Blast's Security Lab
3 Aug 2009
不小心打开了一个样本,还好,它只是IFEO了一大堆程序,IFEO是什么?Image File Execution Options的简称,能够劫持指定的程序,本着自己动手丰衣足食的精神,写了个小程序,下次就不用手动地去删除了。(frm文件,pjt自己定义,主窗体无图标。)
VERSION 5.00
Begin VB.Form frmIFEO
BorderStyle = 3 'Fixed Dialog
Caption = "IFEO Manage"
ClientHeight = 5100
ClientLeft = 45
ClientTop = 330
ClientWidth = 6825
Icon = "frmDIFEO.frx":0000
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 5100
ScaleWidth = 6825
ShowInTaskbar = 0 'False
StartUpPosition = 3 '窗口缺省
Begin VB.CommandButton cmdDelete
Caption = "Delete"
Height = 495
Left = 4080
TabIndex = 2
Top = 4440
Width = 1215
End
Begin VB.ListBox lstLog
Height = 4200
Left = 120
TabIndex = 1
Top = 120
Width = 6495
End
Begin VB.CommandButton cmdCheck
Caption = "Check"
Height = 495
Left = 5400
TabIndex = 0
Top = 4440
Width = 1215
End
End
Attribute VB_Name = "frmIFEO"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
' Win32 registry API (ANSI entry points) used by cmdCheck_Click and cmdDelete_Click.
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
' lpData is declared As Any; the call sites pass a fixed-length String ByVal so the
' API writes straight into that buffer. lpcbData is in/out: the API overwrites it
' with the number of bytes actually returned.
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long ' Note that if you declare the lpData parameter as String, you must pass it By Value.
' Index-based subkey enumeration; the index is owned by the caller, so deleting a
' subkey while enumerating shifts the indices of the keys that follow it.
Private Declare Function RegEnumKey Lib "advapi32.dll" Alias "RegEnumKeyA" (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpName As String, ByVal cbName As Long) As Long
' Removes the whole named subkey (every value under it), not only the "Debugger" value.
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
' Predefined root handle HKEY_LOCAL_MACHINE.
Private Const HKLM = &H80000002
'Typically ifeos are located at here:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
' A "Debugger" value under one of these subkeys makes Windows start that program
' instead of (and with) the named image, which is the hijack this form looks for.
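Private Sub cmdDelete_Click()
    ' Delete the IFEO subkey(s) that are selected in lstLog.
    ' The registry is re-enumerated rather than trusted from the list alone, so a
    ' subkey is only removed if it still exists and still carries a "Debugger" value.
    ' Fixes over the previous version: a failed RegOpenKey on a subkey no longer
    ' leaves a stale handle in use; RegDeleteKey's result is checked and failures are
    ' logged; and the enumeration index is not advanced after a deletion, which
    ' previously skipped the subkey following a deleted one.
    Dim hKey As Long, ret As Long, dwIndex As Long, lpName As String * 512, szKeyValue As String, szTemp As String * 512
    Dim retn As Long, retn2 As Long, hKey2 As Long, Count As Integer
    Dim cbData As Long, bDeleted As Boolean
    Const cbName As Long = 512

    If RegOpenKey(HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\", hKey) <> 0 Then
        AddLog "Can't find IFEO reg entry."
        Exit Sub
    End If

    ret = RegEnumKey(hKey, dwIndex, lpName, cbName)
    While (ret = 0)
        bDeleted = False
        ' lpName is a fixed-length buffer; cut it at the first NUL to get the key name.
        szKeyValue = Left(lpName, InStr(lpName, Chr(0)) - 1)
        retn2 = RegOpenKey(hKey, szKeyValue & "\", hKey2)
        If retn2 = 0 Then
            ' RegQueryValueEx overwrites the size argument, so pass a fresh variable each time.
            cbData = cbName
            retn = RegQueryValueEx(hKey2, "Debugger", 0&, 1&, ByVal szTemp, cbData)
            ' Close our handle on the subkey before attempting to delete it.
            RegCloseKey hKey2
            ' Only subkeys that carry a "Debugger" value are candidates (value type is not checked).
            If retn = 0 Then
                For Count = 0 To lstLog.ListCount - 1
                    If lstLog.Selected(Count) = True Then
                        If szKeyValue = lstLog.List(Count) Then
                            If RegDeleteKey(hKey, szKeyValue) = 0 Then
                                lstLog.RemoveItem Count
                                bDeleted = True
                            Else
                                ' Fails e.g. on insufficient rights or when the subkey has
                                ' subkeys of its own; report it instead of silently moving on.
                                AddLog "Can't delete: " & szKeyValue
                            End If
                            Exit For
                        End If
                    End If
                Next Count
            End If
        Else
            AddLog "Can't open: " & szKeyValue
        End If
        ' Deleting subkey dwIndex shifts the remaining subkeys down by one, so the same
        ' index has to be enumerated again; advancing it would skip the next key.
        If Not bDeleted Then dwIndex = dwIndex + 1
        ret = RegEnumKey(hKey, dwIndex, lpName, cbName)
    Wend
    ret = RegCloseKey(hKey)
    MsgBox "完成清理。", vbInformation + vbOKOnly, "完成"
End Sub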
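Private Sub cmdCheck_Click()
    ' Enumerate the IFEO key and list, in lstLog, every subkey that carries a
    ' "Debugger" value, except the placeholder subkey present on a clean system.
    ' The list text must stay the bare subkey name: cmdDelete_Click matches list
    ' items against enumerated key names to decide what to delete. The Debugger
    ' target is read into szTemp but not displayed for that reason.
    ' Fix over the previous version: a failed RegOpenKey on a subkey is reported and
    ' skipped instead of querying (and closing) a stale handle.
    Dim hKey As Long, ret As Long, dwIndex As Long, lpName As String * 512, szKeyValue As String, szTemp As String * 512
    Dim retn As Long, retn2 As Long, hKey2 As Long, cbData As Long
    Const cbName As Long = 512

    If RegOpenKey(HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\", hKey) <> 0 Then
        AddLog "Can't find IFEO reg entry."
        cmdDelete.Enabled = False
        Exit Sub
    End If
    cmdDelete.Enabled = True
    lstLog.Clear

    ret = RegEnumKey(hKey, dwIndex, lpName, cbName)
    While (ret = 0)
        dwIndex = dwIndex + 1
        ' lpName is a fixed-length buffer; cut it at the first NUL to get the key name.
        szKeyValue = Left(lpName, InStr(lpName, Chr(0)) - 1)
        retn2 = RegOpenKey(hKey, szKeyValue & "\", hKey2)
        If retn2 = 0 Then
            ' RegQueryValueEx overwrites the size argument, so pass a fresh variable each time.
            cbData = cbName
            retn = RegQueryValueEx(hKey2, "Debugger", 0&, 1&, ByVal szTemp, cbData)
            RegCloseKey hKey2
            ' A present "Debugger" value (type not checked) marks the subkey as an
            ' active redirection; the default placeholder key is not a hijack.
            If retn = 0 And szKeyValue <> "Your Image File Name Here without a path" Then AddLog szKeyValue
        Else
            ' An unopenable subkey (e.g. access denied) could still hide a Debugger
            ' value, so surface it rather than skipping silently.
            AddLog "Can't open: " & szKeyValue
        End If
        ret = RegEnumKey(hKey, dwIndex, lpName, cbName)
    Wend
    ret = RegCloseKey(hKey)
End Sub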
Private Sub AddLog(ByVal szLog As String)
    ' Append one line to the on-form log list. cmdDelete_Click reads this list back
    ' as the set of key names to remove, so entries are either bare subkey names or
    ' status text that will never match a key.
    With lstLog
        .AddItem szLog
    End With
End Sub