VB自删除模块源码

小歆12年前软件源码01848
运行后能够删除自己。

提示:不要在VB的IDE下运行,否则会删除VB6.exe。一定要编译后运行。


下载地址:VB自删除源码.rar


部分源码:

Private Type tCONTEXT
ContextFlags As Long
space1(1 To 140) As Byte
SegFs As Long
space2(1 To 568) As Byte
End Type

'Local Descriptor Table bytes
Private Type tLDT_BYTES
BaseMid As Byte
Flags1 As Byte
Flags2 As Byte
BaseHi As Byte
End Type

'Local Descriptor Table
Private Type tLDT_ENTRY
LimitLow As Integer
BaseLow As Integer
HighWord As tLDT_BYTES
End Type

'Payload code/data
Private Type tPAYLOAD
Code1 As Currency '8 bytes of machine code
Code2 As Currency '8 bytes of machine code
Code3 As Currency '8 bytes of machine code
Code4 As Currency '8 bytes of machine code
Code5 As Currency '8 bytes of machine code
hParent As Long 'handle to the parent process (us)
fnWaitForSingleObject As Long 'pointer to WaitForSingleObject
fnCloseHandle As Long 'pointer to CloseHandle
fnDeleteFile As Long 'pointer to DeleteFileA
fnSleep As Long 'pointer to Sleep
fnExitProcess As Long 'pointer to ExitProcess
szFileName(1 To 260) As Byte 'filename to delete
End Type

'CreateProcess startup info
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

'CreateProcess Process info
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function DuplicateHandle Lib "kernel32" (ByVal hSourcehProcess As Long, ByVal hSourceHandle As Long, ByVal hTargethProcess As Long, lpTargetHandle As Long, ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwOptions As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function GetModuleFileNameA Lib "kernel32" (ByVal hModule As Long, ByVal lpFileName As Long, ByVal nSize As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As tCONTEXT) As Long
Private Declare Function GetThreadSelectorEntry Lib "kernel32" (ByVal hThread As Long, ByVal dwSelector As Long, lpSelectorEntry As tLDT_ENTRY) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long

Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Integer)

Public Sub SelfDelete()
If InIDE Then
Stop 'SelfDelete will delete VB6.exe if run from the IDE
Else
Const FLAGS As Long = &H44 'CREATE_SUSPENDED Or IDLE_PRIORITY_CLASS
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION

si.cb = Len(si)

'Start notepad in a suspended state
If CreateProcess(0, "notepad.exe", 0, 0, 0, FLAGS, 0, 0, si, pi) Then
Dim Payload As tPAYLOAD
Dim hKernel32 As Long
Dim nEntry As Long
Dim nProt As Long

'get a handle to kernel32.dll
hKernel32 = GetModuleHandle("KERNEL32")

With Payload
'fill in the machine code
.Code1 = 501120126496119.2168@
.Code2 = 283445226384721.9235@
.Code3 = -4947442599386.5729@
.Code4 = 918115899267069.9349@
.Code5 = 398737444671975.1679@

'fill in the function pointers
.fnCloseHandle = GetProcAddress(hKernel32, "CloseHandle")
.fnDeleteFile = GetProcAddress(hKernel32, "DeleteFileA")
.fnExitProcess = GetProcAddress(hKernel32, "ExitProcess")
.fnSleep = GetProcAddress(hKernel32, "Sleep")
.fnWaitForSingleObject = GetProcAddress(hKernel32, "WaitForSingleObject")

'duplicate a handle to our process
Call DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), pi.hProcess, .hParent, 0, 0, 0)

'fill in the path/filename of our exe to delete
Call GetModuleFileNameA(0, VarPtr(.szFileName(1)), 260)

'get notepad's entry point address
nEntry = GetEntryPoint(pi.hProcess, pi.hThread)

'make the entry point code read/write/executable
Call VirtualProtectEx(pi.hProcess, nEntry, Len(Payload), &H40, nProt)

'write the payload into notepad over the entry point code
Call WriteProcessMemory(pi.hProcess, nEntry, VarPtr(Payload), Len(Payload), 0)

'resume the suspended notepad process (resumes at the entry point address)
Call ResumeThread(pi.hThread)

'close handles
Call CloseHandle(pi.hThread)
Call CloseHandle(pi.hProcess)

'as soon as this process exits, the code we injected into notepad will delete our exe file
End With
End If
End If
End Sub

'get the entry point address in the notepad proxy process
Private Function GetEntryPoint(ByVal hProcess As Long, ByVal hThread As Long) As Long
Const FLAGS As Long = &H10017 'CONTEXT_FULL Or CONTEXT_DEBUG_REGISTERS
Dim Context As tCONTEXT
Dim LdtEntry As tLDT_ENTRY
Dim nAddr As Long
Dim nImgBase As Long
Dim nRead As Long

'get the suspended thread's context
Context.ContextFlags = FLAGS
Call GetThreadContext(hThread, Context)

'Retrieve a descriptor table entry for the 'f' segment selector
Call GetThreadSelectorEntry(hThread, Context.SegFs, LdtEntry)

'convert the descriptor table entry to a physical address
PutMem1 VarPtr(nAddr) + 3, LdtEntry.HighWord.BaseHi
PutMem1 VarPtr(nAddr) + 2, LdtEntry.HighWord.BaseMid
PutMem2 VarPtr(nAddr), LdtEntry.BaseLow

'get the address of the Process Environment Block
Call ReadProcessMemory(hProcess, nAddr + 48, VarPtr(nAddr), 4, nRead)

'get the image base address
Call ReadProcessMemory(hProcess, nAddr + 8, VarPtr(nImgBase), 4, nRead)

'get the offset to option header
Call ReadProcessMemory(hProcess, nImgBase + 60, VarPtr(nAddr), 4, nRead)

'get the entry point address
Call ReadProcessMemory(hProcess, nImgBase + nAddr + 40, VarPtr(nAddr), 4, nRead)

'actual code entry point address = image base + entry point
GetEntryPoint = nImgBase + nAddr
End Function

'return whether we're running under the VB IDE
Private Function InIDE(Optional ByRef nValue As Long = 0) As Boolean
If nValue = 0 Then
nValue = 1
Debug.Assert True Or InIDE(nValue)
InIDE = nValue <> 1
Else
nValue = 0
End If
End Function

相关文章

红色警戒2修改大师V2.80正式版

红色警戒2修改大师V2.80正式版

今天,我给大家分享一个软件,是关于红色警戒破解的,我已经用它很久了,而它与其他人的辅助不一样,功能更加全面,操作更简单,尤其是它的那个可以联机用的功能,废话不多说,直接上图!7 ~: K: v6 k+...

破解内存01.jpg

破解 Win7 32位系统的4G内存限制

ReadyFor4GB.rar 先解压附件压缩包,如图所示。   然后管理员身份运行ReadyFor4GB   依次点击“检查”,“应用...

消除Win7各个版本的水印补丁

之前使用的测试版等各版本的win7桌面右下角总有个讨厌的水印 正式版虽没有水印,但是如果使用ReadyFor4GB破解了内存限制后,也会出现测试版的水印      &...

小歆工作室 手机版.jpg

规划小歆工作室Android刷机包制作...

小歆工作室Android刷机包制作        《小歆工作室Android刷机包》基于MIUI安卓系统修改更新的一款ROM刷机包,此版本规...

字模提取软件截图.jpg

[Horse][字模提取][V2.2]

字模提取V2.2   下载地址:字模提取V2.2.zip...

小歆工作室管理工作说明以及一些公告

1。论坛版主的申请,前提是你找对你喜欢的版块,喜欢的内容。并且有信心将这个版块发展起来。如果仅仅是为了个版主头衔。建议不要进行申请,最多一个星期就会被...

发表评论    

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。