
欢迎关注本人微博:t.cn/RGSLVUk

『注入』之[代码注入]

代码注入:


  1. 打开目标进程

  2. 申请内存

  3. 写入参数

  4. 写入CODE

  5. 创建远程线程

代码注入的隐蔽性好，很像 shellcode。



#include "stdafx.h"

#include "windows.h"


BOOL InjectCode(int);                 // write g_InjectionCode into the process with this PID and run it on a remote thread
BOOL SetPrivilege(LPCTSTR , BOOL);    // enable/disable one named privilege on our own token (original comment: "提权", raise privilege)


/*
 * Parameter block that InjectCode copies into the target process and passes
 * as the lpParameter of the remote thread. InjectCode fills
 * pFunc[0] = LoadLibraryA and pFunc[1] = GetProcAddress, resolved in the
 * injecting process; the injected code is expected to read them from its
 * argument, so the layout here and the offsets inside g_InjectionCode must
 * stay in step.
 */
typedef struct _THREAD_PARAM
{
FARPROC pFunc[2];// [0] LoadLibraryA(), [1] GetProcAddress()
}THREAD_PARAM,*PTHREAD_PARAM;


/*
 * The thread body that runs inside the target process. Hand-assembled bytes
 * that appear to be 32-bit x86 (push ebp / mov ebp,esp prologue at the start,
 * mov esp,ebp / pop ebp / ret at the end), so the target must be a 32-bit
 * process. The ASCII runs inside it spell "user32.dll", "MessageBoxA",
 * "ReverseCore" and "www.reversecore.com": the payload seems to load user32
 * through THREAD_PARAM.pFunc[0], resolve MessageBoxA through pFunc[1] and
 * show a message box -- a visible, harmless demonstration payload.
 *
 * NOTE(review): the "1." .. "10." at the start of each row are list
 * numbering left behind by the page extraction, not part of the array; the
 * array itself is 98 bytes. Any change to THREAD_PARAM's layout invalidates
 * the hard-coded offsets in these bytes.
 */
BYTE g_InjectionCode[] =
{
  1. 0x55, 0x8B, 0xEC, 0x8B, 0x75, 0x08, 0x68, 0x6C, 0x6C, 0x00,
  2. 0x00, 0x68, 0x33, 0x32, 0x2E, 0x64, 0x68, 0x75, 0x73, 0x65,
  3. 0x72, 0x54, 0xFF, 0x16, 0x68, 0x6F, 0x78, 0x41, 0x00, 0x68,
  4. 0x61, 0x67, 0x65, 0x42, 0x68, 0x4D, 0x65, 0x73, 0x73, 0x54,
  5. 0x50, 0xFF, 0x56, 0x04, 0x6A, 0x00, 0xE8, 0x0C, 0x00, 0x00,
  6. 0x00, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x43, 0x6F,
  7. 0x72, 0x65, 0x00, 0xE8, 0x14, 0x00, 0x00, 0x00, 0x77, 0x77,
  8. 0x77, 0x2E, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x63,
  9. 0x6F, 0x72, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x00, 0x6A, 0x00,
  10. 0xFF, 0xD0, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3
};


/*
 * Entry point. Expects exactly one argument, the decimal PID of the target
 * process. Enables SE_DEBUG_NAME on our own token first (SetPrivilege prints
 * its own error and we exit with 1), then hands the PID to InjectCode.
 *
 * NOTE(review): argv is _TCHAR*, so "%s" and atol() are only correct in a
 * non-UNICODE build. atol() returns 0 for non-numeric input and that 0 is
 * passed on unchecked. InjectCode's return value is discarded, so the exit
 * status is 0 even when the injection failed.
 */
int _tmain(int argc, _TCHAR* argv[])
{
DWORD dwPid = 0;
if (argc != 2)
{
printf("\nUSAGE: %s pid\n",argv[0]);
return 1;
}
// SE_DEBUG_NAME is presumably requested so that the OpenProcess call inside
// InjectCode can open processes owned by other accounts -- confirm.
if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
return 1;
dwPid = (DWORD)atol(argv[1]);
InjectCode(dwPid);
return 0;
}


/*
 * Inject g_InjectionCode into process dwPid and run it on a new thread.
 *
 * Sequence (the five steps listed at the top of the page): resolve
 * LoadLibraryA and GetProcAddress in *this* process; OpenProcess with
 * PROCESS_ALL_ACCESS; VirtualAllocEx + WriteProcessMemory for the
 * THREAD_PARAM; the same again for the code bytes, this time
 * PAGE_EXECUTE_READWRITE; CreateRemoteThread with the code buffer as the
 * start routine and the parameter buffer as its argument. The call then
 * blocks until the remote thread exits.
 *
 * Returns TRUE once the remote thread has finished; any failing API call
 * prints GetLastError() and returns FALSE.
 *
 * Review notes (code left exactly as published):
 *  - hProcess is leaked on every failure path after OpenProcess, and the two
 *    remote allocations are never released with VirtualFreeEx.
 *  - "%X" with a FARPROC and "%d" with a DWORD are mismatched format
 *    specifiers ("%p" / "%lu" would be correct). The second printf's
 *    "\GetProcAddress" contains the unrecognised escape "\G"; a "\n" was
 *    evidently intended.
 *  - The function-pointer values are taken from this process and used
 *    unchanged in the target, so this relies on kernel32.dll being mapped at
 *    the same address in both processes, and since g_InjectionCode appears
 *    to be 32-bit x86, on a 32-bit target.
 *  - The declarations below lost their whitespace in extraction
 *    ("HMODULEhMod", "THREAD_PARAMparam", "HANDLEhProcess").
 *  - From the defender's side: OpenProcess(PROCESS_ALL_ACCESS) ->
 *    VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
 *    CreateRemoteThread is the textbook remote-thread injection sequence
 *    and is the call pattern endpoint monitoring commonly alerts on.
 */
BOOL InjectCode(int dwPid){
HMODULEhMod= NULL;
THREAD_PARAMparam={ 0, };
HANDLEhProcess= NULL;
HANDLE          hThread= NULL;
LPVOID          pRemoteBuf[2]= { 0, };
// Function addresses, resolved in the injecting process (see note above).
hMod = LoadLibraryA("Kernel32.dll");
param.pFunc[0] = GetProcAddress(hMod, "LoadLibraryA");
param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");
// NOTE(review): "%X" with a pointer; the second string's "\G" is not a valid escape.
printf("\nLoadLibraryA : %X\n", param.pFunc[0]);
printf("\GetProcAddress : %X\n", param.pFunc[1]);
//1. Open Process
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS,               // dwDesiredAccess
FALSE,  // bInheritHandle
dwPid)))  // dwProcessId
{
printf("OpenProcess() fail : err_code = %d\n", GetLastError());
return FALSE;
}
//2.Allocation for thread_param
// NOTE(review): from here on every early return leaks hProcess.
    if (!(pRemoteBuf[0] = VirtualAllocEx(
    hProcess,  // hProcess
    NULL,  // lpAddress
    sizeof(THREAD_PARAM),  // dwSize
    MEM_COMMIT,  // flAllocationType
    PAGE_READWRITE) // flProtect
))
{
printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
return FALSE;
}
//3.write in: copy the parameter block into the remote buffer
if (!WriteProcessMemory(hProcess,                               // hProcess
pRemoteBuf[0],                          // lpBaseAddress
(LPVOID)&param,                         // lpBuffer
sizeof(THREAD_PARAM),                   // nSize
NULL))                                 // [out] lpNumberOfBytesWritten
{
printf("WriteProcessMemory() fail : err_code = %d\n", GetLastError());
return FALSE;
}
// 4. Allocation for ThreadProc() -- a writable+executable page, which is
// itself a common detection signal.
if (!(pRemoteBuf[1] = VirtualAllocEx(hProcess,                  // hProcess
NULL,                      // lpAddress
sizeof(g_InjectionCode),   // dwSize
MEM_COMMIT,                // flAllocationType
PAGE_EXECUTE_READWRITE))) // flProtect
{
printf("VirtualAllocEx() fail : err_code = %d\n", GetLastError());
return FALSE;
}
// Write the code bytes into the executable buffer.
if (!WriteProcessMemory(hProcess,                               // hProcess
pRemoteBuf[1],                          // lpBaseAddress
(LPVOID)&g_InjectionCode,               // lpBuffer
sizeof(g_InjectionCode),                // nSize
NULL))                                 // [out] lpNumberOfBytesWritten
{
printf("WriteProcessMemory() fail : err_code = %d\n", GetLastError());
return FALSE;
}
// 5. Start a thread in the target whose entry point is the code buffer and
// whose single argument is the parameter buffer.
if (!(hThread = CreateRemoteThread(hProcess,                    // hProcess
NULL,                        // lpThreadAttributes
0,                           // dwStackSize
(LPTHREAD_START_ROUTINE)pRemoteBuf[1],// start address = injected code
pRemoteBuf[0],               // lpParameter
0,                           // dwCreationFlags
NULL)))                     // lpThreadId
{
printf("CreateRemoteThread() fail : err_code = %d\n", GetLastError());
return FALSE;
}
// Block until the remote thread returns; the remote buffers are not freed.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}


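/*
 * Enable (bEnablePrivilege != FALSE) or disable a single named privilege,
 * e.g. SE_DEBUG_NAME, on the current process token.
 *
 * Returns TRUE when AdjustTokenPrivileges applied the change; FALSE when any
 * step fails or when the token does not hold the privilege at all
 * (ERROR_NOT_ALL_ASSIGNED). Failures are reported on stdout.
 *
 * Fix over the original: the token handle from OpenProcessToken was never
 * closed on any path. All exits after it is opened now go through a single
 * cleanup point. DWORD is unsigned long, so GetLastError() is printed with
 * "%lu" rather than "%u".
 */
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp = { 0 };
    HANDLE hToken = NULL;
    LUID luid;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken))
    {
        printf("OpenProcessToken error: %lu\n", GetLastError());
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,           // lookup privilege on local system
                              lpszPrivilege,  // privilege to lookup
                              &luid))         // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %lu\n", GetLastError());
        goto cleanup;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // Enable the privilege or disable all privileges.
    if (!AdjustTokenPrivileges(hToken,
                               FALSE,
                               &tp,
                               sizeof(TOKEN_PRIVILEGES),
                               (PTOKEN_PRIVILEGES)NULL,
                               (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges error: %lu\n", GetLastError());
        goto cleanup;
    }

    // AdjustTokenPrivileges returns success even when nothing was adjusted;
    // the "privilege not held" case is only visible through GetLastError().
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        goto cleanup;
    }

    ok = TRUE;

cleanup:
    CloseHandle(hToken);
    return ok;
}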

