Ring3下Dll注入方法整理汇总
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Ring3下Dll注⼊⽅法整理汇总
1.dll劫持,粗略整理了下,可以劫持的dll有(持续更新):
lpk.dll、usp10.dll、msimg32.dll、midimap.dll、ksuser.dll、comres.dll、ddraw.dll
以lpk为例,在win7下由于lpk被加⼊KnownDLLs且该注册表值不可修改,使得lpk强制从系统⽬录加载,
不过可以将lpk.dll加⼊ExcludeFromKnownDlls来解决,具体可以创建⼀个lpk.reg⽂件:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ExcludeFromKnownDlls"=hex(7):6c,00,70,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00,\
00,00
成功导⼊后需要重新启动电脑才能⽣效。
另外win7下的lpk在编写⽅⾯需要注意:
WIN7有的程序调⽤LPK.DLL的LpkInitialize输出函数在LPK的初始化前⾯.
要在LpkInitialize这个函数中加⼊⼀些处理,并且这部分代码不能加密.
因此为了兼容各个系统,可以在DllMain和LpkInitialize⾥均做判断,如果没有初始化就进⾏初始化。
下⾯贴出完整代码:// lpk.cpp : Defines the entry point for the DLL application.
//
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 头⽂件
#include "stdafx.h"
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
#pragma comment(linker, "/EXPORT:LpkInitialize=_AheadLib_LpkInitialize,@1")
#pragma comment(linker, "/EXPORT:LpkTabbedTextOut=_AheadLib_LpkTabbedTextOut,@2")
#pragma comment(linker, "/EXPORT:LpkDllInitialize=_AheadLib_LpkDllInitialize,@3")
#pragma comment(linker, "/EXPORT:LpkDrawTextEx=_AheadLib_LpkDrawTextEx,@4")
//#pragma comment(linker, "/EXPORT:LpkEditControl=_AheadLib_LpkEditControl,@5")
#pragma comment(linker, "/EXPORT:LpkExtTextOut=_AheadLib_LpkExtTextOut,@6")
#pragma comment(linker, "/EXPORT:LpkGetCharacterPlacement=_AheadLib_LpkGetCharacterPlacement,@7")
#pragma comment(linker, "/EXPORT:LpkGetTextExtentExPoint=_AheadLib_LpkGetTextExtentExPoint,@8")
#pragma comment(linker, "/EXPORT:LpkPSMTextOut=_AheadLib_LpkPSMTextOut,@9")
#pragma comment(linker, "/EXPORT:LpkUseGDIWidthCache=_AheadLib_LpkUseGDIWidthCache,@10")
#pragma comment(linker, "/EXPORT:ftsWordBreak=_AheadLib_ftsWordBreak,@11")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 宏定义
#define EXTERNC extern "C"
#define NAKED __declspec(naked)
#define EXPORT __declspec(dllexport)
#define ALCPP EXPORT NAKED
#define ALSTD EXTERNC EXPORT NAKED void __stdcall
#define ALCFAST EXTERNC EXPORT NAKED void __fastcall
#define ALCDECL EXTERNC NAKED void __cdecl
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//LpkEditControl导出的是数组,不是单⼀的函数(by Backer)
EXTERNC void __cdecl AheadLib_LpkEditControl(void);
EXTERNC __declspec(dllexport) void (*LpkEditControl[14])() = {AheadLib_LpkEditControl};
////////////////////////////////////////////////////////////////////////////////////////////////
//添加全局变量
BOOL g_bInited = FALSE;
////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// AheadLib 命名空间
namespace AheadLib
{
HMODULE m_hModule = NULL; // 原始模块句柄
// 加载原始模块
BOOL WINAPI Load()
{
TCHAR tzPath[MAX_PATH];
TCHAR tzTemp[MAX_PATH * 2];
GetSystemDirectory(tzPath, MAX_PATH);
lstrcat(tzPath, TEXT("\\lpk.dll"));
OutputDebugString(tzPath);
m_hModule=LoadLibrary(tzPath);
if (m_hModule == NULL)
{
wsprintf(tzTemp, TEXT("⽆法加载 %s,程序⽆法正常运⾏。
"), tzPath);
MessageBox(NULL, tzTemp, TEXT("AheadLib"), MB_ICONSTOP);
};
return (m_hModule != NULL);
}
// 释放原始模块
VOID WINAPI Free()
{
if (m_hModule)
{
FreeLibrary(m_hModule);
}
}
// 获取原始函数地址
FARPROC WINAPI GetAddress(PCSTR pszProcName)
{
FARPROC fpAddress;
CHAR szProcName[16];
TCHAR tzTemp[MAX_PATH];
fpAddress = GetProcAddress(m_hModule, pszProcName);
if (fpAddress == NULL)
{
if (HIWORD(pszProcName) == 0)
{
wsprintf(szProcName, "%d", pszProcName);
pszProcName = szProcName;
}
wsprintf(tzTemp, TEXT("⽆法找到函数 %hs,程序⽆法正常运⾏。
"), pszProcName);
MessageBox(NULL, tzTemp, TEXT("AheadLib"), MB_ICONSTOP);
ExitProcess(-2);
}
return fpAddress;
}
}
using namespace AheadLib;
////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////
//函数声明
void WINAPIV Init(LPVOID pParam);
////////////////////////////////////////////////////////////////////////////////////////////////
void WINAPIV Init(LPVOID pParam)
{
//在这⾥添加DLL加载代码
return;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// ⼊⼝函数
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hModule);
if ( g_bInited==FALSE ){
Load();
g_bInited = TRUE;
}
//LpkEditControl这个数组有14个成员,必须将其复制过来
memcpy((LPVOID)(LpkEditControl+1), (LPVOID)((int*)GetAddress("LpkEditControl") + 1),52); _beginthread(Init,NULL,NULL);
}
else if (dwReason == DLL_PROCESS_DETACH)
{
Free();
}
return TRUE;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
ALCDECL AheadLib_LpkInitialize(void)
{
if ( g_bInited==FALSE ){
Load();
g_bInited = TRUE;
}
GetAddress("LpkInitialize");
__asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkTabbedTextOut(void)
{
GetAddress("LpkTabbedTextOut");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkDllInitialize(void)
{
GetAddress("LpkDllInitialize");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkDrawTextEx(void)
{
GetAddress("LpkDrawTextEx");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkEditControl(void)
{
GetAddress("LpkEditControl");
__asm jmp DWORD ptr [EAX];//这⾥的LpkEditControl是数组,eax存的是函数指针}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkExtTextOut(void)
{
GetAddress("LpkExtTextOut");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkGetCharacterPlacement(void)
{
GetAddress("LpkGetCharacterPlacement");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkGetTextExtentExPoint(void)
{
GetAddress("LpkGetTextExtentExPoint");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkPSMTextOut(void)
{
GetAddress("LpkPSMTextOut");
__asm JMP EAX;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数
ALCDECL AheadLib_LpkUseGDIWidthCache(void)
{
GetAddress("LpkUseGDIWidthCache");
__asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 导出函数
ALCDECL AheadLib_ftsWordBreak(void)
{
GetAddress("ftsWordBreak");
__asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
2.通过CreateRemoteThread创建远程线程。
XP以下使⽤代码:
BOOL WINAPI RemoteLoadLibrary(LPCTSTR pszDllName, DWORD dwProcessId)
{
// 打开⽬标进程
HANDLE hProcess = ::OpenProcess(
PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessId);
if(hProcess == NULL)
return FALSE;
// 在⽬标进程申请空间,存放字符串pszDllName,作为远程线程的参数
int cbSize = (::lstrlen(pszDllName) + 1);
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);
// 取得LoadLibraryA函数的地址,我们将以它作为远程线程函数启动
HMODULE hModule=::GetModuleHandle (_T("kernel32.dll"));
LPTHREAD_START_ROUTINE pfnStartRoutine =
(LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "LoadLibraryA");
// 启动远程线程
HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
if(hRemoteThread == NULL)
{
::CloseHandle(hProcess);
return FALSE;
}
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
我参考上⾯资料和代码,稍作整理使之编译通过并能使⽤,⽬标进程打开时最好使⽤PROCESS_ALL_ACCESS权限。
vista的较为简单些,只要修改⼀个内存⾥的数值,这⾥不再实现。
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID,*PCLIENT_ID;
typedef struct _INITIAL_TEB
{
PVOID PreviousStackBase;
PVOID PreviousStackLimit;
PVOID StackBase;
PVOID StackLimit;
PVOID AllocatedStackBase;
} INITIAL_TEB, *PINITIAL_TEB;
typedef NTSTATUS (NTAPI *TZwAllocateVirtualMemory)(
__in HANDLE ProcessHandle,
__inout PVOID *BaseAddress,
__in ULONG_PTR ZeroBits,
__inout PSIZE_T RegionSize,
__in ULONG AllocationType,
__in ULONG Protect
);
static TZwAllocateVirtualMemory ZwAllocateVirtualMemory = (TZwAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwAllocateVirtualMemory"); typedef NTSYSAPI NTSTATUS (NTAPI *TZwWriteVirtualMemory) ( IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN SIZE_T NumberOfBytesToWrite,
OUT PSIZE_T NumberOfBytesWritten
);
static TZwWriteVirtualMemory ZwWriteVirtualMemory = (TZwWriteVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwWriteVirtualMemory"); typedef NTSYSAPI NTSTATUS (NTAPI *TZwProtectVirtualMemory) ( IN HANDLE ProcessHandle,
IN PVOID * BaseAddress,
IN SIZE_T * NumberOfBytesToProtect,
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
);
static TZwProtectVirtualMemory ZwProtectVirtualMemory = (TZwProtectVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwProtectVirtualMemory"); typedef NTSYSAPI NTSTATUS (NTAPI *TZwGetContextThread) ( IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);
static TZwGetContextThread ZwGetContextThread = (TZwGetContextThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwGetContextThread");
typedef NTSYSAPI NTSTATUS (NTAPI *TZwCreateThread) ( OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB UserStack,
IN BOOLEAN CreateSuspended
);
static TZwCreateThread ZwCreateThread = (TZwCreateThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateThread");
typedef NTSYSAPI NTSTATUS (NTAPI *TZwResumeThread) ( IN HANDLE ThreadHandle,
OUT PULONG SuspendCount
);
static TZwResumeThread ZwResumeThread = (TZwResumeThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwResumeThread");
HANDLE WINAPI myCreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId)
{
//by 80695073(QQ)
//email kiss2008ufo@
CONTEXT context = {CONTEXT_FULL};
CLIENT_ID cid={hProcess};
DWORD ret;
HANDLE hThread = NULL;
DWORD StackReserve;
DWORD StackCommit = 0x1000;
ULONG_PTR Stack = 0;
INITIAL_TEB InitialTeb={};
ULONG x;
const CHAR myBaseThreadInitThunk[] =
{
// 00830000 8BFF mov edi, edi
'\x8B','\xFF',
// 00830002 55 push ebp
'\x55',
// 00830003 8BEC mov ebp, esp
'\x8B','\xEC',
// 00830005 51 push ecx //ntdll.RtlExitUserThread
'\x51',
// 00830006 53 push ebx //参数
'\x53',
// 00830007 FFD0 call eax //函数地址
'\xFF','\xD0',
// 00830009 59 pop ecx //恢复结束函数地址
'\x59',
// 0083000A 50 push eax //将刚才的结果压栈
'\x50',
// 0083000B FFD1 call ecx //调⽤RtlExitUserThread 结束
'\xFF','\xD1',
// 0083000D 90 nop
'\x90'
};
PVOID pBaseThreadThunk = NULL; //不能释放
//0、分配⾮OS的加载函数
StackReserve = 0x1000;
ret = ZwAllocateVirtualMemory(hProcess,
/*&stack.ExpandableStackBottom*/(PVOID*)&pBaseThreadThunk,
0,
&StackReserve,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory0 !\n");
goto myCreateRemoteThreadRet;
//end
}
ret = ZwWriteVirtualMemory(hProcess,
pBaseThreadThunk,
(LPVOID)myBaseThreadInitThunk,
sizeof(myBaseThreadInitThunk),&x);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory0 !\n");
goto myCreateRemoteThreadRet;
//end
}
//1、准备堆栈
StackReserve = 0x10000;
ret = ZwAllocateVirtualMemory(hProcess,
/*&stack.ExpandableStackBottom*/(PVOID*)&Stack,
0,
&StackReserve,
MEM_RESERVE,
PAGE_READWRITE);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory1!\n");
goto myCreateRemoteThreadRet;
//end
}
TRACE("OK myCreateRemoteThread:ZwAllocateVirtualMemory 0x%08x\n",Stack);
InitialTeb.AllocatedStackBase = (PVOID)Stack;
InitialTeb.StackBase = (PVOID)(Stack + StackReserve);
/* Update the Stack Position */
Stack += StackReserve - StackCommit;
Stack -= 0x1000;
StackCommit += 0x1000;
/* Allocate memory for the stack */
ret = ZwAllocateVirtualMemory(hProcess,
(PVOID*)&Stack,
0,
&StackCommit,
MEM_COMMIT,
PAGE_READWRITE);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory2!\n");
goto myCreateRemoteThreadRet;
//end
}
TRACE("OK myCreateRemoteThread:ZwAllocateVirtualMemory 2 0x%08x\n",Stack);
InitialTeb.StackLimit = (PVOID)Stack;
StackReserve = 0x1000;
ret = ZwProtectVirtualMemory(hProcess, (PVOID*)&Stack, &StackReserve, PAGE_READWRITE | PAGE_GUARD, &x);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwProtectVirtualMemory!\n");
goto myCreateRemoteThreadRet;
//end
}
/* Update the Stack Limit keeping in mind the Guard Page */
InitialTeb.StackLimit = (PVOID)((ULONG_PTR)InitialTeb.StackLimit - 0x1000);
//2、准备CONTEXT
// CONTEXT context = {CONTEXT_FULL};
ret = ZwGetContextThread(GetCurrentThread(),&context);
if (ret >= 0x80000000)
{
//失败
TRACE("Error IN myCreateRemoteThread ZwGetContextThread!\n");
goto myCreateRemoteThreadRet;
//end
}
context.Esp = (DWORD)InitialTeb.StackBase;
context.Eip = (DWORD)pBaseThreadThunk; //这⾥填写需要加载的地址,不过需要⾃⼰终结⾃⼰
context.Ebx = (DWORD)lpParameter;
//other init
//must
context.Eax = (DWORD)lpStartAddress;
context.Ecx = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlExitUserThread");//0x778B0859;/*win7*///0x77AEEC01;/*vista*/ //ntdll.RtlExitUserThread context.Edx = 0x00000000; //nouse
ret = ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &InitialTeb, TRUE);
if (ret >= 0x80000000)
{
//失败
TRACE("Error %d\n",GetLastError());
goto myCreateRemoteThreadRet;
}
if(lpThreadId)
{
*lpThreadId = (DWORD)cid.UniqueThread;
}
if (!(dwCreationFlags & CREATE_SUSPENDED))
{
ZwResumeThread(hThread, NULL);
}
myCreateRemoteThreadRet:
return hThread;
}
最后通⽤的使⽤⽅法是:
// 启动远程线程
HANDLE hRemoteThread = NULL;
OSVERSIONINFO svex = {sizeof(OSVERSIONINFO)};
GetVersionEx(&svex);
if( svex.dwMajorVersion<=5 ){
hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
}else{
hRemoteThread = myCreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
}
3.通过SetWindowsHookEx安装钩⼦,如WH_CALLWNDPROC,WH_KEYBOARD,WH_MOUSE,WH_GETMESSAGE钩⼦可以实现全局注⼊。
SetWindowsHookEx(WH_MOUSE,(HOOKPROC)MouseProc,AfxGetInstanceHandle(),dwThreadId);
4.AppInit_DLLs⽅式:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs注⼊到所有加载了user32.dll的进程。
win7下会被映射到:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows,
并且需要设置LoadAppInit_DLLs为1时AppInit_DLLs才会被启⽤,默认为0。
例如在xp下创建⼀个.reg⽂件:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\message.dll"
⼿动导⼊后是可以加载指定dll的,但是在win7下⾯就不⾏,通过该.reg⽂件操作的注册表⼦键路径并没有被重定向到
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows,
但是通过写代码的⽅式是成功的:
void LoadLibByAppInit_DLLs(LPCTSTR pszDllName,BOOL bInstall)
{
HKEY hKey = NULL;
DWORD dwRet = 0;
//win7下会被映射到:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
if ( RegCreateKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"), 0, 0, 0, KEY_ALL_ACCESS, 0, &hKey, 0)!=ERROR_SUCCESS ){ return;
}
dwRet = RegSetValueEx(hKey,_T("LoadAppInit_DLLs"),0,REG_DWORD,(const BYTE *)&bInstall,sizeof(bInstall));
if ( bInstall ){
dwRet = RegSetValueEx(hKey,_T("AppInit_Dlls"),0,REG_SZ,(const BYTE *)pszDllName,lstrlen(pszDllName));
}else{
dwRet = RegSetValueEx(hKey,_T("AppInit_DLLs"),NULL,REG_SZ,NULL,0);
}
RegCloseKey(hKey);
}
在win7下还有⼀个值RequireSignedAppInit_DLLs,如果为1表⽰则只加载有签名的dll,默认为0表⽰不对dll进⾏验证。
5.ShellExecuteHooks⽅式:
local_machine\software\microsoft\windows\currentversion\Explorer\ShellExecuteHooks注⼊到explorer.exe进程。
9.输⼊表⽅式注⼊,原理就是为⽬标pe⽂件增加⼀个导⼊函数,这个导⼊的函数是在要注⼊的dll中。
这样当⽬标PE⽂件被加载时会由系统来完成它的导⼊库的装载⼯作,这样你的DLL就能被加载进去了。
可以使⽤类似DIYTools的PE⼯具来完成,代码我就不写了。
10.CreateProcess以挂起的⽅式创建⽬标进程,修改⼊⼝代码加载指定dll,恢复⼊⼝代码唤醒进程。
11.使⽤微软提供的detours库函数DetourCreateProcessWithDll创建进程并为进程加载指定dll,这个⽅法原理上就是上⾯的CreateProcess⽅法,只不过更简单更稳定了,拿来主义嘛。
12.通过DXG⽅式注⼊使⽤DirectX的进程,暂⽆资料。
13.RegisterUserApiHook。