DLL Ejection


DLL Ejection <--> DLL Injection: opposite concepts

DLL Injection is an attack technique that inserts a DLL into a running process.

DLL Ejection is an attack technique that removes a DLL from a running process.

However, DLL Ejection can only remove a DLL that we forcibly injected ourselves.

The basic principle is the same as for Injection.

Use the CreateRemoteThread() function.

Use the LoadLibrary() function from the kernel32.dll library > Injection

Use the FreeLibrary() function from the kernel32.dll library > Ejection

 

 

LOCAL: the process I belong to

REMOTE: a process I do not belong to

CreateRemoteThread()

Creates a thread in a process I do not belong to.

 

EjectionDLL process

Running Ejection against a different file

The code was written with myhack.dll as its target, so it reports fail.

Setting dllEjection in the registry

Run dialog - regedit
HKEY_LOCAL_MACHINE - SOFTWARE - Microsoft - Windows NT - CurrentVersion - Windows
Right-click - New - DWORD Value - create LoadAppInit_DLLs
Double-click AppInit_DLLs and enter C:\novirus\HookMain\KeyHook.dll
Double-click LoadAppInit_DLLs, enter 1 in Value data, then click OK

A reboot is mandatory.

Use Process Explorer - Find - Find Handle or DLL - check for KeyHook.dll
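
A read-only audit of the AppInit_DLLs values set in the registry steps above, followed by the same loaded-module lookup that Process Explorer performs. This is an added example, not part of the original post; the default module name KeyHook.dll comes from this page, and the function names are illustrative.

```powershell
# Added example (not from the original post): read-only audit of AppInit_DLLs.
# Assumption: -ModuleName defaults to KeyHook.dll, the DLL registered on this page.
param([string]$ModuleName = 'KeyHook.dll')

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view
)

function Get-AppInitConfig {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # AppInit_DLLs holds DLL paths separated by spaces or commas.
        $dlls = @("$($p.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        [pscustomobject]@{
            Key           = $key
            LoadEnabled   = ($p.LoadAppInit_DLLs -eq 1)
            # When 1, only code-signed DLLs are loaded through this mechanism.
            RequireSigned = ($p.RequireSignedAppInit_DLLs -eq 1)
            Dlls          = $dlls
        }
    }
}

function Test-AppInitDll([string]$Path) {
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $Path).Status } else { 'n/a' }
    [pscustomobject]@{ Path = $Path; Exists = $exists; Signature = $sig }
}

function Find-LoadedModule([string]$Name) {
    # Answers the same question as Process Explorer's "Find Handle or DLL".
    foreach ($proc in Get-Process) {
        try { $mods = @($proc.Modules) } catch { continue }  # access denied on protected processes
        $mods | Where-Object { $_.ModuleName -ieq $Name } | ForEach-Object {
            [pscustomobject]@{ ProcessId = $proc.Id; Process = $proc.ProcessName; Module = $_.FileName }
        }
    }
}

foreach ($cfg in Get-AppInitConfig) {
    '{0}: LoadAppInit_DLLs={1}, RequireSigned={2}' -f $cfg.Key, $cfg.LoadEnabled, $cfg.RequireSigned
    $cfg.Dlls | ForEach-Object { Test-AppInitDll $_ } | Format-Table -AutoSize | Out-String
    if ($cfg.LoadEnabled -and $cfg.Dlls.Count -gt 0) {
        Write-Warning "AppInit_DLLs is active under $($cfg.Key)"
    }
}
Find-LoadedModule $ModuleName | Format-Table -AutoSize | Out-String
```

Run it from an elevated 64-bit PowerShell session so that modules in other users' processes can be enumerated.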
