【免杀思路】进程创建下可用API平替


文章总结: 本文详细介绍了Windows系统中可用于进程创建的多种API函数,作为CreateProcess的替代方案以实现免杀效果。文中涵盖CreateProcessAsUserA、CreateProcessWithLogonW、WinExec及ShellExecute等函数,并附带C++验证代码。此外,作者提及WMI、COM等创建方式,并推广了专注于红队对抗与免杀技术的付费知识圈子。 综合评分: 75 文章分类: 免杀,红队,安全开发



【免杀思路】进程创建下可用API平替

原创

Hello888 Hello888

安全天书

2026年1月22日 14:15 广西

0x01 标准进程创建API函数

CreateProcess

/*
 * Baseline Win32 process-creation API (prototype as documented by Microsoft;
 * the bracketed [in]/[out] markers are SAL-style documentation, not C).
 *
 * lpCommandLine is [in, out]: the function may write into the buffer, so it
 * must be writable (never a string literal).
 * Returns nonzero on success, 0 on failure (reason via GetLastError()).
 * On success the caller owns the hProcess/hThread handles written to
 * lpProcessInformation and must CloseHandle() both.
 *
 * Defender note: every wrapper listed on this page (CreateProcessAsUser,
 * CreateProcessWithLogon/Token, WinExec, system, ShellExecute) ends in the
 * same kernel process-creation path, so kernel process-creation callbacks,
 * Security event 4688 (when auditing is on) and Sysmon event 1 record the new
 * process regardless of which user-mode entry point the caller picked.
 */
BOOL CreateProcessA(
  [in, optional]      LPCSTR                lpApplicationName,
  [in, out, optional] LPSTR                 lpCommandLine,
  [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
  [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
  [in]                BOOL                  bInheritHandles,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCSTR                lpCurrentDirectory,
  [in]                LPSTARTUPINFOA        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);

验证代码

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

/*
 * Launch the command line given as the sole program argument with
 * CreateProcess, wait for it to exit, then release both handles.
 * This is Microsoft's "Creating Processes" sample and the reference point
 * the other wrappers on this page are compared against: the child runs in
 * the caller's security context and shows this process as its parent.
 *
 * argv[1] is passed as lpCommandLine, which CreateProcess may modify, so it
 * must be writable (argv storage is).
 * No return value: usage errors and CreateProcess failures go to stdout.
 * NOTE(review): printf is used with a TCHAR argv[0] and with a DWORD from
 * GetLastError() under %d; with UNICODE defined the first is a type
 * mismatch (_tprintf would be right) and the second should be %lu.
 */
void _tmain(int argc, TCHAR* argv[])
{
    STARTUPINFO startup;
    PROCESS_INFORMATION child;

    ZeroMemory(&startup, sizeof(startup));
    startup.cb = sizeof(startup);    // cb must be set or the call fails
    ZeroMemory(&child, sizeof(child));

    if (argc != 2) {
        printf("Usage: %s [cmdline]\n", argv[0]);
        return;
    }

    // Inherit environment and working directory, no handle inheritance,
    // no creation flags.
    BOOL started = CreateProcess(NULL,      // lpApplicationName: taken from the command line
                                 argv[1],   // lpCommandLine (writable)
                                 NULL,      // process security attributes
                                 NULL,      // thread security attributes
                                 FALSE,     // bInheritHandles
                                 0,         // dwCreationFlags
                                 NULL,      // environment: inherit
                                 NULL,      // current directory: inherit
                                 &startup,
                                 &child);
    if (!started) {
        printf("CreateProcess failed (%d).\n", GetLastError());
        return;
    }

    // Block until the child exits, then drop our references to it.
    WaitForSingleObject(child.hProcess, INFINITE);
    CloseHandle(child.hProcess);
    CloseHandle(child.hThread);
}

CreateProcessAsUserA

/*
 * CreateProcess variant that starts the child under an explicit primary
 * token instead of the caller's own (prototype as documented by Microsoft;
 * the bracketed markers are documentation, not C).
 *
 * hToken must be a primary token opened with TOKEN_QUERY, TOKEN_DUPLICATE
 * and TOKEN_ASSIGN_PRIMARY. Per Microsoft's documentation the caller
 * typically needs SE_INCREASE_QUOTA_NAME and, unless the token is a
 * restricted copy of its own primary token, SE_ASSIGNPRIMARYTOKEN_NAME.
 * Remaining parameters and the return/ownership contract match CreateProcessA.
 *
 * Defender note: when hToken is just a duplicate of the caller's own token
 * (as in the sample below), the child is indistinguishable from a plain
 * CreateProcess child in process-creation telemetry.
 */
BOOL CreateProcessAsUserA(
  [in, optional]      HANDLE                hToken,
  [in, optional]      LPCSTR                lpApplicationName,
  [in, out, optional] LPSTR                 lpCommandLine,
  [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
  [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
  [in]                BOOL                  bInheritHandles,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCSTR                lpCurrentDirectory,
  [in]                LPSTARTUPINFOA        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);

验证代码

#include <windows.h>
#include <stdio.h>

/*
 * Duplicate the calling process's own primary token and start calc.exe from
 * it with CreateProcessAsUserA. Because the token is the caller's own, the
 * child runs as the same user in the same logon session with this process
 * as its parent, so process-creation telemetry (4688, Sysmon event 1, kernel
 * callbacks) sees the same thing it would for a plain CreateProcess call.
 *
 * Returns 0 unconditionally.
 * NOTE(review): the OpenProcessToken, DuplicateTokenEx and
 * CreateProcessAsUserA results are not checked, and neither token handle
 * nor the child's hProcess/hThread is ever closed; kept as the author wrote
 * it, but expect leaked handles if this is reused.
 */
int main()
{
    // TOKEN_ASSIGN_PRIMARY on the source token is what allows the copy to
    // become a child's primary token.
    HANDLE ownToken = NULL;
    OpenProcessToken(GetCurrentProcess(),
                     TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY,
                     &ownToken);

    // CreateProcessAsUser requires a primary token, hence TokenPrimary.
    HANDLE childToken = NULL;
    DuplicateTokenEx(ownToken,
                     TOKEN_ALL_ACCESS,        // access requested on the copy
                     NULL,                    // default security descriptor
                     SecurityImpersonation,   // impersonation level
                     TokenPrimary,            // token type
                     &childToken);

    STARTUPINFOA startup = { 0 };
    PROCESS_INFORMATION child = { 0 };
    ZeroMemory(&startup, sizeof(STARTUPINFOA));   // redundant with = {0}; kept as written
    startup.cb = sizeof(STARTUPINFOA);
    startup.lpDesktop = (LPSTR)"winsta0\\default";  // interactive desktop
    startup.dwFlags = STARTF_USESHOWWINDOW;         // honour wShowWindow
    startup.wShowWindow = SW_SHOW;                  // visible window

    // Start the child on the duplicated token in a new console.
    CreateProcessAsUserA(childToken,
                         "C:\\Windows\\System32\\calc.exe",  // lpApplicationName
                         NULL,                               // lpCommandLine
                         NULL,                               // process security attributes
                         NULL,                               // thread security attributes
                         FALSE,                              // bInheritHandles
                         CREATE_NEW_CONSOLE,
                         NULL,                               // environment: inherit
                         NULL,                               // current directory: inherit
                         &startup,
                         &child);
    return 0;
}

CreateProcessWithLogonW

/*
 * Start a process under explicit credentials (prototype as documented by
 * Microsoft; bracketed markers are documentation, not C). Unicode only.
 *
 * lpUsername/lpPassword are mandatory and the password travels in plain
 * text in memory — callers should wipe their buffer afterwards.
 * dwLogonFlags: LOGON_WITH_PROFILE loads the user's profile and creates a
 * new logon session; LOGON_NETCREDENTIALS_ONLY keeps the caller's local
 * logon session and uses the credentials only on the network.
 * The call is serviced by the Secondary Logon service (seclogon), which must
 * be running; in practice the child's parent in process-creation telemetry
 * is that service's host process rather than the caller, so a parent/child
 * mismatch is a useful detection cue.
 * Return value and handle ownership as for CreateProcess.
 */
BOOL CreateProcessWithLogonW(
  [in]                LPCWSTR               lpUsername,
  [in, optional]      LPCWSTR               lpDomain,
  [in]                LPCWSTR               lpPassword,
  [in]                DWORD                 dwLogonFlags,
  [in, optional]      LPCWSTR               lpApplicationName,
  [in, out, optional] LPWSTR                lpCommandLine,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCWSTR               lpCurrentDirectory,
  [in]                LPSTARTUPINFOW        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);

验证代码

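#include <windows.h>
#include <stdio.h>
#include <wchar.h>

/*
 * Start calc.exe through CreateProcessWithLogonW with a fixed local account
 * ("test"/"test") and LOGON_NETCREDENTIALS_ONLY, then report the outcome.
 *
 * With LOGON_NETCREDENTIALS_ONLY the credentials are used only for outbound
 * network authentication; the child keeps the caller's local logon session.
 * The call is serviced by the Secondary Logon service, so the child's parent
 * in process-creation telemetry is that service's host process rather than
 * this program — a parent/child mismatch defenders can key on.
 *
 * Returns 0 when the process was created, 1 otherwise; the failure branch
 * maps common GetLastError() codes to a hint. Output strings are the
 * author's Chinese text, unchanged.
 *
 * Changes vs. the original listing: the switch uses winerror.h constants
 * instead of raw numbers (the raw 1311 was labelled ERROR_NO_SUCH_PRIVILEGE,
 * but 1311 is ERROR_NO_LOGON_SERVERS; ERROR_NO_SUCH_PRIVILEGE is 1313),
 * DWORD values are printed with %lu, wide strings with %ls, and the password
 * buffer is wiped with SecureZeroMemory before returning.
 * NOTE(review): a hard-coded plaintext credential in source is itself a
 * finding; real tooling would prompt or use a credential store.
 */
int main()
{
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    WCHAR szDesktop[] = L"winsta0\\default";
    wchar_t username[] = L"test";      // lpUsername is mandatory
    wchar_t password[] = L"test";      // lpPassword is mandatory
    wchar_t application[] = L"C:\\Windows\\System32\\calc.exe";

    printf("正在创建计算器进程...\n");

    // 1. Startup info: interactive desktop, visible window.
    ZeroMemory(&si, sizeof(STARTUPINFOW));
    si.cb = sizeof(STARTUPINFOW);
    si.lpDesktop = szDesktop;          // wide-char desktop name
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    wprintf(L"用户: %ls\n", username);
    wprintf(L"应用: %ls\n", application);

    // 2. Create the process. lpDomain "." means the local machine.
    BOOL bResult = CreateProcessWithLogonW(
        username,
        L".",
        password,
        LOGON_NETCREDENTIALS_ONLY,
        application,
        NULL,                 // lpCommandLine
        CREATE_NEW_CONSOLE,
        NULL,                 // environment: inherit
        NULL,                 // current directory: inherit
        &si,
        &pi);

    // 3. Report the result.
    if (bResult)
    {
        printf("✓ 进程创建成功!\n");
        printf("进程ID: %lu\n", pi.dwProcessId);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        DWORD error = GetLastError();
        printf("✗ 创建进程失败: %lu\n", error);
        switch (error)
        {
        case ERROR_LOGON_FAILURE:        // 1326
            printf("错误: 用户名或密码不正确\n");
            printf("请检查: \n");
            printf("1. 用户名是否正确\n");
            printf("2. 密码是否正确\n");
            printf("3. 用户是否有登录权限\n");
            break;
        case ERROR_ACCESS_DENIED:        // 5
            printf("错误: 访问被拒绝\n");
            printf("请以管理员身份运行\n");
            break;
        case ERROR_NO_SUCH_PRIVILEGE:    // 1313 (the original matched 1311)
            printf("错误: 没有所需权限\n");
            break;
        case ERROR_PRIVILEGE_NOT_HELD:   // 1314
            printf("错误: 权限不足\n");
            break;
        default:
            printf("未知错误,代码: %lu\n", error);
            break;
        }
    }

    // The password is no longer needed; wipe it so it does not linger on the
    // stack (a plain memset here could be optimised away).
    SecureZeroMemory(password, sizeof(password));
    return bResult ? 0 : 1;
}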

CreateProcessWithTokenW

/*
 * Start a process under an existing primary token (prototype as documented
 * by Microsoft; bracketed markers are documentation, not C). Unicode only.
 *
 * hToken must be a primary token with TOKEN_QUERY, TOKEN_DUPLICATE and
 * TOKEN_ASSIGN_PRIMARY; per Microsoft's documentation the caller needs
 * SE_IMPERSONATE_NAME. dwLogonFlags takes the same LOGON_* values as
 * CreateProcessWithLogonW. Like that function it is serviced by the
 * Secondary Logon service, so the child's recorded parent is normally the
 * service host rather than the caller.
 * Return value and handle ownership as for CreateProcess.
 */
BOOL CreateProcessWithTokenW(
  [in]                HANDLE                hToken,
  [in]                DWORD                 dwLogonFlags,
  [in, optional]      LPCWSTR               lpApplicationName,
  [in, out, optional] LPWSTR                lpCommandLine,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCWSTR               lpCurrentDirectory,
  [in]                LPSTARTUPINFOW        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);

验证代码

#include <windows.h>
#include <stdio.h>

/*
 * Open the calling process's token and duplicate it as a primary token.
 * Prints the same progress/failure lines as the original listing.
 * On success *own and *dup receive handles the caller must close and TRUE
 * is returned. On failure a message is printed, a handle already opened is
 * closed, and FALSE is returned.
 */
static BOOL duplicate_own_token(HANDLE *own, HANDLE *dup)
{
    // 1. Current process token with the rights needed to copy it into an
    //    assignable primary token.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY,
                          own))
    {
        printf("获取当前进程令牌失败: %d\n", GetLastError());
        return FALSE;
    }
    printf("✓ 获取令牌成功\n");

    // 2. Duplicate as a primary token; CreateProcessWithTokenW rejects
    //    impersonation tokens.
    if (!DuplicateTokenEx(*own, MAXIMUM_ALLOWED, NULL,
                          SecurityIdentification, TokenPrimary, dup))
    {
        printf("复制令牌失败: %d\n", GetLastError());
        CloseHandle(*own);
        return FALSE;
    }
    printf("✓ 复制令牌成功\n");
    return TRUE;
}

/*
 * Start calc.exe with CreateProcessWithTokenW using a duplicate of the
 * caller's own token. The child therefore runs as the same user; what
 * differs from CreateProcess is the route (Secondary Logon service), which
 * is why the child's recorded parent is normally the service host rather
 * than this program — a cue for parent/child-mismatch detections.
 *
 * Returns 1 if the token could not be obtained or duplicated, else 0
 * (even when CreateProcessWithTokenW itself fails, as in the original).
 * NOTE(review): DWORD ids and GetLastError() are printed with %d; %lu is
 * the matching specifier. Kept as written.
 */
int main()
{
    HANDLE ownToken = NULL;
    HANDLE childToken = NULL;
    STARTUPINFOW startup = { 0 };
    PROCESS_INFORMATION child = { 0 };
    WCHAR desktop[] = L"winsta0\\default";

    printf("正在使用当前用户令牌创建进程...\n");

    if (!duplicate_own_token(&ownToken, &childToken)) {
        return 1;
    }

    // 3. Startup info: interactive desktop, visible window.
    ZeroMemory(&startup, sizeof(STARTUPINFOW));
    startup.cb = sizeof(STARTUPINFOW);
    startup.lpDesktop = desktop;
    startup.dwFlags = STARTF_USESHOWWINDOW;
    startup.wShowWindow = SW_SHOW;

    // 4. Create the child on the duplicated token in a new console.
    BOOL created = CreateProcessWithTokenW(childToken,
                                           LOGON_NETCREDENTIALS_ONLY,
                                           L"C:\\Windows\\System32\\calc.exe",
                                           NULL,                // lpCommandLine
                                           CREATE_NEW_CONSOLE,
                                           NULL,                // environment: inherit
                                           NULL,                // current directory: inherit
                                           &startup,
                                           &child);
    if (created) {
        printf("========================================\n");
        printf("✓ 进程创建成功!\n");
        printf("进程ID: %d\n", child.dwProcessId);
        printf("线程ID: %d\n", child.dwThreadId);
        printf("========================================\n");
        CloseHandle(child.hProcess);
        CloseHandle(child.hThread);
    } else {
        printf("创建进程失败: %d\n", GetLastError());
    }

    // Both token handles are valid here; every failure path returned above.
    CloseHandle(childToken);
    CloseHandle(ownToken);
    return 0;
}

0x02 Shell执行API函数

system

/*
 * CRT wrappers around the command interpreter (narrow and wide forms).
 * On Windows the CRT does not run the command itself: it launches the
 * interpreter named by %COMSPEC% (normally cmd.exe) and hands it the string,
 * so the target becomes a grandchild of the caller with an intervening
 * cmd.exe — a parent/child chain that is easy to spot in process telemetry.
 * Returns the interpreter's exit status, or -1 if it could not be started;
 * system(NULL) only reports whether an interpreter is available.
 */
int system(
   const char *command
);
int _wsystem(
   const wchar_t *command
);

验证代码

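#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/*
 * Launch calc.exe through the CRT system() call.
 * system() passes the string to the command interpreter (%COMSPEC%, normally
 * cmd.exe), so the calculator is started by an intermediate cmd.exe rather
 * than by this program; on the defender side that is a cmd.exe child of this
 * process with calc.exe beneath it.
 * Returns 0; the interpreter's exit status is not inspected, as in the
 * original. <stdlib.h> is included because it is the header that declares
 * system(); the original relied on an implicit declaration.
 */
int main(void)
{
    (void)system("calc.exe");
    return 0;
}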

WinExec

/*
 * 16-bit compatibility wrapper that Microsoft documents as a thin layer over
 * CreateProcess: the command line runs in the caller's context and the
 * child's parent is the caller, so it offers nothing over CreateProcess in
 * process-creation telemetry. uCmdShow is the child's initial window state
 * (SW_HIDE hides it). Returns a value greater than 31 on success; smaller
 * values are legacy error codes (0 = out of resources, 2 = file not found).
 * The call returns once the child calls GetMessage or a time-out elapses.
 */
UINT WinExec(
  [in] LPCSTR lpCmdLine,
  [in] UINT   uCmdShow
);

验证代码

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

/*
 * Start calc.exe with WinExec and a hidden initial window (SW_HIDE).
 * WinExec is the legacy wrapper over CreateProcess, so the child is a direct
 * child of this process in the caller's security context; hiding the window
 * changes only the UI, not what process-creation telemetry records.
 * The return value (> 31 on success) is discarded, as in the original.
 */
int main()
{
    const UINT rc = WinExec("C:\\Windows\\System32\\calc.exe", SW_HIDE);
    (void)rc;
    return 0;
}

ShellExecute

/*
 * Shell-level launcher: resolves lpFile through the shell (verbs such as
 * "open", file associations, App Paths) and then creates the process.
 * The HINSTANCE-typed result is only an error code: greater than 32 means
 * success, 32 or less is an SE_ERR_* / ERROR_* value. Microsoft recommends
 * initialising COM before calling it, because shell extensions may run.
 * In the common case the shell ends up calling CreateProcess, so the launch
 * is still an ordinary process-creation event attributed to the caller.
 */
HINSTANCE ShellExecuteA(
  [in, optional] HWND   hwnd,
  [in, optional] LPCSTR lpOperation,
  [in]           LPCSTR lpFile,
  [in, optional] LPCSTR lpParameters,
  [in, optional] LPCSTR lpDirectory,
  [in]           INT    nShowCmd
);

验证代码

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

/*
 * Open notepad.exe via the shell "open" verb in a normal window.
 * No owner window, parameters or working directory are supplied; the shell
 * resolves the bare name "notepad.exe" itself. The HINSTANCE result
 * (> 32 on success) is ignored, as in the original listing.
 * NOTE(review): Microsoft recommends initialising COM before ShellExecute
 * because shell extensions may be invoked; the original does not.
 */
int main()
{
    const HINSTANCE rc = ShellExecuteW(NULL,            // hwnd
                                       L"open",         // lpOperation
                                       L"notepad.exe",  // lpFile
                                       NULL,            // lpParameters
                                       NULL,            // lpDirectory
                                       SW_SHOWNORMAL);  // nShowCmd
    (void)rc;
    return 0;
}

ShellExecuteExW

/*
 * Structure-based form of ShellExecute. pExecInfo->cbSize must be set; fMask
 * selects options — e.g. SEE_MASK_NOCLOSEPROCESS makes the function return
 * the new process handle in pExecInfo->hProcess, which the caller then owns
 * and must CloseHandle(). Returns nonzero on success; on failure
 * pExecInfo->hInstApp holds an SE_ERR_* code and GetLastError() the system
 * error. Same detection picture as ShellExecute: an ordinary process-creation
 * event attributed to the caller.
 */
BOOL ShellExecuteExW(
  [in, out] SHELLEXECUTEINFOW *pExecInfo
);

验证代码

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

/*
 * Launch calc.exe through ShellExecuteExW with a hidden window and ask for
 * the child's process handle (SEE_MASK_NOCLOSEPROCESS).
 * Only cbSize, lpFile, nShow and fMask are set; every other field is zero
 * from the aggregate initializer, so the default verb applies.
 * NOTE(review): with SEE_MASK_NOCLOSEPROCESS the returned hProcess stays
 * open — the original never closes it, and neither does this rewrite.
 * The BOOL result is not checked, as in the original.
 */
int main()
{
    SHELLEXECUTEINFOW request = { sizeof(request) };   // cbSize set, rest zeroed
    request.fMask = SEE_MASK_NOCLOSEPROCESS;
    request.nShow = SW_HIDE;
    request.lpFile = L"C:\\Windows\\System32\\calc.exe";
    ShellExecuteExW(&request);
    return 0;
}

0x03 结语

这里只介绍了部分用于创建进程的API或方法,在Windows上还有很多方式可以创建进程,比如WMI、COM、RPC等!需要注意的是,这些用户态封装最终都经过同一条内核进程创建路径,因此基于内核进程创建回调、安全日志4688或Sysmon事件1的检测并不取决于调用了哪一个API。

0x04 红蓝偶像练习生小圈子

圈子主要研究方向渗透测试、红蓝对抗、钓鱼手法思路、武器化作,红队工具二开与免杀。圈内不定期分享红队技术文章,攻防经验总结,学习笔记以及自研工具与插件,目前圈子已满300人,欢迎各位进圈子交流学习!

圈子目前更新相关技术文章:

* HeavenlyBypassAV内部版-轻松免杀各大杀软

  • 冰蝎webshell免杀工具

  • 哥斯拉webshell免杀工具

  • 红队场景下lnk钓鱼Bypass国内AV

  • 1日和0日POC

  • lnk钓鱼思路视频讲解

  • lnk钓鱼Bypass天擎

  • msi钓鱼

  • chm钓鱼

  • Kill360核晶

  • AV对抗-致盲AV(核晶)

  • 捆绑免杀360

  • 杀火绒

  • 火绒6.0内存免杀

  • kill-windows Defender

  • Defender分离免杀

  • Defender知识点

  • HeavenlyProtectionCS内部CS插件

  • EDR对抗思路

  • 进程注入知识点

  • 自启动思路

  • 多种维权手法

  • Fscan免杀核晶

  • QVM解决思路

  • 红队思路-钓鱼环境下小窗口截屏窃取

  • 免杀Todesk/向日葵读取工具

  • 渗透测试文章思路

  • 内网对抗文章思路

  • 还有更多红队思路文章!期待您的加入!!!



免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:安全天书 Hello888 Hello888《【免杀思路】进程创建下可用API平替》
