<> background

Also known as process memory replacement , It means to clear the memory data of a process , Write whatever data we want to write , And change the execution order , Execute the data code we write .

The simple process is :

* Create a process that suspends the main thread ( You can also suspend the target process directly , Don't create it yourself )
* Request a piece of memory in the address space of the new process , Write our Shellcode
* Change the execution order of new processes , Implement our Shellcode code
<> Function introduction
// Get thread context BOOL WINAPI GetThreadContext( _In_ HANDLE hThread, _Inout_
LPCONTEXT lpContext); // set thread context BOOL WINAPI SetThreadContext( _In_ HANDLE
hThread, _In_ const CONTEXT *lpContext ); // Resume thread running DWORD WINAPI ResumeThread(
_In_ HANDLE hThread);
<> Detailed process

* first , use CreateProcess Function creation process , And set the flag of the creation process to CREATE_SUSPENDED, This means that the main thread of the new process is suspended .
* then , use VirtualAllocEx Function to request a block to be readable in a new process , Writable , Executable memory , And use WriteProcessMemory
Function write Shellcode data .
* next , use GetThreadContext, Set get flag to CONTEXT_FULL, That is to get all thread contexts in the new process . And modify the instruction pointer of the thread context
EIP Value of , Change the execution order of the main thread . Then set the modified thread context back to the main thread .
* last , We call ResumeThread Restore main thread , Let the process follow the modified EIP Keep running , Implement our Shellcode code .
It should be noted that , in use GetThreadContext When getting the thread context , You have to be right CONTEXT Institutional ContextFlags
Member assignment , Indicates which parts of the context of the thread are to be retrieved , Otherwise, the program will not achieve the desired effect . We can specify CONTEXT_FULL, Gets all thread context information .

<> code
// Create process and replace process memory data , Change execution order BOOL ReplaceProcess(char *pszFilePath, PVOID
pReplaceData, DWORD dwReplaceDataSize, DWORD dwRunOffset) { STARTUPINFO si = { 0
}; PROCESS_INFORMATION pi = { 0 }; CONTEXT threadContext = { 0 }; BOOL bRet =
FALSE; ::RtlZeroMemory(&si, sizeof(si)); ::RtlZeroMemory(&pi, sizeof(pi)); ::
RtlZeroMemory(&threadContext, sizeof(threadContext)); si.cb = sizeof(si); //
Create a process and suspend the main thread bRet = ::CreateProcess(pszFilePath, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi); if (FALSE == bRet) { ShowError(
"CreateProcess"); return FALSE; } // Request a block of memory in the replacement process LPVOID lpDestBaseAddr = ::
VirtualAllocEx(pi.hProcess, NULL, dwReplaceDataSize, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE); if (NULL == lpDestBaseAddr) { ShowError(
"VirtualAllocEx"); return FALSE; } // Write replacement data bRet = ::WriteProcessMemory(pi.
hProcess, lpDestBaseAddr, pReplaceData, dwReplaceDataSize, NULL); if (FALSE ==
bRet) { ShowError("WriteProcessError"); return FALSE; } // Get thread context //
Pay attention to the sign here , Be sure to write !!! threadContext.ContextFlags = CONTEXT_FULL; bRet = ::
GetThreadContext(pi.hThread, &threadContext); if (FALSE == bRet) { ShowError(
"GetThreadContext"); return FALSE; } // Modify the PE The entry address and image size of the file , Get the original process first PE Loading base address of structure
threadContext.Eip = (DWORD)lpDestBaseAddr + dwRunOffset; // Sets the thread context of the suspended process bRet =
::SetThreadContext(pi.hThread, &threadContext); if (FALSE == bRet) { ShowError(
"SetThreadContext"); return FALSE; } // Resume the thread of the suspended process ::ResumeThread(pi.hThread);
return TRUE; }
<> test

©2019-2020 Toolsou All rights reserved,
802.11 CCA and NAV mechanism docker Where is the image stored Software engineering career planning RISC-V_GD32VF103-TIMER0 timer interrupt Create a thread ——— Javaweb (3)MySQL The golden rule of :“ Do not use SELECT ”MYSQL database SQL Sentence practice experiment EXERCISES. 1 SIMPLE COMMANDSMySQL Basics Commonly used sentence ( Add / delete / modify query )pandas Multiply two columns in use Java Write a simple student management system