勒索软件在遍历并加密文件时会用到下列代码,其作用是处理文件被进程占用而无法加密的情况(下面的代码本身只枚举占用目标文件的进程,并打印其名称、PID 和映像路径)。
#include <windows.h>
#include <RestartManager.h>
#include <stdio.h>
#include <stdlib.h>
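/*
 * Prints the name, PID and (when the PID can be confirmed to still belong to
 * the same process instance) the full image path of one holder reported by
 * RmGetList. Prints a trailing blank line after each entry.
 */
static void print_locker(const RM_PROCESS_INFO *pi)
{
    wprintf(L"Name: \t%ls\n", pi->strAppName);
    wprintf(L"ID : \t%lu\n", pi->Process.dwProcessId);

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pi->Process.dwProcessId);
    if (hProcess == NULL)
    {
        /* Typically access denied (protected or other-user process) or the holder
         * already exited; the Restart Manager entry is still worth listing. */
        wprintf(L"Path: \t(unavailable, OpenProcess error %lu)\n\n", GetLastError());
        return;
    }

    FILETIME ftCreate, ftExit, ftKernel, ftUser;
    /* A PID can be recycled once the holder exits, so only trust this handle when
     * the live creation time equals the start time Restart Manager recorded. */
    if (GetProcessTimes(hProcess, &ftCreate, &ftExit, &ftKernel, &ftUser)
        && CompareFileTime(&pi->Process.ProcessStartTime, &ftCreate) == 0)
    {
        WCHAR szPath[MAX_PATH] = { 0 };
        DWORD cchPath = MAX_PATH;
        /* Paths longer than MAX_PATH make the query fail; the path is then omitted. */
        if (QueryFullProcessImageNameW(hProcess, 0, szPath, &cchPath))
        {
            wprintf(L"Path: \t%ls\n", szPath);
        }
    }
    wprintf(L"\n");
    CloseHandle(hProcess);
}

/*
 * Queries Restart Manager for the holders of the resources registered on
 * dwSession. The buffer is re-allocated and the call retried while RmGetList
 * reports ERROR_MORE_DATA (the set of holders can change between calls, so the
 * number of retries is bounded rather than unlimited).
 *
 * On ERROR_SUCCESS, *ppInfo owns a calloc'd array of *pCount entries (the caller
 * frees it; *pCount may be 0) and *pdwReason holds the RM_REBOOT_REASON value.
 * On any other return value nothing is allocated and the outputs are untouched.
 */
static DWORD query_lockers(DWORD dwSession, RM_PROCESS_INFO **ppInfo, UINT *pCount, DWORD *pdwReason)
{
    enum { INITIAL_CAPACITY = 10, GROWTH_SLACK = 4, MAX_ATTEMPTS = 5 };
    RM_PROCESS_INFO *rgpi = NULL;
    UINT capacity = INITIAL_CAPACITY;
    DWORD dwError = ERROR_MORE_DATA;

    for (int attempt = 0; attempt < MAX_ATTEMPTS && dwError == ERROR_MORE_DATA; attempt++)
    {
        /* Contents need not survive a retry: drop the old buffer and take a fresh
         * zeroed one (calloc also guards the count*size multiplication). */
        free(rgpi);
        rgpi = calloc(capacity, sizeof *rgpi);
        if (rgpi == NULL)
        {
            return ERROR_NOT_ENOUGH_MEMORY;
        }

        UINT nProcInfoNeeded = 0;
        UINT nProcInfo = capacity;
        DWORD dwReason = 0;
        dwError = RmGetList(dwSession, &nProcInfoNeeded, &nProcInfo, rgpi, &dwReason);
        if (dwError == ERROR_SUCCESS)
        {
            *ppInfo = rgpi;
            *pCount = nProcInfo;
            *pdwReason = dwReason;
            return ERROR_SUCCESS;
        }
        /* ERROR_MORE_DATA: nProcInfoNeeded is the count required at the time of
         * the call; add slack in case more holders appear before the retry. */
        if (nProcInfoNeeded >= capacity)
        {
            capacity = nProcInfoNeeded + GROWTH_SLACK;
        }
        else
        {
            capacity += GROWTH_SLACK;
        }
    }

    free(rgpi);
    return dwError;
}

/*
 * Queries and prints every holder of pszFile on a session that already has the
 * file registered. Returns 0 when the query succeeded (including the "not
 * locked" case) and 1 when RmGetList failed.
 */
static int report_lockers(DWORD dwSession, PCWSTR pszFile)
{
    RM_PROCESS_INFO *rgpi = NULL;
    UINT nProcInfo = 0;
    DWORD dwReason = 0;

    DWORD dwError = query_lockers(dwSession, &rgpi, &nProcInfo, &dwReason);
    if (dwError != ERROR_SUCCESS)
    {
        wprintf(L"RmGetList Error, ErrorCode: %lu\n", dwError);
        return 1;
    }

    if (nProcInfo == 0)
    {
        wprintf(L"This file is not locked!\n");
    }
    else
    {
        wprintf(L"The locked file: %ls\n\n", pszFile);
        wprintf(L"Who lock this file:\n");
        for (UINT i = 0; i < nProcInfo; i++)
        {
            print_locker(&rgpi[i]);
        }
    }

    free(rgpi);
    return 0;
}

/*
 * Reports which processes currently hold the file named by argv[1] open, using
 * the Windows Restart Manager (Rstrtmgr) API: RmStartSession ->
 * RmRegisterResources -> RmGetList, then one OpenProcess /
 * QueryFullProcessImageNameW per holder to print its image path.
 *
 * Exit status: 0 when the query succeeded (whether or not the file is held),
 * 1 on a usage error or when any Restart Manager call fails. Every failure is
 * reported with its Win32 error code, and a session that was started is always
 * ended before returning, so no call is ever made on a session that does not
 * exist. The final getchar() keeps the console window open when the program is
 * launched by double-click.
 */
int __cdecl wmain(int argc, WCHAR** argv)
{
    /* argv[1] was read unconditionally before; argv[argc] is NULL, so that
     * dereferenced NULL when no file argument was given. */
    if (argc < 2 || argv[1][0] == L'\0')
    {
        wprintf(L"Usage: %ls <file>\n", argc > 0 ? argv[0] : L"<program>");
        return 1;
    }
    PCWSTR pszFile = argv[1];

    DWORD dwSession = 0;
    WCHAR szSessionKey[CCH_RM_SESSION_KEY + 1] = { 0 };
    DWORD dwError = RmStartSession(&dwSession, 0, szSessionKey);
    if (dwError != ERROR_SUCCESS)
    {
        wprintf(L"RmStartSession Start Error, ErrorCode: %lu\n", dwError);
        return 1; /* no session was created, nothing to end */
    }

    int rc = 1;
    dwError = RmRegisterResources(dwSession, 1, &pszFile, 0, NULL, 0, NULL);
    if (dwError != ERROR_SUCCESS)
    {
        wprintf(L"RmRegisterResources for File %ls Error, ErrorCode: %lu\n", pszFile, dwError);
    }
    else
    {
        rc = report_lockers(dwSession, pszFile);
    }

    RmEndSession(dwSession);
    getchar();
    return rc;
}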
注意,编译时需要在链接项里的附加库目录加上Rstrtmgr.dll,在链接项的附加依赖项加上Rstrtmgr.lib。
参考链接:https://blog.csdn.net/weixin_43376501/article/details/103191326