所以我编写了一个小程序,将一些 shellcode 复制到调用 LdrLoadDll 的指定进程中(如 stub )。问题是,只有当我指定要使用的程序与我编写的程序相同时,它才有效。如果我选择任何其他程序,该程序就会崩溃。难道是我的函数原型(prototype)吗?
这是我的代码:
#include <Windows.h>
#pragma comment(lib, "ntdll.lib")
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
using f_LdrLoadDll = NTSTATUS(NTAPI*)(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle);
typedef NTSTATUS(NTAPI *pdef_LdrLoadDll)(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle);
EXTERN_C NTSYSAPI VOID WINAPI RtlInitUnicodeString(PUNICODE_STRING, PCWSTR);
struct LOADER_STUB_INFO
{
pdef_LdrLoadDll LdrLoadDllDef;
UNICODE_STRING filename;
f_LdrLoadDll LdrLoadDll = LdrLoadDllDef;
};
void __stdcall ldrstub(LOADER_STUB_INFO * ldrInfo);
int main()
{ //only works with GetCurrentProcessId();
HANDLE proc = OpenProcess(GENERIC_ALL, 0, GetCurrentProcessId());
LOADER_STUB_INFO loaderInfo;
LPVOID ldrFuncAddr = GetProcAddress(GetModuleHandle("ntdll.dll"), "LdrLoadDll");
pdef_LdrLoadDll LdrLoadDll = (pdef_LdrLoadDll)ldrFuncAddr;
loaderInfo.LdrLoadDll = LdrLoadDll;
UNICODE_STRING file;
RtlInitUnicodeString(&file, L"C:\\Users\\Arush\\Desktop\\test.dll");
loaderInfo.filename = file;
LPVOID structAddr = VirtualAllocEx(proc, nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(proc, structAddr, &loaderInfo, sizeof(loaderInfo), nullptr);
LPVOID codeAddr = VirtualAllocEx(proc, nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(proc, codeAddr, ldrstub, 0x1000, nullptr);
CreateRemoteThread(proc, nullptr, 0, (LPTHREAD_START_ROUTINE)codeAddr, reinterpret_cast<LOADER_STUB_INFO*>(structAddr), 0, nullptr);
system("pause");
return 0;
}
void __stdcall ldrstub(LOADER_STUB_INFO * ldrInfo)
{
auto _LdrLoadDll = ldrInfo->LdrLoadDll;
HANDLE handee;
_LdrLoadDll(nullptr, 0, &ldrInfo->filename, &handee);
}
最佳答案
UNICODE_STRING filename; 位于 LOADER_STUB_INFO 内,包含指针 - Buffer。您将此指针初始化为 L"C:\\Users\\Arush\\Desktop\\test.dll" 并按原样复制到远程进程。但在远程进程中,Buffer 当然无效。您需要分配并复制要加载到远程进程的 dll 名称,而不是从本地进程指向它的指针
关于windows - 远程执行时短 LdrLoadDll stub 崩溃,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50767857/