A new way to do code injection with a Native API memory mapping, or at least one I had never seen before


Code injection techniques are by now quite widespread; the main approaches include:

      A. Remote injection of a DLL by having CreateRemoteThread() call LoadLibrary

      B. Installing a global hook from a DLL, which then gets mapped into every process's address space

      C. Opening the target process, allocating a block with VirtualAllocEx, copying the code over, then running it with CreateRemoteThread

      D. Using the debug APIs GetThreadContext(), SetThreadContext() and so on. Compared with the approaches above, though, this one only differs in how the thread is started.

      There are also some less common, or rather special, approaches. For example, under Win9x the address space above 0x80000000 is shared by all processes, hoho~~ And the method mentioned in my earlier analysis of the 麦英 virus is also a specially handled case.

      The focus of this article is doing the code injection through a single Native API. With it, you need no DLL file, no VirtualAllocEx and no WriteProcessMemory! Sounds good, right~~ haha~~ And the answer is~~ drum roll~~:

NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PULONG ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect
);

Parameters:


SectionHandle
A handle to the section object that is to be mapped. The handle must grant access
compatible with the Protect parameter, which specifies the protection on the pages
that map the section.

ProcessHandle
A handle of a process object, representing the process for which the view should be
mapped. The handle must grant PROCESS_VM_OPERATION access.

BaseAddress
Points to a variable that will receive the base address of the view. If the initial value of
this variable is not null, the view is allocated starting at the specified address, possibly
rounded down.

ZeroBits
Specifies the number of high-order address bits that must be zero in the base address
of the section view. The value of this parameter must be less than 21 and is used only
when the operating system determines where to allocate the view, such as when
BaseAddress is null.

CommitSize
Specifies the size, in bytes, of the initially committed region of the view. CommitSize is
only meaningful for page-file backed sections; file backed sections, both data and
image, are effectively committed at section creation time. This value is rounded up to
the next page size boundary.

SectionOffset
Optionally points to a variable that contains the offset, in bytes, from the beginning of
the section to the view, possibly rounded down.


ViewSize
Points to a variable that will receive the actual size, in bytes, of the view. If the initial
value of this variable is zero, a view of the section will be mapped starting at the specified
section offset and continuing to the end of the section. Otherwise, the initial value
of this parameter specifies the size of the view, in bytes, and is rounded up to the next
page size boundary.

InheritDisposition
Specifies how the view is to be shared by a child process created with a create process
operation. Permitted values are drawn from the enumeration SECTION_INHERIT.

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

AllocationType
A set of flags that describes the type of allocation to be performed for the specified
region of pages. The permitted values include:

AT_EXTENDABLE_FILE 0x00002000 // Allow view to exceed section size
MEM_TOP_DOWN       0x00100000 // Allocate at highest possible address
SEC_NO_CHANGE      0x00400000 // Disable changes to protection of pages
AT_RESERVED        0x20000000 // Valid but ignored
AT_ROUND_TO_PAGE   0x40000000 // Adjust address and size if necessary

Protect
Specifies the protection for the region of initially committed pages. The protection
must be compatible with the protection specified when the section was created. (The
protection can be more but not less restrictive.)

         Well, you can probably guess from the name: it is the Native version of MapViewOfFile. There are quite a few parameters, but they are mostly the same as the Win32 ones. The two most important are ProcessHandle and BaseAddress. ProcessHandle specifies the handle of the process into which the view is mapped. For example, to map into the address space of Explorer.exe, you only need Explorer.exe's process ID to obtain its handle, which is obviously easy. After the function returns successfully, BaseAddress holds the address at which the view was mapped; that address is in the target process's address space.

        With this function, injection becomes simple: first map the code to be injected into your own process space, then map it into the target process and get the mapped address, then call CreateRemoteThread to start the function (since the mapped address is known, the function's address is known too), and that's it~~ Tested on Win2003~~
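As an added defender's example (not part of the original post and not the author's code), the following Python flags the footprint this technique leaves in the target: an executable view of an anonymous section (MEM_MAPPED, no backing file, rather than a private allocation or an image) plus a remote thread whose start address lies inside it. The region and thread records are constructed sample data, modelled on VirtualQueryEx output and on the fields of Sysmon Event ID 8 (CreateRemoteThread).

```python
# Real Win32 constants: MEMORY_BASIC_INFORMATION.Type and .Protect values.
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

def is_executable(protect):
    return bool(protect & EXEC_MASK)

def suspicious_regions(regions):
    """Executable MEM_MAPPED regions with no backing file, i.e. views of anonymous
    (pagefile-backed) sections: the shape a mapped-in payload takes. Each region is a
    dict shaped like VirtualQueryEx output plus a 'MappedFile' name (None if anonymous)."""
    return [r for r in regions
            if r["Type"] == MEM_MAPPED and is_executable(r["Protect"])
            and r.get("MappedFile") is None]

def flag_remote_threads(regions_by_pid, thread_events):
    """thread_events are dicts modelled on Sysmon Event ID 8 fields. Returns
    (event, region) pairs where StartAddress lies inside a suspicious region
    of the target process."""
    hits = []
    for ev in thread_events:
        for r in suspicious_regions(regions_by_pid.get(ev["TargetProcessId"], [])):
            base, size = r["BaseAddress"], r["RegionSize"]
            if base <= ev["StartAddress"] < base + size:
                hits.append((ev, r))
    return hits

# Constructed sample data (not captured from a real system).
SAMPLE_REGIONS = {
    1234: [
        {"BaseAddress": 0x00400000, "RegionSize": 0x1000, "Type": MEM_IMAGE,
         "Protect": PAGE_EXECUTE_READ, "MappedFile": r"C:\Windows\explorer.exe"},
        {"BaseAddress": 0x00C00000, "RegionSize": 0x10000, "Type": MEM_MAPPED,
         "Protect": PAGE_EXECUTE_READWRITE, "MappedFile": None},
    ],
}
SAMPLE_THREADS = [
    {"SourceProcessId": 999, "TargetProcessId": 1234, "StartAddress": 0x00C00040},
    {"SourceProcessId": 777, "TargetProcessId": 1234, "StartAddress": 0x00400100},
]

if __name__ == "__main__":
    for ev, r in flag_remote_threads(SAMPLE_REGIONS, SAMPLE_THREADS):
        print(f"pid {ev['SourceProcessId']} -> {ev['TargetProcessId']}: thread at "
              f"{ev['StartAddress']:#x} starts in anonymous exec view at {r['BaseAddress']:#x}")
```

Executable anonymous section views also occur legitimately (JIT engines, some packers), so treat a hit as a triage signal to be paired with the source process identity rather than as proof of injection.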
