反射載入 CGO 生成的 DLL
- 王林轉載
- 2024-02-08 21:00:13448瀏覽
只是想嘗試反射 dll 加載,所以我寫了一個簡單的訊息框:
package main
import "c"
import (
"unsafe"
"syscall"
)
//export onprocessattach
func onprocessattach() {
const (
null = 0
mb_ok = 0
)
caption := "hola"
title := "desdegoo"
ret, _, _ := syscall.newlazydll("user32.dll").newproc("messageboxw").call(
uintptr(null),
uintptr(unsafe.pointer(syscall.stringtoutf16ptr(caption))),
uintptr(unsafe.pointer(syscall.stringtoutf16ptr(title))),
uintptr(mb_ok))
if ret != 1 {
return
}
return
}
func main() {}
我使用以下命令產生了一個 dll(只是一個帶有 cgo/golang 的訊息框) go build --buildmode=c-shared main.go
#當使用 loadlibrary() 載入 dll 並執行匯出函數 onprocessattach 時,它可以工作(彈出訊息框),但是當嘗試實作 dll 反射載入時,透過解析重定位和解析 iat,它就不起作用。 似乎執行基本重定位並將 iat 設為 .rdata 上的空部分,用於初始化 go 運行時(在 nt 標頭的入口點中初始化) 這是我用來解決導入問題的程式碼片段:
// resolve base relocations
IMAGE_DATA_DIRECTORY relocations = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
DWORD_PTR relocationTable = relocations.VirtualAddress + (DWORD_PTR)dllBase;
DWORD relocationsProcessed = 0;
while (relocationsProcessed < relocations.Size)
{
PBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)(relocationTable + relocationsProcessed);
relocationsProcessed += sizeof(BASE_RELOCATION_BLOCK);
DWORD relocationsCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);
PBASE_RELOCATION_ENTRY relocationEntries = (PBASE_RELOCATION_ENTRY)(relocationTable + relocationsProcessed);
for (DWORD i = 0; i < relocationsCount; i++)
{
relocationsProcessed += sizeof(BASE_RELOCATION_ENTRY);
if (relocationEntries[i].Type == 0)
{
continue;
}
DWORD_PTR relocationRVA = relocationBlock->PageAddress + relocationEntries[i].Offset;
DWORD_PTR addressToPatch = 0;
ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase, relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL);
addressToPatch += deltaImageBase;
memcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR));
}
}
// resolve IAT
PIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL;
IMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
importDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(importsDirectory.VirtualAddress + (DWORD_PTR)dllBase);
LPCSTR libraryName = "";
HMODULE library = NULL;
while (importDescriptor->Name != NULL)
{
libraryName = (LPCSTR)importDescriptor->Name + (DWORD_PTR)dllBase;
library = LoadLibraryA(libraryName);
if (library)
{
PIMAGE_THUNK_DATA thunk = NULL;
thunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)dllBase + importDescriptor->FirstThunk);
while (thunk->u1.AddressOfData != NULL)
{
if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal))
{
LPCSTR functionOrdinal = (LPCSTR)IMAGE_ORDINAL(thunk->u1.Ordinal);
thunk->u1.Function = (DWORD_PTR)GetProcAddress(library, functionOrdinal);
}
else {
PIMAGE_IMPORT_BY_NAME functionName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)dllBase + thunk->u1.AddressOfData);
DWORD_PTR functionAddress = (DWORD_PTR)GetProcAddress(library, functionName->Name);
thunk->u1.Function = functionAddress;
}
++thunk;
}
}
importDescriptor++;
}
這樣做之後,我解決了 eat 尋找 onprocessattach 函數的問題,直接運行它顯然不起作用,因為 go 運行時未初始化,但嘗試初始化它會導致程式崩潰,因為如上所述。它會給出 exception_access_violation,因為嘗試讀取無效的位元組區塊。
入口點的反組譯: mov rax, qdword ptr ds:[地址] mov dword ptr ds:[rax]
按照轉儲中的位址,它看起來為空 00 00 00 00 00 00 00 00 00 [..]
雖然原始dll確實有值 90 2b c5 ea 01 [...]
我知道我將 .rdata 上的這些位元組設為 null,但無法弄清楚為什麼在執行重定位時會發生這種情況,也許 go 運行時不適合我想要做的事情?還是別的什麼?
正確答案
解決後我只是忘了在這裡發布解決方案 錯誤出現在以下行
ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase, relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL);
這只是一個手指錯誤,應該是添加符號而不是逗號,這就是它使地址無效的原因。
以上是反射載入 CGO 生成的 DLL的詳細內容。更多資訊請關注PHP中文網其他相關文章!