windows service 代码注入 x64

windows service 代码注入 x64

win7 32位我经过测试网上很多代码都通过了,但是win7 x64是真的处处碰壁 ,很多注入都是失败告终。最后用的CreateProcessAsUser进行的注入,其实就是在和taskmgr.exe同一个session中起了一个应用程序。感觉还是不怎么满意,现记录下。另外一个问题就是win32编译的服务在win32和x64上都能够运行,但是以x64编译服务后,在x64上不能运行,提示没有及时响应启动或控制请求,搞不懂为什么?


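// Returns the PID of the winlogon.exe instance that runs in `sessionId`,
// or 0 when no such process is found or the process snapshot cannot be taken.
// Several winlogon instances exist on a multi-session machine (one per
// session), so the session id is matched explicitly.
static DWORD FindWinlogonPidInSession(DWORD sessionId)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        std::cout<<"here 1"<<std::endl;
        return 0;
    }

    DWORD pid = 0;
    PROCESSENTRY32 procEntry;
    procEntry.dwSize = sizeof(PROCESSENTRY32);

    if (Process32First(hSnap, &procEntry))
    {
        do
        {
            if (_stricmp(procEntry.szExeFile, "winlogon.exe") != 0)
                continue;

            DWORD winlogonSessId = 0;
            if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId)
                && winlogonSessId == sessionId)
            {
                pid = procEntry.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &procEntry));
    }
    else
    {
        std::cout<<"here 2"<<std::endl;
    }

    CloseHandle(hSnap); // the original never released the snapshot handle
    return pid;
}

// Opens process `pid`, duplicates its primary token into a new primary token,
// binds that token to `sessionId` and enables SE_DEBUG_NAME on it (kept for
// fidelity with the original; CreateProcessAsUser itself does not need this
// privilege and a least-privilege deployment should drop it).
// Returns NULL on failure. The caller owns the returned handle.
static HANDLE DuplicatePrimaryTokenForSession(DWORD pid, DWORD sessionId)
{
    HANDLE hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
    if (hProcess == NULL)
    {
        std::cout<<"OpenProcess Error: "<<GetLastError()<<std::endl;
        return NULL;
    }

    HANDLE hPToken = NULL;
    if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
                            |TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY|TOKEN_ADJUST_SESSIONID
                            |TOKEN_READ|TOKEN_WRITE, &hPToken))
    {
        // The original printed this and carried on with an uninitialized token.
        std::cout<<"Process token open Error: "<<GetLastError()<<std::endl;
        CloseHandle(hProcess);
        return NULL;
    }
    CloseHandle(hProcess); // the process handle is not needed once the token is open

    HANDLE hTokenDup = NULL;
    BOOL duplicated = DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL,
                                       SecurityIdentification, TokenPrimary, &hTokenDup);
    CloseHandle(hPToken);
    if (!duplicated)
    {
        std::cout<<"DuplicateTokenEx Error: "<<GetLastError()<<std::endl;
        return NULL;
    }

    // The original passed `(void*)dwSessionId`, i.e. the session number cast
    // to a pointer; SetTokenInformation expects a pointer to the DWORD.
    if (!SetTokenInformation(hTokenDup, TokenSessionId, &sessionId, sizeof(DWORD)))
    {
        std::cout<<"SetTokenInformation Error: "<<GetLastError()<<std::endl;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        std::cout<<"Lookup Privilege value Error: "<<GetLastError()<<std::endl;
        return hTokenDup;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL adjusted = AdjustTokenPrivileges(hTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                                          (PTOKEN_PRIVILEGES)NULL, NULL);
    // AdjustTokenPrivileges reports partial success via GetLastError(), so the
    // value must be captured before any other call (the original read it after
    // a std::cout, which may overwrite it).
    DWORD adjustErr = GetLastError();
    if (!adjusted)
    {
        std::cout<<"Adjust Privilege value Error:"<<adjustErr<<std::endl;
    }
    if (adjustErr == ERROR_NOT_ALL_ASSIGNED)
    {
        std::cout<<("Token does not have the provilege")<<std::endl;
    }
    return hTokenDup;
}

// Launches `lpApplicationPath` on the active console session using a primary
// token duplicated from that session's winlogon.exe, so the child runs as
// LocalSystem on the user's interactive desktop. Returns TRUE when
// CreateProcessAsUser succeeded, FALSE otherwise. Every handle, the process
// snapshot and the environment block are released on all paths.
//
// Security notes for anyone reusing this:
//  * A LocalSystem process on the interactive desktop crosses a privilege
//    boundary. If the child does not need SYSTEM, obtain the logged-on user's
//    own token with WTSQueryUserToken(dwSessionId, ...) (the original called
//    it but never used the result) and pass that to CreateProcessAsUser.
//  * The caller below points at a user-writable directory; a SYSTEM service
//    must only execute binaries from a location that only administrators can
//    write, otherwise the user chooses what runs as SYSTEM.
static BOOL LaunchInConsoleSession(LPCTSTR lpApplicationPath)
{
    DWORD dwSessionId = WTSGetActiveConsoleSessionId();
    if (dwSessionId == 0xFFFFFFFF)
    {
        // No session is attached to the console (e.g. during a switch).
        std::cout<<"No active console session"<<std::endl;
        return FALSE;
    }

    DWORD winlogonPid = FindWinlogonPidInSession(dwSessionId);
    if (winlogonPid == 0)
    {
        // The original left winlogonPid uninitialized on this path and went on
        // to OpenProcess() an arbitrary PID.
        std::cout<<"winlogon.exe not found in session "<<dwSessionId<<std::endl;
        return FALSE;
    }

    HANDLE hUserTokenDup = DuplicatePrimaryTokenForSession(winlogonPid, dwSessionId);
    if (hUserTokenDup == NULL)
        return FALSE;

    DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
    LPVOID pEnv = NULL;
    if (CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
    {
        dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
    }
    else
    {
        pEnv = NULL; // best effort: the child inherits the service's environment
    }

    STARTUPINFO si;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO); // required by CreateProcessAsUser; the original left it 0
    //si.lpDesktop = "winsta0\\default"; -- left out as in the original
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    // Launch the process in the client's logon session.
    BOOL bResult = CreateProcessAsUser(
        hUserTokenDup,     // client's access token
        lpApplicationPath, // file to execute
        NULL,              // command line
        NULL,              // pointer to process SECURITY_ATTRIBUTES
        NULL,              // pointer to thread SECURITY_ATTRIBUTES
        FALSE,             // handles are not inheritable
        dwCreationFlags,   // creation flags
        pEnv,              // pointer to new environment block
        NULL,              // name of current directory
        &si,               // pointer to STARTUPINFO structure
        &pi                // receives information about new process
    );
    // Captured before the std::cout calls so the reported code is the launch's.
    int iResultOfCreateProcessAsUser = GetLastError();
    std::cout<<"here 3"<<std::endl;
    std::cout<<"here 4 "<<iResultOfCreateProcessAsUser<<std::endl;

    if (bResult)
    {
        Sleep(300);
        // As in the original, the child is killed after 300 ms (test
        // scaffolding); remove these two lines if the child should keep running.
        TerminateProcess(pi.hProcess, 300);
        CloseHandle(pi.hThread);  // the original never closed the child's handles
        CloseHandle(pi.hProcess);
    }

    if (pEnv != NULL)
        DestroyEnvironmentBlock(pEnv); // the original leaked the environment block
    CloseHandle(hUserTokenDup);

    return bResult;
}

// Original entry point, kept with its signature. The original returned 0 on
// success and 1 on early failure despite being declared BOOL; this now returns
// TRUE only when the child process was actually created.
BOOL LaunchAppIntoDifferentSession()
{
    return LaunchInConsoleSession(TEXT("C:\\Users\\thin\\Desktop\\services.exe"));
}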

参考:

https://www.codeproject.com/Articles/18367/Launch-your-application-in-Vista-under-the-local-s

https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces

https://jiya.io/archives/something-about-windows-code-injection.html

https://bbs.pediy.com/thread-224143.htm

https://bbs.pediy.com/thread-224402.htm

http://www.freebuf.com/articles/system/94693.html

https://stackoverflow.com/questions/35995224/inject-dll-to-process-in-session-0-by-ntcreatethreadex

 
