Remote thread embedding technology

zhaozj2021-02-08  241

Remote thread embedding technology

Remote thread technology refers to the memory address space of that process by creating a remote thread in another process. We know that in the process, we can create threads through the CreateThread function, the new thread and the main thread (that is, the thread that is automatically established when the process starts) shared address space and other resources. But few people know that by CreateremoteThread can also create new threads in another process. The created remote thread can also share the address space of the remote process (which is a remote process. ", In fact, we pass a remote Threads, entered the memory address space of the remote process, which has the right permission that the remote process. For example, starting a DLL Trojan within the remote process (compared to the inside of the process, starting a DLL Trojan is a little means, in fact we can withdraw the data of the remote process.

First, we open the process we try to embed through OpenProcess (if the remote process is not allowed to open, then embedding can not be carried out, this is often caused by insufficient permissions, the solution is to enhance the right to local processes)

HREMOTEPROCESS = OpenProcess (Process_create_thread | file: // Allow remote creating thread process_vm_operation | file: // Allow remote VM to operate process_vm_write, // Allow remote VM to write false, dwremoteProcessID)

Since we will need to write to the memory address space of the remote process and establish a remote thread, you need to apply enough permissions (Process_create_thread, VM_OPERATION, VM_WRITE).

Then we can build a loadLibraryw function This thread is to launch our DLL Trojan. The loadLibraryw function is defined in kernel32.dll, used to load the DLL file, which only one parameter is the absolute path name of the DLL file, (that is Trojan DLL's full path file name), but because Trojan DLL is called within the remote process, we must first copy this file name to the remote address space: (otherwise the remote thread is not read)

File: / / Calculate the memory space required by the DLL path name INT CB = (1 lstrlenw (pszlibfilename)) * sizeof (wchar); file: // Using the VirtualaLalkEx function to allocate a DLL file name buffer PszlibFileRemote = (PWSTR) VirtualAllocEx (hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE); file: // use WriteProcessMemory function to copy the DLL path name to the remote process memory space iReturnCode = WriteProcessMemory (hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb , NULL); file: // computing LoadLibraryW entry address PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE) GetProcAddress (GetModuleHandle (TEXT ( "Kernel32")), "LoadLibraryW"); OK, everything is ready, we address through the establishment of a remote thread PfnStartAddr (actually the entrance address of LoadLibraryw) and passed Parameters pszlibfileremote (actually we copy the full path file name of the past Trojan DLL) launched our Trojan DLL within the remote process:

File: // Start the remote thread LoadLibraryw, call the user's DLL file through the remote thread HREMOTHREAD = CreateRemoteThread (HremoteProcess, Null, 0, PfnStartaddr, PszlibfileRemote, 0, NULL);

At this point, the remote embedding is successfully completed. In order to test our DLL, it has been running in the remote thread, I have written the following test DLL:

BOOL APIENTRY DllMain (HANDLE hModule, DWORD reason, LPVOID lpReserved) {char szProcessId [64]; switch (reason) {case DLL_PROCESS_ATTACH: {file: // Get the current process ID _itoa (GetCurrentProcessId (), szProcessId, 10); MessageBox ( NULL, SZPROCESSID, "Remotedll", MB_OK;} DEFAULT: RETURN TRUE;}}

When I use the RMTDLL.EXE program to embed this TestDLL.DLL after the Explorer.exe process (PID = 1208), the test DLL pops up 1208 words confirmation box, and can also see the PS tool.

Process ID: 1208 C: /WinNT/Explorer.exe (0x00400000) ... C: /Testdll.dll (0x100000000) ......

This proof TestDLL.dll has been running correctly within the Explorer.exe process.

转载请注明原文地址:https://www.9cbs.com/read-2765.html

New Post(0)