-
-
[原创]VC黑防日记(一):DLL隐藏和逆向(上)
-
发表于: 2020-1-6 15:40
-
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
①DLL编写:
添加C语言代码如下:
然后进行编译生成:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
这样的话,我们就把FreeLibrary阉割了,阉割后,就没有办法将DLL从内存中清出去,且擦出了注入的痕迹
这就好比隔壁老王办完事儿把床铺床单收拾整齐,擦出了痕迹,然后躲在了衣柜里~
这里的办事儿当然指的是隔壁老王去找隔壁老李媳妇儿打游戏啦,别多想
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x01:何为DLL?又为何要将其隐藏?
①何为DLL?
动态链接库英文为DLL,是Dynamic Link Library的缩写。DLL是一个包含可由多个程序,同时使用的代码和数据的库。例如,在 Windows 操作系统中,Comdlg32.dll 执行与对话框有关的常见函数。因此,每个程序都可以使用该 DLL 中包含的功能来实现“打开”对话框。这有助于避免代码重用和促进内存的有效使用。 通过使用 DLL,程序可以实现模块化,由相对独立的组件组成。例如,一个计帐程序可以按模块来销售。可以在运行时将各个模块加载到主程序中(如果安装了相应模块)。因为模块是彼此独立的,所以程序的加载速度更快,而且模块只在相应的功能被请求时才加载。
https://encyclopedia.thefreedictionary.com/Dynamic-link+library
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x01:何为DLL?又为何要将其隐藏?
①何为DLL?
动态链接库英文为DLL,是Dynamic Link Library的缩写。DLL是一个包含可由多个程序,同时使用的代码和数据的库。例如,在 Windows 操作系统中,Comdlg32.dll 执行与对话框有关的常见函数。因此,每个程序都可以使用该 DLL 中包含的功能来实现“打开”对话框。这有助于避免代码重用和促进内存的有效使用。 通过使用 DLL,程序可以实现模块化,由相对独立的组件组成。例如,一个计帐程序可以按模块来销售。可以在运行时将各个模块加载到主程序中(如果安装了相应模块)。因为模块是彼此独立的,所以程序的加载速度更快,而且模块只在相应的功能被请求时才加载。
动态链接库英文为DLL,是Dynamic Link Library的缩写。DLL是一个包含可由多个程序,同时使用的代码和数据的库。例如,在 Windows 操作系统中,Comdlg32.dll 执行与对话框有关的常见函数。因此,每个程序都可以使用该 DLL 中包含的功能来实现“打开”对话框。这有助于避免代码重用和促进内存的有效使用。 通过使用 DLL,程序可以实现模块化,由相对独立的组件组成。例如,一个计帐程序可以按模块来销售。可以在运行时将各个模块加载到主程序中(如果安装了相应模块)。因为模块是彼此独立的,所以程序的加载速度更快,而且模块只在相应的功能被请求时才加载。
动态链接库英文为DLL,是Dynamic Link Library的缩写。DLL是一个包含可由多个程序,同时使用的代码和数据的库。例如,在 Windows 操作系统中,Comdlg32.dll 执行与对话框有关的常见函数。因此,每个程序都可以使用该 DLL 中包含的功能来实现“打开”对话框。这有助于避免代码重用和促进内存的有效使用。 通过使用 DLL,程序可以实现模块化,由相对独立的组件组成。例如,一个计帐程序可以按模块来销售。可以在运行时将各个模块加载到主程序中(如果安装了相应模块)。因为模块是彼此独立的,所以程序的加载速度更快,而且模块只在相应的功能被请求时才加载。
https://encyclopedia.thefreedictionary.com/Dynamic-link+library
https://encyclopedia.thefreedictionary.com/Dynamic-link+library
②DLL为什么要被隐藏?
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x02:DLL隐藏常见手法
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x03:DLL编写与注入测试-小白入门
①DLL编写:
添加C语言代码如下:
#include <Windows.h>
BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
DisableThreadLibraryCalls(hDll);
if (dwReason == DLL_PROCESS_ATTACH)
{
//================================== OPTIONAL =========================================
MessageBoxA(0, "Message Test","Message Title", 0);
}
return 1;
}
然后进行编译生成:
#include <Windows.h>
BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
DisableThreadLibraryCalls(hDll);
if (dwReason == DLL_PROCESS_ATTACH)
{
//================================== OPTIONAL =========================================
MessageBoxA(0, "Message Test","Message Title", 0);
}
return 1;
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x04:手写代码实现注入
#include <Windows.h>
void Inject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
//申请一块内存给DLL路径
LPVOID pReturnAddress = VirtualAllocEx(hProcess, NULL, strlen(Path) + 1, MEM_COMMIT, PAGE_READWRITE);
//写入路径到上一行代码申请的内存中
WriteProcessMemory(hProcess, pReturnAddress, Path, strlen(Path) + 1, NULL);
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
int main()
{
//传dll路径
const char* a = "C:\\Users\\asus\\Desktop\\C++\\FirstDll.dll";
//传入进程ID
Inject(12944, (char*)a);
return 0;
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x04:与 LoadLibrary相对的FreeLibrary
//获取模块句柄
HMODULE GetProcessModuleHandleByName(DWORD pid, LPCSTR ModuleName)
{
MODULEENTRY32 ModuleInfo;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if (!hSnapshot)
{
return 0;
}
ZeroMemory(&ModuleInfo, sizeof(MODULEENTRY32));
ModuleInfo.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(hSnapshot, &ModuleInfo))
{
return 0;
}
do
{
if (!lstrcmpi(ModuleInfo.szModule, ModuleName))
{
CloseHandle(hSnapshot);
return ModuleInfo.hModule;
}
} while (Module32Next(hSnapshot, &ModuleInfo));
CloseHandle(hSnapshot);
return 0;
}
//获取进程id
DWORD GetProcessIDByName(const char* pName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hSnapshot) {
return NULL;
}
PROCESSENTRY32 pe = { sizeof(pe) };
for (BOOL ret = Process32First(hSnapshot, &pe); ret; ret = Process32Next(hSnapshot, &pe)) {
if (strcmp(pe.szExeFile, pName) == 0) {
CloseHandle(hSnapshot);
return pe.th32ProcessID;
}
//printf("%-6d %s\n", pe.th32ProcessID, pe.szExeFile);
}
CloseHandle(hSnapshot);
return 0;
}
#include <Windows.h>
#include <stdio.h>
#include "tlhelp32.h"
void Inject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
//申请一块内存给DLL路径
LPVOID pReturnAddress = VirtualAllocEx(hProcess, NULL, strlen(Path) + 1, MEM_COMMIT, PAGE_READWRITE);
//写入路径到上一行代码申请的内存中
WriteProcessMemory(hProcess, pReturnAddress, Path, strlen(Path) + 1, NULL);
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
HMODULE GetProcessModuleHandleByName(DWORD pid, LPCSTR ModuleName)
{
MODULEENTRY32 ModuleInfo;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if (!hSnapshot)
{
return 0;
}
ZeroMemory(&ModuleInfo, sizeof(MODULEENTRY32));
ModuleInfo.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(hSnapshot, &ModuleInfo))
{
return 0;
}
do
{
if (!lstrcmpi(ModuleInfo.szModule, ModuleName))
{
CloseHandle(hSnapshot);
return ModuleInfo.hModule;
}
} while (Module32Next(hSnapshot, &ModuleInfo));
CloseHandle(hSnapshot);
return 0;
}
DWORD GetProcessIDByName(const char* pName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hSnapshot) {
return NULL;
}
PROCESSENTRY32 pe = { sizeof(pe) };
for (BOOL ret = Process32First(hSnapshot, &pe); ret; ret = Process32Next(hSnapshot, &pe)) {
if (strcmp(pe.szExeFile, pName) == 0) {
CloseHandle(hSnapshot);
return pe.th32ProcessID;
}
//printf("%-6d %s\n", pe.th32ProcessID, pe.szExeFile);
}
CloseHandle(hSnapshot);
return 0;
}
void UnInject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
LPVOID pReturnAddress = GetProcessModuleHandleByName(GetProcessIDByName("代码注入器.exe"), "mydll.dll");
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
int main()
{
const char* a = "C:\\Users\\86186\\Desktop\\mydll.dll";
UnInject(GetProcessIDByName("代码注入器.exe"), (char*)a);
getchar();
return 0;
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x05:FreeLibrary卸载DLL跟DLL隐藏有什么关系?
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x06:分析FreeLibrary
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x07:逆向FreeLibrary
The ZwUnmapViewOfSection routine unmaps a view of a section from the virtual address space of a subject process.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x07:Patch函数首地址阉割FreeLibrary
这样的话,我们就把FreeLibrary阉割了,阉割后,就没有办法将DLL从内存中清出去,且擦出了注入的痕迹
这就好比隔壁老王办完事儿把床铺床单收拾整齐,擦出了痕迹,然后躲在了衣柜里~
这里的办事儿当然指的是隔壁老王去找隔壁老李媳妇儿打游戏啦,别多想
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x08:ShellCode代码实现
DWORD a = GetProcAddress(LoadLibrary("ntdll.dll"), "ZwUnmapViewOfSection");
DWORD dwOldProtect;
VirtualProtectEx(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIDByName("代码注入器.exe")),
addrfun,
6,
PAGE_EXECUTE_READWRITE,
&dwOldProtect); BYTE shellcode[] = { 0xc2, 0x08 , 0x00 , 0x90 , 0x90 };
WriteProcessMemory(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIDByName("代码注入器.exe")), addrfun, shellcode, 5, NULL);
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x09:DLL隐藏测试
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x10:总结
后续:干掉吾爱破解OD这类工具DLL的检测
欲知后事如何,且听我下回分晓~
#include <Windows.h>
#include <stdio.h>
#include "tlhelp32.h"
void Inject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
//申请一块内存给DLL路径
LPVOID pReturnAddress = VirtualAllocEx(hProcess, NULL, strlen(Path) + 1, MEM_COMMIT, PAGE_READWRITE);
//写入路径到上一行代码申请的内存中
WriteProcessMemory(hProcess, pReturnAddress, Path, strlen(Path) + 1, NULL);
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
HMODULE GetProcessModuleHandleByName(DWORD pid, LPCSTR ModuleName)
{
MODULEENTRY32 ModuleInfo;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if (!hSnapshot)
{
return 0;
}
ZeroMemory(&ModuleInfo, sizeof(MODULEENTRY32));
ModuleInfo.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(hSnapshot, &ModuleInfo))
{
return 0;
}
do
{
if (!lstrcmpi(ModuleInfo.szModule, ModuleName))
{
CloseHandle(hSnapshot);
return ModuleInfo.hModule;
}
} while (Module32Next(hSnapshot, &ModuleInfo));
CloseHandle(hSnapshot);
return 0;
}
DWORD GetProcessIDByName(const char* pName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hSnapshot) {
return NULL;
}
PROCESSENTRY32 pe = { sizeof(pe) };
for (BOOL ret = Process32First(hSnapshot, &pe); ret; ret = Process32Next(hSnapshot, &pe)) {
if (strcmp(pe.szExeFile, pName) == 0) {
CloseHandle(hSnapshot);
return pe.th32ProcessID;
}
//printf("%-6d %s\n", pe.th32ProcessID, pe.szExeFile);
}
CloseHandle(hSnapshot);
return 0;
}
void UnInject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
//WriteProcessMemory("")
LPVOID pReturnAddress = GetProcessModuleHandleByName(GetProcessIDByName("代码注入器.exe"), "mydll.dll");
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
int main()
{
const char* a = "C:\\Users\\86186\\Desktop\\mydll.dll";
HANDLE hToken = NULL;
//打开当前进程的访问令牌
int hRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
if (hRet)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
//取得描述权限的LUID
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
//调整访问令牌的权限
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hToken);
}
//定位函数地址
DWORD addrfun = GetProcAddress(LoadLibrary("ntdll.dll"), "ZwUnmapViewOfSection");
printf("%x \n\n", addrfun);
DWORD dwOldProtect;
//修改内存属性
VirtualProtectEx(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIDByName("代码注入器.exe")), addrfun, 6, PAGE_EXECUTE_READWRITE, &dwOldProtect);
//阉割函数
BYTE shellcode[] = { 0xc2, 0x08 , 0x00 , 0x90 , 0x90 };
WriteProcessMemory(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIDByName("代码注入器.exe")), addrfun, shellcode, 5, NULL);
//调用FreeLibrary实现卸载
UnInject(GetProcessIDByName("代码注入器.exe"), (char*)a);
//还原原函数
//B8 27 00 00 00
BYTE Oldcode[] = { 0xB8, 0x27 , 0x00 , 0x00 , 0x00 };
WriteProcessMemory(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIDByName("代码注入器.exe")), addrfun, Oldcode, 5, NULL);
getchar();
return 0;
}
#include <Windows.h>
void Inject(int pID, char* Path)
{
//获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
//申请一块内存给DLL路径
LPVOID pReturnAddress = VirtualAllocEx(hProcess, NULL, strlen(Path) + 1, MEM_COMMIT, PAGE_READWRITE);
//写入路径到上一行代码申请的内存中
WriteProcessMemory(hProcess, pReturnAddress, Path, strlen(Path) + 1, NULL);
//获取LoadLibraryA函数的地址
HMODULE hModule = LoadLibrary("KERNEL32.DLL");
LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
//创建远程线程-并获取线程的句柄
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, lpStartAddress, pReturnAddress, 0, NULL);
//等待线程事件
WaitForSingleObject(hThread, 2000);
//防止内存泄露
CloseHandle(hThread);
CloseHandle(hProcess);
}
int main()
{
//传dll路径
const char* a = "C:\\Users\\asus\\Desktop\\C++\\FirstDll.dll";
//传入进程ID
Inject(12944, (char*)a);
return 0;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
 搞了半天一大堆废话. 最后是对Freelibrary下HOOK. 调用ZwUnMapViewOfSection 思路不错.加油. 总结为一句话 HOOK Freelibrary 调用Freelibrary. HOOK位置是不让调用真正的ZwUnmapViewOfSection 最后还原.FreeLibrary.
|
|
|
 那写文章不得有头有尾儿啊,得让技术不好的也能看懂才行
|
|
|
|
|
|
写技术文章我感觉都是娱乐活动,写毕业论文实在是煎熬...另外数学也让我难受呀 |
|
|
这倒是,哈哈.鼓励鼓励.继续发原创帖 
|
|
|
|
|
|
|
|
|
|
|
|
第一次发现隐藏DLL是这么的简单
|
|
|
|
|
|
|
|
|
写的很风趣啊,支持一下! 
|
|
|
|
|
|
|
|
|
|
|
|
加油哦 |
|
|
我水平也不到家
|
|
|
加油,我写的帖子还是比较倾向于初学者的,以诙谐幽默的教学形式来撰写文章,希望大家能够喜欢并学到真东西 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
小迪xiaodi
