远程注入代码测试

避免写shellcode, 还是依赖的硬编码


// 远程代码注入.cpp : 定义控制台应用程序的入口点。
 //
 
 #include "stdafx.h"
 #include <windows.h>
 //自己定义个结构体,方面后面参数使用
 /************************************************************************/
 /* 远程线程实现CreateFile                                                                     */
 /************************************************************************/
 typedef struct 
 {
 
     DWORD dwCreateAPIAddr;                //Createfile函数的地址
     LPCTSTR lpFileName;                    //下面都是CreateFile所需要用到的参数
     DWORD dwDesiredAccess;
     DWORD dwShareMode;
     LPSECURITY_ATTRIBUTES lpSecurityAttributes;
     DWORD dwCreationDisposition;
     DWORD dwFlagsAndAttributes;
     HANDLE hTemplateFile;
 }CREATEFILE_PARAM;
 
 //定义一个函数指针
 typedef HANDLE(WINAPI* PFN_CreateFile)
 (LPCTSTR lpFileName,
     DWORD dwDesiredAccess,
     DWORD dwShareMode,
     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
     DWORD dwCreationDisposition,
     DWORD dwFlagsAndAttributes,
     HANDLE hTemplateFile);
 
 
 //编写要复制到目标进程的函数 2 
 DWORD _stdcall CreateFileThreadProc(LPVOID lparam)
 {
     CREATEFILE_PARAM* Gcreate = (CREATEFILE_PARAM*)lparam;
     PFN_CreateFile pfnCreateFile;
     pfnCreateFile =(PFN_CreateFile) Gcreate->dwCreateAPIAddr;
     //creatFile结构体全部参数 1
     pfnCreateFile(
	 Gcreate->lpFileName, Gcreate->dwDesiredAccess, 
	 Gcreate->dwShareMode,
     Gcreate->lpSecurityAttributes, 
	 Gcreate->dwCreationDisposition, 
	 Gcreate->dwFlagsAndAttributes,
     Gcreate->hTemplateFile);
     
     return 0; 
 
 }
 
 //远程创建文件
 BOOL RemotCreateFile(DWORD dwProcessID, char* szFilePathName)
 {
     BOOL bRet;
     DWORD dwThread;
     HANDLE hProcess;
     HANDLE hThread;
     DWORD dwThreadFunSize;
     CREATEFILE_PARAM GCreateFile;
     LPVOID lpFilePathName;
     LPVOID lpRemotThreadAddr;
     LPVOID lpFileParamAddr;
     DWORD dwFunAddr;
     HMODULE hModule;
     
 
     bRet = 0;
     hProcess = 0;
     dwThreadFunSize = 0x400;
     //1.获取进程的句柄
     hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
     if (hProcess == NULL)
     {
         OutputDebugString("OpenProcessError!\n");
         return FALSE;
     }
     //2.分配3段内存:存储参数,线程函数,文件名
     //2.1 用来存储文件名,//+1是要计算到结尾处
     lpFilePathName = VirtualAllocEx(hProcess, NULL, strlen(szFilePathName)+1, MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
     
     //2.2 用来存储线程函数
     lpRemotThreadAddr = VirtualAllocEx(hProcess, NULL, dwThreadFunSize, MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
 
     //2.3 用来存储文件参数
     lpFileParamAddr = VirtualAllocEx(hProcess, NULL, sizeof(CREATEFILE_PARAM), MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
 
 
     //3. 初始化CreateFile参数
     GCreateFile.dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
     GCreateFile.dwShareMode = 0;
     GCreateFile.lpSecurityAttributes = NULL;
     GCreateFile.dwCreationDisposition = OPEN_ALWAYS;
     GCreateFile.dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL;
     GCreateFile.hTemplateFile = NULL;
     
     //4.获取CreateFile的地址
     /*因为每个进程中的LoadLibrary函数都在Kernel32,dll中,而且此dll的物理页是共享的,所以
     我们进程中获得的LoadLibrary地址和别的进程都是一样的*/
     hModule = GetModuleHandle("kernel32.dll");
     GCreateFile.dwCreateAPIAddr = (DWORD)GetProcAddress(hModule, "CreateFileA");
     FreeLibrary(hModule);
 
     //5.初始化CreatFile文件名
     GCreateFile.lpFileName = (LPCTSTR)lpFilePathName;
 
     //6.修改线程函数起始地址
     dwFunAddr = (DWORD)CreateFileThreadProc;
     
     //间接跳
     if (*((BYTE*)dwFunAddr) == 0xE9)
     {
         dwFunAddr = dwFunAddr + 5 + *(DWORD*)(dwFunAddr + 1);
     }
 
     //7.开始复制
     //7.1 拷贝文件名
     WriteProcessMemory(hProcess, lpFilePathName, szFilePathName, strlen(szFilePathName) + 1, 0);
 
     //7.2 拷贝线程函数
     WriteProcessMemory(hProcess, lpRemotThreadAddr, (LPVOID)dwFunAddr, dwThreadFunSize, 0);
 
     //7.3拷贝参数
     WriteProcessMemory(hProcess, lpFileParamAddr, &GCreateFile, sizeof(CREATEFILE_PARAM), 0);
 
 
     //8.创建远程线程
 
     hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemotThreadAddr, lpFileParamAddr, 0, &dwThread);//lpAllocAddr传给线程函数的参数.因为dll名字分配在内存中
     if (hThread == NULL)
     {
         OutputDebugString("CreateRemoteThread Error!\n");
         CloseHandle(hProcess);
         CloseHandle(hModule);
         return FALSE;
     }
     //9.关闭资源
     CloseHandle(hProcess);
     CloseHandle(hThread);
     CloseHandle(hModule);
     return TRUE;
 
 }
 
 
 int main()
 {
     RemotCreateFile(PID, "文件名");
	 return 0;
 }

原文链接: 远程注入代码测试 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙 ( https://gyarmy.com/post-614.html )

发表评论

1则评论给“远程注入代码测试”

  1. 流沙

    111111111111111

    回复