http://blog.naver.com/kyaru/130045340068 

http://www.edgeofnowhere.cc/viewtopic.php?p=2483118

http://darksoft.co.kr/tc/256

주옥같은 자료들 감사합니다 (꾸벅)


위를 참고하여 악성코드들이 어떻게 실행 중인 프로세스에 dll 파일을 inject 하는지 구현해보자

최종 목표는 실행 중인 랜덤 프로세스에 자유자재로 dll 인젝션하기

 

아래 소스는 explorer.exe에 WSOCK32.dll을 인젝션시키는 예제입니다. (위의 소스 참고)

 

inject.jpg

테스트를 위한 예제이기 때문에 warning은 신경 쓰지 않았습니다;;

 

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <shlwapi.h>

#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

#define PROCESS_NAME "explorer.exe"
#define DLL_NAME "WSOCK32.dll"

BOOL WriteProcessBYTES(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize);

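unsigned long GetTargetProcessIdFromProcname(char *procName)
{
 /* Walks a Toolhelp process snapshot and returns the PID of the first
  * entry whose szExeFile contains procName (substring match via strstr).
  * Returns 0 when the snapshot cannot be created or no entry matched.
  * Fixes vs. the original: the snapshot handle was never closed (leak),
  * and on "not found" the stale/uninitialised pe.th32ProcessID was
  * returned instead of 0, so callers could not detect the miss. */
 PROCESSENTRY32 pe;
 HANDLE thSnapshot;
 BOOL retval;
 unsigned long procID = 0;   /* 0 = not found / error */

 thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if(thSnapshot == INVALID_HANDLE_VALUE)
 {
  printf("Error: unable to create toolhelp snapshot");
  return 0;
 }

 pe.dwSize = sizeof(PROCESSENTRY32);
 retval = Process32First(thSnapshot, &pe);

 while(retval)
 {
  if(strstr(pe.szExeFile, procName))
  {
   procID = pe.th32ProcessID;
   break;
  }
  /* dwSize must be valid on every call, so reset it before the next read */
  pe.dwSize = sizeof(PROCESSENTRY32);
  retval = Process32Next(thSnapshot, &pe);
 }

 CloseHandle(thSnapshot);   /* always release the snapshot, found or not */
 return procID;
}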

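unsigned long GetTargetProcessIdFromWindow(char *className, char *windowName)
{
 /* Resolves a top-level window by class/title with FindWindow() and returns
  * the PID that owns it. Returns 0 if no window matched or the PID lookup
  * failed. The original left procID uninitialised and returned it even when
  * FindWindow() yielded NULL, i.e. an arbitrary value on any miss. */
 unsigned long procID = 0;
 HWND targetWnd = FindWindow(className, windowName);

 if(targetWnd == NULL)
  return 0;

 /* GetWindowThreadProcessId() returns the owning thread id, 0 on failure */
 if(GetWindowThreadProcessId(targetWnd, &procID) == 0)
  return 0;

 return procID;
}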

unsigned long GetTargetThreadIdFromWindow(char *className, char *windowName)
{
 /* Finds the window by class/title, takes its owning PID, then reads a
  * 4-byte thread id out of that process at an address computed from the
  * CALLING thread's TEB (see the _asm block). MSVC 32-bit only: inline
  * _asm and the fs: segment do not exist in x64 builds.
  * Caveats visible here: targetWnd is not checked for NULL, hProcess is
  * not checked for NULL, ReadProcessMemory()'s result is ignored, and
  * threadID is uninitialised, so any failure returns an arbitrary value. */
 HWND targetWnd;
 HANDLE hProcess;
  unsigned long processID, pTID, threadID;

 targetWnd = FindWindow(className, windowName);
 GetWindowThreadProcessId(targetWnd, &processID);


 /* fs:[0x18] is the 32-bit TEB self pointer; +36 (0x24) is the offset of
  * ClientId.UniqueThread. This is the current thread's TEB address; it is
  * then reused as an address inside the target process, which only gives
  * the target's thread id if some thread there has its TEB mapped at the
  * same virtual address -- NOTE(review): fragile, not generally true. */
 _asm {
  mov eax, fs:[0x18]
  add eax, 36
   mov [pTID], eax
 }

 hProcess = OpenProcess(PROCESS_VM_READ, FALSE, processID);
 ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
 CloseHandle(hProcess);

 return threadID;
}

unsigned long GetTargetThreadIdFromProcname(char *procName)
{
 /* Same snapshot walk as GetTargetProcessIdFromProcname(), then reads a
  * 4-byte thread id from the matched process at an address derived from
  * the CALLING thread's TEB (see the _asm block). MSVC 32-bit only.
  * Caveats visible here: ProcFound is set but never consulted, so a miss
  * falls through with a stale pe.th32ProcessID; hProcess and the
  * ReadProcessMemory() result are unchecked; threadID is uninitialised
  * and is returned as-is on any failure. */
 PROCESSENTRY32 pe;
 HANDLE thSnapshot, hProcess;
 BOOL retval, ProcFound = FALSE;
 unsigned long pTID, threadID;

 thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

 if(thSnapshot == INVALID_HANDLE_VALUE)
 {
  printf("Error: unable to create toolhelp snapshot");
  return FALSE;   /* FALSE == 0 here; the return type is unsigned long */
 }

 pe.dwSize = sizeof(PROCESSENTRY32);

 retval = Process32First(thSnapshot, &pe);

 while(retval)
 {
  /* substring match, so "explorer.exe" also matches e.g. "xexplorer.exe" */
  if(strstr(pe.szExeFile, procName) )
  {
   ProcFound = TRUE;
   break;
  }

  retval    = Process32Next(thSnapshot,&pe);
  pe.dwSize = sizeof(PROCESSENTRY32);
 }

 CloseHandle(thSnapshot);

 /* fs:[0x18] is the 32-bit TEB self pointer; +36 (0x24) is the offset of
  * ClientId.UniqueThread. The address belongs to this thread's TEB and is
  * reused verbatim in the target process -- NOTE(review): only yields a
  * meaningful id if the target has a TEB at the same virtual address. */
 _asm {
  mov eax, fs:[0x18]
  add eax, 36
   mov [pTID], eax
 }

 hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pe.th32ProcessID);
 ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
 CloseHandle(hProcess);

 return threadID;
}


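int IsWindowsNT(void)
{
 /* Returns non-zero on an NT-based Windows. GetVersion() sets the high bit
  * of its result for the Win9x/Me family and leaves it clear on NT, so a
  * value below 0x80000000 means NT. The major/minor byte extraction in the
  * original was dead code (never read) and has been dropped. */
 DWORD version = GetVersion();
 return (version < 0x80000000);
}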

BOOL InjectDLL(DWORD ProcessID, char *dllName)
{
 /* Opens ProcessID with CREATE_THREAD_ACCESS, copies dllName into the
  * target's address space and starts a remote thread at the address
  * resolved for kernel32!LoadLibraryA with that string as argument.
  * Returns FALSE when ProcessID is 0 or OpenProcess() fails; otherwise
  * TRUE, even though the VirtualAllocEx / WriteProcessMemory /
  * CreateRemoteThread results are never checked. */
 HANDLE Proc;
 char buf[50]={0};
 LPVOID RemoteString, LoadLibAddy;

 if(!ProcessID)
  return FALSE;

 Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    // printf("%d",Proc);
 if(!Proc)
 {
  sprintf_s(buf, "OpenProcess() failed: %d", GetLastError());
  /* NOTE(review): buf is used as the format string (CERT FIO30-C);
   * printf("%s", buf) avoids any '%' in the text being parsed. */
  printf(buf);
  return FALSE;
 }

 //printf("before = %d",LoadLibAddy);
 /* Resolved in THIS process; it is only usable in the target because the
  * code relies on kernel32.dll being mapped at the same address there. */
 LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
 printf("before = %d",LoadLibAddy);   /* %d with a pointer: mismatched specifier (%p) */

 /* Size comes from the DLL_NAME macro, not the dllName argument, so the two
  * calls below disagree whenever dllName is something other than DLL_NAME. */
 RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
 WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName), NULL);
 /* NULL is passed for two DWORD parameters (dwStackSize, dwCreationFlags),
  * and the returned thread handle is discarded, so it leaks. */
 CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);   
 CloseHandle(Proc);
 return TRUE;
}


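BOOL LoadDll(char *procName, char *dllName)
{
 /* Looks up procName's PID and hands it to InjectDLL().
  * Returns FALSE when the PID lookup yields 0 or when InjectDLL() reports
  * failure, TRUE otherwise. The original always returned TRUE, and its
  * "Process located" message was also printed when no process had been
  * located at all (InjectDLL() rejects PID 0); the two cases are now
  * reported separately. */
 DWORD ProcID = GetTargetProcessIdFromProcname(procName);

 if(!ProcID)
 {
  printf("Process not found");
  return FALSE;
 }

 if(!InjectDLL(ProcID, dllName))
 {
  printf("Process located, but injection failed");
  return FALSE;
 }

 return TRUE;
}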

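int main(void)
{
 /* Prints the PID / thread-id lookups and IsWindowsNT() for PROCESS_NAME,
  * then runs LoadDll() on it. "void main" is not a valid hosted-C entry
  * point, hence int main(void) returning 0; the lookups return unsigned
  * long, so they are printed with %lu instead of %d. */
 printf("%s=%lu\n",PROCESS_NAME,GetTargetProcessIdFromProcname(PROCESS_NAME));
 printf("%s=%lu\n",PROCESS_NAME,GetTargetThreadIdFromProcname(PROCESS_NAME));
 printf("IsWindowsNT=%d\n",IsWindowsNT());
 LoadDll(PROCESS_NAME,DLL_NAME);
 return 0;
}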

 

2009-06-05 오늘은 계산기 눌렀을때 '=' 누르게되면 메시지 박스로 답 출력하기를 해보자 ^o^