[Evasion tool] ZeroEye 5.0 major update: new .NET hijack scanning and templates

admin 2026-03-27 14:10:45 Cybersecurity articles Source: ZONE.CI Global Network

Article summary: This post introduces the major 5.0 update of the evasion tool ZeroEye, which adds scanning and hijacking of .NET programs (with automatically generated hijack config and DLL templates), kernel driver (sys) scanning, a C++ class rebuild engine and recursive DLL dependency-chain resolution. It describes the features, parameters, output layout and workflow, giving security testers a complete toolkit for DLL hijacking analysis and exploitation. Overall score: 75. Categories: evasion, security tools, penetration testing, vulnerability analysis, hands-on experience




Original, by 零攻防, 2026-03-24 23:03, Guangxi

Version 5.0 (major update)

New: .NET program scanning and hijacking
Supports .NET programs and ships config and DLL templates for hijacking them.

New: sys scanning
A simple scan of .sys drivers that enumerates usable drivers present on the system.

New: C++ class rebuild engine
Reverses MSVC-decorated class symbols (names containing ? @ #) so that the classes can be declared and used in Visual Studio.

New: recursive DLL dependency-chain resolution
Finds related DLLs in the parent directory, the same directory and subdirectories, improving scan results.

Improved: parameter system refactor
Cleaner parameter usage, adapted for .NET.

Improved: output
Looks nicer...

See GitHub for more details.

Feature overview

| Feature | Description |
| --- | --- |
| Native PE scanning | Scans EXE import tables, automatically copies non-system DLLs and generates proxy DLL templates |
| .NET program scanning | Automatically identifies .NET programs and analyzes config hijacking / P/Invoke / assembly side-loading vectors |
| .NET config hijacking | Automatically generates an AppDomainManager injection config plus payload source, ready to use |
| Kernel driver scanning | Scans third-party drivers for IOCTLs and dangerous APIs (Microsoft-signed drivers are skipped automatically) |
| C++ class rebuild engine | Rebuilds C++ class structures from MSVC-decorated names and generates 3 kinds of proxy DLL templates |
| Type-filtered scanning | The -t parameter selects scan types: gui/cmd/dotnet/sys, combinable |
| Auto-detection | -i and -d automatically recognise native PE vs .NET; no manual judgement needed |


Parameters

Usage: ZeroEye [options]
Options:
  -h   <help|examples>    Show help
  -i   <PE file>          Analyze a PE file (auto-detects native/.NET)
  -p   <directory>        Scan the given directory for candidate programs
  -s   <signature check>  Only scan programs with a digital signature
  -e   <exclude EXE>      Exclude programs that depend only on system DLLs
  -d   <PE module>        Generate a hijack template (auto-detects native/.NET)
  -x   <architecture>     Scan architecture (64/86)
  -g   <exclude list>     Exclude the given DLLs (separated by |)
  -t   <type>             Scan type: gui,cmd,exe,dotnet,sys,all (default: all)
  -IM  <PE file>          Show the import table
  -EX  <PE file>          Show the export table

Examples:
  ZeroEye.exe -i a.exe                                  Analyze a PE file (auto-detects native/.NET)
  ZeroEye.exe -d a.dll                                  Generate a hijack template (auto-detects native/.NET)
  ZeroEye.exe -p c:\                                    Scan drive C: (all types)
  ZeroEye.exe -p c:\ -t gui                             Scan GUI programs only
  ZeroEye.exe -p c:\ -t dotnet                          Scan .NET programs only
  ZeroEye.exe -p c:\ -t sys                             Scan kernel drivers only
  ZeroEye.exe -p c:\ -t gui,dotnet -s -x 64             Scan signed 64-bit GUI + .NET programs
  ZeroEye.exe -p c:\ -s -x 64 -g "api-ms|ucrtbase" -e   Scan signed 64-bit programs, system dependencies only
  ZeroEye.exe -IM/-EX a.dll                             Show the import/export table

Output directory layout

Native PE ("white + black": legitimate signed EXE plus hijacked DLL)

Eyebin/Dll/x64/
└── notepad++[gui-5-3.2MB]/
    ├── notepad++.exe                 ← target program
    ├── SciLexer.dll                  ← hijackable DLL
    └── infos/
        └── Info.txt                  ← analysis results

.NET program

Eyebin/Dll/x64/
└── GitHubProtocolHandler[dotnet-2-1.1MB]/
    ├── GitHubProtocolHandler.exe             ← target program
    ├── GitHubProtocolHandler.exe.config      ← replaced with the hijack config
    ├── GitHubProtocolHandler.exe.config.bak  ← backup of the original config
    ├── *.dll                                 ← referenced dependency DLLs
    └── infos/
        ├── Info.txt                          ← analysis results
        ├── GitHubProtocolHandler.config      ← hijack config template
        └── GitHubProtocolHandler_payload.cs  ← payload source

.NET workflow:

1. cd into the output folder
2. csc /target:library /out:zeroeye_payload.dll /ref:System.Windows.Forms.dll infos\xxx_payload.cs
3. Run xxx.exe → a popup confirms that the hijack succeeded

Kernel driver

Eyebin/Sys/
└── dbutil_2_3[sys-50KB]/
    ├── dbutil_2_3.sys                ← driver file
    └── infos/
        └── Info.txt                  ← signer + list of dangerous APIs

Folder naming rule

Format: name[type-count-size]

| Type | Meaning |
| --- | --- |
| gui | Native GUI program |
| cmd | Native console program |
| dotnet | .NET Framework |
| dotnet-core | .NET Core/5+ |
| sys | Kernel driver |

Examples:

notepad++[gui-5-3.2MB]         ← GUI program, 5 hijackable DLLs, total size 3.2MB
cmd_tool[cmd-3-512KB]          ← console program, 3 hijackable DLLs
GitHandler[dotnet-2-1.1MB]     ← .NET Framework, 2 hijack vectors
myapp[dotnet-core-1-256KB]     ← .NET Core program
dbutil_2_3[sys-50KB]           ← third-party driver, 50KB
notepad++[gui-5-3.2MB](2)      ← numbered automatically on duplicates
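A parser for this naming rule is handy when triaging a large scan output tree (for example to list every program with many hijackable DLLs, or to pull out only the .NET entries). This is an added example, not code from the post or the ZeroEye project; it handles the two irregularities in the format, the missing count on sys entries and the "(n)" duplicate suffix, and the SAMPLE list is constructed from the examples above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# name[type-count-size](n): count is absent for sys entries, "(n)" appears only on duplicates.
FOLDER_RE = re.compile(
    r"^(?P<name>.+?)\[(?P<kind>dotnet-core|dotnet|gui|cmd|sys)"
    r"(?:-(?P<count>\d+))?-(?P<size>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB)\]"
    r"(?:\((?P<dup>\d+)\))?$"
)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class ScanFolder:
    name: str
    kind: str
    count: Optional[int]   # hijackable DLLs / hijack vectors; None for drivers
    size_bytes: int
    dup: int               # 0 for the first folder of that name, n for "(n)"


def parse_folder(folder: str) -> ScanFolder:
    """Parse one output folder name; raise ValueError for names outside the rule."""
    m = FOLDER_RE.match(folder)
    if not m:
        raise ValueError(f"not a ZeroEye output folder name: {folder!r}")
    count = m["count"]
    return ScanFolder(
        name=m["name"], kind=m["kind"],
        count=int(count) if count is not None else None,
        size_bytes=int(float(m["size"]) * UNITS[m["unit"]]),
        dup=int(m["dup"]) if m["dup"] else 0,
    )


def summarize(folders, kinds=None):
    """Parse many folder names, optionally keep only some types, sort by vector count desc."""
    parsed = [parse_folder(f) for f in folders]
    if kinds:
        parsed = [p for p in parsed if p.kind in kinds]
    return sorted(parsed, key=lambda p: (-(p.count or 0), p.name, p.dup))


# Constructed list mirroring the naming examples in the post.
SAMPLE = ["notepad++[gui-5-3.2MB]", "cmd_tool[cmd-3-512KB]", "GitHandler[dotnet-2-1.1MB]",
          "myapp[dotnet-core-1-256KB]", "dbutil_2_3[sys-50KB]", "notepad++[gui-5-3.2MB](2)"]
```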

Getting the project

Reply with the following in the official WeChat account to get the built binary:

ZeroEye5.0

Open-source project address

https://github.com/ImCoriander/ZeroEye


Disclaimer:

The programs and techniques in this article are intended solely for lawful security research and teaching, aim to improve network security defences, and are of a clearly technical research nature.

Any organisation or individual that uses the content of this article without authorisation for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site accepts no joint liability.

Content on this site is published for technical exchange and knowledge sharing. If you believe it infringes copyright or have other objections, please contact us by e-mail via the "Contact me" link at the top of the page.

Reposted from 零攻防: 《【免杀工具】ZeroEye5.0重大更新,新增.net劫持扫描及模板》
