{"id":208,"date":"2022-06-11T16:35:45","date_gmt":"2022-06-11T08:35:45","guid":{"rendered":"http:\/\/www.aqwu.net\/wp\/?p=208"},"modified":"2022-06-11T16:36:15","modified_gmt":"2022-06-11T08:36:15","slug":"importdllinjection-%e9%80%9a%e8%bf%87%e4%bf%ae%e6%94%b9%e5%86%85%e5%ad%98%e4%b8%ad%e7%9a%84-pe-%e5%a4%b4%e6%9d%a5%e6%b3%a8%e5%85%a5-dll-%e7%9a%84%e5%8f%a6%e4%b8%80%e7%a7%8d%e6%96%b9%e6%b3%95","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=208","title":{"rendered":"ImportDLLInjection – \u901a\u8fc7\u4fee\u6539\u5185\u5b58\u4e2d\u7684 PE \u5934\u6765\u6ce8\u5165 DLL \u7684\u53e6\u4e00\u79cd\u65b9\u6cd5"},"content":{"rendered":"\n

\u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/www.x86matthew.com\/view_post?id=import_dll_injection<\/p>\n\n\n\n

\u8fd9\u7bc7\u6587\u7ae0\u5c55\u793a\u4e86\u6211\u6700\u8fd1\u63d0\u51fa\u7684\u4e00\u4e2a\u76f8\u5f53\u7b80\u5355\u7684 DLL \u6ce8\u5165\u60f3\u6cd5\u3002\u6211\u5728\u7f51\u4e0a\u5feb\u901f\u6d4f\u89c8\u4e86\u4e00\u4e0b\uff0c\u770b\u770b\u6709\u6ca1\u6709\u5176\u4ed6\u4eba\u4f7f\u7528\u8fc7\u8fd9\u79cd\u65b9\u6cd5\uff0c\u4f46\u627e\u4e0d\u5230\u4efb\u4f55\u7ed3\u679c\u3002\uff08\u66f4\u65b0\uff1ahasherezade \u63d0\u5230\u5fae\u8f6f\u5728 MSDetours \u4e2d\u540d\u4e3a DetourCreateProcessWithDlls \u7684\u51fd\u6570\u4e2d\u4f7f\u7528\u4e86\u975e\u5e38\u76f8\u4f3c\u7684\u65b9\u6cd5\uff09<\/p>\n\n\n\n

\u6b64\u65b9\u6cd5\u4e0d\u9700\u8981\u521b\u5efa\u4e34\u65f6\u7ebf\u7a0b\u3001\u4fee\u6539\u53ef\u6267\u884c\u4ee3\u7801\u6216\u66f4\u6539\u7ebf\u7a0b\u4e0a\u4e0b\u6587\u3002<\/p>\n\n\n\n

\u7b80\u800c\u8a00\u4e4b\uff0c\u6211\u4eec\u5c06\u4fee\u6539\u65b0\u521b\u5efa\u8fdb\u7a0b\u5185\u5b58\u4e2d\u7684 PE \u6807\u5934\uff0c\u4ee5\u5c06\u6211\u4eec\u81ea\u5df1\u7684 DLL \u6dfb\u52a0\u5230\u5bfc\u5165\u63cf\u8ff0\u7b26\u5217\u8868\u4e2d\u3002<\/p>\n\n\n\n

\u6211\u7684\u60f3\u6cd5\u5982\u4e0b\uff1a <\/p>\n\n\n\n

1. \u4f7f\u7528\u5e26\u6709CREATE_SUSPENDED\u7684CreateProcess \u521b\u5efa\u76ee\u6807 EXE \u8fdb\u7a0b\u7684\u6302\u8d77\u5b9e\u4f8b\u65d7\u5e1c\u3002\n2. \u4f7f\u7528NtQueryInformationProcess \u8ba1\u7b97\u76ee\u6807 EXE \u7684\u57fa\u5730\u5740\uff0c\u8bfb\u53d6\u76ee\u6807\u8fdb\u7a0b\u7684 PEB \u5730\u5740\uff0c\u4f7f\u7528ReadProcessMemory\u8bfb\u53d6ImageBaseAddress\u5b57\u6bb5\u503c\u3002\n3. \u4f7f\u7528ReadProcessMemory\u4ece\u76ee\u6807\u8fdb\u7a0b \u8bfb\u53d6\u4e3b PE \u5934 ( IMAGE_NT_HEADERS ) \u3002\n4. \u4e3a\u4ee5\u540e\u5b58\u50a8\u672a\u4fee\u6539\u7684IMAGE_NT_HEADERS\u7ed3\u6784 \u7684\u526f\u672c\u3002 \n5. \u5728 PE \u5934\u4e2d\u7684\u5bfc\u5165\u63cf\u8ff0\u7b26\u5217\u8868\u4e2d\u6dfb\u52a0\u4e00\u4e2a\u989d\u5916\u7684 DLL \u6761\u76ee\uff08ImageNtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]\uff09\u3002\u8fd8\u9700\u8981\u5728\u76ee\u6807\u8fdb\u7a0b\u4e2d\u5206\u914d\u6a21\u5757\u8def\u5f84\u3001\u5bfc\u5165\u67e5\u627e\u8868\u548c\u5bfc\u5165\u5730\u5740\u8868\u3002\u5bfc\u5165\u8868\u5c06\u5305\u62ec\u4e00\u4e2a\u6761\u76ee\uff1aordinal #1\u3002\n6. \u4f7f\u7528WriteProcessMemory\u5c06\u66f4\u65b0\u7684 PE \u5934\u5199\u56de\u76ee\u6807\u8fdb\u7a0b\u3002 \n7. \u4f7f\u7528ResumeThread\u6062\u590d\u76ee\u6807\u8fdb\u7a0b\u7684\u6267\u884c\u3002\n8.\u5faa\u73af\u4f7f\u7528ReadProcessMemory \u8bfb\u53d6\u6ce8\u5165DLL \u7684\u65b0\u5bfc\u5165\u5730\u5740\u8868\u3002\u7b49\u5230\u76ee\u6807\u8fdb\u7a0b\u66f4\u65b0\u4e86\u5355\u4e2a\u5bfc\u5165\uff08\u5e8f\u6570 #1\uff09\u7684\u5730\u5740\u3002 \n9. DLL \u73b0\u5728\u5df2\u7ecf\u88ab\u6ce8\u5165\u5230\u76ee\u6807\u8fdb\u7a0b\u4e2d\u3002\u91ca\u653e\u4efb\u4f55\u4e34\u65f6\u5185\u5b58\u5e76\u4ece\u7b2c 4 \u6b65\u6062\u590d\u539f\u59cb PE \u6807\u5934\u3002 <\/code><\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\u8fd9\u662f\u6709\u6548\u7684\uff0c\u56e0\u4e3a\u65b0\u521b\u5efa\u7684\u6302\u8d77\u8fdb\u7a0b\u53ea\u6709ntdll.dll\u6700\u521d\u52a0\u8f7d – \u8fd9\u610f\u5473\u7740\u6211\u4eec\u53ef\u4ee5\u5728\u52a0\u8f7d\u5269\u4f59\u7684 DLL \u4e4b\u524d\u64cd\u4f5c\u5185\u5b58\u4e2d\u7684\u5bfc\u5165\u8868\u3002\u8fd9\u79cd\u65b9\u6cd5\u53ef\u9760\uff0c\u5728\u6211\u7684\u6d4b\u8bd5\u4e2d\u6548\u679c\u5f88\u597d\u3002<\/p>\n\n\n\n
\u8fd9\u79cd\u65b9\u6cd5\u7684\u4e3b\u8981\u7f3a\u70b9\u662f\u5b83\u53ea\u80fd\u7528\u4e8e\u5c06 DLL \u6ce8\u5165\u65b0\u8fdb\u7a0b\u3002\u65e0\u6cd5\u4f7f\u7528\u6b64\u65b9\u6cd5\u6ce8\u5165\u5df2\u8fd0\u884c\u7684\u8fdb\u7a0b\uff0c\u56e0\u4e3a\u4ec5\u5728\u8fdb\u7a0b\u9996\u6b21\u542f\u52a8\u65f6\u624d\u5904\u7406\u5bfc\u5165\u63cf\u8ff0\u7b26\u5217\u8868\u3002<\/p>\n\n\n\n
\u6b64\u65b9\u6cd5\u7684\u53e6\u4e00\u4e2a\u5c0f\u7f3a\u70b9\u662f\u76ee\u6807 DLL \u9700\u8981\u5bfc\u51fa\u81f3\u5c11\u4e00\u4e2a\u51fd\u6570\u3002Windows \u4e0d\u4f1a\u52a0\u8f7d\u5177\u6709\u7a7a\u767d\u5bfc\u5165\u67e5\u627e\u8868\uff08\u81f3\u5c11\u5728\u6211\u7684\u7cfb\u7edf\u4e0a\uff09\u7684\u5bfc\u5165 DLL\uff0c\u56e0\u6b64\u6211\u5728\u5bfc\u5165\u5e8f\u53f7 #1 \u7684\u67e5\u627e\u8868\u4e2d\u6dfb\u52a0\u4e86\u4e00\u4e2a\u6761\u76ee\u3002\u6b64\u5bfc\u51fa\u6761\u76ee\u5fc5\u987b\u5b58\u5728\u4e8e\u76ee\u6807 DLL \u4e2d\uff0c\u5426\u5219\u76ee\u6807\u8fdb\u7a0b\u5c06\u65e0\u6cd5\u542f\u52a8\u3002\u6211\u5c06\u5728\u672c\u6587\u672b\u5c3e\u5305\u542b\u793a\u4f8b DLL \u7684\u4ee3\u7801\u3002<\/p>\n\n\n\n
\u6211\u4eec\u4e0d\u80fd\u4fdd\u8bc1\u6709\u8db3\u591f\u7684\u7a7a\u95f4\u5728\u73b0\u6709\u7684 PE \u5934\u6570\u636e\u4e2d\u6dfb\u52a0\u989d\u5916\u7684\u6a21\u5757\u6761\u76ee\u3002\u4e3a\u4e86\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff0c\u6211\u5c06\u73b0\u6709\u7684\u5bfc\u5165\u63cf\u8ff0\u7b26\u5217\u8868\u590d\u5236\u5230\u6211\u5728\u5185\u5b58\u4e2d\u5206\u914d\u7684\u66f4\u5927\u7684\u7f13\u51b2\u533a\u4e2d\u3002\u7136\u540e\u5c06\u65b0\u7684 DLL \u9644\u52a0\u5230\u6b64\u5217\u8868\u4e2d\uff0c\u5e76\u5728VirtualAddress\u548cSize\u5b57\u6bb5\u4e2dIMAGE_DIRECTORY_ENTRY_IMPORT\u66f4\u65b0\u4e3a\u6307\u5411\u65b0\u5217\u8868\u3002<\/p>\n\n\n\n
\u6210\u529f\u6ce8\u5165\u540e\u6062\u590d\u539f\u59cb PE \u6807\u5934\u53ef\u6d88\u9664\u4efb\u4f55\u7be1\u6539\u8ff9\u8c61\u3002\u4f46\u662f\uff0c\u76ee\u6807 DLL \u4e0d\u4f1a\u4ee5\u4efb\u4f55\u65b9\u5f0f\u9690\u85cf – \u5b83\u5c06\u50cf\u4efb\u4f55\u5176\u4ed6\u5408\u6cd5\u52a0\u8f7d\u7684 DLL \u4e00\u6837\u5728\u5185\u5b58\u4e2d\u516c\u5f00\u53ef\u89c1\u3002<\/p>\n\n\n\n
\u5b8c\u6574\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n
#include <stdio.h>\n#include <windows.h>\n\nDWORD (WINAPI *NtQueryInformationProcess)(HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, DWORD ProcessInformationLength, DWORD *ReturnLength);\n\nstruct PROCESS_BASIC_INFORMATION\n{\n\tDWORD ExitStatus;\n\tvoid *PebBaseAddress;\n\tDWORD AffinityMask;\n\tDWORD BasePriority;\n\tDWORD UniqueProcessId;\n\tDWORD InheritedFromUniqueProcessId;\n};\n\nDWORD LaunchTargetProcess(char *pExePath, HANDLE *phProcess, HANDLE *phProcessMainThread)\n{\n\tPROCESS_INFORMATION ProcessInfo;\n\tSTARTUPINFO StartupInfo;\n\n\t\/\/ initialise startup data\n\tmemset((void*)&StartupInfo, 0, sizeof(StartupInfo));\n\tStartupInfo.cb = sizeof(StartupInfo);\n\n\tprintf(\"Launching target process...\\n\");\n\n\t\/\/ create target process (suspended)\n\tmemset((void*)&ProcessInfo, 0, sizeof(ProcessInfo));\n\tif(CreateProcess(NULL, pExePath, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &StartupInfo, &ProcessInfo) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ store handles\n\t*phProcess = ProcessInfo.hProcess;\n\t*phProcessMainThread = ProcessInfo.hThread;\n\n\treturn 0;\n}\n\nDWORD InjectDll(HANDLE hProcess, HANDLE hProcessMainThread, char *pDllPath)\n{\n\tIMAGE_DOS_HEADER ImageDosHeader;\n\tIMAGE_NT_HEADERS ImageNtHeader;\n\tIMAGE_NT_HEADERS ImageNtHeader_Original;\n\tPROCESS_BASIC_INFORMATION ProcessBasicInfo;\n\tDWORD dwExeBaseAddrPebPtr = 0;\n\tDWORD dwExeBaseAddr = 0;\n\tDWORD dwNtHeaderAddr = 0;\n\tDWORD dwDllPathLength = 0;\n\tvoid *pRemoteAlloc_DllPath = NULL;\n\tvoid *pRemoteAlloc_ImportLookupTable = NULL;\n\tvoid *pRemoteAlloc_ImportAddressTable = NULL;\n\tvoid *pRemoteAlloc_NewImportDescriptorList = NULL;\n\tDWORD dwImportLookupTable[2];\n\tDWORD dwExistingImportDescriptorEntryCount = 0;\n\tDWORD dwNewImportDescriptorEntryCount = 0;\n\tBYTE *pNewImportDescriptorList = NULL;\n\tIMAGE_IMPORT_DESCRIPTOR NewDllImportDescriptors[2];\n\tDWORD dwExistingImportDescriptorAddr = 0;\n\tBYTE *pCopyImportDescriptorDataPtr = NULL;\n\tDWORD dwNewImportDescriptorListDataLength = 0;\n\tDWORD dwOriginalProtection = 0;\n\tDWORD dwOriginalProtection2 = 0;\n\tDWORD dwCurrentImportAddressTable[2];\n\n\tprintf(\"Reading image base address from PEB...\\n\");\n\n\t\/\/ get process info\n\tmemset(&ProcessBasicInfo, 0, sizeof(ProcessBasicInfo));\n\tif(NtQueryInformationProcess(hProcess, 0, &ProcessBasicInfo, sizeof(ProcessBasicInfo), NULL) != 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ get target exe base address from PEB\n\tdwExeBaseAddrPebPtr = (DWORD)ProcessBasicInfo.PebBaseAddress + 8;\n\tif(ReadProcessMemory(hProcess, (void*)dwExeBaseAddrPebPtr, (void*)&dwExeBaseAddr, sizeof(DWORD), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\tprintf(\"Reading PE headers...\\n\");\n\n\t\/\/ read PE header from target process\n\tmemset((void*)&ImageDosHeader, 0, sizeof(ImageDosHeader));\n\tif(ReadProcessMemory(hProcess, (void*)dwExeBaseAddr, (void*)&ImageDosHeader, sizeof(ImageDosHeader), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ read NT header from target process\n\tdwNtHeaderAddr = dwExeBaseAddr + ImageDosHeader.e_lfanew;\n\tmemset((void*)&ImageNtHeader, 0, sizeof(ImageNtHeader));\n\tif(ReadProcessMemory(hProcess, (void*)dwNtHeaderAddr, (void*)&ImageNtHeader, sizeof(ImageNtHeader), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ save a copy of the original NT header\n\tmemcpy((void*)&ImageNtHeader_Original, (void*)&ImageNtHeader, sizeof(ImageNtHeader_Original));\n\n\t\/\/ calculate dll path length\n\tdwDllPathLength = strlen(pDllPath) + 1;\n\n\t\/\/ allocate buffer for the dll path in the remote process\n\tpRemoteAlloc_DllPath = VirtualAllocEx(hProcess, NULL, dwDllPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tif(pRemoteAlloc_DllPath == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ write dll path to remote process buffer\n\tif(WriteProcessMemory(hProcess, (void*)pRemoteAlloc_DllPath, pDllPath, dwDllPathLength, NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set import lookup table values (import ordinal #1)\n\tdwImportLookupTable[0] = 0x80000001;\n\tdwImportLookupTable[1] = 0;\n\n\t\/\/ allocate buffer for the new import lookup table in the remote process\n\tpRemoteAlloc_ImportLookupTable = VirtualAllocEx(hProcess, NULL, sizeof(dwImportLookupTable), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tif(pRemoteAlloc_ImportLookupTable == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ write import lookup table to remote process buffer\n\tif(WriteProcessMemory(hProcess, (void*)pRemoteAlloc_ImportLookupTable, (void*)dwImportLookupTable, sizeof(dwImportLookupTable), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ allocate buffer for the new import address table in the remote process\n\tpRemoteAlloc_ImportAddressTable = VirtualAllocEx(hProcess, NULL, sizeof(dwImportLookupTable), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tif(pRemoteAlloc_ImportAddressTable == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ write import address table to remote process buffer (initially the same values as the import lookup table)\n\tif(WriteProcessMemory(hProcess, (void*)pRemoteAlloc_ImportAddressTable, (void*)dwImportLookupTable, sizeof(dwImportLookupTable), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ set import descriptor values for injected dll\n\tNewDllImportDescriptors[0].OriginalFirstThunk = (DWORD)pRemoteAlloc_ImportLookupTable - dwExeBaseAddr;\n\tNewDllImportDescriptors[0].TimeDateStamp = 0;\n\tNewDllImportDescriptors[0].ForwarderChain = 0;\n\tNewDllImportDescriptors[0].Name = (DWORD)pRemoteAlloc_DllPath - dwExeBaseAddr;\n\tNewDllImportDescriptors[0].FirstThunk = (DWORD)pRemoteAlloc_ImportAddressTable - dwExeBaseAddr;\n\n\t\/\/ end of import descriptor chain\n\tNewDllImportDescriptors[1].OriginalFirstThunk = 0;\n\tNewDllImportDescriptors[1].TimeDateStamp = 0;\n\tNewDllImportDescriptors[1].ForwarderChain = 0;\n\tNewDllImportDescriptors[1].Name = 0;\n\tNewDllImportDescriptors[1].FirstThunk = 0;\n\n\t\/\/ calculate existing number of imported dll modules\n\tdwExistingImportDescriptorEntryCount = ImageNtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size \/ sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\n\tif(dwExistingImportDescriptorEntryCount == 0)\n\t{\n\t\t\/\/ the target process doesn't have any imported dll entries - this is highly unusual but not impossible\n\t\tdwNewImportDescriptorEntryCount = 2;\n\t}\n\telse\n\t{\n\t\t\/\/ add one extra dll entry\n\t\tdwNewImportDescriptorEntryCount = dwExistingImportDescriptorEntryCount + 1;\n\t}\n\n\t\/\/ allocate new import description list (local)\n\tdwNewImportDescriptorListDataLength = dwNewImportDescriptorEntryCount * sizeof(IMAGE_IMPORT_DESCRIPTOR);\n\tpNewImportDescriptorList = (BYTE*)malloc(dwNewImportDescriptorListDataLength);\n\tif(pNewImportDescriptorList == NULL)\n\t{\n\t\treturn 1;\n\t}\n\n\tif(dwExistingImportDescriptorEntryCount != 0)\n\t{\n\t\t\/\/ read existing import descriptor entries\n\t\tdwExistingImportDescriptorAddr = dwExeBaseAddr + ImageNtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;\n\t\tif(ReadProcessMemory(hProcess, (void*)dwExistingImportDescriptorAddr, pNewImportDescriptorList, dwExistingImportDescriptorEntryCount * sizeof(IMAGE_IMPORT_DESCRIPTOR), NULL) == 0)\n\t\t{\n\t\t\tfree(pNewImportDescriptorList);\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\t\/\/ copy the new dll import (and terminator entry) to the end of the list\n\tpCopyImportDescriptorDataPtr = pNewImportDescriptorList + dwNewImportDescriptorListDataLength - sizeof(NewDllImportDescriptors);\n\tmemcpy(pCopyImportDescriptorDataPtr, (void*)NewDllImportDescriptors, sizeof(NewDllImportDescriptors));\n\n\t\/\/ allocate buffer for the new import descriptor list in the remote process\n\tpRemoteAlloc_NewImportDescriptorList = VirtualAllocEx(hProcess, NULL, dwNewImportDescriptorListDataLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tif(pRemoteAlloc_NewImportDescriptorList == NULL)\n\t{\n\t\tfree(pNewImportDescriptorList);\n\t\treturn 1;\n\t}\n\n\t\/\/ write new import descriptor list to remote process buffer\n\tif(WriteProcessMemory(hProcess, (void*)pRemoteAlloc_NewImportDescriptorList, pNewImportDescriptorList, dwNewImportDescriptorListDataLength, NULL) == 0)\n\t{\n\t\tfree(pNewImportDescriptorList);\n\t\treturn 1;\n\t}\n\n\t\/\/ free local import descriptor list buffer\n\tfree(pNewImportDescriptorList);\n\n\tprintf(\"Updating PE headers...\\n\");\n\n\t\/\/ change the import descriptor address in the remote NT header to point to the new list\n\tImageNtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)pRemoteAlloc_NewImportDescriptorList - dwExeBaseAddr;\n\tImageNtHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = dwNewImportDescriptorListDataLength;\n\n\t\/\/ make NT header writable\n\tif(VirtualProtectEx(hProcess, (LPVOID)dwNtHeaderAddr, sizeof(ImageNtHeader), PAGE_EXECUTE_READWRITE, &dwOriginalProtection) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ write updated NT header to remote process\n\tif(WriteProcessMemory(hProcess, (void*)dwNtHeaderAddr, (void*)&ImageNtHeader, sizeof(ImageNtHeader), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\tprintf(\"Resuming process...\\n\");\n\n\t\/\/ resume target process execution\n\tResumeThread(hProcessMainThread);\n\n\tprintf(\"Waiting for target DLL...\\n\");\n\n\t\/\/ wait for the target process to load the DLL\n\tfor(;;)\n\t{\n\t\t\/\/ read the IAT table for the injected DLL\n\t\tmemset((void*)dwCurrentImportAddressTable, 0, sizeof(dwCurrentImportAddressTable));\n\t\tif(ReadProcessMemory(hProcess, (void*)pRemoteAlloc_ImportAddressTable, (void*)dwCurrentImportAddressTable, sizeof(dwCurrentImportAddressTable), NULL) == 0)\n\t\t{\n\t\t\treturn 1;\n\t\t}\n\n\t\t\/\/ check if the IAT table has been processed\n\t\tif(dwCurrentImportAddressTable[0] == dwImportLookupTable[0])\n\t\t{\n\t\t\t\/\/ IAT table for injected DLL not yet processed - try again in 100ms\n\t\t\tSleep(100);\n\n\t\t\tcontinue;\n\t\t}\n\n\t\t\/\/ DLL has been loaded by target process\n\t\tbreak;\n\t}\n\n\tprintf(\"Restoring original PE headers...\\n\");\n\n\t\/\/ restore original NT headers in target process\n\tif(WriteProcessMemory(hProcess, (void*)dwNtHeaderAddr, (void*)&ImageNtHeader_Original, sizeof(ImageNtHeader), NULL) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ restore original protection value for remote NT headers\n\tif(VirtualProtectEx(hProcess, (LPVOID)dwNtHeaderAddr, sizeof(ImageNtHeader), dwOriginalProtection, &dwOriginalProtection2) == 0)\n\t{\n\t\treturn 1;\n\t}\n\n\t\/\/ free temporary memory in remote process\n\tVirtualFreeEx(hProcess, pRemoteAlloc_DllPath, 0, MEM_RELEASE);\n\tVirtualFreeEx(hProcess, pRemoteAlloc_ImportLookupTable, 0, MEM_RELEASE);\n\tVirtualFreeEx(hProcess, pRemoteAlloc_ImportAddressTable, 0, MEM_RELEASE);\n\tVirtualFreeEx(hProcess, pRemoteAlloc_NewImportDescriptorList, 0, MEM_RELEASE);\n\n\treturn 0;\n}\n\nint main(int argc, char *argv[])\n{\n\tHANDLE hProcess = NULL;\n\tHANDLE hProcessMainThread = NULL;\n\tchar *pExePath = NULL;\n\tchar *pInjectDllPath = NULL;\n\tchar szInjectDllFullPath[512];\n\n\tprintf(\"ImportDLLInjection - www.x86matthew.com\\n\\n\");\n\n\tif(argc != 3)\n\t{\n\t\tprintf(\"Usage: %s [exe_path] [inject_dll_path]\\n\\n\", argv[0]);\n\n\t\treturn 1;\n\t}\n\n\t\/\/ get params\n\tpExePath = argv[1];\n\tpInjectDllPath = argv[2];\n\n\t\/\/ get full path from dll filename\n\tmemset(szInjectDllFullPath, 0, sizeof(szInjectDllFullPath));\n\tif(GetFullPathName(pInjectDllPath, sizeof(szInjectDllFullPath) - 1, szInjectDllFullPath, NULL) == 0)\n\t{\n\t\tprintf(\"Invalid DLL path\\n\");\n\n\t\treturn 1;\n\t}\n\n\t\/\/ get NtQueryInformationProcess function ptr\n\tNtQueryInformationProcess = (unsigned long (__stdcall *)(void *,unsigned long,void *,unsigned long,unsigned long *))GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQueryInformationProcess\");\n\tif(NtQueryInformationProcess == NULL)\n\t{\n\t\tprintf(\"Failed to find NtQueryInformationProcess function\\n\");\n\n\t\treturn 1;\n\t}\n\n\t\/\/ launch target process\n\tif(LaunchTargetProcess(pExePath, &hProcess, &hProcessMainThread) != 0)\n\t{\n\t\tprintf(\"Failed to launch target process\\n\");\n\n\t\treturn 1;\n\t}\n\n\t\/\/ inject DLL into target process\n\tif(InjectDll(hProcess, hProcessMainThread, szInjectDllFullPath) != 0)\n\t{\n\t\tprintf(\"Failed to inject DLL\\n\");\n\n\t\t\/\/ error\n\t\tTerminateProcess(hProcess, 0);\n\t\tCloseHandle(hProcessMainThread);\n\t\tCloseHandle(hProcess);\n\n\t\treturn 1;\n\t}\n\n\tprintf(\"Finished\\n\");\n\n\t\/\/ close handles\n\tCloseHandle(hProcessMainThread);\n\tCloseHandle(hProcess);\n\n\treturn 0;\n}<\/code><\/pre>\n\n\n\n
Sample DLL:<\/p>\n\n\n\n
#include <stdio.h>\n#include <windows.h>\n\n\/\/ a blank exported function - this will be ordinal #1\n__declspec(dllexport) void __cdecl ExportedFunction(void)\n{\n}\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\n{\n\tif(fdwReason == DLL_PROCESS_ATTACH)\n\t{\n\t\t\/\/ display a message box\n\t\tMessageBox(NULL, \"MessageBox from injected DLL\", \"www.x86matthew.com\", MB_OK);\n\t}\n\n    return 1;\n}\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/www.x86matthew.com\/view_post?id=import_dll […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[58,45,37,43],"tags":[68],"class_list":["post-208","post","type-post","status-publish","format-standard","hentry","category-windows","category-x86matthew-com","category-samples","category-infoarticle","tag-injection"],"views":1863,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=208"}],"version-history":[{"count":1,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/208\/revisions"}],"predecessor-version":[{"id":209,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/208\/revisions\/209"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}