;-----Read the "Desktop" value from the already-open Shell Folders key------
; RegQueryValueEx(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData)
; eax = ERROR_SUCCESS (0) on success, otherwise a Win32 error code.
; NOTE(review): lpType is an OUT parameter (the API stores the value's type
; DWORD there). Reg_SZ is the string "REG_SZ",0 in the data block, so that
; string is simply overwritten - it does not "ask for a string".
; NOTE(review): lpcbData is an in/out DWORD, but DesktopSize is declared as a
; single byte (db 255d) immediately before RegHandle; the API most likely reads
; and then writes back the three low bytes of RegHandle as part of the size -
; confirm the data layout, because RegCloseKey below relies on that handle.
invoke RegQueryValueEx,\ ;read one value
dword [RegHandle],\ ;key handle opened earlier (RegOpenKeyEx is outside this excerpt)
DesktopValue,\ ;lpValueName = "Desktop"
0,\ ;lpReserved, must be 0
Reg_SZ,\ ;lpType: receives the value type (see note above)
DesktopPath,\ ;lpData: 255-byte buffer receiving the desktop path
DesktopSize ;lpcbData: size of that buffer, in/out (see note above)
cmp eax, 0 ;ERROR_SUCCESS?
jnz ErrorMsg ;any other status -> error message (ErrorMsg is defined outside this excerpt)
invoke RegCloseKey,\ ;path is in DesktopPath, release the key
dword [RegHandle] ;same handle as above
;-----Read desktop path from registry---end--------------
;-----Ensure DesktopPath ends with a backslash-----------------------------
; Scans to the terminating 0 and, unless the last character is already "\",
; appends "\",0 in place. edx is the only register touched.
; NOTE(review): there is no bounds check. DesktopPath is rb 255d and
; DesktopSize / RegHandle follow it in memory, so a path that fills the buffer
; makes the two stores below write past it. An empty string would make the
; "dec edx" below point one byte before the buffer.
mov edx, DesktopPath ;edx = &DesktopPath[0]
GetZero:
cmp byte [edx], 0 ;terminating 0 reached?
je GotZero ;yes
inc edx ;next character
jmp GetZero ;keep scanning
GotZero:
dec edx ;edx = last character before the 0
cmp byte [edx], "\" ;already a trailing backslash?
je HaveSlash ;then nothing to append
inc edx ;back to the position of the 0
mov byte [edx], "\" ;overwrite the 0 with "\"
mov byte [edx + 1d], 0 ;and terminate again: "...\",0
HaveSlash:
;-----Ensure trailing backslash---end-
;-----Make the desktop the current directory------------------
; SetCurrentDirectory(lpPathName); eax = 0 on failure. From here on the
; relative file names used below (Win32FindData.cFileName) resolve inside the
; desktop folder.
invoke SetCurrentDirectory,\ ;change directory
DesktopPath ;to the path built above
cmp eax, 0 ;failed?
je ErrorMsg ;then report and stop (ErrorMsg is outside this excerpt)
;-----Make the desktop the current directory---end------------
;-----Enumerate *.lnk in the current directory-----------------
; FindFirstFile(lpFileName, lpFindFileData) -> search handle in eax, or
; INVALID_HANDLE_VALUE (-1) on failure.
; NOTE(review): the test at FindMoreFiles compares eax with 0, which is the
; failure value of FindNextFile (a BOOL) but not of FindFirstFile. On a failed
; first search eax is -1, the test falls through, and the loop body likely runs
; once with an invalid handle and an unfilled Win32FindData.
; NOTE(review): FindClose is never called on FindHandle in this excerpt.
invoke FindFirstFile,\ ;start the directory search
LnkFiles,\ ;pattern "*.lnk"
Win32FindData ;WIN32_FIND_DATA receiving the match
mov dword [FindHandle], eax ;keep the search handle for FindNextFile
FindMoreFiles: ;loop head; also entered from FindNextLNK with eax = FindNextFile result
cmp eax, 0 ;FindNextFile returned FALSE (no more files)?
je Exit ;then leave the process
;-----Enumerate *.lnk---end--------
;-----Open and map the current .lnk file-----------------------
; CreateFile -> CreateFileMapping -> MapViewOfFile. On success MapAddress holds
; the start of the file image; each failure jumps to the matching cleanup label.
; NOTE(review): the file is opened GENERIC_READ + GENERIC_WRITE and the view is
; FILE_MAP_WRITE, yet nothing in this excerpt stores into the view - read-only
; access would cover what is shown here.
; NOTE(review): the CloseMap label used below is not defined anywhere in this
; excerpt; if it is also missing from the file, those jumps do not assemble and
; MapHandle is never closed.
invoke CreateFile,\ ;open the .lnk found by FindFirst/NextFile
Win32FindData.cFileName,\ ;name relative to the current (desktop) directory
GENERIC_READ + GENERIC_WRITE,\ ;dwDesiredAccess (see note above)
FILE_SHARE_READ,\ ;others may still read it
0,\ ;no security attributes
OPEN_EXISTING,\ ;never create
FILE_ATTRIBUTE_NORMAL,\ ;dwFlagsAndAttributes
0 ;no template file
cmp eax, INVALID_HANDLE_VALUE ;open failed?
je FindNextLNK ;skip this file
mov dword [FileHandle], eax ;keep the file handle
invoke CreateFileMapping,\ ;create a file-backed section
dword [FileHandle],\ ;of this file
0,\ ;no security attributes
PAGE_READWRITE,\ ;page protection
0,\ ;dwMaximumSizeHigh = 0
0,\ ;dwMaximumSizeLow = 0 -> current size of the file
0 ;unnamed mapping
cmp eax, 0 ;failed? (CreateFileMapping returns NULL on failure)
je CloseFile ;close the file, try the next one
mov dword [MapHandle], eax ;keep the section handle
invoke MapViewOfFile,\ ;map the whole file into this process
dword [MapHandle],\ ;section created above
FILE_MAP_WRITE,\ ;read/write view
0,\ ;dwFileOffsetHigh
0,\ ;dwFileOffsetLow = 0. NOTE(review): the next line has no ";" and reads like the wrapped tail of this comment; as written it is not valid assembly
address is after call in eax
0 ;dwNumberOfBytesToMap = 0 -> to end of file
cmp eax, 0 ;failed? (NULL on failure)
je CloseMap ;release the mapping, try the next file
mov dword [MapAddress], eax ;base address of the mapped file
;-----Open and map .lnk---end--------------
;-----Sanity check: is this really a Shell Link?---------------
; A .lnk (Shell Link) file starts with its 32-bit header size, 0x0000004C;
; in memory that is the byte sequence 4C 00 00 00, i.e. the dword "L".
mov esi, dword [MapAddress] ;esi = start of the mapped file
cmp dword [esi], "L" ;header size field == 0x4C?
jne CloseMap ;not a shell link: clean up, next file (CloseMap is not defined in this excerpt)
;-----Sanity check---end-----------------
;-----Extract the link's target path into Victim---------------
; Skips the 0x4C-byte header and the item-ID list, adds two fixed offsets, and
; copies the ASCIZ string found there into Victim.
; NOTE(review): the offsets are hard-coded and only one byte of the item-list
; size field is used, so the copied string is the link's target path only for
; .lnk files laid out exactly as the author assumed; for any other layout
; Victim receives unrelated bytes, which is why the next block re-checks its
; shape.
; NOTE(review): the copy loop has no length limit; Victim is rb 255d and the
; last item in the data block, so a long string writes past the buffer.
add esi, 4Ch ;skip the fixed-size header
mov edi, ItemSize ;edi = &ItemSize
movsb ;ItemSize = first byte of the item-list size (esi and edi advance by 1)
JumpOverItem: ;esi += ItemSize, one byte per iteration
cmp byte [ItemSize], 0d ;counter exhausted?
je JumpedOver ;then esi is past the item list (see note above)
inc esi ;next byte
dec byte [ItemSize] ;count down
jmp JumpOverItem ;loop
JumpedOver:
add esi, 22h ;author's skip over the link-info header
add esi, 0Ch ;author's skip over the volume table to the string copied below
mov edi, Victim ;destination buffer
CopyVictimString: ;copy bytes up to, not including, the terminating 0
cmp byte [esi], 0 ;end of string?
je HaveVictim ;yes -> terminate the copy
movsb ;Victim[i] = *esi++
jmp CopyVictimString ;next byte
HaveVictim:
mov dword [edi], 0 ;write four 0 bytes after the copied text
;-----Extract link target---end----------------------
;-----Plausibility check on Victim---------------------------
; Accepts only strings of the form "X:...." that end in a three-character
; extension, i.e. a "." four bytes before the terminating 0 (e.g. ".exe").
mov edx, Victim ;edx = &Victim[0]
cmp byte [edx + 1d], ":" ;second character a drive colon (e.g. "C:")?
jne CloseMap ;no -> not a local path, skip this file (CloseMap is not defined in this excerpt)
GetVictimZero:
cmp byte [edx], 0 ;terminating 0 reached?
je HaveVictimZero ;yes
inc edx ;next character
jmp GetVictimZero ;keep scanning
HaveVictimZero:
cmp byte [edx - 4d], "." ;dot of a 3-character extension?
jne CloseMap ;no -> skip this file
;-----Plausibility check---end---------------
;*******************************************************
;***** Show result *************************************
;*******************************************************
; The only action taken on the target in this excerpt: a message box with the
; extracted path as text and the .lnk file name as caption.
invoke MessageBox,\ ;MessageBox(hWnd, lpText, lpCaption, uType)
0,\ ;no owner window
Victim,\ ;text: the path extracted from the .lnk
Win32FindData.cFileName,\ ;caption: name of the scanned .lnk file
MB_ICONINFORMATION ;information icon, OK button
;*******************************************************
;***** Show result ***END******************************
;*******************************************************
;-----Unmap the view-----------------------------------------
; NOTE(review): nothing closes MapHandle in this excerpt, so one section handle
; leaks per processed file; the "close file and map handle" marker below
; suggests that code existed in the original.
invoke UnmapViewOfFile,\ ;release the view
dword [MapAddress] ;base address returned by MapViewOfFile
;-----Unmap the view---end--------------------------------
CloseFile: ;also reached directly when CreateFileMapping failed
invoke CloseHandle,\ ;close the file handle
dword [FileHandle] ;the current .lnk file
;-----close file and map handle---end-------------------
;-----Advance to the next .lnk-------------------------------
FindNextLNK: ;also reached directly when CreateFile failed
invoke FindNextFile,\ ;eax = TRUE with Win32FindData filled, FALSE when done
dword [FindHandle],\ ;search handle from FindFirstFile
Win32FindData ;receives the next match
jmp FindMoreFiles ;loop head tests eax
;-----Advance to the next .lnk---end--------------------
;-----Terminate-------------------------------------------------
Exit:
invoke ExitProcess,\ ;ExitProcess(0) does not return
0 ;exit code
;-----Terminate---end---------------------------------------
; NOTE(review): this jmp is unreachable as shown; the "error message---end"
; marker below suggests the ErrorMsg block (label referenced above) preceded it
; and was lost from this excerpt.
jmp Exit ;get out of here
;-----error message---end-------------------------------
;-----data's--------------------------------------------
; Variables used by the code above. "db/dd ?" are uninitialised, "rb" reserves
; a run of bytes.
DesktopSubkey db "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",0 ;key opened before this excerpt (RegOpenKeyEx not shown)
DesktopValue db "Desktop",0 ;value name queried
DesktopPath rb 255d ;receives the desktop path; "\" is appended without a bounds check
DesktopSize db 255d ;passed as lpcbData (a DWORD) - NOTE(review): only one byte is reserved, the API also touches the following RegHandle
RegHandle dd ? ;HKEY from RegOpenKeyEx
Reg_SZ db "REG_SZ",0 ;passed as lpType (an OUT DWORD) - NOTE(review): overwritten by RegQueryValueEx
Win32FindData FINDDATA ;WIN32_FIND_DATA, structure already defined by fasm
LnkFiles db "*.lnk",0 ;search pattern
FindHandle dd ? ;search handle (never passed to FindClose in this excerpt)
FileHandle dd ? ;current .lnk file
MapHandle dd ? ;section handle (never closed in this excerpt)
MapAddress dd ? ;base of the mapped view
ItemSize db ? ;loop counter for skipping the item-ID list
Victim rb 255d ;extracted target path; last item, the copy loop has no limit
;-----data's---end---------------------------------------
;-----api's import, fasm will do-------------------------
data import ;only one section, fasm will do it :)
library kernel32, "KERNEL32.DLL",\
user32, "USER32.DLL",\
advapi32, "ADVAPI32.DLL"