|
#2
wp2319572014-03-15 08:06
|
.386
.model flat,stdcall
option casemap:none
GetKernelBase proto
GetApiAddress proto :dword,:dword,:dword
.data
szFuctionName db 'LoadLibraryA',0
szFuctionName1 db "GetProcAddress",0
szFuctionName2 db "MessageBoxA",0
szkernel32 db "kernel32",0
szuser32 db "user32",0
szCaption db "我的实验",0
sztext db "病毒的开始",0
loadlibary dword 0
keneraddrbase dword ?
getapi dword ?
user32 dword ?
messageb dword ?
kernelbase dword ?
.code
start:
mov esi,[esp]
invoke GetKernelBase
MOV kernelbase,eax
invoke GetApiAddress,offset szFuctionName,sizeof szFuctionName,kernelbase
mov loadlibary ,eax
invoke GetApiAddress,offset szFuctionName1,sizeof szFuctionName1,kernelbase
mov getapi,eax
push offset szkernel32
call loadlibary
mov keneraddrbase,eax
push offset szuser32
call loadlibary
mov user32,eax
push offset szFuctionName2
push user32
call getapi
mov messageb,eax
push 0
push offset szCaption
push offset sztext
push 0
call messageb
mov ebx,eax
jmp $
GetKernelBase proc uses esi
.while 1
xor si,si
.if word ptr [esi]=="ZM"
mov eax,[esi+3ch]
.if word ptr [esi+eax]=="EP"
mov eax,esi
.break
.endif
.endif
dec esi
.if esi<=70000000h
.break
.endif
.endw
ret
GetKernelBase endp
GetApiAddress proc uses esi ecx ebx szfunctionname:dword,ncount:dword,kernelbas:dword
LOCAL ad:dword
mov eax,kernelbas
mov ebx,[eax+3ch]
add ebx,eax
add ebx,078h
mov ebx,[ebx]
add ebx,eax
push ebx
mov ebx,[ebx+020h]
add ebx,eax
mov ad,ebx
cld
xor edx,edx
next1:
mov ebx,ad
mov ebx,[ebx]
add ebx,eax
mov esi,ebx
mov ecx,ncount
mov edi,szfunctionname
next:
cmpsb
jz continue
inc edx
mov ebx,ad
pop ebx
push ebx
cmp edx,[ebx+18h]
ja nofind
add ad,4
jmp next1
continue:
loop next
push eax
mov eax,2
mul edx
mov edx,eax
pop eax
pop ebx
push ebx
mov ebx,[ebx+24h]
add ebx,eax
add edx,ebx
movzx edx,word ptr [edx]
push eax
mov eax,4
mul edx
mov edx,eax
pop eax
pop ebx
mov ebx,[ebx+01ch]
add ebx,eax
add edx,ebx
add eax,[edx]
ret
nofind:
mov eax,0
ret
GetApiAddress endp
end start
