APC注入
目的:
向本机指定进程中 注入特定Dll
核心:
QueueUserAPC((PAPCFUNC)LoadLibraryWAddress, ThreadHandle,
(UINT_PTR)DllFullPathBufferData);
加载函数地址的获取: LoadLibraryWAddress =
(UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"),
"LoadLibrary");
该函数 用于当进程发生软中断时,向当前进程APC队列中注入LoadLibrary指针。由于该函数需要ThreadID,
故需要先通过目标进程ID找到该进程的线程
关于如何得到目标进程ID,是通过CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,
0),得到本机系统的进程快照,枚举进程,与目标进程名称相比较,
然后得到ProcessID。
得到ProcessID,再通过如上方法得到ThreadID,不过由于一个进程往往有较多的线程,故需要一个类似数组的数据结构来存储得到的线程,
故采用模板vector ThreadIDVector,QueueUserAPC函数 向线程中注入Dll
此方法 存在局限性 就本机测试而言 Taskmgr 无法打开
自己编写的程序能够实现注入
#include "stdafx.h"
#include
#include
#include
#include
using namespace std;
// Forward declarations. Of these, only GrantPriviledge (partially) and
// main are shown in this excerpt; GetThreadIDByProcessID,
// GetProcessIDByProcessImageName and InjectDllByAPC are defined elsewhere.
BOOL GrantPriviledge(IN PWCHAR PriviledgeName);
// NOTE(review): the vector's element type was lost in extraction; main()
// reads its elements as UINT32 thread IDs — confirm against the definition.
BOOL GetThreadIDByProcessID(IN UINT32 ProcessID, OUT vector
&ThreadIDVector);
BOOL GetProcessIDByProcessImageName(IN PWCHAR ProcessImageName,OUT
PUINT32 ProcessID);
BOOL InjectDllByAPC(UINT32 ProcessID, UINT32 ThreadID);
// Global buffer holding the DLL path; main() fills it from the current
// directory plus a fixed file name.
WCHAR
DllFullPath[MAX_PATH] = { 0 }; // patch (DLL) path
// Never written in this excerpt; presumably assigned inside
// InjectDllByAPC — verify there.
PVOID DllFullPathBufferData = NULL;
// Entry point: enables SeDebugPrivilege, resolves one target process by
// image name, enumerates its threads and calls InjectDllByAPC() once per
// thread. The helper functions are declared above; apart from
// GrantPriviledge their definitions are outside this excerpt.
// Defender note: the observable sequence on the host is a token privilege
// adjustment (SeDebugPrivilege), a process/thread enumeration, and an APC
// queued cross-process into every thread of the target, followed by a
// module load inside the target. Returns 0 on every path.
int main()
{
// A failed privilege grant is only logged; execution continues regardless.
if
(GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
}
// DLL path = <current directory>\Dll.dll. Neither the return value of
// GetCurrentDirectory nor the remaining room in the MAX_PATH buffer is
// checked before wcscat appends the file name.
GetCurrentDirectory(MAX_PATH, DllFullPath);
wcscat(DllFullPath, L"\\Dll.dll");
UINT32
ProcessID = 0;
// The target is selected by a hard-coded image name; when no process
// matches, the program exits silently with 0.
if
(GetProcessIDByProcessImageName(L"TeamViewer_Service.exe",
&ProcessID) == FALSE)
{
return
0;
}
// NOTE(review): the vector's element type was lost in extraction; the
// loop below reads elements as UINT32 — confirm against the definition.
vector
ThreadIDVector;
if
(GetThreadIDByProcessID(ProcessID, ThreadIDVector) == FALSE)
{
return
0;
}
size_t
ThreadCount = ThreadIDVector.size();
// The thread count is written to stdout with no label and no newline.
cout
<< ThreadCount;
// Threads are visited from last to first. For an empty vector,
// ThreadCount - 1 wraps as size_t; skipping the body then relies on that
// value converting to -1 when stored in INT_PTR.
for (INT_PTR
i = ThreadCount - 1; i >= 0; i--)
{
UINT32
ThreadID = ThreadIDVector[i];
// The return value is ignored, so a failure on one thread does not stop
// the loop. DllFullPathBufferData is not set here; presumably
// InjectDllByAPC fills it — verify in that function.
InjectDllByAPC(ProcessID, ThreadID);
}
}
提权函数:
BOOL GrantPriviledge(IN PWCHAR PriviledgeName)
{
HANDLE
TokenHandle = NULL;
TOKEN_PRIVILEGES TokenPrivileges;
TOKEN_PRIVILEGES OldTokenPrivileges;
DWORD
ReturnLength;
LUID
uID;
if
(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY,FALSE, &TokenHandle)) //使用windows函数API
{
if
(GetLastError() != ERROR_NO_TOKEN)
{
return
FALSE;
}
if
(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &TokenHandle))
{
return
FALSE;
}
} //WHY 先打开线程后打开进程
if
(!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
{
CloseHandle(TokenHandle);
TokenHandle
= NULL;
return
FALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes =
SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[0].Luid = uID;
if
(!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
sizeof(TOKEN_PRIVILEGES), &OldTokenPrivileges,
&ReturnLength))
{
CloseHandle(TokenHandle);
TokenHandle
= NULL;
return
FALSE;
}
向本机指定进程中 注入特定Dll
核心:
QueueUserAPC((PAPCFUNC)LoadLibraryWAddress, ThreadHandle,
(UINT_PTR)DllFullPathBufferData);
加载函数地址的获取: LoadLibraryWAddress =
(UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"),
"LoadLibrary");
该函数 用于当进程发生软中断时,向当前进程APC队列中注入LoadLibrary指针。由于该函数需要ThreadID,
故需要先通过目标进程ID找到该进程的线程
关于如何得到目标进程ID,是通过CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,
0),得到本机系统的进程快照,枚举进程,与目标进程名称相比较,
然后得到ProcessID。
得到ProcessID,再通过如上方法得到ThreadID,不过由于一个进程往往有较多的线程,故需要一个类似数组的数据结构来存储得到的线程,
故采用模板vector ThreadIDVector,QueueUserAPC函数 向线程中注入Dll
此方法 存在局限性 就本机测试而言 Taskmgr 无法打开
自己编写的程序能够实现注入
#include "stdafx.h"
#include
#include
#include
#include
using namespace std;
// Forward declarations. Of these, only GrantPriviledge (partially) and
// main are shown in this excerpt; GetThreadIDByProcessID,
// GetProcessIDByProcessImageName and InjectDllByAPC are defined elsewhere.
BOOL GrantPriviledge(IN PWCHAR PriviledgeName);
// NOTE(review): the vector's element type was lost in extraction; main()
// reads its elements as UINT32 thread IDs — confirm against the definition.
BOOL GetThreadIDByProcessID(IN UINT32 ProcessID, OUT vector
&ThreadIDVector);
BOOL GetProcessIDByProcessImageName(IN PWCHAR ProcessImageName,OUT
PUINT32 ProcessID);
BOOL InjectDllByAPC(UINT32 ProcessID, UINT32 ThreadID);
// Global buffer holding the DLL path; main() fills it from the current
// directory plus a fixed file name.
WCHAR
DllFullPath[MAX_PATH] = { 0 }; // patch (DLL) path
// Never written in this excerpt; presumably assigned inside
// InjectDllByAPC — verify there.
PVOID DllFullPathBufferData = NULL;
// Entry point: enables SeDebugPrivilege, resolves one target process by
// image name, enumerates its threads and calls InjectDllByAPC() once per
// thread. The helper functions are declared above; apart from
// GrantPriviledge their definitions are outside this excerpt.
// Defender note: the observable sequence on the host is a token privilege
// adjustment (SeDebugPrivilege), a process/thread enumeration, and an APC
// queued cross-process into every thread of the target, followed by a
// module load inside the target. Returns 0 on every path.
int main()
{
// A failed privilege grant is only logged; execution continues regardless.
if
(GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
}
// DLL path = <current directory>\Dll.dll. Neither the return value of
// GetCurrentDirectory nor the remaining room in the MAX_PATH buffer is
// checked before wcscat appends the file name.
GetCurrentDirectory(MAX_PATH, DllFullPath);
wcscat(DllFullPath, L"\\Dll.dll");
UINT32
ProcessID = 0;
// The target is selected by a hard-coded image name; when no process
// matches, the program exits silently with 0.
if
(GetProcessIDByProcessImageName(L"TeamViewer_Service.exe",
&ProcessID) == FALSE)
{
return
0;
}
// NOTE(review): the vector's element type was lost in extraction; the
// loop below reads elements as UINT32 — confirm against the definition.
vector
ThreadIDVector;
if
(GetThreadIDByProcessID(ProcessID, ThreadIDVector) == FALSE)
{
return
0;
}
size_t
ThreadCount = ThreadIDVector.size();
// The thread count is written to stdout with no label and no newline.
cout
<< ThreadCount;
// Threads are visited from last to first. For an empty vector,
// ThreadCount - 1 wraps as size_t; skipping the body then relies on that
// value converting to -1 when stored in INT_PTR.
for (INT_PTR
i = ThreadCount - 1; i >= 0; i--)
{
UINT32
ThreadID = ThreadIDVector[i];
// The return value is ignored, so a failure on one thread does not stop
// the loop. DllFullPathBufferData is not set here; presumably
// InjectDllByAPC fills it — verify in that function.
InjectDllByAPC(ProcessID, ThreadID);
}
}
提权函数:
BOOL GrantPriviledge(IN PWCHAR PriviledgeName)
{
HANDLE
TokenHandle = NULL;
TOKEN_PRIVILEGES TokenPrivileges;
TOKEN_PRIVILEGES OldTokenPrivileges;
DWORD
ReturnLength;
LUID
uID;
if
(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY,FALSE, &TokenHandle)) //使用windows函数API
{
if
(GetLastError() != ERROR_NO_TOKEN)
{
return
FALSE;
}
if
(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &TokenHandle))
{
return
FALSE;
}
} //WHY 先打开线程后打开进程
if
(!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
{
CloseHandle(TokenHandle);
TokenHandle
= NULL;
return
FALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes =
SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[0].Luid = uID;
if
(!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges,
sizeof(TOKEN_PRIVILEGES), &OldTokenPrivileges,
&ReturnLength))
{
CloseHandle(TokenHandle);
TokenHandle
= NULL;
return
FALSE;
}