目标我正在尝试一个简单的shell代码练习-使用CreateRemoteThread在远程进程上调用"OutputDebugStringA",它将激活shell代码-这个练习没有dll注入!
问题我不知道"OutputDebugStringA"在远程进程的地址,只知道本地进程的地址。
到目前为止我一直在尝试什么
int main() {
char ShellCode[] = "x48x8dx0cx25x10x9cx8cx4cxffx14x25x00x01x8dx4c";
/*
* Get process handle passing in the process ID.
*/
int32_t nProcID = 21440;
const HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nProcID);
if (NULL == hProcess) {
printf("Error: the specified process couldn't be found.n");
}
const LPVOID arg = (LPVOID)VirtualAllocEx(hProcess, NULL, sizeof(ShellCode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == arg) {
int32_t nLastErrorCode = GetLastError();
printf("Error: the memory could not be allocated inside the chosen process. Error code - %d.n", nLastErrorCode);
}
const int32_t nBytesWritten = WriteProcessMemory(hProcess, arg, ShellCode, sizeof(ShellCode), NULL);
if (0 == nBytesWritten) {
int32_t nLastErrorCode = GetLastError();
printf("Error: there was no bytes written to the process's address space. Error code - %d.n", nLastErrorCode);
}
const HANDLE hThreadID = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)arg , NULL, NULL, NULL);
if (NULL == hThreadID) {
int32_t nLastErrorCode = GetLastError();
printf("Error: the remote thread could not be created. Error code - %d.n", nLastErrorCode);
}
else {
printf("Success: the remote thread was successfully created.n");
}
/*
* Close the handle to the process, because we've already injected the DLL.
*/
CloseHandle(hProcess);
getchar();
return 0;
}
我尝试了什么分解输出DebugStringA图片1然后在线将其转换为shell代码,然后用新的shell代码调用我的代码。但是远程进程并不熟悉这些地址。
如果您唯一想知道的是OutputDebugStringA的地址(假设您的shell代码确实有效(,那么它与当前进程相同。所以你可以通过做LPVOID function_addr = reinterpret_cast<LPVOID>(GetProcAddress(GetModuleHandleA("kernel32.dll"), "OutputDebugStringA"));来获得它。然后你可以随心所欲地使用function_addr。
因为kernel32.dll在每个进程中都有相同的基地址,所以相对的虚拟地址将是相同的,因此,地址将是一样的。