另类远程线程模式

scjazf

一提到远程线程，一般都想到DLL注入啊，shellcode运行啊~
其实这两种根本不给力啊~
现在让我们来说一种新模型哦~
不借助shellcode,不借助不给力的DLL注入，我们直接在远程运行EXE里的代码~
当然API还是那个API,这里涉及到PE文件的一些知识，就不多说了，直接上代码~

1. LPVOID CopyModule(HANDLE proc, LPVOID image)
   
2. {
   
3.   PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
   
4.   PIMAGE_DATA_DIRECTORY datadir;
   
5.   DWORD size = headers->OptionalHeader.SizeOfImage;
   
6.   LPVOID mem = NULL;
   
7.   LPBYTE buf = NULL;
   
8.   BOOL ok = FALSE;
   
9. 
   
10.   if (headers->Signature != IMAGE_NT_SIGNATURE)
    
11.     return NULL;
    
12. 
    
13.   if (IsBadReadPtr(image, size))
    
14.     return NULL;
    
15. 
    
16.   mem = VirtualAllocEx(proc, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
17. 
    
18.   if (mem != NULL) {
    
19.     buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
20. 
    
21.     if (buf != NULL) {
    
22.       RtlCopyMemory(buf, image, size);
    
23. 
    
24.       datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    
25. 
    
26.       if (datadir->Size > 0 && datadir->VirtualAddress > 0) {
    
27.         DWORD_PTR delta = (DWORD_PTR)((LPBYTE)mem - headers->OptionalHeader.ImageBase);
    
28.         DWORD_PTR olddelta = (DWORD_PTR)((LPBYTE)image - headers->OptionalHeader.ImageBase);
    
29.         PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(buf + datadir->VirtualAddress);
    
30. 
    
31.         while(reloc->VirtualAddress != 0) {
    
32.           if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION)) {
    
33.             DWORD count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
    
34.             LPWORD list = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
    
35.             DWORD i;
    
36. 
    
37.             for (i = 0; i < count; i++) {
    
38.               if (list[i] > 0) {
    
39.                 DWORD_PTR *p = (DWORD_PTR *)(buf + (reloc->VirtualAddress + (0x0FFF & (list[i]))));
    
40. 
    
41.                 *p -= olddelta;
    
42.                 *p += delta;
    
43.               }
    
44.             }
    
45.           }
    
46. 
    
47.           reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
    
48.         }
    
49. 
    
50.         ok = WriteProcessMemory(proc, mem, buf, size, NULL);
    
51.       }
    
52. 
    
53.       VirtualFree(buf, 0, MEM_RELEASE); // release buf
    
54.     }
    
55. 
    
56.     if (!ok) {
    
57.       VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
    
58.       mem = NULL;
    
59.     }
    
60.   }
    
61. 
    
62.   return mem;
    
63. }
    
64. 
    
65. BOOL NewInject(DWORD pid, LPTHREAD_START_ROUTINE start)
    
66. {
    
67.   HANDLE proc, thread;
    
68.   HMODULE module, newmodule;
    
69.   BOOL ok = FALSE;
    
70. 
    
71.   proc = OpenProcess(PROCESS_QUERY_INFORMATION |
    
72.     PROCESS_VM_OPERATION |
    
73.     PROCESS_VM_WRITE |
    
74.     PROCESS_VM_READ |
    
75.     PROCESS_CREATE_THREAD |
    
76.     PROCESS_DUP_HANDLE,
    
77.     FALSE, pid);
    
78. 
    
79.   if (proc != NULL) {
    
80.     module = GetModuleHandle(NULL);
    
81. 
    
82.     newmodule = (HMODULE)CopyModule(proc, module);
    
83. 
    
84.     if (newmodule != NULL) {
    
85.       LPTHREAD_START_ROUTINE entry = (LPTHREAD_START_ROUTINE)((LPBYTE)newmodule + (DWORD_PTR)((LPBYTE)start - (LPBYTE)module));
    
86. 
    
87.       thread = CreateRemoteThread(proc, NULL, 0, entry, NULL, 0, NULL);
    
88. 
    
89.       if (thread != NULL) {
    
90.         CloseHandle(thread);
    
91.         ok = TRUE;
    
92.       }
    
93.       else {
    
94.         VirtualFreeEx(proc, module, 0, MEM_RELEASE);
    
95.       }
    
96.     }
    
97. 
    
98.     CloseHandle(proc);
    
99.   }
    
100. 
     
101.   return ok;
     
102. }
     

复制代码

1. //提权DEBUG后
   
2. NewInject(GetProcessIdByName(L"Diablo III.exe"), ThreadProc);
   

复制代码