利用线程名和APC实现高级进程注入技术（上）<\/h1>

一、前言<\/h2>

进程注入是攻击方武器库中的核心技术之一，主要用于：<\/p>

AV\/EDR躲避<\/strong>：将恶意代码隐藏在合法进程中<\/li>
操作现有进程<\/strong>：如dump lsass进程凭据<\/li>

权限提升<\/strong><\/li> <\/ol>
传统注入技术面临严格监控，因此需要研究新型注入方法。本文介绍基于线程描述(Thread Description)和APC(Asynchronous Procedure Call)的高级注入技术，可有效绕过大多数AV\/EDR的检测。<\/p>
二、线程名在攻击中的应用场景<\/h2>
2.1 IPC（进程间通信）<\/h3>

机制<\/strong>：通过SetThreadDescription<\/code>设置线程描述，GetThreadDescription<\/code>获取描述<\/li>
优势<\/strong>：提供隐蔽的进程间通信渠道<\/li>
参考实现<\/strong>：https:\/\/github.com\/LloydLabs\/dearg-thread-ipc-stealth<\/li> <\/ul> 2.2 躲避内存扫描<\/h3> 原理<\/strong>：将shellcode存储在线程名中（内核模式结构），规避用户模式内存扫描<\/li> 参考实现<\/strong>：https:\/\/gitlab.com\/ORCA000\/t.d.p<\/li> <\/ul> 2.3 辅助内核模式利用<\/h3> 用途<\/strong>：在用户层为内核层分配内存空间<\/li> 参考实现<\/strong>：https:\/\/web.archive.org\/web\/20221009194014\/https:\/\/blahcat.github.io\/posts\/2019\/03\/17\/small-dumps-in-the-big-pool.html<\/li> <\/ul> 2.4 进程注入变种<\/h3> 2.4.1 双管枪技术(Double Barrel)<\/h4> 技术特点<\/strong>：通过线程劫持+ROP链实现代码注入<\/li> 缺点<\/strong>：Windows版本依赖性强，可能导致目标应用不稳定<\/li> 代码实现<\/strong>：https:\/\/www.lodsb.com\/shellcode-injection-using-threadnameinformation<\/li> <\/ul> 2.4.2 线程名调用技术（本文重点）<\/h4> 技术特点<\/strong>：通过线程描述传递shellcode<\/li> 使用APC机制执行代码<\/li> 对shellcode无特殊限制<\/li> 不干扰原始线程执行<\/li> <\/ul> <\/li> 实现流程<\/strong>：通过线程描述发送shellcode到目标进程<\/li> 通过APC调用GetThreadDescription<\/code>获取描述<\/li> 修改内存权限为可执行<\/li> 通过另一个APC执行shellcode<\/li> <\/ol> <\/li> <\/ul> 2.4.3 DLL注入变种<\/h4> 特点<\/strong>：DLL路径通过线程名传递，替代传统的VirtualAllocEx<\/code>和WriteProcessMemory<\/code><\/li> <\/ul> 三、关键API详解<\/h2> 3.1 GetThreadDescription\/SetThreadDescription<\/h3> 3.1.1 函数原型<\/h4> HRESULT GetThreadDescription<\/span>( <\/span><\/span> [in] HANDLE hThread, <\/span><\/span> [out] PWSTR *<\/span>ppszThreadDescription <\/span><\/span>); <\/span><\/span> <\/span><\/span>HRESULT SetThreadDescription<\/span>( <\/span><\/span> [in] HANDLE hThread, <\/span><\/span> [in] PCWSTR lpThreadDescription <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.1.2 技术要求<\/h4> 系统版本<\/strong>：Windows 10 1607+<\/li> 权限要求<\/strong>：THREAD_SET_LIMITED_INFORMATION<\/code><\/li> 缓冲区限制<\/strong>：最大65536字节（16页），实际可用65534字节<\/li> 格式要求<\/strong>：Unicode字符串（以L'\0'结尾）<\/li> <\/ul> 3.1.3 底层实现<\/h4> \/\/ SetThreadDescription内部实现 <\/span><\/span><\/span><\/span>#define ThreadNameInformation 0x26 <\/span><\/span><\/span><\/span>HRESULT __stdcall<\/span> SetThreadDescription<\/span>(HANDLE hThread, PCWSTR lpThreadDescription) <\/span><\/span>{ <\/span><\/span> NTSTATUS status; <\/span><\/span> _UNICODE_STRING DestinationString; <\/span><\/span> <\/span><\/span> status =<\/span> RtlInitUnicodeStringEx(&<\/span>DestinationString, lpThreadDescription); <\/span><\/span> if<\/span> (status >=<\/span> 0<\/span>) <\/span><\/span> status =<\/span> NtSetInformationThread(hThread, ThreadNameInformation, <\/span><\/span> &<\/span>DestinationString, 0x10u<\/span>); <\/span><\/span> return<\/span> status |<\/span> 0x10000000<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.1.4 内核存储位置<\/h4> 存储位置<\/strong>：ETHREAD->ThreadName<\/code><\/li> 内存类型<\/strong>：NonPagedPoolNx（不可执行非分页池）<\/li> 监控能力<\/strong>：ETW已注册相关事件，可检测线程名设置操作<\/li> <\/ul> 3.2 空字节问题解决方案<\/h3> 3.2.1 问题描述<\/h4> 官方API要求线程名以空WCHAR(2字节)结尾，连续NULL字节会导致截断<\/p> 3.2.2 解决方案<\/h4> 传统方法<\/strong>：使用shellcode编码器消除空字节<\/li> 高级方法<\/strong>：直接操作UNICODE_STRING<\/code>结构，绕过空字节限制<\/li> 关键技术<\/strong>：使用RtlInitUnicodeStringEx<\/code>初始化指定长度的缓冲区<\/li> <\/ul> 3.3 NtQueueApcThreadEx2<\/h3> 3.3.1 APC API演进历程<\/h4> API版本<\/th> 引入系统<\/th> 特点<\/th> <\/tr> <\/thead> NtQueueApcThread<\/td> Windows NT 4.0<\/td> 传统APC实现<\/td> <\/tr> NtQueueApcThreadEx<\/td> Windows Vista<\/td> 扩展功能<\/td> <\/tr> QueueUserAPC2<\/td> Windows 10 1703<\/td> 用户层新API<\/td> <\/tr> NtQueueApcThreadEx2<\/td> Windows 10 1903<\/td> 最新内核API<\/td> <\/tr> <\/tbody> <\/table> 3.3.2 函数优势<\/h4> 绕过alertable限制<\/strong>：使用QUEUE_USER_APC_SPECIAL_USER_APC<\/code>标志<\/li> 参数传递<\/strong>：支持3个参数（优于线程创建的1参数限制）<\/li> 隐蔽性<\/strong>：避免触发线程创建回调(PsSetCreateThreadNotifyRoutine<\/code>)<\/li> <\/ul> 3.3.3 函数原型<\/h4> NTSTATUS NtQueueApcThreadEx2<\/span>( <\/span><\/span> [in] HANDLE ThreadHandle, <\/span><\/span> [in] HANDLE UserApcReserveHandle, <\/span><\/span> [in] PPS_APC_ROUTINE ApcRoutine, <\/span><\/span> [in] PVOID SystemArgument1, <\/span><\/span> [in] PVOID SystemArgument2, <\/span><\/span> [in] PVOID SystemArgument3 <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.4 RtlDispatchAPC<\/h3> 3.4.1 技术特点<\/h4> 合法代理函数<\/strong>：避免直接执行私有内存的检测<\/li> 参数兼容性<\/strong>：支持3个参数，完美匹配APC机制<\/li> 调用方式<\/strong>：通过序号调用（未导出函数名）<\/li> <\/ul> 3.4.2 使用要求<\/h4> \/\/ 调用参数要求 <\/span><\/span><\/span><\/span>RtlDispatchAPC( <\/span><\/span> shellcode_address, \/\/ 参数1: shellcode地址 <\/span><\/span><\/span><\/span> shellcode_param1, \/\/ 参数2: 自定义参数1 <\/span><\/span><\/span><\/span> shellcode_param2 \/\/ 参数3: 自定义参数2 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre>3.4.3 替代方案参考<\/h4> 其他可用于代理执行的回调函数（详见Hexacorn博客）：<\/p> https:\/\/www.hexacorn.com\/blog\/2016\/12\/17\/shellcode-ill-call-you-back\/<\/li> <\/ul> 四、检测与防御<\/h2> 4.1 检测方法<\/h3> ETW监控<\/strong>：检测线程名设置事件<\/li> API监控<\/strong>：监控NtSetInformationThread(ThreadNameInformation)<\/code>调用<\/li> 行为分析<\/strong>：检测异常APC队列操作<\/li> <\/ol> 4.2 防御建议<\/h3> 权限限制<\/strong>：严格控制THREAD_SET_LIMITED_INFORMATION<\/code>权限<\/li> 进程监控<\/strong>：加强对敏感进程的线程操作监控<\/li> 内存保护<\/strong>：监控非标准内存执行行为<\/li> <\/ol> 五、参考资源<\/h2> CheckPoint研究原文：https:\/\/research.checkpoint.com\/2024\/thread-name-calling-using-thread-name-for-offense\/<\/li> Windows进程注入技术大全：BlackHat UAS 2019演讲<\/li> 各种注入技术实现代码库<\/li> <\/ol> 下篇预告<\/strong>：将详细讲解具体实现代码、实战案例和高级规避技术。<\/p>

API版本<\/th>	引入系统<\/th>	特点<\/th> <\/tr> <\/thead>
NtQueueApcThread<\/td>	Windows NT 4.0<\/td>	传统APC实现<\/td> <\/tr>
NtQueueApcThreadEx<\/td>	Windows Vista<\/td>	扩展功能<\/td> <\/tr>
QueueUserAPC2<\/td>	Windows 10 1703<\/td>	用户层新API<\/td> <\/tr>
NtQueueApcThreadEx2<\/td>	Windows 10 1903<\/td>	最新内核API<\/td> <\/tr> <\/tbody> <\/table> 3.3.2 函数优势<\/h4> 绕过alertable限制<\/strong>：使用`QUEUE_USER_APC_SPECIAL_USER_APC<\/code>标志<\/li>` `参数传递<\/strong>：支持3个参数（优于线程创建的1参数限制）<\/li>` 隐蔽性<\/strong>：避免触发线程创建回调(PsSetCreateThreadNotifyRoutine<\/code>)<\/li> <\/ul> 3.3.3 函数原型<\/h4> NTSTATUS NtQueueApcThreadEx2<\/span>( <\/span><\/span> [in] HANDLE ThreadHandle, <\/span><\/span> [in] HANDLE UserApcReserveHandle, <\/span><\/span> [in] PPS_APC_ROUTINE ApcRoutine, <\/span><\/span> [in] PVOID SystemArgument1, <\/span><\/span> [in] PVOID SystemArgument2, <\/span><\/span> [in] PVOID SystemArgument3 <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.4 RtlDispatchAPC<\/h3> 3.4.1 技术特点<\/h4> 合法代理函数<\/strong>：避免直接执行私有内存的检测<\/li> 参数兼容性<\/strong>：支持3个参数，完美匹配APC机制<\/li> 调用方式<\/strong>：通过序号调用（未导出函数名）<\/li> <\/ul> 3.4.2 使用要求<\/h4> \/\/ 调用参数要求 <\/span><\/span><\/span><\/span>RtlDispatchAPC( <\/span><\/span> shellcode_address, \/\/ 参数1: shellcode地址 <\/span><\/span><\/span><\/span> shellcode_param1, \/\/ 参数2: 自定义参数1 <\/span><\/span><\/span><\/span> shellcode_param2 \/\/ 参数3: 自定义参数2 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre>3.4.3 替代方案参考<\/h4> 其他可用于代理执行的回调函数（详见Hexacorn博客）：<\/p> https:\/\/www.hexacorn.com\/blog\/2016\/12\/17\/shellcode-ill-call-you-back\/<\/li> <\/ul> 四、检测与防御<\/h2> 4.1 检测方法<\/h3> ETW监控<\/strong>：检测线程名设置事件<\/li> API监控<\/strong>：监控NtSetInformationThread(ThreadNameInformation)<\/code>调用<\/li> 行为分析<\/strong>：检测异常APC队列操作<\/li> <\/ol> 4.2 防御建议<\/h3> 权限限制<\/strong>：严格控制THREAD_SET_LIMITED_INFORMATION<\/code>权限<\/li> 进程监控<\/strong>：加强对敏感进程的线程操作监控<\/li> 内存保护<\/strong>：监控非标准内存执行行为<\/li> <\/ol> 五、参考资源<\/h2> CheckPoint研究原文：https:\/\/research.checkpoint.com\/2024\/thread-name-calling-using-thread-name-for-offense\/<\/li> Windows进程注入技术大全：BlackHat UAS 2019演讲<\/li> 各种注入技术实现代码库<\/li> <\/ol> 下篇预告<\/strong>：将详细讲解具体实现代码、实战案例和高级规避技术。<\/p>