-
-
[原创]反射式DLL注入实现(ManualMap,手动解析PE并映射到目标进程再运行)
-
2022-4-30 21:58
-
一般而言要注入DLL到一个目标进程最简单的方法 就是先获取DLL文件路径,然后在目标进程分配内存空间将路径写入到目标进程,写入到目标进程后再调用CreateRemoteThread()/NtCreateThread()/RtlCreateUserThread()函数来运行LoadLibraryA/W函数调用自己的DLL,这种方法的缺陷也很明显那就是容易被游戏检测到,很容易被游戏拦截,比如CSGO最新版就已经有这个限制了。
想要突破CSGO的限制注入DLL进去,我们可以采用反射式注入的方法(也可以先恢复CSGOhook的api进行远程线程注入),那么什么是反射式注入呢?又有什么有点呢?
反射式dll注入与常规dll注入类似,而不同的地方在于反射式dll注入技术自己实现了一个reflective loader()函数来代替LoadLibaryA()函数去加载dll,示意图如下图所示。蓝色的线表示与用常规dll注入相同的步骤,红框中的是reflective loader()函数行为,也是下面重点描述的地方。
Reflective loader实现思路如下:
1.获得被注入进程未解析的dll的基地址。
2.获得必要的dll句柄和函数为修复导入表做准备。
3.分配一块新内存去取解析dll,并把pe头复制到新内存中和将各节复制到新内存中。
4.修复导入表和重定向表。
5.执行DllMain()函数。
核心代码如下:
ManualMapInject.h
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | #pragma once#include "Injector.h"using f_LoadLibraryA = HINSTANCE(WINAPI*)(const char* lpLibFilename);using f_GetProcAddress = FARPROC(WINAPI*)(HMODULE hModule, LPCSTR lpProcName);using f_DLL_ENTRY_POINT = BOOL(WINAPI*)(void* hDll, DWORD dwReason, void* pReserved);#ifdef _WIN64using f_RtlAddFunctionTable = BOOL(WINAPIV*)(PRUNTIME_FUNCTION FunctionTable, DWORD EntryCount, DWORD64 BaseAddress);#endifstruct MANUAL_MAPPING_DATA{ f_LoadLibraryA pLoadLibraryA; f_GetProcAddress pGetProcAddress;#ifdef _WIN64 f_RtlAddFunctionTable pRtlAddFunctionTable;#endif BYTE* pbase; HINSTANCE hMod; DWORD fdwReasonParam; LPVOID reservedParam; BOOL SEHSupport;};//Note: Exception support only x64 with build params /EHa or /EHcbool ManualMapDll(HANDLE hProc, BYTE* pSrcData, SIZE_T FileSize, bool ClearHeader = true, bool ClearNonNeededSections = true, bool AdjustProtections = true, bool SEHExceptionSupport = true, DWORD fdwReason = DLL_PROCESS_ATTACH, LPVOID lpReserved = 0);void __stdcall Shellcode(MANUAL_MAPPING_DATA* pData);class CManualMapInject :public CInjector{public: CManualMapInject(); virtual ~CManualMapInject(); virtual bool InjectorDLL(TCHAR* szPath,DWORD dwPid);}; |
ManualMapInject.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 | #include "pch.h"#include "ManualMapInject.h"#ifdef _WIN64#define CURRENT_ARCH IMAGE_FILE_MACHINE_AMD64#else#define CURRENT_ARCH IMAGE_FILE_MACHINE_I386#endif#define RELOC_FLAG32(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_HIGHLOW)#define RELOC_FLAG64(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_DIR64)#ifdef _WIN64#define RELOC_FLAG RELOC_FLAG64#else#define RELOC_FLAG RELOC_FLAG32#endifCManualMapInject::CManualMapInject(){}CManualMapInject::~CManualMapInject(){}bool CManualMapInject::InjectorDLL(TCHAR* szPath, DWORD dwPid){ HANDLE hProc = GetProcessHandle(dwPid); if (!hProc || !IsCorrectTargetArchitecture(hProc) || GetFileAttributes(szPath) == INVALID_FILE_ATTRIBUTES) { return false; }// std::ifstream File(szPath, std::ios::binary | std::ios::ate);//// if (File.fail())// {// printf("Opening the file failed: %X\n", (DWORD)File.rdstate());// File.close();// CloseHandle(hProc);// system("PAUSE");// return -5;// }//// auto FileSize = File.tellg();// if (FileSize < 0x1000)// {// printf("Filesize invalid.\n");// File.close();// CloseHandle(hProc);// system("PAUSE");// return -6;// }//// BYTE* pSrcData = new BYTE[(UINT_PTR)FileSize];// if (!pSrcData)// {// printf("Can't allocate dll file.\n");// File.close();// CloseHandle(hProc);// system("PAUSE");// return -7;// }//// File.seekg(0, std::ios::beg);// File.read((char*)(pSrcData), FileSize);// File.close(); CFile file; file.Open(szPath, CFile::modeRead); ULONGLONG nFileSize = file.GetLength(); BYTE* pSrcData = new BYTE[nFileSize]; ZeroMemory(pSrcData,nFileSize); file.SeekToBegin(); file.Read(pSrcData,nFileSize); file.Close(); if (!ManualMapDll(hProc, pSrcData, nFileSize)) { delete[] pSrcData; CloseHandle(hProc); return false; } delete[] pSrcData; CloseHandle(hProc); return false;}bool ManualMapDll(HANDLE hProc, BYTE* pSrcData, SIZE_T FileSize, bool ClearHeader, bool ClearNonNeededSections, bool AdjustProtections, bool SEHExceptionSupport, DWORD fdwReason, LPVOID lpReserved) { IMAGE_NT_HEADERS* pOldNtHeader = nullptr; IMAGE_OPTIONAL_HEADER* pOldOptHeader = nullptr; IMAGE_FILE_HEADER* pOldFileHeader = nullptr; BYTE* pTargetBase = nullptr; if (reinterpret_cast<IMAGE_DOS_HEADER*>(pSrcData)->e_magic != 0x5A4D)//"MZ" { return false; } pOldNtHeader = reinterpret_cast<IMAGE_NT_HEADERS*>(pSrcData + reinterpret_cast<IMAGE_DOS_HEADER*>(pSrcData)->e_lfanew); pOldOptHeader = &pOldNtHeader->OptionalHeader; pOldFileHeader = &pOldNtHeader->FileHeader; if (pOldFileHeader->Machine != CURRENT_ARCH) { return false; } pTargetBase = reinterpret_cast<BYTE*>(VirtualAllocEx(hProc, nullptr, pOldOptHeader->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)); if (!pTargetBase) { return false; } DWORD oldp = 0; VirtualProtectEx(hProc, pTargetBase, pOldOptHeader->SizeOfImage, PAGE_EXECUTE_READWRITE, &oldp); MANUAL_MAPPING_DATA data{ 0 }; data.pLoadLibraryA = LoadLibraryA; data.pGetProcAddress = GetProcAddress;#ifdef _WIN64 data.pRtlAddFunctionTable = (f_RtlAddFunctionTable)RtlAddFunctionTable;#else SEHExceptionSupport = false;#endif data.pbase = pTargetBase; data.fdwReasonParam = fdwReason; data.reservedParam = lpReserved; data.SEHSupport = SEHExceptionSupport; //PE header if (!WriteProcessMemory(hProc, pTargetBase, pSrcData, 0x1000, nullptr)) //only first 0x1000 bytes for the header { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); return false; } IMAGE_SECTION_HEADER* pSectionHeader = IMAGE_FIRST_SECTION(pOldNtHeader); for (UINT i = 0; i != pOldFileHeader->NumberOfSections; ++i, ++pSectionHeader) { if (pSectionHeader->SizeOfRawData) { if (!WriteProcessMemory(hProc, pTargetBase + pSectionHeader->VirtualAddress, pSrcData + pSectionHeader->PointerToRawData, pSectionHeader->SizeOfRawData, nullptr)) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); return false; } } } //Mapping params BYTE* MappingDataAlloc = reinterpret_cast<BYTE*>(VirtualAllocEx(hProc, nullptr, sizeof(MANUAL_MAPPING_DATA), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)); if (!MappingDataAlloc) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); return false; } if (!WriteProcessMemory(hProc, MappingDataAlloc, &data, sizeof(MANUAL_MAPPING_DATA), nullptr)) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); return false; } //Shell code void* pShellcode = VirtualAllocEx(hProc, nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!pShellcode) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); return false; } if (!WriteProcessMemory(hProc, pShellcode, Shellcode, 0x1000, nullptr)) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); VirtualFreeEx(hProc, pShellcode, 0, MEM_RELEASE); return false; } HANDLE hThread = CreateRemoteThread(hProc, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(pShellcode), MappingDataAlloc, 0, nullptr); if (!hThread) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); VirtualFreeEx(hProc, pShellcode, 0, MEM_RELEASE); return false; } WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); HINSTANCE hCheck = NULL; while (!hCheck) { DWORD exitcode = 0; GetExitCodeProcess(hProc, &exitcode); if (exitcode != STILL_ACTIVE) { return false; } MANUAL_MAPPING_DATA data_checked{ 0 }; ReadProcessMemory(hProc, MappingDataAlloc, &data_checked, sizeof(data_checked), nullptr); hCheck = data_checked.hMod; if (hCheck == (HINSTANCE)0x404040) { VirtualFreeEx(hProc, pTargetBase, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); VirtualFreeEx(hProc, pShellcode, 0, MEM_RELEASE); return false; } else if (hCheck == (HINSTANCE)0x505050) { //Exception support failed! } Sleep(10); } BYTE* emptyBuffer = (BYTE*)malloc(1024 * 1024 * 20); if (emptyBuffer == nullptr) { return false; } memset(emptyBuffer, 0, 1024 * 1024 * 20); //CLEAR PE HEAD if (ClearHeader) { WriteProcessMemory(hProc, pTargetBase, emptyBuffer, 0x1000, nullptr); } //END CLEAR PE HEAD if (ClearNonNeededSections) { pSectionHeader = IMAGE_FIRST_SECTION(pOldNtHeader); for (UINT i = 0; i != pOldFileHeader->NumberOfSections; ++i, ++pSectionHeader) { if (pSectionHeader->Misc.VirtualSize) { if ((SEHExceptionSupport ? 0 : strcmp((char*)pSectionHeader->Name, ".pdata") == 0) || strcmp((char*)pSectionHeader->Name, ".rsrc") == 0 || strcmp((char*)pSectionHeader->Name, ".reloc") == 0) { WriteProcessMemory(hProc, pTargetBase + pSectionHeader->VirtualAddress, emptyBuffer, pSectionHeader->Misc.VirtualSize, nullptr); } } } } if (AdjustProtections) { pSectionHeader = IMAGE_FIRST_SECTION(pOldNtHeader); for (UINT i = 0; i != pOldFileHeader->NumberOfSections; ++i, ++pSectionHeader) { if (pSectionHeader->Misc.VirtualSize) { DWORD old = 0; DWORD newP = PAGE_READONLY; if ((pSectionHeader->Characteristics & IMAGE_SCN_MEM_WRITE) > 0) { newP = PAGE_READWRITE; } else if ((pSectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) > 0) { newP = PAGE_EXECUTE_READ; } VirtualProtectEx(hProc, pTargetBase + pSectionHeader->VirtualAddress, pSectionHeader->Misc.VirtualSize, newP, &old); } } DWORD old = 0; VirtualProtectEx(hProc, pTargetBase, IMAGE_FIRST_SECTION(pOldNtHeader)->VirtualAddress, PAGE_READONLY, &old); } WriteProcessMemory(hProc, pShellcode, emptyBuffer, 0x1000, nullptr); VirtualFreeEx(hProc, pShellcode, 0, MEM_RELEASE); VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE); return true;}//#pragma runtime_checks( "", off )//#pragma optimize( "", off )void __stdcall Shellcode(MANUAL_MAPPING_DATA* pData){ if (!pData) { pData->hMod = (HINSTANCE)0x404040; return; } BYTE* pBase = pData->pbase; auto* pOpt = &reinterpret_cast<IMAGE_NT_HEADERS*>(pBase + reinterpret_cast<IMAGE_DOS_HEADER*>((uintptr_t)pBase)->e_lfanew)->OptionalHeader; auto _LoadLibraryA = pData->pLoadLibraryA; auto _GetProcAddress = pData->pGetProcAddress;#ifdef _WIN64 auto _RtlAddFunctionTable = pData->pRtlAddFunctionTable;#endif auto _DllMain = reinterpret_cast<f_DLL_ENTRY_POINT>(pBase + pOpt->AddressOfEntryPoint); BYTE* LocationDelta = pBase - pOpt->ImageBase; if (LocationDelta) { if (pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size) { auto* pRelocData = reinterpret_cast<IMAGE_BASE_RELOCATION*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); const auto* pRelocEnd = reinterpret_cast<IMAGE_BASE_RELOCATION*>(reinterpret_cast<uintptr_t>(pRelocData) + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); while (pRelocData < pRelocEnd && pRelocData->SizeOfBlock) { UINT AmountOfEntries = (pRelocData->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD); WORD* pRelativeInfo = reinterpret_cast<WORD*>(pRelocData + 1); for (UINT i = 0; i != AmountOfEntries; ++i, ++pRelativeInfo) { if (RELOC_FLAG(*pRelativeInfo)) { UINT_PTR* pPatch = reinterpret_cast<UINT_PTR*>(pBase + pRelocData->VirtualAddress + ((*pRelativeInfo) & 0xFFF)); *pPatch += reinterpret_cast<UINT_PTR>(LocationDelta); } } pRelocData = reinterpret_cast<IMAGE_BASE_RELOCATION*>(reinterpret_cast<BYTE*>(pRelocData) + pRelocData->SizeOfBlock); } } } if (pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size) { auto* pImportDescr = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); while (pImportDescr->Name) { char* szMod = reinterpret_cast<char*>(pBase + pImportDescr->Name); HINSTANCE hDll = _LoadLibraryA(szMod); ULONG_PTR* pThunkRef = reinterpret_cast<ULONG_PTR*>(pBase + pImportDescr->OriginalFirstThunk); ULONG_PTR* pFuncRef = reinterpret_cast<ULONG_PTR*>(pBase + pImportDescr->FirstThunk); if (!pThunkRef) pThunkRef = pFuncRef; for (; *pThunkRef; ++pThunkRef, ++pFuncRef) { if (IMAGE_SNAP_BY_ORDINAL(*pThunkRef)) { *pFuncRef = (ULONG_PTR)_GetProcAddress(hDll, reinterpret_cast<char*>(*pThunkRef & 0xFFFF)); } else { auto* pImport = reinterpret_cast<IMAGE_IMPORT_BY_NAME*>(pBase + (*pThunkRef)); *pFuncRef = (ULONG_PTR)_GetProcAddress(hDll, pImport->Name); } } ++pImportDescr; } } if (pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size) { auto* pTLS = reinterpret_cast<IMAGE_TLS_DIRECTORY*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); auto* pCallback = reinterpret_cast<PIMAGE_TLS_CALLBACK*>(pTLS->AddressOfCallBacks); for (; pCallback && *pCallback; ++pCallback) (*pCallback)(pBase, DLL_PROCESS_ATTACH, nullptr); } bool ExceptionSupportFailed = false;#ifdef _WIN64 if (pData->SEHSupport) { auto excep = pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION]; if (excep.Size) { if (!_RtlAddFunctionTable( reinterpret_cast<IMAGE_RUNTIME_FUNCTION_ENTRY*>(pBase + excep.VirtualAddress), excep.Size / sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY), (DWORD64)pBase)) { ExceptionSupportFailed = true; } } }#endif _DllMain(pBase, pData->fdwReasonParam, pData->reservedParam); if (ExceptionSupportFailed) pData->hMod = reinterpret_cast<HINSTANCE>(0x505050); else pData->hMod = reinterpret_cast<HINSTANCE>(pBase);} |
运行效果如下:
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2022-5-6 22:05
被_DriverEntry编辑
,原因: 之前图片没显示出来
|
|
|---|---|
|
|
|
|
|
这个不用 |
|
|
|
|
|
DLL可以做处理,可以不做处理。不做处理就是需要先注入一段shellcode或者一个特殊的dll,调用那注入的代码进行加载DLL。 如果不做进程内加载dll工作,调用的第三方dll就有限制,只能利用已加载,其他就需要自己load(也就是改需要注入dll的代码了) |
|
|
|
|
|
|
|
|
感谢分享 |
|
|
|
|
|
|
|
|
|
|
|
关键函数喽,CreateRemoteThread这种的 |
|
|
最后于 2023-8-1 16:24
被Uioa编辑
,原因:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
攻防这事没有尽头的,线程方式可以使用 DLL_THREAD_ATTACH 互调处理,但是你也可以不开辟线程,使用已有的线程 SetThreadContext 设置Eip指向shellcode(但shellcode要做好返回原地址执行的操作),也可以 用这种方法先用 DisableThreadLibraryCalls 废掉线程回调。检测内存遍历,对应就是抹掉PE头。检测所有线程运行地址是否在自己模块或者系统模块内,使用栈回溯看是否被其他非法模块调用,,,,,《游戏外挂攻防艺术》里面总结比较好了 |
|
|
|
|
|
|
