本帖最后由 slimay 于 2021-9-19 23:17 编辑
CAPI 第一代 是由defanvie开发的一款第三方,堪称批处理第三方的登峰造极之作, 省略描述几百字...
CAPI 第二代 是由aiwozhonghuaba 根据 CAPI 第一代 的 语法特征 仿写的兼容 win8的capix.dll
CAPI 第三代 就是用第一代,弄了个内存注入, 自动操作系统版本判断,自动修改内存,做了一定免杀加花,
兼容了从xp到 win10的大部分系统.单文件, 无外置dll,是该系列的,一个兼容性扩展版本,32位,
64位通吃
(win8用户太少, 故砍掉对win8的支持)
下载地址: http://cmd1152.ys168.com/ 文件区 CAPI3.0.zip
( 网盘文件随时可能消失, 只发一次 )
核心代码:- #include <stdio.h>
- #include <stdlib.h>
- #include <Windows.h>
- #include <memdll.h>
- byte dlldata[] = { 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x0, ...};
- const BYTE k1[16] = "kernel32.dll";
- const BYTE k2[16] = "kernelbase.dll";
- extern "C" HWND WINAPI GetConsoleWindow( void );
- // 获取操作系统版本号 浮点值
- FLOAT GetNtVersionFloat()
- {
- BOOL bRet = FALSE;
- HMODULE hModNtdll = NULL;
- DWORD dwMajorVer, dwMinorVer, dwBuildNumber;
- if( hModNtdll = ::LoadLibraryW( L"ntdll.dll" ) )
- {
- typedef void ( WINAPI * pfRTLGETNTVERSIONNUMBERS )( DWORD*, DWORD*, DWORD* );
- pfRTLGETNTVERSIONNUMBERS pfRtlGetNtVersionNumbers;
- pfRtlGetNtVersionNumbers = ( pfRTLGETNTVERSIONNUMBERS )::GetProcAddress( hModNtdll, "RtlGetNtVersionNumbers" );
- if( pfRtlGetNtVersionNumbers )
- {
- pfRtlGetNtVersionNumbers( &dwMajorVer, &dwMinorVer, &dwBuildNumber );
- dwBuildNumber &= 0x0ffff;
- FLOAT verfv = dwMajorVer + dwMinorVer / 10.0f;
- return verfv;
- }
- ::FreeLibrary( hModNtdll );
- hModNtdll = NULL;
- }
- }
- // 提升进程特权
- BOOL EnablePrivilege( BOOL enable )
- {
- // 得到令牌句柄
- HANDLE hToken = NULL;
- if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken ) )
- return FALSE;
- // 得到特权值
- LUID luid;
- if( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
- return FALSE;
- // 提升令牌句柄权限
- TOKEN_PRIVILEGES tp = {};
- tp.PrivilegeCount = 1;
- tp.Privileges[0].Luid = luid;
- tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
- if( !AdjustTokenPrivileges( hToken, FALSE, &tp, 0, NULL, NULL ) )
- return FALSE;
- // 关闭令牌句柄
- CloseHandle( hToken );
- return TRUE;
- }
- // 注入DLL
- BOOL InjectDll( HANDLE process, CHAR* dllPath )
- {
- DWORD dllPathSize = ( ( DWORD )strlen( dllPath ) + 1 ) * sizeof( CHAR );
- // 申请内存用来存放DLL路径
- void* remoteMemory = VirtualAllocEx( process, NULL, dllPathSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
- if( remoteMemory == NULL )
- {
- return FALSE;
- }
- // 写入DLL路径
- if( !WriteProcessMemory( process, remoteMemory, dllPath, dllPathSize, NULL ) )
- {
- return FALSE;
- }
- // 创建远线程调用LoadLibrary
- HANDLE remoteThread = CreateRemoteThread( process, NULL, 0, ( LPTHREAD_START_ROUTINE )LoadLibraryA, remoteMemory, 0, NULL );
- if( remoteThread == NULL )
- {
- return FALSE;
- }
- // 等待远线程结束
- WaitForSingleObject( remoteThread, INFINITE );
- // 取DLL在目标进程的句柄
- DWORD remoteModule;
- GetExitCodeThread( remoteThread, &remoteModule );
- // 释放
- CloseHandle( remoteThread );
- VirtualFreeEx( process, remoteMemory, dllPathSize, MEM_DECOMMIT );
- return TRUE;
- }
- int main( int argc, char** argv )
- {
- // 只接受 1个参数, 即cmd脚本名称
- if(argc != 2 && argc != 3)
- {
- exit(1);
- }
-
- char szCommandLine[MAX_PATH];
- sprintf(szCommandLine, "cmd /c "%s"", argv[1]);
- //system(szCommandLine);
- // 提升权限
- EnablePrivilege( TRUE );
- STARTUPINFO si = {sizeof( si )};
- PROCESS_INFORMATION pi;
- si.dwFlags = STARTF_USESHOWWINDOW;
- si.wShowWindow = TRUE;
- // 创建子进程, 获取子进程信息
- BOOL bRet = CreateProcess(
- NULL,
- szCommandLine, //命令行参数
- NULL,
- NULL,
- TRUE,
- CREATE_SUSPENDED, //为新进程挂起,方便后续注入
- NULL,
- NULL,
- &si,
- &pi );
- if( pi.hProcess == NULL )
- {
- printf( "Open cmd process failed.\n" );
- return 1;
- }
- // 系统大于Win7, 则HOOK "kernelBase.dll", 直接修改dll内存实现
- memcpy(dlldata + 0x179A, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);
- memcpy(dlldata + 0x1B60, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);
- // 内存注入dll
- remoteInject(pi.hProcess, dlldata, sizeof(dlldata));
- // 恢复挂起的进程
- ResumeThread(pi.hThread);
- // 关闭进程
- CloseHandle( pi.hProcess );
- //getchar();
- return 0;
- }
|
发表于 2021-9-19 23:10:49
