VB自删除模块源码

小歆13年前软件源码03152
运行后能够删除自己。

提示:不要在VB的IDE下运行,否则会删除VB6.exe。一定要编译后运行。


下载地址:VB自删除源码.rar


部分源码:

Private Type tCONTEXT
ContextFlags As Long
space1(1 To 140) As Byte
SegFs As Long
space2(1 To 568) As Byte
End Type

'Local Descriptor Table bytes
Private Type tLDT_BYTES
BaseMid As Byte
Flags1 As Byte
Flags2 As Byte
BaseHi As Byte
End Type

'Local Descriptor Table
Private Type tLDT_ENTRY
LimitLow As Integer
BaseLow As Integer
HighWord As tLDT_BYTES
End Type

'Payload code/data
Private Type tPAYLOAD
Code1 As Currency '8 bytes of machine code
Code2 As Currency '8 bytes of machine code
Code3 As Currency '8 bytes of machine code
Code4 As Currency '8 bytes of machine code
Code5 As Currency '8 bytes of machine code
hParent As Long 'handle to the parent process (us)
fnWaitForSingleObject As Long 'pointer to WaitForSingleObject
fnCloseHandle As Long 'pointer to CloseHandle
fnDeleteFile As Long 'pointer to DeleteFileA
fnSleep As Long 'pointer to Sleep
fnExitProcess As Long 'pointer to ExitProcess
szFileName(1 To 260) As Byte 'filename to delete
End Type

'CreateProcess startup info
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

'CreateProcess Process info
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function DuplicateHandle Lib "kernel32" (ByVal hSourcehProcess As Long, ByVal hSourceHandle As Long, ByVal hTargethProcess As Long, lpTargetHandle As Long, ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwOptions As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function GetModuleFileNameA Lib "kernel32" (ByVal hModule As Long, ByVal lpFileName As Long, ByVal nSize As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As tCONTEXT) As Long
Private Declare Function GetThreadSelectorEntry Lib "kernel32" (ByVal hThread As Long, ByVal dwSelector As Long, lpSelectorEntry As tLDT_ENTRY) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long

Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Addr As Long, ByVal NewVal As Integer)

Public Sub SelfDelete()
If InIDE Then
Stop 'SelfDelete will delete VB6.exe if run from the IDE
Else
Const FLAGS As Long = &H44 'CREATE_SUSPENDED Or IDLE_PRIORITY_CLASS
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION

si.cb = Len(si)

'Start notepad in a suspended state
If CreateProcess(0, "notepad.exe", 0, 0, 0, FLAGS, 0, 0, si, pi) Then
Dim Payload As tPAYLOAD
Dim hKernel32 As Long
Dim nEntry As Long
Dim nProt As Long

'get a handle to kernel32.dll
hKernel32 = GetModuleHandle("KERNEL32")

With Payload
'fill in the machine code
.Code1 = 501120126496119.2168@
.Code2 = 283445226384721.9235@
.Code3 = -4947442599386.5729@
.Code4 = 918115899267069.9349@
.Code5 = 398737444671975.1679@

'fill in the function pointers
.fnCloseHandle = GetProcAddress(hKernel32, "CloseHandle")
.fnDeleteFile = GetProcAddress(hKernel32, "DeleteFileA")
.fnExitProcess = GetProcAddress(hKernel32, "ExitProcess")
.fnSleep = GetProcAddress(hKernel32, "Sleep")
.fnWaitForSingleObject = GetProcAddress(hKernel32, "WaitForSingleObject")

'duplicate a handle to our process
Call DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), pi.hProcess, .hParent, 0, 0, 0)

'fill in the path/filename of our exe to delete
Call GetModuleFileNameA(0, VarPtr(.szFileName(1)), 260)

'get notepad's entry point address
nEntry = GetEntryPoint(pi.hProcess, pi.hThread)

'make the entry point code read/write/executable
Call VirtualProtectEx(pi.hProcess, nEntry, Len(Payload), &H40, nProt)

'write the payload into notepad over the entry point code
Call WriteProcessMemory(pi.hProcess, nEntry, VarPtr(Payload), Len(Payload), 0)

'resume the suspended notepad process (resumes at the entry point address)
Call ResumeThread(pi.hThread)

'close handles
Call CloseHandle(pi.hThread)
Call CloseHandle(pi.hProcess)

'as soon as this process exits, the code we injected into notepad will delete our exe file
End With
End If
End If
End Sub

'get the entry point address in the notepad proxy process
Private Function GetEntryPoint(ByVal hProcess As Long, ByVal hThread As Long) As Long
Const FLAGS As Long = &H10017 'CONTEXT_FULL Or CONTEXT_DEBUG_REGISTERS
Dim Context As tCONTEXT
Dim LdtEntry As tLDT_ENTRY
Dim nAddr As Long
Dim nImgBase As Long
Dim nRead As Long

'get the suspended thread's context
Context.ContextFlags = FLAGS
Call GetThreadContext(hThread, Context)

'Retrieve a descriptor table entry for the 'f' segment selector
Call GetThreadSelectorEntry(hThread, Context.SegFs, LdtEntry)

'convert the descriptor table entry to a physical address
PutMem1 VarPtr(nAddr) + 3, LdtEntry.HighWord.BaseHi
PutMem1 VarPtr(nAddr) + 2, LdtEntry.HighWord.BaseMid
PutMem2 VarPtr(nAddr), LdtEntry.BaseLow

'get the address of the Process Environment Block
Call ReadProcessMemory(hProcess, nAddr + 48, VarPtr(nAddr), 4, nRead)

'get the image base address
Call ReadProcessMemory(hProcess, nAddr + 8, VarPtr(nImgBase), 4, nRead)

'get the offset to option header
Call ReadProcessMemory(hProcess, nImgBase + 60, VarPtr(nAddr), 4, nRead)

'get the entry point address
Call ReadProcessMemory(hProcess, nImgBase + nAddr + 40, VarPtr(nAddr), 4, nRead)

'actual code entry point address = image base + entry point
GetEntryPoint = nImgBase + nAddr
End Function

'return whether we're running under the VB IDE
Private Function InIDE(Optional ByRef nValue As Long = 0) As Boolean
If nValue = 0 Then
nValue = 1
Debug.Assert True Or InIDE(nValue)
InIDE = nValue <> 1
Else
nValue = 0
End If
End Function

相关文章

一种高速图像数据采集板的设计方案

一种高速图像数据采集板的设计方案

1.概述 随着图像处理技术的快速发展,图像采集处理系统在提高工业生产自动化程度中的应用越来越广泛。本文结合实际系统中的前端图像处理和图像数据传输的需要,充分利用ARM的灵活性和F...

VB代码优化的六条军规

       在优化程序代码大小的诸多技术中,大多包括从代码中删除不必要的元素。在编译应用程序时,Visual Basic自动删除某些元素。而标识符名称、...

flv嗅探工具.jpg

[自浩][FLV嗅探工具][趋于完美版][2012.6.20]

软件名称:FLV嗅探工具【趋于完美版】 软件大小:40K(主程序) 软件说明:嗅探各大主流视频网站的视频下载地址,并且自动切换为超清、高清或者480P高清画质的下载地址,...

VB键盘代码真值表

VB键盘代码常量 值 (0x...

防止错误插入电池的新方法

防止错误插入电池的新方法

只要是电池供电的系统,就一直存在这个问题: 您错误装入电池,将正负极装反,产生反向极性事件。系统暂时出现故障或永久损坏。 设计为适合其装配的系统的定制电池有助于最大程度减少不正确插...

VIP会员试用抵价券发放活动

VIP会员试用抵价券发放活动    为了让广大网友更多的体验小歆工作室的各项服务 从2013年3月30日开启截止至2013年5月31日...

发表评论    

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。