2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
For a more detailed report, see 360Analysis: http://bobao.360.cn/learning/detail/3453.html
Note: how foolish of me, I cropped a bunch of pictures, but it seems there are too many to upload. Only text can be included.
1. Obtain the system version information
(1) GetFileVersionInfoSizeW(), GetFileVersionInfoW() and VerQueryValueW() are used together to read the file's version properties. The data is selected mainly through the second parameter of VerQueryValueW().
About the second parameter: the sample passes "/", so the VS_FIXEDFILEINFO structure is returned.
2. Obtain the volume label information and save it; it is used later as the encryption key
Done through GetVolumeInformationW.
3. GetProcAddress() resolves the addresses of the three functions RtlComputeCrc32, memset and memcpy.
4. Read the command line and check whether it starts with "/u"; then check whether the mutex already exists and exit if it does. If it does not exist, create it.
5. If the process was started with the parameter /u, a series of actions is performed:
(1) Use wmic to delete the volume shadow copies and disable automatic repair at boot.
The commands explained:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
After the above command is executed, all restore points of the system are cleared.
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
The above two commands disable startup repair at boot.
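These three commands are the clearest host-side signal for this stage of the sample, so a detection rule over process-creation events is the natural defensive counterpart. The following Python is an added example and not part of the report: it runs a small set of regular-expression rules over a few constructed process-creation events and reports any parent process that triggers more than one of them. The event format ("parent -> image | command line"), the rule names and all sample values are my own assumptions.

```python
import re

# Constructed process-creation events (not from the report); format is
# "parent -> image | command line". The parent name "sample.exe" is invented.
SAMPLE_EVENTS = [
    "explorer.exe -> notepad.exe | notepad.exe C:\\Users\\victim\\notes.txt",
    "sample.exe -> cmd.exe | cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "sample.exe -> bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no",
    "sample.exe -> bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "backup-agent.exe -> vssadmin.exe | vssadmin.exe list shadows",
]

# Each rule is (name, regex). Regexes are applied to a lower-cased command line with
# runs of whitespace collapsed, so spacing and case variations still match.
RULES = [
    ("shadow-copy-deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("recovery-disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("boot-failures-ignored",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
]


def parse_event(line):
    """Split one constructed event line into parent image, child image and command line."""
    parent_image, cmdline = line.split(" | ", 1)
    parent, image = (part.strip() for part in parent_image.split("->", 1))
    return {"parent": parent, "image": image, "cmdline": cmdline.strip()}


def normalise(cmdline):
    """Collapse whitespace and lower-case so the rules are robust to formatting."""
    return " ".join(cmdline.split()).lower()


def match_rules(cmdline):
    """Names of all rules the command line matches (empty list if benign)."""
    text = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(events):
    """(parent, rule_name) pairs for every matching event."""
    findings = []
    for line in events:
        ev = parse_event(line)
        for rule in match_rules(ev["cmdline"]):
            findings.append((ev["parent"], rule))
    return findings


def suspicious_parents(events, threshold=2):
    """Parents that fired at least `threshold` distinct rules: a single vssadmin call
    may be an admin or a backup tool, but the combination seen in the sample is not."""
    rules_by_parent = {}
    for parent, rule in scan(events):
        rules_by_parent.setdefault(parent, set()).add(rule)
    return sorted(p for p, rules in rules_by_parent.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

Keying the verdict on the parent rather than on the individual child process is what keeps the benign `vssadmin.exe list shadows` from the backup agent out of the result; in a real pipeline the parent field would come from the EDR or Sysmon event rather than from a constructed string.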
(2) Delete the registry value IsShortcut so that the small arrow overlay on normal application and data-file shortcuts is no longer displayed.
Instructions for using IsShortcut:
6. The CreateStreamOnHGlobal function creates a stream object over the specified memory. After successful creation, get the number of drives and traverse them.
GetLogicalDrives() returns the logical drive letters present in the system as a bitmask: bit 0 set to 1 means drive A: exists, bit 1 set to 1 means drive B: exists, and so on.
GetDriveTypeW() returns the type of the logical disk (the type descriptions were shown in a figure that is not included here).
The drive type obtained is passed in as the second argument of the next function.
If the drive type value is 2 or 3, that is, removable media or a fixed (non-removable) disk, proceed to the next step.
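To follow this stage in a debugger it helps to be able to turn the raw mask and the per-drive type values into the list of volumes the sample will actually descend into. The Python below is an added example, not code from the report: it decodes the GetLogicalDrives() bitmask, rebuilds a mask from drive roots, and applies the type-2/type-3 filter described above. The DRIVE_* numbers are the documented GetDriveTypeW return values; the mask 0x3C and the per-drive types are constructed observations, since the real calls only exist on Windows.

```python
# GetDriveTypeW return values (documented Windows constants).
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6

# Constructed debugger observation (assumption for the demo): the mask returned by
# GetLogicalDrives() and the type a later GetDriveTypeW() loop returned per root.
OBSERVED_MASK = 0x3C          # bits 2..5 set -> C:, D:, E:, F:
OBSERVED_TYPES = {
    "C:\\": DRIVE_FIXED,
    "D:\\": DRIVE_CDROM,
    "E:\\": DRIVE_REMOVABLE,
    "F:\\": DRIVE_REMOTE,
}


def drives_from_mask(mask):
    """Decode the GetLogicalDrives() layout: bit 0 -> A:\\, bit 1 -> B:\\, ... bit 25 -> Z:\\."""
    return [chr(ord("A") + bit) + ":\\" for bit in range(26) if mask & (1 << bit)]


def mask_from_drives(roots):
    """Inverse of drives_from_mask, useful for building test inputs from a drive list."""
    mask = 0
    for root in roots:
        letter = root[0].upper()
        if not "A" <= letter <= "Z":
            raise ValueError(f"bad drive root: {root!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def in_scope_drives(mask, drive_types, wanted=(DRIVE_REMOVABLE, DRIVE_FIXED)):
    """Roots the sample's filter keeps: present in the mask AND of type 2 or 3.
    drive_types maps root -> GetDriveTypeW value; a root with no entry is treated as
    DRIVE_UNKNOWN and therefore skipped."""
    return [root for root in drives_from_mask(mask)
            if drive_types.get(root, DRIVE_UNKNOWN) in wanted]


def skipped_drives(mask, drive_types, wanted=(DRIVE_REMOVABLE, DRIVE_FIXED)):
    """Roots present in the mask that the filter drops (CD-ROM, network, RAM disk, ...)."""
    kept = set(in_scope_drives(mask, drive_types, wanted))
    return [root for root in drives_from_mask(mask) if root not in kept]


if __name__ == "__main__":
    print("present :", drives_from_mask(OBSERVED_MASK))
    print("in scope:", in_scope_drives(OBSERVED_MASK, OBSERVED_TYPES))
    print("skipped :", skipped_drives(OBSERVED_MASK, OBSERVED_TYPES))
```

Note that mapped network drives (type 4) are dropped by this filter; the report describes network resources being reached later through WNetOpenEnumW/WNetEnumResourceW instead, so the two code paths should be examined separately when scoping what a victim host would have lost.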
7. Filter directories and specified folders
Excluded folders: windows, program files, program files (x86), games.
8. Filter the file types to be encrypted
22 file formats are involved.
9. CryptAcquireContextW() obtains the CSP container handle and stores it at the global address 405EB0; if that succeeds, a key at 00405EA8 is decrypted and the decrypted key is imported.
10. Encrypt files
Remove the mark-of-the-web metadata that third-party downloads carry by deleting the Zone.Identifier stream, so that the system does not warn that the file is untrusted.
Traverse the files on the disks.
Calculate the CRC32 value of the hard disk serial number.
Get the volume serial number.
Generate shortcuts in the system folders using the following command-line format string (%s placeholders are filled in at runtime):
/c explorer.exe "%s" & type "%s" > "%tmp%\%s" & start "%s" "%tmp%\%s"
Use WNetOpenEnumW and WNetEnumResourceW to move laterally by traversing network resources.
Use SHChangeNotify to notify the system to update file association information.
Exit the program.
Reference: http://blog.csdn.net/wowolook/article/details/8263001
WINSHELLAPI void WINAPI SHChangeNotify(
    LONG    wEventID,   // the event type
    UINT    uFlags,     // flags describing how dwItem1 and dwItem2 are to be interpreted
    LPCVOID dwItem1,    // first event-dependent value
    LPCVOID dwItem2     // second event-dependent value
);
1. The values of wEventID are as follows:
SHCNE_ASSOCCHANGED: a file association was changed
SHCNE_ATTRIBUTES: file attributes were changed
SHCNE_CREATE: a new file was created
SHCNE_DELETE: a file was deleted
SHCNE_DRIVEADD: a network drive was added
SHCNE_DRIVEADDGUI: a network drive was added through the GUI
SHCNE_DRIVEREMOVED: a network drive was removed
SHCNE_INTERRUPT: the event is handled as a system interrupt
SHCNE_MEDIAINSERTED: removable media, such as a CD-ROM, was inserted
SHCNE_MEDIAREMOVED: removable media, such as a CD-ROM, was removed
SHCNE_MKDIR: a new directory was created
SHCNE_NETSHARE: a resource was shared on the network
SHCNE_NETUNSHARE: a resource is no longer shared on the network
SHCNE_RENAMEFOLDER: a folder was renamed
SHCNE_RENAMEITEM: an item in a folder was renamed
SHCNE_RMDIR: a directory was deleted
SHCNE_SERVERDISCONNECT: the connection to a network server was lost
SHCNE_UPDATEDIR: the contents of a directory were updated
SHCNE_UPDATEIMAGE: an image in the system's global image list was changed
SHCNE_UPDATEITEM: the list of printers or files was changed
2. The values of uFlags are as follows:
SHCNF_DWORD: dwItem1 and dwItem2 are DWORD values
SHCNF_FLUSH: flush the system event buffer and return only after the system has processed the given event
SHCNF_FLUSHNOWAIT: flush the system event buffer and return immediately
SHCNF_IDLIST: dwItem1 and dwItem2 are addresses of item identifier lists
SHCNF_PATH: dwItem1 and dwItem2 are path addresses
SHCNF_PRINTER: dwItem1 and dwItem2 are friendly printer names
3. The function does not return a value.
When started without a command-line parameter:
1. Get the CSP container handle and decrypt the hard-coded data that holds the AES key.
2. Write the key to a file.
3. Find files and network resources.
4. Open the ransom page.
5. Obtain the privileges needed to delete the volume shadow copies and the shortcut icons; if the privileges are insufficient, re-launch through cmd runas.
6. Generate the HTML file and copy it to another directory:
0012FEE8 0018F078 UNICODE "\CH04F-A3AHT-XFTZT-OTFFT-HAYYY.HTML"
In many applications, a CSIDL can be combined with one of the following flags:
CSIDL_FLAG_CREATE ($8000)
Windows 2000: if the folder referenced by this CSIDL does not exist, create it.
CSIDL_FLAG_DONT_VERIFY ($4000)
Windows 2000: use this CSIDL regardless of whether the referenced folder exists.
CSIDL_ADMINTOOLS ($30)
Represents the Administrative Tools system folder for the current user
CSIDL_ALTSTARTUP ($1D)
Unknown
CSIDL_APPDATA ($1A)
Represents the application data folder for the current user, for example: C:\Documents and Settings\username\Application Data
CSIDL_BITBUCKET ($A)
Represents the Recycle Bin
CSIDL_COMMON_ADMINTOOLS ($2F)
Represents the Administrative Tools system folder for all users
CSIDL_COMMON_ALTSTARTUP ($1D)
Represents the alternate startup folder for all users (only Windows NT systems are supported)
CSIDL_COMMON_APPDATA ($23)
Represents the application data folder for all users, for example: C:\Documents and Settings\All Users\Application Data
CSIDL_COMMON_DESKTOPDIRECTORY ($19)
Represents the Desktop folder for all users, for example: C:\Documents and Settings\All Users\Desktop
CSIDL_COMMON_DOCUMENTS ($2E)
Represents the My Documents folder for all users, for example: C:\Documents and Settings\All Users\Documents
CSIDL_COMMON_FAVORITES ($1F)
Represents the Favorites folder for all users
CSIDL_COMMON_PROGRAMS ($17)
Represents the Programs folder for all users, for example: C:\Documents and Settings\All Users\Start Menu\Programs
CSIDL_COMMON_STARTMENU ($16)
Represents the Start Menu folder for all users, for example: C:\Documents and Settings\All Users\Start Menu
CSIDL_COMMON_STARTUP ($18)
Represents the Startup folder for all users, for example: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
CSIDL_COMMON_TEMPLATES ($2D)
Represents the Templates folder for all users, for example: C:\Documents and Settings\All Users\Templates
CSIDL_CONTROLS ($3)
Represents the Control Panel folder
CSIDL_COOKIES ($21)
Represents the Internet Explorer cookies folder of the current user, for example: C:\Documents and Settings\username\Cookies
CSIDL_DESKTOP ($0)
Represents the Desktop virtual folder, the root that contains everything on the computer
CSIDL_DESKTOPDIRECTORY ($10)
Represents the Desktop folder of the current user, for example: C:\Documents and Settings\username\Desktop
CSIDL_DRIVES ($11)
Represents the My Computer virtual folder, which contains all the drives on the computer
CSIDL_FAVORITES ($6)
Represents the Favorites folder of the current user, for example: C:\Documents and Settings\username\Favorites
CSIDL_FONTS ($14)
Represents the system Fonts folder, for example: C:\WINNT\Fonts
CSIDL_HISTORY ($22)
Represents the Internet Explorer History folder
CSIDL_INTERNET ($1)
Represents the Internet virtual folder
CSIDL_INTERNET_CACHE ($20)
Represents the Internet Explorer cache folder of the current user, for example: C:\Documents and Settings\username\Temporary Internet Files
CSIDL_LOCAL_APPDATA ($1C)
Represents the local application data folder of the current user, for example: C:\Documents and Settings\username\Local Settings\Application Data
CSIDL_MYMUSIC
Represents the folder where the current user stores music files, for example: C:\Documents and Settings\User\My Documents\My Music
CSIDL_MYPICTURES ($27)
Represents the folder where the current user stores image files, for example: C:\Documents and Settings\username\My Documents\My Pictures
CSIDL_NETHOOD ($13)
Represents the folder holding the current user's network shortcuts, for example: C:\Documents and Settings\username\NetHood
CSIDL_NETWORK ($12)
Represents the Network Neighborhood virtual folder
CSIDL_PERSONAL ($5)
Represents the current user's My Documents folder, for example: C:\Documents and Settings\username\My Documents
CSIDL_PRINTERS ($4)
Points to the Printers virtual folder
CSIDL_PRINTHOOD ($1B)
Represents the folder holding the current user's network printer shortcuts, for example: C:\Documents and Settings\username\PrintHood
CSIDL_PROFILE ($28)
Represents the profile folder of the current user
CSIDL_PROGRAM_FILES ($26)
Represents the Program Files folder, for example: C:\Program Files
CSIDL_PROGRAM_FILES_COMMON ($2B)
Represents the folder for components shared between programs, for example: C:\Program Files\Common
CSIDL_PROGRAMS ($2)
Represents the current user's Programs menu folder, for example: C:\Documents and Settings\username\Start Menu\Programs
CSIDL_RECENT ($8)
Represents the current user's Documents menu folder, for example: C:\Documents and Settings\username\Start Menu\Programs
CSIDL_SENDTO ($9)
Represents the SendTo folder of the current user, for example: C:\Documents and Settings\username\SendTo
CSIDL_STARTMENU ($B)
Represents the Start Menu folder of the current user, for example: C:\Documents and Settings\username\Start Menu
CSIDL_STARTUP ($7)
Represents the Startup menu folder of the current user, for example: C:\Documents and Settings\username\Start Menu\Programs\Startup
CSIDL_SYSTEM ($25)
Represents the Windows system folder, for example: C:\WINNT\SYSTEM32
CSIDL_TEMPLATES ($15)
Represents the folder where document templates are stored
CSIDL_WINDOWS ($24)
Represents the Windows directory, for example: C:\WINNT
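When the ransom HTML is dropped into a system folder, the argument to a shell folder-lookup call such as SHGetFolderPathW shows up in the disassembly as a raw number, with the flag bits from the top of this list OR-ed into the high byte. The Python below is an added example, not code from the report or from Windows: it decodes such a value into the folder name and flags using the constants listed above. The table only covers the identifiers whose values appear on this page, and the sample inputs in the test are constructed.

```python
# Flag bits from the list above; they occupy the high byte of a CSIDL value.
CSIDL_FLAG_CREATE = 0x8000
CSIDL_FLAG_DONT_VERIFY = 0x4000
CSIDL_FLAG_MASK = 0xFF00        # high byte = flags, low byte = folder identifier
KNOWN_FLAGS = CSIDL_FLAG_CREATE | CSIDL_FLAG_DONT_VERIFY

# Folder identifiers with their values as given in the list above.
CSIDL_NAMES = {
    0x00: "CSIDL_DESKTOP", 0x01: "CSIDL_INTERNET", 0x02: "CSIDL_PROGRAMS",
    0x03: "CSIDL_CONTROLS", 0x04: "CSIDL_PRINTERS", 0x05: "CSIDL_PERSONAL",
    0x06: "CSIDL_FAVORITES", 0x07: "CSIDL_STARTUP", 0x08: "CSIDL_RECENT",
    0x09: "CSIDL_SENDTO", 0x0A: "CSIDL_BITBUCKET", 0x0B: "CSIDL_STARTMENU",
    0x10: "CSIDL_DESKTOPDIRECTORY", 0x11: "CSIDL_DRIVES", 0x12: "CSIDL_NETWORK",
    0x13: "CSIDL_NETHOOD", 0x14: "CSIDL_FONTS", 0x15: "CSIDL_TEMPLATES",
    0x16: "CSIDL_COMMON_STARTMENU", 0x17: "CSIDL_COMMON_PROGRAMS",
    0x18: "CSIDL_COMMON_STARTUP", 0x19: "CSIDL_COMMON_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA", 0x1B: "CSIDL_PRINTHOOD", 0x1C: "CSIDL_LOCAL_APPDATA",
    0x1F: "CSIDL_COMMON_FAVORITES", 0x20: "CSIDL_INTERNET_CACHE",
    0x21: "CSIDL_COOKIES", 0x22: "CSIDL_HISTORY", 0x23: "CSIDL_COMMON_APPDATA",
    0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES",
    0x27: "CSIDL_MYPICTURES", 0x28: "CSIDL_PROFILE",
    0x2B: "CSIDL_PROGRAM_FILES_COMMON", 0x2D: "CSIDL_COMMON_TEMPLATES",
    0x2E: "CSIDL_COMMON_DOCUMENTS", 0x2F: "CSIDL_COMMON_ADMINTOOLS",
    0x30: "CSIDL_ADMINTOOLS",
}


def decode_csidl(value):
    """Return (folder_name, [flag names]) for a raw CSIDL argument.

    Unknown folder ids and unknown high-byte bits are reported rather than hidden,
    so a value this table does not cover is still visible to the analyst."""
    if value < 0 or value > 0xFFFF:
        raise ValueError(f"not a CSIDL value: {value:#x}")
    flags = []
    if value & CSIDL_FLAG_CREATE:
        flags.append("CSIDL_FLAG_CREATE")
    if value & CSIDL_FLAG_DONT_VERIFY:
        flags.append("CSIDL_FLAG_DONT_VERIFY")
    unknown_bits = value & CSIDL_FLAG_MASK & ~KNOWN_FLAGS
    if unknown_bits:
        flags.append(f"UNKNOWN_FLAG_0x{unknown_bits:04X}")
    base = value & 0x00FF
    name = CSIDL_NAMES.get(base, f"CSIDL_UNKNOWN_0x{base:02X}")
    return name, flags


def format_csidl(value):
    """Render the decoded value the way it would be written in source: NAME | FLAG | ..."""
    name, flags = decode_csidl(value)
    return " | ".join([name] + flags)


if __name__ == "__main__":
    # Constructed values, as they might be read off a push instruction before the call.
    for raw in (0x1C, 0x801A, 0xC026, 0x0119):
        print(f"{raw:#06x} -> {format_csidl(raw)}")
```

Reporting unknown high-byte bits explicitly matters because later Windows versions define additional CSIDL_FLAG_* values that this page does not list; a decoder that silently masked them off would misreport the call.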