[Original] The Strongest Trojan in History
Posted on: 2009-1-10 10:28

The system was developed in-house, but an earlier design decision is now causing us trouble:
the system was built with PB 7.0, and using PBKILLER I found the following source code:
---------------------------------------------------------------
string ls_appname

if handle(getapplication()) > 0 then
  ls_appname = getapplication().filetype
  createmutexa(0,true,ls_appname)

  if getlasterror() = 183 then
    messagebox("提示信息","“" + gs_appname + "”应用系统已经运行!",stopsign!)
    return true
  end if

end if

return false
---------------------------------------------------------------

************************************
Pbvm70.dll calls kernel32.CreateMutexA

Disassembling Pbvm70.dll with w32asm gives the following:

kernel32.createmutexA

call dword ptr [11497204]
mov dword ptr [ebx+0c],eax
test eax,eax
jne 1147c747

kernel32.getlasterror

call dword ptr [1149732c]
cmp eax,000000B7
je 1147c70c
test ebx,ebx
je 1147c751
cmp dword ptr [ebx+0c],00000000
je 1147c751

mov eax,00000001
pop ebp
pop edi
pop esi
pop ebx
ret
**************************************

After checking some material online and on this forum, I changed

call dword ptr [1149732c]
cmp eax,000000B7
je 1147c70c

to

call dword ptr [1149732c]
cmp eax,000000B7
jne 1147c70c



call dword ptr [1149732c]
cmp eax,000000B7
jmp 1147c70c

but neither works. Could the experts on the forum please help me solve this?

Latest replies (7)
2
Clickbait title!
What does this have to do with a trojan?
2009-1-10 10:43
3
Experts, please help me out.
2009-1-10 11:04
4
This PB code seems to guarantee that only one process can run (mutual exclusion between processes).
I don't know PB code, but judging from the variable names and statements, the filetype in ls_appname = getapplication().filetype looks wrong.

From the MSDN description:
CreateMutex
The CreateMutex function creates or opens a named or unnamed mutex object.

HANDLE CreateMutex(
  LPSECURITY_ATTRIBUTES lpMutexAttributes,  // SD
  BOOL bInitialOwner,                       // initial owner
  LPCTSTR lpName                            // object name
);
Parameters
lpMutexAttributes
[in] Pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle can be inherited by child processes. If lpMutexAttributes is NULL, the handle cannot be inherited.
Windows NT/2000: The lpSecurityDescriptor member of the structure specifies a security descriptor for the new mutex. If lpMutexAttributes is NULL, the mutex gets a default security descriptor.

bInitialOwner
[in] Specifies the initial owner of the mutex object. If this value is TRUE and the caller created the mutex, the calling thread obtains ownership of the mutex object. Otherwise, the calling thread does not obtain ownership of the mutex. To determine if the caller created the mutex, see the Return Values section.
lpName
[in] Pointer to a null-terminated string specifying the name of the mutex object. The name is limited to MAX_PATH characters. Name comparison is case sensitive.
If lpName matches the name of an existing named mutex object, this function requests MUTEX_ALL_ACCESS access to the existing object. In this case, the bInitialOwner parameter is ignored because it has already been set by the creating process. If the lpMutexAttributes parameter is not NULL, it determines whether the handle can be inherited, but its security-descriptor member is ignored.

If lpName is NULL, the mutex object is created without a name.

If lpName matches the name of an existing event, semaphore, waitable timer, job, or file-mapping object, the function fails and the GetLastError function returns ERROR_INVALID_HANDLE. This occurs because these objects share the same name space.

Terminal Services: The name can have a "Global\" or "Local\" prefix to explicitly create the object in the global or session name space. The remainder of the name can contain any character except the backslash character (\). For more information, see Kernel Object Name Spaces.

Windows 2000: On Windows 2000 systems without Terminal Services running, the "Global\" and "Local\" prefixes are ignored. The remainder of the name can contain any character except the backslash character.

Windows NT 4.0 and earlier, Windows 95/98: The name can contain any character except the backslash character.

Return Values
If the function succeeds, the return value is a handle to the mutex object. If the named mutex object existed before the function call, the function returns a handle to the existing object and GetLastError returns ERROR_ALREADY_EXISTS. Otherwise, the caller created the mutex.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Remarks
The handle returned by CreateMutex has MUTEX_ALL_ACCESS access to the new mutex object and can be used in any function that requires a handle to a mutex object.

Any thread of the calling process can specify the mutex-object handle in a call to one of the wait functions. The single-object wait functions return when the state of the specified object is signaled. The multiple-object wait functions can be instructed to return either when any one or when all of the specified objects are signaled. When a wait function returns, the waiting thread is released to continue its execution.

The state of a mutex object is signaled when it is not owned by any thread. The creating thread can use the bInitialOwner flag to request immediate ownership of the mutex. Otherwise, a thread must use one of the wait functions to request ownership. When the mutex's state is signaled, one waiting thread is granted ownership, the mutex's state changes to nonsignaled, and the wait function returns. Only one thread can own a mutex at any given time. The owning thread uses the ReleaseMutex function to release its ownership.

The thread that owns a mutex can specify the same mutex in repeated wait function calls without blocking its execution. Typically, you would not wait repeatedly for the same mutex, but this mechanism prevents a thread from deadlocking itself while waiting for a mutex that it already owns. However, to release its ownership, the thread must call ReleaseMutex once for each time that the mutex satisfied a wait.

Two or more processes can call CreateMutex to create the same named mutex. The first process actually creates the mutex, and subsequent processes open a handle to the existing mutex. This enables multiple processes to get handles of the same mutex, while relieving the user of the responsibility of ensuring that the creating process is started first. When using this technique, you should set the bInitialOwner flag to FALSE; otherwise, it can be difficult to be certain which process has initial ownership.

Multiple processes can have handles of the same mutex object, enabling use of the object for interprocess synchronization. The following object-sharing mechanisms are available:

A child process created by the CreateProcess function can inherit a handle to a mutex object if the lpMutexAttributes parameter of CreateMutex enabled inheritance.
A process can specify the mutex-object handle in a call to the DuplicateHandle function to create a duplicate handle that can be used by another process.
A process can specify the name of a mutex object in a call to the OpenMutex or CreateMutex function.
Use the CloseHandle function to close the handle. The system closes the handle automatically when the process terminates. The mutex object is destroyed when its last handle has been closed.

Example from MSDN:

#include <windows.h>

int main(void)
{
    HANDLE hMutex;

    // Create a mutex with no initial owner.
    hMutex = CreateMutex(
        NULL,                       // no security attributes
        FALSE,                      // initially not owned
        "MutexToProtectDatabase");  // name of mutex

    if (hMutex == NULL)
    {
        // Check for error.
        return 1;
    }
    // ERROR_ALREADY_EXISTS (183, 0xB7) means another process created the named mutex first.
    if (GetLastError() == ERROR_ALREADY_EXISTS)
    {
        // Another instance is already running.
    }
    CloseHandle(hMutex);
    return 0;
}
2009-1-10 11:06
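The single-instance guard that the PB code in the opening post is trying to implement, as an added example that is not from this thread: the .NET wrapper over the same Win32 named mutex, with the initial-owner flag set to false as the MSDN remarks above recommend, and the "already exists" result surfaced through the createdNew out-parameter instead of GetLastError() = 183. The mutex name Local\ExampleApp and the function name are assumed.

```powershell
# Added example, not code from the thread. Assumed mutex name and function name.
function Test-SingleInstance {
    param([string]$Name = 'Local\ExampleApp')

    $createdNew = $false
    # initiallyOwned = $false: the managed equivalent of bInitialOwner = FALSE.
    # $createdNew becomes $false exactly when CreateMutex would have reported
    # ERROR_ALREADY_EXISTS (183, 0xB7) for an existing object of the same name.
    $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)

    if (-not $createdNew) {
        # Another instance already holds the named mutex; release our handle and report it.
        $mutex.Dispose()
        return @{ AlreadyRunning = $true; Mutex = $null }
    }

    # Keep the handle alive for the lifetime of the process: closing it would let
    # a second copy of the application start.
    return @{ AlreadyRunning = $false; Mutex = $mutex }
}

$first  = Test-SingleInstance                 # creates the object: AlreadyRunning = False
$second = Test-SingleInstance                 # same name, still held: AlreadyRunning = True
"first: {0}; second: {1}" -f $first.AlreadyRunning, $second.AlreadyRunning
$first.Mutex.Dispose()                        # release on exit, as the app would
```

Run it twice in separate PowerShell sessions while the first is still holding the handle to see the cross-process behaviour the thread is discussing.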
5
Looks like the title is purely attention-grabbing.
See the OP's other post:
http://bbs.pediy.com/showthread.php?p=562579
2009-1-10 11:07
6
The OP is not being honest.
Those who could solve it shouldn't be too kind either: if you know, don't tell them; call them out for clickbait and see whether they dare do it again.
2009-1-10 11:45
7
Reply to the sixth floor: I posted a normal thread, but nobody looked at it; I had no choice. I believe real experts won't mind this. If the forum had enough helpful people, I wouldn't need to do this.
2009-1-10 15:52
8
The forum does not welcome posts of this "deceptive" kind; the post will be recorded as a violation, or reputation will be deducted.
2009-1-10 16:57