• 标 题:滴水逆向学习收获1-双进程无dll注入(1楼,17楼,21楼,27楼,30楼,33楼)[已更新至33楼]
  • 作 者:Goobo
  • 时 间:2011-11-08 17:30:07
  • 链 接:http://bbs.pediy.com/showthread.php?t=142554

程序执行的过程为:
1. 点击注入按钮:调用 InitEGWork 函数完成事件的创建
2. CreateThread(NULL,NULL,CreateRemoteThreadProc,NULL,0,0);
  该线程负责将注入代码写入被注入进程,并在其中执行注入代码
3. 注入到被注入进程中的代码如下:
// Thread body that is written into the target process and executed there
// (step 3 of the description above). Every Win32 call it makes goes through
// a function pointer stored in the ThreadParam_t block passed as lpParameter;
// nothing is called by name, so the copied code should carry no import
// references of its own.
//
// Parameter: lpParameter - ThreadParam_t * prepared by the injecting side.
// Returns:   declared to return 0, but the for(;;) loop below never exits,
//            so the return statement is not reached at run time.
DWORD WINAPI RemoteThread(void *lpParameter)
{
  ThreadParam_t *ThreadParamp;

  DWORD Id;
  DWORD dwWaitResult;
  HANDLE hMapFile;
  
  IoEvnet_t IoEvnet;
  MapFile_t *MapFilep;



  // Local copies of the API entry points supplied through ThreadParam_t.
  VOID (__stdcall *LocalSleep)(DWORD dwMilliseconds);
  BOOL (__stdcall *LocalSetEvent)(HANDLE hEvent);
  DWORD (__stdcall *LocalWaitForSingleObject)(HANDLE hHandle,DWORD dwMilliseconds);

  //--------------------------------------------------------

  ThreadParamp = (ThreadParam_t*)lpParameter;
  // presumably a progress flag the injecting side polls (incremented again
  // further down) - confirm against the caller
  ThreadParamp->ok = 1;

  LocalSleep = ThreadParamp->Sleep;  // NOTE(review): assigned but never used in this function
  LocalSetEvent = ThreadParamp->SetEvent;
  LocalWaitForSingleObject = ThreadParamp->WaitForSingleObject;

  Id = 0;
  dwWaitResult = 0;

  // Open the two named events used to hand control back and forth:
  // InEvent is waited on for a request, OutEvent is signalled when done.
  IoEvnet.InEvent = ThreadParamp->OpenEventA(EVENT_ALL_ACCESS, TRUE, ThreadParamp->EVENT_NAMEUI);
  IoEvnet.OutEvent = ThreadParamp->OpenEventA(EVENT_ALL_ACCESS, TRUE, ThreadParamp->EVENT_NAMEEG);
  
  // NOTE(review): on failure only a message box is shown and execution
  // continues with NULL handles; the same applies to the two checks that
  // follow, so the wait / map-view code below then runs on invalid values.
  if (IoEvnet.InEvent==NULL||
    IoEvnet.OutEvent==NULL)
  {
    ThreadParamp->MessageBoxA(NULL,ThreadParamp->OpenIoEvnetError,ThreadParamp->Tip,MB_OK);
  }
  
  // Shared memory used to exchange requests; opened by name with full access.
  hMapFile = ThreadParamp->OpenFileMapping(FILE_MAP_ALL_ACCESS,FALSE,ThreadParamp->FILEMAP_NAME);
  if (hMapFile==NULL)
  {
    ThreadParamp->MessageBoxA(NULL,ThreadParamp->OpenFileMapError,ThreadParamp->Tip,MB_OK);
  }
  IoEvnet.MapViewpBuff =(BYTE *)ThreadParamp->MapViewOfFile(hMapFile,FILE_MAP_ALL_ACCESS,0,0,MAPFILESIZE);
  if (IoEvnet.MapViewpBuff==NULL)
  {
    ThreadParamp->MessageBoxA(NULL,ThreadParamp->MapViewOfFileError,ThreadParamp->Tip,MB_OK);
  }

  // NOTE(review): if MapViewOfFile failed, MapViewpBuff is NULL here and the
  // addition turns it into a small bogus pointer that the loop dereferences
  // when it reads Id.
  IoEvnet.MapViewpBuff += MAPFILEOFFSET;

  // Layout of the shared region as used below: DWORD request Id at offset 0,
  // MapFile_t at offset 8. Nothing in this function validates the contents
  // of the mapping.
  MapFilep = (MapFile_t *)(IoEvnet.MapViewpBuff+8);

  ThreadParamp->ok++;
  //if (ThreadParamp->ThreadId==1)
  {
    ThreadParamp->MessageBoxA(NULL,ThreadParamp->Text,ThreadParamp->Caption,MB_OK);
  }

  
  // The jmp skips the emitted bytes "TCGBEGIN", which never execute;
  // apparently an in-image marker the injecting side searches for - confirm.
  __asm
  {
    jmp tcgbegin
    __asm {__emit('T')} __asm {__emit('C')} __asm {__emit('G')}
    __asm {__emit('B')} __asm {__emit('E')} __asm {__emit('G')} __asm {__emit('I')} __asm {__emit('N')}

tcgbegin:
  }


  // Request loop. There is no break or return inside it, so the thread runs
  // for the lifetime of the host process.
  for (;;)
  {
    dwWaitResult =  LocalWaitForSingleObject(IoEvnet.InEvent,-1);  // -1 as DWORD is INFINITE

    if (dwWaitResult==WAIT_OBJECT_0)
    {  
      //--------------------------------------
      //decode
      //------------------------------------------------------------------------------------------------------------------
      Id = *(DWORD*)(IoEvnet.MapViewpBuff+0);
      if (Id==1)
      {
        //------------------------------------------------------------------------------------------------------------------
        // Calls the code whose address is stored in the mapping, passing the
        // in/out buffers and lengths that are also taken from the mapping.
        // NOTE(review): the mapping and events are opened by name with
        // *_ALL_ACCESS, so every value consumed here - the code pointer, the
        // buffer pointers and the lengths - comes from memory that any
        // process able to open that mapping can write; there is no check
        // beyond Id==1. The (DWORD) cast of the pointer also assumes a
        // 32-bit build.
        ((void (*)(MapFile_t *MapFilep,ULONG* InBuffer,ULONG InLength,ULONG *OutBuffer,ULONG OutLength,ULONG *OutLengthp))(DWORD)MapFilep->PipeFunCodeBuffer)(
          MapFilep,MapFilep->PipeInBuffer,MapFilep->InLength,MapFilep->PipeOutBuffer,MapFilep->OutLength,&MapFilep->OutLengthReal);
        //------------------------------------------------------------------------------------------------------------------
      }

      
      //------------------------------------------------------------------------------------------------------------------
      // Signal completion to the other side (also signalled for unknown Ids).
      LocalSetEvent(IoEvnet.OutEvent);
      //------------------------------------------------------------------------------------------------------------------
    }
  }

  // Unreachable at run time (the loop above never exits). The emitted bytes
  // "LABELMAR" are a second in-image marker; note there is no trailing 'K'
  // although the label is named labelmark - confirm this matches whatever
  // the injecting side searches for.
  __asm
  {
    jmp labelmark
    __asm {__emit('L')} __asm {__emit('A')} __asm {__emit('B')} __asm {__emit('E')} __asm {__emit('L')}
    __asm {__emit('M')} __asm {__emit('A')} __asm {__emit('R')}
labelmark:
  }

  // presumably expands to the marker used to measure this function's byte
  // length for copying - confirm against its definition
  FUNLENGTHMARK
  return 0;
}

4. 点击 Test 按钮后,程序会把函数 IoTGBTestFunction 拷贝到被注入进程中并执行。


该程序源码在附件里,欢迎大家下载和我交流。

上传的附件 2ProcessInject.rar
TestApp.rar