White-plus-Black AV Evasion from Scratch
Introduction to DLL Hijacking
DLL hijacking (Dynamic Link Library Hijacking) is an attack technique that abuses weaknesses in how a program on the target system loads dynamic link libraries (DLLs): a legitimate DLL file is replaced with a malicious one, giving the attacker control over the target system. AheadLib is a commonly used tool for carrying out DLL hijacking.
DLL Load Order Rules
- The directory where the program resides
- The directory the program was loaded from
- The system directory, i.e. SYSTEM32
- The 16-bit system directory, i.e. SYSTEM
- The Windows directory
- The directories listed in the PATH environment variable
In addition, the path of a DLL that an application calls is also determined through the KnownDLLs registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
DLLs listed under this key may not be loaded from the EXE's own directory; they can only be loaded from the system directory (SYSTEM32). DLL hijacking therefore has to pick a DLL that is not listed in the KnownDLLs key.
Implementation
Hijacking an Application DLL
As long as the host program does not verify its own DLLs, the DLL can be hijacked and replaced.
Note: once a hijackable DLL has been found, the DLL used for the hijack must export every function the original DLL exports, otherwise the program will not run normally. A tool such as AheadLib can be used to help generate that DLL.
Case Study
This post uses WPS as the example.
While experimenting, it turned out that copying et.exe out on its own and running it produces an error about a missing DLL file.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff98d144f-8293-4003-b653-f06d45131015%2FUntitled.png?table=block&id=ae39dae3-389b-4c90-a5fc-d55ac2ec2183&t=ae39dae3-389b-4c90-a5fc-d55ac2ec2183&width=892&cache=v2)
After copying the missing DLL file into the same folder it runs successfully, and it performs no signature check on the DLL file.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc21b1367-7e86-40ce-958e-3a27d788c8c6%2FUntitled.png?table=block&id=12b1a639-afbc-43af-935a-77cbede685f0&t=12b1a639-afbc-43af-935a-77cbede685f0&width=1137&cache=v2)
Using the Hijack DLL Source Generator
First open the GUI program, then drag the DLL into it.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F44c51a46-44be-45c6-88a4-d95d487af343%2FUntitled.png?table=block&id=733be688-0003-4c1c-8951-862506cde0c7&t=733be688-0003-4c1c-8951-862506cde0c7&width=1355&cache=v2)
Right-click and use AheadLib to mimic the DLL's exports, writing the output to the chosen folder.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F421ef58d-97f7-4ddb-9feb-e705d7ada9f8%2FUntitled.png?table=block&id=56148572-b74f-423e-bb15-7baf8720167f&t=56148572-b74f-423e-bb15-7baf8720167f&width=1355&cache=v2)
Generation produces three files in total: .c, .h and .asm.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F446624cc-d965-432c-a17c-e8146ec8c807%2FUntitled.png?table=block&id=393cb397-a2e3-4d30-a8be-f673f52201df&t=393cb397-a2e3-4d30-a8be-f673f52201df&width=1096&cache=v2)
Writing the New DLL
Create a new project in Visual Studio.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F106bcca9-fb9b-49c6-803b-a63092c579c5%2FUntitled.png?table=block&id=7fbe4179-3548-4bb6-901a-31bd40aa6608&t=7fbe4179-3548-4bb6-901a-31bd40aa6608&width=1533&cache=v2)
Choose Dynamic-Link Library.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcf3d3725-8493-4c5e-8e3f-ca25df9c3955%2FUntitled.png?table=block&id=1b2700ad-de53-4685-b1d3-cfa0a81fc070&t=1b2700ad-de53-4685-b1d3-cfa0a81fc070&width=1531&cache=v2)
Click Create.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F92076bfb-f9f2-41cf-a329-a2170a319229%2FUntitled.png?table=block&id=484711f4-db31-46dd-9373-958954514391&t=484711f4-db31-46dd-9373-958954514391&width=1533&cache=v2)
Copy the three generated files into the project folder, then drag them into the solution by hand and include the header file at the entry point.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa79471df-eada-49a6-80d7-e2c3cf48805e%2FUntitled.png?table=block&id=8389e84e-8a91-4e18-8939-e936203258a6&t=8389e84e-8a91-4e18-8939-e936203258a6&width=1918&cache=v2)
The pointers are redirected to the original function addresses for linking, and the jump is done in assembly, which is the krpt_jump.asm file.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8c7f63f9-9ed7-4e41-ba4f-c6c982b599e9%2FUntitled.png?table=block&id=e5aedb3f-869d-435f-8181-5cbd6eada905&t=e5aedb3f-869d-435f-8181-5cbd6eada905&width=2149&cache=v2)
Since the jumps are not needed here, the crudest method is used: delete the jumps by hand in the assembly file.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcbd8b33f-db5e-4adc-9880-1f93b0eb4e44%2FUntitled.png?table=block&id=7b70ae5a-981d-4993-9a75-7099effebefc&t=7b70ae5a-981d-4993-9a75-7099effebefc&width=2149&cache=v2)
The assembly file has to be configured manually; how to configure it is noted at the very top of the file.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6bf1eccf-59a6-4246-b208-f98ba6d7bf08%2FUntitled.png?table=block&id=c3480589-a33e-4625-8903-139a8509f403&t=c3480589-a33e-4625-8903-139a8509f403&width=1980&cache=v2)
Try building; if it builds successfully, that is all that is needed.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa0059b4f-c2ed-4abb-a0c2-bbbfe6989e38%2FUntitled.png?table=block&id=8986b1e4-f1d4-4a3a-bad0-4e198c854b23&t=8986b1e4-f1d4-4a3a-bad0-4e198c854b23&width=1931&cache=v2)
Then we can insert the malicious code we need into the source. To verify the vulnerability, we make it pop up a message box when the hijack succeeds.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3e4ff35a-f0b6-47b0-a5ae-bf0281cb9a6e%2FUntitled.png?table=block&id=2125fddc-7b55-4d88-aa09-91cc8fad995b&t=2125fddc-7b55-4d88-aa09-91cc8fad995b&width=1413&cache=v2)
Compile to produce a DLL with the same name, "krpt.dll", place it in the same folder as et.exe and double-click to run; the message box pops up successfully.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F21945085-3dcd-4feb-bf24-60254dcf283c%2FUntitled.png?table=block&id=42c8ffa3-350b-451c-a343-355a9a56f13d&t=42c8ffa3-350b-451c-a343-355a9a56f13d&width=1121&cache=v2)
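A detection-side counterpart to the load-order rules and to the krpt.dll case above, written as an added example for this page (it is not code from the post, from AheadLib or from WPS): it classifies Sysmon Event ID 7 image-load records and flags loads that fit the side-loading pattern, skipping KnownDLLs because the loader never resolves them from the application directory. The KnownDLLs set, the System32 listing, the paths and the events are constructed sample data.

```python
import ntpath
from dataclasses import dataclass

# Constructed for this example. KnownDLLs resolve only from System32, so a
# same-named file beside the EXE can never shadow one of them.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}
# Constructed stand-in for the DLLs present in C:\Windows\System32.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll"} | KNOWN_DLLS

@dataclass
class ImageLoad:              # fields of a Sysmon Event ID 7 (Image loaded) record
    image: str                # Image: the host process executable
    loaded: str               # ImageLoaded: full path of the mapped DLL
    image_signed: bool        # Signed="true" on the host EXE
    dll_signed: bool          # Signed="true" on the DLL
    dll_sig_valid: bool       # SignatureStatus="Valid" on the DLL

def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def classify(ev: ImageLoad, system_dlls=SYSTEM32_DLLS):
    """Return a finding if the load looks like side-loading, else None.
    Only app-directory loads matter (first hop of the search order, and the
    one an attacker can write to); KnownDLLs are skipped because the loader
    ignores app-directory copies of them. Flag a name that shadows a real
    System32 DLL, or a signed host loading an unsigned/invalid DLL (WPS case)."""
    name = ntpath.basename(ev.loaded).lower()
    if not same_dir(ev.image, ev.loaded) or name in KNOWN_DLLS:
        return None
    if name in system_dlls:
        return f"{name} shadows a System32 DLL from the application directory"
    if ev.image_signed and not (ev.dll_signed and ev.dll_sig_valid):
        host = ntpath.basename(ev.image)
        return f"signed {host} loaded unsigned or invalid {name} from its own directory"
    return None

def scan(events):
    return [(ntpath.basename(e.loaded).lower(), r)
            for e in events if (r := classify(e)) is not None]

# Constructed events, not real telemetry: APP is a copied-out et.exe folder.
APP = r"C:\Users\demo\Desktop\et"
SAMPLE_EVENTS = [
    ImageLoad(APP + r"\et.exe", APP + r"\krpt.dll", True, False, False),      # planted proxy DLL
    ImageLoad(APP + r"\et.exe", r"C:\Windows\System32\kernel32.dll", True, True, True),
    ImageLoad(APP + r"\et.exe", APP + r"\user32.dll", True, False, False),    # KnownDLL, loader ignores it
    ImageLoad(APP + r"\et.exe", APP + r"\version.dll", True, True, True),     # shadows a System32 DLL
    ImageLoad(APP + r"\et.exe", APP + r"\vendorlib.dll", True, True, True),   # constructed signed vendor DLL
]
```

`scan(SAMPLE_EVENTS)` returns two findings, for krpt.dll (unsigned DLL loaded by a signed host from its own directory) and version.dll (a System32 name shadowed from the application directory).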
Tools