阅读这篇有趣的文章后: http://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically
我决定纯粹出于研究目的尝试创建一个代理 DLL。 : - )
我对 ws2_32.dll 执行了文中的所有步骤，得到的代码如下：
#include <windows.h>
#include <stdio.h>
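// NOTE(review): pack(1) is left over from the generator. No struct is defined
// in this file, so it has no effect here, but it would change the layout of
// any struct declared after this point (including from later #includes).
#pragma pack(1)

// Module handle of this proxy DLL (set on DLL_PROCESS_ATTACH).
HINSTANCE hLThis = NULL;
// Module handle of the real library that calls are forwarded to.
HINSTANCE hL = NULL;

// Number of forwarded exports; there is one p[] slot per __E__N__ stub.
enum { PROXY_EXPORT_COUNT = 182 };

// Forwarding table: stub __E__N__ jumps through p[N]. Zero-initialised so a
// slot that was never resolved holds NULL rather than garbage.
FARPROC p[PROXY_EXPORT_COUNT] = {0};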
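// Export names of the real ws2_32.dll, in stub order: stub __E__N__ jumps
// through p[N], so kForwardedExports[N] must be the export that stub stands
// for. Do not reorder without regenerating the stubs and the .def file.
static const char *const kForwardedExports[] = {
    /*   0 */ "FreeAddrInfoEx",
    "FreeAddrInfoExW",
    "FreeAddrInfoW",
    "GetAddrInfoExA",
    "GetAddrInfoExW",
    "GetAddrInfoW",
    "GetNameInfoW",
    "InetNtopW",
    "InetPtonW",
    "SetAddrInfoExA",
    /*  10 */ "SetAddrInfoExW",
    "WEP",
    "WPUCompleteOverlappedRequest",
    "WSAAccept",
    "WSAAddressToStringA",
    "WSAAddressToStringW",
    "WSAAdvertiseProvider",
    "WSAAsyncGetHostByAddr",
    "WSAAsyncGetHostByName",
    "WSAAsyncGetProtoByName",
    /*  20 */ "WSAAsyncGetProtoByNumber",
    "WSAAsyncGetServByName",
    "WSAAsyncGetServByPort",
    "WSAAsyncSelect",
    "WSACancelAsyncRequest",
    "WSACancelBlockingCall",
    "WSACleanup",
    "WSACloseEvent",
    "WSAConnect",
    "WSAConnectByList",
    /*  30 */ "WSAConnectByNameA",
    "WSAConnectByNameW",
    "WSACreateEvent",
    "WSADuplicateSocketA",
    "WSADuplicateSocketW",
    "WSAEnumNameSpaceProvidersA",
    "WSAEnumNameSpaceProvidersExA",
    "WSAEnumNameSpaceProvidersExW",
    "WSAEnumNameSpaceProvidersW",
    "WSAEnumNetworkEvents",
    /*  40 */ "WSAEnumProtocolsA",
    "WSAEnumProtocolsW",
    "WSAEventSelect",
    "WSAGetLastError",
    "WSAGetOverlappedResult",
    "WSAGetQOSByName",
    "WSAGetServiceClassInfoA",
    "WSAGetServiceClassInfoW",
    "WSAGetServiceClassNameByClassIdA",
    "WSAGetServiceClassNameByClassIdW",
    /*  50 */ "WSAHtonl",
    "WSAHtons",
    "WSAInstallServiceClassA",
    "WSAInstallServiceClassW",
    "WSAIoctl",
    "WSAIsBlocking",
    "WSAJoinLeaf",
    "WSALookupServiceBeginA",
    "WSALookupServiceBeginW",
    "WSALookupServiceEnd",
    /*  60 */ "WSALookupServiceNextA",
    "WSALookupServiceNextW",
    "WSANSPIoctl",
    "WSANtohl",
    "WSANtohs",
    "WSAPoll",
    "WSAProviderCompleteAsyncCall",
    "WSAProviderConfigChange",
    "WSARecv",
    "WSARecvDisconnect",
    /*  70 */ "WSARecvFrom",
    "WSARemoveServiceClass",
    "WSAResetEvent",
    "WSASend",
    "WSASendDisconnect",
    "WSASendMsg",
    "WSASendTo",
    "WSASetBlockingHook",
    "WSASetEvent",
    "WSASetLastError",
    /*  80 */ "WSASetServiceA",
    "WSASetServiceW",
    "WSASocketA",
    "WSASocketW",
    "WSAStartup",
    "WSAStringToAddressA",
    "WSAStringToAddressW",
    "WSAUnadvertiseProvider",
    "WSAUnhookBlockingHook",
    "WSAWaitForMultipleEvents",
    /*  90 */ "WSApSetPostRoutine",
    "WSCDeinstallProvider",
    "WSCDeinstallProvider32",
    "WSCEnableNSProvider",
    "WSCEnableNSProvider32",
    "WSCEnumNameSpaceProviders32",
    "WSCEnumNameSpaceProvidersEx32",
    "WSCEnumProtocols",
    "WSCEnumProtocols32",
    "WSCGetApplicationCategory",
    /* 100 */ "WSCGetProviderInfo",
    "WSCGetProviderInfo32",
    "WSCGetProviderPath",
    "WSCGetProviderPath32",
    "WSCInstallNameSpace",
    "WSCInstallNameSpace32",
    "WSCInstallNameSpaceEx",
    "WSCInstallNameSpaceEx32",
    "WSCInstallProvider",
    "WSCInstallProvider64_32",
    /* 110 */ "WSCInstallProviderAndChains64_32",
    "WSCSetApplicationCategory",
    "WSCSetProviderInfo",
    "WSCSetProviderInfo32",
    "WSCUnInstallNameSpace",
    "WSCUnInstallNameSpace32",
    "WSCUpdateProvider",
    "WSCUpdateProvider32",
    "WSCWriteNameSpaceOrder",
    "WSCWriteNameSpaceOrder32",
    /* 120 */ "WSCWriteProviderOrder",
    "WSCWriteProviderOrder32",
    "WahCloseApcHelper",
    "WahCloseHandleHelper",
    "WahCloseNotificationHandleHelper",
    "WahCloseSocketHandle",
    "WahCloseThread",
    "WahCompleteRequest",
    "WahCreateHandleContextTable",
    "WahCreateNotificationHandle",
    /* 130 */ "WahCreateSocketHandle",
    "WahDestroyHandleContextTable",
    "WahDisableNonIFSHandleSupport",
    "WahEnableNonIFSHandleSupport",
    "WahEnumerateHandleContexts",
    "WahInsertHandleContext",
    "WahNotifyAllProcesses",
    "WahOpenApcHelper",
    "WahOpenCurrentThread",
    "WahOpenHandleHelper",
    /* 140 */ "WahOpenNotificationHandleHelper",
    "WahQueueUserApc",
    "WahReferenceContextByHandle",
    "WahRemoveHandleContext",
    "WahWaitForNotification",
    "WahWriteLSPEvent",
    "__WSAFDIsSet",
    "accept",
    "bind",
    "closesocket",
    /* 150 */ "connect",
    "freeaddrinfo",
    "getaddrinfo",
    "gethostbyaddr",
    "gethostbyname",
    "gethostname",
    "getnameinfo",
    "getpeername",
    "getprotobyname",
    "getprotobynumber",
    /* 160 */ "getservbyname",
    "getservbyport",
    "getsockname",
    "getsockopt",
    "htonl",
    "htons",
    "inet_addr",
    "inet_ntoa",
    "inet_ntop",
    "inet_pton",
    /* 170 */ "ioctlsocket",
    "listen",
    "ntohl",
    "ntohs",
    "recv",
    "recvfrom",
    "select",
    "send",
    "sendto",
    "setsockopt",
    /* 180 */ "shutdown",
    "socket",
};

// The name table and the forwarding table p[] must line up one-to-one,
// otherwise a stub would forward to the wrong function.
static_assert(sizeof kForwardedExports / sizeof kForwardedExports[0] == sizeof p / sizeof p[0],
              "kForwardedExports and p[] must have the same number of entries");

// Resolve every forwarded export of the real library into p[].
// An export the real DLL does not provide leaves its slot NULL; the matching
// stub would then jump to address 0 when a client calls it. This mirrors the
// generated code's best-effort behaviour and does not abort loading.
static void resolve_exports(HINSTANCE real)
{
    for (size_t i = 0; i < sizeof p / sizeof p[0]; ++i) {
        p[i] = GetProcAddress(real, kForwardedExports[i]);
    }
}

// DLL_PROCESS_ATTACH: remember our own handle, load the real library and
// fill the forwarding table. Returns FALSE if the real library cannot be
// loaded, which makes the loader abort loading this DLL.
static BOOL attach_real_library(HINSTANCE self)
{
    hLThis = self;
    // Unqualified file name: the loader resolves it through its normal DLL
    // search order. NOTE(review): Microsoft documents LoadLibrary from
    // DllMain as unsafe (loader lock held); kept because the whole design
    // depends on it.
    hL = LoadLibraryA("ws2_32_.dll");
    if (hL == NULL) {
        return FALSE;
    }
    resolve_exports(hL);
    return TRUE;
}

/*
 * Entry point of the proxy DLL.
 *
 * On DLL_PROCESS_ATTACH the real library is loaded under its renamed name and
 * every forwarded export is resolved into p[], which the naked __E__N__ stubs
 * jump through. On DLL_PROCESS_DETACH the real library is released again.
 *
 * hInst      - module handle of this DLL.
 * reason     - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_*.
 * lpReserved - unused.
 *
 * Returns TRUE on success, FALSE if the real library could not be loaded.
 *
 * Side effect: appends to C:\load.txt (opening it in "a+" mode) in every
 * process that loads this DLL — the author's load indicator.
 */
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID lpReserved)
{
    (void)lpReserved;

    // Best-effort load marker. The original passed the FILE* to fclose()
    // without checking fopen_s, so a failed open (for instance when the
    // process may not create files in the root of C:) dereferenced NULL.
    FILE *f = NULL;
    if (fopen_s(&f, "C:\\load.txt", "a+") == 0 && f != NULL) {
        fclose(f);
    }

    switch (reason) {
    case DLL_PROCESS_ATTACH:
        return attach_real_library(hInst);
    case DLL_PROCESS_DETACH:
        // hL stays NULL if attach failed before the real library was loaded.
        if (hL != NULL) {
            FreeLibrary(hL);
            hL = NULL;
        }
        break;
    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.
        break;
    }
    return TRUE;
}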
// FreeAddrInfoEx
// Forwarding stub for export #0: naked (no prologue/epilogue), so the jump
// through p[0] hands the caller's stack to the real function untouched.
// "0*4" is the byte offset into p[] — sizeof(FARPROC) on 32-bit x86; MSVC
// inline __asm is only available in 32-bit builds.
extern "C" __declspec(naked) void __stdcall __E__0__()
{
__asm
{
jmp p[0*4];
}
}
// FreeAddrInfoExW
// Forwarding stub for export #1: naked (no prologue/epilogue), so the jump
// through p[1] hands the caller's stack to the real function untouched.
// "1*4" is the byte offset into p[] — sizeof(FARPROC) on 32-bit x86; MSVC
// inline __asm is only available in 32-bit builds.
extern "C" __declspec(naked) void __stdcall __E__1__()
{
__asm
{
jmp p[1*4];
}
}
// FreeAddrInfoW
// Forwarding stub for export #2: naked (no prologue/epilogue), so the jump
// through p[2] hands the caller's stack to the real function untouched.
// "2*4" is the byte offset into p[] — sizeof(FARPROC) on 32-bit x86; MSVC
// inline __asm is only available in 32-bit builds.
extern "C" __declspec(naked) void __stdcall __E__2__()
{
__asm
{
jmp p[2*4];
}
}
// GetAddrInfoExA
// Forwarding stub for export #3: naked (no prologue/epilogue), so the jump
// through p[3] hands the caller's stack to the real function untouched.
// "3*4" is the byte offset into p[] — sizeof(FARPROC) on 32-bit x86; MSVC
// inline __asm is only available in 32-bit builds.
extern "C" __declspec(naked) void __stdcall __E__3__()
{
__asm
{
jmp p[3*4];
}
}
// GetAddrInfoExW
// Forwarding stub for export #4: naked (no prologue/epilogue), so the jump
// through p[4] hands the caller's stack to the real function untouched.
// "4*4" is the byte offset into p[] — sizeof(FARPROC) on 32-bit x86; MSVC
// inline __asm is only available in 32-bit builds.
extern "C" __declspec(naked) void __stdcall __E__4__()
{
__asm
{
jmp p[4*4];
}
}
...
我编译了它(使用 .def 文件)，得到了一个新的 proxy.dll 文件。 : - )
到目前为止一切顺利。现在，在我的 VBox Win7 x64 上，我已将原始的 ws2_32.dll 重命名为 ws2_32_.dll，把 proxy.dll 放入 C:\\Windows\\System32\\ 并将其重命名为 ws2_32.dll。由于权限问题，我是用 Linux live-cd 完成这些操作的。
正如您所见，代理会加载 ws2_32_.dll，所以应该没问题。
但是当系统重启回来后，每个使用 ws2_32.dll 的程序都会抛出错误，而文件 C:\\load.txt 从未被创建。
我不知道文章作者是怎么做到的。我在谷歌上看到，需要把 proxy.dll 放到(并重命名为)你想代理的程序所在的同一目录中，但我在寻找全局的解决方案。
也许这是校验和的问题？我读到微软在其系统 PE 文件上使用了某种秘密校验和。
谢谢,gfgqtmakia。
答案 0 :(得分:0)
改为 32 位后，现在可以正常工作了。
此外:
.dll
才能运行。 (Dependency Walker).dll
。这比重启到linux更快。