Autor Thema: Bot Killer  (Gelesen 114 mal)
Syler
« am: September 19, 2008, 07:43:10 »

Dieses Programm durchsucht alle laufenden Prozesse mit Ausnahme derer auf der Black List und verwendet dann die Funktion ReadProcessMemory, um deren Speicher auf bestimmte Zeichenketten zu überprüfen. Es sollte sich einfach für andere Arten von unerwünschten Programmen anpassen lassen.

Code:
/*
        BotKiller
       Coded by a59
*/
#include <windows.h>
#include <tlhelp32.h>

#include <stdio.h>
#include <string.h>
 
/* Scan the address range [uStartAddr, uEndAddr] of the process described by
 * pe32 for the signatures in sSearch; a hit is reported on stdout and
 * KillBot() is invoked for that process. */
void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 );
/* Terminate the process described by pe32 and delete its executable image.
 * Destructive: the file is deleted, not quarantined. */
void KillBot( PROCESSENTRY32 pe32 );
 
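/* One detection signature.  szString is the NUL-terminated byte pattern
 * searched for in process memory (so it cannot itself contain a 0 byte) and
 * szBot the label printed when it is found.  Entries point at string
 * literals and are never written through, hence const.  The sSearch table
 * is terminated by a { NULL, NULL } entry. */
struct s_Search
{
   const char* szBot;
   const char* szString;
};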
 
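/* Signature table walked by DoSearch(); { NULL, NULL } marks the end.
 * Keep entries specific: a hit makes KillBot() terminate the process and
 * delete its executable, so a generic pattern is a destructive false
 * positive.  "[MAIN]", "[SCAN]" and "[FTP]" are ordinary INI-style section
 * names, and the first entry decodes to "RFB 003.008\n", the RFB/VNC
 * protocol version banner, which legitimate VNC software is likely to
 * carry in memory as well. */
s_Search sSearch[ ] =
{
   { "VNC Scanning Bot", "\x52\x46\x42\x20\x30\x30\x33\x2E\x30\x30\x38\x0A" },   /* "RFB 003.008\n" */
   { "RXBot", "[MAIN]" },
   { "RXBot", "[SCAN]" },
   { "RXBot", "[FTP]" },
   { "Unknown", "&echo bye" },
   { NULL, NULL }
};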
 
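/* Size of one ReadProcessMemory() chunk, and the overlap kept between
 * consecutive chunks so a signature straddling a chunk boundary is still
 * seen whole in the next one.  SCAN_OVERLAP must be at least as long as the
 * longest sSearch entry (12 bytes at present). */
enum { SCAN_CHUNK = 0x500, SCAN_OVERLAP = 64 };

/* Bounded byte-string search (a memmem() equivalent, which the Win32 CRT
 * lacks).  Unlike strstr() it does not stop at the first 0 byte, which
 * process memory is full of.  Returns 1 if needle[0..needle_len) occurs in
 * hay[0..hay_len), 0 otherwise; an empty needle never matches. */
static int find_bytes( const unsigned char *hay, size_t hay_len, const char *needle, size_t needle_len )
{
   if( needle_len == 0 || hay_len < needle_len )
      return 0;

   for( size_t i = 0; i + needle_len <= hay_len; i++ )
   {
      if( memcmp( hay + i, needle, needle_len ) == 0 )
         return 1;
   }

   return 0;
}

/*
 * Scan [uStartAddr, uEndAddr] of the process described by pe32 for every
 * signature in sSearch.  On the first hit the match is reported on stdout,
 * KillBot() is invoked (terminates the process and deletes its image) and
 * the scan of this process stops.  As before, the first unreadable page
 * ends the range.  Because KillBot() is destructive, a false positive costs
 * a running program and its executable.  No return value; failures are
 * printed.
 */
void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 )
{
   unsigned char Curbuf[ SCAN_CHUNK ] = { 0 };

   /* Least privilege for ReadProcessMemory(); may also be granted on
    * processes that refuse PROCESS_ALL_ACCESS. */
   HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID );
   if( hProcess == NULL )
   {
      printf( "Cannot open PID: %lu [ %s ] (error %lu)\n\n", (unsigned long)pe32.th32ProcessID, pe32.szExeFile, (unsigned long)GetLastError( ) );
      return;
   }

   printf( "Scanning PID: %lu [ %s ]\nStart Address: 0x%08lX End Address: 0x%08lX\n\n", (unsigned long)pe32.th32ProcessID, pe32.szExeFile, uStartAddr, uEndAddr );

   unsigned long uCurAddr = uStartAddr;
   while( uCurAddr <= uEndAddr )
   {
      /* Clip the read to the requested range.  The `+ 1` cannot overflow:
       * it only runs when fewer than SCAN_CHUNK bytes remain. */
      unsigned long uRemaining = uEndAddr - uCurAddr;
      SIZE_T nWant = ( uRemaining >= SCAN_CHUNK - 1 ) ? (SIZE_T)SCAN_CHUNK : (SIZE_T)uRemaining + 1;
      SIZE_T nRead = 0;

      if( !ReadProcessMemory( hProcess, (LPCVOID)uCurAddr, Curbuf, nWant, &nRead ) || nRead == 0 )
         break;   /* first unreadable page ends the range, as before */

      for( int c = 0; sSearch[ c ].szString != NULL; c++ )
      {
         if( find_bytes( Curbuf, nRead, sSearch[ c ].szString, strlen( sSearch[ c ].szString ) ) )
         {
            printf( "Found string \"%s\" in \"%s\" bot \"%s\"\n\n", sSearch[ c ].szString, pe32.szExeFile, sSearch[ c ].szBot );
            KillBot( pe32 );
            CloseHandle( hProcess );
            return;   /* one kill per process; nothing left to read */
         }
      }

      /* A clipped read means the end of the range was reached.  Otherwise
       * uRemaining >= SCAN_CHUNK - 1 > the step, so the add cannot overflow. */
      if( nWant < SCAN_CHUNK )
         break;
      uCurAddr += SCAN_CHUNK - SCAN_OVERLAP;
   }

   CloseHandle( hProcess );
}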
 
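/*
 * Terminate the process described by pe32 and delete its main executable
 * image.  The image path is taken from the module whose name equals
 * pe32.szExeFile (compared case-insensitively, as Windows file names are).
 * Destructive and irreversible: the file is deleted rather than moved to a
 * quarantine directory, so no sample survives for later analysis.
 * Progress and errors are printed to stdout; no return value.
 */
void KillBot( PROCESSENTRY32 pe32 )
{
   HANDLE hPath = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe32.th32ProcessID );
   if( hPath == INVALID_HANDLE_VALUE )
   {
      printf( "Cannot snapshot modules of PID %lu (error %lu)\n", (unsigned long)pe32.th32ProcessID, (unsigned long)GetLastError( ) );
      return;
   }

   MODULEENTRY32 me32 = { 0 };
   me32.dwSize = sizeof( me32 );

   for( BOOL bMore = Module32First( hPath, &me32 ); bMore; bMore = Module32Next( hPath, &me32 ) )
   {
      if( lstrcmpiA( pe32.szExeFile, me32.szModule ) != 0 )
         continue;

      /* Clear read-only and similar attributes so DeleteFile() is not refused. */
      SetFileAttributes( me32.szExePath, FILE_ATTRIBUTE_NORMAL );

      /* Only the rights TerminateProcess() and WaitForSingleObject() need. */
      HANDLE hKillProcess = OpenProcess( PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pe32.th32ProcessID );
      if( hKillProcess == NULL )
      {
         printf( "Cannot open PID %lu for termination (error %lu)\n", (unsigned long)pe32.th32ProcessID, (unsigned long)GetLastError( ) );
         break;
      }

      if( !TerminateProcess( hKillProcess, 0 ) )
      {
         /* The image stays mapped while the process lives, so deleting it
          * would fail anyway; report instead. */
         printf( "TerminateProcess failed for PID %lu (error %lu)\n", (unsigned long)pe32.th32ProcessID, (unsigned long)GetLastError( ) );
      }
      else
      {
         /* Wait (bounded) for the process to actually exit; a fixed Sleep()
          * raced against teardown and could leave the image still mapped. */
         WaitForSingleObject( hKillProcess, 5000 );

         if( DeleteFile( me32.szExePath ) )
            printf( "Terminated and deleted %s\n", me32.szExePath );
         else
            printf( "Terminated PID %lu but could not delete %s (error %lu)\n", (unsigned long)pe32.th32ProcessID, me32.szExePath, (unsigned long)GetLastError( ) );
      }

      CloseHandle( hKillProcess );
      break;   /* the main module occurs once; nothing more to do */
   }

   CloseHandle( hPath );
}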
 
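/*
 * Entry point: enumerate every running process, skip the ones on the block
 * list (a few system processes and this scanner itself) and run DoSearch()
 * over each remaining process's conventional 32-bit image-base ranges.
 * Returns 0 after the scan, 1 if the own file name or the process snapshot
 * cannot be obtained; errors are printed to stdout.
 */
int main( void )
{
   /* Own image name, so the scanner never inspects (or kills) itself.
    * GetModuleFileName() yields a full path while pe32.szExeFile is a bare
    * file name, so strip the directory before comparing. */
   char szFile[ MAX_PATH ] = { 0 };
   DWORD dwLen = GetModuleFileName( GetModuleHandle( NULL ), szFile, sizeof( szFile ) );
   if( dwLen == 0 || dwLen >= sizeof( szFile ) )
   {
      printf( "Cannot determine own file name (error %lu)\n", (unsigned long)GetLastError( ) );
      return 1;
   }
   const char* szSelf = strrchr( szFile, '\\' );
   szSelf = szSelf ? szSelf + 1 : szFile;

   const char* szBlockList[ ] = { "explorer.exe", "hidserv.exe", "WINLOGON.EXE", "SERVICES.EXE", szSelf };

   /* Conventional image-base ranges of 32-bit executables; a process whose
    * image is mapped elsewhere is not covered by this scan. */
   static const struct { unsigned long lo, hi; } aRanges[ ] =
   {
      { 0x00400000, 0x004FFFFF },
      { 0x00100000, 0x001FFFFF },
   };

   HANDLE hProcess = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
   if( hProcess == INVALID_HANDLE_VALUE )
   {
      printf( "Cannot snapshot processes (error %lu)\n", (unsigned long)GetLastError( ) );
      return 1;
   }

   PROCESSENTRY32 pe32 = { 0 };
   pe32.dwSize = sizeof( pe32 );

   for( BOOL bMore = Process32First( hProcess, &pe32 ); bMore; bMore = Process32Next( hProcess, &pe32 ) )
   {
      Sleep( 250 );

      /* Exact, case-insensitive match: Windows file names are
       * case-insensitive, and a substring test would also exclude any
       * process whose name merely appears inside a block-list entry. */
      bool bSkip = false;
      for( size_t i = 0; i < sizeof( szBlockList ) / sizeof( szBlockList[ 0 ] ); i++ )
      {
         if( lstrcmpiA( szBlockList[ i ], pe32.szExeFile ) == 0 )
         {
            bSkip = true;
            break;
         }
      }
      if( bSkip )
         continue;

      for( size_t r = 0; r < sizeof( aRanges ) / sizeof( aRanges[ 0 ] ); r++ )
         DoSearch( aRanges[ r ].lo, aRanges[ r ].hi, pe32 );
   }

   CloseHandle( hProcess );

   printf( "Done scanning, press ENTER to exit this program.\n" );
   getchar( );

   return 0;
}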
