隐藏 LoadLibrary() 函数

huobengle

浏览: 862499 次

最近访客更多访客>>

u012363178

Amyxiu

tangang

Ms.朱

博主相关

博客

微博

相册

留言

关于我

文章分类

全部博客 (1289)

社区版块

存档分类

2012-02 ( 2)
2012-01 ( 112)
2011-12 ( 49)
更多存档...

#include <Windows.h>
typedef struct _UNICODE_STRING { // UNICODE_STRING structure
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

typedef NTSTATUS (WINAPI *fLdrLoadDll) //LdrLoadDll function prototype
(
 IN PWCHAR PathToFile OPTIONAL,
 IN ULONG Flags OPTIONAL,
 IN PUNICODE_STRING ModuleFileName,
 OUT PHANDLE ModuleHandle
 );

typedef VOID (WINAPI *fRtlInitUnicodeString) //RtlInitUnicodeString function prototype
(
 PUNICODE_STRING DestinationString,
 PCWSTR SourceString
 );

HMODULE hntdll;
fLdrLoadDll _LdrLoadDll;
fRtlInitUnicodeString _RtlInitUnicodeString;

HMODULE LoadDll( LPCSTR lpFileName) //Coded by Viotto - http://viotto-security.net
{
    if (hntdll      == NULL) { hntdll = GetModuleHandleA("ntdll.dll"); }
    if (_LdrLoadDll == NULL) { _LdrLoadDll = (fLdrLoadDll) GetProcAddress ( hntdll, "LdrLoadDll"); }
    if (_RtlInitUnicodeString == NULL)
    { _RtlInitUnicodeString = (fRtlInitUnicodeString) GetProcAddress ( hntdll, "RtlInitUnicodeString"); }

int StrLen = lstrlenA(lpFileName);
    BSTR WideStr = SysAllocStringLen(NULL, StrLen);
    MultiByteToWideChar(CP_ACP, 0, lpFileName, StrLen, WideStr, StrLen);

UNICODE_STRING usDllName;
    _RtlInitUnicodeString(&usDllName, WideStr);
    SysFreeString(WideStr);

HANDLE DllHandle;
    _LdrLoadDll(0, 0, &usDllName, &DllHandle);

return (HMODULE)DllHandle;
}

typedef void (* _u)();

int main()
{
    HMODULE hMydll = LoadDll("C:\\ww.dll");
   _u ss = (_u)GetProcAddress(hMydll,"tt");
   ss();
    return 0;
}

网上看到的，先收藏了，说不定会用到

关于LdrLoadDll

调用过程：LoadLibraryA->LoadLibraryW->LdrLoadDll……
针对有些未加载kernel32.dll的进程，可以用ShellCode+LdrLoadDll进行DLL注入
还有就是可以用LdrGetProcedureAddress代替GetProcAddress

分享到：