/* 虚拟机中的程序 */
#include "md5.h"
#include <stdio.h>
#include <iostream>
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
void main() {
Sleep(5000);
LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
WinExec(Exe_File,SW_MINIMIZE);
Sleep(70000);
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");
// Copy_dwm();
// Copy_csrss();777
// Copy_conhost();
}
void Copy_cycbot(char * File_cycbot,char * file_prefix) {
MD5 md5;
// LPCTSTR File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
// LPCTSTR File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
LPCTSTR File_cycbot_temp;
md5.reset();
md5.update(ifstream( File_cycbot));
string aaaaa;
aaaaa = md5.toString();
char * sss = const_cast<char*>(aaaaa.c_str());
char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
md5.reset();
md5.update(ifstream(cycbot_run));
string bbbbb = md5.toString();
char * cycbot_md5 = const_cast<char*>(bbbbb.c_str());
// char p[10];
// DWORD File_cycbot_temp_d= GetTickCount();
// itoa( File_cycbot_temp_d, p, 10);
// char s[10] = "c:\\dwm.";
char s[200] = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
// char s[100] = "D:\\sample\\cycbot\\Debug\\";
strcat(s,cycbot_md5);
CreateDirectory(s,NULL);
// char * p = "\\dwm.";
strcat(s,file_prefix);
strcat(s,sss);
// CreateDirectory(sssss,NULL);
// char * t;
// t = strcat(s,cycbot_md5);
// char * p;
// p = strcat(t,"\\dwn.");
// char * q;
// q = strcat(p,sss);
File_cycbot_temp = s;
CopyFile( File_cycbot, File_cycbot_temp,TRUE);
}
最新版本,增加对内存的输出,为了统计网址。
/* 虚拟机中的程序 */
#include "md5.h"
#include <stdio.h>
#include <iostream>
#include "tlhelp32.h"
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
int read_process_memory(string Process_stop,char * File_cycbot);
void main() {
Sleep(5000);
LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
WinExec(Exe_File,SW_MINIMIZE);
Sleep(70000);
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");
// read_process_memory("dwm.exe");
// Sleep(2);
// read_process_memory("conhost.exe");
// Sleep(2);
// read_process_memory("csrss.exe");
read_process_memory("dwm.exe","C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe");
read_process_memory("conhost.exe","C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe");
read_process_memory("csrss.exe","C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe");
// Copy_dwm();
// Copy_csrss();777
// Copy_conhost();
}
void Copy_cycbot(char * File_cycbot,char * file_prefix) {
MD5 md5;
// LPCTSTR File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
// LPCTSTR File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
LPCTSTR File_cycbot_temp;
md5.reset();
md5.update(ifstream( File_cycbot));
string aaaaa;
aaaaa = md5.toString();
char * sss = const_cast<char*>(aaaaa.c_str());
char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
md5.reset();
md5.update(ifstream(cycbot_run));
string bbbbb = md5.toString();
char * cycbot_md5 = const_cast<char*>(bbbbb.c_str());
// char p[10];
// DWORD File_cycbot_temp_d= GetTickCount();
// itoa( File_cycbot_temp_d, p, 10);
// char s[10] = "c:\\dwm.";
char s[200] = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
// char s[100] = "D:\\sample\\cycbot\\Debug\\";
strcat(s,cycbot_md5);
CreateDirectory(s,NULL);
// char * p = "\\dwm.";
strcat(s,file_prefix);
strcat(s,sss);
// CreateDirectory(sssss,NULL);
// char * t;
// t = strcat(s,cycbot_md5);
// char * p;
// p = strcat(t,"\\dwn.");
// char * q;
// q = strcat(p,sss);
File_cycbot_temp = s;
CopyFile( File_cycbot, File_cycbot_temp,TRUE);
}
//int read_process_memory(string Process_stop)
//int read_process_memory(string Process_stop,char * file_prefix);
int read_process_memory(string Process_stop,char * File_cycbot)
{
PROCESSENTRY32 pe32;
pe32.dwSize =sizeof(pe32);
HANDLE hpro=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hpro==INVALID_HANDLE_VALUE)
{
cout<<"call function failed/n";
return 0;
}
BOOL nowrun=Process32First(hpro,&pe32);
// string Process_stop = "4e8786c.exe";
// string Process_stop = "calc.exe";
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
MEMORY_BASIC_INFORMATION mbi;
DWORD dwLength = sizeof(MEMORY_BASIC_INFORMATION);
while(nowrun)
{
if(pe32.szExeFile == Process_stop)
{
if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&tkp.Privileges[0].Luid))
{
MessageBox(NULL,"LookupPrivilegeValue error","error",MB_OK);
return 0;
}
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
//打开进程的令牌环
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
MessageBox(NULL,"OpenProcessToken error","error",MB_OK);
return 0;
}
//修改进程权限
if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL, 0))
{
MessageBox(NULL,"AdjustTokenPrivileges error","error",MB_OK);
return 0;
}
DWORD proid=pe32.th32ProcessID;
HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,proid);
// HANDLE hprocess=OpenProcess(PROCESS_VM_OPERATION,FALSE,proid);
// HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS||PROCESS_VM_WRITE||PROCESS_VM_OPERATION,FALSE,proid);
if(hprocess!=NULL)
{
DWORD rByte;
LPVOID lpAddBase=(LPVOID)0x00400000;
// BYTE rDate[4096];
// LPVOID lpBuff=LPVOID(&rDate);
// BOOL b_Result = ReadProcessMemory(hprocess,lpAddBase,lpBuff,4096,&rByte);
// int errorcode_read=GetLastError();
BOOL v_Result = VirtualQueryEx(hprocess,lpAddBase,&mbi,dwLength);
int errorcode_query=GetLastError();
// BYTE rDate[8192];
// LPVOID lpBuff=LPVOID(&rDate);
// BOOL b_Result = ReadProcessMemory(hprocess,lpAddBase,lpBuff,8192,&rByte);
// int errorcode_read=GetLastError();
// BYTE rDate[&mbi.RegionSize];
// DWORD * iIntMalloc=malloc(&mbi.RegionSize);
// BYTE iIntMalloc=BYTE(malloc(mbi.RegionSize));
BYTE * iNew= new BYTE [mbi.RegionSize];
// LPVOID lpBuff1=LPVOID(&iIntMalloc);
// LPVOID lpBuff1=LPVOID(&iNew);
// BOOL b_Result1 = ReadProcessMemory(hprocess,lpAddBase,&iNew,mbi.RegionSize,&rByte); 此处不正确,注意下
LPVOID lpBuff1=LPVOID(iNew);
BOOL b_Result1 = ReadProcessMemory(hprocess,lpAddBase,iNew,mbi.RegionSize,&rByte);
int errorcode_read1=GetLastError();
if (errorcode_read1>0)
{
return 1;
}
MD5 md5;
md5.reset();
md5.update(ifstream( File_cycbot));
string aaaaa;
aaaaa = md5.toString();
char * sss = const_cast<char*>(aaaaa.c_str());
char file[200] = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\log\\";
strcat(file,sss);
strcat(file,".log");
FILE * fp;
// if ((fp = fopen(file, "a"))) //此处改掉
// if ((fp = fopen(file, "ab")))
if ((fp = fopen(file, "wb")))
{
fwrite(iNew,sizeof(BYTE),mbi.RegionSize,fp);
// fwrite(iNew,mbi.RegionSize,mbi.RegionSize,fp); //这样是不可以的
// fwrite(iNew,mbi.RegionSize*sizeof(BYTE),mbi.RegionSize,fp); //这样也是不可以的
int errorcode_read2=GetLastError();
fclose(fp); //想着关闭fp
}
else
{
printf("error!!\n");
return 0;
}
delete [] iNew;
// TerminateProcess(hprocess,0);
CloseHandle(hprocess);
}
}
nowrun=Process32Next(hpro,&pe32);
}
return 1;
}
MD5的修正,主要是打开时应该用二进制模式打开。默认方式下属于文本模式
/* 虚拟机中的程序 */
#include "md5.h"
#include <stdio.h>
#include <iostream>
#include "tlhelp32.h"
//#include <windows.h>
using namespace std;
//void Copy_dwm();
//void Copy_csrss();
//void Copy_conhost();
void Copy_cycbot(char * File_cycbot,char * file_prefix);
int read_process_memory(string Process_stop,char * File_cycbot);
void main() {
Sleep(5000);
LPCTSTR Exe_File = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
WinExec(Exe_File,SW_MINIMIZE);
Sleep(70000);
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe","\\dwm.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe","\\csrss.");
Copy_cycbot("C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe","\\conhost.");
// read_process_memory("dwm.exe");
// Sleep(2);
// read_process_memory("conhost.exe");
// Sleep(2);
// read_process_memory("csrss.exe");
read_process_memory("dwm.exe","C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe");
read_process_memory("conhost.exe","C:\\Documents and Settings\\chenjava\\Application Data\\Microsoft\\conhost.exe");
read_process_memory("csrss.exe","C:\\Documents and Settings\\chenjava\\Local Settings\\Temp\\csrss.exe");
// Copy_dwm();
// Copy_csrss();777
// Copy_conhost();
}
void Copy_cycbot(char * File_cycbot,char * file_prefix) {
MD5 md5;
// LPCTSTR File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
// LPCTSTR File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "C:\\Documents and Settings\\chenjava\\Application Data\\dwm.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
LPCTSTR File_cycbot_temp;
md5.reset();
md5.update(ifstream( File_cycbot,ios::binary));
string aaaaa;
aaaaa = md5.toString();
char * sss = const_cast<char*>(aaaaa.c_str());
char * cycbot_run = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\cycbot.exe";
// char * File_cycbot = "D:\\sample\\cycbot\\Debug\\dwm.exe";
md5.reset();
md5.update(ifstream(cycbot_run,ios::binary));
string bbbbb = md5.toString();
char * cycbot_md5 = const_cast<char*>(bbbbb.c_str());
// char p[10];
// DWORD File_cycbot_temp_d= GetTickCount();
// itoa( File_cycbot_temp_d, p, 10);
// char s[10] = "c:\\dwm.";
char s[200] = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\";
// char s[100] = "D:\\sample\\cycbot\\Debug\\";
strcat(s,cycbot_md5);
CreateDirectory(s,NULL);
// char * p = "\\dwm.";
strcat(s,file_prefix);
strcat(s,sss);
// CreateDirectory(sssss,NULL);
// char * t;
// t = strcat(s,cycbot_md5);
// char * p;
// p = strcat(t,"\\dwn.");
// char * q;
// q = strcat(p,sss);
File_cycbot_temp = s;
CopyFile( File_cycbot, File_cycbot_temp,TRUE);
}
//int read_process_memory(string Process_stop)
//int read_process_memory(string Process_stop,char * file_prefix);
int read_process_memory(string Process_stop,char * File_cycbot)
{
PROCESSENTRY32 pe32;
pe32.dwSize =sizeof(pe32);
HANDLE hpro=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hpro==INVALID_HANDLE_VALUE)
{
cout<<"call function failed/n";
return 0;
}
BOOL nowrun=Process32First(hpro,&pe32);
// string Process_stop = "4e8786c.exe";
// string Process_stop = "calc.exe";
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
MEMORY_BASIC_INFORMATION mbi;
DWORD dwLength = sizeof(MEMORY_BASIC_INFORMATION);
while(nowrun)
{
if(pe32.szExeFile == Process_stop)
{
if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&tkp.Privileges[0].Luid))
{
MessageBox(NULL,"LookupPrivilegeValue error","error",MB_OK);
return 0;
}
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
//打开进程的令牌环
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
MessageBox(NULL,"OpenProcessToken error","error",MB_OK);
return 0;
}
//修改进程权限
if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL, 0))
{
MessageBox(NULL,"AdjustTokenPrivileges error","error",MB_OK);
return 0;
}
DWORD proid=pe32.th32ProcessID;
HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,proid);
// HANDLE hprocess=OpenProcess(PROCESS_VM_OPERATION,FALSE,proid);
// HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS||PROCESS_VM_WRITE||PROCESS_VM_OPERATION,FALSE,proid);
if(hprocess!=NULL)
{
DWORD rByte;
LPVOID lpAddBase=(LPVOID)0x00400000;
// BYTE rDate[4096];
// LPVOID lpBuff=LPVOID(&rDate);
// BOOL b_Result = ReadProcessMemory(hprocess,lpAddBase,lpBuff,4096,&rByte);
// int errorcode_read=GetLastError();
BOOL v_Result = VirtualQueryEx(hprocess,lpAddBase,&mbi,dwLength);
int errorcode_query=GetLastError();
// BYTE rDate[8192];
// LPVOID lpBuff=LPVOID(&rDate);
// BOOL b_Result = ReadProcessMemory(hprocess,lpAddBase,lpBuff,8192,&rByte);
// int errorcode_read=GetLastError();
// BYTE rDate[&mbi.RegionSize];
// DWORD * iIntMalloc=malloc(&mbi.RegionSize);
// BYTE iIntMalloc=BYTE(malloc(mbi.RegionSize));
BYTE * iNew= new BYTE [mbi.RegionSize];
// LPVOID lpBuff1=LPVOID(&iIntMalloc);
// LPVOID lpBuff1=LPVOID(&iNew);
// BOOL b_Result1 = ReadProcessMemory(hprocess,lpAddBase,&iNew,mbi.RegionSize,&rByte); 此处不正确,注意下
LPVOID lpBuff1=LPVOID(iNew);
BOOL b_Result1 = ReadProcessMemory(hprocess,lpAddBase,iNew,mbi.RegionSize,&rByte);
int errorcode_read1=GetLastError();
if (errorcode_read1>0)
{
return 1;
}
MD5 md5;
md5.reset();
md5.update(ifstream( File_cycbot,ios::binary));
string aaaaa;
aaaaa = md5.toString();
char * sss = const_cast<char*>(aaaaa.c_str());
char file[200] = "\\\\vmware-host\\Shared Folders\\Shared_Folder\\cycbot\\log\\";
strcat(file,sss);
strcat(file,".log");
FILE * fp;
// if ((fp = fopen(file, "a"))) //此处改掉
// if ((fp = fopen(file, "ab")))
if ((fp = fopen(file, "wb")))
{
fwrite(iNew,sizeof(BYTE),mbi.RegionSize,fp);
// fwrite(iNew,mbi.RegionSize,mbi.RegionSize,fp); //这样是不可以的
// fwrite(iNew,mbi.RegionSize*sizeof(BYTE),mbi.RegionSize,fp); //这样也是不可以的
int errorcode_read2=GetLastError();
fclose(fp); //想着关闭fp
}
else
{
printf("error!!\n");
return 0;
}
delete [] iNew;
// TerminateProcess(hprocess,0);
CloseHandle(hprocess);
}
}
nowrun=Process32Next(hpro,&pe32);
}
return 1;
}
/*
参考:http://www.cppblog.com/ant/archive/2011/06/15/31886.html#148739
*/