VC用远程线程来实现程序自删除
#include <windows.h>
#include <tchar.h>
#include <TLHELP32.H>
#include <stddef.h>
/*
push dwTime
call Sleep
mov eax, [esp + 4]
push eax
call DeleteFileA
ret 4
*/
#pragma pack(push, 1)
/*
 * Byte-exact image of the x86 stub listed in the comment above:
 *   push imm32 / call rel32 / mov eax,[esp+4] / push eax / call rel32 / ret 4
 * followed by the NUL-terminated path the stub hands to DeleteFileA.
 * pack(1) is essential: the fields are instruction bytes and immediates, so
 * no padding may be inserted. The two rel32 operands (dwSleep, dwDeleteFileA)
 * are first filled with absolute addresses and made relative in RemoteDel once
 * the destination address in the target process is known. szFile[1] is a
 * C89-style trailing array; the real allocation is
 * sizeof(DELETESTRUCT) + lstrlenA(path), so the [1] holds the NUL.
 * 32-bit only: DWORD immediates and hard-coded opcodes assume x86.
 */
typedef struct _tagDeleteStruct {
BYTE byPush;          /* 0x68: push imm32 */
DWORD dwTime;         /* imm32: milliseconds passed to Sleep */
BYTE wCall1;          /* 0xe8: call rel32 (BYTE despite the "w" prefix) */
DWORD dwSleep;        /* rel32 to Sleep, relative to the address of dwMov */
DWORD dwMov;          /* 8b 44 24 04: mov eax, [esp+4] (the thread argument) */
BYTE byPushEax;       /* 0x50: push eax */
BYTE wCall2;          /* 0xe8: call rel32 (BYTE despite the "w" prefix) */
DWORD dwDeleteFileA;  /* rel32 to DeleteFileA, relative to the address of byRet */
BYTE byRet;           /* 0xc2: ret imm16 */
WORD w4;              /* imm16 = 4: pops the single stdcall thread argument */
CHAR szFile[1];       /* first byte of the path; overlaid by a longer allocation */
} DELETESTRUCT, *PDELETESTRUCT;
#pragma pack(pop)
/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Called before RemoteDel so that OpenProcess can succeed on a target the
 * caller's token could not otherwise open. Every failure is silent: the
 * function returns void, the result of AdjustTokenPrivileges is never
 * examined, and that call returns TRUE even when the token does not hold the
 * privilege (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), so a caller
 * cannot tell whether the privilege was actually enabled.
 * NOTE(review): enabling SeDebugPrivilege is a commonly audited precursor to
 * cross-process memory access and is worth alerting on in its own right.
 */
void EnablePrivilege(void)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp = { 0 };
/* Pseudo-handle to the current process; it does not need CloseHandle. */
HANDLE hProcess = GetCurrentProcess();
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
return;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
{
CloseHandle(hToken);
return;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Previous state is not requested (NULL, NULL); return value is ignored. */
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
NULL, NULL);
CloseHandle(hToken);
}
/*
 * Return the process ID of the first running process whose image name equals
 * lpszProcess (case-insensitive, via lstrcmpi), or 0 when nothing matches.
 *
 * Walks a ToolHelp process snapshot. NOTE(review): the snapshot handle is not
 * compared against INVALID_HANDLE_VALUE and the result of Process32First is
 * not checked, so on failure the do/while still compares one uninitialised
 * pe32 entry before Process32Next ends the loop. 0 doubles as "not found" and
 * as the idle process's ID; OpenProcess in RemoteDel is expected to fail for
 * it either way, so the ambiguity is harmless here.
 */
DWORD FindTarget(LPCTSTR lpszProcess)
{
DWORD dwRet = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32;
/* dwSize must be set before the first Process32First/Next call. */
pe32.dwSize = sizeof( PROCESSENTRY32 );
Process32First(hSnapshot, &pe32);
do
{
if (0 == lstrcmpi(pe32.szExeFile, lpszProcess))
{
dwRet = pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
return dwRet;
}
/*
 * In-process model of the remote stub: sleep 50 ms, then delete the file
 * named by lpParam. Nothing in this listing calls it; it appears to be the C
 * version from which the hand-assembled DELETESTRUCT (same Sleep-then-
 * DeleteFileA sequence) was derived. Run inside this process it presumably
 * cannot remove the program's own image, which is still mapped; that is why
 * the real deletion is moved into another process. Returns the thread exit
 * code (always 0).
 */
DWORD WINAPI DelProc(LPVOID lpParam)
{
Sleep(50);
DeleteFileA((LPCSTR)lpParam);
return 0;
}
/*
 * Copy the DELETESTRUCT stub plus the file path into process dwProcessID and
 * start a thread there whose entry point is the stub: it sleeps dwTime ms and
 * then calls DeleteFileA(lpszFileName) from inside the target.
 *
 * Returns FALSE only when OpenProcess or VirtualAllocEx fails. The results of
 * GlobalAlloc, GetModuleHandle, GetProcAddress, WriteProcessMemory and
 * CreateRemoteThread are not checked, so TRUE does not mean the thread ran.
 *
 * Risk / detection notes:
 *  - OpenProcess(CREATE_THREAD|VM_OPERATION|VM_WRITE) -> VirtualAllocEx ->
 *    WriteProcessMemory -> CreateRemoteThread with a start address outside any
 *    loaded module is the textbook remote-thread injection sequence; host
 *    telemetry keys on exactly this chain, and the new thread in the target
 *    has a start address in unbacked memory.
 *  - The region is committed PAGE_READWRITE yet used as code; on a target with
 *    DEP enforced this should fault rather than run (needs confirmation).
 *  - The remote allocation is never released (no VirtualFreeEx), so the stub
 *    and the deleted file's path stay resident in the target afterwards and
 *    are recoverable by memory inspection.
 *  - 32-bit only: pointers are truncated to DWORD and the opcodes are x86.
 *  - GetProcAddress is resolved locally; the stub only works if kernel32.dll
 *    has the same base address in the target as in this process.
 */
BOOL RemoteDel(DWORD dwProcessID, LPCSTR lpszFileName, DWORD dwTime)
{
// Open the target process with the rights injection needs
HANDLE hProcess = OpenProcess(
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE,
dwProcessID);
if (NULL == hProcess)
return FALSE;
// Build the deletion stub locally before copying it into the target.
// sizeof(DELETESTRUCT) already includes szFile[1], which holds the NUL.
DWORD dwSize = sizeof(DELETESTRUCT) + lstrlenA(lpszFileName);
PDELETESTRUCT pDel = (PDELETESTRUCT)GlobalAlloc(GPTR, dwSize); /* GPTR zero-fills; NULL result not checked */
HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
// push dwTime
pDel->byPush = 0x68;
pDel->dwTime = dwTime;
// call Sleep  (absolute address for now; made relative below)
pDel->wCall1 = 0xe8;
pDel->dwSleep = (DWORD)GetProcAddress(hKernel32, "Sleep");
// mov eax, [esp + 4]  -- the thread argument: pointer to szFile in the target
pDel->dwMov = 0x0424448b;
// push eax
pDel->byPushEax = 0x50;
// call DeleteFileA  (absolute address for now; made relative below)
pDel->wCall2 = 0xe8;
pDel->dwDeleteFileA = (DWORD)GetProcAddress(hKernel32, "DeleteFileA");
// ret 4  -- stdcall return popping the single thread argument
pDel->byRet = 0xc2;
pDel->w4 = 0x0004;
lstrcpyA(pDel->szFile, lpszFileName);
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT,
PAGE_READWRITE);
if (NULL == lpBuf)
{
GlobalFree((HGLOBAL)pDel);
CloseHandle(hProcess);
return FALSE;
}
// Fix up the near calls: rel32 = target - address of the instruction after the call
pDel->dwSleep -= (DWORD)lpBuf + offsetof(DELETESTRUCT, dwMov);
pDel->dwDeleteFileA -= (DWORD)lpBuf + offsetof(DELETESTRUCT, byRet);
DWORD dwWritten;
WriteProcessMemory(hProcess, lpBuf, (LPVOID)pDel, dwSize, &dwWritten); /* result and dwWritten unchecked */
// Create the remote thread; the deletion runs inside the target process.
// Start address = the stub itself, parameter = address of szFile in the copy.
DWORD dwID;
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpBuf,
(LPVOID)((DWORD)lpBuf + offsetof(DELETESTRUCT, szFile)), 0, &dwID);
GlobalFree((HGLOBAL)pDel);
CloseHandle(hThread); /* NULL when CreateRemoteThread failed; not checked */
CloseHandle(hProcess);
return TRUE;
}
int WINAPI _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPTSTR lpCmdLine, int nShowCmd)
{
EnablePrivilege();
CHAR szMe[MAX_PATH];
GetModuleFileNameA(NULL, szMe, MAX_PATH);
DWORD dwId = FindTarget(_T("Explorer.exe"));
RemoteDel(dwId, szMe, 50);
return 0;
#include <tchar.h>
#include <TLHELP32.H>
#include <stddef.h>
/*
push dwTime
call Sleep
mov eax, [esp + 4]
push eax
call DeleteFileA
ret 4
*/
#pragma pack(push, 1)
/*
 * Byte-exact image of the x86 stub listed in the comment above:
 *   push imm32 / call rel32 / mov eax,[esp+4] / push eax / call rel32 / ret 4
 * followed by the NUL-terminated path the stub hands to DeleteFileA.
 * pack(1) is essential: the fields are instruction bytes and immediates, so
 * no padding may be inserted. The two rel32 operands (dwSleep, dwDeleteFileA)
 * are first filled with absolute addresses and made relative in RemoteDel once
 * the destination address in the target process is known. szFile[1] is a
 * C89-style trailing array; the real allocation is
 * sizeof(DELETESTRUCT) + lstrlenA(path), so the [1] holds the NUL.
 * 32-bit only: DWORD immediates and hard-coded opcodes assume x86.
 */
typedef struct _tagDeleteStruct {
BYTE byPush;          /* 0x68: push imm32 */
DWORD dwTime;         /* imm32: milliseconds passed to Sleep */
BYTE wCall1;          /* 0xe8: call rel32 (BYTE despite the "w" prefix) */
DWORD dwSleep;        /* rel32 to Sleep, relative to the address of dwMov */
DWORD dwMov;          /* 8b 44 24 04: mov eax, [esp+4] (the thread argument) */
BYTE byPushEax;       /* 0x50: push eax */
BYTE wCall2;          /* 0xe8: call rel32 (BYTE despite the "w" prefix) */
DWORD dwDeleteFileA;  /* rel32 to DeleteFileA, relative to the address of byRet */
BYTE byRet;           /* 0xc2: ret imm16 */
WORD w4;              /* imm16 = 4: pops the single stdcall thread argument */
CHAR szFile[1];       /* first byte of the path; overlaid by a longer allocation */
} DELETESTRUCT, *PDELETESTRUCT;
#pragma pack(pop)
/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Called before RemoteDel so that OpenProcess can succeed on a target the
 * caller's token could not otherwise open. Every failure is silent: the
 * function returns void, the result of AdjustTokenPrivileges is never
 * examined, and that call returns TRUE even when the token does not hold the
 * privilege (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), so a caller
 * cannot tell whether the privilege was actually enabled.
 * NOTE(review): enabling SeDebugPrivilege is a commonly audited precursor to
 * cross-process memory access and is worth alerting on in its own right.
 */
void EnablePrivilege(void)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp = { 0 };
/* Pseudo-handle to the current process; it does not need CloseHandle. */
HANDLE hProcess = GetCurrentProcess();
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
return;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
{
CloseHandle(hToken);
return;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Previous state is not requested (NULL, NULL); return value is ignored. */
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
NULL, NULL);
CloseHandle(hToken);
}
/*
 * Return the process ID of the first running process whose image name equals
 * lpszProcess (case-insensitive, via lstrcmpi), or 0 when nothing matches.
 *
 * Walks a ToolHelp process snapshot. NOTE(review): the snapshot handle is not
 * compared against INVALID_HANDLE_VALUE and the result of Process32First is
 * not checked, so on failure the do/while still compares one uninitialised
 * pe32 entry before Process32Next ends the loop. 0 doubles as "not found" and
 * as the idle process's ID; OpenProcess in RemoteDel is expected to fail for
 * it either way, so the ambiguity is harmless here.
 */
DWORD FindTarget(LPCTSTR lpszProcess)
{
DWORD dwRet = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe32;
/* dwSize must be set before the first Process32First/Next call. */
pe32.dwSize = sizeof( PROCESSENTRY32 );
Process32First(hSnapshot, &pe32);
do
{
if (0 == lstrcmpi(pe32.szExeFile, lpszProcess))
{
dwRet = pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
return dwRet;
}
/*
 * In-process model of the remote stub: sleep 50 ms, then delete the file
 * named by lpParam. Nothing in this listing calls it; it appears to be the C
 * version from which the hand-assembled DELETESTRUCT (same Sleep-then-
 * DeleteFileA sequence) was derived. Run inside this process it presumably
 * cannot remove the program's own image, which is still mapped; that is why
 * the real deletion is moved into another process. Returns the thread exit
 * code (always 0).
 */
DWORD WINAPI DelProc(LPVOID lpParam)
{
Sleep(50);
DeleteFileA((LPCSTR)lpParam);
return 0;
}
/*
 * Copy the DELETESTRUCT stub plus the file path into process dwProcessID and
 * start a thread there whose entry point is the stub: it sleeps dwTime ms and
 * then calls DeleteFileA(lpszFileName) from inside the target.
 *
 * Returns FALSE only when OpenProcess or VirtualAllocEx fails. The results of
 * GlobalAlloc, GetModuleHandle, GetProcAddress, WriteProcessMemory and
 * CreateRemoteThread are not checked, so TRUE does not mean the thread ran.
 *
 * Risk / detection notes:
 *  - OpenProcess(CREATE_THREAD|VM_OPERATION|VM_WRITE) -> VirtualAllocEx ->
 *    WriteProcessMemory -> CreateRemoteThread with a start address outside any
 *    loaded module is the textbook remote-thread injection sequence; host
 *    telemetry keys on exactly this chain, and the new thread in the target
 *    has a start address in unbacked memory.
 *  - The region is committed PAGE_READWRITE yet used as code; on a target with
 *    DEP enforced this should fault rather than run (needs confirmation).
 *  - The remote allocation is never released (no VirtualFreeEx), so the stub
 *    and the deleted file's path stay resident in the target afterwards and
 *    are recoverable by memory inspection.
 *  - 32-bit only: pointers are truncated to DWORD and the opcodes are x86.
 *  - GetProcAddress is resolved locally; the stub only works if kernel32.dll
 *    has the same base address in the target as in this process.
 */
BOOL RemoteDel(DWORD dwProcessID, LPCSTR lpszFileName, DWORD dwTime)
{
// Open the target process with the rights injection needs
HANDLE hProcess = OpenProcess(
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE,
dwProcessID);
if (NULL == hProcess)
return FALSE;
// Build the deletion stub locally before copying it into the target.
// sizeof(DELETESTRUCT) already includes szFile[1], which holds the NUL.
DWORD dwSize = sizeof(DELETESTRUCT) + lstrlenA(lpszFileName);
PDELETESTRUCT pDel = (PDELETESTRUCT)GlobalAlloc(GPTR, dwSize); /* GPTR zero-fills; NULL result not checked */
HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
// push dwTime
pDel->byPush = 0x68;
pDel->dwTime = dwTime;
// call Sleep  (absolute address for now; made relative below)
pDel->wCall1 = 0xe8;
pDel->dwSleep = (DWORD)GetProcAddress(hKernel32, "Sleep");
// mov eax, [esp + 4]  -- the thread argument: pointer to szFile in the target
pDel->dwMov = 0x0424448b;
// push eax
pDel->byPushEax = 0x50;
// call DeleteFileA  (absolute address for now; made relative below)
pDel->wCall2 = 0xe8;
pDel->dwDeleteFileA = (DWORD)GetProcAddress(hKernel32, "DeleteFileA");
// ret 4  -- stdcall return popping the single thread argument
pDel->byRet = 0xc2;
pDel->w4 = 0x0004;
lstrcpyA(pDel->szFile, lpszFileName);
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT,
PAGE_READWRITE);
if (NULL == lpBuf)
{
GlobalFree((HGLOBAL)pDel);
CloseHandle(hProcess);
return FALSE;
}
// Fix up the near calls: rel32 = target - address of the instruction after the call
pDel->dwSleep -= (DWORD)lpBuf + offsetof(DELETESTRUCT, dwMov);
pDel->dwDeleteFileA -= (DWORD)lpBuf + offsetof(DELETESTRUCT, byRet);
DWORD dwWritten;
WriteProcessMemory(hProcess, lpBuf, (LPVOID)pDel, dwSize, &dwWritten); /* result and dwWritten unchecked */
// Create the remote thread; the deletion runs inside the target process.
// Start address = the stub itself, parameter = address of szFile in the copy.
DWORD dwID;
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpBuf,
(LPVOID)((DWORD)lpBuf + offsetof(DELETESTRUCT, szFile)), 0, &dwID);
GlobalFree((HGLOBAL)pDel);
CloseHandle(hThread); /* NULL when CreateRemoteThread failed; not checked */
CloseHandle(hProcess);
return TRUE;
}
/*
 * Entry point: enable SeDebugPrivilege, locate Explorer.exe, and have it
 * delete this executable 50 ms after the remote thread starts. This process
 * then exits at once; an executable's image cannot be deleted while it is
 * still mapped, so the delay is presumably what lets this process finish
 * exiting before DeleteFileA runs. The results of GetModuleFileNameA,
 * FindTarget and RemoteDel are ignored: if Explorer.exe is not found
 * (dwId == 0) or the injection fails, the file simply stays on disk.
 * This is the "delete the dropper" anti-forensic pattern; the detection
 * signal is a short-lived process that injects into Explorer.exe and whose
 * image disappears immediately after it exits. The unused parameters are
 * part of the WinMain contract.
 */
int WINAPI _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPTSTR lpCmdLine, int nShowCmd)
{
EnablePrivilege();
CHAR szMe[MAX_PATH];
/* ANSI path because the stub calls DeleteFileA; silently truncated at MAX_PATH. */
GetModuleFileNameA(NULL, szMe, MAX_PATH);
DWORD dwId = FindTarget(_T("Explorer.exe"));
RemoteDel(dwId, szMe, 50);
return 0;
}
转自:http://blog.csdn.net/wangningyu/article/details/4675713