessId, UINT32 ThreadId); #ifdef _WIN64 UINT8 ShellCode[0x100] = {
0x48,0x83,0xEC,0x28, 0x48,0x8D,0x0d,
0x00,0x00,0x00,0x00, 0xff,0x15,
0x00,0x00,0x00,0x00, 0x48,0x83,0xc4,0x28, 0xff,0x25,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00, };
#else UINT8 ShellCode[0x100] = {
0x60,
0x9c,
0x68,
0x00,0x00,0x00,0x00,
0xff,0x15,
0x00,0x00,0x00,0x00,
0x9d,
0x61,
0xff,0x25,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
}; #endif CHAR DllFullPath[MAX_PATH] = { }; int main()
{
// 提权
if (GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
} UINT32 ProcessId = ; GetCurrentDirectoryA(MAX_PATH, DllFullPath); #ifdef _WIN64
GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId); strcat_s(DllFullPath, "\\x64Dll.dll");
#else
GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId);
strcat_s(DllFullPath, "\\x86Dll.dll");
#endif //枚举到线程id
vector<UINT32> ThreadIdVector;
GetThreadIdByProcessId(ProcessId, ThreadIdVector); for (UINT32 ThreadId : ThreadIdVector)
{
Inject(ProcessId, ThreadId);
break;
} Sleep(); return ;
} UINT32 Count = ;
BOOL Inject(UINT32 ProcessId, UINT32 ThreadId)
{
HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); // 首先挂起线程
SuspendThread(ThreadHandle); CONTEXT ThreadContext = { };
ThreadContext.ContextFlags = CONTEXT_ALL;
if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
{
cout << GetLastError() << endl;
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return FALSE;
} PVOID BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (BufferData != NULL)
{
UINT_PTR LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
if (LoadLibraryAddress != NULL)
{
#ifdef _WIN64 // ShellCode + 43
PUINT8 v1 = ShellCode + ;
memcpy(v1, DllFullPath, strlen(DllFullPath) + );
UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + ) - ((PUINT8)BufferData + ) - );
*(PUINT32)(ShellCode + ) = DllNameOffset; // ShellCode + 35
*(PUINT64)(ShellCode + ) = (UINT64)LoadLibraryAddress;
UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + ) - ((PUINT8)BufferData + ) - );
*(PUINT32)(ShellCode + ) = LoadLibraryAddressOffset; *(PUINT64)(ShellCode + ) = ThreadContext.Rip; if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
return FALSE;
}
ThreadContext.Rip = (UINT64)BufferData; #else
PUINT8 v1 = ShellCode + ; memcpy((char*)v1, DllFullPath, strlen(DllFullPath) + );
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ; *(PUINT32)(ShellCode + ) = LoadLibraryAddress;
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ; *(PUINT32)(ShellCode + ) = ThreadContext.Eip;
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ;
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
printf("write Process Error\n");
return FALSE;
}
ThreadContext.Eip = (UINT32)BufferData; #endif
if (!SetThreadContext(ThreadHandle, &ThreadContext))
{
printf("set thread context error\n");
return FALSE;
}
ResumeThread(ThreadHandle); printf("ShellCode 注入完成: %d\r\n", ++Count);
}
} CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return TRUE;
} //获得线程ID
BOOL GetThreadIdByProcessId(UINT32 ProcessId, vector<UINT32>& ThreadIdVector)
{
HANDLE ThreadSnapshotHandle = NULL;
THREADENTRY32 ThreadEntry32 = { }; ThreadEntry32.dwSize = sizeof(THREADENTRY32); ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, );
if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
} Thread32First(ThreadSnapshotHandle, &ThreadEntry32);
do
{
if (ThreadEntry32.th32OwnerProcessID == ProcessId)
{
ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID); // 把该进程的所有线程id压入模板
}
} while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32)); CloseHandle(ThreadSnapshotHandle);
ThreadSnapshotHandle = NULL;
return TRUE;
} BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId)
{
HANDLE ProcessSnapshotHandle = NULL;
PROCESSENTRY32 ProcessEntry32 = { }; ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ); if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
} Process32First(ProcessSnapshotHandle, &ProcessEntry32);
do
{
if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == )
{
*TargetProcessId = ProcessEntry32.th32ProcessID;
break;
}
} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32)); CloseHandle(ProcessSnapshotHandle);
ProcessSnapshotHandle = NULL;
return TRUE;
} // 提限
BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;
DWORD dwReturnLength = sizeof(OldPrivileges);
HANDLE TokenHandle = NULL;
LUID uID; // 打开权限令牌
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
{
if (GetLastError() != ERROR_NO_TOKEN)
{
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
{
return FALSE;
}
} //查看权限令牌
if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
{
CloseHandle(TokenHandle);
return FALSE;
} TokenPrivileges.PrivilegeCount = ;
TokenPrivileges.Privileges[].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[].Luid = uID; // 调整权限
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
{
CloseHandle(TokenHandle);
return FALSE;
} CloseHandle(TokenHandle);
return TRUE;
}
该方法注入explorer,只能注入一次,然后需要重启电脑。
Dll注入:x86/X64 SetThreadContext 注入的更多相关文章
- 『开源重编译』System.Data.SQLite.dll 自适应 x86 x64 AnyCPU 重编译
背景: > System.Data.SQLite.dll 程序集 不能良好的支持 AngCPU 格式 System.Data.SQLite.dll 在 适应 x86 和 x64 有三个方案: & ...
- Windows x86 x64使用SetThreadContext注入shellcode的方式加载DLL
一.前言 注入DLL的方式有很多,在R3就有远程线程CreateRemoteThread.SetWindowsHookEx.QueueUserApc.SetThreadContext 在R0可以使用a ...
- Dll注入:注册表注入
在系统中每一个进程加载User32.dll时,会受到DLL_PROCESS_ATTACH通知,当User32.dll对其进行处理时,会取得注册表键值HKEY_LOCAL_MACHINE\Softwar ...
- Dll注入技术之ComRes注入
DLL注入技术之ComRes注入 ComRes注入的原理是利用Windows 系统中C:\WINDOWS\system32目录下的ComRes.dll这个文件,当待注入EXE如果使用CoCreateI ...
- Dll注入技术之输入法注入
DLL注入技术之输入法注入 输入法注入原理是利用Windows系统中在切换输入法需要输入字符时,系统就会把这个输入法需要的ime文件装载到当前进程中,而由于这个Ime文件本质上只是个存放在C:\WIN ...
- 关于VS项目平台的x86,x64,Any CPU以及Debug和Release的区别
相信对于很多刚接触打包程序的同志来说,关于x86,x64,Any CPU这三个项目平台,以及解决方案配置Debug和Release有什么区别?这个问题一定有许多的困惑,甚至不乏一些已经工作了很久的老程 ...
- 构建ASP.NET MVC4+EF5+EasyUI+Unity2.x注入的后台管理系统(6)-Unity 2.x依赖注入by运行时注入[附源码]
原文:构建ASP.NET MVC4+EF5+EasyUI+Unity2.x注入的后台管理系统(6)-Unity 2.x依赖注入by运行时注入[附源码] Unity 2.x依赖注入(控制反转)IOC,对 ...
- 关于.NET编译的目标平台(AnyCPU,x86,x64) (转)
关于.NET编译的目标平台(AnyCPU,x86,x64)(转) 今天有项目的代码收到客户的反馈,要求所有的EXE工程的目标平台全部指定成x86,而所有DLL工程的目标平台全部指定成AnyCPU . ...
- Spring.NET依赖注入框架学习--简单对象注入
Spring.NET依赖注入框架学习--简单对象注入 在前面的俩篇中讲解了依赖注入的概念以及Spring.NET框架的核心模块介绍,今天就要看看怎么来使用Spring.NET实现一个简单的对象注入 常 ...
随机推荐
- python学习笔记11 ----线程、进程、协程
进程.线程.协程的概念 进程和线程是操作系统中两个很重要的概念,对于一般的程序,可能有若干个进程,每一个进程有若干个同时执行的线程.进程是资源管理的最小单位,线程是程序执行的最小单位(线程可共享同一进 ...
- 【并发编程】Future模式添加Callback及Promise 模式
Future Future是Java5增加的类,它用来描述一个异步计算的结果.你可以使用 isDone 方法检查计算是否完成,或者使用 get 方法阻塞住调用线程,直到计算完成返回结果.你也可以使用 ...
- python接口自动化(三十五)-封装与调用--流程类接口关联(详解)
简介 流程相关的接口,主要用 session 关联,如果写成函数(如上篇),s 参数每个函数都要带,每个函数多个参数,这时候封装成类会更方便.在这里我们还是以博客园为例,带着小伙伴们实践一下. 接口封 ...
- Linux系列教程-----Linux安装centos6.8
转发:https://www.cnblogs.com/ysocean/p/7689146.html
- Codeforces Round #527 (Div. 3)C(多重集,STRING)
#include<bits/stdc++.h>using namespace std;const int maxn=1e6+7;pair<string,int>p[maxn]; ...
- sqoop 安装与命令
1. 下载: wget http://mirrors.shu.edu.cn/apache/sqoop/1.4.7/sqoop-1.4.7.bin__hadoop-2.6.0.tar.gz 2. 解 ...
- any cpu ×86 ×64
On a 32-bit machine: Any CPU: runs as a 32-bit process, can load Any CPU and x86 assemblies, will ge ...
- express-http-proxy 的基础使用
const app = express() app.use(matchPath, proxy(serverAddress, { proxyReqPathResolver: function(req) ...
- PAT天梯赛L3-005 垃圾箱分布
题目链接:点击打开链接 大家倒垃圾的时候,都希望垃圾箱距离自己比较近,但是谁都不愿意守着垃圾箱住.所以垃圾箱的位置必须选在到所有居民点的最短距离最长的地方,同时还要保证每个居民点都在距离它一个不太远的 ...
- BZOJ 4165 矩阵 堆
先把每个长为$mina$,宽为$minb$的矩阵扔到堆里,然后由于矩阵中的数都是正的,所以我们每取出来一个矩形,,就把他向四个方向扩张一行,再把这新的且更大的四个矩形扔到堆里.注意判重,于是我比较懒用 ...