Dll注入:x86/X64 SetThreadContext 注入
在《Windows核心编程》第七章说到了线程优先级等知识,其中谈到了ThreadContext线程上下背景文。
其中介绍了GetThreadContext函数来查看线程内核对象的内部,并获取当前CPU寄存器状态的集合。
BOOL GetThreadContext (
HANDLE hThread,
PCONTEXT pContext);
若要调用该函数,只需指定一个CONTEXT结构,对某些标志(该结构的ContextFlags成员)进行初始化,指明想要收回哪些寄存器,并将该结构的地址传递给GetThreadContext 。然后该函数将数据填入你要求的成员。
在调用GetThreadContext函数之前,应该调用SuspendThread,否则,线程可能刚好被调度,这样一来,线程的上下文就和所获取的信息不一致了。
示例代码如下:
CONTEXT Context; //定义一个CONTEXT结构
Context.ContextFlags = CONTEXT_CONTROL; //告诉系统我们想获取线程控制寄存器的内容
GetThreadContext(hThread, &Context); //调用GetThreadContext获取相关信息
Ps:在调用GetThreadContext函数之前,必须首先初始化CONTEXT结构的ContextFlags成员。
要获得线程的所有重要的寄存器(也就是微软认为最常用的寄存器),应该像下面一样初始化ContextFlags:
Context.ContextFlags = CONTEXT_FULL;
通过vs2015的<winnt.h>中的定义可知CONTEXT的结构:
typedef struct _CONTEXT {
//
// The flags values within this flag control the contents of
// a CONTEXT record.
//
// If the context record is used as an input parameter, then
// for each portion of the context record controlled by a flag
// whose value is set, it is assumed that that portion of the
// context record contains valid context. If the context record
// is being used to modify a threads context, then only that
// portion of the threads context will be modified.
//
// If the context record is used as an IN OUT parameter to capture
// the context of a thread, then only those portions of the thread's
// context corresponding to set flags will be returned.
//
// The context record is never used as an OUT only parameter.
//
DWORD ContextFlags;
//
// This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
// set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
// included in CONTEXT_FULL.
//
DWORD Dr0;
DWORD Dr1;
DWORD Dr2;
DWORD Dr3;
DWORD Dr6;
DWORD Dr7;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_FLOATING_POINT.
//
FLOATING_SAVE_AREA FloatSave;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_SEGMENTS.
//
DWORD SegGs;
DWORD SegFs;
DWORD SegEs;
DWORD SegDs;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_INTEGER.
//
DWORD Edi;
DWORD Esi;
DWORD Ebx;
DWORD Edx;
DWORD Ecx;
DWORD Eax;
//
// This section is specified/returned if the
// ContextFlags word contians the flag CONTEXT_CONTROL.
//
DWORD Ebp;
DWORD Eip;
DWORD SegCs; // MUST BE SANITIZED
DWORD EFlags; // MUST BE SANITIZED
DWORD Esp;
DWORD SegSs;
//
// This section is specified/returned if the ContextFlags word
// contains the flag CONTEXT_EXTENDED_REGISTERS.
// The format and contexts are processor specific
//
BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];
} CONTEXT;
在WinNT. h头文件中,定义了CONTEXT_FULL为CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS。
当然,我们还可以通过调用SetThreadContext函数来改变结构中的成员,并把新的寄存器值放回线程的内核对象中
BOOL SetThreadContext (
HANDLE hThread,
CONST CONTEXT *pContext);
由此考虑到可以修改EIP的值,来执行我们的代码,实现注入。首先我们先挂起目标线程,
CONTEXT Context; //定义一个CONTEXT结构
SuspendThread(hThread); //挂起线程
ThreadContext.ContextFlags = CONTEXT_ALL; //修改对Context操作的权限
GetThreadContext(hThread, &Context); //获得Context信息
BufferData = VirtualAllocEx() //在目标线程申请内存 来执行我们的shellcode
编写shellcode
WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL) // 写入shellcode
ThreadContext.Eip = (UINT32)BufferData //修改EIP指向
Context.ContextFlags = CONTEXT_CONTROL;
SetThreadContext(hThread, &Context); //重新设置线程上下文
ResumeThread(hThread); //恢复线程,现在线程开始从BufferData这个地方开始执行指令
// SetThreadContext.cpp : 定义控制台应用程序的入口点。
// #include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <vector>
#include <iostream> using namespace std; BOOL GrantPriviledge(WCHAR* PriviledgeName);
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId);
BOOL GetThreadIdByProcessId(UINT32 ProcessId, vector<UINT32>& ThreadIdVector);
BOOL Inject(UINT32 ProcessId, UINT32 ThreadId); #ifdef _WIN64 UINT8 ShellCode[0x100] = {
0x48,0x83,0xEC,0x28, 0x48,0x8D,0x0d,
0x00,0x00,0x00,0x00, 0xff,0x15,
0x00,0x00,0x00,0x00, 0x48,0x83,0xc4,0x28, 0xff,0x25,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00, };
#else UINT8 ShellCode[0x100] = {
0x60,
0x9c,
0x68,
0x00,0x00,0x00,0x00,
0xff,0x15,
0x00,0x00,0x00,0x00,
0x9d,
0x61,
0xff,0x25,
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
}; #endif CHAR DllFullPath[MAX_PATH] = { }; int main()
{
// 提权
if (GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
} UINT32 ProcessId = ; GetCurrentDirectoryA(MAX_PATH, DllFullPath); #ifdef _WIN64
GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId); strcat_s(DllFullPath, "\\x64Dll.dll");
#else
GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId);
strcat_s(DllFullPath, "\\x86Dll.dll");
#endif //枚举到线程id
vector<UINT32> ThreadIdVector;
GetThreadIdByProcessId(ProcessId, ThreadIdVector); for (UINT32 ThreadId : ThreadIdVector)
{
Inject(ProcessId, ThreadId);
break;
} Sleep(); return ;
} UINT32 Count = ;
BOOL Inject(UINT32 ProcessId, UINT32 ThreadId)
{
HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId); // 首先挂起线程
SuspendThread(ThreadHandle); CONTEXT ThreadContext = { };
ThreadContext.ContextFlags = CONTEXT_ALL;
if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
{
cout << GetLastError() << endl;
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return FALSE;
} PVOID BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (BufferData != NULL)
{
UINT_PTR LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
if (LoadLibraryAddress != NULL)
{
#ifdef _WIN64 // ShellCode + 43
PUINT8 v1 = ShellCode + ;
memcpy(v1, DllFullPath, strlen(DllFullPath) + );
UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + ) - ((PUINT8)BufferData + ) - );
*(PUINT32)(ShellCode + ) = DllNameOffset; // ShellCode + 35
*(PUINT64)(ShellCode + ) = (UINT64)LoadLibraryAddress;
UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + ) - ((PUINT8)BufferData + ) - );
*(PUINT32)(ShellCode + ) = LoadLibraryAddressOffset; *(PUINT64)(ShellCode + ) = ThreadContext.Rip; if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
return FALSE;
}
ThreadContext.Rip = (UINT64)BufferData; #else
PUINT8 v1 = ShellCode + ; memcpy((char*)v1, DllFullPath, strlen(DllFullPath) + );
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ; *(PUINT32)(ShellCode + ) = LoadLibraryAddress;
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ; *(PUINT32)(ShellCode + ) = ThreadContext.Eip;
*(PUINT32)(ShellCode + ) = (UINT32)BufferData + ;
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
printf("write Process Error\n");
return FALSE;
}
ThreadContext.Eip = (UINT32)BufferData; #endif
if (!SetThreadContext(ThreadHandle, &ThreadContext))
{
printf("set thread context error\n");
return FALSE;
}
ResumeThread(ThreadHandle); printf("ShellCode 注入完成: %d\r\n", ++Count);
}
} CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return TRUE;
} //获得线程ID
BOOL GetThreadIdByProcessId(UINT32 ProcessId, vector<UINT32>& ThreadIdVector)
{
HANDLE ThreadSnapshotHandle = NULL;
THREADENTRY32 ThreadEntry32 = { }; ThreadEntry32.dwSize = sizeof(THREADENTRY32); ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, );
if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
} Thread32First(ThreadSnapshotHandle, &ThreadEntry32);
do
{
if (ThreadEntry32.th32OwnerProcessID == ProcessId)
{
ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID); // 把该进程的所有线程id压入模板
}
} while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32)); CloseHandle(ThreadSnapshotHandle);
ThreadSnapshotHandle = NULL;
return TRUE;
} BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId)
{
HANDLE ProcessSnapshotHandle = NULL;
PROCESSENTRY32 ProcessEntry32 = { }; ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ); if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
} Process32First(ProcessSnapshotHandle, &ProcessEntry32);
do
{
if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == )
{
*TargetProcessId = ProcessEntry32.th32ProcessID;
break;
}
} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32)); CloseHandle(ProcessSnapshotHandle);
ProcessSnapshotHandle = NULL;
return TRUE;
} // 提限
BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;
DWORD dwReturnLength = sizeof(OldPrivileges);
HANDLE TokenHandle = NULL;
LUID uID; // 打开权限令牌
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
{
if (GetLastError() != ERROR_NO_TOKEN)
{
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
{
return FALSE;
}
} //查看权限令牌
if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
{
CloseHandle(TokenHandle);
return FALSE;
} TokenPrivileges.PrivilegeCount = ;
TokenPrivileges.Privileges[].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[].Luid = uID; // 调整权限
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
{
CloseHandle(TokenHandle);
return FALSE;
} CloseHandle(TokenHandle);
return TRUE;
}
该方法注入explorer,只能注入一次,然后需要重启电脑。
Dll注入:x86/X64 SetThreadContext 注入的更多相关文章
- 『开源重编译』System.Data.SQLite.dll 自适应 x86 x64 AnyCPU 重编译
背景: > System.Data.SQLite.dll 程序集 不能良好的支持 AngCPU 格式 System.Data.SQLite.dll 在 适应 x86 和 x64 有三个方案: & ...
- Windows x86 x64使用SetThreadContext注入shellcode的方式加载DLL
一.前言 注入DLL的方式有很多,在R3就有远程线程CreateRemoteThread.SetWindowsHookEx.QueueUserApc.SetThreadContext 在R0可以使用a ...
- Dll注入:注册表注入
在系统中每一个进程加载User32.dll时,会受到DLL_PROCESS_ATTACH通知,当User32.dll对其进行处理时,会取得注册表键值HKEY_LOCAL_MACHINE\Softwar ...
- Dll注入技术之ComRes注入
DLL注入技术之ComRes注入 ComRes注入的原理是利用Windows 系统中C:\WINDOWS\system32目录下的ComRes.dll这个文件,当待注入EXE如果使用CoCreateI ...
- Dll注入技术之输入法注入
DLL注入技术之输入法注入 输入法注入原理是利用Windows系统中在切换输入法需要输入字符时,系统就会把这个输入法需要的ime文件装载到当前进程中,而由于这个Ime文件本质上只是个存放在C:\WIN ...
- 关于VS项目平台的x86,x64,Any CPU以及Debug和Release的区别
相信对于很多刚接触打包程序的同志来说,关于x86,x64,Any CPU这三个项目平台,以及解决方案配置Debug和Release有什么区别?这个问题一定有许多的困惑,甚至不乏一些已经工作了很久的老程 ...
- 构建ASP.NET MVC4+EF5+EasyUI+Unity2.x注入的后台管理系统(6)-Unity 2.x依赖注入by运行时注入[附源码]
原文:构建ASP.NET MVC4+EF5+EasyUI+Unity2.x注入的后台管理系统(6)-Unity 2.x依赖注入by运行时注入[附源码] Unity 2.x依赖注入(控制反转)IOC,对 ...
- 关于.NET编译的目标平台(AnyCPU,x86,x64) (转)
关于.NET编译的目标平台(AnyCPU,x86,x64)(转) 今天有项目的代码收到客户的反馈,要求所有的EXE工程的目标平台全部指定成x86,而所有DLL工程的目标平台全部指定成AnyCPU . ...
- Spring.NET依赖注入框架学习--简单对象注入
Spring.NET依赖注入框架学习--简单对象注入 在前面的俩篇中讲解了依赖注入的概念以及Spring.NET框架的核心模块介绍,今天就要看看怎么来使用Spring.NET实现一个简单的对象注入 常 ...
随机推荐
- PostgreSQL 务实应用(四/5)JSON
JSON 可谓风靡互联网,在数据交换使用上,其优势特别明显,其结构简洁.可读易读.形式灵活.很多 API 接口的数据都采用 JSON 来表示. PostgreSQL 对 JSON 提供了良好的支持.具 ...
- SAS笔记(4) FIRST.和LAST.临时变量
FIRST.和LAST.临时变量是SAS很有特色的一点,我在R和Python中暂时没有发现类似的功能(也许它们也有这个功能,我不知道而已).考虑这样一种场景:我们有患者就诊的数据,每一条观测对应一个患 ...
- Unable to round-trip http request to upstream: EOF问题
Unable to round-trip http request to upstream: EOF, 今天我用的phpstudy环境中的网站页面忽然打不开了,报错“Unable to round-t ...
- GoWeb开发_Iris框架讲解(二):Get、Post、Put等请求及数据返回格式
数据请求方式的分类 所有的项目中使用的请求都遵循HTTP协议标准,HTTP协议经过了1.0和1.1两个版本的发展. HTTP1.0定义了三种请求方法: GET, POST 和 HEAD方法. HTTP ...
- Zjoi2011 看电影
最近在学习一些概率的东西.. 一个随机试验称为 Laplace 试验,当且仅当它满足如下两个条件: (ⅰ) 试验结果 (样本点) 的个数是有限的.(Ω 是有限集) (ⅱ) 任意两个基本事件的概率均相等 ...
- 【转载】C#中可使用Unity容器实现属性注入
简介 Unity :Unity是微软团队开发的一个轻量级,可扩展的依赖注入容器,为松散耦合应用程序提供了很好的解决方案,支持构造器注入,属性注入,方法注入. 控制反转:(Inversion of Co ...
- 2019南昌邀请赛网络赛:J distance on the tree
1000ms 262144K DSM(Data Structure Master) once learned about tree when he was preparing for NOIP(N ...
- windows下安装python包
1.windows下成功安装好python后,在安装目录的Scripts目录下有easy_install和pip工具 2.如果没有安装pip,进入命令行,切换到python的安装目录下的Scripts ...
- CAS操作
CAS操作: Compare and Swap,比较并操作,CPU指令,在大多数处理器架构,包括IA32.Space中采用的都是CAS指令,CAS的语义是“我认为V的值应该为A,如果是,那么将V的值更 ...
- 4 - Channelhandler和ChannelPipeline
4.1 Channelhandler 4.1.1 Channel声明周期(状态事件) 方法 描述 ChannelUnregistered Channnel已创建,但是未注册到EventLoop Cha ...