zoukankan      html  css  js  c++  java
  • 动态库注入远程线程

    • 现在一般很少有人使用远程线程这种方法来注入动态库或者ShellCode,一般就用来作为一种注入方法来学习。
    • 实现流程

       a根据进程ID得到进程句柄。

        b在kernel32.dll中得到LoadLibrary()函数的地址。

        c在目标进程中申请内存,并写入动态库的地址(作为LoadLibrary函数的参数)。

        d调用CreateRemoteThread()创建远程线程。

          

      CreateRemoteThread(ProcessHandle,None,0,LoadlibraryAddr,DLL_PATH_ADDR,0,byref(thread_id))
    • 代码实现
      # -*- coding:utf-8 -*-
      from ctypes import *
      import ctypes
      import os
      import psutil
      import re
      import sys
      
      
      def InjectDll(pid,dll_Path):
          PAGE_RW_PRIV = 0x04
          PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
          VIRTUAL_MEM = (0x1000 | 0x2000)
      
          kernel32 = windll.kernel32
          print ("[+] Starting DLL Injector")
          dllLength = len(dll_path)
          print("[+] Getting Process Handle From ProcessId %d" ,pid)
          #打开进程的进程句柄
          ProcessHandle = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,pid)
          if ProcessHandle == None:
              print("Unable to Get Process Handle")
              sys.exit(0)
      
          print("In TargetProcess Alloc Buffer Space")
          #在对方虚拟内存地址中申请内存 ,存放DLL的地址
          DLL_PATH_ADDR = kernel32.VirtualAllocEX(ProcessHandle,
                                                  0,
                                                  dllLength,
                                                  VIRTUAL_MEM,
                                                  PAGE_RW_PRIV)
          bool_Write = c_int(0)
          print("Writing Dll Path to Target Process Space")
          #将动态库的地址写入目标进程中
          kernel32.WriteProcessMemory(ProcessHandle,
                                    DLL_PATH_ADDR,
                                    dll_Path,
                                    dllLength,
                                    byref(bool_Write))
      
          #得kernel32.dll模块的地址
          print("\t[+] Resolving Call Spacific function & librarise")
          kernel32DllHandle = kernel32.GetModuleHandleA("kernel32.dll")
      
          #得LoadLibrary函数地址
          LoadlibraryAddr = kernel32.GetProcAddress(kernel32DllHandle)
      
          thread_id = c_ulong(0)
          ThreadHandle = kernel32.CreateRemoteThread(ProcessHandle,
                                                    None,
                                                    0,
                                                    LoadlibraryAddr,
                                                    DLL_PATH_ADDR,
                                                    0,byref(thread_id))
      
          if not ThreadHandle:
              print("Injection Failed exiting ")
              sys.exit(0)
          else:
              print("Remote Thread Id %d" ,thread_id)
      
      
      
      
      
      
      if __name__ == "__main__":
      
          pid = input("输入进程ID")
          target = []
          i = 0
          # 判断计算机版本
          if str(ctypes.sizeof(ctypes.c_voidp)) == '4':
              print("Runing on a X86 machine seleteing DLL")
              dll_path = os.path.abspath("vminjector32.dll")
          else:
              print("Running on a x64 machine selecting DLL")
              dll_path = os.path.abspath("vminjector64.dll")
      
          print('Configured DLL path to %s \n' % dll_path)
          InjectDll(pid,dll_path)
  • 相关阅读:
    DAG:区块链行业下一个引爆点?
    php7的新特性
    Linux中的冷热页机制概述
    撰写后台需求文档需要注意的那些事儿
    poj 1201 Intervals
    poj 1364
    poj Candies
    hdu 1429
    poj A Round Peg in a Ground Hole
    poj 1113Wall
  • 原文地址:https://www.cnblogs.com/banchen/p/6682864.html
Copyright © 2011-2022 走看看