Process injection
Selected process injection methods that fit the attack context
Execute shellcode loader
- TLS Code Execute
- SEH Code Execute
Search Target Process
- SnapShot
- QuerySystemInformation
Open Remote Process
- OpenProcess
- NtOpenProcess
- DLL injection
- Registry
- Hooking
Transfer Shellcode across Processes (Write-What-Where)
https://modexp.wordpress.com/2018/07/15/process-injection-sharing-payload/
- Classical
  - VirtualAllocEx + WriteProcessMemory
  - NtAllocateVirtualMemory + NtWriteProcessMemory
- Dll Hollowing
  - Dll + WriteProcessMemory
- Mapping (CreateSection)
  - CreateFileMapping → MapViewOfFile → MapViewOfFile2 + memcpy
  - NtCreateSection → NtMapViewOfSection + memcpy
  - CreateFileMapping → MapViewOfFile → NtMapViewOfSection + memcpy
- ROP chain (AtomBombing / PowerLoaderEx / Ghost-Writing)
  - NtOpenSection
  - NtMapViewOfSection
  - Ghost-Writing code example: https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
- AtomBombing (involves an APC in between, so one extra injection step)
  - GlobalAddAtom + NtQueueApcThread + GlobalGetAtomName
  - memset/memmove (Thread must be in alertable state)
Trigger Shellcode
https://modexp.wordpress.com/2018/07/12/process-injection-writing-payload/
Thread procedure (CreateRemoteThread)
- CreateRemoteThread
- RtlCreateUserThread
- NtCreateThreadEx
- ZwCreateThreadEx
Asynchronous Procedure Call (APC/ Early Bird)
- QueueUserAPC
- NtQueueApcThread (can pass three arguments)
- NtQueueApcThreadEx
- ZwQueueApcThread
- ZwQueueApcThreadEx
- RtlQueueApcWow64Thread
Thread Hijack (Ghost Writing)
- SetThreadContext + ResumeThread
- Variant: use NtQueueApcThread(thread, SetThreadContext, -2 /* GetCurrentThread pseudo handle */, context, NULL) https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
Kernel Callback Table (swap the table)
- SendMessage
ALPC callback (overwrite the vtable)
- VirtualQueryEx
- NtDuplicateObject
- NtConnectPort
- ReadProcessMemory
DLL
- Via CreateRemoteThread
- Windows hook
- AppInit_DLLs