Windows x86/x64 Ring3层注入Dll总结

2019-10-16 15:36:08 王振洲

// Hijacks an existing thread of the target process so that it runs a stub
// written into that process; judging by the fields patched below, the stub
// calls LoadLibraryW(DllFullPath) and then jumps back to the saved Rip/Eip.
//
// Depends on three names defined elsewhere in the file (not visible here):
//   ShellCode           - a byte array (sizeof is taken on it) with hard-coded
//                         patch offsets that differ between the x64 and x86 stubs
//   DllFullPath         - wide-character path copied into the stub
//   LoadLibraryWAddress - presumably the address of LoadLibraryW as seen by
//                         the target process; verify against its definition
//
// Parameters:
//   ProcessId - id of the process that receives the stub
//   ThreadId  - id of the thread whose context is overwritten
// Returns FALSE when GetThreadContext, WriteProcessMemory or SetThreadContext
// fails. Returns TRUE otherwise - including when nothing was injected because
// VirtualAllocEx returned NULL or LoadLibraryWAddress was NULL (see inline notes).
//
// Defender's note: the observable sequence is OpenThread/OpenProcess with
// *_ALL_ACCESS, SuspendThread, GetThreadContext, VirtualAllocEx with
// PAGE_EXECUTE_READWRITE, WriteProcessMemory, SetThreadContext and ResumeThread,
// all against a foreign process. A cross-process SetThreadContext on a suspended
// thread paired with an RWX allocation is the event worth alerting on; a thread
// whose Rip/Eip points into a region that is not image-backed is the in-memory
// artifact left behind.
BOOL Inject(IN UINT32 ProcessId, IN UINT32 ThreadId)
{
BOOL bOk = FALSE; // declared but never read or written again in this function
CONTEXT ThreadContext = { 0 };
PVOID BufferData = NULL;
// NOTE(review): neither handle is checked for NULL before it is used.
HANDLE ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
// Suspend the thread first; the return value is not checked.
SuspendThread(ThreadHandle);
ThreadContext.ContextFlags = CONTEXT_ALL;
if (GetThreadContext(ThreadHandle, &ThreadContext) == FALSE)
{
// NOTE(review): the thread stays suspended on this path - there is no ResumeThread.
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return FALSE;
}
// One RWX region sized exactly to the stub. The DLL path is copied into the
// stub itself below, so it has to fit within sizeof(ShellCode); nothing here
// checks that, so an over-long DllFullPath overruns the ShellCode array.
BufferData = VirtualAllocEx(ProcessHandle, NULL, sizeof(ShellCode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// NOTE(review): if the allocation fails, or LoadLibraryWAddress is NULL, control
// falls through to the final CloseHandle calls and the function returns TRUE
// with the target thread still suspended.
if (BufferData != NULL)
{
if (LoadLibraryWAddress != NULL)
{
#ifdef _WIN64
// ShellCode + 43 holds the full DLL path (NUL-terminated, copied in WCHARs).
PUINT8 v1 = ShellCode + 43;
memcpy(v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR));
// Arithmetic is 43 - 4 - 7, i.e. the distance from offset 11 to the path;
// presumably the displacement for a RIP-relative operand of an instruction
// that starts at offset 4 - the stub encoding itself is not on this page.
UINT32 DllNameOffset = (UINT32)(((PUINT8)BufferData + 43) - ((PUINT8)BufferData + 4) - 7);
*(PUINT32)(ShellCode + 7) = DllNameOffset;
// ShellCode + 35 holds the LoadLibrary address (8 bytes).
*(PUINT64)(ShellCode + 35) = (UINT64)LoadLibraryWAddress;
// Same displacement scheme: 35 - 11 - 6, relative to offset 17.
UINT32 LoadLibraryAddressOffset = (UINT32)(((PUINT8)BufferData + 35) - ((PUINT8)BufferData + 11) - 6);
*(PUINT32)(ShellCode + 13) = LoadLibraryAddressOffset;
// Saved RIP, so the stub can send the thread back to where it was interrupted.
*(PUINT64)(ShellCode + 27) = ThreadContext.Rip;
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
// NOTE(review): returns without closing either handle, without releasing
// BufferData (no VirtualFreeEx) and with the thread still suspended.
return FALSE;
}
// Redirect execution into the stub.
ThreadContext.Rip = (UINT64)BufferData;
#else
// x86 stub: the DLL path lives at offset 29.
PUINT8 v1 = ShellCode + 29;
memcpy((char*)v1, DllFullPath, (wcslen(DllFullPath) + 1) * sizeof(WCHAR)); // name of the DLL to inject
// Absolute (32-bit) target-process address of the path.
*(PUINT32)(ShellCode + 3) = (UINT32)BufferData + 29;
*(PUINT32)(ShellCode + 25) = LoadLibraryWAddress; // LoadLibrary address stored inside the stub
*(PUINT32)(ShellCode + 9) = (UINT32)BufferData + 25;// operand after the call: target-space address that holds the LoadLibrary address
// Saved EIP, plus the address the trailing jmp reads it back from.
*(PUINT32)(ShellCode + 21) = ThreadContext.Eip;
*(PUINT32)(ShellCode + 17) = (UINT32)BufferData + 21;// operand after the jmp: address holding the original EIP
if (!WriteProcessMemory(ProcessHandle, BufferData, ShellCode, sizeof(ShellCode), NULL))
{
// NOTE(review): the message reads like "Error\n" with the escape lost in
// transcription. Same leaks as the x64 branch: handles, BufferData and the
// suspended thread are all abandoned.
printf("write Process Errorn");
return FALSE;
}
ThreadContext.Eip = (UINT32)BufferData;
#endif 
if (!SetThreadContext(ThreadHandle, &ThreadContext))
{
// NOTE(review): same early-return leaks as above; the thread is left
// suspended with its original context still in place.
printf("set thread context errorn");
return FALSE;
}
// Only now does the thread run again - starting at BufferData.
ResumeThread(ThreadHandle);
printf("ShellCode 注入完成rn");
}
}
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return TRUE;
}

0x05.插入Apc队列

  Ring3层的Apc注入是不太稳定的,我的做法就是暴力地向目标进程的所有线程的UserMode Apc队列(线程有两个Apc队列:Kernel和User)上插入Apc对象,等待它去执行该Apc里注册的函数。而只有当线程处于alertable状态时,才会查看Apc队列是否有需要执行的注册函数。

  ps:正是因为不知道哪个线程会去处理Apc,所以感觉Ring3层Apc注入不如其他方法好使,不过Ring0层Apc注入还是比较稳定的。之前测试xp和win10都成功,win7下注explorer进程总是崩溃,后来捯饬半天,发现遍历线程的时候从后往前遍历着插入就不会崩溃Orz