VB自删除模块源码

小歆12年前软件源码01761
运行后能够删除自己。

提示:不要在VB的IDE下运行,否则会删除VB6.exe。一定要编译后运行。


下载地址:VB自删除源码.rar


部分源码:

Private Type tCONTEXT
ContextFlags As Long
space1(1 To 140) As Byte
SegFs As Long
space2(1 To 568) As Byte
End Type

'Local Descriptor Table bytes
Private Type tLDT_BYTES
BaseMid As Byte
Flags1 As Byte
Flags2 As Byte
BaseHi As Byte
End Type

'Local Descriptor Table
Private Type tLDT_ENTRY
LimitLow As Integer
BaseLow As Integer
HighWord As tLDT_BYTES
End Type

'Payload code/data
Private Type tPAYLOAD
Code1 As Currency '8 bytes of machine code
Code2 As Currency '8 bytes of machine code
Code3 As Currency '8 bytes of machine code
Code4 As Currency '8 bytes of machine code
Code5 As Currency '8 bytes of machine code
hParent As Long 'handle to the parent process (us)
fnWaitForSingleObject As Long 'pointer to WaitForSingleObject
fnCloseHandle As Long 'pointer to CloseHandle
fnDeleteFile As Long 'pointer to DeleteFileA
fnSleep As Long 'pointer to Sleep
fnExitProcess As Long 'pointer to ExitProcess
szFileName(1 To 260) As Byte 'filename to delete
End Type

'CreateProcess startup info
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

'CreateProcess Process info
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function DuplicateHandle Lib "kernel32" (ByVal hSourcehProcess As Long, ByVal hSourceHandle As Long, ByVal hTargethProcess As Long, lpTargetHandle As Long, ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwOptions As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function GetModuleFileNameA Lib "kernel32" (ByVal hModule As Long, ByVal lpFileName As Long, ByVal nSize As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As tCONTEXT) As Long
Private Declare Function GetThreadSelectorEntry Lib "kernel32" (ByVal hThread As Long, ByVal dwSelector As Long, lpSelectorEntry As tLDT_ENTRY) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long

Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Integer)

Public Sub SelfDelete()
If InIDE Then
Stop 'SelfDelete will delete VB6.exe if run from the IDE
Else
Const FLAGS As Long = &H44 'CREATE_SUSPENDED Or IDLE_PRIORITY_CLASS
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION

si.cb = Len(si)

'Start notepad in a suspended state
If CreateProcess(0, "notepad.exe", 0, 0, 0, FLAGS, 0, 0, si, pi) Then
Dim Payload As tPAYLOAD
Dim hKernel32 As Long
Dim nEntry As Long
Dim nProt As Long

'get a handle to kernel32.dll
hKernel32 = GetModuleHandle("KERNEL32")

With Payload
'fill in the machine code
.Code1 = 501120126496119.2168@
.Code2 = 283445226384721.9235@
.Code3 = -4947442599386.5729@
.Code4 = 918115899267069.9349@
.Code5 = 398737444671975.1679@

'fill in the function pointers
.fnCloseHandle = GetProcAddress(hKernel32, "CloseHandle")
.fnDeleteFile = GetProcAddress(hKernel32, "DeleteFileA")
.fnExitProcess = GetProcAddress(hKernel32, "ExitProcess")
.fnSleep = GetProcAddress(hKernel32, "Sleep")
.fnWaitForSingleObject = GetProcAddress(hKernel32, "WaitForSingleObject")

'duplicate a handle to our process
Call DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), pi.hProcess, .hParent, 0, 0, 0)

'fill in the path/filename of our exe to delete
Call GetModuleFileNameA(0, VarPtr(.szFileName(1)), 260)

'get notepad's entry point address
nEntry = GetEntryPoint(pi.hProcess, pi.hThread)

'make the entry point code read/write/executable
Call VirtualProtectEx(pi.hProcess, nEntry, Len(Payload), &H40, nProt)

'write the payload into notepad over the entry point code
Call WriteProcessMemory(pi.hProcess, nEntry, VarPtr(Payload), Len(Payload), 0)

'resume the suspended notepad process (resumes at the entry point address)
Call ResumeThread(pi.hThread)

'close handles
Call CloseHandle(pi.hThread)
Call CloseHandle(pi.hProcess)

'as soon as this process exits, the code we injected into notepad will delete our exe file
End With
End If
End If
End Sub

'get the entry point address in the notepad proxy process
Private Function GetEntryPoint(ByVal hProcess As Long, ByVal hThread As Long) As Long
Const FLAGS As Long = &H10017 'CONTEXT_FULL Or CONTEXT_DEBUG_REGISTERS
Dim Context As tCONTEXT
Dim LdtEntry As tLDT_ENTRY
Dim nAddr As Long
Dim nImgBase As Long
Dim nRead As Long

'get the suspended thread's context
Context.ContextFlags = FLAGS
Call GetThreadContext(hThread, Context)

'Retrieve a descriptor table entry for the 'f' segment selector
Call GetThreadSelectorEntry(hThread, Context.SegFs, LdtEntry)

'convert the descriptor table entry to a physical address
PutMem1 VarPtr(nAddr) + 3, LdtEntry.HighWord.BaseHi
PutMem1 VarPtr(nAddr) + 2, LdtEntry.HighWord.BaseMid
PutMem2 VarPtr(nAddr), LdtEntry.BaseLow

'get the address of the Process Environment Block
Call ReadProcessMemory(hProcess, nAddr + 48, VarPtr(nAddr), 4, nRead)

'get the image base address
Call ReadProcessMemory(hProcess, nAddr + 8, VarPtr(nImgBase), 4, nRead)

'get the offset to option header
Call ReadProcessMemory(hProcess, nImgBase + 60, VarPtr(nAddr), 4, nRead)

'get the entry point address
Call ReadProcessMemory(hProcess, nImgBase + nAddr + 40, VarPtr(nAddr), 4, nRead)

'actual code entry point address = image base + entry point
GetEntryPoint = nImgBase + nAddr
End Function

'return whether we're running under the VB IDE
Private Function InIDE(Optional ByRef nValue As Long = 0) As Boolean
If nValue = 0 Then
nValue = 1
Debug.Assert True Or InIDE(nValue)
InIDE = nValue <> 1
Else
nValue = 0
End If
End Function

相关文章

实现VB与EXCEL的无缝连接

  VB是常用的应用软件开发工具之一,由于VB的报表功能有限,而且一但报表格式发生变化,就得相应修改程序,给应用软件的维护工作带来极大的不便。因此有很多程序员现在已经充分利用EXECL的强大...

vb导出其他文件资源

vb导出其他文件资源 Dim TempData() As Byte TempDataPath = "C:\...

VB中LostFocus、GotFocus事件的改进

---- VB中有一个LostFocus事件和一个GotFocus事件,看名字似乎是当当前窗口失去焦点或得到焦点时触发的事件。但在实际应用时却发现当这个窗口和Win...

VB改变图片大小的函数

Public Function ResizePicture(ByVal sourceImage As Bitmap, _ ByVal newSize As Si...

MD5加密算法VB源码

今天在在网页的源代码中找到了MD5加密算法的代码,呵呵,搬过来VB用了~~ 直接调用就可以了  Private Const BITS_TO_A_BYTE = 8 P...

vb中Msgbox函数的用法

VB中的Msgbox函数,可实现弹出窗口 作用:在对话框中显示消息,等待用户单击按钮,并返回一个 Integer 告诉用户单击哪一个按钮。 语法: MsgBox...

发表评论    

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。