zoukankan      html  css  js  c++  java
  • 远程注入/卸载/自我删除(RtlCreateUserThread)

    原文地址:http://blog.csdn.net/chenhui530/archive/2008/10/21/3119107.aspx  作者:chenhui530(大仙级人物)

     最近才发现的“RtlCreateUserThread”(下步调用ZwCreateThread)这可是个好东西,可以创建远程线程,也可以用来写多线程程序,但是在VB里好像还是不是很稳定只能用API。

    这篇文章给大家一种不同于(CreateRemoteThread)但是原理是一样(都是通过ZwCreateThread创建线程)创建远程线程,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。

    多线程实例

    Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
        Dim hThread As Long
        Dim ntStatus As Long
        ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
        CreateThread = hThread
    End Function

     

    Public Sub ThreadProc(ByVal Parameter As Long)
        Do While gblnRunning
            Form1.List1.AddItem CStr(Parameter)
            Parameter = Parameter + 1
        Loop
        RtlExitUserThread 0
    End Sub

     

     ----------------------------------------------------------------------------------------

     in form

     

    Option Explicit

    Private Sub cmdDelMe_Click()
        DeleteMe Val(txtInput(0).Text)
        Unload Me
    End Sub

    Private Sub cmdInject_Click()
        If Not IsNumeric(txtInput(0).Text) Then
            MsgBox "请输入正确的PID!!", vbCritical, "提示"
            txtInput(0).SetFocus
            Exit Sub
        End If
        If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
            MsgBox "DLL不存在!!", vbCritical, "提示"
            txtInput(1).SetFocus
            Exit Sub
        End If
        InjectDll Val(txtInput(0).Text), txtInput(1).Text
    End Sub

    Private Sub cmdUnInject_Click()
        If Not IsNumeric(txtInput(0).Text) Then
            MsgBox "请输入正确的PID!!", vbCritical, "提示"
            txtInput(0).SetFocus
            Exit Sub
        End If
        If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
            MsgBox "DLL不存在!!", vbCritical, "提示"
            txtInput(1).SetFocus
            Exit Sub
        End If
        UnInjectDll Val(txtInput(0).Text), txtInput(1).Text
    End Sub
    in module

     

     ----------------------------------------------------------------------------------------------------------

    Option Explicit

    Public Type CLIENT_ID
        UniqueProcess As Long
        UniqueThread  As Long
    End Type

    Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
                                                                  ByRef ThreadSecurityDescriptor As Any, _
                                                                  ByVal CreateSuspended As Long, _
                                                                  ByVal ZeroBits As Long, _
                                                                  ByVal MaximumStackSize As Long, _
                                                                  ByVal CommittedStackSize As Long, _
                                                                  ByVal StartAddress As Long, _
                                                                  ByVal Parameter As Long, _
                                                                  ByRef hThread As Long, _
                                                                  ByRef ClientId As CLIENT_ID) As Long

    Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
    Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)


    Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
    Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
    Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long

    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
    Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long

    Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long

    Private Const INFINITE =
    Private Const MEM_COMMIT =
    Public Const MEM_RELEASE =
    Private Const PAGE_EXECUTE_READWRITE =
    Private Const PAGE_READWRITE =
    Private Const SYNCHRONIZE As Long =
    Private Const STANDARD_RIGHTS_REQUIRED As Long =
    Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)


    Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
        Dim hThread As Long
        Dim ntStatus As Long
        ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
        CreateThread = hThread
    End Function

    Public Function EndThread(ByVal hThread As Long) As Boolean
        EndThread = TerminateThread(hThread, 0)
    End Function

    Public Function InjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean
        Dim hProcess As Long
        Dim nSize As Long
        Dim pBase As Long
        Dim ShellCode() As Byte
        Dim hThread As Long
        Dim Cid As CLIENT_ID
        Dim dwFunAddress As Long
        strFileName = strFileName & Chr(0)
        nSize = LenB(strFileName)
        ReDim ShellCode(nSize + 31 - 1)
        ShellCode(0) =
        ShellCode(1) =
        ShellCode(2) =
        ShellCode(3) =
        ShellCode(4) = &H0 'call $5
        ShellCode(5) = &H5D 'pop ebp
        ShellCode(6) =
        ShellCode(7) = &HC5 'mov eax,ebp
        ShellCode(8) =
        ShellCode(9) =
        ShellCode(10) = &H1A 'add eax,1a '指向dll路径
        ShellCode(11) = &H50 ' push eax
       
        ShellCode(12) =
        ShellCode(13) =
        ShellCode(14) =
        ShellCode(15) =
        ShellCode(16) = &H0 'mov eax,LoadLibraryW
        ShellCode(17) =
        ShellCode(18) = &HD0 'call eax
        ShellCode(19) =
        ShellCode(20) = &H0 'push 0
        ShellCode(21) =
        ShellCode(22) =
        ShellCode(23) =
        ShellCode(24) =
        ShellCode(25) = &H0 'mov eax,ExitThread
        ShellCode(26) =
        ShellCode(27) = &HD0 'call eax
       
        ShellCode(28) =
        ShellCode(29) = &H4 'ret 4
        ShellCode(30) =
        CopyMemory ShellCode(31), ByVal StrPtr(strFileName), nSize
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW")
        CopyMemory ShellCode(13), dwFunAddress, 4
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
        CopyMemory ShellCode(22), dwFunAddress, 4
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
        If hProcess Then
            pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 31, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
            If pBase Then
                If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 31, ByVal 0&) Then
                    hThread = CreateThread(hProcess, pBase, 0, Cid)
                    If hThread Then
                        WaitForSingleObject hThread, INFINITE
                        CloseHandle hThread
                        InjectDll = True
                    End If
                End If
                VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
            End If
            CloseHandle hProcess
        End If
    End Function

    Public Function UnInjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean
        Dim hProcess As Long
        Dim nSize As Long
        Dim pBase As Long
        Dim ShellCode() As Byte
        Dim hThread As Long
        Dim Cid As CLIENT_ID
        Dim dwFunAddress As Long
        strFileName = strFileName & Chr(0)
        nSize = LenB(strFileName)
        ReDim ShellCode(nSize + 32 - 1)
        ShellCode(0) =
        ShellCode(1) =
        ShellCode(2) =
        ShellCode(3) =
        ShellCode(4) = &H0 'call $5
        ShellCode(5) = &H5D 'pop ebp
        ShellCode(6) =
        ShellCode(7) = &HC5 'mov eax,ebp
        ShellCode(8) =
        ShellCode(9) =
        ShellCode(10) = &H1B 'add eax,1b '指向dll路径
        ShellCode(11) = &H50 ' push eax
       
        ShellCode(12) =
        ShellCode(13) =
        ShellCode(14) =
        ShellCode(15) =
        ShellCode(16) = &H0 'mov eax,GetModuleHandleW
        ShellCode(17) =
        ShellCode(18) = &HD0 'call eax
       
        ShellCode(19) =
        ShellCode(20) = &H0 'push 0
        ShellCode(21) = &H50 'push eax
        ShellCode(22) =
        ShellCode(23) =
        ShellCode(24) =
        ShellCode(25) =
        ShellCode(26) = &H0 'mov eax,FreeLibraryAndExitThread
        ShellCode(27) =
        ShellCode(28) = &HD0 'call eax
       
        ShellCode(29) =
        ShellCode(30) = &H4 'ret 4
        ShellCode(31) =
        CopyMemory ShellCode(32), ByVal StrPtr(strFileName), nSize
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "GetModuleHandleW")
        CopyMemory ShellCode(13), dwFunAddress, 4
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibraryAndExitThread")
        CopyMemory ShellCode(23), dwFunAddress, 4
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
        If hProcess Then
            pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 32, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
            If pBase Then
                If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 32, ByVal 0&) Then
                    hThread = CreateThread(hProcess, pBase, 0, Cid)
                    If hThread Then
                        WaitForSingleObject hThread, INFINITE
                        CloseHandle hThread
                        UnInjectDll = True
                    End If
                End If
                VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
            End If
            CloseHandle hProcess
        End If
    End Function

    Public Function DeleteMe(ByVal dwProcessId As Long) As Boolean
        Dim AppName As String
        Dim hProcess As Long
        Dim nSize As Long
        Dim pBase As Long
        Dim ShellCode() As Byte
        Dim hThread As Long
        Dim Cid As CLIENT_ID
        Dim dwFunAddress As Long
        AppName = String(260, Chr(0))
        GetModuleFileName 0, AppName, 260
        AppName = Left(AppName, InStr(AppName, Chr(0)) - 1)
        AppName = AppName & Chr(0)
        nSize = LenB(AppName)
        ReDim ShellCode(nSize + 35 - 1)
        ShellCode(0) =
        ShellCode(1) =
        ShellCode(2) =
        ShellCode(3) =
        ShellCode(4) = &H0 'call $5
        ShellCode(5) = &H5D 'pop ebp
        ShellCode(6) =
        ShellCode(7) = &HC5 'mov eax,ebp
        ShellCode(8) =
        ShellCode(9) =
        ShellCode(10) = &H1E 'add eax,1e '指向主程序路径
        ShellCode(11) = &H50 ' push eax
       
        ShellCode(12) =
        ShellCode(13) =
        ShellCode(14) =
        ShellCode(15) =
        ShellCode(16) = &H0 'mov eax,DeleteFileW
        ShellCode(17) =
        ShellCode(18) = &HD0 'call eax
        ShellCode(19) =
        ShellCode(20) = &HC0 'test eax,eax
        ShellCode(21) =
        ShellCode(22) = &HEF 'jz &ShellCode(6)
       
        ShellCode(23) =
        ShellCode(24) = &H0 'push 0
        ShellCode(25) =
        ShellCode(26) =
        ShellCode(27) =
        ShellCode(28) =
        ShellCode(29) = &H0 'mov eax,ExitThread
        ShellCode(30) =
        ShellCode(31) = &HD0 'call eax
       
        ShellCode(32) =
        ShellCode(33) = &H4 'ret 4
        ShellCode(34) =
        CopyMemory ShellCode(35), ByVal StrPtr(AppName), nSize
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "DeleteFileW")
        CopyMemory ShellCode(13), dwFunAddress, 4
        dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
        CopyMemory ShellCode(26), dwFunAddress, 4
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
        If hProcess Then
            pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 35, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
            If pBase Then
                If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 35, ByVal 0&) Then
                    hThread = CreateThread(hProcess, pBase, 0, Cid)
                    If hThread Then
    '                    WaitForSingleObject hThread, INFINITE
    '                    CloseHandle hThread
                        DeleteMe = True
                    End If
                End If
    '            VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
            End If
            CloseHandle hProcess
        End If

    End Function

    /Files/xxaxx/工程1.rar
  • 相关阅读:
    react: redux-devTools
    react: menuService
    react: navigator
    react style: 二级菜单
    spark复习笔记(5):API分析
    spark复习笔记(4):spark脚本分析
    maven 打包Scala代码到jar包
    spark复习笔记(3)
    mongoDB学习笔记(2)
    sparkStreaming复习笔记(1)
  • 原文地址:https://www.cnblogs.com/xxaxx/p/1610972.html
Copyright © 2011-2022 走看看