用进程注入来实现一个壳 :: 『孤光剑隐』
来源: BlogBus 原始链接: http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=456241 存档链接: https://web.archive.org/web/20041120112027id_/http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=456241
/*
 * "Implementing a shell (packer-style loader) with process injection"
 * Posted by 孤光剑隐, 2004-10-23.
 *
 * Author's usage note (translated): start Calc.exe before launching; change
 * the name and Explorer.exe can be used as well.
 *
 * Structure, as the code below shows it:
 *   1. main() looks for a named mutex. If it is absent, the process acts as a
 *      loader: it copies remote() into another process and starts it there.
 *   2. remote() (running inside the target) creates that mutex, re-launches
 *      this executable with WinExec, holds the mutex for 4 s, then releases it.
 *   3. The re-launched instance finds the mutex and falls through to the
 *      "real" program body instead of injecting again.
 *
 * Defender's notes on this sample:
 *   - The API sequence OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|
 *     PROCESS_VM_WRITE) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 *     WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
 *     injection chain; host sensors such as Sysmon log the thread creation
 *     (Event ID 8) and the cross-process handle (Event ID 10).
 *   - The relaunch makes calc.exe the parent of this executable, which is an
 *     anomalous process-tree relationship worth alerting on.
 *   - The fixed mutex name "simonzh" and the fixed target name "Calc.exe" are
 *     host-level artifacts of this particular sample.
 *   - This archived copy is garbled in places (a missing ')' in main(), a lost
 *     character in "sizeof(TCHAR)41024") and has several type errors noted
 *     inline; it does not compile as written.
 */
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tchar.h>
#include <conio.h>
#include <psapi.h>

/*
 * Parameter block copied into the target process. The injected routine gets
 * its API entry points from here rather than from its own import table, since
 * it is copied as raw bytes and cannot rely on anything outside itself.
 */
typedef struct _remoteparameter {
    DWORD rpwinexec;              // address of kernel32!WinExec
    DWORD rpcreatemutex;          // address of kernel32!CreateMutexW
    DWORD rpsleep;                // address of kernel32!Sleep
    DWORD rpclosehandle;          // address of kernel32!CloseHandle
    char rpwinexecname[MAX_PATH]; // ANSI path of this executable, for WinExec
    HANDLE rphMutex;              // mutex handle created inside the target
    TCHAR rpMutex[30];            // mutex name, copied from cMutex
}REMOTEPARAMETER, PREMOTEPARAMETER;
// NOTE: PREMOTEPARAMETER is declared as a second alias for the struct, not as
// a pointer type, so the `erp->` accesses in remote() are a compile error as
// written.

DWORD WINAPI remote(LPVOID);
DWORD processtopid(TCHAR); // prototype disagrees with the definition (TCHAR *)
HANDLE createremote(PTSTR);
TCHAR cMutex[8];            // holds "simonzh" + NUL: exactly 8 TCHARs

/*
 * Entry point. Acts as the loader on first start and as the payload body on
 * the second (relaunched) start, distinguished by the presence of the mutex.
 * Returns -1 on any loader failure, 0 otherwise.
 */
int main()
{
    TCHAR ExeName[MAX_PATH];
    HANDLE hRemoteThread;
    HANDLE hMutex;
    int ret;
    _tcscpy(cMutex,_T("simonzh"));
    // Garbled in the archive: the closing ')' of the OpenMutex call is missing.
    hMutex = OpenMutex(SYNCHRONIZE, TRUE, cMutex ;
    if (hMutex == NULL) {
        // No mutex yet: we are the first instance, so act as the loader.
        ret=GetModuleFileName(NULL,ExeName,MAX_PATH);
        if(ret==0) {
            OutputDebugString(_T("GetModuleFileName Error\n"));
            getche();
            return -1;
        }
        if((hRemoteThread=createremote(ExeName))==NULL) {
            OutputDebugString(_T("CreateRemote Error\n"));
            getche();
            return -1;
        }
        // The remote thread handle is never waited on or closed.
        return 0;
    }
    CloseHandle(hMutex);
    // Everything above is the equivalent of a packer's loader.
    // Everything below is the equivalent of the packed original program.
    _tprintf(_T("---[ This is not me. HaHaHa... ]---\n"));
    getche();
    return 0;
}

/*
 * Look up a process id by executable base name (case-insensitive).
 * Returns the pid on a match, 0 if no process matched, and (DWORD)-1 if
 * EnumProcesses failed.
 */
DWORD processtopid(TCHAR *processname)
{
    DWORD lpidprocesses[1024],cbneeded,cprocesses;
    HANDLE hprocess;
    HMODULE hmodule;
    UINT i;
    TCHAR normalname[MAX_PATH]=_T("UnknownProcess");
    if(!EnumProcesses(lpidprocesses,sizeof(lpidprocesses),&cbneeded)) {
        OutputDebugString(_T("EnumProcesses Error\n"));
        return -1;
    }
    cprocesses=cbneeded/sizeof(DWORD);
    for(i=0;i<cprocesses;i++) {
        hprocess=OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,lpidprocesses[i]);
        if(hprocess) {
            if(EnumProcessModules(hprocess,&hmodule,sizeof(hmodule),&cbneeded)) {
                // nSize is in characters, but sizeof(normalname) is in bytes:
                // under UNICODE this overstates the buffer by a factor of two.
                GetModuleBaseName(hprocess,hmodule,normalname,sizeof(normalname));
                if(!_tcsicmp(normalname,processname)) {
                    CloseHandle(hprocess);
                    return (lpidprocesses[i]);
                }
            }
            // Non-matching handles are not closed here: one handle leaks per
            // iteration; only the last one is closed below.
        }
    }
    // hprocess may be NULL or uninitialized here (if cprocesses == 0).
    CloseHandle(hprocess);
    return 0;
}

/*
 * Loader half of the injection: waits until a process named "Calc.exe" can be
 * opened, copies remote() and a filled-in REMOTEPARAMETER into it, and starts
 * a thread there. Returns the remote thread handle, or NULL on failure.
 * ExeName: full path of this executable, passed through to WinExec.
 * Note: rphandle is only closed on the failure paths, never on success.
 */
HANDLE createremote(PTSTR ExeName)
{
    HANDLE ethread;
    HANDLE rphandle;
    TCHAR name[15];
    TCHAR *remotethr;
    TCHAR *remotepar;
    DWORD remotepid;
    int cb;
    HINSTANCE hkernel32;
    REMOTEPARAMETER rp;
    _tcscpy(name,_T("Calc.exe"));
    // Poll once a second until the target exists and can be opened with the
    // rights needed for allocation, writing and thread creation. This loop
    // never gives up on its own.
    while(1) {
        remotepid=processtopid(name);
        if(remotepid==-1) {
            return NULL;
        }
        else if(remotepid==0) {
            OutputDebugString(_T("Remote Process isn't running\n"));
            Sleep(1000);
            continue;
        }
        rphandle=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE,remotepid);
        if(rphandle==NULL) {
            Sleep(1000);
            continue;
        }
        else {
            break;
        }
    }
    // Garbled in the archive: a character is missing between sizeof(TCHAR)
    // and 1024, so this does not compile as written.
    cb=sizeof(TCHAR)41024;
    // RWX allocation in a foreign process: a strong signal for memory-scanning
    // and EDR hooks on VirtualAllocEx.
    remotethr=(PTSTR)VirtualAllocEx(rphandle,NULL,cb,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if(remotethr==NULL) {
        OutputDebugString(_T("VirtualAllocEx for Thread Error\n"));
        CloseHandle(rphandle);
        return NULL;
    }
    // Copies cb bytes starting at remote() as raw code. No check is made that
    // the function actually fits in, or is no larger than, cb bytes; whatever
    // follows remote() in the image is copied too.
    if(WriteProcessMemory(rphandle,remotethr,(LPVOID)remote,cb,NULL)==FALSE) {
        OutputDebugString(_T("WriteProcessMemory for Thread Error\n"));
        CloseHandle(rphandle);
        return NULL;
    }
    {
        memset(&rp,0,sizeof(rp));
        _tcscpy(rp.rpMutex, cMutex);
        // cbMultiByte is _tcslen(ExeName), which leaves no room for the NUL
        // that the -1 source length asks for; the return value is unchecked,
        // so a failed or unterminated conversion goes unnoticed.
        WideCharToMultiByte(CP_ACP,0,ExeName,-1,rp.rpwinexecname,_tcslen(ExeName),NULL,NULL);
        // kernel32 addresses are resolved here and handed across because the
        // copied routine has no import table of its own in the target.
        hkernel32=GetModuleHandle(_T("kernel32.dll"));
        rp.rpwinexec=(DWORD)GetProcAddress(hkernel32,"WinExec");
        rp.rpcreatemutex=(DWORD)GetProcAddress(hkernel32,"CreateMutexW");
        rp.rpsleep=(DWORD)GetProcAddress(hkernel32,"Sleep");
        rp.rpclosehandle=(DWORD)GetProcAddress(hkernel32,"CloseHandle");
    }
    // sizeof(rp) is already in bytes; multiplying by sizeof(TCHAR) doubles it
    // under UNICODE, so the WriteProcessMemory below reads sizeof(rp) bytes
    // past the end of rp on this stack frame and copies them to the target.
    cb=sizeof(TCHAR)*sizeof(rp);
    remotepar=(PTSTR)VirtualAllocEx(rphandle,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
    if(remotepar==NULL) {
        OutputDebugString(_T("VirtualAllocEx for Parameter Error\n"));
        CloseHandle(rphandle);
        return NULL;
    }
    if(WriteProcessMemory(rphandle,remotepar,(LPVOID)&rp,cb,NULL)==FALSE) {
        OutputDebugString(_T("WriteProcessMemory for Parameter Error:"));
        CloseHandle(rphandle);
        return NULL;
    }
    // Thread entry is the copied routine; its argument is the copied block.
    ethread=CreateRemoteThread(rphandle,NULL,0,(LPTHREAD_START_ROUTINE)remotethr,(LPVOID)remotepar,0,NULL);
    if(ethread==NULL) {
        OutputDebugString(_T("CreateRemoteThread Error\n"));
        CloseHandle(rphandle);
        return NULL;
    }
    return ethread;
}

/*
 * Routine executed inside the target process (copied there as raw bytes).
 * It must not touch anything outside its own body, so every API it needs is
 * taken from the parameter block. Creates the named mutex (initially owned),
 * relaunches the loader executable, holds the mutex for 4 s so that the new
 * instance sees it, then closes it. Returns -1 if WinExec reports failure
 * (a return value of 31 or less), 0 otherwise.
 */
DWORD WINAPI remote(LPVOID pvparam)
{
    // Does not compile as written: PREMOTEPARAMETER is a struct alias, not a
    // pointer type (see the typedef above).
    PREMOTEPARAMETER erp=(PREMOTEPARAMETER)pvparam;
    typedef UINT (WINAPI *EWinExec)(LPCSTR, UINT);
    typedef HANDLE (WINAPI *ECreateMutex)(LPSECURITY_ATTRIBUTES , BOOL, LPCTSTR);
    typedef VOID (WINAPI *ESleep)(DWORD);
    typedef BOOL (WINAPI *ECloseHandle)(HANDLE);
    EWinExec tWinExec;
    ECreateMutex tCreateMutex;
    ESleep tSleep;
    ECloseHandle tCloseHandle;
    tWinExec=(EWinExec)erp->rpwinexec;
    tCreateMutex=(ECreateMutex)erp->rpcreatemutex;
    tSleep=(ESleep)erp->rpsleep;
    tCloseHandle=(ECloseHandle)erp->rpclosehandle;
    // The mutex is the only signal the relaunched instance uses to tell
    // "already injected" from "first start".
    erp->rphMutex=tCreateMutex(NULL, TRUE, erp->rpMutex);
    // The relaunched executable now has the target (calc.exe) as its parent.
    if(tWinExec(erp->rpwinexecname, SW_SHOW)<=31) {
        return -1;
    }
    // The relaunched instance must reach OpenMutex within this window;
    // otherwise it sees no mutex and injects again.
    tSleep(4000);
    tCloseHandle(erp->rphMutex);
    return 0;
}