[旧帖] [求助]关于动态静态修改dll导出函数的问题 0.00雪花
发表于: 2009-3-8 08:48 2898
我想感染系统中指定的DLL,分别采用追加,替换,空洞的三种策略感染,具体思路及用到的函数是什么??动态感染和静态感染的区别??另外在使用替换方法时是替换的函数是否必须和原函数参数类型一样???我如何将一段代码任意插入到dll中,重定位问题似乎很难!!!我想用VC 6.0,汇编只是略知一二。
我的部分源码如下:
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
int main(int argc, char* argv[])
{
// Loads dll.dll into this process, walks its PE export directory, and then
// writes into the export address table twice: once in memory (WriteProcessMemory
// on the current process) and once on disk (WriteFile on dll.dll).
// The API sequence this produces -- LoadLibrary, VirtualProtect with
// PAGE_EXECUTE_READWRITE on a mapped image, WriteProcessMemory,
// FlushInstructionCache, CreateFile with GENERIC_ALL on a DLL, WriteFile --
// is exactly the chain host-based monitoring records as in-process and
// on-disk image tampering.
// Every failure path prints a message and returns 0, so the exit code never
// distinguishes success from failure. argc/argv are unused.
DWORD base;                 // module base kept as a 32-bit integer; the pointer<->DWORD casts below assume a 32-bit build
PIMAGE_DOS_HEADER pDH=NULL;
PIMAGE_NT_HEADERS pNH=NULL;
PIMAGE_OPTIONAL_HEADER pOH=NULL;
PIMAGE_EXPORT_DIRECTORY pExport=NULL;
DWORD addr_sub;             // VA of export "sub" as returned by GetProcAddress
DWORD addr_add;             // VA of export "add", queried before and after the in-memory write
DWORD OldAttrib;            // page protection saved by the first VirtualProtect
DWORD RecAttrib;            // protection reported back when restoring
SIZE_T * WrittenCount=NULL; // stays NULL: the byte count from WriteProcessMemory is never observed
DWORD BeWriten;             // byte-count out-parameter for WriteFile
base=(DWORD)LoadLibrary("dll.dll"); // maps dll.dll into this process (and runs its DllMain)
if(base==NULL)
{
printf("Can't load dll!!");
return 0;
}
/////////////////////////////////////////////////////////////
//Get function address;
////////////////////////////////////////////////////////////
addr_sub=(DWORD)::GetProcAddress((HMODULE)base,"sub");
if(addr_sub==NULL)
printf("Faile!!!");         // execution continues with addr_sub==0
else
printf("Sub Function address is:%X\n",addr_sub);
addr_add=(DWORD)::GetProcAddress((HMODULE)base,"add");
if(addr_add==NULL)
printf("Faile!!!");         // execution continues with addr_add==0
else
printf("Add Function address is:%X\n",addr_add);
/////////////////////////////////////////////////////////////////////////////////
//PE file information;
/////////////////////////////////////////////////////////////////////////////////
// Walk the mapped image: DOS header -> NT headers (at e_lfanew) -> optional
// header -> DataDirectory[0], the export directory entry. Its VirtualAddress
// is an RVA, hence added to the module base. No MZ/PE signature check and no
// directory-size check is done before these dereferences.
pDH=(PIMAGE_DOS_HEADER)base;
pNH=(PIMAGE_NT_HEADERS)((DWORD)pDH+pDH->e_lfanew);
pOH=&pNH->OptionalHeader;
pExport=PIMAGE_EXPORT_DIRECTORY((DWORD)pDH+(pOH->DataDirectory[0].VirtualAddress));
/////////////////////////////////////////////////////////////////////////////////
//dynamic modify add function address;
///////////////////////////////////////////////////////////////////////////////
// Changes the protection of the IMAGE_EXPORT_DIRECTORY struct itself (not of
// the AddressOfFunctions table written below) to RWX. A PAGE_EXECUTE_READWRITE
// request on a mapped image region is a high-signal event for memory-protection
// monitoring.
if(::VirtualProtect(pExport,
sizeof(*pExport),
PAGE_EXECUTE_READWRITE,
&OldAttrib)==0) //modify page memory attrib;
{
printf("Faile!!!!\n");
return 0;
}
// IsBadWritePtr is documented by Microsoft as obsolete: it probes the pages by
// touching them and can mask real faults.
if(::IsBadWritePtr(pExport,sizeof(*pExport))!=0)
{
printf("Have no access!!\n");
return 0;
}
// Copies the first 2 bytes of addr_sub into the first entry of the
// AddressOfFunctions table (the export with the lowest ordinal) of this same
// process. WrittenCount is NULL, so the actual byte count is discarded.
if(::WriteProcessMemory(::GetCurrentProcess(), //write sub address in the memory;
LPVOID((DWORD)pDH+(pExport->AddressOfFunctions)),
&addr_sub,
2,
WrittenCount))
printf("WriteProcessMemorySuccess!!\n");
else
{
printf("WriteProcessMemory Faile!!\n");
return 0;
}
// Restores the protection saved above on the export directory struct.
if(::VirtualProtect(pExport,
sizeof(*pExport),
OldAttrib,
&RecAttrib)==0) //recovery memory attrib
{
printf("Faile!!!!\n");
return 0;
}
// Flushes the instruction cache over the 2 patched bytes of the table
// (a data region, not code).
if(::FlushInstructionCache(::GetCurrentProcess(),
LPVOID((DWORD)pDH+(pExport->AddressOfFunctions)),
2)) //flush cache
printf("FlushInstructionCache OK!!\n");
else
{
printf("FlushInstructionCache Faile!!!\n");
return 0;
}
// Re-queries "add" through the (now altered) export table.
addr_add=(DWORD)::GetProcAddress((HMODULE)base,"add"); //New address
if(addr_add==NULL)
printf("Faile!!!");
else
printf("New add function address is:%X\n",addr_add);
/////////////////////////////////////////////////////////////////////
//static modify dll export;
////////////////////////////////////////////////////////////////////
DWORD Rva_add;   // declared but never used
HANDLE hfile;    // never passed to CloseHandle on any path below: the handle leaks
// Opens the on-disk dll.dll for writing (GENERIC_ALL) while the same file is
// still mapped by the LoadLibrary above. CreateFile reports failure with
// INVALID_HANDLE_VALUE, not NULL, so this check never fires on failure.
if(!(hfile=CreateFile("dll.dll",
GENERIC_ALL,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)))
{
printf("Open file faile!!\n");
return 0;
}
// Seeks to FILE_BEGIN + AddressOfFunctions, using the RVA value directly as a
// file position. SetFilePointer returns the new position, so a position of 0
// is also reported as failure here; INVALID_SET_FILE_POINTER is not checked.
if(!(::SetFilePointer(hfile,
(pExport->AddressOfFunctions),
NULL,
FILE_BEGIN))) //modify pointer to be written;
{
printf("SetFilePointer Faile\n!!");
return 0;
}
// Writes 2 bytes of addr_sub (the in-process VA obtained above) at that
// file position.
if(!(::WriteFile(hfile,
&addr_sub,
2,
&BeWriten,
NULL))) //write new address;
{
printf("WriteFile Faile!!\n");
return 0;
}
FreeLibrary((HMODULE)base); // unmaps the DLL; hfile is still open at this point
return 0;
}
我的部分源码如下:
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
int main(int argc, char* argv[])
{
// Loads dll.dll into this process, walks its PE export directory, and then
// writes into the export address table twice: once in memory (WriteProcessMemory
// on the current process) and once on disk (WriteFile on dll.dll).
// The API sequence this produces -- LoadLibrary, VirtualProtect with
// PAGE_EXECUTE_READWRITE on a mapped image, WriteProcessMemory,
// FlushInstructionCache, CreateFile with GENERIC_ALL on a DLL, WriteFile --
// is exactly the chain host-based monitoring records as in-process and
// on-disk image tampering.
// Every failure path prints a message and returns 0, so the exit code never
// distinguishes success from failure. argc/argv are unused.
DWORD base;                 // module base kept as a 32-bit integer; the pointer<->DWORD casts below assume a 32-bit build
PIMAGE_DOS_HEADER pDH=NULL;
PIMAGE_NT_HEADERS pNH=NULL;
PIMAGE_OPTIONAL_HEADER pOH=NULL;
PIMAGE_EXPORT_DIRECTORY pExport=NULL;
DWORD addr_sub;             // VA of export "sub" as returned by GetProcAddress
DWORD addr_add;             // VA of export "add", queried before and after the in-memory write
DWORD OldAttrib;            // page protection saved by the first VirtualProtect
DWORD RecAttrib;            // protection reported back when restoring
SIZE_T * WrittenCount=NULL; // stays NULL: the byte count from WriteProcessMemory is never observed
DWORD BeWriten;             // byte-count out-parameter for WriteFile
base=(DWORD)LoadLibrary("dll.dll"); // maps dll.dll into this process (and runs its DllMain)
if(base==NULL)
{
printf("Can't load dll!!");
return 0;
}
/////////////////////////////////////////////////////////////
//Get function address;
////////////////////////////////////////////////////////////
addr_sub=(DWORD)::GetProcAddress((HMODULE)base,"sub");
if(addr_sub==NULL)
printf("Faile!!!");         // execution continues with addr_sub==0
else
printf("Sub Function address is:%X\n",addr_sub);
addr_add=(DWORD)::GetProcAddress((HMODULE)base,"add");
if(addr_add==NULL)
printf("Faile!!!");         // execution continues with addr_add==0
else
printf("Add Function address is:%X\n",addr_add);
/////////////////////////////////////////////////////////////////////////////////
//PE file information;
/////////////////////////////////////////////////////////////////////////////////
// Walk the mapped image: DOS header -> NT headers (at e_lfanew) -> optional
// header -> DataDirectory[0], the export directory entry. Its VirtualAddress
// is an RVA, hence added to the module base. No MZ/PE signature check and no
// directory-size check is done before these dereferences.
pDH=(PIMAGE_DOS_HEADER)base;
pNH=(PIMAGE_NT_HEADERS)((DWORD)pDH+pDH->e_lfanew);
pOH=&pNH->OptionalHeader;
pExport=PIMAGE_EXPORT_DIRECTORY((DWORD)pDH+(pOH->DataDirectory[0].VirtualAddress));
/////////////////////////////////////////////////////////////////////////////////
//dynamic modify add function address;
///////////////////////////////////////////////////////////////////////////////
// Changes the protection of the IMAGE_EXPORT_DIRECTORY struct itself (not of
// the AddressOfFunctions table written below) to RWX. A PAGE_EXECUTE_READWRITE
// request on a mapped image region is a high-signal event for memory-protection
// monitoring.
if(::VirtualProtect(pExport,
sizeof(*pExport),
PAGE_EXECUTE_READWRITE,
&OldAttrib)==0) //modify page memory attrib;
{
printf("Faile!!!!\n");
return 0;
}
// IsBadWritePtr is documented by Microsoft as obsolete: it probes the pages by
// touching them and can mask real faults.
if(::IsBadWritePtr(pExport,sizeof(*pExport))!=0)
{
printf("Have no access!!\n");
return 0;
}
// Copies the first 2 bytes of addr_sub into the first entry of the
// AddressOfFunctions table (the export with the lowest ordinal) of this same
// process. WrittenCount is NULL, so the actual byte count is discarded.
if(::WriteProcessMemory(::GetCurrentProcess(), //write sub address in the memory;
LPVOID((DWORD)pDH+(pExport->AddressOfFunctions)),
&addr_sub,
2,
WrittenCount))
printf("WriteProcessMemorySuccess!!\n");
else
{
printf("WriteProcessMemory Faile!!\n");
return 0;
}
// Restores the protection saved above on the export directory struct.
if(::VirtualProtect(pExport,
sizeof(*pExport),
OldAttrib,
&RecAttrib)==0) //recovery memory attrib
{
printf("Faile!!!!\n");
return 0;
}
// Flushes the instruction cache over the 2 patched bytes of the table
// (a data region, not code).
if(::FlushInstructionCache(::GetCurrentProcess(),
LPVOID((DWORD)pDH+(pExport->AddressOfFunctions)),
2)) //flush cache
printf("FlushInstructionCache OK!!\n");
else
{
printf("FlushInstructionCache Faile!!!\n");
return 0;
}
// Re-queries "add" through the (now altered) export table.
addr_add=(DWORD)::GetProcAddress((HMODULE)base,"add"); //New address
if(addr_add==NULL)
printf("Faile!!!");
else
printf("New add function address is:%X\n",addr_add);
/////////////////////////////////////////////////////////////////////
//static modify dll export;
////////////////////////////////////////////////////////////////////
DWORD Rva_add;   // declared but never used
HANDLE hfile;    // never passed to CloseHandle on any path below: the handle leaks
// Opens the on-disk dll.dll for writing (GENERIC_ALL) while the same file is
// still mapped by the LoadLibrary above. CreateFile reports failure with
// INVALID_HANDLE_VALUE, not NULL, so this check never fires on failure.
if(!(hfile=CreateFile("dll.dll",
GENERIC_ALL,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)))
{
printf("Open file faile!!\n");
return 0;
}
// Seeks to FILE_BEGIN + AddressOfFunctions, using the RVA value directly as a
// file position. SetFilePointer returns the new position, so a position of 0
// is also reported as failure here; INVALID_SET_FILE_POINTER is not checked.
if(!(::SetFilePointer(hfile,
(pExport->AddressOfFunctions),
NULL,
FILE_BEGIN))) //modify pointer to be written;
{
printf("SetFilePointer Faile\n!!");
return 0;
}
// Writes 2 bytes of addr_sub (the in-process VA obtained above) at that
// file position.
if(!(::WriteFile(hfile,
&addr_sub,
2,
&BeWriten,
NULL))) //write new address;
{
printf("WriteFile Faile!!\n");
return 0;
}
FreeLibrary((HMODULE)base); // unmaps the DLL; hfile is still open at this point
return 0;
}