远程线程作为一项"合法"的代码注入技术,在windows上被大量使用, 它的本质就是把一块可执行代码写入到对方进程,然后让其起运行起来。
一般它的实现过程是这样的, 通过VirtualAllocEx在目标进程分配内存空间,然后通过WriteProcessMemory将我们的可执行代码写入到目标进程,最后通过CreateRemoteThread让我们的可执行代码在目标进程里运行起来。
一般实现远程线程有2种方法, 一种是《windows核心编程》里介绍的,通过线程函数和LoadLibrary API函数申明的相似性, 直接在目标进程里调用LoadLibrary加载我们DLL,这样我们只要在DLL_PROCESS_ATTACH里执行我们的代码就可以了。代码如下, 通过InjectLib在目标进程加载我们的DLL, 通过EjectLib卸载我们的DLL:
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
BOOL fOk = FALSE; // Assume that the function fails
HANDLE hProcess = NULL, hThread = NULL;
PWSTR pszLibFileRemote = NULL;
__try {
// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, dwProcessId);
if (hProcess == NULL)
{
__leave;
}
// Calculate the number of bytes needed for the DLL's pathname
int cch = 1 + lstrlenW(pszLibFile);
int cb = cch * sizeof(WCHAR);
// Allocate space in the remote process for the pathname
pszLibFileRemote = (PWSTR)
VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
if (pszLibFileRemote == NULL)
{
__leave;
}
// Copy the DLL's pathname to the remote process's address space
if (!WriteProcessMemory(hProcess, pszLibFileRemote,
(PVOID) pszLibFile, cb, NULL))
{
__leave;
}
// Get the real address of LoadLibraryW in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
if (pfnThreadRtn == NULL)
{
__leave;
}
// Create a remote thread that calls LoadLibraryW(DLLPathname)
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, pszLibFileRemote, 0, NULL);
if (hThread == NULL)
{
__leave;
}
// Wait for the remote thread to terminate
WaitForSingleObject(hThread, INFINITE);
fOk = TRUE; // Everything executed successfully
}
__finally { // Now, we can clean everthing up
// Free the remote memory that contained the DLL's pathname
if (pszLibFileRemote != NULL)
VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
}
return(fOk);
}
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI InjectLibA(DWORD dwProcessId, PCSTR pszLibFile)
{
// Allocate a (stack) buffer for the Unicode version of the pathname
PWSTR pszLibFileW = (PWSTR)
_alloca((lstrlenA(pszLibFile) + 1) * sizeof(WCHAR));
// Convert the ANSI pathname to its Unicode equivalent
wsprintfW(pszLibFileW, L"%S", pszLibFile);
// Call the Unicode version of the function to actually do the work.
return(InjectLibW(dwProcessId, pszLibFileW));
}
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
BOOL fOk = FALSE; // Assume that the function fails
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot == INVALID_HANDLE_VALUE)
{
__leave;
}
// Get the HMODULE of the desired library
MODULEENTRY32W me = { sizeof(me) };
BOOL fFound = FALSE;
BOOL fMoreMods = Module32FirstW(hthSnapshot, &me);
for (; fMoreMods; fMoreMods = Module32NextW(hthSnapshot, &me)) {
fFound = (lstrcmpiW(me.szModule, pszLibFile) == 0) ||
(lstrcmpiW(me.szExePath, pszLibFile) == 0);
if (fFound) break;
}
if (!fFound)
{
__leave;
}
// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, dwProcessId);
if (hProcess == NULL)
{
__leave;
}
// Get the real address of LoadLibraryW in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
if (pfnThreadRtn == NULL)
{
__leave;
}
// Create a remote thread that calls LoadLibraryW(DLLPathname)
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, me.modBaseAddr, 0, NULL);
if (hThread == NULL)
{
__leave;
}
// Wait for the remote thread to terminate
WaitForSingleObject(hThread, INFINITE);
fOk = TRUE; // Everything executed successfully
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
}
return(fOk);
}
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI EjectLibA(DWORD dwProcessId, PCSTR pszLibFile)
{
// Allocate a (stack) buffer for the Unicode version of the pathname
PWSTR pszLibFileW = (PWSTR)
_alloca((lstrlenA(pszLibFile) + 1) * sizeof(WCHAR));
// Convert the ANSI pathname to its Unicode equivalent
wsprintfW(pszLibFileW, L"%S", pszLibFile);
// Call the Unicode version of the function to actually do the work.
return(EjectLibW(dwProcessId, pszLibFileW));
}
///////////////////////////////////////////////////////////////////////////////
上面这种方法注入的代码它的优点是开发比较简单,我们只要用C++写一个DLL,然后调用InjectLibW(processID, dllName)就可以了,但是因为代码是运行在一个DLL里,别人可以通过一些枚举模块的工具看到我们的DLL,所以隐蔽性不是很好。
还有一种远程线程的实现方法是罗云彬《Windows环境下32位汇编语言程序设计》里介绍的,
我们不通过DLL,而是直接把可执行代码拷贝到目标进程后运行,所以它是真正的远程线程,通过这种方法,我们的代码和目标进程已经完全融为一体,其他人根本无法察觉。
用这种方法实现, 它的要点是:
(1) Kernel32.DLL加载的基址在任何进程里都是一样的(其实上一种LoadLibrary方法也用到了这点), 所以GetProcAddress,GetModuleHandleA(W), LoadLibraryA(W)这些API的地址在任何进程里都是一样的, 所以我们在其他进程中用和本进程相同的地址调用这些API。
(2) 因为涉及到全局变量的重定位问题, 所以注入的代码需要用汇编编写, 并用以下汇编解决重定位问题