windows下删除自身程序源码 — Windows self-deleting program source (32-bit only: the deletion is carried out by a small stub that this program injects into winlogon.exe and that runs after this process has exited; requires an elevated caller with SeDebugPrivilege)
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
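// Template for the position-independent stub that DeleteMe() copies into the
// target process.  Start_ is never called in this program; it exists so the
// assembled bytes (see code[] below, which is exactly this sequence) can be
// regenerated.  The memory operands were missing from the original listing
// (square brackets were stripped by the paste) and have been restored from
// the encoding in code[].
//
// Runtime contract (established by the buffer DeleteMe() builds):
//   lpThreadParameter -> copy of this executable's path (ANSI)
//   [param-4]         -> handle to this process, valid in the target
//   [param-8]  WaitForSingleObject   [param-12] CloseHandle
//   [param-16] DeleteFileA           [param-20] ExitThread
//   [param-24] VirtualFree
//
// The stub blocks until this process exits, deletes the file, frees the page
// it is running from and terminates its own thread.  The final VirtualFree is
// entered with a hand-built frame whose return address is ExitThread, so the
// stub never executes again after its page is released.
__declspec(naked) DWORD WINAPI Start_(LPVOID lpThreadParameter)
{
__asm
{
call $+5                        ; push address of the next instruction
sub byte ptr [esp],5            ; -> [esp] = stub start; only the low byte is
                                ;    touched, which is fine because the stub sits
                                ;    at offset 0 of a page-aligned allocation
mov ebp,[esp+8]                 ; ebp = lpThreadParameter = lpFileName
push dword ptr [ebp-4]          ; hHandle, left on the stack for CloseHandle
push INFINITE                   ; dwMilliseconds
push dword ptr [ebp-4]          ; hHandle
call dword ptr [ebp-8]          ; WaitForSingleObject(hHandle, INFINITE)
call dword ptr [ebp-12]         ; CloseHandle(hHandle)
push ebp                        ; lpFileName
call dword ptr [ebp-16]         ; DeleteFileA(lpFileName)
pop eax                         ; eax = stub start (pushed by call $+5)
push EXIT_SUCCESS               ; dwExitCode for ExitThread
sub esp,4                       ; return-address slot ExitThread expects
push MEM_RELEASE                ; dwFreeType
push 0                          ; dwSize (must be 0 with MEM_RELEASE)
push eax                        ; lpAddress = stub start
push dword ptr [ebp-20]         ; "return address" for VirtualFree = ExitThread
mov eax,dword ptr [ebp-24]      ; VirtualFree
jmp eax                         ; VirtualFree(stub, 0, MEM_RELEASE) -> ExitThread(0)
}
}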
// Assembled x86 form of the Start_ stub (53 bytes).  DeleteMe() copies this
// array to the start of a page in the target process; the [ebp-N] slots are
// the pointer table DeleteMe() stores just below the duplicated handle, with
// ebp = thread parameter = address of the file-name copy.
BYTE code[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   // call $+5
    0x80, 0x2C, 0x24, 0x05,         // sub byte ptr [esp],5     -> [esp] = stub start
    0x8B, 0x6C, 0x24, 0x08,         // mov ebp,[esp+8]          -> lpThreadParameter
    0xFF, 0x75, 0xFC,               // push dword ptr [ebp-4]   handle (for CloseHandle)
    0x6A, 0xFF,                     // push -1                  INFINITE
    0xFF, 0x75, 0xFC,               // push dword ptr [ebp-4]   handle
    0xFF, 0x55, 0xF8,               // call [ebp-8]             WaitForSingleObject
    0xFF, 0x55, 0xF4,               // call [ebp-12]            CloseHandle
    0x55,                           // push ebp                 lpFileName
    0xFF, 0x55, 0xF0,               // call [ebp-16]            DeleteFileA
    0x58,                           // pop eax                  stub start
    0x6A, 0x00,                     // push 0                   ExitThread exit code
    0x83, 0xEC, 0x04,               // sub esp,4                return slot for ExitThread
    0x68, 0x00, 0x80, 0x00, 0x00,   // push 0x8000              MEM_RELEASE
    0x6A, 0x00,                     // push 0                   dwSize
    0x50,                           // push eax                 lpAddress
    0xFF, 0x75, 0xEC,               // push [ebp-20]            ExitThread as return address
    0x8B, 0x45, 0xE8,               // mov eax,[ebp-24]         VirtualFree
    0xFF, 0xE0                      // jmp eax
};
#include <iostream>
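// Arranges for this executable to be deleted from disk after the process exits.
//
// Mechanism: a one-page buffer holding the code[] stub, five kernel32 entry
// points, a duplicated handle to this process and a copy of our own path is
// written into winlogon.exe and a remote thread runs the stub.  The stub waits
// on the process handle, so it deletes the file only after this process (and
// therefore the mapped image) is gone, then frees its page and exits.
//
// Requirements and caveats a caller should know:
//   * The process must be elevated.  SeDebugPrivilege is enabled here so that
//     winlogon.exe (a SYSTEM process) can be opened; AdjustTokenPrivileges
//     succeeds even when the privilege is not held, so the real check is
//     whether OpenProcess succeeds.
//   * The stub is 32-bit code and the buffer layout hard-codes 4-byte handles
//     and pointers, so a 64-bit build is rejected at compile time.
//   * Injecting a thread into winlogon.exe is a well-known malware technique
//     and is flagged by most AV/EDR products.  Consider this a proof of
//     concept rather than a production mechanism.
//   * kernel32 addresses resolved in this process are written into the target
//     unchanged; this relies on kernel32.dll sharing its load address across
//     processes (the case within one boot session).
//   * All Windows calls are checked.  On any failure the function returns
//     without deleting anything and leaves nothing behind in the target.
//
// Defects fixed relative to the original listing: the stub copy read codeLen
// (3832) bytes out of the 53-byte code[] array; tp.Privileges and szFileName
// had lost their array subscripts; no return value was checked, so a missing
// privilege or an absent winlogon.exe led to calls on NULL/0 handles; the
// local staging buffer and the remote page were both allocated RWX.
void DeleteMe()
{
#ifdef _WIN64
#error DeleteMe(): the injected stub in code[] and the buffer layout are 32-bit only
#endif
    // Remote page layout:
    //   [0, codeLen)                 stub bytes (code[]), rest zero
    //   codeLen-20 .. codeLen-4      VirtualFree, ExitThread, DeleteFileA,
    //                                CloseHandle, WaitForSingleObject
    //   codeLen                      duplicated handle to this process
    //   codeLen+4 .. codeLen+4+MAX_PATH  szFileName (the thread parameter)
    const SIZE_T dwSize  = 4096;
    const DWORD  codeLen = dwSize - MAX_PATH - sizeof(HANDLE);
    // Stored below the handle in the order the stub reads them: [ebp-8] ..
    // [ebp-24] with ebp = codeLen + 4, i.e. offsets codeLen-4 .. codeLen-20.
    static const char *const kImports[5] = {
        "WaitForSingleObject", "CloseHandle", "DeleteFileA", "ExitThread", "VirtualFree"
    };
    // Minimum rights for DuplicateHandle (target side), VirtualAllocEx /
    // VirtualProtectEx, WriteProcessMemory and CreateRemoteThread; the
    // original asked for PROCESS_ALL_ACCESS.
    const DWORD kTargetAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                                PROCESS_VM_READ | PROCESS_DUP_HANDLE;

    HANDLE  hProcess       = GetCurrentProcess();   // pseudo-handle, never closed
    HANDLE  hToken         = NULL;
    HANDLE  hSnapshot      = INVALID_HANDLE_VALUE;
    HANDLE  hTargetProcess = NULL;
    HANDLE  h              = NULL;                  // our process handle, as seen by the target
    HANDLE  hThread        = NULL;
    HMODULE hKernel32      = NULL;
    PBYTE   lpRemoteBuf    = NULL;
    PBYTE   pLocalBuf      = NULL;
    DWORD   dwProcessID    = 0;
    DWORD   cchPath        = 0;
    DWORD   dwOldProtect   = 0;
    CHAR    szFileName[MAX_PATH] = {'\0'};
    PROCESSENTRY32W  pe32  = { sizeof(PROCESSENTRY32W) };
    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof tp);

    // 1. Enable SeDebugPrivilege so a SYSTEM process can be opened.
    if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
        {
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
        }
        CloseHandle(hToken);
        hToken = NULL;
    }

    // 2. Full path of this executable.  A truncated path must not be used:
    //    DeleteFileA would then target the wrong name (or nothing).
    cchPath = GetModuleFileNameA(NULL, szFileName, MAX_PATH);
    if (cchPath == 0 || cchPath >= MAX_PATH)
        return;

    // 3. Locate winlogon.exe by image name (first match wins).
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;
    if (Process32FirstW(hSnapshot, &pe32))
    {
        do
        {
            if (0 == lstrcmpiW(pe32.szExeFile, L"winlogon.exe"))
            {
                dwProcessID = pe32.th32ProcessID;
                break;
            }
        } while (Process32NextW(hSnapshot, &pe32));
    }
    CloseHandle(hSnapshot);
    hSnapshot = INVALID_HANDLE_VALUE;
    if (dwProcessID == 0)
        return;

    // 4. Open the target; this is where a missing privilege shows up.
    hTargetProcess = OpenProcess(kTargetAccess, FALSE, dwProcessID);
    if (hTargetProcess == NULL)
        return;

    // 5. Give the target a real handle to this process so the stub can wait
    //    for our exit.  The value in h is only meaningful inside the target.
    if (!DuplicateHandle(hProcess, hProcess, hTargetProcess, &h, 0, FALSE, DUPLICATE_SAME_ACCESS))
        goto cleanup;

    // 6. Stage the page locally (read/write only; it is never executed here).
    //    VirtualAlloc(MEM_COMMIT) returns zeroed memory, so the area between the
    //    53 stub bytes and the pointer table needs no explicit padding.
    hKernel32 = GetModuleHandleA("kernel32");
    if (hKernel32 == NULL)
        goto cleanup;
    pLocalBuf = (PBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (pLocalBuf == NULL)
        goto cleanup;
    memcpy(pLocalBuf, code, sizeof code);   // sizeof code, not codeLen (out-of-bounds read)
    for (int i = 0; i < 5; ++i)
    {
        FARPROC fn = GetProcAddress(hKernel32, kImports[i]);
        if (fn == NULL)
            goto cleanup;
        *(FARPROC *)(pLocalBuf + codeLen - 4 * (i + 1)) = fn;
    }
    *(PHANDLE)(pLocalBuf + codeLen) = h;
    memcpy(pLocalBuf + codeLen + sizeof(HANDLE), szFileName, MAX_PATH);

    // 7. Copy the page into the target.  Write it as RW first and flip it to
    //    execute-only-read afterwards so the target never holds a writable,
    //    executable page (the stub only reads its table and frees the page).
    lpRemoteBuf = (PBYTE)VirtualAllocEx(hTargetProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteBuf == NULL)
        goto cleanup;
    if (!WriteProcessMemory(hTargetProcess, lpRemoteBuf, pLocalBuf, dwSize, NULL))
        goto cleanup;
    if (!VirtualProtectEx(hTargetProcess, lpRemoteBuf, dwSize, PAGE_EXECUTE_READ, &dwOldProtect))
        goto cleanup;

    // 8. Run the stub.  Its parameter is the file-name copy; it finds the handle
    //    and the pointer table at negative offsets from that address.
    hThread = CreateRemoteThread(hTargetProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)lpRemoteBuf,
                                 (LPVOID)(lpRemoteBuf + codeLen + sizeof(HANDLE)), 0, NULL);
    if (hThread == NULL)
        goto cleanup;
    CloseHandle(hThread);
    // Ownership of the remote page and of h now belongs to the stub, which
    // closes the handle and releases the page itself.
    lpRemoteBuf = NULL;
    h = NULL;

cleanup:
    if (pLocalBuf != NULL)
        VirtualFree(pLocalBuf, 0, MEM_RELEASE);
    if (lpRemoteBuf != NULL)
        VirtualFreeEx(hTargetProcess, lpRemoteBuf, 0, MEM_RELEASE);
    if (h != NULL)   // close the duplicate inside the target on the failure path
        DuplicateHandle(hTargetProcess, h, NULL, NULL, 0, FALSE, DUPLICATE_CLOSE_SOURCE);
    CloseHandle(hTargetProcess);
}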
// Program entry point: ask DeleteMe() to schedule removal of this executable,
// then exit so the injected stub's wait completes.  DeleteMe() reports nothing,
// so the exit status does not reflect whether the file will be deleted.
int main()
{
    DeleteMe();
    return 0;
}