Injecting a DLL Using Remote Threads - PowerPoint PPT Presentation

1
Injecting a DLL Using Remote Threads
Windows 2000 Only
?????
2
????
  • ?? ??process ? thread ?? LoadLibrary ?????????
    DLL
  • Windows ???????????? process ? thread, ????????
  • ? ??process ??? thread

?? process
??? ?
?????? DLL
3
Create a thread in another process
??Process ??????? thread
?CreateThread ?????
HANDLE CreateRemoteThread( HANDLE hProcess,
PSECURITY_ATTRIBUTES psa,
DWORD dwStackSize,

PTHREAD_START_ROUTINE pfnStartAddr,
PVOID
pvParam, DWORD fdwCreate,
PDWORD pdwThreadId)
????? thread
?? thread function ???? (????????? ??Process)
Windows 2000 Only
4
??????????? process ?? thread !
CreateRemoteThread
????? ??? process ??? LoadLibraryA function ?
????????? thread ????????DLL ?????
??? MSDN LoadLibrary
  • ??? thread ???? function,??? LoadLibraryA ?
    LoadLibraryW ???

HANDLE hThread CreateRemoteThread
(hProcessRemote, NULL, 0
,
LoadLibraryA, "C\\MyLib.dll",

0, NULL)
???????? ??? DLL
??
5
???????? -- LoadLibraryA ????
  • ?????? LoadLibraryA ???
  • ??? LoadLibraryA ??????? DLL ? function.
  • ???????GetProcAddress???LoadLibraryA?????

LoadLibraryA
Import section
LoadLibraryA()
Thunks
Kernel32.dll
Exe module
6
LoadLibraryA ????
  • ?????? CreateRemoteThread ????

Process B's virtual space
Process A's virtual space
Process A
Process B
processA.exe
CreateRemoteThread(..0xABCD)
Kernel32.dll
Kernel32.dll
0xABCD
LoadLibraryA ( )
0xABCD
LoadLibraryA ( )
7
LoadLibraryA ??????
?????????? ProcessA ? ??process ? LoadLibraryA
????????
// Step 1 ??? kernel32.dll ?? LoadLibraryA
?????? PTHREAD_START_ROUTINE pfnThreadRtn pfnThre
adRtn (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")),


"LoadLibraryA") // Step 2 ??? process
?, ???? LoadLibraryA ? thread HANDLE hThread
CreateRemoteThread(hProcessRemote, NULL, 0,
pfnThreadRtn, "C\\MyLib.dll", 0, NULL)
Process A's virtual space
processA.exe
Kernel32.dll
0xABCD
LoadLibraryA ( )
CreateRemoteThread( ?? process, NULL, 0,
8
????? ????????
// Step 2 ??? process ?, ???? LoadLibraryA ?
thread HANDLE hThread CreateRemoteThread(hProce
ssRemote, NULL, 0,

pfnThreadRtn, "C\\MyLib.dll",

0, NULL)
??????? Process A ???
???? Process B ??????, ????. ?? Process B
????????????
9
????????
  • ???????, ????
  • Step 1 ?DLL??????????????????
  • Step 2 ????,?? CreateRemoteThread ?

????? ?? process's address space ? ??????? !!
VirtualAllocEx(HANDLE hProcess, PVOID pvAddress,
SIZE_T dwSize, DWORD
flAllocationType, DWORD
flProtect)
10
// ??????? BOOL VirtualFreeEx(HANDLE hProcess,
PVOID pvAddress,
SIZE_T dwSize, DWORD dwFreeType)
?? process
???????????
Type Release ? dwSize0 Decommit ?
???????? (bytes ???) ??? page ???
dwFreeType ??? MEM_DECOMMIT ? page ??
reserved ?? MEM_RELEASE ? page ?? free ??
11
// ?????????? BOOL WriteProcessMemory( HANDLE
hProcess, PVOID pvAddressRemote,
PVOID
pvBufferLocal, DWORD dwSize,
PDWORD
pdwNumBytesWritten)
??????????
?? process
??????????????
?????byte??
???????byte??
// ?????????? BOOL ReadProcessMemory( HANDLE
hProcess, PVOID pvAddressRemote,
PVOID
pvBufferLocal, DWORD dwSize,
PDWORD
pdwNumBytesWritten)
12
????
????
ProcessB.exe's Image
#include <stdio.h> #include <windows.h> int
g_int void main() for(int i0ilt1000i)
g_inti printf("Process B > %d
\n",g_int) Sleep(1000)
3
????
Query
?? g_int ???
2
4
?????
BOOL CMyDLLAppInitInstance() //
?? Dialog CMyDLLDlg dlg INT_PTR
nResponse dlg.DoModal()
MyDll.dll
1
13
???????
BOOL CMyDLLAppInitInstance()
CWinAppInitInstance() // ?? Dialog
CMyDLLDlg dlg INT_PTR
nResponse dlg.DoModal() //
return TRUE
// Step 4 ?????? Query ????, //
???? g_int ????? // Note // ?? ????
Title"Jenny" BEGIN_MESSAGE_MAP(CMyDLLDlg,
CDialog) ON_WM_ACTIVATE() ON_MESSAGE (WM_APP ,
OnQuery) END_MESSAGE_MAP() afx_msg LRESULT
CMyDLLDlgOnQuery (WPARAM wParam, LPARAM
lParam) HWND hwndReturn FindWindow(NULL,
"Jenny") SendMessage(hwndReturn, WM_APP,
\
VirtualAddress, NULL) return TRUE
MyDll.cpp
void CMyDLLDlgOnActivate() // ?? Dialog
Window Title this->SetWindowText("Jing")
Query
?? ProcessB Global variable ? virtual address ??
VirtualAddress ???
MyDllDlg.cpp
?? g_int ???
MyDllDlg.cpp
14
MyDLL ???
?????? ?? project output ? c\Debug
15
????
void CDialogTestDlgOnBnClickedButton2() //
Step 1 ?? ProcessB ? handle hRemoteProcessGetPr
ocessHandle("ProcessB.exe") // Step 2 ?
Process B ??????? (??? MyDll.dll ??) char
pszLibFile"MyDll.dll" int cb 1
lstrlen(pszLibFile) // ?? "MyDll.dll"
????? pszLibFileRemote (char)
VirtualAllocEx(hRemoteProcess, NULL, cb, \

MEM_COMMIT,
PAGE_READWRITE) // Step 3 ????? ProcessB
?? WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (PVOID) pszLibFile \


, cb, NULL) // Step 4 ??
LoadLibrary ? ProcessB ????? (????????) PTHREAD_S
TART_ROUTINE pfnThreadRtn (PTHREAD_START_ROUTINE
) \ GetProcAddress(GetM
oduleHandle("Kernel32"), "LoadLibraryA") //
Step 5 ?? RemoteThread ? MyDll.dll ???
ProcessB RemoteThread CreateRemoteThread(hRemot
eProcess, NULL, 0, \
pfnThreadRtn, pszLibFileRemote, 0,
NULL) MessageBox(NULL,"?? MyDll
??","Success",MB_OK) bIsInjectedtrue
?? ????,?? Error ???????, ?????????
DialogTestDlg.cpp
16
BEGIN_MESSAGE_MAP(CDialogTestDlg, CDialog)
//
ON_MESSAGE (WM_APP , OnAnswer) //
"????" ???? //
END_MESSAGE_MAP()
// Step 3 ???????? CDialogTestDlg Dlg //
??????? Dialog afx_msg LRESULT CDialogTestDlgOnA
nswer (WPARAM wParam, LPARAM lParam) CStatic
text text(CStatic) Dlg->GetDlgItem(IDC_ST
ATIC) int data(int)wParam char
buffer100 sprintf(buffer,"Process B ??
g_int?? d",data) text->SetWindowText(buffer)
return TRUE
? Process B ? g_int ????????
DialogTestDlg.cpp
17
?? ??????
  • Debugging Functions
  • ????? functions ?????? process ???. ?
    ReadProcessMemory, WriteProcessMemory,