Research and Implementation of process injection (II)

Source: Internet
Author: User
5. Injection without a DLL
In the third method, the start address of the remote thread was the address of LoadLibrary obtained from kernel32.dll. In fact, we can write the body of the thread function itself, together with its parameters, into the address space of the target process and then create a remote thread that starts there.
When using this method, pay attention to the following issues:
(1) Only functions from kernel32.dll and user32.dll can be used inside the remote thread function, because these two modules are loaded at the same address in every process. If you must use other functions, you have to write their bodies into the target process space as well.
(2) No string constants can be used, because string constants are stored in the .data section of the PE file and the function body only holds a relative address to them.
(3) Remove the /GZ compiler option. This option enables stack-frame run-time error checking: the compiler inserts code into the function body that checks whether ESP has been changed, and the routines performing these checks may be located at different addresses in different PE files.
(4) Do not use incremental linking. Incremental linking is something the linker does to reduce link time: each function is reached through a JMP instruction that stands in for the function body, so the function's contents can be changed without modifying the call sites. Taking the function's address then yields the jump stub rather than the body, so the wrong bytes would be copied.
(5) Do not use more than 4 KB of local variables in the function body. Local variables are stored on the stack. For example, the following function
void dummy(void)
{
    BYTE var[256];
    var[0] = 0;
    var[1] = 1;
    var[255] = 255;
}
allocates the space for its local variable like this:
00401000  push ebp
00401001  mov  ebp, esp
00401003  sub  esp, 00000100          ; adjust ESP to reserve the storage
                                      ; the local variables need
00401006  mov  byte ptr [esp], 00     ; var[0] = 0;
0040100A  mov  byte ptr [esp+01], 01  ; var[1] = 1;
0040100F  mov  byte ptr [esp+FF], FF  ; var[255] = 255;
00401017  mov  esp, ebp               ; restore the stack pointer
00401019  pop  ebp
0040101A  ret
However, when the local variables exceed 4 KB, the stack pointer is not adjusted directly; instead another function (a stack-probe helper) is called to grow the stack, and that function may be at a different address in a different process.
(6) A switch statement in the function body should contain no more than three cases. Otherwise the compiler emits a jump table in the PE file, and that table does not exist in the target process. Below is an example of injection without a DLL:
#include <windows.h>
#include <wchar.h>

// Parameter structure passed to the remote thread
typedef struct _RemotePara {
    PVOID   dwMessageBox;       // address of MessageBoxW in the target process
    wchar_t strMessageBox[12];  // text for the message box (no string constants in the thread body)
} RemotePara;

// Remote thread execution body: it may only call user32/kernel32 functions,
// and it reaches MessageBoxW through the address handed over in the parameter block
DWORD __stdcall ThreadProc(RemotePara *para)
{
    typedef int (WINAPI *PMessageBox)(HWND, LPCWSTR, LPCWSTR, UINT);
    PMessageBox MessageBoxFunc = (PMessageBox)para->dwMessageBox;
    MessageBoxFunc(NULL, para->strMessageBox, para->strMessageBox, MB_OK);
    return 0;
}

int main(void)
{
    DWORD threadSize = 1024;          // number of bytes copied from ThreadProc
    DWORD pid = 4688;                 // id of the target process
    DWORD byte_write;
    HANDLE hRemoteProcess, hThread;
    RemotePara myRemotePara, *pRemotePara;
    void *pRemoteThread;
    HINSTANCE hUser32;

    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hRemoteProcess) return 0;
    // Allocate virtual memory in the remote process address space
    pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, threadSize,
                                   MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread) return 0;
    // Write the thread execution body ThreadProc into the remote process
    if (!WriteProcessMemory(hRemoteProcess, pRemoteThread, (void *)&ThreadProc, threadSize, 0))
        return 0;

    ZeroMemory(&myRemotePara, sizeof(RemotePara));
    hUser32 = LoadLibraryW(L"user32.dll");
    myRemotePara.dwMessageBox = (PVOID)GetProcAddress(hUser32, "MessageBoxW");
    wcscat(myRemotePara.strMessageBox, L"Hello!");   // parameters of the MessageBox call
    // Write the parameter block into the target process
    pRemotePara = (RemotePara *)VirtualAllocEx(hRemoteProcess, 0, sizeof(RemotePara),
                                               MEM_COMMIT, PAGE_READWRITE);
    if (!pRemotePara) return 0;
    if (!WriteProcessMemory(hRemoteProcess, pRemotePara, &myRemotePara, sizeof myRemotePara, 0))
        return 0;
    // Start the thread
    hThread = CreateRemoteThread(hRemoteProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread,
                                 pRemotePara, 0, &byte_write);
    if (hThread) CloseHandle(hThread);
    FreeLibrary(hUser32);
    CloseHandle(hRemoteProcess);
    return 0;
}

References:
http://www.codeproject.com/threads/winspy.asp?df=100&forumid=16291&select=1025152&msg=1025152#section_2
http://hi.baidu.com/sunshineboys/blog/item/828f4136c46534dda2cc2b35.html
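From the defender's side, the sequence above leaves a distinctive trail: an executable VirtualAllocEx into another process, a WriteProcessMemory into it, then a CreateRemoteThread in that process. The following correlator is an added example, not code from the article; the one-call-per-line trace format and its field names are assumptions, and the trace itself is constructed.

```python
"""Correlate a constructed API-call trace for the injection sequence
described above: RWX VirtualAllocEx into another process, then
WriteProcessMemory, then CreateRemoteThread in that same process."""
import re
from collections import defaultdict

# Constructed sample trace (not real telemetry); assumed format, one call per line:
# <time> pid=<caller> api=<name> target=<pid> [prot=<protection>]
SAMPLE_TRACE = """\
10:00:01 pid=1200 api=OpenProcess target=4688
10:00:01 pid=1200 api=VirtualAllocEx target=4688 prot=PAGE_EXECUTE_READWRITE
10:00:01 pid=1200 api=WriteProcessMemory target=4688
10:00:02 pid=1200 api=VirtualAllocEx target=4688 prot=PAGE_READWRITE
10:00:02 pid=1200 api=WriteProcessMemory target=4688
10:00:02 pid=1200 api=CreateRemoteThread target=4688
10:00:05 pid=3100 api=VirtualAllocEx target=3100 prot=PAGE_EXECUTE_READWRITE
10:00:06 pid=3100 api=WriteProcessMemory target=3100
10:00:07 pid=2500 api=OpenProcess target=4000
10:00:07 pid=2500 api=ReadProcessMemory target=4000
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+) target=(\d+)(?: prot=(\w+))?")


def find_injections(trace):
    """Return (caller, target, stages) for every caller/target pair that
    completes alloc-executable -> write -> remote thread, in that order."""
    stages = defaultdict(list)  # (caller, target) -> ordered stage names seen
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        caller, api, target, prot = m.groups()
        if caller == target:
            continue  # a process allocating in itself is outside this rule
        seen = stages[(caller, target)]
        if api == "VirtualAllocEx" and prot and "EXECUTE" in prot:
            seen.append("alloc_exec")
        elif api == "WriteProcessMemory" and "alloc_exec" in seen:
            seen.append("write")
        elif api == "CreateRemoteThread" and "write" in seen:
            seen.append("remote_thread")
    return [(c, t, s) for (c, t), s in stages.items() if "remote_thread" in s]
```

Real telemetry such as Sysmon event ID 8 (CreateRemoteThread) and event ID 10 (ProcessAccess) carries the same caller, target and access fields, so the rule transfers with only the parser changed.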
