windows下shellcode注入注意事项

2025-01-04 18:30:18 ctf

参考文章: 1.12 进程注入ShellCode套接字 | LyShark®


注入shellcode调用messagebox正常,调用NtAllocateVirtualMemory目标程序崩溃,发现调大SizeOfMyShell一千倍之后程序可以正常运行,查看注入的代码发现跳转到了shellcode以外的区域

跳转到这个地址发现没看出什么有用的线索


我们查看负责注入程序的函数指令,发现call了一个TestShellCode.__security_check_cookie这个东西

上网搜索得知TestShellCode.__security_check_cookie是vistual studio为了防止栈溢出的一个编译选项

我们在项目属性 --> c/c++ --> 代码生成 --> 安全检查 中关闭gs安全检查

恢复SizeOfMyShell ,程序正常注入运行


附上完整代码:


test.cpp:

#include
#include
using namespace std;


const int js_start=1;


int js(int a,int b) {
	return a+b;
} 


void js_end_func() {
	return ;
}


const int js_end=1;


int main() {
	printf("js_start address: %p     js_end address: %p\n",&js_start,&js_end);
	printf("js_address: %p\n      js_end_func_address%p\n",&js,&js_end_func);
	printf("sizeof js : %d\n",(uintptr_t)&js_end_func-(uintptr_t)&js); 
	printf("%p\n",&js_end-&js_start);
	while(true) {
		printf("1\n");
		Sleep(1000); 
	}
	return 0;
} 

TestShellCode.cpp

#include 
#include 
#include 


// Kernel32 调用约定定义
typedef HMODULE(WINAPI* LOADLIBRARY)(LPCTSTR lpFileName);
typedef FARPROC(WINAPI* GETPROCADDRESS) (HMODULE hModule, LPCSTR lpProcName);


// User32 中针对MessageBox的调用约定定义
typedef int(WINAPI* MESSAGEBOX)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);


// NtDll 调用约定定义
typedef NTSTATUS(WINAPI* NTALLOCATEVIRTUALMEMORY)(IN HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN ULONG ZeroBits, IN OUT PSIZE_T RegionSize, IN ULONG AllocationType, IN ULONG Protect);


//typedef NTSTATUS(WINAPI* NTALLOCATEVIRTUALMEMORY)(
//    HANDLE    ProcessHandle,
//    PVOID* BaseAddress,
//    ULONG_PTR ZeroBits,
//    PSIZE_T   RegionSize,
//    ULONG     AllocationType,
//    ULONG     Protect
//);


typedef struct _ShellBase
{
    // 针对Kernel32的操作
    HANDLE Kernel32Base;
    char KernelString[20]; // kernel32.dll


    LOADLIBRARY Kernel_LoadLibrary;
    GETPROCADDRESS Kernel_GetProcAddress;
    NTALLOCATEVIRTUALMEMORY Func_NtAllocateVirtualMemory;


    // 针对User32的操作
    HANDLE User32Base;
    char UserString[20];   // 存储 user32.dll 字符串
    char User_MsgBox[20];  // 存储 MessageBoxA 字符串


    HANDLE NtDllBase;
    char NtDllString[20]; // 存储 ntdll.dll 字符串
    char NtAllocateVirtualMemoryString[40];


    // 输出一段话
    char Text[32];


}ShellParametros;




void __stdcall MyShell(ShellParametros*);


// 定义远程线程函数
void __stdcall MyShell(ShellParametros* ptr)
{
    /*ptr->Kernel32Base = (HANDLE)(*ptr->Kernel_LoadLibrary)((const TCHAR*)ptr->KernelString);
    ptr->User32Base = (HANDLE)(*ptr->Kernel_LoadLibrary)((const TCHAR*)ptr->UserString);
    ptr->NtDllBase = (HANDLE)(*ptr->Kernel_LoadLibrary)((const TCHAR*)ptr->NtDllString);*/


     //printf("动态获取到Kernel32基地址 = %x \n", ptr->Kernel32Base);
     //printf("动态获取到User32基地址 = %x \n", ptr->User32Base);
    // printf("动态获取到NtDll基地址 = %x \n", ptr->NtDllBase);


    //// 调用NtDll中的NtAllocateVirtualMemory函数
    //NTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory = (NTALLOCATEVIRTUALMEMORY)GetProcAddress((HINSTANCE)ptr->NtDllBase, ptr->NtAllocateVirtualMemoryString);
    PVOID BaseAddress = NULL;
    SIZE_T RegionSize = 4096;
    //while (true);
    NTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory = ptr->Func_NtAllocateVirtualMemory;
    void* p = NtAllocateVirtualMemory;
    NTSTATUS status = NtAllocateVirtualMemory((HANDLE)-1, &BaseAddress, 0, &RegionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    //printf("NtAllocateVirtualMemory Address %p \r\n", NtAllocateVirtualMemory);
    //printf("NtAllocateVirtualMemory 调用结果 = %d \n", status);


    // MESSAGEBOX msgbox = (MESSAGEBOX)(*ptr->KernelGetProcAddress)((HINSTANCE)ptr->UserHandle, "MessageBoxA");
    //MESSAGEBOX msgbox = (MESSAGEBOX)(*ptr->Kernel_GetProcAddress)((HINSTANCE)ptr->User32Base, ptr->User_MsgBox);
    //MESSAGEBOX msgbox = ptr->Func_MessageBox;


    //printf("MessageBox 基地址 = %x \n", msgbox);
    //msgbox(0, ptr->Text, 0, 0);
}


void __stdcall MyShell_end(ShellParametros* ptr)
{
    ;
}


// 通过进程名获取进程ID
DWORD GetProcessId(const char* processName)
{
    DWORD processId = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);


    if (snapshot != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 processEntry;
        processEntry.dwSize = sizeof(processEntry);


        if (Process32First(snapshot, &processEntry))
        {
            do
            {
                // 将宽字符转换为多字节字符
                char exeName[MAX_PATH];
                WideCharToMultiByte(CP_ACP, 0, processEntry.szExeFile, -1,
                    exeName, MAX_PATH, NULL, NULL);


                if (_stricmp(exeName, processName) == 0)
                {
                    processId = processEntry.th32ProcessID;
                    break;
                }
                //printf("Process Name: %s, Process ID: %d\n", exeName, processEntry.th32ProcessID);
            } while (Process32Next(snapshot, &processEntry));
        }
        CloseHandle(snapshot);
    }
    return processId;
}


BOOL AdjustPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES priv = { 0 };


    //提权操作
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }


    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;


    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
        AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL);


    CloseHandle(hToken);
    return TRUE;
}






int main()
{
    AdjustPrivilege();
    ShellParametros Param, * remote = NULL;
    HANDLE hProcess;
    void* p = NULL;


    // 进程PID
    int ProcessID = GetProcessId("test.exe");


    printf("notepad.exe PID = %d\n", ProcessID);


    // 得到加载基地址的工具函数
    Param.Kernel32Base = LoadLibraryA("kernel32.dll");
    printf("Kernel32Base: %p\r\n", Param.Kernel32Base);
    Param.Kernel_LoadLibrary = (LOADLIBRARY)GetProcAddress((HINSTANCE)Param.Kernel32Base, "LoadLibraryA");
    printf("Kernel_LoadLibrary: %p\r\n", Param.Kernel_LoadLibrary);
    Param.Kernel_GetProcAddress = (GETPROCADDRESS)GetProcAddress((HINSTANCE)Param.Kernel32Base, "GetProcAddress");
    // printf("获取到Kernel32.dll = %x", Param.KernelHandle);


    Param.User32Base = LoadLibraryA("User32.dll");
    // printf("获取到User32.dll = %x", Param.UserHandle);


    Param.NtDllBase = LoadLibraryA("ntdll.dll");
    // printf("获取到NtDll.dll = %x", Param.NtDllHandle);


    // 得到NtDll中的NtAllocateVirtualMemory函数
    Param.Func_NtAllocateVirtualMemory = (NTALLOCATEVIRTUALMEMORY)GetProcAddress((HINSTANCE)Param.NtDllBase, "NtAllocateVirtualMemory");


    SIZE_T SizeOfMyShell = (uintptr_t)MyShell_end - (uintptr_t)MyShell;
    SizeOfMyShell *= 1000;
    printf("address of MyShell: %p\n", MyShell);
    printf("address of MyShell_end: %p\n", MyShell_end);
    printf("sizeofmyshell: %d\n", SizeOfMyShell);
    printf("myshell address: %p\n", &MyShell);


    // 分别获取Kernel32与User32的对应字符串
    strcpy_s(Param.KernelString, "kernel32.dll");
    strcpy_s(Param.UserString, "user32.dll");
    strcpy_s(Param.NtDllString, "ntdll.dll");


    strcpy_s(Param.User_MsgBox, "MessageBoxA");
    strcpy_s(Param.Text, "hello lyshark");
    strcpy_s(Param.NtAllocateVirtualMemoryString, "NtAllocateVirtualMemory");


    NTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory = (NTALLOCATEVIRTUALMEMORY)GetProcAddress((HINSTANCE)Param.NtDllBase, Param.NtAllocateVirtualMemoryString);
    PVOID BaseAddress = NULL;
    SIZE_T RegionSize = 4096;
    NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &BaseAddress, 0, &RegionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    printf("NtAllocateVirtualMemory Address %p \r\n", NtAllocateVirtualMemory);
    printf("NtAllocateVirtualMemory 调用结果 = %d \n", status);
    printf("BaseAddress 地址 = %p \n", BaseAddress);


    // 根据PID注入代码到指定进程中
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
    p = VirtualAllocEx(hProcess, 0, SizeOfMyShell, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    remote = (ShellParametros*)VirtualAllocEx(hProcess, 0, sizeof(ShellParametros), MEM_COMMIT, PAGE_READWRITE);


    printf("shellcode address: %p\r\n", p);




    WriteProcessMemory(hProcess, p, &MyShell, SizeOfMyShell, 0);
    WriteProcessMemory(hProcess, remote, &Param, sizeof(ShellParametros), 0);
    CreateRemoteThread(hProcess, 0, 0, (DWORD(__stdcall*)(void*)) p, remote, 0, 0);
    //MyShell(&Param);


    // MyShell(&Param);
    system("pause");
    return 0;
}
Selma

2025-05-11 13:00:14

Inventonslemondedapres : l'expertise qui vous permet d'identifier les casinos en ligne vraiment dignes de votre confiance.

Oren

2025-05-11 03:39:08

Inventonslemondedapres met en avant les casinos en ligne qui se démarquent par leur sérieux et leur professionnalisme.

Veronica

2025-05-07 06:05:54

Inventonslemondedapres met en avant les casinos en ligne qui se démarquent par leur équité et leur transparence.

SpeedyIndexBot

2025-04-15 01:04:59

https://t.me/SpeedyIndexBot?start=5236539600 SpeedyIndexBot - service for indexing of links in Google. First result in 48 hours. 200 links for FREE.

SpeedyIndexBot

2025-04-14 17:06:09

https://t.me/SpeedyIndexBot?start=5236539600 SpeedyIndexBot - service for indexing of links in Google. First result in 48 hours. 200 links for FREE.

上一篇:如何在windows上设置全局快捷键(设置windows terminal快速启动)

搜索

归档

标签

最新文章

© 2024 Cznorth's Blog powered by Flask & Buefy

赣公网安备36110002000135 赣ICP备2024022131号-2