Novel idea, but the concealment is poor #5
Comments
Repeatedly loading it actually makes it easier to detect.

ZwQuerySystemInformation can find it.

The best approach is to hide yourself rather than skipping the load of the original DLL. After all, your own DLL does not have a valid signature, and its file path is wrong too. In a typical inspection, the signature and the path are certainly the first things checked.

Or take a different approach: once the DLL is in, use your own LoadLibrary implementation to load the real Inject code, then FreeLibrary yourself, so that nothing can be found at all.

Compile the real inject code into a binary and store it under some driver key in the registry, loading it from the registry when needed. First load a system DLL that the process will never use, then overwrite it directly with the Inject code from the registry, then hook a commonly used API so that it jumps to the Inject code for execution.

Yes, only shellcode.

The hijacked program can easily discover the hijacking by comparing modules from within its own module.

The original method was to load the original DLL only when a function is called and release it once the call completes, so that there is only one copy of the DLL inside the hijacked program.