[ZZ]一段删除自身的代码
1 #include <windows.h>
2
/*
 * DeleteMyself - arrange for this program's own executable file to be deleted
 * after the current process has exited.
 *
 * Mechanism, as written below:
 *   1. Open an inheritable SYNCHRONIZE handle to the current process.
 *   2. Start a helper process suspended, with handle inheritance enabled.
 *   3. Point the helper's primary thread at WaitForSingleObject and give it a
 *      hand-built stack whose return addresses chain
 *        WaitForSingleObject(hSYNC, INFINITE) -> DeleteFileW(own path)
 *        -> ExitProcess(0).
 *   4. Resume the thread. It blocks until this process exits, deletes the
 *      file and terminates; the thread is redirected before it has run, so it
 *      never reaches the helper program's own code.
 *
 * pHelper: command line of the helper process, or NULL to use L"calc.exe".
 *          At most MAX_PATH-2 characters of it are copied.
 * Returns: TRUE once the helper thread has been resumed; FALSE if
 *          CreateProcessW, either WriteProcessMemory call or SetThreadContext
 *          fails.
 *
 * Review notes:
 *  - 32-bit x86 only: the code uses CONTEXT.Eip / CONTEXT.Esp and lays out the
 *    stack for the stdcall convention of the 32-bit Win32 API.
 *  - The function addresses are resolved in THIS process and used in the
 *    helper, i.e. the code assumes Kernel32.dll is mapped at the same address
 *    in both processes.
 *  - The call sequence CreateProcessW(CREATE_SUSPENDED) -> VirtualAllocEx(
 *    PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> SetThreadContext ->
 *    ResumeThread is the thread-context-hijacking pattern (MITRE ATT&CK
 *    T1055.003), and the goal is file deletion of the running image
 *    (T1070.004). Endpoint monitoring commonly alerts on this sequence and on
 *    a stock system binary deleting the image of its just-exited parent.
 *  - An installer/uninstaller that only needs its file removed can use the
 *    documented MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT) instead, which
 *    does not write into another process.
 */
3 BOOL DeleteMyself(WCHAR *pHelper)
4 {
5 int ret;
/* Local, writable copy of the command line (CreateProcessW may modify the
 * buffer it is given). The buffer is zero-filled first, so the bounded
 * wcsncpy result is always NUL-terminated. */
6 WCHAR helper[MAX_PATH];
7 ZeroMemory(helper, sizeof(helper));
8 if (pHelper)
9 wcsncpy(helper, pHelper, MAX_PATH-2);
10 else
11 wcscpy(helper, L"calc.exe");
12
13 STARTUPINFOW si = {sizeof(STARTUPINFOW),0};
14 PROCESS_INFORMATION pi;
15
/* Inheritable handle (second argument TRUE) to the current process with
 * SYNCHRONIZE access only. The helper inherits it through bInheritHandles
 * below, and the same handle value is later placed on the helper's stack as
 * the object to wait on.
 * NOTE(review): the result is not checked and hSYNC is never closed in this
 * function. */
16 HANDLE hSYNC = OpenProcess(SYNCHRONIZE, TRUE, GetCurrentProcessId());
17
/* Helper is created suspended with bInheritHandles = TRUE, so its primary
 * thread has not executed anything yet when its context is rewritten. */
18 if (CreateProcessW(NULL, helper, 0, 0, TRUE, CREATE_SUSPENDED, 0, 0, &si, &pi))
19 {
/* Fetch the full register context of the suspended primary thread.
 * NOTE(review): ret is assigned but not tested before ctx is modified. */
20 CONTEXT ctx = {CONTEXT_FULL,0};
21 ret = GetThreadContext(pi.hThread, &ctx);
22
/* Full path of this executable; nPathLen is the length in characters as
 * returned by GetModuleFileNameW.
 * NOTE(review): a return of 0 (failure) or MAX_PATH (truncation) is not
 * handled. */
23 WCHAR MyselfPath[MAX_PATH];
24 int nPathLen = GetModuleFileNameW(NULL, MyselfPath, MAX_PATH);
25
/* Image of the helper thread's initial stack, one pointer-sized slot per
 * field, in ascending address order starting at the new ESP:
 *   DeleteFileW               return address of WaitForSingleObject
 *   WaitForSingleObject_argv1 wait handle
 *   WaitForSingleObject_argv2 timeout
 *   ExitProcess               return address of DeleteFileW
 *   DeleteFileW_argv1         pointer to the path string
 *   shit                      return-address slot of ExitProcess (set to 0)
 *   ExitProcess_argv1         exit code
 * Each stdcall callee pops its own arguments, which is what makes the next
 * field line up as the following call's return address. */
26 struct StackContext
27 {
28 DWORD_PTR DeleteFileW;
29 DWORD_PTR WaitForSingleObject_argv1;
30 DWORD_PTR WaitForSingleObject_argv2;
31 DWORD_PTR ExitProcess;
32 DWORD_PTR DeleteFileW_argv1;
33 DWORD_PTR shit;
34 DWORD_PTR ExitProcess_argv1;
35 }stackctx;
36
37 HMODULE hKernel32 = GetModuleHandleW(L"Kernel32.dll");
38
/* The helper thread will start executing at WaitForSingleObject. */
39 ctx.Eip = (DWORD_PTR)GetProcAddress(hKernel32, "WaitForSingleObject");
/* 512 KiB committed in the helper to serve as its stack; ESP is set to the
 * middle of the region, leaving 256 KiB below it for the frames of the called
 * functions and the space above it for stackctx.
 * NOTE(review): the VirtualAllocEx result is not checked, and the region is
 * requested as PAGE_EXECUTE_READWRITE. */
40 ctx.Esp = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, 512*1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
41 ctx.Esp += 256*1024;
42 stackctx.DeleteFileW = (DWORD_PTR)GetProcAddress(hKernel32, "DeleteFileW");
43 stackctx.WaitForSingleObject_argv1 = (DWORD_PTR)hSYNC;
/* (DWORD_PTR)-1 is the all-ones timeout value, i.e. wait without timeout. */
44 stackctx.WaitForSingleObject_argv2 = (DWORD_PTR)-1;
45 stackctx.ExitProcess = (DWORD_PTR)GetProcAddress(hKernel32, "ExitProcess");
/* Second allocation in the helper: room for the path plus its terminating
 * NUL, then the path is copied across. */
46 stackctx.DeleteFileW_argv1 = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, (nPathLen+1)*sizeof(WCHAR), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
47 ret = WriteProcessMemory(pi.hProcess, (LPVOID)stackctx.DeleteFileW_argv1, MyselfPath, (nPathLen+1)*sizeof(WCHAR), NULL);
/* NOTE(review): this and the two early returns below leave hSYNC, pi.hThread
 * and pi.hProcess open and the helper process suspended. */
48 if (!ret) return FALSE;
49
/* Return-address slot and exit code for ExitProcess; both are zero. */
50 stackctx.shit = 0;
51 stackctx.ExitProcess_argv1 = 0;
52
/* Copy the prepared stack image to the address the new ESP points at. */
53 ret = WriteProcessMemory(pi.hProcess, (LPVOID)(ctx.Esp), &stackctx, sizeof(stackctx), NULL);
54 if (!ret) return FALSE;
55
/* Install the modified Eip/Esp into the suspended thread. */
56 ret = SetThreadContext(pi.hThread, &ctx);
57 if (!ret) return FALSE;
58
/* Let the helper thread run (it blocks on hSYNC until this process exits),
 * then drop this process's handles to the helper. */
59 ResumeThread(pi.hThread);
60 CloseHandle(pi.hThread);
61 CloseHandle(pi.hProcess);
62 return TRUE;
63 }else
64 {
/* CreateProcessW failed: no helper exists, nothing was scheduled. */
65 return FALSE;
66 }
67 }
68
69
/*
 * Demo entry point: calls DeleteMyself() with no helper command line, so the
 * built-in default L"calc.exe" is used. The BOOL result is ignored and the
 * process exits with status 0 either way; it is this exit that releases the
 * helper's wait.
 */
int main()
{
    (void)DeleteMyself(NULL);
    return 0;
}