4

阅读这篇有趣的文章后:http: //www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically

我决定尝试创建一个代理 dll 用于纯粹的研究目的。:-)

我做了所有的步骤ws2_32.dll,这是我得到的代码:

#include <windows.h>
#include <stdio.h>
#pragma pack(1)

HINSTANCE hLThis = 0;
HINSTANCE hL = 0;
FARPROC p[182] = {0};

BOOL WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID)
{
    //to get indication whether we were loaded  
    FILE* f;
    fopen_s(&f, "C:\\load.txt", "a+");
    fclose(f);

    if (reason == DLL_PROCESS_ATTACH)
    {
        hLThis = hInst;
        hL = LoadLibrary("ws2_32_.dll");
        if (!hL) return false;

        p[0] = GetProcAddress(hL,"FreeAddrInfoEx");
        p[1] = GetProcAddress(hL,"FreeAddrInfoExW");
        p[2] = GetProcAddress(hL,"FreeAddrInfoW");
        p[3] = GetProcAddress(hL,"GetAddrInfoExA");
        p[4] = GetProcAddress(hL,"GetAddrInfoExW");
        p[5] = GetProcAddress(hL,"GetAddrInfoW");
        p[6] = GetProcAddress(hL,"GetNameInfoW");
        p[7] = GetProcAddress(hL,"InetNtopW");
        p[8] = GetProcAddress(hL,"InetPtonW");
        p[9] = GetProcAddress(hL,"SetAddrInfoExA");
        p[10] = GetProcAddress(hL,"SetAddrInfoExW");
        p[11] = GetProcAddress(hL,"WEP");
        p[12] = GetProcAddress(hL,"WPUCompleteOverlappedRequest");
        p[13] = GetProcAddress(hL,"WSAAccept");
        p[14] = GetProcAddress(hL,"WSAAddressToStringA");
        p[15] = GetProcAddress(hL,"WSAAddressToStringW");
        p[16] = GetProcAddress(hL,"WSAAdvertiseProvider");
        p[17] = GetProcAddress(hL,"WSAAsyncGetHostByAddr");
        p[18] = GetProcAddress(hL,"WSAAsyncGetHostByName");
        p[19] = GetProcAddress(hL,"WSAAsyncGetProtoByName");
        p[20] = GetProcAddress(hL,"WSAAsyncGetProtoByNumber");
        p[21] = GetProcAddress(hL,"WSAAsyncGetServByName");
        p[22] = GetProcAddress(hL,"WSAAsyncGetServByPort");
        p[23] = GetProcAddress(hL,"WSAAsyncSelect");
        p[24] = GetProcAddress(hL,"WSACancelAsyncRequest");
        p[25] = GetProcAddress(hL,"WSACancelBlockingCall");
        p[26] = GetProcAddress(hL,"WSACleanup");
        p[27] = GetProcAddress(hL,"WSACloseEvent");
        p[28] = GetProcAddress(hL,"WSAConnect");
        p[29] = GetProcAddress(hL,"WSAConnectByList");
        p[30] = GetProcAddress(hL,"WSAConnectByNameA");
        p[31] = GetProcAddress(hL,"WSAConnectByNameW");
        p[32] = GetProcAddress(hL,"WSACreateEvent");
        p[33] = GetProcAddress(hL,"WSADuplicateSocketA");
        p[34] = GetProcAddress(hL,"WSADuplicateSocketW");
        p[35] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersA");
        p[36] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersExA");
        p[37] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersExW");
        p[38] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersW");
        p[39] = GetProcAddress(hL,"WSAEnumNetworkEvents");
        p[40] = GetProcAddress(hL,"WSAEnumProtocolsA");
        p[41] = GetProcAddress(hL,"WSAEnumProtocolsW");
        p[42] = GetProcAddress(hL,"WSAEventSelect");
        p[43] = GetProcAddress(hL,"WSAGetLastError");
        p[44] = GetProcAddress(hL,"WSAGetOverlappedResult");
        p[45] = GetProcAddress(hL,"WSAGetQOSByName");
        p[46] = GetProcAddress(hL,"WSAGetServiceClassInfoA");
        p[47] = GetProcAddress(hL,"WSAGetServiceClassInfoW");
        p[48] = GetProcAddress(hL,"WSAGetServiceClassNameByClassIdA");
        p[49] = GetProcAddress(hL,"WSAGetServiceClassNameByClassIdW");
        p[50] = GetProcAddress(hL,"WSAHtonl");
        p[51] = GetProcAddress(hL,"WSAHtons");
        p[52] = GetProcAddress(hL,"WSAInstallServiceClassA");
        p[53] = GetProcAddress(hL,"WSAInstallServiceClassW");
        p[54] = GetProcAddress(hL,"WSAIoctl");
        p[55] = GetProcAddress(hL,"WSAIsBlocking");
        p[56] = GetProcAddress(hL,"WSAJoinLeaf");
        p[57] = GetProcAddress(hL,"WSALookupServiceBeginA");
        p[58] = GetProcAddress(hL,"WSALookupServiceBeginW");
        p[59] = GetProcAddress(hL,"WSALookupServiceEnd");
        p[60] = GetProcAddress(hL,"WSALookupServiceNextA");
        p[61] = GetProcAddress(hL,"WSALookupServiceNextW");
        p[62] = GetProcAddress(hL,"WSANSPIoctl");
        p[63] = GetProcAddress(hL,"WSANtohl");
        p[64] = GetProcAddress(hL,"WSANtohs");
        p[65] = GetProcAddress(hL,"WSAPoll");
        p[66] = GetProcAddress(hL,"WSAProviderCompleteAsyncCall");
        p[67] = GetProcAddress(hL,"WSAProviderConfigChange");
        p[68] = GetProcAddress(hL,"WSARecv");
        p[69] = GetProcAddress(hL,"WSARecvDisconnect");
        p[70] = GetProcAddress(hL,"WSARecvFrom");
        p[71] = GetProcAddress(hL,"WSARemoveServiceClass");
        p[72] = GetProcAddress(hL,"WSAResetEvent");
        p[73] = GetProcAddress(hL,"WSASend");
        p[74] = GetProcAddress(hL,"WSASendDisconnect");
        p[75] = GetProcAddress(hL,"WSASendMsg");
        p[76] = GetProcAddress(hL,"WSASendTo");
        p[77] = GetProcAddress(hL,"WSASetBlockingHook");
        p[78] = GetProcAddress(hL,"WSASetEvent");
        p[79] = GetProcAddress(hL,"WSASetLastError");
        p[80] = GetProcAddress(hL,"WSASetServiceA");
        p[81] = GetProcAddress(hL,"WSASetServiceW");
        p[82] = GetProcAddress(hL,"WSASocketA");
        p[83] = GetProcAddress(hL,"WSASocketW");
        p[84] = GetProcAddress(hL,"WSAStartup");
        p[85] = GetProcAddress(hL,"WSAStringToAddressA");
        p[86] = GetProcAddress(hL,"WSAStringToAddressW");
        p[87] = GetProcAddress(hL,"WSAUnadvertiseProvider");
        p[88] = GetProcAddress(hL,"WSAUnhookBlockingHook");
        p[89] = GetProcAddress(hL,"WSAWaitForMultipleEvents");
        p[90] = GetProcAddress(hL,"WSApSetPostRoutine");
        p[91] = GetProcAddress(hL,"WSCDeinstallProvider");
        p[92] = GetProcAddress(hL,"WSCDeinstallProvider32");
        p[93] = GetProcAddress(hL,"WSCEnableNSProvider");
        p[94] = GetProcAddress(hL,"WSCEnableNSProvider32");
        p[95] = GetProcAddress(hL,"WSCEnumNameSpaceProviders32");
        p[96] = GetProcAddress(hL,"WSCEnumNameSpaceProvidersEx32");
        p[97] = GetProcAddress(hL,"WSCEnumProtocols");
        p[98] = GetProcAddress(hL,"WSCEnumProtocols32");
        p[99] = GetProcAddress(hL,"WSCGetApplicationCategory");
        p[100] = GetProcAddress(hL,"WSCGetProviderInfo");
        p[101] = GetProcAddress(hL,"WSCGetProviderInfo32");
        p[102] = GetProcAddress(hL,"WSCGetProviderPath");
        p[103] = GetProcAddress(hL,"WSCGetProviderPath32");
        p[104] = GetProcAddress(hL,"WSCInstallNameSpace");
        p[105] = GetProcAddress(hL,"WSCInstallNameSpace32");
        p[106] = GetProcAddress(hL,"WSCInstallNameSpaceEx");
        p[107] = GetProcAddress(hL,"WSCInstallNameSpaceEx32");
        p[108] = GetProcAddress(hL,"WSCInstallProvider");
        p[109] = GetProcAddress(hL,"WSCInstallProvider64_32");
        p[110] = GetProcAddress(hL,"WSCInstallProviderAndChains64_32");
        p[111] = GetProcAddress(hL,"WSCSetApplicationCategory");
        p[112] = GetProcAddress(hL,"WSCSetProviderInfo");
        p[113] = GetProcAddress(hL,"WSCSetProviderInfo32");
        p[114] = GetProcAddress(hL,"WSCUnInstallNameSpace");
        p[115] = GetProcAddress(hL,"WSCUnInstallNameSpace32");
        p[116] = GetProcAddress(hL,"WSCUpdateProvider");
        p[117] = GetProcAddress(hL,"WSCUpdateProvider32");
        p[118] = GetProcAddress(hL,"WSCWriteNameSpaceOrder");
        p[119] = GetProcAddress(hL,"WSCWriteNameSpaceOrder32");
        p[120] = GetProcAddress(hL,"WSCWriteProviderOrder");
        p[121] = GetProcAddress(hL,"WSCWriteProviderOrder32");
        p[122] = GetProcAddress(hL,"WahCloseApcHelper");
        p[123] = GetProcAddress(hL,"WahCloseHandleHelper");
        p[124] = GetProcAddress(hL,"WahCloseNotificationHandleHelper");
        p[125] = GetProcAddress(hL,"WahCloseSocketHandle");
        p[126] = GetProcAddress(hL,"WahCloseThread");
        p[127] = GetProcAddress(hL,"WahCompleteRequest");
        p[128] = GetProcAddress(hL,"WahCreateHandleContextTable");
        p[129] = GetProcAddress(hL,"WahCreateNotificationHandle");
        p[130] = GetProcAddress(hL,"WahCreateSocketHandle");
        p[131] = GetProcAddress(hL,"WahDestroyHandleContextTable");
        p[132] = GetProcAddress(hL,"WahDisableNonIFSHandleSupport");
        p[133] = GetProcAddress(hL,"WahEnableNonIFSHandleSupport");
        p[134] = GetProcAddress(hL,"WahEnumerateHandleContexts");
        p[135] = GetProcAddress(hL,"WahInsertHandleContext");
        p[136] = GetProcAddress(hL,"WahNotifyAllProcesses");
        p[137] = GetProcAddress(hL,"WahOpenApcHelper");
        p[138] = GetProcAddress(hL,"WahOpenCurrentThread");
        p[139] = GetProcAddress(hL,"WahOpenHandleHelper");
        p[140] = GetProcAddress(hL,"WahOpenNotificationHandleHelper");
        p[141] = GetProcAddress(hL,"WahQueueUserApc");
        p[142] = GetProcAddress(hL,"WahReferenceContextByHandle");
        p[143] = GetProcAddress(hL,"WahRemoveHandleContext");
        p[144] = GetProcAddress(hL,"WahWaitForNotification");
        p[145] = GetProcAddress(hL,"WahWriteLSPEvent");
        p[146] = GetProcAddress(hL,"__WSAFDIsSet");
        p[147] = GetProcAddress(hL,"accept");
        p[148] = GetProcAddress(hL,"bind");
        p[149] = GetProcAddress(hL,"closesocket");
        p[150] = GetProcAddress(hL,"connect");
        p[151] = GetProcAddress(hL,"freeaddrinfo");
        p[152] = GetProcAddress(hL,"getaddrinfo");
        p[153] = GetProcAddress(hL,"gethostbyaddr");
        p[154] = GetProcAddress(hL,"gethostbyname");
        p[155] = GetProcAddress(hL,"gethostname");
        p[156] = GetProcAddress(hL,"getnameinfo");
        p[157] = GetProcAddress(hL,"getpeername");
        p[158] = GetProcAddress(hL,"getprotobyname");
        p[159] = GetProcAddress(hL,"getprotobynumber");
        p[160] = GetProcAddress(hL,"getservbyname");
        p[161] = GetProcAddress(hL,"getservbyport");
        p[162] = GetProcAddress(hL,"getsockname");
        p[163] = GetProcAddress(hL,"getsockopt");
        p[164] = GetProcAddress(hL,"htonl");
        p[165] = GetProcAddress(hL,"htons");
        p[166] = GetProcAddress(hL,"inet_addr");
        p[167] = GetProcAddress(hL,"inet_ntoa");
        p[168] = GetProcAddress(hL,"inet_ntop");
        p[169] = GetProcAddress(hL,"inet_pton");
        p[170] = GetProcAddress(hL,"ioctlsocket");
        p[171] = GetProcAddress(hL,"listen");
        p[172] = GetProcAddress(hL,"ntohl");
        p[173] = GetProcAddress(hL,"ntohs");
        p[174] = GetProcAddress(hL,"recv");
        p[175] = GetProcAddress(hL,"recvfrom");
        p[176] = GetProcAddress(hL,"select");
        p[177] = GetProcAddress(hL,"send");
        p[178] = GetProcAddress(hL,"sendto");
        p[179] = GetProcAddress(hL,"setsockopt");
        p[180] = GetProcAddress(hL,"shutdown");
        p[181] = GetProcAddress(hL,"socket");
    }
    if (reason == DLL_PROCESS_DETACH)
    {
        FreeLibrary(hL);
    }

    return 1;
}

// FreeAddrInfoEx
extern "C" __declspec(naked) void __stdcall __E__0__()
{
    __asm
    {
        jmp p[0*4];
    }
}

// FreeAddrInfoExW
extern "C" __declspec(naked) void __stdcall __E__1__()
{
    __asm
    {
        jmp p[1*4];
    }
}

// FreeAddrInfoW
extern "C" __declspec(naked) void __stdcall __E__2__()
{
    __asm
    {
        jmp p[2*4];
    }
}

// GetAddrInfoExA
extern "C" __declspec(naked) void __stdcall __E__3__()
{
    __asm
    {
        jmp p[3*4];
    }
}

// GetAddrInfoExW
extern "C" __declspec(naked) void __stdcall __E__4__()
{
    __asm
    {
        jmp p[4*4];
    }
}
...

我已经编译了它(使用.def文件)并得到了一个新proxy.dll文件。:-)

到目前为止,一切都很好。现在,在我的 VBox win7 x64 上,我已将原始文件重命名ws2_32.dllws2_32_.dll,放入proxy.dll其中C:\\Windows\\System32\\并将其重命名为ws2_32.dll. 由于 premmisions 问题,我使用 live-cd linux 完成了所有这些工作。

正如您所看到的代理负载ws2_32_.dll,所以我们应该没问题。但是当系统从引导返回时,每个程序使用都会ws2_32.dll引发错误,并且C:\\load.txt永远不会创建文件。

我不知道文章中的那个人做了什么让它起作用。我在谷歌上读到,您需要将其放置(并重命名)与proxy.dll您要运行代理 dll 的程序相同的目录中,但我正在寻找一个全局解决方案。

也许这是一个校验和问题?我读到微软在它的系统 PE 上使用了一些秘密校验和。

谢谢,gfgqtmakia。

4

1 回答 1

1

移动到 32 位,现在它正在工作。

还:

  • 检查您的代理的依赖关系,它可能需要额外.dll的 s 才能运行。(依赖步行者
  • 使用本指南更换系统的.dll. 这比重新启动到 linux 更快。
于 2012-11-26T14:10:49.283 回答