|
|
吾爱游客
发表于 2017-8-28 14:57
第一、申请ID:Ming
第二、个人邮箱:2095141905@qq.com
第三、原创技术文章:易语言及VC++及VB编程,以及OllyDbg破解,和ddos原理,电脑基层语言,杀毒软件编写。
 
以下内容为源代码,故不发源码。
简单打造蠕虫病毒专杀工具
网络上经常充斥着N个公司的专杀工具,如冲击波,震荡波等专杀工具,最常见的就是大名鼎鼎的毒霸和瑞星专杀工具了。大伙用了都说好,可是你有没有想过它们到底是怎么实现的呢?
今天我们就来学习一下如何打造一个简单的蠕虫病毒专杀工具吧!
第一步
我定义了一个KillBlastProcess()函数,他的职能跟我们终止一般程式一样,黑防上几乎每期都讲。
1)寻找病毒执行绪MsBlast.exe。我这里用的是win32 SDK的Tool Help函数集中的API函数来实现查找;
2)提升程式自己允可权。有些病毒简单的呼叫TerminateProcess()就可以终止了。但是为了防止万一和通用性,那就有必要了。
完整的程序码如下(当中有文字没加‘//’如要直接复制请自行去除!):
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <string.h>
//link with Advapi32.lib
char chrMsBlast[MAX_PATH];
HKEY hLocKey = NULL;
VOID ShowInfo();
BOOL KillBlastReg();
BOOL KillBlastProcess();
BOOL KillFile();
BOOL EnableDebugPrivilege();
int main()
{
ShowInfo();
if (KillBlastReg() )
{
printf("MS Blast Registry Key Removed...\n");
}
//kill running process
printf("\nAttemping to Locate MS Blast Process...\n");
if( !KillBlastProcess() ) {
printf(".........................\n");
}
//remove msblast.exe
if( !KillFile() )
{
printf("Unable to Delete File '%s'...\n", chrMsBlast);
}
//
printf("\nDone.\n");
return 0;
}
void ShowInfo()
{
printf("\nMs Blast.A.exe 蠕虫病毒专杀工具\n");
printf("--------------------------------------\n");
}
//clean registry
BOOL KillBlastReg()
{
printf("\nAttempting to Clean Registry...\n");
// 打开注册表键
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0,
KEY_ALL_ACCESS, // 所有的访问权限
&hLocKey) != ERROR_SUCCESS) {
printf("Unable to Load Registry Key...\n");
return FALSE;
} else {
printf("Registry Key has been Successfully Loaded...\n");
}
// 删除
if(RegDeleteValue(hLocKey, "windows auto update") != ERROR_SUCCESS) {
printf("Unable to Delete Registry Value...It Might Not Exist...\n");
return FALSE;
}
return TRUE;
}
删掉相关的登录档项
BOOL KillBlastProcess() {
HANDLE hProcessSnap = NULL;
HANDLE hBlastProcess = NULL;
BOOL bRet = FALSE;
BOOL bFoundProcess = FALSE;
PROCESSENTRY32 pe32 = {0};
// 获得系统内所有进程的快照
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
// 记得首先必须给结构PROCESSENTRY32的大小赋值,否则可能会不正确
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
do {
if(strnicmp(pe32.szExeFile, "msblast.exe", 11) == 0) {
printf("Located MS Blast Process (%d)...\n",pe32.th32ProcessID);
if ( !EnableDebugPrivilege() )
{
printf("EnableDebugPrivilege() failed\n");
bRet = FALSE;
}
bFoundProcess = TRUE;
hBlastProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pe32.th32ProcessID);
if(hBlastProcess == NULL) {
printf("Could not open MS Blast Process...\n");
bRet = FALSE;
}
else
{
if( !TerminateProcess(hBlastProcess, 0) ) {
printf("Could not terminate MS Blast Process...\n");
bRet = FALSE;
} else {
printf("MS Blast Process Has beend Terminated...\n");
bRet = TRUE;
}
CloseHandle(hBlastProcess);
}
break;
}
} while (Process32Next(hProcessSnap, &pe32));
if(bFoundProcess) {
bRet = TRUE;
} else {
printf("MS Blast Process Was Not Running...\n");
bRet = FALSE;
}
} else {
printf("Unable to Enumerate Process List...\n");
bRet = FALSE;
}
CloseHandle (hProcessSnap);
return (bRet);
}
提升许可权的函数如下:
BOOL EnableDebugPrivilege()
{
HANDLE hToken = NULL;
LUID luid;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, &hToken) )
{
printf("OpenProcessToken failed\n");
return FALSE;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
printf("LookupPrivilegeValue failed\n");
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
printf("AdjustTokenPrivileges() failed %d\n", GetLastError());
return FALSE;
}
CloseHandle( hToken );
return TRUE;
}
删除蠕虫病毒档案:
BOOL KillFile()
{
printf("\nAttempting to Remove msblast.exe...\n");
// 通过环境变量获得病毒体全路径
GetEnvironmentVariable("SYSTEMROOT", chrMsBlast, MAX_PATH);
strncat(chrMsBlast, "\\msblast.exe", 12);
// 删除操作
if(DeleteFile(chrMsBlast) == 0){
return FALSE;
}
printf("Ms Blast.A.exe has been deleted successfully\n");
return TRUE;
}
祝吾爱论坛越来越壮大!
也请该板块的管理员尽快审核!
|
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2017-8-29 11:07
