CN111475229B - Dll injection method and system under Windows platform - Google Patents


Info

Publication number: CN111475229B
Authority: CN (China)
Prior art keywords: injection, dll, program, target, target process
Legal status: Active
Application number: CN202010273193.3A
Other languages: Chinese (zh)
Other versions: CN111475229A (en)
Inventor: 张振林
Current assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Original assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Priority date / filing date: 2020-04-09
Publication of CN111475229A: 2020-07-31
Publication of CN111475229B (grant): 2021-01-15

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/445: Program loading or initiating
    • G06F9/44521: Dynamic linking or loading; link editing at or after load time, e.g. Java class loading

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to a DLL injection method and a DLL injection system under a Windows platform, comprising the following steps: S01, preparing an injection program; S02, elevating the operator's own privileges; S03, sending a breakpoint event to a target process; S04, the target process responding to the breakpoint event; S05, the target process running to the breakpoint, where the program is suspended, the return address on the stack is saved, and it is replaced with the address of the injection program; S06, patching the injection program's code so that it returns to the original return address after executing; S07, the target process continuing to run and returning into the injection program, which runs and completes the DLL injection; S08, the target process jumping to the saved return address and continuing to run. By sending a breakpoint event to the target program, modifying the breakpoint's return address and jumping to the shellcode to complete DLL injection, the invention solves the problem that the prior art cannot inject a DLL into an already-running process; the success rate is high and the limiting conditions are few.

Description

Dll injection method and system under Windows platform
Technical Field
The invention relates to the technical field of data security, in particular to a DLL injection method and a DLL injection system under a Windows platform.
Background
DLL is the abbreviation of Dynamic Link Library. In Windows, many applications are not a single complete executable file but are split into relatively independent dynamic link libraries, i.e. DLL files, which are placed in the system. When a program runs, the corresponding DLL files are called, and one application may have many DLL files. Each process running in the Windows operating system lives in its own program space; in principle, processes do not interfere with each other, that is, each process has an independent address space. DLL injection means placing a DLL into the address space of a given process so that it becomes part of that process, with the target process loading the DLL file itself. Once the DLL file is loaded, the desired functions in the DLL can run, for example obtaining a function address or monitoring a process.
Process injection is generally implemented by modifying code and data in the process, writing code and data into the process, or modifying DLL file names. Such approaches apply while the process has not yet started or is starting; some of them can no longer be used across multiple Windows versions, and under particular environmental constraints, for example when the process context cannot be modified and the process has already fully started, these approaches cannot achieve DLL injection when it is needed.
Chinese patent document CN105045605B discloses a method and system for injecting a DLL into a target process, in which a DLL injection module that monitors program startup is installed and registered in the operating system; when a target process asks the operating system to start, the operating system notifies the DLL injection module of the request, and the user inserts the target DLL to be injected into the target program's DLLs as required. The method has the advantages of comprehensive control, good concealment and high flexibility, and can be applied to data-leakage prevention and strengthening of data protection; all non-system-critical processes can be injected, and injecting the system explorer can be applied to secure-desktop technology; it supports common operating systems including Windows XP, Windows Server 2003 and Windows 7. DLL injection in that patent modifies process memory to achieve injection, which suits injection as a process starts and cannot inject into a process that has already started.
Chinese patent document CN107479874A discloses a DLL injection method and system based on the Windows platform, comprising the following steps: starting a process and judging whether the current process needs the security detection DLL injected, and if so, acquiring the module name of the security detection DLL; judging whether the module name is 'ntdll.dll', and if so, inserting the injection information of the current process into a work queue; the security detection DLL performing security detection on the current process; if detected as unsafe the process ends, and if safe the current process is allowed to start. With this scheme more processes can be injected, antivirus software does not produce false positives, and stability and efficiency are higher; the DLL injection is achieved by modifying a key function, and the method suits DLL injection during startup, before the target process has finished starting.
Disclosure of Invention
In view of the problems in the prior art, the invention discloses a DLL injection method and a DLL injection system under a Windows platform.
The specific technical scheme disclosed by the invention is as follows. A DLL injection method under a Windows platform comprises the following steps:
S01, preparing an injection program;
S02, elevating the operator's own privileges to obtain SeDebugPrivilege;
S03, sending a breakpoint event to a target process;
S04, the target process responding to the breakpoint event;
S05, the target process running to the breakpoint, where the program is suspended, the return address on the stack is saved, and it is replaced with the address of the injection program;
S06, patching the injection program's code so that it returns to the original return address after executing;
S07, the target process continuing to run and returning into the injection program, which runs and completes the DLL injection;
S08, the target process jumping to the saved return address and continuing to run.
Further, the operating steps of the program part in step S07 are:
S071, saving the register environment;
S072, initializing a thread context structure;
S073, loading the target DLL program;
S074, restoring the register environment;
S075, returning to the original address to run.
Further, the privilege elevation method in step S02 comprises:
S021, obtaining the token of the process whose privileges are to be elevated using OpenProcessToken;
S022, using the LookupPrivilegeValue function to find the LUID of the privilege on the current system from the privilege's name string;
S023, using the AdjustTokenPrivileges function to add or remove privileges on the token of the specified process.
Further, the breakpoint events include a debug event, a button event, a suspended process, a wait event and a delay event.
Further, the thread that responds to the breakpoint event in step S04 is a debugging thread.
Further, the injection program works by modifying and writing code so that the target process itself loads the DLL.
Further, the method of loading the DLL program in step S073 is implemented with a shellcode tool.
Further, the DLL injection method is suitable for Windows 7, Windows 8 and Windows 10 platform environments.
Further, the DLL injection method is applicable when the target thread is running, has not started, or is starting.
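The following detection example is added here and is not part of the patent. It correlates the two host-side side effects that steps S02 and S03 to S07 leave behind: a Windows Security event 4703 recording that a process enabled SeDebugPrivilege, followed shortly by a Sysmon event 10 (ProcessAccess) in which the same process obtains memory-write or suspend rights on another process. The event records are constructed for the example and flattened into Python dicts with an epoch `time` field; that flattening, the `Finding` type and the 60-second window are assumptions, not anything the patent specifies.

```python
import re
from dataclasses import dataclass

# Process access rights from winnt.h. Writing into another process's memory and
# suspending it are the rights the injection steps above need on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
WRITE_OR_SUSPEND = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Assumed tuning knob: seconds between the privilege grant and the handle open
# that still count as one chain of activity.
WINDOW_SECONDS = 60


@dataclass(frozen=True)
class Finding:          # hypothetical result type for this example
    source_image: str
    target_image: str
    granted_access: int
    seconds_after_grant: float


def _pid(value):
    """Security events log ProcessId as hex ("0x1a2c"); Sysmon logs decimal ("6700")."""
    return int(str(value), 0)


def debug_privilege_grants(events):
    """Map (pid, image) -> time of the first Security 4703 that enabled SeDebugPrivilege."""
    grants = {}
    for ev in events:
        if ev["event_id"] != 4703:
            continue
        # EnabledPrivilegeList is a free-text list; split on whitespace or commas.
        enabled = re.split(r"[\s,]+", ev.get("EnabledPrivilegeList", ""))
        if "SeDebugPrivilege" not in enabled:
            continue
        key = (_pid(ev["ProcessId"]), ev["ProcessName"].lower())
        grants.setdefault(key, ev["time"])
    return grants


def correlate(events, allowlist=frozenset()):
    """Flag Sysmon 10 events where the source process enabled SeDebugPrivilege within
    WINDOW_SECONDS before obtaining write/suspend rights on another process.
    allowlist holds lower-case image file names expected to do this (EDR, debuggers)."""
    grants = debug_privilege_grants(events)
    findings = []
    for ev in events:
        if ev["event_id"] != 10:
            continue
        image = ev["SourceImage"].lower()
        if image.rsplit("\\", 1)[-1] in allowlist:
            continue
        key = (_pid(ev["SourceProcessId"]), image)
        if key not in grants:
            continue
        delay = ev["time"] - grants[key]
        access = int(ev["GrantedAccess"], 16)
        if 0 <= delay <= WINDOW_SECONDS and access & WRITE_OR_SUSPEND:
            findings.append(Finding(ev["SourceImage"], ev["TargetImage"], access, delay))
    return findings


# Constructed sample telemetry (not real logs). 0x1a2c == 6700.
SAMPLE_EVENTS = [
    {"event_id": 4703, "time": 1586426400.0, "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Users\alice\Downloads\inject.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"event_id": 10, "time": 1586426402.5, "SourceProcessId": "6700",
     "SourceImage": r"C:\Users\alice\Downloads\inject.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: backup engine enabling a different privilege.
    {"event_id": 4703, "time": 1586426405.0, "ProcessId": "0x0f10",
     "ProcessName": r"C:\Windows\System32\wbengine.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege", "DisabledPrivilegeList": "-"},
    # Same injector, but only PROCESS_QUERY_LIMITED_INFORMATION: not flagged.
    {"event_id": 10, "time": 1586426403.0, "SourceProcessId": "6700",
     "SourceImage": r"C:\Users\alice\Downloads\inject.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```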
Based on the method, the invention also provides a DLL injection system under the Windows platform, comprising:
an injection tool unit, for sending breakpoint events to the target process and providing the DLL program to be injected;
a target process unit, which receives the breakpoint event and provides the target process to be injected;
an injection program part, for loading the DLL program at the breakpoint in the target process to complete the injection;
a correction unit, for patching the injection program so that it returns to the target process's original execution after it has run;
and a recovery unit, for restoring the target process's original execution after the DLL program has run.
Compared with the prior art, the invention has the following advantages:
1) The invention uses the injection program to send a breakpoint event so that the process reaches the breakpoint, then modifies the breakpoint's return address to jump to the shellcode and complete DLL injection, achieving DLL injection into a running program.
2) The DLL injection approach in the invention has few limiting conditions, a high success rate and high stability.
3) The DLL injection method is suitable for many Windows versions and is general.
Drawings
FIG. 1 is a flow chart of the DLL injection method under a Windows platform in an embodiment of the present invention;
FIG. 2 is a structural diagram of the DLL injection system under a Windows platform in an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention are described below with reference to the accompanying drawings; it should be understood that the embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it.
Example:
As shown in FIG. 1, the present invention provides a DLL injection method under a Windows platform, comprising the following steps:
S01, preparing an injection program;
S02, elevating the operator's own privileges to obtain SeDebugPrivilege;
S03, sending a breakpoint event to a target process;
S04, the target process responding to the breakpoint event;
S05, the target process running to the breakpoint, where the program is suspended, the return address on the stack is saved, and it is replaced with the address of the injection program;
S06, patching the injection program's code so that it returns to the original return address after executing;
S07, the target process continuing to run and returning into the injection program, which runs and completes the DLL injection;
S08, the target process jumping to the saved return address and continuing to run.
Further, the operating steps of the program part in step S07 are:
S071, saving the register environment;
S072, initializing a thread context structure;
S073, loading the target DLL program;
S074, restoring the register environment;
S075, returning to the original address to run.
Further, the privilege elevation method in step S02 comprises:
S021, obtaining the token of the process whose privileges are to be elevated using OpenProcessToken;
S022, using the LookupPrivilegeValue function to find the LUID of the privilege on the current system from the privilege's name string;
S023, using the AdjustTokenPrivileges function to add or remove privileges on the token of the specified process.
Further, the breakpoint events include a debug event, a button event, a suspended process, a wait event and a delay event.
Further, the thread that responds to the breakpoint event in step S04 is a debugging thread.
Further, the injection program works by modifying and writing code so that the target process itself loads the DLL.
Further, the method of loading the DLL program in step S073 is implemented with a shellcode tool.
Further, the DLL injection method is suitable for Windows 7, Windows 8 and Windows 10 platform environments.
Further, the DLL injection method is applicable when the target thread is running, has not started, or is starting.
As shown in FIG. 2, based on the above method, the present invention further provides a DLL injection system under a Windows platform, comprising:
an injection tool unit, for sending breakpoint events to the target process and providing the DLL program to be injected;
a target process unit, which receives the breakpoint event and provides the target process to be injected;
an injection program part, for loading the DLL program at the breakpoint in the target process to complete the injection;
a correction unit, for patching the injection program so that it returns to the target process's original execution after it has run;
and a recovery unit, for restoring the target process's original execution after the DLL program has run.
The above description is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within its protection scope.

Claims (8)

1. A DLL injection method under a Windows platform, characterized by comprising the following steps:
S01, preparing an injection program;
S02, elevating the operator's own privileges to obtain SeDebugPrivilege;
S03, sending a breakpoint event to a target process;
S04, the target process responding to the breakpoint event;
S05, the target process running to the breakpoint, where the program is suspended, the return address on the stack is saved, and it is replaced with the address of the injection program;
S06, patching the injection program's code so that it returns to the original return address after executing;
S07, the target process continuing to run and returning into the injection program, which runs and completes the DLL injection;
S08, the target process jumping to the saved return address and continuing to run,
wherein the operating steps of the program part in step S07 are:
S071, saving the register environment;
S072, initializing a thread context structure;
S073, loading the target DLL program;
S074, restoring the register environment;
S075, returning to the original address to run,
and the injection program works by modifying and writing code so that the target process itself loads the DLL.
2. The DLL injection method under the Windows platform as claimed in claim 1, wherein the privilege elevation method in step S02 comprises:
S021, obtaining the token of the process whose privileges are to be elevated using OpenProcessToken;
S022, using the LookupPrivilegeValue function to find the LUID of the privilege on the current system from the privilege's name string;
S023, using the AdjustTokenPrivileges function to add or remove privileges on the token of the specified process.
3. The DLL injection method under the Windows platform as claimed in claim 2, wherein the breakpoint events include debug events, button events, suspended processes, wait events and delay events.
4. The DLL injection method under the Windows platform as claimed in claim 3, wherein the thread that responds to the breakpoint event in step S04 is a debugging thread.
5. The DLL injection method under the Windows platform as claimed in claim 4, wherein the method of loading the DLL program in step S073 is implemented with a shellcode tool.
6. The DLL injection method under the Windows platform as claimed in claim 5, wherein the DLL injection method is suitable for Windows 7, Windows 8 and Windows 10 platform environments.
7. The DLL injection method under the Windows platform as claimed in claim 6, wherein the DLL injection method is applicable when the target thread is running, has not started, or is starting.
8. A DLL injection system under a Windows platform, comprising:
an injection tool unit, for sending breakpoint events to the target process and providing the DLL program to be injected;
a target process unit, which receives the breakpoint event and provides the target process to be injected;
an injection program part, for loading the DLL program at the breakpoint in the target process to complete the injection;
a correction unit, for patching the injection program so that it returns to the target process's original execution after it has run;
and a recovery unit, for restoring the target process's original execution after the DLL program has run.
Priority Applications (1)

Application number: CN202010273193.3A (CN111475229B, en)
Priority date: 2020-04-09
Filing date: 2020-04-09
Title: Dll injection method and system under Windows platform

Publications (2)

Publication number    Publication date
CN111475229A (en)     2020-07-31
CN111475229B (en)     2021-01-15

Family

ID=71751368

Country Status (1)

CN (1): CN111475229B (en)
Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
CN113434863B (en) *    2021-06-25    2023-11-24    上海观安信息技术股份有限公司    Method and device for realizing remote control of a host based on the PE file structure

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
WO2012148080A2 (en) *    2011-04-28    2012-11-01    주식회사 파수닷컴    Computing device having a DLL injection function, and DLL injection method
CN104137062A (en) *    2012-02-09    2014-11-05    微软公司    Dynamic injection of code into running process
US9602581B2 (en) *    2012-03-02    2017-03-21    Calgary Scientific Inc.    Remote control of an application using dynamic-linked library (DLL) injection
CN103116715A (en) *    2013-03-01    2013-05-22    中标软件有限公司    API (application programming interface) delay import protection method for executable files of the Windows platform
CN105045605B (en) *    2015-08-28    2019-05-24    成都卫士通信息产业股份有限公司    Method and system for injecting a DLL into a target process
CN107479874A (en) *    2017-07-11    2017-12-15    北京明朝万达科技股份有限公司    DLL injection method and system based on the Windows platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DLL injection on Windows systems; J坚持C; https://www.cnblogs.com/wf751620780/p/10730013.html; 2019-04-18; pages 1-17 *

Legal Events

Code    Title
PB01    Publication
SE01    Entry into force of request for substantive examination
GR01    Patent grant
PE01    Entry into force of the registration of the contract for pledge of patent right

Pledge registration details:
Denomination of invention: A Method and System for DLL Injection on Windows Platform
Effective date of registration: 2023-05-15
Granted publication date: 2021-01-15
Pledgee: Bank of China Limited by Share Ltd. Guangzhou Tianhe branch
Pledgor: GUANGZHOU JEESEEN NETWORK TECHNOLOGIES Co.,Ltd.
Registration number: Y2023980040584