SetThreadContext Inject 테스트

-
void __declspec(naked) InjectFunction()
{
 __asm
 {
  PUSHAD
   MOV EAX, 0xAAAAAAAA //eventually the address of LoadLibraryA
   PUSH 0xBBBBBBBB //eventually the module name
   call EAX
   POPAD
   //vc is pissy and requires us to emit the hardcoded jump
   __emit 0xE9
   __emit 0xCC
   __emit 0xCC
   __emit 0xCC
   __emit 0xCC
 }
}
void __declspec(naked) AfterFunction()
{
}
void InjectDll( HANDLE hProc, HANDLE hThread, char *DllName )
{
 //hold up
 SuspendThread( hThread );
 //get the thread context
 CONTEXT ThreadContext;
 ThreadContext.ContextFlags = CONTEXT_FULL;
 GetThreadContext( hThread, &ThreadContext );
 //copy the function to a tmp buffer
 ULONG FunctionSize = (PBYTE)AfterFunction - (PBYTE)InjectFunction;
 PBYTE LocalFunction = new BYTE[FunctionSize];
 memcpy( LocalFunction, InjectFunction, FunctionSize );
 //allocate a remote buffer
 PBYTE InjData =
  (PBYTE)VirtualAllocEx( hProc, NULL, FunctionSize + strlen(DllName)+1,
  MEM_COMMIT, PAGE_EXECUTE_READWRITE );
 //fixup the tmp buff
 for( ULONG i = 0;i < FunctionSize-3; i++ )
 {
  if ( *(PULONG)&LocalFunction[i] == 0xAAAAAAAA )
  {
   *(PULONG)&LocalFunction[i] = (ULONG)GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );
  }
  if ( *(PULONG)&LocalFunction[i] == 0xBBBBBBBB )
  {
   *(PULONG)&LocalFunction[i] = (ULONG)InjData + FunctionSize;
  }
  if ( *(PULONG)&LocalFunction[i] == 0xCCCCCCCC )
  {
   *(PULONG)&LocalFunction[i] = ThreadContext.Eip - ((ULONG)&InjData[i] + 4) ;
  }
 }
 //write the tmp buff + dll
 //Format: [RemoteFunction][DllName][null char]
 ULONG dwWritten;
 WriteProcessMemory( hProc, InjData, LocalFunction, FunctionSize, &dwWritten );
 WriteProcessMemory( hProc, InjData + FunctionSize, DllName, strlen(DllName)+1, &dwWritten );
 //set the EIP
 ThreadContext.Eip = (ULONG)InjData;
 SetThreadContext( hThread, &ThreadContext );
 //resume the thread
 ResumeThread( hThread );
}


아래 출처
https://progamercity.net/code-tut/3016-dll-injection-queueuserapc.html

#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <ntdef.h>

DWORD APCInject(PCHAR sProcName,PCHAR sDllName)
{
    DWORD dRet=0;
    //define type and pointer to function
    typedef NTSTATUS (WINAPI *tNtMapViewOfSection)(HANDLE,HANDLE,LPVOID,ULONG,SIZE_T,LARGE_INTEGER*,SIZE_T*,SECTION_INHERIT,ULONG,ULONG);
    tNtMapViewOfSection NtMapViewOfSection=(tNtMapViewOfSection)GetProcAddress(GetModuleHandle("ntdll.dll"),"NtMapViewOfSection");
    if(!NtMapViewOfSection)return -1;

    //create buffer
    HANDLE hFile=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,strlen(sDllName)+1,NULL);
    if(!hFile) return -2;
    PCHAR hView=MapViewOfFile(hFile,FILE_MAP_ALL_ACCESS,0,0,0);
    if(!hView){
        CloseHandle(hFile);
        return -3;
    }
    else//set value to buffer
        strcpy(hView,sDllName);

    // Starting target process
    PROCESS_INFORMATION pi;STARTUPINFO st;
    ZeroMemory(&pi,sizeof(pi));
    ZeroMemory(&st,sizeof(st));
    st.cb=sizeof(STARTUPINFO);

    //create suspended process
    if( CreateProcess(sProcName,NULL,NULL,NULL,FALSE, CREATE_SUSPENDED, NULL,NULL,&st,&pi) ){
        LPVOID RemoteString=NULL;
        ULONG ViewSize=0;
        if(NtMapViewOfSection(hFile,pi.hProcess,&RemoteString,0,0,NULL,&ViewSize,ViewShare,0,PAGE_READONLY)==0){
            LPVOID nLoadLibrary=(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
            if(!QueueUserAPC((PAPCFUNC)nLoadLibrary,pi.hThread,(ULONG_PTR)RemoteString))
                dRet=-6;
        }else
            dRet=-5;
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }else
        dRet=-4;
    UnmapViewOfFile(hView);
    CloseHandle(hFile);
    return dRet;
}

int main(void){
    DWORD dwRet=APCInject("C:\\Games\\Counter-Strike\\hl.exe","C:\\cheat.dll");
    if(!dwRet)
        puts("Injection Ok!");
    else
        printf("Injection fail -> %d!",dwRet);
    system("pause");
    return 0;
}


#define _WIN32_WINNT 0x0400
        #include <windows.h>
 
 //Press Thanks to USDL :)
//Press Thanks to USDL :)
//Press Thanks to USDL :)

        typedef LONG NTSTATUS, *PNTSTATUS;
        #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
 
        typedef enum _SECTION_INHERIT
        {
        ViewShare = 1,
        ViewUnmap = 2
        } SECTION_INHERIT;
 
 
 
        typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE,
        HANDLE,
        LPVOID,
        ULONG,
        SIZE_T,
        LARGE_INTEGER*,
        SIZE_T*,
        _INHERIT,
        ULONG,
        ULONG );
 
        func_NtMapViewOfSection NtMapViewOfSection = NULL;
 
 
 
 
 
 
 
 
 
 
        LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess,
        HANDLE hFileMappingObject,
        DWORD dwDesiredAccess,
        DWORD dwFileOffsetHigh,
        DWORD dwFileOffsetLow,
        DWORD dwNumberOfBytesToMap,
        LPVOID lpBaseAddress )
        {
        NTSTATUS Status;
        LARGE_INTEGER SectionOffset;
        ULONG ViewSize;
        ULONG Protect;
        LPVOID ViewBase;
 
 
        // Convert the offset
        SectionOffset.LowPart = dwFileOffsetLow;
        SectionOffset.HighPart = dwFileOffsetHigh;
 
        // Save the size and base
        ViewBase = lpBaseAddress;
        ViewSize = dwNumberOfBytesToMap;
 
        // Convert flags to NT Protection Attributes
        if (dwDesiredAccess & FILE_MAP_WRITE)
        {
        Protect = PAGE_READWRITE;
        }
        else if (dwDesiredAccess & FILE_MAP_READ)
        {
        Protect = PAGE_READONLY;
        }
        else if (dwDesiredAccess & FILE_MAP_COPY)
        {
        Protect = PAGE_WRITECOPY;
        }
        else
        {
        Protect = PAGE_NOACCESS;
        }
 
        // Map the section
        Status = NtMapViewOfSection(hFileMappingObject,
        hProcess,
        &ViewBase,
        0,
        0,
        &SectionOffset,
        &ViewSize,
        ViewShare,
        0,
        Protect);
        if (!NT_SUCCESS(Status))
        {
        // We failed
        return NULL;
        }
 
        // Return the base
        return ViewBase;
        }
 
 
 
 
        int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
        {
        HMODULE hDll = LoadLibrary( "ntdll.dll" );
        NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");
        // Getting a shellcode, use whatever you want
        HANDLE hFile = CreateFile ("C:\\shellcode.txt",
        GENERIC_READ,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
        HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        // Starting target process
        STARTUPINFO st;
        ZeroMemory (&st, sizeof(st));
        st.cb = sizeof (STARTUPINFO);
        PROCESS_INFORMATION pi;
        ZeroMemory (&pi, sizeof(pi));
        CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe",
        NULL,
        NULL,
        NULL,
        FALSE,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        &st,
        &pi);
        // Injecting the shellcode into target process address space
        LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess,
        hMappedFile,
        FILE_MAP_READ,
        0,
        0,
        0,
        NULL);
        // Create a new APC which will be executed at first when the thread resume
        QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
        ResumeThread (pi.hThread);
        CloseHandle (hFile);
        CloseHandle (hMappedFile);
        CloseHandle (pi.hThread);
        CloseHandle (pi.hProcess);
        return 0;
        }

댓글

댓글 쓰기

이 블로그의 인기 게시물

[WinAPI] 모달리스 다이얼로그 설명

-
이미지
출처 : http://www.winprog.org/tutorial/modeless_dialogs.html Now we take a look at CreateDialog() , DialogBox() 's sister function. The difference is that while DialogBox() implements it's own message loop and does not return untill the dialog is closed, CreateDialog() acts more like a window created with CreateWindowEx() in that it returns immediately and depends on your message loop to pump the messages as it does for your main window. This is termed Modeless , whereas DialogBox() creates Modal dialogs. You can create the dialog resource just like you did for the last dialog example, you might also want to set the "Tool window" extended style to give it's title bar the typical smaller caption of toolbars. The dialog resource I created follows: IDD_TOOLBAR DIALOGEX 0, 0, 98, 52 STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION EXSTYLE WS_EX_TOOLWINDOW CAPTION "My Dialog Toolbar" FONT 8, "MS Sans Serif" BEGIN PUSHBUTTON "...
자세한 내용 보기

[WinDbg] Debugging a stack overflow

-
참조 : http://msdn.microsoft.com/en-us/library/windows/hardware/ff540620(v=vs.85).aspx Debugging a Stack Overflow 5 out of 11 rated this helpful - Rate this topic A stack overflow is an error that user-mode threads can encounter. There are three possible causes for this error: A thread uses the entire stack reserved for it. This is often caused by infinite recursion. A thread cannot extend the stack because the page file is maxed out, and therefore no additional pages can be committed to extend the stack. A thread cannot extend the stack because the system is within the brief period used to extend the page file. When a function running on a thread allocates local variables, the variables are put on the thread's call stack. The amount of stack space required by the function could be as large as the sum of the sizes of all the local variables. However, the compiler usually performs optimizations that reduce the stack space required by a function. For example, if two...
자세한 내용 보기

[WinDbg] first-chance, second-chance Exception

-
First-chance Exception 이란 디버거에서 프로그램이 실행 중일 때 SEH 같은 Exception 처리 구문이 들어가 있는 코드를 실행 하다가 어떠한 이유에서 던지 Exception 이 일어 났고 그 Exception 에 대한 처리 코드가 존재 하여 처리가 되었음을 디버거에 알리는 것입니다. 이 Exception이 꼭 프로그램에 심각한 오류가 있음을 말하는 것은 아니며 Exception 처리 코드에 의해 해당 Exception이 안전하게 처리가 되었고 계속 실행할 수 있음을 의미 할 수 있습니다.(대개는 대부분 별 문제 없는 경우입니다.) 만약 그런 Exception에 대한 처리가 없는 경우 디버거는 이를 인지 하고 사용자에게 직접 Exception이 났음 을 알리는데 이를 Second Chance Exception 이라고 하고 이것이 우리가 프로그램 디버깅 중 흔히 보는 에러 상황이 되겠습니다. http://support.microsoft.com/kb/105675              __try              {                            bReturn = IsBadReadPtr(buffer, sizeof(buffer));                     ...
자세한 내용 보기