Implementation of dynamic loading dll

1. Request memory in the target process
2. Write shellcode to target process memory (no features, coding is cumbersome)
3. Create a remote thread to execute shellcode

Previously, you could see that shellcode s are hard to write, depend on libraries, go to string areas, and so on. To make injected code easier to write, the best way is to write through dll

dll load:
1. Static call: Complete the call by adding a header file and a lib file to our program, provided you get the dll and then the header file
2. Dynamic invocation: only one dll is required to complete the invocation

Write a try first

#include <Windows.h>

__declspec(dllexport) void Test(){
	MessageBox(NULL, NULL, NULL, NULL);
}

You can see our Test, but this way the name of the Test is shredded, added by the c++ compiler, and you need to tell the compiler to use C to name the function, so we do this, and then you need to specify the calling conventions for the function parameters
1. u Stdcall standard stack argument, function internal (callee) flat stack
2. u Cdecl C stack argument, function external (caller) stack
3. u Fastcall fast register pass
4. u Thiscall calling convention of thiscall class, using ecx register to pass this pointer

extern "C"{
	__declspec(dllexport) void __stdcall Test(){
		MessageBox(NULL, NULL, NULL, NULL);
	}
}

Write above to u stdcall is a flat reference inside a function

void __stdcall test(int n1, int n2){
	
	return;
}

int main()
{
	test(1, 2);

	return 0;
}

Two returns eight and one returns four

void __stdcall test(int n1, int n2){
002013C0  push        ebp  
002013C1  mov         ebp,esp  
002013C3  sub         esp,0C0h  
002013C9  push        ebx  
002013CA  push        esi  
002013CB  push        edi  
002013CC  lea         edi,[ebp-0C0h]  
002013D2  mov         ecx,30h  
002013D7  mov         eax,0CCCCCCCCh  
002013DC  rep stos    dword ptr es:[edi]  
	
	return;
}
002013DE  pop         edi  
002013DF  pop         esi  
002013E0  pop         ebx  
002013E1  mov         esp,ebp  
002013E3  pop         ebp  
002013E4  ret         8  

It's obvious that the value changes when the parameter returns and it's the change inside the function so it's the function internal stack. Most windows APIs are stdcall, but there are also exceptions, such as wsprintf

char szBuf[256] = {0};
wsprintfA(szBuf,"%s","1234");

It's obvious here that because he's determined by parameters passed in from the outside, he's the external flat parameter of the function

Continue back to dynamically loading DLLs
1. Load the target dll into our process

HMODULE hDll = LoadLibraryA("./TestDLL.dll");

Return value is a module handle

Here you can see that our dll is completely loaded into our memory, so the returned module handle is also the first address of the current dll in the current process. The loading process is done by our operating system (including expanded allocation of memory for each section, relocation, etc.). Sometimes you can also write the loadlibraby yourself because it is too official to use this function. Writing it yourself is called memory loading. This is the way many viruses work

2. Position of calculation function
All have an offset

You can see that the offset is 11212

LPVOID lp = GetProcAddress(hDll, "Test");

You can see 2000+11122 = 31122

You can also write a def

LIBRARY
EXPORTS
Test

What you get here is a function pointer

typedef void(*PFN_FPP)();
PFN_FPP lp = (PFN_FPP)GetProcAddress(hDll, "Test");

Last call is OK

lp();

But how to ask the target process to call Loadlibrary to load our dll and run the export function in our dll

You can see that Loadlibrary exists in Kernel32.dll, so look for Kernel32 in the target process first. Location of dll, Kernel32 in general program. DLL This because he is a very basic DLL
Then find the location of the loadlibraryA or W function exported by the dll

Posted by quikone on Sun, 15 May 2022 19:51:01 +0300