support more os

support more os
Cette révision appartient à :
LycorisGuard 2018-08-14 16:13:05 +08:00
Parent 640a13d621
révision cfb0b2c937
3 fichiers modifiés avec 152 ajouts et 116 suppressions


@ -4,6 +4,7 @@ x64
*/
#include "stdafx.h"
#include "CreateRemoteThread.h"
#include <strsafe.h>
#ifdef _DEBUG
#define new DEBUG_NEW
@ -18,87 +19,83 @@ using namespace std;
typedef enum _WIN_VERSION
{
WindowsNT,
Windows2000,
WindowsXP,
Windows2003,
WindowsVista,
Windows7,
Windows8,
WinUnknown
WindowsNT,
Windows2000,
WindowsXP,
Windows2003,
WindowsVista,
Windows7,
Windows8,
Windows10,
WinUnknown
}WIN_VERSION;
typedef NTSTATUS( NTAPI* fnRtlGetVersion )(PRTL_OSVERSIONINFOW lpVersionInformation);
VOID InjectDll(ULONG_PTR ProcessID);
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath);
WIN_VERSION GetWindowsVersion();
BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
WIN_VERSION WinVersion = WinUnknown;
BOOL EnableDebugPrivilege();
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;
typedef long (__stdcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
WIN_VERSION WinVersion = WinUnknown;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
cout<<"查看要注入进程的ID"<<endl;
ULONG_PTR ProcessID = 0;
WinVersion = GetWindowsVersion();
printf("Input ProcessID\r\n");
cin>>ProcessID;
InjectDll(ProcessID);
return 0;
WinVersion = GetWindowsVersion();
if(argc == 3)
{
ULONG ProcessId = 0;
swscanf_s(argv[1], L"%d", &ProcessId);
InjectDll(ProcessId, argv[2]);
}
return 0;
}
VOID InjectDll(ULONG_PTR ProcessID)
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath)
{
CString strPath32 = L"Dllx86.dll"; //32位dll注入32位系统
CString strPath64 = L"Dllx64.dll";
if (ProcessID == 0)
WCHAR wzPath[MAX_PATH] = {0};
if (ProcessID == 0 || strPath == NULL)
{
printf("Inject Fail ProcessId or strPath is not exists \r\n");
return;
}
if (PathFileExists(strPath32)&&PathFileExists(strPath64))
GetCurrentDirectory(260,wzPath);
wcsncat_s(wzPath, L"\\", 2);
wcsncat_s(wzPath, strPath, wcslen(strPath));//dll完整路径
if (!PathFileExists(wzPath))
{
switch(WinVersion)
{
case Windows7: //这里用的是Win7 x64 sp1
{
WCHAR wzPath[MAX_PATH] = {0};
GetCurrentDirectory(260,wzPath);
wcsncat_s(wzPath, L"\\", 2);
wcsncat_s(wzPath, strPath64.GetBuffer(), strPath64.GetLength());//dll完整路径
strPath32.ReleaseBuffer();
if (!InjectDllByRemoteThread64(wzPath,ProcessID))
printf("Inject Fail\r\n");
else printf ("Inject Success\r\n");
break;
}
case WindowsXP: //WinXp x86 sp3
{
WCHAR wzPath[MAX_PATH] = {0};
GetCurrentDirectory(260,wzPath);
wcsncat_s(wzPath, L"\\", 2);
wcsncat_s(wzPath, strPath32.GetBuffer(), strPath32.GetLength());
strPath32.ReleaseBuffer();
if (!InjectDllByRemoteThread32(wzPath,ProcessID))
printf("Inject Fail\r\n");
else printf("Inject Success\r\n");
break;
}
}
printf("Inject Fail strPath is not exists LastError [%d]\r\n", GetLastError());
return;
}
printf("Inject Target [%d], strPath [%S]\n", ProcessID, wzPath);
if(WinVersion >= Windows7)
{
if (!InjectDllByRemoteThreadWin7(wzPath,ProcessID))
printf("Inject Fail\r\n");
else
printf ("Inject Success\r\n");
}
else
{
if (!InjectDllByRemoteThreadXP(wzPath,ProcessID))
printf("Inject Fail\r\n");
else
printf("Inject Success\r\n");
}
}
BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
{
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
{
@ -122,7 +119,13 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
return FALSE;
}
#ifdef _WIN64
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege = NULL;
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
#else
pfnRtlAdjustPrivilege32 RtlAdjustPrivilege = NULL;
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege32)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
#endif
if (RtlAdjustPrivilege==NULL)
{
@ -140,7 +143,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
if (NULL == hProcess)
{
printf("Open Process Fail\r\n");
printf("Open Process Fail lastError [%d]\r\n", GetLastError());
return FALSE;
}
@ -149,7 +152,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (NULL == VirtualAddress)
{
printf("Virtual Process Memory Fail\r\n");
printf("Virtual Process Memory Fail lastError [%d]\r\n", GetLastError());
CloseHandle(hProcess);
return FALSE;
}
@ -157,7 +160,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
// 在目标进程的内存空间中写入所需参数(模块名)
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
{
printf("Write Data Fail\r\n");
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
@ -166,7 +169,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (NULL == hThread)
{
printf("CreateRemoteThread Fail\r\n");
printf("CreateRemoteThread Fail lastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
@ -178,11 +181,10 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
{
// 参数无效
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
@ -194,11 +196,18 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
DWORD dwSize = 0;
TCHAR* VirtualAddress = NULL;
LPTHREAD_START_ROUTINE FuncAddress = NULL;
if(!EnableDebugPrivilege())
{
printf("EnableDebugPrivilege fail lasterror is [%d]\n", GetLastError());
return FALSE;
}
// 获取目标进程句柄
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, ProcessId);
if (NULL == hProcess)
{
printf("Open Process Fail\r\n");
printf("Open Process Fail LastError [%d]\r\n", GetLastError());
return FALSE;
}
// 在目标进程中分配内存空间
@ -206,14 +215,14 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (NULL == VirtualAddress)
{
printf("Virtual Process Memory Fail\r\n");
printf("Virtual Process Memory Fail LastError [%d]\r\n", GetLastError());
CloseHandle(hProcess);
return FALSE;
}
// 在目标进程的内存空间中写入所需参数(模块名)
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
{
printf("Write Data Fail\r\n");
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
@ -227,7 +236,7 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
if (NULL == FuncAddress)
{
printf("Get LoadLibrary Fail\r\n");
printf("Get LoadLibrary Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return false;
@ -237,7 +246,7 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (NULL == hThread)
{
printf("CreateRemoteThread Fail\r\n");
printf("CreateRemoteThread Fail LastError [%d]\r\n", GetLastError());
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
@ -255,50 +264,74 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
WIN_VERSION GetWindowsVersion()
{
OSVERSIONINFOEX OsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // 注意转换类型
switch (OsVerInfoEx.dwPlatformId)
RTL_OSVERSIONINFOEXW verInfo = { 0 };
verInfo.dwOSVersionInfoSize = sizeof( verInfo );
fnRtlGetVersion RtlGetVersion = (fnRtlGetVersion)GetProcAddress( GetModuleHandleW( L"ntdll.dll" ), "RtlGetVersion" );
if(RtlGetVersion != NULL && RtlGetVersion((PRTL_OSVERSIONINFOW)&verInfo) == 0)
{
case VER_PLATFORM_WIN32_NT:
if (verInfo.dwMajorVersion <= 4 )
{
if (OsVerInfoEx.dwMajorVersion <= 4 )
{
return WindowsNT;
}
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 0)
{
return Windows2000;
}
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1)
{
return WindowsXP;
}
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 2)
{
return Windows2003;
}
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 0)
{
return WindowsVista;
}
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 1)
{
return Windows7;
}
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 2 )
{
return Windows8;
}
break;
return WindowsNT;
}
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 0)
{
return Windows2000;
}
default:
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 1)
{
return WinUnknown;
return WindowsXP;
}
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 2)
{
return Windows2003;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 0)
{
return WindowsVista;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 1)
{
return Windows7;
}
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 2 )
{
return Windows8;
}
if (verInfo.dwMajorVersion == 10 && verInfo.dwMinorVersion == 0 && verInfo.dwBuildNumber >= 10240)
{
return Windows10;
}
}
}
return WinUnknown;
}
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivilege;
LUID uID;
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken is Error\n");
return FALSE;
}
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
{
printf("LookupPrivilegeValue is Error\n");
return FALSE;
}
TokenPrivilege.PrivilegeCount = 1;
TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivilege.Privileges[0].Luid = uID;
//在这里我们进行调整权限
if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
printf("AdjuestTokenPrivileges is Error\n");
return FALSE;
}
return TRUE;
}
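Review bot: The new EnableDebugPrivilege never closes hToken on any path and treats a TRUE return from AdjustTokenPrivileges as success, but that API returns TRUE even when SeDebugPrivilege is absent from the token and only reports it via GetLastError() == ERROR_NOT_ALL_ASSIGNED, so an unprivileged run prints nothing here and then fails later at OpenProcess with a less useful error. Close the token before every return and read the error code right after the adjust, as in the excerpt below. In the same hunk, GetWindowsVersion has no mapping for 6.3 (Windows 8.1) or for 10.0 builds below 10240, so they return WinUnknown; the `WinVersion >= Windows7` test in InjectDll still sends them down the Win7 path only because WinUnknown happens to be the last enumerator, which looks intended but deserves to be explicit, e.g. `if (WinVersion >= Windows7 || WinVersion == WinUnknown) // unknown/newer OS: assume the Win7+ path`.
```cpp
BOOL EnableDebugPrivilege()
{
	HANDLE hToken = NULL;
	// … unchanged: TOKEN_PRIVILEGES / LUID declarations and the OpenProcessToken check …
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
	{
		printf("LookupPrivilegeValue is Error\n");
		CloseHandle(hToken);
		return FALSE;
	}
	// … unchanged: fill in TokenPrivilege …
	// AdjustTokenPrivileges returns TRUE even when the privilege is not held by the token;
	// the only signal is ERROR_NOT_ALL_ASSIGNED, so capture GetLastError() before closing the handle.
	BOOL bAdjusted = AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
	DWORD dwErr = GetLastError();
	CloseHandle(hToken);
	if (!bAdjusted || dwErr == ERROR_NOT_ALL_ASSIGNED)
	{
		printf("AdjustTokenPrivileges is Error LastError [%d]\n", dwErr);
		return FALSE;
	}
	return TRUE;
}
```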


@ -3,15 +3,15 @@
// Used by CreateRemoteThread.rc
//
#define IDS_APP_TITLE 103
#define IDS_APP_TITLE 103
// 新对象的下一组默认值
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif


@ -2,3 +2,6 @@
64 bit process Inject The dll to 64 bit process
sometimes you maybe fail to inject because cann't openprocess successful
and many safe software will protect it avoiding you to inject
support more OS.