挥刀自宫术
本文来自:http://hi.baidu.com/zxhouse
一段自删除代码,写的很牛。
#include <windows.h>

/**
 * Arrange for this executable's file to be deleted after the current process
 * exits, by hijacking a freshly created helper process (x86 only).
 *
 * The helper is created suspended; before it runs a single instruction of
 * its own code, its main thread's Eip/Esp are redirected to a hand-built
 * stack frame in memory allocated inside the helper. The frame chains
 * WaitForSingleObject(<inherited handle to us>, INFINITE) -> DeleteFileW(<our path>)
 * -> ExitProcess(0). Because the SYNCHRONIZE handle obtained below is
 * inheritable and CreateProcessW is called with bInheritHandles=TRUE, the
 * helper blocks until this process is gone and the image is no longer in use.
 *
 * Defensive note: CREATE_SUSPENDED followed by VirtualAllocEx /
 * WriteProcessMemory / SetThreadContext / ResumeThread against the child is
 * the canonical thread-hijacking sequence; EDR telemetry and sandboxes key on
 * exactly this call chain, and the helper (calc.exe by default) never executes
 * its own entry point.
 *
 * @param pHelper  Command line of the helper process to create, or NULL to use
 *                 L"calc.exe" (resolved through the normal CreateProcess search).
 * @return TRUE once the helper has been resumed; FALSE if CreateProcessW or any
 *         WriteProcessMemory/SetThreadContext call fails.
 *
 * NOTE(review): only compiles for 32-bit targets — Eip/Esp exist only in the
 * x86 CONTEXT, and the frame layout assumes 4-byte stdcall argument slots.
 * NOTE(review): hSYNC, both VirtualAllocEx results and the GetThreadContext
 * return value are never checked; every early `return FALSE` after
 * CreateProcessW leaves the helper suspended and leaks pi.hThread/pi.hProcess.
 */
BOOL DeleteMyself(WCHAR *pHelper)
{
    int ret;
    WCHAR helper[MAX_PATH];
    // Zero first so the bounded copy below is always NUL-terminated
    // (wcsncpy itself does not guarantee termination).
    ZeroMemory(helper, sizeof(helper));
    if (pHelper)
        wcsncpy(helper, pHelper, MAX_PATH-2);
    else
        wcscpy(helper, L"calc.exe");
    STARTUPINFOW si = {sizeof(STARTUPINFOW),0};
    PROCESS_INFORMATION pi;
    // Inheritable handle on ourselves with SYNCHRONIZE only: this is what the
    // helper will wait on. It is never closed in this process.
    HANDLE hSYNC = OpenProcess(SYNCHRONIZE, TRUE, GetCurrentProcessId());
    // bInheritHandles=TRUE so hSYNC has the same value in the child;
    // CREATE_SUSPENDED so the thread context can be replaced before it runs.
    if (CreateProcessW(NULL, helper, 0, 0, TRUE, CREATE_SUSPENDED, 0, 0, &si, &pi))
    {
        CONTEXT ctx = {CONTEXT_FULL,0};
        ret = GetThreadContext(pi.hThread, &ctx);   // NOTE(review): ret is not examined
        WCHAR MyselfPath[MAX_PATH];
        // Full path of this image; nPathLen excludes the terminating NUL.
        int nPathLen = GetModuleFileNameW(NULL, MyselfPath, MAX_PATH);
        // Image of the x86 stack as the hijacked thread will see it at Esp.
        // Field order is the stack layout and must not be changed:
        //   [Esp+0]  return address used when WaitForSingleObject returns -> DeleteFileW
        //   [Esp+4]  WaitForSingleObject arg 1 (hSYNC)
        //   [Esp+8]  WaitForSingleObject arg 2 (INFINITE)
        //   [Esp+12] return address used when DeleteFileW returns -> ExitProcess
        //   [Esp+16] DeleteFileW arg 1 (remote copy of MyselfPath)
        //   [Esp+20] presumably the return-address slot ExitProcess sees (never used)
        //   [Esp+24] ExitProcess arg 1 (exit code 0)
        struct StackContext
        {
            DWORD_PTR DeleteFileW;
            DWORD_PTR WaitForSingleObject_argv1;
            DWORD_PTR WaitForSingleObject_argv2;
            DWORD_PTR ExitProcess;
            DWORD_PTR DeleteFileW_argv1;
            DWORD_PTR shit;
            DWORD_PTR ExitProcess_argv1;
        }stackctx;
        // kernel32 is mapped at the same base in every process of a session,
        // so addresses resolved here are valid inside the helper — an
        // assumption, not something verified by the code.
        HMODULE hKernel32 = GetModuleHandleW(L"Kernel32.dll");
        ctx.Eip = (DWORD_PTR)GetProcAddress(hKernel32, "WaitForSingleObject");
        // Fresh 512 KiB RWX region in the helper used as the thread's stack;
        // Esp is placed in the middle so calls have room to grow downward.
        // NOTE(review): a NULL result is not detected here.
        ctx.Esp = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, 512*1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        ctx.Esp += 256*1024;
        stackctx.DeleteFileW = (DWORD_PTR)GetProcAddress(hKernel32, "DeleteFileW");
        stackctx.WaitForSingleObject_argv1 = (DWORD_PTR)hSYNC;
        stackctx.WaitForSingleObject_argv2 = (DWORD_PTR)-1;   // INFINITE
        stackctx.ExitProcess = (DWORD_PTR)GetProcAddress(hKernel32, "ExitProcess");
        // Second remote allocation holds the path string DeleteFileW will read.
        stackctx.DeleteFileW_argv1 = (DWORD_PTR)VirtualAllocEx(pi.hProcess, 0, (nPathLen+1)*sizeof(WCHAR), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        ret = WriteProcessMemory(pi.hProcess, (LPVOID)stackctx.DeleteFileW_argv1, MyselfPath, (nPathLen+1)*sizeof(WCHAR), NULL);
        if (!ret) return FALSE;   // NOTE(review): helper stays suspended, handles leak
        stackctx.shit = 0;
        stackctx.ExitProcess_argv1 = 0;
        // Write the fake frame at the new Esp, then install the context.
        ret = WriteProcessMemory(pi.hProcess, (LPVOID)(ctx.Esp), &stackctx, sizeof(stackctx), NULL);
        if (!ret) return FALSE;
        ret = SetThreadContext(pi.hThread, &ctx);
        if (!ret) return FALSE;
        // From here on the helper runs only the chained kernel32 calls above.
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return TRUE;
    }else {
        return FALSE;
    }
}

/**
 * Entry point: schedule deletion of this executable using the default helper
 * (calc.exe), then exit normally so the helper's wait completes.
 */
int main()
{
    DeleteMyself(0);
    return 0;
}
// Tested on 2000/XP/2003/Vista (author's claim)
标题确实很邪恶。。。
To :Koma
兄弟,你的回复比代码邪恶多了。:)
有点像“标题党”,还以为某些同志被嫂子“河蟹”了一顿……
代码貌似十分邪恶!