无痕注入核心原理

无痕注入

注入在应用层留下的痕迹在PEB中,即使删除了PEB中的模块信息,在驱动层依旧会留下痕迹。

无痕注入技术,是做到在应用层完成驱动层也检测不到模块的做法。

1.思路

  • 注入模块(LoadLibrary)

  • 复制模块区域的代码

  • 卸载模块(FreeLibrary)

  • 将复制的代码写入到原模块加载的地址

2.实现

int main()
{
    //加载dll
	auto hMod = LoadLibrary(L"Dlls.dll");		
	//计算dll大小
	PIMAGE_DOS_HEADER PDosHeader = (PIMAGE_DOS_HEADER)hMod;
	PIMAGE_NT_HEADERS PNTHeader = (PIMAGE_NT_HEADERS)((unsigned)hMod + PDosHeader->e_lfanew);
	PIMAGE_OPTIONAL_HEADER POPHeader = (PIMAGE_OPTIONAL_HEADER)(&PNTHeader->OptionalHeader);
	DWORD dImageSize = POPHeader->SizeOfImage;
	//分配内存,修改内存属性
	DWORD dOld;
	LPVOID dllCode = VirtualAlloc(0, dImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	VirtualProtect(hMod, dImageSize, PAGE_EXECUTE_READWRITE, &dOld);
	//复制dll代码
	memcpy(dllCode, hMod, dImageSize);
	//释放dll
	FreeLibrary(hMod);
	
    //将代码写入到原来dll的地址
	LPVOID dllCodeNew = VirtualAlloc(hMod, dImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	memcpy(dllCodeNew, dllCode, dImageSize);
    
    //释放内存
	VirtualFree(dllCode, 0, MEM_RELEASE);
    
    return 0;
}
发布于