#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
// Function-pointer types for the KERNEL32 exports that DelModRC reaches through
// a table (filled by GetProcAddress in RemoveFiles) rather than by name: the
// routine's bytes are copied into another process, where this module's import
// table is not available.
typedef DWORD (WINAPI *TWFSO)(HANDLE, DWORD);         // WaitForSingleObject
typedef BOOL (WINAPI *TREMD)(LPCSTR);                 // RemoveDirectoryA
typedef BOOL (WINAPI *TDELF)(LPCSTR);                 // DeleteFileA
typedef LONG (WINAPI *TLSLN)(LPCSTR);                 // lstrlenA
typedef DWORD (WINAPI *TCLSH)(HANDLE);                // CloseHandle (export actually returns BOOL; same width on Win32, result is ignored)
typedef DWORD (WINAPI *TVIFR)(LPVOID, DWORD, DWORD);  // VirtualFree (export actually returns BOOL; same width on Win32, result is ignored)
// Parameter block for DelModRC. RemoveFiles fills a local copy (l_DelMod),
// allocates a remote block of the same size, and copies it over with
// WriteProcessMemory; DelModRC frees the remote block itself via pVirtualFree.
typedef struct _DELMOD {
TWFSO pWaitForSingleObject;
TLSLN plstrlenA;
TREMD pRemoveDirectoryA;
TDELF pDeleteFileA;
TCLSH pCloseHandle;
TVIFR pVirtualFree;
HANDLE hCaller;     // This process's handle, duplicated into the target with SYNCHRONIZE only; DelModRC blocks on it.
PSTR pFileNamesA;   // Remote copy of the path list: entries separated by two NUL bytes, list ended by an empty entry.
} DELMOD, *PDELMOD;
// Routine executed inside the host process. hRemoteExecute (see RemoveFiles)
// copies the bytes between DelModRC and RemoveFiles into that process, which is
// presumably why everything here goes through the pDelMod table: no direct
// calls, string literals or globals may appear in this body, and a rewrite
// must also avoid constructs the compiler lowers to helper calls.
// Flow: wait for the caller to exit, delete every listed path (an entry ending
// in a backslash is removed as a directory, anything else as a file), close the
// duplicated handle, then release both remote buffers, including this block.
// Return values of RemoveDirectoryA/DeleteFileA are not checked; a path that
// cannot be deleted is silently skipped.
VOID WINAPI DelModRC(PDELMOD pDelMod) {
DWORD i, j;
// The handle carries SYNCHRONIZE only, so this is all it can do with it.
pDelMod->pWaitForSingleObject(pDelMod->hCaller, INFINITE);
// i indexes the start of the current entry; j is the index of its last
// character. i += j+3 skips the entry plus the two NUL separator bytes that
// RemoveFiles wrote in place of CR LF. An entry starting with NUL ends the list.
for(i=0; *(pDelMod->pFileNamesA+i) != '\0'; i+=j+3) {
j=pDelMod->plstrlenA(pDelMod->pFileNamesA+i)-1;
if(*(pDelMod->pFileNamesA+i+j) == '\\')
pDelMod->pRemoveDirectoryA(pDelMod->pFileNamesA+i);
else
pDelMod->pDeleteFileA(pDelMod->pFileNamesA+i);
}
pDelMod->pCloseHandle(pDelMod->hCaller);
// MEM_RELEASE assumes both buffers came from VirtualAllocEx-style allocation
// in the host; that is what pRCI->RtlAllocMem is expected to do — confirm in PrcWorks.
pDelMod->pVirtualFree(pDelMod->pFileNamesA, 0, MEM_RELEASE);
// Frees the block this function is still reading from; nothing touches it afterwards.
pDelMod->pVirtualFree(pDelMod, 0, MEM_RELEASE);
}
// Reads a CR LF separated list of ANSI paths from FileList, stages the list and
// a DELMOD parameter block in a long-lived host process (winlogon.exe,
// explorer.exe, ... — see WKP), and starts DelModRC there. DelModRC waits for
// this process to exit before deleting anything, so the call is expected to
// time out; TRUE is returned only for ErrorAHTimeOut.
// FileList is declared PTSTR but passed to CreateFileA, so this only compiles
// and behaves correctly while UNICODE stays undefined (see the commented-out
// #define at the top of the file).
// Observable side effects a defender would see: SeDebugPrivilege enabled,
// OpenProcess on a system process with VM_WRITE/CREATE_THREAD rights, two
// cross-process memory writes and one remote thread.
// NOTE(review): the nested brace-less ifs below are not as they look —
// the terminator write and the list-loaded check both execute on every path;
// see the comments at those lines.
BOOL WINAPI RemoveFiles(PTSTR FileList) {
BOOL Result = FALSE;
// i is reused three times: ReadFile's bytes-read output, the scan index, and
// finally (non-zero == a list was loaded) the guard for the injection step.
DWORD i = 0, ListSize, AllListSize;
HANDLE hFileList;
// NOTE(review): not initialised. If any of the four guards below fails, the
// terminator write after the loop still runs and stores 4 bytes through this
// indeterminate pointer. It is also never LocalFree'd on the success path.
PSTR FileNamesA;
if((hFileList = CreateFileA(FileList, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
if(((ListSize = GetFileSize(hFileList, NULL)) != 0xFFFFFFFF) && (ListSize != 0))
// LPTR zero-fills; the +4 slack covers the WORD read at i == ListSize-1 and
// the DWORD terminator written after the loop.
if(FileNamesA = (PSTR)LocalAlloc(LPTR, AllListSize = ListSize+4))
if(ReadFile(hFileList, FileNamesA, ListSize, &i, NULL))
// Each CR LF (or LF CR, read as a little-endian WORD) becomes two NUL bytes,
// which is the separator DelModRC steps over. Only these pairs are
// recognised: a bare LF leaves two lines joined, and an empty line produces
// four consecutive NULs, which DelModRC treats as end of list.
for(i=0; i<ListSize; i++)
if((*(WORD*)(FileNamesA+i) == 0x0d0a) || (*(WORD*)(FileNamesA+i) == 0x0a0d)) {
*(WORD*)(FileNamesA+i) = 0;
i++;
}
// Not part of the if-chain above: runs unconditionally. After a successful
// read i == ListSize, so this fills exactly the 4 slack bytes.
*(DWORD*)(FileNamesA+i) = 0;
if(hFileList != INVALID_HANDLE_VALUE)
CloseHandle(hFileList);
if(i) {
HINSTANCE hntdll;
BYTE WasEn;
typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
TRAP RAP = NULL;
// 20 == SE_DEBUG_PRIVILEGE; required to open system processes such as
// winlogon.exe. Previous state lands in WasEn and is restored at the end.
// NOTE(review): if this call fails, WasEn stays indeterminate but is still
// passed to the restore call below.
if(hntdll = GetModuleHandle(_T("ntdll.dll")))
if(RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege"))
RAP(20, TRUE, 0, &WasEn);
// Host candidates in order of preference; the first one ProcessName2PID
// resolves is used. Why a DLL name heads the list is unclear — presumably
// PrcWorks matches on more than the image name; confirm before relying on it.
LPCTSTR WKP[5] = {_T("KERNEL32.dll"), _T("winlogon.exe"), _T("explorer.exe"), _T("cmd.exe"), NULL};
DWORD PID = PW_MEMERROR;
// NOTE(review): this i shadows the outer i (harmless here, but easy to misread).
for(DWORD i=0; WKP[i]; i++) {
if((PID = (DWORD)ProcessName2PID(WKP[i])) < PW_SESERROR)
break;
}
// Presumably the minimum hRemoteExecute needs (name suggests it) plus
// READ_CONTROL when obtainable; PROCESS_DUP_HANDLE is needed as the target
// of DuplicateHandle below.
#define AHAccessRequired (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | SYNCHRONIZE)
#define AHAccessOptional (AHAccessRequired | READ_CONTROL)
HANDLE hProcess;
if((hProcess = OpenProcess(AHAccessOptional | PROCESS_DUP_HANDLE, FALSE, PID)) == NULL)
hProcess = OpenProcess(AHAccessRequired | PROCESS_DUP_HANDLE, FALSE, PID);
if(hProcess) {
PRCINFO pRCI = GetDefaultRCInfo();
DELMOD l_DelMod, *pDelMod = NULL;
l_DelMod.pFileNamesA = NULL;
// Stage the path list, then the parameter block, in the host process.
if(l_DelMod.pFileNamesA = (PSTR)pRCI->RtlAllocMem(hProcess, AllListSize))
if(WriteProcessMemory(hProcess, l_DelMod.pFileNamesA, FileNamesA, AllListSize, NULL))
if(pDelMod = (PDELMOD)pRCI->RtlAllocMem(hProcess, sizeof(l_DelMod)))
// Give the host a handle to this process with SYNCHRONIZE only — enough to
// wait for exit, not enough to read or modify this process.
// NOTE(review): if the later WriteProcessMemory fails, this duplicate is
// never closed in the host.
if(DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), hProcess, &l_DelMod.hCaller, SYNCHRONIZE, FALSE, 0)) {
// KERNEL32 is assumed to be mapped at the same base in the host, so local
// export addresses are valid there.
HINSTANCE hK32 = GetModuleHandle(_T("KERNEL32.dll"));
l_DelMod.pWaitForSingleObject = (TWFSO)GetProcAddress(hK32, "WaitForSingleObject");
l_DelMod.pRemoveDirectoryA = (TREMD)GetProcAddress(hK32, "RemoveDirectoryA");
l_DelMod.pDeleteFileA = (TDELF)GetProcAddress(hK32, "DeleteFileA");
l_DelMod.plstrlenA = (TLSLN)GetProcAddress(hK32, "lstrlenA");
l_DelMod.pCloseHandle = (TCLSH)GetProcAddress(hK32, "CloseHandle");
l_DelMod.pVirtualFree = (TVIFR)GetProcAddress(hK32, "VirtualFree");
if(WriteProcessMemory(hProcess, pDelMod, &l_DelMod, sizeof(l_DelMod), NULL))
// The code size is taken as the distance from DelModRC to RemoveFiles, i.e.
// it assumes the linker lays RemoveFiles out directly after DelModRC with
// nothing in between. Function ordering, LTCG or incremental-link thunks
// would break this silently.
// DelModRC blocks until this process exits, so ErrorAHTimeOut is the
// expected (successful) outcome; any other status means the remote thread
// ended early.
if(hRemoteExecute(NULL, hProcess, 0, DelModRC, (DWORD)RemoveFiles-(DWORD)DelModRC+sizeof(DWORD)-1, pDelMod) == ErrorAHTimeOut)
Result = TRUE;
}
// On success the remote buffers are deliberately left in place: DelModRC
// frees them itself once it has finished.
if(!Result) {
if(pDelMod)
pRCI->RtlFreeMem(hProcess, pDelMod);
if(l_DelMod.pFileNamesA)
pRCI->RtlFreeMem(hProcess, l_DelMod.pFileNamesA);
}
CloseHandle(hProcess);
}
// Restore SeDebugPrivilege to its previous state.
if(RAP)
RAP(20, WasEn, 0, &WasEn);
}
return(Result);
}
// Registry cleanup hook called from _tmain; currently a no-op that reports success.
BOOL WINAPI RemoveKeys(VOID) {
    return TRUE;
}
// Hook for shutting down other running copies, called from _tmain; currently a
// no-op that reports success.
BOOL WINAPI CloseOtherInstances(VOID) {
    return TRUE;
}
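// Entry point. Usage: one argument, the path of the file holding the list of
// paths to delete after this process exits (see RemoveFiles).
// Returns 0 when the list was staged successfully, 1 when the argument count is
// wrong or RemoveFiles fails. The original declared VOID, which left the
// process exit code indeterminate.
// Note: argv[1] is TCHAR* and RemoveFiles ends up passing it to CreateFileA,
// so this program is only correct as an ANSI build (UNICODE undefined).
int _tmain(int argc, TCHAR** argv) {
    CloseOtherInstances();
    RemoveKeys();
    if (argc != 2) {
        return 1;
    }
    return RemoveFiles(argv[1]) ? 0 : 1;
}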