这是我阅读 BlackBone 源码时，从中提取出来的关于内核线程注入方法的用法说明。
主要通过 Ring0 层驱动 Attach 到目标进程，然后调用 NtCreateThreadEx 来执行 ShellCode；该 ShellCode 做的是一个注入 Dll 的简单行为。
关键函数如下:
//切换到目标进程创建内核线程进行注入
NTSTATUS AttachAndInjectProcess(IN HANDLE ProcessID)
{
PEPROCESS EProcess = NULL;
KAPC_STATE ApcState;
NTSTATUS Status = STATUS_SUCCESS;
if (ProcessID == NULL)
{
Status = STATUS_UNSUCCESSFUL;
return Status;
}
//获取EProcess
Status = PsLookupProcessByProcessId(ProcessID, &EProcess);
if (Status != STATUS_SUCCESS)
{
DbgPrint(("PsLookupProcessByProcessId函数失败\n"));
return Status;
}
//KeStackAttachProcess例程 将当前线程连接到目标进程的地址空间。
KeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
__try
{
PVOID NtdllAddress = NULL;
PVOID LdrLoadDll = NULL;
UNICODE_STRING NtdllUnicodeString = { 0 };
UNICODE_STRING DllFullPath = { 0 };
//获取ntdll模块基地址
RtlInitUnicodeString(&NtdllUnicodeString, L"Ntdll.dll");
NtdllAddress = GetUserModule(EProcess, &NtdllUnicodeString);
if (!NtdllAddress)
{
DbgPrint("%s: Failed to get Ntdll base\n", __FUNCTION__);
&n