Windows x86/ x64 Ring3層注入Dll總結

更新時間：2016年10月30日 10:42:00 作者：天邊的黑雪

這篇文章主要介紹了Windows x86/ x64 Ring3層注入Dll總結的相關資料,需要的朋友可以參考下

0x01.前言

　　提到Dll的注入，立馬能夠想到的方法就有很多，比如利用遠程線程、Apc等等，這里我對Ring3層的Dll注入學習做一個總結吧。

　　我把注入的方法分成六類，分別是：1.創(chuàng)建新線程、2.設置線程上下背景文，修改寄存器、3.插入Apc隊列、4.修改注冊表、5.掛鉤窗口消息、6.遠程手動實現(xiàn)LoadLibrary。

　　那么下面就開始學習之旅吧！

0x02.預備工作

　　在涉及到注入的程序中，提升程序的權限自然是必不可少的，這里我提供了兩個封裝的函數(shù)，都可以用于提權。第一個是通過權限令牌來調(diào)整權限；第二個是通過ntdll.dll的導出的未文檔化函數(shù)RtlAdjustPrivilege來調(diào)整權限。

// 傳入?yún)?shù) SE_DEBUG_NAME，提升到調(diào)試權限
BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;
DWORD dwReturnLength = sizeof(OldPrivileges);
HANDLE TokenHandle = NULL;
LUID uID;
// 打開權限令牌
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
{
if (GetLastError() != ERROR_NO_TOKEN)
{
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
{
return FALSE;
}
}
if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 通過權限名稱查找uID
{
CloseHandle(TokenHandle);
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1; // 要提升的權限個數(shù)
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態(tài)數(shù)組，數(shù)組大小根據(jù)Count的數(shù)目
TokenPrivileges.Privileges[0].Luid = uID;
// 在這里我們進行調(diào)整權限
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
{
CloseHandle(TokenHandle);
return FALSE;
}
// 成功了
CloseHandle(TokenHandle);
return TRUE;
}

　　緊接著，既然我們要對目標進程注入Dll，那么獲得目標進程的Id是不可或缺的吧，因為OpenProcess是肯定會使用的，這里我也提供了兩種通過目標進程映像名稱獲得進程Id的方法。第一種是最常見的使用TlHelp創(chuàng)建系統(tǒng)的進程快照；第二種是借助Psapi枚舉系列函數(shù)，不過這個方法我實現(xiàn)的有缺憾，32位下不能得到64位進程的Id。

// 使用ToolHelp系列函數(shù)
#include <TlHelp32.h>
BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
HANDLE ProcessSnapshotHandle = INVALID_HANDLE_VALUE;
PROCESSENTRY32 ProcessEntry32 = { 0 };
ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // 初始化PROCESSENTRY32結構
ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 給系統(tǒng)所有的進程快照
if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
}
if (Process32First(ProcessSnapshotHandle, &ProcessEntry32)) // 找到第一個
{
do
{
if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // 不區(qū)分大小寫
{
*ProcessId = ProcessEntry32.th32ProcessID;
break;
}
} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));
}
CloseHandle(ProcessSnapshotHandle);
ProcessSnapshotHandle = INVALID_HANDLE_VALUE;
if (*ProcessId == 0)
{
return FALSE;
}
return TRUE;
}
// 使用Psapi系列枚舉函數(shù)
#include <Psapi.h>
BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
DWORD dwProcessesId[1024] = { 0 };
DWORD BytesReturned = 0;
UINT32 ProcessCount = 0;
// 獲得當前操作系統(tǒng)中的所有進程Id，保存在dwProcessesId數(shù)組里
if (!EnumProcesses(dwProcessesId, sizeof(dwProcessesId), &BytesReturned))
{
return FALSE;
}
ProcessCount = BytesReturned / sizeof(DWORD);
// 遍歷
for (INT i = 0; i < ProcessCount; i++)
{
HMODULE ModuleBase = NULL;
WCHAR wzModuleBaseName[MAX_PATH] = { 0 };
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessesId[i]);
if (ProcessHandle == NULL)
{
continue;
}
if (EnumProcessModulesEx(ProcessHandle, &ModuleBase, sizeof(HMODULE), &BytesReturned, LIST_MODULES_ALL))
{
// 獲得進程第一模塊名稱
GetModuleBaseName(ProcessHandle, ModuleBase, wzModuleBaseName, MAX_PATH * sizeof(WCHAR));
}
CloseHandle(ProcessHandle);
ProcessHandle = NULL;
if (lstrcmpi(wzModuleBaseName, wzProcessImageName) == 0) // 不區(qū)分大小寫
{
*ProcessId = dwProcessesId[i];
break;
}
}
if (*ProcessId == 0)
{
return FALSE;
}
return TRUE;
}

　　然后在比如插入Apc隊列、掛起線程等等操作中，需要對目標進程的線程操作，所以獲得線程Id也有必要，同樣的我也提供了兩種通過進程Id獲得線程Id的方法。第一個仍然是使用TlHelp創(chuàng)建系統(tǒng)的線程快照，把所有的線程存入vector模板里（供Apc注入使用）；第二個是利用ZwQuerySystemInformation大法，枚舉系統(tǒng)進程信息，這個方法我只返回了一個線程Id，已經(jīng)夠用了。

// 枚舉指定進程Id的所有線程，壓入模板中
#include <vector>
#include <TlHelp32.h>
using namespace std;
BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT vector<UINT32>& ThreadIdVector)
{
HANDLE ThreadSnapshotHandle = NULL;
THREADENTRY32 ThreadEntry32 = { 0 };
ThreadEntry32.dwSize = sizeof(THREADENTRY32);
ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // 給系統(tǒng)所有的線程快照
if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
}
if (Thread32First(ThreadSnapshotHandle, &ThreadEntry32))
{
do
{
if (ThreadEntry32.th32OwnerProcessID == ProcessId)
{
ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID); // 把該進程的所有線程id壓入模板
}
} while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32));
}
CloseHandle(ThreadSnapshotHandle);
ThreadSnapshotHandle = NULL;
return TRUE;
}

// ZwQuerySystemInformation+SystemProcessInformation

typedef
NTSTATUS(NTAPI * pfnZwQuerySystemInformation)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN UINT32 SystemInformationLength,
OUT PUINT32 ReturnLength OPTIONAL);

BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT PUINT32 ThreadId)
{
BOOL bOk = FALSE;
NTSTATUS Status = 0;
PVOID BufferData = NULL;
PSYSTEM_PROCESS_INFO spi = NULL;
pfnZwQuerySystemInformation ZwQuerySystemInformation = NULL;
ZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQuerySystemInformation");
if (ZwQuerySystemInformation == NULL)
{
return FALSE;
}
BufferData = malloc(1024 * 1024);
if (!BufferData)
{
return FALSE;
}
// 在QuerySystemInformation系列函數(shù)中，查詢SystemProcessInformation時，必須提前申請好內(nèi)存，不能先查詢得到長度再重新調(diào)用
Status = ZwQuerySystemInformation(SystemProcessInformation, BufferData, 1024 * 1024, NULL);
if (!NT_SUCCESS(Status))
{
free(BufferData);
return FALSE;
}
spi = (PSYSTEM_PROCESS_INFO)BufferData;
// 遍歷進程，找到我們的目標進程
while (TRUE)
{
bOk = FALSE;
if (spi->UniqueProcessId == (HANDLE)ProcessId)
{
bOk = TRUE;
break;
}
else if (spi->NextEntryOffset)
{
spi = (PSYSTEM_PROCESS_INFO)((PUINT8)spi + spi->NextEntryOffset);
}
else
{
break;
}
}
if (bOk)
{
for (INT i = 0; i < spi->NumberOfThreads; i++)
{
// 返出找到的線程Id
*ThreadId = (UINT32)spi->Threads[i].ClientId.UniqueThread;
break;
}
}
if (BufferData != NULL)
{
free(BufferData);
}
return bOk;
}

　　嗯，目前為止，預備工作差不多完工，那我們就開始正題吧！

0x03.注入方法一 -- 創(chuàng)建新線程

　　創(chuàng)建新線程，也就是在目標進程里，創(chuàng)建一個線程為我們服務，而創(chuàng)建線程的方法我找到的有三種：1.CreateRemoteThread；2.NtCreateThreadEx；3.RtlCreateUserThread。

　　基本思路是：1.在目標進程內(nèi)存空間申請內(nèi)存；2.在剛申請的內(nèi)存中寫入Dll完整路徑；3.創(chuàng)建新線程，去執(zhí)行LoadLibrary，從而完成注入Dll。

　　ps：這里直接使用從自己加載的kernel32模塊導出表中獲得LoadLibrary地址，是因為一般情況下，所有進程加載這類系統(tǒng)庫在內(nèi)存中的地址相同！

　　因為只是創(chuàng)線程所使用的函數(shù)不一樣，所以下面的代碼隨便放開一個創(chuàng)線程的步驟，屏蔽其他兩個，都是可以成功的，這里我放開的是NtCreateThreadEx。

typedef NTSTATUS(NTAPI* pfnNtCreateThreadEx)
(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN PVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN PVOID lpStartAddress,
IN PVOID lpParameter,
IN ULONG Flags,
IN SIZE_T StackZeroBits,
IN SIZE_T SizeOfStackCommit,
IN SIZE_T SizeOfStackReserve,
OUT PVOID lpBytesBuffer);
#define NT_SUCCESS(x) ((x) >= 0)
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef NTSTATUS(NTAPI * pfnRtlCreateUserThread)(
IN HANDLE ProcessHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN BOOLEAN CreateSuspended,
IN ULONG StackZeroBits OPTIONAL,
IN SIZE_T StackReserve OPTIONAL,
IN SIZE_T StackCommit OPTIONAL,
IN PTHREAD_START_ROUTINE StartAddress,
IN PVOID Parameter OPTIONAL,
OUT PHANDLE ThreadHandle OPTIONAL,
OUT PCLIENT_ID ClientId OPTIONAL);
BOOL InjectDll(UINT32 ProcessId)
{
HANDLE ProcessHandle = NULL;
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
// 在對方進程空間申請內(nèi)存,存儲Dll完整路徑
UINT32 DllFullPathLength = (strlen(DllFullPath) + 1);
PVOID DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (DllFullPathBufferData == NULL)
{
CloseHandle(ProcessHandle);
return FALSE;
}
// 將DllFullPath寫進剛剛申請的內(nèi)存中
SIZE_T ReturnLength;
BOOL bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1, &ReturnLength);
LPTHREAD_START_ROUTINE LoadLibraryAddress = NULL;
HMODULE Kernel32Module = GetModuleHandle(L"Kernel32");
LoadLibraryAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(Kernel32Module, "LoadLibraryA");
pfnNtCreateThreadEx NtCreateThreadEx = (pfnNtCreateThreadEx)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");
if (NtCreateThreadEx == NULL)
{
CloseHandle(ProcessHandle);
return FALSE;
}
HANDLE ThreadHandle = NULL;
// 0x1FFFFF #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
NtCreateThreadEx(&ThreadHandle, 0x1FFFFF, NULL, ProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, DllFullPathBufferData, FALSE, NULL, NULL, NULL, NULL);
/*
pfnRtlCreateUserThread RtlCreateUserThread = (pfnRtlCreateUserThread)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlCreateUserThread");
HANDLE ThreadHandle = NULL;
NTSTATUS Status = RtlCreateUserThread(ProcessHandle, NULL, FALSE, 0, 0, 0, LoadLibraryAddress, DllFullPathBufferData, &ThreadHandle, NULL); 
*/
/*
HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 0, LoadLibraryAddress, DllFullPathBufferData, 0, NULL); // CreateRemoteThread 函數(shù)
*/
if (ThreadHandle == NULL)
{
CloseHandle(ProcessHandle);
return FALSE;
}
if (WaitForSingleObject(ThreadHandle, INFINITE) == WAIT_FAILED)
{
return FALSE;
}
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return TRUE;
}

0x04.注入方法二 -- 設置線程上下背景文

　　設置線程上下背景文的主要目的是讓目標進程的某一線程轉去執(zhí)行我們的代碼，然后再回來做他該做的事，而我們的代碼，就是一串由匯編硬編碼組成的ShellCode。

　　這串ShellCode做了三件事：1.傳入Dll完整路徑參數(shù)；2.呼叫LoadLibrary函數(shù)地址；3.返回原先的Eip或Rip。

　　這里我選用的呼叫指令是ff 15 和 ff 25，在32位下為跳轉到15(25)指令后面字節(jié)碼對應地址里面存放的地址，在64位下15(25)指令后面四字節(jié)存放的是偏移，該跳轉為跳轉到換算出來的地址里面存放的地址，這里我把偏移寫成0，以便于計算。

#ifdef _WIN64
// 測試 64 位 dll被注，Bug已修復
/*
0:019> u 0x000002b5d5f80000
000002b5`d5f80000 4883ec28 sub rsp,28h
000002b5`d5f80004 488d0d20000000 lea rcx,[000002b5`d5f8002b]
000002b5`d5f8000b ff1512000000 call qword ptr [000002b5`d5f80023]
000002b5`d5f80011 4883c428 add rsp,28h
000002b5`d5f80015 ff2500000000 jmp qword ptr [000002b5`d5f8001b]
*/
UINT8 ShellCode[0x100] = {
0x48,0x83,0xEC,0x28, // sub rsp ,28h
0x48,0x8D,0x0d, // [+4] lea rcx,
0x00,0x00,0x00,0x00, // [+7] DllNameOffset = [+43] - [+4] - 7
// call 跳偏移，到地址，解*號
0xff,0x15, // [+11]
0x00,0x00,0x00,0x00, // [+13] 
0x48,0x83,0xc4,0x28, // [+17] add rsp,28h
// jmp 跳偏移，到地址，解*號
0xff,0x25, // [+21]
0x00,0x00,0x00,0x00, // [+23] LoadLibraryAddressOffset
// 存放原先的 rip
0x00,0x00,0x00,0x00, // [+27]
0x00,0x00,0x00,0x00, // [+31]
// 跳板 loadlibrary地址
0x00,0x00,0x00,0x00, // [+35] 
0x00,0x00,0x00,0x00, // [+39]
// 存放dll完整路徑
// 0x00,0x00,0x00,0x00, // [+43]
// 0x00,0x00,0x00,0x00 // [+47]
// ......
};
#else
// 測試 32 位 配合新寫的Dll可重復注入
/*
0:005> u 0x00ca0000
00000000`00ca0000 60 pusha
00000000`00ca0001 9c pushfq
00000000`00ca0002 681d00ca00 push 0CA001Dh
00000000`00ca0007 ff151900ca00 call qword ptr [00000000`01940026]
00000000`00ca000d 9d popfq
00000000`00ca000e 61 popa
00000000`00ca000f ff251500ca00 jmp qword ptr [00000000`0194002a]
*/
UINT8 ShellCode[0x100] = {
0x60, // [+0] pusha
0x9c, // [+1] pushf
0x68, // [+2] push
0x00,0x00,0x00,0x00, // [+3] ShellCode + 
0xff,0x15, // [+7] call 
0x00,0x00,0x00,0x00, // [+9] LoadLibrary Addr Addr
0x9d, // [+13] popf
0x61, // [+14] popa
0xff,0x25, // [+15] jmp
0x00,0x00,0x00,0x00, // [+17] jmp eip
// eip 地址
0x00,0x00,0x00,0x00, // [+21]
// LoadLibrary 地址
0x00,0x00,0x00,0x00, // [+25] 
// DllFullPath 
0x00,0x00,0x00,0x00 // [+29] 
};
#endif

　　整個注入過程由這些步驟組成：在目標進程申請內(nèi)存（可執(zhí)行內(nèi)存） ---> 填充ShellCode需要的地址碼 ---> 將ShellCode寫入申請的內(nèi)存 ---> SuspendThread（掛起線程）--->GetThreadContext（獲得線程上下背景文）---> 修改Context的Eip或Rip為ShellCode首地址 ---> SetThreadContext（設置剛修改過的Context）---> ResumeThread（恢復線程執(zhí)行）。

BOOL Inject(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
BOOL bOk = FALSE;
CONTEXT ThreadContext = { 0 };
PVOID BufferData = NULL;
HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
// 首先掛起線程
SuspendThread(ThreadHandle);
ThreadContext.ContextFlags = CONTEXT_ALL;
if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
{
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return FALSE;
}
BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (BufferData != NULL)
{
if (LoadLibraryWAddress != NULL)
{
#ifdef _WIN64
// ShellCode + 43處 存放完整路徑
PUINT8 v1 = ShellCode + 43;
memcpy(v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR));
UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + 43) - ((PUINT8)BufferData + 4) - 7);
*(PUINT32)(ShellCode + 7) = DllNameOffset;
// ShellCode + 35處 放置 LoadLibrary 函數(shù)地址
*(PUINT64)(ShellCode + 35) = (UINT64)LoadLibraryWAddress;
UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + 35) - ((PUINT8)BufferData + 11) - 6);
*(PUINT32)(ShellCode + 13) = LoadLibraryAddressOffset;
// 放置 rip 地址
*(PUINT64)(ShellCode + 27) = ThreadContext.Rip;
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
return FALSE;
}
ThreadContext.Rip = (UINT64)BufferData;
#else
PUINT8 v1 = ShellCode + 29;
memcpy((char*)v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR)); //這里是要注入的DLL名字
*(PUINT32)(ShellCode + 3) = (UINT32)BufferData + 29;
*(PUINT32)(ShellCode + 25) = LoadLibraryWAddress; //loadlibrary地址放入shellcode中
*(PUINT32)(ShellCode + 9) = (UINT32)BufferData + 25;//修改call 之后的地址 為目標空間存放 loaddlladdr的地址
//////////////////////////////////
*(PUINT32)(ShellCode + 21) = ThreadContext.Eip;
*(PUINT32)(ShellCode + 17) = (UINT32)BufferData + 21;//修改jmp 之后為原來eip的地址
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
printf("write Process Error\n");
return FALSE;
}
ThreadContext.Eip = (UINT32)BufferData;
#endif 
if (!SetThreadContext(ThreadHandle, &ThreadContext))
{
printf("set thread context error\n");
return FALSE;
}
ResumeThread(ThreadHandle);
printf("ShellCode 注入完成\r\n");
}
}
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return TRUE;
}

0x05.插入Apc隊列

　　Ring3層的Apc注入是不太穩(wěn)定的，我的做法就是暴力的向目標進程的所有線程的UserMode Apc隊列（線程有兩個Apc隊列：Kernel和User）上插入Apc對象，等待他去執(zhí)行該Apc里注冊的函數(shù)。而只有當線程處于alterable狀態(tài)時，才會查看Apc隊列是否有需要執(zhí)行的注冊函數(shù)。

　　ps：正是因為不知道哪個線程會去處理Apc，所以感覺Ring3層Apc注入不如其他方法好使，不過Ring0層Apc注入還是比較穩(wěn)定的。之前測試xp和win10都成功，win7下注explorer進程總是崩潰，后來捯飭半天，發(fā)現(xiàn)遍歷線程的時候從后往前遍歷著插入就不會崩潰Orz

int main()
{
......
ThreadCount = ThreadIdVector.size();
for (INT i = ThreadCount - 1; i >= 0; i--)
{
UINT32 ThreadId = ThreadIdVector[i];
InjectDllByApc(ProcessId, ThreadId);
}
......
}
BOOL InjectDllByApc(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
BOOL bOk = 0;
HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
UINT_PTR LoadLibraryAddress = 0;
SIZE_T ReturnLength = 0;
UINT32 DllFullPathLength = (strlen(DllFullPath) + 1);
// 全局，申請一次內(nèi)存
if (DllFullPathBufferData == NULL)
{
//申請內(nèi)存
DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (DllFullPathBufferData == NULL)
{
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return FALSE;
}
}
// 避免之前寫操作失敗，每次重復寫入
bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1,
&ReturnLength);
if (bOk == FALSE)
{
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return FALSE;
}
LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
if (LoadLibraryAddress == NULL)
{
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return FALSE;
}
__try
{
QueueUserAPC((PAPCFUNC)LoadLibraryAddress, ThreadHandle, (UINT_PTR)DllFullPathBufferData);
}
__except (EXCEPTION_CONTINUE_EXECUTION)
{
}
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return TRUE;
}

0x06.修改注冊表

　　注冊表注入算得上是全局Hook了吧，畢竟新創(chuàng)建的進程在加載User32.dll時，都會自動調(diào)用LoadLibrary去加載注冊表中某個表項鍵值里寫入的Dll路徑。

　　我們關心的這個注冊表項鍵是：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows，我們要設置的鍵值是AppInit_DLLs = “Dll完整路徑”，LoadAppInit_Dlls = 1（讓系統(tǒng)使用這個注冊表項）

　　ps：由于注入的Dll在進程創(chuàng)建的早期，所以在Dll中使用函數(shù)要格外小心，因為有的庫可能還沒加載上。

int main()
{
LSTATUS Status = 0;
WCHAR* wzSubKey = L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
HKEY hKey = NULL;
// 打開注冊表
Status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, // 要打開的主鍵
wzSubKey, // 要打開的子鍵名字地址
0, // 保留，傳0
KEY_ALL_ACCESS, // 打開的方式
&hKey); // 返回的子鍵句柄
if (Status != ERROR_SUCCESS)
{
return 0;
}
WCHAR* wzValueName = L"AppInit_DLLs";
DWORD dwValueType = 0;
UINT8 ValueData[MAX_PATH] = { 0 };
DWORD dwReturnLength = 0;
// 查詢注冊表
Status = RegQueryValueExW(hKey, // 子鍵句柄
wzValueName, // 待查詢鍵值的名稱
NULL, // 保留
&dwValueType, // 數(shù)據(jù)類型
ValueData, // 鍵值
&dwReturnLength);
WCHAR wzDllFullPath[MAX_PATH] = { 0 };
GetCurrentDirectoryW(MAX_PATH, wzDllFullPath);
#ifdef _WIN64
wcscat_s(wzDllFullPath, L"\\x64NormalDll.dll");
#else
wcscat_s(wzDllFullPath, L"\\x86NormalDll.dll");
#endif
// 設置鍵值
Status = RegSetValueExW(hKey,
wzValueName,
NULL,
dwValueType,
(CONST BYTE*)wzDllFullPath,
(lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR));
if (Status != ERROR_SUCCESS)
{
return 0;
}
wzValueName = L"LoadAppInit_DLLs";
DWORD dwLoadAppInit = 1;
// 查詢注冊表
Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
// 設置鍵值
Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD));
if (Status != ERROR_SUCCESS)
{
return 0;
}
printf("Input Any Key To Resume\r\n");
getchar();
getchar();
// 恢復鍵值
dwLoadAppInit = 0;
Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)&dwLoadAppInit, sizeof(DWORD));
wzValueName = L"AppInit_DLLs";
ZeroMemory(wzDllFullPath, (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR));
Status = RegQueryValueExW(hKey, wzValueName, NULL, &dwValueType, ValueData, &dwReturnLength);
Status = RegSetValueExW(hKey, wzValueName, NULL, dwValueType, (CONST BYTE*)wzDllFullPath, 0);
return 0;
}

0x07.掛鉤窗口消息

　　掛鉤窗口消息使用了MS提供的一個API接口SetWindowsHookEx，他的工作原理是給帶窗口的目標進程的某個線程的某個消息掛鉤上我們Dll導出的函數(shù)，一旦消息觸發(fā)，則導出函數(shù)就會被調(diào)用。前面學習到的幾種方法歸根結底是調(diào)用了LoadLibrary，而這個方法并沒有。

// 注入exe關鍵代碼 給目標線程的指定消息上下鉤，走進Dll導出函數(shù)
BOOL Inject(IN UINT32 ThreadId, OUT HHOOK& HookHandle)
{
HMODULE DllModule = LoadLibraryA(DllFullPath);
FARPROC FunctionAddress = GetProcAddress(DllModule, "Sub_1");
HookHandle = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)FunctionAddress, DllModule, ThreadId);
if (HookHandle == NULL)
{
return FALSE;
}
return TRUE;
}
// 動態(tài)庫中導出函數(shù)
extern "C"
__declspec(dllexport)
VOID Sub_1() // 導出函數(shù)
{
MessageBox(0, 0, 0, 0);
}

0x08.遠程手動實現(xiàn)LoadLibrary

　　該方法學習自github上名叫ReflevtiveDllInjection，大體上分為兩個部分，exe和dll，下面分別簡述。

　　exe：作為注入啟動程序，在目標進程申請一塊兒PAGE_EXECUTE_READWRITE內(nèi)存，將Dll以文件格式直接寫入目標進程內(nèi)存空間中，然后獲得導出函數(shù)"LoadDllByOEP"在文件中的偏移，使用CreateRemoteThread直接讓目標進程去執(zhí)行LoadDllByOEP函數(shù)。

　　Dll：最關鍵導出 LoadDllByOEP 函數(shù)，在該函數(shù)里，首先通過目標進程加載模塊ntdll.dll的導出表中獲得NtFlushInstructionCache函數(shù)地址，在Kernel32.dll的導出表中獲得LoadLibraryA、GetProcAddress、VirtualAlloc函數(shù)地址；然后在進程內(nèi)存空間里重新申請內(nèi)存，拷貝自己的PE結構到內(nèi)存里，接著修正IAT和重定向塊，最后調(diào)用模塊OEP，完成了手動實現(xiàn)LoadLibrary！

　　ps：寫代碼時參考《Windows PE權威指南》，對整個PE結構又有了新的認識。我有for循環(huán)強迫癥。。這份代碼就全貼上了。

// InjectDllByOEP.cpp : 定義控制臺應用程序的入口點。
//
#include "stdafx.h"
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
using namespace std;
BOOL GrantPriviledge(WCHAR* PriviledgeName);
UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer);
UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader);
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId);
HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam);
CHAR DllFullPath[MAX_PATH] = { 0 };
int main()
{
// 首先提權一波
if (GrantPriviledge(SE_DEBUG_NAME) == FALSE)
{
printf("GrantPriviledge Error\r\n");
}
// 接著通過進程名得到進程id
UINT32 ProcessId = 0;
GetCurrentDirectoryA(MAX_PATH, DllFullPath);
#ifdef _WIN64
// GetProcessIdByProcessImageName(L"Taskmgr.exe", &ProcessId);
GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId);
strcat_s(DllFullPath, "\\x64LoadRemoteDll.dll");
#else
GetProcessIdByProcessImageName(L"notepad++.exe", &ProcessId);
strcat_s(DllFullPath, "\\x86LoadRemoteDll.dll");
#endif
// 獲得dll句柄
HANDLE FileHandle = CreateFileA(DllFullPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (FileHandle == INVALID_HANDLE_VALUE)
{
printf("Open File Error\r\n");
return 0;
}
// 獲得dll文件長度
UINT32 FileSize = GetFileSize(FileHandle, NULL);
if (FileSize == INVALID_FILE_SIZE || FileSize == 0)
{
printf("Get File Size Error\r\n");
CloseHandle(FileHandle);
return 0;
}
// 申請內(nèi)存，保存
PVOID FileData = HeapAlloc(GetProcessHeap(), 0, FileSize);
if (FileData == NULL)
{
printf("HeapAlloc Error\r\n");
CloseHandle(FileHandle);
return 0;
}
DWORD ReturnLength = 0;
BOOL bOk = ReadFile(FileHandle, FileData, FileSize, &ReturnLength, NULL);
CloseHandle(FileHandle);
if (bOk == FALSE)
{
printf("ReadFile Error\r\n");
HeapFree(GetProcessHeap(), 0, FileData);
return 0;
}
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
if (ProcessHandle == NULL)
{
printf("OpenProcess Error\r\n");
HeapFree(GetProcessHeap(), 0, FileData);
return 0;
}
// 執(zhí)行Dll中的導出函數(shù)LoadDllByOEP，讓目標進程實現(xiàn)LoadLibrary功能
HANDLE ThreadHandle = LoadRemoteDll(ProcessHandle, FileData, FileSize, NULL);
if (ThreadHandle == NULL)
{
goto _Clear;
}
WaitForSingleObject(ThreadHandle, INFINITE);
_Clear:
if (FileData)
{
HeapFree(GetProcessHeap(), 0, FileData);
}
if (ProcessHandle)
{
CloseHandle(ProcessHandle);
}
return 0;
}
/************************************************************************
* Name : LoadRemoteDll
* Param: ProcessHandle 進程句柄 （IN）
* Param: ModuleBaseAddress 模塊基地址
* Param: ModuleLength 模塊在文件中的大小
* Param: lParam 模塊句柄
* Ret : HANDLE
* 將Dll以文件格式寫入目標進程內(nèi)存，并執(zhí)行Dll的導出函數(shù)LoadDllByOEP
************************************************************************/
HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam)
{
HANDLE ThreadHandle = NULL;
__try
{
if (ProcessHandle == NULL || ModuleFileBaseAddress == NULL || ModuleFileSize == 0)
{
return NULL;
}
// 導出函數(shù)相對于 ModuelBaseAddress 的 Offset
UINT32 FunctionOffset = GetLoadDllByOEPOffsetInFile(ModuleFileBaseAddress);
if (FunctionOffset == 0)
{
return NULL;
}
// 在目標進程申請內(nèi)存
PVOID RemoteBufferData = VirtualAllocEx(ProcessHandle, NULL, ModuleFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (RemoteBufferData == NULL)
{
return NULL;
}
// 把Dll文件寫入目標進程內(nèi)存空間
BOOL bOk = WriteProcessMemory(ProcessHandle, RemoteBufferData, ModuleFileBaseAddress, ModuleFileSize, NULL);
if (bOk == FALSE)
{
return NULL;
}
// 以文件格式去執(zhí)行 Dll 中的 LoadDllByOEP
LPTHREAD_START_ROUTINE RemoteThreadCallBack = (LPTHREAD_START_ROUTINE)((PUINT8)RemoteBufferData + FunctionOffset);
ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 1024 * 1024, RemoteThreadCallBack, lParam, 0, NULL);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
ThreadHandle = NULL;
}
return ThreadHandle;
}
/************************************************************************
* Name : LoadRemoteDll
* Param: ProcessHandle 進程句柄
* Ret : HANDLE
* 獲得LoadDllByOEP在Dll文件中的偏移量
************************************************************************/
UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer)
{
UINT_PTR BaseAddress = (UINT_PTR)DllBuffer;
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
DosHeader = (PIMAGE_DOS_HEADER)BaseAddress;
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)BaseAddress + DosHeader->e_lfanew);
/*
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
*/
if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // pe32
{
}
else if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // pe64
{
}
else
{
return 0;
}
UINT32 ExportDirectoryRVA = NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)BaseAddress + RVAToOffset(ExportDirectoryRVA, NtHeader));
UINT32 AddressOfNamesRVA = ExportDirectory->AddressOfNames;
PUINT32 AddressOfNames = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfNamesRVA, NtHeader));
UINT32 AddressOfFunctionsRVA = ExportDirectory->AddressOfFunctions;
PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfFunctionsRVA, NtHeader));
UINT32 AddressOfNameOrdinalsRVA = ExportDirectory->AddressOfNameOrdinals;
PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)BaseAddress + RVAToOffset(AddressOfNameOrdinalsRVA, NtHeader));
for (UINT32 i = 0; i < ExportDirectory->NumberOfFunctions; i++)
{
CHAR* ExportFunctionName = (CHAR*)((PUINT8)BaseAddress + RVAToOffset(*AddressOfNames, NtHeader));
if (strstr(ExportFunctionName, "LoadDllByOEP") != NULL)
{
UINT16 ExportFunctionOrdinals = AddressOfNameOrdinals[i];
return RVAToOffset(AddressOfFunctions[ExportFunctionOrdinals], NtHeader);
}
}
return 0;
}
/************************************************************************
* Name : RVAToOffset
* Param: RVA 內(nèi)存中偏移
* Param: NtHeader Nt頭
* Ret : UINT32
* 內(nèi)存中偏移轉換成文件中偏移
************************************************************************/
UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader)
{
UINT32 i = 0;
PIMAGE_SECTION_HEADER SectionHeader = NULL;
SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
if (RVA < SectionHeader[0].PointerToRawData)
{
return RVA;
}
for (i = 0; i < NtHeader->FileHeader.NumberOfSections; i++)
{
if (RVA >= SectionHeader[i].VirtualAddress && RVA < (SectionHeader[i].VirtualAddress + SectionHeader[i].SizeOfRawData))
{
return (RVA - SectionHeader[i].VirtualAddress + SectionHeader[i].PointerToRawData);
}
}
return 0;
}
/************************************************************************
* Name : GetProcessIdByProcessImageName
* Param: wzProcessImageName 進程映像名稱 （IN）
* Param: TargetProcessId 進程Id （OUT）
* Ret : BOOLEAN
* 使用ToolHelp系列函數(shù)通過進程映像名稱獲得進程Id
************************************************************************/
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId)
{
HANDLE ProcessSnapshotHandle = NULL;
PROCESSENTRY32 ProcessEntry32 = { 0 };
ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // 初始化PROCESSENTRY32結構
ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 給系統(tǒng)所有的進程快照
if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
}
Process32First(ProcessSnapshotHandle, &ProcessEntry32); // 找到第一個
do
{
if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0) // 不區(qū)分大小寫
{
*TargetProcessId = ProcessEntry32.th32ProcessID;
break;
}
} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));
CloseHandle(ProcessSnapshotHandle);
ProcessSnapshotHandle = NULL;
return TRUE;
}
/************************************************************************
* Name : GrantPriviledge
* Param: PriviledgeName 想要提升的權限
* Ret : BOOLEAN
* 提升自己想要的權限
************************************************************************/
BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;
DWORD dwReturnLength = sizeof(OldPrivileges);
HANDLE TokenHandle = NULL;
LUID uID;
// 打開權限令牌
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
{
if (GetLastError() != ERROR_NO_TOKEN)
{
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
{
return FALSE;
}
}
if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 通過權限名稱查找uID
{
CloseHandle(TokenHandle);
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1; // 要提升的權限個數(shù)
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 動態(tài)數(shù)組，數(shù)組大小根據(jù)Count的數(shù)目
TokenPrivileges.Privileges[0].Luid = uID;
// 在這里我們進行調(diào)整權限
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
{
CloseHandle(TokenHandle);
return FALSE;
}
// 成功了
CloseHandle(TokenHandle);
return TRUE;
}
// LoadRemoteDll.h
#include <Windows.h>
#include <intrin.h>
#ifdef LOADREMOTEDLL_EXPORTS
#define LOADREMOTEDLL_API __declspec(dllexport)
#else
#define LOADREMOTEDLL_API __declspec(dllimport)
#endif
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7
#define HASH_KEY 13
#pragma intrinsic( _rotr )
__forceinline UINT32 ror(UINT32 d)
{
return _rotr(d, HASH_KEY);
}
__forceinline UINT32 hash(char * c)
{
register UINT32 h = 0;
do
{
h = ror(h);
h += *c;
} while (*++c);
return h;
}
//////////////////////////////////////////////////////////////////////////
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PEB_LDR_DATA_WIN7_X64
{
UINT32 Length;
UINT8 Initialized;
UINT8 _PADDING0_[0x3];
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
UINT8 ShutdownInProgress;
UINT8 _PADDING1_[0x7];
PVOID ShutdownThreadId;
}PEB_LDR_DATA_WIN7_X64, *PPEB_LDR_DATA_WIN7_X64;
typedef struct _PEB_LDR_DATA_WINXP_X86
{
UINT32 Length;
UINT8 Initialized;
UINT8 _PADDING0_[0x3];
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
}PEB_LDR_DATA_WINXP_X86, *PPEB_LDR_DATA_WINXP_X86;
#ifdef _WIN64
#define PPEB_LDR_DATA PPEB_LDR_DATA_WIN7_X64
#define PEB_LDR_DATA PEB_LDR_DATA_WIN7_X64
#else 
#define PPEB_LDR_DATA PPEB_LDR_DATA_WINXP_X86
#define PEB_LDR_DATA PEB_LDR_DATA_WINXP_X86
#endif
typedef struct _CURDIR
{
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
typedef struct _RTL_USER_PROCESS_PARAMETERS_WINXP_X86 {
UINT32 MaximumLength;
UINT32 Length;
UINT32 Flags;
UINT32 DebugFlags;
HANDLE ConsoleHandle;
UINT32 ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory; // ProcessParameters
UNICODE_STRING DllPath; // ProcessParameters
UNICODE_STRING ImagePathName; // ProcessParameters
UNICODE_STRING CommandLine; // ProcessParameters
PVOID Environment;
UINT32 StartingX;
UINT32 StartingY;
UINT32 CountX;
UINT32 CountY;
UINT32 CountCharsX;
UINT32 CountCharsY;
UINT32 FillAttribute;
UINT32 WindowFlags;
UINT32 ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
UINT32 CurrentDirectores[8];
}RTL_USER_PROCESS_PARAMETERS_WINXP_X86, *PRTL_USER_PROCESS_PARAMETERS_WINXP_X86;
typedef struct _RTL_USER_PROCESS_PARAMETERS_WIN7_X64 {
UINT32 MaximumLength;
UINT32 Length;
UINT32 Flags;
UINT32 DebugFlags;
HANDLE ConsoleHandle;
UINT32 ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory; // ProcessParameters
UNICODE_STRING DllPath; // ProcessParameters
UNICODE_STRING ImagePathName; // ProcessParameters
UNICODE_STRING CommandLine; // ProcessParameters
PVOID Environment;
UINT32 StartingX;
UINT32 StartingY;
UINT32 CountX;
UINT32 CountY;
UINT32 CountCharsX;
UINT32 CountCharsY;
UINT32 FillAttribute;
UINT32 WindowFlags;
UINT32 ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
UINT32 CurrentDirectores[8];
UINT64 EnvironmentSize;
UINT64 EnvironmentVersion;
}RTL_USER_PROCESS_PARAMETERS_WIN7_X64, *PRTL_USER_PROCESS_PARAMETERS_WIN7_X64;
#ifdef _WIN64
#define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WIN7_X64
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WIN7_X64
#else 
#define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WINXP_X86
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WINXP_X86
#endif
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#ifndef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#endif
typedef UINT32 GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
// PEB結構
typedef struct _PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsLegacyProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN IsPackagedProcess : 1;
BOOLEAN IsAppContainer : 1;
BOOLEAN SpareBits : 1;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
union
{
UINT32 CrossProcessFlags;
struct
{
UINT32 ProcessInJob : 1;
UINT32 ProcessInitializing : 1;
UINT32 ProcessUsingVEH : 1;
UINT32 ProcessUsingVCH : 1;
UINT32 ProcessUsingFTH : 1;
UINT32 ReservedBits0 : 27;
};
UINT32 EnvironmentUpdateCount;
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
UINT32 SystemReserved[1];
UINT32 AtlThunkSListPtr32;
PVOID ApiSetMap;
UINT32 TlsExpansionCounter;
PVOID TlsBitmap;
UINT32 TlsBitmapBits[2];
PVOID ReadOnlySharedMemoryBase;
PVOID HotpatchInformation;
PVOID* ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
UINT32 NumberOfProcessors;
UINT32 NtGlobalFlag;
LARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
SIZE_T HeapDeCommitFreeBlockThreshold;
UINT32 NumberOfHeaps;
UINT32 MaximumNumberOfHeaps;
PVOID* ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
UINT32 GdiDCAttributeList;
PRTL_CRITICAL_SECTION LoaderLock;
UINT32 OSMajorVersion;
UINT32 OSMinorVersion;
UINT16 OSBuildNumber;
UINT16 OSCSDVersion;
UINT32 OSPlatformId;
UINT32 ImageSubsystem;
UINT32 ImageSubsystemMajorVersion;
UINT32 ImageSubsystemMinorVersion;
UINT_PTR ImageProcessAffinityMask;
GDI_HANDLE_BUFFER GdiHandleBuffer;
PVOID PostProcessInitRoutine;
PVOID TlsExpansionBitmap;
UINT32 TlsExpansionBitmapBits[32];
UINT32 SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
PVOID pShimData;
PVOID AppCompatInfo;
UNICODE_STRING CSDVersion;
PVOID ActivationContextData;
PVOID ProcessAssemblyStorageMap;
PVOID SystemDefaultActivationContextData;
PVOID SystemAssemblyStorageMap;
SIZE_T MinimumStackCommit;
PVOID* FlsCallback;
LIST_ENTRY FlsListHead;
PVOID FlsBitmap;
UINT32 FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(UINT32) * 8)];
UINT32 FlsHighIndex;
PVOID WerRegistrationData;
PVOID WerShipAssertPtr;
PVOID pContextData;
PVOID pImageHeaderHash;
union
{
UINT32 TracingFlags;
struct
{
UINT32 HeapTracingEnabled : 1;
UINT32 CritSecTracingEnabled : 1;
UINT32 LibLoaderTracingEnabled : 1;
UINT32 SpareTracingBits : 29;
};
};
UINT64 CsrServerReadOnlySharedMemoryBase;
} PEB, *PPEB;
// Ldr 三根鏈表結構
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
UINT32 SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
UINT32 Flags;
UINT16 LoadCount;
UINT16 TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
UINT32 CheckSum;
};
};
union {
struct {
UINT32 TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef const struct _LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;
LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam);
// LoadRemoteDll.cpp
// LoadRemoteDll.cpp : 定義 DLL 應用程序的導出函數(shù)。
//
#include "stdafx.h"
#include "LoadRemoteDll.h"
#pragma intrinsic(_ReturnAddress)
__declspec(noinline)
UINT_PTR caller()
{
return (UINT_PTR)_ReturnAddress(); // #include <intrin.h>
}
typedef
HMODULE
(WINAPI * pfnLoadLibraryA)(LPCSTR lpLibFileName);
typedef
FARPROC
(WINAPI * pfnGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
typedef
LPVOID
(WINAPI * pfnVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef
LONG // NTSTATUS
(NTAPI * pfnNtFlushInstructionCache)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length);
typedef
BOOL
(APIENTRY * pfnDllMain)(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam)
{
UINT_PTR LibraryAddress = 0;
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
pfnLoadLibraryA LoadLibraryAAddress = NULL;
pfnGetProcAddress GetProcAddressAddress = NULL;
pfnVirtualAlloc VirtualAllocAddress = NULL;
pfnNtFlushInstructionCache NtFlushInstructionCacheAddress = NULL;
LibraryAddress = caller(); // 獲得下一步指令的地址，其實就是為了獲得當前指令地址，為后面尋找PE頭提供起點
DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
while (TRUE)
{
if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE &&
DosHeader->e_lfanew >= sizeof(IMAGE_DOS_HEADER) &&
DosHeader->e_lfanew < 1024)
{
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
if (NtHeader->Signature == IMAGE_NT_SIGNATURE)
{
break;
}
}
LibraryAddress--;
DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
}
// 獲得PEB
#ifdef _WIN64
PPEB Peb = (PPEB)__readgsqword(0x60);
#else
PPEB Peb = (PPEB)__readfsdword(0x30);
#endif
PPEB_LDR_DATA Ldr = Peb->Ldr;
// 1.從Dll導出表中獲取函數(shù)地址
for (PLIST_ENTRY TravelListEntry = (PLIST_ENTRY)Ldr->InLoadOrderModuleList.Flink;
TravelListEntry != &Ldr->InLoadOrderModuleList; // 空頭節(jié)點
TravelListEntry = TravelListEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)TravelListEntry;
UINT32 FunctionCount = 0;
// WCHAR* DllName = (WCHAR*)LdrDataTableEntry->BaseDllName.Buffer;
UINT_PTR DllName = (UINT_PTR)LdrDataTableEntry->BaseDllName.Buffer;
UINT32 DllLength = LdrDataTableEntry->BaseDllName.Length;
UINT_PTR DllBaseAddress = (UINT_PTR)LdrDataTableEntry->DllBase;
DosHeader = (PIMAGE_DOS_HEADER)DllBaseAddress;
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)DllBaseAddress + DosHeader->e_lfanew);
IMAGE_DATA_DIRECTORY ExportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)DllBaseAddress + ExportDataDirectory.VirtualAddress);
PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfFunctions);
PUINT32 AddressOfNames = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNames);
PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNameOrdinals);
UINT16 Ordinal = 0;
UINT_PTR ExportFunctionAddress = 0;
UINT32 HashValue = 0;
// 將Dll名稱轉換成Hash值
do
{
HashValue = ror((UINT32)HashValue);
if (*((PUINT8)DllName) >= 'a')
{
HashValue += *((PUINT8)DllName) - 0x20;
}
else
{
HashValue += *((PUINT8)DllName);
}
DllName++;
} while (--DllLength);
if (HashValue == KERNEL32DLL_HASH)
{
FunctionCount = 3;
for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++)
{
if (FunctionCount == 0)
{
break;
}
CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);
HashValue = hash(szExportFunctionName);
if (HashValue == LOADLIBRARYA_HASH)
{
Ordinal = AddressOfNameOrdinals[i];
LoadLibraryAAddress = (pfnLoadLibraryA)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
FunctionCount--;
}
else if (HashValue == GETPROCADDRESS_HASH)
{
Ordinal = AddressOfNameOrdinals[i];
GetProcAddressAddress = (pfnGetProcAddress)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
FunctionCount--;
}
else if (HashValue == VIRTUALALLOC_HASH)
{
Ordinal = AddressOfNameOrdinals[i];
VirtualAllocAddress = (pfnVirtualAlloc)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
FunctionCount--;
}
}
}
else if (HashValue == NTDLLDLL_HASH)
{
FunctionCount = 1;
for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++)
{
if (FunctionCount == 0)
{
break;
}
CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);
HashValue = hash(szExportFunctionName);
if (HashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
{
Ordinal = AddressOfNameOrdinals[i];
NtFlushInstructionCacheAddress = (pfnNtFlushInstructionCache)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
FunctionCount--;
}
}
}
if (LoadLibraryAAddress != NULL &&
GetProcAddressAddress != NULL &&
VirtualAllocAddress != NULL &&
NtFlushInstructionCacheAddress != NULL)
{
break;
}
}
// 2.申請內(nèi)存，重新加載我們的Dll
// 再次更新DosHeader和NtHeader
DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
// 重新申請內(nèi)存（SizeOfImage就是PE在內(nèi)存中的大?。?
/* _asm
{
int 3;
}
*/
// 這個自己重新申請的頭指針不敢隨便移動，使用一個變量來替代
UINT_PTR NewBaseAddress = (UINT_PTR)VirtualAllocAddress(NULL, NtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
UINT_PTR OldPtr = LibraryAddress;
UINT_PTR BasePtr = NewBaseAddress;
// 2.1首先拷貝頭 + 節(jié)表
UINT32 SizeOfHeaders = NtHeader->OptionalHeader.SizeOfHeaders;
while (SizeOfHeaders--)
{
*(PUINT8)BasePtr++ = *(PUINT8)OldPtr++;
}
// memcpy((PVOID)NewBaseAddress, (PVOID)LibraryAddress, NtHeader->OptionalHeader.SizeOfHeaders);
/*
PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader);
UINT32 NumberOfSections = NtHeader->FileHeader.NumberOfSections;
while (NumberOfSections--)
{
UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader->VirtualAddress);
UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader->PointerToRawData);
UINT32 SizeOfRawData = SectionHeader->SizeOfRawData;
while (SizeOfRawData--)
{
*(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++;
}
SectionHeader = (PIMAGE_SECTION_HEADER)((PUINT8)SectionHeader + sizeof(IMAGE_SECTION_HEADER));
}
*/
// 2.2拷貝節(jié)區(qū)
PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
for (INT i = 0; i < NtHeader->FileHeader.NumberOfSections; i++)
{
if (SectionHeader[i].VirtualAddress == 0 || SectionHeader[i].SizeOfRawData == 0) // 節(jié)塊里面沒有數(shù)據(jù)
{
continue;
}
// 定位該節(jié)塊在內(nèi)存中的位置
UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader[i].VirtualAddress);
UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData);
// 復制節(jié)塊數(shù)據(jù)到虛擬內(nèi)存
UINT32 SizeOfRawData = SectionHeader[i].SizeOfRawData;
while (SizeOfRawData--)
{
*(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++;
}
//memcpy(SectionAddress, (PVOID)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData), SectionHeader[i].SizeOfRawData);
}
// 2.3修正導入表(IAT)
IMAGE_DATA_DIRECTORY ImportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)NewBaseAddress + ImportDataDirectory.VirtualAddress);
/* 
_asm
{
int 3;
}
*/
/*
while (ImportDescriptor->Characteristics != 0)
{
PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->FirstThunk);
PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor->OriginalFirstThunk);
// 獲取導入模塊名稱
// char szModuleName[MAX_PATH] = { 0 };
PCHAR ModuleName = (PCHAR)((PUINT8)NewBaseAddress + ImportDescriptor->Name);
HMODULE Dll = LoadLibraryAAddress(ModuleName);
UINT_PTR FunctionAddress = 0;
for (INT i = 0; OriginalFirstThunk[i].u1.Function != 0; i++)
{
if (IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[i].u1.Ordinal))
{
FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[i].u1.Ordinal))));
}
else
{
PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[i].u1.AddressOfData);
FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 通過函數(shù)名稱得到函數(shù)地址
}
FirstThunk[i].u1.Function = FunctionAddress;
}
ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)ImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
*/
for (INT i = 0; ImportDescriptor[i].Name != NULL; i++)
{
// 加載導入動態(tài)庫
HMODULE Dll = LoadLibraryAAddress((const CHAR*)((PUINT8)NewBaseAddress + ImportDescriptor[i].Name));
PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].OriginalFirstThunk);
PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].FirstThunk);
UINT_PTR FunctionAddress = 0;
// 遍歷每個導入模塊的函數(shù)
for (INT j = 0; OriginalFirstThunk[j].u1.Function; j++)
{
if (&OriginalFirstThunk[j] && IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[j].u1.Ordinal))
{
// 序號導入---->這里直接從Dll的導出表中找到函數(shù)地址
// FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, MAKEINTRESOURCEA((IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal)))); // 除去最高位即為序號
DosHeader = (PIMAGE_DOS_HEADER)Dll;
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)Dll + DosHeader->e_lfanew);
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)Dll + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// 導出函數(shù)地址RVA數(shù)組
PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)Dll + ExportDirectory->AddressOfFunctions);
UINT16 Ordinal = IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal - ExportDirectory->Base); // 導出函數(shù)編號 - Base(導出函數(shù)編號的起始值) = 導出函數(shù)在函數(shù)地址表中序號
FunctionAddress = (UINT_PTR)((PUINT8)Dll + AddressOfFunctions[Ordinal]);
}
else
{
// 名稱導入
PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[j].u1.AddressOfData);
FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name); // 通過函數(shù)名稱得到函數(shù)地址
}
// 更新IAT
FirstThunk[j].u1.Function = FunctionAddress;
}
}
// 2.4修正重定向表
DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
// UINT_PTR Delta = NewBaseAddress - NtHeader->OptionalHeader.ImageBase;
IMAGE_DATA_DIRECTORY BaseRelocDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
// 有無重定向表
if (BaseRelocDataDirectory.Size != 0)
{
PIMAGE_BASE_RELOCATION BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)NewBaseAddress + BaseRelocDataDirectory.VirtualAddress);
while (BaseRelocation->SizeOfBlock != 0)
{
typedef struct _IMAGE_RELOC
{
UINT16 Offset : 12; // 低12位---偏移
UINT16 Type : 4; // 高4位---類型
} IMAGE_RELOC, *PIMAGE_RELOC;
// 定位到重定位塊
PIMAGE_RELOC RelocationBlock = (PIMAGE_RELOC)((PUINT8)BaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
// 計算需要修正的重定向位項的數(shù)目
UINT32 NumberOfRelocations = (BaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
for (INT i = 0; i < NumberOfRelocations; i++)
{
if (RelocationBlock[i].Type == IMAGE_REL_BASED_DIR64)
{
// 64 位
PUINT64 Address = (PUINT64)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + RelocationBlock[i].Offset);
UINT64 Delta = (UINT64)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;
*Address += Delta;
}
else if (RelocationBlock[i].Type == IMAGE_REL_BASED_HIGHLOW)
{
// 32 位
PUINT32 Address = (PUINT32)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + (RelocationBlock[i].Offset));
UINT32 Delta = (UINT32)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;
*Address += Delta;
}
}
// 轉到下一張重定向表
BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)BaseRelocation + BaseRelocation->SizeOfBlock);
}
}
// 3.獲得模塊OEP
UINT_PTR AddressOfEntryPoint = (UINT_PTR)((PUINT8)NewBaseAddress + NtHeader->OptionalHeader.AddressOfEntryPoint);
NtFlushInstructionCacheAddress(INVALID_HANDLE_VALUE, NULL, 0);
// 調(diào)用通過OEP去調(diào)用DllMain
((pfnDllMain)AddressOfEntryPoint)((HMODULE)NewBaseAddress, DLL_PROCESS_ATTACH, lParam);
/* _asm
{
int 3;
}
*/
return AddressOfEntryPoint;
}

// dllmain.cpp : 定義 DLL 應用程序的入口點。
#include "stdafx.h"
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
MessageBoxA(0, 0, 0, 0);
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

0x09.總結

　　也許還有我沒有學習到的Ring3注入Dll的方法，正所謂，路漫漫其修遠兮，吾將上下而求索！

　　奉上代碼下載地址：https://github.com/YouArekongqi/InjectCollection.git

以上所述是小編給大家介紹的Windows x86/ x64 Ring3層注入Dll總結，希望對大家有所幫助！

您可能感興趣的文章:

Windows Server 2003 Service Pack 2 for x86 & x64 正式版發(fā)布

Microsoft Windows 2008 Server R2 iis7.5上傳文件限制200K更改
這篇文章主要介紹了Microsoft Windows 2008 Server R2上傳文件限制200K更改,需要的朋友可以參考下
2015-10-10
Win10下jdk安裝及環(huán)境變量配置詳細教程
本文詳細講解了Win10下jdk安裝及環(huán)境變量配置的詳細教程，文中通過示例代碼介紹的非常詳細。小編覺得挺不錯的，現(xiàn)在分享給大家，也給大家做個參考。一起跟隨小編過來看看吧
2021-11-11
在IIS6中安裝WebKnight的方法(iis防火墻)
由于WebKnight的配置很多，這里我只寫一下推薦配置，個人觀點，僅供參考，如果更好的建議，期待您的分享
2012-01-01
當前標識沒有對"Temporary ASP.NET Files"的寫訪問權限的解決辦法
這篇文章主要介紹了在IIS上部署程序后出現(xiàn)錯誤-當前標識(NT AUTHORITY/NETWORK SERVICE)沒有對C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files的寫訪問權限,需要的朋友可以參考下
2016-06-06
SERV-U打造最安全的FTP安全設置教程[圖文]
作為一款精典的FTP服務器軟件，SERV－U一直被大部分管理員所使用，它簡單的安裝和配置以及強大的管理功能的人性化也一直被管理員們稱頌。但是隨著使用者越來越多，該軟件的安全問題也逐漸顯露出來。
2008-10-10
Windows?server?2019?批量創(chuàng)建用戶的詳細教程
這篇文章主要介紹了Windows?server?2019?批量創(chuàng)建用戶,本文通過圖文并茂的形式給大家介紹的非常詳細，對大家的學習或工作具有一定的參考借鑒價值，需要的朋友可以參考下
2023-07-07
win2008 iis7設置取消執(zhí)行純腳本權限圖文步驟
win2008的iis7與win2003中的iis6在禁止某個目錄運行腳本木馬的設置上有所不一樣，具體的設置方法祥看本文希望可以幫助到你
2013-04-04
通過軟件修改Win2008默認遠程桌面連接端口3389
這篇文章主要介紹了通過軟件修改Win2008默認遠程桌面連接端口3389,需要的朋友可以參考下
2016-09-09
WEB 專用服務器的安全設置總結
web服務器常見的安全設置，大家可以根據(jù)自己的情況進行設置，最后先在自己的電腦上做實驗，最好用虛擬主機管理軟件，腳本之家有的下載。
2009-04-04
serv-u與屏保導致serv-u服務器經(jīng)常停止無法連接的解決方法
公司win2003服務器發(fā)現(xiàn)serv-u一直以來都有經(jīng)常暫停無法連接的問題只有重新啟動serv-u才能解決serv-u停止問題，還以為是版本或者流量的關系
2007-12-12