#include "lyshark.h"
PINJECT_BUFFER GetNative64Code(IN PVOID LdrLoadDll, IN PUNICODE_STRING DllFullPath)
{
NTSTATUS Status = STATUS_SUCCESS;
PINJECT_BUFFER InjectBuffer = NULL;
SIZE_T Size = PAGE_SIZE;
UCHAR Code[] = {
0x48, 0x83, 0xEC, 0x28,
0x48, 0x31, 0xC9,
0x48, 0x31, 0xD2,
0x49, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0,
0x49, 0xB9, 0, 0, 0, 0, 0, 0, 0, 0,
0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0,
0xFF, 0xD0,
0x48, 0xBA, 0, 0, 0, 0, 0, 0, 0, 0,
0xC7, 0x02, 0x7E, 0x1E, 0x37, 0xC0,
0x48, 0xBA, 0, 0, 0, 0, 0, 0, 0, 0,
0x89, 0x02,
0x48, 0x83, 0xC4, 0x28,
0xC3
};
Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &InjectBuffer, 0, &Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NT_SUCCESS(Status))
{
PUNICODE_STRING UserPath = &InjectBuffer->Path64;
UserPath->Length = 0;
UserPath->MaximumLength = sizeof(InjectBuffer->Buffer);
UserPath->Buffer = InjectBuffer->Buffer;
RtlUnicodeStringCopy(UserPath, DllFullPath);
memcpy(InjectBuffer, Code, sizeof(Code));
*(ULONGLONG*)((PUCHAR)InjectBuffer + 12) = (ULONGLONG)UserPath;
*(ULONGLONG*)((PUCHAR)InjectBuffer + 22) = (ULONGLONG)&InjectBuffer->ModuleHandle;
*(ULONGLONG*)((PUCHAR)InjectBuffer + 32) = (ULONGLONG)LdrLoadDll;
*(ULONGLONG*)((PUCHAR)InjectBuffer + 44) = (ULONGLONG)&InjectBuffer->Complete;
*(ULONGLONG*)((PUCHAR)InjectBuffer + 60) = (ULONGLONG)&InjectBuffer->Status;
return InjectBuffer;
}
UNREFERENCED_PARAMETER(DllFullPath);
return NULL;
}
PINJECT_BUFFER GetNative32Code(IN PVOID LdrLoadDll, IN PUNICODE_STRING DllFullPath)
{
NTSTATUS Status = STATUS_SUCCESS;
PINJECT_BUFFER InjectBuffer = NULL;
SIZE_T Size = PAGE_SIZE;
UCHAR Code[] = {
0x68, 0, 0, 0, 0,
0x68, 0, 0, 0, 0,
0x6A, 0,
0x6A, 0,
0xE8, 0, 0, 0, 0,
0xBA, 0, 0, 0, 0,
0xC7, 0x02, 0x7E, 0x1E, 0x37, 0xC0,
0xBA, 0, 0, 0, 0,
0x89, 0x02,
0xC2, 0x04, 0x00
};
Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &InjectBuffer, 0, &Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NT_SUCCESS(Status))
{
PUNICODE_STRING32 pUserPath = &InjectBuffer->Path32;
pUserPath->Length = DllFullPath->Length;
pUserPath->MaximumLength = DllFullPath->MaximumLength;
pUserPath->Buffer = (ULONG)(ULONG_PTR)InjectBuffer->Buffer;
memcpy((PVOID)pUserPath->Buffer, DllFullPath->Buffer, DllFullPath->Length);
memcpy(InjectBuffer, Code, sizeof(Code));
*(ULONG*)((PUCHAR)InjectBuffer + 1) = (ULONG)(ULONG_PTR)&InjectBuffer->ModuleHandle;
*(ULONG*)((PUCHAR)InjectBuffer + 6) = (ULONG)(ULONG_PTR)pUserPath;
*(ULONG*)((PUCHAR)InjectBuffer + 15) = (ULONG)((ULONG_PTR)LdrLoadDll - ((ULONG_PTR)InjectBuffer + 15) - 5 + 1);
*(ULONG*)((PUCHAR)InjectBuffer + 20) = (ULONG)(ULONG_PTR)&InjectBuffer->Complete;
*(ULONG*)((PUCHAR)InjectBuffer + 31) = (ULONG)(ULONG_PTR)&InjectBuffer->Status;
return InjectBuffer;
}
UNREFERENCED_PARAMETER(DllFullPath);
return NULL;
}
NTSTATUS NTAPI SeCreateThreadEx(OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID StartAddress, IN PVOID Parameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList)
{
NTSTATUS Status = STATUS_SUCCESS;
LPFN_NTCREATETHREADEX NtCreateThreadEx = (LPFN_NTCREATETHREADEX)(GetSSDTFuncCurAddr(GetIndexByName((UCHAR *)"NtCreateThreadEx")));
DbgPrint("线程函数地址: %p --> 开始执行地址: %p \n", NtCreateThreadEx, StartAddress);
if (NtCreateThreadEx)
{
PUCHAR pPrevMode = (PUCHAR)PsGetCurrentThread() + 0x232;
UCHAR prevMode = *pPrevMode;
*pPrevMode = KernelMode;
Status = NtCreateThreadEx(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, StartAddress, Parameter, Flags, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, AttributeList);
*pPrevMode = prevMode;
}
else
{
Status = STATUS_NOT_FOUND;
}
return Status;
}
NTSTATUS ExecuteInNewThread(IN PVOID BaseAddress, IN PVOID Parameter, IN ULONG Flags, IN BOOLEAN Wait, OUT PNTSTATUS ExitStatus)
{
HANDLE ThreadHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
NTSTATUS Status = SeCreateThreadEx(&ThreadHandle, THREAD_QUERY_LIMITED_INFORMATION, &ObjectAttributes, ZwCurrentProcess(), BaseAddress, Parameter, Flags, 0, 0x1000, 0x100000, NULL);
if (NT_SUCCESS(Status) && Wait != FALSE)
{
LARGE_INTEGER Timeout = { 0 };
Timeout.QuadPart = -(60ll * 10 * 1000 * 1000);
Status = ZwWaitForSingleObject(ThreadHandle, TRUE, &Timeout);
if (NT_SUCCESS(Status))
{
THREAD_BASIC_INFORMATION ThreadBasicInfo = { 0 };
ULONG ReturnLength = 0;
Status = ZwQueryInformationThread(ThreadHandle, ThreadBasicInformation, &ThreadBasicInfo, sizeof(ThreadBasicInfo), &ReturnLength);
if (NT_SUCCESS(Status) && ExitStatus)
{
*ExitStatus = ThreadBasicInfo.ExitStatus;
}
else if (!NT_SUCCESS(Status))
{
DbgPrint("%s: ZwQueryInformationThread failed with status 0x%X\n", __FUNCTION__, Status);
}
}
else
{
DbgPrint("%s: ZwWaitForSingleObject failed with status 0x%X\n", __FUNCTION__, Status);
}
}
else
{
DbgPrint("%s: ZwCreateThreadEx failed with status 0x%X\n", __FUNCTION__, Status);
}
if (ThreadHandle)
{
ZwClose(ThreadHandle);
}
return Status;
}
NTSTATUS AttachAndInjectProcess(IN HANDLE ProcessID, PWCHAR DllPath)
{
PEPROCESS EProcess = NULL;
KAPC_STATE ApcState;
NTSTATUS Status = STATUS_SUCCESS;
if (ProcessID == NULL)
{
Status = STATUS_UNSUCCESSFUL;
return Status;
}
Status = PsLookupProcessByProcessId(ProcessID, &EProcess);
if (Status != STATUS_SUCCESS)
{
return Status;
}
BOOLEAN IsWow64 = (PsGetProcessWow64Process(EProcess) != NULL) ? TRUE : FALSE;
KeStackAttachProcess((PRKPROCESS)EProcess, &ApcState);
__try
{
PVOID NtdllAddress = NULL;
PVOID LdrLoadDll = NULL;
UNICODE_STRING NtdllUnicodeString = { 0 };
UNICODE_STRING DllFullPath = { 0 };
RtlInitUnicodeString(&NtdllUnicodeString, L"Ntdll.dll");
NtdllAddress = GetUserModuleAddress(EProcess, &NtdllUnicodeString, IsWow64);
if (!NtdllAddress)
{
Status = STATUS_NOT_FOUND;
}
if (NT_SUCCESS(Status))
{
LdrLoadDll = GetModuleExportAddress(NtdllAddress, "LdrLoadDll", EProcess);
if (!LdrLoadDll)
{
Status = STATUS_NOT_FOUND;
}
}
PINJECT_BUFFER InjectBuffer = NULL;
if (IsWow64)
{
RtlInitUnicodeString(&DllFullPath, DllPath);
InjectBuffer = GetNative32Code(LdrLoadDll, &DllFullPath);
DbgPrint("[*] 注入32位DLL \n");
}
else
{
RtlInitUnicodeString(&DllFullPath, DllPath);
InjectBuffer = GetNative64Code(LdrLoadDll, &DllFullPath);
DbgPrint("[*] 注入64位DLL \n");
}
ExecuteInNewThread(InjectBuffer, NULL, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, TRUE, &Status);
if (!NT_SUCCESS(Status))
{
DbgPrint("ExecuteInNewThread Failed\n");
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess(&ApcState);
ObDereferenceObject(EProcess);
return Status;
}
VOID Unload(PDRIVER_OBJECT pDriverObj)
{
DbgPrint("[-] 驱动卸载 \n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath)
{
DbgPrint("Hello LyShark \n");
KeServiceDescriptorTable = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTable64(DriverObject);
HANDLE processid = GetProcessID("x32.exe");
DbgPrint("进程PID = %d \n", processid);
AttachAndInjectProcess(processid, L"C:\\hook.dll");
DriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
|
