QueueUserAPC

时间:2018-09-19 10:08:48

标签: code-injection dll-injection

我尝试使用 QueueUserAPC 实现注入，但它会无限期地等待。代码附在下面。首先，我获取了进程的句柄；然后获取其主线程 ID 并进行 APC 调用。我该如何调用？我正在尝试向 Chrome 进程中注入一些代码。

    /* Obtain a handle to the process (only PROCESS_VM_WRITE | PROCESS_VM_OPERATION are requested) */
hproc = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, proc32.th32ProcessID);
if (hproc == NULL) {
    /* NOTE(review): the failure is only logged; execution falls through and
     * the NULL handle is still passed to injectQUAPC below. */
    printf("\t[+] OpenProcess error \n");
}

printf("\n\t[+] Opened process handle: 0x%Ix\n", (SIZE_T)hproc);

shctrl->pidtab[ninj] =  proc32.th32ProcessID;   // store process id (if inject fails, next attempt will overwrite it)
printf("\t[+]*************Calling injectionQUAPC*************\n");
injectQUAPC(hproc, proc32.th32ProcessID);
/* NOTE(review): nothing in this fragment writes threadid[ninj], and injectQUAPC
 * returns void, so the value printed here presumably comes from elsewhere -- verify. */
printf("\t[+] Returned value of thread[nink] after injection is %d\n", threadid[ninj]);

我已经修改了此函数 `DWORD GetMainThreadId(DWORD dwPid)`：

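/*
 * Return the ID of a thread that belongs to process dwProcessId.
 *
 * Walks a Toolhelp thread snapshot and returns the first entry whose
 * th32OwnerProcessID matches. Snapshot order does not guarantee that this
 * is the process's initial thread, so "main" is a best-effort label.
 *
 * Returns 0 when the snapshot cannot be created or no thread matches.
 * Win32 never assigns thread ID 0, so 0 is an unambiguous failure value;
 * the previous version returned NULL (a pointer constant) from a DWORD
 * function.
 */
DWORD GetMainThreadId( DWORD dwProcessId )
{
    THREADENTRY32 te32 = { sizeof( THREADENTRY32 ) };   /* dwSize must be set before Thread32First */
    DWORD tid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, dwProcessId );
    if( hSnapshot == INVALID_HANDLE_VALUE )
        return 0;

    if( Thread32First( hSnapshot, &te32 ) )
    {
        do {
            if( te32.th32OwnerProcessID == dwProcessId )
            {
                tid = te32.th32ThreadID;
                break;
            }
        } while( Thread32Next( hSnapshot, &te32 ) );
    }

    /* single exit so the snapshot handle is released on every path */
    CloseHandle( hSnapshot );
    return tid;
}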

我的这个函数调用上面的函数，并用工具 ProcessthreadView 验证了返回的线程 ID：

/*
 * Copy the bytes of executer into process hproc and queue a user-mode APC on
 * the thread that GetMainThreadId(dwProcessId) reports, then wait on that
 * thread. Returns nothing: every failure is only logged and paused with
 * getch(), never propagated. hproc is closed before returning even though
 * the caller opened it, so the caller must not use it afterwards.
 */
void injectQUAPC( HANDLE hproc, DWORD dwProcessId ){
HANDLE          hThread;                        // target thread handle (assigned by OpenThread below)
PROCESSENTRY32W proc32;                                 // process entry (unused in this function)
ushort          ninj = 0;                               // number of injected processes so far (unused in this function)
int             skip;                                   // internal flag (unused in this function)
LPVOID  funst, funent;                                  // executer() entry point in current and remote process
ULONG   funsz;                                          // executer() size
LPBYTE  p;                                              // auxiliary pointer (unused in this function)
DWORD   nwritten;                             // written bytes (unused in this function)

printf("\n************Inside injectQUAPC*************\n");
DWORD threadid;
/* Get thread id from process id */

printf("\t[+] Getting main thread id for proc id: %d\n", dwProcessId);  
threadid = GetMainThreadId(dwProcessId);
/* BUG: hThread has not been assigned yet (OpenThread runs further down), so
 * this reads an uninitialized variable -- undefined behaviour. The check was
 * presumably meant for threadid, which GetMainThreadId returns as NULL/0 on
 * failure. */
if (hThread == NULL){
    printf("\t[-] Error getting main thread. press enter to skip\n");
    getch();   /* only pauses; execution continues with whatever threadid holds */
}   

/* Getting thread handle from thread id */
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadid);
/* NOTE(review): both "success" lines are printed before hThread is checked. */
printf("\t[+] Thread opened successfully.\n");
printf("\t[+] Thread handle: 0x%Ix\r\n", (SIZE_T)hThread);

if (!hThread){
    printf("[-] Couldn't open thread:  0x%Ix, trying next one...\r\n", (SIZE_T)hThread);
//  continue;   -- there is no loop here; on failure the function carries on with a NULL hThread
}

funst = executer;
funsz = sizeof(executer);

_tprintf(_T("\t[+] Allocating space for the path of the executor code\n"));
funent = VirtualAllocEx(hproc, NULL, funsz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (funent == NULL) {
    printf("\t[-] VirtualAllocEx error \n");
    getch();   /* only pauses; the NULL funent is still used below */
}
BOOL bStatus;
/* Write to the remote process */
printf("\t[+] Writing into the current process space at 0x%p\n", funent);
bStatus = WriteProcessMemory(hproc, funent, funst, funsz, NULL);
/* bStatus is a BOOL; comparing it with the pointer constant NULL behaves like
 * !bStatus but mixes integer and pointer types. */
if (bStatus == NULL) {
    printf("\t[+] WriteProcessMemory errror \n");
    getch();
}
else printf("\t[+] WriteProcessMemory status %d \n", bStatus);


DWORD dResult;   /* unused in this function */
/* Injection Happen here */
if (!QueueUserAPC((PAPCFUNC)hproc, hThread, (ULONG_PTR)funent)){

    printf("\t[-] QueueUserAPC error, trying next thread...\r\n");
    getch();   /* there is no "next thread" here; the function simply continues */
}   
else {
    printf("\t[+] QueueUserAPC successfully completed on thread ID %d....\n", threadid);
    printf("Waiting on thread %d.\n", threadid);
    /* A thread handle becomes signalled only when that thread terminates, so
     * this call blocks for as long as the target thread stays alive. */
    WaitForSingleObject(hThread, INFINITE);
}   
/* The message names only the process handle, but both handles are closed here.
 * hproc was opened by the caller, which must not reuse it after this returns. */
printf("\t[+] Closing process handle.\n");
CloseHandle(hThread);
CloseHandle( hproc );   
/* Nothing is returned: the function is void and the thread handle was just closed. */
printf("\t[+] Returning thread handle for thread ID %d....\n", threadid);

}
