Injecting a thread using a codecave

Published 2024-10-16 03:24:03 · 229 characters · 8 views · 0 comments

By using the 'codecave' technique to inject code into another process, is it possible to inject code to create a new thread (and also inject the code for the new thread) and let that thread execute in parallel with the target process's main thread?

I can manage this with dll injection but I want to know if it is possible with just pure code injection.

The intention is first of all to learn about different injection techniques but in the end create a heartbeat feature for random processes in order to supervise execution (High Availability). Windows is the target OS and language is C/C++ (with inline ASM when required).

Thanks.

Comments (5)

小糖芽 2024-10-23 03:24:03

There is CreateRemoteThread function.

桃扇骨 2024-10-23 03:24:03

When using a DLL injection loader such as "Winject" (the one that calls CreateRemoteThread) it is very easy to create threads that remain until the target process closes.

Just create the Thread within the function:

#include <windows.h>
#include <process.h>
// Worker that keeps running inside the target until the process exits
void __cdecl run_thread(void* arg)
{
  // do stuff until process terminates
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved)
{
  // Start the worker once, when the DLL is first mapped (not on thread attach/detach)
  if (reason == DLL_PROCESS_ATTACH)
    _beginthread(run_thread, 0, NULL);
  return TRUE;  // DllMain must return; FALSE would make the load fail
}

regards,
michael

年少掌心 2024-10-23 03:24:03

Sure, but you would have to also inject the code for the remote thread into the process (e.g. a function). Injecting an entire function into a remote process is a pain because there is no clear-cut way to determine the size of a function. This approach would be far more effective if the injected code was small, in which case you would just inject a short assembly stub, then call CreateRemoteThread.

Really though, what would be a benefit of doing this over just straight-up DLL injection? Your 'heartbeat' feature could be implemented just as easily with an injected DLL. (unless someone is going to tell me there's significant overhead?)

缪败 2024-10-23 03:24:03

The problem is, even if you inject your code into the process, unless you create a thread at the start of your injected code, it will still not run. Typically, to do code injection you would inject a full DLL. One of the popular ways of injecting DLLs is to:

  • Get a handle to the target process (EnumProcesses, CreateToolhelp32Snapshot/Process32First/Process32Next, FindWindow/GetWindowThreadProcessId/OpenProcess, etc.)
  • Allocate memory in the target process that is the same length as a string pointing to the path of your DLL (VirtualAllocEx)
  • Write a string pointing to the path of your DLL to this allocated memory (WriteProcessMemory)
  • Create a remote thread at the LoadLibrary routine (get the address by GetModuleHandle/GetProcAddress) and pass the pointer to the allocated memory as a parameter (CreateRemoteThread)
  • Release the allocated memory (VirtualFreeEx)
  • Close any opened handles (process handles, snapshot handles, etc. with CloseHandle)

Unless there is a particular reason you want to avoid this method, it is by far preferable to copying in the code yourself (WriteProcessMemory and probably setting up page protections (VirtualProtectEx)). Without loading a library you will need to manually map variables, relocate function pointers and all the other work LoadLibrary does.

You asked earlier about the semantics of CreateRemoteThread. It will create a thread in another process which will keep going until it terminates itself or something else does (someone calls TerminateThread, or the process terminates and calls ExitProcess, etc.). The thread will run in parallel in the same way a thread that was legitimately created would (context switching).

一念一轮回 2024-10-23 03:24:03

You can also use the RtlCreateUserThread function to create the remote thread.
