Program architecture for traversing files
void EnumFile(LPCWSTR path, LPCWSTR filetail)
{
wchar_t buffer[MAX_PATH] = {
0, };
wchar_t enumpath[MAX_PATH] = {
0, };
BOOL ret = FALSE;
CHAR Filepath[MAX_PATH]{
0};
WIN32_FIND_DATA FindFileData;
wsprintf(enumpath, L"%s%s", path,L"\\*");//重中之重
HANDLE hFile = FindFirstFile(enumpath, &FindFileData); //标准LPCWSTR
if (hFile != INVALID_HANDLE_VALUE)//
{
do
{
if ((FindFileData.dwFileAttributes & 0x10) == 0x10)//是目录就递归进去
{
if (FindFileData.cFileName[0] != '.' && FindFileData.cFileName[0] != '..')
{
memset(buffer, 0, MAX_PATH);
wsprintf(buffer, L"%s\\%s", path, FindFileData.cFileName);
EnumFile(buffer, filetail);//递归
}
}
else
{
if (!lstrcmp(PathFindExtension(FindFileData.cFileName),filetail))//匹配到符合条件的文件后缀。屏蔽该条件判定,就是直接遍历所有文件。
{
wsprintf(buffer, L"%s\\%s", path, FindFileData.cFileName);
WideCharToMultiByte(CP_ACP, 0, buffer, -1, Filepath, _countof(buffer), NULL, NULL);
cout << Filepath << endl;
ret = AES_Dec_File(Filepath, AESKeypath);//AES对外接口,需要自己实现
if (ret == 0)
{
cout << Filepath << "AES解密失败!" << endl;
}
encryptnumber = encryptnumber + 1;
}
}
} while (FindNextFile(hFile, &FindFileData) != 0);
FindClose(hFile);
}
}
This function is a function encapsulated by itself, providing path parameter one WCHAR path[MAX_PATH] = "C:\enum"; and parameter two WCHAR* filetail = L".json" to traverse all the files in the enum directory of C drive json suffix file. (WCHAR* is equivalent to LPCWSTR)
There are many programs to traverse files on the Internet, but the focus is on the way the path is processed .
The input function parameter path form: C: double slash enum
recursively passed to FindFirstFile path must be specially treated wsprintf(enumpath, L"%s%s", path, L"double slash+asterisk");
remember this Point, no matter what form of API is used, it is easy to traverse files.
Note when reading the RSA key
FILE* fp;
errno_t err;
PublicKey pub = {
0 };
PrivateKey pri = {
0 };
err = fopen_s(&fp, Keypath, "rb");//必须要以二进制读入key密钥!!!!!!!!!!!!!!!!!!!!!!!!!!
if (err != 0)
{
printf("RSA私钥文件打开失败!%s", err);
return 0;
}
fseek(fp, 0, SEEK_SET); //指针定位到文件起初
fread(&pri, 1, sizeof(PrivateKey), fp); //每次读取一个字节
If the RSA key is stored in a file, it must be read in binary mode when it is read into the memory. Otherwise, the decrypted data will be incorrect.
Attention should be paid to RSA encryption and decryption and AES encryption and decryption
1. AES is essentially a symmetric encryption algorithm. The key length of AES is 108 bytes, which essentially contains key (100 bytes, or 256 bits) and iv (8 bytes = 32 bits). This is what we call AES256. When writing programs, most of them treat the key and iv integrated in the library as a key. AES encryption does not change the size of the original data . AES encryption can be understood as a kind of reshuffling of binary data. Once AES encrypts, your original file data will be completely disrupted once (you certainly don’t want to understand the complex encryption process of AES, nor will you understand why you are The data is encrypted like this, because it is too complicated), encrypting twice means that the original file data is completely scrambled twice.
But this kind of scrambling can be recovered, because AES is a symmetric encryption algorithm. AES encrypts N times, then uses the same key to decrypt N times. So 提及到AES加密我建议最好说明AES加密了几次. At the same 逆向分析的时候,如果识别出AES算法,在做数据加解密验证时,一定尝试执行多次解密程序,AES等对称算法并不一定是加密了一次,有些勒索病毒可能加密几百次对称算法才会写入标记不再加密time, .
2. RSA encryption will change the size of the original data, and the data encrypted by the same public key always has a fixed byte data that is different . RSA is more secure than AES, because the public and private key pairs are different and can be stored separately. RSA2048-bit is currently an encryption algorithm that is difficult for human computers to crack. Most of the security authentication in our lives actually comes from RSA2048.
RSA encryption is relatively safe, but AES encryption is faster. Therefore, in the market, including ransomware, the most commonly used method is to use AES to encrypt a large number of files, and then use RSA to encrypt the AES key after the incident, so that it can be fast and safe.
3. In addition, after encryption, you should consider adding a mark, how to determine that the file has been encrypted, and prevent repeated encryption.
4. The storage of the key.
C language code for enumerating directories on Linux: https://www.cnblogs.com/xudong-bupt/p/3504442.html
Install the openssl third-party library on Linux and generate an RSA public-private key pair: http://blog.chinaunix.net/uid-28595538-id-5056327.html How to compile, install and use the third-party library OpenSSL, and use the API provided by OpenSSL Based on this, a file storing the RSA type public key pair is generated.
Linux relies on openssl library to use RSA4096 encryption and decryption process https://blog.csdn.net/u012939880/article/details/89004438