Windows x86/ x64 Ring3层注入Dll总结

Posted 天边的黑雪

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Windows x86/ x64 Ring3层注入Dll总结相关的知识,希望对你有一定的参考价值。

欢迎转载,转载请注明出处:http://www.cnblogs.com/uAreKongqi/p/6012353.html 

0x00.前言

  提到Dll的注入,立马能够想到的方法就有很多,比如利用远程线程、Apc等等,这里我对Ring3层的Dll注入学习做一个总结吧。

  我把注入的方法分成六类,分别是:1.创建新线程、2.设置线程上下背景文,修改寄存器、3.插入Apc队列、4.修改注册表、5.挂钩窗口消息、6.远程手动实现LoadLibrary。

  那么下面就开始学习之旅吧!

0x01.预备工作

  在涉及到注入的程序中,提升程序的权限自然是必不可少的,这里我提供了两个封装的函数,都可以用于提权。第一个是通过权限令牌来调整权限;第二个是通过ntdll.dll的导出的未文档化函数RtlAdjustPrivilege来调整权限。

// 传入参数 SE_DEBUG_NAME,提升到调试权限

BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
    TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges;
    DWORD             dwReturnLength = sizeof(OldPrivileges);
    HANDLE             TokenHandle = NULL;
    LUID             uID;

    // 打开权限令牌
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
    {
        if (GetLastError() != ERROR_NO_TOKEN)
        {
            return FALSE;
        }
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
        {
            return FALSE;
        }
    }

    if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID))        // 通过权限名称查找uID
    {
        CloseHandle(TokenHandle);
        return FALSE;
    }

    TokenPrivileges.PrivilegeCount = 1;        // 要提升的权限个数
    TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;    // 动态数组,数组大小根据Count的数目
    TokenPrivileges.Privileges[0].Luid = uID;

    // 在这里我们进行调整权限
    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
    {
        CloseHandle(TokenHandle);
        return FALSE;
    }

    // 成功了
    CloseHandle(TokenHandle);
    return TRUE;
}
权限令牌
// 传入参数 SE_DEBUG_PRIVILEGE,提升到调试权限

#define SE_DEBUG_PRIVILEGE                (20L)

typedef
NTSTATUS(NTAPI * pfnRtlAdjustPrivilege)(
    UINT32 Privilege,
    BOOLEAN Enable,
    BOOLEAN Client,
    PBOOLEAN WasEnabled);

BOOL GrantPriviledge(IN UINT32 Priviledge)
{
    pfnRtlAdjustPrivilege    RtlAdjustPrivilege = NULL;
    BOOLEAN                    WasEnable = FALSE;

    RtlAdjustPrivilege = (pfnRtlAdjustPrivilege)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlAdjustPrivilege");
    if (RtlAdjustPrivilege == NULL)
    {
        return FALSE;
    }

    RtlAdjustPrivilege(Priviledge, TRUE, FALSE, &WasEnable);

    return TRUE;
}
RtlAdjustPrivilege

  紧接着,既然我们要对目标进程注入Dll,那么获得目标进程的Id是不可或缺的吧,因为OpenProcess是肯定会使用的,这里我也提供了两种通过目标进程映像名称获得进程Id的方法。第一种是最常见的使用TlHelp创建系统的进程快照;第二种是借助Psapi枚举系列函数,不过这个方法我实现的有缺憾,32位下不能得到64位进程的Id。

// 使用ToolHelp系列函数

#include <TlHelp32.h>

BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
    HANDLE            ProcessSnapshotHandle = INVALID_HANDLE_VALUE;
    PROCESSENTRY32    ProcessEntry32 = { 0 };

    ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);        // 初始化PROCESSENTRY32结构

    ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);    // 给系统所有的进程快照
    if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    if (Process32First(ProcessSnapshotHandle, &ProcessEntry32))        // 找到第一个
    {
        do
        {
            if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0)        // 不区分大小写
            {
                *ProcessId = ProcessEntry32.th32ProcessID;
                break;
            }
        } while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));
    }

    CloseHandle(ProcessSnapshotHandle);
    ProcessSnapshotHandle = INVALID_HANDLE_VALUE;

    if (*ProcessId == 0)
    {
        return FALSE;
    }

    return TRUE;
}
TlHelp
// 使用Psapi系列枚举函数

#include <Psapi.h>

BOOL GetProcessIdByProcessImageName(IN PWCHAR wzProcessImageName, OUT PUINT32 ProcessId)
{
    DWORD    dwProcessesId[1024] = { 0 };
    DWORD    BytesReturned = 0;
    UINT32    ProcessCount = 0;

    // 获得当前操作系统中的所有进程Id,保存在dwProcessesId数组里
    if (!EnumProcesses(dwProcessesId, sizeof(dwProcessesId), &BytesReturned))
    {
        return FALSE;
    }

    ProcessCount = BytesReturned / sizeof(DWORD);

    // 遍历
    for (INT i = 0; i < ProcessCount; i++)
    {
        HMODULE    ModuleBase = NULL;
        WCHAR    wzModuleBaseName[MAX_PATH] = { 0 };
        HANDLE    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessesId[i]);

        if (ProcessHandle == NULL)
        {
            continue;
        }

        if (EnumProcessModulesEx(ProcessHandle, &ModuleBase, sizeof(HMODULE), &BytesReturned, LIST_MODULES_ALL))
        {
            // 获得进程第一模块名称
            GetModuleBaseName(ProcessHandle, ModuleBase, wzModuleBaseName, MAX_PATH * sizeof(WCHAR));
        }
    
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;

        if (lstrcmpi(wzModuleBaseName, wzProcessImageName) == 0)        // 不区分大小写
        {
            *ProcessId = dwProcessesId[i];
            break;
        }
    }

    if (*ProcessId == 0)
    {
        return FALSE;
    }

    return TRUE;
}
Psapi

  然后在比如插入Apc队列、挂起线程等等操作中,需要对目标进程的线程操作,所以获得线程Id也有必要,同样的我也提供了两种通过进程Id获得线程Id的方法。第一个仍然是使用TlHelp创建系统的线程快照,把所有的线程存入vector模板里(供Apc注入使用);第二个是利用ZwQuerySystemInformation大法,枚举系统进程信息,这个方法我只返回了一个线程Id,已经够用了。

// 枚举指定进程Id的所有线程,压入模板中

#include <vector>
#include <TlHelp32.h>
using namespace std;

BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT vector<UINT32>& ThreadIdVector)
{
    HANDLE            ThreadSnapshotHandle = NULL;
    THREADENTRY32    ThreadEntry32 = { 0 };

    ThreadEntry32.dwSize = sizeof(THREADENTRY32);

    ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);        // 给系统所有的线程快照
    if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    if (Thread32First(ThreadSnapshotHandle, &ThreadEntry32))
    {
        do
        {
            if (ThreadEntry32.th32OwnerProcessID == ProcessId)
            {
                ThreadIdVector.emplace_back(ThreadEntry32.th32ThreadID);        // 把该进程的所有线程id压入模板
            }
        } while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32));
    }
    
    CloseHandle(ThreadSnapshotHandle);
    ThreadSnapshotHandle = NULL;
    return TRUE;
}
TlHelp
// ZwQuerySystemInformation+SystemProcessInformation

typedef
NTSTATUS(NTAPI * pfnZwQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN UINT32 SystemInformationLength,
    OUT PUINT32 ReturnLength OPTIONAL);

BOOL GetThreadIdByProcessId(IN UINT32 ProcessId, OUT PUINT32 ThreadId)
{
    BOOL                        bOk = FALSE;
    NTSTATUS                    Status = 0;
    PVOID                        BufferData = NULL;
    PSYSTEM_PROCESS_INFO        spi = NULL;
    pfnZwQuerySystemInformation ZwQuerySystemInformation = NULL;

    ZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL)
    {
        return FALSE;
    }

    BufferData = malloc(1024 * 1024);
    if (!BufferData)
    {
        return FALSE;
    }

    // 在QuerySystemInformation系列函数中,查询SystemProcessInformation时,必须提前申请好内存,不能先查询得到长度再重新调用
    Status = ZwQuerySystemInformation(SystemProcessInformation, BufferData, 1024 * 1024, NULL);
    if (!NT_SUCCESS(Status))
    {
        free(BufferData);
        return FALSE;
    }

    spi = (PSYSTEM_PROCESS_INFO)BufferData;

    // 遍历进程,找到我们的目标进程
    while (TRUE)
    {
        bOk = FALSE;
        if (spi->UniqueProcessId == (HANDLE)ProcessId)
        {
            bOk = TRUE;
            break;
        }
        else if (spi->NextEntryOffset)
        {
            spi = (PSYSTEM_PROCESS_INFO)((PUINT8)spi + spi->NextEntryOffset);
        }
        else
        {
            break;
        }
    }

    if (bOk)
    {
        for (INT i = 0; i < spi->NumberOfThreads; i++)
        {
            // 返出找到的线程Id
            *ThreadId = (UINT32)spi->Threads[i].ClientId.UniqueThread;
            break;
        }
    }

    if (BufferData != NULL)
    {
        free(BufferData);
    }

    return bOk;
}
ZwQuerySystemInformation

  嗯,目前为止,预备工作差不多完工,那我们就开始正题吧!

0x02.注入方法一 -- 创建新线程

  创建新线程,也就是在目标进程里,创建一个线程为我们服务,而创建线程的方法我找到的有三种:1.CreateRemoteThread;2.NtCreateThreadEx;3.RtlCreateUserThread。

  基本思路是:1.在目标进程内存空间申请内存;2.在刚申请的内存中写入Dll完整路径;3.创建新线程,去执行LoadLibrary,从而完成注入Dll。

  ps:这里直接使用从自己加载的kernel32模块导出表中获得LoadLibrary地址,是因为一般情况下,所有进程加载这类系统库在内存中的地址相同!

  因为只是创线程所使用的函数不一样,所以下面的代码随便放开一个创线程的步骤,屏蔽其他两个,都是可以成功的,这里我放开的是NtCreateThreadEx。

typedef NTSTATUS(NTAPI* pfnNtCreateThreadEx)
(
    OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN PVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN PVOID lpStartAddress,
    IN PVOID lpParameter,
    IN ULONG Flags,
    IN SIZE_T StackZeroBits,
    IN SIZE_T SizeOfStackCommit,
    IN SIZE_T SizeOfStackReserve,
    OUT PVOID lpBytesBuffer);

#define NT_SUCCESS(x) ((x) >= 0)

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef NTSTATUS(NTAPI * pfnRtlCreateUserThread)(
    IN HANDLE ProcessHandle,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
    IN BOOLEAN CreateSuspended,
    IN ULONG StackZeroBits OPTIONAL,
    IN SIZE_T StackReserve OPTIONAL,
    IN SIZE_T StackCommit OPTIONAL,
    IN PTHREAD_START_ROUTINE StartAddress,
    IN PVOID Parameter OPTIONAL,
    OUT PHANDLE ThreadHandle OPTIONAL,
    OUT PCLIENT_ID ClientId OPTIONAL);


BOOL InjectDll(UINT32 ProcessId)
{
    HANDLE ProcessHandle = NULL;

    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);

    // 在对方进程空间申请内存,存储Dll完整路径
    UINT32    DllFullPathLength = (strlen(DllFullPath) + 1);
    PVOID     DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (DllFullPathBufferData == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }

    // 将DllFullPath写进刚刚申请的内存中
    SIZE_T    ReturnLength;
    BOOL bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1, &ReturnLength);

    LPTHREAD_START_ROUTINE    LoadLibraryAddress = NULL;
    HMODULE                    Kernel32Module = GetModuleHandle(L"Kernel32");

    LoadLibraryAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(Kernel32Module, "LoadLibraryA");


    pfnNtCreateThreadEx NtCreateThreadEx = (pfnNtCreateThreadEx)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");
    if (NtCreateThreadEx == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }

    HANDLE ThreadHandle = NULL;
    // 0x1FFFFF #define THREAD_ALL_ACCESS         (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
    NtCreateThreadEx(&ThreadHandle, 0x1FFFFF, NULL, ProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, DllFullPathBufferData, FALSE, NULL, NULL, NULL, NULL);

/*
pfnRtlCreateUserThread RtlCreateUserThread = (pfnRtlCreateUserThread)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlCreateUserThread");

    HANDLE ThreadHandle = NULL;
    NTSTATUS Status = RtlCreateUserThread(ProcessHandle, NULL, FALSE, 0, 0, 0, LoadLibraryAddress, DllFullPathBufferData, &ThreadHandle, NULL);    
*/

/*
HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 0, LoadLibraryAddress, DllFullPathBufferData, 0, NULL);        // CreateRemoteThread 函数
*/


    if (ThreadHandle == NULL)
    {
        CloseHandle(ProcessHandle);
        return FALSE;
    }

    if (WaitForSingleObject(ThreadHandle, INFINITE) == WAIT_FAILED)
    {
        return FALSE;
    }

    CloseHandle(ProcessHandle);
    CloseHandle(ThreadHandle);

    return TRUE;
}

0x03.注入方法二 -- 设置线程上下背景文

  设置线程上下背景文的主要目的是让目标进程的某一线程转去执行我们的代码,然后再回来做他该做的事,而我们的代码,就是一串由汇编硬编码组成的ShellCode。

  这串ShellCode做了三件事:1.传入Dll完整路径参数;2.呼叫LoadLibrary函数地址;3.返回原先的Eip或Rip。

  这里我选用的呼叫指令是ff 15 和 ff 25,在32位下为跳转到15(25)指令后面字节码对应地址里面存放的地址,在64位下15(25)指令后面四字节存放的是偏移,该跳转为跳转到换算出来的地址里面存放的地址,这里我把偏移写成0,以便于计算。

#ifdef _WIN64
// 测试 64 位 dll被注,Bug已修复

/*
0:019> u 0x000002b5d5f80000
000002b5`d5f80000 4883ec28        sub     rsp,28h
000002b5`d5f80004 488d0d20000000  lea     rcx,[000002b5`d5f8002b]
000002b5`d5f8000b ff1512000000    call    qword ptr [000002b5`d5f80023]
000002b5`d5f80011 4883c428        add     rsp,28h
000002b5`d5f80015 ff2500000000    jmp     qword ptr [000002b5`d5f8001b]
*/

UINT8    ShellCode[0x100] = {
    0x48,0x83,0xEC,0x28,    // sub rsp ,28h

    0x48,0x8D,0x0d,            // [+4] lea rcx,
    0x00,0x00,0x00,0x00,    // [+7] DllNameOffset = [+43] - [+4] - 7

    // call 跳偏移,到地址,解*号
    0xff,0x15,                // [+11]
    0x00,0x00,0x00,0x00,    // [+13] 

    0x48,0x83,0xc4,0x28,    // [+17] add rsp,28h

    // jmp 跳偏移,到地址,解*号
    0xff,0x25,                // [+21]
    0x00,0x00,0x00,0x00,    // [+23] LoadLibraryAddressOffset

    // 存放原先的 rip
    0x00,0x00,0x00,0x00,    // [+27]
    0x00,0x00,0x00,0x00,    // [+31]

    // 跳板 loadlibrary地址
    0x00,0x00,0x00,0x00,    // [+35] 
    0x00,0x00,0x00,0x00,    // [+39]

// 存放dll完整路径
//    0x00,0x00,0x00,0x00,    // [+43]
//    0x00,0x00,0x00,0x00        // [+47]
//    ......
};
#else
// 测试 32 位 配合新写的Dll可重复注入

/*
0:005> u 0x00ca0000
00000000`00ca0000 60              pusha
00000000`00ca0001 9c              pushfq
00000000`00ca0002 681d00ca00      push    0CA001Dh
00000000`00ca0007 ff151900ca00    call    qword ptr [00000000`01940026]
00000000`00ca000d 9d              popfq
00000000`00ca000e 61              popa
00000000`00ca000f ff251500ca00    jmp     qword ptr [00000000`0194002a]

*/

UINT8    ShellCode[0x100] = {
    0x60,                    // [+0] pusha
    0x9c,                    // [+1] pushf
    0x68,                    // [+2] push
    0x00,0x00,0x00,0x00,    // [+3] ShellCode + 
    0xff,0x15,                // [+7] call    
    0x00,0x00,0x00,0x00,    // [+9] LoadLibrary Addr  Addr
    0x9d,                    // [+13] popf
    0x61,                    // [+14] popa
    0xff,0x25,                // [+15] jmp
    0x00,0x00,0x00,0x00,    // [+17] jmp  eip

    // eip 地址
    0x00,0x00,0x00,0x00,    // [+21]
    // LoadLibrary 地址
    0x00,0x00,0x00,0x00,    // [+25] 
    // DllFullPath 
    0x00,0x00,0x00,0x00        // [+29] 
};

#endif

  整个注入过程由这些步骤组成:在目标进程申请内存(可执行内存) ---> 填充ShellCode需要的地址码 ---> 将ShellCode写入申请的内存 ---> SuspendThread(挂起线程)--->GetThreadContext(获得线程上下背景文)---> 修改Context的Eip或Rip为ShellCode首地址 ---> SetThreadContext(设置刚修改过的Context)---> ResumeThread(恢复线程执行)。

BOOL Inject(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
    BOOL        bOk = FALSE;
    CONTEXT        ThreadContext = { 0 };
    PVOID        BufferData = NULL;

    HANDLE        ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
    HANDLE        ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);


    // 首先挂起线程
    SuspendThread(ThreadHandle);


    ThreadContext.ContextFlags = CONTEXT_ALL;
    if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
    {
        CloseHandle(ThreadHandle);
        CloseHandle(ProcessHandle);
        return FALSE;
    }

    BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (BufferData != NULL)
    {

        if (LoadLibraryWAddress != NULL)
        {
#ifdef _WIN64

            // ShellCode + 43处 存放完整路径
            PUINT8    v1 = ShellCode + 43;
            memcpy(v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR));
            UINT32    DllNameOffset = (UINT32)(((PUINT8)BufferData + 43) - ((PUINT8)BufferData + 4) - 7);
            *(PUINT32)(ShellCode + 7) = DllNameOffset;

            // ShellCode + 35处 放置 LoadLibrary 函数地址
            *(PUINT64)(ShellCode + 35) = (UINT64)LoadLibraryWAddress;
            UINT32    LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + 35) - ((PUINT8)BufferData + 11) - 6);
            *(PUINT32)(ShellCode + 13) = LoadLibraryAddressOffset;

            // 放置 rip 地址
            *(PUINT64)(ShellCode + 27) = ThreadContext.Rip;

            if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
            {
                return FALSE;
            }
            ThreadContext.Rip = (UINT64)BufferData;

#else
            PUINT8    v1 = ShellCode + 29;

            memcpy((char*)v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR));    //这里是要注入的DLL名字
            *(PUINT32)(ShellCode + 3) = (UINT32)BufferData + 29;

            *(PUINT32)(ShellCode + 25) = LoadLibraryWAddress;   //loadlibrary地址放入shellcode中
            *(PUINT32)(ShellCode + 9) = (UINT32)BufferData + 25;//修改call 之后的地址 为目标空间存放 loaddlladdr的地址
                                                                //////////////////////////////////
            *(PUINT32)(ShellCode + 21) = ThreadContext.Eip;
            *(PUINT32)(ShellCode + 17) = (UINT32)BufferData + 21;//修改jmp 之后为原来eip的地址
            if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
            {
                printf("write Process Error\\n");
                return FALSE;
            }
            ThreadContext.Eip = (UINT32)BufferData;

#endif            
            if (!SetThreadContext(ThreadHandle, &ThreadContext))
            {
                printf("set thread context error\\n");
                return FALSE;
            }
            ResumeThread(ThreadHandle);


            printf("ShellCode 注入完成\\r\\n");
        }
    }

    CloseHandle(ThreadHandle);
    CloseHandle(ProcessHandle);
    return TRUE;
}

0x04.插入Apc队列

  Ring3层的Apc注入是不太稳定的,我的做法就是暴力的向目标进程的所有线程的UserMode Apc队列(线程有两个Apc队列:Kernel和User)上插入Apc对象,等待他去执行该Apc里注册的函数。而只有当线程处于alterable状态时,才会查看Apc队列是否有需要执行的注册函数。

  ps:正是因为不知道哪个线程会去处理Apc,所以感觉Ring3层Apc注入不如其他方法好使,不过Ring0层Apc注入还是比较稳定的。之前测试xp和win10都成功,win7下注explorer进程总是崩溃,后来捯饬半天,发现遍历线程的时候从后往前遍历着插入就不会崩溃Orz

int main()
{
    ......

    ThreadCount = ThreadIdVector.size();
    for (INT i = ThreadCount - 1; i >= 0; i--)
    {
        UINT32 ThreadId = ThreadIdVector[i];
        InjectDllByApc(ProcessId, ThreadId);
    }
    ......
}

BOOL InjectDllByApc(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
    BOOL        bOk = 0;
    HANDLE        ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
    HANDLE        ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    UINT_PTR    LoadLibraryAddress = 0;
    SIZE_T        ReturnLength = 0;
    UINT32        DllFullPathLength = (strlen(DllFullPath) + 1);

    // 全局,申请一次内存
    if (DllFullPathBufferData == NULL)
    {
        //申请内存
        DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (DllFullPathBufferData == NULL)
        {
            CloseHandle(ProcessHandle);
            CloseHandle(ThreadHandle);
            return FALSE;
        }
    }

    // 避免之前写操作失败,每次重复写入

    bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, strlen(DllFullPath) + 1,
        &ReturnLength);
    if (bOk == FALSE)
    {
        CloseHandle(ProcessHandle);
        CloseHandle(ThreadHandle);
        return FALSE;
    }

    LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
    if (LoadLibraryAddress == NULL)
    {
        CloseHandle(ProcessHandle);
        CloseHandle(ThreadHandle);
        return FALSE;
    }

    __try
    {

        QueueUserAPC((PAPCFUNC)LoadLibraryAddress, ThreadHandle, (UINT_PTR)DllFullPathBufferData);

    }
    __except (EXCEPTION_CONTINUE_EXECUTION)
    {
    }


    CloseHandle(ProcessHandle);
    CloseHandle(ThreadHandle);

    return TRUE;
}

0x05.修改注册表

  注册表注入算得上是全局Hook了吧,毕竟新创建的进程在加载User32.dll时,都会自动调用LoadLibrary去加载注册表中某个表项键值里写入的Dll路径。

  我们关心的这个注册表项键是:

  x64下:HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows

  x86下:HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows

  我们要设置的键值是AppInit_DLLs = “Dll完整路径”,LoadAppInit_Dlls = 1(让系统使用这个注册表项) 

  ps:由于注入的Dll在进程创建的早期,所以在Dll中使用函数要格外小心,因为有的库可能还没加载上。

int main()
{
    LSTATUS Status = 0;

#ifdef _WIN64
    WCHAR* wzSubKey = L"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows";
#else
    WCHAR* wzSubKey = L"SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows";
#endif // _WIN64


    HKEY    hKey = NULL;

    // 打开注册表
    Status = RegOpenKeyExW(HKEY_LOCAL_MACHINE,        // 要打开的主键
        wzSubKey,            // 要打开的子键名字地址
        0,                    // 保留,传0
        KEY_ALL_ACCESS,        // 打开的方式
        &hKey);                // 返回的子键句柄
    if (Status != ERROR_SUCCESS)
    {
        return 0;
    }

    WCHAR*    wzValueName = L"AppInit_DLLs";
    DWORD    dwValueType = 0;
    UINT8    ValueData[MAX_PATH] = { 0 };
    DWORD    dwReturnLength = 0;

    // 查询注册表
    Status = RegQueryValueExW(hKey,        // 子键句柄
        wzValueName,        // 待查询键值的名称
        NULL,                // 保留
        &dwValueType,        // 数据类型
        ValueData,            // 键值
        &dwReturnLength);


    WCHAR    wzDllFullPath[MAX_PATH] = { 0 };
    GetCurrentDirectoryW(MAX_PATH, wzDllFullPath);

#ifdef _WIN64
    wcscat_s(wzDllFullPath, L"\\\\x64NormalDll.dll");
#else
    wcscat_s(wzDllFullPath, L"\\\\x86NormalDll.dll");
#endif

    // 设置键值
    Status = RegSetValueExW(hKey,
        wzValueName,
        NULL,
        dwValueType,
        (CONST BYTE*)wzDllFullPath,
        (lstrlen(wzDllFullPath) + 1) * sizeof(WCHAR));
    if (Status !=以上是关于Windows x86/ x64 Ring3层注入Dll总结的主要内容,如果未能解决你的问题,请参考以下文章

使用来自 x64 注入器的 x86 dll 注入 x86 目标

APC注入(Ring3层)

ring0

如何从WOW64进程注入x86 DLL到x64进程

CPU的Ring等级

Intel X86 CPU之特权级别