代码:
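#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <string.h>

#pragma comment (lib, "shlwapi.lib")
#pragma comment (lib, "ntdll.lib")
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")

/*
 * killhb: removal tool for the "HB" components named in this file
 * (HBKernel32.sys driver, HBQQXX.dll, the HBInject32 window, system.exe).
 *
 * The tool is 32-bit only: it reads raw byte offsets out of the undocumented
 * ZwQuerySystemInformation buffers (the offsets below match the 32-bit
 * XP-era layouts of the module / process / handle records) and the original
 * build relied on x86 inline assembly. The object-type index and record
 * layouts differ on other kernel versions -- confirm before reuse.
 */

typedef struct _IO_STATUS_BLOCK {
    union {
        int Status;
        PVOID Pointer;
    };
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/* Undocumented ntdll exports. Return an NTSTATUS: 0 on success. */
extern "C" int __stdcall ZwQuerySystemInformation(
    IN int SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
);
extern "C" int __stdcall ZwQueryInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN int FileInformationClass
);
extern "C" int __stdcall ZwQueryInformationThread(
    IN HANDLE ThreadHandle,
    IN int ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

/* NTSTATUS returned while the caller's buffer is still too small. */
#define NTSTATUS_INFO_LENGTH_MISMATCH 0xC0000004UL

/* Information classes and record offsets used below (32-bit layouts). */
enum {
    SYSINFO_CLASS_PROCESS = 5,      /* SystemProcessInformation */
    SYSINFO_CLASS_MODULE  = 11,     /* SystemModuleInformation */
    SYSINFO_CLASS_HANDLE  = 16,     /* SystemHandleInformation */
    FILEINFO_CLASS_NAME   = 9,      /* FileNameInformation */

    /* SystemModuleInformation: ULONG count, then fixed-size module records. */
    MODINFO_ENTRY_SIZE    = 0x11C,
    MODINFO_IMAGE_BASE    = 0x08,
    MODINFO_IMAGE_SIZE    = 0x0C,
    MODINFO_FULL_PATH     = 0x1C,   /* NUL-terminated char path */

    /* SystemProcessInformation: records chained by NextEntryOffset (0 = last). */
    PROCINFO_NEXT_OFFSET  = 0x00,
    PROCINFO_THREAD_COUNT = 0x04,
    PROCINFO_PID          = 0x44,
    PROCINFO_THREADS      = 0xB8,   /* first thread record */
    THREADINFO_SIZE       = 0x40,
    THREADINFO_START_ADDRESS = 0x1C,
    THREADINFO_TID        = 0x24,

    /* SystemHandleInformation: ULONG count, then fixed-size handle records. */
    HANDLEINFO_ENTRY_SIZE = 0x10,
    HANDLEINFO_PID        = 0x00,
    HANDLEINFO_OBJECT_TYPE = 0x04,  /* one byte */
    HANDLEINFO_HANDLE     = 0x06,   /* 16-bit handle value */
    HANDLEINFO_FILE_TYPE_INDEX = 0x1C, /* presumably the File type index on the target OS -- confirm */

    NAME_BUF_SIZE         = 0x1000
};

typedef void (*StopServiceExFn)(void);
typedef HANDLE (WINAPI *OpenThreadFn)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);

/*
 * Queries `info_class` into a VirtualAlloc'd buffer, doubling the size while
 * the kernel reports NTSTATUS_INFO_LENGTH_MISMATCH (first attempt: 0x4000).
 * Returns NULL on allocation failure or on any non-success status, so callers
 * never read an unfilled buffer. A non-NULL result is released by the caller
 * with VirtualFree(buf, 0, MEM_RELEASE).
 */
static LPBYTE query_system_info(int info_class)
{
    LPBYTE buf = NULL;
    DWORD size = 0x2000;
    int status;

    do {
        size *= 2;
        if (buf) {
            VirtualFree(buf, 0, MEM_RELEASE);
        }
        buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE);
        if (buf == NULL) {
            return NULL;
        }
        status = ZwQuerySystemInformation(info_class, buf, size, NULL);
    } while ((ULONG)status == NTSTATUS_INFO_LENGTH_MISMATCH);

    if (status != 0) {
        VirtualFree(buf, 0, MEM_RELEASE);
        return NULL;
    }
    return buf;
}

/*
 * Step 0: create the "HBInjectMutex" mutex (presumably the name the injector
 * checks; the handle is deliberately kept open for the process lifetime) and,
 * if HBQQXX.dll is already loaded into this process, call its StopServiceEx
 * export and drop the module.
 */
void s0()
{
    HMODULE mod;
    StopServiceExFn stop_service;

    CreateMutex(NULL, FALSE, "HBInjectMutex");
    mod = GetModuleHandle("HBQQXX.dll");
    if (mod == NULL) {
        return;
    }
    /* Called with no arguments, exactly as the original `call eax` did; the
     * export's real prototype is not known from here -- confirm. */
    stop_service = (StopServiceExFn)GetProcAddress(mod, "StopServiceEx");
    if (stop_service != NULL) {
        stop_service();
    }
    /* GetModuleHandle adds no reference, so this FreeLibrary decrements the
     * DLL's own load count: the intent is to force the injected module out. */
    FreeLibrary(mod);
}

/*
 * Step 1: open the driver's device and send it two control codes.
 * Returns 0 when the device does not exist (driver not loaded), 1 otherwise.
 * The IOCTL results are not checked; what the codes mean is not documented here.
 */
int s1()
{
    HANDLE hDevice;
    DWORD Input = 0;
    DWORD Output = 0;
    DWORD Returned = 0;

    hDevice = CreateFile("\\\\.\\slHBkernel32", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        return 0;
    }
    DeviceIoControl(hDevice, 0x22E00F, &Input, sizeof(Input), NULL, 0, &Returned, NULL);
    DeviceIoControl(hDevice, 0x22E00B, &Input, sizeof(Input), &Output, sizeof(Output), &Returned, NULL);
    CloseHandle(hDevice);
    return 1;
}

/*
 * Enables SeDebugPrivilege on the current process token.
 * Returns 0 on success, -1 (lookup), -2 (token), -3 (adjust) on failure.
 */
static int enable_debug_privilege(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}};
    BOOL adjusted;

    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &priv.Privileges[0].Luid)) {
        return -1;
    }
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return -2;
    }
    /* AdjustTokenPrivileges returns TRUE even when nothing was granted;
     * ERROR_NOT_ALL_ASSIGNED is the real failure signal. */
    adjusted = AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), NULL, NULL);
    if (adjusted && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        adjusted = FALSE;
    }
    CloseHandle(hToken);
    return adjusted ? 0 : -3;
}

/* PID of the first process whose image name equals `name` (case-insensitive), or 0. */
static DWORD find_pid_by_name(const char *name)
{
    HANDLE hSnap;
    PROCESSENTRY32 p32 = {sizeof(p32)};
    DWORD pid = 0;
    BOOL more;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }
    for (more = Process32First(hSnap, &p32); more; more = Process32Next(hSnap, &p32)) {
        if (lstrcmpi(p32.szExeFile, name) == 0) {
            pid = p32.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnap);
    return pid;
}

/*
 * Looks up a loaded kernel module by file name (directory stripped,
 * case-insensitive). On success stores its image base and size and returns
 * TRUE; on any failure both outputs are 0 and the result is FALSE.
 */
static BOOL find_kernel_module(const char *file_name, DWORD *base, DWORD *size)
{
    LPBYTE buf;
    DWORD count;
    DWORD i;
    BOOL found = FALSE;

    *base = 0;
    *size = 0;
    buf = query_system_info(SYSINFO_CLASS_MODULE);
    if (buf == NULL) {
        return FALSE;
    }
    count = *(LPDWORD)buf;
    for (i = 0; i < count; i++) {
        LPBYTE entry = buf + 4 + i * MODINFO_ENTRY_SIZE;
        char *path = (char *)(entry + MODINFO_FULL_PATH);
        char *leaf = strrchr(path, '\\');

        leaf = (leaf != NULL) ? leaf + 1 : path;
        if (lstrcmpi(leaf, file_name) == 0) {
            *base = *(LPDWORD)(entry + MODINFO_IMAGE_BASE);
            *size = *(LPDWORD)(entry + MODINFO_IMAGE_SIZE);
            found = TRUE;
            break;
        }
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    return found;
}

/*
 * Walks the process list for `pid` and returns the id of its first thread
 * whose start address lies strictly inside (base, base+size), else 0.
 */
static DWORD find_thread_in_image(DWORD pid, DWORD base, DWORD size)
{
    LPBYTE buf;
    LPBYTE entry;
    DWORD tid = 0;

    buf = query_system_info(SYSINFO_CLASS_PROCESS);
    if (buf == NULL) {
        return 0;
    }
    entry = buf;
    for (;;) {
        DWORD next = *(LPDWORD)(entry + PROCINFO_NEXT_OFFSET);

        if (*(LPDWORD)(entry + PROCINFO_PID) == pid) {
            DWORD threads = *(LPDWORD)(entry + PROCINFO_THREAD_COUNT);
            DWORD i;
            for (i = 0; i < threads; i++) {
                LPBYTE th = entry + PROCINFO_THREADS + i * THREADINFO_SIZE;
                DWORD start = *(LPDWORD)(th + THREADINFO_START_ADDRESS);
                if (start > base && start < base + size) {
                    tid = *(LPDWORD)(th + THREADINFO_TID);
                    break;
                }
            }
            break;
        }
        /* The last record has NextEntryOffset == 0; without this check the
         * walk spins forever whenever `pid` is not in the list. */
        if (next == 0) {
            break;
        }
        entry += next;
    }
    VirtualFree(buf, 0, MEM_RELEASE);
    return tid;
}

/*
 * Suspends thread `tid` and leaves it suspended. OpenThread is resolved at
 * run time (presumably because older kernel32 builds lack it) and is called
 * through a typed pointer instead of the original hand-written stdcall
 * sequence, so a missing export fails cleanly. Returns FALSE if the thread
 * could not be opened.
 */
static BOOL suspend_thread_by_id(DWORD tid)
{
    HMODULE k32 = GetModuleHandle("kernel32.dll");
    OpenThreadFn open_thread;
    HANDLE hThread;

    if (k32 == NULL) {
        return FALSE;
    }
    open_thread = (OpenThreadFn)GetProcAddress(k32, "OpenThread");
    if (open_thread == NULL) {
        return FALSE;
    }
    hThread = open_thread(THREAD_ALL_ACCESS, FALSE, tid);
    if (hThread == NULL) {
        return FALSE;
    }
    SuspendThread(hThread);
    CloseHandle(hThread);
    return TRUE;
}

/*
 * Scans the system handle table for handles owned by `pid` whose object type
 * is HANDLEINFO_FILE_TYPE_INDEX, names each through a local duplicate, and
 * closes the first one whose file name (directory stripped, case-insensitive)
 * equals `file_name` by re-duplicating it with DUPLICATE_CLOSE_SOURCE.
 * `hProcess` must carry PROCESS_DUP_HANDLE. Returns 1 if a handle was
 * closed, 0 otherwise.
 */
static int close_remote_file_handle(HANDLE hProcess, DWORD pid, const wchar_t *file_name)
{
    LPBYTE buf;
    LPBYTE name_buf;
    DWORD count;
    DWORD i;
    int closed = 0;

    buf = query_system_info(SYSINFO_CLASS_HANDLE);
    if (buf == NULL) {
        return 0;
    }
    name_buf = (LPBYTE)VirtualAlloc(NULL, NAME_BUF_SIZE, MEM_COMMIT, PAGE_READWRITE);
    if (name_buf == NULL) {
        VirtualFree(buf, 0, MEM_RELEASE);
        return 0;
    }
    count = *(LPDWORD)buf;
    for (i = 0; i < count && !closed; i++) {
        LPBYTE entry = buf + 4 + i * HANDLEINFO_ENTRY_SIZE;
        HANDLE remote;
        HANDLE local;
        IO_STATUS_BLOCK io;
        int status;
        wchar_t *leaf;

        if (*(LPDWORD)(entry + HANDLEINFO_PID) != pid) {
            continue;
        }
        if (*(LPBYTE)(entry + HANDLEINFO_OBJECT_TYPE) != HANDLEINFO_FILE_TYPE_INDEX) {
            continue;
        }
        remote = (HANDLE)*(LPWORD)(entry + HANDLEINFO_HANDLE);

        if (!DuplicateHandle(hProcess, remote, GetCurrentProcess(), &local, 0, FALSE, DUPLICATE_SAME_ACCESS)) {
            continue;
        }
        /* FILE_NAME_INFORMATION carries no terminator: the buffer is zeroed
         * and the query is given two bytes less than the buffer, so a name
         * that fits always ends in a NUL and a longer one is rejected. */
        ZeroMemory(name_buf, NAME_BUF_SIZE);
        status = ZwQueryInformationFile(local, &io, name_buf, NAME_BUF_SIZE - sizeof(wchar_t), FILEINFO_CLASS_NAME);
        CloseHandle(local);
        if (status != 0) {
            continue;
        }
        leaf = wcsrchr((wchar_t *)(name_buf + 4), L'\\');
        if (leaf == NULL || lstrcmpiW(leaf + 1, file_name) != 0) {
            continue;
        }
        if (DuplicateHandle(hProcess, remote, GetCurrentProcess(), &local, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
            CloseHandle(local);
            closed = 1;
        }
    }
    VirtualFree(name_buf, 0, MEM_RELEASE);
    VirtualFree(buf, 0, MEM_RELEASE);
    return closed;
}

/*
 * Step 2: neutralise the driver from user mode. Locates HBKernel32.sys in
 * the kernel module list, suspends the System-process thread that runs
 * inside that image, then closes the System process's handle to the driver
 * file so step 5 can move it. Returns 1 if the handle was closed, 0 if no
 * such handle was found, or a negative step code (-1..-8) on failure.
 */
int s2()
{
    DWORD dwPid;
    DWORD HBBase;
    DWORD HBSize;
    DWORD dwTid;
    HANDLE hProcess;
    int rc;

    rc = enable_debug_privilege();
    if (rc < 0) {
        return rc;
    }
    dwPid = find_pid_by_name("SYSTEM");
    if (dwPid == 0) {
        return -4;
    }
    if (!find_kernel_module("HBKernel32.sys", &HBBase, &HBSize)) {
        return -5;
    }
    hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwPid);
    if (hProcess == NULL) {
        return -6;
    }
    dwTid = find_thread_in_image(dwPid, HBBase, HBSize);
    if (dwTid == 0) {
        CloseHandle(hProcess);
        return -7;
    }
    if (!suspend_thread_by_id(dwTid)) {
        CloseHandle(hProcess);
        return -8;
    }
    rc = close_remote_file_handle(hProcess, dwPid, L"HBkernel32.sys");
    CloseHandle(hProcess);
    return rc;
}

/*
 * Step 3: ask the HBInject32 window to close. Returns 0 when the window is
 * not found, 1 after the close and end-session messages were sent
 * (delivery only; the messages' effect is not checked).
 */
int s3()
{
    HWND hWnd = FindWindow(NULL, "HBInject32");

    if (hWnd == NULL) {
        return 0;
    }
    SendMessage(hWnd, WM_CLOSE, 0, 0);
    SendMessage(hWnd, WM_QUERYENDSESSION, 0, 0);
    return 1;
}

/*
 * Step 4: remove the persistence entries: the AppInit_Dlls value (note: the
 * whole value is deleted, not just the HB entry, so any other AppInit DLL is
 * dropped too), the Run entry, and the driver service key in every control
 * set. Always returns 1; individual deletions are not checked because the
 * entries may already be absent.
 */
int s4()
{
    static const char *service_keys[] = {
        "SYSTEM\\ControlSet\\Services\\HBKernel32",
        "SYSTEM\\ControlSet001\\Services\\HBKernel32",
        "SYSTEM\\ControlSet002\\Services\\HBKernel32",
        "SYSTEM\\ControlSet003\\Services\\HBKernel32",
        "SYSTEM\\CurrentControlSet\\Services\\HBKernel32"
    };
    size_t i;

    SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "AppInit_Dlls");
    SHDeleteValue(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HBService32");
    for (i = 0; i < sizeof(service_keys) / sizeof(service_keys[0]); i++) {
        SHDeleteKey(HKEY_LOCAL_MACHINE, service_keys[i]);
    }
    return 1;
}

/* Appends `suffix` to `path` (capacity `cap`); FALSE, path untouched, if it would not fit. */
static BOOL append_bounded(char *path, size_t cap, const char *suffix)
{
    size_t have = (size_t)lstrlen(path);
    size_t need = (size_t)lstrlen(suffix);

    if (have + need + 1 > cap) {
        return FALSE;
    }
    lstrcat(path, suffix);
    return TRUE;
}

/*
 * Moves <system dir><sys_suffix> to <temp dir><tmp_suffix> and deletes it
 * there. Moving first presumably matters because an image that is still
 * mapped can often be renamed but not deleted -- confirm. Best-effort:
 * failures are ignored, but a path that would overflow MAX_PATH is skipped
 * instead of being written past the buffer.
 */
static void move_to_temp_and_delete(const char *sys_suffix, const char *tmp_suffix)
{
    char src[MAX_PATH];
    char dst[MAX_PATH];
    DWORD n;

    n = GetTempPath(MAX_PATH, dst);
    if (n == 0 || n >= MAX_PATH || !append_bounded(dst, sizeof(dst), tmp_suffix)) {
        return;
    }
    DeleteFile(dst);

    n = GetSystemDirectory(src, MAX_PATH);
    if (n == 0 || n >= MAX_PATH || !append_bounded(src, sizeof(src), sys_suffix)) {
        return;
    }
    MoveFile(src, dst);
    DeleteFile(dst);
}

/*
 * Step 5: dispose of the dropped files (system.exe, HBQQXX.dll, the driver)
 * by moving each into the temp directory under a throwaway name and deleting
 * it there. Always returns 1.
 */
int s5()
{
    move_to_temp_and_delete("\\system.exe", "\\2132378.sh");
    move_to_temp_and_delete("\\HBQQXX.dll", "\\9345834.sh");
    move_to_temp_and_delete("\\drivers\\HBKernel32.sys", "\\5475451.sh");
    return 1;
}

/*
 * Program entry (see the /entry:start pragma). Runs the steps in order,
 * stops at the first failure, reports the outcome in a message box and
 * exits with code 0 either way.
 */
void start()
{
    const char *failure = NULL;

    s0();
    if (s1() == 0) {
        failure = "HBkernel32可能不存在";
    } else if (s2() < 0) {
        failure = "fuck hb驱动失败";
    } else if (s3() == 0) {
        failure = "清理system.exe失败";
    } else if (s4() == 0) {
        failure = "清理注册表失败";
    } else if (s5() == 0) {
        failure = "清理尸体失败";
    }
    MessageBox(0, failure != NULL ? failure : "完成", "killhb", 0);
    ExitProcess(0);
}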