<p class="MsoNormal" align="center" style="text-align:center"><b style="mso-bidi-font-weight:normal"><span style="font-size:12.0pt;mso-bidi-font-size:10.0pt">Unveiling the Mystery of Trojans (Part V)</span></b></p>
<p class="MsoNormal" align="center" style="text-align:center"><b style="mso-bidi-font-weight:normal"><span lang="EN-US">DLL Trojans: the Win9X Edition</span></b></p>
<p class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US">Shotgun</span></p>
<p class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">In Part IV of this series I showed how to build a process-less trojan on NT systems by injecting a DLL into a remote process. Many readers have written to ask whether the code from Part IV can be ported directly to Win9x. Unfortunately I have to tell you that Win9x does not support the CreateRemoteThread function we relied on, so the Part IV method does not work on Win9X. Although a program on Win9X can hide from the process manager by registering itself as a system service, there are still many ways to enumerate processes and discover such a system-level trojan. So is it really impossible to inject a DLL into a remote process on Win9X? Even though Win9x has no function like CreateRemoteThread, the problem can still be solved another way. Today we will look at how to inject a DLL into a remote process on Win9X.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The most direct idea is to write our own CreateRemoteThread for Win9X (a friend of mine, Kevin_Qing, has already written such code) and then use it to perform a LoadLibrary inside the target process. That requires an intimate knowledge of the in-memory layout of a Windows process, and it will probably involve machine instructions and register manipulation as well. It is really the long way round: our final goal is simply to get a DLL loaded into a given process, so we should look more closely at the properties of dynamic link libraries themselves. (Implementing CreateRemoteThread() for Win9X is still worthwhile in its own right, and we will return to it in a later article.)</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">Windows has a class of functions called hooks. Hooks are very powerful: they can be used to monitor and intercept system events, and Windows lets the user install many kinds of them: message hooks, mouse hooks, keyboard hooks, and so on. A hook procedure is installed with the SetWindowsHook function (or its enhanced version SetWindowsHookEx), and the installed procedure normally lives in a DLL. Hooks have one important property: if the hook callback is provided by a DLL and the hooked process has not loaded that DLL, the system automatically loads the hook DLL into that process. By now it should be clear: installing, with SetWindowsHook, a hook procedure that belongs to some DLL for the target process forces the target process to load that DLL.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"> <o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The prototype of SetWindowsHookEx is:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HHOOK SetWindowsHookEx(</span></p>
<p class="MsoNormal" style="margin-left:144.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">int idHook, // hook type</span></p>
<p class="MsoNormal" style="margin-left:144.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HOOKPROC lpfn, // hook procedure</span></p>
<p class="MsoNormal" style="margin-left:144.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">HINSTANCE hMod, // handle of the DLL containing the hook procedure</span></p>
<p class="MsoNormal" style="margin-left:144.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">DWORD dwThreadId); // thread ID</span></p>
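<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">A defender-side check that follows from the property described above, added here as an example and not code from the article or its author: a hook installed with dwThreadId set to 0 is system-wide, so its DLL gets mapped into every GUI process, and a DLL that lives outside the system directory yet appears in many unrelated processes is therefore worth a closer look. The module records, paths and threshold below are constructed; on a real system the records would come from a Toolhelp32 module snapshot (CreateToolhelp32Snapshot/Module32First/Module32Next).</span></p>

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* One "module X is mapped in process Y" record. Real data would come from a Toolhelp32
 * module snapshot; the records used below are constructed for this example. */
typedef struct { unsigned pid; const char *path; } ModRec;

/* Win32 paths are case-insensitive, so every comparison here is too. */
static int ieq(char a, char b) { return tolower((unsigned char)a) == tolower((unsigned char)b); }
static int path_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) if (!ieq(*a, *b)) return 0;
    return *a == *b;
}
static int has_prefix_ci(const char *s, const char *p) {
    for (; *p; s++, p++) if (!ieq(*s, *p)) return 0;
    return 1;
}

/* A hook DLL installed with dwThreadId == 0 is mapped by the system into every GUI
 * process. For each DLL outside `sysdir`, count the processes it is mapped in (one record
 * per pid/module pair is assumed) and report those at or above `threshold`. Returns the
 * number of paths written to `out`. Triage heuristic only: shared vendor DLLs show up too. */
int flag_widely_mapped(const ModRec *recs, int n, const char *sysdir,
                       int threshold, const char *out[], int max_out) {
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        int j, procs = 0;
        if (has_prefix_ci(recs[i].path, sysdir)) continue;          /* system DLL */
        for (j = 0; j < i && !path_eq(recs[j].path, recs[i].path); j++) {}
        if (j < i) continue;                                          /* counted already */
        for (j = i; j < n; j++) if (path_eq(recs[j].path, recs[i].path)) procs++;
        if (procs >= threshold && flagged < max_out) out[flagged++] = recs[i].path;
    }
    return flagged;
}

/* Constructed snapshot: three GUI processes, one non-system DLL present in all of them. */
static const ModRec SAMPLE[] = {
    {100, "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL"}, {100, "C:\\PROGRA~1\\EDITOR\\EDITOR.DLL"},
    {100, "C:\\WINDOWS\\TEMP\\EXAMPLE.DLL"},
    {200, "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL"}, {200, "c:\\windows\\temp\\example.dll"},
    {300, "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL"}, {300, "C:\\PROGRA~1\\MAIL\\MAILUI.DLL"},
    {300, "C:\\WINDOWS\\TEMP\\EXAMPLE.DLL"},
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void) {
    const char *out[8];
    int n = flag_widely_mapped(SAMPLE, SAMPLE_N, "C:\\WINDOWS\\SYSTEM\\", 3, out, 8);
    for (int i = 0; i < n; i++) printf("mapped into 3+ processes from outside the system dir: %s\n", out[i]);
    return 0;
}
```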
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The first parameter, int idHook, is the hook type; the following hook types are available:</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt"><span style="mso-tab-count:
1"> </span>WH_CALLWNDPROC<o:p>
</o:p>
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:
10.0pt"><span style="mso-tab-count:1"> </span><span style="mso-tab-count:
1"> </span>WH_CALLWNDPROCRET<o:p>