0x07.挂钩窗口消息
挂钩窗口消息使用了MS提供的一个API接口SetWindowsHookEx,它的工作原理是给带窗口的目标进程的某个线程的某个消息挂钩上我们Dll导出的函数,一旦消息触发,则导出函数就会被调用。前面学习到的几种方法归根结底是调用了LoadLibrary,而这个方法并没有。
// 注入exe关键代码 给目标线程的指定消息上下钩,走进Dll导出函数
// Installs a WH_KEYBOARD hook on ThreadId whose hook procedure is the
// exported Sub_1 of our DLL; as described above, the system then loads the
// DLL into the owning process when a keyboard message is delivered.
// ThreadId   : id of the target thread to hook (IN)
// HookHandle : receives the hook handle, NULL when SetWindowsHookEx fails (OUT)
// Returns TRUE when the hook was installed.
// DllFullPath is a global defined elsewhere.
// NOTE(review): neither the LoadLibraryA nor the GetProcAddress result is
// checked; a NULL module or procedure is passed straight to SetWindowsHookEx.
BOOL Inject(IN UINT32 ThreadId, OUT HHOOK& HookHandle)
{
    // The DLL is loaded locally first: SetWindowsHookEx needs the module
    // handle and the address of the hook procedure inside it.
    HMODULE DllModule = LoadLibraryA(DllFullPath);
    FARPROC FunctionAddress = GetProcAddress(DllModule, "Sub_1");
    HookHandle = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)FunctionAddress, DllModule, ThreadId);
    if (HookHandle == NULL)
    {
        return FALSE;
    }
    return TRUE;
}
// 动态库中导出函数
// Exported hook procedure used by Inject(). It only shows a message box.
// NOTE(review): a HOOKPROC takes (int, WPARAM, LPARAM) and returns LRESULT;
// Sub_1 takes no parameters and returns VOID, the mismatch is hidden by the
// (HOOKPROC) cast at the call site. It also never calls CallNextHookEx, so
// the message is not passed on to other hooks in the chain.
extern "C"
__declspec(dllexport)
VOID Sub_1()
{
    MessageBox(0, 0, 0, 0);
}
0x08.远程手动实现LoadLibrary
该方法学习自github上名叫ReflectiveDllInjection的项目,大体上分为两个部分,exe和dll,下面分别简述。
exe:作为注入启动程序,在目标进程申请一块儿PAGE_EXECUTE_READWRITE内存,将Dll以文件格式直接写入目标进程内存空间中,然后获得导出函数"LoadDllByOEP"在文件中的偏移,使用CreateRemoteThread直接让目标进程去执行LoadDllByOEP函数。
Dll:最关键导出 LoadDllByOEP 函数,在该函数里,首先通过目标进程加载模块ntdll.dll的导出表中获得NtFlushInstructionCache函数地址,在Kernel32.dll的导出表中获得LoadLibraryA、GetProcAddress、VirtualAlloc函数地址;然后在进程内存空间里重新申请内存,拷贝自己的PE结构到内存里,接着修正IAT和重定向块,最后调用模块OEP,完成了手动实现LoadLibrary!
ps:写代码时参考《Windows PE权威指南》,对整个PE结构又有了新的认识。我有for循环强迫症。。这份代码就全贴上了。
// InjectDllByOEP.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
using namespace std;
// Forward declarations for the helpers defined below main().
BOOL GrantPriviledge(WCHAR* PriviledgeName);
UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer);
UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader);
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId);
HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam);
// Full path of the payload DLL; filled in by main() from the current directory.
CHAR DllFullPath[MAX_PATH] = { 0 };
/************************************************************************
* Injector entry point.
* 1. Enables SE_DEBUG_NAME on the current token (failure is only logged).
* 2. Looks up the target process id by image name and builds the payload
*    DLL path from the current directory (x64 or x86 build).
* 3. Reads the DLL file into a heap buffer and hands it to LoadRemoteDll,
*    which copies it into the target and starts a thread there.
* Always returns 0; errors are only reported through printf.
* NOTE(review): the result of GetProcessIdByProcessImageName is ignored, so
* a missing target leaves ProcessId == 0 and OpenProcess fails later. The
* remote ThreadHandle is waited on but never closed. The "Errorrn" message
* suffixes and the "x64LoadRemoteDll.dll" literals look like a "\r\n" and a
* "\\" path separator lost in extraction - confirm against the original.
************************************************************************/
int main()
{
    // Try to obtain SeDebugPrivilege first.
    if (GrantPriviledge(SE_DEBUG_NAME) == FALSE)
    {
        printf("GrantPriviledge Errorrn");
    }
    // Resolve the target process id from its image name.
    UINT32 ProcessId = 0;
    GetCurrentDirectoryA(MAX_PATH, DllFullPath);
#ifdef _WIN64
    GetProcessIdByProcessImageName(L"explorer.exe", &ProcessId);
    strcat_s(DllFullPath, "x64LoadRemoteDll.dll");
#else
    GetProcessIdByProcessImageName(L"notepad++.exe", &ProcessId);
    strcat_s(DllFullPath, "x86LoadRemoteDll.dll");
#endif
    // Open the DLL file.
    HANDLE FileHandle = CreateFileA(DllFullPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (FileHandle == INVALID_HANDLE_VALUE)
    {
        printf("Open File Errorrn");
        return 0;
    }
    // Size of the DLL file (low 32 bits only).
    UINT32 FileSize = GetFileSize(FileHandle, NULL);
    if (FileSize == INVALID_FILE_SIZE || FileSize == 0)
    {
        printf("Get File Size Errorrn");
        CloseHandle(FileHandle);
        return 0;
    }
    // Buffer for the raw file image.
    PVOID FileData = HeapAlloc(GetProcessHeap(), 0, FileSize);
    if (FileData == NULL)
    {
        printf("HeapAlloc Errorrn");
        CloseHandle(FileHandle);
        return 0;
    }
    DWORD ReturnLength = 0;
    // ReturnLength is not compared with FileSize, so a short read goes unnoticed.
    BOOL bOk = ReadFile(FileHandle, FileData, FileSize, &ReturnLength, NULL);
    CloseHandle(FileHandle);
    if (bOk == FALSE)
    {
        printf("ReadFile Errorrn");
        HeapFree(GetProcessHeap(), 0, FileData);
        return 0;
    }
    HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
    if (ProcessHandle == NULL)
    {
        printf("OpenProcess Errorrn");
        HeapFree(GetProcessHeap(), 0, FileData);
        return 0;
    }
    // Run the exported LoadDllByOEP inside the target; it maps the DLL itself.
    HANDLE ThreadHandle = LoadRemoteDll(ProcessHandle, FileData, FileSize, NULL);
    if (ThreadHandle == NULL)
    {
        goto _Clear;
    }
    WaitForSingleObject(ThreadHandle, INFINITE);
_Clear:
    if (FileData)
    {
        HeapFree(GetProcessHeap(), 0, FileData);
    }
    if (ProcessHandle)
    {
        CloseHandle(ProcessHandle);
    }
    return 0;
}
/************************************************************************
* Name : LoadRemoteDll
* Param: ProcessHandle         handle to the target process (IN)
* Param: ModuleFileBaseAddress local buffer holding the DLL in file layout (IN)
* Param: ModuleFileSize        size of that buffer in bytes (IN)
* Param: lParam                argument handed to the remote thread (IN)
* Ret  : HANDLE of the remote thread, or NULL on any failure or exception
* Copies the raw DLL file into the target and starts a thread at the file
* offset of the exported LoadDllByOEP, which then maps the image itself.
* NOTE(review): the remote allocation is PAGE_EXECUTE_READWRITE and is never
* released; when WriteProcessMemory or CreateRemoteThread fails it leaks in
* the target. Any exception inside __try is swallowed and reported as NULL.
************************************************************************/
HANDLE WINAPI LoadRemoteDll(HANDLE ProcessHandle, PVOID ModuleFileBaseAddress, UINT32 ModuleFileSize, LPVOID lParam)
{
    HANDLE ThreadHandle = NULL;
    __try
    {
        if (ProcessHandle == NULL || ModuleFileBaseAddress == NULL || ModuleFileSize == 0)
        {
            return NULL;
        }
        // File offset of the export relative to the start of the buffer.
        UINT32 FunctionOffset = GetLoadDllByOEPOffsetInFile(ModuleFileBaseAddress);
        if (FunctionOffset == 0)
        {
            return NULL;
        }
        // Reserve and commit a writable+executable region in the target.
        PVOID RemoteBufferData = VirtualAllocEx(ProcessHandle, NULL, ModuleFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (RemoteBufferData == NULL)
        {
            return NULL;
        }
        // Copy the file image as-is (no section mapping) into that region.
        BOOL bOk = WriteProcessMemory(ProcessHandle, RemoteBufferData, ModuleFileBaseAddress, ModuleFileSize, NULL);
        if (bOk == FALSE)
        {
            return NULL;
        }
        // Thread start = remote buffer + file offset of LoadDllByOEP; the
        // function must therefore be position independent until it has
        // mapped and relocated the image. Stack size requested: 1 MiB.
        LPTHREAD_START_ROUTINE RemoteThreadCallBack = (LPTHREAD_START_ROUTINE)((PUINT8)RemoteBufferData + FunctionOffset);
        ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 1024 * 1024, RemoteThreadCallBack, lParam, 0, NULL);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        ThreadHandle = NULL;
    }
    return ThreadHandle;
}
/************************************************************************
* Name : GetLoadDllByOEPOffsetInFile
* Param: DllBuffer  DLL image in file layout (IN)
* Ret  : UINT32  file offset of the export whose name contains "LoadDllByOEP",
*        0 when the image is neither PE32 nor PE32+ or no match is found
* Walks the export directory of an unmapped image; every RVA is turned into
* a file offset with RVAToOffset before it is dereferenced.
* NOTE(review): AddressOfNames is never advanced, so every iteration compares
* the first name entry while only the ordinal index i changes; the loop is
* bounded by NumberOfFunctions rather than NumberOfNames; strstr accepts any
* export whose name merely contains the substring. e_lfanew and the
* directory RVAs are used without bounds checks against the buffer.
************************************************************************/
UINT32 GetLoadDllByOEPOffsetInFile(PVOID DllBuffer)
{
    UINT_PTR BaseAddress = (UINT_PTR)DllBuffer;
    PIMAGE_DOS_HEADER DosHeader = NULL;
    PIMAGE_NT_HEADERS NtHeader = NULL;
    DosHeader = (PIMAGE_DOS_HEADER)BaseAddress;
    NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)BaseAddress + DosHeader->e_lfanew);
    // Only the two ordinary optional-header magics are accepted
    // (0x10b = PE32, 0x20b = PE32+); ROM images (0x107) are rejected.
    if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // pe32
    {
    }
    else if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // pe64
    {
    }
    else
    {
        return 0;
    }
    UINT32 ExportDirectoryRVA = NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)BaseAddress + RVAToOffset(ExportDirectoryRVA, NtHeader));
    // The three parallel export tables: names, function RVAs, name -> ordinal.
    UINT32 AddressOfNamesRVA = ExportDirectory->AddressOfNames;
    PUINT32 AddressOfNames = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfNamesRVA, NtHeader));
    UINT32 AddressOfFunctionsRVA = ExportDirectory->AddressOfFunctions;
    PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)BaseAddress + RVAToOffset(AddressOfFunctionsRVA, NtHeader));
    UINT32 AddressOfNameOrdinalsRVA = ExportDirectory->AddressOfNameOrdinals;
    PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)BaseAddress + RVAToOffset(AddressOfNameOrdinalsRVA, NtHeader));
    for (UINT32 i = 0; i < ExportDirectory->NumberOfFunctions; i++)
    {
        // Reads *AddressOfNames (entry 0) on every pass - see header note.
        CHAR* ExportFunctionName = (CHAR*)((PUINT8)BaseAddress + RVAToOffset(*AddressOfNames, NtHeader));
        if (strstr(ExportFunctionName, "LoadDllByOEP") != NULL)
        {
            // Name index -> ordinal -> function RVA -> file offset.
            UINT16 ExportFunctionOrdinals = AddressOfNameOrdinals[i];
            return RVAToOffset(AddressOfFunctions[ExportFunctionOrdinals], NtHeader);
        }
    }
    return 0;
}
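/************************************************************************
* Name : RVAToOffset
* Param: RVA      relative virtual address inside the image (IN)
* Param: NtHeader NT headers of the image (IN)
* Ret  : UINT32  the matching file offset, or 0 when the RVA is not backed
*        by any section's raw data
* Converts an RVA to an offset in the file-layout image. Addresses below the
* first section fall inside the headers, which keep the same offset in file
* and in memory; everything else is mapped through the section table.
* (The previous version compared the RVA with PointerToRawData, a file
* offset, instead of the first section's VirtualAddress.)
************************************************************************/
UINT32 RVAToOffset(UINT32 RVA, PIMAGE_NT_HEADERS NtHeader)
{
    PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
    UINT32 NumberOfSections = NtHeader->FileHeader.NumberOfSections;
    // Header region: file offset == RVA. Also covers an image with no sections.
    if (NumberOfSections == 0 || RVA < SectionHeader[0].VirtualAddress)
    {
        return RVA;
    }
    for (UINT32 i = 0; i < NumberOfSections; i++)
    {
        UINT32 SectionStart = SectionHeader[i].VirtualAddress;
        // Only the raw-data part of a section exists in the file; the
        // zero-filled tail up to VirtualSize has no file offset.
        UINT32 SectionEnd = SectionStart + SectionHeader[i].SizeOfRawData;
        if (RVA >= SectionStart && RVA < SectionEnd)
        {
            return RVA - SectionStart + SectionHeader[i].PointerToRawData;
        }
    }
    return 0;
}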
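/************************************************************************
* Name : GetProcessIdByProcessImageName
* Param: wzProcessImageName  image name to look for, compared case-insensitively (IN)
* Param: TargetProcessId     receives the id of the first matching process (OUT)
* Ret  : BOOL  TRUE when a match was found and *TargetProcessId was written;
*        FALSE on NULL arguments, when the snapshot cannot be taken, or when
*        no process has that image name (*TargetProcessId is left untouched)
* Enumerates processes with the ToolHelp snapshot API.
* (The previous version returned TRUE whenever the snapshot succeeded and
* did not check Process32First.)
************************************************************************/
BOOL GetProcessIdByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessId)
{
    if (wzProcessImageName == NULL || TargetProcessId == NULL)
    {
        return FALSE;
    }
    // Snapshot of every process in the system.
    HANDLE ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    PROCESSENTRY32 ProcessEntry32 = { 0 };
    ProcessEntry32.dwSize = sizeof(PROCESSENTRY32); // required before Process32First
    BOOL Found = FALSE;
    // Process32First can itself fail; a failed first call ends the loop at once.
    for (BOOL bOk = Process32First(ProcessSnapshotHandle, &ProcessEntry32);
        bOk;
        bOk = Process32Next(ProcessSnapshotHandle, &ProcessEntry32))
    {
        if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName) == 0)
        {
            *TargetProcessId = ProcessEntry32.th32ProcessID;
            Found = TRUE;
            break;
        }
    }
    CloseHandle(ProcessSnapshotHandle);
    return Found;
}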
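/************************************************************************
* Name : GrantPriviledge
* Param: PriviledgeName  privilege name constant, e.g. SE_DEBUG_NAME (IN)
* Ret  : BOOL  TRUE only when the privilege is now enabled on the token
* Enables one privilege on the thread token (if impersonating) or else on
* the process token. A privilege can only be enabled when the token already
* holds it; AdjustTokenPrivileges still returns TRUE in that case and
* reports ERROR_NOT_ALL_ASSIGNED through GetLastError, which the previous
* version did not check.
************************************************************************/
BOOL GrantPriviledge(WCHAR* PriviledgeName)
{
    BOOL Result = FALSE;
    HANDLE TokenHandle = NULL;
    LUID uID = { 0 };
    TOKEN_PRIVILEGES TokenPrivileges = { 0 };
    TOKEN_PRIVILEGES OldPrivileges = { 0 };
    DWORD dwReturnLength = sizeof(OldPrivileges);
    // Use the thread's impersonation token when there is one; ERROR_NO_TOKEN
    // means the thread is not impersonating, so fall back to the process token.
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle))
    {
        if (GetLastError() != ERROR_NO_TOKEN)
        {
            return FALSE;
        }
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
        {
            return FALSE;
        }
    }
    // Translate the privilege name into its LUID.
    if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID))
    {
        goto Cleanup;
    }
    TokenPrivileges.PrivilegeCount = 1; // one entry in the (flexible) Privileges array
    TokenPrivileges.Privileges[0].Luid = uID;
    TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength))
    {
        goto Cleanup;
    }
    // TRUE from AdjustTokenPrivileges only means the call was processed;
    // ERROR_NOT_ALL_ASSIGNED means the token does not hold the privilege.
    Result = (GetLastError() == ERROR_SUCCESS);
Cleanup:
    CloseHandle(TokenHandle);
    return Result;
}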
// LoadRemoteDll.h
#include <Windows.h>
#include <intrin.h>
#ifdef LOADREMOTEDLL_EXPORTS
#define LOADREMOTEDLL_API __declspec(dllexport)
#else
#define LOADREMOTEDLL_API __declspec(dllimport)
#endif
// Precomputed name hashes the loader compares against at run time instead of
// carrying the strings: module names (hashed from the PEB loader list) and the
// four exports LoadDllByOEP needs (hashed with hash() below).
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
// ARM relocation types, defined for SDKs that lack them; the relocation loop
// on this page only handles IMAGE_REL_BASED_DIR64 and IMAGE_REL_BASED_HIGHLOW.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7
// Rotate count used by ror()/hash().
#define HASH_KEY 13
#pragma intrinsic( _rotr )
// Rotate the 32-bit value d right by HASH_KEY bits. Written with plain shifts;
// for a 32-bit operand this is the same result as _rotr(d, HASH_KEY).
__forceinline UINT32 ror(UINT32 d)
{
    return (d >> HASH_KEY) | (d << (32 - HASH_KEY));
}
// Additive rotate-right hash of a NUL-terminated name: each step rotates the
// running value by HASH_KEY and adds the next char (sign-extended as the
// original does). The first char is consumed before the terminator is
// tested, so an empty string reads past its terminator - same as before.
__forceinline UINT32 hash(char * c)
{
    UINT32 acc = 0;
    for (;;)
    {
        acc = ror(acc);
        acc += *c;
        if (*++c == '\0')
        {
            break;
        }
    }
    return acc;
}
//////////////////////////////////////////////////////////////////////////
// Counted UTF-16 string as used throughout the native API. Length and
// MaximumLength are byte counts, not character counts.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// PEB_LDR_DATA layouts (hand-copied; the names say which OS/arch they were
// taken from). LoadDllByOEP only walks InLoadOrderModuleList.
typedef struct _PEB_LDR_DATA_WIN7_X64
{
    UINT32 Length;
    UINT8 Initialized;
    UINT8 _PADDING0_[0x3];
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    UINT8 ShutdownInProgress;
    UINT8 _PADDING1_[0x7];
    PVOID ShutdownThreadId;
}PEB_LDR_DATA_WIN7_X64, *PPEB_LDR_DATA_WIN7_X64;
typedef struct _PEB_LDR_DATA_WINXP_X86
{
    UINT32 Length;
    UINT8 Initialized;
    UINT8 _PADDING0_[0x3];
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
}PEB_LDR_DATA_WINXP_X86, *PPEB_LDR_DATA_WINXP_X86;
// Select the layout matching the build target.
#ifdef _WIN64
#define PPEB_LDR_DATA PPEB_LDR_DATA_WIN7_X64
#define PEB_LDR_DATA PEB_LDR_DATA_WIN7_X64
#else
#define PPEB_LDR_DATA PPEB_LDR_DATA_WINXP_X86
#define PEB_LDR_DATA PEB_LDR_DATA_WINXP_X86
#endif
// Current-directory record referenced from RTL_USER_PROCESS_PARAMETERS.
typedef struct _CURDIR
{
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;
// Process parameter block layouts. Only needed so that the PEB below has the
// right size/offsets; nothing on this page reads these fields.
typedef struct _RTL_USER_PROCESS_PARAMETERS_WINXP_X86 {
    UINT32 MaximumLength;
    UINT32 Length;
    UINT32 Flags;
    UINT32 DebugFlags;
    HANDLE ConsoleHandle;
    UINT32 ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory; // ProcessParameters
    UNICODE_STRING DllPath; // ProcessParameters
    UNICODE_STRING ImagePathName; // ProcessParameters
    UNICODE_STRING CommandLine; // ProcessParameters
    PVOID Environment;
    UINT32 StartingX;
    UINT32 StartingY;
    UINT32 CountX;
    UINT32 CountY;
    UINT32 CountCharsX;
    UINT32 CountCharsY;
    UINT32 FillAttribute;
    UINT32 WindowFlags;
    UINT32 ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    UINT32 CurrentDirectores[8];
}RTL_USER_PROCESS_PARAMETERS_WINXP_X86, *PRTL_USER_PROCESS_PARAMETERS_WINXP_X86;
typedef struct _RTL_USER_PROCESS_PARAMETERS_WIN7_X64 {
    UINT32 MaximumLength;
    UINT32 Length;
    UINT32 Flags;
    UINT32 DebugFlags;
    HANDLE ConsoleHandle;
    UINT32 ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory; // ProcessParameters
    UNICODE_STRING DllPath; // ProcessParameters
    UNICODE_STRING ImagePathName; // ProcessParameters
    UNICODE_STRING CommandLine; // ProcessParameters
    PVOID Environment;
    UINT32 StartingX;
    UINT32 StartingY;
    UINT32 CountX;
    UINT32 CountY;
    UINT32 CountCharsX;
    UINT32 CountCharsY;
    UINT32 FillAttribute;
    UINT32 WindowFlags;
    UINT32 ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    UINT32 CurrentDirectores[8];
    UINT64 EnvironmentSize;
    UINT64 EnvironmentVersion;
}RTL_USER_PROCESS_PARAMETERS_WIN7_X64, *PRTL_USER_PROCESS_PARAMETERS_WIN7_X64;
// Select the layout matching the build target.
#ifdef _WIN64
#define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WIN7_X64
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WIN7_X64
#else
#define PRTL_USER_PROCESS_PARAMETERS PRTL_USER_PROCESS_PARAMETERS_WINXP_X86
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_WINXP_X86
#endif
// GDI handle buffer size differs between 32- and 64-bit PEBs.
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#ifndef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#endif
typedef UINT32 GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
// Process Environment Block. Hand-copied layout (undocumented, version
// dependent); the loader on this page only dereferences the Ldr member, the
// rest exists to keep that offset right.
typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN SpareBits : 1;
        };
    };
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr; // loader data: module lists walked by LoadDllByOEP
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    union
    {
        UINT32 CrossProcessFlags;
        struct
        {
            UINT32 ProcessInJob : 1;
            UINT32 ProcessInitializing : 1;
            UINT32 ProcessUsingVEH : 1;
            UINT32 ProcessUsingVCH : 1;
            UINT32 ProcessUsingFTH : 1;
            UINT32 ReservedBits0 : 27;
        };
        UINT32 EnvironmentUpdateCount;
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    UINT32 SystemReserved[1];
    UINT32 AtlThunkSListPtr32;
    PVOID ApiSetMap;
    UINT32 TlsExpansionCounter;
    PVOID TlsBitmap;
    UINT32 TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID* ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    UINT32 NumberOfProcessors;
    UINT32 NtGlobalFlag;
    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
    UINT32 NumberOfHeaps;
    UINT32 MaximumNumberOfHeaps;
    PVOID* ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    UINT32 GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    UINT32 OSMajorVersion;
    UINT32 OSMinorVersion;
    UINT16 OSBuildNumber;
    UINT16 OSCSDVersion;
    UINT32 OSPlatformId;
    UINT32 ImageSubsystem;
    UINT32 ImageSubsystemMajorVersion;
    UINT32 ImageSubsystemMinorVersion;
    UINT_PTR ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;
    PVOID PostProcessInitRoutine;
    PVOID TlsExpansionBitmap;
    UINT32 TlsExpansionBitmapBits[32];
    UINT32 SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
    UNICODE_STRING CSDVersion;
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
    SIZE_T MinimumStackCommit;
    PVOID* FlsCallback;
    LIST_ENTRY FlsListHead;
    PVOID FlsBitmap;
    UINT32 FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(UINT32) * 8)];
    UINT32 FlsHighIndex;
    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pContextData;
    PVOID pImageHeaderHash;
    union
    {
        UINT32 TracingFlags;
        struct
        {
            UINT32 HeapTracingEnabled : 1;
            UINT32 CritSecTracingEnabled : 1;
            UINT32 LibLoaderTracingEnabled : 1;
            UINT32 SpareTracingBits : 29;
        };
    };
    UINT64 CsrServerReadOnlySharedMemoryBase;
} PEB, *PPEB;
// One loaded module as linked into the three PEB_LDR_DATA lists.
// InLoadOrderLinks is the first member, which is why LoadDllByOEP casts a
// LIST_ENTRY pointer from InLoadOrderModuleList directly to this type.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase; // image base; used to reach the module's export directory
    PVOID EntryPoint;
    UINT32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName; // file name only; this is what gets hashed
    UINT32 Flags;
    UINT16 LoadCount;
    UINT16 TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            UINT32 CheckSum;
        };
    };
    union {
        struct {
            UINT32 TimeDateStamp;
        };
        struct {
            PVOID LoadedImports;
        };
    };
    struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef const struct _LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;
// The DLL's single export; see LoadRemoteDll.cpp for the contract.
LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam);
// LoadRemoteDll.cpp
// LoadRemoteDll.cpp : 定义 DLL 应用程序的导出函数。
//
#include "stdafx.h"
#include "LoadRemoteDll.h"
#pragma intrinsic(_ReturnAddress)
// Returns the address this function returns to, i.e. a code address inside
// the image that called it. noinline keeps a real call frame so that
// _ReturnAddress() (from <intrin.h>) is meaningful.
__declspec(noinline)
UINT_PTR caller()
{
    return (UINT_PTR)_ReturnAddress();
}
// Function-pointer types for the imports the loader resolves by hand; the
// signatures mirror the kernel32/ntdll prototypes.
typedef
HMODULE
(WINAPI * pfnLoadLibraryA)(LPCSTR lpLibFileName);
typedef
FARPROC
(WINAPI * pfnGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
typedef
LPVOID
(WINAPI * pfnVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
// Declared as LONG because NTSTATUS is not available from <Windows.h>.
typedef
LONG // NTSTATUS
(NTAPI * pfnNtFlushInstructionCache)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length);
// Shape of a DLL entry point, used to call the relocated image's OEP.
typedef
BOOL
(APIENTRY * pfnDllMain)(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
/************************************************************************
* Name : LoadDllByOEP
* Param: lParam  passed through as lpReserved to the mapped image's entry point
* Ret  : UINT_PTR  address of the entry point that was called (not the new
*        image base)
* Self-contained loader: (0) finds the raw file-layout copy of this DLL that
* it is executing from, (1) resolves LoadLibraryA/GetProcAddress/VirtualAlloc
* and NtFlushInstructionCache by hashing names from the PEB loader list,
* (2) maps headers and sections into a fresh allocation, fixes the IAT and
* applies base relocations, (3) calls the entry point with DLL_PROCESS_ATTACH.
* Until step 1 completes it must not touch anything that needs relocation or
* imports, which is why caller()/ror()/hash() are inline or position
* independent and no Win32 API is named directly.
* NOTE(review): the whole image is allocated PAGE_EXECUTE_READWRITE and
* per-section protections are never applied; the file copy is also left in
* place. The DOS-header search has no lower bound. Loop counters are INT
* compared against unsigned PE fields.
************************************************************************/
LOADREMOTEDLL_API UINT_PTR WINAPI LoadDllByOEP(PVOID lParam)
{
    UINT_PTR LibraryAddress = 0;
    PIMAGE_DOS_HEADER DosHeader = NULL;
    PIMAGE_NT_HEADERS NtHeader = NULL;
    pfnLoadLibraryA LoadLibraryAAddress = NULL;
    pfnGetProcAddress GetProcAddressAddress = NULL;
    pfnVirtualAlloc VirtualAllocAddress = NULL;
    pfnNtFlushInstructionCache NtFlushInstructionCacheAddress = NULL;
    // 0. A code address inside this image: the return address of the call
    //    to caller(). It is the starting point for the backward search for
    //    the MZ header of the raw image we are running from.
    LibraryAddress = caller();
    DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
    // Step back one byte at a time until an "MZ" with a plausible e_lfanew
    // that points at a "PE\0\0" signature is found.
    while (TRUE)
    {
        if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE &&
            DosHeader->e_lfanew >= sizeof(IMAGE_DOS_HEADER) &&
            DosHeader->e_lfanew < 1024)
        {
            NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
            if (NtHeader->Signature == IMAGE_NT_SIGNATURE)
            {
                break;
            }
        }
        LibraryAddress--;
        DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
    }
    // PEB pointer from the TEB: gs:[0x60] on x64, fs:[0x30] on x86.
#ifdef _WIN64
    PPEB Peb = (PPEB)__readgsqword(0x60);
#else
    PPEB Peb = (PPEB)__readfsdword(0x30);
#endif
    PPEB_LDR_DATA Ldr = Peb->Ldr;
    // 1. Walk the in-load-order module list and pick the four needed exports
    //    out of kernel32 and ntdll by name hash.
    for (PLIST_ENTRY TravelListEntry = (PLIST_ENTRY)Ldr->InLoadOrderModuleList.Flink;
        TravelListEntry != &Ldr->InLoadOrderModuleList; // the list head is a sentinel, not a module
        TravelListEntry = TravelListEntry->Flink)
    {
        // InLoadOrderLinks is the first member of LDR_DATA_TABLE_ENTRY, so the
        // LIST_ENTRY pointer is the entry pointer.
        PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)TravelListEntry;
        UINT32 FunctionCount = 0;
        // BaseDllName is a UNICODE_STRING: Buffer is UTF-16 and Length is a
        // byte count, yet the hash below consumes it one byte at a time (so
        // the zero high bytes of ASCII names take part in the hash).
        UINT_PTR DllName = (UINT_PTR)LdrDataTableEntry->BaseDllName.Buffer;
        UINT32 DllLength = LdrDataTableEntry->BaseDllName.Length;
        UINT_PTR DllBaseAddress = (UINT_PTR)LdrDataTableEntry->DllBase;
        // Export directory of the module under inspection (mapped image, so
        // RVAs are added to the base directly).
        DosHeader = (PIMAGE_DOS_HEADER)DllBaseAddress;
        NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)DllBaseAddress + DosHeader->e_lfanew);
        IMAGE_DATA_DIRECTORY ExportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
        PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)DllBaseAddress + ExportDataDirectory.VirtualAddress);
        PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfFunctions);
        PUINT32 AddressOfNames = (PUINT32)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNames);
        PUINT16 AddressOfNameOrdinals = (PUINT16)((PUINT8)DllBaseAddress + ExportDirectory->AddressOfNameOrdinals);
        UINT16 Ordinal = 0;
        UINT_PTR ExportFunctionAddress = 0; // unused
        UINT32 HashValue = 0;
        // Hash the module name, folding lowercase to uppercase by subtracting
        // 0x20 from every byte >= 'a' (not a strict toupper, but it is what the
        // precomputed *_HASH constants were generated with).
        do
        {
            HashValue = ror((UINT32)HashValue);
            if (*((PUINT8)DllName) >= 'a')
            {
                HashValue += *((PUINT8)DllName) - 0x20;
            }
            else
            {
                HashValue += *((PUINT8)DllName);
            }
            DllName++;
        } while (--DllLength); // pre-decrement: a zero Length would wrap and overrun
        if (HashValue == KERNEL32DLL_HASH)
        {
            FunctionCount = 3; // LoadLibraryA, GetProcAddress, VirtualAlloc
            // The name table is indexed with a bound of NumberOfFunctions rather
            // than NumberOfNames; the early break normally ends it first.
            for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++)
            {
                if (FunctionCount == 0)
                {
                    break;
                }
                CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);
                HashValue = hash(szExportFunctionName);
                // Name index -> ordinal -> function RVA.
                if (HashValue == LOADLIBRARYA_HASH)
                {
                    Ordinal = AddressOfNameOrdinals[i];
                    LoadLibraryAAddress = (pfnLoadLibraryA)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
                    FunctionCount--;
                }
                else if (HashValue == GETPROCADDRESS_HASH)
                {
                    Ordinal = AddressOfNameOrdinals[i];
                    GetProcAddressAddress = (pfnGetProcAddress)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
                    FunctionCount--;
                }
                else if (HashValue == VIRTUALALLOC_HASH)
                {
                    Ordinal = AddressOfNameOrdinals[i];
                    VirtualAllocAddress = (pfnVirtualAlloc)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
                    FunctionCount--;
                }
            }
        }
        else if (HashValue == NTDLLDLL_HASH)
        {
            FunctionCount = 1; // NtFlushInstructionCache
            for (INT i = 0; i < ExportDirectory->NumberOfFunctions; i++)
            {
                if (FunctionCount == 0)
                {
                    break;
                }
                CHAR* szExportFunctionName = (CHAR*)((PUINT8)DllBaseAddress + AddressOfNames[i]);
                HashValue = hash(szExportFunctionName);
                if (HashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
                {
                    Ordinal = AddressOfNameOrdinals[i];
                    NtFlushInstructionCacheAddress = (pfnNtFlushInstructionCache)((PUINT8)DllBaseAddress + AddressOfFunctions[Ordinal]);
                    FunctionCount--;
                }
            }
        }
        // Stop walking once all four are known. If any stays NULL the list is
        // exhausted and the NULL pointer is called below.
        if (LoadLibraryAAddress != NULL &&
            GetProcAddressAddress != NULL &&
            VirtualAllocAddress != NULL &&
            NtFlushInstructionCacheAddress != NULL)
        {
            break;
        }
    }
    // 2. Allocate a new image and load ourselves into it.
    // Point the headers back at our own raw image.
    DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
    NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
    // SizeOfImage is the in-memory size of the PE. The allocation is RWX for
    // its whole lifetime and no preferred address is requested, so the
    // relocations in 2.4 are always needed. The result is not checked.
    UINT_PTR NewBaseAddress = (UINT_PTR)VirtualAllocAddress(NULL, NtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // Work with cursors so NewBaseAddress itself is never advanced.
    UINT_PTR OldPtr = LibraryAddress;
    UINT_PTR BasePtr = NewBaseAddress;
    // 2.1 Copy headers + section table, byte by byte (no memcpy: the CRT is
    //     not usable before the IAT is fixed).
    UINT32 SizeOfHeaders = NtHeader->OptionalHeader.SizeOfHeaders;
    while (SizeOfHeaders--)
    {
        *(PUINT8)BasePtr++ = *(PUINT8)OldPtr++;
    }
    // 2.2 Copy each section's raw data from its file offset to its RVA.
    PIMAGE_SECTION_HEADER SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
    for (INT i = 0; i < NtHeader->FileHeader.NumberOfSections; i++)
    {
        if (SectionHeader[i].VirtualAddress == 0 || SectionHeader[i].SizeOfRawData == 0) // nothing to copy (e.g. .bss)
        {
            continue;
        }
        // Destination in the new image and source in the raw file image.
        UINT_PTR NewSectionAddress = (UINT_PTR)((PUINT8)NewBaseAddress + SectionHeader[i].VirtualAddress);
        UINT_PTR OldSectionAddress = (UINT_PTR)((PUINT8)LibraryAddress + SectionHeader[i].PointerToRawData);
        UINT32 SizeOfRawData = SectionHeader[i].SizeOfRawData;
        while (SizeOfRawData--)
        {
            *(PUINT8)NewSectionAddress++ = *(PUINT8)OldSectionAddress++;
        }
    }
    // 2.3 Resolve imports and fill in the IAT of the new image.
    IMAGE_DATA_DIRECTORY ImportDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
    PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PUINT8)NewBaseAddress + ImportDataDirectory.VirtualAddress);
    // The descriptor array ends with an all-zero entry; Name == 0 is the test.
    for (INT i = 0; ImportDescriptor[i].Name != NULL; i++)
    {
        // Load (or find) the imported module; the result is not checked.
        HMODULE Dll = LoadLibraryAAddress((const CHAR*)((PUINT8)NewBaseAddress + ImportDescriptor[i].Name));
        // OriginalFirstThunk = import lookup table (names/ordinals),
        // FirstThunk = the IAT that receives the resolved addresses.
        PIMAGE_THUNK_DATA OriginalFirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].OriginalFirstThunk);
        PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((PUINT8)NewBaseAddress + ImportDescriptor[i].FirstThunk);
        UINT_PTR FunctionAddress = 0;
        // One thunk per imported function; a zero thunk terminates the list.
        for (INT j = 0; OriginalFirstThunk[j].u1.Function; j++)
        {
            // (&OriginalFirstThunk[j] is never NULL; only the ordinal test matters.)
            if (&OriginalFirstThunk[j] && IMAGE_SNAP_BY_ORDINAL(OriginalFirstThunk[j].u1.Ordinal))
            {
                // Import by ordinal: look the function up in the exporting
                // module's own export address table instead of GetProcAddress.
                DosHeader = (PIMAGE_DOS_HEADER)Dll;
                NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)Dll + DosHeader->e_lfanew);
                PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PUINT8)Dll + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
                PUINT32 AddressOfFunctions = (PUINT32)((PUINT8)Dll + ExportDirectory->AddressOfFunctions);
                // ordinal - Base = index into AddressOfFunctions; IMAGE_ORDINAL
                // masks the flag bit after the subtraction.
                UINT16 Ordinal = IMAGE_ORDINAL(OriginalFirstThunk[j].u1.Ordinal - ExportDirectory->Base);
                FunctionAddress = (UINT_PTR)((PUINT8)Dll + AddressOfFunctions[Ordinal]);
            }
            else
            {
                // Import by name: resolve through GetProcAddress.
                PIMAGE_IMPORT_BY_NAME ImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PUINT8)NewBaseAddress + OriginalFirstThunk[j].u1.AddressOfData);
                FunctionAddress = (UINT_PTR)GetProcAddressAddress(Dll, (CHAR*)ImageImportByName->Name);
            }
            // Write the resolved address into the IAT slot.
            FirstThunk[j].u1.Function = FunctionAddress;
        }
    }
    // 2.4 Apply base relocations. NtHeader was repointed at the imported
    //     modules above, so reload it from our own raw image first.
    DosHeader = (PIMAGE_DOS_HEADER)LibraryAddress;
    NtHeader = (PIMAGE_NT_HEADERS)((PUINT8)LibraryAddress + DosHeader->e_lfanew);
    IMAGE_DATA_DIRECTORY BaseRelocDataDirectory = (IMAGE_DATA_DIRECTORY)(NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
    // Skip when the image has no relocation directory.
    if (BaseRelocDataDirectory.Size != 0)
    {
        PIMAGE_BASE_RELOCATION BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)NewBaseAddress + BaseRelocDataDirectory.VirtualAddress);
        // Each block: IMAGE_BASE_RELOCATION header followed by 16-bit entries.
        while (BaseRelocation->SizeOfBlock != 0)
        {
            typedef struct _IMAGE_RELOC
            {
                UINT16 Offset : 12; // low 12 bits: offset within the block's page
                UINT16 Type : 4; // high 4 bits: relocation type
            } IMAGE_RELOC, *PIMAGE_RELOC;
            // Entries start right after the block header.
            PIMAGE_RELOC RelocationBlock = (PIMAGE_RELOC)((PUINT8)BaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
            // Number of 16-bit entries in this block.
            UINT32 NumberOfRelocations = (BaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
            // Only DIR64 and HIGHLOW are patched; every other type (including
            // the ABSOLUTE padding entries) is skipped.
            for (INT i = 0; i < NumberOfRelocations; i++)
            {
                if (RelocationBlock[i].Type == IMAGE_REL_BASED_DIR64)
                {
                    // 64-bit pointer: add (new base - preferred ImageBase).
                    PUINT64 Address = (PUINT64)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + RelocationBlock[i].Offset);
                    UINT64 Delta = (UINT64)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;
                    *Address += Delta;
                }
                else if (RelocationBlock[i].Type == IMAGE_REL_BASED_HIGHLOW)
                {
                    // 32-bit pointer, same delta truncated to 32 bits.
                    PUINT32 Address = (PUINT32)((PUINT8)NewBaseAddress + BaseRelocation->VirtualAddress + (RelocationBlock[i].Offset));
                    UINT32 Delta = (UINT32)NewBaseAddress - NtHeader->OptionalHeader.ImageBase;
                    *Address += Delta;
                }
            }
            // Advance to the next block.
            BaseRelocation = (PIMAGE_BASE_RELOCATION)((PUINT8)BaseRelocation + BaseRelocation->SizeOfBlock);
        }
    }
    // 3. Entry point of the new image.
    UINT_PTR AddressOfEntryPoint = (UINT_PTR)((PUINT8)NewBaseAddress + NtHeader->OptionalHeader.AddressOfEntryPoint);
    // Flush the instruction cache of the current process ((HANDLE)-1) after
    // writing code; base/length 0 means the whole process.
    NtFlushInstructionCacheAddress(INVALID_HANDLE_VALUE, NULL, 0);
    // Call DllMain of the new image directly; the OS loader never sees it.
    ((pfnDllMain)AddressOfEntryPoint)((HMODULE)NewBaseAddress, DLL_PROCESS_ATTACH, lParam);
    return AddressOfEntryPoint;
}
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
// Entry point of the payload DLL. It is reached by LoadDllByOEP calling the
// relocated image's OEP with DLL_PROCESS_ATTACH and hModule set to the new
// base; on attach it only pops an empty message box. Always returns TRUE.
// NOTE(review): showing UI from DllMain is generally unsafe when the OS
// loader calls it (loader lock); here the call comes from LoadDllByOEP.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        MessageBoxA(0, 0, 0, 0);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}









