有没有办法将x86 DLL从WOW64进程注入(inject)到x64进程?我知道根据 MSDN,这通常是不可能的:
On 64-bit Windows, a 64-bit process cannot load a 32-bit dynamic-link library (DLL). Additionally, a 32-bit process cannot load a 64-bit DLL
但我发现了以下code在 Metasploit 的存储库中,想知道如何在我的项目中使用它:
/*
* Attempt to gain code execution in a native x64 process from a wow64 process by transitioning out of the wow64 (x86)
* enviroment into a native x64 enviroment and accessing the native win64 API's.
* Note: On Windows 2003 the injection will work but in the target x64 process issues occur with new
* threads (kernel32!CreateThread will return ERROR_NOT_ENOUGH_MEMORY). Because of this we filter out
* Windows 2003 from this method of injection, however the APC injection method will work on 2003.
*/
DWORD inject_via_remotethread_wow64( HANDLE hProcess, LPVOID lpStartAddress, LPVOID lpParameter, HANDLE * pThread )
{
DWORD dwResult = ERROR_SUCCESS;
EXECUTEX64 pExecuteX64 = NULL;
X64FUNCTION pX64function = NULL;
WOW64CONTEXT * ctx = NULL;
OSVERSIONINFO os = {0};
do
{
os.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );
if( !GetVersionEx( &os ) )
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: GetVersionEx failed" )
// filter out Windows 2003
if ( os.dwMajorVersion == 5 && os.dwMinorVersion == 2 )
{
SetLastError( ERROR_ACCESS_DENIED );
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: Windows 2003 not supported." )
}
// alloc a RWX buffer in this process for the EXECUTEX64 function
pExecuteX64 = (EXECUTEX64)VirtualAlloc( NULL, sizeof(migrate_executex64), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if( !pExecuteX64 )
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: VirtualAlloc pExecuteX64 failed" )
// alloc a RWX buffer in this process for the X64FUNCTION function (and its context)
pX64function = (X64FUNCTION)VirtualAlloc( NULL, sizeof(migrate_wownativex)+sizeof(WOW64CONTEXT), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if( !pX64function )
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: VirtualAlloc pX64function failed" )
// copy over the wow64->x64 stub
memcpy( pExecuteX64, &migrate_executex64, sizeof(migrate_executex64) );
// copy over the native x64 function
memcpy( pX64function, &migrate_wownativex, sizeof(migrate_wownativex) );
// set the context
ctx = (WOW64CONTEXT *)( (BYTE *)pX64function + sizeof(migrate_wownativex) );
ctx->h.hProcess = hProcess;
ctx->s.lpStartAddress = lpStartAddress;
ctx->p.lpParameter = lpParameter;
ctx->t.hThread = NULL;
dprintf( "[INJECT] inject_via_remotethread_wow64: pExecuteX64=0x%08X, pX64function=0x%08X, ctx=0x%08X", pExecuteX64, pX64function, ctx );
// Transition this wow64 process into native x64 and call pX64function( ctx )
// The native function will use the native Win64 API's to create a remote thread in the target process.
if( !pExecuteX64( pX64function, (DWORD)ctx ) )
{
SetLastError( ERROR_ACCESS_DENIED );
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: pExecuteX64( pX64function, ctx ) failed" )
}
if( !ctx->t.hThread )
{
SetLastError( ERROR_INVALID_HANDLE );
BREAK_ON_ERROR( "[INJECT] inject_via_remotethread_wow64: ctx->t.hThread is NULL" )
}
// Success! grab the new thread handle from of the context
*pThread = ctx->t.hThread;
dprintf( "[INJECT] inject_via_remotethread_wow64: Success, hThread=0x%08X", ctx->t.hThread );
} while( 0 );
if( pExecuteX64 )
VirtualFree( pExecuteX64, 0, MEM_DECOMMIT );
if( pX64function )
VirtualFree( pX64function, 0, MEM_DECOMMIT );
return dwResult;
}
我尝试使用以下代码:
#include <boost/scope_exit.hpp>
#include <Windows.h>
#include <cstdlib>
#include <iostream>
typedef struct _WOW64CONTEXT
{
union
{
HANDLE hProcess;
BYTE bPadding2[8];
} h;
union
{
LPVOID lpStartAddress;
BYTE bPadding1[8];
} s;
union
{
LPVOID lpParameter;
BYTE bPadding2[8];
} p;
union
{
HANDLE hThread;
BYTE bPadding2[8];
} t;
} WOW64CONTEXT, *LPWOW64CONTEXT;
typedef BOOL(WINAPI * X64FUNCTION)(DWORD dwParameter);
typedef DWORD(WINAPI * EXECUTEX64)(X64FUNCTION pFunction, DWORD dwParameter);
BYTE migrate_executex64[] = "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00"
"\x58\x83\xC0\x25\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
"\x89\x02\xE8\x09\x00\x00\x00\x83\xC4\x14\x5F\x5E\x5D\xC2\x08\x00"
"\x8B\x3C\x24\xFF\x2A\x48\x31\xC0\x57\xFF\xD6\x5F\x50\xC7\x44\x24"
"\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C\x24";
BYTE migrate_wownativex[] = "\xFC\x48\x89\xCE\x48\x89\xE7\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00"
"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48"
"\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A"
"\x4D\x31\xC9\x48\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9"
"\x0D\x41\x01\xC1\xE2\xED\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C"
"\x48\x01\xD0\x66\x81\x78\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00"
"\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40"
"\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6"
"\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0"
"\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40"
"\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0"
"\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58"
"\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A"
"\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF\x5D\x4D\x31\xC9\x41\x51\x48\x8D"
"\x46\x18\x50\xFF\x76\x10\xFF\x76\x08\x41\x51\x41\x51\x49\xB8\x01"
"\x00\x00\x00\x00\x00\x00\x00\x48\x31\xD2\x48\x8B\x0E\x41\xBA\xC8"
"\x38\xA4\x40\xFF\xD5\x48\x85\xC0\x74\x0C\x48\xB8\x00\x00\x00\x00"
"\x00\x00\x00\x00\xEB\x0A\x48\xB8\x01\x00\x00\x00\x00\x00\x00\x00"
"\x48\x83\xC4\x50\x48\x89\xFC\xC3";
int main(int argc, char* argv[])
{
if (argc != 2)
{
std::cout << "Usage: " << argv[0] << " [pid]" << std::endl;
return EXIT_SUCCESS;
}
int pid = std::atoi(argv[1]);
if (pid == 0)
{
std::cerr << "Invalid pid" << std::endl;
return EXIT_FAILURE;
}
HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (process_handle == NULL)
{
std::cerr << "An error occurred while using function OpenProcess. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
BOOST_SCOPE_EXIT_ALL(process_handle)
{
CloseHandle(process_handle);
};
LPVOID load_library_addr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
if (load_library_addr == NULL)
{
std::cerr << "An error occurred while using function GetProcAddress. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
const char* dll_path = "D:\\helper.dll";
LPVOID dll_path_memory = VirtualAllocEx(process_handle, NULL, strlen(dll_path) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (dll_path_memory == NULL)
{
std::cerr << "An error occurred while using function VirtualAllocEx. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
BOOL res = WriteProcessMemory(process_handle, dll_path_memory, dll_path, strlen(dll_path) + 1, NULL);
if (res == 0)
{
std::cerr << "An error occurred while using function WriteProcessMemory. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
HANDLE thread_handle = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)load_library_addr, dll_path_memory, 0, NULL);
if (thread_handle == NULL)
{
std::cerr << "An error occurred while using function CreateRemoteThread. Error code: " << GetLastError() << std::endl;
EXECUTEX64 pExecuteX64 = (EXECUTEX64)VirtualAlloc(NULL, sizeof(migrate_executex64), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pExecuteX64 == NULL)
{
std::cerr << "An error occurred while using function VirtualAlloc. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
X64FUNCTION pX64function = (X64FUNCTION)VirtualAlloc(NULL, sizeof(migrate_wownativex) + sizeof(WOW64CONTEXT), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pX64function == NULL)
{
std::cerr << "An error occurred while using function VirtualAlloc. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
std::memcpy(pExecuteX64, &migrate_executex64, sizeof(migrate_executex64));
std::memcpy(pX64function, &migrate_wownativex, sizeof(migrate_wownativex));
WOW64CONTEXT* ctx = (WOW64CONTEXT *)((BYTE *)pX64function + sizeof(migrate_wownativex));
ctx->h.hProcess = process_handle;
ctx->s.lpStartAddress = load_library_addr;
ctx->p.lpParameter = dll_path_memory;
ctx->t.hThread = NULL;
if (!pExecuteX64(pX64function, (DWORD)ctx))
{
std::cerr << "Error" << std::endl;
return EXIT_FAILURE;
}
if (!ctx->t.hThread)
{
std::cerr << "ctx->t.hThread is NULL" << std::endl;
return EXIT_FAILURE;
}
HANDLE hThread = ctx->t.hThread;
if (ResumeThread(hThread) == (DWORD)-1)
{
std::cerr << "An error occurred while using function ResumeThread. Error code: " << GetLastError() << std::endl;
return EXIT_FAILURE;
}
}
WaitForSingleObject(thread_handle, INFINITE);
std::cout << "Done" << std::endl;
}
在将 x86 DLL 注入(inject)到 x86 进程的情况下它可以完美运行,但在将 x86 DLL 注入(inject)到 x64 进程的情况下则不能运行(注入(inject)的进程只会崩溃)。
我做错了什么?我该如何修复它?
提前致谢。
最佳答案
并非如此。
64 位 Windows 操作系统可以 native 运行 64 位代码,也可以使用 WOW64 运行 32 位代码。然而,每个进程可能只有一个或另一个。
进入内部后,您可以看到每个进程都标记为 32 位或 64 位。当操作系统指示 CPU 运行与该进程关联的线程时,它将跳转为 32 位或 64 位代码。
因此,如果您以某种方式将 32 位字节码(无论它从哪里编码,无论是 DLL 还是其他东西)加载到 64 位进程中,当操作系统运行它时,该进程将崩溃,因为该进程将处于 64 位模式,并将操作码解释为 64 位操作码。
在 32 位代码上运行 64 位代码也是如此。
编辑:
事实上,x32 WOW64进程执行x64代码是可能的。根据这个article 。但是,我找不到有关运行 x86 代码的 x64 进程的资源。
关于c++ - 如何将x86 DLL从WOW64进程注入(inject)到x64进程,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30263890/