如何将对 ole32.dll 的调用重定向到我自己的代理 DLL?
我正在尝试检测对 CoCreateInstance< 的所有调用/a> 在我正在启动的某个进程中(理想情况下,我也能够检测到子进程中的调用)。
为了实现这一目标,我使用 Windows 7 上的 Microsoft Visual Studio 2008 创建了一个代理 DLL,它转发标准 ole32.dll 库中除一个调用之外的所有调用,如各种文章中所述,例如 拦截:通过 DLL 重定向进行 Windows 黑客攻击。生成的 DLL 看起来不错,但我无法制作现有程序(我正在使用标准 ActiveX 控件测试容器 (tstcon32.exe) 作为测试应用程序)选择我的代理 DLL。无论我做什么,程序似乎总是根据 进程资源管理器。到目前为止,我尝试了一些方法:
- 将包含代理 DLL 的目录添加到
PATH中,然后调用该程序;似乎没有任何效果。 - 将我的代理 DLL 复制到与调用的程序相同的目录中;没有运气。
- 在与调用的程序相同的目录中创建一个
.local文件,如 动态链接库重定向文章并将我的代理 DLL 放入同一目录 - 也不起作用。但后来,我了解到这在更新的 Windows 版本上不再起作用。此外,根据HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs注册表设置,ole32.dll是“已知 DLL”,因此.local<无论如何,基于 /code> 的重定向可能不会起作用。 - 使用基于清单的重定向,如DLL重定向使用清单问题中所述,但这并没有'似乎也没有任何影响。然而,这种方法似乎并不简单,所以我很可能做错了什么。
是否有人有使用存根 DLL 将调用重定向到标准 DLL(例如 ole32.dll)的经验?您如何强制应用程序获取您的存根 DLL?
I'm trying to detect all calls to CoCreateInstance in some process I'm starting (ideally, I'm able to detect calls in child processes as well).
To achieve this, using Microsoft Visual Studio 2008 on Windows 7, I create a proxy DLL which forwards all but one call in the standard ole32.dll library as described in various articles, e.g.
Intercepted: Windows Hacking via DLL Redirection. The resulting DLL looks fine, but I just can't make existing programs (I'm using the standard ActiveX Control Test Container (tstcon32.exe) as a test application) pick up my proxy DLL. No matter what I do, the programs always seem to pick up C:\Windows\SysWow64\ole32.dll according to Process Explorer. I tried a few things so far:
- Prepend the directory which contains my proxy DLL to the
PATHand then invoke the program; didn't seem to have any effect. - Copy my proxy DLL into the same directory as the invoked program; no luck.
- Create a
.localfile in the same directory as the invoked program as described in the Dynamic-Link Library Redirection article and put my proxy DLL into the same directory - didn't work either. But then, I read that this stopped working on more recent Windows versions. Additionally,ole32.dllis a "known DLL" according to theHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLsregistry setting, so.local-based redirection is probably not going to work anyway. - Use manifest-based redirection as described e.g. in the DLL redirection using manifests question, but that didn't seem to have any effect either. However, this approach seems to be non-trivial, so chances are I did something wrong.
Does anybody have experience with redirecting calls to standard DLLs such as ole32.dll using a stub DLL? How did you force the applications to pick up your stub DLL?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我意识到这有点晚了大约 6 个月,但我正在尝试同样的事情并有一些附加说明:
HKEY_LOCAL_MACHINE\SYSTEM\ 获取并删除。这使您可以绕过 Windows 已锁定这些键的事实。ole32.dll的所有权CurrentControlSet\Control\Session Manager\KnownDLLsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager中创建值为0的键SafeDllSearch的方法是 假设更改搜索路径。应用了这些技术并重新启动后,挂钩仍然不起作用。我更进一步,用我们的一张救援 CD(基于 Windows PE 的环境)启动了一台虚拟机,并覆盖了
system32中的那个。结果 Windows 无法启动 - 没有符号错误,但我从来没有达到LogonUI.exe的程度。我的钩子函数可能被破坏了,所以这可能就是原因。不管怎样,这产生了一种实际的、有形的钩子效应——尽管是一种尖叫“破碎”的效应!不幸的是,它似乎很难调试,我可能会求助于其他挂钩方法 - 即 IAT 修补。
编辑我执行的另一个实验是自己将 Dll 显式加载到目标进程的地址空间中。执行此操作的代码片段如下所示:
为简洁起见,删除了错误处理。
基本上,目标是在目标有机会从 system32 加载 ole32.dll 之前将我的 ole32.dll 强制加载到目标的地址空间中。就我而言,
ole32.dll稍后会在应用程序的加载例程中加载,因此理论上这应该有效。但实际情况并非如此。我不知道为什么。更新 我的原始代码失败,因为 DLL 在运行时有未解析的符号警告。
这项技术确实有效显然,它加载了我的 ole32.dll 和 system32 中的 ole32.dll。为了确保库加载成功,我在上面的代码中添加了一个LoadLibrary(DllPath)调用。I realise this is a little late by about 6 months, but I was trying the same thing and have some additional notes:
ole32.dllfromHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. This allows you to get around the fact Windows has locked these keys.SafeDllSearchwith the value0inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manageris supposed to alter the search path.Having applied both these techniques and rebooting, hooking still did not work. I went one further, booted up a VM with one of our rescue CDs (a Windows PE based environment) and overwrote the one in
system32. Windows does not boot as a result - no symbol errors, but I never get as far asLogonUI.exe. It is possible my hooked functions are broken, so this may be the cause.Anyway, that produced an actual, tangible hook effect - albeit one that screams "broken"!. Unfortunately it appears highly difficult to debug, and I may be resorting to the other method of hooking - namely IAT patching.
Edit another experiment I performed was to explicitly load the Dll myself into the target process' address space. A snippet of code that does this looks like this:
Error handling removed for brevity.
Basically, the objective was to force load my
ole32.dllinto the target's address space before it had chance to loadole32.dllfrom system32. In my case,ole32.dllwas being loaded later on in the application's load routine, so this in theory should have worked. In practice, it did not. I am not sure why.Update My original code failed because the DLL had unresolved symbol warnings at runtime.
This technique does workSo apparently, it loads both myole32.dllAND the one from system32. To ensure the library was loading successfully, I added aLoadLibrary(DllPath)call to the code above.也许 winapioverride 可以帮助你。它可以记录所有 win api 调用,无需进行任何编程。因此,它会将 dll 注入到执行日志记录的进程中。如果我没记错的话,甚至在进程实际执行任何代码之前,也可以注入自己的自定义 dll。该文档包含一些有关监视 com 对象的信息。
Perhaps winapioverride can help you. It can log all win api calls without programming anything. It therefore injects dlls to the process that do the logging. If I recall it correctly it is also possible to inject own custom dlls - even before the process actually executes any code. The documentation has some information about spying com objects.