cycbot_vm_3.cpp修正

/*          虚拟机中的程序     */
#include "md5.h"
#include <stdio.h>
#include <iostream>
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
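// Sandbox harness entry point, run inside the analysis VM:
//  1. launch the sample from the host share and give it time to run;
//  2. copy each file it dropped back to the host share (Copy_cycbot).
// `void main()` is not standard C++ (MSVC merely tolerates it); `int main()`
// also gives the automation driving the VM a real exit status.
int main() {
	Sleep(5000);
	LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	WinExec(Exe_File,SW_MINIMIZE);
	// Fixed wait for the sample to finish dropping its files; presumably tuned
	// for this one sample -- confirm before reusing the harness on another.
	Sleep(70000);
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");
	return 0;
}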

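// Copies one file dropped by the sample (File_cycbot) out of the VM into the
// host share as  <share>\<sample md5><file_prefix><dropped-file md5>.
// file_prefix is expected to begin with a backslash (callers pass "\\dwm." etc.).
// Both digests are taken over the files opened in binary mode: text mode on
// Windows translates CR/LF and stops at a 0x1A byte, which changes the hash
// (the original opened both streams in text mode).
// Failures are reported on stderr; the function has no return value.
void Copy_cycbot(char *  File_cycbot,char * file_prefix) {
	MD5 md5;

	// MD5 of the dropped file.
	ifstream dropped(File_cycbot, ios::binary);
	md5.reset();
	md5.update(dropped);
	string dropped_md5 = md5.toString();

	// MD5 of the sample executable that was launched from the share.
	const char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	ifstream sample(cycbot_run, ios::binary);
	md5.reset();
	md5.update(sample);
	string sample_md5 = md5.toString();

	// Build the destination with std::string rather than strcat into a fixed
	// 200-byte buffer, so an unexpectedly long prefix cannot overflow it.
	string target = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
	target += sample_md5;
	// One directory per sample is shared by all of its dropped files, so
	// "already exists" is the normal outcome on the second and later calls.
	if (!CreateDirectory(target.c_str(), NULL))
	{
		DWORD err = GetLastError();
		if (err != ERROR_ALREADY_EXISTS)
		{
			fprintf(stderr, "CreateDirectory failed for %s: %lu\n", target.c_str(), err);
			return;
		}
	}
	target += file_prefix;
	target += dropped_md5;
	// TRUE = fail if the destination exists, i.e. keep the first capture.
	if (!CopyFile(File_cycbot, target.c_str(), TRUE))
	{
		DWORD err = GetLastError();
		fprintf(stderr, "CopyFile failed for %s: %lu\n", File_cycbot, err);
	}
}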

最新版本,增加对内存的输出,为了统计网址。

/*          虚拟机中的程序     */
#include "md5.h"
#include <stdio.h>
#include <iostream>
#include "tlhelp32.h"
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
int read_process_memory(string Process_stop,char *  File_cycbot);
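// Sandbox harness entry point, run inside the analysis VM:
//  1. launch the sample from the host share and give it time to run;
//  2. copy each file it dropped back to the host share (Copy_cycbot);
//  3. dump the image region of each process it started (read_process_memory).
// `void main()` is not standard C++ (MSVC merely tolerates it); `int main()`
// also lets the automation driving the VM see whether every dump succeeded.
int main() {
	Sleep(5000);
	LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	WinExec(Exe_File,SW_MINIMIZE);
	// Fixed wait for the sample to finish dropping its files; presumably tuned
	// for this one sample -- confirm before reusing the harness on another.
	Sleep(70000);
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");

	// read_process_memory returns 1 on success and 0 on failure; the original
	// discarded the result, so a missing dump went unnoticed.
	int failures = 0;
	failures += !read_process_memory("dwm.exe","C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe");
	failures += !read_process_memory("conhost.exe","C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe");
	failures += !read_process_memory("csrss.exe","C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe");
	if (failures)
	{
		fprintf(stderr, "%d memory dump(s) failed\n", failures);
		return 1;
	}
	return 0;
}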

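// Copies one file dropped by the sample (File_cycbot) out of the VM into the
// host share as  <share>\<sample md5><file_prefix><dropped-file md5>.
// file_prefix is expected to begin with a backslash (callers pass "\\dwm." etc.).
// Both digests are taken over the files opened in binary mode: text mode on
// Windows translates CR/LF and stops at a 0x1A byte, which changes the hash
// (the original opened both streams in text mode).
// Failures are reported on stderr; the function has no return value.
void Copy_cycbot(char *  File_cycbot,char * file_prefix) {
	MD5 md5;

	// MD5 of the dropped file.
	ifstream dropped(File_cycbot, ios::binary);
	md5.reset();
	md5.update(dropped);
	string dropped_md5 = md5.toString();

	// MD5 of the sample executable that was launched from the share.
	const char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	ifstream sample(cycbot_run, ios::binary);
	md5.reset();
	md5.update(sample);
	string sample_md5 = md5.toString();

	// Build the destination with std::string rather than strcat into a fixed
	// 200-byte buffer, so an unexpectedly long prefix cannot overflow it.
	string target = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
	target += sample_md5;
	// One directory per sample is shared by all of its dropped files, so
	// "already exists" is the normal outcome on the second and later calls.
	if (!CreateDirectory(target.c_str(), NULL))
	{
		DWORD err = GetLastError();
		if (err != ERROR_ALREADY_EXISTS)
		{
			fprintf(stderr, "CreateDirectory failed for %s: %lu\n", target.c_str(), err);
			return;
		}
	}
	target += file_prefix;
	target += dropped_md5;
	// TRUE = fail if the destination exists, i.e. keep the first capture.
	if (!CopyFile(File_cycbot, target.c_str(), TRUE))
	{
		DWORD err = GetLastError();
		fprintf(stderr, "CopyFile failed for %s: %lu\n", File_cycbot, err);
	}
}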

//int read_process_memory(string Process_stop)
//int read_process_memory(string Process_stop,char * file_prefix);
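// Enables SeDebugPrivilege in this process's own token so that the sample's
// process can be opened.  Returns FALSE (after a MessageBox) on failure.
// AdjustTokenPrivileges returns TRUE even when the privilege could not be
// granted; that case is reported through GetLastError() == ERROR_NOT_ALL_ASSIGNED,
// which the original did not check.  The token handle is closed on every path
// (the original leaked it).
static BOOL enable_debug_privilege()
{
	TOKEN_PRIVILEGES tkp;
	if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&tkp.Privileges[0].Luid))
	{
		MessageBox(NULL,"LookupPrivilegeValue error","error",MB_OK);
		return FALSE;
	}
	tkp.PrivilegeCount=1;
	tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
	HANDLE hToken;
	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
	{
		MessageBox(NULL,"OpenProcessToken error","error",MB_OK);
		return FALSE;
	}
	BOOL adjusted = AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL, 0);
	DWORD err = GetLastError();
	CloseHandle(hToken);
	if(!adjusted || err == ERROR_NOT_ALL_ASSIGNED)
	{
		MessageBox(NULL,"AdjustTokenPrivileges error","error",MB_OK);
		return FALSE;
	}
	return TRUE;
}

// Reads the memory region of hprocess that contains 0x00400000 (the author's
// assumed image base -- confirm for samples with a different base) and writes
// it raw to <share>\cycbot\log\<md5>.log, where <md5> is the digest of the
// on-disk file File_cycbot, so the dump pairs with the copy made by Copy_cycbot.
// Returns 1 when the region was written, 0 otherwise.  The buffer is released
// on every path (the original leaked it on the early returns).
static int dump_image_region(HANDLE hprocess, char * File_cycbot)
{
	MEMORY_BASIC_INFORMATION mbi;
	LPVOID lpAddBase=(LPVOID)0x00400000;
	// The original allocated mbi.RegionSize bytes even when VirtualQueryEx
	// failed, i.e. from an uninitialised value.
	if(VirtualQueryEx(hprocess,lpAddBase,&mbi,sizeof(mbi)) == 0)
	{
		printf("VirtualQueryEx failed: %lu\n", GetLastError());
		return 0;
	}
	BYTE * iNew= new BYTE [mbi.RegionSize];
	SIZE_T rByte = 0;
	// GetLastError() is only meaningful after a FALSE return; the original
	// tested a possibly stale error code after a successful read and skipped
	// the dump when it happened to be non-zero.
	if(!ReadProcessMemory(hprocess,lpAddBase,iNew,mbi.RegionSize,&rByte))
	{
		printf("ReadProcessMemory failed: %lu\n", GetLastError());
		delete [] iNew;
		return 0;
	}

	MD5 md5;
	ifstream in(File_cycbot, ios::binary);   // binary: text mode alters the digest
	md5.reset();
	md5.update(in);
	string logfile = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\log\\";
	logfile += md5.toString();
	logfile += ".log";

	int dumped = 0;
	FILE * fp = fopen(logfile.c_str(), "wb");   // "wb": raw bytes, one dump per file
	if (fp)
	{
		fwrite(iNew,sizeof(BYTE),rByte,fp);   // only the bytes actually read
		fclose(fp);
		dumped = 1;
	}
	else
	{
		printf("error!!\n");
	}
	delete [] iNew;
	return dumped;
}

// Finds every running process whose image name equals Process_stop and dumps
// its image region to the host share (see dump_image_region), naming the dump
// after the MD5 of File_cycbot.  Returns 1 on success, 0 on the first failure.
// Handles are closed on every path; the original leaked the snapshot, the
// token and, on early returns, the process handle.
int read_process_memory(string Process_stop,char * File_cycbot)
{
	PROCESSENTRY32 pe32;
	pe32.dwSize =sizeof(pe32);
	HANDLE hpro=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if(hpro==INVALID_HANDLE_VALUE)
	{
		cout<<"call function failed\n";   // was "/n" -- a literal slash, not a newline
		return 0;
	}
	int result = 1;
	BOOL nowrun=Process32First(hpro,&pe32);
	while(nowrun)
	{
		if(pe32.szExeFile == Process_stop)
		{
			if(!enable_debug_privilege())
			{
				result = 0;
				break;
			}
			// Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
			// ReadProcessMemory needs PROCESS_VM_READ; a read-only dump does not
			// need PROCESS_ALL_ACCESS.
			HANDLE hprocess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,pe32.th32ProcessID);
			if(hprocess==NULL)
			{
				printf("OpenProcess failed for pid %lu: %lu\n", pe32.th32ProcessID, GetLastError());
			}
			else
			{
				int dumped = dump_image_region(hprocess, File_cycbot);
				CloseHandle(hprocess);
				if(!dumped)
				{
					result = 0;
					break;
				}
			}
		}
		nowrun=Process32Next(hpro,&pe32);
	}
	CloseHandle(hpro);
	return result;
}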

MD5 的修正:主要是打开文件时应该用二进制模式打开,因为默认方式属于文本模式。

/*          虚拟机中的程序     */
#include "md5.h"
#include <stdio.h>
#include <iostream>
#include "tlhelp32.h"
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
int read_process_memory(string Process_stop,char *  File_cycbot);
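// Sandbox harness entry point, run inside the analysis VM:
//  1. launch the sample from the host share and give it time to run;
//  2. copy each file it dropped back to the host share (Copy_cycbot);
//  3. dump the image region of each process it started (read_process_memory).
// `void main()` is not standard C++ (MSVC merely tolerates it); `int main()`
// also lets the automation driving the VM see whether every dump succeeded.
int main() {
	Sleep(5000);
	LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	WinExec(Exe_File,SW_MINIMIZE);
	// Fixed wait for the sample to finish dropping its files; presumably tuned
	// for this one sample -- confirm before reusing the harness on another.
	Sleep(70000);
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
	Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");

	// read_process_memory returns 1 on success and 0 on failure; the original
	// discarded the result, so a missing dump went unnoticed.
	int failures = 0;
	failures += !read_process_memory("dwm.exe","C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe");
	failures += !read_process_memory("conhost.exe","C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe");
	failures += !read_process_memory("csrss.exe","C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe");
	if (failures)
	{
		fprintf(stderr, "%d memory dump(s) failed\n", failures);
		return 1;
	}
	return 0;
}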

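// Copies one file dropped by the sample (File_cycbot) out of the VM into the
// host share as  <share>\<sample md5><file_prefix><dropped-file md5>.
// file_prefix is expected to begin with a backslash (callers pass "\\dwm." etc.).
// Both digests are taken over the files opened in binary mode: text mode on
// Windows translates CR/LF and stops at a 0x1A byte, which changes the hash.
// Failures are reported on stderr; the function has no return value.
void Copy_cycbot(char *  File_cycbot,char * file_prefix) {
	MD5 md5;

	// MD5 of the dropped file.  A named stream avoids binding a temporary to
	// the (presumably non-const reference) parameter of MD5::update.
	ifstream dropped(File_cycbot, ios::binary);
	md5.reset();
	md5.update(dropped);
	string dropped_md5 = md5.toString();

	// MD5 of the sample executable that was launched from the share.
	const char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
	ifstream sample(cycbot_run, ios::binary);
	md5.reset();
	md5.update(sample);
	string sample_md5 = md5.toString();

	// Build the destination with std::string rather than strcat into a fixed
	// 200-byte buffer, so an unexpectedly long prefix cannot overflow it, and
	// without const_cast-ing the digest strings.
	string target = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
	target += sample_md5;
	// One directory per sample is shared by all of its dropped files, so
	// "already exists" is the normal outcome on the second and later calls.
	if (!CreateDirectory(target.c_str(), NULL))
	{
		DWORD err = GetLastError();
		if (err != ERROR_ALREADY_EXISTS)
		{
			fprintf(stderr, "CreateDirectory failed for %s: %lu\n", target.c_str(), err);
			return;
		}
	}
	target += file_prefix;
	target += dropped_md5;
	// TRUE = fail if the destination exists, i.e. keep the first capture.
	if (!CopyFile(File_cycbot, target.c_str(), TRUE))
	{
		DWORD err = GetLastError();
		fprintf(stderr, "CopyFile failed for %s: %lu\n", File_cycbot, err);
	}
}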

//int read_process_memory(string Process_stop)
//int read_process_memory(string Process_stop,char * file_prefix);
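// Enables SeDebugPrivilege in this process's own token so that the sample's
// process can be opened.  Returns FALSE (after a MessageBox) on failure.
// AdjustTokenPrivileges returns TRUE even when the privilege could not be
// granted; that case is reported through GetLastError() == ERROR_NOT_ALL_ASSIGNED,
// which the original did not check.  The token handle is closed on every path
// (the original leaked it).
static BOOL enable_debug_privilege()
{
	TOKEN_PRIVILEGES tkp;
	if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&tkp.Privileges[0].Luid))
	{
		MessageBox(NULL,"LookupPrivilegeValue error","error",MB_OK);
		return FALSE;
	}
	tkp.PrivilegeCount=1;
	tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
	HANDLE hToken;
	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
	{
		MessageBox(NULL,"OpenProcessToken error","error",MB_OK);
		return FALSE;
	}
	BOOL adjusted = AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL, 0);
	DWORD err = GetLastError();
	CloseHandle(hToken);
	if(!adjusted || err == ERROR_NOT_ALL_ASSIGNED)
	{
		MessageBox(NULL,"AdjustTokenPrivileges error","error",MB_OK);
		return FALSE;
	}
	return TRUE;
}

// Reads the memory region of hprocess that contains 0x00400000 (the author's
// assumed image base -- confirm for samples with a different base) and writes
// it raw to <share>\cycbot\log\<md5>.log, where <md5> is the digest of the
// on-disk file File_cycbot, so the dump pairs with the copy made by Copy_cycbot.
// Returns 1 when the region was written, 0 otherwise.  The buffer is released
// on every path (the original leaked it on the early returns).
static int dump_image_region(HANDLE hprocess, char * File_cycbot)
{
	MEMORY_BASIC_INFORMATION mbi;
	LPVOID lpAddBase=(LPVOID)0x00400000;
	// The original allocated mbi.RegionSize bytes even when VirtualQueryEx
	// failed, i.e. from an uninitialised value.
	if(VirtualQueryEx(hprocess,lpAddBase,&mbi,sizeof(mbi)) == 0)
	{
		printf("VirtualQueryEx failed: %lu\n", GetLastError());
		return 0;
	}
	BYTE * iNew= new BYTE [mbi.RegionSize];
	SIZE_T rByte = 0;
	// GetLastError() is only meaningful after a FALSE return; the original
	// tested a possibly stale error code after a successful read and skipped
	// the dump when it happened to be non-zero.
	if(!ReadProcessMemory(hprocess,lpAddBase,iNew,mbi.RegionSize,&rByte))
	{
		printf("ReadProcessMemory failed: %lu\n", GetLastError());
		delete [] iNew;
		return 0;
	}

	MD5 md5;
	ifstream in(File_cycbot, ios::binary);   // binary: text mode alters the digest
	md5.reset();
	md5.update(in);
	string logfile = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\log\\";
	logfile += md5.toString();
	logfile += ".log";

	int dumped = 0;
	FILE * fp = fopen(logfile.c_str(), "wb");   // "wb": raw bytes, one dump per file
	if (fp)
	{
		fwrite(iNew,sizeof(BYTE),rByte,fp);   // only the bytes actually read
		fclose(fp);
		dumped = 1;
	}
	else
	{
		printf("error!!\n");
	}
	delete [] iNew;
	return dumped;
}

// Finds every running process whose image name equals Process_stop and dumps
// its image region to the host share (see dump_image_region), naming the dump
// after the MD5 of File_cycbot.  Returns 1 on success, 0 on the first failure.
// Handles are closed on every path; the original leaked the snapshot, the
// token and, on early returns, the process handle.
int read_process_memory(string Process_stop,char * File_cycbot)
{
	PROCESSENTRY32 pe32;
	pe32.dwSize =sizeof(pe32);
	HANDLE hpro=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if(hpro==INVALID_HANDLE_VALUE)
	{
		cout<<"call function failed\n";   // was "/n" -- a literal slash, not a newline
		return 0;
	}
	int result = 1;
	BOOL nowrun=Process32First(hpro,&pe32);
	while(nowrun)
	{
		if(pe32.szExeFile == Process_stop)
		{
			if(!enable_debug_privilege())
			{
				result = 0;
				break;
			}
			// Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
			// ReadProcessMemory needs PROCESS_VM_READ; a read-only dump does not
			// need PROCESS_ALL_ACCESS.
			HANDLE hprocess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,pe32.th32ProcessID);
			if(hprocess==NULL)
			{
				printf("OpenProcess failed for pid %lu: %lu\n", pe32.th32ProcessID, GetLastError());
			}
			else
			{
				int dumped = dump_image_region(hprocess, File_cycbot);
				CloseHandle(hprocess);
				if(!dumped)
				{
					result = 0;
					break;
				}
			}
		}
		nowrun=Process32Next(hpro,&pe32);
	}
	CloseHandle(hpro);
	return result;
}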
/*
参考:http://www.cppblog.com/ant/archive/2011/06/15/31886.html#148739

*/



