手动加载DLL（PE文件）

以前学重载内核时学到了手动加载一个PE文件，想在Ring3层也实现一遍，不过在GitHub上看到有现成的源码了就不自己写了。本篇文章就分析一下这个mmLoader，看看怎么实现手动加载PE文件

阅读前需要了解PE文件结构，还不了解的自行恶补

这个库为了实现注入ShellCode，自己实现了memset等常用库函数，还自己定义了要用到的库函数表。实际使用时，如果不用注入ShellCode使用常规的库函数就好

虽然这个库是用来加载DLL的，修改一下也可以用来加载EXE

加载PE文件的主要步骤：

将PE头和各个节映射到内存

重定位

修复IAT

调用模块入口点

映射文件到内存

这一步就是把PE文件的内容读到内存相应的位置，要注意文件中各节的对齐和内存中的对齐是不一样的

/// <summary>
/// Maps all the sections.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <returns>True if successful.</returns>
BOOL MapMemModuleSections(PMEM_MODULE pMemModule, LPVOID lpPeModuleBuffer)
{
// Validate
if (NULL == pMemModule || NULL == pMemModule->pNtFuncptrsTable || NULL == lpPeModuleBuffer)
return FALSE;

// Function pointer
// VirtualAlloc的函数指针，ShellCode用的，实际使用时直接写VirtualAlloc即可，后面类似的不再赘述
Type_VirtualAlloc pfnVirtualAlloc = (Type_VirtualAlloc)(pMemModule->pNtFuncptrsTable->pfnVirtualAlloc);
Type_VirtualFree pfnVirtualFree = (Type_VirtualFree)(pMemModule->pNtFuncptrsTable->pfnVirtualFree);

// Convert to IMAGE_DOS_HEADER
// PE文件头部指针，即DOS头
PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)(lpPeModuleBuffer);

// Get the pointer to IMAGE_NT_HEADERS
// NT头，MakePointer是个宏，返回某指针+某偏移量后的新指针
PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(
PIMAGE_NT_HEADERS, pImageDosHeader, pImageDosHeader->e_lfanew);

// Get the section count
int nNumberOfSections = pImageNtHeader->FileHeader.NumberOfSections;

// Get the section header
// 节头
PIMAGE_SECTION_HEADER pImageSectionHeader = MakePointer(
PIMAGE_SECTION_HEADER, pImageNtHeader, sizeof(IMAGE_NT_HEADERS));

// Find the last section limit
// 计算整个模块尺寸
DWORD dwImageSizeLimit = 0;
for (int i = 0; i < nNumberOfSections; ++i)
{
if (0 != pImageSectionHeader[i].VirtualAddress)
{
if (dwImageSizeLimit < (pImageSectionHeader[i].VirtualAddress + pImageSectionHeader[i].SizeOfRawData))
dwImageSizeLimit = pImageSectionHeader[i].VirtualAddress + pImageSectionHeader[i].SizeOfRawData;
}
}

// Align the last image size limit to the page size
// 按页对齐
dwImageSizeLimit = (dwImageSizeLimit + pMemModule->dwPageSize - 1) & ~(pMemModule->dwPageSize - 1);

// Reserve virtual memory
// 优先使用ImageBase作为模块基址，分配一块内存
LPVOID lpBase = pfnVirtualAlloc(
(LPVOID)(pImageNtHeader->OptionalHeader.ImageBase),
dwImageSizeLimit,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);

// Failed to reserve space at ImageBase, then it's up to the system
// 这个基址不能使用，让系统随机选另一个基址（后面需要重定位）
if (NULL == lpBase)
{
// Reserver memory in arbitrary address
lpBase = pfnVirtualAlloc(
NULL,
dwImageSizeLimit,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);

// Failed again, return
if (NULL == lpBase)
{
pMemModule->dwErrorCode = MMEC_ALLOCATED_MEMORY_FAILED;
return FALSE;
}
}

// Commit memory for PE header
LPVOID pDest = pfnVirtualAlloc(lpBase, pImageNtHeader->OptionalHeader.SizeOfHeaders, MEM_COMMIT, PAGE_READWRITE);
if (!pDest)
{
pMemModule->dwErrorCode = MMEC_ALLOCATED_MEMORY_FAILED;
return FALSE;
}

// Copy the data of PE header to the memory allocated
// 复制PE头
mml_memmove(pDest, lpPeModuleBuffer, pImageNtHeader->OptionalHeader.SizeOfHeaders);

// Store the base address of this module.
pMemModule->lpBase = pDest;
pMemModule->dwSizeOfImage = pImageNtHeader->OptionalHeader.SizeOfImage;
pMemModule->bLoadOk = TRUE;

// Get the DOS header, NT header and Section header from the new PE header buffer
pImageDosHeader = (PIMAGE_DOS_HEADER)pDest;
pImageNtHeader = MakePointer(PIMAGE_NT_HEADERS, pImageDosHeader, pImageDosHeader->e_lfanew);
pImageSectionHeader = MakePointer(PIMAGE_SECTION_HEADER, pImageNtHeader, sizeof(IMAGE_NT_HEADERS));

// Map all section data into the memory
// 复制所有的节
LPVOID pSectionBase = NULL;
LPVOID pSectionDataSource = NULL;
for (int i = 0; i < nNumberOfSections; ++i)
{
if (0 != pImageSectionHeader[i].VirtualAddress)
{
// Get the section base
pSectionBase = MakePointer(LPVOID, lpBase, pImageSectionHeader[i].VirtualAddress);

if (0 == pImageSectionHeader[i].SizeOfRawData)
{
if (pImageNtHeader->OptionalHeader.SectionAlignment > 0)
{
// If the size is zero, but the section alignment is not zero then allocate memory with the aligment
pDest = pfnVirtualAlloc(pSectionBase, pImageNtHeader->OptionalHeader.SectionAlignment,
MEM_COMMIT, PAGE_READWRITE);
if (NULL == pDest)
{
pMemModule->dwErrorCode = MMEC_ALLOCATED_MEMORY_FAILED;
return FALSE;
}

// Always use position from file to support alignments smaller than page size.
mml_memset(pSectionBase, 0, pImageNtHeader->OptionalHeader.SectionAlignment);
}
}
else
{
// Commit this section to target address
pDest = pfnVirtualAlloc(pSectionBase, pImageSectionHeader[i].SizeOfRawData, MEM_COMMIT, PAGE_READWRITE);
if (NULL == pDest)
{
pMemModule->dwErrorCode = MMEC_ALLOCATED_MEMORY_FAILED;
return FALSE;
}

// Get the section data source and copy the data to the section buffer
pSectionDataSource = MakePointer(LPVOID, lpPeModuleBuffer, pImageSectionHeader[i].PointerToRawData);
mml_memmove(pDest, pSectionDataSource, pImageSectionHeader[i].SizeOfRawData);
}

// Get next section header
pImageSectionHeader[i].Misc.PhysicalAddress = (DWORD)(ULONGLONG)pDest;
}
}

return TRUE;
}

重定位

代码中那些绝对地址是以模块基址=ImageBase为前提硬编码的，如果模块加载的基址不是ImageBase指定的基址，则需要重定位

新地址=旧地址-ImageBase+实际模块基址

，只要算出

实际模块基址-ImageBase

，重定位时加上偏移量就行了

/// <summary>
/// Relocates the module.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <returns>True if successful.</returns>
BOOL RelocateModuleBase(PMEM_MODULE pMemModule)
{
// Validate the parameters
if (NULL == pMemModule  || NULL == pMemModule->pImageDosHeader)
return FALSE;

PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(
PIMAGE_NT_HEADERS,
pMemModule->pImageDosHeader,
pMemModule->pImageDosHeader->e_lfanew);

// Get the delta of the real image base with the predefined
// 计算偏移量
LONGLONG lBaseDelta = ((PUINT8)pMemModule->iBase - (PUINT8)pImageNtHeader->OptionalHeader.ImageBase);

// This module has been loaded to the ImageBase, no need to do relocation
if (0 == lBaseDelta) return TRUE;

if (0 == pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
|| 0 == pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
return TRUE;

// 重定位表
PIMAGE_BASE_RELOCATION pImageBaseRelocation = MakePointer(PIMAGE_BASE_RELOCATION, pMemModule->lpBase,
pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);

if (NULL == pImageBaseRelocation)
{
pMemModule->dwErrorCode = MMEC_INVALID_RELOCATION_BASE;
return FALSE;
}

while (0 != (pImageBaseRelocation->VirtualAddress + pImageBaseRelocation->SizeOfBlock))
{
PWORD pRelocationData = MakePointer(PWORD, pImageBaseRelocation, sizeof(IMAGE_BASE_RELOCATION));

int NumberOfRelocationData = (pImageBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

for (int i = 0; i < NumberOfRelocationData; i++)
{
if (IMAGE_REL_BASED_HIGHLOW == (pRelocationData[i] >> 12))
{
// 需要重定位的地址
PDWORD pAddress = (PDWORD)(pMemModule->iBase + pImageBaseRelocation->VirtualAddress + (pRelocationData[i] & 0x0FFF));
// 重定位
*pAddress += (DWORD)lBaseDelta;
}

#ifdef _WIN64
if (IMAGE_REL_BASED_DIR64 == (pRelocationData[i] >> 12))
{
PULONGLONG pAddress = (PULONGLONG)(pMemModule->iBase + pImageBaseRelocation->VirtualAddress + (pRelocationData[i] & 0x0FFF));
*pAddress += lBaseDelta;
}
#endif
}

pImageBaseRelocation = MakePointer(PIMAGE_BASE_RELOCATION, pImageBaseRelocation, pImageBaseRelocation->SizeOfBlock);
}

return TRUE;
}

修复IAT

这一步载入本模块依赖的模块，并将本模块的IAT定位到依赖模块的相应的函数上

/// <summary>
/// Resolves the import table.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <returns>True if successful.</returns>
BOOL ResolveImportTable(PMEM_MODULE pMemModule)
{
if (NULL == pMemModule  || NULL == pMemModule->pNtFuncptrsTable || NULL == pMemModule->pImageDosHeader)
return FALSE;

Type_GetModuleHandleA pfnGetModuleHandleA = (Type_GetModuleHandleA)(pMemModule->pNtFuncptrsTable->pfnGetModuleHandleA);
Type_LoadLibraryA pfnLoadLibraryA = (Type_LoadLibraryA)(pMemModule->pNtFuncptrsTable->pfnLoadLibraryA);
Type_GetProcAddress pfnGetProcAddress = (Type_GetProcAddress)(pMemModule->pNtFuncptrsTable->pfnGetProcAddress);

PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(PIMAGE_NT_HEADERS, pMemModule->pImageDosHeader, pMemModule->pImageDosHeader->e_lfanew);

if (pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0
|| pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size == 0)
return TRUE;

PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = MakePointer(PIMAGE_IMPORT_DESCRIPTOR, pMemModule->lpBase,
pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

// 遍历导入的模块
for (; pImageImportDescriptor->Name; pImageImportDescriptor++)
{
// Get the dependent module name
// 依赖的模块名
PCHAR pDllName = MakePointer(PCHAR, pMemModule->lpBase, pImageImportDescriptor->Name);

// Get the dependent module handle
// 取依赖的模块句柄，其实直接用LoadLibrary就行了，这里两个函数都用了而且释放模块时也没有FreeLibrary，会造成内存泄漏
HMODULE hMod = pfnGetModuleHandleA(pDllName);

// Load the dependent module
if (NULL == hMod) hMod = pfnLoadLibraryA(pDllName);

// Failed
if (NULL == hMod)
{
pMemModule->dwErrorCode = MMEC_IMPORT_MODULE_FAILED;
return FALSE;
}
// Original thunk
PIMAGE_THUNK_DATA pOriginalThunk = NULL;
if (pImageImportDescriptor->OriginalFirstThunk)
pOriginalThunk = MakePointer(PIMAGE_THUNK_DATA, pMemModule->lpBase, pImageImportDescriptor->OriginalFirstThunk);
else
pOriginalThunk = MakePointer(PIMAGE_THUNK_DATA, pMemModule->lpBase, pImageImportDescriptor->FirstThunk);

// IAT thunk
PIMAGE_THUNK_DATA pIATThunk = MakePointer(PIMAGE_THUNK_DATA, pMemModule->lpBase,
pImageImportDescriptor->FirstThunk);

// 遍历导入的函数
for (; pOriginalThunk->u1.AddressOfData; pOriginalThunk++, pIATThunk++)
{
// 取函数地址
FARPROC lpFunction = NULL;
if (IMAGE_SNAP_BY_ORDINAL(pOriginalThunk->u1.Ordinal))
{
lpFunction = pfnGetProcAddress(hMod, (LPCSTR)IMAGE_ORDINAL(pOriginalThunk->u1.Ordinal));
}
else
{
PIMAGE_IMPORT_BY_NAME pImageImportByName = MakePointer(
PIMAGE_IMPORT_BY_NAME, pMemModule->lpBase, pOriginalThunk->u1.AddressOfData);

lpFunction = pfnGetProcAddress(hMod, (LPCSTR)&(pImageImportByName->Name));
}

// Write into IAT
// 写到IAT
#ifdef _WIN64
pIATThunk->u1.Function = (ULONGLONG)lpFunction;
#else
pIATThunk->u1.Function = (DWORD)lpFunction;
#endif
}
}

return TRUE;
}

设置各节内存保护

没有这一步也无所谓，为了安全和严谨就加上这一步吧

/// <summary>
/// Sets the memory protected stats of all the sections.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <returns>True if successful.</returns>
BOOL SetMemProtectStatus(PMEM_MODULE pMemModule)
{
if (NULL == pMemModule || NULL == pMemModule->pNtFuncptrsTable)
return FALSE;

// 索引含义：可执行、可读、可写，根据这3个属性决定内存保护
int ProtectionMatrix[2][2][2] = {
{
// not executable
{ PAGE_NOACCESS, PAGE_WRITECOPY },
{ PAGE_READONLY, PAGE_READWRITE },
},
{
// executable
{ PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY },
{ PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE },
},
};

Type_VirtualProtect pfnVirtualProtect = (Type_VirtualProtect)(pMemModule->pNtFuncptrsTable->pfnVirtualProtect);
Type_VirtualFree pfnVirtualFree = (Type_VirtualFree)(pMemModule->pNtFuncptrsTable->pfnVirtualFree);

PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)(pMemModule->lpBase);

ULONGLONG ulBaseHigh = 0;
#ifdef _WIN64
ulBaseHigh = (pMemModule->iBase & 0xffffffff00000000);
#endif

PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(
PIMAGE_NT_HEADERS, pImageDosHeader, pImageDosHeader->e_lfanew);

int nNumberOfSections = pImageNtHeader->FileHeader.NumberOfSections;
PIMAGE_SECTION_HEADER pImageSectionHeader = MakePointer(
PIMAGE_SECTION_HEADER, pImageNtHeader, sizeof(IMAGE_NT_HEADERS));

// 遍历各节
for (int idxSection = 0; idxSection < nNumberOfSections; idxSection++)
{
DWORD protectFlag = 0;
DWORD oldProtect = 0;
BOOL isExecutable = FALSE;
BOOL isReadable = FALSE;
BOOL isWritable = FALSE;

BOOL isNotCache = FALSE;
ULONGLONG dwSectionBase = (pImageSectionHeader[idxSection].Misc.PhysicalAddress | ulBaseHigh);
DWORD dwSecionSize = pImageSectionHeader[idxSection].SizeOfRawData;
if (0 == dwSecionSize) continue;

// This section is in this page
// 接下来根据节属性设置页面内存保护
DWORD dwSectionCharacteristics = pImageSectionHeader[idxSection].Characteristics;

// Discardable
if (dwSectionCharacteristics & IMAGE_SCN_MEM_DISCARDABLE)
{
pfnVirtualFree((LPVOID)dwSectionBase, dwSecionSize, MEM_DECOMMIT);
continue;
}

// Executable
if (dwSectionCharacteristics & IMAGE_SCN_MEM_EXECUTE)
isExecutable = TRUE;

// Readable
if (dwSectionCharacteristics & IMAGE_SCN_MEM_READ)
isReadable = TRUE;

// Writable
if (dwSectionCharacteristics & IMAGE_SCN_MEM_WRITE)
isWritable = TRUE;

if (dwSectionCharacteristics & IMAGE_SCN_MEM_NOT_CACHED)
isNotCache = TRUE;

protectFlag = ProtectionMatrix[isExecutable][isReadable][isWritable];
if (isNotCache) protectFlag |= PAGE_NOCACHE;
// 设置内存保护
if (!pfnVirtualProtect((LPVOID)dwSectionBase, dwSecionSize, protectFlag, &oldProtect))
{
pMemModule->dwErrorCode = MMEC_PROTECT_SECTION_FAILED;
return FALSE;
}
}

return TRUE;
}

调用TLS回调和模块入口点

这一步也是可选的，不过如果不做有些全局变量可能未初始化。做了的话有可能失败，因为操作系统不认我们手动加载的模块，调用某些函数有可能失败…

/// <summary>
/// Executes the TLS callback function.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <returns>True if successful.</returns>
BOOL ExecuteTLSCallback(PMEM_MODULE pMemModule)
{
if (NULL == pMemModule || NULL == pMemModule->pImageDosHeader)
return FALSE;

PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(
PIMAGE_NT_HEADERS,
pMemModule->pImageDosHeader,
pMemModule->pImageDosHeader->e_lfanew);

IMAGE_DATA_DIRECTORY imageDirectoryEntryTls = pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];
if (imageDirectoryEntryTls.VirtualAddress == 0) return TRUE;

PIMAGE_TLS_DIRECTORY tls = (PIMAGE_TLS_DIRECTORY)(pMemModule->iBase + imageDirectoryEntryTls.VirtualAddress);
PIMAGE_TLS_CALLBACK* callback = (PIMAGE_TLS_CALLBACK *)tls->AddressOfCallBacks;
if (callback)
{
while (*callback)
{
(*callback)((LPVOID)pMemModule->hModule, DLL_PROCESS_ATTACH, NULL);
callback++;
}
}
return TRUE;
}

/// <summary>
/// Calls the module entry.
/// </summary>
/// <param name="pMemModule">The <see cref="MemModule" /> instance.</param>
/// <param name="dwReason">The reason of the calling.</param>
/// <returns>True if successful.</returns>
BOOL CallModuleEntry(PMEM_MODULE pMemModule, DWORD dwReason)
{
if (NULL == pMemModule || NULL == pMemModule->pImageDosHeader)
return FALSE;

PIMAGE_NT_HEADERS pImageNtHeader = MakePointer(
PIMAGE_NT_HEADERS,
pMemModule->pImageDosHeader,
pMemModule->pImageDosHeader->e_lfanew);

Type_DllMain pfnModuleEntry = NULL;

pfnModuleEntry = MakePointer(
Type_DllMain,
pMemModule->lpBase,
pImageNtHeader->OptionalHeader.AddressOfEntryPoint);

if (NULL == pfnModuleEntry)
{
pMemModule->dwErrorCode = MMEC_INVALID_ENTRY_POINT;
return FALSE;
}

return pfnModuleEntry(pMemModule->hModule, dwReason, NULL);
}

总流程

这个函数就是把之前分析过的函数调用一遍实现加载PE文件。有些不重要而且看名字就知道干什么的函数就不分析了

BOOL __stdcall LoadMemModule(PMEM_MODULE pMemModule, LPVOID lpPeModuleBuffer, BOOL bCallEntry)
{
if (NULL == pMemModule || NULL == pMemModule->pNtFuncptrsTable || NULL == lpPeModuleBuffer)
return FALSE;

pMemModule->dwErrorCode = ERROR_SUCCESS;

// Verify file format
if (FALSE == IsValidPEFormat(pMemModule, lpPeModuleBuffer))
{
return FALSE;
}

// Map PE header and section table into memory
if (FALSE == MapMemModuleSections(pMemModule, lpPeModuleBuffer))
return FALSE;

// Relocate the module base
if (FALSE == RelocateModuleBase(pMemModule))
{
UnmapMemModule(pMemModule);
return FALSE;
}

// Resolve the import table
if (FALSE == ResolveImportTable(pMemModule))
{
UnmapMemModule(pMemModule);
return FALSE;
}

pMemModule->dwCrc = mml_getcrc32(
0, pMemModule->lpBase, pMemModule->dwSizeOfImage);

// Correct the protect flag for all section pages
if (FALSE == SetMemProtectStatus(pMemModule))
{
UnmapMemModule(pMemModule);
return FALSE;
}

if (FALSE == ExecuteTLSCallback(pMemModule))
return FALSE;

if (bCallEntry)
{
if (FALSE == CallModuleEntry(pMemModule, DLL_PROCESS_ATTACH))
{
// failed to call entry point,
// clean resource, return false
UnmapMemModule(pMemModule);
return FALSE;
}
}

return TRUE;
}

应用

重载某模块，绕过各种hook

重载模块的话会有其他问题，比如全局变量在内存中有两份副本。其实也很好解决，重定位时定位到原模块就行了。不过用来绕hook未免小题大做了，针对性地用汇编绕过部分hook就行了

隐藏注入模块

你手动加载的模块，操作系统根本不知道它的存在，模块列表里没有，也不会引起任何回调

获取模块的原始内容，比如内核中的SSDT