


Windows 7 dll Injection

Maj0r Tom 2015. 5. 13. 13:36

CreateRemoteThread 이용 LoadLibrary 호출.... Fail

->   NtCreateThreadEx 이용하여 호출


// Function-pointer type for the ntdll export NtCreateThreadEx, which the
// wrapper below resolves at run time with GetProcAddress.
//
// NOTE(review): this prototype is the blog author's reconstruction, not an
// official header declaration -- the last three parameters are literally
// named "Unknown" and the return type is given as DWORD (the real export
// returns an NTSTATUS). Nothing in this listing examines the return value.
 
typedef DWORD (WINAPI *t_fNtCreateThreadEx)( 
    PHANDLE ThreadHandle,                   // out: handle to the new thread
    ACCESS_MASK DesiredAccess,              // access mask for that handle
    LPVOID ObjectAttributes, 
    HANDLE ProcessHandle,                   // target; opened in Inject with thread-create + VM rights
    LPTHREAD_START_ROUTINE lpStartAddress,  // entry point inside the target
    LPVOID lpParameter,                     // single argument passed to the entry point
    BOOL CreateSuspended, 
    DWORD dwStackSize, 
    LPVOID Unknown1, 
    LPVOID Unknown2, 
    LPVOID Unknown3); 
 
 
// Loads the DLL at dllPath into process `pid`: the path is written into the
// target's address space and a remote thread is started at LoadLibraryW with
// that buffer as its argument.
//
// pid        - target process id, passed straight to OpenProcess.
// dllPath    - DLL path; copied verbatim as a raw byte buffer.
// pathBufLen - number of bytes to allocate in the target and copy from dllPath.
//
// No return value: failures of OpenProcess, VirtualAllocEx, or the remote
// thread start are not reported back to the caller.
//
// NOTE(review): every step here is a cross-process operation on hProcess --
// open with VM-write rights, allocate, write, start a thread -- which is the
// kind of sequence host-based monitoring can observe and log.
void Inject(DWORD pid, LPCTSTR dllPath, DWORD pathBufLen)
{
        // Address of LoadLibraryW in *this* process. The code relies on it
        // being valid at the same address inside the target; nothing checks that.
           LPVOID loadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibraryW"); 
 
        // Thread-creation plus virtual-memory rights on the target process.
        HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pid);
        // NOTE(review): `continue` has no enclosing loop in this listing; the
        // body was presumably lifted from a loop over process ids.
        if (hProcess == NULL) { continue; }
 
        // Reserve+commit pathBufLen bytes of read/write memory in the target
        // to hold the LoadLibraryW argument. The result is not checked for NULL.
        LPVOID paramAddr= (LPVOID)VirtualAllocEx(hProcess, NULL, pathBufLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 
 
        // Copy the DLL path (the LoadLibraryW argument) into that buffer.
        BOOL result = WriteProcessMemory(hProcess, paramAddr, dllPath, pathBufLen, NULL); 
        if (result)
        {
            // Start a thread in the target at LoadLibraryW(paramAddr). This calls
            // the three-argument overload defined further down in this listing
            // (not the Win32 API of the same name); its BOOL result is ignored.
            CreateRemoteThread(hProcess, loadLibraryAddr , paramAddr);
        }
        // The remote allocation is never freed; only the process handle is released.
        CloseHandle(hProcess);
}
 
// Starts a thread in another process at startAddress with a single pointer
// argument. On Vista and later it goes through ntdll's NtCreateThreadEx
// (resolved dynamically) and then waits for that thread to finish; otherwise
// it falls back to the Win32 CreateRemoteThread API.
//
// This three-argument function overloads the Win32 CreateRemoteThread by
// parameter count; the `::`-qualified call in the else branch names the API.
//
// processHandle - target process handle.
// startAddress  - entry point inside the target's address space.
// parameter     - value handed to the entry point.
//
// Returns FALSE only when NtCreateThreadEx cannot be resolved or yields a
// NULL handle. The fallback path's result is never inspected, so TRUE from
// that branch does not mean a thread was actually created.
//
// NOTE(review): the argument lists in both branches appear to have lost
// separators during extraction ("NULLNULL", missing commas); the listing does
// not compile verbatim.
BOOL CreateRemoteThread(HANDLE processHandle, LPVOID startAddress, LPVOID parameter)
{
    // IsWindowsVistaLater() is not defined anywhere in this listing.
    if (IsWindowsVistaLater())
    {
        // Resolve NtCreateThreadEx once (function-local static) from ntdll.
        // The module handle returned by LoadLibrary is never released.
        static t_fNtCreateThreadEx fNtCreateThreadEx = (t_fNtCreateThreadEx)GetProcAddress(LoadLibrary(_T("ntdll.dll")),"NtCreateThreadEx");
        if (fNtCreateThreadEx == NULL) { return FALSE; }
 
        // Call it. 0x1FFFFF is the DesiredAccess mask for the new thread
        // handle (presumably a full-access value); the call's own return
        // status is discarded and only the out-param handle is checked.
        HANDLE threadHandle = NULL;
        fNtCreateThreadEx(&threadHandle, 
                         0x1FFFFF
                         NULL
                         processHandle, 
                         (LPTHREAD_START_ROUTINE)((PBYTE)startAddress), 
                         parameter, 
                         FALSE, 
                         NULL
                         NULL
                         NULL
                         NULL);
        if(threadHandle == NULL) { return FALSE; }
 
        // Block until the remote thread finishes. threadHandle is never closed.
        ::WaitForSingleObject(threadHandle, INFINITE); 
    }
    else
    {
        // Pre-Vista: the Win32 API itself. Its return value (the thread
        // handle) is discarded, and the argument list is garbled as shown.
        ::CreateRemoteThread(processHandle, NULLNULL, (LPTHREAD_START_ROUTINE)startAddress, parameter, NULLNULL);
    }
 
    return TRUE;
}




출처 : http://blog.naver.com/rkawk01/70046078078

REF : 

http://mnin.blogspot.com/2007/05/injecting-code-into-privileged-win32.html

http://code.google.com/p/easyhook-continuing-detours/source/browse/trunk/EasyHook_Specific/RemoteHook/RemoteHooking.cpp?spec=svn9&r=9
