(Python) DLL Proxying by Unprotect

Created the Tuesday 06 December 2022. Updated 1 month, 3 weeks ago.

Description:

This code uses the ctypes library to load the legitimate DLL and retrieve the address of the function that will be called. It then defines a function named ProxyFunction that will be used to redirect calls to the legitimate DLL. When ProxyFunction is called, it will call the function in the legitimate DLL and return the result. As with the previous example, this code is just an example and more advanced implementations may be needed for more complex scenarios.

Code

            from ctypes import cdll

# Function prototype for the function that will be used to redirect calls to the legitimate DLL
ProxyFunction = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int)

def DllMain():
    # Load the legitimate DLL
    hLegitDLL = ctypes.windll.LoadLibrary("legit.dll")
    if not hLegitDLL:
        # Handle error

    # Retrieve the address of the function in the legitimate DLL
    # This example uses a function named "FunctionA", but the function name can be anything
    FunctionA = ProxyFunction(hLegitDLL.FunctionA)
    if not FunctionA:
        # Handle error

# Function that will be used to redirect calls to the legitimate DLL
def ProxyFunction(arg):
    # Call the function
    return FunctionA(arg)