本文为看雪论坛精华文章
看雪论坛作者ID:一半人生
概述
本篇环境
1. wdk 7600 or Up new wdk
2. vs2015/17/19
3. Windows Win7 x86 sp1 / x64
4. IE Version 10/11
知识点
安全
假设/构造
IE部署问题
1. IE8 上部分 CVE 的 js/vbs 在启动调试时崩溃,解决方案是将 IE 更新至 10/11。
2. 升级IE 11之前需要安装必备的补丁包,链接如下:
https://docs.microsoft.com/zh-cn/troubleshoot/browsers/prerequisite-updates-for-ie-11
3. 升级到 IE 11 后,F12 调试窗口空白、仿真报错,安装补丁 IE11-Windows6.1-KB3008923-x86 即可解决。
4. js 调试支持友好,vbs 支持不友好,可将仿真兼容模式改成 5。如果 vbs 仍然不友好,可在 PoC 中加入 VB 函数,WinDbg 可以对其下断点识别,作为单步调试时的观察点。
有些 vbs/js 可以不使用 IE 调试,能触发就行(触发和利用是两个概念)。
构造方案
代码实现
通信流程如下(端口一对一模式):
/// Control IDs carried in the ControlId field of the messages exchanged over
/// the ALPC ports (UNIVERMSG / DIRVER_INJECT_DLL). Every value is written out
/// explicitly so the on-the-wire numbers can be read off directly; the three
/// ranges (1.., 10.., 30..) group the driver<->DLL injection commands, the
/// connect/disconnect commands and the monitor notifications.
/// ALPC_DLL_INJECT_FAILUER keeps its original (misspelled) spelling because
/// other code references it by that name.
enum CommandofCodeID
{
    ALPC_DRIVER_DLL_INJECTENABLE   = 1,
    ALPC_DRIVER_DLL_INJECTDISABLE  = 2,
    ALPC_DRIVER_CONNECTSERVER      = 10,
    ALPC_DRIVER_CONNECTSERVER_RECV = 11,
    ALPC_DLL_CONNECTSERVER         = 12,
    ALPC_DLL_CONNECTSERVER_RECV    = 13,
    ALPC_UNCONNECTSERVER           = 14,
    ALPC_DLL_MONITOR_CVE           = 30,
    ALPC_DLL_INJECT_SUCCESS        = 31,
    ALPC_DLL_INJECT_FAILUER        = 32
};
// Spawn the kernel thread that runs the ALPC receive loop
// (AlpcRecvServerMsgROUTINE). The thread handle lands in g_Recvhandle; the
// NTSTATUS returned here is discarded, and whether g_Recvhandle is closed on
// unload is not visible in this excerpt — TODO confirm both.
PsCreateSystemThread(
&g_Recvhandle,
THREAD_ALL_ACCESS,
NULL,
NtCurrentProcess(),
NULL,
(PKSTART_ROUTINE)AlpcRecvServerMsgROUTINE,
NULL);
// Register the image-load callback (PsLoadImageCallbacks) that looks for
// oleaut32.dll being mapped. `status` is not tested after this call, so a
// registration failure leaves the driver silently without its trigger. The
// matching PsRemoveLoadImageNotifyRoutine on unload is not shown here.
status = PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)PsLoadImageCallbacks);
// Body of the image-load callback (the brace of this `if` and the enclosing
// PsLoadImageCallbacks function are not part of this excerpt).
// Notes on the match: FullImageName is a UNICODE_STRING whose Buffer is not
// guaranteed to be NUL-terminated, so wcsstr may scan past FullImageName->Length;
// FullImageName can also be NULL for some image loads. wcsstr is a
// case-sensitive substring test, and on x64 a 32-bit process loads oleaut32.dll
// from SysWOW64, which this pattern does not match — confirm that is intended.
if (NULL != wcsstr(FullImageName->Buffer, L"Windows\\System32\\oleaut32.dll"))
// Send MSG r3 Server to Process HookMsg
DIRVER_INJECT_DLL drinjectdll = { 0, };
INT32 Pids = 0;   // not used in this excerpt
drinjectdll.ImageBase = ImageInfo->ImageBase;
// PsGetCurrentProcessId() returns a HANDLE; the type of the Pids field is not visible here.
drinjectdll.Pids = PsGetCurrentProcessId();
drinjectdll.univermsg.ControlId = ALPC_DRIVER_DLL_INJECTENABLE;
// Tell the user-mode server which process (and oleaut32 base) to inject into.
AlpcSendMsgtoInjectDll(&drinjectdll);
//
// Wait Inject Process
//
// `&g_kEvent` is the address of a global and is never NULL, so this condition
// is always true; it does not check that the event has been initialised.
if (&g_kEvent)
{
// KeWaitForSingleObject(g_pInjectEvent, Executive, KernelMode, FALSE, NULL); // INFINITE
// Wait
// Timeout is NULL: the thread that is loading oleaut32.dll blocks inside the
// load-image callback until user mode signals g_kEvent. If the server never
// answers, that load (and the process) stays blocked.
KeWaitForSingleObject(&g_kEvent, Executive, KernelMode, FALSE, NULL);
// Unconditional break into the kernel debugger; keep out of non-debug builds.
DbgBreakPoint();
KeClearEvent(&g_kEvent);
}
// APC injection: queue a kernel-mode APC on the current (image-loading) thread so
// APCInjectorRoutine runs in that thread's context.
KAPC* Apc;
// The ExAllocatePool result is not checked: on allocation failure Apc is NULL and
// RtlSecureZeroMemory / KeInitializeApc below dereference it. Prefer
// ExAllocatePoolWithTag and test the result. The KAPC is not freed in this
// excerpt — presumably APCInjectorRoutine releases it; TODO confirm.
Apc = (PKAPC)ExAllocatePool(NonPagedPool, sizeof(KAPC));
RtlSecureZeroMemory(Apc, sizeof(KAPC));
// KeInitializeApc / KeInsertQueueApc are undocumented exports. Arguments:
// environment 0, kernel routine = APCInjectorRoutine, no rundown routine, no
// normal routine, KernelMode, no normal context.
KeInitializeApc(Apc, KeGetCurrentThread(), 0, (PKKERNEL_ROUTINE)APCInjectorRoutine, 0, 0, KernelMode, 0);
KeInsertQueueApc(Apc, 0, 0, IO_NO_INCREMENT);
// Report the injection outcome back to the client over the ALPC port.
UNIVERMSG univermsg = { 0, };
// Plain truthiness test: any non-zero nStatus is treated as success.
if (nStatus)
univermsg.ControlId = ALPC_DLL_INJECT_SUCCESS;
else
univermsg.ControlId = ALPC_DLL_INJECT_FAILUER;
// SendtoPort is dereferenced without a NULL check — presumably validated by the
// caller; confirm.
AlpcSendtoClientMsg(*SendtoPort, &univermsg, msgid);
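/// Installs the inline hook on oleaut32!VariantChangeTypeEx.
///
/// @param oleauthandle  Module handle (base address) of the already-loaded
///                      oleaut32.dll.
/// @return 0 (STATUS_SUCCESS) when Dll_Hook was called and its result stored in
///         syscall_VariantChangeTypeEx; STATUS_INVALID_PARAMETER when the export
///         or the callback could not be resolved. The original returned 0 in
///         every case, so a skipped hook was indistinguishable from success.
NTSTATUS InitVariantChangeTypeExHook(
PVOID oleauthandle
)
{
    // Get VariantChangeTypeEx Address Save Old Addr or Virtual Mem Copy Opecode to VirMemory
    PVOID VariantChangeTypeExaddr = GetProcAddress((HMODULE)oleauthandle, "VariantChangeTypeEx");

    // Check ArgAddr. The original test was `0 >= !ptr`, which evaluates to true
    // for a NON-null pointer and therefore skipped the hook exactly when the
    // address was valid (and hooked when it was NULL).
    if (NULL == VariantChangeTypeExaddr || NULL == VariantChangeTypeExHook_Callback)
        return static_cast<NTSTATUS>(STATUS_INVALID_PARAMETER);

    // inline Hook: Dll_Hook presumably returns the saved original entry / trampoline,
    // which the callback forwards to — confirm against Dll_Hook.
    syscall_VariantChangeTypeEx = (FnVariantChangeTypeExHook)Dll_Hook(VariantChangeTypeExaddr, VariantChangeTypeExHook_Callback);

    return 0; // STATUS_SUCCESS
}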
case ALPC_DLL_MONITOR_CVE:
/*++
Notify the UI that a hit event needs handling, then wait for the UI to return.
--*/
{
// The payload is assumed to start right after the PORT_MESSAGE header and is
// cast without comparing the message's data length (PORT_MESSAGE.u1.s1.DataLength)
// against sizeof(MONITORCVEINFO). The sender is presumably the DLL injected into
// the monitored browser process, so a short or malformed message would be read
// out of bounds here; check the length before the cast.
MONITORCVEINFO* MonCveInfo = (MONITORCVEINFO*)((BYTE*)lpMem + sizeof(PORT_MESSAGE));
if (!pipobj)
break;
// Forwards the raw struct bytes to the UI pipe; the wchar_t* cast only satisfies
// PipSendMsg's signature, the data is not a string.
pipobj->PipSendMsg((wchar_t*)MonCveInfo, sizeof(MONITORCVEINFO));
// pipobj->PipClose();
}
// Drain whatever the pipe currently holds without blocking on an empty pipe.
if (g_PipServerPortHandle)
{
do
{
// PeekNamedPipe is used only to look at the pipe without consuming it, i.e. to
// find out whether it is empty. No buffer is passed, so dwRead is not meaningful
// until ReadFile below; dwAvail is a DWORD, so `dwAvail <= 0` is just `== 0`.
if (!PeekNamedPipe(g_PipServerPortHandle, NULL, NULL, &dwRead, &dwAvail, NULL) || dwAvail <= 0)
{
break;
}
// Reads at most BUFSIZE bytes per call; ReadFile does not NUL-terminate
// Databuffer, so treat the dwRead bytes as raw data.
if (ReadFile(g_PipServerPortHandle, Databuffer, BUFSIZE, &dwRead, NULL))
{
if (dwRead != 0)
{
// Prompt / handle directly (placeholder: the data read is currently discarded).
}
}
} while (TRUE);
}
return 0;
// strcpy(packheader.protocol, "TCP");
// Heartbeat loop: push packheader to the UI pipe every 5 s and re-create the
// pipe when the client side has gone away. There is no exit path from this loop.
while (true)
{
if (-1 == g_pipui.PipSendMsg(&packheader, sizeof(IPPACKHANDER)))
{
printf("[3+]Client Pip inactive!\r\n");
// Close the pipe; a send failure means the client has closed the anonymous pipe.
g_pipui.PipClose();
// Re-open the anonymous pipe and wait for the client to come back online.
if (-1 == g_pipui.StartServerPip())
{
// GetLastError() returns a DWORD; "%d" should be "%lu" to match the type.
auto error = GetLastError();
printf("[~]Error: %d\r\n", error);
}
}
Sleep(5000);
}
看雪ID:一半人生
https://bbs.pediy.com/user-home-819685.htm