-
Notifications
You must be signed in to change notification settings - Fork 126
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
17 changed files
with
778 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| ##Wow64进程注入x64进程 | ||
| 在Win7 Ultimate Sp1 测试成功 | ||
| [http://www.cnblogs.com/lanrenxinxin/p/4821152.html](http://www.cnblogs.com/lanrenxinxin/p/4821152.html) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
|
|
||
| Microsoft Visual Studio Solution File, Format Version 11.00 | ||
| # Visual Studio 2010 | ||
| Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Wow64Injectx64", "Wow64Injectx64\Wow64Injectx64.vcxproj", "{D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}" | ||
| EndProject | ||
| Global | ||
| GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
| Debug|Win32 = Debug|Win32 | ||
| Release|Win32 = Release|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
| {D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}.Debug|Win32.ActiveCfg = Debug|Win32 | ||
| {D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}.Debug|Win32.Build.0 = Debug|Win32 | ||
| {D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}.Release|Win32.ActiveCfg = Release|Win32 | ||
| {D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}.Release|Win32.Build.0 = Release|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(SolutionProperties) = preSolution | ||
| HideSolutionNode = FALSE | ||
| EndGlobalSection | ||
| EndGlobal |
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| //{{NO_DEPENDENCIES}} | ||
| // Microsoft Visual C++ generated include file. | ||
| // Used by Wow64Injectx64.rc | ||
| // | ||
|
|
||
| #define IDS_APP_TITLE 103 | ||
|
|
||
| // жÔÏóµÄÏÂÒ»×éĬÈÏÖµ | ||
| // | ||
| #ifdef APSTUDIO_INVOKED | ||
| #ifndef APSTUDIO_READONLY_SYMBOLS | ||
| #define _APS_NEXT_RESOURCE_VALUE 101 | ||
| #define _APS_NEXT_COMMAND_VALUE 40001 | ||
| #define _APS_NEXT_CONTROL_VALUE 1000 | ||
| #define _APS_NEXT_SYMED_VALUE 101 | ||
| #endif | ||
| #endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,161 @@ | ||
| // Wow64Injectx64.cpp : 定义控制台应用程序的入口点。 | ||
| // | ||
|
|
||
| #include "stdafx.h" | ||
| #include "Wow64Injectx64.h" | ||
| #include <memory> | ||
| #include <string> | ||
| #include <Windows.h> | ||
| #include "wow64ext.h" | ||
| #ifdef _DEBUG | ||
| #define new DEBUG_NEW | ||
| #endif | ||
|
|
||
| #pragma comment(lib,"wow64ext.lib") | ||
|
|
||
| // 唯一的应用程序对象 | ||
| CWinApp theApp; | ||
|
|
||
| using namespace std; | ||
|
|
||
| typedef struct _UNICODE_STRING { | ||
| USHORT Length; //UNICODE占用的内存字节数,个数*2; | ||
| USHORT MaximumLength; | ||
| DWORD64 Buffer; //注意这里指针的问题 | ||
| } UNICODE_STRING ,*PUNICODE_STRING; | ||
|
|
||
|
|
||
|
|
||
| unsigned char shell_code[] = { | ||
| 0x48, 0x89, 0x4c, 0x24, 0x08, // mov qword ptr [rsp+8],rcx | ||
| 0x57, // push rdi | ||
| 0x48, 0x83, 0xec, 0x20, // sub rsp,20h | ||
| 0x48, 0x8b, 0xfc, // mov rdi,rsp | ||
| 0xb9, 0x08, 0x00, 0x00, 0x00, // mov ecx,8 | ||
| 0xb8, 0xcc, 0xcc, 0xcc, 0xcc, // mov eac,0CCCCCCCCh | ||
| 0xf3, 0xab, // rep stos dword ptr [rdi] | ||
| 0x48, 0x8b, 0x4c, 0x24, 0x30, // mov rcx,qword ptr [__formal] | ||
| 0x49, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r9,0 //PVOID* BaseAddr opt | ||
| 0x49, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r8,0 //PUNICODE_STRING Name | ||
| 0x48, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rdx,0 | ||
| 0x48, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rcx,0 | ||
| 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax,0 | ||
| 0xff, 0xd0, // call rax LdrLoadDll | ||
| 0x48, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rcx,0 | ||
| 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax,0 | ||
| 0xff, 0xd0 // call rax | ||
| }; | ||
|
|
||
|
|
||
| enum InjectResult{ | ||
| OK, | ||
| Error_NoSuchFile, | ||
| Error_OpenProcess, | ||
| Error_VirtualAllocEx, | ||
| Error_GetProcAddress, | ||
| Error_WriteProcessMemory, | ||
| Error_CreateRemoteThread | ||
| }; | ||
|
|
||
|
|
||
| InjectResult Wow64Injectx64(DWORD processid,const TCHAR* file_path); | ||
|
|
||
| int _tmain(int argc, TCHAR* argv[], TCHAR* envp[]) | ||
| { | ||
| cout<<"查看要注入进程的ID"<<endl; | ||
| ULONG_PTR ProcessID = 0; | ||
|
|
||
| printf("Input ProcessID\r\n"); | ||
| cin>>ProcessID; | ||
| WCHAR file_path[] = L"E:\\Messagebox.dll"; | ||
|
|
||
|
|
||
| if (OK==Wow64Injectx64(ProcessID,file_path)) | ||
| { | ||
| printf("Inject Success!\n"); | ||
| } | ||
| return 0; | ||
| } | ||
|
|
||
|
|
||
| InjectResult Wow64Injectx64(DWORD processid,const TCHAR* file_path) | ||
| { | ||
|
|
||
| if (!PathFileExists(file_path)) | ||
| { | ||
| return Error_NoSuchFile; | ||
| } | ||
|
|
||
| HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processid); | ||
| if (INVALID_HANDLE_VALUE == handle) | ||
| { | ||
| return Error_OpenProcess; | ||
| } | ||
|
|
||
| size_t file_path_mem_length = (size_t)::_tcslen(file_path); | ||
| size_t paramemter_size = (file_path_mem_length+1)*sizeof(TCHAR) + sizeof(UNICODE_STRING) + sizeof(DWORD64); | ||
| DWORD64 paramemter_mem_addr = (DWORD64)VirtualAllocEx64(handle,NULL,paramemter_size,MEM_COMMIT,PAGE_READWRITE); | ||
| DWORD64 shell_code_addr = (DWORD64)VirtualAllocEx64(handle,NULL,sizeof(shell_code),MEM_COMMIT,PAGE_EXECUTE_READWRITE); | ||
| if ((!paramemter_mem_addr) || (!shell_code_addr)) | ||
| { | ||
| return Error_VirtualAllocEx; | ||
| } | ||
|
|
||
| char * paramemter_mem_local = new char[paramemter_size]; | ||
| memset(paramemter_mem_local,0,paramemter_size); | ||
|
|
||
| PUNICODE_STRING ptr_unicode_string = (PUNICODE_STRING)(paramemter_mem_local + sizeof(DWORD64)); | ||
| ptr_unicode_string->Length = file_path_mem_length; | ||
| ptr_unicode_string->MaximumLength = file_path_mem_length*2; | ||
| wcscpy((WCHAR*)(ptr_unicode_string+1),file_path); | ||
| ptr_unicode_string->Buffer = (DWORD64)((char*)paramemter_mem_addr+sizeof(DWORD64)+sizeof(UNICODE_STRING)); | ||
|
|
||
| DWORD64 ntdll64 = GetModuleHandle64(L"ntdll.dll"); | ||
| DWORD64 ntdll_LdrLoadDll = GetProcAddress64(ntdll64,"LdrLoadDll"); | ||
| DWORD64 ntdll_RtlCreateUserThread = GetProcAddress64(ntdll64,"RtlCreateUserThread"); | ||
| DWORD64 ntdll_RtlExitThread = GetProcAddress64(ntdll64,"RtlExitUserThread"); | ||
| if (NULL == ntdll_LdrLoadDll || NULL==ntdll_RtlCreateUserThread || NULL==ntdll_RtlExitThread) | ||
| { | ||
| return Error_GetProcAddress; | ||
| } | ||
|
|
||
| //r9 | ||
| memcpy(shell_code+32,¶memter_mem_addr,sizeof(DWORD64)); | ||
|
|
||
| //r8 | ||
| DWORD64 ptr = paramemter_mem_addr+sizeof(DWORD64); | ||
| memcpy(shell_code+42,&ptr,sizeof(PUNICODE_STRING)); | ||
|
|
||
| //LdrLoaddll | ||
| memcpy(shell_code+72,&ntdll_LdrLoadDll,sizeof(DWORD64)); | ||
|
|
||
| //RtlExitUserThread | ||
| memcpy(shell_code+94,&ntdll_RtlExitThread,sizeof(DWORD64)); | ||
| size_t write_size = 0; | ||
| if (!WriteProcessMemory64(handle,paramemter_mem_addr,paramemter_mem_local,paramemter_size,NULL) || | ||
| !WriteProcessMemory64(handle,shell_code_addr,shell_code,sizeof(shell_code),NULL)) | ||
| { | ||
| return Error_WriteProcessMemory; | ||
| } | ||
| DWORD64 hRemoteThread = 0; | ||
| struct { | ||
| DWORD64 UniqueProcess; | ||
| DWORD64 UniqueThread; | ||
| } client_id; | ||
| int a = X64Call(ntdll_RtlCreateUserThread,10, | ||
| (DWORD64)handle, // ProcessHandle | ||
| (DWORD64)NULL, // SecurityDescriptor | ||
| (DWORD64)FALSE, // CreateSuspended | ||
| (DWORD64)0, // StackZeroBits | ||
| (DWORD64)NULL, // StackReserved | ||
| (DWORD64)NULL, // StackCommit | ||
| shell_code_addr, // StartAddress | ||
| (DWORD64)NULL, // StartParameter | ||
| (DWORD64)&hRemoteThread, // ThreadHandle | ||
| (DWORD64)&client_id); // ClientID) | ||
| if (INVALID_HANDLE_VALUE == (HANDLE)hRemoteThread) | ||
| { | ||
| return Error_CreateRemoteThread; | ||
| } | ||
| return OK; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| #pragma once | ||
|
|
||
| #include "resource.h" |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <ItemGroup Label="ProjectConfigurations"> | ||
| <ProjectConfiguration Include="Debug|Win32"> | ||
| <Configuration>Debug</Configuration> | ||
| <Platform>Win32</Platform> | ||
| </ProjectConfiguration> | ||
| <ProjectConfiguration Include="Release|Win32"> | ||
| <Configuration>Release</Configuration> | ||
| <Platform>Win32</Platform> | ||
| </ProjectConfiguration> | ||
| </ItemGroup> | ||
| <PropertyGroup Label="Globals"> | ||
| <ProjectGuid>{D39AFEDB-19C8-4F2E-AAD2-8F25A75D581C}</ProjectGuid> | ||
| <Keyword>Win32Proj</Keyword> | ||
| <RootNamespace>Wow64Injectx64</RootNamespace> | ||
| </PropertyGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>true</UseDebugLibraries> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| <UseOfMfc>Dynamic</UseOfMfc> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>false</UseDebugLibraries> | ||
| <WholeProgramOptimization>true</WholeProgramOptimization> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| <UseOfMfc>Dynamic</UseOfMfc> | ||
| </PropertyGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> | ||
| <ImportGroup Label="ExtensionSettings"> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <PropertyGroup Label="UserMacros" /> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <LinkIncremental>true</LinkIncremental> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <LinkIncremental>false</LinkIncremental> | ||
| </PropertyGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <ClCompile> | ||
| <PrecompiledHeader>Use</PrecompiledHeader> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <Optimization>Disabled</Optimization> | ||
| <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <ClCompile> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <PrecompiledHeader>Use</PrecompiledHeader> | ||
| <Optimization>MaxSpeed</Optimization> | ||
| <FunctionLevelLinking>true</FunctionLevelLinking> | ||
| <IntrinsicFunctions>true</IntrinsicFunctions> | ||
| <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| <EnableCOMDATFolding>true</EnableCOMDATFolding> | ||
| <OptimizeReferences>true</OptimizeReferences> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemGroup> | ||
| <None Include="ReadMe.txt" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClInclude Include="Resource.h" /> | ||
| <ClInclude Include="stdafx.h" /> | ||
| <ClInclude Include="targetver.h" /> | ||
| <ClInclude Include="wow64ext.h" /> | ||
| <ClInclude Include="Wow64Injectx64.h" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClCompile Include="stdafx.cpp"> | ||
| <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> | ||
| <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> | ||
| </ClCompile> | ||
| <ClCompile Include="Wow64Injectx64.cpp" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ResourceCompile Include="Wow64Injectx64.rc" /> | ||
| </ItemGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> | ||
| <ImportGroup Label="ExtensionTargets"> | ||
| </ImportGroup> | ||
| </Project> |
50 changes: 50 additions & 0 deletions
50
Wow64Injectx64/Wow64Injectx64/Wow64Injectx64.vcxproj.filters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <ItemGroup> | ||
| <Filter Include="源文件"> | ||
| <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> | ||
| <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> | ||
| </Filter> | ||
| <Filter Include="头文件"> | ||
| <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> | ||
| <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> | ||
| </Filter> | ||
| <Filter Include="资源文件"> | ||
| <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> | ||
| <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> | ||
| </Filter> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <None Include="ReadMe.txt" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClInclude Include="stdafx.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| <ClInclude Include="targetver.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| <ClInclude Include="Resource.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| <ClInclude Include="Wow64Injectx64.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| <ClInclude Include="wow64ext.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClCompile Include="stdafx.cpp"> | ||
| <Filter>源文件</Filter> | ||
| </ClCompile> | ||
| <ClCompile Include="Wow64Injectx64.cpp"> | ||
| <Filter>源文件</Filter> | ||
| </ClCompile> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ResourceCompile Include="Wow64Injectx64.rc"> | ||
| <Filter>资源文件</Filter> | ||
| </ResourceCompile> | ||
| </ItemGroup> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| // stdafx.cpp : 只包括标准包含文件的源文件 | ||
| // Wow64Injectx64.pch 将作为预编译头 | ||
| // stdafx.obj 将包含预编译类型信息 | ||
|
|
||
| #include "stdafx.h" | ||
|
|
||
| // TODO: 在 STDAFX.H 中 | ||
| // 引用任何所需的附加头文件,而不是在此文件中引用 |
Oops, something went wrong.