電腦病毒(Computer Virus)是指編製或者在電腦程式中插入的、破壞電腦功能或者破壞資料、影響電腦使用並且能夠自我複製的一組電腦指令或程式碼。它具有破壞性、複製性和傳染性。
那麼,我們如何用程式來清除病毒呢?有些病毒會利用自啟動項、映像劫持、多進程互相守護、遠程注入 DLL 等手段來保護自己,下面逐一說明對抗方法。
下面通過實際代碼演示如何清除病毒。注意:以下代碼需要以管理員身份運行,而且是針對特定樣本寫的(自啟動項值名 Runouce、進程名 Global.exe),使用時要改成實際病毒的名稱。
提升許可權(為後續操作啟用所需的特權,例如 SeDebugPrivilege)
// 函數功能:提升許可權 //// 參數:lpszPrivilege:許可權名 bEnablePrivilege:是否允許 ///////////////////////////////////////////////////////////////////////BOOL SetPrivilege(LPCTSTR lpszPrivilege,BOOL bEnablePrivilege){TOKEN_PRIVILEGES tp;LUID luid;HANDLE hProcessToken=NULL; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))return -1;if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))return FALSE;tp.PrivilegeCount = 1;tp.Privileges[0].Luid=luid;if(bEnablePrivilege)tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;elsetp.Privileges[0].Attributes =0;//Enable the privilege or disable all privilegeAdjustTokenPrivileges(hProcessToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL);if(GetLastError()!=ERROR_SUCCESS)return FALSE;if(hProcessToken!=NULL)CloseHandle(hProcessToken);return TRUE;}
刪除自啟動項,讓病毒不能隨系統自動啟動
/// 函數功能:刪除自啟動項 ///////////////////////////////////////////////////////////////////////////////VOID DeleteRunouceRegistry(){ HKEY hTestKey;CHAR szBuf[128];if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_READ|KEY_WRITE,&hTestKey)==ERROR_SUCCESS){if(RegDeleteValue(hTestKey,"Runouce")!=ERROR_SUCCESS){sprintf(szBuf,"%d",GetLastError());MessageBox(NULL,szBuf,NULL,MB_OK);}}}
調用批處理檔案
//// 使用說明:將批處理放在程式同一個檔案夾中,然後調用下面的代碼 //////// 將kill.bat改成相應的檔案名稱 ////////////////////////////////////////////////////////////////////////////////////////// GetModuleFileName(NULL,szPath,MAX_PATH); //擷取程式的路徑lstrcpy( _tcsrchr(szPath, _T('\\') ) + 1, _T("kill.bat") );//然後去掉程式名加上kill.batstrcpy(szCmdLine,"cmd.exe /c start ");//WinExec的命令列strcat(szCmdLine,szPath);WinExec(szCmdLine,SW_SHOWNORMAL);
對抗病毒的映像劫持(Image File Execution Options 劫持)
/// 函數功能:對抗映像劫持 ///////////////////////////////////////////////////////////////////////////////VOID DeleteRunouceRegistry()//這裡以工作管理員為例{ HKEY hTestKey;CHAR szBuf[128];if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr",0,KEY_READ|KEY_WRITE,&hTestKey)==ERROR_SUCCESS){if(RegDeleteValue(hTestKey,"Debugger")!=ERROR_SUCCESS){sprintf(szBuf,"%d",GetLastError());MessageBox(NULL,szBuf,NULL,MB_OK);}}}
刪除頑固檔案
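/*
 * Force-delete a "stubborn" file through the native API in ntdll
 * (ZwCreateFile / ZwWriteFile / ZwDeleteFile) instead of DeleteFile.
 *
 * Usage:  <program> [NT-path]
 *   Default target is \??\E:\autorun.inf (the value the original hard-coded).
 *   Native paths need the \??\ prefix in front of the DOS drive letter.
 *
 * Steps, as in the original:
 *   1. open the file read/write with FILE_SHARE_DELETE,
 *   2. overwrite the head of the file with a marker string - presumably so
 *      the file is neutralised even if the delete below fails,
 *   3. close it and ZwDeleteFile the path.
 *
 * Fixes relative to the original:
 *  - No NTSTATUS was checked; on a failed open an uninitialised handle went
 *    to ZwWriteFile/ZwClose.  Every status is now checked and reported.
 *  - NTSTATUS was typedef'd unsigned, which makes the >= 0 success test
 *    impossible; it is a signed LONG.
 *  - IO_STATUS_BLOCK was declared as {DWORD; ULONG}; the real layout is
 *    {union{NTSTATUS; PVOID}; ULONG_PTR}, so on x64 the kernel wrote 16 bytes
 *    into an 8-byte stack object.
 *  - UNICODE_STRING.Buffer was typed USHORT*; it is a WCHAR*.
 *  - FILE_OPEN_IF *creates* a missing file (which was then written and
 *    deleted again); FILE_OPEN is used so a missing target is reported.
 *  - DWORD/ULONG/USHORT/LONG/LONGLONG, GENERIC_*, SYNCHRONIZE,
 *    FILE_SHARE_DELETE and FILE_ATTRIBUTE_NORMAL already come from windows.h;
 *    the duplicate definitions are dropped.
 *
 * NOTE(review): going through ntdll sidesteps user-mode hooks on kernel32's
 * DeleteFile, but not a sharing lock - if another process holds the file
 * open without FILE_SHARE_DELETE, expect STATUS_SHARING_VIOLATION
 * (0xC0000043) from ZwCreateFile.  The argv path is converted with mbstowcs
 * in the "C" locale, so non-ASCII paths need a setlocale() call first.
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

typedef LONG NTSTATUS;
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040L
#endif
#ifndef FILE_OPEN
#define FILE_OPEN 0x00000001           /* CreateDisposition: existing file only */
#endif
#ifndef FILE_SYNCHRONOUS_IO_NONALERT
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#endif

/* Native-API structures that windows.h does not expose. */
typedef struct _UNICODE_STRING {
    USHORT Length;          /* bytes, excluding the terminator */
    USHORT MaximumLength;   /* bytes */
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID    Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef VOID (NTAPI *PIO_APC_ROUTINE)(PVOID ApcContext,
                                      PIO_STATUS_BLOCK IoStatusBlock,
                                      ULONG Reserved);

typedef VOID (NTAPI *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString,
                                           PCWSTR SourceString);

typedef NTSTATUS (NTAPI *ZWCREATEFILE)(PHANDLE FileHandle,
                                       ACCESS_MASK DesiredAccess,
                                       POBJECT_ATTRIBUTES ObjectAttributes,
                                       PIO_STATUS_BLOCK IoStatusBlock,
                                       PLARGE_INTEGER AllocationSize,
                                       ULONG FileAttributes,
                                       ULONG ShareAccess,
                                       ULONG CreateDisposition,
                                       ULONG CreateOptions,
                                       PVOID EaBuffer,
                                       ULONG EaLength);

typedef NTSTATUS (NTAPI *ZWWRITEFILE)(HANDLE FileHandle,
                                      HANDLE Event,
                                      PIO_APC_ROUTINE ApcRoutine,
                                      PVOID ApcContext,
                                      PIO_STATUS_BLOCK IoStatusBlock,
                                      PVOID Buffer,
                                      ULONG Length,
                                      PLARGE_INTEGER ByteOffset,
                                      PULONG Key);

typedef NTSTATUS (NTAPI *ZWCLOSE)(HANDLE Handle);

typedef NTSTATUS (NTAPI *ZWDELETEFILE)(POBJECT_ATTRIBUTES ObjectAttributes);

int main(int argc, char **argv)
{
    static const char kDefaultTarget[] = "\\??\\E:\\autorun.inf";
    static char marker[] = "ForZwFileTest";   /* written over the file head */
    const char *target = (argc > 1) ? argv[1] : kDefaultTarget;
    WCHAR wpath[MAX_PATH];
    size_t converted;
    HMODULE hNtDll;
    RTLINITUNICODESTRING pRtlInitUnicodeString;
    ZWCREATEFILE pZwCreateFile;
    ZWWRITEFILE  pZwWriteFile;
    ZWCLOSE      pZwClose;
    ZWDELETEFILE pZwDeleteFile;
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE hFile = NULL;
    NTSTATUS status;

    /* mbstowcs writes the terminator only if it fits; reject truncation. */
    converted = mbstowcs(wpath, target, MAX_PATH);
    if (converted == (size_t)-1 || converted >= MAX_PATH) {
        fprintf(stderr, "bad or too long path: %s\n", target);
        return 1;
    }

    /* ntdll is mapped into every process; no LoadLibrary/FreeLibrary pair. */
    hNtDll = GetModuleHandleA("ntdll.dll");
    if (hNtDll == NULL) {
        fprintf(stderr, "ntdll.dll not found\n");
        return 1;
    }
    pRtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(hNtDll, "RtlInitUnicodeString");
    pZwCreateFile = (ZWCREATEFILE)GetProcAddress(hNtDll, "ZwCreateFile");
    pZwWriteFile  = (ZWWRITEFILE)GetProcAddress(hNtDll, "ZwWriteFile");
    pZwClose      = (ZWCLOSE)GetProcAddress(hNtDll, "ZwClose");
    pZwDeleteFile = (ZWDELETEFILE)GetProcAddress(hNtDll, "ZwDeleteFile");
    if (!pRtlInitUnicodeString || !pZwCreateFile || !pZwWriteFile ||
        !pZwClose || !pZwDeleteFile) {
        fprintf(stderr, "required ntdll export missing\n");
        return 1;
    }

    pRtlInitUnicodeString(&name, wpath);
    oa.Length = sizeof(oa);
    oa.RootDirectory = NULL;
    oa.ObjectName = &name;
    oa.Attributes = OBJ_CASE_INSENSITIVE;
    oa.SecurityDescriptor = NULL;
    oa.SecurityQualityOfService = NULL;

    /* 1. open (FILE_OPEN: never create a missing target). */
    status = pZwCreateFile(&hFile,
                           GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE,
                           &oa, &iosb, NULL,
                           FILE_ATTRIBUTE_NORMAL, FILE_SHARE_DELETE,
                           FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT,
                           NULL, 0);
    if (!NT_SUCCESS(status)) {
        fprintf(stderr, "ZwCreateFile(%s) failed: 0x%08lX\n",
                target, (unsigned long)status);
        return 1;
    }

    /* 2. overwrite the head; a failure here is reported but does not stop
     *    the delete. */
    status = pZwWriteFile(hFile, NULL, NULL, NULL, &iosb,
                          marker, (ULONG)(sizeof(marker) - 1), NULL, NULL);
    if (!NT_SUCCESS(status))
        fprintf(stderr, "ZwWriteFile failed: 0x%08lX (continuing)\n",
                (unsigned long)status);
    pZwClose(hFile);

    /* 3. delete by path. */
    status = pZwDeleteFile(&oa);
    if (!NT_SUCCESS(status)) {
        fprintf(stderr, "ZwDeleteFile(%s) failed: 0x%08lX\n",
                target, (unsigned long)status);
        return 1;
    }

    printf("deleted %s\n", target);
    return 0;
}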
終結病毒的多進程互相守護保護
//// 功能:對抗多進程保護 ////////// 主程式裡調用EnumProcessAndSuspendProcess()和 ////////// EnumProcessAndTerminateProcess()就能將病毒程式結束掉 ///////////////////////////////////////////////////////////////////////////////////////typedef DWORD (WINAPI *PFSuspendProcess)(HANDLE hProcess);PFSuspendProcess SuspendProcess; //掛起進程的API,在ntdlll.dll中//函數功能:掛起進程 參數:進程IDVOID SuspendProc(DWORD dwPID){ HMODULE hNtDllLib=LoadLibrary("ntdll.dll"); //載入ntdll.dll,獲得dll控制代碼 SuspendProcess=(PFSuspendProcess)GetProcAddress(hNtDllLib,"ZwSuspendProcess");//擷取ZwSuspendProcess的地址 if (SuspendProcess) { HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPID); //擷取指定進程ID的控制代碼 SuspendProcess(hProcess); //掛起進程 } FreeLibrary(hNtDllLib);//釋放dll}VOID TerminateProc(DWORD dwPID) //函數功能:結束進程 參數:進程ID{ HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPID); TerminateProcess(hProcess,0); }//函數功能:枚舉進程並掛起進程VOID WINAPI EnumProcessAndSuspendProcess(){HANDLE hProcessSnap;PROCESSENTRY32 pe32;// SnapshothProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );if( hProcessSnap == INVALID_HANDLE_VALUE ){ printf( "CreateToolhelp32Snapshot (of processes) error!\n");return ;}// 設定輸入參數,結構的大小pe32.dwSize = sizeof( PROCESSENTRY32 );// 開始列舉進程if( !Process32First( hProcessSnap, &pe32 ) ){printf( "Process32First error!\n" ); // 出錯資訊CloseHandle( hProcessSnap );return ;}do{ //枚舉進程然後將病毒進程掛起if (stricmp(pe32.szExeFile,"Global.exe")==0){ SuspendProc(pe32.th32ProcessID);} ... 
//在這裡添加要結束的進程名} while( Process32Next( hProcessSnap, &pe32 ) );CloseHandle( hProcessSnap );//關閉控制代碼return ;}//函數功能:枚舉進程並結束進程VOID WINAPI EnumProcessAndTerminateProcess(){HANDLE hProcessSnap;PROCESSENTRY32 pe32;// SnapshothProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );if( hProcessSnap == INVALID_HANDLE_VALUE ){printf( "CreateToolhelp32Snapshot (of processes) error!\n");return ;}// 設定輸入參數,結構的大小pe32.dwSize = sizeof( PROCESSENTRY32 );// 開始列舉進程if( !Process32First( hProcessSnap, &pe32 ) ){printf( "Process32First error!\n" ); // 出錯資訊CloseHandle( hProcessSnap );return ;}do{ //枚舉進程然後將病毒進程結束if (stricmp(pe32.szExeFile,"Global.exe")==0){TerminateProc(pe32.th32ProcessID);}... //在這裡添加要結束的進程名} while( Process32Next( hProcessSnap, &pe32 ) );CloseHandle( hProcessSnap );//關閉控制代碼return ;}
卸載被遠程注入的 DLL
///// 函數功能:卸載掉注入的dll 參數;dll名 ////////////////////////////////////////////////////////////////////////////////////////////////int KillDLL(char *DllName){ // 解除所有進程中某DLL模組的載入HANDLE hProcess=NULL;if(!SetPrivilege(SE_DEBUG_NAME,TRUE)){return -2;}DWORD aProcesses[1024],cbNeeded,cProcesses;unsigned int i;//計算目前有多少進程,aerocesses[]用來存放有效進程PIDsif(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded)) return -11;cProcesses=cbNeeded/sizeof(DWORD);//按有效PID遍曆所有的進程for(i= 0;i<cProcesses;i++){if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,aProcesses[i]))==NULL){continue;}// 由目標進程地址空間寫入DLL名稱DWORD dwSize,dwWritten;dwSize=strlen(DllName)+1;LPVOID lpBuf=VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);if(lpBuf=NULL){CloseHandle(hProcess);continue;}//向其中寫入dll的名稱if(WriteProcessMemory(hProcess,lpBuf,(LPVOID)DllName,dwSize,&dwWritten)){ // 若寫入位元組數與實際寫入位元組數不相等,仍屬失敗if(dwWritten!=dwSize){VirtualFreeEx(hProcess,lpBuf,dwSize,MEM_DECOMMIT);CloseHandle(hProcess);continue;}}else{ CloseHandle(hProcess); continue; }//使目標進程調用GetModuleHandIe,獲得DLL在進程中的控制代碼DWORD dwHandle,dwID;LPVOID pFunc= GetModuleHandleA;HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpBuf,0,&dwID);//等待GetModuleHandle運行完畢 WaitForSingleObject(hThread,INFINITE);//獲得GetModuleHandle的傳回值GetExitCodeThread(hThread,&dwHandle);// 釋放目標進程中申請的空間VirtualFreeEx( hProcess,lpBuf,dwSize,MEM_DECOMMIT);CloseHandle(hThread);//使目標進程調用FreeLibrary,卸載DLL pFunc=FreeLibrary;hThread= CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID);//等待FreeLibrary卸載完畢 WaitForSingleObject(hThread,INFINITE); CloseHandle(hThread);CloseHandle(hProcess);} if(hProcess!=NULL) CloseHandle(hProcess); return 0; }