Analysis of Windows core programming code based on Visual C ++ (43) virus elimination programming

Source: Internet
Author: User

A group of computer instructions or program code, compiled into or inserted into a computer program, that destroys computer functions or data, interferes with computer use, and is capable of self-replication is called a computer virus. It is destructive, self-replicating, and contagious.

 

How can we eliminate viruses programmatically? Some of the techniques below are quite neat.

Let's take a look at how to eliminate viruses.

Privilege Escalation

// Function: Raise the permission /// parameter: lpszprivilege: Permission name benableprivilege: ////////////////////////////////////// /// // bool setprivilege (lpctstr lpszprivilege, bool benableprivilege) {token_privileges TP; luid; handle hprocesstoken = NULL; If (! Openprocesstoken (getcurrentprocess (), token_all_access, & hprocesstoken) Return-1; if (! Lookupprivilegevalue (null, lpszprivilege, & luid) return false; TP. privilegecount = 1; TP. privileges [0]. luid = luid; If (benableprivilege) TP. privileges [0]. attributes = se_privilege_enabled; elsetp. privileges [0]. attributes = 0; // enable the privilege or disable all values (hprocesstoken, false, & TP, sizeof (token_privileges), (ptoken_privileges) null, (pdword) null ); if (getlasterror ()! = Error_success) return false; If (hprocesstoken! = NULL) closehandle (hprocesstoken); Return true ;}

 

Deleting a virus prevents the virus from being started by itself.

 

/// Function functions: delete a self-starting item ///////////////////////////////////// //////////////////////////////////////// // void deleterunouceregistry () {hkey htestkey; char szbuf [128]; If (regopenkeyex (HKEY_LOCAL_MACHINE, "Software \ Microsoft \ Windows \ CurrentVersion \ Run", 0, key_read | key_write, & htestkey) = error_success) {If (regdeletevalue (htestkey, "runouce ")! = Error_success) {sprintf (szbuf, "% d", getlasterror (); MessageBox (null, szbuf, null, mb_ OK );}}}

Batch call

//// Instructions for use: place the batch processing in the same folder of the program, and then call the following code ///// kill. change bat to the appropriate file name /////////////////////////////////// //////////////////////////////////////// /// // getmodulefilename (null, szpath, max_path); // obtain the program path lstrcpy (_ tcsrchr (szpath, _ T ('\') + 1, _ T ("kill. bat "); // then remove the program name and add kill. batstrcpy (szcmdline, "cmd.exe/C start"); // strcat (szcmdline, szpath); winexec (szcmdline, sw_shownormal );

 

Anti-Virus image hijacking

/// Function functions: fight against image hijacking ///////////////////////////////////// //////////////////////////////////////// // void deleterunouceregistry () // take the task manager as an example {hkey htestkey; char szbuf [128]; If (regopenkeyex (HKEY_LOCAL_MACHINE, "Software \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options \ taskmgr", 0, key_read | key_write, & htestkey) = error_success) {If (regdeletevalue (htestkey, "Debugger ")! = Error_success) {sprintf (szbuf, "% d", getlasterror (); MessageBox (null, szbuf, null, mb_ OK );}}}

 

Delete stubborn files

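// Function: delete a stubborn file through the native (ntdll) API.
// Instructions for use: the target is an NT object path, so keep the
// "\??\" prefix in front of the drive letter (as the WDK documents);
// change E:\autorun.inf to the file you need.
//
// Fixes against the original listing:
//  - ZwWriteFile was told the buffer held 12 bytes while the literal it
//    pointed at is shorter, so the kernel read past the literal; the
//    length now comes from sizeof.
//  - every GetProcAddress result and every NTSTATUS is checked, so an
//    unopened handle is never passed on to ZwWriteFile/ZwClose.
//  - LoadLibrary failure returned 0 (success); failures now return 1.
//  - typedefs that <windows.h> already provides (DWORD, LONG, ...) are
//    dropped; only the ntdll-specific declarations remain.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
    DWORD Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Object-attribute and file flags not provided by <windows.h>.
#define OBJ_CASE_INSENSITIVE        0x00000040L
#define FILE_OPEN_IF                0x00000003
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020

typedef VOID (NTAPI *PIO_APC_ROUTINE)(PVOID ApcContext,
                                      PIO_STATUS_BLOCK IoStatusBlock,
                                      ULONG Reserved);
typedef VOID (NTAPI *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString,
                                           PCWSTR SourceString);
typedef NTSTATUS (NTAPI *ZWCREATEFILE)(PHANDLE FileHandle,
                                       ACCESS_MASK DesiredAccess,
                                       POBJECT_ATTRIBUTES ObjectAttributes,
                                       PIO_STATUS_BLOCK IoStatusBlock,
                                       PLARGE_INTEGER AllocationSize,
                                       ULONG FileAttributes,
                                       ULONG ShareAccess,
                                       ULONG CreateDisposition,
                                       ULONG CreateOptions,
                                       PVOID EaBuffer,
                                       ULONG EaLength);
typedef NTSTATUS (NTAPI *ZWWRITEFILE)(HANDLE FileHandle,
                                      HANDLE Event,
                                      PIO_APC_ROUTINE ApcRoutine,
                                      PVOID ApcContext,
                                      PIO_STATUS_BLOCK IoStatusBlock,
                                      PVOID Buffer,
                                      ULONG Length,
                                      PLARGE_INTEGER ByteOffset,
                                      PULONG Key);
typedef NTSTATUS (NTAPI *ZWCLOSE)(HANDLE Handle);
typedef NTSTATUS (NTAPI *ZWDELETEFILE)(POBJECT_ATTRIBUTES ObjectAttributes);

// Returns 0 when the file was overwritten and deleted, 1 on any failure.
int main(void)
{
    // NT object path of the file to remove; "\??\" must stay in front.
    static const wchar_t kTarget[] = L"\\??\\E:\\autorun.inf";
    // Bytes written over the file before it is deleted (as in the original).
    static char content[] = "regular";

    int rc = 1;
    HANDLE hFile = NULL;
    HINSTANCE hNtdll = LoadLibrary("NTDLL");
    if (!hNtdll) {
        return 1;
    }

    RTLINITUNICODESTRING pRtlInitUnicodeString =
        (RTLINITUNICODESTRING)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    ZWCREATEFILE pZwCreateFile =
        (ZWCREATEFILE)GetProcAddress(hNtdll, "ZwCreateFile");
    ZWWRITEFILE pZwWriteFile =
        (ZWWRITEFILE)GetProcAddress(hNtdll, "ZwWriteFile");
    ZWCLOSE pZwClose = (ZWCLOSE)GetProcAddress(hNtdll, "ZwClose");
    ZWDELETEFILE pZwDeleteFile =
        (ZWDELETEFILE)GetProcAddress(hNtdll, "ZwDeleteFile");
    if (!pRtlInitUnicodeString || !pZwCreateFile || !pZwWriteFile ||
        !pZwClose || !pZwDeleteFile) {
        printf("GetProcAddress failed\n");
        goto out;
    }

    UNICODE_STRING objectName;
    pRtlInitUnicodeString(&objectName, kTarget);
    OBJECT_ATTRIBUTES objectAttributes = {
        sizeof(OBJECT_ATTRIBUTES), // Length
        NULL,                      // RootDirectory
        &objectName,               // ObjectName
        OBJ_CASE_INSENSITIVE,      // Attributes
        NULL,                      // SecurityDescriptor
        NULL                       // SecurityQualityOfService
    };

    IO_STATUS_BLOCK ioStatusBlock;
    NTSTATUS status = pZwCreateFile(&hFile,
                                    GENERIC_WRITE | SYNCHRONIZE | GENERIC_READ,
                                    &objectAttributes, &ioStatusBlock, NULL,
                                    FILE_ATTRIBUTE_NORMAL, FILE_SHARE_DELETE,
                                    FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT,
                                    NULL, 0);
    if (!NT_SUCCESS(status)) {
        printf("ZwCreateFile failed: 0x%08lX\n", (unsigned long)status);
        hFile = NULL;
        goto out;
    }

    // Length is the real size of the buffer, not a hard-coded 12.
    status = pZwWriteFile(hFile, NULL, NULL, NULL, &ioStatusBlock, content,
                          (ULONG)sizeof content, NULL, NULL);
    if (!NT_SUCCESS(status)) {
        printf("ZwWriteFile failed: 0x%08lX\n", (unsigned long)status);
        goto out;
    }

    // The handle must be closed before the delete can take effect.
    pZwClose(hFile);
    hFile = NULL;

    status = pZwDeleteFile(&objectAttributes);
    if (!NT_SUCCESS(status)) {
        printf("ZwDeleteFile failed: 0x%08lX\n", (unsigned long)status);
        goto out;
    }
    rc = 0;

out:
    if (hFile != NULL) {
        pZwClose(hFile);
    }
    FreeLibrary(hNtdll);
    return rc;
}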

 

Multi-process protection Terminator

//// Function: defend against multi-process protection ////// call enumprocessandsuspendprocess () in the main program () and /// // enumprocessandterminateprocess () the virus program can be terminated ///////////////////////////////// //////////////////////////////////////// //////////// typedef DWORD (winapi * pfsuspendprocess) (handle hprocess); pfsuspendprocess suspendprocess; // The API that suspends the process, in ntdlll. DLL // function: pending process parameters: Process idvoid suspendproc (DWORD dwpid) {hmodule hntdlllib = loadlibrary (" Ntdll. DLL "); // load NTDLL. DLL, obtain the DLL handle suspendprocess = (pfsuspendprocess) getprocaddress (hntdlllib, "zwsuspendprocess"); // obtain the region address if (suspendprocess) {handle hprocess = OpenProcess (process_all_access, false, dwpid); // obtain the suspendprocess (hprocess) handle of the specified process ID; // suspend the process} freelibrary (hntdlllib); // release DLL} void terminateproc (DWORD dwpid) // function: process end parameter: process ID {handle hprocess = OpenProcess (process_all_access, False, dwpid); terminateprocess (hprocess, 0);} // function: enumerate the process and suspend the process void winapi enumprocessandsuspendprocess () {handle hprocesssnap; processentry32 pe32; // snapshothprocesssnap = createconlhelp32snapshot (th32cs_snapprocess, 0); If (hprocesssnap = invalid_handle_value) {printf ("createconlhelp32snapshot (of processes) error! \ N "); return;} // set the input parameter, structure size pe32.dwsize = sizeof (processentry32); // start to list the process if (! Process32first (hprocesssnap, & pe32) {printf ("process32first error! \ N "); // error message closehandle (hprocesssnap); Return ;}do {// enumeration process then suspends the virus process if (stricmp (pe32.szexefile," global.exe ") = 0) {suspendproc (pe32.th32processid );}... 
// Add the process name to end here} while (process32next (hprocesssnap, & pe32); closehandle (hprocesssnap); // close the handle return;} // function: enumerate the process and end the process void winapi enumprocessandterminateprocess () {handle hprocesssnap; processentry32 pe32; // snapshothprocesssnap = creatw.lhelp3 2 snapshot (th32cs_snapprocess, 0); If (hprocesssnap = invalid_handle_value) {printf ("createconlhelp32snapshot (of processes) error! \ N "); return;} // set the input parameter, structure size pe32.dwsize = sizeof (processentry32); // start to list the process if (! Process32first (hprocesssnap, & pe32) {printf ("process32first error! \ N "); // error message closehandle (hprocesssnap); Return ;}do {// enumerate the process and end the virus process if (stricmp (pe32.szexefile," global.exe ") = 0) {terminateproc (pe32.th32processid );}... // Add the process name to end here} while (process32next (hprocesssnap, & pe32); closehandle (hprocesssnap); // close the handle return ;}

Uninstall the DLL injected remotely

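// Function: unload an injected DLL from every process.
// Parameter: dllName - module name as the target process loaded it (what
//            GetModuleHandleA accepts).
// Returns 0 when every process was visited, -1 for an empty/NULL name,
// -2 if SeDebugPrivilege could not be enabled, -11 if the process list
// could not be read (the -2/-11 codes are kept from the original).
//
// Fixes against the original listing:
//  - every handle is released on every path: a failed CreateRemoteThread
//    leaked hProcess and the remote buffer, and the trailing
//    "if (hProcess != NULL) CloseHandle(hProcess)" closed a handle that
//    the loop had already closed.
//  - WriteProcessMemory/CreateRemoteThread/GetExitCodeThread results are
//    checked, and FreeLibrary is only requested when the module was found.
//  - the remote buffer is released (MEM_RELEASE) rather than decommitted,
//    which left the reservation behind.
//  - only the access rights the operation needs are requested instead of
//    PROCESS_ALL_ACCESS.
// NOTE(review): the thread exit code is 32-bit, so the HMODULE it carries
// is truncated in a 64-bit target; this matches the original's behaviour
// and only works for targets with the same bitness as this program —
// confirm the build targets.
// NOTE(review): the INFINITE waits block forever if the target is
// suspended (for example after EnumProcessAndSuspendProcess); call this
// before suspending, or resume first.

// Runs `fn(arg)` on a new thread inside hProcess, waits for it, and
// returns its exit code; returns 0 if the thread could not be created or
// its exit code could not be read.
static DWORD RunRemote(HANDLE hProcess, LPTHREAD_START_ROUTINE fn, LPVOID arg)
{
    DWORD dwId = 0;
    DWORD dwResult = 0;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, fn, arg, 0, &dwId);
    if (hThread == NULL) {
        return 0;
    }
    WaitForSingleObject(hThread, INFINITE);
    if (!GetExitCodeThread(hThread, &dwResult)) {
        dwResult = 0;
    }
    CloseHandle(hThread);
    return dwResult;
}

// Copies dllName into hProcess, asks it for the module handle, and if the
// module is loaded asks it to FreeLibrary that handle. Frees the remote
// buffer on every path. dwSize includes the terminating NUL.
static void UnloadDllFromProcess(HANDLE hProcess, const char *dllName,
                                 DWORD dwSize)
{
    LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT,
                                  PAGE_READWRITE);
    if (lpBuf == NULL) {
        return;
    }

    DWORD dwHandle = 0;
    SIZE_T dwWritten = 0;
    // A short write still counts as failure.
    if (WriteProcessMemory(hProcess, lpBuf, dllName, dwSize, &dwWritten) &&
        dwWritten == dwSize) {
        // Have the target call GetModuleHandleA on the copied name.
        dwHandle = RunRemote(hProcess,
                             (LPTHREAD_START_ROUTINE)GetModuleHandleA, lpBuf);
    }
    VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);

    if (dwHandle != 0) {
        // Have the target call FreeLibrary on the handle it returned.
        (void)RunRemote(hProcess, (LPTHREAD_START_ROUTINE)FreeLibrary,
                        (LPVOID)(ULONG_PTR)dwHandle);
    }
}

int KillDll(char *dllName)
{
    if (dllName == NULL || dllName[0] == '\0') {
        return -1;
    }
    if (!SetPrivilege(SE_DEBUG_NAME, true)) {
        return -2;
    }

    // aProcesses[] receives the PIDs of the running processes.
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
        return -11;
    }
    cProcesses = cbNeeded / sizeof(DWORD);

    DWORD dwSize = (DWORD)strlen(dllName) + 1; // include the NUL

    for (unsigned int i = 0; i < cProcesses; i++) {
        HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD |
                                      PROCESS_QUERY_INFORMATION |
                                      PROCESS_VM_OPERATION |
                                      PROCESS_VM_WRITE | PROCESS_VM_READ,
                                      FALSE, aProcesses[i]);
        if (hProcess == NULL) {
            continue;
        }
        UnloadDllFromProcess(hProcess, dllName, dwSize);
        CloseHandle(hProcess);
    }
    return 0;
}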

 

 

 

 

 

 

 

 

 

 
