0

我正在使用高级代码注入代码在远程进程上启动 .dll。例如,您可以从这里找到它的工作原理/代码片段:

https://sourceforge.net/p/diagnostic/svn/HEAD/tree/src/RemoteInit.cpp

我注意到对于某些应用程序,这种方法不起作用 - 它会使主机应用程序崩溃。主要问题似乎是特殊的第 3 方软件,例如通过提供自己的钩子函数ConEmuHk64.dll进行拦截kernel32.dll GetProcAddress- 之后我得到这样的函数指针:

*((FARPROC*) &info.pfuncGetProcAddress) = GetProcAddress(hKernel32, "GetProcAddress");

但相反,我得到了指向位于 ConEmuHk64.dll 中的函数的指针。

在我自己的进程中调用该函数是可以接受的,但是当尝试在远程进程中执行相同操作时 - 它会崩溃,因为ConEmuHk64.dll那里不一定可用。

我已经弄清楚了如何通过手动进入 DOS/NE 其他标头来自动探测该函数的正确地址的机制 - 这是代码片段:

//
//  We use GetProcAddress as a base function, with exception to when GetProcAddress itself is hooked by 3-rd party 
//  software and pointer to function returned to us is incorrect - then we try to locate function manually by
//  ourselfes.
//
FARPROC GetProcAddress2( HMODULE hDll, char* funcName )
{
    FARPROC p = GetProcAddress( hDll, funcName );

    if( !p )
        return NULL;

    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER *) hDll;

    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return p;

    IMAGE_NT_HEADERS* pNtHeaders = (IMAGE_NT_HEADERS *) (((char*) pDosHeader) + pDosHeader->e_lfanew);

    if ( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return p;

    IMAGE_OPTIONAL_HEADER* pOptionalHeader = &pNtHeaders->OptionalHeader;

    if( (char*) p >= (char*)hDll && (char*) p <= ((char*)hDll) + pOptionalHeader->SizeOfCode )
        // Sounds like valid address.
        return p;

    // Does not sounds right, may be someone hooked given function ? (ConEmuHk64.dll or ConEmuHk.dll)
    IMAGE_DATA_DIRECTORY* pDataDirectory = &pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    IMAGE_EXPORT_DIRECTORY* pExp = (IMAGE_EXPORT_DIRECTORY *) ((size_t) pDosHeader + pDataDirectory->VirtualAddress);

    ULONG* addrofnames = (ULONG *) ((BYTE*) hDll + pExp->AddressOfNames);
    ULONG* funcaddr = (ULONG*) ((BYTE*) hDll + pExp->AddressOfFunctions);

    for ( DWORD i = 0; i < pExp->NumberOfNames; i++ )
    {
        char* funcname = (char*) ((BYTE*) hDll + addrofnames[i]);

        if ( strcmp( funcname, funcName ) == 0 )
        {
            void* p2 = (void*) ((BYTE*) hDll + funcaddr[i]);
            return (FARPROC) p2;
        }
    } //for

    return p;
} //GetProcAddress2

这似乎有效GetProcAddress- 我可以检测到钩子函数并覆盖它的行为。但是 - 这种方法不是通用的。我已经为其他方法尝试过类似的函数调用,例如FreeLibrary/AddDllDirectory/RemoveDllDirectory- 并且那些函数指针精确定位到 dll 边界之外 -GetProcAddress在 DOS 标头之前返回地址。

我怀疑按 dll / 代码大小范围进行的比较不正确:

    if( (char*) p >= (char*)hDll && (char*) p <= ((char*)hDll) + pOptionalHeader->SizeOfCode )

但是不知道如何改进公式。

你能推荐我如何完全修复这个问题 - 所以任何 3-rd 方软件都可以拦截任何功能,并且我可以从中幸存而不会崩溃?

4

1 回答 1

1

如果使用“导出的函数转发”,函数指针解析是不正确的(可以通过该术语搜索)。

一个正确的函数解析可以这样写:(你在上面看到的是一些来自某个论坛的复制粘贴函数)。

//
//  We use GetProcAddress as a base function, with exception to when GetProcAddress itself is hooked by 3-rd party 
//  software and pointer to function returned to us is incorrect - then we try to locate function manually by
//  ourselfes.
//
FARPROC GetProcAddress2( HMODULE hDll, char* funcName )
{
    FARPROC p = GetProcAddress( hDll, funcName );

    if( !p )
        return NULL;

    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER *) hDll;

    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return p;

    IMAGE_NT_HEADERS* pNtHeaders = (IMAGE_NT_HEADERS *) (((char*) pDosHeader) + pDosHeader->e_lfanew);

    if ( pNtHeaders->Signature != IMAGE_NT_SIGNATURE )
        return p;

    IMAGE_OPTIONAL_HEADER* pOptionalHeader = &pNtHeaders->OptionalHeader;

    if( (char*) p >= (char*)hDll && (char*) p <= ((char*)hDll) + pOptionalHeader->SizeOfCode )
        // Sounds like valid address.
        return p;

    // Does not sounds right, may be someone hooked given function ? (ConEmuHk64.dll or ConEmuHk.dll)
    IMAGE_DATA_DIRECTORY* pDataDirectory = &pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    IMAGE_EXPORT_DIRECTORY* pExp = (IMAGE_EXPORT_DIRECTORY *) ((size_t) pDosHeader + pDataDirectory->VirtualAddress);

    ULONG* addrofnames = (ULONG *) ((BYTE*) hDll + pExp->AddressOfNames);
    ULONG* funcaddr = (ULONG*) ((BYTE*) hDll + pExp->AddressOfFunctions);

    for ( DWORD i = 0; i < pExp->NumberOfNames; i++ )
    {
        char* funcname = (char*) ((BYTE*) hDll + addrofnames[i]);

        if ( strcmp( funcname, funcName ) == 0 )
        {
            ULONG addressOfFunction = funcaddr[i];
            void* p2 = (void*) ((BYTE*) hDll + addressOfFunction);

            if( addressOfFunction >= pDataDirectory->VirtualAddress && addressOfFunction < pDataDirectory->VirtualAddress + pDataDirectory->Size )
            {
                // "Exported function forward" - address of function can be found in another module.
                // Actually for example AddDllDirectory is truly located in KernelBase.dll (alias api-ms-win-core-libraryloader-l1-1-0.dll ?)
                char* dll_func = (char*) p2;
                char* pdot = strchr(dll_func, '.');
                if( !pdot ) pdot = dll_func + strlen( dll_func );
                CStringA dllName(dll_func, (int)(pdot - dll_func));
                dllName += ".dll";

                HMODULE hDll2 = GetModuleHandleA(dllName);
                if( hDll2 == NULL )
                    return p;

                return GetProcAddress2( hDll2, pdot + 1 );
            }

            return (FARPROC) p2;
        }
    } //for

    return p;
} //GetProcAddress2

除此之外,仍然可以将 .dll 加载到不同的地址,但 kernel32.dll 或 kernelbase.dll 不会发生这种情况。

但是,如果 .dll 变基成为问题 - 一种解决方法是使用 EasyHook 方法 - 可以位于此处:

https://github.com/EasyHook/EasyHook/blob/b8b2e37cfe1c269eea7042420bde305eb127c973/EasyHookDll/RemoteHook/thread.c

请参阅函数 GetRemoteFuncAddress。

于 2016-09-24T21:16:39.007 回答