利用DLL劫持内存补丁技术注入
当一个可执行文件运行时,Windows加载器将可执行模块映射到进程的地址空间中,加载器分析可执行模块的输入表,并设法找出任何需要的DLL,并将它们映射到进程的地址空间中。由于输入表中只包含DLL名而没有它的路径名,因此加载程序必须在磁盘上搜索DLL文件。首先会尝试从当前程序所在的目录加载DLL,如果没找到,则在Windows系统目录查找,最后是在环境变量中列出的各个目录下查找。利用这个特点,先伪造一个系统同名的DLL,提供同样的输出表,每个输出函数转向真正的系统DLL。程序调用系统DLL时会先调用当前目录下伪造的DLL,完成相关功能后,再跳到系统DLL同名函数里执行。这个过程用个形象的词来描述就是系统DLL被劫持
(hijack)了。
示例DELPHI源码:
Library
USP10;
uses
Windows,
SysUtils,
Classes;
{$R *.res}
ModHandle:
Cardinal
;
POldLpkPresent:
Pointer
;
POldScriptApplyDigitSubstitution:
Pointer
;
POldScriptApplyLogicalWidth:
Pointer
;
POldScriptBreak:
Pointer
;
POldScriptCPtoX:
Pointer
;
POldScriptCacheGetHeight:
Pointer
;
POldScriptFreeCache:
Pointer
;
POldScriptGetCMap:
Pointer
;
POldScriptGetFontProperties:
Pointer
;
POldScriptGetGlyphABCWidth:
Pointer
;
POldScriptGetLogicalWidths:
Pointer
;
POldScriptGetProperties:
Pointer
;
POldScriptIsComplex:
Pointer
;
POldScriptItemize:
Pointer
;
POldScriptJustify:
Pointer
;
POldScriptLayout:
Pointer
;
POldScriptPlace:
Pointer
;
POldScriptRecordDigitSubstitution:
Pointer
;
POldScriptShape:
Pointer
;
POldScriptStringAnalyse:
Pointer
;
POldScriptStringCPtoX:
Pointer
;
POldScriptStringFree:
Pointer
;
POldScriptStringGetLogicalWidths:
Pointer
;
POldScriptStringGetOrder:
Pointer
;
POldScriptStringOut:
Pointer
;
POldScriptStringValidate:
Pointer
;
POldScriptStringXtoCP:
Pointer
;
POldScriptString_pLogAttr:
Pointer
;
POldScriptString_pSize:
Pointer
;
POldScriptString_pcOutChars:
Pointer
;
POldScriptTextOut:
Pointer
;
POldScriptXtoCP:
Pointer
;
POldUspAllocCache:
Pointer
;
POldUspAllocTemp:
Pointer
;
POldUspFreeMem:
Pointer
;
procedure
LpkPresent;
asm
jmp POldLpkPresent
end
;
procedure
ScriptApplyDigitSubstitution;
asm
jmp POldScriptApplyDigitSubstitution
end
;
procedure
ScriptApplyLogicalWidth;
asm
jmp POldScriptApplyLogicalWidth
end
;
procedure
ScriptBreak;
asm
jmp POldScriptBreak
end
;
procedure
ScriptCPtoX;
asm
jmp POldScriptCPtoX
end
;
procedure
ScriptCacheGetHeight;
asm
jmp POldScriptCacheGetHeight
end
;
procedure
ScriptFreeCache;
asm
jmp POldScriptFreeCache
end
;
procedure
ScriptGetCMap;
asm
jmp POldScriptGetCMap
end
;
procedure
ScriptGetFontProperties;
asm
jmp POldScriptGetFontProperties
end
;
procedure
ScriptGetGlyphABCWidth;
asm
jmp POldScriptGetGlyphABCWidth
end
;
procedure
ScriptGetLogicalWidths;
asm
jmp POldScriptGetLogicalWidths
end
;
procedure
ScriptGetProperties;
asm
jmp POldScriptGetProperties
end
;
procedure
ScriptIsComplex;
asm
jmp POldScriptIsComplex
end
;
procedure
ScriptItemize;
asm
jmp POldScriptItemize
end
;
procedure
ScriptJustify;
asm
jmp POldScriptJustify
end
;
procedure
ScriptLayout;
asm
jmp POldScriptLayout
end
;
procedure
ScriptPlace;
asm
jmp POldScriptPlace
end
;
procedure
ScriptRecordDigitSubstitution;
asm
jmp POldScriptRecordDigitSubstitution
end
;
procedure
ScriptShape;
asm
jmp POldScriptShape
end
;
procedure
ScriptStringAnalyse;
asm
jmp POldScriptStringAnalyse
end
;
procedure
ScriptStringCPtoX;
asm
jmp POldScriptStringCPtoX
end
;
procedure
ScriptStringFree;
asm
jmp POldScriptStringFree
end
;
procedure
ScriptStringGetLogicalWidths;
asm
jmp POldScriptStringGetLogicalWidths
end
;
procedure
ScriptStringGetOrder;
asm
jmp POldScriptStringGetOrder
end
;
procedure
ScriptStringOut;
asm
jmp POldScriptStringOut
end
;
procedure
ScriptStringValidate;
asm
jmp POldScriptStringValidate
end
;
procedure
ScriptStringXtoCP;
asm
jmp POldScriptStringXtoCP
end
;
procedure
ScriptString_pLogAttr;
asm
jmp POldScriptString_pLogAttr
end
;
procedure
ScriptString_pSize;
asm
jmp POldScriptString_pSize
end
;
procedure
ScriptString_pcOutChars;
asm
jmp POldScriptString_pcOutChars
end
;
procedure
ScriptTextOut;
asm
jmp POldScriptTextOut
end
;
procedure
ScriptXtoCP;
asm
jmp POldScriptXtoCP
end
;
procedure
UspAllocCache;
asm
jmp POldUspAllocCache
end
;
procedure
UspAllocTemp;
asm
jmp POldUspAllocTemp
end
;
procedure
UspFreeMem;
asm
jmp POldUspFreeMem
end
;
exports
LpkPresent,
ScriptApplyDigitSubstitution,
ScriptApplyLogicalWidth,
ScriptBreak,
ScriptCPtoX,
ScriptCacheGetHeight,
ScriptFreeCache,
ScriptGetCMap,
ScriptGetFontProperties,
ScriptGetGlyphABCWidth,
ScriptGetLogicalWidths,
ScriptGetProperties,
ScriptIsComplex,
ScriptItemize,
ScriptJustify,
ScriptLayout,
ScriptPlace,
ScriptRecordDigitSubstitution,
ScriptShape,
ScriptStringAnalyse,
ScriptStringCPtoX,
ScriptStringFree,
ScriptStringGetLogicalWidths,
ScriptStringGetOrder,
ScriptStringOut,
ScriptStringValidate,
ScriptStringXtoCP,
ScriptString_pLogAttr,
ScriptString_pSize,
ScriptString_pcOutChars,
ScriptTextOut,
ScriptXtoCP,
UspAllocCache,
UspAllocTemp,
UspFreeMem;
begin
ModHandle:= LoadLibrary(
'C:\WINDOWS\system32\usp10.dll'
);
if
ModHandle >
0
then
begin
POldLpkPresent:= GetProcAddress(ModHandle,
'LpkPresent'
);
POldScriptApplyDigitSubstitution:= GetProcAddress(ModHandle,
'ScriptApplyDigitSubstitution'
);
POldScriptApplyLogicalWidth:= GetProcAddress(ModHandle,
'ScriptApplyLogicalWidth'
);
POldScriptBreak:= GetProcAddress(ModHandle,
'ScriptBreak'
);
POldScriptCPtoX:= GetProcAddress(ModHandle,
'ScriptCPtoX'
);
POldScriptCacheGetHeight:= GetProcAddress(ModHandle,
'ScriptCacheGetHeight'
);
POldScriptFreeCache:= GetProcAddress(ModHandle,
'ScriptFreeCache'
);
POldScriptGetCMap:= GetProcAddress(ModHandle,
'ScriptGetCMap'
);
POldScriptGetFontProperties:= GetProcAddress(ModHandle,
'ScriptGetFontProperties'
);
POldScriptGetGlyphABCWidth:= GetProcAddress(ModHandle,
'ScriptGetGlyphABCWidth'
);
POldScriptGetLogicalWidths:= GetProcAddress(ModHandle,
'ScriptGetLogicalWidths'
);
POldScriptGetProperties:= GetProcAddress(ModHandle,
'ScriptGetProperties'
);
POldScriptIsComplex:= GetProcAddress(ModHandle,
'ScriptIsComplex'
);
POldScriptItemize:= GetProcAddress(ModHandle,
'ScriptItemize'
);
POldScriptJustify:= GetProcAddress(ModHandle,
'ScriptJustify'
);
POldScriptLayout:= GetProcAddress(ModHandle,
'ScriptLayout'
);
POldScriptPlace:= GetProcAddress(ModHandle,
'ScriptPlace'
);
POldScriptRecordDigitSubstitution:= GetProcAddress(ModHandle,
'ScriptRecordDigitSubstitution'
);
POldScriptShape:= GetProcAddress(ModHandle,
'ScriptShape'
);
POldScriptStringAnalyse:= GetProcAddress(ModHandle,
'ScriptStringAnalyse'
);
POldScriptStringCPtoX:= GetProcAddress(ModHandle,
'ScriptStringCPtoX'
);
POldScriptStringFree:= GetProcAddress(ModHandle,
'ScriptStringFree'
);
POldScriptStringGetLogicalWidths:= GetProcAddress(ModHandle,
'ScriptStringGetLogicalWidths'
);
POldScriptStringGetOrder:= GetProcAddress(ModHandle,
'ScriptStringGetOrder'
);
POldScriptStringOut:= GetProcAddress(ModHandle,
'ScriptStringOut'
);
POldScriptStringValidate:= GetProcAddress(ModHandle,
'ScriptStringValidate'
);
POldScriptStringXtoCP:= GetProcAddress(ModHandle,
'ScriptStringXtoCP'
);
POldScriptString_pLogAttr:= GetProcAddress(ModHandle,
'ScriptString_pLogAttr'
);
POldScriptString_pSize:= GetProcAddress(ModHandle,
'ScriptString_pSize'
);
POldScriptString_pcOutChars:= GetProcAddress(ModHandle,
'ScriptString_pcOutChars'
);
POldScriptTextOut:= GetProcAddress(ModHandle,
'ScriptTextOut'
);
POldScriptXtoCP:= GetProcAddress(ModHandle,
'ScriptXtoCP'
);
POldUspAllocCache:= GetProcAddress(ModHandle,
'UspAllocCache'
);
POldUspAllocTemp:= GetProcAddress(ModHandle,
'UspAllocTemp'
);
POldUspFreeMem:= GetProcAddress(ModHandle,
'UspFreeMem'
);
end
;
begin
//添加自己的补丁内容!
end
;
end
.