
閱讀這篇有趣的文章後 (http://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically)，我想知道：是否有可能用代理 DLL 替換系統 DLL？

我決定嘗試製作一個純粹用於研究目的的代理 DLL。:-)

我對 ws2_32.dll 執行了文中的所有步驟，這是我得到的代碼：

#include <windows.h> 
#include <stdio.h> 
#pragma pack(1) 

/* Module handle of this proxy DLL, recorded by DllMain; nothing in the
 * visible code reads it back. */
HINSTANCE hLThis = NULL;
/* Module handle of the real, renamed library ("ws2_32_.dll") that DllMain
 * loads on process attach and frees on process detach. */
HINSTANCE hL = NULL;
/* Resolved addresses of the forwarded exports, one slot per export, in the
 * order DllMain fills them; naked stub __E__N__ jumps through p[N]. */
FARPROC p[182] = { NULL };

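/*
 * Names of the exports forwarded to the real library, in the exact order the
 * naked __E__N__ stubs expect: stub N jumps through p[N], so the index of a
 * name here is part of the contract with the stubs (and, presumably, with the
 * .def file the DLL is built with).  The array is dimensioned by p[] itself so
 * it can never hold more entries than p[] has slots.
 */
static const char *const kForwardedExports[sizeof p / sizeof p[0]] = {
    "FreeAddrInfoEx",                   /* 0 */
    "FreeAddrInfoExW",                  /* 1 */
    "FreeAddrInfoW",                    /* 2 */
    "GetAddrInfoExA",                   /* 3 */
    "GetAddrInfoExW",                   /* 4 */
    "GetAddrInfoW",                     /* 5 */
    "GetNameInfoW",                     /* 6 */
    "InetNtopW",                        /* 7 */
    "InetPtonW",                        /* 8 */
    "SetAddrInfoExA",                   /* 9 */
    "SetAddrInfoExW",                   /* 10 */
    "WEP",                              /* 11 */
    "WPUCompleteOverlappedRequest",     /* 12 */
    "WSAAccept",                        /* 13 */
    "WSAAddressToStringA",              /* 14 */
    "WSAAddressToStringW",              /* 15 */
    "WSAAdvertiseProvider",             /* 16 */
    "WSAAsyncGetHostByAddr",            /* 17 */
    "WSAAsyncGetHostByName",            /* 18 */
    "WSAAsyncGetProtoByName",           /* 19 */
    "WSAAsyncGetProtoByNumber",         /* 20 */
    "WSAAsyncGetServByName",            /* 21 */
    "WSAAsyncGetServByPort",            /* 22 */
    "WSAAsyncSelect",                   /* 23 */
    "WSACancelAsyncRequest",            /* 24 */
    "WSACancelBlockingCall",            /* 25 */
    "WSACleanup",                       /* 26 */
    "WSACloseEvent",                    /* 27 */
    "WSAConnect",                       /* 28 */
    "WSAConnectByList",                 /* 29 */
    "WSAConnectByNameA",                /* 30 */
    "WSAConnectByNameW",                /* 31 */
    "WSACreateEvent",                   /* 32 */
    "WSADuplicateSocketA",              /* 33 */
    "WSADuplicateSocketW",              /* 34 */
    "WSAEnumNameSpaceProvidersA",       /* 35 */
    "WSAEnumNameSpaceProvidersExA",     /* 36 */
    "WSAEnumNameSpaceProvidersExW",     /* 37 */
    "WSAEnumNameSpaceProvidersW",       /* 38 */
    "WSAEnumNetworkEvents",             /* 39 */
    "WSAEnumProtocolsA",                /* 40 */
    "WSAEnumProtocolsW",                /* 41 */
    "WSAEventSelect",                   /* 42 */
    "WSAGetLastError",                  /* 43 */
    "WSAGetOverlappedResult",           /* 44 */
    "WSAGetQOSByName",                  /* 45 */
    "WSAGetServiceClassInfoA",          /* 46 */
    "WSAGetServiceClassInfoW",          /* 47 */
    "WSAGetServiceClassNameByClassIdA", /* 48 */
    "WSAGetServiceClassNameByClassIdW", /* 49 */
    "WSAHtonl",                         /* 50 */
    "WSAHtons",                         /* 51 */
    "WSAInstallServiceClassA",          /* 52 */
    "WSAInstallServiceClassW",          /* 53 */
    "WSAIoctl",                         /* 54 */
    "WSAIsBlocking",                    /* 55 */
    "WSAJoinLeaf",                      /* 56 */
    "WSALookupServiceBeginA",           /* 57 */
    "WSALookupServiceBeginW",           /* 58 */
    "WSALookupServiceEnd",              /* 59 */
    "WSALookupServiceNextA",            /* 60 */
    "WSALookupServiceNextW",            /* 61 */
    "WSANSPIoctl",                      /* 62 */
    "WSANtohl",                         /* 63 */
    "WSANtohs",                         /* 64 */
    "WSAPoll",                          /* 65 */
    "WSAProviderCompleteAsyncCall",     /* 66 */
    "WSAProviderConfigChange",          /* 67 */
    "WSARecv",                          /* 68 */
    "WSARecvDisconnect",                /* 69 */
    "WSARecvFrom",                      /* 70 */
    "WSARemoveServiceClass",            /* 71 */
    "WSAResetEvent",                    /* 72 */
    "WSASend",                          /* 73 */
    "WSASendDisconnect",                /* 74 */
    "WSASendMsg",                       /* 75 */
    "WSASendTo",                        /* 76 */
    "WSASetBlockingHook",               /* 77 */
    "WSASetEvent",                      /* 78 */
    "WSASetLastError",                  /* 79 */
    "WSASetServiceA",                   /* 80 */
    "WSASetServiceW",                   /* 81 */
    "WSASocketA",                       /* 82 */
    "WSASocketW",                       /* 83 */
    "WSAStartup",                       /* 84 */
    "WSAStringToAddressA",              /* 85 */
    "WSAStringToAddressW",              /* 86 */
    "WSAUnadvertiseProvider",           /* 87 */
    "WSAUnhookBlockingHook",            /* 88 */
    "WSAWaitForMultipleEvents",         /* 89 */
    "WSApSetPostRoutine",               /* 90 */
    "WSCDeinstallProvider",             /* 91 */
    "WSCDeinstallProvider32",           /* 92 */
    "WSCEnableNSProvider",              /* 93 */
    "WSCEnableNSProvider32",            /* 94 */
    "WSCEnumNameSpaceProviders32",      /* 95 */
    "WSCEnumNameSpaceProvidersEx32",    /* 96 */
    "WSCEnumProtocols",                 /* 97 */
    "WSCEnumProtocols32",               /* 98 */
    "WSCGetApplicationCategory",        /* 99 */
    "WSCGetProviderInfo",               /* 100 */
    "WSCGetProviderInfo32",             /* 101 */
    "WSCGetProviderPath",               /* 102 */
    "WSCGetProviderPath32",             /* 103 */
    "WSCInstallNameSpace",              /* 104 */
    "WSCInstallNameSpace32",            /* 105 */
    "WSCInstallNameSpaceEx",            /* 106 */
    "WSCInstallNameSpaceEx32",          /* 107 */
    "WSCInstallProvider",               /* 108 */
    "WSCInstallProvider64_32",          /* 109 */
    "WSCInstallProviderAndChains64_32", /* 110 */
    "WSCSetApplicationCategory",        /* 111 */
    "WSCSetProviderInfo",               /* 112 */
    "WSCSetProviderInfo32",             /* 113 */
    "WSCUnInstallNameSpace",            /* 114 */
    "WSCUnInstallNameSpace32",          /* 115 */
    "WSCUpdateProvider",                /* 116 */
    "WSCUpdateProvider32",              /* 117 */
    "WSCWriteNameSpaceOrder",           /* 118 */
    "WSCWriteNameSpaceOrder32",         /* 119 */
    "WSCWriteProviderOrder",            /* 120 */
    "WSCWriteProviderOrder32",          /* 121 */
    "WahCloseApcHelper",                /* 122 */
    "WahCloseHandleHelper",             /* 123 */
    "WahCloseNotificationHandleHelper", /* 124 */
    "WahCloseSocketHandle",             /* 125 */
    "WahCloseThread",                   /* 126 */
    "WahCompleteRequest",               /* 127 */
    "WahCreateHandleContextTable",      /* 128 */
    "WahCreateNotificationHandle",      /* 129 */
    "WahCreateSocketHandle",            /* 130 */
    "WahDestroyHandleContextTable",     /* 131 */
    "WahDisableNonIFSHandleSupport",    /* 132 */
    "WahEnableNonIFSHandleSupport",     /* 133 */
    "WahEnumerateHandleContexts",       /* 134 */
    "WahInsertHandleContext",           /* 135 */
    "WahNotifyAllProcesses",            /* 136 */
    "WahOpenApcHelper",                 /* 137 */
    "WahOpenCurrentThread",             /* 138 */
    "WahOpenHandleHelper",              /* 139 */
    "WahOpenNotificationHandleHelper",  /* 140 */
    "WahQueueUserApc",                  /* 141 */
    "WahReferenceContextByHandle",      /* 142 */
    "WahRemoveHandleContext",           /* 143 */
    "WahWaitForNotification",           /* 144 */
    "WahWriteLSPEvent",                 /* 145 */
    "__WSAFDIsSet",                     /* 146 */
    "accept",                           /* 147 */
    "bind",                             /* 148 */
    "closesocket",                      /* 149 */
    "connect",                          /* 150 */
    "freeaddrinfo",                     /* 151 */
    "getaddrinfo",                      /* 152 */
    "gethostbyaddr",                    /* 153 */
    "gethostbyname",                    /* 154 */
    "gethostname",                      /* 155 */
    "getnameinfo",                      /* 156 */
    "getpeername",                      /* 157 */
    "getprotobyname",                   /* 158 */
    "getprotobynumber",                 /* 159 */
    "getservbyname",                    /* 160 */
    "getservbyport",                    /* 161 */
    "getsockname",                      /* 162 */
    "getsockopt",                       /* 163 */
    "htonl",                            /* 164 */
    "htons",                            /* 165 */
    "inet_addr",                        /* 166 */
    "inet_ntoa",                        /* 167 */
    "inet_ntop",                        /* 168 */
    "inet_pton",                        /* 169 */
    "ioctlsocket",                      /* 170 */
    "listen",                           /* 171 */
    "ntohl",                            /* 172 */
    "ntohs",                            /* 173 */
    "recv",                             /* 174 */
    "recvfrom",                         /* 175 */
    "select",                           /* 176 */
    "send",                             /* 177 */
    "sendto",                           /* 178 */
    "setsockopt",                       /* 179 */
    "shutdown",                         /* 180 */
    "socket",                           /* 181 */
};

/*
 * Resolve every name in kForwardedExports from the real library (hL) into the
 * matching slot of p[].  A name the real library does not export leaves its
 * slot NULL, exactly as the hand-written GetProcAddress sequence did; the
 * corresponding stub would then jump through a NULL slot, so a missing export
 * is worth checking for when the proxy misbehaves.
 */
static void resolve_exports(void)
{
    for (size_t i = 0; i < sizeof p / sizeof p[0]; i++)
    {
        /* A slot past the end of the name list (table shorter than p[])
         * stays NULL rather than passing a NULL name to GetProcAddress. */
        p[i] = (kForwardedExports[i] != NULL)
                   ? GetProcAddress(hL, kForwardedExports[i])
                   : NULL;
    }
}

/*
 * Entry point of the proxy DLL.
 *
 * reason == DLL_PROCESS_ATTACH: remember our own module handle, load the
 * real (renamed) library and fill p[] with its export addresses.
 * reason == DLL_PROCESS_DETACH: release the real library.
 * Thread attach/detach notifications only touch the marker file.
 *
 * Parameters: hInst    - module handle of this DLL (kept in hLThis).
 *             reason   - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH /
 *                        DLL_THREAD_* notification.
 *             reserved - unused.
 * Returns TRUE, or FALSE from DLL_PROCESS_ATTACH when the real library cannot
 * be loaded, which makes the loader fail the load of this DLL.
 *
 * Fix over the original: fopen_s() was never checked and fclose() ran on the
 * NULL handle it leaves behind on failure, so any process that could not
 * write C:\load.txt (permissions, read-only volume) would crash inside this
 * DllMain instead of merely skipping the marker.
 *
 * NOTE(review): both the file I/O and LoadLibrary here run inside DllMain,
 * i.e. under the loader lock, which Microsoft's DllMain guidance advises
 * against; it is kept because the author relies on the marker as the
 * "were we loaded" signal.
 */
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    (void)reserved;

    /* Load indicator: append-open the marker file and close it again.  Only
     * close a handle that fopen_s() actually returned. */
    FILE *marker = NULL;
    if (fopen_s(&marker, "C:\\load.txt", "a+") == 0 && marker != NULL)
    {
        fclose(marker);
    }

    if (reason == DLL_PROCESS_ATTACH)
    {
        hLThis = hInst;
        /* Bare file name, so the real library is found through the normal
         * DLL search order rather than a fixed path.  The explicit ANSI
         * entry point keeps the narrow literal valid even if UNICODE is
         * defined for the build. */
        hL = LoadLibraryA("ws2_32_.dll");
        if (hL == NULL)
        {
            return FALSE;
        }
        resolve_exports();
    }
    else if (reason == DLL_PROCESS_DETACH)
    {
        if (hL != NULL)
        {
            FreeLibrary(hL);
            hL = NULL; /* guard against a second release */
        }
    }

    return TRUE;
}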

/* Export slot 0: FreeAddrInfoEx.
 * Naked trampoline — no prologue or epilogue is emitted, so the caller's
 * stack and registers reach the real function untouched.  Control transfers
 * through the 4-byte pointer stored at byte offset 0 of p[], which DllMain
 * fills in.  The name __E__0__ is presumably what the generated .def file
 * exports under the real name. */
extern "C" __declspec(naked) void __stdcall __E__0__(void)
{
    __asm
    {
        jmp dword ptr [p + 0]
    }
}

/* Export slot 1: FreeAddrInfoExW.
 * Naked trampoline with no prologue/epilogue; jumps through the 4-byte
 * pointer at byte offset 4 of p[] (slot 1), resolved by DllMain.  The name
 * __E__1__ is presumably what the generated .def file exports under the
 * real name. */
extern "C" __declspec(naked) void __stdcall __E__1__(void)
{
    __asm
    {
        jmp dword ptr [p + 4]
    }
}

/* Export slot 2: FreeAddrInfoW.
 * Naked trampoline with no prologue/epilogue; jumps through the 4-byte
 * pointer at byte offset 8 of p[] (slot 2), resolved by DllMain.  The name
 * __E__2__ is presumably what the generated .def file exports under the
 * real name. */
extern "C" __declspec(naked) void __stdcall __E__2__(void)
{
    __asm
    {
        jmp dword ptr [p + 8]
    }
}

/* Export slot 3: GetAddrInfoExA.
 * Naked trampoline with no prologue/epilogue; jumps through the 4-byte
 * pointer at byte offset 12 of p[] (slot 3), resolved by DllMain.  The name
 * __E__3__ is presumably what the generated .def file exports under the
 * real name. */
extern "C" __declspec(naked) void __stdcall __E__3__(void)
{
    __asm
    {
        jmp dword ptr [p + 12]
    }
}

/* Export slot 4: GetAddrInfoExW.
 * Naked trampoline with no prologue/epilogue; jumps through the 4-byte
 * pointer at byte offset 16 of p[] (slot 4), resolved by DllMain.  The name
 * __E__4__ is presumably what the generated .def file exports under the
 * real name. */
extern "C" __declspec(naked) void __stdcall __E__4__(void)
{
    __asm
    {
        jmp dword ptr [p + 16]
    }
}
... 

我把它（連同 .def 文件）編譯後，得到了一個新的 proxy.dll 文件。:-)

到目前爲止一切順利。現在，在我的 VBox win7 x64 上，我把原始的 ws2_32.dll 重命名爲 ws2_32_.dll，把我的 proxy.dll 放進 C:\\Windows\\System32\\ 並重命名爲 ws2_32.dll。由於權限問題，這些操作我是用 Linux live-CD 完成的。

如你所見，代理會加載 ws2_32_.dll，所以應該沒問題。但系統重新啓動後，每個使用 ws2_32.dll 的程序都會報錯，而且 C:\\load.txt 文件從未被創建。

我不知道文章作者是怎麼做成功的。我在 Google 上讀到，需要把 proxy.dll 放到（並重命名爲）你想用代理 DLL 的程序所在的目錄中，但我在尋找一個全局的解決方案。

也許這是一個校驗和的問題?我讀過微軟在系統PE上使用一些祕密校驗和。

謝謝,gfgqtmakia。


支持的方法是通過分層服務提供程序。 –


@RaymondChen 謝謝評論。LSP 只適用於 Winsock，不是嗎？如果是 'user32.dll' 而不是 'ws2_32.dll' 會怎麼樣？ – assafmo


Side-by-side (SxS) 以及 Windows 的「已知 DLL」(Known DLLs) 保護難道不會阻止這種嘗試嗎？ –

回答


改成 32 位後，現在可以工作了。

另外:

  • 檢查代理的依賴關係，它可能需要額外的 .dll 才能運行。(Dependency Walker)
  • 按照 this guide 替換系統的 .dll，這比重新啓動到 Linux 要快。