几种可作为工具使用的常用注入姿势

转眼国庆假期已经过去了两天,又对游戏安全感兴趣的我,就来复习复习注入姿势好了,个人认为作为工具使用还比较方便的注入方法。注入的方式很多书籍都谈到了,诸如《逆向工程核心原理》《Windows核心编程》,网站也有很多,像腾讯的游戏安全实验室就有专门介绍的,网上相关的博客介绍也很多,我也是从这些地方学到的。

消息钩子

这种方式仅适用于GUI程序,而且要确定钩取的消息,还是觉得不太方便。23333,功能是键盘按下,弹窗。现在好多程序都防着钩子了,感觉没什么用。

Message_Hook.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdio.h>
#include <conio.h>
#include <windows.h>

#define DEF_DLL_NAME "My_Hook_Dll.dll"
#define DEF_HOOKSTART "HookStart"
#define DEF_HOOKSTOP "HookStop"

typedef void (*PFN_HOOKSTART)();
typedef void (*PFN_HOOKSTOP)();

void main()
{
HMODULE hDll = NULL;
PFN_HOOKSTART HookStart = NULL;
PFN_HOOKSTOP HookStop = NULL;
char ch = 0;

hDll = LoadLibraryA(DEF_DLL_NAME);
if( hDll == NULL )
{
printf("LoadLibrary(%s) failed!!! [%d]", DEF_DLL_NAME, GetLastError());
return;
}
HookStart = (PFN_HOOKSTART)GetProcAddress(hDll, DEF_HOOKSTART);
HookStop = (PFN_HOOKSTOP)GetProcAddress(hDll, DEF_HOOKSTOP);

HookStart();

printf("press 'q' to quit!\n");
while( _getch() != 'q' ) ;

HookStop();
FreeLibrary(hDll);
}

dllmain.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"

#define DEF_PROCESS_NAME "notepad.exe"

HINSTANCE g_hInstance = NULL;
HHOOK g_hHook = NULL;
HWND g_hWnd = NULL;

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
switch( dwReason )
{
case DLL_PROCESS_ATTACH:
g_hInstance = hinstDLL;
break;

case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
char szPath[MAX_PATH] = {0,};
char *p = NULL;

if( nCode >= 0 )
{
// bit 31 : 0 => press, 1 => release
if( !(lParam & 0x80000000) )
{
GetModuleFileNameA(NULL, szPath, MAX_PATH);
p = strrchr(szPath, '\\');

if( !_stricmp(p + 1, DEF_PROCESS_NAME) )
MessageBoxA(NULL,"Inject successful!","Congratulations!",MB_OK);
}
}

return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

#ifdef __cplusplus
extern "C" {
#endif
__declspec(dllexport) void HookStart()
{
g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0);
}

__declspec(dllexport) void HookStop()
{
if( g_hHook )
{
UnhookWindowsHookEx(g_hHook);
g_hHook = NULL;
}
}
#ifdef __cplusplus
}
#endif

远程注入

原理什么的就不讲了,直接上代码,功能也是完成一个弹窗,具体要做什么的时候,修改一下就好了。

dllmain.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include "stdafx.h"

BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBoxA(NULL,"Injection Success!","Congratulations!",MB_OK);
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

Injection.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#include<windows.h>
#include<stdio.h>
#include<string.h>

BOOL SetPrivilege(LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
wprintf(L"OpenProcessToken Failed!CODE(%u)\n",GetLastError());
return FALSE;
}
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
wprintf(L"LookupPrivilegeValue Failed!CODE(%u)\n",GetLastError());
return FALSE;
}
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
if(bEnablePrivilege)
{
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes=0;
}
//Enable the privilege开启或关闭权限
if(!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
{
wprintf(L"AdjustTokenPrivileges Failed!CODE(%u)\n",GetLastError());
return FALSE;
}
CloseHandle(hToken);
return TRUE;
}

BOOL Remotethread_Injection(int PID,char *pDllName)
{
HANDLE hProcess;
DWORD dwDllNameLen = strlen(pDllName) + 2;
BYTE *pBufaddr = NULL;
HANDLE hRemoteThread = NULL;
PTHREAD_START_ROUTINE pfnRemoteThreadProc = NULL;
__try
{
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,(DWORD)PID);
if(!hProcess)
{
printf("OpenProcess Error!code(%d)\n",GetLastError());
return FALSE;
}
pBufaddr = (BYTE *)VirtualAllocEx(hProcess,NULL,dwDllNameLen,MEM_COMMIT,PAGE_READWRITE);
if(!pBufaddr)
{
printf("VirtualAllocEx Error!code(%d)\n",GetLastError());
CloseHandle(hProcess);
return FALSE;
}
if(!WriteProcessMemory(hProcess,pBufaddr,pDllName,dwDllNameLen,NULL))
{
printf("WriteProcessMemory Error!code(%d)\n",GetLastError());
VirtualFreeEx(hProcess,(PVOID)pBufaddr,0,MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
pfnRemoteThreadProc = (PTHREAD_START_ROUTINE)GetProcAddress((HMODULE)LoadLibraryA("kernel32.dll"),"LoadLibraryA");
if(!pfnRemoteThreadProc)
{
printf("GetProcAddress Error!code(%d)\n",GetLastError());
VirtualFreeEx(hProcess,(PVOID)pBufaddr,0,MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
hRemoteThread = CreateRemoteThread(hProcess,NULL,0,pfnRemoteThreadProc,(PVOID)pBufaddr,0,NULL);
if(!hRemoteThread)
{
printf("CreateRemoteThreadEx Error!code(%d)\n",GetLastError());
VirtualFreeEx(hProcess,(PVOID)pBufaddr,0,MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
WaitForSingleObject(hRemoteThread,INFINITE);
}
__finally
{
if(hRemoteThread)
{
CloseHandle(hRemoteThread);
}
if(pBufaddr)
{
VirtualFreeEx(hProcess,(PVOID)pBufaddr,0,MEM_RELEASE);
}
if(hProcess)
{
CloseHandle(hProcess);
}
}
return TRUE;
}

int main(int argc,char* argv[])
{
DWORD PID = 0;
if(!argv[1])
{
printf("USAGE: %s <dll_path>\n",argv[0]);
return 0;
}
printf("Please Input process PID(大于100):\n");
scanf("%d",&PID);
if(!SetPrivilege(SE_DEBUG_NAME,TRUE))
{
return 1;
}
if(Remotethread_Injection(PID,argv[1]))
{
printf("Inject Successful!\n");
}
return 0;
}

我常用的就是这两种,其他的注入方式还有DLL劫持,就是大家最熟悉的替换dll名称啦;还有挂起进程注入,先让要运行的程序挂起,再让注入的线程挂起,最后先恢复程序,再恢复线程,代码过程和远程注入基本相似,最大的区别就是挂起标识位要修改;除此以外,还有APC注入,修改输入表等骚操作。23333。emmmmmm,差不多就这些吧。

要好好想想接下来5天要怎么有意义的度过了,23333。