timwhitez starred DllLoadPath
2023-4-10 10:55:5 Author: github.com(查看原文) 阅读量:36 收藏

Showcasing two different techniques for changing DLL load order by using undocumented APIs. These are not novel techniques but I never saw them documented anywhere.

The proper signatures for RtlCreateProcessParameter and RtlCreateProcessParameters are:

RtlCreateUserProcess(
 IN PUNICODE_STRING      ImagePath,
 IN ULONG                ObjectAttributes,
 IN OUT PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
 IN PSECURITY_DESCRIPTOR ProcessSecurityDescriptor OPTIONAL,
 IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
 IN HANDLE               ParentProcess,
 IN BOOLEAN              InheritHandles,
 IN HANDLE               DebugPort OPTIONAL,
 IN HANDLE               ExceptionPort OPTIONAL,
 OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation );
 
RtlCreateProcessParameters(
   _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
   _In_ PUNICODE_STRING ImagePathName,
   _In_opt_ PUNICODE_STRING DllPath,
   _In_opt_ PUNICODE_STRING CurrentDirectory,
   _In_opt_ PUNICODE_STRING CommandLine,
   _In_opt_ PVOID Environment,
   _In_opt_ PUNICODE_STRING WindowTitle,
   _In_opt_ PUNICODE_STRING DesktopInfo,
   _In_opt_ PUNICODE_STRING ShellInfo,
   _In_opt_ PUNICODE_STRING RuntimeData
   );

By changing some values in RtlCreateProcessParameters we can achieve interesting behavior.

Writing this one up for people was inspired by this tweet, thank you for reminding me of it :)

image

  const wchar_t Path[] = LR"(C:/Windows/System32/WerFault.exe)";
  const wchar_t CmdLine[] = LR"(C:/ProgramData/WerFault.exe)";
  const wchar_t DllLocation[] = LR"()";
  ...
  status = RtlCreateProcessParameters(&UserProcessParam, &CommandLine, &CommandLine, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);

This one will will cause the application to still look into it's own directory before the one you choose, but it may come useful in some cases.

image

  const wchar_t Path[] = LR"(C:/Tools/TestApplication.exe)";
  const wchar_t CmdLine[] = LR"()";
  const wchar_t DllLocation[] = LR"(C:/ProgramData/)";
  ...
  status = RtlCreateProcessParameters(&UserProcessParam, &ImagePathName, &DllPath, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);

Many thanks to this post for helping me work out some parts.


文章来源: https://github.com/SecurityAndStuff/DllLoadPath
如有侵权请联系:admin#unsafe.sh