CAPI 第一代 是由defanvie开发的一款第三方,堪称批处理第三方的登峰造极之作, 省略描述几百字...
CAPI 第二代 是由aiwozhonghuaba 根据 CAPI 第一代 的 语法特征 仿写的兼容 win8的capix.dll
CAPI 第三代 就是用第一代,弄了个内存注入, 自动操作系统版本判断,自动修改内存,做了一定免杀加花,
兼容了从 XP 到 Win10 的大部分系统。单文件，无外置 dll，是该系列的一个兼容性扩展版本，32 位、64 位通吃。
(win8用户太少, 故砍掉对win8的支持)
下载地址: http://cmd1152.ys168.com/ 文件区 CAPI3.0.zip
( 网盘文件随时可能消失, 只发一次 )
// Core code as posted (核心代码). The listing is a Windows-only loader: it
// starts a suspended cmd.exe, patches an embedded DLL image with the right
// kernel module name for the host OS, maps it into the child process and
// resumes it. Several defects are flagged inline as NOTE(review); the code
// itself is left exactly as posted.
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include <memdll.h>   // non-standard header, not on the page; presumably provides remoteInject() and the `byte` typedef — confirm

// Embedded DLL image, truncated in the post (the literal `...` is not valid C++).
// Two fixed offsets inside it (0x179A and 0x1B60, see main) are overwritten at run time.
byte dlldata[] = { 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x0, ...};
// Module names copied into dlldata; both fit in 16 bytes including the terminator.
const BYTE k1[16] = "kernel32.dll";
const BYTE k2[16] = "kernelbase.dll";

extern "C" HWND WINAPI GetConsoleWindow( void );   // declared but never used in this listing

/// Reads the NT version through ntdll!RtlGetNtVersionNumbers and returns it as
/// major + minor/10 (e.g. 6.1 for Windows 7).
/// NOTE(review): when LoadLibraryW or GetProcAddress fails the function falls off
/// the end without a return statement — undefined behaviour; the caller in main
/// compares the result with 6.1f, so an arbitrary value silently picks k1 or k2.
/// NOTE(review): on the success path the function returns before FreeLibrary,
/// so the ntdll reference taken here is never released (harmless for ntdll, but a leak).
/// bRet and the masked dwBuildNumber are computed and never used.
FLOAT GetNtVersionFloat()
{
    BOOL bRet = FALSE;
    HMODULE hModNtdll = NULL;
    DWORD dwMajorVer, dwMinorVer, dwBuildNumber;

    if( hModNtdll = ::LoadLibraryW( L"ntdll.dll" ) )
    {
        typedef void ( WINAPI * pfRTLGETNTVERSIONNUMBERS )( DWORD*, DWORD*, DWORD* );
        pfRTLGETNTVERSIONNUMBERS pfRtlGetNtVersionNumbers;
        pfRtlGetNtVersionNumbers = ( pfRTLGETNTVERSIONNUMBERS )::GetProcAddress( hModNtdll, "RtlGetNtVersionNumbers" );
        if( pfRtlGetNtVersionNumbers )
        {
            pfRtlGetNtVersionNumbers( &dwMajorVer, &dwMinorVer, &dwBuildNumber );
            dwBuildNumber &= 0x0ffff;   // strip the high word RtlGetNtVersionNumbers sets; value is unused afterwards

            FLOAT verfv = dwMajorVer + dwMinorVer / 10.0f;
            return verfv;
        }

        ::FreeLibrary( hModNtdll );
        hModNtdll = NULL;
    }

}

/// Enables (or disables) SeDebugPrivilege on the current process token.
/// @param enable  TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
/// @return FALSE if the token cannot be opened, the LUID cannot be looked up, or
///         AdjustTokenPrivileges fails; TRUE otherwise.
/// NOTE(review): hToken is leaked on the two failure returns after OpenProcessToken
/// succeeded — CloseHandle is only reached on the success path.
/// NOTE(review): AdjustTokenPrivileges returning nonzero does not mean the privilege
/// was granted; the documented ERROR_NOT_ALL_ASSIGNED case is not checked here, so
/// a non-admin caller gets TRUE without the privilege.
/// Privilege changes of this kind are a standard audit point for defenders (token
/// privilege adjustment events); nothing here suppresses that telemetry.
BOOL EnablePrivilege( BOOL enable )
{

    HANDLE hToken = NULL;
    if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken ) )
        return FALSE;


    LUID luid;
    if( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
        return FALSE;   // hToken not closed


    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
    if( !AdjustTokenPrivileges( hToken, FALSE, &tp, 0, NULL, NULL ) )
        return FALSE;   // hToken not closed


    CloseHandle( hToken );

    return TRUE;
}

/// Textbook remote-thread loader: writes dllPath into the target and runs
/// LoadLibraryA on it from a new thread. It is NOT called anywhere in this
/// listing — main uses remoteInject() from memdll.h instead — so it is dead code
/// as posted. This exact API sequence (VirtualAllocEx / WriteProcessMemory /
/// CreateRemoteThread) is what most endpoint monitoring keys on.
/// @param process  handle to the target, must carry the access rights those three APIs need.
/// @param dllPath  NUL-terminated path; copied including the terminator.
/// @return FALSE on the first failing API, TRUE once the remote thread has exited.
/// NOTE(review): remoteMemory is never freed when WriteProcessMemory or
/// CreateRemoteThread fails.
/// NOTE(review): VirtualFreeEx with MEM_DECOMMIT only decommits the pages; the
/// reservation stays until MEM_RELEASE (with size 0) is used.
/// NOTE(review): remoteModule receives the thread exit code (32 bits), which
/// truncates a 64-bit HMODULE on x64, and is never read anyway.
BOOL InjectDll( HANDLE process, CHAR* dllPath )
{
    DWORD dllPathSize = ( ( DWORD )strlen( dllPath ) + 1 ) * sizeof( CHAR );


    void* remoteMemory = VirtualAllocEx( process, NULL, dllPathSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if( remoteMemory == NULL )
    {
        return FALSE;
    }


    if( !WriteProcessMemory( process, remoteMemory, dllPath, dllPathSize, NULL ) )
    {
        return FALSE;   // remoteMemory leaked
    }


    // Relies on kernel32 being mapped at the same address in the target as in this process.
    HANDLE remoteThread = CreateRemoteThread( process, NULL, 0, ( LPTHREAD_START_ROUTINE )LoadLibraryA, remoteMemory, 0, NULL );
    if( remoteThread == NULL )
    {
        return FALSE;   // remoteMemory leaked
    }


    WaitForSingleObject( remoteThread, INFINITE );

    DWORD remoteModule;
    GetExitCodeThread( remoteThread, &remoteModule );   // result unused


    CloseHandle( remoteThread );
    VirtualFreeEx( process, remoteMemory, dllPathSize, MEM_DECOMMIT );
    return TRUE;
}

/// Entry point: `capi3 <batch-or-command> [ignored]`.
/// Spawns `cmd /c "<argv[1]>"` suspended, patches the embedded image with the
/// kernel module name matching the OS version, maps it with remoteInject(), then
/// resumes the child.
/// NOTE(review): sprintf into a MAX_PATH buffer with an unchecked argv[1] — an
/// argument longer than roughly MAX_PATH-9 bytes overflows szCommandLine; this is
/// attacker-controlled input whenever the launcher is invoked by another program.
/// NOTE(review): bRet is ignored and pi is never zero-initialised, so if
/// CreateProcess fails the `pi.hProcess == NULL` test reads an indeterminate value.
/// NOTE(review): pi.hThread is never closed; argc == 3 is accepted but argv[2] is unused.
int main( int argc, char** argv )
{

    if(argc != 2 && argc != 3)
    {
        exit(1);
    }

    char szCommandLine[MAX_PATH];
    sprintf(szCommandLine, "cmd /c \"%s\"", argv[1]);   // unbounded copy of argv[1], see note above



    EnablePrivilege( TRUE );   // return value ignored


    STARTUPINFO si = {sizeof( si )};
    PROCESS_INFORMATION pi;   // uninitialised; only valid if CreateProcess succeeds
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = TRUE;    // 1, i.e. the same value as SW_SHOWNORMAL


    // CREATE_SUSPENDED so the image can be mapped before cmd.exe runs anything;
    // bInheritHandles = TRUE passes this process's inheritable handles to the child.
    BOOL bRet = CreateProcess(
        NULL,
        szCommandLine,
        NULL,
        NULL,
        TRUE,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        &si,
        &pi );

    if( pi.hProcess == NULL )
    {
        printf( "Open cmd process failed.\n" );
        return 1;
    }




    // Overwrite two fixed offsets in the embedded image with the module name to
    // resolve from: kernelbase.dll above 6.1 (Windows 7), kernel32.dll otherwise.
    // The offsets are specific to this build of dlldata; the OS version is
    // evaluated twice (see GetNtVersionFloat for its missing-return defect).
    memcpy(dlldata + 0x179A, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);
    memcpy(dlldata + 0x1B60, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);

    remoteInject(pi.hProcess, dlldata, sizeof(dlldata));   // from memdll.h; return value (if any) ignored

    ResumeThread(pi.hThread);



    CloseHandle( pi.hProcess );   // pi.hThread is left open


    return 0;
}