DLL injection(转载)

From Wikipedia, the free encyclopedia

search
DLL injection(转载)
 This article may not meet the general notability guideline. Please help to establish notability by adding reliable, secondary sources about the topic. If notability cannot be established, the article is likely to be merged, redirected, or deleted. (March 2009)

In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[6]

[edit] Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[13]
    1. Get a handle to the target process. This can be done by spawning the process[18]
    2. Allocate some memory in the target process,[21]
    3. Create a new thread in the target process[6]
    4. The operating system will now call DllMain in the injected DLL.[24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[29]

[edit] Approaches on Unix-like systems

On Unix-like operating systems with the dynamic linker based on ld.so (on BSD) and ld-linux.so (on Linux), arbitrary libraries can be linked to a new process by giving the library's pathname in the LD PRELOAD environment variable, that can be set globally or individually for a single process.[30]

For example, in bash, this command launches the command "prog-help" with the shared library from file "test.so" linked into it at the launchtime:

LD_PRELOAD="./test.so" prog—help

Such a library can be created with GCC by compiling the source file containing the new globals to be linked, with the -fpic or -fPIC option,[32] The library has access to external symbols declared in the program like any other library.

[edit] References

  1.  
  2.  
  3. ^ Rocky Pulley (2005-05-19). "Extending Task Manager with DLL Injection". CodeProject. CodeProject. http://secure.codeproject.com/KB/threads/taskex.aspx. Retrieved 2008-09-01. 
  4.  
  5.  
  6.  
  7. ^ "Working with the AppInit_DLLs registry value". Microsoft Help and Support. Microsoft. 2006-11-21. http://support.microsoft.com/kb/197571. Retrieved 2008-08-31. 
  8. ^ Raymond Chen (2007-12-13). "AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs". The Old New Thing. Microsoft. http://blogs.msdn.com/oldnewthing/archive/2007/12/13/6648400.aspx. Retrieved 2008-08-31. 
  9. ^ "dllmain.c". ReactOS. ReactOS Foundation. 2008-07-08. http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/user32/misc/dllmain.c?view=markup. Retrieved 2008-08-31. 
  10.  
  11. ^ "Dll Injection". DreamInCode.net. MediaGroup1. 2006-05-04. http://www.dreamincode.net/code/snippet407.htm. Retrieved 2008-08-31. 
  12. ^ Greg Jenkins (November 2007). "DLL Injection Framework". Ring3 Circus. WordPress. http://www.ring3circus.com/downloads/dll-injection-framework/. Retrieved 2008-08-31. 
  13. ^ Drew Benton (2007-08-17). "A More Complete DLL Injection Solution Using CreateRemoteThread". CodeProject. CodeProject. http://69.10.233.10/KB/threads/completeinject.aspx. Retrieved 2008-09-01. 
  14. ^ CreateProcess ms-help://MS.PSDKXPSP2.1033/dllproc/base/createprocess.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  15. ^ PROCESS_INFORMATION ms-help://MS.PSDKXPSP2.1033/dllproc/base/process_information_str.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  16. ^ GetWindowThreadProcessId Function ms-help://MS.PSDKXPSP2.1033/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfunctions/getwindowthreadprocessid.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  17. ^ EnumProcesses ms-help://MS.PSDKXPSP2.1033/perfmon/base/enumprocesses.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  18. ^ GetModuleBaseName ms-help://MS.PSDKXPSP2.1033/perfmon/base/getmodulebasename.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  19. ^ VirtualAllocEx ms-help://MS.PSDKXPSP2.1033/memory/base/virtualallocex.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  20. ^ WriteProcessMemory ms-help://MS.PSDKXPSP2.1033/debug/base/writeprocessmemory.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  21. ^ "Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability". Matousec. 2006-12-01. http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php. Retrieved 2008-08-31. 
  22. ^ CreateRemoteThread ms-help://MS.PSDKXPSP2.1033/dllproc/base/createremotethread.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  23. ^ LoadLibrary ms-help://MS.PSDKXPSP2.1033/dllproc/base/loadlibrary.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  24. DllMain ms-help://MS.PSDKXPSP2.1033/dllproc/base/dllmain.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  25. ^ SetWindowsHookEx Function ms-help://MS.PSDKXPSP2.1033/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.htm Platform SDK for Windows XP SP2. Microsoft. Retrieved on 2008-08-31.
  26. ^ "AppInit_DLLs Registry Value and Windows 95". Microsoft Help and Support. Microsoft. 2005-03-01. http://support.microsoft.com/kb/134655. Retrieved 2008-08-31. 
  27. ^ "Dll Injection using SetWindowsHookEx() Method". Game Reversal. 2008-04-03. http://www.gamereversal.com/index.php?option=com_content&view=article&id=56%3Adll-injection-using-setwindowshookex-method&catid=39%3Ac--c-core-concepts&Itemid=1. Retrieved 2008-09-01. 
  28. ^ "SetThreadContext DLL Injection". 2007-01-16. http://nerd.egloos.com/2940083. Retrieved 2008-09-01. 
  29. ^ Ben Botto (2008-09-06). "DLL Injector". http://busybin.com/busybin/C++/dll_injector/. Retrieved 2008-09-01. 
  30. ^ Linus Torvalds; David Engel, Eric Youngdale, Peter MacDonald, Hongjiu Lu, Lars Wirzenius and Mitch D'Souza (1998-03-14). ld.so/ld-linux.so – dynamic linker/loader man ld.so UNIX man pages. Retrieved on 2008-08-31.
  31. ^ "Code Gen Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Code-Gen-Options.html#Code-Gen-Options. Retrieved 2008-08-31. "-fpic Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. sqq." 
  32. ^ "Link Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Link-Options.html#Link-Options. Retrieved 2008-08-31. "-shared Produce a shared object which can then be linked with other objects to form an executable. sqq."

转载:http://en.wikipedia.org/wiki/DLL_injection

相关文章:

猜你喜欢
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode