  • KnownDlls anti-hijacking

    KnownDlls must reside in the system directory, and the KnownDlls list is read from the registry once, at system startup. From then on, when one of these DLLs is loaded, the system directory is searched first and the current directory only afterwards. (On NT-based Windows the session manager actually maps each listed DLL into a section object under \KnownDlls at boot, and the loader uses that section rather than searching the disk, which is exactly why a planted copy is never picked up.)

    Windows ships with its own KnownDlls list: the DLLs named in the registry are the ones it uses, and any other copy of them is ignored.
    KnownDlls, as the name suggests, are the DLLs loaded from the system directory by default. Dropping an impostor DLL into the directory an executable starts from, where it waits to be loaded, has long since stopped being an original trick for malware. Because an application resolves the DLLs it needs from its own directory before the system directories, a trojan gains one more way to get started, and the KnownDlls key is precisely the blade that cuts off that path: however many impostor DLLs sit in the current directory, the application fetches a KnownDll from the SYSTEM directory, so the impostor never does any harm. Note that since Windows XP SP2 SafeDllSearchMode (on by default) also moves the process's current directory below the system directories, but the executable's own directory is still searched first, so an impostor placed next to the EXE still wins for any DLL that is not a KnownDll.


    The workaround is to delete the lpk value (value name without extension, data lpk.dll) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs and reboot; after that the DLL can be hijacked. This deliberately weakens the machine and needs an elevated session, and the change only takes effect at the next boot, because the list is read once at startup.

    On Windows 7 there is a value called ExcludeFromKnownDlls (a REG_MULTI_SZ, one DLL file name per line) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager; create it if it is missing, add your Lpk.dll to it and reboot. This route is needed because on Windows 7 the KnownDlls key itself cannot be modified, even by an administrator.
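The following PowerShell is an added example, not code from the original post. It reads the Session Manager values named above to report whether a given DLL is currently covered by KnownDLLs, implements the Windows 7 step (ExcludeFromKnownDlls) for a lab machine, and includes the check a defender would run to spot that weakening. Assumptions: the write requires an elevated session; lpk.dll is only a sample name; the backup file location is arbitrary.

```powershell
# Added example, not code from the original post. Documented registry locations are used;
# lpk.dll is a sample name and the backup path is an arbitrary choice.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-KnownDllExclusions {
    # ExcludeFromKnownDlls is a REG_MULTI_SZ of DLL file names; an absent value means "none".
    $v = Get-ItemProperty -Path $SessionManager -Name ExcludeFromKnownDlls -ErrorAction SilentlyContinue
    if ($v) { return @($v.ExcludeFromKnownDlls | Where-Object { $_ }) }
    return @()
}

function Test-KnownDll {
    param([Parameter(Mandatory)][string]$DllName)
    $base  = [IO.Path]::GetFileNameWithoutExtension($DllName)
    $known = Get-ItemProperty -Path "$SessionManager\KnownDLLs"
    # Value name = module name without extension, value data = file name with extension.
    # DllDirectory/DllDirectory32 and the PS* provider properties are not DLL entries.
    $entry = $known.PSObject.Properties | Where-Object {
        $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' -and
        ($_.Name -ieq $base -or "$($_.Value)" -ieq $DllName)
    }
    $excluded = @(Get-KnownDllExclusions) -icontains $DllName
    # The list is consumed by the session manager at boot, so this reflects the registry
    # as it stands now, not necessarily the sections currently mapped under \KnownDlls.
    [pscustomobject]@{
        Dll         = $DllName
        InKnownDlls = [bool]$entry
        Excluded    = $excluded
        Protected   = ([bool]$entry -and -not $excluded)
    }
}

function Add-KnownDllExclusion {
    # LAB ONLY: this weakens KnownDLLs for $DllName machine-wide from the next reboot on.
    param([Parameter(Mandatory)][string]$DllName)
    $current = @(Get-KnownDllExclusions)
    if ($current -icontains $DllName) { return $current }
    # Keep a copy of the old value so the change can be reverted.
    $backup = Join-Path $env:TEMP 'ExcludeFromKnownDlls.backup.txt'
    Set-Content -Path $backup -Value @($current)
    $new = $current + $DllName
    Set-ItemProperty -Path $SessionManager -Name ExcludeFromKnownDlls -Value $new -Type MultiString
    return $new
}

function Find-KnownDllWeakening {
    # Defender's check: any exclusion at all deserves a look, since a stock installation
    # does not need one.
    foreach ($name in Get-KnownDllExclusions) {
        [pscustomobject]@{ Finding = 'ExcludeFromKnownDlls entry'; Dll = $name; Key = $SessionManager }
    }
}

# Sample usage
Test-KnownDll -DllName 'lpk.dll' | Format-List
Find-KnownDllWeakening
# Add-KnownDllExclusion -DllName 'lpk.dll'   # lab machine only; elevated; reboot to apply
```

Which DLLs appear in KnownDLLs differs between Windows versions, so run Test-KnownDll rather than assuming lpk.dll is (or is not) listed on a given build.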


    Microsoft's official explanation of KnownDLLs (KB 164501) is attached here:

    DLLs: 32-bit

    For 32-bit DLLs the KnownDLLs registry key is found at:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs

    The REG_SZ registry value name is the name of the DLL without the extension. The registry value data is the name of the DLL with the extension. This entry affects only implicitly loaded DLLs, not DLLs loaded using the LoadLibrary() API.

    Without this entry, Windows NT uses the following search order to locate the DLL:
    1. The directory of the executable for the process that is loading the DLL.
    2. The current directory of the process that is loading the DLL.
    3. The \WINNT\SYSTEM32 directory.
    4. The \WINNT directory.
    5. A directory listed in the path environment variable.
    With the KnownDLLs registry entry, Windows NT uses the following search order to locate the DLL:
    1. The \WINNT\SYSTEM32 directory.
    2. The directory of the executable for the process that is loading the DLL.
    3. The current directory of the process that is loading the DLL.
    4. The \WINNT directory.
    5. A directory listed in the PATH environment variable.
    http://support.microsoft.com/kb/164501/en-us
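The following PowerShell is an added example, not part of the original post or of the KB article. It lays out the directories the loader consults for an implicitly loaded DLL in the order the KB gives, optionally in the SafeDllSearchMode order (the default since Windows XP SP2, which demotes the current directory), and reports which copy on disk would win. Assumptions: $ExeDirectory and $DllName are whatever the caller passes; the planted file in the usage section is a constructed placeholder, not a real DLL; a 32-bit process on 64-bit Windows would use SysWOW64, which this example does not model.

```powershell
# Added example, not from the original post or KB 164501. Directory set and order follow
# the KB text plus SafeDllSearchMode; the planted file below is a constructed stand-in.
function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$DllName,
        [Parameter(Mandatory)][string]$ExeDirectory,
        [switch]$KnownDll,
        [switch]$SafeDllSearchMode
    )
    $system32 = [Environment]::SystemDirectory
    $windir   = $env:SystemRoot
    $cwd      = (Get-Location).ProviderPath
    $pathDirs = @($env:PATH -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })

    if ($SafeDllSearchMode) {
        # XP SP2+ default: the current directory drops below the Windows directories.
        $order = @($ExeDirectory, $system32, $windir, $cwd) + $pathDirs
    } else {
        # Legacy order from the KB: current directory right after the EXE's directory.
        $order = @($ExeDirectory, $cwd, $system32, $windir) + $pathDirs
    }
    if ($KnownDll) {
        # KB 164501: a KnownDLL is taken from the system directory before anything else.
        # (On NT-based Windows the loader actually maps the boot-time section from
        # \KnownDlls and never looks at the executable's directory at all.)
        $order = @($system32) + @($order | Where-Object { $_ -ne $system32 })
    }

    $hits = @(foreach ($dir in $order) {
        $candidate = Join-Path -Path $dir -ChildPath $DllName -ErrorAction SilentlyContinue
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) { $candidate }
    })
    $resolved = if ($hits.Count) { $hits[0] } else { $null }
    [pscustomobject]@{
        Dll      = $DllName
        Order    = $order
        Resolved = $resolved
        Shadowed = @($hits | Select-Object -Skip 1)   # copies that lose to Resolved
    }
}

function Get-SafeDllSearchModeSetting {
    # REG_DWORD under Session Manager; an absent value means enabled on XP SP2 and later.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                          -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return [bool]$v.SafeDllSearchMode
}

# Constructed lab scenario: an impostor lpk.dll placed beside the executable.
$lab = Join-Path $env:TEMP 'dll-order-lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Content -Path (Join-Path $lab 'lpk.dll') -Value 'placeholder, not a real DLL'
$safe = Get-SafeDllSearchModeSetting

# Not a KnownDLL: the copy next to the EXE wins, with or without SafeDllSearchMode.
(Get-DllSearchOrder -DllName 'lpk.dll' -ExeDirectory $lab -SafeDllSearchMode:$safe).Resolved
# As a KnownDLL: the system directory copy wins and the planted one is merely shadowed.
Get-DllSearchOrder -DllName 'lpk.dll' -ExeDirectory $lab -SafeDllSearchMode:$safe -KnownDll |
    Select-Object Resolved, Shadowed
```

The Shadowed list is the useful output for a reviewer: a DLL that resolves from the system directory but also exists beside an application's executable is exactly the situation the post describes, and it is worth asking why the second copy is there.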

  • Original post: https://www.cnblogs.com/hgy413/p/3693480.html