📄 揭开木马的神秘面纱5.htm
</span></p>
<p class="MsoNormal" style="margin-left:108.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">With the code above we can get the DLL that contains the GetMsgProc function mapped into any target process (as long as our privileges allow it). There is one unpleasant catch, though: when the hook-installing process exits, the system automatically unloads every hook DLL it installed (the hook procedure is obviously no longer needed). That leaves us in a dilemma. If the hook-installing process stays alive, this DLL Trojan can hardly be called "processless"; if it does not stay alive, the hook DLL cannot survive on its own. Is our Win9x DLL Trojan a complete write-off, then? Not at all. A simple fix is to use one more DLL file and insert a hook DLL between the hook-installing process and the Trojan DLL: the installer loads the hook DLL, and the hook DLL in turn loads the Trojan DLL with LoadLibrary. When the installer exits, the hook DLL is unloaded along with it, but nothing ever frees the Trojan DLL, so it stays resident inside the target process. Suppose the hook-installing process is HookInst.exe, the hook DLL is HookDll.dll, the Trojan DLL is Trojan.dll and the target process is DestProc.exe; the sequence by which the Trojan DLL becomes resident in the target process is then:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HookInst.exe ---- [ LoadLibrary ] ---- HookDll.dll ---[ enters ]--> DestProc.exe<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HookDll.dll ---- [ LoadLibrary ] ---- Trojan.dll ---[ enters ]--> DestProc.exe<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HookInst.exe ---- [ ExitProcess ] ---- [ process exits ]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">DestProc.exe ---- [ FreeLibrary ] ---- HookDll.dll ---[ DLL unloaded ]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">Trojan.dll ---- [ stays resident ] ---- DestProc.exe<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">If we look more carefully at how DLLs are loaded and unloaded, an even simpler method presents itself. When a process calls LoadLibrary on a DLL, the system first checks whether that DLL is already loaded in the process. If it is not, the module is really mapped into the process; if it has already been loaded by any thread of this process, the system merely increments the DLL's load (reference) count by one. Unloading works the same way in reverse: the system first decrements the count, and only if it reaches 0 is the module really unmapped from memory; if the count is still greater than 0, nothing else happens. This gives us a Trojan DLL that can stay resident inside the process indefinitely without a second DLL. The hook DLL is unloaded by a single FreeLibrary call when the hook-installing process exits, so if the Trojan DLL's reference count is greater than 1 at that moment, FreeLibrary only decrements the count instead of unloading the DLL. How do we get the count above 1? Simple: in the DLL_PROCESS_ATTACH case of DllMain in the DLL that serves as the hook DLL (here the Trojan DLL itself), call LoadLibrary on the DLL's own file. The Trojan DLL's reference count is then 2; when the hook-installing process exits it is decremented to 1, but the DLL is never actually unloaded. (Microsoft's DllMain guidance warns against calling LoadLibrary from inside DllMain because the loader lock is held. In practice the call succeeds here because the module is already mapped and only the count changes, but it is outside the documented rules; on Windows XP and later, GetModuleHandleEx with GET_MODULE_HANDLE_EX_FLAG_PIN is the documented way to keep a module mapped for the life of the process.) The sequence is:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HookInst.exe ---- [ LoadLibrary ] ---- Trojan.dll ---[ enters ]--> DestProc.exe<o:p></o:p></span></p>
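<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The following program is an added illustration, not code from the article: a small portable C model of the per-process reference counting that both schemes above rely on (LoadLibrary increments a module's count and runs DllMain with DLL_PROCESS_ATTACH only on the first load; FreeLibrary decrements and unmaps, with DLL_PROCESS_DETACH, only when the count reaches zero). It plays through the three arrangements the text compares, a lone hook DLL, the HookDll.dll/Trojan.dll chain, and the self-LoadLibrary trick, using the module names from the article. The module table, the DllMain bodies and the run_hook_lifecycle helper that stands in for SetWindowsHookEx plus the system's unhook-and-free are all assumptions of this example; on Windows the corresponding DllMain would call the real LoadLibrary with its own module path.</span></p>

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of per-process DLL reference counting (not Windows code):
 * LoadLibrary bumps a module's count and runs DllMain(ATTACH) only on the
 * first load; FreeLibrary drops it and unmaps (DETACH) only at zero. */
#define MAX_MODULES 8
#define DLL_PROCESS_ATTACH 1
#define DLL_PROCESS_DETACH 0

typedef struct Module {
    const char *name;
    int refcount;                  /* per-process load count, 0 = not mapped */
    void (*dll_main)(int reason);
} Module;

static Module g_modules[MAX_MODULES];  /* the process's loaded-module list */
static int g_module_count;

static Module *find_module(const char *name) {
    for (int i = 0; i < g_module_count; i++)
        if (strcmp(g_modules[i].name, name) == 0) return &g_modules[i];
    return NULL;
}

/* Make a DLL available "on disk" with its DllMain; it is mapped only on load. */
static void register_dll(const char *name, void (*dll_main)(int)) {
    assert(g_module_count < MAX_MODULES);
    g_modules[g_module_count++] = (Module){ name, 0, dll_main };
}

/* LoadLibrary: the first load maps the module and calls DllMain; any later
 * load from any thread of the process only increments the count. */
static Module *load_library(const char *name) {
    Module *m = find_module(name);
    if (!m) return NULL;
    m->refcount++;
    if (m->refcount == 1 && m->dll_main) m->dll_main(DLL_PROCESS_ATTACH);
    return m;
}

/* FreeLibrary: decrement; the module is really unmapped only at zero. */
static int free_library(const char *name) {
    Module *m = find_module(name);
    if (!m || m->refcount == 0) return 0;
    m->refcount--;
    if (m->refcount == 0 && m->dll_main) m->dll_main(DLL_PROCESS_DETACH);
    return 1;
}

static int refcount_of(const char *name) {
    Module *m = find_module(name);
    return m ? m->refcount : -1;
}
static void reset_process(void) { g_module_count = 0; }

/* DllMain bodies for the three schemes the text compares. */
static void naive_dll_main(int reason) { (void)reason; }     /* lone hook DLL */
static void hookdll_main(int reason) {     /* HookDll.dll pulls in Trojan.dll; */
    if (reason == DLL_PROCESS_ATTACH) load_library("Trojan.dll"); /* never freed */
}
static void self_pinning_main(int reason) { /* Trojan.dll loads itself: count 2 */
    if (reason == DLL_PROCESS_ATTACH) load_library("Trojan.dll");
}

/* Stand-in for SetWindowsHookEx mapping the hook DLL into the target, then
 * the installer exiting and the system freeing the hook DLL exactly once. */
static void run_hook_lifecycle(const char *hook_dll) {
    load_library(hook_dll);
    free_library(hook_dll);
}

/* Each scheme returns 1 if the Trojan code is still mapped afterwards. */
int scheme_naive_survives(void) {
    reset_process();
    register_dll("Trojan.dll", naive_dll_main);
    run_hook_lifecycle("Trojan.dll");
    return refcount_of("Trojan.dll") > 0;
}
int scheme_two_dll_survives(void) {
    reset_process();
    register_dll("HookDll.dll", hookdll_main);
    register_dll("Trojan.dll", naive_dll_main);
    run_hook_lifecycle("HookDll.dll");
    return refcount_of("HookDll.dll") == 0 && refcount_of("Trojan.dll") == 1;
}
int scheme_self_pin_survives(void) {
    reset_process();
    register_dll("Trojan.dll", self_pinning_main);
    run_hook_lifecycle("Trojan.dll");
    return refcount_of("Trojan.dll") == 1;
}

int main(void) {
    printf("lone hook DLL: %d, two-DLL chain: %d, self-pinned: %d\n",
           scheme_naive_survives(), scheme_two_dll_survives(),
           scheme_self_pin_survives());
    return 0;
}
```

<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">Compile with any C99 compiler and run it: the lone hook DLL reports 0 (unmapped once the installer exits) and the two other schemes report 1. The model also makes the defender's angle visible: in both surviving schemes Trojan.dll remains in the process's module list holding a reference nobody will ever drop, so a module that is still loaded after every hook that referenced it is gone is exactly what a module-list sweep of the target process should flag.</span></p>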