本文讲的是
32位程序对64位进程的远程注入实现。
0x00 前言
OpenProcess VirtualAllocEx WriteProcessMemory VirtualProtectEx CreateRemoteThread WaitForSingleObject
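/*
 * Look up a process id by image name (e.g. "calc.exe").
 *
 * Walks a Toolhelp snapshot of all processes and returns the PID of the
 * first entry whose szExeFile matches lpszProcessName exactly (plain
 * case-sensitive strcmp, so "Calc.exe" does not match "calc.exe"; if several
 * processes share the name, the first one in snapshot order wins).
 * Returns 0 when the snapshot cannot be taken or nothing matches.
 *
 * Fixes relative to the original listing:
 *  - CreateToolhelp32Snapshot() failure (INVALID_HANDLE_VALUE) is checked
 *    instead of being handed straight to Process32First().
 *  - The entry filled in by Process32First() is compared as well; the
 *    original only compared entries from Process32Next(), so a match in the
 *    very first slot was silently skipped.
 *  - The snapshot handle is closed on every path (it was leaked).
 */
DWORD processNameToId(LPCTSTR lpszProcessName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    DWORD dwPid = 0;

    if (hSnapshot == INVALID_HANDLE_VALUE) {
        MessageBox(NULL, "Failed to take a snapshot of the process list", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hSnapshot, &pe)) {
        MessageBox(NULL, "The frist entry of the process list has not been copyied to the buffer", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        CloseHandle(hSnapshot);
        return 0;
    }

    /* do/while so the first entry is examined too, not only the Process32Next() ones */
    do {
        if (strcmp(lpszProcessName, pe.szExeFile) == 0) {
            dwPid = pe.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnapshot, &pe));

    CloseHandle(hSnapshot);
    return dwPid;
}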
根据进程ID打开进程,获得进程句柄(OpenProcess;只申请注入所需的访问权限即可,不必使用 PROCESS_ALL_ACCESS) → 申请内存空间(VirtualAllocEx) → 写入数据(WriteProcessMemory) → 将内存改为可读可执行(VirtualProtectEx,可选) → 创建线程(CreateRemoteThread) → 等待线程退出(WaitForSingleObject,可选)
/* Prototype (kernel32.dll) for reference: fills lpSystemInfo with the *native*
   system information, i.e. the real processor architecture even when the
   caller is a 32-bit process running under WOW64. Is64BitOS() below resolves
   it with GetProcAddress() instead of linking against it directly. */
void WINAPI GetNativeSystemInfo( _Out_ LPSYSTEM_INFO lpSystemInfo );
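#include <windows.h>
#include <stdio.h>   /* printf() — the original listing used it without this include */

/*
 * Report whether the operating system (not this process) is 64-bit.
 *
 * A 32-bit program under WOW64 is shown a 32-bit view of the machine, so
 * GetNativeSystemInfo() is used rather than GetSystemInfo(): it reports the
 * real processor architecture. The export is resolved at run time through
 * GetProcAddress() — presumably so the binary still loads on old Windows
 * versions that lack it (TODO confirm); when it cannot be resolved the
 * function reports a 32-bit OS.
 *
 * Returns TRUE for AMD64, IA64 and (when the SDK defines it) ARM64,
 * FALSE otherwise or on any failure.
 * NOTE: GetModuleHandle("kernel32") assumes a non-Unicode (char) TCHAR build.
 */
BOOL Is64BitOS(void)
{
    typedef VOID (WINAPI *LPFN_GetNativeSystemInfo)(__out LPSYSTEM_INFO lpSystemInfo);
    LPFN_GetNativeSystemInfo fnGetNativeSystemInfo =
        (LPFN_GetNativeSystemInfo)GetProcAddress(GetModuleHandle("kernel32"),
                                                 "GetNativeSystemInfo");
    SYSTEM_INFO stInfo = {0};

    if (fnGetNativeSystemInfo == NULL) {
        return FALSE;
    }
    fnGetNativeSystemInfo(&stInfo);

    switch (stInfo.wProcessorArchitecture) {
    case PROCESSOR_ARCHITECTURE_AMD64:
    case PROCESSOR_ARCHITECTURE_IA64:
#ifdef PROCESSOR_ARCHITECTURE_ARM64
    case PROCESSOR_ARCHITECTURE_ARM64:   /* 64-bit too; the original check missed it */
#endif
        return TRUE;
    default:
        return FALSE;
    }
}

/* Demo entry point: print the native OS bitness. */
int main(void)
{
    if (Is64BitOS())
        printf("x64\n");
    else
        printf("x86\n");
    return 0;
}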
/* Prototype (kernel32.dll) for reference: sets *Wow64Process to TRUE when
   hProcess is a 32-bit process running under WOW64 on 64-bit Windows, and to
   FALSE otherwise — including every process on a 32-bit OS, so FALSE alone
   does not mean "64-bit process". Per the Win32 documentation the call
   returns FALSE on failure and the handle needs PROCESS_QUERY_INFORMATION
   (or PROCESS_QUERY_LIMITED_INFORMATION). IsWow64() below resolves it with
   GetProcAddress(). */
BOOL WINAPI IsWow64Process( __in HANDLE hProcess, __out PBOOL Wow64Process );
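#include <windows.h>
#include <TlHelp32.h>
#include <stdio.h>    /* printf() — used by the original listing without this include */
#include <string.h>   /* strcmp() — used by the original listing without this include */

/*
 * Return TRUE if hProcess is a 32-bit process running under WOW64.
 *
 * IsWow64Process() is resolved at run time through GetProcAddress() —
 * presumably so the binary still loads on Windows versions without that
 * export (TODO confirm). If the export is missing, or the call itself fails
 * (for example because hProcess lacks PROCESS_QUERY_INFORMATION), FALSE is
 * returned, and the caller cannot tell that apart from a genuine 64-bit
 * process. On a 32-bit OS every process is "not WOW64", so FALSE does not
 * imply 64-bit there; that is why the article checks Is64BitOS() first.
 */
BOOL IsWow64(HANDLE hProcess)
{
    typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS)(HANDLE, PBOOL);
    LPFN_ISWOW64PROCESS fnIsWow64Process;
    BOOL bIsWow64 = FALSE;

    fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
        GetModuleHandle("kernel32"), "IsWow64Process");
    if (fnIsWow64Process != NULL) {
        if (!fnIsWow64Process(hProcess, &bIsWow64)) {
            bIsWow64 = FALSE;   /* query failed: do not trust a half-written output */
        }
    }
    return bIsWow64;
}

/*
 * Look up a process id by image name (e.g. "calc.exe").
 *
 * Walks a Toolhelp snapshot and returns the PID of the first entry whose
 * szExeFile matches lpszProcessName exactly (case-sensitive strcmp; with
 * several same-named processes the first in snapshot order wins).
 * Returns 0 when the snapshot cannot be taken or nothing matches.
 *
 * Fixes relative to the original listing: the snapshot handle is validated
 * and always closed, and the entry filled in by Process32First() is compared
 * too (the original only looked at Process32Next() entries).
 */
DWORD processNameToId(LPCTSTR lpszProcessName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    DWORD dwPid = 0;

    if (hSnapshot == INVALID_HANDLE_VALUE) {
        MessageBox(NULL, "Failed to take a snapshot of the process list", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hSnapshot, &pe)) {
        MessageBox(NULL, "The frist entry of the process list has not been copyied to the buffer", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        CloseHandle(hSnapshot);
        return 0;
    }

    do {
        if (strcmp(lpszProcessName, pe.szExeFile) == 0) {
            dwPid = pe.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnapshot, &pe));

    CloseHandle(hSnapshot);
    return dwPid;
}

/*
 * Demo entry point: find calc.exe and print whether it is a 32- or 64-bit
 * process. Exit code is -1 when the target is not found or cannot be
 * opened (the original returned 0 for the second case), 0 otherwise.
 */
int main(void)
{
    BOOL bWow64;
    const char *szExeName = "calc.exe";
    DWORD dwProcessId = processNameToId(szExeName);
    HANDLE hTargetProcess;

    if (dwProcessId == 0) {
        MessageBox(NULL, "The target process have not been found !", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        return -1;
    }

    /*
     * Only the bitness is queried here, so request the single right
     * IsWow64Process() needs instead of PROCESS_ALL_ACCESS. Besides least
     * privilege, this also succeeds against targets where ALL_ACCESS is
     * denied. An actual injection step would additionally need
     * PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD.
     */
    hTargetProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
    if (!hTargetProcess) {
        MessageBox(NULL, "Open target process failed !", "Notice",
                   MB_ICONINFORMATION | MB_OK);
        return -1;
    }

    bWow64 = IsWow64(hTargetProcess);
    CloseHandle(hTargetProcess);   /* the original leaked this handle */

    if (bWow64)
        printf("32-bit process\n");
    else
        printf("64-bit process\n");
    return 0;
}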
usage: pi [options] <proc name | proc id> -d Wait after memory allocation before running thread -e <cmd> Execute command in context of remote process (shows window) -f <file> Load a PIC file into remote process -l <dll> Load a DLL file into remote process -p List available processes on system -x <cpu> Exclude process running in cpu mode, 32 or 64
examples: pi -e "cmd /c echo this is a test > test.txt & notepad test.txt" -x32 iexplore.exe pi -l ws2_32.dll notepad.exe pi -f reverse_shell.bin chrome.exe
如果为32位系统,调用系统 API CreateRemoteThread 对目标进程尝试远程注入,弹出对话框;如果为64位系统,进入下一个分支,对目标进程的位数进行判断
如果目标进程为32位,调用系统 API CreateRemoteThread 对目标进程尝试远程注入,弹出对话框;如果目标进程为64位,调用自定义 API CreateRemoteThread64 对目标进程尝试远程注入,执行 payload:"cmd /c start calc.exe"
原文发布时间为:2017年2月21日
本文作者:3gstudent
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。