本人学了逆向一个月,已经逆向了很多源码,包括xp系统的finger.exe bootvrfy.exe dllhost.exe lsass.exe regwiz.exe winhlp32.exe 和rand()函数system()函数,
第三方软件有memuse unlocker(部分) autologin 正在逆向的有tracert.exe ping.exe
自从慢慢掌握ida逆向软件后,就一发不可收拾,逆向这种东西没什么教程,也没看过什么教程,基本上掌握了一点汇编知识就开始着手了,都是自己找规律找窍门,
有时候需要灵感,技巧,经验,一下子想通了,就逆向出来了,写出c源代码。
下面是一些文件的代码:
dllhst3g.exe:
#include <windows.h>
#pragma comment(lib,"ole32.lib")
extern "C" HRESULT WINAPI CoRegisterSurrogateEx(REFGUID rguidProcessID,void* reserved);
//本人在原始汇编代码上稍作相应c语言优化,不会影响代码运行效率
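// Splits lpString on spaces into matrix[0..MatrixWidth-1]; each row receives a
// NUL-terminated token of at most MatrixLength WCHAR-free chars (terminator
// included). Runs of spaces are collapsed and leading spaces yield no token.
// Returns the number of tokens stored, or 0 when a token does not fit in a row
// (the original also returned 0 for that overflow case).
// Fixes relative to the disassembly-derived version: the length test allowed
// the character and the terminator to be written past the end of a row, and a
// trailing space incremented the count for a row that was never written.
int WINAPI GetCommandLineArguments(LPCSTR lpString,char** matrix,int MatrixWidth,int MatrixLength)
{
    if(lpString == NULL || matrix == NULL || MatrixWidth <= 0 || MatrixLength <= 0)
        return 0;
    int row=0;   // index of the token currently being filled
    int col=0;   // write position inside that token
    for(LPCSTR p=lpString; *p != '\0'; p++)
    {
        char c=*p;
        if(c == ' ')
        {
            if(col != 0)   // end of a token; ignore repeated separators
            {
                matrix[row][col]='\0';
                row++;
                col=0;
                if(row == MatrixWidth) return row;   // matrix is full; rest is dropped
            }
            continue;
        }
        // Keep one slot free for the terminator that closes this token.
        if(col >= MatrixLength-1) return 0;
        matrix[row][col++]=c;
    }
    if(col != 0)   // terminate the last token only if one was started
    {
        matrix[row][col]='\0';
        row++;
    }
    return row;
}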
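// dllhst3g surrogate host entry point. Accepts a command line of the form
// "/ProcessID:{CLSID}" (or a bare "{CLSID}"), converts it to UTF-16 and
// registers this process as the COM surrogate for that class.
// Fix: the original passed (char**)&command to GetCommandLineArguments, so
// matrix[0] was the uninitialised first bytes of `command` reinterpreted as a
// pointer; an explicit one-row pointer array is passed now.
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
{
    enum { WIDTH = 1, LENGTH = 260 };
    (void)hInstance; (void)hPrevInstance; (void)nShowCmd;
    char command[LENGTH];
    char* rows[WIDTH]={command};
    if(GetCommandLineArguments(lpCmdLine,rows,WIDTH,LENGTH) < 1)
        return 0;
    char* clsidText=command;
    if(command[0] != '\0')
    {
        // Split "switch:value" at the first ':' (if any).
        char* sep=command;
        while(*sep != ':' && *sep != '\0')
            sep++;
        if(*sep != '\0')
        {
            *sep='\0';
            clsidText=sep+1;
        }
        // Only "/ProcessID:<clsid>" selects the text after the colon; any other
        // (possibly truncated) text is treated as the CLSID itself, as before.
        if(*clsidText == '\0' || lstrcmpi(command,"/ProcessID")!=0)
            clsidText=command;
    }
    WCHAR wide[41];
    CLSID clsid;
    // MultiByteToWideChar returns 0 when the text (with terminator) does not fit
    // in 41 WCHARs, so an oversized argument is rejected rather than truncated.
    if(MultiByteToWideChar(CP_ACP,0,clsidText,lstrlen(clsidText)+1,wide,41) != 0 &&
       SUCCEEDED(CLSIDFromString(wide,&clsid)) &&
       SUCCEEDED(CoInitializeEx(NULL,COINIT_MULTITHREADED)))
    {
        CoRegisterSurrogateEx(clsid,NULL);
        CoUninitialize();
        TerminateProcess(GetCurrentProcess(),0);
    }
    return 0;
}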
bootvrfy.exe:
// 服务控制管理器是一个RPC 服务器,它显露了一组应用编程接口,程序员可以方便的编写程序来配置
// 服务和控制远程服务器中服务程序。
// 服务程序通常编写成控制台类型的应用程序,总的来说,一个遵守服务控制管理程序接口要求的程序
//
// 包含下面三个函数:
// 1。服务程序主函数(main):调用系统函数 StartServiceCtrlDispatcher 连接程序主线程到服务控制管理程序。
// 2。服务入口点函数(ServiceMain):执行服务初始化任务,同时执行多个服务的服务进程有多个服务入口函数。
// 3。控制服务处理程序函数(Handler):在服务程序收到控制请求时由控制分发线程引用。(此处是Service_Ctrl)。
// 另外在系统运行此服务之前需要安装登记服务程序:installService 函数。删除服务程序则需要先删除服务安装登记:removeService 函数。
#include <windows.h>
#include <winsvc.h>
/* State shared by HandlerProc and ServiceProc: the handle returned by
 * RegisterServiceCtrlHandlerW, the status record passed to SetServiceStatus,
 * and the event HandlerProc signals when SERVICE_CONTROL_STOP arrives.
 * Everything starts out NULL/zero. */
SERVICE_STATUS_HANDLE BootVerificationStatusHandle = NULL;
SERVICE_STATUS BootVerificationStatus = {0};
HANDLE BootVerificationDoneEvnet = NULL;   /* name (sic) kept: referenced below */
/* Service control handler registered by ServiceProc.
 * SERVICE_CONTROL_STOP moves the status to STOP_PENDING and wakes ServiceProc
 * through the done event; every control request ends by reporting the current
 * status back to the SCM. A failed SetServiceStatus is not acted upon - the
 * GetLastError() call only exists so the code can be inspected in a debugger. */
void WINAPI HandlerProc(DWORD dwControl)
{
    switch(dwControl)
    {
    case SERVICE_CONTROL_STOP:
        BootVerificationStatus.dwWin32ExitCode = 0;
        BootVerificationStatus.dwCurrentState = SERVICE_STOP_PENDING;
        SetEvent(BootVerificationDoneEvnet);
        break;
    default:
        break;
    }
    if(SetServiceStatus(BootVerificationStatusHandle, &BootVerificationStatus) == FALSE)
        GetLastError();
}
/* Service entry point for "BootVerification".
 * Reports RUNNING, tells the SCM the boot configuration is good
 * (NotifyBootConfigStatus), then asks the SCM to stop this same service and
 * waits for the event HandlerProc signals when the stop request arrives.
 * Notes for maintainers: the SC_HANDLEs opened here are never closed (the
 * ExitThread/ExitProcess calls end the service first); the GetLastError() near
 * the end must directly follow the call whose failure it records, so the
 * statement order is significant; ControlService returns a BOOL, which the
 * original compares against NULL. The two argument parameters are unused. */
void WINAPI ServiceProc(DWORD dwNumServicesArgs,LPWSTR *lpServiceArgVectors)//service entry point
{
SERVICE_STATUS ServiceStatus;
BootVerificationDoneEvnet=CreateEvent(NULL,TRUE,FALSE,NULL);//manual-reset event, initially non-signalled
BootVerificationStatus.dwServiceType=SERVICE_WIN32;
BootVerificationStatus.dwCurrentState=SERVICE_RUNNING;
BootVerificationStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP;
//The service can be stopped. This control code allows the service to receive SERVICE_CONTROL_STOP notifications.
BootVerificationStatus.dwWin32ExitCode=0;
BootVerificationStatus.dwServiceSpecificExitCode=0;
BootVerificationStatus.dwCheckPoint=0;
// This value is not valid and should be zero when the service does not have a start, stop, pause, or continue operation pending
BootVerificationStatus.dwWaitHint=0;
BootVerificationStatusHandle=RegisterServiceCtrlHandlerW(L"BootVerification",HandlerProc);//register the control handler; NULL on failure, which the next call then reports
if(!SetServiceStatus(BootVerificationStatusHandle,&BootVerificationStatus))//publish RUNNING; the error value is only fetched, not used
GetLastError();
NotifyBootConfigStatus(TRUE);//this function reports the boot status to the service control manager
SC_HANDLE scm=OpenSCManagerW(NULL,NULL,SC_MANAGER_CONNECT);//Enables connecting to the service control manager.
if(scm != NULL)
{
SC_HANDLE service=OpenServiceW(scm,L"BootVerification",SERVICE_STOP);
if(service != NULL && ControlService(service,SERVICE_CONTROL_STOP,&ServiceStatus) != NULL/*sends a control code to a service.*/ )
{
WaitForSingleObject(BootVerificationDoneEvnet,INFINITE);//block until HandlerProc has seen SERVICE_CONTROL_STOP
BootVerificationStatus.dwWin32ExitCode=0;
BootVerificationStatus.dwCurrentState=SERVICE_STOPPED;
if(!SetServiceStatus(BootVerificationStatusHandle,&BootVerificationStatus))
GetLastError();
ExitThread(0);//normal end: this thread is the service's only one
}
}
BootVerificationStatus.dwWin32ExitCode=GetLastError();//failure path: report why the SCM/service could not be reached (state stays as last set)
SetServiceStatus(BootVerificationStatusHandle,&BootVerificationStatus);
ExitProcess(0);
}
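/* Service program main: hands the main thread to the SCM dispatcher with a
 * one-entry service table. StartServiceCtrlDispatcherW returns once every
 * service has stopped, or immediately with FALSE when the process was not
 * started by the SCM; in both cases the process exits with code 0, as before.
 * Fixes: standard `int main(void)` instead of `void main()`, a designated
 * table initialiser, and the unused `nret` local removed. */
int main(void)
{
    SERVICE_TABLE_ENTRYW ServiceStartTable[] = {
        { L"BootVerification", ServiceProc },
        { NULL, NULL }   /* terminates the table */
    };
    if(!StartServiceCtrlDispatcherW(ServiceStartTable))
    {
        /* Typically ERROR_FAILED_SERVICE_CONTROLLER_CONNECT when run from a
         * console; fetched for a debugger only, the exit code is unchanged. */
        (void)GetLastError();
    }
    ExitProcess(0);
    return 0;   /* not reached */
}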
memuse.exe
#define UNICODE
#include <windows.h>
#include "resource.h"
#define IDT_timer 1000
/* Dialog-wide state, all zero at start-up: show values in KB instead of bytes,
 * keep the main window topmost, the underlined link font created by the About
 * box, and the arrow/hand cursors used over its link controls. */
BOOL IsShowInKb = FALSE;
BOOL IsAlwayOnTop = FALSE;
HFONT hFont = NULL;
HCURSOR hCursor1 = NULL;
HCURSOR hCursor2 = NULL;
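/* Writes `data` (bytes, or KB when IsShowInKb is set) into dialog control
 * nIDDlgItem as a thousands-grouped decimal, e.g. "1,048,576" or "1,024K".
 * Fixes: the original formatted the 64-bit DWORDLONG with wsprintfW("%lu") -
 * which truncates to 32 bits and was also passed a spurious extra argument -
 * and used a 25-WCHAR output buffer that a grouped 20-digit number overflows;
 * a failed GetNumberFormatW left that buffer uninitialised. */
void showstring(HWND hDlg,int nIDDlgItem,DWORDLONG data)
{
    enum { DIGITS_CAP = 32,   /* 20 decimal digits + NUL is the 64-bit maximum */
           STRING_CAP = 40,   /* 20 digits + 6 separators + "K" + NUL */
           SUFFIX_ROOM = 2 }; /* keep space for the "K" appended below */
    WCHAR Digits[DIGITS_CAP];
    WCHAR String[STRING_CAP];
    NUMBERFMTW Format;
    memset(&Format,0,sizeof(NUMBERFMTW));
    if(IsShowInKb)
        data /= 1024;
    /* Render the full 64-bit value by hand: wsprintf has no 64-bit conversion. */
    WCHAR *p = Digits + DIGITS_CAP - 1;
    *p = L'\0';
    do
    {
        *--p = (WCHAR)(L'0' + (data % 10));
        data /= 10;
    } while(data != 0);
    Format.NumDigits = 0;   /* no fractional part (memset already did this; stated for clarity) */
    Format.Grouping = 3;
    Format.lpDecimalSep = L".";
    Format.lpThousandSep = L",";
    if(GetNumberFormatW(LOCALE_USER_DEFAULT,0,p,&Format,String,STRING_CAP-SUFFIX_ROOM) == 0)
        lstrcpynW(String,p,STRING_CAP-SUFFIX_ROOM);   /* fall back to the ungrouped digits */
    if(IsShowInKb) lstrcatW(String,L"K");
    SetDlgItemTextW(hDlg,nIDDlgItem,String);
}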
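/* Timer tick / initial refresh: queries GlobalMemoryStatusEx, pushes the six
 * counters into the dialog and puts the load percentage into the title.
 * Fix: the original ignored a failed query and displayed the uninitialised
 * structure; now the dialog is left untouched in that case. */
void timerfunc(HWND hDlg)
{
    MEMORYSTATUSEX status;
    status.dwLength = sizeof(status);
    if(!GlobalMemoryStatusEx(&status))
        return;
    showstring(hDlg,TotalPhysical,status.ullTotalPhys);
    showstring(hDlg,TotalVirtual,status.ullTotalPageFile);
    showstring(hDlg,UsedPhysical,status.ullTotalPhys-status.ullAvailPhys);
    showstring(hDlg,UsedVirtual,status.ullTotalPageFile-status.ullAvailPageFile);
    showstring(hDlg,AvailablePhysical,status.ullAvailPhys);
    showstring(hDlg,AvailableVirtual,status.ullAvailPageFile);
    /* dwMemoryLoad is a 0..100 percentage, so %d is exact and 80 WCHARs is ample. */
    WCHAR title[80];
    wsprintfW(title,L"[Ph: %d%%] MemUse v0.4",status.dwMemoryLoad);
    SetWindowTextW(hDlg,title);
}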
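/* WM_CTLCOLORSTATIC helper for the About box: wParam is the control's HDC and
 * lParam the control's HWND. Controls with an ID <= 1803 (the link statics)
 * are drawn red and underlined (hFont) on the button-face background, and the
 * matching background brush is returned so a caller can hand it to the dialog
 * manager. Returns NULL for any other control (default colouring).
 * Fixes: the ID test was applied to the dialog window instead of the control
 * in lParam, the GetSysColorBrush result was discarded, and `brush` was unused. */
HBRUSH paintsth(HWND hwndDlg,WPARAM wParam,LPARAM lParam)
{
    HWND control = (HWND)lParam;
    HDC hdc = (HDC)wParam;
    (void)hwndDlg;
    if(control == NULL || GetDlgCtrlID(control) > 1803)
        return NULL;
    SetBkColor(hdc,GetSysColor(COLOR_BTNFACE));
    SetTextColor(hdc,RGB(255,0,0));   /* red link text */
    SelectObject(hdc,hFont);
    return GetSysColorBrush(COLOR_BTNFACE);   /* system brush: must not be deleted */
}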
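/* Dialog procedure of the About box. Its link statics (ID <= 1803) show a hand
 * cursor on hover and open their text with ShellExecuteW when clicked.
 * Fixes: the WM_MOUSEMOVE/WM_LBUTTONUP case fell through into the
 * WM_CTLCOLORSTATIC handler, which then treated the mouse-key flags in wParam
 * as an HDC; ChildWindowFromPointEx may return NULL or the dialog itself, both
 * of which passed the ID test and could lead to ShellExecuteW on an
 * uninitialised buffer (or the dialog caption). */
BOOL CALLBACK AboutDlgFunc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    switch(uMsg)
    {
    case WM_COMMAND:   /* any button closes the box */
    case WM_CLOSE:
        EndDialog(hwndDlg,0);
        DeleteObject(hFont);
        return 1;
    case WM_INITDIALOG:
    {
        LOGFONTW logfont;
        GetObjectW(GetStockObject(DEFAULT_GUI_FONT),sizeof(LOGFONTW),&logfont);
        logfont.lfUnderline=TRUE;
        hFont=CreateFontIndirectW(&logfont);   /* deleted in WM_CLOSE above */
        hCursor1=LoadCursorW(NULL,IDC_ARROW);
        hCursor2=LoadCursorW(NULL,IDC_HAND);
        /* Reuse the main dialog's class icon; shared cursors/icons need no cleanup. */
        SendMessageW(GetDlgItem(hwndDlg,IDI_MainIcon),STM_SETICON,
                     GetClassLongW(hwndDlg,GCL_HICON),0);
        return 1;
    }
    case WM_MOUSEMOVE:
        SetCursor(hCursor1);
        /* fallthrough: the hit test below is shared with WM_LBUTTONUP */
    case WM_LBUTTONUP:
    {
        POINT pt;
        pt.x=LOWORD(lParam);
        pt.y=HIWORD(lParam);
        HWND child=ChildWindowFromPointEx(hwndDlg,pt,CWP_SKIPTRANSPARENT);
        if(child != NULL && child != hwndDlg && GetDlgCtrlID(child) <= 1803)
        {
            if(uMsg == WM_MOUSEMOVE)
                SetCursor(hCursor2);
            else
            {
                /* The control's text is the target to open. */
                WCHAR Buffer[250];
                Buffer[0]=L'\0';
                SendMessageW(child,WM_GETTEXT,250,(LPARAM)Buffer);
                if(Buffer[0] != L'\0')
                    ShellExecuteW(hwndDlg,L"open",Buffer,NULL,NULL,SW_SHOWNORMAL);
            }
        }
        break;
    }
    case WM_CTLCOLORSTATIC:
        /* paintsth sets the colours; no brush is returned to the dialog manager
         * from here, so this message ends with the default return of 0. */
        paintsth(hwndDlg,wParam,lParam);
        break;
    default:
        break;
    }
    return 0;
}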
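/* Main dialog procedure. WM_INITDIALOG adds three commands to the system menu
 * and starts the 1 s refresh timer; WM_SYSCOMMAND toggles the KB/topmost options
 * and opens the About box. Returns 1 (handled) for WM_INITDIALOG, WM_CLOSE and
 * WM_TIMER, 0 otherwise - the same as before.
 * Fixes: the menu flags used MF_INSERT (an InsertMenu flag, value 0, identical
 * to MF_STRING) and the command IDs were bare numbers. */
BOOL CALLBACK DlgFunc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    /* System-menu command identifiers: names chosen here, values as in the binary. */
    enum { IDM_ALWAYS_ON_TOP = 112, IDM_ABOUT = 113, IDM_SHOW_IN_KB = 114 };
    switch(uMsg)
    {
    case WM_INITDIALOG:
    {
        HMENU sysmenu=GetSystemMenu(hwndDlg,FALSE);
        AppendMenuW(sysmenu,MF_SEPARATOR,0,NULL);
        AppendMenuW(sysmenu,MF_STRING,IDM_ALWAYS_ON_TOP,L"Always On &Top");
        AppendMenuW(sysmenu,MF_STRING,IDM_SHOW_IN_KB,L"S");   /* label as recovered from the binary */
        AppendMenuW(sysmenu,MF_SEPARATOR,0,NULL);
        AppendMenuW(sysmenu,MF_STRING,IDM_ABOUT,L"&About...");
        SetTimer(hwndDlg,IDT_timer,1000,NULL);
        timerfunc(hwndDlg);   /* fill the fields before the first tick */
        /* 32-bit build: GetWindowLongW/SetClassLongW truncate handles on 64-bit targets. */
        HICON icon=LoadIconW((HINSTANCE)GetWindowLongW(hwndDlg,GWL_HINSTANCE),MAKEINTRESOURCEW(IDI_MainIcon));
        SetClassLongW(hwndDlg,GCL_HICON,(LONG)icon);
        break;
    }
    case WM_CLOSE:
        EndDialog(hwndDlg,0);
        break;
    case WM_TIMER:
        timerfunc(hwndDlg);
        break;
    case WM_SYSCOMMAND:
    {
        HMENU sysmenu=GetSystemMenu(hwndDlg,FALSE);
        UINT checkstate;
        UINT uID;
        switch(LOWORD(wParam))
        {
        case IDM_SHOW_IN_KB:
            IsShowInKb = !IsShowInKb;
            checkstate = IsShowInKb ? MF_CHECKED : MF_UNCHECKED;
            uID = IDM_SHOW_IN_KB;
            break;
        case IDM_ALWAYS_ON_TOP:
        {
            RECT rect;
            GetWindowRect(hwndDlg,&rect);
            IsAlwayOnTop = !IsAlwayOnTop;
            /* Keep position and size; only the Z-order band changes. */
            SetWindowPos(hwndDlg,IsAlwayOnTop ? HWND_TOPMOST : HWND_NOTOPMOST,
                         rect.left,rect.top,rect.right-rect.left,rect.bottom-rect.top,0);
            checkstate = IsAlwayOnTop ? MF_CHECKED : MF_UNCHECKED;
            uID = IDM_ALWAYS_ON_TOP;
            break;
        }
        case IDM_ABOUT:
            DialogBoxParamW((HINSTANCE)GetWindowLongW(hwndDlg,GWL_HINSTANCE),
                            MAKEINTRESOURCEW(AboutDlg),hwndDlg,AboutDlgFunc,0);
            return 0;
        default:
            return 0;   /* standard system commands get default processing */
        }
        CheckMenuItem(sysmenu,uID,checkstate);
        return 0;
    }
    default:
        return 0;
    }
    return 1;
}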
/* Program entry: runs the main dialog modally and exits once it is closed.
 * Only hInstance is needed; the exit code is always 0. */
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nShowCmd;
    (void)DialogBoxParamW(hInstance, MAKEINTRESOURCEW(MainDlg), NULL, DlgFunc, 0);
    return 0;
}
regwiz.exe:
#include <objbase.h>
// {50E5E3D0-C07E-11D0-B9FD-00A0249F6B00}: class id of the RegWiz control.
CLSID CLSID_REGWIZCTRL = { 0x50E5E3D0, 0xC07E, 0x11D0, { 0xB9, 0xFD, 0x00, 0xA0, 0x24, 0x9F, 0x6B, 0x00 } };
// {50E5E3CF-C07E-11D0-B9FD-00A0249F6B00}: the interface requested from it.
CLSID IID_IREGWIZCTRL = { 0x50E5E3CF, 0xC07E, 0x11D0, { 0xB9, 0xFD, 0x00, 0xA0, 0x24, 0x9F, 0x6B, 0x00 } };
// Shape of the interface method called through the vtable: stdcall, `this`
// first, then a wide string. The method's real name is not recovered.
typedef void (WINAPI* UNKNOWN)(LPVOID, WCHAR*);
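// Converts an ANSI string to UTF-16 with the system code page.
// Returns a pointer to a buffer owned by this function. The buffer is static,
// so the result stays valid after return (the original returned a stack array,
// i.e. a dangling pointer) but is overwritten by the next call and the
// function is not thread-safe. A NULL input or a string that does not fit in
// 256 WCHARs yields "".
WCHAR* WINAPI ConvertToUnicode(LPCSTR lpMultiByteStr)
{
    static WCHAR WideCharStr[256];
    if(lpMultiByteStr == NULL ||
       MultiByteToWideChar(CP_ACP,0,lpMultiByteStr,-1,WideCharStr,256) == 0)
        WideCharStr[0]=L'\0';
    return WideCharStr;
}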
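// Creates the RegWiz control and calls one method of IID_IREGWIZCTRL with the
// command line converted to UTF-16. Always returns 0 (kept for callers).
// Fix: the original computed `vtable address + 36` and called that *number*
// as a function. The disassembly's [vtbl+36] is the function pointer stored in
// vtable slot 9 (36 / sizeof(void*) on the 32-bit build), which is what is
// called now; which interface method that slot is remains unrecovered - TODO
// confirm against the control's type library. The interface pointer is also
// released, which the original never did.
int WINAPI LoadAndUseRegWizCtrl(LPCSTR lpMultiByteStr)
{
    IUnknown* punk=NULL;
    HRESULT hr=CoCreateInstance(CLSID_REGWIZCTRL,NULL,CLSCTX_INPROC_SERVER | CLSCTX_REMOTE_SERVER,
                                IID_IREGWIZCTRL,(void**)&punk);
    if(SUCCEEDED(hr) && punk != NULL)
    {
        UNKNOWN* vtbl=*(UNKNOWN**)punk;   // first member of a COM object is its vtable pointer
        vtbl[9](punk,ConvertToUnicode(lpMultiByteStr));
        punk->Release();
    }
    return 0;
}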
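// Program entry: initialises COM on this thread, drives the RegWiz control with
// the raw command line, then uninitialises COM.
// Fixes: the original fell off the end of a non-void function (undefined exit
// code) and called CoUninitialize even when CoInitialize had failed.
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
{
    (void)hInstance; (void)hPrevInstance; (void)nShowCmd;
    if(FAILED(CoInitialize(NULL)))   // S_FALSE (already initialised) still counts as success
        return 1;
    LoadAndUseRegWizCtrl(lpCmdLine);
    CoUninitialize();
    return 0;
}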
winhlp32.exe
#include <windows.h>
#include "resource.h"
#pragma comment(lib,"version.lib")
// Process-wide state of the version-resource lookup (GetVersionInfo,
// GetVersionDatum, FreeVersionInfo). Field order is fixed: the global VS
// below is initialised positionally.
struct VersionStruct
{
LPVOID lpVersionBuffer;   // locked hmemVersion block holding the raw version data
LPVOID lpXlate;           // points into lpVersionBuffer at the \VarFileInfo\Translation array (original author's note: "has an error" - GetVersionInfo applies LOWORD/HIWORD to this pointer rather than to the DWORD it points to)
DWORD dwVersionSize;      // byte size returned by GetFileVersionInfoSizeW
DWORD dwHandle;           // handle out-parameter of GetFileVersionInfoSizeW, passed on to GetFileVersionInfoW
WCHAR szVersionKey[60];   // "\StringFileInfo\LLLLCCCC\" prefix; GetVersionDatum appends the value name at offset 25
DWORD cchXlateString;     // 45 * number of translations; written by GetVersionInfo, not read on this page
DWORD cXlate;             // number of translation entries (byte length / 4)
HGLOBAL hmemVersion;      // owning allocation behind lpVersionBuffer; NULL when nothing is loaded
HLOCAL pszXlate;          // LocalAlloc'd scratch of 90 * cXlate bytes, freed by FreeVersionInfo; not otherwise used on this page
};
// The single instance shared by the version helpers; all fields start NULL/0/"".
VersionStruct VS = {0};
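// Appends lpString2 to lpString without ever writing beyond maxpath WCHARs in
// total (terminator included; the tail is truncated). NULL arguments or
// maxpath <= 0 leave lpString untouched. Returns lpString.
// Fix: when lpString already held maxpath or more characters the original
// called lstrcpynW with a zero or negative length; that case now copies nothing.
LPCWSTR WINAPI lstrcati2(LPWSTR lpString,LPCWSTR lpString2,int maxpath/*maxlength*/)
{
    if(lpString == NULL || lpString2 == NULL || maxpath <= 0)
        return lpString;
    int len=lstrlenW(lpString);
    if(len < maxpath)
        lstrcpynW(lpString+len,lpString2,maxpath-len);   // lstrcpynW always terminates within the given length
    return lpString;
}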
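// Looks up string value `lpBuffer` (e.g. L"InternalName") under the
// "\StringFileInfo\<lang><codepage>\" prefix currently held in the first 25
// WCHARs of VS.szVersionKey. Returns a pointer into the locked version block,
// or NULL when no block is loaded, the name is NULL, or the value is absent.
// Fixes: `puLen` was read uninitialised when VerQueryValueW failed, and the
// value name was copied with an unbounded lstrcpyW into the 60-WCHAR key.
LPCWSTR WINAPI GetVersionDatum(LPCWSTR lpBuffer)
{
    enum { KEY_PREFIX_LEN = 25,
           KEY_CAPACITY = sizeof(VS.szVersionKey)/sizeof(VS.szVersionKey[0]) };
    if(VS.hmemVersion == NULL || lpBuffer == NULL) return NULL;
    lstrcpynW(VS.szVersionKey+KEY_PREFIX_LEN,lpBuffer,KEY_CAPACITY-KEY_PREFIX_LEN);
    LPVOID value=NULL;
    UINT cch=0;
    if(!VerQueryValueW(VS.lpVersionBuffer,VS.szVersionKey,&value,&cch) || cch == 0)
        return NULL;
    return (LPCWSTR)value;
}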
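// Releases the version block and scratch buffer held in VS and resets the
// pointers so the next GetVersionInfo starts clean. Safe when nothing is loaded.
// Fixes: dwHandle (a DWORD) was assigned NULL, and lpXlate - which points into
// the block freed here - was left dangling.
void FreeVersionInfo()
{
    VS.lpVersionBuffer=NULL;
    VS.lpXlate=NULL;
    VS.dwHandle=0;
    if(VS.hmemVersion)
    {
        GlobalUnlock(VS.hmemVersion);   // pairs with the GlobalLock in GetVersionInfo
        GlobalFree(VS.hmemVersion);
        VS.hmemVersion=NULL;
    }
    if(VS.pszXlate)
    {
        LocalFree(VS.pszXlate);
        VS.pszXlate=NULL;
    }
}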
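// Loads the version resource of "<dest>\<src>" (dest is extended in place,
// bounded by MAX_PATH) into VS and returns its InternalName, trying in order:
// the current thread locale with code page 04B0, the file's own first
// translation entry, then the fixed keys 040904B0, 040904E4 and 04090000.
// Returns NULL when the file has no version info or no key matches. The
// returned pointer lives in VS.hmemVersion until the next FreeVersionInfo or
// GetVersionInfo call.
// Fixes: the translation key was built from LOWORD/HIWORD of the lpXlate
// *pointer* instead of the DWORD it points to (language word, then code page
// word); LocalAlloc was given the GlobalAlloc flag name (same value,
// LMEM_ZEROINIT); the Translation query result and GlobalLock were unchecked.
LPCWSTR WINAPI GetVersionInfo(WCHAR* dest,const WCHAR* src)
{
    UINT cbXlate=0;
    if(VS.hmemVersion) FreeVersionInfo();
    lstrcati2(dest,L"\\",MAX_PATH);
    lstrcati2(dest,src,MAX_PATH);
    VS.dwVersionSize=GetFileVersionInfoSizeW(dest,&VS.dwHandle);
    if(VS.dwVersionSize==0) return NULL;
    VS.hmemVersion=GlobalAlloc(GMEM_ZEROINIT,VS.dwVersionSize);
    if(VS.hmemVersion==NULL) return NULL;
    VS.lpVersionBuffer=GlobalLock(VS.hmemVersion);
    if(VS.lpVersionBuffer==NULL ||
       !GetFileVersionInfoW(dest,VS.dwHandle,VS.dwVersionSize,VS.lpVersionBuffer))
        return NULL;   // VS still owns hmemVersion; the next call frees it
    if(!VerQueryValueW(VS.lpVersionBuffer,L"\\VarFileInfo\\Translation",&VS.lpXlate,&cbXlate))
        cbXlate=0;
    if(cbXlate >= sizeof(DWORD))
    {
        // One DWORD per translation: low word = language id, high word = code page.
        VS.cXlate=cbXlate/sizeof(DWORD);
        VS.cchXlateString=45*VS.cXlate;
        VS.pszXlate=LocalAlloc(LMEM_ZEROINIT,90*VS.cXlate);   // scratch kept for parity; unused on this page
    }
    else
    {
        cbXlate=0;
        VS.lpXlate=NULL;
    }
    // Candidate 1: the caller's thread locale with the Unicode code page 04B0.
    wsprintfW(VS.szVersionKey,L"\\StringFileInfo\\%04X04B0\\",GetThreadLocale());
    LPCWSTR result=GetVersionDatum(L"InternalName");
    if(result) return result;
    // Candidate 2: the file's first translation entry.
    if(cbXlate && VS.lpXlate)
    {
        DWORD xlate=*(DWORD*)VS.lpXlate;
        wsprintfW(VS.szVersionKey,L"\\StringFileInfo\\%04X%04X\\",LOWORD(xlate),HIWORD(xlate));
        if((result=GetVersionDatum(L"InternalName"))!=0) return result;
    }
    // Candidates 3-5: the usual US-English keys.
    static const WCHAR* const fallbackKeys[]={
        L"\\StringFileInfo\\040904B0\\",
        L"\\StringFileInfo\\040904E4\\",
        L"\\StringFileInfo\\04090000\\"
    };
    for(size_t k=0;k<sizeof(fallbackKeys)/sizeof(fallbackKeys[0]);k++)
    {
        lstrcpyW(VS.szVersionKey,fallbackKeys[k]);
        if((result=GetVersionDatum(L"InternalName"))!=0) return result;
    }
    return NULL;
}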
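// Shared by every launch path below: runs `cmdline` (a writable buffer, as
// CreateProcessW requires), waits for it to finish and ends this process with
// 0, or with 1 when the process could not be created. Never returns.
static void LaunchAndExit(LPWSTR cmdline)
{
    STARTUPINFOW StartupInfo;
    PROCESS_INFORMATION ProcessInformation;
    memset(&StartupInfo,0,sizeof(STARTUPINFOW));
    StartupInfo.cb=sizeof(StartupInfo);
    StartupInfo.wShowWindow=SW_SHOW;
    StartupInfo.dwFlags=STARTF_FORCEONFEEDBACK | STARTF_RUNFULLSCREEN |
                        STARTF_USEPOSITION | STARTF_USESHOWWINDOW;
    if(!CreateProcessW(NULL,cmdline,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,
                       NULL,NULL,&StartupInfo,&ProcessInformation))
        ExitProcess(1);
    WaitForSingleObject(ProcessInformation.hProcess,INFINITE);
    CloseHandle(ProcessInformation.hProcess);
    CloseHandle(ProcessInformation.hThread);
    ExitProcess(0);
}

// Shows string resource `id` (loaded into `scratch`, MAX_PATH WCHARs) in an
// error box and ends the process with exit code 1. Never returns.
static void FailAndExit(UINT id,LPWSTR scratch)
{
    LoadStringW(NULL,id,scratch,MAX_PATH);
    MessageBoxW(NULL,scratch,NULL,MB_OK | MB_ICONHAND);
    ExitProcess(1);
}

// Case-insensitive "does `s` start with `prefix`", using the same user-locale
// CompareStringW the original used - but without reading past the end of `s`
// (the original always compared lstrlenW(prefix) characters).
static BOOL StartsWithI(LPCWSTR s,LPCWSTR prefix)
{
    int n=lstrlenW(prefix);
    if(lstrlenW(s) < n) return FALSE;
    return CompareStringW(LOCALE_USER_DEFAULT,NORM_IGNORECASE,s,n,prefix,n) == CSTR_EQUAL;
}

// Returns the first position in `s` at which `needle` starts (case-insensitive),
// or the terminating NUL when there is none, so `*result == 0` means not found.
static LPWSTR FindI(LPWSTR s,LPCWSTR needle)
{
    int n=lstrlenW(needle);
    int rem=lstrlenW(s);
    while(rem >= n)
    {
        if(CompareStringW(LOCALE_USER_DEFAULT,NORM_IGNORECASE,s,n,needle,n) == CSTR_EQUAL)
            return s;
        s++;
        rem--;
    }
    return s+rem;
}

// winhlp32 stub: locates <windir>\winhlp32.exe, refuses to run when that file's
// InternalName is "winhstb" (it would be this stub itself - ERROR1), otherwise
// re-launches it with whatever followed "winhlp32[.exe]" on our own command
// line (ERROR2 when that token is missing). Every path ends in ExitProcess.
// Fixes relative to the transcribed version: the ERROR1 box displayed string2
// (".exe") instead of the loaded message; two of the three launch sites ran
// CreateProcessW on string2 instead of the command line built in WinDir; the
// three identical CreateProcess blocks are one helper now; `flag`, which had a
// constant value at each of its tests, is gone; and the prefix comparisons no
// longer read past the end of the command line.
int main(void)
{
    WCHAR WinDir[MAX_PATH]=L"";
    WCHAR String[MAX_PATH]=L"";
    WCHAR OtherString[MAX_PATH]=L"";
    static const WCHAR symbol[]=L"\\";
    static const WCHAR stringTT[]=L"winhstb";
    static const WCHAR string1[]=L"winhlp32";
    static const WCHAR string2[]=L".exe";

    // Strip leading quotes and remember whether the program path was quoted.
    BOOL hasquote=FALSE;
    LPWSTR command=GetCommandLineW();
    while(*command == L'"')
    {
        command++;
        hasquote=TRUE;
    }

    GetSystemWindowsDirectoryW(WinDir,MAX_PATH);
    lstrcpyW(String,WinDir);                // GetVersionInfo appends "\winhlp32.exe" to this copy
    lstrcati2(WinDir,symbol,MAX_PATH);
    lstrcati2(WinDir,string1,MAX_PATH);
    lstrcati2(WinDir,string2,MAX_PATH);     // WinDir = "<windir>\winhlp32.exe": the command line to run
    lstrcpyW(OtherString,string1);
    lstrcati2(OtherString,string2,MAX_PATH);

    LPCWSTR versioninfo=GetVersionInfo(String,OtherString);
    if(versioninfo && CompareStringW(LOCALE_USER_DEFAULT,NORM_IGNORECASE,
                                     versioninfo,lstrlenW(versioninfo),stringTT,lstrlenW(stringTT))==CSTR_EQUAL)
    {
        FreeVersionInfo();
        FailAndExit(ERROR1,WinDir);
    }
    FreeVersionInfo();

    if(hasquote)
    {
        // Quoted form: "...path..." args. Anything after the closing quote (at
        // least two characters) is passed through as the argument list.
        LPWSTR start=command;
        while(*command && *command != L'"')
            command++;
        if(*command)
        {
            LPWSTR next=command+1;
            if(next[0] && next[1])
            {
                if(StartsWithI(next,string2))
                    next+=lstrlenW(string2);
                while(*next == L'"') next++;
                lstrcati2(WinDir,L" ",MAX_PATH);
                lstrcati2(WinDir,next,MAX_PATH);
                LaunchAndExit(WinDir);
            }
        }
        // No arguments after the quoted path: "winhlp32" must occur in it, and
        // the real program is launched without arguments.
        if(*FindI(start,string1) == L'\0')
            FailAndExit(ERROR2,WinDir);
        LaunchAndExit(WinDir);
    }

    // Unquoted form: the argument list is whatever follows "winhlp32[.exe]".
    command=FindI(command,string1);
    if(*command)
    {
        LPWSTR next=command+lstrlenW(string1);
        if(StartsWithI(next,string2))
            next+=lstrlenW(string2);
        while(*next == L'"') next++;
        lstrcati2(WinDir,L" ",MAX_PATH);
        lstrcati2(WinDir,next,MAX_PATH);
        LaunchAndExit(WinDir);
    }
    FailAndExit(ERROR2,WinDir);
    return 1;   // not reached: FailAndExit ends the process
}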
还有一个经典病毒逆向代码
本人现在可以进行c/c++ mfc 和16进制com的逆向
上面贴出的是代码较少的,如果有兴趣想跟我学,联系我qq:571652571,
我会把我的经验和所有源码传授给你们,并且详细分析这些代码(当然这个不能免费了)
如果只想要源码,可以加群124408915