滴水逆向联盟

标题: 基于Windows8与Visual Studio2012实现杀毒通用模块 [打印本页]

作者: 大灰狼 时间: 2014-9-29 08:41
标题: 基于Windows8与Visual Studio2012实现杀毒通用模块
基于Windows8与Visual Studio2012实现杀毒通用模块

分类： Windows8 Visual Studio2012 VC++编程技术 Visual C++2010编程技术 Visual Studio112012-07-16 15:34 1244人阅读评论(0) [url=]收藏[/url] 举报

windowsservicenullpathmicrosoftaccess

创建第一个Windows8应用程序，

Visual Studio 11效果如下

设计下列控件

针对程序进行命名

按钮插入下列代码实现杀毒，实现卸载驱动，删除文件，删除注册表，请见代码注释

[cpp] view plaincopy

WCHAR path[100];
// 需要删除的系统驱动及文件
WCHAR DeviceName[2][50] = { {"\\\\.\\slHBKernel"},
{"\\\\.\\slHBKernel32"} };
WCHAR ServiceName[2][50] = { {"HBKernel"},
{"HBKernel32"} };
WCHAR FileName[2][50] = { {"\\drivers\\HBKernel.sys"},
{"\\drivers\\HBKernel32.sys"} };
for ( int i=0; i<2; i++ )
{
HANDLE hDevice = CreateFile( DeviceName,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
DWORD dLen;
BOOL Driver_DEL = DeviceIoControl(
hDevice,
0x22E003,
NULL,
0,
NULL,
0,
&dLen,
NULL
);
CloseHandle(hDevice);
if ( Driver_DEL==TRUE )
{
printf("Virus Device Driver %s has been unloaded...\n", DeviceName);
}
SC_HANDLE scm = OpenSCManager(0, 0, 0x0F003F);
SC_HANDLE service = OpenService(scm, ServiceName, SERVICE_ALL_ACCESS|DELETE);
if ( service!=NULL )
{
if ( ControlService(service, 1, NULL) )
{
printf("The %s service has been stopped...\n", ServiceName);
}
if ( DeleteService(service) )
{
printf("The %s file has been removed from the SCM...\n", ServiceName);
}
}
CloseServiceHandle(service);
CloseServiceHandle(scm);
GetSystemDirectory(path, 100);
lstrcat(path, FileName);
if ( DeleteFile(path) )
{
printf("The %s file has been removed from the Disk...\n", FileName);
}
}
// 关闭HBInject程序的窗口
HWND hWnd = FindWindow(NULL, "HBInject");
if ( hWnd!=NULL )
{
SendMessage(hWnd, 0x10, NULL, NULL);
}
// 需要删除的文件
WCHAR files[][20] = { {"\\explore.exe"},
{"\\HBmhly.dll"},
{"\\System.exe"},
{"\\HBWOW.dll"},
{"\\Update.dat"}
};
for ( int j=0; j<5; j++ )
{
GetSystemDirectory(path, 100);
lstrcat(path, files[j]);
if ( DeleteFile(path) )
{
printf("The file %s has been removed from the Disk...\n", path);
}
}
// 需要删除的注册表键值
HKEY key = NULL;
if ( ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_ALL_ACCESS, &key) )
{
if ( RegDeleteValue(key, "HBService")==ERROR_SUCCESS )
{
printf("The HBService has been removed from the Registry...\n");
}
if ( RegDeleteValue(key, "HBService32")==ERROR_SUCCESS )
{
printf("The HBService32 has been removed from the Registry...\n");
}
}

欢迎光临滴水逆向联盟 (http://www.dtdebug.com/) Powered by Discuz! X3.2