首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]WoW's一点小诡计简单分析
发表于: 2007-6-7 15:42 51033

[原创]WoW's一点小诡计简单分析

foxabu 活跃值
13
2007-6-7 15:42
51033

查看主题内容

收藏
免费 9
支持
分享
最新回复 (86)
鸡蛋壳
雪    币: 427
活跃值: (412)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
51
驱动的结果你也看到了,兼容,以及杀毒等监控报警,还有网吧环境可能以后也会限制驱动,其实驱动是最好用的方法。
2007-6-9 22:17
0
Lancia
雪    币: 219
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
52
学习一下!!
2007-6-10 01:25
0
KuNgBiM
雪    币: 817
活跃值: (1927)
能力值: ( LV12,RANK:2670 )
在线值:
发帖
回帖
粉丝
私信
53
学习..........
2007-6-10 12:32
0
123112
雪    币: 212
活跃值: (70)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
54
把自己的程序的权限提高一下,就可以打开wow了。
2007-6-10 15:01
0
不懂算法
雪    币: 202
活跃值: (77)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
55
权限这东西,总会有高过你的办法
2007-6-10 18:30
0
kx001
雪    币: 222
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
56
够毒的......怕了你了.
2007-8-20 09:33
0
kx001
雪    币: 222
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
57
HOOK进去直接修改你试试看,报错...OpenProcess, 读写内存, 没权限...必须提权...
2007-8-20 09:53
0
kx001
雪    币: 222
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
58
问题是目标进程已经无法用OpenProcess打开了, 返回的进程句柄是 空, Access Denied
2007-8-20 16:44
0
ToT
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
ToT
59
强帖,只能膜拜
2007-8-22 22:09
0
古老阳光
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
60
佩服,太牛了。努力想楼主靠拢
2007-8-22 22:59
0
wjfjason
雪    币: 12566
活跃值: (2078)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
61
我也要来学习学习
2007-8-23 12:21
0
堆栈的栈
雪    币: 211
活跃值: (40)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
62
高手啊,先下载doc了,慢慢研究下,要好好消化了。
2007-8-23 19:51
0
likunkun
雪    币: 334
活跃值: (22)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
63
有技术含量,学习了
2007-8-24 13:21
0
DiKeN
雪    币: 1126
活跃值: (156)
能力值: ( LV9,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
64
我喜欢这样的代码,不喜欢带goto的代码
BOOL Lock_CurrentProcess()
{
        HANDLE hProcess = ::GetCurrentProcess();
        SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
        PSID pSid;
        BOOL bSus = FALSE;
        if (::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid))
        {
                HANDLE hToken;
                if(::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken))
                {
                        DWORD dwReturnLength;
                        ::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
                        if(dwReturnLength <= 0x400)
                        {
                                LPVOID TokenInformation;
                                TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
                                DWORD dw;
                                if (::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw))
                                {
                                        PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
                                        BYTE Buf[0x200];
                                        PACL pAcl = (PACL)&Buf;
                                        if ((::InitializeAcl(pAcl,1024,ACL_REVISION))
                                                && (::AddAccessDeniedAce(pAcl,ACL_REVISION,0x000000FA,pSid))
                                                && (::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid))
                                                && (::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
                                                )
                                        {
                                                bSus = TRUE;
                                        }
                                }               
                               
                        }
                       
                }
        };

        //Cleanup
        if(hProcess != NULL)
        {
                ::CloseHandle(hProcess);
        }
        if(pSid != NULL)
        {
                ::FreeSid(pSid);
        }
        return bSus;
}
2007-8-24 22:59
0
foxabu
雪    币: 325
活跃值: (97)
能力值: ( LV13,RANK:530 )
在线值:
发帖
回帖
粉丝
私信
65
用try catch也是可以的,我只是按照逆向的要求。基本编译出的代码要和原始代码接近。
2007-8-25 00:08
0
jpinglove
雪    币: 14
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
66
能告诉我,你怎么就这么历害呢
2007-8-25 21:47
0
Lenus
雪    币: 159
活跃值: (339)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
67
他打开的是本进程
2007-8-27 11:25
0
新月之铭
雪    币: 1470
活跃值: (74)
能力值: ( LV5,RANK:75 )
在线值:
发帖
回帖
粉丝
私信
68
大家都在搞外挂?拿出来分享我一个?
2007-8-28 08:26
0
jjnet
雪    币: 101
活跃值: (12)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
69
BOOL Lock_CurrentProcess()
{
  struct CHandle
  {
       CHandle m_handle;
       CHandle() : m_handle(INVALID_HANDLE_VALUE) {}
       ~CHANDLE() {if (INVALID_HANDLE_VALUE!=m_handle) ::CloseHandle(m_handle);}
       operator HANDLE&() {return m_handle;}
   };
   struct Psid_ptr
  {
        PSID m_pSid;
        Psid_ptr() : m_pSid(NULL) {}
        ~Psid_ptr() {if (NULL != m_pSid) ::FreeSid(m_pSid);}
        operator PSID& () {return m_pSid;}
   };

  CHandle hProcess = ::GetCurrentProcess();
  SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
  Psid_ptr pSid;
  BOOL bSus = FALSE;
  if (!::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid)) return false;

    HANDLE hToken;
    if(!::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken)) return false;

      DWORD dwReturnLength;
      ::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
      if(! dwReturnLength <= 0x400) return false;

        LPVOID TokenInformation;
        TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
        DWORD dw;
        if (!::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw)) return false;

          PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
          BYTE Buf[0x200];
          PACL pAcl = (PACL)&Buf;
          if ((::InitializeAcl(pAcl,1024,ACL_REVISION))
            && (::AddAccessDeniedAce(pAcl,ACL_REVISION,0x000000FA,pSid))
            && (::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid))
            && (::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
            )  return true;
    return false;
}

  c++ 最好把需要自动释放的东东用类来做.
ps: 印象中这份代码记得很久以前有位背MSDN的神仙哥哥说过..
2007-8-29 00:39
0
仙剑太郎
雪    币: 214
活跃值: (70)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
70
新知识,学习..
2007-8-29 00:46
0
lcy
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
lcy
71
支持,还没有做过wom的外挂,学习中
2007-8-29 03:48
0
鸡蛋壳
雪    币: 427
活跃值: (412)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
72
VB版:
Option Explicit

Private Declare Function InitializeAcl Lib "advapi32.dll" ( _
          ByVal pAcl As Long, _
          ByVal nAclLength As Long, _
          ByVal dwAclRevision As Long) As Long
Private Type ACL
         AclRevision As Byte
         Sbz1 As Byte
         AclSize As Integer
         AceCount As Integer
         Sbz2 As Integer
End Type

Private Declare Function AddAccessDeniedAce Lib "advapi32.dll" ( _
          ByVal pAcl As Long, _
          ByVal dwAceRevision As Long, _
          ByVal AccessMask As Long, _
          ByRef pSid As Any) As Long
Private Declare Function AddAccessAllowedAce Lib "advapi32.dll" ( _
          ByVal pAcl As Long, _
          ByVal dwAceRevision As Long, _
          ByVal AccessMask As Long, _
          ByRef pSid As Any) As Long
Private Enum SE_OBJECT_TYPE
           SE_UNKNOWN_OBJECT_TYPE = 0
           SE_FILE_OBJECT
           SE_SERVICE
           SE_PRINTER
           SE_REGISTRY_KEY
           SE_LMSHARE
           SE_KERNEL_OBJECT
           SE_WINDOW_OBJECT
           SE_DS_OBJECT
           SE_DS_OBJECT_ALL
           SE_PROVIDER_DEFINED_OBJECT
           SE_WMIGUID_OBJECT
End Enum
   
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" ( _
          ByVal hObject As Long) As Long
Private Declare Sub FreeSid Lib "advapi32.dll" ( _
          ByRef pSid As Any)
Private Declare Function GetTokenInformation Lib "advapi32.dll" ( _
          ByVal TokenHandle As Long, _
          ByRef TokenInformationClass As Integer, _
          ByRef TokenInformation As Any, _
          ByVal TokenInformationLength As Long, _
          ByRef ReturnLength As Long) As Long
Private Declare Function LocalAlloc Lib "kernel32.dll" ( _
          ByVal wFlags As Long, _
          ByVal wBytes As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" ( _
          ByVal ProcessHandle As Long, _
          ByVal DesiredAccess As Long, _
          ByRef TokenHandle As Long) As Long
Private Declare Function AllocateAndInitializeSid Lib "advapi32.dll" ( _
          ByRef pIdentifierAuthority As SID_IDENTIFIER_AUTHORITY, _
          ByVal nSubAuthorityCount As Byte, _
          ByVal nSubAuthority0 As Long, _
          ByVal nSubAuthority1 As Long, _
          ByVal nSubAuthority2 As Long, _
          ByVal nSubAuthority3 As Long, _
          ByVal nSubAuthority4 As Long, _
          ByVal nSubAuthority5 As Long, _
          ByVal nSubAuthority6 As Long, _
          ByVal nSubAuthority7 As Long, _
          ByRef lpPSid As Any) As Long
Private Type SID_IDENTIFIER_AUTHORITY
         Value(6) As Byte
End Type
Private Const TOKEN_QUERY As Long = &H8
Private Const LMEM_FIXED As Long = &H0
Private Const LMEM_ZEROINIT As Long = &H40
Private Const LPTR As Long = (LMEM_FIXED + LMEM_ZEROINIT)
Private Const ACL_REVISION As Long = 2
Private Const DACL_SECURITY_INFORMATION As Long = &H4&
Private Const PROTECTED_DACL_SECURITY_INFORMATION As Long = (&H80000000)
Private Declare Function GetLastError Lib "kernel32.dll" () As Long
Private Type SID_AND_ATTRIBUTES
         Sid As Long
         Attributes As Long
End Type

'BOOL Lock_CurrentProcess()
'{
'   HANDLE hProcess = ::GetCurrentProcess();
'   SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
'   PSID pSid;
'   BOOL bSus = FALSE;
'   bSus = ::AllocateAndInitializeSid(&sia,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,&pSid);
'   if(!bSus) goto Cleanup;
'   HANDLE hToken;
'   bSus = ::OpenProcessToken(hProcess,TOKEN_QUERY,&hToken);
'   if(!bSus) goto Cleanup;
'   DWORD dwReturnLength;
'   ::GetTokenInformation(hToken,TokenUser,NULL,NULL,&dwReturnLength);
'   if(dwReturnLength > 0x400) goto Cleanup;
'   LPVOID TokenInformation;
'   TokenInformation = ::LocalAlloc(LPTR,0x400);//这里就引用SDK的函数不引用CRT的了
'   DWORD dw;
'   bSus = ::GetTokenInformation(hToken,TokenUser,TokenInformation,0x400,&dw);
'   if(!bSus) goto Cleanup;
'   PTOKEN_USER pTokenUser = (PTOKEN_USER)TokenInformation;
'   BYTE Buf[0x200];
'   PACL pAcl = (PACL)&Buf;
'   bSus = ::InitializeAcl(pAcl,1024,ACL_REVISION);
'   if(!bSus) goto Cleanup;
'   bSus = ::AddAccessDeniedAce(pAcl,ACL_REVISION,0x000000FA,pSid);
'   if(!bSus) goto Cleanup;
'   bSus = ::AddAccessAllowedAce(pAcl,ACL_REVISION,0x00100701,pTokenUser->User.Sid);
'   if(!bSus) goto Cleanup;
'   if(::SetSecurityInfo(hProcess,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,NULL,NULL,pAcl,NULL) == 0)
'     bSus = TRUE;
'Cleanup:
'   if(hProcess != NULL)
'     ::CloseHandle(hProcess);
'   if(pSid != NULL)
'     ::FreeSid(pSid);
'   return bSus;
'}

Public Function DisableProcessAccess(ByVal hProcess As Long, ByVal dwAccessDenied As Long, ByVal dwAccessAllowed As Long) As Boolean
         Dim sia As SID_IDENTIFIER_AUTHORITY
         Dim pSid As Long 'psid
         Dim bSuccess As Boolean
         Dim buf(1 To &H400) As Byte
         Dim buf1(1 To &H400) As Byte
         Dim pTokenUser As Long 'pToken_User
         Dim pAcl As Long 'pAcl
         pAcl = VarPtr(buf(1))
         Dim TokenInfo As Long
         Dim hToken As Long
         Dim dwRetLen As Long
         Dim dw As Long
         bSuccess = AllocateAndInitializeSid(sia, 1, 0, 0, 0, 0, 0, 0, 0, 0, ByVal VarPtr(pSid))
         Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         bSuccess = OpenProcessToken(hProcess, TOKEN_QUERY, ByVal VarPtr(hToken))
         'Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         Call GetTokenInformation(hToken, ByVal 1, ByVal 0, 0, dwRetLen)
         'Debug.Print GetLastError
         TokenInfo = VarPtr(buf1(1))
         bSuccess = GetTokenInformation(hToken, ByVal 1, ByVal TokenInfo, dwRetLen, dw)
         'Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         bSuccess = InitializeAcl(pAcl, &H400, ACL_REVISION)
         'Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         bSuccess = AddAccessDeniedAce(pAcl, ACL_REVISION, dwAccessDenied, ByVal pSid)
         'Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         bSuccess = AddAccessAllowedAce(pAcl, ACL_REVISION, dwAccessAllowed, ByVal pSid)
         'Debug.Print GetLastError
        
         If (Not bSuccess) Then GoTo Cleanup
         If (SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION Or PROTECTED_DACL_SECURITY_INFORMATION, ByVal 0, ByVal 0, ByVal pAcl, ByVal 0) = 0) Then bSuccess = True
         Debug.Print GetLastError
Cleanup:
         If (hProcess <> 0) Then CloseHandle (hProcess)
         If (pSid <> 0) Then Call FreeSid(ByVal pSid)
         DisableProcessAccess = bSuccess
End Function
2007-11-9 19:58
0
gyfhgyfh
雪    币: 220
活跃值: (161)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
73
Private Declare Function AddAccessDeniedAce Lib "advapi32.dll"
...

Public Function DisableProcessAccess

...

难怪结束不了,原来权限被锁住了。
2007-11-9 20:25
0
炉子
雪    币: 66
活跃值: (16)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
74
瞧不起鸡蛋壳这种转载不注明出处的
2007-11-9 20:44
0
chinaruto
雪    币: 109
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
75
晕,这里也转了呀。
2007-11-9 21:20
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//