一、什么是进程注入?
进程注入是将代码或者dll插入另一个目标进程的地址空间中,并强制该进程执行注入的代码。与dll注入不同,直接代码注入相对隐蔽,不需要额外的DLL文件。该技术通常会有如下应用场景:
- 游戏外挂开发
- 安全软件检测
- 进程监控
- 恶意软件分析
二、实现注入程序
注入程序实现思路如下:
- 通过窗口标题找到扫雷程序
- 获取目标进程ID
- 打开目标进程获取句柄
- 在目标进程中分配可执行内存
- 获取MessageBoxA函数地址
- 创建远程线程执行注入代码
实现代码如下;
.586
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
InjectCode proto
.data
gameWindowCaption db "扫雷",0
injectionSuccessTitle db "注入成功",0
injectionMessage db "扫雷进程被注入!",0
.code
InjectedCodeStart:
invoke MessageBox, NULL, offset injectionMessage, offset injectionSuccessTitle, MB_OK
; ---------------------------------------------------------------------------
InjectCode proc
LOCAL @hwndMinesweeper :HWND
LOCAL @dwTargetProcessId :DWORD
LOCAL @hTargetProcess :HANDLE
LOCAL @lpRemoteCode :LPVOID
LOCAL @dwBytesWritten :DWORD
invoke FindWindow, NULL, offset gameWindowCaption
mov @hwndMinesweeper, eax
invoke GetWindowThreadProcessId, @hwndMinesweeper, addr @dwTargetProcessId
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, @dwTargetProcessId
mov @hTargetProcess, eax
invoke VirtualAllocEx, @hTargetProcess, NULL, 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE
mov @lpRemoteCode, eax
invoke WriteProcessMemory, @hTargetProcess, @lpRemoteCode,
offset InjectedCodeStart, offset InjectCode - offset InjectedCodeStart,
addr @dwBytesWritten
invoke CreateRemoteThread, @hTargetProcess, NULL, 0, @lpRemoteCode, NULL, 0, NULL
mov eax, 0
ret
InjectCode endp
start:
invoke InjectCode
invoke ExitProcess, eax
end start
经过编译执行上述代码后,我们发现扫雷进程会自动退出。通过使用OD进行调试,可以确认WriteProcessMemory操作执行成功。因此,现在使用OD附加到扫雷进程,并对扫雷进程中写入地址出设设置断点(也可以直接在注入的代码中增加int 3指令),写入到进程中的代码如下:
这里明显有问题,地址0x403005和0x40300E是注入进程中的地址。在数据窗口中搜索,发现不存在:
这引出一个核心问题:如何正确处理注入到目标进程的代码重定位。解决方案是通过计算注入进程与目标进程的地址差值,然后为注入代码中的字符串地址和函数地址加上这个差值即可实现重定位。与此同时,我们的注入程序中的funcMessageBox是在代码段,当前只有可读和执行权限,因此需要修改内存属性。重定位原理示意图如下所示:
修正后的代码如下:
.586
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
InjectCode proto
.data
gameWindowCaption db "扫雷",0
szUser32 db "user32.dll", 0
szMessageBox db "MessageBoxA", 0
.code
InjectedCodeStart:
jmp MsgBox
injectionSuccessTitle db "Injection successful",0
injectionMessage db "The winmine process was injected!",0
funcMessageBox dd 0
MsgBox:
pushad
call Next
Next:
pop ebx
sub ebx ,offset Next
push MB_OK
mov eax, offset injectionSuccessTitle
add eax, ebx
push eax
mov eax, offset injectionMessage
add eax, ebx
push eax
push NULL
mov eax, offset funcMessageBox
add eax, ebx
call dword ptr [eax]
popad
ret
InjectedCodeStart_End:
dwCodeSize dd offset InjectedCodeStart_End - offset InjectedCodeStart
; ---------------------------------------------------------------------------
InjectCode proc
LOCAL @hwndMinesweeper :HWND
LOCAL @dwTargetProcessId :DWORD
LOCAL @hTargetProcess :HANDLE
LOCAL @lpRemoteCode :LPVOID
LOCAL @dwBytesWritten :DWORD
LOCAL @dwOldProc:DWORD
LOCAL @hUser32:DWORD
invoke LoadLibrary, offset szUser32
mov @hUser32, eax
;修改内存属性
invoke VirtualProtect, offset funcMessageBox, size funcMessageBox, PAGE_EXECUTE_READWRITE, addr @dwOldProc
invoke GetProcAddress, @hUser32, offset szMessageBox
mov funcMessageBox, eax
;还原内存属性
invoke VirtualProtect, offset funcMessageBox, size funcMessageBox, @dwOldProc, addr @dwOldProc
invoke FindWindow, NULL, offset gameWindowCaption
mov @hwndMinesweeper, eax
invoke GetWindowThreadProcessId, @hwndMinesweeper, addr @dwTargetProcessId
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, @dwTargetProcessId
mov @hTargetProcess, eax
invoke VirtualAllocEx, @hTargetProcess, NULL, 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE
mov @lpRemoteCode, eax
invoke WriteProcessMemory, @hTargetProcess, @lpRemoteCode, offset InjectedCodeStart, dwCodeSize,addr @dwBytesWritten
invoke CreateRemoteThread, @hTargetProcess, NULL, 0, @lpRemoteCode, NULL, 0, NULL
mov eax, 0
ret
InjectCode endp
start:
invoke InjectCode
invoke ExitProcess, eax
end start
执行结果如下所示:
