{"id":1520,"date":"2023-03-05T04:10:21","date_gmt":"2023-03-04T20:10:21","guid":{"rendered":"https:\/\/www.aqwu.net\/wp\/?p=1520"},"modified":"2023-03-05T04:10:21","modified_gmt":"2023-03-04T20:10:21","slug":"%e4%ba%ab%e5%8f%97keepass2%e7%9a%84%e4%b9%90%e8%b6%a3%ef%bc%9adll%e5%8a%ab%e6%8c%81%e5%92%8c%e6%8c%82%e9%92%a9api","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=1520","title":{"rendered":"Having fun with KeePass2: DLL hijacking and hooking APIs"},"content":{"rendered":"\n<p>With the recent controversial <strong>KeePass2<\/strong> <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-24055\">CVE-2023-24055<\/a> and all the fuss around it, I was motivated to finish a small project I had started last year.<\/p>\n\n\n\n<p>My goal was to see whether I could find a way to intercept the <strong>Master Password<\/strong> of a <strong>KeePass2<\/strong> database.<br><strong>For fun and learning, of course.<\/strong><\/p>\n\n\n\n<p>In this post we will cover:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DLL hijacking<\/li>\n\n\n\n<li>Hooking Windows APIs<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"introduction\"><strong>Introduction<\/strong><\/h1>\n\n\n\n<p>Picture this.<br>You are on an engagement, admin on a workstation, and have just retrieved a <code>KeePass2<\/code> database.<\/p>\n\n\n\n<p>Problem: <a href=\"https:\/\/github.com\/denandz\/KeeFarce\">KeeFarce<\/a>\/<a 
href=\"https:\/\/github.com\/GhostPack\/KeeThief\">KeeThief<\/a> no longer work.<\/p>\n\n\n\n<p>Let's find another way to get the <code>Master Password<\/code>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"table-of-content\"><strong>Table of contents<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#dll-hijacking\"><strong>DLL hijacking<\/strong><\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#was-ist-das\"><strong>What is that?<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#does-this-also-apply-to-keepass\"><strong>Does this also apply to KeePass?<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#target-dll\"><strong>Target DLL<\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#hooking-windows-apis\"><strong>Hooking Windows APIs<\/strong><\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#messageboxw-example\"><strong>MessageBoxW example<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#hook-the-box\"><strong>Hook the box<\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#automatic-code-generation\"><strong>Automatic code generation<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#when-everything-comes-together\"><strong>When everything comes together<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#conclusion\"><strong>Conclusion<\/strong><\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/skr1x.github.io\/keepass-dll-hijacking\/#useful-links\"><strong>Useful links<\/strong><\/a><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"dll-hijacking\"><strong>DLL hijacking<\/strong><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"was-ist-das\"><strong>What is that?<\/strong><\/h2>\n\n\n\n<p>DLL hijacking is a type of attack in which you abuse the search order an application uses to load dynamic-link libraries.<\/p>\n\n\n\n<p>When an application tries to load a DLL file, it searches for that file in a <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/dlls\/dynamic-link-library-search-order#factors-that-affect-searchingpp\">specific order<\/a>. The order is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The directory from which the application was loaded<\/li>\n\n\n\n<li>The system directory: <code>C:\\Windows\\System32<\/code><\/li>\n\n\n\n<li>The 16-bit system directory: <code>C:\\Windows\\System<\/code><\/li>\n\n\n\n<li>The Windows directory: <code>C:\\Windows<\/code><\/li>\n\n\n\n<li>The current directory<\/li>\n\n\n\n<li>The directories listed in the <code>PATH<\/code> environment variable<\/li>\n<\/ul>\n\n\n\n<p>If an attacker can place a malicious DLL with the same name as the legitimate DLL in one of those directories, the application will load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code in the process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"does-this-also-apply-to-keepass\"><strong>Does this also apply to KeePass?<\/strong><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"target-dll\"><strong>Target DLL<\/strong><\/h2>\n\n\n\n<p>The easiest way to find potentially hijackable DLLs is to search with <a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/\">procmon<\/a>. Look for <code>CreateFile<\/code> operations on DLLs that return a <code>NAME NOT FOUND<\/code> result, like here:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/procmon.png\" alt=\"Procmon spelunking\"\/><\/figure>\n\n\n\n<p>What is happening here?<br>KeePass tries to access a DLL named <code>UxTheme.dll<\/code>, but tries to load it from its own installation folder, <code>C:\\Program Files\\KeePass Password Safe 2<\/code>.<br>However, this is normally a system DLL that lives in <code>C:\\Windows\\System32<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/real_dll.png\" alt=\"UxTheme.dll in System32\"\/><\/figure>\n\n\n\n<p>So this DLL is probably a good candidate for hijacking.<\/p>\n\n\n\n<p>Let's compile a DLL and see whether <code>KeePass2<\/code> loads it if we rename it. We will use this code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;windows.h&gt;\n\/\/ WPP tracing: the .tmh header that the WPP preprocessor generates for this source file must also be included here.\n\nBOOL APIENTRY <strong>DllMain<\/strong>(\n    HMODULE hModule,\n    DWORD  ul_reason_for_call,\n    LPVOID 
lpReserved\n)\n{\n    WPP_INIT_TRACING(L\"Test\");\n\n    <strong>switch<\/strong> (ul_reason_for_call)\n    {\n    <strong>case<\/strong> DLL_PROCESS_ATTACH:\n        \/\/ Log the load event to ETW; it shows up in TraceView\n        TraceEvents(TRACE_LEVEL_VERBOSE, GENERAL, \"&#91;+ dllmain] DLL_PROCESS_ATTACH\\n\");\n        <strong>break<\/strong>;\n    }\n    <strong>return<\/strong> TRUE;\n}\n<\/code><\/pre>\n\n\n\n<p>Note the call to <code>TraceEvents<\/code> instead of <code>printf<\/code>. This is because, when we are working from inside a DLL, there is no easy way to get its output.<\/p>\n\n\n\n<p><code>TraceEvents<\/code> uses the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/wpp-software-tracing\">Windows software trace preprocessor (WPP)<\/a>, which is a component of <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/event-tracing-for-windows--etw-\">ETW<\/a>.<br>We will be able to see our events in <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/traceview\">TraceView<\/a>.<\/p>\n\n\n\n<p>Now that we have the DLL, let's move it to <code>C:\\Program Files\\KeePass Password Safe 2<\/code> and rename it to <code>UxTheme.dll<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/dll_in_folder.png\" alt=\"The DLL placed in KeePass's folder\"\/><\/figure>\n\n\n\n<p>And run KeePass:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/dll_hijacking.png\" 
alt=\"DLL_PROCESS_ATTACH when starting KeePass2\"\/><\/figure>\n\n\n\n<p>Yes!! It worked. We have a log entry in <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/traceview\">TraceView<\/a> showing that our DLL was loaded in <code>KeePass2<\/code>.<\/p>\n\n\n\n<p>That was easy. Now what?<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"hooking-windows-apis\"><strong>Hooking Windows APIs<\/strong><\/h1>\n\n\n\n<p>Hooking lets you intercept and\/or modify the behaviour of functions called by a given program. In our case, we want to be able to log the parameters and return values of Windows API calls.<\/p>\n\n\n\n<p>In the diagram below you can see a normal API call (green) versus a hooked API call (red):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/hooked_graph.png\" alt=\"Hooked call\"\/><\/figure>\n\n\n\n<p>Interestingly, this is also how user-space AV\/EDR products monitor API calls.<\/p>\n\n\n\n<p>I started working on a custom hooking engine and then stumbled upon Microsoft's own library for doing exactly this: <a href=\"https:\/\/github.com\/microsoft\/Detours\">Detours<\/a><\/p>\n\n\n\n<p>I won't go into detail about the hook implementation, since the documentation is available online.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"messageboxw-example\"><strong>MessageBoxW example<\/strong><\/h2>\n\n\n\n<p>Let's start with a simple <code>MessageBoxW<\/code> call.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MessageBoxW(\n    NULL,\n    TEXT(\"Hello Twitter!\"),\n    TEXT(\"SimpleEXE\"),\n    MB_OK\n);\n<\/code><\/pre>\n\n\n\n<p>If we look at the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-messageboxw\">MessageBoxW<\/a> documentation on MSDN, we get this function prototype:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>int<\/strong> <strong>MessageBoxW<\/strong>(\n  &#91;in, optional] HWND    hWnd,\n  &#91;in, optional] LPCWSTR lpText,\n  &#91;in, optional] LPCWSTR lpCaption,\n  &#91;in]           UINT    uType\n);\n<\/code><\/pre>\n\n\n\n<p>Our hook function, which logs the <code>lpText<\/code> and <code>lpCaption<\/code> parameters, looks like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Pointer to the original MessageBoxW; once the detour is attached it points at the trampoline that reaches the real function.\n<strong>int<\/strong> (<strong>*<\/strong>real_MessageBoxW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) <strong>=<\/strong> MessageBoxW;\n\n\/\/ Replacement function: log the arguments, then forward the call unchanged.\n<strong>int<\/strong> <strong>hook_MessageBoxW<\/strong>(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)\n{\n    TraceEvents(TRACE_LEVEL_VERBOSE, GENERAL, \"&#91;+ Hook] MessageBoxW(lpText=%ls, lpCaption=%ls, uType=%u)\", lpText, lpCaption, uType);\n    <strong>return<\/strong> real_MessageBoxW(hWnd, lpText, lpCaption, 
uType);\n}\n<\/code><\/pre>\n\n\n\n<p>This code is very simple. When <code>MessageBoxW<\/code> is called, it first logs the parameters using <code>TraceEvents<\/code> and then resumes execution in the \"real\" <code>MessageBoxW<\/code>.<\/p>\n\n\n\n<p>Let's try it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hook-the-box\"><strong>Hook the box<\/strong><\/h2>\n\n\n\n<p>This was tested with a custom loader that injects the DLL when the process starts. When the <code>MessageBox<\/code> appears:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/detour_mb.png\" alt=\"Password logged in TraceView\"\/><\/figure>\n\n\n\n<p>The function call is logged in TraceView! With the arguments and all.<\/p>\n\n\n\n<p>Now imagine being able to <strong>run code inside a sensitive process<\/strong> and being able to <strong>intercept the functions that handle sensitive data<\/strong>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"automatic-code-generation\"><strong>Automatic code generation<\/strong><\/h1>\n\n\n\n<p>But first, code generation.<\/p>\n\n\n\n<p>Now that we have a working example of a first hook, we have to scale it up. There are a lot of functions in the Windows 
API. Remember, our goal is to intercept the database's <strong>Master Password<\/strong> as it is typed.<\/p>\n\n\n\n<p>I obviously wasn't going to write the code for every Windows API function by hand. Nobody has time for that. I used a Python script and a JSON file to generate the code for the hooking DLL.<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/\">MSDN<\/a> is your best friend for the documentation, or you can also inspect the header files in Visual Studio.<br>Here is a quick selection from the JSON file:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/json.png\" alt=\"JSON file with function prototypes\"\/><\/figure>\n\n\n\n<p>And the generation:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/dll_generation.png\" alt=\"DLL generation output\"\/><\/figure>\n\n\n\n<p>By default the code generation emits <code>TraceEvents<\/code> calls to log the function call and its parameters. Here is an example of the generated code:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/generated_code2.png\" alt=\"Generated code\"\/><\/figure>\n\n\n\n<p>It looks a lot like the code in our first example, but it is generated automatically as soon as a function is added to the JSON 
file. I also added custom code snippets to extend the functionality when necessary. That way we can log return values, print parameters in a specific way, and so on.<\/p>\n\n\n\n<p>And just like that, we have working code generation. We can monitor any Windows API function we want by adding its prototype to the JSON file!<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"when-everything-comes-together\"><strong>When everything comes together<\/strong><\/h1>\n\n\n\n<p>While testing, I narrowed the search down to functions that handle strings and clipboard activity. After some research, I found two interesting API calls for our use case:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-setclipboarddata\">SetClipboardData<\/a>: places data on the clipboard in a specified clipboard format<br><code>HANDLE <strong>SetClipboardData<\/strong>( [in] UINT uFormat, [in, optional] HANDLE hMem );<\/code><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-tounicodeex\">ToUnicodeEx<\/a>: translates the specified virtual-key code and keyboard state to the corresponding Unicode character or characters<br><code><strong>int<\/strong> <strong>ToUnicodeEx<\/strong>( [in] UINT wVirtKey, [in] UINT wScanCode, [in] <strong>const<\/strong> 
BYTE <strong>*<\/strong>lpKeyState, [out] LPWSTR pwszBuff, [in] <strong>int<\/strong> cchBuff, [in] UINT wFlags, [in, optional] HKL dwhkl );<\/code><\/li>\n<\/ul>\n\n\n\n<p>After generating hooks for these two functions, we copy the DLL to <code>C:\\Program Files\\KeePass Password Safe 2<\/code> and rename it to <code>UxTheme.dll<\/code>.<\/p>\n\n\n\n<p>Now let's run <code>KeePass2<\/code> again and type the password to unlock the database:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/hello_twitter.png\" alt=\"Password logged in TraceView\"\/><\/figure>\n\n\n\n<p>How cool is that? The password is logged in TraceView!<\/p>\n\n\n\n<p>Entries in the database can also be intercepted when pressing <code>CTRL+C<\/code>, thanks to the <code>SetClipboardData<\/code> hook:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/skr1x.github.io\/assets\/keepass-dll-hijacking\/clipboard_hook.png\" alt=\"Clipboard hook\"\/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"conclusion\"><strong>Conclusion<\/strong><\/h1>\n\n\n\n<p>I still have some work to do to write the password to a file, but you get the idea. I hope you enjoyed what you read today and learned something new.<\/p>\n\n\n\n<p>I don't have a comments section, but send me a message on <a 
href=\"https:\/\/twitter.com\/skr1x_\">Twitter<\/a> before the platform disappears haha.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"useful-links\"><strong>Useful links<\/strong><\/h1>\n\n\n\n<p><a href=\"https:\/\/keepass.info\/\">https:\/\/keepass.info\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/\">https:\/\/learn.microsoft.com\/en-us\/sysinternals\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/microsoft\/Detours\">https:\/\/github.com\/microsoft\/Detours<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/traceview\">https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/traceview<\/a>&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/wpp-software-tracing\">https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/wpp-software-tracing<\/a><\/p>\n\n\n\n<p>Original post: https:\/\/skr1x.github.io\/keepass-dll-hijacking\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the recent controversial KeePass2 CVE-2023-24055 and 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[102,43],"tags":[337,339,338],"class_list":["post-1520","post","type-post","status-publish","format-standard","hentry","category-windows-infoarticle","category-infoarticle","tag-dll-","tag-keepass2","tag-api"],"views":1616,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1520"}],"version-history":[{"count":1,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1520\/revisions"}],"predecessor-version":[{"id":1521,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1520\/revi
sions\/1521"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}