是否有可能用代理DLL替换系统DLL?

看完这篇有趣的文章后: http://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically

我决定纯粹出于研究目的尝试创建一个代理DLL。 🙂

我对ws2_32.dll执行了文中的所有步骤,下面是我得到的代码:

#include <windows.h>
#include <stdio.h>
// Emitted by the generator; no struct follows it in the visible code, so its effect here is unclear.
#pragma pack(1)

// Module handle of this proxy DLL (stored on DLL_PROCESS_ATTACH, otherwise unused here).
HINSTANCE hLThis = 0;
// Module handle of the renamed original library ("ws2_32_.dll") that every call is forwarded to.
HINSTANCE hL = 0;
// Forwarding table: one resolved export address per proxied function.
// p[N] is the target of the __E__N__ thunk below, so the order must match.
FARPROC p[182] = {0};

/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it loads the renamed original library and resolves
 * each forwarded export into p[]; on DLL_PROCESS_DETACH it releases that
 * library.  Returning false from the attach case makes the loader fail the
 * load of this DLL.
 *
 * hInst  - module handle of this DLL (kept in hLThis).
 * reason - loader notification code (process/thread attach/detach).
 * Returns false (0) when the original library cannot be loaded, else 1.
 */
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID)
{
    // Debug indicator: touch C:\load.txt so that any load of this DLL leaves a trace.
    // NOTE(review): the fopen_s result is never checked, so f is NULL (and fclose(f)
    // faults) whenever the file cannot be opened, e.g. when the host process has no
    // write access to the drive root.  This also runs for every reason value, including
    // thread attach/detach, and does file I/O under the loader lock, which Microsoft's
    // DllMain guidance advises against -- a likely contributor to the "every program
    // errors and load.txt never appears" symptom described in the question.
    FILE* f;
    fopen_s(&f, "C:\\load.txt", "a+");
    fclose(f);

    if (reason == DLL_PROCESS_ATTACH) {
        hLThis = hInst;
        // Load the renamed original; calling LoadLibrary from DllMain is itself
        // discouraged by the DllMain documentation, but it is what this pattern relies on.
        hL = LoadLibrary("ws2_32_.dll");
        if (!hL) return false;

        // Resolve every forwarded export.  A NULL entry (name missing from the
        // original) is not detected here; the matching thunk would then jump to 0.
        p[0] = GetProcAddress(hL,"FreeAddrInfoEx");
        p[1] = GetProcAddress(hL,"FreeAddrInfoExW");
        p[2] = GetProcAddress(hL,"FreeAddrInfoW");
        p[3] = GetProcAddress(hL,"GetAddrInfoExA");
        p[4] = GetProcAddress(hL,"GetAddrInfoExW");
        p[5] = GetProcAddress(hL,"GetAddrInfoW");
        p[6] = GetProcAddress(hL,"GetNameInfoW");
        p[7] = GetProcAddress(hL,"InetNtopW");
        p[8] = GetProcAddress(hL,"InetPtonW");
        p[9] = GetProcAddress(hL,"SetAddrInfoExA");
        p[10] = GetProcAddress(hL,"SetAddrInfoExW");
        p[11] = GetProcAddress(hL,"WEP");
        p[12] = GetProcAddress(hL,"WPUCompleteOverlappedRequest");
        p[13] = GetProcAddress(hL,"WSAAccept");
        p[14] = GetProcAddress(hL,"WSAAddressToStringA");
        p[15] = GetProcAddress(hL,"WSAAddressToStringW");
        p[16] = GetProcAddress(hL,"WSAAdvertiseProvider");
        p[17] = GetProcAddress(hL,"WSAAsyncGetHostByAddr");
        p[18] = GetProcAddress(hL,"WSAAsyncGetHostByName");
        p[19] = GetProcAddress(hL,"WSAAsyncGetProtoByName");
        p[20] = GetProcAddress(hL,"WSAAsyncGetProtoByNumber");
        p[21] = GetProcAddress(hL,"WSAAsyncGetServByName");
        p[22] = GetProcAddress(hL,"WSAAsyncGetServByPort");
        p[23] = GetProcAddress(hL,"WSAAsyncSelect");
        p[24] = GetProcAddress(hL,"WSACancelAsyncRequest");
        p[25] = GetProcAddress(hL,"WSACancelBlockingCall");
        p[26] = GetProcAddress(hL,"WSACleanup");
        p[27] = GetProcAddress(hL,"WSACloseEvent");
        p[28] = GetProcAddress(hL,"WSAConnect");
        p[29] = GetProcAddress(hL,"WSAConnectByList");
        p[30] = GetProcAddress(hL,"WSAConnectByNameA");
        p[31] = GetProcAddress(hL,"WSAConnectByNameW");
        p[32] = GetProcAddress(hL,"WSACreateEvent");
        p[33] = GetProcAddress(hL,"WSADuplicateSocketA");
        p[34] = GetProcAddress(hL,"WSADuplicateSocketW");
        p[35] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersA");
        p[36] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersExA");
        p[37] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersExW");
        p[38] = GetProcAddress(hL,"WSAEnumNameSpaceProvidersW");
        p[39] = GetProcAddress(hL,"WSAEnumNetworkEvents");
        p[40] = GetProcAddress(hL,"WSAEnumProtocolsA");
        p[41] = GetProcAddress(hL,"WSAEnumProtocolsW");
        p[42] = GetProcAddress(hL,"WSAEventSelect");
        p[43] = GetProcAddress(hL,"WSAGetLastError");
        p[44] = GetProcAddress(hL,"WSAGetOverlappedResult");
        p[45] = GetProcAddress(hL,"WSAGetQOSByName");
        p[46] = GetProcAddress(hL,"WSAGetServiceClassInfoA");
        p[47] = GetProcAddress(hL,"WSAGetServiceClassInfoW");
        p[48] = GetProcAddress(hL,"WSAGetServiceClassNameByClassIdA");
        p[49] = GetProcAddress(hL,"WSAGetServiceClassNameByClassIdW");
        p[50] = GetProcAddress(hL,"WSAHtonl");
        p[51] = GetProcAddress(hL,"WSAHtons");
        p[52] = GetProcAddress(hL,"WSAInstallServiceClassA");
        p[53] = GetProcAddress(hL,"WSAInstallServiceClassW");
        p[54] = GetProcAddress(hL,"WSAIoctl");
        p[55] = GetProcAddress(hL,"WSAIsBlocking");
        p[56] = GetProcAddress(hL,"WSAJoinLeaf");
        p[57] = GetProcAddress(hL,"WSALookupServiceBeginA");
        p[58] = GetProcAddress(hL,"WSALookupServiceBeginW");
        p[59] = GetProcAddress(hL,"WSALookupServiceEnd");
        p[60] = GetProcAddress(hL,"WSALookupServiceNextA");
        p[61] = GetProcAddress(hL,"WSALookupServiceNextW");
        p[62] = GetProcAddress(hL,"WSANSPIoctl");
        p[63] = GetProcAddress(hL,"WSANtohl");
        p[64] = GetProcAddress(hL,"WSANtohs");
        p[65] = GetProcAddress(hL,"WSAPoll");
        p[66] = GetProcAddress(hL,"WSAProviderCompleteAsyncCall");
        p[67] = GetProcAddress(hL,"WSAProviderConfigChange");
        p[68] = GetProcAddress(hL,"WSARecv");
        p[69] = GetProcAddress(hL,"WSARecvDisconnect");
        p[70] = GetProcAddress(hL,"WSARecvFrom");
        p[71] = GetProcAddress(hL,"WSARemoveServiceClass");
        p[72] = GetProcAddress(hL,"WSAResetEvent");
        p[73] = GetProcAddress(hL,"WSASend");
        p[74] = GetProcAddress(hL,"WSASendDisconnect");
        p[75] = GetProcAddress(hL,"WSASendMsg");
        p[76] = GetProcAddress(hL,"WSASendTo");
        p[77] = GetProcAddress(hL,"WSASetBlockingHook");
        p[78] = GetProcAddress(hL,"WSASetEvent");
        p[79] = GetProcAddress(hL,"WSASetLastError");
        p[80] = GetProcAddress(hL,"WSASetServiceA");
        p[81] = GetProcAddress(hL,"WSASetServiceW");
        p[82] = GetProcAddress(hL,"WSASocketA");
        p[83] = GetProcAddress(hL,"WSASocketW");
        p[84] = GetProcAddress(hL,"WSAStartup");
        p[85] = GetProcAddress(hL,"WSAStringToAddressA");
        p[86] = GetProcAddress(hL,"WSAStringToAddressW");
        p[87] = GetProcAddress(hL,"WSAUnadvertiseProvider");
        p[88] = GetProcAddress(hL,"WSAUnhookBlockingHook");
        p[89] = GetProcAddress(hL,"WSAWaitForMultipleEvents");
        p[90] = GetProcAddress(hL,"WSApSetPostRoutine");
        p[91] = GetProcAddress(hL,"WSCDeinstallProvider");
        p[92] = GetProcAddress(hL,"WSCDeinstallProvider32");
        p[93] = GetProcAddress(hL,"WSCEnableNSProvider");
        p[94] = GetProcAddress(hL,"WSCEnableNSProvider32");
        p[95] = GetProcAddress(hL,"WSCEnumNameSpaceProviders32");
        p[96] = GetProcAddress(hL,"WSCEnumNameSpaceProvidersEx32");
        p[97] = GetProcAddress(hL,"WSCEnumProtocols");
        p[98] = GetProcAddress(hL,"WSCEnumProtocols32");
        p[99] = GetProcAddress(hL,"WSCGetApplicationCategory");
        p[100] = GetProcAddress(hL,"WSCGetProviderInfo");
        p[101] = GetProcAddress(hL,"WSCGetProviderInfo32");
        p[102] = GetProcAddress(hL,"WSCGetProviderPath");
        p[103] = GetProcAddress(hL,"WSCGetProviderPath32");
        p[104] = GetProcAddress(hL,"WSCInstallNameSpace");
        p[105] = GetProcAddress(hL,"WSCInstallNameSpace32");
        p[106] = GetProcAddress(hL,"WSCInstallNameSpaceEx");
        p[107] = GetProcAddress(hL,"WSCInstallNameSpaceEx32");
        p[108] = GetProcAddress(hL,"WSCInstallProvider");
        p[109] = GetProcAddress(hL,"WSCInstallProvider64_32");
        p[110] = GetProcAddress(hL,"WSCInstallProviderAndChains64_32");
        p[111] = GetProcAddress(hL,"WSCSetApplicationCategory");
        p[112] = GetProcAddress(hL,"WSCSetProviderInfo");
        p[113] = GetProcAddress(hL,"WSCSetProviderInfo32");
        p[114] = GetProcAddress(hL,"WSCUnInstallNameSpace");
        p[115] = GetProcAddress(hL,"WSCUnInstallNameSpace32");
        p[116] = GetProcAddress(hL,"WSCUpdateProvider");
        p[117] = GetProcAddress(hL,"WSCUpdateProvider32");
        p[118] = GetProcAddress(hL,"WSCWriteNameSpaceOrder");
        p[119] = GetProcAddress(hL,"WSCWriteNameSpaceOrder32");
        p[120] = GetProcAddress(hL,"WSCWriteProviderOrder");
        p[121] = GetProcAddress(hL,"WSCWriteProviderOrder32");
        p[122] = GetProcAddress(hL,"WahCloseApcHelper");
        p[123] = GetProcAddress(hL,"WahCloseHandleHelper");
        p[124] = GetProcAddress(hL,"WahCloseNotificationHandleHelper");
        p[125] = GetProcAddress(hL,"WahCloseSocketHandle");
        p[126] = GetProcAddress(hL,"WahCloseThread");
        p[127] = GetProcAddress(hL,"WahCompleteRequest");
        p[128] = GetProcAddress(hL,"WahCreateHandleContextTable");
        p[129] = GetProcAddress(hL,"WahCreateNotificationHandle");
        p[130] = GetProcAddress(hL,"WahCreateSocketHandle");
        p[131] = GetProcAddress(hL,"WahDestroyHandleContextTable");
        p[132] = GetProcAddress(hL,"WahDisableNonIFSHandleSupport");
        p[133] = GetProcAddress(hL,"WahEnableNonIFSHandleSupport");
        p[134] = GetProcAddress(hL,"WahEnumerateHandleContexts");
        p[135] = GetProcAddress(hL,"WahInsertHandleContext");
        p[136] = GetProcAddress(hL,"WahNotifyAllProcesses");
        p[137] = GetProcAddress(hL,"WahOpenApcHelper");
        p[138] = GetProcAddress(hL,"WahOpenCurrentThread");
        p[139] = GetProcAddress(hL,"WahOpenHandleHelper");
        p[140] = GetProcAddress(hL,"WahOpenNotificationHandleHelper");
        p[141] = GetProcAddress(hL,"WahQueueUserApc");
        p[142] = GetProcAddress(hL,"WahReferenceContextByHandle");
        p[143] = GetProcAddress(hL,"WahRemoveHandleContext");
        p[144] = GetProcAddress(hL,"WahWaitForNotification");
        p[145] = GetProcAddress(hL,"WahWriteLSPEvent");
        p[146] = GetProcAddress(hL,"__WSAFDIsSet");
        p[147] = GetProcAddress(hL,"accept");
        p[148] = GetProcAddress(hL,"bind");
        p[149] = GetProcAddress(hL,"closesocket");
        p[150] = GetProcAddress(hL,"connect");
        p[151] = GetProcAddress(hL,"freeaddrinfo");
        p[152] = GetProcAddress(hL,"getaddrinfo");
        p[153] = GetProcAddress(hL,"gethostbyaddr");
        p[154] = GetProcAddress(hL,"gethostbyname");
        p[155] = GetProcAddress(hL,"gethostname");
        p[156] = GetProcAddress(hL,"getnameinfo");
        p[157] = GetProcAddress(hL,"getpeername");
        p[158] = GetProcAddress(hL,"getprotobyname");
        p[159] = GetProcAddress(hL,"getprotobynumber");
        p[160] = GetProcAddress(hL,"getservbyname");
        p[161] = GetProcAddress(hL,"getservbyport");
        p[162] = GetProcAddress(hL,"getsockname");
        p[163] = GetProcAddress(hL,"getsockopt");
        p[164] = GetProcAddress(hL,"htonl");
        p[165] = GetProcAddress(hL,"htons");
        p[166] = GetProcAddress(hL,"inet_addr");
        p[167] = GetProcAddress(hL,"inet_ntoa");
        p[168] = GetProcAddress(hL,"inet_ntop");
        p[169] = GetProcAddress(hL,"inet_pton");
        p[170] = GetProcAddress(hL,"ioctlsocket");
        p[171] = GetProcAddress(hL,"listen");
        p[172] = GetProcAddress(hL,"ntohl");
        p[173] = GetProcAddress(hL,"ntohs");
        p[174] = GetProcAddress(hL,"recv");
        p[175] = GetProcAddress(hL,"recvfrom");
        p[176] = GetProcAddress(hL,"select");
        p[177] = GetProcAddress(hL,"send");
        p[178] = GetProcAddress(hL,"sendto");
        p[179] = GetProcAddress(hL,"setsockopt");
        p[180] = GetProcAddress(hL,"shutdown");
        p[181] = GetProcAddress(hL,"socket");
    }

    if (reason == DLL_PROCESS_DETACH) {
        // Drop the reference taken by LoadLibrary above (hL may be 0 if attach failed).
        FreeLibrary(hL);
    }
    return 1;
}

/*
 * Forwarding thunks, one per export.  Each is a naked function that jumps
 * through the corresponding p[] slot; the .def file mentioned in the
 * question presumably renames __E__N__ to the real export name.
 *
 * NOTE(review): `p[N*4]` in MASM syntax is a *byte* displacement into p,
 * i.e. element N only when a FARPROC is 4 bytes.  Together with the use of
 * `__asm` blocks (which the 64-bit MSVC compiler does not support) this ties
 * the listing to a 32-bit build -- consistent with the answer below that it
 * only started working after switching to 32-bit.  The generated names also
 * begin with a double underscore, which C++ reserves for the implementation.
 */

// FreeAddrInfoEx
extern "C" __declspec(naked) void __stdcall __E__0__() { __asm { jmp p[0*4]; } }
// FreeAddrInfoExW
extern "C" __declspec(naked) void __stdcall __E__1__() { __asm { jmp p[1*4]; } }
// FreeAddrInfoW
extern "C" __declspec(naked) void __stdcall __E__2__() { __asm { jmp p[2*4]; } }
// GetAddrInfoExA
extern "C" __declspec(naked) void __stdcall __E__3__() { __asm { jmp p[3*4]; } }
// GetAddrInfoExW
extern "C" __declspec(naked) void __stdcall __E__4__() { __asm { jmp p[4*4]; } }
...

我编译了它(连同.def文件),得到了一个新的proxy.dll文件。 🙂

到目前为止一切顺利。 现在,在我的VBox win7 x64上,我将原始的ws2_32.dll重命名为ws2_32_.dll,将我的proxy.dll放到C:\\Windows\\System32\\,并将其重命名为ws2_32.dll。 由于权限问题,这些操作我都是用linux live-cd完成的。

如你所见,代理会加载ws2_32_.dll,所以应该没问题。 但是,系统重新启动后,每个使用ws2_32.dll的程序都会报错,而且C:\\load.txt文件从未被创建。

我不明白这篇文章的作者是怎么做成功的。 我在谷歌上读到,需要把proxy.dll放到(并重命名)与你想让代理DLL生效的程序相同的目录中,但我要找的是一个全局的解决方案。

也许这是校验和的问题? 我读到过微软在系统PE文件上使用某种秘密校验和。

谢谢,gfgqtmakia。

改为32位后,现在它可以工作了。 (在x64系统上,System32中的ws2_32.dll是64位的,64位进程无法加载32位DLL,这也解释了为什么每个程序都会报错;而上面代码中的`__asm`块和`p[N*4]`偏移本身就只适用于32位编译。)

也:

  • 检查你的代理的依赖项,它可能需要额外的.dll才能运行。 (Dependency Walker)
  • 使用本指南来替换系统.dll。 这比重启到Linux更快。